<key>keychain-access-groups</key>
<array>
<string>apple</string>
+ <string>com.apple.identities</string>
+ </array>
+ <key>seatbelt-profiles</key>
+ <array>
+ <string>racoon</string>
</array>
</dict>
</plist>
#define ENABLE_DPD 1
/* IKE fragmentation support */
-#undef ENABLE_FRAG
+#define ENABLE_FRAG 1
/* Hybrid authentication support */
#define ENABLE_HYBRID 1
/* Enable NAT-Traversal */
#define ENABLE_NATT 1
-#ifndef __APPLE__
-/* our kernel does not have support for versions 00 or 01 */
-/* Enable NAT-Traversal draft 00 */
-#undef ENABLE_NATT_00
-
-/* Enable NAT-Traversal draft 01 */
-#undef ENABLE_NATT_01
-#endif /* __APPLE__ */
-
/* Enable NAT-Traversal draft 02 */
#define ENABLE_NATT_02 1
#define HAVE_GETIFADDRS 1
+#if TARGET_OS_EMBEDDED
+#undef HAVE_OPENSSL
+#else
+#define HAVE_OPENSSL 1
+#endif
+
+#ifdef HAVE_OPENSSL
/* Define to 1 if you have the <openssl/aes.h> header file. */
#define HAVE_OPENSSL_AES_H 1
/* Define to 1 if you have the <openssl/rc5.h> header file. */
#define HAVE_OPENSSL_RC5_H 1
+#endif
/* Define to 1 if you have the `pam_start' function. */
#if TARGET_OS_EMBEDDED
/* Use advanced IPv6 API */
#define INET6_ADVAPI 1
+#define __APPLE_USE_RFC_3542 1
/* Name of package */
#undef PACKAGE
/* Define to `unsigned' if <sys/types.h> does not define. */
#undef size_t
-#ifdef __APPLE__
#define USE_SYSTEMCONFIGURATION_PRIVATE_HEADERS 1
-#endif
#ifndef _IPSECMESSAGETRACER_H
#define _IPSECMESSAGETRACER_H
+#import <asl.h>
+
#define CONSTSTR(str) (const char *)str
#define L2TPIPSECVPN_CONNECTION_ESTABLISHED_DOMAIN CONSTSTR("com.apple.Networking.ipsec.disconnect.l2tpipsec")
#define PLAINIPSEC_PHASE_DOMAIN CONSTSTR("com.apple.Networking.ipsec.phasestats.plain")
#define PLAINIPSECDOMAIN CONSTSTR("com.apple.Networking.ipsec.main")
+#define IPSECASLDOMAIN CONSTSTR("com.apple.Networking.ipsec.asl")
+#define IPSECASLKEY CONSTSTR("IPSEC")
+
#if TARGET_OS_EMBEDDED
#define IPSECCONFIGTRACEREVENT(config, eventCode, message, failure_reason)
#endif
+#if 1 //TARGET_OS_EMBEDDED
+#define IPSECLOGASLMSG(format, args...) syslog(LOG_NOTICE, format, ##args);
+#else
+#define IPSECLOGASLMSG(format, args...) do { \
+ aslmsg m = asl_new(ASL_TYPE_MSG); \
+ asl_set(m, ASL_KEY_FACILITY, IPSECASLDOMAIN); \
+ asl_set(m, ASL_KEY_MSG, IPSECASLKEY); \
+ asl_log(NULL, m, ASL_LEVEL_NOTICE, format, ##args); \
+ asl_free(m); \
+ } while(0)
+#endif
+
static inline double get_percentage (double numerator, double denominator)
{
if (numerator >= denominator || denominator == 0) {
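Review bot: `#if 1 //TARGET_OS_EMBEDDED` at the top of the new IPSECLOGASLMSG block hard-wires the syslog variant on every platform, so the asl_* branch beneath it is dead code that still has to be maintained; either restore `#if TARGET_OS_EMBEDDED` or drop the asl branch. The syslog variant also ends in a `;` inside the macro body, unlike its `do { } while(0)` sibling, so `IPSECLOGASLMSG(...);` expands to two statements and breaks an unbraced `if`/`else`; remove the trailing semicolon. `#import <asl.h>` is an Objective-C directive in a plain C header; `#include <asl.h>` is the portable form. The asl branch passes the result of `asl_new()` straight to `asl_set()` and `asl_log()`; if `asl_new` can fail on this platform, guard the body with `if (m != NULL)`. get_percentage starts in this hunk and continues outside it.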
u_int pfkey_get_softrate __P((u_int));
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
-#ifdef __APPLE__
int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t, u_int16_t));
-#else
-int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int,
- caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
- u_int64_t, u_int64_t, u_int32_t));
-int pfkey_send_update_nat __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int,
- caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
- u_int64_t, u_int64_t, u_int32_t,
- u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t));
-int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int,
- caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
- u_int64_t, u_int64_t, u_int32_t));
-int pfkey_send_add_nat __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int,
- caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
- u_int64_t, u_int64_t, u_int32_t,
- u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t));
-#endif /*__APPLE__ */
int pfkey_send_delete __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
static __inline u_int8_t
sysdep_sa_len (const struct sockaddr *sa)
{
-#ifdef __linux__
- switch (sa->sa_family)
- {
- case AF_INET:
- return sizeof (struct sockaddr_in);
- case AF_INET6:
- return sizeof (struct sockaddr_in6);
- }
- // log_print ("sysdep_sa_len: unknown sa family %d", sa->sa_family);
- return sizeof (struct sockaddr_in);
-#else
return sa->sa_len;
-#endif
}
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <netinet/in.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
static int findsupportedmap __P((int));
static int setsupportedmap __P((struct sadb_supported *));
static struct sadb_alg *findsupportedalg __P((u_int, u_int));
-#ifdef __APPLE__
static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
u_int32_t, u_int32_t, u_int32_t, u_int16_t));
-#else
-static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
- u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
- u_int32_t, u_int32_t, u_int32_t,
- u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t));
-#endif
static int pfkey_send_x2 __P((int, u_int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
static int pfkey_send_x3 __P((int, u_int, u_int));
static caddr_t pfkey_setsadbmsg __P((caddr_t, caddr_t, u_int, u_int,
u_int, u_int32_t, pid_t));
-#ifdef __APPLE__
static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int,
u_int, u_int, u_int32_t, u_int16_t));
-#else
-static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int,
- u_int, u_int, u_int32_t));
-#endif
static caddr_t pfkey_setsadbaddr __P((caddr_t, caddr_t, u_int,
struct sockaddr *, u_int, u_int));
static caddr_t pfkey_setsadbkey __P((caddr_t, caddr_t, u_int, caddr_t, u_int));
}
-#ifdef __APPLE__
/*
* sending SADB_UPDATE message to the kernel.
* The length of key material is a_keylen + e_keylen.
}
-#else /* __APPLE__ */
-
-/*
- * sending SADB_UPDATE message to the kernel.
- * The length of key material is a_keylen + e_keylen.
- * OUT:
- * positive: success and return length sent.
- * -1 : error occured, and set errno.
- */
-int
-pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, l_bytes, l_addtime, l_usetime, seq)
- int so;
- u_int satype, mode, wsize;
- struct sockaddr *src, *dst;
- u_int32_t spi, reqid;
- caddr_t keymat;
- u_int e_type, e_keylen, a_type, a_keylen, flags;
- u_int32_t l_alloc;
- u_int64_t l_bytes, l_addtime, l_usetime;
- u_int32_t seq;
-{
- int len;
- if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
- reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, (u_int)l_bytes, (u_int)l_addtime,
- (u_int)l_usetime, seq, 0, 0, 0, NULL, 0)) < 0)
- return -1;
-
- return len;
-}
-
-#ifdef SADB_X_EXT_NAT_T_TYPE
-int
-pfkey_send_update_nat(so, satype, mode, src, dst, spi, reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, l_bytes, l_addtime, l_usetime, seq,
- l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
- l_natt_frag)
- int so;
- u_int satype, mode, wsize;
- struct sockaddr *src, *dst;
- u_int32_t spi, reqid;
- caddr_t keymat;
- u_int e_type, e_keylen, a_type, a_keylen, flags;
- u_int32_t l_alloc;
- u_int64_t l_bytes, l_addtime, l_usetime;
- u_int32_t seq;
- u_int8_t l_natt_type;
- u_int16_t l_natt_sport, l_natt_dport;
- struct sockaddr *l_natt_oa;
- u_int16_t l_natt_frag;
-{
- int len;
- if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
- reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, (u_int)l_bytes, (u_int)l_addtime,
- (u_int)l_usetime, seq, l_natt_type, l_natt_sport,
- l_natt_dport, l_natt_oa, l_natt_frag)) < 0)
- return -1;
-
- return len;
-}
-#endif
-
-/*
- * sending SADB_ADD message to the kernel.
- * The length of key material is a_keylen + e_keylen.
- * OUT:
- * positive: success and return length sent.
- * -1 : error occured, and set errno.
- */
-int
-pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, l_bytes, l_addtime, l_usetime, seq)
- int so;
- u_int satype, mode, wsize;
- struct sockaddr *src, *dst;
- u_int32_t spi, reqid;
- caddr_t keymat;
- u_int e_type, e_keylen, a_type, a_keylen, flags;
- u_int32_t l_alloc;
- u_int64_t l_bytes, l_addtime, l_usetime;
- u_int32_t seq;
-{
- int len;
- if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
- reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, (u_int)l_bytes, (u_int)l_addtime,
- (u_int)l_usetime, seq, 0, 0, 0, NULL, 0)) < 0)
- return -1;
-
- return len;
-}
-
-#ifdef SADB_X_EXT_NAT_T_TYPE
-int
-pfkey_send_add_nat(so, satype, mode, src, dst, spi, reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, l_bytes, l_addtime, l_usetime, seq,
- l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
- l_natt_frag)
- int so;
- u_int satype, mode, wsize;
- struct sockaddr *src, *dst;
- u_int32_t spi, reqid;
- caddr_t keymat;
- u_int e_type, e_keylen, a_type, a_keylen, flags;
- u_int32_t l_alloc;
- u_int64_t l_bytes, l_addtime, l_usetime;
- u_int32_t seq;
- u_int8_t l_natt_type;
- u_int16_t l_natt_sport, l_natt_dport;
- struct sockaddr *l_natt_oa;
- u_int16_t l_natt_frag;
-{
- int len;
- if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
- reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, (u_int)l_bytes, (u_int)l_addtime,
- (u_int)l_usetime, seq, l_natt_type, l_natt_sport,
- l_natt_dport, l_natt_oa, l_natt_frag)) < 0)
- return -1;
-
- return len;
-}
-#endif
-#endif /* __APPLE__ */
-
/*
* sending SADB_DELETE message to the kernel.
* OUT:
return len;
}
-#ifdef __APPLE__
+
/* sending SADB_ADD or SADB_UPDATE message to the kernel */
static int
pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
return len;
}
-#else /* __APPLE__ */
-
-/* sending SADB_ADD or SADB_UPDATE message to the kernel */
-static int
-pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, l_bytes, l_addtime, l_usetime, seq,
- l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
- l_natt_frag)
- int so;
- u_int type, satype, mode;
- struct sockaddr *src, *dst, *l_natt_oa;
- u_int32_t spi, reqid;
- u_int wsize;
- caddr_t keymat;
- u_int e_type, e_keylen, a_type, a_keylen, flags;
- u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq;
- u_int16_t l_natt_sport, l_natt_dport;
- u_int8_t l_natt_type;
- u_int16_t l_natt_frag;
-{
- struct sadb_msg *newmsg;
- int len;
- caddr_t p;
- int plen;
- caddr_t ep;
-
- /* validity check */
- if (src == NULL || dst == NULL) {
- __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
- return -1;
- }
- if (src->sa_family != dst->sa_family) {
- __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
- return -1;
- }
- switch (src->sa_family) {
- case AF_INET:
- plen = sizeof(struct in_addr) << 3;
- break;
- case AF_INET6:
- plen = sizeof(struct in6_addr) << 3;
- break;
- default:
- __ipsec_errcode = EIPSEC_INVAL_FAMILY;
- return -1;
- }
-
- switch (satype) {
- case SADB_SATYPE_ESP:
- if (e_type == SADB_EALG_NONE) {
- __ipsec_errcode = EIPSEC_NO_ALGS;
- return -1;
- }
- break;
- case SADB_SATYPE_AH:
- if (e_type != SADB_EALG_NONE) {
- __ipsec_errcode = EIPSEC_INVAL_ALGS;
- return -1;
- }
- if (a_type == SADB_AALG_NONE) {
- __ipsec_errcode = EIPSEC_NO_ALGS;
- return -1;
- }
- break;
- case SADB_X_SATYPE_IPCOMP:
- if (e_type == SADB_X_CALG_NONE) {
- __ipsec_errcode = EIPSEC_INVAL_ALGS;
- return -1;
- }
- if (a_type != SADB_AALG_NONE) {
- __ipsec_errcode = EIPSEC_NO_ALGS;
- return -1;
- }
- break;
-#ifdef SADB_X_AALG_TCP_MD5
- case SADB_X_SATYPE_TCPSIGNATURE:
- if (e_type != SADB_EALG_NONE) {
- __ipsec_errcode = EIPSEC_INVAL_ALGS;
- return -1;
- }
- if (a_type != SADB_X_AALG_TCP_MD5) {
- __ipsec_errcode = EIPSEC_INVAL_ALGS;
- return -1;
- }
- break;
-#endif
- default:
- __ipsec_errcode = EIPSEC_INVAL_SATYPE;
- return -1;
- }
-
- /* create new sadb_msg to reply. */
- len = sizeof(struct sadb_msg)
- + sizeof(struct sadb_sa)
- + sizeof(struct sadb_x_sa2)
- + sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(src))
- + sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(dst))
- + sizeof(struct sadb_lifetime)
- + sizeof(struct sadb_lifetime);
-
- if (e_type != SADB_EALG_NONE && satype != SADB_X_SATYPE_IPCOMP)
- len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
- if (a_type != SADB_AALG_NONE)
- len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
-
-#ifdef SADB_X_EXT_NAT_T_TYPE
- /* add nat-t packets */
- if (l_natt_type) {
- switch(satype) {
- case SADB_SATYPE_ESP:
- case SADB_X_SATYPE_IPCOMP:
- break;
- default:
- __ipsec_errcode = EIPSEC_NO_ALGS;
- return -1;
- }
-
- len += sizeof(struct sadb_x_nat_t_type);
- len += sizeof(struct sadb_x_nat_t_port);
- len += sizeof(struct sadb_x_nat_t_port);
- if (l_natt_oa)
- len += sizeof(struct sadb_address) +
- PFKEY_ALIGN8(sysdep_sa_len(l_natt_oa));
-#ifdef SADB_X_EXT_NAT_T_FRAG
- if (l_natt_frag)
- len += sizeof(struct sadb_x_nat_t_frag);
-#endif
- }
-#endif
-
- if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
- __ipsec_set_strerror(strerror(errno));
- return -1;
- }
- ep = ((caddr_t)(void *)newmsg) + len;
-
- p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len,
- satype, seq, getpid());
- if (!p) {
- free(newmsg);
- return -1;
- }
- p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags);
- if (!p) {
- free(newmsg);
- return -1;
- }
- p = pfkey_setsadbxsa2(p, ep, mode, reqid);
- if (!p) {
- free(newmsg);
- return -1;
- }
- p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
- IPSEC_ULPROTO_ANY);
- if (!p) {
- free(newmsg);
- return -1;
- }
- p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
- IPSEC_ULPROTO_ANY);
- if (!p) {
- free(newmsg);
- return -1;
- }
-
- if (e_type != SADB_EALG_NONE && satype != SADB_X_SATYPE_IPCOMP) {
- p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
- keymat, e_keylen);
- if (!p) {
- free(newmsg);
- return -1;
- }
- }
- if (a_type != SADB_AALG_NONE) {
- p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
- keymat + e_keylen, a_keylen);
- if (!p) {
- free(newmsg);
- return -1;
- }
- }
-
- /* set sadb_lifetime for destination */
- p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
- l_alloc, l_bytes, l_addtime, l_usetime);
- if (!p) {
- free(newmsg);
- return -1;
- }
- p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
- l_alloc, l_bytes, l_addtime, l_usetime);
- if (!p) {
- free(newmsg);
- return -1;
- }
-
-#ifdef SADB_X_EXT_NAT_T_TYPE
- /* Add nat-t messages */
- if (l_natt_type) {
- p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE, l_natt_type);
- if (!p) {
- free(newmsg);
- return -1;
- }
-
- p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT,
- l_natt_sport);
- if (!p) {
- free(newmsg);
- return -1;
- }
-
- p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT,
- l_natt_dport);
- if (!p) {
- free(newmsg);
- return -1;
- }
-
- if (l_natt_oa) {
- p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
- l_natt_oa,
- (u_int)PFKEY_ALIGN8(sysdep_sa_len(l_natt_oa)),
- IPSEC_ULPROTO_ANY);
- if (!p) {
- free(newmsg);
- return -1;
- }
- }
-
- if (l_natt_frag) {
-#ifdef SADB_X_EXT_NAT_T_FRAG
- p = pfkey_set_natt_frag(p, ep, SADB_X_EXT_NAT_T_FRAG,
- l_natt_frag);
- if (!p) {
- free(newmsg);
- return -1;
- }
-#endif
- }
- }
-#endif
-
- if (p != ep) {
- free(newmsg);
- return -1;
- }
-
- /* send message */
- len = pfkey_send(so, newmsg, len);
- free(newmsg);
-
- if (len < 0)
- return -1;
-
- __ipsec_errcode = EIPSEC_NO_ERROR;
- return len;
-}
-#endif /* __APPLE__ */
/* sending SADB_DELETE or SADB_GET message to the kernel */
/*ARGSUSED*/
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
-#ifdef __APPLE__
+ sizeof(struct sadb_sa_2)
-#else
- + sizeof(struct sadb_sa)
-#endif
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(sysdep_sa_len(src))
+ sizeof(struct sadb_address)
free(newmsg);
return -1;
}
-#ifdef __APPLE__
p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0, 0);
-#else
- p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0);
-#endif
if (!p) {
free(newmsg);
return -1;
return(buf + len);
}
-#ifdef __APPLE__
/*
* copy secasvar data into sadb_address.
* `buf' must has been allocated sufficiently.
return(buf + len);
}
-#else
-
-/*
- * copy secasvar data into sadb_address.
- * `buf' must has been allocated sufficiently.
- */
-static caddr_t
-pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags)
- caddr_t buf;
- caddr_t lim;
- u_int32_t spi, flags;
- u_int wsize, auth, enc;
-{
- struct sadb_sa *p;
- u_int len;
-
- p = (void *)buf;
- len = sizeof(struct sadb_sa);
-
- if (buf + len > lim)
- return NULL;
-
- memset(p, 0, len);
- p->sadb_sa_len = PFKEY_UNIT64(len);
- p->sadb_sa_exttype = SADB_EXT_SA;
- p->sadb_sa_spi = spi;
- p->sadb_sa_replay = wsize;
- p->sadb_sa_state = SADB_SASTATE_LARVAL;
- p->sadb_sa_auth = auth;
- p->sadb_sa_encrypt = enc;
- p->sadb_sa_flags = flags;
- p->sadb_sa_natt_port = port;
-
- return(buf + len);
-}
-#endif
/*
* set data into sadb_address.
# include <netinet/ipsec.h>
#endif
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <netinet/in.h>
#include <arpa/inet.h>
m_lftc = (void *)mhp[SADB_EXT_LIFETIME_CURRENT];
m_lfth = (void *)mhp[SADB_EXT_LIFETIME_HARD];
-#ifdef __linux__
- /* *bsd indicates per-socket policies by omiting src and dst
- * extensions. Linux always includes them, but we can catch it
- * by checkin for policy id.
- */
- if (m_xpl->sadb_x_policy_id % 8 >= 3) {
- printf("(per-socket policy) ");
- } else
-#endif
if (m_saddr && m_daddr) {
/* source address */
sa = (void *)(m_saddr + 1);
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <netinet/in.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#include "libpfkey.h"
-#if !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__linux__)
#include "y.tab.h"
-#else
-#include "policy_parse.h"
-#endif
#define yylval __libipseclval /* XXX */
int yylex __P((void));
#include <sys/socket.h>
#include <netinet/in.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <netinet6/ipsec.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/un.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <netinet/in.h>
#ifndef HAVE_NETINET6_IPSEC
#endif
#include "session.h"
#include "gcmalloc.h"
+#include "vpn.h"
+#include "vpn_control_var.h"
#ifdef ENABLE_ADMINPORT
}
if (com.ac_cmd == ADMIN_RELOAD_CONF) {
+ siginfo_t sigi;
+ bzero(&sigi, sizeof(sigi));
+ sigi.si_signo = SIGUSR1;
+ sigi.si_pid = getpid();
+ sigi.si_uid = getuid();
/* reload does not work at all! */
- signal_handler(SIGUSR1);
+ signal_handler(SIGUSR1, &sigi, (void *)NULL);
goto end;
}
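Review bot: The siginfo_t built for the ADMIN_RELOAD_CONF path is filled with racoon's own `getpid()`/`getuid()`, so anything in signal_handler that logs or acts on `si_pid`/`si_uid` will attribute the reload to the daemon itself rather than to the admin-socket client that requested it; a comment such as `/* synthetic siginfo: si_pid/si_uid are racoon's own, not the requesting client's */` would keep that from being misread in an audit trail. `bzero()` is a legacy BSD call; `memset(&sigi, 0, sizeof(sigi))` or `siginfo_t sigi = {0};` is the standard form. The `(void *)NULL` cast on the third argument is redundant. The retained comment `/* reload does not work at all! */` now sits above a call that passes a fully populated siginfo, so it should be updated or removed if the reload path is now functional. signal_handler's definition is outside this hunk, so the first point is inferred from the call site only.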
target->user_pw = key;
}
#endif
- vpn_connect(target);
+ vpn_connect(target, VPN_STARTED_BY_ADMIN);
com->ac_errno = 0;
outofhere:
if (target->user_id != NULL)
{ "des", algtype_des, OAKLEY_ATTR_ENC_ALG_DES, 8,
eay_des_encrypt, eay_des_decrypt,
eay_des_weakkey, eay_des_keylen, },
+#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL_IDEA_H
{ "idea", algtype_idea, OAKLEY_ATTR_ENC_ALG_IDEA, 8,
eay_idea_encrypt, eay_idea_decrypt,
eay_rc5_encrypt, eay_rc5_decrypt,
eay_rc5_weakkey, eay_rc5_keylen, },
#endif
+#endif
{ "3des", algtype_3des, OAKLEY_ATTR_ENC_ALG_3DES, 8,
eay_3des_encrypt, eay_3des_decrypt,
eay_3des_weakkey, eay_3des_keylen, },
+#ifdef HAVE_OPENSSL
{ "cast", algtype_cast128, OAKLEY_ATTR_ENC_ALG_CAST, 8,
eay_cast_encrypt, eay_cast_decrypt,
eay_cast_weakkey, eay_cast_keylen, },
+#endif
{ "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16,
eay_aes_encrypt, eay_aes_decrypt,
eay_aes_weakkey, eay_aes_keylen, },
{ "3des", algtype_3des, IPSECDOI_ESP_3DES, 8,
NULL, NULL,
NULL, eay_3des_keylen, },
+#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL_RC5_H
{ "rc5", algtype_rc5, IPSECDOI_ESP_RC5, 8,
NULL, NULL,
{ "blowfish", algtype_blowfish, IPSECDOI_ESP_BLOWFISH, 8,
NULL, NULL,
NULL, eay_bf_keylen, },
+#endif
{ "des-iv32", algtype_des_iv32, IPSECDOI_ESP_DES_IV32, 8,
NULL, NULL,
NULL, eay_des_keylen, },
{ "aes", algtype_aes, IPSECDOI_ESP_AES, 16,
NULL, NULL,
NULL, eay_aes_keylen, },
+#ifdef HAVE_OPENSSL
{ "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16,
NULL, NULL,
NULL, eay_twofish_keylen, },
{ "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8,
NULL, NULL,
NULL, NULL, },
+#endif
};
static struct hmac_algorithm ipsec_hmacdef[] = {
NULL, NULL,
NULL, eay_sha1_hashlen,
NULL, },
+#ifdef HAVE_OPENSSL
{ "kpdk", algtype_kpdk, IPSECDOI_ATTR_AUTH_KPDK,
NULL, NULL,
NULL, eay_kpdk_hashlen,
NULL, },
+#endif
{ "null", algtype_non_auth, IPSECDOI_ATTR_AUTH_NONE,
NULL, NULL,
NULL, eay_null_hashlen,
continue;
}
l_addtime -= current - created;
-#ifdef __APPLE__
if (pfkey_send_add(
lcconf->sock_pfkey,
satype,
"restore SA filed line#%d in %s: %s\n",
line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], ipsec_strerror());
}
-#else
- if (pfkey_send_add(
- lcconf->sock_pfkey,
- satype,
- mode,
- src,
- dst,
- spi,
- reqid,
- wsize,
- keymat,
- e_type, e_keylen, a_type, a_keylen, flags,
- 0, l_bytes, l_addtime, 0, seq) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "restore SA filed line#%d in %s: %s\n",
- line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], ipsec_strerror());
- }
-#endif
racoon_free(src);
racoon_free(dst);
racoon_free(keymat);
#include "gssapi.h"
#endif
#include "vendorid.h"
+#ifdef HAVE_OPENSSL
#include "rsalist.h"
+#endif
#include "ipsecConfigTracer.h"
#include "ipsecMessageTracer.h"
{
#ifdef ENABLE_HYBRID
isakmp_cfg_config.pfs_group = $2;
+#ifndef HAVE_OPENSSL
+ if (isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024
+ && isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) {
+ yyerror("PFS group must be 2 or 5");
+ return -1;
+ }
+#endif
#else /* ENABLE_HYBRID */
yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
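Review bot: The `#ifndef HAVE_OPENSSL` group check added here is repeated verbatim in the sainfo PFS_GROUP action and twice more in the dh_group_num rule later in this commit, so the allowed set lives in four places. A prologue helper, `static int dh_group_supported(int g) { return g == OAKLEY_ATTR_GRP_DESC_MODP1024 || g == OAKLEY_ATTR_GRP_DESC_MODP1536; }`, would reduce each action to `if (!dh_group_supported($2)) { yyerror("PFS group must be 2 or 5"); return -1; }` and give one place to extend when the non-OpenSSL DH backend grows. The set presumably mirrors what that backend implements, which is not visible in this hunk; a one-line comment on the helper naming the implementation it must stay in sync with would help the next maintainer.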
: PFS_GROUP dh_group_num
{
cur_sainfo->pfs_group = $2;
+#ifndef HAVE_OPENSSL
+ if (cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024
+ && cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) {
+ yyerror("PFS group must be 2 or 5");
+ return -1;
+ }
+#endif
}
EOS
| LIFETIME LIFETYPE_TIME NUMBER unittype_time
if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
if (cur_rmconf->mycertfile
-#ifdef __APPLE__
|| cur_rmconf->identity_in_keychain)
-#endif
{
if (cur_rmconf->idv)
yywarn("Both CERT and ASN1 ID "
return -1;
}
}
-
-#ifdef __APPLE__
+
if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) {
struct genlist_entry *gpb;
if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) {
return -1;
}
}
-#endif
if (cur_rmconf->prhead->spspec == NULL
&& cur_rmconf->inherited_from
| CERTIFICATE_TYPE cert_spec
| PEERS_CERTFILE QUOTEDSTRING
{
+#ifdef HAVE_OPENSSL
yywarn("This directive without certtype will be removed!\n");
yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
cur_rmconf->peerscertfile = racoon_strdup($2->v);
STRDUP_FATAL(cur_rmconf->peerscertfile);
vfree($2);
+#else
+ yyerror("cert files not supported.\n");
+ return -1;
+#endif
}
EOS
| CA_TYPE CERT_X509 QUOTEDSTRING
{
+#ifdef HAVE_OPENSSL
cur_rmconf->cacerttype = $2;
cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
if (cur_rmconf->cacertfile != NULL)
cur_rmconf->cacertfile = racoon_strdup($3->v);
STRDUP_FATAL(cur_rmconf->cacertfile);
vfree($3);
+#else
+ yyerror("cert files not supported.\n");
+ return -1;
+#endif
+
}
EOS
| PEERS_CERTFILE CERT_X509 QUOTEDSTRING
{
+#ifdef HAVE_OPENSSL
cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
if (cur_rmconf->peerscertfile != NULL)
racoon_free(cur_rmconf->peerscertfile);
cur_rmconf->peerscertfile = racoon_strdup($3->v);
STRDUP_FATAL(cur_rmconf->peerscertfile);
vfree($3);
+#else
+ yyerror("cert files not supported.\n");
+ return -1;
+#endif
+
}
EOS
| PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
{
+#ifdef HAVE_OPENSSL
char path[MAXPATHLEN];
int ret = 0;
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path);
+#else
+ yyerror("plainrsa not supported.\n");
+ return -1;
+#endif
}
EOS
| PEERS_CERTFILE DNSSEC
| SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
| CERTIFICATE_VERIFICATION VERIFICATION_MODULE
{
-#ifdef __APPLE__
cur_rmconf->cert_verification = $2;
-#else
- yyerror("Apple specific features not compiled in.");
- return -1;
-#endif
} EOS
| CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
- {
-#ifdef __APPLE__
+ {
cur_rmconf->cert_verification = $2;
cur_rmconf->cert_verification_option = $3;
-#else
- yyerror("Apple specific features not compiled in.");
- return -1;
-#endif
}
EOS
| OPEN_DIR_AUTH_GROUP QUOTEDSTRING
{
-#if defined(__APPLE__) && HAVE_OPENDIR
+#if HAVE_OPENDIR
cur_rmconf->open_dir_auth_group = $2;
#else
yyerror("Apple specific features not compiled in.");
| VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
| SHARED_SECRET SECRETTYPE QUOTEDSTRING
{
-#ifdef __APPLE__
cur_rmconf->secrettype = $2;
cur_rmconf->shared_secret = $3;
-#else
- yyerror("Apple specific features not compiled in.");
- return -1;
-#endif
} EOS
| SHARED_SECRET SECRETTYPE
{
-#ifdef __APPLE__
if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) {
yyerror("shared secret value missing.\n");
return -1;
}
cur_rmconf->secrettype = $2;
-#else
- yyerror("Apple specific features not compiled in.");
- return -1;
-#endif
-
} EOS
| NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
| DH_GROUP
| NAT_TRAVERSAL_MULTI_USER SWITCH
{
#ifdef ENABLE_NATT
-#ifdef __APPLE__
cur_rmconf->natt_multiple_user = $2;
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
#else
yyerror("NAT-T support not compiled in.");
#endif
| NAT_TRAVERSAL_KEEPALIVE SWITCH
{
#ifdef ENABLE_NATT
-#ifdef __APPLE__
cur_rmconf->natt_keepalive = $2;
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
#else
yyerror("NAT-T support not compiled in.");
#endif
EOS
| CERT_X509 IN_KEYCHAIN
{
-#ifdef __APPLE__
cur_rmconf->certtype = $1;
cur_rmconf->identity_in_keychain = 1;
cur_rmconf->keychainCertRef = NULL;
-#endif
}
EOS
;
| CERT_X509 IN_KEYCHAIN QUOTEDSTRING
{
-#ifdef __APPLE__
-
cur_rmconf->certtype = $1;
cur_rmconf->identity_in_keychain = 1;
cur_rmconf->keychainCertRef = $3;
-#endif
}
EOS
;
| CERT_PLAINRSA QUOTEDSTRING
{
+#ifdef HAVE_OPENSSL
char path[MAXPATHLEN];
int ret = 0;
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path);
+#else
+ yyerror("plainrsa not supported.\n");
+ return -1;
+#endif
}
EOS
;
yyerror("must be DH group");
return -1;
}
+#ifndef HAVE_OPENSSL
+ if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) {
+ yyerror("DH group must be 2 or 5");
+ return -1;
+ }
+#endif
}
| NUMBER
{
$$ = 0;
return -1;
}
+#ifndef HAVE_OPENSSL
+ if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) {
+ yyerror("DH group must be 2 or 5");
+ return -1;
+ }
+#endif
}
;
identifierstring
cur_rmconf->prhead->spspec->vendorid =
VENDORID_GSSAPI;
break;
+#ifdef HAVE_OPENSSL
case algtype_rsasig:
if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) {
if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
}
}
break;
+#endif
default:
break;
}
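Review bot: With HAVE_OPENSSL undefined the `case algtype_rsasig:` arm is compiled out and an rsasig proposal falls through to `default: break;`, so a configuration requesting RSA-signature authentication passes this check silently, whereas the cert-file directives elsewhere in this commit reject the configuration with yyerror and `return -1`. Consider an `#else` branch carrying `case algtype_rsasig: yyerror("rsasig not supported.\n"); return -1;` so the unsupported method is reported at parse time rather than surfacing as a failure during negotiation. The switch and its enclosing function start outside this hunk, so whether a later stage already rejects rsasig in a non-OpenSSL build cannot be confirmed from here.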
return -1;
}
p->udp_encap = udp_encap;
-#ifdef __APPLE__
/* These need to be initialized for Apple modifications
* to open code for isakmp sockets
*/
p->sock = -1;
p->in_use = 1;
-#endif
insmyaddr(p, &lcconf->myaddrs);
int
cfreparse(int sig)
{
- int ignore_established_handles = (sig == SIGUSR1);
+ int ignore_estab_or_assert_handles = (sig == SIGUSR1);
if (sig >= 0 && sig < NSIG) {
plog(LLV_DEBUG, LOCATION, NULL, "==== Got %s signal - re-parsing.\n", sys_signame[sig]);
CONSTSTR("cfreparse: triggered by unknown signal"));
}
- flushph2(ignore_established_handles);
- flushph1(ignore_established_handles);
+ flushph2(ignore_estab_or_assert_handles);
+ flushph1(ignore_estab_or_assert_handles);
flushrmconf();
flushsainfo();
flushlcconf();
//%%% BUG FIX - 2 missing include files when not using
// the bison files
+#ifdef HAVE_OPENSSL
#include <openssl/bn.h>
#include <openssl/rsa.h>
-
+#endif
+
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "gcmalloc.h"
#endif
-#ifdef __APPLE__
#include "y.tab.h"
-#else
-#include "cfparse.h"
-#endif
int yyerrorcount = 0;
<S_RMTS>certificate_type { YYD; return(CERTIFICATE_TYPE); }
<S_RMTS>ca_type { YYD; return(CA_TYPE); }
<S_RMTS>x509 { YYD; yylval.num = ISAKMP_CERT_X509SIGN; return(CERT_X509); }
-<S_RMTS>plain_rsa { YYD; yylval.num = ISAKMP_CERT_PLAINRSA; return(CERT_PLAINRSA); }
+<S_RMTS>plain_rsa {
+#ifdef HAVE_OPENSSL
+ YYD; yylval.num = ISAKMP_CERT_PLAINRSA; return(CERT_PLAINRSA);
+#else
+ yyerror("plainrsa not supported.");
+#endif
+}
<S_RMTS>open_dir_auth_group {
-#if defined(__APPLE__) && HAVE_OPENDIR
+#if HAVE_OPENDIR
YYD;
return(OPEN_DIR_AUTH_GROUP);
#else
#endif
}
<S_RMTS>shared_secret {
-#ifdef __APPLE__
YYD;
return(SHARED_SECRET);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
<S_RMTS>in_keychain {
-#ifdef __APPLE__
YYD;
return(IN_KEYCHAIN);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
<S_RMTS>certificate_verification {
-#ifdef __APPLE__
YYD;
return(CERTIFICATE_VERIFICATION);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
<S_RMTS>peers_certfile { YYD; return(PEERS_CERTFILE); }
<S_RMTS>dnssec { YYD; return(DNSSEC); }
<S_RMTS>nat_traversal { YYD; return(NAT_TRAVERSAL); }
<S_RMTS>force { YYD; yylval.num = NATT_FORCE; return(NAT_TRAVERSAL_LEVEL); }
<S_RMTS>nat_traversal_multi_user {
-#ifdef __APPLE__
YYD;
return(NAT_TRAVERSAL_MULTI_USER);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
<S_RMTS>nat_traversal_keepalive {
-#ifdef __APPLE__
YYD;
return(NAT_TRAVERSAL_KEEPALIVE);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
<S_RMTS>proposal_check { YYD; return(PROPOSAL_CHECK); }
<S_RMTS>obey { YYD; yylval.num = PROP_CHECK_OBEY; return(PROPOSAL_CHECK_LEVEL); }
fqdn { YYD; yylval.num = IDTYPE_FQDN; return(IDENTIFIERTYPE); }
keyid { YYD; yylval.num = IDTYPE_KEYID; return(IDENTIFIERTYPE); }
keyid_use {
-#ifdef __APPLE__
YYD;
yylval.num = IDTYPE_KEYIDUSE;
return(IDENTIFIERTYPE);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
address { YYD; yylval.num = IDTYPE_ADDRESS; return(IDENTIFIERTYPE); }
subnet { YYD; yylval.num = IDTYPE_SUBNET; return(IDENTIFIERTYPE); }
/* shared secret type */
use {
-#ifdef __APPLE__
YYD;
yylval.num = SECRETTYPE_USE;
return(SECRETTYPE);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
key {
-#ifdef __APPLE__
YYD;
yylval.num = SECRETTYPE_KEY;
return(SECRETTYPE);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
keychain {
-#if defined(__APPLE__) && HAVE_KEYCHAIN
+#if HAVE_KEYCHAIN
YYD;
yylval.num = SECRETTYPE_KEYCHAIN;
return(SECRETTYPE);
#endif
}
keychain_by_id {
-#ifdef __APPLE__
YYD;
yylval.num = SECRETTYPE_KEYCHAIN_BY_ID;
return(SECRETTYPE);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
/* certificate verification */
openssl {
-#ifdef __APPLE__
YYD;
yylval.num = VERIFICATION_MODULE_OPENSSL;
return(VERIFICATION_MODULE);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
sec_framework {
-#ifdef __APPLE__
YYD;
yylval.num = VERIFICATION_MODULE_SEC_FRAMEWORK;
return(VERIFICATION_MODULE);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
use_open_dir {
-#ifdef __APPLE__
YYD;
yylval.num = VERIFICATION_OPTION_OPEN_DIR;
return(VERIFICATION_OPTION);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
use_peers_identifier {
-#ifdef __APPLE__
YYD;
yylval.num = VERIFICATION_OPTION_PEERS_IDENTIFIER;
return(VERIFICATION_OPTION);
-#else
- yyerror("Apple specific features not compiled in.");
-#endif
}
/* identifier qualifier */
yy_delete_buffer(YY_CURRENT_BUFFER);
incstackp--;
nextfile:
- if (incstack[incstackp].matchon <
+ if (incstack[incstackp].matches.gl_pathc != 0 &&
+ incstack[incstackp].matches.gl_pathv &&
+ incstack[incstackp].matchon <
incstack[incstackp].matches.gl_pathc) {
char* filepath = incstack[incstackp].matches.gl_pathv[incstack[incstackp].matchon];
incstack[incstackp].matchon++;
#include "crypto_cssm.h"
+#if TARGET_OS_EMBEDDED
+static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef);
+#else
+static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef);
+#endif
-static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef);
-static const char *GetSecurityErrorString(OSStatus err);
#if !TARGET_OS_EMBEDDED
static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef);
static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef);
#endif
-/*
- * Verify cert using security framework
- */
-int crypto_cssm_check_x509cert(vchar_t *cert, CFStringRef hostname, cert_status_t certStatus)
+static SecPolicyRef
+crypto_cssm_x509cert_get_SecPolicyRef (CFStringRef hostname)
{
OSStatus status;
- SecCertificateRef certRef = NULL;
SecPolicyRef policyRef = NULL;
+#if !TARGET_OS_EMBEDDED
+ CSSM_OID ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC;
+ // get our policy object
+ status = FindPolicy(&ourPolicyOID, &policyRef);
+ if (status != noErr && status != -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "error %d %s.\n", status, GetSecurityErrorString(status));
+ }
+#else
+ if (hostname) {
+ policyRef = SecPolicyCreateIPSec(FALSE, hostname);
+ if (policyRef == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "unable to create a SSL policyRef.\n");
+ }
+ }
+#endif
+ return policyRef;
+}
+
+SecCertificateRef
+crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert)
+{
+ OSStatus status;
+ SecCertificateRef certRef = NULL;
#if !TARGET_OS_EMBEDDED
CSSM_DATA certData;
- CSSM_OID ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC;
// create cert ref
certData.Length = cert->l;
certData.Data = (uint8 *)cert->v;
status = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER,
- &certRef);
- if (status != noErr)
- goto end;
-
- // get our policy object
- status = FindPolicy(&ourPolicyOID, &policyRef);
- if (status != noErr)
- goto end;
- // no options used at present - verification of subjectAltName fields, etc.
- // are done elsewhere in racoon in oakley_check_certid()
-
+ &certRef);
+ if (status != noErr && status != -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "error %d %s.\n", status, GetSecurityErrorString(status));
+ }
#else
CFDataRef cert_data = CFDataCreateWithBytesNoCopy(NULL, cert->v, cert->l, kCFAllocatorNull);
if (cert_data) {
certRef = SecCertificateCreateWithData(NULL, cert_data);
CFRelease(cert_data);
}
-
+#endif
if (certRef == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "unable to create a certRef.\n");
- status = -1;
- goto end;
+ "unable to create a certRef.\n");
}
+ return certRef;
+}
- if (hostname) {
- policyRef = SecPolicyCreateIPSec(FALSE, hostname);
- if (policyRef == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to create a SSL policyRef.\n");
- status = -1;
- goto end;
+static cert_status_t
+crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef)
+{
+ cert_status_t certStatus = CERT_STATUS_OK;
+#if TARGET_OS_EMBEDDED
+ CFAbsoluteTime timeNow = 0;
+ CFAbsoluteTime notvalidbeforedate = 0;
+ CFAbsoluteTime notvalidafterdate = 0;
+ CFDateRef nowcfdatedata = NULL;
+ CFDateRef notvalidbeforedatedata = NULL;
+ CFDateRef notvalidafterdatedata = NULL;
+ CFArrayRef certProparray = NULL;
+ CFDictionaryRef propDict = NULL;
+ const void *datevalue = NULL;
+ const void *labelvalue = NULL;
+ CFGregorianDate gregoriandate;
+ CFIndex count;
+ CFIndex i;
+
+ if ((certProparray = SecCertificateCopyProperties(certificateRef))){
+ if ((count = CFArrayGetCount( certProparray ))){
+ for( i = 0; i < count; i++) {
+ if ((propDict = CFArrayGetValueAtIndex(certProparray, i))) {
+ if ( CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyValue, (const void**)&datevalue)){
+ /* get kSecPropertyKeyLabel */
+ if ( (datevalue) && (CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyLabel, (const void**)&labelvalue))){
+ if ( (labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid Before"), 0) == kCFCompareEqualTo)){
+ if ( notvalidbeforedate = CFDateGetAbsoluteTime(datevalue)) {
+ if (notvalidbeforedatedata) {
+ CFRelease(notvalidbeforedatedata);
+ }
+ notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate);
+ }
+ }else if ((labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid After"), 0 ) == kCFCompareEqualTo)){
+ if ( notvalidafterdate = CFDateGetAbsoluteTime(datevalue)) {
+ if (notvalidafterdatedata) {
+ CFRelease(notvalidafterdatedata);
+ }
+ notvalidafterdatedata = CFDateCreate(NULL, notvalidafterdate);
+ }
+ }
+ }
+ }
+ }
+ }
}
}
-
+
+ if ( (timeNow = CFAbsoluteTimeGetCurrent()) && (nowcfdatedata = CFDateCreate( NULL, timeNow))){
+ if ( notvalidbeforedatedata ){
+ gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidbeforedate, NULL);
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "cert not valid before yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute);
+ gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidafterdate, NULL);
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "cert not valid after yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute);
+ if ( CFDateCompare( nowcfdatedata, notvalidbeforedatedata, NULL ) == kCFCompareLessThan){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "current time before valid time\n");
+ certStatus = CERT_STATUS_PREMATURE;
+ } else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "current time after valid time\n");
+ certStatus = CERT_STATUS_EXPIRED;
+ }else {
+ plog(LLV_INFO, LOCATION, NULL, "certificate expiration date OK\n");
+ certStatus = CERT_STATUS_OK;
+ }
+ }
+ }
+
+ if (notvalidbeforedatedata)
+ CFRelease(notvalidbeforedatedata);
+ if (notvalidafterdatedata)
+ CFRelease(notvalidafterdatedata);
+ if (certProparray)
+ CFRelease(certProparray);
+ if (nowcfdatedata)
+ CFRelease(nowcfdatedata);
#endif
+ return certStatus;
+}
+
+/*
+ * Verify cert using security framework
+ */
+#if TARGET_OS_EMBEDDED
+int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef)
+#else
+int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname)
+#endif
+{
+ cert_t *p;
+ cert_status_t certStatus = 0;
+ OSStatus status;
+ CFIndex certArrayRefNumValues = 0;
+ CFIndex n = 0;
+ int certArraySiz;
+ SecCertificateRef *certArrayRef = NULL;
+ SecPolicyRef policyRef = crypto_cssm_x509cert_get_SecPolicyRef(hostname);
+
+ if (!hostcert || !certchain) {
+ return -1;
+ }
+
+ // find the total number of certs
+ for (p = certchain; p; p = p->chain, n++);
+ if (n> 1) {
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "%s: checking chain of %d certificates.\n", __FUNCTION__, n);
+ }
+
+ certArraySiz = n * sizeof(CFTypeRef);
+ certArrayRef = CFAllocatorAllocate(NULL, certArraySiz, 0);
+ if (!certArrayRef) {
+ return -1;
+ }
+ bzero(certArrayRef, certArraySiz);
+ if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_get_SecCertificateRef(&hostcert->cert))) {
+ /* don't overwrite any pending status */
+ if (!hostcert->status) {
+ hostcert->status = crypto_cssm_check_x509cert_dates(certArrayRef[certArrayRefNumValues]);
+ if (hostcert->status) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "host certificate failed date verification: %d.\n", hostcert->status);
+ certStatus = hostcert->status;
+ }
+ }
+ certArrayRefNumValues++;
+ }
+ for (p = certchain; p && certArrayRefNumValues < n; p = p->chain) {
+ if (p != hostcert) {
+ if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_get_SecCertificateRef(&p->cert))) {
+ /* don't overwrite any pending status */
+ if (!p->status) {
+ p->status = crypto_cssm_check_x509cert_dates(certArrayRef[certArrayRefNumValues]);
+ if (p->status) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "other certificate in chain failed date verification: %d.\n", p->status);
+ if (!certStatus) {
+ certStatus = p->status;
+ }
+ }
+ }
+ certArrayRefNumValues++;
+ }
+ }
+ }
// evaluate cert
- status = EvaluateCert(certRef, policyRef);
+#if TARGET_OS_EMBEDDED
+ status = EvaluateCert(certArrayRef, certArrayRefNumValues, policyRef, publicKeyRef);
+#else
+ status = EvaluateCert(certArrayRef, certArrayRefNumValues, policyRef);
+#endif
+
+ while (certArrayRefNumValues) {
+ CFRelease(certArrayRef[--certArrayRefNumValues]);
+ }
+ CFAllocatorDeallocate(NULL, certArrayRef);
-end:
-
- if (certRef)
- CFRelease(certRef);
if (policyRef)
CFRelease(policyRef);
if (status != noErr && status != -1) {
plog(LLV_ERROR, LOCATION, NULL,
- "error %d %s.\n", status, GetSecurityErrorString(status));
+ "error %d %s.\n", status, GetSecurityErrorString(status));
status = -1;
- } else if (certStatus) {
- plog(LLV_ERROR, LOCATION, NULL,
- "certificate failed date verification: %d.\n", certStatus);
+ } else if (certStatus == CERT_STATUS_PREMATURE || certStatus == CERT_STATUS_EXPIRED) {
status = -1;
}
return status;
+
+}
+#if TARGET_OS_EMBEDDED
+int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature)
+{
+ return SecKeyRawVerify(publicKeyRef, kSecPaddingPKCS1, hash->v, hash->l, signature->v, signature->l);
}
+#endif
/*
* Encrypt a hash via CSSM using the private key in the keychain
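Review bot: crypto_cssm_check_x509cert obtains `policyRef` at L1513 before the argument check at L1515 and the allocation check at L1528, so both early `return -1;` paths leak the SecPolicyRef; move the `SecPolicyRef policyRef = crypto_cssm_x509cert_get_SecPolicyRef(hostname);` call below the `!hostcert || !certchain` test and let the allocation failure reach the existing `if (policyRef) CFRelease(policyRef);` cleanup instead of returning directly. In crypto_cssm_check_x509cert_dates the `CFDictionaryContainsValue(propDict, kSecPropertyTypeDate)` guard that the replaced code had is gone, so L1440 and L1447 now hand whatever value carries the matching label to CFDateGetAbsoluteTime on the strength of the label string alone. Because the expiry comparison at L1474 is nested inside `if ( notvalidbeforedatedata )`, a certificate whose property list yields no "Not Valid Before" entry returns CERT_STATUS_OK without its "Not Valid After" date ever being compared against the current time. Separately, `n` is a CFIndex but is printed with `%d` at L1523; `"%s: checking chain of %ld certificates.\n", __FUNCTION__, (long)n` matches the type.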
vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash)
{
- OSStatus status;
+ OSStatus status = -1;
SecIdentityRef identityRef = NULL;
SecKeyRef privateKeyRef = NULL;
vchar_t *sig = NULL;
#if !TARGET_OS_EMBEDDED
- u_int32_t bytesEncrypted = 0;
+ CSSM_SIZE bytesEncrypted = 0;
SecCertificateRef certificateRef = NULL;
SecIdentitySearchRef idSearchRef = NULL;
SecKeychainRef keychainRef = NULL;
CSSM_CSP_HANDLE cspHandle = nil;
CSSM_CC_HANDLE cssmContextHandle = nil;
const CSSM_ACCESS_CREDENTIALS *credentials = NULL;
- //CSSM_SIZE bytesEncrypted = 0; //%%%%HWR fix this - need new headers on Leopard
CSSM_DATA clearData;
CSSM_DATA cipherData;
CSSM_DATA remData;
cert_status_t *certStatus)
{
- OSStatus status;
+ OSStatus status = -1;
vchar_t *cert = NULL;
SecIdentityRef identityRef = NULL;
SecCertificateRef certificateRef = NULL;
const void *values_persist[] = { kCFBooleanTrue, persistentCertRef };
size_t dataLen;
CFDataRef certData = NULL;
- CFAbsoluteTime timeNow = 0;
- CFAbsoluteTime notvalidbeforedate = 0;
- CFAbsoluteTime notvalidafterdate = 0;
- CFDateRef nowcfdatedata = NULL;
- CFDateRef notvalidbeforedatedata = NULL;
- CFDateRef notvalidafterdatedata = NULL;
- CFArrayRef certProparray = NULL;
- CFRange range;
- CFDictionaryRef *values = NULL;
- CFDictionaryRef propDict = NULL;
- const void *datevalue = NULL;
- const void *labelvalue = NULL;
- CFGregorianDate gregoriandate;
- int count;
- int i;
/* find identity by persistent ref */
persistFind = CFDictionaryCreate(NULL, keys_persist, values_persist,
- (sizeof(keys_persist) / sizeof(*keys_persist)), NULL, NULL);
+ (sizeof(keys_persist) / sizeof(*keys_persist)), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
if (persistFind == NULL)
goto end;
// verify expiry or missing fields
if (certStatus) {
-
- *certStatus = CERT_STATUS_OK;
-
- if ((certProparray = SecCertificateCopyProperties(certificateRef))){
- if ((count = CFArrayGetCount( certProparray ))){
- range.location = 0;
- range.length = count;
- if ( (values = CFAllocatorAllocate(NULL, count * sizeof(CFDictionaryRef), 0))){
- CFArrayGetValues(certProparray, range, (const void **)values);
- for( i = 0; i < count; i++)
- {
- if ((propDict = values[i])){
- if ( CFDictionaryContainsValue(propDict, kSecPropertyTypeDate) ){
- if ( CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyValue, (const void**)&datevalue)){
- /* get kSecPropertyKeyLabel */
- if ( (datevalue) && (CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyLabel, (const void**)&labelvalue))){
- if ( (labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid Before"), 0) == kCFCompareEqualTo)){
- if ( notvalidbeforedate = CFDateGetAbsoluteTime(datevalue))
- notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate);
- }else if ((labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid After"), 0 ) == kCFCompareEqualTo)){
- if ( notvalidafterdate = CFDateGetAbsoluteTime(datevalue))
- notvalidafterdatedata = CFDateCreate(NULL, notvalidafterdate);
- }
- }
- }
- }
- }
-
- }
- }
- }
- }
-
- if ( (timeNow = CFAbsoluteTimeGetCurrent()) && (nowcfdatedata = CFDateCreate( NULL, timeNow))){
- if ( notvalidbeforedatedata ){
- gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidbeforedate, NULL);
- plog(LLV_DEBUG, LOCATION, NULL,
- "cert not valid before yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute);
- gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidafterdate, NULL);
- plog(LLV_DEBUG, LOCATION, NULL,
- "cert not valid after yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute);
- if ( CFDateCompare( nowcfdatedata, notvalidbeforedatedata, NULL ) == kCFCompareLessThan){
- plog(LLV_ERROR, LOCATION, NULL,
- "current time before valid time\n");
- *certStatus = CERT_STATUS_PREMATURE;
- }
- else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){
- plog(LLV_ERROR, LOCATION, NULL,
- "current time after valid time\n");
- *certStatus = CERT_STATUS_EXPIRED;
- }else {
- plog(LLV_INFO, LOCATION, NULL, "certificate expiration date OK\n");
- *certStatus = CERT_STATUS_OK;
- }
-
- }
-
- }
+ *certStatus = crypto_cssm_check_x509cert_dates(certificateRef);
}
#endif
if (keychainRef)
CFRelease(keychainRef);
#else
- if (notvalidbeforedatedata)
- CFRelease(notvalidbeforedatedata);
- if (notvalidafterdatedata)
- CFRelease(notvalidafterdatedata);
- if (certProparray)
- CFRelease(certProparray);
- if (values)
- CFAllocatorDeallocate(NULL, values);
- if (nowcfdatedata)
- CFRelease(nowcfdatedata);
if (persistFind)
CFRelease(persistFind);
if (certData)
/*
* Evaluate the trust of a cert using the policy provided
*/
-static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef)
+#if TARGET_OS_EMBEDDED
+static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef)
+#else
+static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef)
+
+#endif
{
OSStatus status;
SecTrustRef trustRef = 0;
CFArrayRef certChain;
#endif
- SecCertificateRef evalCertArray[1] = { cert };
-
- CFArrayRef cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, 1,
+ CFArrayRef cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, evalCertArrayNumValues,
&kCFTypeArrayCallBacks);
if (!cfCertRef) {
#endif
status = -1;
+ goto end;
}
+#if TARGET_OS_EMBEDDED
+ /* get and return the public key */
+ *publicKeyRef = SecTrustCopyPublicKey(trustRef);
+#endif
+
end:
if (cfCertRef)
CFRelease(cfCertRef);
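Review bot: `*publicKeyRef = SecTrustCopyPublicKey(trustRef);` at L1759 writes through the out-parameter without a NULL check, and SecTrustCopyPublicKey can itself return NULL, which the caller cannot tell apart from "never written" unless it pre-initialised its pointer; the `goto end` paths above this line leave `*publicKeyRef` untouched. Suggest `if (publicKeyRef) *publicKeyRef = SecTrustCopyPublicKey(trustRef);` and a sentence in the function's header comment stating that the key is only stored when evaluation succeeds and that the caller owns the reference and must CFRelease it. EvaluateCert's body begins in an earlier hunk, so whether the caller's pointer is initialised cannot be confirmed from here.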
#include "vmbuf.h"
#include <CoreFoundation/CoreFoundation.h>
-
-
-extern int crypto_cssm_check_x509cert(vchar_t *cert, CFStringRef hostname, cert_status_t certStatus);
+#include <Security/SecBase.h>
+
+#if TARGET_OS_EMBEDDED
+extern int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef);
+extern int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature);
+#else
+extern int crypto_cssm_check_x509cert(cert_t *hostcert, cert_t *certchain, CFStringRef hostname);
+#endif
+extern SecCertificateRef crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert);
extern vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash);
extern vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, cert_status_t *certStatus);
-
+extern const char *GetSecurityErrorString(OSStatus err);
#endif /* __CRYPTO_CSSM_H__ */
#include "config.h"
-#ifdef __APPLE__
#define COMMON_DIGEST_FOR_OPENSSL 1
-#endif
#include <sys/types.h>
#include <sys/param.h>
#include <limits.h>
#include <string.h>
+#ifdef HAVE_OPENSSL
/* get openssl/ssleay version number */
#include <openssl/opensslv.h>
#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090602fL)
#error OpenSSL version 0.9.6 or later required.
#endif
-
#include <openssl/pem.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
#include <openssl/bn.h>
#include <openssl/dh.h>
-#ifdef __APPLE__
-#include <CommonCrypto/CommonDigest.h>
-#include <CommonCrypto/CommonHMAC.h>
-#include <CommonCrypto/CommonCryptor.h>
-#else
-#include <openssl/md5.h>
-#include <openssl/sha.h>
-#include <openssl/hmac.h>
-#endif
#include <openssl/des.h>
#include <openssl/crypto.h>
#ifdef HAVE_OPENSSL_ENGINE_H
#include <openssl/aes.h>
#elif defined(HAVE_OPENSSL_RIJNDAEL_H)
#include <openssl/rijndael.h>
-#else
-#include "crypto/rijndael/rijndael-api-fst.h"
-#endif
-#ifdef WITH_SHA2
-#ifndef __APPLE__
-#ifdef HAVE_OPENSSL_SHA2_H
-#include <openssl/sha2.h>
-#endif
-#endif
#endif
+#else /* HAVE_OPENSSL */
+#include <Security/SecDH.h>
+#include <Security/SecRandom.h>
+#endif /* HAVE_OPENSSL */
+
+#include <CommonCrypto/CommonDigest.h>
+#include <CommonCrypto/CommonHMAC.h>
+#include <CommonCrypto/CommonCryptor.h>
+#ifdef HAVE_OPENSSL
/* 0.9.7 stuff? */
#if OPENSSL_VERSION_NUMBER < 0x0090700fL
typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
#endif
#define OpenSSL_BUG() do { plog(LLV_ERROR, LOCATION, NULL, "OpenSSL function failed\n"); } while(0)
+#endif
+#include "crypto_openssl.h"
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
-#include "crypto_openssl.h"
#include "debug.h"
#include "gcmalloc.h"
* necessary for SSLeay/OpenSSL portability. It sucks.
*/
+#ifdef HAVE_OPENSSL
static int cb_check_cert_local __P((int, X509_STORE_CTX *));
static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
static X509 *mem2x509 __P((vchar_t *));
-
-#ifdef __APPLE__
-static caddr_t eay_hmac_init __P((vchar_t *, CCHmacAlgorithm));
-#else
-static caddr_t eay_hmac_init __P((vchar_t *, const EVP_MD *));
#endif
+static caddr_t eay_hmac_init __P((vchar_t *, CCHmacAlgorithm));
+
+#ifdef HAVE_OPENSSL
/* X509 Certificate */
/*
* convert the string of the subject name into DER
return NULL;
}
-#ifdef __APPLE__
-
/*
* Get the common name from a cert
*/
return error;
}
-#else /* __APPLE__ */
-
-/*
- * get the subjectAltName from X509 certificate.
- * the name must be terminated by '\0'.
- */
-int
-eay_get_x509subjectaltname(cert, altname, type, pos)
- vchar_t *cert;
- char **altname;
- int *type;
- int pos;
-{
- X509 *x509 = NULL;
- GENERAL_NAMES *gens = NULL;
- GENERAL_NAME *gen;
- int len;
- int error = -1;
-
- *altname = NULL;
- *type = GENT_OTHERNAME;
-
- x509 = mem2x509(cert);
- if (x509 == NULL)
- goto end;
-
- gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
- if (gens == NULL)
- goto end;
-
- /* there is no data at "pos" */
- if (pos > sk_GENERAL_NAME_num(gens))
- goto end;
-
- gen = sk_GENERAL_NAME_value(gens, pos - 1);
-
- /* read DNSName / Email */
- if (gen->type == GEN_DNS ||
- gen->type == GEN_EMAIL ||
- gen->type == GEN_URI )
- {
- /* make sure if the data is terminated by '\0'. */
- if (gen->d.ia5->data[gen->d.ia5->length] != '\0')
- {
- plog(LLV_ERROR, LOCATION, NULL,
- "data is not terminated by NUL.");
- hexdump(gen->d.ia5->data, gen->d.ia5->length + 1);
- goto end;
- }
-
- len = gen->d.ia5->length + 1;
- *altname = racoon_malloc(len);
- if (!*altname)
- goto end;
-
- strlcpy(*altname, (char *) gen->d.ia5->data, len);
- *type = gen->type;
- error = 0;
- }
- /* read IP address */
- else if (gen->type == GEN_IPADD)
- {
- unsigned char p[5], *ip;
- const int maxaltnamelen = 20;
- ip = p;
-
- /* only support IPv4 */
- if (gen->d.ip->length != 4)
- goto end;
-
- /* convert Octet String to String
- * XXX ???????
- */
- /*i2d_ASN1_OCTET_STRING(gen->d.ip,&ip);*/
- ip = gen->d.ip->data;
-
- /* XXX Magic, enough for an IPv4 address
- */
- *altname = racoon_malloc(maxaltnamelen);
- if (!*altname)
- goto end;
-
- snprintf(*altname, maxaltnamelen, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
- *type = gen->type;
- error = 0;
- }
- /* XXX other possible types ?
- * For now, error will be -1 if unsupported type
- */
-
-end:
- if (error) {
- if (*altname) {
- racoon_free(*altname);
- *altname = NULL;
- }
- plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
- }
- if (x509)
- X509_free(x509);
- if (gens)
- /* free the whole stack. */
- sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
-
- return error;
-}
-
-#endif
-
/*
* decode a X509 certificate and make a readable text terminated '\n'.
* return the buffer allocated, so must free it later.
return EVP_CIPHER_key_length(e) << 3;
}
+#endif /* HAVE_OPENSSL */
vchar_t *
eay_CCCrypt(CCOperation oper,
eay_des_encrypt(data, key, iv)
vchar_t *data, *key, *iv;
{
-#ifdef __APPLE__
return(eay_CCCrypt(kCCEncrypt, kCCAlgorithmDES, 0 /* CBC */, data, key, iv));
-#else
- return evp_crypt(data, key, iv, EVP_des_cbc(), 1);
-#endif /* __APPLE__ */
}
vchar_t *
eay_des_decrypt(data, key, iv)
vchar_t *data, *key, *iv;
{
-#ifdef __APPLE__
return(eay_CCCrypt(kCCDecrypt, kCCAlgorithmDES, 0 /* CBC */, data, key, iv));
-#else
- return evp_crypt(data, key, iv, EVP_des_cbc(), 0);
-#endif /* __APPLE__ */
}
int
eay_des_weakkey(key)
vchar_t *key;
{
+#ifdef HAVE_OPENSSL
#ifdef USE_NEW_DES_API
return DES_is_weak_key((void *)key->v);
#else
return des_is_weak_key((void *)key->v);
#endif
+#else
+ return 0;
+#endif
}
int
eay_des_keylen(len)
int len;
{
-#ifdef __APPLE__
/* CommonCrypto return lengths in bytes, ipsec-tools
* uses lengths in bits, therefore conversion is required.
*/
return -1;
return kCCKeySizeDES << 3;
-#else
- return evp_keylen(len, EVP_des_cbc());
-#endif /* __APPLE__ */
}
#ifdef HAVE_OPENSSL_IDEA_H
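Review bot: With HAVE_OPENSSL undefined, eay_des_weakkey at L2026-2028 returns 0 unconditionally, so the DES weak/semi-weak key rejection that the OpenSSL build performs via DES_is_weak_key is silently disabled on the CommonCrypto build; eay_3des_weakkey at L2087-2089 has the same gap for all three sub-keys. CommonCrypto offers no equivalent, so the check should be implemented locally — the DES weak and semi-weak keys are a small fixed set that can live in a static table and be compared after masking the parity bits — or, failing that, the stub needs a visible marker such as `/* XXX no weak-key check without OpenSSL: every DES key is accepted */` so callers do not assume the key was vetted.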
}
#endif
+#ifdef HAVE_OPENSSL
/*
* BLOWFISH-CBC
*/
return -1;
return len;
}
+#endif
#ifdef HAVE_OPENSSL_RC5_H
/*
eay_3des_encrypt(data, key, iv)
vchar_t *data, *key, *iv;
{
-#ifdef __APPLE__
return(eay_CCCrypt(kCCEncrypt, kCCAlgorithm3DES, 0 /* CBC */, data, key, iv));
-#else
- return evp_crypt(data, key, iv, EVP_des_ede3_cbc(), 1);
-#endif /* __APPLE__ */
}
vchar_t *
eay_3des_decrypt(data, key, iv)
vchar_t *data, *key, *iv;
{
-#ifdef __APPLE__
return(eay_CCCrypt(kCCDecrypt, kCCAlgorithm3DES, 0 /* CBC */, data, key, iv));
-#else
- return evp_crypt(data, key, iv, EVP_des_ede3_cbc(), 0);
-#endif /* __APPLE__ */
}
int
eay_3des_weakkey(key)
vchar_t *key;
{
+#ifdef HAVE_OPENSSL
#ifdef USE_NEW_DES_API
return (DES_is_weak_key((void *)key->v) ||
DES_is_weak_key((void *)(key->v + 8)) ||
des_is_weak_key((void *)(key->v + 8)) ||
des_is_weak_key((void *)(key->v + 16)));
#endif
+#else /* HAVE_OPENSSL */
+ return 0;
+#endif
+
}
int
eay_3des_keylen(len)
int len;
{
-#ifdef __APPLE__
/* CommonCrypto return lengths in bytes, ipsec-tools
* uses lengths in bits, therefore conversion is required.
*/
return -1;
return kCCKeySize3DES << 3;
-#else
- if (len != 0 && len != 192)
- return -1;
- return 192;
-#endif /* __APPLE__ */
}
+#ifdef HAVE_OPENSSL
/*
* CAST-CBC
*/
return -1;
return len;
}
+#endif
/*
* AES(RIJNDAEL)-CBC
*/
-#ifdef __APPLE__
vchar_t *
eay_aes_encrypt(data, key, iv)
vchar_t *data, *key, *iv;
return len;
}
-#else
-
-#ifndef HAVE_OPENSSL_AES_H
-vchar_t *
-eay_aes_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- keyInstance k;
- cipherInstance c;
-
- memset(&k, 0, sizeof(k));
- if (rijndael_makeKey(&k, DIR_ENCRYPT, key->l << 3, key->v) < 0)
- return NULL;
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* encryption data */
- memset(&c, 0, sizeof(c));
- if (rijndael_cipherInit(&c, MODE_CBC, iv->v) < 0){
- vfree(res);
- return NULL;
- }
- if (rijndael_blockEncrypt(&c, &k, data->v, data->l << 3, res->v) < 0){
- vfree(res);
- return NULL;
- }
-
- return res;
-}
-
-vchar_t *
-eay_aes_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- keyInstance k;
- cipherInstance c;
-
- memset(&k, 0, sizeof(k));
- if (rijndael_makeKey(&k, DIR_DECRYPT, key->l << 3, key->v) < 0)
- return NULL;
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* decryption data */
- memset(&c, 0, sizeof(c));
- if (rijndael_cipherInit(&c, MODE_CBC, iv->v) < 0){
- vfree(res);
- return NULL;
- }
- if (rijndael_blockDecrypt(&c, &k, data->v, data->l << 3, res->v) < 0){
- vfree(res);
- return NULL;
- }
-
- return res;
-}
-#else
-static inline const EVP_CIPHER *
-aes_evp_by_keylen(int keylen)
-{
- switch(keylen) {
- case 16:
- case 128:
- return EVP_aes_128_cbc();
- case 24:
- case 192:
- return EVP_aes_192_cbc();
- case 32:
- case 256:
- return EVP_aes_256_cbc();
- default:
- return NULL;
- }
-}
-
-vchar_t *
-eay_aes_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, aes_evp_by_keylen(key->l), 1);
-}
-
-vchar_t *
-eay_aes_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, aes_evp_by_keylen(key->l), 0);
-}
-#endif /* HAVE_OPENSSL_AES_H */
-
-int
-eay_aes_keylen(len)
- int len;
-{
- if (len == 0)
- return 128;
- if (len != 128 && len != 192 && len != 256)
- return -1;
- return len;
-}
-#endif /* __APPLE__ */
int
eay_aes_weakkey(key)
return 0;
}
+#ifdef HAVE_OPENSSL
int
eay_kpdk_hashlen()
{
return -1;
return len;
}
+#endif
int
eay_null_keylen(len)
/*
* HMAC functions
*/
-
-#ifdef __APPLE__
static caddr_t
eay_hmac_init(key, algorithm)
vchar_t *key;
return (caddr_t)c;
}
-#else
-static caddr_t
-eay_hmac_init(key, md)
- vchar_t *key;
- const EVP_MD *md;
-{
- HMAC_CTX *c = racoon_malloc(sizeof(*c));
-
- HMAC_Init(c, key->v, key->l, md);
-
- return (caddr_t)c;
-}
-#endif /* __APPLE__ */
#ifdef WITH_SHA2
/*
eay_hmacsha2_512_init(key)
vchar_t *key;
{
-#ifdef __APPLE__
return eay_hmac_init(key, kCCHmacAlgSHA512);
-#else
- return eay_hmac_init(key, EVP_sha2_512());
-#endif
}
void
caddr_t c;
vchar_t *data;
{
-#ifdef __APPLE__
CCHmacUpdate((CCHmacContext *)c, data->v, data->l);
-#else
- HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
-#endif
}
-#ifdef __APPLE__
vchar_t *
eay_hmacsha2_512_final(c)
caddr_t c;
(void)racoon_free(c);
return(res);
}
-#else
-vchar_t *
-eay_hmacsha2_512_final(c)
- caddr_t c;
-{
- vchar_t *res;
- unsigned int l;
-
- if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0)
- return NULL;
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
- HMAC_cleanup((HMAC_CTX *)c);
-
- (void)racoon_free(c);
-
- if (SHA512_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "hmac sha2_512 length mismatch %zd.\n", res->l);
- vfree(res);
- return NULL;
- }
-
- return(res);
-}
-#endif /* __APPLE__ */
/*
* HMAC SHA2-384
eay_hmacsha2_384_init(key)
vchar_t *key;
{
-#ifdef __APPLE__
return eay_hmac_init(key, kCCHmacAlgSHA384);
-#else
- return eay_hmac_init(key, EVP_sha2_384());
-#endif
}
void
caddr_t c;
vchar_t *data;
{
-#ifdef __APPLE__
CCHmacUpdate((CCHmacContext *)c, data->v, data->l);
-#else
- HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
-#endif
}
-#ifdef __APPLE__
vchar_t *
eay_hmacsha2_384_final(c)
caddr_t c;
(void)racoon_free(c);
return(res);
}
-#else
-vchar_t *
-eay_hmacsha2_384_final(c)
- caddr_t c;
-{
- vchar_t *res;
- unsigned int l;
-
- if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0)
- return NULL;
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
- HMAC_cleanup((HMAC_CTX *)c);
-
- (void)racoon_free(c);
-
- if (SHA384_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "hmac sha2_384 length mismatch %zd.\n", res->l);
- vfree(res);
- return NULL;
- }
-
- return(res);
-}
-#endif /* __APPLE__ */
/*
* HMAC SHA2-256
eay_hmacsha2_256_init(key)
vchar_t *key;
{
-#ifdef __APPLE__
return eay_hmac_init(key, kCCHmacAlgSHA256);
-#else
- return eay_hmac_init(key, EVP_sha2_256());
-#endif
}
void
caddr_t c;
vchar_t *data;
{
-#ifdef __APPLE__
CCHmacUpdate((CCHmacContext *)c, data->v, data->l);
-#else
- HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
-#endif
}
-#ifdef __APPLE__
vchar_t *
eay_hmacsha2_256_final(c)
caddr_t c;
(void)racoon_free(c);
return(res);
}
-#else
-vchar_t *
-eay_hmacsha2_256_final(c)
- caddr_t c;
-{
- vchar_t *res;
- unsigned int l;
-
- if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0)
- return NULL;
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
- HMAC_cleanup((HMAC_CTX *)c);
-
- (void)racoon_free(c);
-
- if (SHA256_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "hmac sha2_256 length mismatch %zd.\n", res->l);
- vfree(res);
- return NULL;
- }
-
- return(res);
-}
-#endif /* __APPLE__ */
#endif /* WITH_SHA2 */
/*
eay_hmacsha1_init(key)
vchar_t *key;
{
-#ifdef __APPLE__
return eay_hmac_init(key, kCCHmacAlgSHA1);
-#else
- return eay_hmac_init(key, EVP_sha1());
-#endif
}
void
caddr_t c;
vchar_t *data;
{
-#ifdef __APPLE__
CCHmacUpdate((CCHmacContext *)c, data->v, data->l);
-#else
- HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
-#endif
}
-#ifdef __APPLE__
vchar_t *
eay_hmacsha1_final(c)
caddr_t c;
(void)racoon_free(c);
return(res);
}
-#else
-vchar_t *
-eay_hmacsha1_final(c)
- caddr_t c;
-{
- vchar_t *res;
- unsigned int l;
-
- if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0)
- return NULL;
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
- HMAC_cleanup((HMAC_CTX *)c);
-
- (void)racoon_free(c);
-
- if (SHA_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "hmac sha1 length mismatch %zd.\n", res->l);
- vfree(res);
- return NULL;
- }
-
- return(res);
-}
-#endif /* __APPLE__ */
/*
* HMAC MD5
eay_hmacmd5_init(key)
vchar_t *key;
{
-#ifdef __APPLE__
return eay_hmac_init(key, kCCHmacAlgMD5);
-#else
- return eay_hmac_init(key, EVP_md5());
-#endif
}
void
caddr_t c;
vchar_t *data;
{
-#ifdef __APPLE__
CCHmacUpdate((CCHmacContext *)c, data->v, data->l);
-#else
- HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
-#endif
}
-#ifdef __APPLE__
vchar_t *
eay_hmacmd5_final(c)
caddr_t c;
return(res);
}
-#else
-vchar_t *
-eay_hmacmd5_final(c)
- caddr_t c;
-{
- vchar_t *res;
- unsigned int l;
-
- if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0)
- return NULL;
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
- HMAC_cleanup((HMAC_CTX *)c);
-
- (void)racoon_free(c);
-
- if (MD5_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "hmac md5 length mismatch %zd.\n", res->l);
- vfree(res);
- return NULL;
- }
-
- return(res);
-}
-#endif /* __APPLE__ */
#ifdef WITH_SHA2
/*
* SHA2-384 functions
*/
-#ifdef __APPLE__
typedef SHA512_CTX SHA384_CTX;
-#endif
caddr_t
eay_sha2_384_init()
return MD5_DIGEST_LENGTH << 3;
}
+
+#ifdef HAVE_OPENSSL
/*
* eay_set_random
* size: number of bytes.
BN_free(r);
return(res);
}
+#else
+vchar_t *
+eay_set_random(u_int32_t size)
+{
+ vchar_t *res = vmalloc(size);
+
+ if (res == NULL)
+ return NULL;
+
+ if (SecRandomCopyBytes(kSecRandomDefault, size, res->v)) {
+ vfree(res);
+ return NULL;
+ }
+
+ return res;
+}
+#endif
+#ifdef HAVE_OPENSSL
/* DH */
int
eay_dh_generate(prime, g, publen, pub, priv)
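Review bot: The CommonCrypto fallback `eay_set_random` at the top of this hunk returns NULL on a failed `SecRandomCopyBytes` without any diagnostic, so a failing system RNG during nonce or key generation is indistinguishable from an allocation failure further up the stack. Every other failure path in this file reports through plog, so I would add `plog(LLV_ERROR, LOCATION, NULL, "SecRandomCopyBytes failed\n");` before the `vfree(res)`. The zero-on-success convention of SecRandomCopyBytes makes the existing `if (...)` test correct as written. Note this `#else` branch only compiles in builds where HAVE_OPENSSL is undefined, so the OpenSSL build never exercises it and a short comment on the function saying so would help the next reader.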
return rsa_pub;
}
+#endif /* HAVE_OPENSSL */
u_int32_t
eay_random()
return result;
}
+#ifdef HAVE_OPENSSL
const char *
eay_version()
{
return SSLeay_version(SSLEAY_VERSION);
}
+#endif
\ No newline at end of file
#ifndef _CRYPTO_OPENSSL_H
#define _CRYPTO_OPENSSL_H
+#include "vmbuf.h"
#include "crypto_openssl.h"
-
+#ifdef HAVE_OPENSSL
#include <openssl/x509v3.h>
#include <openssl/rsa.h>
extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *));
extern int eay_check_x509cert __P((vchar_t *, char *, char *, int));
extern vchar_t *eay_get_x509asn1subjectname __P((vchar_t *));
-#ifdef __APPLE__
extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int, int*));
extern vchar_t *eay_get_x509_common_name __P((vchar_t *));
-#else
-extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int));
-#endif
extern char *eay_get_x509text __P((vchar_t *));
extern vchar_t *eay_get_x509cert __P((char *));
extern vchar_t *eay_get_x509sign __P((vchar_t *, vchar_t *));
const EVP_CIPHER *e, int enc));
extern int evp_weakkey __P((vchar_t *key, const EVP_CIPHER *e));
extern int evp_keylen __P((int len, const EVP_CIPHER *e));
+#endif /* HAVE_OPENSSL */
/* DES */
extern vchar_t *eay_des_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_des_weakkey __P((vchar_t *));
extern int eay_des_keylen __P((int));
+#ifdef HAVE_OPENSSL
/* IDEA */
extern vchar_t *eay_idea_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_idea_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_rc5_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_rc5_weakkey __P((vchar_t *));
extern int eay_rc5_keylen __P((int));
+#endif /* HAVE_OPENSSL */
/* 3DES */
extern vchar_t *eay_3des_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_3des_weakkey __P((vchar_t *));
extern int eay_3des_keylen __P((int));
+#ifdef HAVE_OPENSSL
/* CAST */
extern vchar_t *eay_cast_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_cast_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_cast_weakkey __P((vchar_t *));
extern int eay_cast_keylen __P((int));
+#endif
/* AES(RIJNDAEL) */
extern vchar_t *eay_aes_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
/* misc */
extern int eay_null_keylen __P((int));
extern int eay_null_hashlen __P((void));
+#ifdef HAVE_OPENSSL
extern int eay_kpdk_hashlen __P((void));
extern int eay_twofish_keylen __P((int));
+#endif
/* hash */
#if defined(WITH_SHA2)
extern int eay_dh_generate __P((vchar_t *, u_int32_t, u_int, vchar_t **, vchar_t **));
extern int eay_dh_compute __P((vchar_t *, u_int32_t, vchar_t *, vchar_t *, vchar_t *, vchar_t **));
+#ifdef HAVE_OPENSSL
/* Base 64 */
vchar_t *base64_encode(char *in, long inlen);
vchar_t *base64_decode(char *in, long inlen);
RSA *base64_pubkey2rsa(char *in);
RSA *bignum_pubkey2rsa(BIGNUM *in);
+#endif
/* misc */
+#ifdef HAVE_OPENSSL
extern int eay_revbnl __P((vchar_t *));
#include <openssl/bn.h>
extern int eay_v2bn __P((BIGNUM **, vchar_t *));
extern int eay_bn2v __P((vchar_t **, BIGNUM *));
extern const char *eay_version __P((void));
+#endif
#define CBC_BLOCKLEN 8
#define IPSEC_ENCRYPTKEYLEN 8
printf("\n");
vfree(vstr);
-#ifdef __APPLE__
/* print subject alt name */
{
int pos;
racoon_free(str);
}
}
-#else
- /* print subject alt name */
- {
- int pos;
- for (pos = 1; ; pos++) {
- error = eay_get_x509subjectaltname(&c, &str, &type, pos);
- if (error) {
- printf("no subjectaltname found.\n");
- break;
- }
- if (!str)
- break;
- printf("SubjectAltName: %d: %s\n", type, str);
- racoon_free(str);
- }
- }
-#endif
/* NULL => name of the certificate file */
error = eay_check_x509cert(&c, certpath, NULL, 1);
#include <sys/ioctl.h>
#include <net/if.h>
-#if defined(__FreeBSD__) && __FreeBSD__ >= 3
#include <net/if_var.h>
-#endif
-#if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__APPLE__)
#include <netinet/in.h>
#include <netinet6/in6_var.h>
-#endif
#include <net/route.h>
#include <stdlib.h>
#include "gcmalloc.h"
#include "nattraversal.h"
-#ifdef __linux__
-#include <linux/types.h>
-#include <linux/rtnetlink.h>
-#ifndef HAVE_GETIFADDRS
-#define HAVE_GETIFADDRS
-#define NEED_LINUX_GETIFADDRS
-#endif
-#endif
-
#ifndef HAVE_GETIFADDRS
static unsigned int if_maxindex __P((void));
#endif
static int suitable_ifaddr6 __P((const char *, const struct sockaddr *));
#endif
-#ifdef NEED_LINUX_GETIFADDRS
-
-/* We could do this _much_ better. kame racoon in its current form
- * will esentially die at frequent changes of address configuration.
- */
-
-struct ifaddrs
-{
- struct ifaddrs *ifa_next;
- char ifa_name[16];
- int ifa_ifindex;
- struct sockaddr *ifa_addr;
- struct sockaddr_storage ifa_addrbuf;
-};
-
-static int parse_rtattr(struct rtattr *tb[], int max, struct rtattr *rta, int len)
-{
- while (RTA_OK(rta, len)) {
- if (rta->rta_type <= max)
- tb[rta->rta_type] = rta;
- rta = RTA_NEXT(rta,len);
- }
- return 0;
-}
-
-static void recvaddrs(int fd, struct ifaddrs **ifa, __u32 seq)
-{
- char buf[8192];
- struct sockaddr_nl nladdr;
- struct iovec iov = { buf, sizeof(buf) };
- struct ifaddrmsg *m;
- struct rtattr * rta_tb[IFA_MAX+1];
- struct ifaddrs *I;
-
- while (1) {
- int status;
- struct nlmsghdr *h;
-
- struct msghdr msg = {
- (void*)&nladdr, sizeof(nladdr),
- &iov, 1,
- NULL, 0,
- 0
- };
-
- status = recvmsg(fd, &msg, 0);
-
- if (status < 0)
- continue;
-
- if (status == 0)
- return;
-
- if (nladdr.nl_pid) /* Message not from kernel */
- continue;
-
- h = (struct nlmsghdr*)buf;
- while (NLMSG_OK(h, status)) {
- if (h->nlmsg_seq != seq)
- goto skip_it;
-
- if (h->nlmsg_type == NLMSG_DONE)
- return;
-
- if (h->nlmsg_type == NLMSG_ERROR)
- return;
-
- if (h->nlmsg_type != RTM_NEWADDR)
- goto skip_it;
-
- m = NLMSG_DATA(h);
-
- if (m->ifa_family != AF_INET &&
- m->ifa_family != AF_INET6)
- goto skip_it;
-
- if (m->ifa_flags&IFA_F_TENTATIVE)
- goto skip_it;
-
- memset(rta_tb, 0, sizeof(rta_tb));
- parse_rtattr(rta_tb, IFA_MAX, IFA_RTA(m), h->nlmsg_len - NLMSG_LENGTH(sizeof(*m)));
-
- if (rta_tb[IFA_LOCAL] == NULL)
- rta_tb[IFA_LOCAL] = rta_tb[IFA_ADDRESS];
- if (rta_tb[IFA_LOCAL] == NULL)
- goto skip_it;
-
- I = malloc(sizeof(struct ifaddrs));
- if (!I)
- return;
- memset(I, 0, sizeof(*I));
-
- I->ifa_ifindex = m->ifa_index;
- I->ifa_addr = (struct sockaddr*)&I->ifa_addrbuf;
- I->ifa_addr->sa_family = m->ifa_family;
- if (m->ifa_family == AF_INET) {
- struct sockaddr_in *sin = (void*)I->ifa_addr;
- memcpy(&sin->sin_addr, RTA_DATA(rta_tb[IFA_LOCAL]), 4);
- } else {
- struct sockaddr_in6 *sin = (void*)I->ifa_addr;
- memcpy(&sin->sin6_addr, RTA_DATA(rta_tb[IFA_LOCAL]), 16);
- if (IN6_IS_ADDR_LINKLOCAL(&sin->sin6_addr))
- sin->sin6_scope_id = I->ifa_ifindex;
- }
- I->ifa_next = *ifa;
- *ifa = I;
-
-skip_it:
- h = NLMSG_NEXT(h, status);
- }
- if (msg.msg_flags & MSG_TRUNC)
- continue;
- }
- return;
-}
-
-static int getifaddrs(struct ifaddrs **ifa0)
-{
- struct {
- struct nlmsghdr nlh;
- struct rtgenmsg g;
- } req;
- struct sockaddr_nl nladdr;
- static __u32 seq;
- struct ifaddrs *i;
- int fd;
-
- fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
- if (fd < 0)
- return -1;
-
- memset(&nladdr, 0, sizeof(nladdr));
- nladdr.nl_family = AF_NETLINK;
-
- req.nlh.nlmsg_len = sizeof(req);
- req.nlh.nlmsg_type = RTM_GETADDR;
- req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
- req.nlh.nlmsg_pid = 0;
- req.nlh.nlmsg_seq = ++seq;
- req.g.rtgen_family = AF_UNSPEC;
-
- if (sendto(fd, (void*)&req, sizeof(req), 0, (struct sockaddr*)&nladdr, sizeof(nladdr)) < 0) {
- close(fd);
- return -1;
- }
-
- *ifa0 = NULL;
-
- recvaddrs(fd, ifa0, seq);
-
- close(fd);
-
- fd = socket(AF_INET, SOCK_DGRAM, 0);
-
- for (i=*ifa0; i; i = i->ifa_next) {
- struct ifreq ifr;
- ifr.ifr_ifindex = i->ifa_ifindex;
- ioctl(fd, SIOCGIFNAME, (void*)&ifr);
- memcpy(i->ifa_name, ifr.ifr_name, 16);
- }
- close(fd);
-
- return 0;
-}
-
-static void freeifaddrs(struct ifaddrs *ifa0)
-{
- struct ifaddrs *i;
-
- while (ifa0) {
- i = ifa0;
- ifa0 = i->ifa_next;
- free(i);
- }
-}
-
-#endif
-
#ifndef HAVE_GETIFADDRS
static unsigned int
if_maxindex()
const char *ifname;
const struct sockaddr *ifaddr;
{
-#ifdef ENABLE_HYBRID
+#if 0 //we need to be able to do nested ipsec for BTMM... stub out ifdef ENABLE_HYBRID
/* Exclude any address we got through ISAKMP mode config */
if (exclude_cfg_addr(ifaddr) == 0)
return 0;
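Review bot: Replacing `#ifdef ENABLE_HYBRID` with `#if 0` permanently disables the `exclude_cfg_addr` check for every build, not just the BTMM nested-IPsec case the comment names, which means an address handed to us by a remote mode-config server is now accepted as one of racoon's own listening addresses. If nested IPsec genuinely needs this, gate it on a runtime configuration flag or on the session being BTMM rather than deleting the check for all users; the comment also reads as a reminder to the author rather than documentation, e.g. `/* XXX: mode-config addresses are intentionally not excluded so BTMM can run nested IPsec over a VPN-assigned address */`. The enclosing function starts before this hunk, so I cannot see what other filtering it applies.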
const char *ifname;
const struct sockaddr *ifaddr;
{
-#ifndef __linux__
struct in6_ifreq ifr6;
int s;
-#endif
if (ifaddr->sa_family != AF_INET6)
return 0;
-#ifndef __linux__
s = socket(PF_INET6, SOCK_DGRAM, 0);
if (s == -1) {
plog(LLV_ERROR, LOCATION, NULL,
|| ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED
|| ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_ANYCAST)
return 0;
-#endif
/* suitable */
return 1;
int
update_myaddrs()
{
-#ifdef __linux__
- char msg[BUFSIZ];
- int len;
- struct nlmsghdr *h = (void*)msg;
- len = read(lcconf->rtsock, msg, sizeof(msg));
- if (len < 0)
- return errno == ENOBUFS;
- if (len < sizeof(*h))
- return 0;
- if (h->nlmsg_pid) /* not from kernel! */
- return 0;
- if (h->nlmsg_type == RTM_NEWLINK)
- return 0;
- plog(LLV_DEBUG, LOCATION, NULL,
- "netlink signals update interface address list\n");
- return 1;
-#else
char msg[BUFSIZ];
int len;
struct rt_msghdr *rtm;
rtm->rtm_type);
return 1;
-#endif /* __linux__ */
}
/*
{
if (myaddr->addr)
racoon_free(myaddr->addr);
-#ifdef __APPLE__
if (myaddr->ifname)
racoon_free(myaddr->ifname);
-#endif
racoon_free(myaddr);
}
return -1;
}
-#ifdef __linux__
- {
- struct sockaddr_nl nl;
- u_int addr_len;
-
- memset(&nl, 0, sizeof(nl));
- nl.nl_family = AF_NETLINK;
- nl.nl_groups = RTMGRP_IPV4_IFADDR|RTMGRP_LINK;
-
- if (bind(lcconf->rtsock, (struct sockaddr*)&nl, sizeof(nl)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "bind(PF_NETLINK) failed: %s\n",
- strerror(errno));
- return -1;
- }
- addr_len = sizeof(nl);
- if (getsockname(lcconf->rtsock, (struct sockaddr*)&nl, &addr_len) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getsockname(PF_NETLINK) failed: %s\n",
- strerror(errno));
- return -1;
- }
- }
-#endif
-
if (lcconf->myaddrs == NULL && lcconf->autograbaddr == 1) {
grab_myaddrs();
struct sockaddr *my;
{
struct myaddrs *p, *lastresort = NULL;
-#if defined(INET6) && defined(__linux__)
- struct myaddrs *match_wo_scope_id = NULL;
- int check_wo_scope_id = (my->sa_family == AF_INET6) &&
- IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)my)->sin6_addr);
-#endif
for (p = lcconf->myaddrs; p; p = p->next) {
if (p->addr == NULL)
&& memcmp(my, p->addr, sysdep_sa_len(my)) == 0) {
break;
}
-#if defined(INET6) && defined(__linux__)
- if (check_wo_scope_id && IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)p->addr)->sin6_addr) &&
- /* XXX: this depends on sin6_scope_id to be last
- * item in struct sockaddr_in6 */
- memcmp(my, p->addr,
- sysdep_sa_len(my) - sizeof(uint32_t)) == 0) {
- match_wo_scope_id = p;
- }
-#endif
}
-#if defined(INET6) && defined(__linux__)
- if (!p)
- p = match_wo_scope_id;
-#endif
if (!p)
p = lastresort;
if (!p) {
struct sockaddr *addr;
int sock;
int udp_encap;
-#ifdef __APPLE__
int in_use;
char *ifname;
-#endif
};
extern void clear_myaddr __P((void));
#ifdef HAVE_GSSAPI
#include "gssapi.h"
#endif
+#include "power_mgmt.h"
static LIST_HEAD(_ph1tree_, ph1handle) ph1tree;
static LIST_HEAD(_ph2tree_, ph2handle) ph2tree;
struct ph1handle *p;
LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
+ if (p->is_dying || p->status == PHASE1ST_EXPIRED)
continue;
if (CMPSADDR(ph1->remote, p->remote) == 0) {
if (p == ph1)
EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
#ifdef ENABLE_NATT
-#ifndef __APPLE__
- if (iph1->natt_flags & NAT_KA_QUEUED)
- natt_keepalive_remove (iph1->local, iph1->remote);
-#endif /* __APPLE__ */
if (iph1->natt_options) {
racoon_free(iph1->natt_options);
iph1->natt_options = NULL;
gssapi_free_state(iph1);
#endif
-#ifdef __APPLE__
if (iph1->parent_session) {
ike_session_unlink_ph1_from_session(iph1);
}
unlink_rmconf_from_ph1(iph1->rmconf);
iph1->rmconf = NULL;
}
-#endif
racoon_free(iph1);
}
* flush isakmp-sa
*/
void
-flushph1(int ignore_established_handles)
+flushph1(int ignore_estab_or_assert_handles)
{
struct ph1handle *p, *next;
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "flushing ph1 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles);
+
for (p = LIST_FIRST(&ph1tree); p; p = next) {
next = LIST_NEXT(p, chain);
-
+
+ if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) {
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "skipping phase1 %s that's asserted...\n",
+ isakmp_pindex(&p->index, 0));
+ continue;
+ }
+
/* send delete information */
if (p->status == PHASE1ST_ESTABLISHED) {
- if (ignore_established_handles &&
- (ike_session_has_negoing_ph2(p->parent_session) ||
- p->mode_cfg->flags)) {
+ if (ignore_estab_or_assert_handles &&
+ ike_session_has_negoing_ph2(p->parent_session)) {
plog(LLV_DEBUG2, LOCATION, NULL,
- "skipping ph1 handler that's established... because it's needed by children phase2s\n");
+ "skipping phase1 %s that's established... because it's needed by children phase2s\n",
+ isakmp_pindex(&p->index, 0));
continue;
}
/* send delete information */
plog(LLV_DEBUG2, LOCATION, NULL,
- "got a ph1 handler to flush...\n");
+ "got a phase1 %s to flush...\n",
+ isakmp_pindex(&p->index, 0));
isakmp_info_send_d1(p);
}
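Review bot: The rewritten skip test in the ESTABLISHED branch drops the old `p->mode_cfg->flags` clause, so an established phase1 that is holding mode-config state is now torn down whenever no phase2 is negotiating; that is a behaviour change beyond the assert handling this hunk adds and nothing in the log text records it. If it is intentional, say so in a comment next to the condition, otherwise keep the clause. The new assert-skip test is evaluated before the status check, so dying and still-negotiating handles of an asserted session are skipped too; if only established ones are meant to survive a flush, move that test inside the `PHASE1ST_ESTABLISHED` branch. A one-line comment on what "asserted" means for a session would help, since the same flag now drives flushph2 and sweep_sleepwake as well.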
iph2->proposal = NULL;
}
-#ifdef __APPLE__
if (iph2->parent_session) {
ike_session_unlink_ph2_from_session(iph2);
}
vfree(iph2->ext_nat_id_p);
iph2->ext_nat_id_p = NULL;
}
-#endif
racoon_free(iph2);
}
}
void
-flushph2(int ignore_established_handles)
+flushph2(int ignore_estab_or_assert_handles)
{
struct ph2handle *p, *next;
plog(LLV_DEBUG2, LOCATION, NULL,
- "flushing all ph2 handlers...\n");
+ "flushing ph2 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles);
for (p = LIST_FIRST(&ph2tree); p; p = next) {
next = LIST_NEXT(p, chain);
if (p->is_dying || p->status == PHASE2ST_EXPIRED) {
continue;
}
+ if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) {
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "skipping phase2 handle that's asserted...\n");
+ continue;
+ }
if (p->status == PHASE2ST_ESTABLISHED){
- if (ignore_established_handles) {
+ if (ignore_estab_or_assert_handles) {
plog(LLV_DEBUG2, LOCATION, NULL,
"skipping ph2 handler that's established...\n");
continue;
LIST_INIT(&ctdtree);
}
+time_t
+get_exp_retx_interval (int num_retries, int fixed_retry_interval)
+{
+ // first 3 retries aren't exponential
+ if (num_retries <= 3) {
+ return (time_t)fixed_retry_interval;
+ } else {
+ return (time_t)(num_retries * fixed_retry_interval);
+ }
+}
+
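Review bot: `get_exp_retx_interval` is linear, not exponential: after the third retry it returns `num_retries * fixed_retry_interval`, so both the function name and the `// first 3 retries aren't exponential` comment misdescribe it. If linear growth is the intent, document it, e.g. `/* Linear back-off: the fixed interval for the first 3 retries, then retry# * interval (not exponential despite the name). */`. If exponential growth was intended, `fixed_retry_interval << (num_retries - 3)` with a cap would be the usual shape, but that changes retransmission timing for every caller and needs a deliberate decision. Callers pass `lcconf->retry_counter - r->retry_counter`, which is 0 on the first send, so a negative value cannot reach the multiply as long as retry_counter is only ever decremented.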
/*
* check the response has been sent to the peer. when not, simply reply
* the buffered packet to the peer.
{
vchar_t *hash;
struct recvdpkt *r;
- time_t t;
+ time_t t, d;
int len, s;
/* set current time */
if (s == -1)
return -1;
+ // don't send if we recently sent a response.
+ if (r->time_send && t > r->time_send) {
+ d = t - r->time_send;
+ if (d < r->retry_interval) {
+ plog(LLV_ERROR, LOCATION, NULL, "already responded within the past %ld secs\n", d);
+ return 1;
+ }
+ }
+
+#ifdef ENABLE_FRAG
+ if (r->frag_flags && r->sendbuf->l > ISAKMP_FRAG_MAXLEN) {
+ /* resend the packet if needed */
+ plog(LLV_ERROR, LOCATION, NULL, "!!! retransmitting frags\n");
+ len = sendfragsfromto(s, r->sendbuf,
+ r->local, r->remote, lcconf->count_persend,
+ r->frag_flags);
+ } else {
+ plog(LLV_ERROR, LOCATION, NULL, "!!! skipped retransmitting frags: frag_flags %x, r->sendbuf->l %d, max %d\n", r->frag_flags, r->sendbuf->l, ISAKMP_FRAG_MAXLEN);
+ /* resend the packet if needed */
+ len = sendfromto(s, r->sendbuf->v, r->sendbuf->l,
+ r->local, r->remote, lcconf->count_persend);
+ }
+#else
/* resend the packet if needed */
len = sendfromto(s, r->sendbuf->v, r->sendbuf->l,
r->local, r->remote, lcconf->count_persend);
+#endif
if (len == -1) {
plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
return -1;
plog(LLV_DEBUG, LOCATION, NULL,
"deleted the retransmission packet to %s.\n",
saddr2str(remote));
- } else
+ } else {
r->time_send = t;
+ r->retry_interval = get_exp_retx_interval((lcconf->retry_counter - r->retry_counter),
+ lcconf->retry_interval);
+ }
return 1;
}
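Review bot: The new fragmentation branch in check_recvdpkt logs `r->sendbuf->l` with `%d`, but `l` is a `size_t`, which is a format mismatch on LP64 and undefined behaviour; use `%zu` (the file already uses `%zd` for the same field elsewhere). The `!!! retransmitting frags`, `!!! skipped retransmitting frags` and `already responded within the past %ld secs` messages are all emitted at LLV_ERROR although they fire on every duplicate packet from a peer, so a peer replaying one packet can fill the log at error level; LLV_DEBUG is the right level for all three. The retry_interval throttle itself is a good addition, since it bounds how often a replayed packet can make racoon re-send a stored, possibly fragmented and larger, response. A comment above the throttle stating that purpose (`/* rate-limit replies to duplicates so a replayed packet cannot be used to amplify */`) would keep someone from removing it later.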
* adding a hash of received packet into the received list.
*/
int
-add_recvdpkt(remote, local, sbuf, rbuf, non_esp)
+add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags)
struct sockaddr *remote, *local;
vchar_t *sbuf, *rbuf;
size_t non_esp;
+ u_int32_t frag_flags;
{
struct recvdpkt *new = NULL;
new->retry_counter = lcconf->retry_counter;
new->time_send = 0;
new->created = time(NULL);
+#ifdef ENABLE_FRAG
+ if (frag_flags) {
+ new->frag_flags = frag_flags;
+ }
+#endif
+ new->retry_interval = get_exp_retx_interval((lcconf->retry_counter - new->retry_counter),
+ lcconf->retry_interval);
LIST_INSERT_HEAD(&rcptree, new, chain);
{
int found = 0;
struct ph1handle *p;
-
+ struct ph2handle *p2;
+
+ LIST_FOREACH(p2, &ph2tree, chain) {
+ if (cmpsaddrwop(remote, p2->dst) == 0) {
+ plog(LLV_WARNING, LOCATION, NULL,
+ "in %s... purging phase2s\n", __FUNCTION__);
+ if (p2->status == PHASE2ST_ESTABLISHED)
+ isakmp_info_send_d2(p2);
+ if (p2->status < PHASE2ST_EXPIRED) {
+ isakmp_ph2expire(p2);
+ } else {
+ isakmp_ph2delete(p2);
+ }
+ found++;
+ }
+ }
+
LIST_FOREACH(p, &ph1tree, chain) {
if (cmpsaddrwop(remote, p->remote) == 0) {
plog(LLV_WARNING, LOCATION, NULL,
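Review bot: The new phase2 purge loop walks `ph2tree` with LIST_FOREACH while calling `isakmp_ph2delete(p2)` on entries at or past EXPIRED; if that routine unlinks and frees the handle synchronously, as the `remph2`/`delph2` pair in ike_session_cleanup_ph2 does, the loop then reads `p2->chain` from freed memory. Either fetch `next = LIST_NEXT(p2, chain)` before the call, as flushph2 does, or route everything through the deferred `isakmp_ph2expire` path. The `purging phase2s` warning is also emitted once per matching handle rather than once per purge, which is noisy on sessions with many ph2s. The enclosing function starts before this hunk, so I cannot see how `found` is consumed afterwards.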
} else {
plog(LLV_DEBUG2, LOCATION, NULL, "skipping forced-DPD for phase1 (dpd already in progress).\n");
}
+ if (p->parent_session) {
+ p->parent_session->controller_awaiting_peer_resp = 1;
+ }
} else {
plog(LLV_DEBUG2, LOCATION, NULL, "skipping forced-DPD for phase1 (status %d, dying %d, dpd-support %d, dpd-interval %d).\n",
p->status, p->is_dying, p->dpd_support, p->rmconf->dpd_interval);
return status;
}
#endif
+
+void
+sweep_sleepwake(void)
+{
+ struct ph2handle *iph2;
+ struct ph1handle *iph1;
+
+ // do the ph1s.
+ LIST_FOREACH(iph1, &ph1tree, chain) {
+ if (iph1->parent_session && iph1->parent_session->is_asserted) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase1 %s because it's been asserted.\n",
+ isakmp_pindex(&iph1->index, 0));
+ continue;
+ }
+ if (iph1->is_dying || iph1->status >= PHASE1ST_EXPIRED) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase1 %s because it's already expired.\n",
+ isakmp_pindex(&iph1->index, 0));
+ continue;
+ }
+ if (iph1->sce) {
+ if (iph1->sce->xtime <= swept_at) {
+ SCHED_KILL(iph1->sce);
+ SCHED_KILL(iph1->sce_rekey);
+ iph1->is_dying = 1;
+ iph1->status = PHASE1ST_EXPIRED;
+ ike_session_update_ph1_ph2tree(iph1); // move unbind/rebind ph2s to from current ph1
+ iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
+ plog(LLV_DEBUG2, LOCATION, NULL, "phase1 %s expired while sleeping: quick deletion.\n",
+ isakmp_pindex(&iph1->index, 0));
+ }
+ }
+ if (iph1->sce_rekey) {
+ if (iph1->status == PHASE1ST_EXPIRED || iph1->sce_rekey->xtime <= swept_at) {
+ SCHED_KILL(iph1->sce_rekey);
+ }
+ }
+ if (iph1->scr) {
+ if (iph1->status == PHASE1ST_EXPIRED || iph1->scr->xtime <= swept_at) {
+ SCHED_KILL(iph1->scr);
+ }
+ }
+#ifdef ENABLE_DPD
+ if (iph1->dpd_r_u) {
+ if (iph1->status == PHASE1ST_EXPIRED || iph1->dpd_r_u->xtime <= swept_at) {
+ SCHED_KILL(iph1->dpd_r_u);
+ }
+ }
+#endif
+ }
+
+ // do ph2's next
+ LIST_FOREACH(iph2, &ph2tree, chain) {
+ if (iph2->parent_session && iph2->parent_session->is_asserted) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase2 because it's been asserted.\n");
+ continue;
+ }
+ if (iph2->is_dying || iph2->status >= PHASE2ST_EXPIRED) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase2 because it's already expired.\n");
+ continue;
+ }
+ if (iph2->sce) {
+ if (iph2->sce->xtime <= swept_at) {
+ iph2->status = PHASE2ST_EXPIRED;
+ iph2->is_dying = 1;
+ isakmp_ph2expire(iph2); // iph2 will go down 1 second later.
+ ike_session_stopped_by_controller(iph2->parent_session,
+ ike_session_stopped_by_sleepwake);
+ plog(LLV_DEBUG2, LOCATION, NULL, "phase2 expired while sleeping: quick deletion.\n");
+ }
+ }
+ if (iph2->scr) {
+ if (iph2->status == PHASE2ST_EXPIRED || iph2->scr->xtime <= swept_at) {
+ SCHED_KILL(iph2->scr);
+ }
+ }
+ }
+
+ // do the ike_session last
+ ike_session_sweep_sleepwake();
+}
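Review bot: In the phase2 loop of sweep_sleepwake, `ike_session_stopped_by_controller(iph2->parent_session, ...)` is called even though the loop explicitly tolerates `iph2->parent_session == NULL` a few lines above; unless that routine checks for NULL itself, a session-less ph2 that expired during sleep dereferences NULL. Guard it: `if (iph2->parent_session) ike_session_stopped_by_controller(iph2->parent_session, ike_session_stopped_by_sleepwake);`. The ph1 loop has the mirror-image gap — it marks the handle expired but records no stop reason on the session — which may be fine because ike_session_sweep_sleepwake runs last, but deserves a comment. Both loops also rely on isakmp_ph2expire and isakmp_ph1delete_stub being deferred by a second to keep LIST_FOREACH safe; stating that invariant in a comment would stop a future synchronous delete from turning this into a use-after-free.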
#ifndef _HANDLER_H
#define _HANDLER_H
+#include "config.h"
+
#include <sys/queue.h>
+#ifdef HAVE_OPENSSL
#include <openssl/rsa.h>
+#endif
#include <sys/time.h>
#include "isakmp_var.h"
#include "oakley.h"
+#ifndef HAVE_OPENSSL
+#include <Security/SecDH.h>
+#endif
typedef struct ike_session ike_session_t;
int retry_counter; /* for resend. */
vchar_t *sendbuf; /* buffer for re-sending */
+#ifndef HAVE_OPENSSL
+ SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */
+ size_t publicKeySize;
+#endif
vchar_t *dhpriv; /* DH; private value */
vchar_t *dhpub; /* DH; public value */
vchar_t *dhpub_p; /* DH; partner's public value */
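Review bot: The new `SecDHContext dhC` in ph1handle holds the Diffie-Hellman private state for the non-OpenSSL build, but the visible part of delph1 in this diff frees natt_options, the session link and rmconf without releasing `dhC`; if it is not destroyed elsewhere, every phase1 leaks a DH context and its private exponent stays resident in memory. The same applies to the `dhC` added to ph2handle below. Suggest the matching Security-framework destroy call under `#ifndef HAVE_OPENSSL` in delph1/delph2, and a comment on the field saying who owns it and when it is released, e.g. `/* owned by this handle; released in delph1 */`.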
cert_t *cert_p; /* peer's CERT minus general header */
cert_t *crl_p; /* peer's CRL minus general header */
cert_t *cr_p; /* peer's CR not including general */
+#ifdef HAVE_OPENSSL
RSA *rsa; /* my RSA key */
RSA *rsa_p; /* peer's RSA key */
struct genlist *rsa_candidates; /* possible candidates for peer's RSA key */
+#endif
vchar_t *id; /* ID minus gen header */
vchar_t *id_p; /* partner's ID minus general header */
/* i.e. struct ipsecdoi_id_b*. */
u_int8_t xauth_awaiting_userinput; /* indicates we are waiting for user input */
vchar_t *xauth_awaiting_userinput_msg; /* tracks the last packet that triggered XAUTH */
#endif
-#ifdef __APPLE__
int is_rekey:1;
int is_dying:1;
ike_session_t *parent_session;
LIST_ENTRY(ph1handle) ph1ofsession_chain;
-#endif
};
/* Phase 2 handler */
struct saprop *approval; /* SA(s) approved. */
caddr_t spidx_gen; /* policy from peer's proposal */
+#ifndef HAVE_OPENSSL
+ SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */
+ size_t publicKeySize;
+#endif
struct dhgroup *pfsgrp; /* DH; prime number */
vchar_t *dhpriv; /* DH; private value */
vchar_t *dhpub; /* DH; public value */
struct timeval end;
#endif
struct ph1handle *ph1; /* back pointer to isakmp status */
-#ifdef __APPLE__
int is_rekey:1;
int is_dying:1;
ike_session_t *parent_session;
LIST_ENTRY(ph2handle) ph2ofsession_chain;
vchar_t *ext_nat_id;
vchar_t *ext_nat_id_p;
-#endif
LIST_ENTRY(ph2handle) chain;
LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */
int retry_counter; /* how many times to send */
time_t time_send; /* timestamp to send a packet */
time_t created; /* timestamp to create a queue */
+ time_t retry_interval;
+#ifdef ENABLE_FRAG
+ u_int32_t frag_flags; /* IKE phase 1 fragmentation */
+#endif
struct sched *scr; /* schedule for resend, may not used */
extern void clear_contacted __P((void));
extern void initctdtree __P((void));
+extern time_t get_exp_retx_interval __P((int num_retries, int fixed_retry_interval));
+
extern int check_recvdpkt __P((struct sockaddr *,
struct sockaddr *, vchar_t *));
extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
- vchar_t *, vchar_t *, size_t));
+ vchar_t *, vchar_t *, size_t, u_int32_t));
extern void clear_recvdpkt __P((void));
extern void init_recvdpkt __P((void));
#ifdef ENABLE_DPD
extern int ph1_force_dpd __P((struct sockaddr *));
#endif
+extern void sweep_sleepwake __P((void));
#endif /* _HANDLER_H */
#include "vpn_control.h"
#include "proposal.h"
#include "sainfo.h"
+#include "power_mgmt.h"
+
+#define GET_SAMPLE_PERIOD(s,m) do { \
+ s = m / 20; \
+ if (s < 3) { \
+ s = 3; \
+ if (m < (s * 2)) { \
+ s = 1; /* bad */\
+ } \
+ } \
+ } while(0);
const char *ike_session_stopped_by_vpn_disconnect = "Stopped by VPN disconnect";
const char *ike_session_stopped_by_flush = "Stopped by Flush";
const char *ike_session_stopped_by_idle = "Stopped by Idle";
const char *ike_session_stopped_by_xauth_timeout = "Stopped by XAUTH timeout";
+const char *ike_session_stopped_by_sleepwake = "Stopped by Sleep-Wake";
+const char *ike_session_stopped_by_assert = "Stopped by Assert";
static LIST_HEAD(_ike_session_tree_, ike_session) ike_session_tree = { NULL };
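Review bot: `GET_SAMPLE_PERIOD` ends in `while(0);` so each use already expands to two statements; drop the trailing semicolon so the macro behaves like a single statement (an unbraced `if (...) GET_SAMPLE_PERIOD(s, m); else ...` currently fails to compile). The arguments are also used unparenthesised; `(s)` and `(m)` cost nothing. The behaviour change versus the inline code it replaces — a 3-second floor on the sampling period unless the period is under 6 seconds — is silent, so a comment above the macro such as `/* sample at period/20, floored to 3 s; periods under 6 s sample every second */` would explain the constants.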
return;
}
if (min_period) {
- sample_period = min_period / 20;
- if (!sample_period)
- sample_period = 1; // bad
+ GET_SAMPLE_PERIOD(sample_period, min_period);
} else {
- sample_period = max_period / 20;
- if (!sample_period)
- sample_period = 1; // bad
+ GET_SAMPLE_PERIOD(sample_period, max_period);
}
iph1->parent_session->traffic_monitor.interv_mon = sample_period;
}
iph1->parent_session = NULL;
session->ikev1_state.active_ph1cnt--;
if (session->ikev1_state.active_ph1cnt == 0 && session->ikev1_state.active_ph2cnt == 0) {
+ session->is_dying = 1;
free_ike_session(session);
}
iph2->parent_session = NULL;
session->ikev1_state.active_ph2cnt--;
if (session->ikev1_state.active_ph1cnt == 0 && session->ikev1_state.active_ph2cnt == 0) {
+ session->is_dying = 1;
free_ike_session(session);
}
{
ike_session_t *session = (__typeof__(session))arg;
- if (session) {
+ if (session &&
+ (session->established && !session->stopped_by_vpn_controller && !session->stop_timestamp.tv_sec && !session->stop_timestamp.tv_usec)) {
SCHED_KILL(session->traffic_monitor.sc_mon);
/* get traffic query from kernel */
if (pk_sendget_inbound_sastats(session) < 0) {
if (session->traffic_monitor.dir_idle == IPSEC_DIR_INBOUND ||
session->traffic_monitor.dir_idle == IPSEC_DIR_ANY) {
if (session->peer_sent_data_sc_idle) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "%s: restart idle-timeout because peer sent data. monitoring dir %d.\n",
+ __FUNCTION__, session->traffic_monitor.dir_idle);
SCHED_KILL(session->traffic_monitor.sc_idle);
if (session->traffic_monitor.interv_idle) {
session->traffic_monitor.sc_idle = sched_new(session->traffic_monitor.interv_idle,
if (session->traffic_monitor.dir_idle == IPSEC_DIR_OUTBOUND ||
session->traffic_monitor.dir_idle == IPSEC_DIR_ANY) {
if (session->i_sent_data_sc_idle) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "%s: restart idle-timeout because i sent data. monitoring dir %d.\n",
+ __FUNCTION__, session->traffic_monitor.dir_idle);
SCHED_KILL(session->traffic_monitor.sc_idle);
if (session->traffic_monitor.interv_idle) {
session->traffic_monitor.sc_idle = sched_new(session->traffic_monitor.interv_idle,
}
}
+static void
+ike_session_start_traffic_mon (ike_session_t *session)
+{
+ if (session->traffic_monitor.interv_mon) {
+ session->traffic_monitor.sc_mon = sched_new(session->traffic_monitor.interv_mon,
+ ike_session_traffic_cop,
+ session);
+ }
+ if (session->traffic_monitor.interv_idle) {
+ session->traffic_monitor.sc_idle = sched_new(session->traffic_monitor.interv_idle,
+ ike_session_cleanup_idle,
+ session);
+ }
+}
+
void
ike_session_ph2_established (struct ph2handle *iph2)
{
if (!iph2->parent_session->established) {
gettimeofday(&iph2->parent_session->estab_timestamp, NULL);
iph2->parent_session->established = 1;
- IPSECSESSIONTRACERESTABLISHED(iph2->parent_session);
- if (iph2->parent_session->traffic_monitor.interv_mon) {
- iph2->parent_session->traffic_monitor.sc_mon = sched_new(iph2->parent_session->traffic_monitor.interv_mon,
- ike_session_traffic_cop,
- iph2->parent_session);
- }
- if (iph2->parent_session->traffic_monitor.interv_idle) {
- iph2->parent_session->traffic_monitor.sc_idle = sched_new(iph2->parent_session->traffic_monitor.interv_idle,
- ike_session_cleanup_idle,
- iph2->parent_session);
- }
+ IPSECSESSIONTRACERESTABLISHED(iph2->parent_session);
+ ike_session_start_traffic_mon(iph2->parent_session);
+ } else if (iph2->parent_session->is_asserted) {
+ ike_session_start_traffic_mon(iph2->parent_session);
}
+ iph2->parent_session->is_asserted = 0;
// nothing happening to this session
iph2->parent_session->term_reason = NULL;
ike_session_update_mode(iph2);
- plog(LLV_DEBUG2, LOCATION, NULL, "%s phase2 established, spid %d.\n", __FUNCTION__, iph2->spid);
+
+#ifdef ENABLE_VPNCONTROL_PORT
+ vpncontrol_notify_peer_resp_ph2(1, iph2);
+#endif /* ENABLE_VPNCONTROL_PORT */
+ plog(LLV_DEBUG2, LOCATION, NULL, "%s: ph2 established, spid %d\n", __FUNCTION__, iph2->spid);
}
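Review bot: `ike_session_start_traffic_mon` calls sched_new for sc_mon and sc_idle without first cancelling any timer already stored in those slots; on the new `is_asserted` re-entry path a session that was already established may still have both scheduled, so the old sched pointers are overwritten and the stale timers keep firing against the session. Unless the assert path is guaranteed to have cancelled them, add `SCHED_KILL(session->traffic_monitor.sc_mon);` and `SCHED_KILL(session->traffic_monitor.sc_idle);` before the corresponding sched_new, matching how ike_session_traffic_cop resets sc_mon. Clearing `is_asserted` unconditionally after the branch looks intended, but a comment explaining what an asserted session is would help since the flag also drives skip logic in flushph1, flushph2 and sweep_sleepwake.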
void
void
ike_session_cleanup_ph2 (struct ph2handle *iph2)
{
- if (iph2->status == PHASE2ST_EXPIRED) {
- return;
- }
+ if (iph2->status == PHASE2ST_EXPIRED) {
+ return;
+ }
- SCHED_KILL(iph2->sce);
+ SCHED_KILL(iph2->sce);
plog(LLV_ERROR, LOCATION, NULL,
"about to cleanup ph2: status %d, seq %d dying %d\n",
iph2->status, iph2->seq, iph2->is_dying);
-
+
/* send delete information */
if (iph2->status == PHASE2ST_ESTABLISHED) {
isakmp_info_send_d2(iph2);
- }
- // delete outgoing SAs
- if (iph2->approval) {
- struct saproto *pr;
-
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- if (pr->ok) {
- pfkey_send_delete(lcconf->sock_pfkey,
+ // delete outgoing SAs
+ if (iph2->approval) {
+ struct saproto *pr;
+
+ for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
+ if (pr->ok) {
+ pfkey_send_delete(lcconf->sock_pfkey,
ipsecdoi2pfkey_proto(pr->proto_id),
IPSEC_MODE_ANY,
iph2->src, iph2->dst, pr->spi_p /* pr->reqid_out */);
- }
- }
- }
+ }
+ }
+ }
+ }
- delete_spd(iph2);
+ delete_spd(iph2);
unbindph12(iph2);
remph2(iph2);
delph2(iph2);
}
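Review bot: This hunk reads as a re-indent but it moves the `// delete outgoing SAs` block inside `if (iph2->status == PHASE2ST_ESTABLISHED)`, so pfkey_send_delete is no longer issued for a ph2 that has an `approval` but has not reached ESTABLISHED. If kernel SAs can be installed in a state that precedes ESTABLISHED, cleaning such a handle now leaves outbound SAs in the kernel until they expire on their own. If that is intentional, add a comment saying why non-established ph2s keep their SAs; otherwise restore the original brace placement so the `if (iph2->approval)` block runs for every status. Separating the whitespace-only churn from the semantic change would also make this reviewable.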
if (!session->established || session->stopped_by_vpn_controller || session->stop_timestamp.tv_sec || session->stop_timestamp.tv_usec) {
- plog(LLV_DEBUG2, LOCATION, NULL, "dropping update on invalid session.\n", __FUNCTION__);
+ plog(LLV_DEBUG2, LOCATION, NULL, "dropping update on invalid session in %s.\n", __FUNCTION__);
return;
}
if (!session)
return;
+ session->is_dying = 1;
+
SCHED_KILL(session->traffic_monitor.sc_idle);
// do ph2's first... we need the ph1s for notifications
for (iph2 = LIST_FIRST(&session->ikev1_state.ph2tree); iph2; iph2 = LIST_NEXT(iph2, ph2ofsession_chain)) {
}
isakmp_ph1expire(iph1);
}
-
+
// send ipsecManager a notification
- if (reason == ike_session_stopped_by_idle) {
+ if (session->is_cisco_ipsec && reason && reason != ike_session_stopped_by_vpn_disconnect) {
u_int32_t address;
if (((struct sockaddr *)&session->session_id.remote)->sa_family == AF_INET) {
address = ((struct sockaddr_in *)&session->session_id.remote)->sin_addr.s_addr;
} else {
address = 0;
}
- (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_IDLE_TIMEOUT, FROM_LOCAL, address, 0, NULL);
+ // TODO: log
+ if (reason == ike_session_stopped_by_idle) {
+ (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_IDLE_TIMEOUT, FROM_LOCAL, address, 0, NULL);
+ } else {
+ (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_INTERNAL_ERROR, FROM_LOCAL, address, 0, NULL);
+ }
}
}
return 0;
}
+int
+ike_session_has_established_ph1 (ike_session_t *session)
+{
+ struct ph1handle *p;
+
+ if (!session) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__);
+ return 0;
+ }
+
+ for (p = LIST_FIRST(&session->ikev1_state.ph1tree); p; p = LIST_NEXT(p, ph1ofsession_chain)) {
+ if (!p->is_dying && p->status == PHASE1ST_ESTABLISHED) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
int
ike_session_has_negoing_ph2 (ike_session_t *session)
{
if ((older_ph2->ext_nat_id && ike_session_is_id_portany(older_ph2->ext_nat_id)) ||
(older_ph2->ext_nat_id_p && ike_session_is_id_portany(older_ph2->ext_nat_id_p))) {
// try ignoring ports in iph2->id and iph2->id
- if (iph2->id && (portany_id = vdup(iph2->id))) {
+ if (iph2->id && (portany_id = vdup(iph2->id))) {
ike_session_set_id_portany(portany_id);
}
if (iph2->id_p && (portany_id_p = vdup(iph2->id_p))) {
}
return 0;
}
- if (iph2->id && older_ph2->ext_nat_id &&
+ if (portany_id && iph2->id && older_ph2->ext_nat_id &&
iph2->id->l == older_ph2->ext_nat_id->l &&
memcmp(portany_id->v, older_ph2->ext_nat_id->v, portany_id->l) == 0 &&
iph2->id_p && older_ph2->id_p &&
}
return 0;
}
- if (iph2->id && older_ph2->id &&
+ if (portany_id_p && iph2->id && older_ph2->id &&
iph2->id->l == older_ph2->id->l &&
memcmp(iph2->id->v, older_ph2->id->v, iph2->id->l) == 0 &&
iph2->id_p && older_ph2->ext_nat_id_p &&
plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 found in %s.\n", __FUNCTION__);
if (ipany_ids ||
ike_session_cmp_ph2_ids(iph2, p) == 0) {
- plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 matched in %s, spid %d.\n", __FUNCTION__, p->spid);
+ plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 matched in %s.\n", __FUNCTION__);
iph2->sainfo = p->sainfo;
if (!iph2->spid) {
iph2->spid = p->spid;
}
int
-ike_session_drop_rekey (ike_session_t *session)
+ike_session_drop_rekey (ike_session_t *session, ike_session_rekey_type_t rekey_type)
{
if (session) {
- // drop if btmm session is idle) {
if (session->is_btmm_ipsec &&
session->last_time_data_sc_detected &&
session->traffic_monitor.interv_mon &&
session->traffic_monitor.interv_idle) {
+ // for btmm: drop ph1/ph2 rekey if session is idle
time_t now = time(NULL);
if ((now - session->last_time_data_sc_detected) > (session->traffic_monitor.interv_mon << 1)) {
- plog(LLV_DEBUG2, LOCATION, NULL, "session is idle: drop rekey.\n");
+ plog(LLV_DEBUG2, LOCATION, NULL, "btmm session is idle: drop ph%drekey.\n",
+ rekey_type);
+ return 1;
+ }
+ } else if (!session->is_btmm_ipsec) {
+ if (rekey_type == IKE_SESSION_REKEY_TYPE_PH1 &&
+ !ike_session_has_negoing_ph2(session)) {
+ // for vpn: only drop ph1 if there are no more ph2s.
+ plog(LLV_DEBUG2, LOCATION, NULL, "vpn session is idle: drop ph1 rekey.\n");
return 1;
}
}
return 0;
}
+/*
+ * this is called after racooon receives a 'kIOMessageSystemHasPoweredOn'
+ * a lot is done to make sure that we don't sweep a session that's already been asserted.
+ * however, it'll be too bad if the assertion comes after the session has already been swept.
+ */
+void
+ike_session_sweep_sleepwake (void)
+{
+ ike_session_t *p;
+
+ // flag session as dying if all ph1/ph2 are dead/dying
+ for (p = LIST_FIRST(&ike_session_tree); p; p = LIST_NEXT(p, chain)) {
+ if (p->is_dying) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of dying session.\n");
+ continue;
+ }
+ SCHED_KILL(p->sc_xauth);
+ if (p->is_asserted) {
+ // for asserted session, traffic monitors will be restared after phase2 becomes established.
+ SCHED_KILL(p->traffic_monitor.sc_mon);
+ SCHED_KILL(p->traffic_monitor.sc_idle);
+ plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of asserted session.\n");
+ continue;
+ }
+
+ if (!ike_session_has_established_ph1(p) && !ike_session_has_established_ph2(p)) {
+ p->is_dying = 1;
+ plog(LLV_DEBUG2, LOCATION, NULL, "session died while sleeping.\n");
+ }
+ if (p->traffic_monitor.sc_mon) {
+ if (p->traffic_monitor.sc_mon->xtime <= swept_at) {
+ SCHED_KILL(p->traffic_monitor.sc_mon);
+ if (!p->is_dying && p->traffic_monitor.interv_mon) {
+ p->traffic_monitor.sc_mon = sched_new(p->traffic_monitor.interv_mon,
+ ike_session_traffic_cop,
+ p);
+ }
+ }
+ }
+ if (p->traffic_monitor.sc_idle) {
+ if (p->traffic_monitor.sc_idle->xtime <= swept_at) {
+ SCHED_KILL(p->traffic_monitor.sc_idle);
+ if (!p->is_dying && p->traffic_monitor.interv_idle) {
+ p->traffic_monitor.sc_idle = sched_new(p->traffic_monitor.interv_idle,
+ ike_session_cleanup_idle,
+ p);
+ }
+ }
+ }
+ }
+}
+
+/*
+ * this is called after racooon receives an assert command from the controller/pppd.
+ * this is intended to make racoon prepare to rekey both SAs because a network event occurred.
+ * in the event of a sleepwake, the assert could happen before or after 'ike_session_sweep_sleepwake'.
+ */
+int
+ike_session_assert_session (ike_session_t *session)
+{
+ struct ph2handle *iph2, *iph2_next;
+ struct ph1handle *iph1, *iph1_next;
+
+ if (!session || session->is_dying) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__);
+ return -1;
+ }
+
+ // the goal is to prepare the session for fresh rekeys by silently deleting the currently active phase2s
+ for (iph2 = LIST_FIRST(&session->ikev1_state.ph2tree); iph2; iph2 = iph2_next) {
+ // take next pointer now, since delete change the underlying ph2tree list
+ iph2_next = LIST_NEXT(iph2, ph2ofsession_chain);
+ if (!iph2->is_dying && iph2->status < PHASE2ST_EXPIRED) {
+ SCHED_KILL(iph2->sce);
+ iph2->is_dying = 1;
+
+ // delete SAs (in the kernel)
+ if (iph2->status == PHASE2ST_ESTABLISHED && iph2->approval) {
+ struct saproto *pr;
+
+ for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
+ if (pr->ok) {
+ //log deletion
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "assert: phase2 %s deleted\n",
+ sadbsecas2str(iph2->src, iph2->dst, iph2->satype, iph2->spid, ipsecdoi2pfkey_mode(pr->encmode)));
+
+ pfkey_send_delete(lcconf->sock_pfkey,
+ ipsecdoi2pfkey_proto(pr->proto_id),
+ ipsecdoi2pfkey_mode(pr->encmode),
+ iph2->src, iph2->dst, pr->spi_p);
+ }
+ }
+ }
+
+ iph2->status = PHASE2ST_EXPIRED; // we want to delete SAs without telling the PEER
+ iph2->sce = sched_new(3, ike_session_cleanup_ph2_stub, iph2);
+ }
+ }
+
+ // the goal is to prepare the session for fresh rekeys by silently deleting the currently active phase1s
+ for (iph1 = LIST_FIRST(&session->ikev1_state.ph1tree); iph1; iph1 = iph1_next) {
+ // take next pointer now, since delete change the underlying ph1tree list
+ iph1_next = LIST_NEXT(iph1, ph1ofsession_chain);
+ if (!iph1->is_dying && iph1->status < PHASE1ST_EXPIRED) {
+ SCHED_KILL(iph1->sce);
+ SCHED_KILL(iph1->sce_rekey);
+ iph1->is_dying = 1;
+
+ //log deletion
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "assert: phase1 %s deleted\n",
+ isakmp_pindex(&iph1->index, 0));
+
+ ike_session_unbindph12_from_ph1(iph1);
+
+ iph1->status = PHASE1ST_EXPIRED; // we want to delete SAs without telling the PEER
+ /* responder sets up timer to delete old inbound SAs... say 7 secs later and flags them as rekeyed */
+ iph1->sce = sched_new(5, ike_session_cleanup_ph1_stub, iph1);
+ }
+ }
+ session->is_asserted = 1;
+
+ return 0;
+}
+
+int
+ike_session_assert (struct sockaddr *local,
+ struct sockaddr *remote)
+{
+ ike_session_t *sess;
+
+ if (!local || !remote) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__);
+ return -1;
+ }
+
+ if ((sess = ike_session_get_session(local, remote, FALSE))) {
+ return(ike_session_assert_session(sess));
+ }
+ return -1;
+}
+
void
ike_session_ph2_retransmits (struct ph2handle *iph2)
{
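Review bot: In ike_session_assert_session the result of pfkey_send_delete() at L3830–L3833 is discarded, so a failed PF_KEY delete leaves the kernel SA installed while the phase2 is already marked PHASE2ST_EXPIRED and handed to the stub cleanup; check it and log the mismatch, e.g. `if (pfkey_send_delete(...) < 0) plog(LLV_ERROR, LOCATION, NULL, "assert: failed to delete phase2 SA\n");`. If sched_new() can return NULL, the timers assigned at L3839, L3861, L3776 and L3786 are stored unchecked and the handle then has no cleanup timer. In ike_session_drop_rekey the format string at L3729 is missing a space and prints "ph1rekey"; it should be `"btmm session is idle: drop ph%d rekey.\n"`. The header comments at L3744, L3761 and L3796 contain typos ("racooon", "restared").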
}
}
}
+
+void
+ike_session_ph1_retransmits (struct ph1handle *iph1)
+{
+ int num_retransmits;
+
+ if (!iph1->is_dying &&
+ iph1->is_rekey &&
+ !iph1->sce_rekey &&
+ iph1->status >= PHASE1ST_START && iph1->status < PHASE1ST_ESTABLISHED &&
+ iph1->side == INITIATOR &&
+ iph1->parent_session &&
+ iph1->parent_session->is_client &&
+ !ike_session_has_other_negoing_ph1(iph1->parent_session, iph1)) {
+ num_retransmits = iph1->rmconf->retry_counter - iph1->retry_counter;
+ if (num_retransmits == 3) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "many phase1 retransmits: try quit earlier.\n");
+ iph1->retry_counter = 0;
+ }
+ }
+}
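Review bot: ike_session_ph1_retransmits dereferences iph1->rmconf at L3906 without a NULL guard, although the same condition does guard iph1->parent_session, and it triggers only when the retransmit count is exactly 3 (L3907), a magic number that should be a named constant next to the retry limits with a comment on why three is the threshold. Because L3909 zeroes retry_counter, a later call computes a larger difference and does nothing, which is presumably the intent but deserves a comment. The function also has no NULL check on iph1 itself, unlike the other new entry points in this change.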
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/param.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <netinet/in.h>
#include "handler.h"
#include "ipsecSessionTracer.h"
int i_sent_data_sc_idle:1;
int is_client:1;
time_t last_time_data_sc_detected;
+ int controller_awaiting_peer_resp:1;
+ int is_dying:1;
+ int is_asserted:1;
u_int32_t natt_flags;
u_int32_t natt_version;
char *term_reason;
LIST_ENTRY(ike_session) chain;
};
+typedef enum ike_session_rekey_type {
+ IKE_SESSION_REKEY_TYPE_NONE = 0,
+ IKE_SESSION_REKEY_TYPE_PH1,
+ IKE_SESSION_REKEY_TYPE_PH2,
+} ike_session_rekey_type_t;
+
extern const char * ike_session_stopped_by_vpn_disconnect;
extern const char * ike_session_stopped_by_flush;
+extern const char * ike_session_stopped_by_sleepwake;
+extern const char * ike_session_stopped_by_assert;
extern void ike_session_init __P((void));
extern ike_session_t * ike_session_get_session __P((struct sockaddr *, struct sockaddr *, int));
extern void ike_session_update_traffic_idle_status __P((ike_session_t *, u_int32_t, struct sastat *, u_int32_t));
extern void ike_session_cleanup __P((ike_session_t *, const char *));
extern int ike_session_has_negoing_ph1 __P((ike_session_t *));
+extern int ike_session_has_established_ph1 __P((ike_session_t *));
extern int ike_session_has_negoing_ph2 __P((ike_session_t *));
extern int ike_session_has_established_ph2 __P((ike_session_t *));
extern void ike_session_cleanup_ph1s_by_ph2 __P((struct ph2handle *));
extern int ike_session_get_proposal_r __P((struct ph2handle *));
extern void ike_session_update_natt_version __P((struct ph1handle *));
extern int ike_session_get_natt_version __P((struct ph1handle *));
-extern int ike_session_drop_rekey __P((ike_session_t *));
+extern int ike_session_drop_rekey __P((ike_session_t *, ike_session_rekey_type_t));
+extern void ike_session_sweep_sleepwake __P((void));
+extern int ike_session_assert __P((struct sockaddr *, struct sockaddr *));
+extern int ike_session_assert_session __P((ike_session_t *));
extern void ike_session_ph2_retransmits __P((struct ph2handle *));
+extern void ike_session_ph1_retransmits __P((struct ph1handle *));
#endif /* _IKE_SESSION_H */
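Review bot: The new flags at L3927–L3929 are declared `int ...:1`, matching the existing fields, but a signed 1-bit field holds only 0 and -1 on common ABIs; the code in this change only truth-tests them (`if (p->is_dying)`), so it is safe today, yet any future `== 1` comparison would silently fail, and `unsigned int is_dying:1;` avoids that. The enum at L3935–L3939 changes the signature of ike_session_drop_rekey (L3958), so every caller must be updated in the same change; the two visible call sites at L4671 and L4676 are.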
p = (u_char *)&d->lorv;
} else { /*TLV*/
len = ntohs(d->lorv);
+ if (len > tlen) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid ISAKMP-SA attr, attr-len %d, overall-len %d\n",
+ len, tlen);
+ return -1;
+ }
p = (u_char *)(d + 1);
}
val = vmalloc(len);
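Review bot: The added bound at L3968 compares the TLV value length against tlen, but whether tlen has already been reduced by the attribute header that `d + 1` skips at L3974 is not visible here; if tlen still counts the header, a value length just under tlen passes the check and the copy that presumably follows `vmalloc(len)` reads up to sizeof(*d) bytes past the payload. Please confirm the caller's accounting in a comment, or tighten to `if (len > tlen - sizeof(*d))` after first rejecting `tlen < sizeof(*d)`. The enclosing function starts before this hunk.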
return 0;
}
-#ifdef __APPLE__
/*
* return 1 if all of the given protocols are tunnel mode.
*/
return 0;
}
-#endif
/*
* return 1 if all of the given protocols are transport mode.
#endif
+#ifdef NOT_USED
/*
* Check and Compare two IDs
* - specify 0 for exact if wildcards are allowed
return -1;
}
+#endif
/*
* check the following:
switch (id->idtype) {
case IDTYPE_ASN1DN:
+#ifdef HAVE_OPENSSL
ident.v = iph1->id_p->v + sizeof(*id_b);
ident.l = iph1->id_p->l - sizeof(*id_b);
if (eay_cmp_asn1dn(ident0, &ident) == 0)
goto matched;
+#else
+ plog(LLV_WARNING, LOCATION, NULL, "ASN1DN ID matching not implemented - passed.\n");
+ goto matched; //%%%%%% hack for now until we have code to do this.
+#endif
break;
case IDTYPE_ADDRESS:
sa = (struct sockaddr *)ident0->v;
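Review bot: On builds without HAVE_OPENSSL the IDTYPE_ASN1DN branch at L4005–L4007 jumps to `matched` after only a warning, so a peer presenting any DER DN identity passes the ID check unverified; a check that cannot be performed should fail closed, not open. Unless a platform-native DN comparison is available, remove the `goto matched` and let the case fall to the `break;` at L4009, which is the not-matched path the OpenSSL branch takes, or at minimum log at LLV_ERROR and gate the bypass on an explicit configuration option so it is visible in logs. The enclosing function starts before this hunk.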
ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
break;
case IDTYPE_KEYID:
-#ifdef __APPLE__
case IDTYPE_KEYIDUSE:
-#endif
id_b.type = IPSECDOI_ID_KEY_ID;
ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
break;
"failed to get own CERT.\n");
goto err;
}
+#if TARGET_OS_EMBEDDED
+ {
+ SecCertificateRef certificate;
+ CFDataRef subject;
+ UInt8* namePtr;
+ int len;
+
+ certificate = crypto_cssm_x509cert_get_SecCertificateRef(&iph1->cert->cert);
+ if (certificate == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get SecCertificateRef\n");
+ break;
+ }
+ subject = SecCertificateCopySubjectSequence(certificate);
+ if (subject == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get subjectName\n");
+ CFRelease(certificate);
+ break;
+ }
+ len = CFDataGetLength(subject);
+ namePtr = CFDataGetBytePtr(subject);
+ ident = vmalloc(len);
+ if (ident == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get subjectName\n");
+ CFRelease(certificate);
+ CFRelease(subject);
+ break;
+ }
+ memcpy(ident->v, namePtr, len);
+ CFRelease(certificate);
+ CFRelease(subject);
+ break;
+ }
+#else
ident = eay_get_x509asn1subjectname(&iph1->cert->cert);
+#endif
}
break;
case IDTYPE_ADDRESS:
plog(LLV_DEBUG, LOCATION, NULL,
"use ID type of %s\n", s_ipsecdoi_ident(id_b.type));
+ plogdump(LLV_DEBUG, iph1->id->v, iph1->id->l);
if (ident)
vfree(ident);
return 0;
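Review bot: In the TARGET_OS_EMBEDDED block, `len` (L4029, L4044) is an `int` receiving the CFIndex from CFDataGetLength(), and `namePtr` (L4028) drops the `const` of CFDataGetBytePtr(); declare `CFIndex len` with a `len > 0` check before vmalloc() and `const UInt8 *namePtr` so a truncated or zero length cannot reach vmalloc()/memcpy(). The plogs at L4040 and L4049 both say "failed to get subjectName", so an allocation failure is indistinguishable from a missing subject in logs; the second should read e.g. `"failed to allocate subjectName buffer\n"`.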
"Empty %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn");
return -1;
}
-#ifdef __APPLE__
case IDTYPE_KEYIDUSE:
-#endif
#ifdef ENABLE_HYBRID
case IDTYPE_LOGIN:
#endif
break;
}
case IDTYPE_ASN1DN:
+#ifdef HAVE_OPENSSL
if (value->v[0] == '~')
/* Hex-encoded ASN1 strings */
new = eay_hex2asn1dn(value->v + 1, - 1);
X509_NAME_free(xn);
BIO_free(bio);
}
+#else
+ plog(LLV_DEBUG, LOCATION, NULL, "Setting ID type ASN1DN from string not supported\n");
+ return -1;
+#endif
break;
}
spidx2str(&sp->spidx));
return -1;
}
+ if ((((struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR ||
+ ((struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR_SUBNET) &&
+ iph2->side == RESPONDER &&
+ iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED_ME) &&
+ lcconf->ext_nat_id) {
+ vfree(iph2->id);
+ if (!(iph2->id = vdup(lcconf->ext_nat_id))) {
+ return -1;
+ }
+ }
plog(LLV_DEBUG, LOCATION, NULL, "use local ID type %s\n",
s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id->v)->type));
+ plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
/* remote side */
iph2->id_p = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.dst,
plog(LLV_DEBUG, LOCATION, NULL,
"use remote ID type %s\n",
s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id_p->v)->type));
+ plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
return 0;
}
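Review bot: The dump added at L4117 prints `iph2->id` under the "use remote ID type" message, while that message is built from `iph2->id_p` (L4116); it should be `plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);`. The substitution at L4099–L4108 replaces the local ID with lcconf->ext_nat_id silently, so the "use local ID type" line that follows does not reveal that the ID was rewritten; a one-line plog before the vfree at L4104 would help when debugging NAT cases. The enclosing function starts before this hunk.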
switch (id_b->type) {
case IPSECDOI_ID_IPV4_ADDR:
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
-#ifndef __linux__
saddr->sa_len = sizeof(struct sockaddr_in);
-#endif
saddr->sa_family = AF_INET;
((struct sockaddr_in *)saddr)->sin_port =
(id_b->port == 0
#ifdef INET6
case IPSECDOI_ID_IPV6_ADDR:
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
-#ifndef __linux__
saddr->sa_len = sizeof(struct sockaddr_in6);
-#endif
saddr->sa_family = AF_INET6;
((struct sockaddr_in6 *)saddr)->sin6_port =
(id_b->port == 0
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
case IPSECDOI_ID_IPV4_ADDR_RANGE:
-#ifndef __linux__
((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in);
-#endif
((struct sockaddr *)&saddr)->sa_family = AF_INET;
((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
case IPSECDOI_ID_IPV6_ADDR:
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
case IPSECDOI_ID_IPV6_ADDR_RANGE:
-
-#ifndef __linux__
((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in6);
-#endif
((struct sockaddr *)&saddr)->sa_family = AF_INET6;
((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
len = snprintf( buf, sizeof(buf), "%s-", saddrwop2str((struct sockaddr *)&saddr));
-#ifndef __linux__
((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in);
-#endif
((struct sockaddr *)&saddr)->sa_family = AF_INET;
((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
len = snprintf( buf, sizeof(buf), "%s-", saddrwop2str((struct sockaddr *)&saddr));
-#ifndef __linux__
((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in6);
-#endif
((struct sockaddr *)&saddr)->sa_family = AF_INET6;
((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
case IPSECDOI_ID_DER_ASN1_DN:
case IPSECDOI_ID_DER_ASN1_GN:
{
+#ifdef HAVE_OPENSSL
X509_NAME *xn = NULL;
+#endif
dat = id->v + sizeof(*id_b);
len = id->l - sizeof(*id_b);
-
+#ifdef HAVE_OPENSSL
if (d2i_X509_NAME(&xn, (void*) &dat, len) != NULL) {
BIO *bio = BIO_new(BIO_s_mem());
X509_NAME_print_ex(bio, xn, 0, 0);
memcpy(buf,dat,len);
BIO_free(bio);
X509_NAME_free(xn);
- } else {
+ } else
+#endif
+ {
+
plog(LLV_ERROR, LOCATION, NULL,
"unable to extract asn1dn from id\n");
#define IDTYPE_ASN1DN 5
#define IDTYPE_LOGIN 6
#define IDTYPE_SUBNET 7
-#ifdef __APPLE__
#define IDTYPE_KEYIDUSE 8
/* shared secret type, it's internal use. */
#define VERIFICATION_OPTION_NONE 0
#define VERIFICATION_OPTION_PEERS_IDENTIFIER 1
#define VERIFICATION_OPTION_OPEN_DIR 2
-#endif
/* qualifiers for KEYID (and maybe others) */
#define IDQUAL_UNSPEC 0
extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *));
extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
extern int ipsecdoi_transportmode __P((struct saprop *));
-#ifdef __APPLE__
extern int ipsecdoi_tunnelmode __P((struct ph2handle *));
extern int ipsecdoi_any_transportmode __P((struct saprop *));
-#endif
extern int ipsecdoi_get_defaultlifetime __P((void));
extern int ipsecdoi_checkalgtypes __P((int, int, int, int));
extern int ipproto2doi __P((int));
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
-#ifdef __APPLE__
#define __APPLE_API_PRIVATE
-#endif
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
+#include <sys/ioctl.h>
#include <sys/queue.h>
#include <netinet/in.h>
+#include <net/if_var.h>
+#include <netinet6/in6_var.h>
#include <arpa/inet.h>
#ifndef HAVE_NETINET6_IPSEC
# include "nattraversal.h"
#endif
#include "ike_session.h"
-# ifdef __linux__
-# include <linux/udp.h>
-# include <linux/ip.h>
-# ifndef SOL_UDP
-# define SOL_UDP 17
-# endif
-# endif /* __linux__ */
-# if defined(__NetBSD__) || defined(__FreeBSD__) || \
- (defined(__APPLE__) && defined(__MACH__))
# include <netinet/in.h>
# include <netinet/udp.h>
# include <netinet/in_systm.h>
# include <netinet/ip.h>
# define SOL_UDP IPPROTO_UDP
-# endif /* __NetBSD__ / __FreeBSD__ */
#include "ipsecSessionTracer.h"
#include "ipsecMessageTracer.h"
+#include "power_mgmt.h"
static int nostate1 __P((struct ph1handle *, vchar_t *));
static int nostate2 __P((struct ph2handle *, vchar_t *));
char buf[sizeof (isakmp) + 4];
u_int32_t non_esp[2];
char lbuf[sizeof(struct udphdr) +
-#ifdef __linux
- sizeof(struct iphdr) +
-#else
sizeof(struct ip) +
-#endif
sizeof(isakmp) + 4];
} x;
struct sockaddr_storage remote;
vchar_t *buf = NULL, *tmpbuf = NULL;
int error = -1;
+ if (slept_at || woke_at) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "ignoring isakmp port until power-mgmt event is handled.\n");
+ return 0;
+ }
+
/* read message by MSG_PEEK */
while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
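Review bot: The early return at L4268–L4272 leaves the datagram unread on so_isakmp; if the caller is woken by socket readability, as the MSG_PEEK loop just below suggests, the daemon will spin re-entering this function until slept_at/woke_at are cleared. Consider draining the packet with a plain recvfrom() before returning, or having the caller drop the socket from its poll set while a power-management event is pending, and say in the comment which one is expected. The enclosing function starts before this hunk.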
/* Lucent IKE in UDP encapsulation */
{
struct udphdr *udp;
-#ifdef __linux__
- struct iphdr *ip;
-
- udp = (struct udphdr *)&x.lbuf[0];
- if (ntohs(udp->dest) == 501) {
- ip = (struct iphdr *)(x.lbuf + sizeof(*udp));
- extralen += sizeof(*udp) + ip->ihl;
- }
-#else
struct ip *ip;
udp = (struct udphdr *)&x.lbuf[0];
ip = (struct ip *)(x.lbuf + sizeof(*udp));
extralen += sizeof(*udp) + ip->ip_hl;
}
-#endif
}
#ifdef ENABLE_NATT
plog(LLV_ERROR, LOCATION, NULL,
"failed to receive isakmp packet: %s\n",
strerror (errno));
-#ifdef __APPLE__
error = -2; /* serious problem with socket */
-#endif
}
goto end;
}
goto end;
}
+ if (len < extralen) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid len (%d Bytes) & extralen (%d Bytes)\n",
+ len, extralen);
+ goto end;
+ }
+
if ((buf = vmalloc(len - extralen)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate reading buffer (%u Bytes)\n",
/* simply reply if the packet was processed. */
if (check_recvdpkt((struct sockaddr *)&remote,
(struct sockaddr *)&local, buf)) {
+ IPSECLOGASLMSG("Received retransmitted packet from %s.\n",
+ saddr2str((struct sockaddr *)&remote));
+
plog(LLV_NOTIFY, LOCATION, NULL,
"the packet is retransmitted by %s.\n",
saddr2str((struct sockaddr *)&remote));
plog (LLV_INFO, LOCATION, NULL,
"NAT-T: ports changed to: %s\n",
saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
-#ifndef __APPLE__
- natt_keepalive_add_ph1 (iph1);
-#endif
}
#endif
-
/* must be same addresses in one stream of a phase at least. */
if (cmpsaddrstrict(iph1->remote, remote) != 0) {
char *saddr_db, *saddr_act;
isakmp->etype, saddr2str(remote));
return -1;
}
-
+ if (iph1->status != PHASE1ST_ESTABLISHED) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "mode config %d from %s, "
+ "but ISAKMP-SA %s isn't established.\n",
+ isakmp->etype, saddr2str(remote),
+ isakmp_pindex(&iph1->index, iph1->msgid));
+ return -1;
+ }
#ifdef ENABLE_FRAG
if (isakmp->np == ISAKMP_NPTYPE_FRAG)
return frag_handler(iph1, msg, remote, local);
#ifdef ENABLE_VPNCONTROL_PORT
vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL);
+ vpncontrol_notify_peer_resp_ph1(1, iph1);
#endif
}
iph1->status = PHASE1ST_START;
iph1->rmconf = rmconf;
-#ifdef __APPLE__
if (link_rmconf_to_ph1(rmconf) < 0) {
plog(LLV_ERROR, LOCATION, remote,
"couldn't link "
delph1(iph1);
return -1;
}
-#endif
iph1->side = INITIATOR;
iph1->started_by_api = started_by_api;
iph1->version = ISAKMP_VERSION_NUMBER;
delph1(iph1);
return -1;
}
+ // HACK!!! to track rekeys across SIGHUPs
+ if (started_by_api == VPN_RESTARTED_BY_API &&
+ !iph1->is_rekey) {
+ iph1->parent_session->established = 1;
+ iph1->parent_session->ikev1_state.ph2cnt++;
+ iph1->is_rekey = 1;
+ }
/* start phase 1 exchange */
iph1->etype = rmconf->etypes->type;
gettimeofday(&iph1->start, NULL);
gettimeofday(&start, NULL);
#endif
+
+ IPSECLOGASLMSG("IPSec Phase1 started (Initiated by me).\n");
+
/* start exchange */
if ((ph1exchange[etypesw1(iph1->etype)]
[iph1->side]
#ifdef ENABLE_VPNCONTROL_PORT
vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
#endif
-
return 0;
}
memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
iph1->status = PHASE1ST_START;
iph1->rmconf = rmconf;
-#ifdef __APPLE__
if (link_rmconf_to_ph1(rmconf) < 0) {
plog(LLV_ERROR, LOCATION, remote,
"couldn't link "
delph1(iph1);
return -1;
}
-#endif
iph1->flags = 0;
iph1->side = RESPONDER;
iph1->started_by_api = 0;
gettimeofday(&start, NULL);
#endif
+ IPSECLOGASLMSG("IPSec Phase1 started (Initiated by peer).\n");
+
#ifndef ENABLE_FRAG
/* start exchange */
}
iph2->status = PHASE2ST_STATUS2;
+ IPSECLOGASLMSG("IPSec Phase2 started (Initiated by me).\n");
+
if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
[iph2->side]
[iph2->status])(iph2, NULL) < 0) {
gettimeofday(&start, NULL);
#endif
+ IPSECLOGASLMSG("IPSec Phase2 started (Initiated by peer).\n");
+
error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
[iph2->side]
[iph2->status])(iph2, msg);
return result;
}
-/* %%% */
-#ifndef __APPLE__
-int
-isakmp_init()
-{
- /* initialize a isakmp status table */
- initph1tree();
- initph2tree();
- initctdtree();
- init_recvdpkt();
-
- if (isakmp_open() < 0)
- goto err;
-
- return(0);
-
-err:
- isakmp_close();
- return(-1);
-}
-#else
int
-isakmp_init(int ignore_phX)
+isakmp_init(int ignore_phX, int *tentative_failures)
{
/* initialize a isakmp status table */
if (!ignore_phX) {
initctdtree();
init_recvdpkt();
- if (isakmp_open() < 0)
+ if (isakmp_open(tentative_failures) < 0)
goto err;
return(0);
isakmp_close();
return(-1);
}
-#endif /* __APPLE__ */
void
isakmp_cleanup()
/* open ISAKMP sockets. */
int
-isakmp_open()
+isakmp_open(int *tentative_failures)
{
const int yes = 1;
int ifnum = 0, encap_ifnum = 0;
#endif
struct myaddrs *p;
+ if (tentative_failures) {
+ *tentative_failures = FALSE;
+ }
+
for (p = lcconf->myaddrs; p; p = p->next) {
if (!p->addr)
continue;
-
-#ifdef __APPLE__
if (p->sock != -1) {
ifnum++;
if (p->udp_encap)
encap_ifnum++;
continue; // socket already open
}
-#endif
/* warn if wildcard address - should we forbid this? */
switch (p->addr->sa_family) {
switch (p->addr->sa_family) {
case AF_INET:
if (setsockopt(p->sock, IPPROTO_IP,
-#ifdef __linux__
- IP_PKTINFO,
-#else
IP_RECVDSTADDR,
-#endif
(const void *)&yes, sizeof(yes)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"setsockopt IP_RECVDSTADDR (%s)\n",
#ifdef INET6
case AF_INET6:
#ifdef INET6_ADVAPI
-#ifdef IPV6_RECVPKTINFO
pktinfo = IPV6_RECVPKTINFO;
-#else /* old adv. API */
- pktinfo = IPV6_PKTINFO;
-#endif /* IPV6_RECVPKTINFO */
#else
pktinfo = IPV6_RECVDSTADDR;
#endif
if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
goto err_and_next;
-#ifdef __APPLE__
if (extract_port(p->addr) == PORT_ISAKMP) {
if (setsockopt(p->sock, SOL_SOCKET, SO_NOTIFYCONFLICT,
(void *)&yes, sizeof(yes)) < 0) {
goto err_and_next;
}
}
-#endif
if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
+ int tmp_errno = errno;
plog(LLV_ERROR, LOCATION, p->addr,
"failed to bind to address %s (%s).\n",
- saddr2str(p->addr), strerror(errno));
+ saddr2str(p->addr), strerror(tmp_errno));
+#ifdef INET6
+ // if bind failed b/c of a tentative v6 address, try again later
+ if (tmp_errno == EADDRNOTAVAIL && p->addr->sa_family == AF_INET6) {
+ struct in6_ifreq ifr6;
+
+ bzero(&ifr6, sizeof(ifr6));
+ strlcpy(ifr6.ifr_name, p->ifname, sizeof(ifr6.ifr_name));
+ memcpy(&ifr6.ifr_addr, p->addr, sizeof(ifr6.ifr_addr));
+ if (ioctl(p->sock, SIOCGIFAFLAG_IN6, &ifr6) >= 0) {
+ /*
+ * the tentative flag may have cleared between the bind() and ioctl() calls (i.e due to timing), so
+ * try infering that it was tentative from ensuring the absense other cases of EADDRNOTAVAIL.
+ */
+ if ((ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_ANYCAST | IN6_IFF_DUPLICATED | IN6_IFF_DETACHED | IN6_IFF_DEPRECATED)) == 0) {
+ // address may have been tentantive... invalidate sock but leave address around for another try later
+ plog(LLV_ERROR, LOCATION, p->addr,
+ "failed to bind to address %s: because interface address is/was not ready (flags %x).\n",
+ saddr2str(p->addr), ifr6.ifr_ifru.ifru_flags6);
+ close(p->sock);
+ p->sock = -1;
+ if (tentative_failures) {
+ *tentative_failures = TRUE;
+ }
+ continue;
+ } else {
+ plog(LLV_ERROR, LOCATION, p->addr,
+ "failed to bind to address %s: because of interface address error, flags %x.\n",
+ saddr2str(p->addr), ifr6.ifr_ifru.ifru_flags6);
+ }
+ } else {
+ plog(LLV_ERROR, LOCATION, p->addr,
+ "failed to bind to address %s: can't read interface address flags.\n",
+ saddr2str(p->addr));
+ }
+ }
+#endif
close(p->sock);
p->sock = -1;
goto err_and_next;
}
ifnum++;
-#ifdef __APPLE__
if (p->udp_encap)
encap_ifnum++;
-#endif
plog(LLV_INFO, LOCATION, NULL,
"%s used as isakmp port (fd=%d)\n",
saddr2str(p->addr), p->sock);
-
-#ifndef __APPLE__
-#ifdef ENABLE_NATT
- if (p->addr->sa_family == AF_INET) {
- int option = -1;
-
- if(p->udp_encap)
- option = UDP_ENCAP_ESPINUDP;
-#if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01)
- else
- option = UDP_ENCAP_ESPINUDP_NON_IKE;
-#endif
- if(option != -1){
- if (setsockopt (p->sock, SOL_UDP,
- UDP_ENCAP, &option, sizeof (option)) < 0) {
- plog(LLV_WARNING, LOCATION, NULL,
- "setsockopt(%s): UDP_ENCAP %s\n",
- option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
- strerror(errno));
- goto skip_encap;
- }
- else {
- plog(LLV_INFO, LOCATION, NULL,
- "%s used for NAT-T\n",
- saddr2str(p->addr));
- encap_ifnum++;
- }
- }
- }
-skip_encap:
-#endif
-#endif /* __APPLE__ */
-
continue;
err_and_next:
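Review bot: In the tentative-address path (L4541–L4573) the interface name is copied from p->ifname (L4545) with no check that it is set, and the memcpy at L4546 assumes p->addr is a full sockaddr_in6 because sa_family is AF_INET6; a `if (!p->ifname) goto err_and_next;` guard, or a comment stating both preconditions, would make the branch safer to maintain. The comments at L4549–L4553 contain typos ("infering", "absense", "tentantive"). The function's opening lines are outside this hunk.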
isakmp_ph1resend(iph1)
struct ph1handle *iph1;
{
+ time_t retry_interval;
+
+ // make sure there is a buffer to send
+ // isakmp_plist_set_all() could have returned NULL
+ if (iph1->sendbuf == NULL)
+ return -1;
+
/* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
*/
if (iph1->retry_counter <= 0) {
return 0;
}
return -1;
+ } else {
+ ike_session_ph1_retransmits(iph1);
}
if (isakmp_send(iph1, iph1->sendbuf) < 0){
isakmp_pindex(&iph1->index, iph1->msgid));
iph1->retry_counter--;
-
- iph1->scr = sched_new(iph1->rmconf->retry_interval,
+ retry_interval = get_exp_retx_interval((iph1->rmconf->retry_counter - iph1->retry_counter),
+ iph1->rmconf->retry_interval);
+ iph1->scr = sched_new(retry_interval,
isakmp_ph1resend_stub, iph1);
return 0;
isakmp_ph2resend(iph2)
struct ph2handle *iph2;
{
+ time_t retry_interval;
+
/* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
*/
//%%% BUG FIX - related to commit bit usage - crash happened here
isakmp_pindex(&iph2->ph1->index, iph2->msgid));
iph2->retry_counter--;
-
- iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
+ retry_interval = get_exp_retx_interval((iph2->ph1->rmconf->retry_counter - iph2->ph1->retry_counter),
+ iph2->ph1->rmconf->retry_interval);
+ iph2->scr = sched_new(retry_interval,
isakmp_ph2resend_stub, iph2);
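Review bot: The exponent passed to get_exp_retx_interval() at L4663 is derived from iph2->ph1->retry_counter, but the counter this function decrements is iph2->retry_counter (L4660), so the phase2 backoff never grows with phase2 retransmits and instead follows whatever state the phase1 handle is in; the phase1 variant at L4646 uses its own counter. Unless the cross-reference is intentional, it should read `retry_interval = get_exp_retx_interval((iph2->ph1->rmconf->retry_counter - iph2->retry_counter), iph2->ph1->rmconf->retry_interval);`. The enclosing function starts before this hunk.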
#ifdef ENABLE_DPD
racoon_free(src);
racoon_free(dst);
- if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session)) {
+ if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) {
return;
}
racoon_free(src);
racoon_free(dst);
+ if (ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) {
+ plog(LLV_INFO, LOCATION, iph1->remote,
+ "request for ISAKMP-SA rekey was ignored "
+ "due to idleness.\n");
+ return 0;
+ }
+
// exit if there is another ph1 that is established (with a pending rekey timer)
if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) {
plog(LLV_INFO, LOCATION, iph1->remote,
"due to no phase1 found.\n",
saddrwop2str(iph2->dst));
+ // exit if there is another ph1 that is established (with a pending rekey timer)
+ if (ike_session_has_negoing_ph1(iph2->parent_session)) {
+ plog(LLV_INFO, LOCATION, iph2->dst,
+ "request for phase1 was ignored "
+ "due to another negotiating ph1.\n");
+ return 0;
+ }
+
/* start phase 1 negotiation as a initiator. */
if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src, 0) < 0) {
- SCHED_KILL(sc);
- return -1;
+ plog(LLV_INFO, LOCATION, iph2->dst,
+ "request for phase1 failed. will try later.\n");
}
return 0;
return -1;
}
+ if (ntohs(gen->len) < sizeof(*gen)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore this payload, invalid payload len %d.\n",
+ ntohs(gen->len));
+ return -1;
+ }
+
*buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
if (*buf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
static char ntop_buf[NI_MAXHOST];
memset(&addr, 0, sizeof(addr));
-#ifndef __linux__
addr.sin_len = sizeof(struct sockaddr_in);
-#endif
addr.sin_family = AF_INET;
memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
racoon_free(src);
racoon_free(dst);
+ IPSECLOGASLMSG("IPSec Phase1 established (Initiated by %s).\n",
+ (iph1->side == INITIATOR)? "me" : "peer");
+
return;
}
"Packet reassembly failed\n");
return -1;
}
+
+ /* simply reply if the packet was processed. */
+ if (check_recvdpkt((struct sockaddr *)remote,
+ (struct sockaddr *)local, newmsg) > 0) {
+ IPSECLOGASLMSG("Received (reassembled) retransmitted packet from %s.\n",
+ saddr2str((struct sockaddr *)remote));
+
+ plog(LLV_NOTIFY, LOCATION, NULL,
+ "the reassembled packet is retransmitted by %s.\n",
+ saddr2str((struct sockaddr *)remote));
+ return 0;
+ }
+
return isakmp_main(newmsg, remote, local);
}
}
}
+#ifdef HAVE_OPENSSL
if (privsep_script_exec(iph1->rmconf->script[script]->v,
script, envp) != 0)
plog(LLV_ERROR, LOCATION, NULL,
"Script %s execution failed\n", script_names[script]);
-
+#else
+ if (script_exec(iph1->rmconf->script[script]->v,
+ script, envp) != 0)
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Script %s execution failed\n", script_names[script]);
+#endif
+
out:
for (c = envp; *c; c++)
racoon_free(*c);
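Review bot: On builds without HAVE_OPENSSL the hook script is run through script_exec() (L4758) instead of privsep_script_exec(), so if that helper executes in the daemon's own process the script inherits whatever privileges racoon holds rather than the privilege-separated ones; that is a change of trust boundary and deserves a comment explaining why privsep is unavailable in this configuration and noting that the script path comes from iph1->rmconf, i.e. the configuration file. If the only reason is a build dependency, consider keeping privsep on that platform rather than tying it to OpenSSL. The enclosing function starts before this hunk.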
vchar_t *
isakmp_plist_append_initial_contact (iph1, plist)
-struct ph1handle *iph1;
-struct payload_list *plist;
+ struct ph1handle *iph1;
+ struct payload_list *plist;
{
if (!iph1->is_rekey && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
vchar_t *notp_ini = NULL;
struct isakmp_pl_n np, *nptr;
char *cptr;
-
+
np.doi = htonl(iph1->rmconf->doitype);
np.proto_id = IPSECDOI_PROTO_ISAKMP;
np.spi_size = sizeof(isakmp_index);
/* IKE fragmentation payload */
struct isakmp_frag {
- u_int16_t unknown0; /* always set to zero? */
+ u_int16_t unknown0; /* Next Payload (1st u_int8_t) and RESERVED (2nd u_int8_t), both must set to 0 */
u_int16_t len;
- u_int16_t unknown1; /* always set to 1? */
+ u_int16_t unknown1; /* fragid */
u_int8_t index;
u_int8_t flags;
} __attribute__((__packed__));
#include "vpn_control_var.h"
#include "ipsecSessionTracer.h"
#include "ipsecMessageTracer.h"
+#ifndef HAVE_OPENSSL
+#include <Security/SecDH.h>
+#endif
/*
* begin Aggressive Mode as initiator.
}
/* generate DH public value */
+#ifdef HAVE_OPENSSL
+ if (oakley_dh_generate(iph1->rmconf->dhgrp,
+ &iph1->dhpub, &iph1->dhpriv) < 0) {
+#else
if (oakley_dh_generate(iph1->rmconf->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0) {
+ &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to generate DH");
goto end;
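Review bot: The OpenSSL-versus-SecDH selection around `oakley_dh_generate` is repeated as a four-line `#ifdef HAVE_OPENSSL` block at every generate and compute call site in this change (this hunk and the corresponding sites in the aggressive and identity-protection initiator/responder paths); a single wrapper taking the phase-1 handle that hides which of `dhpriv` or `publicKeySize`/`dhC` is populated would leave one copy of the conditional to maintain. Note that the two branches also differ in which handle fields they fill: the SecDH path never sets `iph1->dhpriv`, so any later code that reads or frees `dhpriv` must be guarded the same way. The enclosing function starts outside the hunk.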
#ifdef HAVE_GSSAPI
vchar_t *gsstoken = NULL;
#endif
+ int received_cert = 0;
#ifdef ENABLE_NATT
int natd_seq = 0;
"failed to process CERT payload");
goto end;
}
+ received_cert = 1;
break;
case ISAKMP_NPTYPE_SIG:
if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"remote supports DPD\n");
}
+#endif
+#ifdef ENABLE_FRAG
+ if ((vid_numeric == VENDORID_FRAG) &&
+ (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remote supports FRAGMENTATION\n");
+ iph1->frag = 1;
+ }
#endif
break;
case ISAKMP_NPTYPE_N:
#ifdef ENABLE_NATT
case ISAKMP_NPTYPE_NATD_DRAFT:
case ISAKMP_NPTYPE_NATD_RFC:
-#ifdef __APPLE__
case ISAKMP_NPTYPE_NATD_BADDRAFT:
-#endif
if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
pa->type == iph1->natt_options->payload_nat_d) {
struct natd_payload *natd;
}
}
+ if (received_cert) {
+ oakley_verify_certid(iph1);
+ }
+
/* payload existency check */
if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
plog(LLV_ERROR, LOCATION, iph1->remote,
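Review bot: The result of `oakley_verify_certid(iph1)` is discarded at the new call; if that function reports a mismatch through its return value rather than only through the peer certificate's status field (not visible here), a failed identity check would be silently ignored and the exchange would continue into `oakley_validate_auth`. Either cast the call to `(void)` with a comment naming where the failure is recorded, or check it: `if (received_cert && oakley_verify_certid(iph1) < 0) goto end;`. The same unchecked call is added after each of the other CERT-processing loops in this change (the aggressive responder and the identity-protection initiator and responder handlers). The enclosing function starts outside the hunk.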
#endif
/* compute sharing secret of DH */
+#ifdef HAVE_OPENSSL
if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#else
+ if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to compute DH");
goto end;
need_cert = 1;
/* add CERT payload if there */
+ // we don't support sending of certchains
if (need_cert)
plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
"NAT-D hashing failed for %s\n", saddr2str(iph1->local));
goto end;
}
-
-#ifdef __APPLE__
/* old Apple version sends natd payloads in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
} else
-#endif
{
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
#endif
#ifdef ENABLE_FRAG
if ((vid_numeric == VENDORID_FRAG) &&
- (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG))
+ (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remote supports FRAGMENTATION\n");
iph1->frag = 1;
+ }
#endif
break;
}
/* generate DH public value */
+#ifdef HAVE_OPENSSL
if (oakley_dh_generate(iph1->rmconf->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0) {
+ &iph1->dhpub, &iph1->dhpriv) < 0) {
+#else
+ if (oakley_dh_generate(iph1->rmconf->dhgrp,
+ &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to generate DH");
goto end;
}
/* compute sharing secret of DH */
- if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#ifdef HAVE_OPENSSL
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
+ iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#else
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to compute DH");
goto end;
/* chosen VID */
plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
/* NAT-D */
-#ifdef __APPLE__
/* old Apple version sends natd payloads in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
} else
-#endif
{
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
#ifdef ENABLE_NATT
int natd_seq = 0;
#endif
+ int received_cert = 0;
/* validity check */
if (iph1->status != PHASE1ST_MSG1SENT) {
"failed to process CERT payload");
goto end;
}
+ received_cert = 1;
break;
case ISAKMP_NPTYPE_SIG:
if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
#endif
+ if (received_cert) {
+ oakley_verify_certid(iph1);
+ }
+
/* validate authentication value */
ptype = oakley_validate_auth(iph1);
if (ptype != 0) {
#endif
#include "vpn_control.h"
#include "vpn_control_var.h"
+#ifndef HAVE_OPENSSL
+#include <Security/SecDH.h>
+#endif
/* %%%
* begin Identity Protection Mode as initiator.
"remote supports DPD\n");
}
#endif
+#ifdef ENABLE_FRAG
+ if ((vid_numeric == VENDORID_FRAG) &&
+ (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remote supports FRAGMENTATION\n");
+ iph1->frag = 1;
+ }
+#endif
break;
default:
/* don't send information, see ident_r1recv() */
sizeof(cookie_t));
/* generate DH public value */
+#ifdef HAVE_OPENSSL
+ if (oakley_dh_generate(iph1->approval->dhgrp,
+ &iph1->dhpub, &iph1->dhpriv) < 0)
+#else
if (oakley_dh_generate(iph1->approval->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0)
+ &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0)
+#endif
goto end;
/* generate SKEYID to compute hash if not signature mode */
goto end;
}
-#ifdef __APPLE__
/* old Apple version sends natd payloads in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
} else
-#endif
{
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
vchar_t *natd_received;
int natd_seq = 0, natd_verified;
#endif
+ int received_cert = 0;
/* validity check */
if (iph1->status != PHASE1ST_MSG2SENT) {
case ISAKMP_NPTYPE_CERT:
if (oakley_savecert(iph1, pa->ptr) < 0)
goto end;
+ received_cert = 1;
break;
case ISAKMP_NPTYPE_SIG:
if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
#ifdef ENABLE_NATT
case ISAKMP_NPTYPE_NATD_DRAFT:
case ISAKMP_NPTYPE_NATD_RFC:
-#ifdef __APPLE__
case ISAKMP_NPTYPE_NATD_BADDRAFT:
-#endif
if (NATT_AVAILABLE(iph1) && iph1->natt_options &&
pa->type == iph1->natt_options->payload_nat_d) {
natd_received = NULL;
}
#endif
+ if (received_cert) {
+ oakley_verify_certid(iph1);
+ }
+
/* payload existency check */
/* validate authentication value */
ptype = oakley_validate_auth(iph1);
}
/* compute sharing secret of DH */
+#ifdef HAVE_OPENSSL
if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
+ iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
+#else
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0)
+#endif
goto end;
/* generate SKEYID to compute hash if signature mode */
if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
natt_handle_vendorid(iph1, vid_numeric);
#endif
-#ifdef ENABLE_FRAG
- if ((vid_numeric == VENDORID_FRAG) &&
- (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE))
- iph1->frag = 1;
-#endif
#ifdef ENABLE_HYBRID
switch (vid_numeric) {
case VENDORID_XAUTH:
"remote supports DPD\n");
}
#endif
+#ifdef ENABLE_FRAG
+ if ((vid_numeric == VENDORID_FRAG) &&
+ (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remote supports FRAGMENTATION\n");
+ iph1->frag = 1;
+ }
+#endif
break;
default:
/* don't send information, see ident_r1recv() */
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
#ifdef ENABLE_NATT
int natd_seq = 0;
#endif
+ int received_cert = 0;
/* validity check */
if (iph1->status != PHASE1ST_MSG1SENT) {
case ISAKMP_NPTYPE_CERT:
if (oakley_savecert(iph1, pa->ptr) < 0)
goto end;
+ received_cert = 1;
break;
case ISAKMP_NPTYPE_SIG:
if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
#ifdef ENABLE_NATT
case ISAKMP_NPTYPE_NATD_DRAFT:
case ISAKMP_NPTYPE_NATD_RFC:
-#ifdef __APPLE__
case ISAKMP_NPTYPE_NATD_BADDRAFT:
-#endif
if (pa->type == iph1->natt_options->payload_nat_d)
{
vchar_t *natd_received = NULL;
}
}
+ if (received_cert) {
+ oakley_verify_certid(iph1);
+ }
+
/* generate DH public value */
+#ifdef HAVE_OPENSSL
+ if (oakley_dh_generate(iph1->approval->dhgrp,
+ &iph1->dhpub, &iph1->dhpriv) < 0)
+#else
if (oakley_dh_generate(iph1->approval->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0)
+ &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0)
+#endif
goto end;
/* compute sharing secret of DH */
+#ifdef HAVE_OPENSSL
if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
+ iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
+#else
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0)
+#endif
goto end;
/* generate SKEYID */
goto end;
}
-#ifdef __APPLE__
/* old Apple version sends natd payloads in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
} else
-#endif
{
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
#include <sys/queue.h>
#include <utmpx.h>
-#if defined(__APPLE__) && defined(__MACH__)
#include <util.h>
-#endif
+
#ifdef __FreeBSD__
# include <libutil.h>
plen = ntohs(ph->len);
nph = (struct isakmp_gen *)((char *)ph + plen);
plen = ntohs(nph->len);
-
+ /* Check that the hash payload fits in the packet */
+ if (tlen < (plen + ntohs(ph->len))) {
+ plog(LLV_WARNING, LOCATION, NULL,
+ "Invalid Hash payload. len %d, overall-len %d\n",
+ ntohs(nph->len),
+ plen);
+ goto out;
+ }
+
if ((payload = vmalloc(plen)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"Cannot allocate memory\n");
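Review bot: The new warning at the hash-payload check prints the same value twice: `plen` was just assigned `ntohs(nph->len)` two lines above, so "overall-len" never shows the packet length the check failed against; the second argument should be `tlen` with the matching format specifier, e.g. `"Invalid Hash payload. len %d, overall-len %d\n", plen, (int)tlen`. Also, `nph->len` is read before this guard runs, so if `ntohs(ph->len)` alone already exceeds what is left of the packet (how `tlen` relates to `ph` is not visible here), `nph` points past the buffer before the check; validating `ph->len` against `tlen` before dereferencing `nph` would close that. The enclosing function starts outside the hunk.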
/* connection was started by API - save attr list for passing to VPN controller */
if (iph1->mode_cfg->attr_list != NULL) /* shouldn't happen */
vfree(iph1->mode_cfg->attr_list);
+ if (ntohs(attrpl->h.len) < sizeof(*attrpl)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid cfg-attr-list, attr-len %d\n",
+ ntohs(attrpl->h.len));
+ return -1;
+ }
alen = ntohs(attrpl->h.len) - sizeof(*attrpl);
if ((iph1->mode_cfg->attr_list = vmalloc(alen)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
{
vchar_t *buf;
+ if (ntohs(attrpl->h.len) < sizeof(*attrpl)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid cfg-attr-list, attr-len %d\n",
+ ntohs(attrpl->h.len));
+ return -1;
+ }
alen = ntohs(attrpl->h.len) - sizeof(*attrpl);
if ((buf = vmalloc(alen)) == NULL) {
plog(LLV_WARNING, LOCATION, NULL,
iph1->xauth_awaiting_userinput = 1;
iph1->xauth_awaiting_userinput_msg = vdup(msg); // dup the message for later
ike_session_start_xauth_timer(iph1);
+
+ IPSECLOGASLMSG("IPSec Extended Authentication requested.\n");
+
return 0;
}
if (msg) {
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph2->sendbuf, msg,
- PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
+ PH2_NON_ESP_EXTRA_LEN(iph2), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
}
if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS)
return isakmp_cfg_accounting_radius(iph1, inout);
#endif
+#ifdef HAVE_OPENSSL
if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM)
return privsep_accounting_system(iph1->mode_cfg->port,
iph1->remote, iph1->mode_cfg->login, inout);
+#endif
return 0;
}
vfree(buffer);
+ IPSECLOGASLMSG("IPSec Network Configuration requested.\n");
+
return error;
}
#ifdef HAVE_LIBPAM
#include <security/pam_appl.h>
#endif
+#include <resolv.h>
/*
* XXX don't forget to update
#include <netinet/in.h>
#include <arpa/inet.h>
+#ifdef HAVE_OPENSSL
#include <openssl/md5.h>
+#endif
#include <stdlib.h>
#include <stdio.h>
#include "handler.h"
#include "isakmp_frag.h"
#include "strnames.h"
+#include "nattraversal.h"
+#include "grabmyaddr.h"
+#include "localconf.h"
int
isakmp_sendfrags(iph1, buf)
unsigned int fragnum = 0;
size_t len;
int etype;
+#ifdef ENABLE_NATT
+ size_t extralen = NON_ESP_MARKER_USE(iph1)? NON_ESP_MARKER_LEN : 0;
+#else
+ size_t extralen = 0;
+#endif
+ int s;
+ vchar_t *vbuf;
+
+
+ /* select the socket to be sent */
+ s = getsockmyaddr(iph1->local);
+ if (s == -1){
+ return -1;
+ }
/*
* Catch the exchange type for later: the fragments and the
* First compute the maximum data length that will fit in it
*/
max_datalen = ISAKMP_FRAG_MAXLEN -
- (sizeof(*hdr) + sizeof(*fraghdr) + sizeof(trailer));
+ (sizeof(*hdr) + sizeof(*fraghdr));
sdata = buf->v;
len = buf->l;
else
datalen = len;
- fraglen = sizeof(*hdr)
- + sizeof(*fraghdr)
- + datalen;
+ fraglen = sizeof(*hdr) + sizeof(*fraghdr) + datalen;
if ((frag = vmalloc(fraglen)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
hdr->etype = etype;
fraghdr = (struct isakmp_frag *)(hdr + 1);
- fraghdr->unknown0 = htons(0);
+ fraghdr->unknown0 = 0;
fraghdr->len = htons(fraglen - sizeof(*hdr));
fraghdr->unknown1 = htons(1);
fraghdr->index = fragnum;
data = (caddr_t)(fraghdr + 1);
memcpy(data, sdata, datalen);
- if (isakmp_send(iph1, frag) < 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote, "isakmp_send failed\n");
+#ifdef ENABLE_NATT
+ /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
+ must added just before the packet itself. For this we must
+ allocate a new buffer and release it at the end. */
+ if (extralen) {
+ if ((vbuf = vmalloc(frag->l + extralen)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "%s: vbuf allocation failed\n", __FUNCTION__);
+ vfree(frag);
+ return -1;
+ }
+ *(u_int32_t *)vbuf->v = 0; // non-esp marker
+ memcpy(vbuf->v + extralen, frag->v, frag->l);
+ vfree(frag);
+ frag = vbuf;
+ }
+#endif
+
+ if (sendfromto(s, frag->v, frag->l,
+ iph1->local, iph1->remote, lcconf->count_persend) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL, "%s: sendfromto failed\n", __FUNCTION__);
+ vfree(frag);
return -1;
}
len -= datalen;
sdata += datalen;
}
-
+
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "%s: processed %d fragments\n", __FUNCTION__, fragnum);
+
return fragnum;
}
struct isakmp_gen *gen;
{
int *hp;
+ int hashlen_bytes = eay_md5_hashlen() >> 3;
hp = (int *)(gen + 1);
- return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
+ return ntohl(hp[hashlen_bytes / sizeof(*hp)]);
}
int
return -1;
}
+ if (ntohs(frag->len) < sizeof(*frag)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid Frag, frag-len %d\n",
+ ntohs(frag->len));
+ return -1;
+ }
+
if ((buf = vmalloc(ntohs(frag->len) - sizeof(*frag))) == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
return -1;
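Review bot: The new length check only guards the subtraction in the `vmalloc` call; it does not bound `ntohs(frag->len)` against the size of the received message, which is what determines whether copying `frag->len - sizeof(*frag)` bytes out of `frag` stays inside the packet. If the caller does not already validate that the fragment payload fits in the buffer it was parsed from (not visible in this hunk), a peer-controlled `len` larger than the packet reads past it; the check should become `if (ntohs(frag->len) < sizeof(*frag) || ntohs(frag->len) > <remaining bytes in the received message>)`. isakmp_frag_extract's body starts and ends outside the hunk.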
item->frag_last = (frag->flags & ISAKMP_FRAG_LAST);
item->frag_next = NULL;
item->frag_packet = buf;
+ item->frag_id = ntohs(frag->unknown1);
/* Look for the last frag while inserting the new item in the chain */
if (item->frag_last)
if (item != NULL) /* It is complete */
return 1;
}
-
+
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "%s: processed %d fragments\n", __FUNCTION__, last_frag);
+
return 0;
}
data += item->frag_packet->l;
}
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "%s: processed %d fragments\n", __FUNCTION__, frag_count);
+
out:
item = iph1->frag_chain;
- do {
+
+ while (item != NULL) {
struct isakmp_frag_item *next_item;
next_item = item->frag_next;
racoon_free(item);
item = next_item;
- } while (item != NULL);
+ }
iph1->frag_chain = NULL;
{
int *capp;
size_t len;
+ int hashlen_bytes = eay_md5_hashlen() >> 3;
/* If the capability has not been added, add room now */
len = buf->l;
- if (len == MD5_DIGEST_LENGTH) {
+ if (len == hashlen_bytes) {
if ((buf = vrealloc(buf, len + sizeof(cap))) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"Cannot allocate memory\n");
*capp = htonl(0);
}
- capp = (int *)(buf->v + MD5_DIGEST_LENGTH);
+ capp = (int *)(buf->v + hashlen_bytes);
*capp |= htonl(cap);
return buf;
}
+int
+sendfragsfromto(s, buf, local, remote, count_persend, frag_flags)
+ int s;
+ vchar_t *buf;
+ struct sockaddr *local;
+ struct sockaddr *remote;
+ int count_persend;
+ u_int32_t frag_flags;
+{
+ struct isakmp *main_hdr;
+ struct isakmp *hdr;
+ struct isakmp_frag *fraghdr;
+ caddr_t data;
+ caddr_t sdata;
+ size_t datalen;
+ size_t max_datalen;
+ size_t fraglen;
+ vchar_t *frag;
+ unsigned int trailer;
+ unsigned int fragnum = 0;
+ size_t len;
+#ifdef ENABLE_NATT
+ size_t extralen = (frag_flags & FRAG_PUT_NON_ESP_MARKER)? NON_ESP_MARKER_LEN : 0;
+#else
+ size_t extralen = 0;
+#endif
+
+ /*
+ * fragmented packet must have the same exchange type (amongst other fields in the header).
+ */
+ main_hdr = (struct isakmp *)buf->v;
+
+ /*
+ * We want to send a a packet smaller than ISAKMP_FRAG_MAXLEN
+ * First compute the maximum data length that will fit in it
+ */
+ max_datalen = ISAKMP_FRAG_MAXLEN -
+ (sizeof(*main_hdr) + sizeof(*fraghdr));
+
+ sdata = buf->v;
+ len = buf->l;
+
+ while (len > 0) {
+ fragnum++;
+
+ if (len > max_datalen)
+ datalen = max_datalen;
+ else
+ datalen = len;
+
+ fraglen = sizeof(*hdr) + sizeof(*fraghdr) + datalen;
+
+ if ((frag = vmalloc(fraglen)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot allocate memory\n");
+ return -1;
+ }
+
+ hdr = (struct isakmp *)frag->v;
+ bcopy(main_hdr, hdr, sizeof(*hdr));
+ hdr->len = htonl(frag->l);
+ hdr->np = ISAKMP_NPTYPE_FRAG;
+
+ fraghdr = (struct isakmp_frag *)(hdr + 1);
+ fraghdr->unknown0 = 0;
+ fraghdr->len = htons(fraglen - sizeof(*hdr));
+ fraghdr->unknown1 = htons(1);
+ fraghdr->index = fragnum;
+ if (len == datalen)
+ fraghdr->flags = ISAKMP_FRAG_LAST;
+ else
+ fraghdr->flags = 0;
+
+ data = (caddr_t)(fraghdr + 1);
+ memcpy(data, sdata, datalen);
+
+#ifdef ENABLE_NATT
+ /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
+ must added just before the packet itself. For this we must
+ allocate a new buffer and release it at the end. */
+ if (extralen) {
+ vchar_t *vbuf;
+
+ if ((vbuf = vmalloc(frag->l + extralen)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "%s: vbuf allocation failed\n", __FUNCTION__);
+ vfree(frag);
+ return -1;
+ }
+ *(u_int32_t *)vbuf->v = 0; // non-esp marker
+ memcpy(vbuf->v + extralen, frag->v, frag->l);
+ vfree(frag);
+ frag = vbuf;
+ }
+#endif
+
+ if (sendfromto(s, frag->v, frag->l, local, remote, count_persend) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
+ vfree(frag);
+ return -1;
+ }
+
+ vfree(frag);
+
+ len -= datalen;
+ sdata += datalen;
+ }
+
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "%s: processed %d fragments\n", __FUNCTION__, fragnum);
+
+ return fragnum;
+}
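Review bot: `sendfragsfromto` stores `fragnum` into the 8-bit `fraghdr->index` without checking that it fits, so a buffer larger than 255 * `max_datalen` silently produces wrapping fragment indices the peer cannot reassemble; a guard before the assignment such as `if (fragnum > UINT8_MAX) { vfree(frag); return -1; }` fails loudly instead. The function also duplicates the body of `isakmp_sendfrags` almost line for line (header copy, fragment header fill, NAT-T non-ESP marker, send loop); having `isakmp_sendfrags` resolve the socket and flags and then call `sendfragsfromto` would leave one copy to maintain. A short header comment stating the contract is missing: `buf` holds a complete ISAKMP message whose header is copied into every fragment, `frag_flags` selects the non-ESP marker, and the return is the fragment count or -1.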
* SUCH DAMAGE.
*/
+#ifndef _ISAKMP_FRAG_H
+#define _ISAKMP_FRAG_H
+
/* These are the values from parsing "remote {}"
block of the config file. */
#define ISAKMP_FRAG_OFF FLASE /* = 0 */
#define VENDORID_FRAG_BASE 0x40000000
#define VENDORID_FRAG_AGG 0x80000000
-#define ISAKMP_FRAG_MAXLEN 552
+#define ISAKMP_FRAG_MAXLEN 1280 // TODO: make configurable (for now, use 1280 to make enough room for typical overhead)
+
+#define FRAG_PUT_NON_ESP_MARKER 1
struct isakmp_frag_item {
int frag_num;
int frag_last;
+ u_int16_t frag_id;
struct isakmp_frag_item *frag_next;
vchar_t *frag_packet;
};
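Review bot: `ISAKMP_FRAG_MAXLEN` is the size of the ISAKMP fragment itself, so with the new value each fragment goes on the wire as 1280 bytes plus UDP and IP headers (and the 4-byte non-ESP marker when NAT-T floats ports), which exceeds the 1280-byte IPv6 minimum MTU the number appears to be chosen for; the TODO's "enough room for typical overhead" reads as if those headers were included. If the intent is to avoid IP-level fragmentation the constant should be derived as MTU minus those headers, otherwise the comment should say the value is the fragment payload size and that IP fragmentation is accepted. The new `frag_id` field also lacks a comment; `/* fragment id copied from isakmp_frag.unknown1 at extract time */` would tie it to where it is set.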
int isakmp_frag_extract(struct ph1handle *, vchar_t *);
vchar_t *isakmp_frag_reassembly(struct ph1handle *);
vchar_t *isakmp_frag_addcap(vchar_t *, int);
+int sendfragsfromto(int s, vchar_t *, struct sockaddr *, struct sockaddr *, int, u_int32_t);
+
+#endif /* _ISAKMP_FRAG_H */
#include "vpn_control_var.h"
#include "ipsecSessionTracer.h"
#include "ipsecMessageTracer.h"
+#ifndef HAVE_OPENSSL
+#include <Security/SecDH.h>
+#endif
static vchar_t *ident_ir2mx __P((struct ph1handle *));
static vchar_t *ident_ir3mx __P((struct ph1handle *));
#ifdef ENABLE_DPD
if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
iph1->dpd_support=1;
+#endif
+#ifdef ENABLE_FRAG
+ if ((vid_numeric == VENDORID_FRAG) &&
+ (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remote supports FRAGMENTATION\n");
+ iph1->frag = 1;
+ }
#endif
break;
default:
sizeof(cookie_t));
/* generate DH public value */
+#ifdef HAVE_OPENSSL
if (oakley_dh_generate(iph1->approval->dhgrp,
&iph1->dhpub, &iph1->dhpriv) < 0) {
+#else
+ if (oakley_dh_generate(iph1->approval->dhgrp,
+ &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to generate DH");
goto end;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
#ifdef ENABLE_NATT
case ISAKMP_NPTYPE_NATD_DRAFT:
case ISAKMP_NPTYPE_NATD_RFC:
-#ifdef __APPLE__
case ISAKMP_NPTYPE_NATD_BADDRAFT:
-#endif
if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
pa->type == iph1->natt_options->payload_nat_d) {
natd_received = NULL;
}
/* compute sharing secret of DH */
+#ifdef HAVE_OPENSSL
if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#else
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to compute DH");
goto end;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
#ifdef HAVE_GSSAPI
vchar_t *gsstoken = NULL;
#endif
+ int received_cert = 0;
/* validity check */
if (iph1->status != PHASE1ST_MSG3SENT) {
"failed to process CERT payload");
goto end;
}
+ received_cert = 1;
break;
case ISAKMP_NPTYPE_SIG:
if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
}
}
+ if (received_cert) {
+ oakley_verify_certid(iph1);
+ }
+
/* payload existency check */
/* verify identifier */
if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
natt_handle_vendorid(iph1, vid_numeric);
#endif
-#ifdef ENABLE_FRAG
- if ((vid_numeric == VENDORID_FRAG) &&
- (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT))
- iph1->frag = 1;
-#endif
#ifdef ENABLE_HYBRID
switch (vid_numeric) {
case VENDORID_XAUTH:
#ifdef ENABLE_DPD
if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
iph1->dpd_support=1;
+#endif
+#ifdef ENABLE_FRAG
+ if ((vid_numeric == VENDORID_FRAG) &&
+ (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remote supports FRAGMENTATION\n");
+ iph1->frag = 1;
+ }
#endif
break;
default:
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
#ifdef ENABLE_NATT
case ISAKMP_NPTYPE_NATD_DRAFT:
case ISAKMP_NPTYPE_NATD_RFC:
-#ifdef __APPLE__
case ISAKMP_NPTYPE_NATD_BADDRAFT:
-#endif
if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
pa->type == iph1->natt_options->payload_nat_d)
{
}
/* generate DH public value */
+#ifdef HAVE_OPENSSL
if (oakley_dh_generate(iph1->approval->dhgrp,
&iph1->dhpub, &iph1->dhpriv) < 0) {
+#else
+ if (oakley_dh_generate(iph1->approval->dhgrp,
+ &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to generate DH");
goto end;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
/* compute sharing secret of DH */
- if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#ifdef HAVE_OPENSSL
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
+ iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#else
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to compute DH");
goto end;
#ifdef HAVE_GSSAPI
vchar_t *gsstoken = NULL;
#endif
+ int received_cert = 0;
/* validity check */
if (iph1->status != PHASE1ST_MSG2SENT) {
"failed to process CERT payload");
goto end;
}
+ received_cert = 1;
break;
case ISAKMP_NPTYPE_SIG:
if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
}
}
+ if (received_cert) {
+ oakley_verify_certid(iph1);
+ }
+
/* payload existency check */
/* XXX same as ident_i4recv(), should be merged. */
{
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
-#ifdef __APPLE__
/* old Apple version sends natd payloads in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
} else
-#endif
{
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
/* add CERT payload if there */
+ // we don't support sending of certchains
if (need_cert)
plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
/* add SIG payload */
#include <sys/param.h>
#include <sys/socket.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <netinet/in.h>
#include <sys/queue.h>
#ifndef HAVE_NETINET6_IPSEC
struct isakmp_gen *nd;
u_int8_t np;
int encrypted;
- int flag;
+ int flag = 0;
plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n");
ivm = oakley_newiv2(iph1, ((struct isakmp *)msg0->v)->msgid);
if (ivm == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to compute IV");
+ "failed to compute IV\n");
IPSECSESSIONTRACEREVENT(iph1->parent_session,
IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
CONSTSTR("Information message"),
oakley_delivm(ivm);
if (msg == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to decrypt packet");
+ "failed to decrypt packet\n");
IPSECSESSIONTRACEREVENT(iph1->parent_session,
IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
CONSTSTR("Information message"),
}
break;
case ISAKMP_NTYPE_INITIAL_CONTACT:
- if (encrypted)
+ if (encrypted) {
info_recv_initialcontact(iph1);
return 0;
+ }
break;
#ifdef ENABLE_DPD
case ISAKMP_NTYPE_R_U_THERE:
return 0;
}
+#ifdef ENABLE_VPNCONTROL_PORT
+static
+void
+isakmp_info_vpncontrol_notify_ike_failed (struct ph1handle *iph1,
+ int isakmp_info_initiator,
+ int type,
+ vchar_t *data)
+{
+ u_int32_t address;
+ u_int32_t fail_reason;
+
+ /* notify the API that we have received the delete */
+ if (iph1->remote->sa_family == AF_INET)
+ address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr;
+ else
+ address = 0;
+
+ if (isakmp_info_initiator == FROM_REMOTE) {
+ int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE);
+ int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED);
+
+ if (premature) {
+ fail_reason = VPNCTL_NTYPE_LOCAL_CERT_PREMATURE;
+ } else if (expired) {
+ fail_reason = VPNCTL_NTYPE_LOCAL_CERT_EXPIRED;
+ } else {
+ fail_reason = type;
+ }
+ vpncontrol_notify_ike_failed(fail_reason, isakmp_info_initiator, address, 0, NULL);
+ return;
+ } else {
+ /* FROM_LOCAL */
+ if (type == ISAKMP_INTERNAL_ERROR ||
+ type <= ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS) {
+ int premature = oakley_find_status_in_certchain(iph1->cert_p, CERT_STATUS_PREMATURE);
+ int expired = oakley_find_status_in_certchain(iph1->cert_p, CERT_STATUS_EXPIRED);
+ int subjname = oakley_find_status_in_certchain(iph1->cert_p, CERT_STATUS_INVALID_SUBJNAME);
+ int subjaltname = oakley_find_status_in_certchain(iph1->cert_p, CERT_STATUS_INVALID_SUBJALTNAME);
+
+ if (premature) {
+ fail_reason = VPNCTL_NTYPE_PEER_CERT_PREMATURE;
+ } else if (expired) {
+ fail_reason = VPNCTL_NTYPE_PEER_CERT_EXPIRED;
+ } else if (subjname) {
+ fail_reason = VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJNAME;
+ } else if (subjaltname) {
+ fail_reason = VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJALTNAME;
+ } else {
+ fail_reason = type;
+ }
+ (void)vpncontrol_notify_ike_failed(fail_reason, isakmp_info_initiator, address,
+ (data ? data->l : 0), (u_int8_t *)(data ? data->v : NULL));
+ return;
+ }
+ }
+}
+#endif /* ENABLE_VPNCONTROL_PORT */
+
/*
* handling of Deletion payload
*/
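Review bot: The comment `/* notify the API that we have received the delete */` at the top of `isakmp_info_vpncontrol_notify_ike_failed` describes only the FROM_REMOTE use; the function is also called with FROM_LOCAL from the notify-send paths, where nothing was received. Replace it with a header that states the actual contract, e.g. `/* Map an IKE failure to a VPN-control reason code, preferring a local (FROM_REMOTE) or peer (FROM_LOCAL) certificate status over type, and notify the controller; FROM_LOCAL notifications are sent only for error-class types. */`. The `else` after the unconditional `return` in the FROM_REMOTE branch is redundant and the trailing `return;` inside it can go. `oakley_find_status_in_certchain` is now called on `iph1->cert` / `iph1->cert_p` without the NULL check the replaced code had on `iph1->cert`; that is fine only if the helper accepts a NULL chain, which is not visible here and worth confirming.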
* Just delete the IKE SA.
*/
#ifdef ENABLE_VPNCONTROL_PORT
-
- if (del_ph1->started_by_api)
+ if (del_ph1->started_by_api || (del_ph1->is_rekey && del_ph1->parent_session && del_ph1->parent_session->is_client)) {
if (islast_ph1(del_ph1)) {
- u_int32_t address;
-
- /* notify the API that we have received the delete */
- if (iph1->remote->sa_family == AF_INET)
- address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr;
- else
- address = 0;
- if (iph1->cert && IS_CERT_STATUS_ERROR(iph1->cert->status)) {
- vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PH1_DELETE_CERT_ERROR + iph1->cert->status, FROM_REMOTE, address, 0, NULL);
- } else {
- vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PH1_DELETE, FROM_REMOTE, address, 0, NULL);
- }
+ isakmp_info_vpncontrol_notify_ike_failed(del_ph1, FROM_REMOTE, VPNCTL_NTYPE_PH1_DELETE, NULL);
}
+ }
#endif
isakmp_ph1expire(del_ph1);
}
isakmp_newcookie((char *)&iph1->index.r_ck, remote, local);
iph1->status = PHASE1ST_START;
iph1->rmconf = rmconf;
-#ifdef __APPLE__
if (link_rmconf_to_ph1(rmconf) < 0) {
IPSECSESSIONTRACEREVENT(sess,
IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
error = -1;
goto end;
}
-#endif
iph1->side = INITIATOR;
iph1->version = isakmp->v;
iph1->flags = 0;
memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);
#ifdef ENABLE_VPNCONTROL_PORT
- {
- u_int32_t address;
- if (type == ISAKMP_INTERNAL_ERROR ||
- type <= ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS) {
- if (remote->sa_family == AF_INET)
- address = ((struct sockaddr_in *)remote)->sin_addr.s_addr;
- else
- address = 0;
- (void)vpncontrol_notify_ike_failed(type, FROM_LOCAL, address,
- (data ? data->l : 0), (data ? data->v : NULL));
- }
- }
+ isakmp_info_vpncontrol_notify_ike_failed(iph1, FROM_LOCAL, type, data);
#endif
error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);
#ifdef ENABLE_VPNCONTROL_PORT
- {
- u_int32_t address;
-
- if (type == ISAKMP_INTERNAL_ERROR ||
- type <= ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS) {
- if (iph1->remote->sa_family == AF_INET)
- address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
- else
- address = 0;
- (void)vpncontrol_notify_ike_failed(type, FROM_LOCAL, address,
- (data ? data->l : 0), (data ? data->v : NULL));
- }
- }
+ isakmp_info_vpncontrol_notify_ike_failed(iph1, FROM_LOCAL, type, data);
#endif
error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags);
"purge_ipsec_spi:\n");
plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str(dst0));
plog(LLV_DEBUG2, LOCATION, NULL, "SPI: %08X\n", ntohl(spi[0]));
+ plog(LLV_DEBUG2, LOCATION, NULL, "num SPI: %d\n", n);
buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto));
if (buf == NULL) {
/* don't delete inbound SAs at the moment */
/* XXX should we remove SAs with opposite direction as well? */
if (CMPSADDR2(dst0, dst)) {
+ plog(LLV_DEBUG2, LOCATION, NULL, "skipped dst: %s\n", saddr2str(dst));
msg = next;
continue;
}
}
plog(LLV_DEBUG, LOCATION, NULL, "received an R-U-THERE-ACK\n");
+#ifdef ENABLE_VPNCONTROL_PORT
+ vpncontrol_notify_peer_resp_ph1(1, iph1);
+#endif /* ENABLE_VPNCONTROL_PORT */
+
return 0;
}
}
/*
- * monitor DPD (ALGORITHM_INBOUND_DETECT) Informational exchange.
+ * monitor DPD (ALGORITHM_BLACKHOLE_DETECT) Informational exchange.
*/
static void
isakmp_info_monitor_r_u_algo_blackhole_detect (struct ph1handle *iph1)
#include "nattraversal.h"
#include "ipsecSessionTracer.h"
#include "ipsecMessageTracer.h"
+#ifndef HAVE_OPENSSL
+#include <Security/SecDH.h>
+#endif
/* quick mode */
static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
"failed to set DH value.\n");
goto end;
}
+#ifdef HAVE_OPENSSL
if (oakley_dh_generate(iph2->pfsgrp,
- &iph2->dhpub, &iph2->dhpriv) < 0) {
+ &iph2->dhpub, &iph2->dhpriv) < 0) {
+#else
+ if (oakley_dh_generate(iph2->pfsgrp,
+ &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to generate DH");
goto end;
/* allocate buffer for computing HASH(2) */
tlen = iph2->nonce->l
+ ntohl(isakmp->len) - sizeof(*isakmp);
+ if (tlen < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid length (%d,%d) while getting hash buffer.\n",
+ iph2->nonce->l, ntohl(isakmp->len));
+ goto end;
+ }
hbuf = vmalloc(tlen);
if (hbuf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
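Review bot: The new `tlen < 0` guard at L6001 only works if `tlen` is a signed type, and its declaration is outside the hunk: `iph2->nonce->l + ntohl(isakmp->len) - sizeof(*isakmp)` is evaluated as `size_t`, so an undersized `len` wraps to a huge unsigned value and only becomes negative through the implicit conversion on assignment. A type-independent check compares before subtracting, `if (ntohl(isakmp->len) < sizeof(*isakmp)) { plog(...); goto end; }`, and then computes `tlen`. The `%d` conversions at L6003-L6004 are also fed a `u_int32_t` from `ntohl`, where `%u` is the matching specifier. The enclosing function starts and ends outside the hunk.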
if (f_id == 0 && (iph2->ph1->natt_flags & NAT_DETECTED_ME)) {
if (lcconf->ext_nat_id)
vfree(lcconf->ext_nat_id);
+ if (idp_ptr->h.len < sizeof(struct isakmp_gen)) {
+ plog(LLV_ERROR, LOCATION, NULL, "invalid length (%d) while allocating external nat id.\n", idp_ptr->h.len);
+ goto end;
+ }
lcconf->ext_nat_id = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
if (lcconf->ext_nat_id == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating external nat id.\n");
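Review bot: The length check at L6013 compares the raw network-order `idp_ptr->h.len`, while the allocation at L6017 uses `ntohs(idp_ptr->h.len)`; on a little-endian host the guard tests the byte-swapped value, so an undersized payload length still reaches the `ntohs(...) - sizeof(struct isakmp_gen)` subtraction, which wraps to a huge `vmalloc` size. The guard should be `if (ntohs(idp_ptr->h.len) < sizeof(struct isakmp_gen)) {` and the log line at L6014 should print `ntohs(idp_ptr->h.len)` for the same reason. Whether `isakmp_parse` already validated this payload's length is not visible here, but the check is only meaningful if it tests the same value the allocation uses. The enclosing function starts and ends outside the hunk.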
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
iph2->sendbuf, msg0,
- PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
+ PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
if (msg == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to decrypt packet");
+ "failed to decrypt packet\n");
goto end;
}
pbuf = isakmp_parse(msg);
if (pbuf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to parse msg");
+ "failed to parse msg\n");
goto end;
}
vfree(tmp);
if (my_hash == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to compute HASH");
+ "failed to compute HASH\n");
goto end;
}
msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
if (msg == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to decrypt packet");
+ "failed to decrypt packet\n");
goto end;
}
pbuf = isakmp_parse(msg);
if (pbuf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to parse msg");
+ "failed to parse msg\n");
goto end;
}
pa = (struct isakmp_parse_t *)pbuf->v;
/* allocate buffer for computing HASH(1) */
tlen = ntohl(isakmp->len) - sizeof(*isakmp);
+ if (tlen < 0) {
+ plog(LLV_ERROR, LOCATION, NULL, "invalid length (%d) while extracting hash.\n",
+ ntohl(isakmp->len));
+ goto end;
+ }
hbuf = vmalloc(tlen);
if (hbuf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
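Review bot: The `tlen < 0` test at L6066 depends on `tlen` being signed (its declaration is not in the hunk); `ntohl(isakmp->len) - sizeof(*isakmp)` is computed as `size_t`, so the wrap only turns negative through the conversion on assignment at L6065. Checking `if (ntohl(isakmp->len) < sizeof(*isakmp))` before the subtraction is independent of `tlen`'s type and is also what the error message at L6067 is really describing. The `%d` at L6067 formats a `u_int32_t`; `%u` matches. The enclosing function starts and ends outside the hunk.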
}
if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to process SA payload");
+ "failed to process SA payload\n");
goto end;
}
break;
case ISAKMP_NPTYPE_NONCE:
if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to process NONCE payload");
+ "failed to process NONCE payload\n");
goto end;
}
break;
case ISAKMP_NPTYPE_KE:
if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to process KE payload");
+ "failed to process KE payload\n");
goto end;
}
break;
if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to process IDci2 payload");
+ "failed to process IDci2 payload\n");
goto end;
}
if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to process IDcr2 payload");
+ "failed to process IDcr2 payload\n");
goto end;
}
} else {
my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
if (my_hash == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to compute HASH");
+ "failed to compute HASH\n");
goto end;
}
goto end;
}
/* generate DH public value */
+#ifdef HAVE_OPENSSL
if (oakley_dh_generate(iph2->pfsgrp,
&iph2->dhpub, &iph2->dhpriv) < 0) {
+#else
+ if (oakley_dh_generate(iph2->pfsgrp,
+ &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to generate DH public");
goto end;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1,
- PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
+ PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
if (msg == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to decrypt packet");
+ "failed to decrypt packet\n");
goto end;
}
pbuf = isakmp_parse(msg);
if (pbuf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to parse msg");
+ "failed to parse msg\n");
goto end;
}
vfree(tmp);
if (my_hash == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to compute HASH");
+ "failed to compute HASH\n");
goto end;
}
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0,
- PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
+ PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
iph2->sainfo = anonymous;
}
-#ifdef __APPLE__
if (link_sainfo_to_ph2(iph2->sainfo) != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to link sainfo\n");
iph2->sainfo = NULL;
goto end;
}
-#endif
#ifdef ENABLE_HYBRID
/* xauth group inclusion check */
extern vchar_t *isakmp_parsewoh __P((int, struct isakmp_gen *, int));
extern vchar_t *isakmp_parse __P((vchar_t *));
-#ifndef __APPLE__
-extern int isakmp_init __P((void));
-#else
-extern int isakmp_init __P((int));
-#endif /* __APPLE__ */
+extern int isakmp_init __P((int, int *));
extern void isakmp_cleanup __P((void));
extern const char *isakmp_pindex __P((const isakmp_index *, const u_int32_t));
-extern int isakmp_open __P((void));
+extern int isakmp_open __P((int *));
extern void isakmp_close __P((void));
-#ifdef __APPLE__
extern void isakmp_close_sockets __P((void));
extern void isakmp_close_unused __P((void));
-#endif
extern int isakmp_send __P((struct ph1handle *, vchar_t *));
extern void isakmp_ph1resend_stub __P((void *));
extern vchar_t *isakmp_plist_set_all __P((struct payload_list **plist,
struct ph1handle *iph1));
extern vchar_t *isakmp_plist_append_initial_contact __P((struct ph1handle *,
- struct payload_list *));
+ struct payload_list *));
#ifdef HAVE_PRINT_ISAKMP_C
extern void isakmp_printpacket __P((vchar_t *, struct sockaddr *,
switch (isakmp_cfg_config.authsource) {
case ISAKMP_CFG_AUTH_SYSTEM:
+#ifdef HAVE_OPENSSL
res = privsep_xauth_login_system(usr, pwd);
+#else
+ res = xauth_login_system(usr, pwd);
+#endif
break;
#ifdef HAVE_LIBRADIUS
case ISAKMP_CFG_AUTH_RADIUS:
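Review bot: On the non-OpenSSL build the system-password check is now made in-process via `xauth_login_system` (L6210) instead of through `privsep_xauth_login_system`; if that build still runs with privilege separation this moves the code that reads the password database across the privsep boundary, and if it does not, the reason belongs next to the `#ifdef`. A one-line comment such as `/* no privsep helper on the non-OpenSSL build: authenticate in-process */` would record which of the two it is. Keying a privsep decision on `HAVE_OPENSSL` also hides the intent; a symbol named for privilege separation would read better. The enclosing switch starts and ends outside the hunk.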
struct xauth_state *xst = &iph1->mode_cfg->xauth;
char *usr = xst->authdata.generic.usr;
+ if (iph1->is_dying) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "dropped login for user \"%s\"\n", usr);
+ return -1;
+ }
+
if (res != 0) {
if (port != -1)
isakmp_cfg_putport(iph1, port);
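Review bot: The new early return for `iph1->is_dying` (L6217-L6221) exits before the `isakmp_cfg_putport(iph1, port)` call at L6224-L6225, so a port already assigned for this login is not returned on that path; unless the handle's teardown releases it elsewhere (not visible here), the port is leaked from the pool. Adding `if (port != -1) isakmp_cfg_putport(iph1, port);` before the `return -1`, or moving the `is_dying` check below the existing putport, closes that. The `%s` in the log line at L6219 also assumes `usr` is non-NULL, which nothing in the hunk establishes. The enclosing function starts and ends outside the hunk.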
((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr, 0, NULL);
iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
+
+ IPSECLOGASLMSG("IPSec Extended Authentication Failed.\n");
} else {
IPSECSESSIONTRACEREVENT(iph1->parent_session,
IPSECSESSIONEVENTCODE_IKEV1_XAUTH_SUCC,
if (iph1->is_rekey) {
xst->status = XAUTHST_OK;
}
+
+ IPSECLOGASLMSG("IPSec Extended Authentication Passed.\n");
}
#include <netinet/in.h>
#include <arpa/inet.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <stdlib.h>
#include <stdio.h>
* Dumb plog functions (used by sockmisc.c)
*/
void
-plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
+plog_func(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
{
va_list ap;
#include "gcmalloc.h"
#include "session.h"
-#ifdef __APPLE__
#include <CoreFoundation/CoreFoundation.h>
#if HAVE_SECURITY_FRAMEWORK
#include <Security/Security.h>
#else
typedef void * SecKeychainRef;
#endif
-#endif
struct localconf *lcconf;
char *id;
vchar_t *key = NULL;
+ plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key by name.\n");
+
id = racoon_calloc(1, 1 + id0->l - sizeof(struct ipsecdoi_id_b));
if (id == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
id0->l - sizeof(struct ipsecdoi_id_b));
id[id0->l - sizeof(struct ipsecdoi_id_b)] = '\0';
+#ifdef HAVE_OPENSSL
key = privsep_getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b));
+#else
+ key = getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b));
+#endif
end:
if (id)
return key;
}
-#if defined(__APPLE__) && HAVE_KEYCHAIN
+#if HAVE_KEYCHAIN
/*
* get PSK from keyChain.
*/
OSStatus status;
char serviceName[] = "com.apple.net.racoon";
+ plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key from keychain.\n");
+
status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem);
if (status != noErr) {
plog(LLV_ERROR, LOCATION, NULL,
if (secrettype == SECRETTYPE_KEYCHAIN_BY_ID && etype == ISAKMP_ETYPE_AGG) {
/* try looking up based on peers id */
- char* peer_id;
+ char* peer_id = NULL;
int idlen = id_p->l - sizeof(struct ipsecdoi_id_b);
u_int8_t id_type = ((struct ipsecdoi_id_b *)(id_p->v))->type;
case IPSECDOI_ID_FQDN:
case IPSECDOI_ID_USER_FQDN:
case IPSECDOI_ID_KEY_ID:
- peer_id = racoon_malloc(idlen);
+ peer_id = racoon_malloc(1 + idlen);
if (peer_id == NULL)
goto end;
memcpy(peer_id, id_p->v + sizeof(struct ipsecdoi_id_b), idlen);
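Review bot: The extra byte in `racoon_malloc(1 + idlen)` at L6306 only helps if a terminator is actually written after the `memcpy` at L6309; that store (`peer_id[idlen] = '\0';`) is not in the hunk and needs confirming, since the lookup that consumes `peer_id` presumably treats it as a C string. `idlen` is an `int` computed from `id_p->l - sizeof(struct ipsecdoi_id_b)` (L6300); if `id_p->l` can be smaller than the header the value goes negative and `1 + idlen` becomes a huge `size_t`, so `if (idlen <= 0) goto end;` before the allocation is cheap insurance unless the caller already validates it. The enclosing function starts and ends outside the hunk.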
&cur_password_len,
&cur_password,
NULL);
-
+ if (peer_id)
+ racoon_free(peer_id);
if (status == noErr)
goto end;
/* otherwise fall through to use the default value */
end:
if (cur_password) {
- key = vmalloc(cur_password_len + 1);
+ key = vmalloc(cur_password_len);
if (key == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate key buffer.\n");
- } else {
- memcpy(key->v, cur_password, key->l);
- key->v[cur_password_len] = 0;
- }
+ } else
+ memcpy(key->v, cur_password, cur_password_len);
free(cur_password);
}
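Review bot: `free(cur_password)` at L6332 releases a buffer holding the pre-shared key without clearing it, so the secret stays readable in freed heap memory; the argument tail at L6310-L6312 looks like `SecKeychainFindGenericPassword`, whose password data is documented to be released with `SecKeychainItemFreeContent(NULL, cur_password)` rather than `free()`, which should be confirmed. Suggested: `memset(cur_password, 0, cur_password_len);` followed by the matching release call. Dropping the trailing NUL (L6322, L6331) also means `key->v` is no longer a C string; a comment such as `/* PSK is binary: key->l bytes, not NUL-terminated */` would stop a consumer from calling `strlen` on it. The enclosing function starts outside the hunk.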
vchar_t *key = NULL;
char addr[NI_MAXHOST], port[NI_MAXSERV];
+ plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key by addr.\n");
+
GETNAMEINFO(remote, addr, port);
+#ifdef HAVE_OPENSSL
key = privsep_getpsk(addr, strlen(addr));
+#else
+ key = getpsk(addr, strlen(addr));
+#endif
return key;
}
char *p, *q;
size_t keylen;
char *k = NULL;
+
+ plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key from file.\n");
if (safefile(lcconf->pathinfo[LC_PATHTYPE_PSK], 1) == 0)
fp = fopen(lcconf->pathinfo[LC_PATHTYPE_PSK], "r");
#define LC_DEFAULT_PAD_STRICT FALSE
#define LC_DEFAULT_PAD_EXCLTAIL TRUE
#define LC_DEFAULT_RETRY_COUNTER 5
-#define LC_DEFAULT_RETRY_INTERVAL 10
+#define LC_DEFAULT_RETRY_INTERVAL 2
#define LC_DEFAULT_COUNT_PERSEND 1
#define LC_DEFAULT_RETRY_CHECKPH1 30
#define LC_DEFAULT_WAIT_PH2COMPLETE 30
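Review bot: Changing `LC_DEFAULT_RETRY_INTERVAL` from 10 to 2 with `LC_DEFAULT_RETRY_COUNTER` still 5 (L6355) cuts the default retransmission window from roughly 50 s to about 10 s before an exchange is given up, and it quintuples the retransmit rate toward peers that do not answer; neither consequence is recorded anywhere. A comment on the define stating the rationale and the resulting total, e.g. `/* 2 s x 5 retries: give up after ~10 s (was 10 s x 5); raise the timer interval in racoon.conf on lossy links */`, lets the next maintainer judge the trade-off. How configurations override this is outside the hunk.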
extern void flushlcconf __P((void));
extern vchar_t *getpskbyname __P((vchar_t *));
extern vchar_t *getpskbyaddr __P((struct sockaddr *));
-#if defined(__APPLE__) && HAVE_KEYCHAIN
+#if HAVE_KEYCHAIN
extern vchar_t *getpskfromkeychain __P((const char *, u_int8_t, int, vchar_t *));
#endif
extern void getpathname __P((char *, int, int, const char *));
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/stat.h>
#include <stdlib.h>
#include <stdio.h>
#include "var.h"
#include "gcmalloc.h"
+#define MAX_LOG_FILESIZE_BYTES 2097152 // 2MB
+#define MAX_LOG_FILESIZE_KBYTES (MAX_LOG_FILESIZE_BYTES/1024)
+#define MAX_LOG_FILESIZE_MBYTES (MAX_LOG_FILESIZE_BYTES/(1024 * 1024))
+#define LOG_DISCARD_BYTES (MAX_LOG_FILESIZE_BYTES/3)
+
+static int log_flush (struct log *p, int newbytes)
+{
+ struct stat st;
+ int good = 0;
+
+ if (!p || !p->fp) {
+ return -1;
+ }
+
+ if (!p->byteswritten) {
+ bzero(&st, sizeof(st));
+ if (fstat(fileno(p->fp), &st) < 0) {
+ return -1;
+ }
+ if (st.st_size < 0) {
+ return -1;
+ }
+ p->byteswritten = st.st_size;
+ }
+ if (newbytes > 0) {
+ p->byteswritten += newbytes;
+ }
+
+ if (p->byteswritten > MAX_LOG_FILESIZE_BYTES) {
+ // hack to delete the first 1/3 of the file: won't work on some devices because malloc(MAX_LOG_FILESIZE_BYTES) fails
+ char *buf = NULL;
+ size_t discard, saved = 0;
+ FILE *fp;
+
+ // calc how much to seek into the file
+ discard = p->byteswritten/3;
+ if (discard < LOG_DISCARD_BYTES) {
+ discard = LOG_DISCARD_BYTES;
+ }
+ fp = fopen(p->fname, "r");
+ // get a temp buffer to hold the last 2/3 of the file
+ buf = malloc(MAX_LOG_FILESIZE_BYTES);
+ // seek into the file (skipping the first 1/3 of the file)
+ if (fp && buf) {
+ if (fseeko(fp, discard, SEEK_SET) == 0) {
+ // try reading as much as possible.. shouldn't fill up buffer
+ saved = fread(buf, MAX_LOG_FILESIZE_BYTES, sizeof(*buf), fp);
+ // p->byteswritten may be inaccurate (e.g another stream is writing to the file)
+ if (saved == MAX_LOG_FILESIZE_BYTES) {
+ saved = 0;
+ }
+ }
+ }
+ if (fp) {
+ fclose(fp);
+ }
+
+ p->byteswritten = 0;
+ (void)fpurge(p->fp);
+ // delete file and start appending logs again
+ p->fp = freopen(p->fname, "wa", p->fp);
+ if (p->fp == NULL)
+ return -1;
+ fprintf(p->fp, "logfile turned over due to size>%d%s\n",
+ (MAX_LOG_FILESIZE_MBYTES > 0)? MAX_LOG_FILESIZE_MBYTES:MAX_LOG_FILESIZE_KBYTES,
+ (MAX_LOG_FILESIZE_MBYTES > 0)? "MB":"KB");
+ // append some of the previous logs (if successfully we buffered 2/3 of the file)
+ if (buf && saved) {
+ (void)fwrite(buf, saved, sizeof(*buf), p->fp);
+ }
+ if (buf) {
+ free(buf);
+ }
+ }
+ (void)fflush(p->fp);
+ return 0;
+}
+
struct log *
log_open(siz, fname)
size_t siz;
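Review bot: The `fread` at L6422 has its size and count arguments swapped: `fread(buf, MAX_LOG_FILESIZE_BYTES, sizeof(*buf), fp)` asks for one 2 MB item, so a partial tail returns 0 and a full one returns 1, `saved` is never a byte count, the `saved == MAX_LOG_FILESIZE_BYTES` guard at L6424 can never fire, and the `fwrite(buf, saved, sizeof(*buf), p->fp)` at L6444 writes at most one byte — in practice the "keep the last 2/3" rotation discards everything. It should read `saved = fread(buf, 1, MAX_LOG_FILESIZE_BYTES, fp);` and `(void)fwrite(buf, 1, saved, p->fp);`. Two smaller points: `"wa"` at L6436 is not a standard `fopen` mode (Darwin's `fopen` ignores the trailing character, so `"w"` says what actually happens), and the 2 MB `malloc` on every rotation could be replaced by a read/write loop through a small buffer, which would also retire the "won't work on some devices" caveat in the comment at L6405.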
struct log *p;
char *str;
{
- FILE *fp;
+ int bytes;
if (p->fname == NULL)
return -1; /*XXX syslog?*/
- fp = fopen(p->fname, "a");
- if (fp == NULL)
+ if (p->fp == NULL) {
+ p->fp = fopen(p->fname, "a");
+ }
+ if (p->fp == NULL)
return -1;
- fprintf(fp, "%s", str);
- fclose(fp);
+ bytes = fprintf(p->fp, "%s", str);
+ if (log_flush(p, bytes)) {
+ return -1;
+ }
return 0;
}
log_vprint(struct log *p, const char *fmt, ...)
{
va_list ap;
-
- FILE *fp;
+ int bytes;
if (p->fname == NULL)
return -1; /*XXX syslog?*/
- fp = fopen(p->fname, "a");
- if (fp == NULL)
+ if (p->fp == NULL) {
+ p->fp = fopen(p->fname, "a");
+ }
+ if (p->fp == NULL)
return -1;
va_start(ap, fmt);
- vfprintf(fp, fmt, ap);
+ bytes = vfprintf(p->fp, fmt, ap);
va_end(ap);
-
- fclose(fp);
+ if (log_flush(p, bytes)) {
+ return -1;
+ }
return 0;
}
int
log_vaprint(struct log *p, const char *fmt, va_list ap)
{
- FILE *fp;
+ int bytes;
if (p->fname == NULL)
return -1; /*XXX syslog?*/
- fp = fopen(p->fname, "a");
- if (fp == NULL)
+ if (p->fp == NULL) {
+ p->fp = fopen(p->fname, "a");
+ }
+ if (p->fp == NULL)
return -1;
- vfprintf(fp, fmt, ap);
- fclose(fp);
+ bytes = vfprintf(p->fp, fmt, ap);
+ if (log_flush(p, bytes)) {
+ return -1;
+ }
return 0;
}
log_close(p)
struct log *p;
{
- FILE *fp;
int i, j;
char ts[256];
struct tm *tm;
+ int bytes;
if (p->fname == NULL)
goto nowrite;
- fp = fopen(p->fname, "a");
- if (fp == NULL)
+ if (p->fp == NULL) {
+ p->fp = fopen(p->fname, "a");
+ }
+ if (p->fp == NULL)
goto nowrite;
for (i = 0; i < p->siz; i++) {
if (p->buf[j]) {
tm = localtime(&p->tbuf[j]);
strftime(ts, sizeof(ts), "%B %d %T", tm);
- fprintf(fp, "%s: %s\n", ts, p->buf[j]);
- if (*(p->buf[j] + strlen(p->buf[j]) - 1) != '\n')
- fprintf(fp, "\n");
+ bytes = fprintf(p->fp, "%s: %s\n", ts, p->buf[j]);
+ (void)log_flush(p, bytes);
+ if (*(p->buf[j] + strlen(p->buf[j]) - 1) != '\n') {
+ bytes = fprintf(p->fp, "\n");
+ (void)log_flush(p, bytes);
+ }
}
}
- fclose(fp);
nowrite:
log_free(p);
racoon_free(p->tbuf);
if (p->fname)
racoon_free(p->fname);
+ if (p->fp) {
+ fclose(p->fp);
+ }
racoon_free(p);
}
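Review bot: In the loop at L6544-L6558 the return value of `log_flush` is discarded, but `log_flush` can leave `p->fp == NULL` when the `freopen` at L6436 fails, after which the next `fprintf(p->fp, …)` at L6551 or L6554 dereferences a null `FILE *`. Either stop draining on failure, `if (log_flush(p, bytes)) goto nowrite;`, or re-check `p->fp` at the top of each iteration; the `nowrite` path already tolerates a NULL `p->fp` at L6565-L6567. Because rotation can now trigger in the middle of draining the ring buffer, the "logfile turned over" marker may also land between two buffered entries — harmless, but worth a one-line comment.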
int siz;
char **buf;
time_t *tbuf;
+ FILE *fp;
char *fname;
+ off_t byteswritten;
};
extern struct log *log_open __P((size_t, char *));
#include "backupsa.h"
#include "vendorid.h"
-#ifdef __APPLE__
#include <CoreFoundation/CoreFoundation.h>
#include <SystemConfiguration/SystemConfiguration.h>
-#endif
+#ifndef TARGET_OS_EMBEDDED
+#include <sandbox.h>
+#endif // !TARGET_OS_EMBEDDED
+#include "power_mgmt.h"
//#include "package_version.h"
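Review bot: `#ifndef TARGET_OS_EMBEDDED` at L6584 tests whether the macro is defined, while the rest of this patch tests its value with `#if TARGET_OS_EMBEDDED` (L6932); if the `TargetConditionals.h` pulled in through `CoreFoundation.h` at L6581 defines `TARGET_OS_EMBEDDED` as 0 on the desktop SDK, the `<sandbox.h>` include — and the `sandbox_init` call guarded the same way in `main` — is compiled out on exactly the build it is meant for. Spelling both guards `#if !TARGET_OS_EMBEDDED` removes the ambiguity and matches the other files; this should be confirmed against the SDK in use before merging.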
pid_t racoon_pid = 0;
int print_pid = 1; /* for racoon only */
+char logFileStr[MAXPATHLEN+1];
void
usage()
char **av;
{
int error;
- char logFileStr[MAXPATHLEN+1];
+#ifndef TARGET_OS_EMBEDDED
+ char *sb_errorbuf = NULL;
+#endif // !TARGET_OS_EMBEDDED
+
+#ifndef TARGET_OS_EMBEDDED
+ if (sandbox_init("racoon", SANDBOX_NAMED, &sb_errorbuf) == -1) {
+ if (sb_errorbuf) {
+ syslog(LOG_ERR, "sandbox_init failed: %s\n", sb_errorbuf);
+ sandbox_free_error(sb_errorbuf);
+ sb_errorbuf = NULL;
+ } else {
+ syslog(LOG_ERR, "sandbox_init failed\n");
+ }
+ }
+#endif // !TARGET_OS_EMBEDDED
if (geteuid() != 0) {
errx(1, "must be root to invoke this program.");
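Review bot: When `sandbox_init` fails (L6603-L6611) the daemon logs the error and carries on, unconfined and — per the `geteuid()` check at L6613 — as root, so a profile-loading problem silently degrades to no sandbox at all. For a network-facing IKE daemon that is the wrong default; failing closed with `errx(1, "sandbox_init failed: %s", sb_errorbuf ? sb_errorbuf : "unknown");` (freeing the buffer first) is the safer choice, and if continuing is deliberate the branch needs a comment saying why. Note also that `sandbox_init` runs before `parse(ac, av)` at L6624, so the "racoon" profile must already permit the configuration and log paths that are only learned later; if it does not, the failures will surface as confusing EPERMs far from this call. The enclosing `main` continues past the hunk.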
logFileStr[0] = 0;
+#ifdef HAVE_OPENSSL
eay_init();
+#endif
+
initlcconf();
initrmconf();
oakley_dhinit();
compute_vendorids();
parse(ac, av);
-
- #ifdef __APPLE__
+ plogmtxinit();
+
/*
* Check IPSec plist
*/
if (logFileStr[0])
plogset(logFileStr);
else
-#endif /* __APPLE__ */
if (lcconf->logfile_param)
plogset(lcconf->logfile_param);
plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d\n", getpid(), getppid());
plog(LLV_INFO, LOCATION, NULL, "%s\n", version);
+#ifdef HAVE_OPENSSL
plog(LLV_INFO, LOCATION, NULL, "@(#)"
"This product linked %s (http://www.openssl.org/)"
"\n", eay_version());
+#endif
plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n",
lcconf->racoon_conf);
extern double timedelta __P((struct timeval *, struct timeval *));
char *strdup __P((const char *));
-#if defined(__APPLE__)
#define RACOON_TAILQ_FOREACH_REVERSE(var, head, headname ,field) \
TAILQ_FOREACH_REVERSE(var, head, field, headname)
-#else
-#define RACOON_TAILQ_FOREACH_REVERSE(var, head, headname ,field) \
- TAILQ_FOREACH_REVERSE(var, head, headname, field)
-#endif
#define STRDUP_FATAL(x) if (x == NULL) { \
plog(LLV_ERROR, LOCATION, NULL, "strdup failed\n"); \
#include <sys/types.h>
#include <sys/param.h>
-#ifdef __linux__
-#include <linux/udp.h>
-#endif
-#if defined(__NetBSD__) || defined (__FreeBSD__)
#include <netinet/udp.h>
-#endif
#include <stdlib.h>
#include <stdio.h>
if (iph1->rmconf->nat_traversal == NATT_FORCE)
return verified;
-#ifdef __APPLE__
/* old APPLE version sends natd payload in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
if (natd_seq == 0) {
flag = NAT_DETECTED_ME;
}
} else
-#endif
{
if (natd_seq == 0) {
natd_computed = natt_hash_addr (iph1, iph1->local);
opts->version = version;
switch (version) {
-#ifndef __APPLE__
- case VENDORID_NATT_00:
- case VENDORID_NATT_01:
- opts->float_port = 0; /* No port floating for those drafts */
- opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
- opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
- opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
- opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
- opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE;
- break;
-#endif
-
case VENDORID_NATT_02:
case VENDORID_NATT_02_N:
case VENDORID_NATT_03:
case VENDORID_NATT_06:
case VENDORID_NATT_07:
case VENDORID_NATT_08:
-#ifdef __APPLE__
case VENDORID_NATT_APPLE:
opts->float_port = lcconf->port_isakmp_natt;
opts->payload_nat_d = ISAKMP_NPTYPE_NATD_BADDRAFT;
opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC;
opts->encaps_type = UDP_ENCAP_ESPINUDP;
break;
-#endif
case VENDORID_NATT_RFC:
opts->float_port = lcconf->port_isakmp_natt;
opts->payload_nat_d = ISAKMP_NPTYPE_NATD_RFC;
return;
if (! iph1->natt_options->float_port){
/* Drafts 00 / 01, just schedule keepalive */
-#ifndef __APPLE__
- natt_keepalive_add_ph1 (iph1);
-#endif
return;
}
iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
ike_session_ikev1_float_ports(iph1);
-
-#ifndef __APPLE__
- natt_keepalive_add_ph1 (iph1);
-#endif
}
void
iph1->natt_flags |= NAT_ANNOUNCED;
}
-#ifndef __APPLE__
-/* NAT keepalive functions */
-static void
-natt_keepalive_send (void *param)
-{
- struct natt_ka_addrs *ka, *next = NULL;
- char keepalive_packet[] = { 0xff };
- size_t len;
- int s;
-
- for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) {
- next = TAILQ_NEXT(ka, chain);
-
- s = getsockmyaddr(ka->src);
- if (s == -1) {
- TAILQ_REMOVE (&ka_tree, ka, chain);
- racoon_free (ka);
- continue;
- }
- plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n",
- saddr2str_fromto("%s->%s", ka->src, ka->dst));
- len = sendfromto(s, keepalive_packet, sizeof (keepalive_packet),
- ka->src, ka->dst, 1);
- if (len == -1)
- plog(LLV_ERROR, LOCATION, NULL, "KA: sendfromto failed: %s\n",
- strerror (errno));
- }
-
- sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL);
-}
-
-void
-natt_keepalive_init (void)
-{
- TAILQ_INIT(&ka_tree);
-
- /* To disable sending KAs set natt_ka_interval=0 */
- if (lcconf->natt_ka_interval > 0)
- sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL);
-}
-
-int
-natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst)
-{
- struct natt_ka_addrs *ka = NULL, *new_addr;
-
- TAILQ_FOREACH (ka, &ka_tree, chain) {
- if (cmpsaddrstrict(ka->src, src) == 0 &&
- cmpsaddrstrict(ka->dst, dst) == 0) {
- ka->in_use++;
- plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
- return 0;
- }
- }
-
- plog (LLV_INFO, LOCATION, NULL, "KA list add: %s\n", saddr2str_fromto("%s->%s", src, dst));
-
- new_addr = (struct natt_ka_addrs *)racoon_malloc(sizeof(*new_addr));
- if (! new_addr) {
- plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n");
- return -1;
- }
-
- if ((new_addr->src = dupsaddr(src)) == NULL) {
- racoon_free(new_addr);
- plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n");
- return -1;
- }
- if ((new_addr->dst = dupsaddr(dst)) == NULL) {
- racoon_free(new_addr);
- plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n");
- return -1;
- }
- new_addr->in_use = 1;
- TAILQ_INSERT_TAIL(&ka_tree, new_addr, chain);
-
- return 0;
-}
-
-int
-natt_keepalive_add_ph1 (struct ph1handle *iph1)
-{
- int ret = 0;
-
- /* Should only the NATed host send keepalives?
- If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)'
- to the following condition. */
- if (iph1->natt_flags & NAT_DETECTED &&
- ! (iph1->natt_flags & NAT_KA_QUEUED)) {
- ret = natt_keepalive_add (iph1->local, iph1->remote);
- if (ret == 0)
- iph1->natt_flags |= NAT_KA_QUEUED;
- }
-
- return ret;
-}
-
-void
-natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst)
-{
- struct natt_ka_addrs *ka, *next = NULL;
-
- plog (LLV_INFO, LOCATION, NULL, "KA remove: %s\n", saddr2str_fromto("%s->%s", src, dst));
-
- for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) {
- next = TAILQ_NEXT(ka, chain);
-
- plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
-
- if (cmpsaddrstrict(ka->src, src) == 0 &&
- cmpsaddrstrict(ka->dst, dst) == 0 &&
- -- ka->in_use <= 0) {
-
- plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
-
- TAILQ_REMOVE (&ka_tree, ka, chain);
- racoon_free (ka);
- /* Should we break here? Every pair of addresses should
- be inserted only once, but who knows :-) Lets traverse
- the whole list... */
- }
- }
-}
-#endif /* __APPLE__ */
-
static struct remoteconf *
natt_enabled_in_rmconf_stub (struct remoteconf *rmconf, void *data)
{
#define _NATTRAVERSAL_H
#include "vendorid.h"
+#ifdef ENABLE_NATT
+#ifdef ENABLE_FRAG
+#include "isakmp_frag.h"
+#endif /* ENABLE_NATT */
+#endif /* ENABLE_FRAG */
-#ifdef __APPLE__
#define UDP_ENCAP_ESPINUDP 2 /* to make it compile - we don't use this */
-#endif
#define NAT_ANNOUNCED (1L<<0)
#define NAT_DETECTED_ME (1L<<1)
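Review bot: The trailing comments on the two `#endif`s at L6865-L6866 are swapped: the inner `#endif` closes `#ifdef ENABLE_FRAG` and the outer one closes `#ifdef ENABLE_NATT`, so they should read `#endif /* ENABLE_FRAG */` followed by `#endif /* ENABLE_NATT */`. Nesting the include under both macros is also redundant if `isakmp_frag.h` is self-guarded, but the comment fix is the part that misleads readers.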
#ifdef ENABLE_FRAG
#define PH1_NON_ESP_EXTRA_LEN(iph1) ((iph1->frag && iph1->sendbuf->l > ISAKMP_FRAG_MAXLEN) ? 0: (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0))
#define PH2_NON_ESP_EXTRA_LEN(iph2) ((iph2->ph1->frag && iph2->sendbuf->l > ISAKMP_FRAG_MAXLEN) ? 0: (NON_ESP_MARKER_USE(iph2->ph1) ? NON_ESP_MARKER_LEN : 0))
+#define PH1_FRAG_FLAGS(iph1) (NON_ESP_MARKER_USE(iph1) ? FRAG_PUT_NON_ESP_MARKER : 0)
+#define PH2_FRAG_FLAGS(iph2) (NON_ESP_MARKER_USE(iph2->ph1) ? FRAG_PUT_NON_ESP_MARKER : 0)
#else
#define PH1_NON_ESP_EXTRA_LEN(iph1) (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0)
#define PH2_NON_ESP_EXTRA_LEN(iph2) (NON_ESP_MARKER_USE(iph2->ph1) ? NON_ESP_MARKER_LEN : 0)
+#define PH1_FRAG_FLAGS(iph1) 0
+#define PH2_FRAG_FLAGS(iph2) 0
#endif
#else
#define PH1_NON_ESP_EXTRA_LEN(iph1) 0
#define PH2_NON_ESP_EXTRA_LEN(iph2) 0
+#define PH1_FRAG_FLAGS(iph1) 0
+#define PH2_FRAG_FLAGS(iph2) 0
#endif
/* These are the values from parsing "remote {}"
struct payload_list *
isakmp_plist_append_natt_vids (struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]);
-#ifndef __APPLE__
-/* NAT keepalive functions */
-void natt_keepalive_init (void);
-int natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst);
-int natt_keepalive_add_ph1 (struct ph1handle *iph1);
-void natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst);
-#endif
-
/* Walk through all rmconfigs and tell if NAT-T is enabled in at least one. */
int natt_enabled_in_rmconf (void);
#include <sys/socket.h> /* XXX for subjectaltname */
#include <netinet/in.h> /* XXX for subjectaltname */
+#ifdef HAVE_OPENSSL
#include <openssl/pkcs7.h>
#include <openssl/x509.h>
+#endif
#include <stdlib.h>
#include <stdio.h>
#include "sainfo.h"
#include "proposal.h"
#include "crypto_openssl.h"
-#ifdef __APPLE__
#include "crypto_cssm.h"
#if HAVE_OPENDIR
#include "open_dir.h"
#endif
-#endif
#include "dnssec.h"
#include "sockmisc.h"
#include "strnames.h"
#include "gcmalloc.h"
+#ifdef HAVE_OPENSSL
#include "rsalist.h"
-#ifdef __APPLE__
-#include <CoreFoundation/CoreFoundation.h>
#endif
+#include <CoreFoundation/CoreFoundation.h>
#include "remoteconf.h"
#include "vpn_control.h"
-
+#if TARGET_OS_EMBEDDED
+#include <Security/SecCertificate.h>
+#include <Security/SecCertificatePriv.h>
+#endif
#ifdef HAVE_GSSAPI
#include "gssapi.h"
#endif
+#include "vpn_control_var.h"
#define OUTBOUND_SA 0
#define INBOUND_SA 1
-#ifdef __APPLE__
#define CERT_CHECKID_FROM_PEER 0
#define CERT_CHECKID_FROM_RMCONFIG 1
-#endif
+#ifdef HAVE_OPENSSL
#define INITDHVAL(a, s, d, t) \
do { \
- vchar_t buf; \
- buf.v = str2val((s), 16, &buf.l); \
- memset(&a, 0, sizeof(struct dhgroup)); \
- a.type = (t); \
- a.prime = vdup(&buf); \
- a.gen1 = 2; \
- a.gen2 = 0; \
- racoon_free(buf.v); \
+vchar_t buf; \
+buf.v = str2val((s), 16, &buf.l); \
+memset(&a, 0, sizeof(struct dhgroup)); \
+a.type = (t); \
+a.prime = vdup(&buf); \
+a.gen1 = 2; \
+a.gen2 = 0; \
+racoon_free(buf.v); \
} while(0);
+#else /* HAVE_OPENSSL */
+#define INITDHVAL(a, s, d, t) \
+do { \
+vchar_t buf; \
+buf.v = str2val((s), 16, &buf.l); \
+memset(&a, 0, sizeof(struct dhgroup)); \
+a.desc = (d); \
+a.type = (t); \
+a.prime = vdup(&buf); \
+a.gen1 = 2; \
+a.gen2 = 0; \
+racoon_free(buf.v); \
+} while(0);
+#endif /* HAVE_OPENSSL */
struct dhgroup dh_modp768;
struct dhgroup dh_modp1024;
static int oakley_check_dh_pub __P((vchar_t *, vchar_t **));
static int oakley_compute_keymat_x __P((struct ph2handle *, int, int));
static int get_cert_fromlocal __P((struct ph1handle *, int));
+#ifdef HAVE_OPENSSL
static int get_plainrsa_fromlocal __P((struct ph1handle *, int));
-#ifdef __APPLE__
-static int oakley_check_certid __P((struct ph1handle *iph1, int));
-static int oakley_check_certid_1 __P((struct ph1handle*, int, int, void*));
-#else
-static int oakley_check_certid __P((struct ph1handle *iph1));
#endif
+static int oakley_check_certid __P((struct ph1handle *iph1, int));
+static int oakley_check_certid_1 __P((vchar_t *, int, int, void*, cert_status_t *certStatus));
static int check_typeofcertname __P((int, int));
static cert_t *save_certbuf __P((struct isakmp_gen *));
+#ifdef HAVE_OPENSSL
static cert_t *save_certx509 __P((X509 *));
+#endif
static int oakley_padlen __P((int, int));
-#ifdef __APPLE__
static int base64toCFData(vchar_t *, CFDataRef*);
+static cert_t *oakley_appendcert_to_certchain(cert_t *, cert_t *);
+
+static void oakley_cert_prettyprint (vchar_t *cert)
+{
+ char *p = NULL;
+#ifdef HAVE_OPENSSL
+ p = eay_get_x509text(cert);
+#else
+ /* add new cert dump code here */
#endif
+ plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
+ racoon_free(p);
+}
int
oakley_get_defaultlifetime()
* IN: *dh, *pub, *priv, *pub_p
* OUT: **gxy
*/
+#ifdef HAVE_OPENSSL
int
-oakley_dh_compute(dh, pub, priv, pub_p, gxy)
- const struct dhgroup *dh;
- vchar_t *pub, *priv, *pub_p, **gxy;
+oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub, vchar_t *priv, vchar_t *pub_p, vchar_t **gxy)
{
#ifdef ENABLE_STATS
struct timeval start, end;
return 0;
}
+#else
+int
+oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub_p, size_t publicKeySize, vchar_t **gxy, SecDHContext dhC)
+{
+
+ vchar_t *computed_key = NULL;
+ size_t computed_keylen;
+ size_t maxKeyLen;
+
+#ifdef ENABLE_STATS
+ struct timeval start, end;
+ gettimeofday(&start, NULL);
+#endif
+
+ plog(LLV_DEBUG, LOCATION, NULL, "compute DH result.\n");
+
+ maxKeyLen = SecDHGetMaxKeyLength(dhC);
+ computed_key = vmalloc(maxKeyLen);
+ if (computed_key == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "memory error.\n");
+ goto fail;
+ }
+ computed_keylen = computed_key->l;
+ if (SecDHComputeKey(dhC, pub_p->v + (maxKeyLen - publicKeySize), publicKeySize,
+ computed_key->v, &computed_keylen)) {
+ plog(LLV_ERROR, LOCATION, NULL, "failed to compute dh value.\n");
+ goto fail;
+ }
+
+#ifdef ENABLE_STATS
+ gettimeofday(&end, NULL);
+ syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__,
+ s_attr_isakmp_group(dh->type), dh->prime->l << 3,
+ timedelta(&start, &end));
+#endif
+
+ *gxy = vmalloc(maxKeyLen);
+ if (*gxy == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "memory error.\n");
+ goto fail;
+ }
+ memcpy((*gxy)->v + (maxKeyLen - computed_keylen), computed_key->v, computed_keylen);
+ plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n");
+ plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l);
+ SecDHDestroy(dhC);
+ vfree(computed_key);
+ return 0;
+
+fail:
+ SecDHDestroy(dhC);
+ vfree(*gxy);
+ vfree(computed_key);
+ return -1;
+}
+
+#endif
/*
* generate values of DH
* IN: *dh
* OUT: **pub, **priv
*/
+#ifdef HAVE_OPENSSL
int
oakley_dh_generate(dh, pub, priv)
const struct dhgroup *dh;
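Review bot: `SecDHComputeKey(dhC, pub_p->v + (maxKeyLen - publicKeySize), publicKeySize, ...)` at L7055 reads `publicKeySize` bytes of the peer's KE value starting at offset `maxKeyLen - publicKeySize`, and nothing in the new function checks that `pub_p->l >= maxKeyLen` or that `publicKeySize <= maxKeyLen` before the pointer arithmetic. Since `pub_p` comes from the peer, add `if (publicKeySize > maxKeyLen || pub_p->l < maxKeyLen) { plog(LLV_ERROR, LOCATION, NULL, "invalid DH public value length.\n"); goto fail; }` before the call (I cannot see whether oakley_check_dh_pub has already padded `pub_p` to the prime length on this path). The offset is also derived from the size of our own public value rather than the peer's, so any leading non-zero bytes in the peer's value are silently skipped instead of rejected. `computed_key` holds the shared secret and is released with vfree at L7077/L7083 without being wiped; unless vfree scrubs, zero it first.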
return 0;
}
+#else
+int
+oakley_dh_generate(const struct dhgroup *dh, vchar_t **pub, size_t *publicKeySize, SecDHContext *dhC)
+{
+ vchar_t *public = NULL;
+ size_t maxKeyLen;
+
+#ifdef ENABLE_STATS
+ struct timeval start, end;
+ gettimeofday(&start, NULL);
+#endif
+
+ plog(LLV_DEBUG, LOCATION, NULL, "generate DH key pair.\n");
+ *pub = NULL;
+ switch (dh->type) {
+ case OAKLEY_ATTR_GRP_TYPE_MODP:
+ if (dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1024 && dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1536) {
+ plog(LLV_ERROR, LOCATION, NULL, "Invalid dh group.\n");
+ goto fail;
+ }
+ if (SecDHCreate(dh->desc, dh->prime->v, dh->prime->l, 0, NULL, 0, dhC)) {
+ plog(LLV_ERROR, LOCATION, NULL, "failed to create dh context.\n");
+ goto fail;
+ }
+ maxKeyLen = SecDHGetMaxKeyLength(*dhC);
+ public = vmalloc(maxKeyLen);
+ *publicKeySize = public->l;
+ if (public == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "memory error.\n");
+ goto fail;
+ }
+ if (SecDHGenerateKeypair(*dhC, public->v, publicKeySize)) {
+ plog(LLV_ERROR, LOCATION, NULL, "failed to generate dh key pair.\n");
+ goto fail;
+ }
+ plog(LLV_DEBUG, LOCATION, NULL, "got DH key pair.\n");
+
+ *pub = vmalloc(maxKeyLen);
+ if (*pub == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "memory error.\n");
+ goto fail;
+ }
+ /* copy and fill with leading zeros */
+ memcpy((*pub)->v + (maxKeyLen - *publicKeySize), public->v, *publicKeySize);
+ break;
+
+ case OAKLEY_ATTR_GRP_TYPE_ECP:
+ case OAKLEY_ATTR_GRP_TYPE_EC2N:
+ plog(LLV_ERROR, LOCATION, NULL,
+ "dh type %d isn't supported.\n", dh->type);
+ goto fail;
+ default:
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid dh type %d.\n", dh->type);
+ goto fail;
+ }
+
+#ifdef ENABLE_STATS
+ gettimeofday(&end, NULL);
+ syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__,
+ s_attr_isakmp_group(dh->type), dh->prime->l << 3,
+ timedelta(&start, &end));
+#endif
+
+ if (oakley_check_dh_pub(dh->prime, pub) != 0) {
+ plog(LLV_DEBUG, LOCATION, NULL, "failed DH public key size check.\n");
+ goto fail;
+ }
+
+ plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n");
+ plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n");
+ plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l);
+
+ vfree(public);
+ return 0;
+
+fail:
+ SecDHDestroy(*dhC);
+ vfree(*pub);
+ vfree(public);
+ return -1;
+
+}
+#endif
/*
* copy pre-defined dhgroup values.
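Review bot: `*publicKeySize = public->l;` at L7125 dereferences `public` before the NULL check on L7126; move the assignment below the check. In the fail path `SecDHDestroy(*dhC)` at L7176 also runs when the group check at L7115 or SecDHCreate at L7119 failed, so it destroys whatever the caller left in `*dhC`; initialize `*dhC = NULL;` on entry and only destroy a non-NULL context (assuming SecDHDestroy does not accept NULL, which I cannot see). `vfree(*pub)` at L7177 leaves the caller's `*pub` dangling; follow it with `*pub = NULL;`.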
/* compute sharing secret of DH when PFS */
if (iph2->approval->pfs_group && iph2->dhpub_p) {
+#ifdef HAVE_OPENSSL
if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub,
- iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0)
+ iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0)
+#else
+ if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub_p, iph2->publicKeySize, &iph2->dhgxy, iph2->dhC) < 0)
+#endif
goto end;
}
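Review bot: On the non-OpenSSL path oakley_dh_compute destroys `dhC` on both success and failure (L7076, L7081), yet `iph2->dhC` still holds the freed context after this call; add `iph2->dhC = NULL;` right after it so a later teardown of the ph2 handle (not visible here) cannot destroy it twice. The enclosing function continues outside the hunk.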
return res;
}
+#if HAVE_OPENDIR
+static int
+oakley_verify_userid(iph1)
+ struct ph1handle *iph1;
+{
+ cert_t *p;
+ vchar_t *user_id;
+ int user_id_found = 0;
+
+ for (p = iph1->cert_p; p; p = p->chain) {
+ user_id = eay_get_x509_common_name(&p->cert);
+ if (user_id) {
+ user_id_found = 1;
+ // the following functions will check if user_id == 0
+ if (open_dir_authorize_id(user_id, iph1->rmconf->open_dir_auth_group)) {
+ vfree(user_id);
+ return 0;
+ }
+ vfree(user_id);
+ }
+ }
+ if (user_id_found) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "the peer is not authorized for access.\n");
+ } else {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "the peer is not authorized for access - user ID not found.\n");
+ }
+ return ISAKMP_NTYPE_AUTHENTICATION_FAILED;
+}
+#endif /* HAVE_OPENDIR */
+
+#ifdef HAVE_OPENSSL
+static int
+oakley_verify_x509sign(certchain, my_hash, my_sig)
+ cert_t *certchain;
+ vchar_t *my_hash;
+ vchar_t *my_sig;
+{
+ cert_t *p;
+ int result = -1;
+
+ for (p = certchain; p; p = p->chain) {
+ if ((result = eay_check_x509sign(my_hash,
+ my_sig,
+ &p->cert)) == 0) {
+ break;
+ }
+ }
+ return result;
+}
+#endif
+#ifdef HAVE_OPENSSL
+static int
+oakley_check_x509cert(certchain, capath, cafile, local)
+ cert_t *certchain;
+ char *capath;
+ char *cafile;
+ int local;
+{
+ cert_t *p;
+ int result = 0;
+
+ for (p = certchain; p; p = p->chain) {
+ if ((result = eay_check_x509cert(&p->cert,
+ capath,
+ cafile,
+ local))) {
+ break;
+ }
+ }
+ return result;
+}
+#endif /* HAVE_OPENSSL */
+
/*
* compute each authentication method in phase 1.
* OUT:
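Review bot: oakley_verify_userid, oakley_verify_x509sign and oakley_check_x509cert each walk the whole peer chain independently and accept as soon as any one cert satisfies them, so the cert whose common name passes the Open Directory group check need not be the cert whose key verified the signature, and oakley_check_certid_in_certchain (L7574-7578) matches the ID the same way. Because oakley_savecert now chains every CERT payload and every certificate inside a PKCS#7 bundle the peer sends (L8269, L8316), a peer holding a valid but unauthorized certificate could append the public certificate of an authorized user and pass all of these checks with different certs; I cannot see anything outside these hunks that ties them to one cert. Pick the end-entity cert once, e.g. `cert_t *leaf = oakley_get_peer_cert_from_certchain(iph1);` as the embedded path does at L7342, and have the signature, ID and group checks run against `&leaf->cert` only (the remaining certs should only ever serve as chain material for oakley_check_x509cert). At minimum, oakley_verify_x509sign should report which cert verified and oakley_verify_userid should check that cert's CN alone.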
#ifdef ENABLE_STATS
struct timeval start, end;
#endif
+#if TARGET_OS_EMBEDDED
+ SecKeyRef publicKeyRef;
+#endif
#ifdef ENABLE_STATS
gettimeofday(&start, NULL);
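Review bot: `SecKeyRef publicKeyRef;` at L7280 is left uninitialized, and the only assignment to it I can see is through crypto_cssm_check_x509cert at L7342, which runs only when `iph1->rmconf->verify_cert` is set (L7337); with verification disabled the X509SIGN case at L7376 then verifies the signature against an indeterminate key ref and CFReleases it. Declare it as `SecKeyRef publicKeyRef = NULL;` and make the verify step fail when it is still NULL. The enclosing function continues outside the hunk.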
return ISAKMP_INTERNAL_ERROR;
}
break;
+#ifdef HAVE_OPENSSL
case ISAKMP_GETCERT_LOCALFILE:
switch (iph1->rmconf->certtype) {
case ISAKMP_CERT_X509SIGN:
if (error)
return ISAKMP_INTERNAL_ERROR;
break;
+#endif
case ISAKMP_GETCERT_DNS:
if (iph1->rmconf->peerscertfile != NULL) {
plog(LLV_ERROR, LOCATION, NULL,
/* compare ID payload and certificate name */
if (iph1->rmconf->verify_cert &&
-#ifdef __APPLE__
(error = oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)) != 0)
-#else
- (error = oakley_check_certid(iph1)) != 0)
-#endif
return error;
-
-#ifdef __APPLE__
/* check configured peers identifier against cert IDs */
/* allows checking of specified ID against multiple ids in the cert */
#if HAVE_OPENDIR
/* check cert common name against Open Directory authentication group */
if (iph1->rmconf->cert_verification_option == VERIFICATION_OPTION_OPEN_DIR) {
-
- vchar_t *user_id = NULL;
-
- user_id = eay_get_x509_common_name(&iph1->cert_p->cert);
- if (user_id) {
- // the following functions will check if user_id == 0
- if (open_dir_authorize_id(user_id, iph1->rmconf->open_dir_auth_group) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "the peer is not authorized for access.\n");
- vfree(user_id);
- return ISAKMP_NTYPE_AUTHENTICATION_FAILED;
- }
- vfree(user_id);
- } else {
- plog(LLV_ERROR, LOCATION, NULL,
- "the peer is not authorized for access - user ID not found.\n");
- return ISAKMP_NTYPE_AUTHENTICATION_FAILED;
+ if (oakley_verify_userid(iph1)) {
+ return ISAKMP_NTYPE_AUTHENTICATION_FAILED;
}
}
#endif /* HAVE_OPENDIR */
-#endif /* __APPLE__ */
/* verify certificate */
if (iph1->rmconf->verify_cert
} else
hostname = CFStringCreateWithBytes(NULL, (u_int8_t *)id_spec->id->v, id_spec->id->l, kCFStringEncodingUTF8, FALSE);
}
- error = crypto_cssm_check_x509cert(&iph1->cert_p->cert, hostname, iph1->cert_p->status);
+ error = crypto_cssm_check_x509cert(oakley_get_peer_cert_from_certchain(iph1), iph1->cert_p, hostname, &publicKeyRef);
if (hostname)
CFRelease(hostname);
}
#else /* TARGET_OS_EMBEDDED */
-#ifdef __APPLE__
if (iph1->rmconf->cert_verification == VERIFICATION_MODULE_SEC_FRAMEWORK)
- error = crypto_cssm_check_x509cert(&iph1->cert_p->cert, NULL, iph1->cert_p->status);
+ error = crypto_cssm_check_x509cert(oakley_get_peer_cert_from_certchain(iph1),
+ iph1->cert_p,
+ NULL);
else
-#endif /* __APPLE__ */
{
char path[MAXPATHLEN];
char *ca;
ca = NULL;
}
- error = eay_check_x509cert(&iph1->cert_p->cert,
- lcconf->pathinfo[LC_PATHTYPE_CERT],
- ca, 0);
+ error = oakley_check_x509cert(iph1->cert_p,
+ lcconf->pathinfo[LC_PATHTYPE_CERT],
+ ca, 0);
}
#endif /* TARGET_OS_EMBEDDED */
break;
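Review bot: oakley_get_peer_cert_from_certchain can return NULL (L7593, L7608) and its result is passed straight into crypto_cssm_check_x509cert at L7342 and L7350; unless that function checks its first argument, which I cannot see, fetch it first and bail out: `cert_t *peer = oakley_get_peer_cert_from_certchain(iph1); if (peer == NULL) return ISAKMP_NTYPE_INVALID_CERTIFICATE;`. On the embedded path a failure here also leaves `publicKeyRef` unset for the signature check at L7376. The enclosing function continues outside the hunk.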
switch (certtype) {
case ISAKMP_CERT_X509SIGN:
case ISAKMP_CERT_DNS:
- error = eay_check_x509sign(my_hash,
- iph1->sig_p,
- &iph1->cert_p->cert);
+#if TARGET_OS_EMBEDDED
+ error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p);
+ if (error)
+ plog(LLV_ERROR, LOCATION, NULL, "error verifying signature %s\n", GetSecurityErrorString(error));
+
+ CFRelease(publicKeyRef);
+#else
+ error = oakley_verify_x509sign(iph1->cert_p, my_hash, iph1->sig_p);
+#endif
break;
+#ifdef HAVE_OPENSSL
case ISAKMP_CERT_PLAINRSA:
iph1->rsa_p = rsa_try_check_rsasign(my_hash,
iph1->sig_p, iph1->rsa_candidates);
error = iph1->rsa_p ? 0 : -1;
break;
+#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"no supported certtype %d\n",
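Review bot: `CFRelease(publicKeyRef)` at L7380 is unconditional, but when crypto_cssm_check_x509cert (L7342) failed or was skipped because verify_cert is off (L7337), publicKeyRef is NULL or never assigned (its declaration at L7280 has no initializer) and CFRelease(NULL) is not permitted. Guard the case with `if (publicKeyRef == NULL) return ISAKMP_NTYPE_INVALID_CERTIFICATE;` before the crypto_cssm_verify_x509sign call, together with a NULL initializer at the declaration. The enclosing function continues outside the hunk.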
return 0;
}
+int
+oakley_find_status_in_certchain (cert_t *certchain, cert_status_t certStatus)
+{
+ cert_t *p;
+
+ for (p = certchain; p; p = p->chain) {
+ if (p->status == certStatus) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
+static
+int
+oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (struct ph1handle *iph1,
+ int notify_initiator)
+{
+#if TARGET_OS_EMBEDDED
+ int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE);
+ int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED);
+ if (premature || expired) {
+ u_int32_t address;
+ u_int32_t fail_reason;
+
+ if (iph1->remote->sa_family == AF_INET)
+ address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr;
+ else
+ address = 0;
+ if (premature) {
+ fail_reason = VPNCTL_NTYPE_LOCAL_CERT_PREMATURE;
+ } else {
+ fail_reason = VPNCTL_NTYPE_LOCAL_CERT_EXPIRED;
+ }
+ vpncontrol_notify_ike_failed(fail_reason, notify_initiator, address, 0, NULL);
+ return -1;
+ }
+#endif /* TARGET_OS_EMBEDDED */
+ return 0;
+}
+
/* get my certificate
* NOTE: include certificate type.
*/
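Review bot: oakley_vpncontrol_notify_ike_failed_if_mycert_invalid is a no-op that returns 0 on non-embedded builds (its entire body is under `#if TARGET_OS_EMBEDDED`), so there an expired or premature local cert passes here silently; that matches the removed `/* only do the local cert test on the phone */` comment, but the intent is now invisible at the definition. Add above it: `/* On embedded targets report a premature/expired local cert via vpncontrol and return -1; elsewhere this is a no-op returning 0 (the local cert test is only done on the phone). */`. oakley_find_status_in_certchain is exported and undocumented; a one-liner `/* Return 1 if any cert in the chain carries certStatus, else 0. */` would help.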
case ISAKMP_CERT_X509SIGN:
if (iph1->cert)
return 0;
-/* only do the local cert test on the phone */
- {
if ( !(err = get_cert_fromlocal(iph1, 1))){
- if ( iph1->cert->status == CERT_STATUS_EXPIRED || iph1->cert->status == CERT_STATUS_PREMATURE){
- if (iph1->remote->sa_family == AF_INET)
- address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr;
- else
- address = 0;
- vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PH1_DELETE_CERT_ERROR + iph1->cert->status, FROM_LOCAL, address, 0, NULL);
+ if (oakley_vpncontrol_notify_ike_failed_if_mycert_invalid(iph1, FROM_LOCAL)) {
return -1;
}
}
- }
return err;
-
+#ifdef HAVE_OPENSSL
case ISAKMP_CERT_PLAINRSA:
if (iph1->rsa)
return 0;
return get_plainrsa_fromlocal(iph1, 1);
-
+#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"Unknown certtype #%d\n",
certfile = iph1->rmconf->peerscertfile;
certpl = &iph1->cert_p;
}
-
-#ifdef __APPLE__
if (!certfile && iph1->rmconf->identity_in_keychain == 0) {
-#else
- if (!certfile) {
-#endif
plog(LLV_ERROR, LOCATION, NULL, "no CERT defined.\n");
return 0;
}
switch (iph1->rmconf->certtype) {
case ISAKMP_CERT_X509SIGN:
-#if defined(__APPLE__)
if (iph1->rmconf->identity_in_keychain) {
CFDataRef dataRef;
CFRelease(dataRef);
break;
} // else fall thru
-#endif
+#ifdef HAVE_OPENSSL
case ISAKMP_CERT_DNS:
/* make public file name */
getpathname(path, sizeof(path), LC_PATHTYPE_CERT, certfile);
cert = eay_get_x509cert(path);
if (cert) {
- char *p = NULL;
- p = eay_get_x509text(cert);
- plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
- racoon_free(p);
+ oakley_cert_prettyprint(cert);
};
break;
-
+#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"not supported certtype %d\n",
plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n");
plogdump(LLV_DEBUG, (*certpl)->pl->v, (*certpl)->pl->l);
-
+ oakley_cert_prettyprint(cert);
+
error = 0;
end:
return error;
}
+#ifdef HAVE_OPENSSL
static int
get_plainrsa_fromlocal(iph1, my)
struct ph1handle *iph1;
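Review bot: `oakley_cert_prettyprint(cert)` at L7512 now also executes on the keychain path, where the `break` at L7488 skips `cert = eay_get_x509cert(path)`, so it is handed whatever `cert` was initialized to — which this hunk does not show; if that is NULL, oakley_cert_prettyprint (L7013-7015 is all I can see of it) must tolerate a NULL cert, and since it appears to wrap eay_get_x509text its call sits outside any `HAVE_OPENSSL` guard here. On the file path the certificate is already printed at L7501, so L7512 logs it twice; keep one. The enclosing function continues outside the hunk.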
end:
return error;
}
+#endif
/* get signature */
int
switch (iph1->rmconf->certtype) {
case ISAKMP_CERT_X509SIGN:
-#if defined(__APPLE__)
// cert in keychain - use cssm to sign
if (iph1->rmconf->identity_in_keychain) {
CFDataRef dataRef;
CFRelease(dataRef);
break;
} // else fall thru
-#endif
+#ifdef HAVE_OPENSSL
case ISAKMP_CERT_DNS:
if (iph1->rmconf->myprivfile == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n");
case ISAKMP_CERT_PLAINRSA:
iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa);
break;
+#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"Unknown certtype #%d\n",
return error;
}
-#ifdef __APPLE__
+void
+oakley_verify_certid(iph1)
+struct ph1handle *iph1;
+{
+ if (iph1->rmconf->verify_cert &&
+ oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)){
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "Discarding CERT: does not match ID:\n");
+ oakley_delcert(iph1->cert_p);
+ iph1->cert_p = NULL;
+ }
+}
+
+static int
+oakley_check_certid_in_certchain(certchain, idtype, idlen, id)
+ cert_t *certchain;
+ int idtype;
+ int idlen;
+ void *id;
+{
+ cert_t *p;
+
+ for (p = certchain; p; p = p->chain) {
+ if (oakley_check_certid_1(&p->cert, idtype, idlen, id, &p->status) == 0) {
+ return 0;
+ }
+ }
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+}
+
+cert_t *
+oakley_get_peer_cert_from_certchain(iph1)
+ struct ph1handle * iph1;
+{
+ cert_t *p;
+ struct ipsecdoi_id_b *id_b;
+ int idlen;
+ void *peers_id;
+
+ if (!iph1->id_p || !iph1->cert_p) {
+ plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n");
+ return NULL;
+ }
+ if (!iph1->cert_p->chain) {
+ // no chain: simply return the only cert
+ return iph1->cert_p;
+ }
+
+ id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
+ peers_id = id_b + 1;
+ idlen = iph1->id_p->l - sizeof(*id_b);
+ for (p = iph1->cert_p; p; p = p->chain) {
+ if (oakley_check_certid_1(&p->cert, id_b->type, idlen, peers_id, &p->status) == 0) {
+ return p;
+ }
+ }
+ return NULL;
+}
/*
* compare certificate name and ID value.
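Review bot: oakley_check_certid_in_certchain (L7575) and oakley_get_peer_cert_from_certchain (L7604) hand `&p->status` to oakley_check_certid_1 for every cert they probe, and that function records CERT_STATUS_INVALID_SUBJNAME/INVALID_SUBJALTNAME on any mismatch (e.g. L7688-7690, L7801-7803), so merely searching a chain marks every intermediate that is not the leaf as invalid, and `iph1->cert_p` carrying those statuses is then passed to crypto_cssm_check_x509cert at L7342/L7351. Probe with `NULL` for the status, `if (oakley_check_certid_1(&p->cert, idtype, idlen, id, NULL) == 0) return 0;`, and record a status only after the loop finds no match. oakley_get_peer_cert_from_certchain also returns a lone cert without any ID check (L7595-7597) but NULL when a multi-cert chain has no match, so the same mismatch behaves differently depending on chain length; check the single cert the same way.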
peers_id = id_b + 1;
idlen = iph1->id_p->l - sizeof(*id_b);
- return oakley_check_certid_1(iph1, doi_type, idlen, peers_id);
+ return oakley_check_certid_in_certchain(iph1->cert_p, doi_type, idlen, peers_id);
} else {
/* use ID from remote configuration */
peers_id = id_spec->id->v;
idlen = id_spec->id->l;
}
- if (oakley_check_certid_1(iph1, doi_type, idlen, peers_id) == 0)
+ if (oakley_check_certid_in_certchain(iph1->cert_p, doi_type, idlen, peers_id) == 0)
return 0;
}
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
}
static int
-oakley_check_certid_1(iph1, idtype, idlen, id)
- struct ph1handle *iph1;
+oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
+ vchar_t *cert;
int idtype;
int idlen;
void *id;
+ cert_status_t *certStatus;
{
vchar_t *name = NULL;
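Review bot: oakley_check_certid_1 gains a `certStatus` out-parameter whose contract is implicit: it is optional, and the body writes it only while `*certStatus` is still zero (`if (certStatus && !*certStatus)`, e.g. L7701-7703), which callers passing `&p->status` for certs that may already carry a status need to know. Document it above the definition: `/* cert: DER certificate to compare against id. certStatus: optional; on a mismatch an INVALID_* status is stored only if no status has been recorded yet. */`. The function body continues outside the hunk.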
switch (idtype) {
case IPSECDOI_ID_DER_ASN1_DN:
- name = eay_get_x509asn1subjectname(&iph1->cert_p->cert);
+#if TARGET_OS_EMBEDDED
+ {
+ SecCertificateRef certificate;
+ CFDataRef subject;
+ UInt8* namePtr;
+
+ certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert);
+ if (certificate == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "failed to get SecCertificateRef\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID;
+ }
+ return ISAKMP_NTYPE_INVALID_CERTIFICATE;
+ }
+ subject = SecCertificateCopySubjectSequence(certificate);
+ if (subject == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectName\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJNAME;
+ }
+ CFRelease(certificate);
+ return ISAKMP_NTYPE_INVALID_CERTIFICATE;
+ }
+ len = CFDataGetLength(subject);
+ namePtr = CFDataGetBytePtr(subject);
+ if (idlen != len) {
+ plog(LLV_ERROR, LOCATION, NULL, "Invalid ID length in phase 1.\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJNAME;
+ }
+ CFRelease(subject);
+ CFRelease(certificate);
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+ }
+ error = memcmp(id, namePtr, idlen);
+ if (error != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ID mismatched with subjectName.\n");
+ plog(LLV_ERROR, LOCATION, NULL,
+ "subjectName (type %s):\n",
+ s_ipsecdoi_ident(idtype));
+ plogdump(LLV_ERROR, namePtr, len);
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ID:\n");
+ plogdump(LLV_ERROR, id, idlen);
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJNAME;
+ }
+ CFRelease(certificate);
+ CFRelease(subject);
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+ }
+ }
+#else
+ name = eay_get_x509asn1subjectname(cert);
if (!name) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get subjectName\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJNAME;
+ }
return ISAKMP_NTYPE_INVALID_CERTIFICATE;
}
if (idlen != name->l) {
plog(LLV_ERROR, LOCATION, NULL,
"Invalid ID length in phase 1.\n");
vfree(name);
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJNAME;
+ }
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
error = memcmp(id, name->v, idlen);
- vfree(name);
if (error != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"ID mismatched with subjectName.\n");
+ plog(LLV_ERROR, LOCATION, NULL,
+ "subjectName (type %s):\n",
+ s_ipsecdoi_ident(idtype));
+ plogdump(LLV_ERROR, name->v, name->l);
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ID:\n");
+ plogdump(LLV_ERROR, id, idlen);
+ vfree(name);
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJNAME;
+ }
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
+ vfree(name);
+#endif
return 0;
+
case IPSECDOI_ID_IPV4_ADDR:
case IPSECDOI_ID_IPV6_ADDR:
{
-
+#if TARGET_OS_EMBEDDED
+ CFIndex pos, count;
+ SecCertificateRef certificate;
+ CFArrayRef addresses;
+
+ certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert);
+ if (certificate == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get SecCertificateRef\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID;
+ }
+ return ISAKMP_NTYPE_INVALID_CERTIFICATE;
+ }
+ addresses = SecCertificateCopyIPAddresses(certificate);
+ if (addresses == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectName\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
+ CFRelease(certificate);
+ return ISAKMP_NTYPE_INVALID_CERTIFICATE;
+ }
+ count = CFArrayGetCount(addresses);
+ for (pos = 0; pos < count; pos++) {
+
+ CFStringRef address;
+ CFIndex addressLen;
+ char *addressBuf, numAddress[128];
+ int result;
+
+ address = CFArrayGetValueAtIndex(addresses, pos);
+ addressLen = CFStringGetLength(address);
+ if (addressLen == 0)
+ continue;
+ addressBuf = racoon_malloc(addressLen + 1);
+ if (addressBuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "out of memory\n");
+ return -1;
+ }
+ if (CFStringGetCString(address, addressBuf, addressLen + 1, kCFStringEncodingUTF8) == TRUE) {
+ result = inet_pton(idtype == IPSECDOI_ID_IPV4_ADDR ? AF_INET : AF_INET6, addressBuf, numAddress);
+ racoon_free(addressBuf);
+ if (result == 0)
+ continue; // wrong type or invalid address
+ if (memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? 32 : 128) == 0) { // found a match ?
+ CFRelease(addresses);
+ CFRelease(certificate);
+ return 0;
+ }
+ } else
+ racoon_free(addressBuf);
+ }
+ plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n");
+ plog(LLV_ERROR, LOCATION, NULL,
+ "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype));
+ plog(LLV_ERROR, LOCATION, NULL, "ID:\n");
+ plogdump(LLV_ERROR, id, idlen);
+ CFRelease(addresses);
+ CFRelease(certificate);
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+#else
/*
* Openssl returns the IPAddress as an ASN1 octet string (binary format)
* followed by a trailing NULL. 5 bytes for IPv4 and 17 bytes for IPv6
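Review bot: `memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? 32 : 128)` at L7786 compares 32 or 128 bytes, but the binary addresses are 4 or 16 bytes (the constants look like bit widths), so it reads 28 or 112 bytes past `id`, which is only `idlen` bytes of the peer's ID payload, and will almost never match. Use `size_t alen = (idtype == IPSECDOI_ID_IPV4_ADDR) ? sizeof(struct in_addr) : sizeof(struct in6_addr);` and compare with `if ((size_t)idlen == alen && memcmp(id, numAddress, alen) == 0)`; the `result == 0` test at L7784 should also be `result != 1`, since inet_pton returns -1 for an unsupported family and `numAddress` is then uninitialized. The allocation-failure return at L7779 leaks `addresses` and `certificate`, and in the DER_ASN1_DN branch a successful match (error == 0 at L7678) falls out of the block at L7695 without releasing `subject` and `certificate`.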
}
for (pos = 1; ; pos++) {
- if (eay_get_x509subjectaltname(&iph1->cert_p->cert, &altname, &type, pos, &len) !=0) {
+ if (eay_get_x509subjectaltname(cert, &altname, &type, pos, &len) !=0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get subjectAltName\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
return ISAKMP_NTYPE_INVALID_CERTIFICATE;
}
/* it's the end condition of the loop. */
if (!altname) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid subjectAltName\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
/* invalid IP address length in certificate - bad or bogus certificate */
plog(LLV_ERROR, LOCATION, NULL,
"invalid IP address in certificate.\n");
+ plog(LLV_ERROR, LOCATION, NULL,
+ "subjectAltName (expected type %s, got type %s):\n",
+ s_ipsecdoi_ident(idtype),
+ s_ipsecdoi_ident(type));
+ plogdump(LLV_ERROR, altname, len);
racoon_free(altname);
altname = NULL;
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
return ISAKMP_NTYPE_INVALID_CERTIFICATE;
}
/* compare the addresses */
error = memcmp(id, altname, idlen);
- racoon_free(altname);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ID mismatched with subjectAltName.\n");
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- return 0;
- }
- }
- case IPSECDOI_ID_FQDN:
- case IPSECDOI_ID_USER_FQDN:
- {
- int pos;
-
- for (pos = 1; ; pos++) {
- if (eay_get_x509subjectaltname(&iph1->cert_p->cert, &altname, &type, pos, &len) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get subjectAltName\n");
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
- }
-
- /* it's the end condition of the loop. */
- if (!altname) {
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
-
- if (check_typeofcertname(idtype, type) != 0) {
- /* wrong general type - skip this one */
- racoon_free(altname);
- altname = NULL;
- continue;
- }
-
- if (idlen != strlen(altname)) {
- /* wrong length - skip this one */
- racoon_free(altname);
- altname = NULL;
+ if (error)
continue;
- }
- error = memcmp(id, altname, idlen);
racoon_free(altname);
- if (error) {
- plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n");
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
return 0;
- }
- }
- default:
+ }
+ /* failed to find a match */
plog(LLV_ERROR, LOCATION, NULL,
- "Impropper ID type passed: %s.\n",
- s_ipsecdoi_ident(idtype));
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- /*NOTREACHED*/
-}
-
-#else /* __APPLE__ */
-
-/*
- * compare certificate name and ID value.
- */
-static int
-oakley_check_certid(iph1)
- struct ph1handle *iph1;
-{
- struct ipsecdoi_id_b *id_b;
- vchar_t *name = NULL;
- char *altname = NULL;
- int idlen, type;
- int error;
-
- if (iph1->id_p == NULL || iph1->cert_p == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n");
+ "ID mismatched with subjectAltName.\n");
+ plog(LLV_ERROR, LOCATION, NULL,
+ "subjectAltName (expected type %s, got type %s):\n",
+ s_ipsecdoi_ident(idtype),
+ s_ipsecdoi_ident(type));
+ plogdump(LLV_ERROR, altname, len);
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ID:\n");
+ plogdump(LLV_ERROR, id, idlen);
+ racoon_free(altname);
+ if (certStatus && !*certStatus)
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+
+#endif /* TARGET_OS_EMBEDDED */
}
- id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
- idlen = iph1->id_p->l - sizeof(*id_b);
-
- switch (id_b->type) {
- case IPSECDOI_ID_DER_ASN1_DN:
- name = eay_get_x509asn1subjectname(&iph1->cert_p->cert);
- if (!name) {
+#if TARGET_OS_EMBEDDED
+ case IPSECDOI_ID_FQDN:
+ {
+ CFIndex pos, count;
+ SecCertificateRef certificate;
+ CFArrayRef names;
+ CFStringRef name, ID;
+
+ certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert);
+ if (certificate == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to get subjectName\n");
+ "failed to get SecCertificateRef\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID;
+ }
return ISAKMP_NTYPE_INVALID_CERTIFICATE;
}
- if (idlen != name->l) {
+ names = SecCertificateCopyDNSNames(certificate);
+ if (names == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "Invalid ID length in phase 1.\n");
- vfree(name);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+ "failed to get subjectName\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
+ CFRelease(certificate);
+ return ISAKMP_NTYPE_INVALID_CERTIFICATE;
}
- error = memcmp(id_b + 1, name->v, idlen);
- vfree(name);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ID mismatched with ASN1 SubjectName.\n");
- plogdump(LLV_DEBUG, id_b + 1, idlen);
- plogdump(LLV_DEBUG, name->v, idlen);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+ count = CFArrayGetCount(names);
+ ID = CFStringCreateWithCString(NULL, id, kCFStringEncodingUTF8);
+ if (ID== NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "memory error\n");
+ CFRelease(names);
+ CFRelease(certificate);
+
}
- return 0;
- case IPSECDOI_ID_IPV4_ADDR:
- case IPSECDOI_ID_IPV6_ADDR:
- {
- /*
- * converting to binary from string because openssl return
- * a string even if object is a binary.
- * XXX fix it ! access by ASN.1 directly without.
- */
- struct addrinfo hints, *res;
- caddr_t a = NULL;
- int pos;
-
- for (pos = 1; ; pos++) {
- if (eay_get_x509subjectaltname(&iph1->cert_p->cert,
- &altname, &type, pos) !=0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get subjectAltName\n");
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
- }
-
- /* it's the end condition of the loop. */
- if (!altname) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no proper subjectAltName.\n");
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
+ for (pos = 0; pos < count; pos++) {
+ name = CFArrayGetValueAtIndex(names, pos);
+ if (CFStringCompare(name, ID, 0) == kCFCompareEqualTo) {
+ CFRelease(ID);
+ CFRelease(names);
+ CFRelease(certificate);
+ return 0;
}
-
- if (check_typeofcertname(id_b->type, type) == 0)
- break;
-
- /* next name */
- racoon_free(altname);
- altname = NULL;
}
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = PF_UNSPEC;
- hints.ai_socktype = SOCK_RAW;
- hints.ai_flags = AI_NUMERICHOST;
- error = getaddrinfo(altname, NULL, &hints, &res);
- if (error != 0) {
+ plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n");
+ plog(LLV_ERROR, LOCATION, NULL,
+ "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype));
+ plog(LLV_ERROR, LOCATION, NULL, "ID:\n");
+ plogdump(LLV_ERROR, id, idlen);
+ CFRelease(ID);
+ CFRelease(names);
+ CFRelease(certificate);
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+ }
+
+ case IPSECDOI_ID_USER_FQDN:
+ {
+ CFIndex pos, count;
+
+ SecCertificateRef certificate;
+ CFArrayRef names;
+ CFStringRef name, ID;
+
+ certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert);
+ if (certificate == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "no proper subjectAltName.\n");
- racoon_free(altname);
+ "failed to get SecCertificateRef\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID;
+ }
return ISAKMP_NTYPE_INVALID_CERTIFICATE;
}
- switch (res->ai_family) {
- case AF_INET:
- a = (caddr_t)&((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr;
- break;
-#ifdef INET6
- case AF_INET6:
- a = (caddr_t)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr;
- break;
-#endif
- default:
+ names = SecCertificateCopyRFC822Names(certificate);
+ if (names == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "family not supported: %d.\n", res->ai_family);
- racoon_free(altname);
- freeaddrinfo(res);
+ "failed to get subjectName\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
+ CFRelease(certificate);
return ISAKMP_NTYPE_INVALID_CERTIFICATE;
}
- error = memcmp(id_b + 1, a, idlen);
- freeaddrinfo(res);
- vfree(name);
- if (error != 0) {
+ count = CFArrayGetCount(names);
+ ID = CFStringCreateWithCString(NULL, id, kCFStringEncodingUTF8);
+ if (ID == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "ID mismatched with subjectAltName.\n");
- plogdump(LLV_DEBUG, id_b + 1, idlen);
- plogdump(LLV_DEBUG, a, idlen);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+ "memory error\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID;
+ }
+ CFRelease(names);
+ CFRelease(certificate);
+ return ISAKMP_NTYPE_INVALID_CERTIFICATE;
+ }
+ for (pos = 0; pos < count; pos++) {
+ name = CFArrayGetValueAtIndex(names, pos);
+ if (CFStringCompare(name, ID, 0) == kCFCompareEqualTo) {
+ CFRelease(ID);
+ CFRelease(names);
+ CFRelease(certificate);
+ return 0;
+ }
}
- return 0;
+ plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n");
+ plog(LLV_ERROR, LOCATION, NULL,
+ "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype));
+ plog(LLV_ERROR, LOCATION, NULL, "ID:\n");
+ plogdump(LLV_ERROR, id, idlen);
+ CFRelease(ID);
+ CFRelease(names);
+ CFRelease(certificate);
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
+#else
case IPSECDOI_ID_FQDN:
case IPSECDOI_ID_USER_FQDN:
{
int pos;
for (pos = 1; ; pos++) {
- if (eay_get_x509subjectaltname(&iph1->cert_p->cert,
- &altname, &type, pos) != 0){
+ if (eay_get_x509subjectaltname(cert, &altname, &type, pos, &len) != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get subjectAltName\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
return ISAKMP_NTYPE_INVALID_CERTIFICATE;
}
/* it's the end condition of the loop. */
if (!altname) {
plog(LLV_ERROR, LOCATION, NULL,
- "no proper subjectAltName.\n");
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
+ "invalid subjectAltName\n");
+ if (certStatus && !*certStatus) {
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ }
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
- if (check_typeofcertname(id_b->type, type) == 0)
- break;
+ if (check_typeofcertname(idtype, type) != 0) {
+ /* wrong general type - skip this one */
+ racoon_free(altname);
+ altname = NULL;
+ continue;
+ }
- /* next name */
- racoon_free(altname);
- altname = NULL;
- }
- if (idlen != strlen(altname)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid ID length in phase 1.\n");
- racoon_free(altname);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- if (check_typeofcertname(id_b->type, type) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ID type mismatched. ID: %s CERT: %s.\n",
- s_ipsecdoi_ident(id_b->type),
- s_ipsecdoi_ident(type));
- racoon_free(altname);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- error = memcmp(id_b + 1, altname, idlen);
- if (error) {
- plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n");
- plogdump(LLV_DEBUG, id_b + 1, idlen);
- plogdump(LLV_DEBUG, altname, idlen);
+ if (idlen != strlen(altname)) {
+ /* wrong length - skip this one */
+ racoon_free(altname);
+ altname = NULL;
+ continue;
+ }
+ error = memcmp(id, altname, idlen);
+ if (error)
+ continue;
racoon_free(altname);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+ return 0;
}
+ plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n");
+ plog(LLV_ERROR, LOCATION, NULL,
+ "subjectAltName (expected type %s, got type %s):\n",
+ s_ipsecdoi_ident(idtype),
+ s_ipsecdoi_ident(type));
+ plogdump(LLV_ERROR, altname, len);
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ID:\n");
+ plogdump(LLV_ERROR, id, idlen);
racoon_free(altname);
- return 0;
+ if (certStatus && !*certStatus)
+ *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
+#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"Impropper ID type passed: %s.\n",
- s_ipsecdoi_ident(id_b->type));
+ s_ipsecdoi_ident(idtype));
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
+ }
/*NOTREACHED*/
}
-
-#endif /* __APPLE__ */
-
+#ifdef HAVE_OPENSSL
static int
check_typeofcertname(doi, genid)
int doi, genid;
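Review bot: `CFStringCreateWithCString(NULL, id, kCFStringEncodingUTF8)` at L7987 and L8103 treats `id` as NUL-terminated, but `id` is `idlen` bytes of the peer's ID payload with no terminator, so it reads past the payload and compares a longer name than was sent; use `CFStringCreateWithBytes(NULL, id, idlen, kCFStringEncodingUTF8, FALSE)` in both branches. In the FQDN branch the `ID == NULL` path (L7988-7993) releases `names` and `certificate` but does not return, so the loop continues with a NULL `ID` and the two objects are released again at L8023-8025 or L8047-8049; add `if (certStatus && !*certStatus) *certStatus = CERT_STATUS_INVALID; return ISAKMP_NTYPE_INVALID_CERTIFICATE;` after the releases, as the USER_FQDN branch does at L8111-8116.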
}
/*NOTREACHED*/
}
+#endif
/*
* save certificate including certificate type.
{
cert_t **c;
u_int8_t type;
+#ifdef HAVE_OPENSSL
STACK_OF(X509) *certs=NULL;
PKCS7 *p7;
-
+#endif
type = *(u_int8_t *)(gen + 1) & 0xff;
switch (type) {
return -1;
}
- /* XXX choice the 1th cert, ignore after the cert. */
- /* XXX should be processed. */
if (*c) {
plog(LLV_WARNING, LOCATION, NULL,
- "ignore 2nd CERT payload.\n");
- return 0;
+ "preexisting CERT payload... chaining.\n");
}
-
+#ifdef HAVE_OPENSSL
if (type == ISAKMP_CERT_PKCS7) {
u_char *bp;
int i;
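Review bot: Turning `ignore 2nd CERT payload` into chaining at L8269 means every CERT payload a peer sends, and every certificate inside each PKCS#7 bundle (L8316), is decoded, allocated and linked, and nothing in this hunk bounds how many; CERT payloads arrive before the peer has authenticated, so cap the chain, e.g. `int n = 0; for (cert_t *q = *c; q; q = q->chain) n++; if (n >= 16) { plog(LLV_WARNING, LOCATION, NULL, "too many CERT payloads, ignoring.\n"); return 0; }` before appending (16 is a placeholder; pick a limit that covers real chains). The enclosing function continues outside the hunk.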
for (i = 0; i < sk_X509_num(certs); i++) {
int len;
u_char *bp;
+ cert_t *new;
X509 *cert = sk_X509_value(certs,i);
plog(LLV_DEBUG, LOCATION, NULL,
"Trying PKCS#7 cert %d.\n", i);
/* We'll just try each cert in turn */
- *c = save_certx509(cert);
-
- if (!*c) {
+ new = save_certx509(cert);
+ if (!new) {
plog(LLV_ERROR, LOCATION, NULL,
"Failed to get CERT buffer.\n");
continue;
}
-
- /* Ignore cert if it doesn't match identity
- * XXX If verify cert is disabled, we still just take
- * the first certificate....
- */
- if(iph1->rmconf->verify_cert &&
- oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Discarding CERT: does not match ID.\n");
- oakley_delcert((*c));
- *c = NULL;
- continue;
- }
-
- {
- char *p = eay_get_x509text(&(*c)->cert);
- plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
- plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
- plog(LLV_DEBUG, LOCATION, NULL, "%s",
- p ? p : "\n");
- racoon_free(p);
- }
- break;
+ *c = oakley_appendcert_to_certchain(*c, new);
+ plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
+ plogdump(LLV_DEBUG, new->cert.v, new->cert.l);
+ oakley_cert_prettyprint(&new->cert);
}
PKCS7_free(p7);
- } else {
- *c = save_certbuf(gen);
- if (!*c) {
+ } else
+#endif
+ {
+ cert_t *new;
+ new = save_certbuf(gen);
+ if (!new) {
plog(LLV_ERROR, LOCATION, NULL,
"Failed to get CERT buffer.\n");
return -1;
}
- switch ((*c)->type) {
+ switch (new->type) {
case ISAKMP_CERT_DNS:
plog(LLV_WARNING, LOCATION, NULL,
"CERT payload is unnecessary in DNSSEC. "
* XXX If verify cert is disabled, we still just take
* the first certificate....
*/
- if(iph1->rmconf->verify_cert &&
- oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)){
- plog(LLV_DEBUG, LOCATION, NULL,
- "Discarding CERT: does not match ID.\n");
- oakley_delcert((*c));
- *c = NULL;
- return 0;
- }
-
- {
- char *p = eay_get_x509text(&(*c)->cert);
- plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
- plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
- plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
- racoon_free(p);
- }
+ *c = oakley_appendcert_to_certchain(*c, new);
+ plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
+ plogdump(LLV_DEBUG, new->cert.v, new->cert.l);
+ oakley_cert_prettyprint(&new->cert);
break;
case ISAKMP_CERT_CRL:
+ *c = oakley_appendcert_to_certchain(*c, new);
plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n");
- plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
+ plogdump(LLV_DEBUG, new->cert.v, new->cert.l);
+ oakley_cert_prettyprint(&new->cert);
break;
case ISAKMP_CERT_X509KE:
case ISAKMP_CERT_X509ATTR:
case ISAKMP_CERT_ARL:
default:
/* XXX */
- oakley_delcert((*c));
- *c = NULL;
+ oakley_delcert(new);
return 0;
}
}
{
cert_t **c;
u_int8_t type;
+ cert_t *new;
type = *(u_int8_t *)(gen + 1) & 0xff;
return -1;
}
- *c = save_certbuf(gen);
- if (!*c) {
+ new = save_certbuf(gen);
+ if (!new) {
plog(LLV_ERROR, LOCATION, NULL,
"Failed to get CR buffer.\n");
return -1;
}
-
+ *c = oakley_appendcert_to_certchain(*c, new);
plog(LLV_DEBUG, LOCATION, NULL, "CR saved:\n");
- plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
+ plogdump(LLV_DEBUG, new->cert.v, new->cert.l);
return 0;
}
return new;
}
+#ifdef HAVE_OPENSSL
static cert_t *
save_certx509(cert)
X509 *cert;
return new;
}
+#endif
/*
* get my CR.
case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
#endif
-#ifdef __APPLE__
if (iph1->rmconf->shared_secret) {
switch (iph1->rmconf->secrettype) {
case SECRETTYPE_USE:
/* in the remote configuration */
default:
- iph1->authstr = vdup(iph1->rmconf->shared_secret);
+ /* rmconf->shared_secret is a string and contains a NULL character that must be removed */
+ iph1->authstr = vmalloc(iph1->rmconf->shared_secret->l - 1);
+ if (iph1->authstr == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "memory error.\n");
+ break;
+ }
+ memcpy(iph1->authstr->v, iph1->rmconf->shared_secret->v, iph1->authstr->l);
}
-
}
else
-#endif
if (iph1->etype != ISAKMP_ETYPE_IDENT) {
iph1->authstr = getpskbyname(iph1->id_p);
if (iph1->authstr == NULL) {
}
new->pl = NULL;
+ new->chain = NULL;
return new;
}
/* delete buffer for CERT */
void
-oakley_delcert(cert)
+oakley_delcert_1(cert)
cert_t *cert;
{
if (!cert)
VPTRINIT(cert->pl);
racoon_free(cert);
}
-
+
+/* delete buffer for CERT */
+void
+oakley_delcert(cert)
+ cert_t *cert;
+{
+ cert_t *p, *to_delete;
+
+ if (!cert)
+ return;
+
+ for (p = cert; p;) {
+ to_delete = p;
+ p = p->chain;
+ oakley_delcert_1(to_delete);
+ }
+}
+
+/* delete buffer for CERT */
+static cert_t *
+oakley_appendcert_to_certchain(certchain, new)
+ cert_t *certchain;
+ cert_t *new;
+{
+ cert_t *p;
+
+ if (!certchain)
+ return new;
+
+ for (p = certchain; p; p = p->chain) {
+ if (!p->chain) {
+ p->chain = new;
+ return certchain;
+ }
+ }
+ return NULL;
+}
+
/*
* compute IV and set to ph1handle
* IV = hash(g^xi | g^xr)
return padlen;
}
-#ifdef __APPLE__
/* -----------------------------------------------------------------------------
The base-64 encoding packs three 8-bit bytes into four 7-bit ASCII
characters. If the number of bytes in the original data isn't divisable
return -1;
}
-#endif
+
#ifndef _OAKLEY_H
#define _OAKLEY_H
+#include "config.h"
+
#include "vmbuf.h"
+#ifndef HAVE_OPENSSL
+#include <Security/SecDH.h>
+#endif
/* refer to RFC 2409 */
#define MAXPADLWORD 20
struct dhgroup {
+#ifndef HAVE_OPENSSL
+ int desc;
+#endif
int type;
vchar_t *prime;
int gen1;
CERT_STATUS_OK = 0,
CERT_STATUS_PREMATURE,
CERT_STATUS_EXPIRED,
+ CERT_STATUS_INVALID_SUBJNAME,
+ CERT_STATUS_INVALID_SUBJALTNAME,
CERT_STATUS_INVALID,
} cert_status_t;
vchar_t cert; /* pointer to the CERT */
vchar_t *pl; /* CERT payload minus isakmp general header */
cert_status_t status;
+ struct cert_t_tag *chain;
} cert_t;
struct ph1handle;
extern int oakley_dhinit __P((void));
extern void oakley_dhgrp_free __P((struct dhgroup *));
-extern int oakley_dh_compute __P((const struct dhgroup *,
- vchar_t *, vchar_t *, vchar_t *, vchar_t **));
-extern int oakley_dh_generate __P((const struct dhgroup *,
- vchar_t **, vchar_t **));
+#ifdef HAVE_OPENSSL
+extern int oakley_dh_compute __P((const struct dhgroup *, vchar_t *, vchar_t *, vchar_t *, vchar_t **));
+extern int oakley_dh_generate __P((const struct dhgroup *, vchar_t **, vchar_t **));
+#else
+extern int oakley_dh_compute __P((const struct dhgroup *, vchar_t *, size_t, vchar_t **, SecDHContext));
+extern int oakley_dh_generate __P((const struct dhgroup *, vchar_t **, size_t *, SecDHContext*));
+#endif
extern int oakley_setdhgroup __P((int, struct dhgroup **));
extern vchar_t *oakley_prf __P((vchar_t *, vchar_t *, struct ph1handle *));
extern int oakley_validate_auth __P((struct ph1handle *));
extern int oakley_getmycert __P((struct ph1handle *));
extern int oakley_getsign __P((struct ph1handle *));
+extern cert_t * oakley_get_peer_cert_from_certchain __P((struct ph1handle *));
+extern int oakley_find_status_in_certchain __P((cert_t *, cert_status_t));
+extern void oakley_verify_certid __P((struct ph1handle *));
extern vchar_t *oakley_getcr __P((struct ph1handle *));
extern int oakley_checkcr __P((struct ph1handle *));
extern int oakley_needcr __P((int));
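Review bot: With `#include "config.h"` now at the top of oakley.h, the layout of `struct dhgroup` (the `int desc` member under `#ifndef HAVE_OPENSSL`) and the prototypes of `oakley_dh_compute`/`oakley_dh_generate` depend on a configuration macro, so any translation unit that picks up a different config.h silently gets a different struct layout and calling convention; either keep the struct layout independent of `HAVE_OPENSSL` or state in a comment that config.h must be the first include in every file using this header. The new `chain` member of `cert_t` carries no ownership note although `oakley_delcert` now walks and frees the whole list; I would write `struct cert_t_tag *chain; /* next cert received in the same exchange; freed together with the head by oakley_delcert() */`. The two new status values `CERT_STATUS_INVALID_SUBJNAME`/`CERT_STATUS_INVALID_SUBJALTNAME` are inserted before `CERT_STATUS_INVALID`, which renumbers it; harmless if the enum is never persisted or compared numerically against another component, but worth confirming.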
#include <arpa/inet.h>
#ifdef ENABLE_NATT
-# ifdef __linux__
-# include <linux/udp.h>
-# endif
-# if defined(__NetBSD__) || defined(__FreeBSD__)
-# include <netinet/udp.h>
-# endif
+#include <netinet/udp.h>
#endif
#include <sys/types.h>
#include <sys/sysctl.h>
#include <net/route.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <netinet/in.h>
#ifndef HAVE_NETINET6_IPSEC
#include "ike_session.h"
#include "ipsecSessionTracer.h"
#include "ipsecMessageTracer.h"
+#include "power_mgmt.h"
#if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
#define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
struct sadb_msg *msg;
int len;
+ if (slept_at || woke_at) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "ignoring pfkey port until power-mgmt event is handled.\n");
+ return 0;
+ }
+
/* receive pfkey message. */
len = 0;
msg = (struct sadb_msg *)pk_recv(lcconf->sock_pfkey, &len);
{
struct saved_msg_elem *elem;
struct saved_msg_elem *elem_tmp = NULL;
-
+
+ if (slept_at || woke_at) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "ignoring (saved) pfkey messages until power-mgmt event is handled.\n");
+ return 0;
+ }
+
TAILQ_FOREACH_SAFE(elem, &lcconf->saved_msg_queue, chain, elem_tmp) {
pfkey_process((struct sadb_msg *)elem->msg);
TAILQ_REMOVE(&lcconf->saved_msg_queue, elem, chain);
continue;
}
- if (msg->sadb_msg_pid != pid)
- continue;
-
/*
* for multi-processor system this had to be added because the messages can
* be interleaved - they won't all be dump messages
continue;
}
+ // ignore dump messages that aren't racoon's
+ if (msg->sadb_msg_pid != pid)
+ continue;
+
ml = msg->sadb_msg_len << 3;
bl = buf ? buf->l : 0;
buf = vrealloc(buf, bl + ml);
lifebyte = 0;
#endif
-#ifdef __APPLE__
#ifdef ENABLE_NATT
plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n");
if (pr->udp_encap) {
if (iph2->ph1->natt_flags & NAT_DETECTED_ME) {
if (iph2->ph1->rmconf->natt_keepalive == TRUE)
flags |= SADB_X_EXT_NATT_KEEPALIVE;
- }
- else if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
- mode == IPSEC_MODE_TRANSPORT &&
- src->sa_family == AF_INET)
+ } else {
+ if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
+ mode == IPSEC_MODE_TRANSPORT &&
+ src->sa_family == AF_INET) {
flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
+ }
+ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
+ // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
+ flags |= SADB_X_EXT_NATT_DETECTED_PEER;
+ }
+ }
} else {
memset (&natt, 0, sizeof (natt));
}
return -1;
}
#endif /* ENABLE_NATT */
-#else
-#ifdef ENABLE_NATT
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update_nat\n");
- if (pr->udp_encap) {
- memset (&natt, 0, sizeof (natt));
- natt.type = iph2->ph1->natt_options->encaps_type;
- natt.sport = extract_port (iph2->ph1->remote);
- natt.dport = extract_port (iph2->ph1->local);
- natt.oa = NULL; // FIXME: Here comes OA!!!
- natt.frag = iph2->ph1->rmconf->esp_frag;
- } else {
- memset (&natt, 0, sizeof (natt));
- }
-
- if (pfkey_send_update_nat(
- lcconf->sock_pfkey,
- satype,
- mode,
- dst,
- src,
- pr->spi,
- pr->reqid_in,
- wsize,
- pr->keymat->v,
- e_type, e_keylen, a_type, a_keylen, flags,
- 0, lifebyte, iph2->approval->lifetime, 0,
- iph2->seq,
- natt.type, natt.sport, natt.dport, natt.oa,
- natt.frag) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed send update_nat (%s)\n",
- ipsec_strerror());
- return -1;
- }
-#else
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n");
- if (pfkey_send_update(
- lcconf->sock_pfkey,
- satype,
- mode,
- dst,
- src,
- pr->spi,
- pr->reqid_in,
- wsize,
- pr->keymat->v,
- e_type, e_keylen, a_type, a_keylen, flags,
- 0, lifebyte, iph2->approval->lifetime, 0,
- iph2->seq) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed send update (%s)\n",
- ipsec_strerror());
- return -1;
- }
-#endif /* ENABLE_NATT */
-#endif /* __APPLE__ */
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
continue;
ike_session_ph2_established(iph2);
+ IPSECLOGASLMSG("IPSec Phase2 established (Initiated by %s).\n",
+ (iph2->side == INITIATOR)? "me" : "peer");
+
#ifdef ENABLE_STATS
gettimeofday(&iph2->end, NULL);
syslog(LOG_NOTICE, "%s(%s): %8.6f",
lifebyte = 0;
#endif
-#ifdef __APPLE__
#ifdef ENABLE_NATT
plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n");
if (iph2->ph1->natt_flags & NAT_DETECTED_ME) {
if (iph2->ph1->rmconf->natt_keepalive == TRUE)
flags |= SADB_X_EXT_NATT_KEEPALIVE;
- }
- else if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
- mode == IPSEC_MODE_TRANSPORT &&
- dst->sa_family == AF_INET)
+ } else {
+ if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
+ mode == IPSEC_MODE_TRANSPORT &&
+ dst->sa_family == AF_INET) {
flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
+ }
+ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
+ // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
+ flags |= SADB_X_EXT_NATT_DETECTED_PEER;
+ }
+ }
} else {
memset (&natt, 0, sizeof (natt));
return -1;
}
#endif /* ENABLE_NATT */
-#else /* __APPLE__ */
-#ifdef ENABLE_NATT
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add_nat\n");
-
- if (pr->udp_encap) {
- memset (&natt, 0, sizeof (natt));
- natt.type = UDP_ENCAP_ESPINUDP;
- natt.sport = extract_port (iph2->ph1->local);
- natt.dport = extract_port (iph2->ph1->remote);
- natt.oa = NULL; // FIXME: Here comes OA!!!
- natt.frag = iph2->ph1->rmconf->esp_frag;
- } else {
- memset (&natt, 0, sizeof (natt));
-
- /* Remove port information, that SA doesn't use it */
- set_port(src, 0);
- set_port(dst, 0);
- }
-
- if (pfkey_send_add_nat(
- lcconf->sock_pfkey,
- satype,
- mode,
- src,
- dst,
- pr->spi_p,
- pr->reqid_out,
- wsize,
- pr->keymat_p->v,
- e_type, e_keylen, a_type, a_keylen, flags,
- 0, lifebyte, iph2->approval->lifetime, 0,
- iph2->seq,
- natt.type, natt.sport, natt.dport, natt.oa,
- natt.frag) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed send add_nat (%s)\n",
- ipsec_strerror());
- return -1;
- }
-#else
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n");
-
- /* Remove port information, it is not used without NAT-T */
- set_port(src, 0);
- set_port(dst, 0);
-
- if (pfkey_send_add(
- lcconf->sock_pfkey,
- satype,
- mode,
- src,
- dst,
- pr->spi_p,
- pr->reqid_out,
- wsize,
- pr->keymat_p->v,
- e_type, e_keylen, a_type, a_keylen, flags,
- 0, lifebyte, iph2->approval->lifetime, 0,
- iph2->seq) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed send add (%s)\n",
- ipsec_strerror());
- return -1;
- }
-#endif /* ENABLE_NATT */
-#endif /* __APPLE__ */
-
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
continue;
/* allocate buffer for status management of pfkey message */
if (iph2->side == INITIATOR &&
!ike_session_has_other_established_ph2(iph2->parent_session, iph2) &&
- !ike_session_drop_rekey(iph2->parent_session)) {
+ !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) {
initph2(iph2);
return -1;
/* XXX should use the algorithm list from register message */
}
-#ifdef __APPLE__
if (link_sainfo_to_ph2(iph2[n]->sainfo) != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to link sainfo\n");
delph2(iph2[n]);
return -1;
}
-#endif
}
if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) {
daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-#ifdef __linux__
- /* bsd skips over per-socket policies because there will be no
- * src and dst extensions in spddump messages. On Linux the only
- * way to achieve the same is check for policy id.
- */
- if (xpl->sadb_x_policy_id % 8 >= 3) return 0;
-#endif
-
new = newsp();
if (new == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
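Review bot: The early `return 0` added at the top of `pfkey_handler` leaves the pending message in `lcconf->sock_pfkey` unread, so if the main loop polls that socket before `check_power_mgmt` has cleared `slept_at`/`woke_at` the descriptor stays readable and the loop spins until the power event is handled; the main loop is outside this section, so please confirm the ordering, or read the message and park it on `saved_msg_queue` instead of returning. The same two globals are also read here (and in `pfkey_post_handler`) without synchronization while the power-management thread writes them; see the note on power_mgmt.c. Separately, the NAT-T flag computation in the update path (`NAT_DETECTED_ME` … `NAT_DETECTED_PEER`) is now repeated verbatim in the add path with only `src`/`dst` differing, and would be easier to keep consistent as one static helper, e.g. `flags |= natt_sa_flags(iph2, mode, addr->sa_family);`.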
#endif
#include <ctype.h>
#include <err.h>
+#include <pthread.h>
+#include <unistd.h>
#include "var.h"
#include "misc.h"
int print_location = 0;
static struct log *logp = NULL;
+static pthread_mutex_t logp_mtx = {0};
static char *logfile = NULL;
static char *plog_common __P((int, const char *, const char *));
static char *
plog_common(pri, fmt, func)
- int pri;
- const char *fmt, *func;
+int pri;
+const char *fmt, *func;
{
static char buf[800]; /* XXX shoule be allocated every time ? */
char *p;
int reslen, len;
-
+
p = buf;
reslen = sizeof(buf);
-
+
if (logfile || f_foreground) {
time_t t;
struct tm *tm;
-
+
t = time(0);
tm = localtime(&t);
len = strftime(p, reslen, "%Y-%m-%d %T: ", tm);
p += len;
reslen -= len;
}
-
+
if (pri < ARRAYLEN(ptab)) {
if (print_pid)
len = snprintf(p, reslen, "[%d] %s: ", getpid(), ptab[pri].name);
} else
*p = '\0';
}
-
+
if (print_location)
snprintf(p, reslen, "%s: %s", func, fmt);
else
while ((p = strstr(buf,"%z")) != NULL)
p[1] = 'l';
#endif
-
+
return buf;
}
void
-plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
+plogmtxinit (void)
+{
+ pthread_mutexattr_t attrs;
+ pthread_mutexattr_init(&attrs);
+ pthread_mutexattr_settype(&attrs, PTHREAD_MUTEX_RECURSIVE);
+ pthread_mutex_init(&logp_mtx, &attrs);
+ pthread_mutexattr_destroy(&attrs);
+}
+
+void
+plog_func(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
{
va_list ap;
void
plogv(int pri, const char *func, struct sockaddr *sa,
- const char *fmt, va_list *ap)
+ const char *fmt, va_list *ap)
{
char *newfmt;
va_list ap_bak;
-
+
if (pri > loglevel)
return;
- newfmt = plog_common(pri, fmt, func);
+ pthread_mutex_lock(&logp_mtx);
+ newfmt = plog_common(pri, fmt, func);
+
VA_COPY(ap_bak, ap);
if (f_foreground)
vprintf(newfmt, *ap);
-
- if (logfile)
+
+
+ if (logfile) {
log_vaprint(logp, newfmt, ap_bak);
- else {
+ } else {
if (pri < ARRAYLEN(ptab))
vsyslog(ptab[pri].priority, newfmt, ap_bak);
else
vsyslog(LOG_ALERT, newfmt, ap_bak);
}
+ pthread_mutex_unlock(&logp_mtx);
}
void
buf[i++] = '\n';
buf[i] = '\0';
}
- plog(pri, LOCATION, NULL, "%s", buf);
+ plog_func(pri, LOCATION, NULL, "%s", buf);
racoon_free(buf);
}
void
ploginit()
{
+ pthread_mutex_lock(&logp_mtx);
+
if (logfile) {
logp = log_open(250, logfile);
if (logp == NULL)
errx(1, "ERROR: failed to open log file %s.", logfile);
+ pthread_mutex_unlock(&logp_mtx);
return;
}
openlog(pname, LOG_NDELAY, LOG_DAEMON);
+
+ pthread_mutex_unlock(&logp_mtx);
}
void
plogset(file)
char *file;
{
+ pthread_mutex_lock(&logp_mtx);
if (logfile != NULL)
racoon_free(logfile);
logfile = racoon_strdup(file);
STRDUP_FATAL(logfile);
+ pthread_mutex_unlock(&logp_mtx);
}
void
plogreset(file)
char *file;
{
-
+ pthread_mutex_lock(&logp_mtx);
+
/* if log paths equal - do nothing */
- if (logfile == NULL && file == NULL)
+ if (logfile == NULL && file == NULL) {
+ pthread_mutex_unlock(&logp_mtx);
return;
+ }
if (logfile != NULL && file != NULL)
- if (!strcmp(logfile, file))
+ if (!strcmp(logfile, file)) {
+ pthread_mutex_unlock(&logp_mtx);
return;
-
+ }
+
if (logfile == NULL) /* no logfile was specified - daemon was used */
closelog(); /* close it */
else {
if (file)
plogset(file);
ploginit();
+
+ pthread_mutex_unlock(&logp_mtx);
}
/*
size_t n;
{
int p,q;
- char* d;
for (p = 0, q = 0; p < n; p++) {
if (isgraph((int)binstr[p])) {
binstr[q++] = binstr[p];
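Review bot: `logp_mtx` is statically initialized with `{0}`, which is not a valid mutex until `plogmtxinit()` runs, yet `plogset`, `ploginit`, `plogreset` and `plogv` all lock it unconditionally and ignore the return of `pthread_mutex_lock`; any log call issued before `plogmtxinit()` (its call site is not in this diff) locks nothing and the error is silently dropped. Either give it a valid static initializer (`static pthread_mutex_t logp_mtx = PTHREAD_MUTEX_INITIALIZER;`, using the platform's recursive static initializer if one is available, or restructure `plogreset` so it does not call `plogset()`/`ploginit()` while holding the lock) or document the startup requirement next to the definition: `/* valid only after plogmtxinit(); must run before the first plog() */`. The recursive type is needed only because `plogreset` re-enters `plogset()` and `ploginit()` under the lock; a comment at `plogmtxinit` saying so would save the next reader a trip. Checking the return of `pthread_mutex_lock` at least in `plogv` would make an uninitialized mutex visible instead of silently serializing nothing.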
extern int print_location;
struct sockaddr;
-extern void plog __P((int, const char *, struct sockaddr *, const char *, ...))
+extern void plog_func __P((int, const char *, struct sockaddr *, const char *, ...))
__attribute__ ((__format__ (__printf__, 4, 5)));
extern void plogv __P((int, const char *, struct sockaddr *,
const char *, va_list *));
extern char* binsanitize __P((char*, size_t));
+#define plog(pri, func, sa, fmt, args...) do { \
+ if (pri <= loglevel) { \
+ plog_func(pri, func, sa, fmt, ##args); \
+ } \
+ } while(0)
+extern void plogmtxinit __P((void));
+
#endif /* _PLOG_H */
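Review bot: The new `plog` macro evaluates `pri` twice and is written in the GNU named-variadic form `args...`/`##args`; the header already relies on `__attribute__`, so the extension is acceptable, but the argument should be parenthesized, `if ((pri) <= loglevel) {`, and since the level is checked again inside `plogv`, one of the two places should carry a comment explaining that the macro exists to skip argument evaluation for suppressed messages. Turning `plog` from a function into a macro also breaks any caller that takes its address or passes it as a callback; that is not visible from this header and is worth a grep. The macro assumes `loglevel` is declared earlier in this header.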
if (a->dst.ss_family != b->dst.ss_family)
return 1;
-#ifndef __linux__
/* compare src address */
if (sizeof(sa1) < a->src.ss_len || sizeof(sa2) < b->src.ss_len) {
plog(LLV_ERROR, LOCATION, NULL,
a->src.ss_len, b->src.ss_len);
return 1;
}
-#endif
mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->src,
b->prefs);
mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->src,
if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
return 1;
-#ifndef __linux__
/* compare dst address */
if (sizeof(sa1) < a->dst.ss_len || sizeof(sa2) < b->dst.ss_len) {
plog(LLV_ERROR, LOCATION, NULL, "unexpected error\n");
exit(1);
}
-#endif
mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->dst,
b->prefd);
mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->dst,
--- /dev/null
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <errno.h>
+#include <notify.h>
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <CoreFoundation/CFUserNotification.h>
+#include <mach/mach_port.h>
+#include <mach/mach_interface.h>
+#include <mach/mach_init.h>
+#include <IOKit/IOKitLib.h>
+#include <IOKit/pwr_mgt/IOPM.h>
+#include <IOKit/pwr_mgt/IOPMLib.h>
+#if !TARGET_OS_EMBEDDED
+#include <IOKit/pwr_mgt/IOPMLibPrivate.h>
+#endif /* !TARGET_OS_EMBEDDED */
+#include <IOKit/IOMessage.h>
+
+#include "var.h"
+#include "misc.h"
+#include "vmbuf.h"
+#include "plog.h"
+#include "sockmisc.h"
+#include "schedule.h"
+#include "debug.h"
+
+#include "isakmp_var.h"
+#include "isakmp.h"
+#include "handler.h"
+
+#ifndef kIOPMAcknowledgmentOptionSystemCapabilityRequirements
+IONotificationPortRef notify;
+io_object_t iterator;
+io_connect_t gIOPort;
+CFUserNotificationRef gSleepNotification = NULL;
+#endif // !kIOPMAcknowledgmentOptionSystemCapabilityRequirements
+
+pthread_t power_mgmt_thread;
+time_t slept_at = 0;
+time_t woke_at = 0;
+time_t swept_at = 0;
+
+static int sleeping = 0;
+
+#ifdef kIOPMAcknowledgmentOptionSystemCapabilityRequirements
+#define WAKE_CAPS (kIOPMSystemPowerStateCapabilityCPU | kIOPMSystemPowerStateCapabilityNetwork)
+
+IOPMConnection gPMConnection = NULL;
+
+static void
+iosleep_capabilities_notifier(void *param, IOPMConnection connection, IOPMConnectionMessageToken token, IOPMSystemPowerStateCapabilities capabilities)
+{
+ plog(LLV_DEBUG, LOCATION, NULL,"received power-mgmt event: capabilities %X%s%s%s%s%s",
+ capabilities,
+ capabilities & kIOPMSystemPowerStateCapabilityCPU ? " CPU" : "",
+ capabilities & kIOPMSystemPowerStateCapabilityVideo ? " Video" : "",
+ capabilities & kIOPMSystemPowerStateCapabilityAudio ? " Audio" : "",
+ capabilities & kIOPMSystemPowerStateCapabilityNetwork ? " Network" : "",
+ capabilities & kIOPMSystemPowerStateCapabilityDisk ? " Disk" : "");
+
+ if ((capabilities & WAKE_CAPS) != WAKE_CAPS) {
+ if (!sleeping) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received power-mgmt event: will sleep\n");
+ sleeping = 1;
+ slept_at = current_time();
+ } else {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "ignored power-mgmt event: sleep(%x) while asleep\n", capabilities);
+ }
+ IOPMConnectionAcknowledgeEvent(connection, token );
+ } else if ((capabilities & WAKE_CAPS) == WAKE_CAPS) {
+ // allow processing of packets
+ if (sleeping) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received power-mgmt event: will wake(%x)\n", capabilities);
+ sleeping = 0;
+ woke_at = current_time();
+ } else {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "ignored power-mgmt event: wake(%x) while not asleep\n", capabilities);
+ }
+ IOPMConnectionAcknowledgeEvent(connection, token);
+ } else {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "ignored power-mgmt event: capabilities(%x)\n", capabilities);
+ IOPMConnectionAcknowledgeEvent(connection, token);
+ }
+}
+
+#else
+
+static
+void iosleep_notifier(void * x, io_service_t y, natural_t messageType, void *messageArgument)
+{
+ switch ( messageType ) {
+ case kIOMessageSystemWillSleep:
+ sleeping = 1;
+ slept_at = current_time();
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received power-mgmt event: will sleep\n");
+ IOAllowPowerChange(gIOPort, (long)messageArgument);
+ break;
+ case kIOMessageCanSystemSleep:
+ IOAllowPowerChange(gIOPort, (long)messageArgument);
+ break;
+ case kIOMessageSystemWillNotSleep:
+ /* someone refused an idle sleep */
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received power-mgmt event: will not sleep\n");
+ sleeping = 0;
+ slept_at = 0;
+ break;
+ case kIOMessageSystemWillPowerOn:
+ if (sleeping) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received power-mgmt event: will wake\n");
+ sleeping = 0;
+ } else {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received power-mgmt event: will power-on\n");
+ }
+ break;
+ case kIOMessageSystemHasPoweredOn:
+ woke_at = current_time();
+ if (slept_at) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received power-mgmt event: has woken\n");
+ } else {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received power-mgmt event: has powered-on\n");
+ }
+ break;
+ default:
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received power-mgmt event: %x\n", messageType);
+ break;
+ }
+}
+#endif // kIOPMAcknowledgmentOptionSystemCapabilityRequirements
+
+void *
+power_mgmt_thread_func (void *arg)
+{
+#ifdef kIOPMAcknowledgmentOptionSystemCapabilityRequirements
+ IOReturn ret;
+
+ ret = IOPMConnectionCreate(CFSTR("racoon power-mgmt"),
+ WAKE_CAPS,
+ &gPMConnection);
+ if (ret != kIOReturnSuccess) {
+ plog(LLV_ERROR, LOCATION, NULL,"IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret);
+ return NULL;
+ }
+
+ ret = IOPMConnectionSetNotification(gPMConnection, NULL, iosleep_capabilities_notifier);
+ if (ret != kIOReturnSuccess) {
+ plog(LLV_ERROR, LOCATION, NULL,"IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret);
+ return NULL;
+ }
+
+ ret = IOPMConnectionScheduleWithRunLoop(gPMConnection, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode);
+ if (ret != kIOReturnSuccess) {
+ plog(LLV_ERROR, LOCATION, NULL,"IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret);
+ return NULL;
+ }
+#else
+ if ((gIOPort = IORegisterForSystemPower(0, ¬ify, iosleep_notifier, &iterator)) == MACH_PORT_NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "IORegisterForSystemPower failed for power-mgmt thread\n");
+ return NULL;
+ }
+
+ CFRunLoopAddSource(CFRunLoopGetCurrent(),
+ IONotificationPortGetRunLoopSource(notify),
+ kCFRunLoopDefaultMode);
+#endif // kIOPMAcknowledgmentOptionSystemCapabilityRequirements
+
+ CFRunLoopRun();
+ return NULL;
+}
+
+int
+init_power_mgmt (void)
+{
+ int err;
+
+ if ((err = pthread_create(&power_mgmt_thread, NULL, power_mgmt_thread_func, NULL))) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to create power-mgmt thread: %d\n", err);
+ return -1;
+ }
+
+ return 0;
+}
+
+void
+check_power_mgmt (void)
+{
+ if (slept_at && woke_at) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "handling power-mgmt event: sleep-wake\n");
+ swept_at = current_time();
+ sweep_sleepwake();
+ slept_at = 0;
+ woke_at = 0;
+ } else if (woke_at) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "handling power-mgmt event: power-on\n");
+ woke_at = 0;
+ }
+}
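Review bot: `slept_at`, `woke_at` and `sleeping` are plain globals written from the power-management thread's run loop (`iosleep_capabilities_notifier` / `iosleep_notifier`) and read and cleared on the main thread in `check_power_mgmt` and in pfkey.c's `pfkey_handler`/`pfkey_post_handler`, with no mutex or atomic; that is a data race, and the `woke_at = 0` in `check_power_mgmt` can erase a wake that lands between the test and the store. Protect them with a mutex (or make them atomics with a single writer) and record the contract on the definitions, e.g. `time_t slept_at = 0; /* set by the power-mgmt thread, consumed by the main thread in check_power_mgmt() */`. In `power_mgmt_thread_func` all three failure messages say `IOPMConnectionCreate failed` although the second and third report `IOPMConnectionSetNotification` and `IOPMConnectionScheduleWithRunLoop`, and on those two failures `gPMConnection` is left allocated. The `IORegisterForSystemPower` call reads `¬ify` in this rendering, presumably `&notify` mangled by an HTML entity during extraction; worth confirming against the source. The non-capabilities `iosleep_notifier` sets `woke_at` only on `kIOMessageSystemHasPoweredOn`, while the capabilities path sets it on the first message carrying `WAKE_CAPS`; a comment stating which path each OS build takes would help, since `check_power_mgmt` treats `slept_at && woke_at` identically for both.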
--- /dev/null
+#ifndef _POWER_MGMT_H
+#define _POWER_MGMT_H
+
+#include <sys/types.h>
+
+extern time_t slept_at;
+extern time_t woke_at;
+extern time_t swept_at;
+
+extern int init_power_mgmt __P((void));
+extern void check_power_mgmt __P((void));
+
+#endif /* _POWER_MGMT_H */
#include "sockmisc.h"
#include "privsep.h"
+#ifdef HAVE_OPENSSL
static int privsep_sock[2] = { -1, -1 };
static int privsep_recv(int, struct privsep_com_msg **, size_t *);
static int unsafe_env(char *const *);
static int unknown_name(int);
static int unsafe_path(char *, int);
+#endif
+#ifdef HAVE_OPENSSL
static int
privsep_send(sock, buf, len)
int sock;
return 0;
}
+#endif /* HAVE_OPENSSL */
+#ifdef HAVE_OPENSSL
int
privsep_init(void)
{
plog(LLV_INFO, LOCATION, NULL, "privsep exit\n");
_exit(0);
}
+#endif /* HAVE_OPENSSL */
-
+#ifdef HAVE_OPENSSL
vchar_t *
privsep_eay_get_pkcs1privkey(path)
char *path;
racoon_free(msg);
return NULL;
}
+#endif
/*
* No prigilege separation trick here, we just open PFKEY before
return;
}
+#ifdef HAVE_OPENSSL
int
privsep_script_exec(script, name, envp)
char *script;
racoon_free(msg);
return 0;
}
+#endif
+#ifdef HAVE_OPENSSL
vchar_t *
privsep_getpsk(str, keylen)
const char *str;
racoon_free(msg);
return NULL;
}
+#endif
+#ifdef HAVE_OPENSSL
#ifdef ENABLE_HYBRID
int
privsep_xauth_login_system(usr, pwd)
racoon_free(msg);
return -1;
}
+#endif
static int
port_check(port)
return 0;
}
-#endif
+#endif /* HAVE_OPENSSL */
+#ifdef HAVE_OPENSSL
static int
safety_check(msg, index)
struct privsep_com_msg *msg;
return 0;
}
+#endif /* HAVE_OPENSSL */
#ifdef HAVE_LIBPAM
int
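Review bot: Gating `privsep_init`, `privsep_send`, `privsep_eay_get_pkcs1privkey`, `privsep_script_exec`, `privsep_getpsk`, `privsep_xauth_login_system`, `port_check` and `safety_check` on `#ifdef HAVE_OPENSSL` ties the availability of privilege separation to the crypto-library choice: with `HAVE_OPENSSL` undefined (config.h does that for `TARGET_OS_EMBEDDED`) the daemon is built without privsep at all, and nothing in the code states that this is intended. If privsep is genuinely unsupported on that platform, gate it on a dedicated feature macro and say why at the first guard, e.g. `/* privsep depends on the OpenSSL-based key and secret loaders; not built when HAVE_OPENSSL is undefined */`. Callers of these functions elsewhere must carry the same guard or get stubs; that is not visible in this section. Moving the `#endif` that used to follow `port_check` also takes `port_check` out of `#ifdef ENABLE_HYBRID`; if nothing outside the hybrid code calls it, that becomes an unused static function in non-hybrid OpenSSL builds — hedged, as the callers are not in view.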
* me +--- SA1 ---+ peer1
* me +--- SA2 --------------+ peer2
*/
-#ifdef __linux__
- if (req->saidx.src.ss_family && req->saidx.dst.ss_family) {
-#else
if (req->saidx.src.ss_len && req->saidx.dst.ss_len) {
-#endif
/* check the end of ip addresses of SA */
if (iph2->side == INITIATOR)
paddr = (caddr_t)&req->saidx.dst;
#include <sys/stat.h>
#include <unistd.h>
+#ifdef HAVE_OPENSSL
#include <openssl/bn.h>
#include <openssl/rsa.h>
-
+#endif
+#include "crypto_openssl.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "oakley.h"
#include "isakmp_var.h"
#include "handler.h"
-#include "crypto_openssl.h"
+
#include "sockmisc.h"
#include "rsalist.h"
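Review bot: `#include "crypto_openssl.h"` is moved ahead of the other project headers and left unconditional while `<openssl/bn.h>`/`<openssl/rsa.h>` are now under `#ifdef HAVE_OPENSSL`; if crypto_openssl.h itself pulls in OpenSSL headers (not visible here) the new guard achieves nothing, and if it does not, the reordering ahead of `misc.h` deserves a one-line comment naming the definition it must precede. The closing `#endif` could also carry `/* HAVE_OPENSSL */` as the ones in privsep.c do, for consistency.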
/* This file contains a tokeniser for FreeS/WAN-style ipsec.secrets RSA keys. */
+#include <config.h>
#include <string.h>
+#ifdef HAVE_OPENSSL
#include <openssl/bn.h>
#include <openssl/rsa.h>
-#ifdef __APPLE__
+#endif
#include "y.tab.h"
-#else
-#include "prsa_par.h"
-#endif
extern int prsalex (void);
extern int prsa_cur_lineno;
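Review bot: `#include <config.h>` uses angle brackets whereas the rest of this change (oakley.h) writes `#include "config.h"`; with `<...>` the generated scanner relies on an include path to find the project header instead of the source directory, so the quoted form, `#include "config.h"`, is the consistent choice. The `%{ … %}` block that must enclose these includes in a lex source is outside the visible lines.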
.Bk -words
.Op Fl l Ar logfile
.Ek
-.Bk -words
-.Op Fl P Ar isakmp-natt-port
-.Ek
-.Bk -words
-.Op Fl p Ar isakmp-port
-.Ek
.\"
.Sh DESCRIPTION
.Nm
+is used to setup and maintain an IPSec tunnel or transport channel,
+between two devices, over which network traffic is conveyed securely.
+This security is made possible by cryptographic keys and operations
+on both devices.
+.\"
+.Nm
+relies on a standardized network protocol (IKE) to automatically
+negotiate and manage the cryptographic keys (e.g. security
+associations) that are necessary for the
+IPSec tunnel or transport channel to function.
+.\"
+.Nm
speaks the IKE
.Pq ISAKMP/Oakley
key management protocol,
.Ar logfile
as the logging file instead of
.Xr syslogd 8 .
-.It Fl P Ar isakmp-natt-port
-Use
-.Ar isakmp-natt-port
-for NAT-Traversal port-floating.
-The default is 4500.
-.It Fl p Ar isakmp-port
-Listen to the ISAKMP key exchange on port
-.Ar isakmp-port
-instead of the default port number, 500.
.It Fl v
This flag causes the packet dump be more verbose, with higher
debugging level.
path to the VARRUN directory specified at compilation time.
Default is
.Pa racoon.pid .
+.It Ic path logfile Ar file ;
+Specifies a file to which logs generated by
+.Xr racoon 8
+are stored.
+When the file's size exceeds 200KB,
+.Xr racoon 8
+will trim the logfile by dropping the oldest events.
+If path starts with
+.Pa /
+it is treated as an absolute path. Otherwise, it is treated as a relative
+path to the VARRUN directory specified at compilation time.
.El
.\"
.Ss File Inclusion
#include <netinet/in.h>
#include <arpa/inet.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <stdlib.h>
#include <stdio.h>
(racoonctl_interface < RACOONCTL_INTERFACE))
errx(1, "Incompatible racoonctl interface");
-#ifdef __linux__
- /*
- * Disable GNU extensions that will prevent racoonct vc -u login
- * from working (GNU getopt(3) does not like options after vc)
- */
- setenv("POSIXLY_CORRECT", "1", 0);
-#endif
while ((c = getopt(ac, av, "lds:")) != -1) {
switch(c) {
case 'l':
#include "nattraversal.h"
#include "isakmp_frag.h"
#include "genlist.h"
+#ifdef HAVE_OPENSSL
#include "rsalist.h"
+#endif
static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
}
TAILQ_FOREACH(p, &rmtree, chain) {
-#ifdef __APPLE__
if (p->to_delete || p->to_remove) {
continue;
}
-#endif
if ((remote->sa_family == AF_UNSPEC
&& remote->sa_family == p->remote->sa_family)
|| (!withport && cmpsaddrwop(remote, p->remote) == 0)
return getrmconf_strict(remote, 1);
}
-#ifdef __APPLE__
int
link_rmconf_to_ph1 (struct remoteconf *new)
{
}
return(0);
}
-#endif
struct remoteconf *
newrmconf()
new->gen_policy = FALSE;
new->retry_counter = lcconf->retry_counter;
new->retry_interval = lcconf->retry_interval;
-#ifdef __APPLE__
new->nat_traversal = NATT_ON;
new->natt_multiple_user = FALSE;
new->natt_keepalive = TRUE;
new->to_remove = FALSE;
new->to_delete = FALSE;
new->linked_to_ph1 = 0;
-#else
- new->nat_traversal = NATT_OFF;
-#endif
+#ifdef HAVE_OPENSSL
new->rsa_private = genlist_init();
new->rsa_public = genlist_init();
+#endif
new->idv = NULL;
new->key = NULL;
delrmconf(rmconf)
struct remoteconf *rmconf;
{
-#ifdef __APPLE__
if (rmconf->linked_to_ph1) {
rmconf->to_delete = TRUE;
return;
}
-#endif
if (rmconf->remote)
racoon_free(rmconf->remote);
#ifdef ENABLE_HYBRID
racoon_free(rmconf->cacertfile);
if (rmconf->prhead)
proposalspec_free(rmconf->prhead);
+#ifdef HAVE_OPENSSL
if (rmconf->rsa_private)
genlist_free(rmconf->rsa_private, rsa_key_free);
if (rmconf->rsa_public)
genlist_free(rmconf->rsa_public, rsa_key_free);
-#ifdef __APPLE__
+#endif
if (rmconf->shared_secret)
vfree(rmconf->shared_secret);
if (rmconf->keychainCertRef)
vfree(rmconf->keychainCertRef);
if (rmconf->open_dir_auth_group)
vfree(rmconf->open_dir_auth_group);
-#endif
racoon_free(rmconf);
}
remrmconf(rmconf)
struct remoteconf *rmconf;
{
-#ifdef __APPLE__
if (rmconf->linked_to_ph1) {
rmconf->to_remove = TRUE;
return;
}
-#endif
TAILQ_REMOVE(&rmtree, rmconf, chain);
}
plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n",
p->nat_traversal == NATT_FORCE ?
"force" : s_switch (p->nat_traversal));
-#ifdef __APPLE__
plog(LLV_INFO, LOCATION, NULL, "\tnatt_multiple_user %s;\n",
s_switch (p->natt_multiple_user));
-#endif
plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n",
p->nonce_size);
plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
}
+#ifdef HAVE_OPENSSL
void
rsa_key_free(void *entry)
{
RSA_free(key->rsa);
free(key);
}
+#endif
\ No newline at end of file
#include "isakmp_var.h"
#include "isakmp_xauth.h"
#endif
-#ifdef __APPLE__
#include <CoreFoundation/CFData.h>
-#endif
#include "algorithm.h"
vchar_t *key; /* my pre-shared key */
struct genlist *idvl_p; /* peer's identifiers list */
-#ifdef __APPLE__
int identity_in_keychain; /* cert and private key is in the keychain */
vchar_t *keychainCertRef; /* peristant keychain ref for cert */
int secrettype; /* type of secret [use, key, keychain] */
vchar_t *shared_secret; /* shared secret */
vchar_t *open_dir_auth_group; /* group to be used to authorize user */
-#endif
int certtype; /* certificate type if need */
char *mycertfile; /* file name of my certificate */
int send_cert; /* send to CERT or not */
int send_cr; /* send to CR or not */
int verify_cert; /* verify a CERT strictly */
-#ifdef __APPLE__
int cert_verification; /* openssl or security framework */
int cert_verification_option; /* nothing, peers identifier, or open_dir */
-#endif
int verify_identifier; /* vefify the peer's identifier */
int nonce_size; /* the number of bytes of nonce */
int passive; /* never initiate */
int ini_contact; /* initial contact */
int pcheck_level; /* level of propocl checking */
int nat_traversal; /* NAT-Traversal */
-#ifdef __APPLE__
int natt_multiple_user; /* special handling of multiple users behind a nat - for VPN server */
int natt_keepalive; /* do we need to send natt keep alive */
-#endif
vchar_t *script[SCRIPT_MAX + 1]; /* script hooks paths */
int dh_group; /* use it when only aggressive mode */
struct dhgroup *dhgrp; /* use it when only aggressive mode */
from which this one
was inherited */
struct proposalspec *prhead;
-
+#ifdef HAVE_OPENSSL
struct genlist *rsa_private, /* lists of PlainRSA keys to use */
*rsa_public;
+#endif
#ifdef ENABLE_HYBRID
struct xauth_rmconf *xauth;
#endif
int initiate_ph1rekey;
-
-#ifdef __APPLE__
int to_remove;
int to_delete;
int linked_to_ph1;
-#endif
TAILQ_ENTRY(remoteconf) chain; /* next remote conf */
};
extern struct remoteconf *getrmconf_strict
__P((struct sockaddr *remote, int allow_anon));
-#ifdef __APPLE__
extern int link_rmconf_to_ph1 __P((struct remoteconf *));
extern int unlink_rmconf_from_ph1 __P((struct remoteconf *));
-#endif
extern int no_remote_configs __P((int));
extern struct remoteconf *copyrmconf __P((struct sockaddr *));
extern struct remoteconf *newrmconf __P((void));
pass = 2;
again:
LIST_FOREACH(s, &sitree, chain) {
-#ifdef __APPLE__
if (s->to_delete || s->to_remove) {
continue;
}
-#endif /* __APPLE__ */
if (s->idsrc != NULL) {
plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id - src & dst:\n");
plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l);
return anonymous;
}
-#ifdef __APPLE__
-int
-link_sainfo_to_ph2 (struct sainfo *new)
-{
- if (!new) {
- return(-1);
- }
- if (new->to_delete ||
- new->to_remove) {
- return(-1);
- }
- new->linked_to_ph2++;
- return(0);
-}
-
/*
* return matching entry.
* no matching entry found and if there is anonymous entry, return it.
return anonymous;
}
+int
+link_sainfo_to_ph2 (struct sainfo *new)
+{
+ if (!new) {
+ return(-1);
+ }
+ if (new->to_delete ||
+ new->to_remove) {
+ return(-1);
+ }
+ new->linked_to_ph2++;
+ return(0);
+}
+
int
unlink_sainfo_from_ph2 (struct sainfo *old)
{
}
return(0);
}
-#endif
struct sainfo *
newsainfo()
new->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
new->lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX;
-#ifdef __APPLE__
new->to_remove = FALSE;
new->to_delete = FALSE;
new->linked_to_ph2 = 0;
-#endif
return new;
}
{
int i;
-#ifdef __APPLE__
if (si->linked_to_ph2) {
si->to_delete = TRUE;
return;
}
-#endif
for (i = 0; i < MAXALGCLASS; i++)
delsainfoalg(si->algs[i]);
remsainfo(si)
struct sainfo *si;
{
-#ifdef __APPLE__
if (si->linked_to_ph2) {
si->to_remove = TRUE;
return;
}
-#endif
LIST_REMOVE(si, chain);
}
vchar_t *id_i; /* identifier of the authorized initiator */
struct sainfoalg *algs[MAXALGCLASS];
int dynamic; /* created through vpn control socket */
-#ifdef __APPLE__
int to_remove;
int to_delete;
int linked_to_ph2;
-#endif
LIST_ENTRY(sainfo) chain;
};
extern struct sainfo *getsainfo __P((const vchar_t *,
const vchar_t *, const vchar_t *, int));
-#ifdef __APPLE__
extern struct sainfo *getsainfo_by_dst_id __P((const vchar_t *, const vchar_t *));
extern int link_sainfo_to_ph2 __P((struct sainfo *));
extern int unlink_sainfo_from_ph2 __P((struct sainfo *));
-#endif
extern struct sainfo *newsainfo __P((void));
extern void delsainfo __P((struct sainfo *));
extern void inssainfo __P((struct sainfo *));
#include "schedule.h"
#include "var.h"
#include "gcmalloc.h"
+#include "power_mgmt.h"
#if !defined(__LP64__)
// year 2038 problem and fix for 32-bit only
static TAILQ_HEAD(_schedtree, sched) sctree;
static void sched_add __P((struct sched *));
-static time_t current_time __P((void));
/*
* schedule handler
time_t now, delta;
struct sched *p, *next = NULL;
+ if (slept_at || woke_at) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "ignoring schedular until power-mgmt event is handled.\n");
+ return NULL;
+ }
+
now = current_time();
for (p = TAILQ_FIRST(&sctree); p; p = next) {
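Review bot: schedular() now returns NULL whenever `slept_at` or `woke_at` is set, which adds a NULL return path that every caller must tolerate; session()'s main loop stores the result in `timeout` and later executes `timeout->tv_sec = 1;`, and the guard around that line is outside this diff, so confirm it checks for NULL before dereferencing. The early return also leaves expired entries unserviced until the power event is handled, which looks intended but is worth stating on the return, e.g. `/* NULL = no timeout; expired entries stay queued until the power-mgmt event is handled */`. The body of schedular continues outside the hunk.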
* if defined FIXY2038PROBLEM, base time is the time when called sched_init().
* Otherwise, conform to time(3).
*/
-static time_t
+time_t
current_time()
{
time_t n;
int sched_dump __P((caddr_t *, int *));
void sched_init __P((void));
void sched_scrub_param __P((void *));
+time_t current_time __P((void));
#endif /* _SCHEDULE_H */
#include <resolv.h>
#include <TargetConditionals.h>
-#if __APPLE__
#include <vproc_priv.h>
-#endif
#include "libpfkey.h"
#include "algorithm.h" /* XXX ??? */
#include "sainfo.h"
+#include "power_mgmt.h"
extern pid_t racoon_pid;
+extern char logFileStr[];
extern int launchedbylaunchd(void);
static void close_session __P((void));
static void check_rtsock __P((void *));
static void initfds __P((void));
static void init_signal __P((void));
-static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int))));
+static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int, siginfo_t *, void *))));
static void check_sigreq __P((void));
static void check_flushsa_stub __P((void *));
static void check_flushsa __P((void));
static struct sched *check_rtsock_sched = NULL;
int terminated = 0;
+#define HANDLE_TENTATIVE_INTF_FAILURES() do { \
+ if (tentative_failures) { \
+ plog(LLV_ERROR, LOCATION, NULL, \
+ "detected tentative interface/address issues: will retry later.\n"); \
+ if (check_rtsock_sched == NULL) { \
+ /* only schedule if not already done */ \
+ check_rtsock_sched = sched_new(5, check_rtsock, NULL); \
+ } \
+ } \
+ } while(0)
+
static void
reinit_socks (void)
{
+ int tentative_failures;
+
isakmp_close();
close(lcconf->rtsock);
initmyaddr();
- if (isakmp_open() < 0) {
+ if (isakmp_open(&tentative_failures) < 0) {
plog(LLV_ERROR2, LOCATION, NULL,
"failed to reopen isakmp sockets\n");
}
initfds();
+ HANDLE_TENTATIVE_INTF_FAILURES();
}
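Review bot: `tentative_failures` is declared without an initializer in reinit_socks() and is then read by HANDLE_TENTATIVE_INTF_FAILURES() after isakmp_open(); if isakmp_open() fails early without storing through its out-parameter (its body is not in this diff, and the failure here is only logged, not returned), the macro reads an indeterminate value. Unless isakmp_open() and isakmp_init() are guaranteed to always write it, initialize it at the declaration: `int tentative_failures = 0;`. The same uninitialized declaration appears in session(), check_rtsock() and check_sigreq() further down in this file, where check_sigreq() likewise ignores the isakmp_init() return value before invoking the macro.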
-#ifdef __APPLE__
static int64_t racoon_keepalive = -1;
/*
* This is used to (manually) update racoon's launchd keepalive, which is needed because racoon is (mostly)
- * launched on demand and for <rdar://problem/8773022> requires a keepalive on dirty/failure exits.
+ * launched on demand and for <rdar://problem/8768510> requires a keepalive on dirty/failure exits.
* The launchd plist can't be used for this because RunOnLoad is required to have keepalive on a failure exit.
*/
int64_t
}
return racoon_keepalive;
}
-#endif // __APPLE__
int
session(void)
char pid_file[MAXPATHLEN];
FILE *fp;
int i, update_fds;
+ int tentative_failures;
/* initialize schedular */
sched_init();
+ /* needs to be called after schedular */
+ if (init_power_mgmt() < 0) {
+ errx(1, "failed to initialize power-mgmt.");
+ }
+
initmyaddr();
-#ifndef __APPLE__
- if (isakmp_init() < 0) {
-#else
- if (isakmp_init(false) < 0) {
-#endif /* __APPLE__ */
+ if (isakmp_init(false, &tentative_failures) < 0) {
plog(LLV_ERROR2, LOCATION, NULL,
"failed to initialize isakmp");
exit(1);
}
-
+ HANDLE_TENTATIVE_INTF_FAILURES();
+
#ifdef ENABLE_ADMINPORT
if (admin_init() < 0) {
plog(LLV_ERROR2, LOCATION, NULL,
init_signal();
initfds();
-#ifndef __APPLE__
-#ifdef ENABLE_NATT
- natt_keepalive_init ();
-#endif
-#endif
-
+#ifdef HAVE_OPENSSL
if (privsep_init() != 0) {
plog(LLV_ERROR2, LOCATION, NULL,
"failed to initialize privsep");
exit(1);
}
-
+#endif
+
for (i = 0; i <= NSIG; i++)
sigreq[i] = 0;
}
}
-#ifdef __APPLE__
#if !TARGET_OS_EMBEDDED
// enable keepalive for recovery (from crashes and bad exits... after init)
(void)launchd_update_racoon_keepalive(true);
#endif // !TARGET_OS_EMBEDDED
-#endif // __APPLE__
while (1) {
if (!TAILQ_EMPTY(&lcconf->saved_msg_queue))
*/
check_sigreq();
+ check_power_mgmt();
+
/* scheduling */
timeout = schedular();
// <rdar://problem/7650111> Workaround: make sure timeout is playing nice
timeout->tv_sec = 1;
}
}
-
+
if (dying)
rfds = maskdying;
else
continue;
default:
plog(LLV_ERROR2, LOCATION, NULL,
- "failed select (%s) nfds %d\n",
- strerror(errno), nfds);
+ "failed select (%s) nfds %d\n",
+ strerror(errno), nfds);
reinit_socks();
update_fds = 0;
continue;
for (p = lcconf->myaddrs; p; p = p->next) {
if (!p->addr)
continue;
- if (FD_ISSET(p->sock, &rfds))
+ if ((p->sock != -1) &&
+ (FD_ISSET(p->sock, &rfds)))
if ((error = isakmp_handler(p->sock)) == -2)
break;
}
if (error == -2) {
+ plog(LLV_ERROR2, LOCATION, NULL,
+ "failed to process isakmp port\n");
reinit_socks();
update_fds = 0;
+ continue;
}
if (FD_ISSET(lcconf->sock_pfkey, &rfds))
if (lcconf->rtsock >= 0 && FD_ISSET(lcconf->rtsock, &rfds)) {
if (update_myaddrs() && lcconf->autograbaddr)
if (check_rtsock_sched == NULL) /* only schedule if not already done */
- check_rtsock_sched = sched_new(5, check_rtsock, NULL);
+ check_rtsock_sched = sched_new(1, check_rtsock, NULL);
// initfds(); //%%% BUG FIX - not needed here
}
if (update_fds) {
close_sockets();
backupsa_clean();
-#ifdef __APPLE__
#if !TARGET_OS_EMBEDDED
// a clean exit, so disable launchd keepalive
(void)launchd_update_racoon_keepalive(false);
#endif // !TARGET_OS_EMBEDDED
-#endif // __APPLE__
plog(LLV_INFO, LOCATION, NULL, "racoon shutdown\n");
exit(0);
check_rtsock(p)
void *p;
{
+ int tentative_failures;
check_rtsock_sched = NULL;
grab_myaddrs();
isakmp_close_unused();
autoconf_myaddrsport();
- isakmp_open();
+ isakmp_open(&tentative_failures);
/* initialize socket list again */
initfds();
+ HANDLE_TENTATIVE_INTF_FAILURES();
}
static void
* main loop in session().
*/
RETSIGTYPE
-signal_handler(sig)
+signal_handler(sig, sigi, ctx)
int sig;
+ siginfo_t *sigi;
+ void *ctx;
{
+#if 0
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "%s received signal %d from pid %d uid %d\n\n",
+ __FUNCTION__, sig, sigi->si_pid, sigi->si_uid);
+#endif
+
/* Do not just set it to 1, because we may miss some signals by just setting
* values to 0/1
*/
check_sigreq()
{
int sig;
+ int tentative_failures;
/*
* XXX We are not able to tell if we got
if ( terminated )
break;
+ /*
+ * if we got a HUP... try graceful teardown of sessions before we close and reopen sockets...
+ * so that info-deletes notifications can make it to the peer.
+ */
+ if (sig == SIGHUP) {
+ flushph2(true);
+ flushph1(true);
+ }
/* Save old configuration, load new one... */
isakmp_close();
close(lcconf->rtsock);
"configuration read failed\n");
exit(1);
}
- if (lcconf->logfile_param == NULL)
+ if (lcconf->logfile_param == NULL && logFileStr[0] == 0)
plogreset(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]);
initmyaddr();
isakmp_cleanup();
-#ifdef __APPLE__
- isakmp_init(true);
-#else
- isakmp_init();
-#endif /* __APPLE__ */
+ isakmp_init(true, &tentative_failures);
+ HANDLE_TENTATIVE_INTF_FAILURES();
initfds();
#if TARGET_OS_EMBEDDED
if (no_remote_configs(TRUE)) {
return;
}
-#if !TARGET_OS_EMBEDDED
- // abort exit if policies/config/control state is still there
- if (vpn_control_connected() ||
- policies_installed() ||
- !no_remote_configs(FALSE)) {
- return;
- }
-#endif
-
close_session();
#if !TARGET_OS_EMBEDDED
if (lcconf->vt)
static int
set_signal(sig, func)
int sig;
- RETSIGTYPE (*func) __P((int));
+ RETSIGTYPE (*func) __P((int, siginfo_t *, void *));
{
struct sigaction sa;
memset((caddr_t)&sa, 0, sizeof(sa));
sa.sa_handler = func;
- sa.sa_flags = SA_RESTART;
+ sa.sa_flags = SA_RESTART | SA_SIGINFO;
if (sigemptyset(&sa.sa_mask) < 0)
return -1;
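Review bot: With SA_SIGINFO now set, the three-argument handler should be installed through `sa.sa_sigaction = func;` rather than `sa.sa_handler = func;`, since sa_handler is declared as `void (*)(int)` and assigning an `(int, siginfo_t *, void *)` function pointer to it is an incompatible-pointer-type conversion that presumably only works because the two members overlap in a union on this platform. Relatedly, the `#if 0` block added to signal_handler() earlier in this file calls plog() from signal context; plog() is not async-signal-safe, so that block should be deleted rather than kept as something to re-enable later. The new `sigi` and `ctx` parameters are otherwise unused there, which a `(void)sigi; (void)ctx;` would make explicit.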
#include "handler.h"
extern int session __P((void));
-extern RETSIGTYPE signal_handler __P((int));
+extern RETSIGTYPE signal_handler __P((int, siginfo_t *, void *));
extern void check_auto_exit __P((void));
#endif /* _SESSION_H */
if (addr1 == 0 || addr2 == 0)
return 1;
-#ifdef __linux__
- if (addr1->sa_family != addr2->sa_family)
- return 1;
-#else
if (addr1->sa_len != addr2->sa_len
|| addr1->sa_family != addr2->sa_family)
return 1;
-
-#endif /* __linux__ */
-
switch (addr1->sa_family) {
case AF_INET:
sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
if (addr1 == 0 || addr2 == 0)
return 1;
-#ifdef __linux__
- if (addr1->sa_family != addr2->sa_family)
- return 1;
-#else
if (addr1->sa_len != addr2->sa_len
|| addr1->sa_family != addr2->sa_family)
return 1;
-#endif /* __linux__ */
-
switch (addr1->sa_family) {
case AF_INET:
sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
if (addr1 == 0 || addr2 == 0)
return 1;
-#ifdef __linux__
- if (addr1->sa_family != addr2->sa_family)
- return 1;
-#else
if (addr1->sa_len != addr2->sa_len
|| addr1->sa_family != addr2->sa_family)
return 1;
-#endif /* __linux__ */
-
switch (addr1->sa_family) {
case AF_INET:
sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
sin6 = (struct sockaddr_in6 *)to;
memset(sin6, 0, sizeof(*sin6));
sin6->sin6_family = AF_INET6;
-#ifndef __linux__
sin6->sin6_len = sizeof(*sin6);
-#endif
memcpy(&sin6->sin6_addr, &pi->ipi6_addr,
sizeof(sin6->sin6_addr));
/* XXX other cases, such as site-local? */
continue;
}
#endif
-#ifdef __linux__
- if (ss.ss_family == AF_INET
- && cm->cmsg_level == IPPROTO_IP
- && cm->cmsg_type == IP_PKTINFO
- && otolen >= sizeof(sin)) {
- struct in_pktinfo *pi = (struct in_pktinfo *)(CMSG_DATA(cm));
- *tolen = sizeof(*sin);
- sin = (struct sockaddr_in *)to;
- memset(sin, 0, sizeof(*sin));
- sin->sin_family = AF_INET;
- memcpy(&sin->sin_addr, &pi->ipi_addr,
- sizeof(sin->sin_addr));
- sin->sin_port =
- ((struct sockaddr_in *)&ss)->sin_port;
- otolen = -1; /* "to" already set */
- continue;
- }
-#endif
#if defined(INET6) && defined(IPV6_RECVDSTADDR)
if (ss.ss_family == AF_INET6
&& cm->cmsg_level == IPPROTO_IPV6
continue;
}
#endif
-#ifndef __linux__
if (ss.ss_family == AF_INET
&& cm->cmsg_level == IPPROTO_IP
&& cm->cmsg_type == IP_RECVDSTADDR
otolen = -1; /* "to" already set */
continue;
}
-#endif
}
return len;
struct sockaddr *dst;
{
struct sockaddr_storage ss;
- u_int len;
+ int len;
int i;
if (src->sa_family != dst->sa_family) {
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"sendmsg (%s)\n", strerror(errno));
- return -1;
+ if (errno != EHOSTUNREACH && errno != ENETDOWN && errno != ENETUNREACH) {
+ return -1;
+ }
+ // <rdar://problem/6609744> treat these failures like
+ // packet loss, in case the network interface is flaky
+ len = 0;
}
plog(LLV_DEBUG, LOCATION, NULL,
"%d times of %d bytes message will be sent "
return len;
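Review bot: After the new `len = 0;` fallback, the trailing plog in the loop reports a "0 bytes message will be sent" and, if the final iteration was the one that failed, the function appears to return 0 (`return len;`), which a caller cannot distinguish from a zero-length send, so the drop is silent to the caller. Also, the new `if (errno != EHOSTUNREACH && ...)` test reads errno after the plog() call, which does its own I/O and may overwrite errno; capture it immediately after sendmsg(), e.g. `int err = errno;`, and use `err` for both strerror() and the comparison. The second `if (len < 0)` hunk in the `default:` sendto path (the one that logs "treating socket error (%s) like packet loss") has both issues. The enclosing function starts outside the hunk.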
}
#endif
-#ifdef __linux__
- case AF_INET:
- {
- struct msghdr m;
- struct cmsghdr *cm;
- struct iovec iov[2];
- u_char cmsgbuf[256];
- struct in_pktinfo *pi;
- int ifindex = 0;
- struct sockaddr_in src6, dst6;
-
- memcpy(&src6, src, sizeof(src6));
- memcpy(&dst6, dst, sizeof(dst6));
-
- memset(&m, 0, sizeof(m));
- m.msg_name = (caddr_t)&dst6;
- m.msg_namelen = sizeof(dst6);
- iov[0].iov_base = (char *)buf;
- iov[0].iov_len = buflen;
- m.msg_iov = iov;
- m.msg_iovlen = 1;
-
- memset(cmsgbuf, 0, sizeof(cmsgbuf));
- cm = (struct cmsghdr *)cmsgbuf;
- m.msg_control = (caddr_t)cm;
- m.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
-
- cm->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
- cm->cmsg_level = IPPROTO_IP;
- cm->cmsg_type = IP_PKTINFO;
- pi = (struct in_pktinfo *)CMSG_DATA(cm);
- memcpy(&pi->ipi_spec_dst, &src6.sin_addr, sizeof(src6.sin_addr));
- pi->ipi_ifindex = ifindex;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "src4 %s\n",
- saddr2str((struct sockaddr *)&src6));
- plog(LLV_DEBUG, LOCATION, NULL,
- "dst4 %s\n",
- saddr2str((struct sockaddr *)&dst6));
-
- for (i = 0; i < cnt; i++) {
- len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
- if (len < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "sendmsg (%s)\n", strerror(errno));
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "%d times of %d bytes message will be sent "
- "to %s\n",
- i + 1, len, saddr2str(dst));
- }
- plogdump(LLV_DEBUG, (char *)buf, buflen);
-
- return len;
- }
-#endif /* __linux__ */
default:
{
int needclose = 0;
return -1;
}
if (setsockopt(sendsock, SOL_SOCKET,
-#ifdef __linux__
- SO_REUSEADDR,
-#else
SO_REUSEPORT,
-#endif
(void *)&yes, sizeof(yes)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"setsockopt SO_REUSEPORT (%s)\n",
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"sendto (%s)\n", strerror(errno));
- if (needclose)
- close(sendsock);
- return len;
+ if (errno != EHOSTUNREACH && errno != ENETDOWN && errno != ENETUNREACH) {
+ if (needclose)
+ close(sendsock);
+ return -1;
+ }
+ plog(LLV_ERROR, LOCATION, NULL,
+ "treating socket error (%s) like packet loss\n", strerror(errno));
+ // else treat these failures like a packet loss
+ len = 0;
}
plog(LLV_DEBUG, LOCATION, NULL,
"%d times of %d bytes message will be sent "
"%s\n", strerror(errno));
goto out;
}
-
-#ifdef __linux__
- if (len == sizeof (struct sockaddr_in6))
- new->sa_family = AF_INET6;
- else
- new->sa_family = AF_INET;
-#else
/* initial */
new->sa_len = len;
-#endif
out:
return new;
}
static char buf[NI_MAXHOST + NI_MAXSERV + 10];
char addr[NI_MAXHOST], port[NI_MAXSERV];
- if (saddr == NULL)
- return NULL;
+ if (saddr == NULL) {
+ buf[0] = '\0';
+ return buf;
+ }
if (saddr->sa_family == AF_UNSPEC)
snprintf (buf, sizeof(buf), "%s", "anonymous");
static char buf[NI_MAXHOST + NI_MAXSERV + 10];
char addr[NI_MAXHOST];
- if (saddr == NULL)
- return NULL;
-
+ if (saddr == NULL) {
+ buf[0] = '\0';
+ return buf;
+ }
+
GETNAMEINFO_NULL(saddr, addr);
snprintf(buf, sizeof(buf), "%s", addr);
static char buf[NI_MAXHOST + 10];
static const struct sockaddr sa_any; /* this is initialized to all zeros */
- if (naddr == NULL)
- return NULL;
-
+ if (naddr == NULL) {
+ buf[0] = '\0';
+ return buf;
+ }
+
if (memcmp(&naddr->sa, &sa_any, sizeof(sa_any)) == 0)
snprintf(buf, sizeof(buf), "%s", "any");
else {
static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
char *src, *dst;
- src = racoon_strdup(saddr2str(saddr));
- dst = racoon_strdup(saddr2str(daddr));
- STRDUP_FATAL(src);
- STRDUP_FATAL(dst);
+ if (saddr) {
+ src = racoon_strdup(saddr2str(saddr));
+ STRDUP_FATAL(src);
+ } else {
+ src = NULL;
+ }
+ if (daddr) {
+ dst = racoon_strdup(saddr2str(daddr));
+ STRDUP_FATAL(dst);
+ } else {
+ dst = NULL;
+ }
/* WARNING: Be careful about the format string! Don't
ever pass in something that a user can modify!!! */
- snprintf (buf, sizeof(buf), format, src, dst);
- racoon_free (src);
- racoon_free (dst);
+ snprintf (buf, sizeof(buf), format, src? src:"[null]", dst? dst:"[null]");
+ if (src) {
+ racoon_free (src);
+ }
+ if (dst) {
+ racoon_free (dst);
+ }
return buf;
}
{ VENDORID_NATT_06 , "draft-ietf-ipsec-nat-t-ike-06" },
{ VENDORID_NATT_07 , "draft-ietf-ipsec-nat-t-ike-07" },
{ VENDORID_NATT_08 , "draft-ietf-ipsec-nat-t-ike-08" },
-#ifdef __APPLE__
{ VENDORID_NATT_APPLE , "draft-ietf-ipsec-nat-t-ike" },
-#endif
{ VENDORID_NATT_RFC , "RFC 3947" },
{ VENDORID_XAUTH , "draft-ietf-ipsra-isakmp-xauth-06.txt" },
{ VENDORID_UNITY , "CISCO-UNITY" },
return current->id;
unknown:
- plog(LLV_DEBUG, LOCATION, NULL, "received unknown Vendor ID\n");
+ plog(LLV_DEBUG, LOCATION, NULL, "received unknown Vendor ID:\n");
+ plogdump(LLV_DEBUG, (char *)(gen + 1), vidlen);
return (VENDORID_UNKNOWN);
}
#define VENDORID_NATT_07 12
#define VENDORID_NATT_08 13
-#ifdef __APPLE__
#define VENDORID_NATT_APPLE 14
#define VENDORID_NATT_RFC 15
/* Hybrid auth */
#define VENDORID_FRAG 18
/* Dead Peer Detection */
#define VENDORID_DPD 19
-#else /* __APPLE__ */
-#define VENDORID_NATT_RFC 14
-/* Hybrid auth */
-#define VENDORID_XAUTH 15
-#define VENDORID_UNITY 16
-/* IKE fragmentation */
-#define VENDORID_FRAG 17
-/* Dead Peer Detection */
-#define VENDORID_DPD 18
-#endif /* __APPLE__ */
#define VENDORID_NATT_FIRST VENDORID_NATT_00
#define VENDORID_NATT_LAST VENDORID_NATT_RFC
} \
} while(0);
-#if defined(__APPLE__) && defined(__MACH__)
/* vfree is already defined in Apple's system libraries */
#define vfree vmbuf_free
-#endif
extern vchar_t *vmalloc __P((size_t));
extern vchar_t *vrealloc __P((vchar_t *, size_t));
#include <sys/stat.h>
#include <sys/un.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <netinet/in.h>
#ifndef HAVE_NETINET6_IPSEC
#include "vpn_control_var.h"
#include "strnames.h"
#include "ike_session.h"
+#include "ipsecMessageTracer.h"
static int vpn_get_ph2pfs(struct ph1handle *);
int
-vpn_connect(struct bound_addr *srv)
+vpn_connect(struct bound_addr *srv, int oper)
{
int error = -1;
struct sockaddr *dst;
"accept a request to establish IKE-SA: "
"%s\n", saddrwop2str(remote));
+ IPSECLOGASLMSG("IPSec connecting to server %s\n",
+ saddrwop2str(remote));
+
/* begin ident mode */
- if (isakmp_ph1begin_i(rmconf, remote, local, 1) < 0)
+ if (isakmp_ph1begin_i(rmconf, remote, local, oper) < 0)
goto out1;
error = 0;
saddr.sin_addr.s_addr = srv->address;
saddr.sin_port = 0;
saddr.sin_family = AF_INET;
- ike_sessions_stopped_by_controller(&saddr,
+
+ IPSECLOGASLMSG("IPSec disconnecting from server %s\n",
+ saddrwop2str(&saddr));
+
+ ike_sessions_stopped_by_controller(&saddr,
0,
ike_session_stopped_by_vpn_disconnect);
if (purgephXbydstaddrwop((struct sockaddr *)(&saddr)) > 0) {
memcpy(cptr, iph1->mode_cfg->attr_list->v, iph1->mode_cfg->attr_list->l);
*msg_size = msize;
+ IPSECLOGASLMSG("IPSec Network Configuration established.\n");
+
return 0;
}
VPTRINIT(iph1->xauth_awaiting_userinput_msg);
ike_session_stop_xauth_timer(iph1);
+ IPSECLOGASLMSG("IPSec Extended Authentication sent.\n");
+
end:
if (payload)
vfree(payload);
return error;
}
+int
+vpn_assert(struct sockaddr *src_addr, struct sockaddr *dst_addr)
+{
+ if (ike_session_assert(src_addr, dst_addr)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "cannot assert - no matching session.\n");
+ return -1;
+ }
+
+ return 0;
+}
* SUCH DAMAGE.
*/
-
-int vpn_connect __P((struct bound_addr *));
+int vpn_connect __P((struct bound_addr *, int));
#include "isakmp_inf.h"
#include "session.h"
#include "gcmalloc.h"
+#include "isakmp_cfg.h"
#ifdef ENABLE_VPNCONTROL_PORT
char *vpncontrolsock_path = VPNCONTROLSOCK_PATH;
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == addr->address) {
/* start the connection */
- error = vpn_connect(addr);
+ error = vpn_connect(addr, VPN_STARTED_BY_API);
break;
}
}
}
break;
+ case VPNCTL_CMD_ASSERT:
+ {
+ struct vpnctl_cmd_assert *pkt = (struct vpnctl_cmd_assert *)combuf;
+// struct bound_addr *addr;
+// struct bound_addr *t_addr;
+ struct sockaddr_in saddr;
+ struct sockaddr_in daddr;
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received assert command on vpn control socket.\n");
+ plogdump(LLV_DEBUG2, pkt, ntohs(hdr->len) + sizeof(struct vpnctl_hdr));
+// LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
+// if (pkt->dst_address == addr->address) {
+ bzero(&saddr, sizeof(saddr));
+ saddr.sin_len = sizeof(saddr);
+ saddr.sin_addr.s_addr = pkt->src_address;
+ saddr.sin_port = 0;
+ saddr.sin_family = AF_INET;
+ bzero(&daddr, sizeof(daddr));
+ daddr.sin_len = sizeof(daddr);
+ daddr.sin_addr.s_addr = pkt->dst_address;
+ daddr.sin_port = 0;
+ daddr.sin_family = AF_INET;
+
+ error = vpn_assert((struct sockaddr *)&saddr, (struct sockaddr *)&daddr);
+ break;
+// }
+// }
+ }
+ break;
+
+ case VPNCTL_CMD_RECONNECT:
+ {
+ struct vpnctl_cmd_connect *pkt = (struct vpnctl_cmd_connect *)combuf;
+ struct bound_addr *addr;
+ struct bound_addr *t_addr;
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received reconnect command on vpn control socket.\n");
+ LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
+ if (pkt->address == addr->address) {
+ /* start the connection */
+ error = vpn_connect(addr, VPN_RESTARTED_BY_API);
+ break;
+ }
+ }
+ }
+ break;
+
default:
plog(LLV_ERROR, LOCATION, NULL,
"invalid command: %d\n", ntohs(hdr->msg_type));
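Review bot: The VPNCTL_CMD_ASSERT case reads `pkt->src_address` and `pkt->dst_address` from the control-socket buffer without a visible check that the received message is long enough for `struct vpnctl_cmd_assert`; if the generic validation above this hunk only covers the header, add `if (ntohs(hdr->len) < sizeof(*pkt) - sizeof(struct vpnctl_hdr)) { error = -1; break; }` before the fields are used, and note that `plogdump(..., ntohs(hdr->len) + sizeof(struct vpnctl_hdr))` also trusts that length. The commented-out LIST_FOREACH_SAFE scan of `elem->bound_addresses` means an assert is accepted for any address pair rather than only the addresses this client bound, unlike the connect and reconnect cases; either restore that restriction or remove the dead commented code and document why it is not needed here. The enclosing switch starts outside the hunk.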
plog(LLV_DEBUG, LOCATION, NULL,
"sending vpn_control phase change status\n");
- if (iph1 && !start && iph1->mode_cfg) {
+ if (iph1 && !start && iph1->mode_cfg && iph1->mode_cfg->xauth.status != XAUTHST_OK) {
if (vpn_get_config(iph1, &msg, &msg_size) == 1)
return 0; /* mode config not finished yet */
} else {
return 0;
}
+static int
+vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address)
+{
+ struct vpnctl_status_peer_resp msg;
+ struct vpnctl_socket_elem *sock_elem;
+ struct bound_addr *bound_addr;
+ size_t tlen;
+ int rc = -1;
+
+ bzero(&msg, sizeof(msg));
+ msg.hdr.msg_type = htons(VPNCTL_STATUS_PEER_RESP);
+ msg.hdr.cookie = msg.hdr.reserved = msg.hdr.result = 0;
+ msg.hdr.len = htons(sizeof(msg) - sizeof(msg.hdr));
+ msg.address = address;
+ msg.ike_code = notify_code;
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "sending vpn_control status (peer response) message - code=%d addr=%x.\n", notify_code, address);
+
+ LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) {
+ LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) {
+ if (bound_addr->address == 0xFFFFFFFF ||
+ bound_addr->address == address) {
+ tlen = send(sock_elem->sock, &msg, sizeof(msg), 0);
+ if (tlen < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "unable to send vpn_control status (peer response): %s\n", strerror(errno));
+ } else {
+ rc = 0;
+ }
+ break;
+ }
+ }
+ }
+
+ return rc;
+}
+
+int
+vpncontrol_notify_peer_resp_ph1 (u_int16_t notify_code, struct ph1handle *iph1)
+{
+ u_int32_t address;
+ int rc;
+
+ if (iph1 && iph1->parent_session && iph1->parent_session->controller_awaiting_peer_resp) {
+ if (iph1->remote->sa_family == AF_INET)
+ address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
+ else
+ address = 0;
+ } else {
+ return 0;
+ }
+
+ if ((rc = vpncontrol_notify_peer_resp(notify_code, address)) == 0) {
+ iph1->parent_session->controller_awaiting_peer_resp = 0;
+ }
+ return rc;
+}
+
+int
+vpncontrol_notify_peer_resp_ph2 (u_int16_t notify_code, struct ph2handle *iph2)
+{
+ u_int32_t address;
+ int rc;
+
+ if (iph2 && iph2->parent_session && iph2->parent_session->controller_awaiting_peer_resp) {
+ if (iph2->dst->sa_family == AF_INET)
+ address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
+ else
+ address = 0;
+ } else {
+ return 0;
+ }
+
+ if ((rc = vpncontrol_notify_peer_resp(notify_code, address)) == 0) {
+ iph2->parent_session->controller_awaiting_peer_resp = 0;
+ }
+ return rc;
+}
int
vpncontrol_init()
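Review bot: In vpncontrol_notify_peer_resp(), `tlen` is declared `size_t`, so `if (tlen < 0)` can never be true and a failed send() (which returns -1) is treated as success: rc becomes 0 and the _ph1/_ph2 wrappers then clear `controller_awaiting_peer_resp` even though nothing was delivered. Declare it as `ssize_t tlen;`, the type send() returns, so the error branch is reachable. `msg.ike_code` is stored in host byte order while the header fields are htons()'d; confirm which the control client expects. A short header comment, e.g. `/* Deliver VPNCTL_STATUS_PEER_RESP to each control socket bound to address or to all addresses; returns 0 if at least one send succeeded, -1 otherwise */`, would document the contract the wrappers rely on.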
#define VPNCTL_CMD_START_PH2 0x0013
#define VPNCTL_CMD_XAUTH_INFO 0x0014
#define VPNCTL_CMD_START_DPD 0x0015
+#define VPNCTL_CMD_ASSERT 0x0016
+#define VPNCTL_CMD_RECONNECT 0x0017
#define VPNCTL_STATUS_IKE_FAILED 0x8001
#define VPNCTL_STATUS_PH1_START_US 0x8011
#define VPNCTL_STATUS_PH1_START_PEER 0x8012
#define VPNCTL_STATUS_PH2_ESTABLISHED 0x8022
#define VPNCTL_STATUS_NEED_AUTHINFO 0x8101
#define VPNCTL_STATUS_NEED_REAUTHINFO 0x8102
+#define VPNCTL_STATUS_PEER_RESP 0x8103
/*
* Flags
/* array of struct vpnctl_algo */
};
+/* assert connection (after network change) */
+struct vpnctl_cmd_assert {
+ struct vpnctl_hdr hdr;
+ u_int32_t src_address;
+ u_int32_t dst_address;
+};
+
/* set xauth info */
struct vpnctl_cmd_xauth_info {
struct vpnctl_hdr hdr;
#define VPNCTL_NTYPE_PEER_DEAD 50001 /* detected by DPD */
#define VPNCTL_NTYPE_PH1_DELETE 50002 /* received a delete payload leaving no PH1 SA for the remote address */
#define VPNCTL_NTYPE_IDLE_TIMEOUT 50003
-#define VPNCTL_NTYPE_PH1_DELETE_CERT_ERROR VPNCTL_NTYPE_IDLE_TIMEOUT /* used for offsetting cert errors */
-#define VPNCTL_NTYPE_PH1_DELETE_CERT_PREMATURE 50004 /* received a delete payload & there was a cert verification error leaving no PH1 SA for the remote address */
-#define VPNCTL_NTYPE_PH1_DELETE_CERT_EXPIRED 50005 /* received a delete payload & there was a cert verification error leaving no PH1 SA for the remote address */
+#define VPNCTL_NTYPE_LOCAL_CERT_PREMATURE 50004 /* certificate is premature */
+#define VPNCTL_NTYPE_LOCAL_CERT_EXPIRED 50005 /* certificate has expired */
+#define VPNCTL_NTYPE_PEER_CERT_PREMATURE 50006 /* peer's certificate is premature */
+#define VPNCTL_NTYPE_PEER_CERT_EXPIRED 50007 /* peer's certificate has expired */
+#define VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJNAME 50008 /* peer's certificate has an invalid subjname */
+#define VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJALTNAME 50009 /* peer's certificate has an invalid subjaltname */
#define VPNCTL_NTYPE_INTERNAL_ERROR -1
u_int8_t data[0];
};
+struct vpnctl_status_peer_resp {
+ struct vpnctl_hdr hdr;
+ u_int32_t address;
+ u_int16_t ike_code;
+};
#endif /* _VPN_CONTROL_H */
#include "vpn_control.h"
+enum {
+ VPN_STARTED_BY_API = 1,
+ VPN_STARTED_BY_ADMIN,
+ VPN_RESTARTED_BY_API,
+};
+
extern int vpncontrol_handler __P((void));
extern int vpncontrol_comm_handler __P((struct vpnctl_socket_elem *));
extern int vpncontrol_notify_ike_failed __P((u_int16_t, u_int16_t, u_int32_t, u_int16_t, u_int8_t*));
extern int vpncontrol_init __P((void));
extern void vpncontrol_close __P((void));
extern int vpn_control_connected __P((void));
-extern int vpn_connect __P((struct bound_addr *));
+extern int vpn_connect __P((struct bound_addr *, int));
extern int vpn_disconnect __P((struct bound_addr *));
extern int vpn_start_ph2 __P((struct bound_addr *, struct vpnctl_cmd_start_ph2 *));
extern int vpncontrol_notify_need_authinfo __P((struct ph1handle *, void*, size_t));
+extern int vpncontrol_notify_peer_resp_ph1 __P((u_int16_t, struct ph1handle*));
+extern int vpncontrol_notify_peer_resp_ph2 __P((u_int16_t, struct ph2handle*));
+extern int vpn_assert __P((struct sockaddr *, struct sockaddr *));
#endif /* _VPN_CONTROL_VAR_H */
#include <sys/socket.h>
#include <netinet/in.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
#include <sys/sysctl.h>
#include <err.h>
#include <netinet/in.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
#include <sys/socket.h>
#include <net/route.h>
#include <netinet/in.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
#include <System/netkey/keydb.h>
#include <System/netkey/key_var.h>
#include <System/netkey/key_debug.h>
-#else
-#include <net/pfkeyv2.h>
-#include <netkey/keydb.h>
-#include <netkey/key_var.h>
-#include <netkey/key_debug.h>
-#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
-#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
-#else
-#include <net/pfkeyv2.h>
-#endif
#include <netinet/in.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#include <netdb.h>
#include "vchar.h"
-#if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__)
-#include "parse.h"
-#else
#include "y.tab.h"
-#endif
#include "extern.h"
-(
- {
- "OpenSourceModifications" = (
- "Several security updates, memory leak fixes from 0.7.1 (ported by Les Aug/08)",
- );
- OpenSourceProject = racoon;
- OpenSourceVersion = "0.6.7";
- OpenSourceWebsiteURL = "http://www.sourceforge.net/projects/ipsec-tools";
- OpenSourceURL = "http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src";
- },
- {
- OpenSourceProject = libipsec;
- OpenSourceVersion = "0.6.5";
- OpenSourceWebsiteURL = "http://www.sourceforge.net/projects/ipsec-tools";
- OpenSourceURL = "http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src";
- },
- {
- OpenSourceProject = setkey;
- OpenSourceVersion = "0.6.5";
- OpenSourceWebsiteURL = "http://www.sourceforge.net/projects/ipsec-tools";
- OpenSourceURL = "http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src";
- },
- {
- OpenSourceProject = racoonctl;
- OpenSourceVersion = "0.6.5";
- OpenSourceWebsiteURL = "http://www.sourceforge.net/projects/ipsec-tools";
- OpenSourceURL = "http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src";
- },
-)
\ No newline at end of file
+<plist version="1.0">
+<array>
+<dict>
+ <key>OpenSourceProject</key>
+ <string>racoon</string>
+ <key>OpenSourceImportDate</key>
+ <string>2002-04-01</string>
+ <key>OpenSourceVersion</key>
+ <string>Original version number unavailable, but later based on 0.6.7</string>
+ <key>OpenSourceWebsiteURL</key>
+ <string>http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src</string>
+ <key>OpenSourceSCM</key>
+ <string>cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src</string>
+ <key>OpenSourceModifications</key>
+ <array>
+ <string>Several select security updates, memory leak fixes from 0.7.2 </string>
+ </array>
+ <key>OpenSourceLicense</key>
+ <string>BSD</string>
+ <key>OpenSourceLicenseFile</key>
+ <string>ipsec.txt</string>
+</dict>
+<dict>
+ <key>OpenSourceProject</key>
+ <string>libipsec</string>
+ <key>OpenSourceImportDate</key>
+ <string>2002-04-01</string>
+ <key>OpenSourceVersion</key>
+ <string>Original version number unavailable, but later based on 0.6.5</string>
+ <key>OpenSourceWebsiteURL</key>
+ <string>http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src</string>
+ <key>OpenSourceSCM</key>
+ <string>cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src</string>
+ <key>OpenSourceLicense</key>
+ <string>BSD</string>
+ <key>OpenSourceLicenseFile</key>
+ <string>ipsec.txt</string>
+</dict>
+<dict>
+ <key>OpenSourceProject</key>
+ <string>setkey</string>
+ <key>OpenSourceImportDate</key>
+ <string>2002-04-01</string>
+ <key>OpenSourceVersion</key>
+ <string>Original version number unavailable, but later based on 0.6.5</string>
+ <key>OpenSourceWebsiteURL</key>
+ <string>http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src</string>
+ <key>OpenSourceSCM</key>
+ <string>cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src</string>
+ <key>OpenSourceLicense</key>
+ <string>BSD</string>
+ <key>OpenSourceLicenseFile</key>
+ <string>ipsec.txt</string>
+</dict>
+<dict>
+ <key>OpenSourceProject</key>
+ <string>racoonctl</string>
+ <key>OpenSourceImportDate</key>
+ <string>2002-04-01</string>
+ <key>OpenSourceVersion</key>
+ <string>Original version number unavailable, but later based on 0.6.5</string>
+ <key>OpenSourceWebsiteURL</key>
+ <string>http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src</string>
+ <key>OpenSourceSCM</key>
+ <string>cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src</string>
+ <key>OpenSourceLicense</key>
+ <string>BSD</string>
+ <key>OpenSourceLicenseFile</key>
+ <string>ipsec.txt</string>
+</dict>
+</array>
+</plist>
--- /dev/null
+1)
+ Majority of the code in libipsec, racoon, racoonctl, and setkey is distributed under the following WIDE license:
+
+ Copyright (C) 1995-2003 WIDE Project.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the project nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+2)
+ Parts of the code in racoon is distributed under the following license (in addition to the aforementioned WIDE license):
+
+ Copyright (C) 2004-2006 Emmanuel Dreyfus
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the project nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+3)
+ Parts of the code in racoon is distributed under the following license (in addition to the aforementioned WIDE license):
+
+ Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
+ Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the project nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+3)
+ Parts of the code in racoon is distributed under the following license (in addition to the aforementioned WIDE license):
+
+ Copyright 2000 Wasabi Systems, Inc.
+ All rights reserved.
+
+ This software was written by Frank van der Linden of Wasabi Systems
+ for Zembu Labs, Inc. http://www.zembu.com/
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of Wasabi Systems, Inc. may not be used to endorse
+ or promote products derived from this software without specific prior
+ written permission.
+
+ THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC
+ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+4)
+ Parts of the Rijndael code in racoon was done by Vincent Rijmen, Antoon Bosselaers
+ and Paulo Barreto is in the public domain and distributed
+ with the following license:
+
+ @version 2.4
+
+ Optimised ANSI C code for the Rijndael cipher (now AES)
+
+ @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ @author Paulo Barreto <paulo.barreto@terra.com.br>
+
+ This code is hereby placed in the public domain.
+
+ THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
buildConfigurationList = 25D3DAB8098952B20025F703 /* Build configuration list for PBXAggregateTarget "IPSec (Aggregate)" */;
buildPhases = (
72265DD80F818ED700730A7D /* CopyFiles */,
+ BAA6806112B17CF900ACF6D3 /* CopyFiles */,
);
dependencies = (
25D3DDE30989AFDE0025F703 /* PBXTargetDependency */,
812531110D3FEA28006BDF4F /* PBXTargetDependency */,
81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */,
8125312C0D3FEA44006BDF4F /* PBXTargetDependency */,
- 81DDFDDB0D622C5100C5CB87 /* PBXTargetDependency */,
81DDFDF10D627DE300C5CB87 /* PBXTargetDependency */,
);
name = "IPSec Embedded (Aggregate)";
812530EB0D3FE9DC006BDF4F /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; };
812530EC0D3FE9DC006BDF4F /* nattraversal.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258F00988657000D15623 /* nattraversal.c */; };
812530ED0D3FE9DC006BDF4F /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; };
- 812530EE0D3FE9DC006BDF4F /* rsalist.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259100988657000D15623 /* rsalist.c */; };
812530EF0D3FE9DC006BDF4F /* isakmp_cfg.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D50988657000D15623 /* isakmp_cfg.c */; };
812530F00D3FE9DC006BDF4F /* isakmp_unity.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E10988657000D15623 /* isakmp_unity.c */; };
812530F10D3FE9DC006BDF4F /* isakmp_xauth.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E40988657000D15623 /* isakmp_xauth.c */; };
8167917B0D650BAA006B523F /* racoon.conf in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103A0D5BE18800C7B441 /* racoon.conf */; };
8176A6B90D45661700BC5251 /* libldap.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8176A6B80D45661700BC5251 /* libldap.dylib */; };
817FFC4E0D6134A7004A8DD8 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; };
- 817FFC4F0D6134AD004A8DD8 /* rsaparse.o in Frameworks */ = {isa = PBXBuildFile; fileRef = 25E08C9A09D9E64A001A11CF /* rsaparse.o */; };
817FFC5A0D613729004A8DD8 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; };
818710410D5BE22B00C7B441 /* psk.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103D0D5BE1CF00C7B441 /* psk.txt */; };
818710420D5BE22F00C7B441 /* racoon.conf in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103B0D5BE1B400C7B441 /* racoon.conf */; };
81DDFDC50D622C2700C5CB87 /* ipsec_strerror.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 252DF9550989B4EE00E5B678 /* ipsec_strerror.3 */; };
81DDFDC60D622C2700C5CB87 /* ipsec_get_policylen.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 81EDB0680B5D8D8900840BC7 /* ipsec_get_policylen.3 */; };
81DDFDC70D622C2700C5CB87 /* ipsec_dump_policy.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 81EDB0670B5D8D7000840BC7 /* ipsec_dump_policy.3 */; };
- 81DDFDD00D622C3500C5CB87 /* prsa_par.y in Sources */ = {isa = PBXBuildFile; fileRef = 2589CBA809D8B727002DC960 /* prsa_par.y */; };
- 81DDFDD10D622C3500C5CB87 /* prsa_tok.l in Sources */ = {isa = PBXBuildFile; fileRef = 2589CBAA09D8B727002DC960 /* prsa_tok.l */; };
81EDB0690B5D8D9600840BC7 /* ipsec_get_policylen.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 81EDB0680B5D8D8900840BC7 /* ipsec_get_policylen.3 */; };
81EDB06A0B5D8D9A00840BC7 /* ipsec_dump_policy.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 81EDB0670B5D8D7000840BC7 /* ipsec_dump_policy.3 */; };
834072A90EDCC5AC00B6CCE8 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; };
8D5B16750E5F7F4E00E72675 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8D5B16230E5F7E9300E72675 /* libresolv.dylib */; };
8D5B167D0E5F7F9F00E72675 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8D5B16230E5F7E9300E72675 /* libresolv.dylib */; };
+ BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; };
+ BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; };
+ BA48611C109C2BBA00545E19 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA48611B109C2BBA00545E19 /* IOKit.framework */; };
+ BA486225109C2BF500545E19 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA48611B109C2BBA00545E19 /* IOKit.framework */; };
BA5B6F2A0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */; };
BA5B6F2B0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F290EC19F40003774E7 /* ipsecSessionTracer.c */; };
BA5B6F2C0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */; };
BA5B6F2D0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F290EC19F40003774E7 /* ipsecSessionTracer.c */; };
BA5B6F310EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */; };
BA5B6F320EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */; };
+ BA64A934114EFE8C00F3574C /* racoon.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = BA64A933114EFE5C00F3574C /* racoon.sb */; };
+ BA64A935114EFE9900F3574C /* racoon.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = BA64A933114EFE5C00F3574C /* racoon.sb */; };
BA6F109B0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; };
BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; };
+ BA7777A11107EBCE00DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; };
+ BA7777A21107EBF600DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; };
+ BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; };
/* End PBXBuildFile section */
/* Begin PBXContainerItemProxy section */
remoteGlobalIDString = 81DDFDB80D622C2700C5CB87;
remoteInfo = "libipsec Embedded";
};
- 81DDFDDA0D622C5100C5CB87 /* PBXContainerItemProxy */ = {
- isa = PBXContainerItemProxy;
- containerPortal = 23D2D790087071FC00C51098 /* Project object */;
- proxyType = 1;
- remoteGlobalIDString = 81DDFDCE0D622C3500C5CB87;
- remoteInfo = "rsaparse Embedded";
- };
81DDFDDE0D622D1700C5CB87 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
remoteGlobalIDString = 81DDFDB80D622C2700C5CB87;
remoteInfo = "libipsec Embedded";
};
- 81DDFDE00D622D2A00C5CB87 /* PBXContainerItemProxy */ = {
- isa = PBXContainerItemProxy;
- containerPortal = 23D2D790087071FC00C51098 /* Project object */;
- proxyType = 1;
- remoteGlobalIDString = 81DDFDCE0D622C3500C5CB87;
- remoteInfo = "rsaparse Embedded";
- };
81DDFDE30D622D8C00C5CB87 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
isa = PBXCopyFilesBuildPhase;
buildActionMask = 8;
dstPath = usr/share/man/man5;
- dstSubfolderSpec = 16;
+ dstSubfolderSpec = 0;
files = (
258CF2E40A191AD500166B38 /* racoon.conf.5 in CopyFiles */,
);
);
runOnlyForDeploymentPostprocessing = 1;
};
+ BA64A930114EFDFD00F3574C /* CopyFiles */ = {
+ isa = PBXCopyFilesBuildPhase;
+ buildActionMask = 8;
+ dstPath = /System/Library/Sandbox/Profiles;
+ dstSubfolderSpec = 0;
+ files = (
+ BA64A934114EFE8C00F3574C /* racoon.sb in CopyFiles */,
+ );
+ runOnlyForDeploymentPostprocessing = 1;
+ };
+ BA64A932114EFE4400F3574C /* CopyFiles */ = {
+ isa = PBXCopyFilesBuildPhase;
+ buildActionMask = 8;
+ dstPath = /usr/local/share/sandbox/profiles/embedded/builtin;
+ dstSubfolderSpec = 0;
+ files = (
+ BA64A935114EFE9900F3574C /* racoon.sb in CopyFiles */,
+ );
+ runOnlyForDeploymentPostprocessing = 1;
+ };
+ BAA6806112B17CF900ACF6D3 /* CopyFiles */ = {
+ isa = PBXCopyFilesBuildPhase;
+ buildActionMask = 8;
+ dstPath = /usr/local/OpenSourceLicenses;
+ dstSubfolderSpec = 0;
+ files = (
+ BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */,
+ );
+ runOnlyForDeploymentPostprocessing = 1;
+ };
/* End PBXCopyFilesBuildPhase section */
/* Begin PBXFileReference section */
81CA08910CE3BC870055C0AF /* vpn.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = vpn.c; sourceTree = "<group>"; };
81DDFDAA0D622C1700C5CB87 /* setkey */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = setkey; sourceTree = BUILT_PRODUCTS_DIR; };
81DDFDCD0D622C2700C5CB87 /* libipsec.A.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = libipsec.A.dylib; sourceTree = BUILT_PRODUCTS_DIR; };
- 81DDFDD70D622C3500C5CB87 /* rsaparse.o */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.objfile"; includeInIndex = 0; path = rsaparse.o; sourceTree = BUILT_PRODUCTS_DIR; };
81EDB0670B5D8D7000840BC7 /* ipsec_dump_policy.3 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; name = ipsec_dump_policy.3; path = libipsec/ipsec_dump_policy.3; sourceTree = "<group>"; };
81EDB0680B5D8D8900840BC7 /* ipsec_get_policylen.3 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; name = ipsec_get_policylen.3; path = libipsec/ipsec_get_policylen.3; sourceTree = "<group>"; };
8D5B16230E5F7E9300E72675 /* libresolv.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libresolv.dylib; path = /usr/lib/libresolv.dylib; sourceTree = "<absolute>"; };
+ BA485FA1109C1ECA00545E19 /* power_mgmt.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = power_mgmt.c; sourceTree = "<group>"; };
+ BA485FA6109C243900545E19 /* power_mgmt.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = power_mgmt.h; sourceTree = "<group>"; };
+ BA48611B109C2BBA00545E19 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; };
BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ipsecConfigTracer.c; sourceTree = "<group>"; };
BA5B6F290EC19F40003774E7 /* ipsecSessionTracer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ipsecSessionTracer.c; sourceTree = "<group>"; };
BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ipsecPolicyTracer.c; sourceTree = "<group>"; };
BA5B6F370EC1A03C003774E7 /* ipsecSessionTracer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ipsecSessionTracer.h; sourceTree = "<group>"; };
BA5B6F380EC1A03C003774E7 /* ipsecPolicyTracer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ipsecPolicyTracer.h; sourceTree = "<group>"; };
BA5B6F4F0EC1A136003774E7 /* vpn.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = vpn.h; sourceTree = "<group>"; };
+ BA64A933114EFE5C00F3574C /* racoon.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = racoon.sb; sourceTree = "<group>"; };
BA6F10940EA1D67700546773 /* ike_session.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ike_session.h; sourceTree = "<group>"; };
BA6F109A0EA1DEC200546773 /* ike_session.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ike_session.c; sourceTree = "<group>"; };
+ BACBF18B10290AE000BBFC85 /* ipsec.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = ipsec.txt; sourceTree = "<group>"; };
C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; name = AspenSDK.xcconfig; path = AppleInternal/XcodeConfig/AspenSDK.xcconfig; sourceTree = DEVELOPER_DIR; };
/* End PBXFileReference section */
25DC9ED709DB170800C89F86 /* rsaparse.o in Frameworks */,
8176A6B90D45661700BC5251 /* libldap.dylib in Frameworks */,
81C9645F0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */,
+ BA486225109C2BF500545E19 /* IOKit.framework in Frameworks */,
);
runOnlyForDeploymentPostprocessing = 0;
};
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
- 817FFC4F0D6134AD004A8DD8 /* rsaparse.o in Frameworks */,
8D5B167D0E5F7F9F00E72675 /* libresolv.dylib in Frameworks */,
817FFC4E0D6134A7004A8DD8 /* libipsec.A.dylib in Frameworks */,
812530F80D3FE9DC006BDF4F /* libiconv.dylib in Frameworks */,
812A64ED0D4AA082004CB7EB /* Security.framework in Frameworks */,
81C964590DA2CBEF00257BC8 /* SystemConfiguration.framework in Frameworks */,
81C9645E0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */,
+ BA48611C109C2BBA00545E19 /* IOKit.framework in Frameworks */,
);
runOnlyForDeploymentPostprocessing = 0;
};
);
runOnlyForDeploymentPostprocessing = 0;
};
- 81DDFDD20D622C3500C5CB87 /* Frameworks */ = {
- isa = PBXFrameworksBuildPhase;
- buildActionMask = 2147483647;
- files = (
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
/* End PBXFrameworksBuildPhase section */
/* Begin PBXGroup section */
23D2D78C087071FC00C51098 = {
isa = PBXGroup;
children = (
+ BA64A933114EFE5C00F3574C /* racoon.sb */,
+ BACBF18B10290AE000BBFC85 /* ipsec.txt */,
72265DDB0F818F9300730A7D /* ipsec.plist */,
C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */,
25E5E82D0981A61900F2834C /* ipsec-tools */,
812531290D3FEA33006BDF4F /* racoonctl */,
81DDFDAA0D622C1700C5CB87 /* setkey */,
81DDFDCD0D622C2700C5CB87 /* libipsec.A.dylib */,
- 81DDFDD70D622C3500C5CB87 /* rsaparse.o */,
);
name = Products;
sourceTree = "<group>";
25EAE83109D875790042CC7F /* Security.framework */,
25EAE83709D875BF0042CC7F /* DirectoryService.framework */,
25EAE8C009D87B080042CC7F /* CoreFoundation.framework */,
+ BA48611B109C2BBA00545E19 /* IOKit.framework */,
);
name = Frameworks;
sourceTree = "<group>";
25F258FE0988657000D15623 /* plog.h */,
25F258FF0988657000D15623 /* policy.c */,
25F259000988657000D15623 /* policy.h */,
+ BA485FA1109C1ECA00545E19 /* power_mgmt.c */,
+ BA485FA6109C243900545E19 /* power_mgmt.h */,
25F259010988657000D15623 /* privsep.c */,
25F259020988657000D15623 /* privsep.h */,
25F259030988657000D15623 /* proposal.c */,
724A38A20E3676FB00F6B25F /* CopyFiles */,
258CF2F80A191B3900166B38 /* CopyFiles */,
258CF2FA0A191B3900166B38 /* CopyFiles */,
+ BA64A930114EFDFD00F3574C /* CopyFiles */,
258CF31B0A1941A200166B38 /* ShellScript */,
);
buildRules = (
812530FF0D3FE9DC006BDF4F /* CopyFiles */,
812531020D3FE9DC006BDF4F /* CopyFiles */,
725F453B0E36A15C005BB55C /* CopyFiles */,
+ BA64A932114EFE4400F3574C /* CopyFiles */,
812531040D3FE9DC006BDF4F /* ShellScript */,
834072BB0EDCC5C400B6CCE8 /* CopyFiles */,
);
);
dependencies = (
81DDFDDF0D622D1700C5CB87 /* PBXTargetDependency */,
- 81DDFDE10D622D2A00C5CB87 /* PBXTargetDependency */,
);
name = "racoon Embedded";
productName = racoon;
productReference = 81DDFDCD0D622C2700C5CB87 /* libipsec.A.dylib */;
productType = "com.apple.product-type.library.dynamic";
};
- 81DDFDCE0D622C3500C5CB87 /* rsaparse Embedded */ = {
- isa = PBXNativeTarget;
- buildConfigurationList = 81DDFDD30D622C3500C5CB87 /* Build configuration list for PBXNativeTarget "rsaparse Embedded" */;
- buildPhases = (
- 81DDFDCF0D622C3500C5CB87 /* Sources */,
- 81DDFDD20D622C3500C5CB87 /* Frameworks */,
- );
- buildRules = (
- );
- dependencies = (
- );
- name = "rsaparse Embedded";
- productName = rsaparse;
- productReference = 81DDFDD70D622C3500C5CB87 /* rsaparse.o */;
- productType = "com.apple.product-type.objfile";
- };
/* End PBXNativeTarget section */
/* Begin PBXProject section */
isa = PBXProject;
buildConfigurationList = 25D3DACC098952B20025F703 /* Build configuration list for PBXProject "ipsec" */;
compatibilityVersion = "Xcode 3.0";
+ developmentRegion = English;
hasScannedForEncodings = 0;
+ knownRegions = (
+ English,
+ Japanese,
+ French,
+ German,
+ );
mainGroup = 23D2D78C087071FC00C51098;
productRefGroup = 23D2D79C087074CC00C51098 /* Products */;
projectDirPath = "";
812531120D3FEA33006BDF4F /* racoonctl Embedded */,
81DDFD970D622C1700C5CB87 /* setkey Embedded */,
81DDFDB80D622C2700C5CB87 /* libipsec Embedded */,
- 81DDFDCE0D622C3500C5CB87 /* rsaparse Embedded */,
);
};
/* End PBXProject section */
25F259370988657000D15623 /* ipsec_doi.c in Sources */,
25F259380988657000D15623 /* isakmp_agg.c in Sources */,
25F259390988657000D15623 /* isakmp_base.c in Sources */,
+ BA7777A11107EBCE00DD87E1 /* isakmp_frag.c in Sources */,
25F2593C0988657000D15623 /* isakmp_ident.c in Sources */,
25F2593D0988657000D15623 /* isakmp_inf.c in Sources */,
25F2593E0988657000D15623 /* isakmp_newg.c in Sources */,
BA6F109B0EA1DEC200546773 /* ike_session.c in Sources */,
BA5B6F2A0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */,
BA5B6F2B0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */,
+ BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
812530CF0D3FE9DC006BDF4F /* ipsec_doi.c in Sources */,
812530D00D3FE9DC006BDF4F /* isakmp_agg.c in Sources */,
812530D10D3FE9DC006BDF4F /* isakmp_base.c in Sources */,
+ BA7777A21107EBF600DD87E1 /* isakmp_frag.c in Sources */,
812530D20D3FE9DC006BDF4F /* isakmp_ident.c in Sources */,
812530D30D3FE9DC006BDF4F /* isakmp_inf.c in Sources */,
812530D40D3FE9DC006BDF4F /* isakmp_newg.c in Sources */,
812530EB0D3FE9DC006BDF4F /* vmbuf.c in Sources */,
812530EC0D3FE9DC006BDF4F /* nattraversal.c in Sources */,
812530ED0D3FE9DC006BDF4F /* pfkey.c in Sources */,
- 812530EE0D3FE9DC006BDF4F /* rsalist.c in Sources */,
812530EF0D3FE9DC006BDF4F /* isakmp_cfg.c in Sources */,
812530F00D3FE9DC006BDF4F /* isakmp_unity.c in Sources */,
812530F10D3FE9DC006BDF4F /* isakmp_xauth.c in Sources */,
BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */,
BA5B6F2C0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */,
BA5B6F2D0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */,
+ BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
);
runOnlyForDeploymentPostprocessing = 0;
};
- 81DDFDCF0D622C3500C5CB87 /* Sources */ = {
- isa = PBXSourcesBuildPhase;
- buildActionMask = 2147483647;
- files = (
- 81DDFDD00D622C3500C5CB87 /* prsa_par.y in Sources */,
- 81DDFDD10D622C3500C5CB87 /* prsa_tok.l in Sources */,
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
/* End PBXSourcesBuildPhase section */
/* Begin PBXTargetDependency section */
target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */;
targetProxy = 81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */;
};
- 81DDFDDB0D622C5100C5CB87 /* PBXTargetDependency */ = {
- isa = PBXTargetDependency;
- target = 81DDFDCE0D622C3500C5CB87 /* rsaparse Embedded */;
- targetProxy = 81DDFDDA0D622C5100C5CB87 /* PBXContainerItemProxy */;
- };
81DDFDDF0D622D1700C5CB87 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */;
targetProxy = 81DDFDDE0D622D1700C5CB87 /* PBXContainerItemProxy */;
};
- 81DDFDE10D622D2A00C5CB87 /* PBXTargetDependency */ = {
- isa = PBXTargetDependency;
- target = 81DDFDCE0D622C3500C5CB87 /* rsaparse Embedded */;
- targetProxy = 81DDFDE00D622D2A00C5CB87 /* PBXContainerItemProxy */;
- };
81DDFDE40D622D8C00C5CB87 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */;
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
i386,
- ppc,
- ppc64,
x86_64,
);
COPY_PHASE_STRIP = NO;
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
SKIP_INSTALL = YES;
- VALID_ARCHS = "ppc64 i386 x86_64 ppc";
+ VALID_ARCHS = "i386 x86_64";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
i386,
- ppc,
- ppc64,
x86_64,
);
COPY_PHASE_STRIP = NO;
LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
- VALID_ARCHS = "ppc64 i386 x86_64 ppc";
+ VALID_ARCHS = "i386 x86_64";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
ALTERNATE_MODE = "";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- armv6,
i386,
- ppc,
- ppc64,
x86_64,
);
COPY_PHASE_STRIP = NO;
LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
- VALID_ARCHS = "armv6 ppc64 i386 x86_64 ppc";
+ VALID_ARCHS = "i386 x86_64";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = NO;
PREBINDING = NO;
PRODUCT_NAME = "plainrsa-gen";
SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Development;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = YES;
PREBINDING = NO;
PRODUCT_NAME = "plainrsa-gen";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Deployment;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
+ x86_64,
i386,
);
GCC_ENABLE_FIX_AND_CONTINUE = YES;
PREBINDING = NO;
PRODUCT_NAME = "plainrsa-gen";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Default;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = NO;
PREBINDING = NO;
PRODUCT_NAME = eaytest;
SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Development;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = YES;
PRODUCT_NAME = eaytest;
SKIP_INSTALL = YES;
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Deployment;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
i386,
+ x86_64,
);
COPY_PHASE_STRIP = YES;
GCC_ENABLE_FIX_AND_CONTINUE = YES;
PRODUCT_NAME = eaytest;
SKIP_INSTALL = YES;
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Default;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
i386,
+ x86_64,
);
COPY_PHASE_STRIP = NO;
GCC_DYNAMIC_NO_PIC = NO;
PREBINDING = NO;
PRODUCT_NAME = "test-policy";
SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Development;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
i386,
+ x86_64,
);
COPY_PHASE_STRIP = YES;
GCC_ENABLE_FIX_AND_CONTINUE = NO;
PRODUCT_NAME = "test-policy";
SKIP_INSTALL = YES;
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Deployment;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
i386,
+ x86_64,
);
GCC_ENABLE_FIX_AND_CONTINUE = YES;
GCC_MODEL_TUNING = G5;
PRODUCT_NAME = "test-policy";
SKIP_INSTALL = YES;
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Default;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
i386,
+ x86_64,
);
COPY_PHASE_STRIP = NO;
GCC_DYNAMIC_NO_PIC = NO;
PREBINDING = NO;
PRODUCT_NAME = "test-pfkey";
SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Development;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
i386,
+ x86_64,
);
COPY_PHASE_STRIP = YES;
GCC_ENABLE_FIX_AND_CONTINUE = NO;
PRODUCT_NAME = "test-pfkey";
SKIP_INSTALL = YES;
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Deployment;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
i386,
+ x86_64,
);
GCC_ENABLE_FIX_AND_CONTINUE = YES;
GCC_MODEL_TUNING = G5;
PRODUCT_NAME = "test-pfkey";
SKIP_INSTALL = YES;
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
ZERO_LINK = NO;
};
name = Default;
25D3DAB9098952B20025F703 /* Development */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ ARCHS = (
+ i386,
+ x86_64,
+ );
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
PRODUCT_NAME = "IPSec (Aggregate)";
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
- VALID_ARCHS = "ppc64 ppc7400 ppc970 i386 x86_64 ppc";
+ VALID_ARCHS = "i386 x86_64";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
25D3DABA098952B20025F703 /* Deployment */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ ARCHS = (
+ i386,
+ x86_64,
+ );
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
PRODUCT_NAME = "IPSec (Aggregate)";
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
+ VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
25D3DABB098952B20025F703 /* Default */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ ARCHS = (
+ i386,
+ x86_64,
+ );
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
PRODUCT_NAME = "IPSec (Aggregate)";
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
+ VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = NO;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = NO;
PREBINDING = NO;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = NO;
PREBINDING = NO;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = NO;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1",
+ "HAVE_CONFIG_H=1",
"$(GCC_PREPROCESSOR_DEFINITIONS)",
);
HEADER_SEARCH_PATHS = (
PRODUCT_NAME = setkey;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
- VALID_ARCHS = "armv6 i386 ppc x86_64";
+ VALID_ARCHS = "i386 x86_64";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1",
+ "HAVE_CONFIG_H=1",
"$(GCC_PREPROCESSOR_DEFINITIONS)",
);
HEADER_SEARCH_PATHS = (
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "armv6 i386 ppc x86_64";
+ VALID_ARCHS = "i386 x86_64";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
+ x86_64,
i386,
- ppc,
- armv6,
);
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1",
+ "HAVE_CONFIG_H=1",
"$(GCC_PREPROCESSOR_DEFINITIONS)",
);
HEADER_SEARCH_PATHS = (
PRODUCT_NAME = setkey;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "armv6 i386 ppc x86_64";
+ VALID_ARCHS = "i386 x86_64";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = NO;
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = YES;
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- ppc,
+ x86_64,
i386,
);
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386 ppc";
+ VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
};
25D3DACD098952B20025F703 /* Development */ = {
isa = XCBuildConfiguration;
+ baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
ADDITIONAL_SDKS = "";
ARCHS = (
armv6,
i386,
- ppc64,
- arm,
+ armv7,
x86_64,
- ppc,
);
+ VALID_ARCHS = "armv6 x86_64 i386 armv7";
};
name = Development;
};
25D3DACE098952B20025F703 /* Deployment */ = {
isa = XCBuildConfiguration;
+ baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
ADDITIONAL_SDKS = "";
ARCHS = (
armv6,
i386,
- ppc64,
- arm,
+ armv7,
x86_64,
- ppc,
);
+ VALID_ARCHS = "armv6 x86_64 i386 armv7";
};
name = Deployment;
};
25D3DACF098952B20025F703 /* Default */ = {
isa = XCBuildConfiguration;
+ baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
ADDITIONAL_SDKS = "";
ARCHS = (
armv6,
i386,
- ppc64,
- arm,
+ armv7,
x86_64,
- ppc,
);
+ VALID_ARCHS = "armv6 armv7 x86_64 i386";
};
name = Default;
};
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = NO;
PREBINDING = NO;
PRODUCT_NAME = rsaparse;
SKIP_INSTALL = NO;
- VALID_ARCHS = "i386 ppc x86_64 armv6";
+ VALID_ARCHS = "i386 x86_64";
YACCFLAGS = "$(YACCFLAGS) -pprsa";
};
name = Development;
isa = XCBuildConfiguration;
buildSettings = {
ARCHS = (
- ppc,
+ x86_64,
i386,
);
COPY_PHASE_STRIP = NO;
PREBINDING = NO;
PRODUCT_NAME = rsaparse;
SKIP_INSTALL = NO;
- VALID_ARCHS = "i386 ppc x86_64 armv6";
+ VALID_ARCHS = "i386 x86_64";
YACCFLAGS = "$(YACCFLAGS) -pprsa";
ZERO_LINK = NO;
};
buildSettings = {
ARCHS = (
i386,
- ppc,
- armv6,
+ x86_64,
);
COPY_PHASE_STRIP = NO;
GCC_MODEL_TUNING = G5;
PREBINDING = NO;
PRODUCT_NAME = rsaparse;
SKIP_INSTALL = NO;
- VALID_ARCHS = "i386 ppc x86_64 armv6";
+ VALID_ARCHS = "i386 x86_64";
YACCFLAGS = "$(YACCFLAGS) -pprsa";
};
name = Default;
isa = XCBuildConfiguration;
buildSettings = {
ADDITIONAL_SDKS = "";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
PRODUCT_NAME = "IPSec Embedded (Aggregate)";
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
+ VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
isa = XCBuildConfiguration;
buildSettings = {
ADDITIONAL_SDKS = "";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
isa = XCBuildConfiguration;
buildSettings = {
ADDITIONAL_SDKS = "";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
PRODUCT_NAME = "IPSec Embedded (Aggregate)";
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
+ VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
CODE_SIGN_IDENTITY = "-";
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS_QUOTED_2 = "-DADMINPORTDIR=\\\"/var/run\\\"";
OTHER_CFLAGS_QUOTED_3 = "-DPATHRACOON=\\\"/usr/sbin/racoon\\\"";
OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)";
- OTHER_LDFLAGS = "-lcrypto";
+ OTHER_LDFLAGS = "";
OTHER_REZFLAGS = "";
PREBINDING = NO;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
+ VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
CODE_SIGN_IDENTITY = "-";
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS_QUOTED_2 = "-DADMINPORTDIR=\\\"/var/run\\\"";
OTHER_CFLAGS_QUOTED_3 = "-DPATHRACOON=\\\"/usr/sbin/racoon\\\"";
OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)";
- OTHER_LDFLAGS = "-lcrypto";
+ OTHER_LDFLAGS = "";
OTHER_REZFLAGS = "";
PREBINDING = NO;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
+ VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
CODE_SIGN_IDENTITY = "-";
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS_QUOTED_2 = "-DADMINPORTDIR=\\\"/var/run\\\"";
OTHER_CFLAGS_QUOTED_3 = "-DPATHRACOON=\\\"/usr/sbin/racoon\\\"";
OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)";
- OTHER_LDFLAGS = "-lcrypto";
+ OTHER_LDFLAGS = "";
OTHER_REZFLAGS = "";
PREBINDING = NO;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
+ VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
COPY_PHASE_STRIP = NO;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
+ VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
COPY_PHASE_STRIP = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
+ VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
GCC_PREPROCESSOR_DEFINITIONS = (
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
+ VALID_ARCHS = "armv6 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
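Review bot: `VALID_ARCHS = "armv6 i386";` added for the racoonctl Default configuration does not match the `ARCHS = (armv6, armv7)` added a few lines above it in the same hunk, nor the `"armv6 armv7"` every sibling embedded configuration uses; Xcode builds only the intersection of ARCHS and VALID_ARCHS, so the armv7 slice of this product would silently be dropped, which looks like a copy error rather than an intent. The same mismatch appears for the ipsec.A Default configuration (`VALID_ARCHS = "armv6 i386";` below `PRODUCT_NAME = ipsec.A;`), and the setkey Default configuration carries a stray trailing space in `VALID_ARCHS = "armv6 armv7 ";`. All three should read `VALID_ARCHS = "armv6 armv7";`.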
isa = XCBuildConfiguration;
baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
+ ARCHS = (
+ armv6,
+ armv7,
+ );
COPY_PHASE_STRIP = NO;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
PRODUCT_NAME = setkey;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
+ VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
isa = XCBuildConfiguration;
baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
+ ARCHS = (
+ armv6,
+ armv7,
+ );
COPY_PHASE_STRIP = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1",
+ "HAVE_CONFIG_H=1",
"$(GCC_PREPROCESSOR_DEFINITIONS)",
);
HEADER_SEARCH_PATHS = (
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
STRIP_INSTALLED_PRODUCT = YES;
+ VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
isa = XCBuildConfiguration;
baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
+ ARCHS = (
+ armv6,
+ armv7,
+ );
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1",
+ "HAVE_CONFIG_H=1",
"$(GCC_PREPROCESSOR_DEFINITIONS)",
);
HEADER_SEARCH_PATHS = (
PRODUCT_NAME = setkey;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
+ VALID_ARCHS = "armv6 armv7 ";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "";
ALTERNATE_OWNER = "$(inherited)";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
COPY_PHASE_STRIP = NO;
CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
DYLIB_CURRENT_VERSION = 300;
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
SKIP_INSTALL = YES;
+ VALID_ARCHS = "armv6 armv7";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "";
ALTERNATE_OWNER = "$(inherited)";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
COPY_PHASE_STRIP = NO;
CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
DYLIB_CURRENT_VERSION = 300;
LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
+ VALID_ARCHS = "armv6 armv7";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "";
ALTERNATE_OWNER = "$(inherited)";
+ ARCHS = (
+ armv6,
+ armv7,
+ );
COPY_PHASE_STRIP = NO;
CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
DYLIB_CURRENT_VERSION = 300;
LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
+ VALID_ARCHS = "armv6 i386";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
name = Default;
};
- 81DDFDD40D622C3500C5CB87 /* Development */ = {
- isa = XCBuildConfiguration;
- baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
- buildSettings = {
- COPY_PHASE_STRIP = NO;
- GCC_DYNAMIC_NO_PIC = NO;
- GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
- GCC_MODEL_TUNING = G5;
- GCC_OPTIMIZATION_LEVEL = 0;
- INSTALL_PATH = "";
- LEXFLAGS = "$(LEXFLAGS) -Pprsa";
- PREBINDING = NO;
- PRODUCT_NAME = rsaparse;
- SKIP_INSTALL = NO;
- YACCFLAGS = "$(YACCFLAGS) -pprsa";
- };
- name = Development;
- };
- 81DDFDD50D622C3500C5CB87 /* Deployment */ = {
- isa = XCBuildConfiguration;
- baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
- buildSettings = {
- COPY_PHASE_STRIP = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = NO;
- GCC_GENERATE_DEBUGGING_SYMBOLS = NO;
- GCC_MODEL_TUNING = G5;
- INSTALL_PATH = "";
- LEXFLAGS = "$(LEXFLAGS) -Pprsa";
- PREBINDING = NO;
- PRODUCT_NAME = rsaparse;
- SKIP_INSTALL = NO;
- YACCFLAGS = "$(YACCFLAGS) -pprsa";
- ZERO_LINK = NO;
- };
- name = Deployment;
- };
- 81DDFDD60D622C3500C5CB87 /* Default */ = {
- isa = XCBuildConfiguration;
- baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
- buildSettings = {
- COPY_PHASE_STRIP = NO;
- GCC_MODEL_TUNING = G5;
- INSTALL_PATH = "";
- LEXFLAGS = "$(LEXFLAGS) -Pprsa";
- PREBINDING = NO;
- PRODUCT_NAME = rsaparse;
- SKIP_INSTALL = NO;
- YACCFLAGS = "$(YACCFLAGS) -pprsa";
- };
- name = Default;
- };
/* End XCBuildConfiguration section */
/* Begin XCConfigurationList section */
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Deployment;
};
- 81DDFDD30D622C3500C5CB87 /* Build configuration list for PBXNativeTarget "rsaparse Embedded" */ = {
- isa = XCConfigurationList;
- buildConfigurations = (
- 81DDFDD40D622C3500C5CB87 /* Development */,
- 81DDFDD50D622C3500C5CB87 /* Deployment */,
- 81DDFDD60D622C3500C5CB87 /* Default */,
- );
- defaultConfigurationIsVisible = 0;
- defaultConfigurationName = Deployment;
- };
/* End XCConfigurationList section */
};
rootObject = 23D2D790087071FC00C51098 /* Project object */;
--- /dev/null
+;; OriginatingProject: ipsec
+(version 1)
+(deny default)
+(allow system-socket sysctl-read sysctl-write)
+
+(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
+(allow ipc-posix-shm
+ (ipc-posix-name "apple.shm.notification_center")
+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
+
+(allow file-read* file-ioctl
+ (subpath "/private/etc/master.passwd")
+ (subpath "/private/var/run/racoon")
+ (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
+ (subpath "/private/etc/racoon"))
+
+(allow file-read*
+ (subpath "/Library/Managed\ Preferences")
+ (subpath "/Library/Preferences")
+ (subpath "/private/var/root")
+ (literal "/private/var/db/mds/messages/se_SecurityMessages"))
+
+(allow file-write*
+ (literal "/private/var/run/racoon.sock")
+ (literal "/private/var/run/racoon.pid"))
+
+(allow file*
+ (literal "/var/log/racoon.log")
+ (literal "/private/var/log/racoon.log"))
+
+(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
+
+(allow network-outbound (subpath "/private/var/tmp/launchd"))
+(allow network*
+ (local udp "*:500" "*:4500")
+ (remote udp "*:*")
+ (literal "/private/var/run/racoon.sock"))
+
+(allow file*
+ (literal "/Library/Keychains/System.keychain")
+ (literal "/private/var/db/mds/system/mdsObject.db")
+ (literal "/private/var/db/mds/system/mds.lock")
+ (literal "/private/var/db/mds/system/mdsDirectory.db"))
+
+(allow mach-lookup
+ (global-name "com.apple.SecurityServer")
+ (global-name "com.apple.ocspd"))
+
+;;;;;; Common system sandbox rules
+;;;;;;
+;;;;;; Copyright (c) 2008-2010 Apple Inc. All Rights reserved.
+;;;;;;
+;;;;;; WARNING: The sandbox rules in this file currently constitute
+;;;;;; Apple System Private Interface and are subject to change at any time and
+;;;;;; without notice. The contents of this file are also auto-generated and
+;;;;;; not user editable; it may be overwritten at any time.
+
+;;; Allow read access to standard system paths.
+
+(allow file-read*
+ (require-all (file-mode #o0004)
+ (require-any (subpath "/System")
+ (subpath "/usr/lib")
+ (subpath "/usr/sbin")
+ (subpath "/usr/share"))))
+
+(allow file-read-metadata
+ (literal "/etc")
+ (literal "/tmp")
+ (literal "/var"))
+
+;;; Allow access to standard special files.
+
+(allow file-read*
+ (literal "/private/var/db/timezone/localtime")
+ (literal "/dev/random")
+ (literal "/dev/urandom"))
+
+(allow file-read*
+ file-write-data
+ (literal "/dev/null")
+ (literal "/dev/zero"))
+
+(allow file-read*
+ file-write-data
+ file-ioctl
+ (literal "/dev/aes_0")
+ (literal "/dev/sha1_0")
+ (literal "/dev/dtracehelper"))
+
+(allow network-outbound
+ (literal "/private/var/run/asl_input")
+ (literal "/private/var/run/syslog"))
+
+;;; Allow IPC to standard system agents.
+
+(allow mach-lookup
+ (global-name "com.apple.securityd")
+ (global-name "com.apple.bsd.dirhelper")
+ (global-name "com.apple.system.DirectoryService.libinfo_v1")
+ (global-name "com.apple.system.DirectoryService.membership_v1")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center"))
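Review bot: `(allow file-read* (subpath "/private/var/root"))` and `(allow file-read* file-ioctl (subpath "/private/etc/master.passwd"))` give a daemon that also accepts `(remote udp "*:*")` read access to root's whole home directory and to the shadow password file; `file-ioctl` on master.passwd looks unneeded, and the `/private/var/root` grant should be narrowed to the specific files racoon reads there (this hunk does not identify them) or at least carry a `;;` line recording why the whole directory is required. The block copied in below the `;;;;;; Common system sandbox rules` banner is marked auto-generated and liable to be overwritten, so inlining it means this profile will drift from the platform's copy; if the target's sandbox supports it, `(import "system.sb")` keeps those rules in step instead. The backslash in `(subpath "/Library/Managed\ Preferences")` is unnecessary inside a string literal and whether the reader turns `\ ` into a plain space depends on its escape handling, so `(subpath "/Library/Managed Preferences")` removes the ambiguity. The profile may continue past the last line shown in this hunk.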