From: Apple Date: Fri, 24 Oct 2014 18:05:41 +0000 (+0000) Subject: ipsec-286.1.1.tar.gz X-Git-Tag: os-x-1010^0 X-Git-Url: https://git.saurik.com/apple/ipsec.git/commitdiff_plain/d9c572c0d1634988834f2a68361f92bc7242cce4 ipsec-286.1.1.tar.gz --- diff --git a/entitlements-mac.plist b/entitlements-mac.plist new file mode 100644 index 0000000..4651ae6 --- /dev/null +++ b/entitlements-mac.plist @@ -0,0 +1,8 @@ + + + + + com.apple.private.nehelper.privileged + + + diff --git a/entitlements.plist b/entitlements.plist index a40c33f..bb6a89a 100644 --- a/entitlements.plist +++ b/entitlements.plist @@ -4,6 +4,8 @@ com.apple.coretelephony.SimAuthentication.allow + com.apple.coretelephony.Identity.get + keychain-access-groups apple @@ -14,5 +16,7 @@ racoon + com.apple.private.nehelper.privileged + diff --git a/ipsec-tools/Common/config.h b/ipsec-tools/Common/config.h index b172131..cd9cb92 100644 --- a/ipsec-tools/Common/config.h +++ b/ipsec-tools/Common/config.h @@ -47,6 +47,9 @@ /* Enable samode-unspec */ #undef ENABLE_SAMODE_UNSPECIFIED +/* Enable no SA flush */ +#define ENABLE_NO_SA_FLUSH 1 + /* Enable statictics */ /* #define ENABLE_STATS 1*/ /* causes too many logs to syslog */ diff --git a/ipsec-tools/Common/key_debug.c b/ipsec-tools/Common/key_debug.c index e1bec26..8b03d7e 100644 --- a/ipsec-tools/Common/key_debug.c +++ b/ipsec-tools/Common/key_debug.c @@ -82,7 +82,7 @@ static void kdebug_sadb_session_id (struct sadb_ext *); static void kdebug_sadb_sastat (struct sadb_ext *); static void kdebug_sadb_x_policy (struct sadb_ext *ext); static void kdebug_sockaddr (struct sockaddr_storage *addr); - +static void kdebug_sadb_x_ipsecif (struct sadb_ext *ext); #ifdef SADB_X_EXT_NAT_T_TYPE static void kdebug_sadb_x_nat_t_type (struct sadb_ext *ext); static void kdebug_sadb_x_nat_t_port (struct sadb_ext *ext); 
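Review bot: The new `ENABLE_NO_SA_FLUSH` define in config.h is documented only as `/* Enable no SA flush */`, a double negative that says neither which flush racoon now skips nor why, and the code that tests the macro is not part of this diff. Since the same commit starts tagging every SA2 extension with `SADB_X_EXT_SA2_DELETE_ON_DETACH` (pfkey.c), the intent is presumably that SA cleanup is being delegated to the kernel instead of a daemon-wide flush at start or stop, but that reasoning is recorded nowhere. I would replace the comment with `/* Do not flush the kernel SAD/SPD at racoon start/stop; SA cleanup is delegated to the kernel (see SADB_X_EXT_SA2_DELETE_ON_DETACH in pfkey.c) */` once that is confirmed against the call sites. The entitlements hunks on the same line add `com.apple.private.nehelper.privileged` with no rationale in the commit record either (the plist markup has been stripped in this rendering); a privilege grant to racoon deserves a sentence as well.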
@@ -185,6 +185,7 @@ kdebug_sadb(base) kdebug_sadb_sastat(ext); break; case SADB_X_EXT_IPSECIF: + kdebug_sadb_x_ipsecif(ext); break; #ifdef SADB_X_EXT_NAT_T_TYPE case SADB_X_EXT_NAT_T_TYPE: @@ -455,6 +456,20 @@ struct sadb_ext *ext; p->sadb_session_id_v[1]); } +static void +kdebug_sadb_x_ipsecif(struct sadb_ext *ext) +{ + struct sadb_x_ipsecif *p = ALIGNED_CAST(__typeof__(p))ext; + + if (ext == NULL) { + printf("sadb_x_ipsecif: NULL pointer was passed.\n"); + return; + } + + printf("sadb_x_ipsec_if{ ipsecif=%s outgoing=%s\n", p->sadb_x_ipsecif_ipsec_if, p->sadb_x_ipsecif_outgoing_if); + printf(" internal=%s disabled=%d }\n", p->sadb_x_ipsecif_internal_if, p->sadb_x_ipsecif_init_disabled); +} + static void kdebug_sadb_sastat(ext) struct sadb_ext *ext; diff --git a/ipsec-tools/Common/pfkey.c b/ipsec-tools/Common/pfkey.c index 2e7b526..409333d 100644 --- a/ipsec-tools/Common/pfkey.c +++ b/ipsec-tools/Common/pfkey.c @@ -2189,7 +2189,10 @@ pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid, u_ p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; p->sadb_x_sa2_mode = mode; p->sadb_x_sa2_reqid = reqid; - p->sadb_x_sa2_alwaysexpire = always_expire; + p->sadb_x_sa2_alwaysexpire = always_expire; +#ifdef SADB_X_EXT_SA2_DELETE_ON_DETACH + p->sadb_x_sa2_flags |= SADB_X_EXT_SA2_DELETE_ON_DETACH; +#endif /* SADB_X_EXT_SA2_DELETE_ON_DETACH */ return(buf + len); } diff --git a/ipsec-tools/Common/pfkey_dump.c b/ipsec-tools/Common/pfkey_dump.c index ecfa1a0..2833544 100644 --- a/ipsec-tools/Common/pfkey_dump.c +++ b/ipsec-tools/Common/pfkey_dump.c @@ -251,6 +251,7 @@ pfkey_sadump1(m, withports) int use_natt = 0; #endif + struct sadb_x_ipsecif *m_ipif = NULL; struct sockaddr *sa; /* check pfkey message. */ @@ -289,6 +290,7 @@ pfkey_sadump1(m, withports) if (natt_type && natt_type->sadb_x_nat_t_type_type) use_natt = 1; #endif + m_ipif = (void *)mhp[SADB_X_EXT_IPSECIF]; /* source address */ if (m_saddr == NULL) { printf("no ADDRESS_SRC extension.\n"); 
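Review bot: `kdebug_sadb_x_ipsecif` prints the three interface-name fields with bare `%s`, which assumes the kernel NUL-terminated the fixed-size arrays in `struct sadb_x_ipsecif`; a full-width name would make printf read past the field. Bounding each conversion to the array size removes that dependency, e.g. `printf("sadb_x_ipsec_if{ ipsecif=%.*s outgoing=%.*s\n", (int)sizeof(p->sadb_x_ipsecif_ipsec_if), p->sadb_x_ipsecif_ipsec_if, (int)sizeof(p->sadb_x_ipsecif_outgoing_if), p->sadb_x_ipsecif_outgoing_if);` and the same treatment for the `internal=` line. The function also reads through `p` without checking that `ext->sadb_ext_len` covers `sizeof(*p)`, so unless `kdebug_sadb`'s callers validate extension lengths (not visible here) a short extension is read past its end. In the pfkey.c hunk on this line, `p->sadb_x_sa2_flags |= SADB_X_EXT_SA2_DELETE_ON_DETACH` relies on the extension having been zeroed earlier in `pfkey_setsadbxsa2`, which starts outside the hunk; if it is not, a plain assignment would be the safer form.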
@@ -387,11 +389,27 @@ pfkey_sadump1(m, withports) m_sa->sadb_sa_replay, m_sa->sadb_sa_flags); +#ifdef SADB_X_EXT_SA2_DELETE_ON_DETACH + printf("flags2=0x%08x ", + m_sa2->sadb_x_sa2_flags); +#endif + /* state */ printf("state="); GETMSGSTR(str_state, m_sa->sadb_sa_state); printf("\n"); + if (m_ipif) { + printf("\t"); + if (m_ipif->sadb_x_ipsecif_internal_if[0]) + printf("internal_if: %s ", m_ipif->sadb_x_ipsecif_internal_if); + if (m_ipif->sadb_x_ipsecif_outgoing_if[0]) + printf("outgoing_if: %s ", m_ipif->sadb_x_ipsecif_outgoing_if); + if (m_ipif->sadb_x_ipsecif_ipsec_if[0]) + printf("ipsec_if: %s ", m_ipif->sadb_x_ipsecif_ipsec_if); + printf("disabled: %d\n", m_ipif->sadb_x_ipsecif_init_disabled); + } + /* lifetime */ if (m_lftc != NULL) { time_t tmp_time = time(0); @@ -639,17 +657,17 @@ int withports; (u_long)m_lfth->sadb_lifetime_usetime); } - if (m_ipif) { - printf("\t"); - if (m_ipif->sadb_x_ipsecif_internal_if[0]) - printf("Internal interface: %s ", m_ipif->sadb_x_ipsecif_internal_if); - if (m_ipif->sadb_x_ipsecif_outgoing_if[0]) - printf("Outgoing interface: %s ", m_ipif->sadb_x_ipsecif_outgoing_if); - if (m_ipif->sadb_x_ipsecif_ipsec_if[0]) - printf("IPSec interface: %s ", m_ipif->sadb_x_ipsecif_ipsec_if); - printf("Disabled: %d\n", m_ipif->sadb_x_ipsecif_init_disabled); - } - + if (m_ipif) { + printf("\t"); + if (m_ipif->sadb_x_ipsecif_internal_if[0]) + printf("internal_if: %s ", m_ipif->sadb_x_ipsecif_internal_if); + if (m_ipif->sadb_x_ipsecif_outgoing_if[0]) + printf("outgoing_if: %s ", m_ipif->sadb_x_ipsecif_outgoing_if); + if (m_ipif->sadb_x_ipsecif_ipsec_if[0]) + printf("ipsec_if: %s ", m_ipif->sadb_x_ipsecif_ipsec_if); + printf("disabled: %d\n", m_ipif->sadb_x_ipsecif_init_disabled); + } + printf("\tspid=%ld seq=%ld pid=%ld\n", (u_long)m_xpl->sadb_x_policy_id, (u_long)m->sadb_msg_seq, diff --git a/ipsec-tools/racoon/algorithm.c b/ipsec-tools/racoon/algorithm.c index 31291b5..4aaa0ea 100644 --- a/ipsec-tools/racoon/algorithm.c 
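Review bot: The `if (m_ipif)` print block added to `pfkey_sadump1` is a verbatim copy of the one re-emitted by the second hunk at line 657 (in the `withports` dump function, whose header lies outside this hunk), the two differing only in the label text that hunk renames; a shared static helper would keep the two outputs from drifting apart again. Both copies also print the interface names with bare `%s`, so the helper is the natural place to bound them to the field width. Something like the following, called as `pfkey_dump_ipsecif(m_ipif);` from both sites:
```c
/* Print the SADB_X_EXT_IPSECIF extension on one indented line; no-op for NULL. */
static void
pfkey_dump_ipsecif(const struct sadb_x_ipsecif *ipif)
{
	if (ipif == NULL)
		return;
	printf("\t");
	if (ipif->sadb_x_ipsecif_internal_if[0])
		printf("internal_if: %.*s ", (int)sizeof(ipif->sadb_x_ipsecif_internal_if), ipif->sadb_x_ipsecif_internal_if);
	if (ipif->sadb_x_ipsecif_outgoing_if[0])
		printf("outgoing_if: %.*s ", (int)sizeof(ipif->sadb_x_ipsecif_outgoing_if), ipif->sadb_x_ipsecif_outgoing_if);
	if (ipif->sadb_x_ipsecif_ipsec_if[0])
		printf("ipsec_if: %.*s ", (int)sizeof(ipif->sadb_x_ipsecif_ipsec_if), ipif->sadb_x_ipsecif_ipsec_if);
	printf("disabled: %d\n", ipif->sadb_x_ipsecif_init_disabled);
}
```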
+++ b/ipsec-tools/racoon/algorithm.c @@ -50,7 +50,6 @@ #include "ipsec_doi.h" #include "gcmalloc.h" - static struct hash_algorithm oakley_hashdef[] = { { "md5", algtype_md5, OAKLEY_ATTR_HASH_ALG_MD5, eay_md5_init, eay_md5_update, @@ -736,7 +735,6 @@ alg_oakley_authdef_name (doi) return "*UNKNOWN*"; } - /* * give the default key length * OUT: -1: NG @@ -882,7 +880,6 @@ algtype2doi(class, type) return res; } - /* * convert algorithm class to DOI value. * OUT -1 : NG diff --git a/ipsec-tools/racoon/algorithm.h b/ipsec-tools/racoon/algorithm.h index c6acef4..a81cf7f 100644 --- a/ipsec-tools/racoon/algorithm.h +++ b/ipsec-tools/racoon/algorithm.h @@ -122,5 +122,4 @@ extern const char *alg_oakley_hashdef_name (int); extern const char *alg_oakley_dhdef_name (int); extern const char *alg_oakley_authdef_name (int); - #endif /* _ALGORITHM_H */ diff --git a/ipsec-tools/racoon/algorithm_types.h b/ipsec-tools/racoon/algorithm_types.h index b5cd55e..61b58f5 100644 --- a/ipsec-tools/racoon/algorithm_types.h +++ b/ipsec-tools/racoon/algorithm_types.h @@ -42,9 +42,7 @@ enum { algclass_isakmp_hash, algclass_isakmp_dh, algclass_isakmp_ameth, /* authentication method. */ - algclass_ikev2_prf, - algclass_ikev2_integ, -#define MAXALGCLASS 9 +#define MAXALGCLASS 7 }; #define ALG_DEFAULT_KEYLEN 64 diff --git a/ipsec-tools/racoon/api_support.h b/ipsec-tools/racoon/api_support.h index 7b028d2..6143116 100644 --- a/ipsec-tools/racoon/api_support.h +++ b/ipsec-tools/racoon/api_support.h 
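Review bot: `MAXALGCLASS` in algorithm_types.h remains a hand-maintained count that this hunk has to correct from 9 to 7 after deleting two enumerators, and nothing stops the next edit from getting it wrong. A trailing enumerator keeps it right automatically: make `algclass_max` the last entry of the enum and put `#define MAXALGCLASS algclass_max` after the closing brace, so the macro name stays available to whatever sizes tables with it (not visible in this diff). The blank-line-only hunks in algorithm.c and algorithm.h on this line need no review.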
@@ -29,124 +29,18 @@ #include "racoon_types.h" #include #include -#include #include -#include - -struct isakmp_cfg_state; -struct ikev2_traffic_selector; - -#define kSNIPSecDBSrcRangeEndAddress CFSTR("SrcRangeEndAddress") /* CFString */ -#define kSNIPSecDBDstRangeEndAddress CFSTR("DstRangeEndAddress") /* CFString */ -#define kSNIPSecDBSrcRangeEndPort CFSTR("SrcRangeEndPort") /* CFNumber */ -#define kSNIPSecDBDstRangeEndPort CFSTR("DstRangeEndPort") /* CFNumber */ - -#define kSNIPSecDBPolicyID CFSTR("PolicyID") /* CFNumber */ - -#define kSNIPSecDBPolicyType CFSTR("PolicyType") /* CFString */ -#define kSNIPSecDBValPolicyTypeDiscard CFSTR("Discard") -#define kSNIPSecDBValPolicyTypeNone CFSTR("None") -#define kSNIPSecDBValPolicyTypeIPSec CFSTR("IPSec") -#define kSNIPSecDBValPolicyTypeEntrust CFSTR("Entrust") -#define kSNIPSecDBValPolicyTypeBypass CFSTR("Bypass") -#define kSNIPSecDBValPolicyTypeGenerate CFSTR("Generate") - -#define kSNIPSecDBSACreateTime CFSTR("CreateTime") -#define kSNIPSecDBSACurrentTime CFSTR("CurrentTime") -#define kSNIPSecDBSADiffTime CFSTR("DiffTime") -#define kSNIPSecDBSAHardLifetime CFSTR("HardLifetime") -#define kSNIPSecDBSASoftLifetime CFSTR("SoftLifetime") -#define kSNIPSecDBSALastUseTime CFSTR("LastUseTime") -#define kSNIPSecDBSAHardUseTime CFSTR("HardUseTime") -#define kSNIPSecDBSASoftUseTime CFSTR("SoftUseTime") -#define kSNIPSecDBSACurrentBytes CFSTR("CurrentBytes") -#define kSNIPSecDBSAHardBytes CFSTR("HardBytes") -#define kSNIPSecDBSASoftBytes CFSTR("SoftBytes") -#define kSNIPSecDBSACurrentAllocations CFSTR("CurrentAllocations") -#define kSNIPSecDBSAHardAllocations CFSTR("HardAllocations") -#define kSNIPSecDBSASoftAllocations CFSTR("SoftAllocations") - -#define kSNIPSecDBSAState CFSTR("State") -#define kSNIPSecDBValSAStateLarval CFSTR("Larval") -#define kSNIPSecDBValSAStateMature CFSTR("Mature") -#define kSNIPSecDBValSAStateDying CFSTR("Dying") -#define kSNIPSecDBValSAStateDead CFSTR("Dead") - -#define 
kSNIPSecIKEAssignedPCSCFIPv6Address CFSTR("AssignedPCSCFIPv6Address") typedef uint32_t InternalSessionRef; typedef uint32_t InternalItemRef; -/* IPSec DB API Types */ -typedef InternalSessionRef InternalDBRef; -typedef InternalItemRef InternalDBSARef; -typedef InternalItemRef InternalDBPolicyRef; -typedef InternalItemRef InternalDBInterfaceRef; -#define kInternalDBRefInvalid 0 -#define kInternalDBSARefInvalid 0 -#define kInternalDBPolicyRefInvalid 0 -#define kInternalDBInterfaceRefInvalid 0 - /* IKE API Types */ typedef InternalSessionRef InternalIKESARef; -typedef InternalItemRef InternalChildSARef; #define kInternalIKESARefInvalid 0 -#define kInternalChildSARefInvalid 0 - -/* Internal support functions -- Dictionaries should be verified for required keys and valid types before calling these */ -void ASSendXPCReply (InternalSessionRef sessionRef, InternalItemRef objRef, int callType, void *retVal, Boolean success); -void ASSendXPCMessage(uint32_t message, void *messageobj, uint32_t sessionID, uint32_t itemID); - -/* IPSec DB API Functions */ -InternalDBRef ASDBCreate (void); -InternalDBSARef ASDBGetSPI (InternalDBRef ref, CFDictionaryRef sadata); -InternalDBSARef ASDBCreateSA (InternalDBRef ref, CFDictionaryRef sadata); -Boolean ASDBUpdateSA (InternalDBRef ref, InternalDBSARef saref, CFDictionaryRef sadata); -Boolean ASDBDeleteSA (InternalDBRef ref, InternalDBSARef saref); -Boolean ASDBCopySA (InternalDBRef ref, InternalDBSARef saref); -Boolean ASDBFlushSA (InternalDBRef ref, Boolean *blockForResponse); -CFArrayRef ASDBCopySAIDs (InternalDBRef ref); -InternalDBPolicyRef ASDBAddPolicy (InternalDBRef ref, CFDictionaryRef spdata); -Boolean ASDBDeletePolicy (InternalDBRef ref, InternalDBPolicyRef policyref); -Boolean ASDBCopyPolicy (InternalDBRef ref, InternalDBPolicyRef policyref); -Boolean ASDBFlushPolicy (InternalDBRef ref, Boolean *blockForResponse); -CFArrayRef ASDBCopyPolicyIDs (InternalDBRef ref); -Boolean ASDBFlushAll (InternalDBRef ref, Boolean 
*blockForResponse); -Boolean ASDBDispose (InternalDBRef ref, Boolean *blockForResponse); -/* IPSec DB Interface Functions */ -InternalDBInterfaceRef ASDBCreateIPSecInterface (InternalDBRef ref, struct sockaddr_storage *address, struct sockaddr_storage *netmask, struct sockaddr_storage *v6address, int v6prefix); -Boolean ASDBFlushInterfaces (InternalDBRef ref); - -/* IKE API Functions */ -InternalIKESARef ASIKECreate (CFDictionaryRef ikedata, CFDictionaryRef childData); -InternalChildSARef ASIKEStartConnection (InternalIKESARef ref); -Boolean ASIKEStopConnection (InternalIKESARef ref); -InternalChildSARef ASIKEStartChildSA (InternalIKESARef ref, CFDictionaryRef ikechilddata); -Boolean ASIKEStopChildSA (InternalIKESARef ref, InternalChildSARef childref); -SNIPSecIKEStatus ASIKEGetConnectionStatus (InternalIKESARef ref); -SNIPSecIKEStatus ASIKEGetChildStatus (InternalIKESARef ref, InternalChildSARef childref); -Boolean ASIKEDispose (InternalIKESARef ref, Boolean *blockForResponse); -Boolean ASIKEEnableAll (InternalIKESARef ref); -Boolean ASIKEDisableAll (InternalIKESARef ref); - -/* Functions to support racoon */ -InternalDBSARef ASDBGetSPIFromIKE (InternalDBRef ref, phase2_handle_t *phase2); -Boolean ASDBAddSAFromIKE (InternalDBRef ref, phase2_handle_t *phase2, Boolean update); -Boolean ASDBDeleteSAFromIKE (InternalDBRef ref, struct sockaddr_storage *dst, uint32_t spi, int ipsecProtocol); -Boolean ASDBFlushAllForIKEChildSA (InternalDBRef ref, InternalChildSARef childRef); -InternalDBPolicyRef ASDBAddPolicyFromIKE (InternalDBRef ref, phase2_handle_t *phase2); -Boolean ASDBReceivePFKeyMessage (caddr_t *message, int array_size); /* Returns TRUE if handled message */ -Boolean ASDBGetIPSecInterfaceName (InternalDBRef ref, char *buf, int bufLen); -Boolean ASIKEConnectionAddChildSAFromIKE (InternalIKESARef ref, phase2_handle_t *childSA); -Boolean ASIKEConnectionSwapChildSAs (InternalIKESARef ref, InternalChildSARef oldChildSA, InternalChildSARef newChildSA); -void 
ASIKEConnectionExpireChildSAFromIKE (InternalIKESARef ref, InternalChildSARef childSARef); Boolean ASHasValidSessions (void); -void ASIKEUpdateLocalAddressesFromIKE (void); -void ASIKEUpdateStatusFromIKE (InternalIKESARef ref, InternalChildSARef childRef, uint32_t status, uint32_t reason); -phase2_handle_t *ASIKEConnectionGetChildSAFromIKE (InternalIKESARef ref, InternalChildSARef childSARef); -void ASIKEUpdateConfigurationFromIKE (InternalIKESARef ref, struct isakmp_cfg_state *config); -void ASIKEUpdateTrafficSelectorsFromIKE (InternalIKESARef ref, InternalChildSARef childRef, struct ikev2_traffic_selector *local, struct ikev2_traffic_selector *remote); -void ASIKEStopConnectionFromIKE (InternalIKESARef ref); + +InternalIKESARef ASIKECreate (CFDictionaryRef ikeData, CFDictionaryRef childData); +Boolean ASIKEDispose(InternalIKESARef ref, Boolean *blockForResponse); #endif diff --git a/ipsec-tools/racoon/cfparse.y b/ipsec-tools/racoon/cfparse.y index 74aa040..bd81184 100644 --- a/ipsec-tools/racoon/cfparse.y +++ b/ipsec-tools/racoon/cfparse.y @@ -188,6 +188,7 @@ static int fix_lifebyte (u_long); %token VERIFY_CERT SEND_CERT SEND_CR %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER %token PEERS_IDENTIFIER VERIFY_IDENTIFIER +%token LOCAL_ADDRESS %token SHARED_SECRET SECRETTYPE %token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN %token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION @@ -203,7 +204,6 @@ static int fix_lifebyte (u_long); %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL DPD_ALGORITHM %token DISCONNECT_ON_IDLE IDLE_TIMEOUT IDLE_DIRECTION %token XAUTH_LOGIN WEAK_PHASE1_CHECK -%token EAP_TYPE EAP_TYPES EAP_OPTIONS %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID 
@@ -223,7 +223,7 @@ static int fix_lifebyte (u_long); %type ALGORITHMTYPE STRENGTHTYPE %type PREFIX prefix PORT port ike_port %type ul_proto UL_PROTO -%type EXCHANGETYPE DOITYPE SITUATIONTYPE EAP_TYPE +%type EXCHANGETYPE DOITYPE SITUATIONTYPE %type CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL %type VERIFICATION_MODULE VERIFICATION_OPTION %type unittype_time unittype_byte @@ -1405,9 +1405,8 @@ remote_specs_block if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0) return -1; - /* DH group settting if aggressive mode or IKEv2. */ - if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL - ) { + /* DH group setting if aggressive mode or IKEv2. */ + if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) { struct isakmpsa *p; int b = 0; @@ -1591,6 +1590,15 @@ remote_spec } EOS | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS + | LOCAL_ADDRESS ADDRSTRING + { + struct sockaddr_storage *saddr; + saddr = str2saddr($2->v, NULL); + vfree($2); + if (saddr == NULL) + return -1; + cur_rmconf->forced_local = saddr; + } EOS | SHARED_SECRET SECRETTYPE QUOTEDSTRING { cur_rmconf->secrettype = $2; 
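Review bot: The new `local_address` action in cfparse.y returns -1 when `str2saddr` fails without calling `racoon_yyerror`, so a malformed address aborts the parse with no diagnostic naming the directive, whereas the other actions in this file report before returning (compare the removed `eap_types` action). It also stores into `cur_rmconf->forced_local` unconditionally, so a second `local_address` line in the same `remote` block leaks the first allocation. I would rewrite the action as below; `racoon_free` is assumed to be the matching release for what `str2saddr` returns, which this diff does not show. The enclosing `remote_spec` rule continues outside the hunk.
```yacc
	| LOCAL_ADDRESS ADDRSTRING
	{
		struct sockaddr_storage *saddr = str2saddr($2->v, NULL);
		vfree($2);
		if (saddr == NULL) {
			racoon_yyerror("invalid local_address");
			return -1;
		}
		if (cur_rmconf->forced_local != NULL)
			racoon_free(cur_rmconf->forced_local);
		cur_rmconf->forced_local = saddr;
	} EOS
```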
@@ -1628,32 +1636,6 @@ remote_spec | WEAK_PHASE1_CHECK SWITCH { cur_rmconf->weak_phase1_check = $2; } EOS - | EAP_TYPES { cur_rmconf->eap_types = NULL; } eap_types EOS - | EAP_OPTIONS QUOTEDSTRING { - vchar_t *options_path = $2; - cur_rmconf->eap_options = NULL; - if (options_path) { - CFStringRef option_path_str = CFStringCreateWithCString(kCFAllocatorDefault, options_path->v, kCFStringEncodingASCII); - if (option_path_str) { - CFURLRef plist_url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, option_path_str, kCFURLPOSIXPathStyle, false); - if (plist_url) { - CFReadStreamRef read_stream = CFReadStreamCreateWithFile(kCFAllocatorDefault, plist_url); - if (read_stream) { - CFReadStreamOpen (read_stream); - cur_rmconf->eap_options = CFPropertyListCreateWithStream(kCFAllocatorDefault, read_stream, 0, kCFPropertyListImmutable, NULL, NULL); - CFRelease (read_stream); - } - CFRelease (plist_url); - } else { - racoon_yywarn("eap_options must contain a path to a property list"); - } - CFRelease(option_path_str); - } else { - racoon_yywarn("eap_options string could not be processed"); - } - vfree(options_path); - } - } EOS | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS @@ -1795,30 +1777,6 @@ exchange_types } } ; -eap_types - : /* nothing */ - | eap_types EAP_TYPE - { - struct etypes *new_eaps; - new_eaps = racoon_malloc(sizeof(struct etypes)); - if (new_eaps == NULL) { - racoon_yyerror("failed to allocate etypes"); - return -1; - } - new_eaps->type = $2; - new_eaps->next = NULL; - if (cur_rmconf->eap_types == NULL) - cur_rmconf->eap_types = new_eaps; - else { - struct etypes *p; - for (p = cur_rmconf->eap_types; - p->next != NULL; - p = p->next) - ; - p->next = new_eaps; - } - } - ; cert_spec : CERT_X509 IN_KEYCHAIN { diff --git a/ipsec-tools/racoon/cftoken.l b/ipsec-tools/racoon/cftoken.l index 5428f97..a5c4a8f 100644 
--- a/ipsec-tools/racoon/cftoken.l +++ b/ipsec-tools/racoon/cftoken.l @@ -88,7 +88,6 @@ #endif #include "y.tab.h" -#include "eap_sim.h" int yyerrorcount = 0; @@ -306,6 +305,7 @@ hexstring 0x{hexdigit}+ xauth_login { YYD; return(XAUTH_LOGIN); /* formerly identifier type login */ } peers_identifier { YYD; return(PEERS_IDENTIFIER); } verify_identifier { YYD; return(VERIFY_IDENTIFIER); } +local_address { YYD; return(LOCAL_ADDRESS); } certificate_type { YYD; return(CERTIFICATE_TYPE); } ca_type { YYD; return(CA_TYPE); } x509 { YYD; yylval.num = ISAKMP_CERT_X509SIGN; return(CERT_X509); } @@ -375,11 +375,6 @@ hexstring 0x{hexdigit}+ esp_frag { YYD; return(ESP_FRAG); } mode_cfg { YYD; return(MODE_CFG); } weak_phase1_check { YYD; return(WEAK_PHASE1_CHECK); } -eap_types { YYD; return(EAP_TYPES); } -eap_any { YYD; yylval.num = EAP_TYPE_NONE; return(EAP_TYPE); } -eap_sim { YYD; yylval.num = EAP_TYPE_SIM; return(EAP_TYPE); } -eap_aka { YYD; yylval.num = EAP_TYPE_AKA; return(EAP_TYPE); } -eap_options { YYD; return(EAP_OPTIONS); } /* remote proposal */ proposal { BEGIN S_RMTP; YYDB; return(PROPOSAL); } {bcl} { return(BOC); } @@ -390,8 +385,6 @@ hexstring 0x{hexdigit}+ encryption_algorithm { YYD; yylval.num = algclass_isakmp_enc; return(ALGORITHM_CLASS); } authentication_method { YYD; yylval.num = algclass_isakmp_ameth; return(ALGORITHM_CLASS); } hash_algorithm { YYD; yylval.num = algclass_isakmp_hash; return(ALGORITHM_CLASS); } -prf_algorithm { YYD; yylval.num = algclass_ikev2_prf; return(ALGORITHM_CLASS); } -integ_algorithm { YYD; yylval.num = algclass_ikev2_integ; return(ALGORITHM_CLASS); } dh_group { YYD; return(DH_GROUP); } gss_id { YYD; return(GSS_ID); } gssapi_id { YYD; return(GSS_ID); } /* for back compatibility */ diff --git a/ipsec-tools/racoon/eap.c b/ipsec-tools/racoon/eap.c deleted file mode 100644 index d1bc6a5..0000000 --- a/ipsec-tools/racoon/eap.c +++ /dev/null 
@@ -1,42 +0,0 @@ -/* - * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ -/* - * eap.c - Extensible Authentication Protocol. - * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by Gregory M. Christy. The name of the author may not be used to - * endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#define RCSID "$Id: eap.c,v 1.25 2005/12/13 06:30:15 lindak Exp $" - -#include "config.h" diff --git a/ipsec-tools/racoon/eap.h b/ipsec-tools/racoon/eap.h deleted file mode 100644 index eff068a..0000000 
--- a/ipsec-tools/racoon/eap.h
+++ /dev/null
@@ -1,245 +0,0 @@ -/* - * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ -/* - * eap.h - Extensible Authentication Protocol definitions. - * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by the author. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - * - * $Id: eap.h,v 1.7 2004/08/03 23:11:15 lindak Exp $ - */ - -#ifndef __EAP_H__ -#define __EAP_H__ - -#include "vmbuf.h" -#include - -/* - * Challenge lengths (for challenges we send) and other limits. 
- */ -#define MAX_EAP_RESPONSE_LENGTH 1024 /* Max len for the EAP data part */ -#define MAX_NAME_LENGTH 256 - -/* Code + ID + length */ -#define EAP_HEADERLEN 4 - -/* - * EAP codes. - */ - -/* support for request types 1..4 is mandatory */ -#define EAP_TYPE_NONE 0 /* No EAP type */ -#define EAP_TYPE_IDENTITY 1 /* request for identity */ -#define EAP_TYPE_NOTIFICATION 2 /* notification message */ -#define EAP_TYPE_NAK 3 /* nak (response only) */ -#define EAP_TYPE_MD5CHALLENGE 4 /* password MD5 coded */ - -#define EAP_TYPE_OTP 5 /* One Time Password (OTP) */ -#define EAP_TYPE_TOKEN 6 /* Generic Token Card */ - -#define EAP_TYPE_RSA 9 /* RSA Public Key Authentication */ -#define EAP_TYPE_DSS 10 /* DSS Unilateral */ -#define EAP_TYPE_KEA 11 /* KEA */ -#define EAP_TYPE_KEA_VALIDATE 12 /* KEA-VALIDATE */ -#define EAP_TYPE_TLS 13 /* EAP-TLS */ -#define EAP_TYPE_AXENT 14 /* Defender Token (AXENT) */ -#define EAP_TYPE_RSA_SECURID 15 /* RSA Security SecurID EAP */ -#define EAP_TYPE_ARCOT 16 /* Arcot Systems EAP */ -#define EAP_TYPE_CISCO 17 /* EAP-Cisco Wireless */ -#define EAP_TYPE_SIM 18 /* EAP-SIM */ -#define EAP_TYPE_SRP_SHA1_1 19 /* SRP-SHA1 Part 1 */ -#define EAP_TYPE_SRP_SHA1_2 20 /* SRP-SHA1 Part 2 */ -#define EAP_TYPE_TTLS 21 /* EAP-TTLS */ -#define EAP_TYPE_RAS 22 /* Remote Access Service */ -#define EAP_TYPE_AKA 23 /* EAP-AKA */ -#define EAP_TYPE_3COM 24 /* EAP-3Com Wireless */ -#define EAP_TYPE_PEAP 25 /* PEAP */ -#define EAP_TYPE_MS 26 /* MS-EAP-Authentication */ -#define EAP_TYPE_MAKE 27 /* Mutual Authentication w/Key Exchange (MAKE) */ -#define EAP_TYPE_CRYPTO 28 /* CRYPTOCard */ -#define EAP_TYPE_MSCHAP_V2 29 /* EAP-MSCHAP-V2 */ -#define EAP_TYPE_DYNAM_ID 30 /* DynamID */ -#define EAP_TYPE_ROB 31 /* Rob EAP */ -#define EAP_TYPE_SECUR_ID 32 /* SecurID EAP */ -#define EAP_TYPE_MS_TLV 33 /* MS-Authentication-TLV */ -#define EAP_TYPE_SENTRINET 34 /* SentriNET */ -#define EAP_TYPE_ACTIONTEC 35 /* EAP-Actiontec Wireless */ -#define EAP_TYPE_COGENT 36 /* Cogent 
Systems Biometrics Authentication EAP */ - -#define kEAPPropertiesTypeEAPSIM CFSTR("EAPSIMProperties") -#define kEAPPropertiesTypeEAPAKA CFSTR("EAPAKAProperties") - -#define EAP_REQUEST 1 -#define EAP_RESPONSE 2 -#define EAP_SUCCESS 3 -#define EAP_FAILURE 4 - - -struct EAP_Packet -{ - u_int8_t code; // packet type : 1 = Request, 2 = Response, 3 = Success, 4 = Failure - u_int8_t id; // packet id - u_int16_t len; // packet len (network order) - u_int8_t data[1]; // packet data -} __attribute__((__packed__)); - -#define EAP_NOTIFICATION_NONE 0 -#define EAP_NOTIFICATION_START 1 -#define EAP_NOTIFICATION_RESTART 2 -#define EAP_NOTIFICATION_SUCCESS 3 -#define EAP_NOTIFICATION_PACKET 4 -#define EAP_NOTIFICATION_DATA_FROM_UI 5 -#define EAP_NOTIFICATION_TIMEOUT 6 - -typedef struct EAP_Input { - u_int16_t size; // size of the structure (for future extension) - u_int8_t mode; // 0 for client, 1 for server - u_int8_t initial_id; // initial EAP ID - u_int16_t mtu; // mtu wll determine the maximum packet size to send - u_int16_t notification; // notification the EAP engine sends to the module - u_int16_t data_len; // len of the data - void *data; // data to be consumed depending on the notification - char *identity; // authenticatee identity - char *username; // authenticatee user name - char *password; // authenticatee password -} EAP_Input_t; - -#define EAP_ACTION_NONE 0 -#define EAP_ACTION_SEND 1 -#define EAP_ACTION_INVOKE_UI 2 -#define EAP_ACTION_ACCESS_GRANTED 3 -#define EAP_ACTION_ACCESS_DENIED 4 -#define EAP_ACTION_SEND_WITH_TIMEOUT 5 -#define EAP_ACTION_SEND_AND_DONE 6 -#define EAP_ACTION_CANCEL 7 - - -typedef struct EAP_Output { - u_int16_t size; // size of the structure (for future extension) - u_int16_t action; // action the EAP engine needs to perform - u_int16_t data_len; // len of the data - void *data; // data to be consumed depending on the action - char *username; // authenticatee user name (useful in server mode) -} EAP_Output_t; - -enum { - EAP_NO_ERROR = 0, - 
EAP_ERROR_GENERIC, - EAP_ERROR_INVALID_PACKET -}; - -/* attribute information returned upon successful authentication */ - -#define EAP_ATTRIBUTE_NONE 0 -#define EAP_ATTRIBUTE_MPPE_SEND_KEY 1 -#define EAP_ATTRIBUTE_MPPE_RECV_KEY 2 - -typedef struct EAP_Attribute { - u_int16_t type; // type of the attribute - u_int16_t data_len; // len of the data - void *data; // data to be consumed depending on the type - /* data follow according to the size */ -} __attribute__((__packed__)) EAP_Attribute_t; - -/* - * Extension structure for eap types. - */ - -#define EAP_EXT_CLIENT 0x1 // support client mode - -typedef struct eap_ext { - struct eap_ext *next; // next extensiopn structure - u_int8_t type; // eap type - char *name; // extension name - u_int32_t flags; // support flags - void *plugin; // used to keep ref of the plugin - int (*init) (EAP_Input_t *eap_in, void **context, CFDictionaryRef options); - //int (*reinit) (void *context); - int (*dispose) (void *context); - int (*process) (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out); - int (*free) (void *context, EAP_Output_t *eap_out); - int (*attribute) (void *context, EAP_Attribute_t *eap_attr); - int (*identity) (char *identity, int maxlen); - -} eap_ext_t; - -typedef struct eap_state { - int clientstate; /* Client state */ - - char *our_identity; /* Our identity name */ - char *username; /* the user name (only for client mode) */ - char *password; /* the password (only for client mode) */ - char peer_identity[MAX_NAME_LENGTH]; /* peer name discovered with identity request */ - - u_char req_id; /* ID of last challenge */ - u_char resp_id; /* ID of last response */ - u_char req_type; /* last request type */ - vchar_t *rcvd_msg; - vchar_t *send_key; - vchar_t *recv_key; - - eap_ext_t *client_ext; /* client eap extension */ - void *client_ext_ctx; /* client eap extension context */ - EAP_Input_t *client_ext_input; /* client eap extension input structure */ - EAP_Output_t *client_ext_output; /* client eap 
extension output structure */ - - struct etypes *supported_eap_types; - CFDictionaryRef extra_options; -} eap_state_t; - -#define MPPE_MAX_KEY_LEN 16 /* largest key length (128-bit) */ - -int EapExtAdd(eap_ext_t *newext); - -/* - * Client (peer) states. - */ -#define EAPCS_INITIAL 0 /* Lower layer down, not opened */ -#define EAPCS_CLOSED 1 /* Lower layer up, not opened */ -#define EAPCS_PENDING 2 /* Auth us to peer when lower up */ -#define EAPCS_LISTEN 3 /* Listening for a challenge */ -#define EAPCS_OPEN 4 /* We've received Success */ - -int EapAuthWithPeer (eap_state_t *, vchar_t *, vchar_t *); -void EapLostFailure (eap_state_t *state); - -int EAPLoad(eap_state_t *cstate); - -void EapInit(eap_state_t *cstate); - -void EapStart(eap_state_t *cstate, int); - -void EapStop(eap_state_t *cstate); - -int EapInput(eap_state_t *cstate, u_char *inpacket, int packet_len); - -#endif diff --git a/ipsec-tools/racoon/eap_aka.c b/ipsec-tools/racoon/eap_aka.c deleted file mode 100644 index ff314ab..0000000 --- a/ipsec-tools/racoon/eap_aka.c +++ /dev/null 
@@ -1,340 +0,0 @@ -/* - * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#if !TARGET_OS_EMBEDDED // This file is not built for Embedded -#include -#include -#include -#include -#endif /* TARGET_OS_EMBEDDED */ -#include -#include "plog.h" -#include "eap.h" -#include "eap_sim.h" - -/*--------------------------------------------------------------------------- - ** Internal routines - **--------------------------------------------------------------------------- - */ - -static CFBundleRef bundle = 0; /* our bundle ref */ -static char eapaka_unique[17]; - -static EAPClientModuleRef eapRef = NULL; -static EAPClientPluginData eapData; -static CFMutableDictionaryRef eapProperties = NULL; -static CFDictionaryRef eapOptions = NULL; -static struct EAP_Packet *eapSavePacket = NULL; - -extern EAPClientPluginFuncRef -eapaka_introspect(EAPClientPluginFuncName name); - -/* 
------------------------------------------------------------------------------------ - get the EAP dictionary from the options - ------------------------------------------------------------------------------------ */ -static void -EAPAKAGetOptions (void) -{ - if (eapOptions) - return; - - // no option, use empty dictionary - if (!eapOptions) - eapOptions = CFDictionaryCreate(0, 0, 0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -static int -EAPAKALoad (void) -{ - EAPClientModuleStatus status; - - if (eapRef) - return EAP_NO_ERROR; - - status = EAPClientModuleAddBuiltinModule(eapaka_introspect); - if (status != kEAPClientModuleStatusOK) { - plog(ASL_LEVEL_INFO, "EAP-AKA: EAPClientAddBuiltinModule(eapaka) failed %d\n", status); - return EAP_ERROR_GENERIC; - } - - eapRef = EAPClientModuleLookup(kEAPTypeEAPAKA); - if (eapRef == NULL) { - plog(ASL_LEVEL_INFO, "EAP-AKA: EAPClientModuleLookup(eapaka) failed\n"); - return EAP_ERROR_GENERIC; - } - - return EAP_NO_ERROR; -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -int EAPAKAIdentity (char *identity, int maxlen) -{ - CFStringRef identRef = NULL; - int error; - int ret = EAP_ERROR_GENERIC; - - error = EAPAKALoad(); - if (error) - return error; - - EAPAKAGetOptions(); - if (eapOptions == NULL) - return ret; - - identRef = EAPClientModulePluginUserName(eapRef, eapOptions); - if (identRef) { - if (CFStringGetCString(identRef, identity, maxlen, kCFStringEncodingUTF8)) - ret = EAP_NO_ERROR; - CFRelease(identRef); - } - - return ret; -} - -/* ------------------------------------------------------------------------------------ - Init routine called by the EAP engine when it needs the 
module. - Identity of the peer is known at this point. - mode is 0 for client, 1 for server. - cookie is the EAP engine context, to pass to subsequent calls to EAP. - context is EAP module context, that will be passed to subsequent calls to the module - ------------------------------------------------------------------------------------ */ -int -EAPAKAInit (EAP_Input_t *eap_in, void **context, CFDictionaryRef eapOptions) -{ - int error; - EAPClientModuleStatus status; - int ret = EAP_ERROR_GENERIC; - - error = EAPAKALoad(); - if (error) - return error; - - bundle = (CFBundleRef)eap_in->data; - if (bundle) - CFRetain(bundle); - - EAPAKAGetOptions(); - - bzero(&eapData, sizeof(eapData)); - - /* remaining fields are read-only: */ - uint32_t username_len = strlen(eap_in->username); - eapData.username = (uint8_t *)strndup(eap_in->username, username_len); - memcpy((void*)&eapData.username_length, &username_len, sizeof(uint32_t)); - *((bool *)&eapData.log_enabled) = 1; - *((uint32_t *)&eapData.log_level) = LOG_NOTICE; - *((uint32_t *)&eapData.mtu) = eap_in->mtu; - *((uint32_t *)&eapData.generation) = 0;/* changed when user updates */ - - arc4random_buf(eapaka_unique, sizeof(eapaka_unique) - 1); - eapaka_unique[sizeof(eapaka_unique)-1] = 0; - - eapData.unique_id = eapaka_unique; /* used for TLS session resumption??? 
*/ - *((uint32_t *)&eapData.unique_id_length) = strlen(eapData.unique_id); - - if (eapOptions) { - CFTypeRef value = CFDictionaryGetValue(eapOptions, kEAPPropertiesTypeEAPAKA); - if (value && CFGetTypeID(value) == CFDictionaryGetTypeID()) { - eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, (CFDictionaryRef)value); - } else { - eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, eapOptions); - } - } else - eapProperties = CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - if (eapProperties == NULL) { - plog(ASL_LEVEL_ERR, "EAP-AKA: Cannot allocate memory\n"); - goto failed; - } - - *((CFDictionaryRef *)&eapData.properties) = (CFDictionaryRef)eapProperties; - - status = EAPClientModulePluginInit(eapRef, &eapData, NULL, &error); - if (status != kEAPClientStatusOK) { - plog(ASL_LEVEL_ERR, "EAP-AKA: EAPClientPluginInit(eapaka) failed, error %d\n", status); - goto failed; - } - - eapSavePacket = NULL; - - return EAP_NO_ERROR; - -failed: - - return ret; -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -int EAPAKADispose (void *context) -{ - - EAPClientModulePluginFree(eapRef, &eapData); - eapRef = 0; - - if (bundle) { - CFRelease(bundle); - bundle = 0; - } - - if (eapOptions) { - CFRelease(eapOptions); - eapOptions = 0; - } - - if (eapProperties) { - CFRelease(eapProperties); - eapProperties = 0; - } - - if (eapSavePacket) { - free(eapSavePacket); - eapSavePacket = 0; - } - - return EAP_NO_ERROR; -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -int -EAPAKAProcess (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out) -{ - struct EAP_Packet *pkt_in = NULL; - struct EAP_Packet *pkt_out = NULL; - EAPClientStatus 
status; - EAPClientState state; - EAPClientDomainSpecificError error; - int do_process = 0; - - // by default, ignore the message - eap_out->action = EAP_ACTION_NONE; - eap_out->data = 0; - eap_out->data_len = 0; - - switch (eap_in->notification) { - - case EAP_NOTIFICATION_DATA_FROM_UI: - plog(ASL_LEVEL_ERR, "unexpected EAP UI event"); - break; - - case EAP_NOTIFICATION_PACKET: - - pkt_in = (struct EAP_Packet *)eap_in->data; - do_process = 1; - break; - } - - if (do_process) { - - state = EAPClientModulePluginProcess(eapRef, &eapData, (EAPPacketRef)pkt_in, (EAPPacketRef*)&pkt_out, &status, &error); - switch(state) { - case kEAPClientStateAuthenticating: - switch (status) { - - case kEAPClientStatusOK: - eap_out->data = pkt_out; - eap_out->data_len = ntohs(pkt_out->len); - eap_out->action = EAP_ACTION_SEND; - break; - - case kEAPClientStatusUserInputRequired: - plog(ASL_LEVEL_ERR, "unsupported EAP UI input"); - default: - eap_out->action = EAP_ACTION_ACCESS_DENIED; - } - break; - - case kEAPClientStateSuccess: - eap_out->action = EAP_ACTION_ACCESS_GRANTED; - break; - - default: - case kEAPClientStateFailure: - eap_out->action = EAP_ACTION_ACCESS_DENIED; - break; - } - } - - if (eapSavePacket) { - free(eapSavePacket); - eapSavePacket = 0; - } - - return 0; -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -int -EAPAKAFree (void *context, EAP_Output_t *eap_out) -{ - - EAPClientModulePluginFreePacket(eapRef, &eapData, eap_out->data); - return EAP_NO_ERROR; -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -int -EAPAKAGetAttribute (void *context, EAP_Attribute_t *eap_attr) -{ - void *data = NULL; - int len = 0; - - eap_attr->data = 0; - - switch (eap_attr->type) { - - case EAP_ATTRIBUTE_MPPE_SEND_KEY: - 
data = EAPClientModulePluginSessionKey(eapRef, &eapData, &len); - break; - case EAP_ATTRIBUTE_MPPE_RECV_KEY: - data = EAPClientModulePluginServerKey(eapRef, &eapData, &len); - break; - } - - if (data == NULL) - return -1; - - eap_attr->data = data; - if (len == 32) - eap_attr->data_len = 64; - else - eap_attr->data_len = len; - return 0; -} diff --git a/ipsec-tools/racoon/eap_sim.c b/ipsec-tools/racoon/eap_sim.c deleted file mode 100644 index 2e276d5..0000000 --- a/ipsec-tools/racoon/eap_sim.c +++ /dev/null 
@@ -1,336 +0,0 @@ -/* - * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#if !TARGET_OS_EMBEDDED // This file is not built for Embedded -#include -#include -#include -#include -#endif /* TARGET_OS_EMBEDDED */ -#include -#include "plog.h" -#include "eap.h" -#include "eap_sim.h" - -/*--------------------------------------------------------------------------- - ** Internal routines - **--------------------------------------------------------------------------- - */ - -static CFBundleRef bundle = 0; /* our bundle ref */ -static char eapsim_unique[17]; - -static EAPClientModuleRef eapRef = NULL; -static EAPClientPluginData eapData; -static CFMutableDictionaryRef eapProperties = NULL; -static CFDictionaryRef eapOptions = NULL; -static struct EAP_Packet *eapSavePacket = NULL; - -extern EAPClientPluginFuncRef eapsim_introspect(EAPClientPluginFuncName name); - -/* 
------------------------------------------------------------------------------------ - get the EAP dictionary from the options - ------------------------------------------------------------------------------------ */ -static void -EAPSIMGetOptions (void) -{ - if (eapOptions) - return; - - // no option, use empty dictionary - if (!eapOptions) - eapOptions = CFDictionaryCreate(0, 0, 0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -static int -EAPSIMLoad (void) -{ - EAPClientModuleStatus status; - - if (eapRef) - return EAP_NO_ERROR; - - status = EAPClientModuleAddBuiltinModule(eapsim_introspect); - if (status != kEAPClientModuleStatusOK) { - plog(ASL_LEVEL_INFO, "EAP-SIM: EAPClientAddBuiltinModule(eapsim) failed %d\n", status); - return EAP_ERROR_GENERIC; - } - - eapRef = EAPClientModuleLookup(kEAPTypeEAPSIM); - if (eapRef == NULL) { - plog(ASL_LEVEL_INFO, "EAP-SIM: EAPClientModuleLookup(eapsim) failed\n"); - return EAP_ERROR_GENERIC; - } - - return EAP_NO_ERROR; -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -int EAPSIMIdentity (char *identity, int maxlen) -{ - CFStringRef identRef = NULL; - int error; - int ret = EAP_ERROR_GENERIC; - - error = EAPSIMLoad(); - if (error) - return error; - - EAPSIMGetOptions(); - if (eapOptions == NULL) - return ret; - - identRef = EAPClientModulePluginUserName(eapRef, eapOptions); - if (identRef) { - if (CFStringGetCString(identRef, identity, maxlen, kCFStringEncodingUTF8)) - ret = EAP_NO_ERROR; - CFRelease(identRef); - } - - return ret; -} - -/* ------------------------------------------------------------------------------------ - Init routine called by the EAP engine when it needs the 
module. - Identity of the peer is known at this point. - mode is 0 for client, 1 for server. - cookie is the EAP engine context, to pass to subsequent calls to EAP. - context is EAP module context, that will be passed to subsequent calls to the module - ------------------------------------------------------------------------------------ */ -int -EAPSIMInit (EAP_Input_t *eap_in, void **context, CFDictionaryRef eapOptions) -{ - int error; - EAPClientModuleStatus status; - int ret = EAP_ERROR_GENERIC; - - error = EAPSIMLoad(); - if (error) - return error; - - bundle = (CFBundleRef)eap_in->data; - if (bundle) - CFRetain(bundle); - - EAPSIMGetOptions(); - - bzero(&eapData, sizeof(eapData)); - - /* remaining fields are read-only: */ - *((bool *)&eapData.log_enabled) = 1; - *((uint32_t *)&eapData.log_level) = LOG_NOTICE; - *((uint32_t *)&eapData.mtu) = eap_in->mtu; - *((uint32_t *)&eapData.generation) = 0;/* changed when user updates */ - - arc4random_buf(eapsim_unique, sizeof(eapsim_unique) - 1); - eapsim_unique[sizeof(eapsim_unique)-1] = 0; - - eapData.unique_id = eapsim_unique; /* used for TLS session resumption??? 
*/ - *((uint32_t *)&eapData.unique_id_length) = strlen(eapData.unique_id); - - if (eapOptions) { - CFTypeRef value = CFDictionaryGetValue(eapOptions, kEAPPropertiesTypeEAPSIM); - if (value && CFGetTypeID(value) == CFDictionaryGetTypeID()) { - eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, (CFDictionaryRef)value); - } else { - eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, eapOptions); - } - } else - eapProperties = CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - if (eapProperties == NULL) { - plog(ASL_LEVEL_ERR, "EAP-SIM: Cannot allocate memory\n"); - goto failed; - } - - *((CFDictionaryRef *)&eapData.properties) = (CFDictionaryRef)eapProperties; - - status = EAPClientModulePluginInit(eapRef, &eapData, NULL, &error); - if (status != kEAPClientStatusOK) { - plog(ASL_LEVEL_ERR, "EAP-SIM: EAPClientPluginInit(eapsim) failed, error %d\n", status); - goto failed; - } - - eapSavePacket = NULL; - - return EAP_NO_ERROR; - -failed: - - return ret; -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -int EAPSIMDispose (void *context) -{ - - EAPClientModulePluginFree(eapRef, &eapData); - eapRef = 0; - - if (bundle) { - CFRelease(bundle); - bundle = 0; - } - - if (eapOptions) { - CFRelease(eapOptions); - eapOptions = 0; - } - - if (eapProperties) { - CFRelease(eapProperties); - eapProperties = 0; - } - - if (eapSavePacket) { - free(eapSavePacket); - eapSavePacket = 0; - } - - return EAP_NO_ERROR; -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -int -EAPSIMProcess (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out) -{ - struct EAP_Packet *pkt_in = NULL; - struct EAP_Packet *pkt_out = NULL; - EAPClientStatus 
status; - EAPClientState state; - EAPClientDomainSpecificError error; - int do_process = 0; - - // by default, ignore the message - eap_out->action = EAP_ACTION_NONE; - eap_out->data = 0; - eap_out->data_len = 0; - - switch (eap_in->notification) { - - case EAP_NOTIFICATION_DATA_FROM_UI: - plog(ASL_LEVEL_ERR, "unexpected EAP UI event"); - break; - - case EAP_NOTIFICATION_PACKET: - - pkt_in = (struct EAP_Packet *)eap_in->data; - do_process = 1; - break; - } - - if (do_process) { - - state = EAPClientModulePluginProcess(eapRef, &eapData, (EAPPacketRef)pkt_in, (EAPPacketRef*)&pkt_out, &status, &error); - switch(state) { - case kEAPClientStateAuthenticating: - switch (status) { - - case kEAPClientStatusOK: - eap_out->data = pkt_out; - eap_out->data_len = ntohs(pkt_out->len); - eap_out->action = EAP_ACTION_SEND; - break; - - case kEAPClientStatusUserInputRequired: - plog(ASL_LEVEL_ERR, "unsupported EAP UI input"); - default: - eap_out->action = EAP_ACTION_ACCESS_DENIED; - } - break; - - case kEAPClientStateSuccess: - eap_out->action = EAP_ACTION_ACCESS_GRANTED; - break; - - default: - case kEAPClientStateFailure: - eap_out->action = EAP_ACTION_ACCESS_DENIED; - break; - } - } - - if (eapSavePacket) { - free(eapSavePacket); - eapSavePacket = 0; - } - - return 0; -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -int -EAPSIMFree (void *context, EAP_Output_t *eap_out) -{ - - EAPClientModulePluginFreePacket(eapRef, &eapData, eap_out->data); - return EAP_NO_ERROR; -} - -/* ------------------------------------------------------------------------------------ - ------------------------------------------------------------------------------------ */ -int -EAPSIMGetAttribute (void *context, EAP_Attribute_t *eap_attr) -{ - void *data = NULL; - int len = 0; - - eap_attr->data = 0; - - switch (eap_attr->type) { - - case EAP_ATTRIBUTE_MPPE_SEND_KEY: - 
data = EAPClientModulePluginSessionKey(eapRef, &eapData, &len); - break; - case EAP_ATTRIBUTE_MPPE_RECV_KEY: - data = EAPClientModulePluginServerKey(eapRef, &eapData, &len); - break; - } - - if (data == NULL) - return -1; - - eap_attr->data = data; - if (len == 32) - eap_attr->data_len = 64; - else - eap_attr->data_len = len; - return 0; -} diff --git a/ipsec-tools/racoon/eap_sim.h b/ipsec-tools/racoon/eap_sim.h deleted file mode 100644 index 536c6d4..0000000 --- a/ipsec-tools/racoon/eap_sim.h +++ /dev/null 
@@ -1,141 +0,0 @@ -/* - * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ -/* - * eap_plugin.h - Extensible Authentication Protocol Plugin API. - * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by the author. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - * - * $Id: eap_plugin.h,v 1.4 2003/08/14 00:00:29 callie Exp $ - */ - -/* ---------------------------------------------------------------------- - IMPORTANT: EAP Plugin API is not stable. 
- The API will change in the upcoming releases - ---------------------------------------------------------------------- */ - -#ifndef __EAP_SIM__ -#define __EAP_SIM__ - -#include "eap.h" - -/* EAP-AKA Subtypes */ -#define EAP_AKA_SUBTYPE_CHALLENGE 1 -#define EAP_AKA_SUBTYPE_AUTH_REJECT 2 -#define EAP_AKA_SUBTYPE_SYNC_FAIL 4 -#define EAP_AKA_SUBTYPE_IDENTITY 5 -#define EAP_AKA_SUBTYPE_NOTIFICATION 12 -#define EAP_AKA_SUBTYPE_REAUTH 13 -#define EAP_AKA_SUBTYPE_CLIENT_ERROR 14 - -/* EAP-SIM Subtypes */ -#define EAP_SIM_SUBTYPE_START 10 -#define EAP_SIM_SUBTYPE_CHALLENGE 11 -#define EAP_SIM_SUBTYPE_NOTIFICATION 12 -#define EAP_SIM_SUBTYPE_REAUTH 13 -#define EAP_SIM_SUBTYPE_CLIENT_ERROR 14 - -/* Non-skippable attributes */ -#define EAP_AT_RAND 1 -#define EAP_AT_AUTN 2 -#define EAP_AT_RES 3 -#define EAP_AT_AUTS 4 -#define EAP_AT_PADDING 6 -#define EAP_AT_NONCE_MT 7 -#define EAP_AT_PERMANENT_ID_REQ 10 -#define EAP_AT_MAC 11 -#define EAP_AT_NOTIFICATION 12 -#define EAP_AT_ANY_ID_REQ 13 -#define EAP_AT_IDENTITY 14 -#define EAP_AT_VERSION_LIST 15 -#define EAP_AT_SELECTED_VERSION 16 -#define EAP_AT_FULL_AUTH_ID_REQ 17 -#define EAP_AT_COUNTER 19 -#define EAP_AT_COUNTER_TOO_SMALL 20 -#define EAP_AT_NONCE_S 21 -#define EAP_AT_CLIENT_ERROR_CODE 22 -#define EAP_AT_KDF_INPUT 23 -#define EAP_AT_KDF 24 - -/* Skippable attributes */ -#define EAP_AT_IV 129 -#define EAP_AT_ENCR_DATA 130 -#define EAP_AT_NEXT_PSEUDONYM 132 -#define EAP_AT_NEXT_REAUTH_ID 133 -#define EAP_AT_CHECKCODE 134 -#define EAP_AT_RESULT_IND 135 -#define EAP_AT_BIDDING 136 -#define EAP_AT_IPMS_IND 137 -#define EAP_AT_IPMS_RES 138 -#define EAP_AT_TRUST_IND 139 - -/* Attribute notification values */ -#define EAP_AT_NOTIFICATION_GEN_FAIL_POST_AUTH 0 /* General failure after authentication */ -#define EAP_AT_NOTIFICATION_USER_DENIED 1026 /* User has been temporarily denied access */ -#define EAP_AT_NOTIFICATION_NOT_SUBSCRIBED 1031 /* User has not subscribed to the requested service */ -#define 
EAP_AT_NOTIFICATION_GEN_FAIL 16384 /* General failure */ -#define EAP_AT_NOTIFICATION_SUCCESS 32768 /* Success */ - -#define EAP_SIM_VERSION_1 1 - -typedef struct eap_sim_hdr { - u_int8_t eap_type; /* Must be EAP-SIM, 18 */ - u_int8_t eap_subtype; - u_int16_t reserved; -} __attribute__((__packed__)) eap_sim_hdr_t; - -typedef struct eap_sim_attribute { - u_int8_t at_type; - u_int8_t at_len; - u_int16_t at_value; - /* Followed by variable-length value */ -} __attribute__((__packed__)) eap_sim_attr_t; - -typedef struct eap_sim_msg { - eap_sim_hdr_t eap_hdr; - eap_sim_attr_t payload[0]; /* Multiple attributes */ -} __attribute__((__packed__)) eap_sim_t; - -int EAPSIMIdentity(char *identity, int maxlen); -int EAPSIMInit(EAP_Input_t *eap_in, void **context, CFDictionaryRef options); -int EAPSIMDispose(void *context); -int EAPSIMProcess(void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out); -int EAPSIMFree(void *context, EAP_Output_t *eap_out); -int EAPSIMGetAttribute(void *context, EAP_Attribute_t *eap_attr); - -int EAPAKAIdentity(char *identity, int maxlen); -int EAPAKAInit(EAP_Input_t *eap_in, void **context, CFDictionaryRef options); -int EAPAKADispose(void *context); -int EAPAKAProcess(void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out); -int EAPAKAFree(void *context, EAP_Output_t *eap_out); -int EAPAKAGetAttribute(void *context, EAP_Attribute_t *eap_attr); - -#endif diff --git a/ipsec-tools/racoon/fsm.c b/ipsec-tools/racoon/fsm.c index 5e5a054..ea5802b 100644 --- a/ipsec-tools/racoon/fsm.c +++ b/ipsec-tools/racoon/fsm.c @@ -389,4 +389,3 @@ fsm_ikev1_phase2_send_response(phase2_handle_t *iph2, vchar_t *msg) return error; } - diff --git a/ipsec-tools/racoon/fsm.h b/ipsec-tools/racoon/fsm.h index 4a43c0d..b5f5f10 100644 --- a/ipsec-tools/racoon/fsm.h +++ b/ipsec-tools/racoon/fsm.h 
@@ -184,7 +184,6 @@ #define IKEV1_STATE_QUICK_R_COMMIT (IKEV1_STATE_RESPONDER_QUICK | 4) #define IKEV1_STATE_QUICK_R_ADDSA (IKEV1_STATE_RESPONDER_QUICK | IKEV1_STATE_FLAG_VALUE_ADDSA) - extern void fsm_set_state(int *var, int state); //================================ // Version Agnostic Events diff --git a/ipsec-tools/racoon/grabmyaddr.c b/ipsec-tools/racoon/grabmyaddr.c index c8bcaee..3d584c1 100644 --- a/ipsec-tools/racoon/grabmyaddr.c +++ b/ipsec-tools/racoon/grabmyaddr.c @@ -498,7 +498,6 @@ update_myaddrs(void *unused) isakmp_close_unused(); autoconf_myaddrsport(); isakmp_open(); - ASIKEUpdateLocalAddressesFromIKE(); } diff --git a/ipsec-tools/racoon/handler.c b/ipsec-tools/racoon/handler.c index e287145..df3380d 100644 --- a/ipsec-tools/racoon/handler.c +++ b/ipsec-tools/racoon/handler.c @@ -81,7 +81,6 @@ #include "power_mgmt.h" - extern LIST_HEAD(_ike_session_tree_, ike_session) ike_session_tree; static LIST_HEAD(_ctdtree_, contacted) ctdtree; static LIST_HEAD(_rcptree_, recvdpkt) rcptree; @@ -382,8 +381,6 @@ ike_session_delph1(phase1_handle_t *iph1) VPTRINIT(iph1->skeyid_a_p); VPTRINIT(iph1->skeyid_e); VPTRINIT(iph1->skeyid_e_p); - VPTRINIT(iph1->skeyid_p); - VPTRINIT(iph1->skeyid_p_p); VPTRINIT(iph1->key); VPTRINIT(iph1->key_p); VPTRINIT(iph1->hash); @@ -526,7 +523,7 @@ ike_session_getph2bymsgid(phase1_handle_t *iph1, u_int32_t msgid) phase2_handle_t *p; LIST_FOREACH(p, &iph1->parent_session->ph2tree, ph2ofsession_chain) { - if (p->msgid == msgid) + if (p->msgid == msgid && !p->is_defunct) return p; } @@ -800,7 +797,6 @@ ike_session_delph2(phase2_handle_t *iph2) if (iph2->scr) SCHED_KILL(iph2->scr); - racoon_free(iph2); } @@ -1322,8 +1318,7 @@ ike_session_expire_session(ike_session_t *session) continue; } - if (FSM_STATE_IS_ESTABLISHED(p2->status)) - isakmp_info_send_d2(p2); + // Don't send a delete, since the ph1 implies the removal of ph2s isakmp_ph2expire(p2); found++; } 
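Review bot: The new `!p->is_defunct` condition in ike_session_getph2bymsgid depends on a flag whose setter is not part of this commit, and the companion hunk in ike_session_delph2 drops `racoon_free(iph2)`, so a deleted phase 2 handle now apparently stays allocated and linked, hidden from this lookup only by the flag; neither site says who finally releases it. A comment on the changed line would make the new ownership explicit, e.g. `/* defunct ph2s stay on the list until their final release; never hand one to message dispatch */`, adjusted once the setter and the free site are confirmed. ike_session_getph2bymsgid's body continues outside the hunk.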
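Review bot: Dropping the `isakmp_info_send_d2(p2)` call in ike_session_expire_session tears established phase 2 SAs down locally without a DELETE notification, and the replacement comment states as a rule that the phase 1 delete implies their removal; whether a peer discards its child SAs on a phase 1 delete is up to the peer, so one that does not will keep stale SAs until their lifetime runs out. The comment should record that as an assumption rather than a guarantee, e.g. `// No per-SA delete: the peer is expected to drop child SAs with the ph1 delete; peers that don't age them out by lifetime`. The loop and function body continue outside the hunk.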
diff --git a/ipsec-tools/racoon/handler.h b/ipsec-tools/racoon/handler.h index 2f4dd31..2b8f056 100644 --- a/ipsec-tools/racoon/handler.h +++ b/ipsec-tools/racoon/handler.h @@ -53,7 +53,6 @@ #include - /* About address semantics in each case. * initiator(addr=I) responder(addr=R) * src dst src dst @@ -128,8 +127,6 @@ struct phase1handle { vchar_t *skeyid_a_p; /* SKEYID_a_p, i.e. integrity protection */ vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */ vchar_t *skeyid_e_p; /* peer's SKEYID_e, i.e. encryption */ - vchar_t *skeyid_p; /* SKEYID_p, i.e. for IKEv2 */ - vchar_t *skeyid_p_p; /* peer's SKEYID_p, i.e. for IKEv2 */ vchar_t *key; /* cipher key */ vchar_t *key_p; /* peer's cipher key */ vchar_t *hash; /* HASH minus general header */ @@ -186,10 +183,8 @@ struct phase1handle { ike_session_t *parent_session; LIST_HEAD(_ph2ofph1_, phase2handle) bound_ph2tree; LIST_ENTRY(phase1handle) ph1ofsession_chain; - }; - #define PHASE2_TYPE_SA 0 #define PHASE2_TYPE_INFO 1 #define PHASE2_TYPE_CFG 2 @@ -279,12 +274,12 @@ struct phase2handle { struct phase1handle *ph1; /* back pointer to isakmp status */ int is_rekey:1; int is_dying:1; + int is_defunct:1; ike_session_t *parent_session; vchar_t *ext_nat_id; vchar_t *ext_nat_id_p; LIST_ENTRY(phase2handle) ph2ofsession_chain; LIST_ENTRY(phase2handle) ph1bind_chain; /* chain to ph1handle */ - }; /* diff --git a/ipsec-tools/racoon/ike_session.c b/ipsec-tools/racoon/ike_session.c index c1e7718..e40f898 100644 --- a/ipsec-tools/racoon/ike_session.c +++ b/ipsec-tools/racoon/ike_session.c @@ -266,7 +266,7 @@ ike_session_get_session (struct sockaddr_storage *local, p->ikev1_state.active_ph1cnt, p->ikev1_state.active_ph2cnt); continue; } - + // Skip if the spi doesn't match if (optionalIndex != NULL && ike_session_getph1byindex(p, optionalIndex) == NULL) { continue; 
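Review bot: `int is_defunct:1;` is a signed one-bit field, which can hold only 0 and -1, so storing 1 yields -1 and any `== 1` comparison is silently false; it mirrors the adjacent `is_rekey` and `is_dying` declarations, but all three would be safer as `unsigned int is_defunct:1;` if this struct is revisited. Independently of the type, the new member carries no comment while the neighbouring fields do; something like `int is_defunct:1; /* deleted but still linked; lookups must skip it */` would record its meaning, with the wording adjusted once the setting site is confirmed. The struct phase2handle definition starts before the hunk.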
@@ -359,9 +359,7 @@ ike_session_update_mode (phase2_handle_t *iph2) } if (iph2->phase2_type != PHASE2_TYPE_SA) return; - if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV2) { - return; // for now - } + // exit early if we already detected cisco-ipsec if (iph2->parent_session->is_cisco_ipsec) { return; @@ -927,7 +925,7 @@ ike_session_replace_other_ph1 (phase1_handle_t *new_iph1, /* * if we are responder, then we should wait until the server sends a delete notification. */ - if ((new_iph1->version == ISAKMP_VERSION_NUMBER_IKEV2 || session->is_client) && + if (session->is_client && new_iph1->side == RESPONDER) { return; } @@ -975,7 +973,7 @@ ike_session_cleanup_other_established_ph1s (ike_session_t *session, /* * if we are responder, then we should wait until the server sends a delete notification. */ - if ((new_iph1->version == ISAKMP_VERSION_NUMBER_IKEV2 || session->is_client) && + if (session->is_client && new_iph1->side == RESPONDER) { return; } diff --git a/ipsec-tools/racoon/ike_session.h b/ipsec-tools/racoon/ike_session.h index 4fa6079..9fe7510 100644 --- a/ipsec-tools/racoon/ike_session.h +++ b/ipsec-tools/racoon/ike_session.h @@ -69,7 +69,6 @@ typedef struct ike_session_sastats { struct sastat out_last_poll[8]; } ike_sesssion_sastats_t; - struct ike_session { u_int8_t mode; /* mode of protocol, see ipsec.h */ u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */ @@ -110,7 +109,6 @@ struct ike_session { LIST_HEAD(_ph2tree_, phase2handle) ph2tree; LIST_ENTRY(ike_session) chain; - }; typedef enum ike_session_rekey_type { diff --git a/ipsec-tools/racoon/ikev2_ike_sa_rfc.c b/ipsec-tools/racoon/ikev2_ike_sa_rfc.c deleted file mode 100644 index d88c3ac..0000000 --- a/ipsec-tools/racoon/ikev2_ike_sa_rfc.c +++ /dev/null 
@@ -1,24 +0,0 @@ -/* - * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * The contents of this file constitute Original Code as defined in and - * are subject to the Apple Public Source License Version 1.1 (the - * "License"). You may not use this file except in compliance with the - * License. Please obtain a copy of the License at - * http://www.apple.com/publicsource and read it before using this file. - * - * This Original Code and all software distributed under the License are - * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the - * License for the specific language governing rights and limitations - * under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#include "config.h" - diff --git a/ipsec-tools/racoon/ikev2_ike_sa_rfc.h b/ipsec-tools/racoon/ikev2_ike_sa_rfc.h deleted file mode 100644 index 71e63d7..0000000 --- a/ipsec-tools/racoon/ikev2_ike_sa_rfc.h +++ /dev/null 
@@ -1,22 +0,0 @@ -/* - * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * The contents of this file constitute Original Code as defined in and - * are subject to the Apple Public Source License Version 1.1 (the - * "License"). You may not use this file except in compliance with the - * License. Please obtain a copy of the License at - * http://www.apple.com/publicsource and read it before using this file. - * - * This Original Code and all software distributed under the License are - * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the - * License for the specific language governing rights and limitations - * under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - diff --git a/ipsec-tools/racoon/ikev2_info_rfc.c b/ipsec-tools/racoon/ikev2_info_rfc.c deleted file mode 100644 index 0887408..0000000 --- a/ipsec-tools/racoon/ikev2_info_rfc.c +++ /dev/null 
@@ -1,22 +0,0 @@
-/*
- * Copyright (c) 2012, 2013 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_info_rfc.h b/ipsec-tools/racoon/ikev2_info_rfc.h
deleted file mode 100644
index 71e63d7..0000000
--- a/ipsec-tools/racoon/ikev2_info_rfc.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
diff --git a/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c b/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c
deleted file mode 100644
index 5dd0807..0000000
--- a/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (c) 2012, 2013 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h b/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h
deleted file mode 100644
index 71e63d7..0000000
--- a/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
diff --git a/ipsec-tools/racoon/ikev2_rfc.c b/ipsec-tools/racoon/ikev2_rfc.c
deleted file mode 100644
index 64751fe..0000000
--- a/ipsec-tools/racoon/ikev2_rfc.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_rfc.h b/ipsec-tools/racoon/ikev2_rfc.h
deleted file mode 100644
index da4ea49..0000000
--- a/ipsec-tools/racoon/ikev2_rfc.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * (RFC4306)
- * http://www.iana.org/assignments/ikev2-parameters
- */
-
diff --git a/ipsec-tools/racoon/ikev2_sessresume_rfc.c b/ipsec-tools/racoon/ikev2_sessresume_rfc.c
deleted file mode 100644
index 64751fe..0000000
--- a/ipsec-tools/racoon/ikev2_sessresume_rfc.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_sessresume_rfc.h b/ipsec-tools/racoon/ikev2_sessresume_rfc.h
deleted file mode 100644
index 71e63d7..0000000
--- a/ipsec-tools/racoon/ikev2_sessresume_rfc.h
+++ /dev/null
@@ -1,22 +0,0 @@ -/* - * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * The contents of this file constitute Original Code as defined in and - * are subject to the Apple Public Source License Version 1.1 (the - * "License"). You may not use this file except in compliance with the - * License. Please obtain a copy of the License at - * http://www.apple.com/publicsource and read it before using this file. - * - * This Original Code and all software distributed under the License are - * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the - * License for the specific language governing rights and limitations - * under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - diff --git a/ipsec-tools/racoon/ipsec_doi.c b/ipsec-tools/racoon/ipsec_doi.c index 8fe1460..2fc1c22 100644 --- a/ipsec-tools/racoon/ipsec_doi.c +++ b/ipsec-tools/racoon/ipsec_doi.c @@ -86,7 +86,6 @@ #ifdef ENABLE_NATT #include "nattraversal.h" #endif -#include "ikev2_rfc.h" #ifdef ENABLE_HYBRID static int switch_authmethod(int); @@ -372,7 +371,6 @@ get_ph1approvalx(p, proposal, sap, check_level) tsap->encklen == s->encklen && tsap->version == s->version) { switch(check_level) { - case PROP_CHECK_IKEV2: case PROP_CHECK_OBEY: goto found; break; @@ -1074,11 +1072,17 @@ get_ph2approvalx(iph2, pp) } /* no proposal matching */ err: - flushsaprop(pr0); + if (pr0 != NULL) { + flushsaprop(pr0); + pr0 = NULL; + } return NULL; found: - flushsaprop(pr0); + if (pr0 != NULL) { + flushsaprop(pr0); + pr0 = NULL; + } plog(ASL_LEVEL_DEBUG, "matched\n"); iph2->approval = pr; 
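Review bot: The two new `pr0 = NULL;` stores in get_ph2approvalx are dead on the `err:` path, where `return NULL;` follows immediately, and the same four-line guard is now duplicated at `err:` and `found:`. If flushsaprop() already tolerates NULL (its body is outside the hunk) the guards add nothing; otherwise a single shared cleanup, plus a comment naming the path on which pr0 is still NULL when the jump happens, would explain why the check is needed. At `err:` the form `if (pr0 != NULL) flushsaprop(pr0);` without the dead store is enough.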
@@ -2567,8 +2571,6 @@ ipsecdoi_setph1proposal (phase1_handle_t *iph1) (ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v)->sit = htonl(props->rmconf->sittype); (void)setph1prop(iph1, mysa->v + sizeof(struct ipsecdoi_sa_b)); - } else { - (void)setph1prop(iph1, mysa->v); } return mysa; @@ -2579,7 +2581,6 @@ setph1prop (phase1_handle_t *iph1, caddr_t buf) { struct isakmpsa *props = iph1->rmconf->proposal; - unsigned int version = iph1->version; struct isakmp_pl_p *prop = NULL; struct isakmpsa *s = NULL; @@ -2587,10 +2588,7 @@ setph1prop (phase1_handle_t *iph1, u_int8_t *np_t; /* pointer next trns type in previous header */ int trns_num; caddr_t p = buf; - u_int16_t tmplen; int spi_size = 0; - cookie_t *my_cookie = (iph1->side == INITIATOR) ? &iph1->index.i_ck : &iph1->index.r_ck; - proplen = sizeof(*prop) + spi_size; if (buf) { @@ -2965,7 +2963,6 @@ setph2proposal0(iph2, pp, pr) return p; } - /* * create phase2 proposal from policy configuration. * NOT INCLUDING isakmp general header of SA payload. @@ -3007,13 +3004,11 @@ ipsecdoi_setph2proposal(phase2_handle_t *iph2, int return_sa) for (a = proposal; a; a = a->next) { for (b = a->head; b; b = b->next) { if (b->proto_id == IPSECDOI_PROTO_IPCOMP) { - // %%%%% todo - IKEv2 uses ipcomp notification // skip this - not specified in the SA // Need to set this in iph2 ??? continue; } // IKEv1 sends encode mode in SA - uses diferent codes when NATT being used - // IKEv2 does not send encode mode in SA #ifdef ENABLE_NATT if (iph2->ph1->natt_flags & NAT_DETECTED) { plog (ASL_LEVEL_INFO, "NAT detected -> UDP encapsulation\n"); diff --git a/ipsec-tools/racoon/ipsec_interface.c b/ipsec-tools/racoon/ipsec_interface.c deleted file mode 100644 index 70866a1..0000000 --- a/ipsec-tools/racoon/ipsec_interface.c +++ /dev/null 
@@ -1,224 +0,0 @@ -/* - * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#include "config.h" -#include -#include -#include -#include - -#include -#include -#include -#include "racoon_types.h" -#include "plog.h" -#include -#include -#include - -#include "var.h" - -int ipsec_interface_create(char *name, int name_max_len, int *index, int flags) -{ - - struct ctl_info kernctl_info; - struct sockaddr_ctl kernctl_addr; - u_int32_t optlen; - int tunsock = -1; - - tunsock = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL); - if (tunsock == -1) { - plog(ASL_LEVEL_ERR, "create_ipsec_interface: cannot create kernel control socket (errno = %d)", errno); - goto fail; - } - - bzero(&kernctl_info, sizeof(kernctl_info)); - strlcpy(kernctl_info.ctl_name, "com.apple.net.ipsec_control", sizeof(kernctl_info.ctl_name)); - if (ioctl(tunsock, CTLIOCGINFO, &kernctl_info)) { - plog(ASL_LEVEL_ERR, "create_ipsec_interface: ioctl failed on kernel control socket (errno = %d)", errno); - goto fail; - } - - bzero(&kernctl_addr, sizeof(kernctl_addr)); // sets the 
sc_unit field to 0 - kernctl_addr.sc_len = sizeof(kernctl_addr); - kernctl_addr.sc_family = AF_SYSTEM; - kernctl_addr.ss_sysaddr = AF_SYS_CONTROL; - kernctl_addr.sc_id = kernctl_info.ctl_id; - kernctl_addr.sc_unit = 0; // we will get the unit number from getpeername - if (connect(tunsock, (struct sockaddr *)&kernctl_addr, sizeof(kernctl_addr))) { - plog(ASL_LEVEL_ERR, "create_ipsec_interface: connect failed on kernel control socket (errno = %d)", errno); - goto fail; - } - - optlen = name_max_len; - if (getsockopt(tunsock, SYSPROTO_CONTROL, 2, name, &optlen)) { - plog(ASL_LEVEL_ERR, "create_ipsec_interface: getsockopt ifname failed on kernel control socket (errno = %d)", errno); - goto fail; - } - - *index = if_nametoindex(name); - - if (flags) { - int optflags = 0; - optlen = sizeof(u_int32_t); - if (getsockopt(tunsock, SYSPROTO_CONTROL, 1, &optflags, &optlen)) { - plog(ASL_LEVEL_ERR, "create_ipsec_interface: getsockopt flags failed on kernel control socket (errno = %d)", errno); - goto fail; - } - - optflags |= flags; - optlen = sizeof(u_int32_t); - if (setsockopt(tunsock, SYSPROTO_CONTROL, 1, &optflags, optlen)) { - plog(ASL_LEVEL_ERR, "create_ipsec_interface: setsockopt flags failed on kernel control socket (errno = %d)", errno); - goto fail; - } - } - - return tunsock; - -fail: - if (tunsock != -1) - close(tunsock); - return -1; - -} - -int ipsec_interface_set_mtu(char *ifname, int mtu) -{ - struct ifreq ifr; - int ip_sockfd; - - ip_sockfd = socket(AF_INET, SOCK_DGRAM, 0); - if (ip_sockfd < 0) { - plog(ASL_LEVEL_ERR, "sifmtu: cannot create ip socket, %s", strerror(errno)); - return 0; - } - - strlcpy(ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); - ifr.ifr_mtu = mtu; - ioctl(ip_sockfd, SIOCSIFMTU, (caddr_t) &ifr); - - close(ip_sockfd); - return 1; -} - -void -in6_len2mask(struct in6_addr *mask, int len) -{ - int i; - bzero(mask, sizeof(*mask)); - for (i = 0; i < len / 8; i++) - mask->s6_addr[i] = 0xff; - if (len % 8) - mask->s6_addr[i] = (0xff00 >> (len % 8)) & 
0xff; -} - -#define SET_SA_FAMILY(addr, family) \ -bzero((char *) &(addr), sizeof(addr)); \ -addr.sa_family = (family); \ -addr.sa_len = sizeof(addr); -int ipsec_interface_set_addr(char *ifname, struct sockaddr_storage *address, struct sockaddr_storage *netmask, int prefix) -{ - int ip_sockfd; - - int family = address->ss_family; - - if (family == AF_INET) { - struct ifaliasreq ifra __attribute__ ((aligned (4))); // Wcast-align fix - force alignment - ip_sockfd = socket(AF_INET, SOCK_DGRAM, 0); - if (ip_sockfd < 0) { - plog(ASL_LEVEL_ERR, "Cannot create ip socket, %s", strerror(errno)); - return 0; - } - - strlcpy(ifra.ifra_name, ifname, sizeof(ifra.ifra_name)); - - SET_SA_FAMILY(ifra.ifra_addr, AF_INET); - (ALIGNED_CAST(struct sockaddr_in *) &ifra.ifra_addr)->sin_addr.s_addr = ((struct sockaddr_in*)address)->sin_addr.s_addr; - - SET_SA_FAMILY(ifra.ifra_broadaddr, AF_INET); - (ALIGNED_CAST(struct sockaddr_in *) &ifra.ifra_broadaddr)->sin_addr.s_addr = ((struct sockaddr_in*)address)->sin_addr.s_addr; - - if (netmask != 0) { - SET_SA_FAMILY(ifra.ifra_mask, AF_INET); - (ALIGNED_CAST(struct sockaddr_in *) &ifra.ifra_mask)->sin_addr.s_addr = ((struct sockaddr_in*)netmask)->sin_addr.s_addr; - } - else - bzero(&ifra.ifra_mask, sizeof(ifra.ifra_mask)); - - if (ioctl(ip_sockfd, SIOCAIFADDR, (caddr_t) &ifra) < 0) { - if (errno != EEXIST) { - plog(ASL_LEVEL_ERR, "Couldn't set interface address"); - close(ip_sockfd); - return 0; - } - plog(ASL_LEVEL_ERR, "Couldn't set interface address, already exists"); - } - close(ip_sockfd); - } else if (family == AF_INET6) { - struct in6_aliasreq addreq6; - struct in6_addr mask; - struct in6_addr *addr6 = &((struct sockaddr_in6*)address)->sin6_addr; - - ip_sockfd = socket(AF_INET6, SOCK_DGRAM, 0); - if (ip_sockfd < 0) { - plog(ASL_LEVEL_ERR, "Cannot create IPv6 socket, %s", strerror(errno)); - return 0; - } - - memset(&addreq6, 0, sizeof(addreq6)); - strlcpy(addreq6.ifra_name, ifname, sizeof(addreq6.ifra_name)); - /* my addr */ - 
addreq6.ifra_addr.sin6_family = AF_INET6; - addreq6.ifra_addr.sin6_len = sizeof(struct sockaddr_in6); - memcpy(&addreq6.ifra_addr.sin6_addr, addr6, sizeof(struct in6_addr)); - - /* prefix mask: 128bit */ - addreq6.ifra_prefixmask.sin6_family = AF_INET6; - addreq6.ifra_prefixmask.sin6_len = sizeof(struct sockaddr_in6); - in6_len2mask(&mask, prefix); - memcpy(&addreq6.ifra_prefixmask.sin6_addr, &mask, sizeof(struct in6_addr)); - - /* address lifetime (infty) */ - addreq6.ifra_lifetime.ia6t_pltime = ND6_INFINITE_LIFETIME; - addreq6.ifra_lifetime.ia6t_vltime = ND6_INFINITE_LIFETIME; - if (IN6_IS_ADDR_LINKLOCAL(addr6)) { - if (ioctl(ip_sockfd, SIOCLL_START, &addreq6) < 0) { - plog(ASL_LEVEL_ERR, "Couldn't set link-local IPv6 address, %s", strerror(errno)); - close(ip_sockfd); - return 0; - } - } else { - if (ioctl(ip_sockfd, SIOCAIFADDR_IN6, &addreq6) < 0) { - plog(ASL_LEVEL_ERR, "Couldn't set IPv6 address, %s", strerror(errno)); - close(ip_sockfd); - return 0; - } - } - close(ip_sockfd); - } else { - return 0; - } - - return 1; -} diff --git a/ipsec-tools/racoon/ipsec_interface.h b/ipsec-tools/racoon/ipsec_interface.h deleted file mode 100644 index 020528c..0000000 --- a/ipsec-tools/racoon/ipsec_interface.h +++ /dev/null 
@@ -1,31 +0,0 @@ -/* - * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#ifndef __IPSEC_INTERFACE__ -#define __IPSEC_INTERFACE__ - -int ipsec_interface_create(char *name, int name_max_len, int *index, int flags); -int ipsec_interface_set_mtu(char *ifname, int mtu); -int ipsec_interface_set_addr(char *ifname, struct sockaddr_storage *address, struct sockaddr_storage *netmask, int prefix); - -#endif diff --git a/ipsec-tools/racoon/isakmp.c b/ipsec-tools/racoon/isakmp.c index 8133c95..8a40905 100644 --- a/ipsec-tools/racoon/isakmp.c +++ b/ipsec-tools/racoon/isakmp.c @@ -128,7 +128,6 @@ #include "ipsecMessageTracer.h" #include "power_mgmt.h" - extern caddr_t val2str (const char *, size_t); u_char i_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the i_ck. */ u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ 
@@ -367,8 +366,7 @@ isakmp_main(vchar_t *msg, struct sockaddr_storage *remote, struct sockaddr_stor * I think it may no be here because the version depends * on exchange status. */ - if (ISAKMP_GETMAJORV(isakmp_version) != ISAKMP_MAJOR_VERSION_IKEV1 && - ISAKMP_GETMAJORV(isakmp_version) != ISAKMP_MAJOR_VERSION_IKEV2) { + if (ISAKMP_GETMAJORV(isakmp_version) != ISAKMP_MAJOR_VERSION_IKEV1) { plog(ASL_LEVEL_ERR, "invalid major version %d.\n", isakmp_version); return; } @@ -387,14 +385,14 @@ isakmp_main(vchar_t *msg, struct sockaddr_storage *remote, struct sockaddr_stor if (isakmp_version == ISAKMP_VERSION_NUMBER_IKEV1) { /* check the Flags field. */ /* XXX How is the exclusive check, E and A ? */ - if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) { //%%%%%%%%%%%% any other flags for IKEv2 ????? + if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) { plog(ASL_LEVEL_ERR, "invalid flag 0x%02x.\n", isakmp->flags); return; } /* ignore commit bit. */ if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) { - if (isakmp->msgid == 0) { //%%%%% does this apply to V2 + if (isakmp->msgid == 0) { isakmp_info_send_nx(isakmp, remote, local, ISAKMP_NTYPE_INVALID_FLAGS, NULL); plog(ASL_LEVEL_ERR, "Commit bit on Phase 1 forbidden.\n"); @@ -450,7 +448,7 @@ ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct socka ! (iph1->natt_flags & NAT_PORTS_CHANGED) && ((cmpsaddrstrict(iph1->remote, remote) != 0) || (cmpsaddrstrict(iph1->local, local) != 0))) - { //%%%%%%%%%%%%%%%%%%%% make this a separate function - ikev2 needs it + { /* prevent memory leak */ racoon_free(iph1->remote); racoon_free(iph1->local); @@ -1241,7 +1239,6 @@ ikev1_phase1_established(phase1_handle_t *iph1) return 0; } - /* * parse ISAKMP payloads, without ISAKMP base header. */ 
@@ -1522,6 +1519,16 @@ isakmp_open(void) if (setsockopt_bypass(p->sock, p->addr->ss_family) < 0) goto err_and_next; + if (setsockopt(p->sock, SOL_SOCKET, SO_REUSEADDR, (const void *)&yes, sizeof(yes)) < 0) { + plog(ASL_LEVEL_ERR, "setsockopt SO_REUSEADDR (%s)\n", strerror(errno)); + goto err_and_next; + } + + if (setsockopt(p->sock, SOL_SOCKET, SO_REUSEPORT, (const void *)&yes, sizeof(yes)) < 0) { + plog(ASL_LEVEL_ERR, "setsockopt SO_REUSEPORT (%s)\n", strerror(errno)); + goto err_and_next; + } + if (extract_port(p->addr) == PORT_ISAKMP) { if (setsockopt(p->sock, SOL_SOCKET, SO_NOTIFYCONFLICT, (void *)&yes, sizeof(yes)) < 0) { @@ -1706,6 +1713,7 @@ isakmp_send(iph1, sbuf) int len = 0; int s; vchar_t *vbuf = NULL; + #ifdef ENABLE_NATT size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0; @@ -1799,7 +1807,6 @@ isakmp_ph1resend(iph1) phase1_handle_t *iph1; { time_t retry_interval; - // make sure there is a buffer to send // isakmp_plist_set_all() could have returned NULL @@ -1888,7 +1895,6 @@ isakmp_ph2resend(iph2) "Internal error - attempt to re-send Phase 2 with no Phase 1 bound.\n"); return -1; } - if (FSM_STATE_IS_EXPIRED(iph2->ph1->status)){ IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session, @@ -1954,7 +1960,6 @@ isakmp_ph2resend(iph2) return 0; } - /* called from scheduler */ void isakmp_ph1expire_stub(p) @@ -1999,7 +2004,6 @@ isakmp_ph1expire(iph1) iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1); return; } - iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); } @@ -2048,11 +2052,9 @@ int ignore_sess_drop_policy; isakmp_pindex(&iph1->index, 0)); racoon_free(src); racoon_free(dst); - - { - if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) { - return; - } + + if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) { + return; } // exit if there is another ph1 that is established (with a pending rekey timer) 
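Review bot: SO_REUSEPORT is now set unconditionally on every ISAKMP socket in isakmp_open with no comment saying why; on BSD-derived stacks it lets any other socket that also sets the option bind the same address/port, so another process with the same privileges can share or divert IKE datagrams, whereas SO_REUSEADDR alone is normally what a daemon needs to rebind promptly after a restart. If sharing the port is deliberate, a comment above the two calls should name the process expected to share it, e.g. `/* SO_REUSEADDR: rebind promptly after restart; SO_REUSEPORT: coexist with [SHARING PROCESS — fill in] on the same port */`; if it is not, the SO_REUSEPORT block should go. The cast `(const void *)&yes` also differs from the `(void *)&yes` used for SO_NOTIFYCONFLICT just below; one form would be cleaner. The enclosing loop and the declaration of `yes` start outside the hunk.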
@@ -2082,12 +2084,10 @@ int ignore_sess_drop_policy; plog(ASL_LEVEL_DEBUG, "Begin Phase 1 rekey.\n"); /* start phase 1 negotiation as a initiator. */ - { - if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) { - plog(ASL_LEVEL_DEBUG, "Phase 1 rekey Failed.\n"); - } - iph1->is_rekey = TRUE; + if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) { + plog(ASL_LEVEL_DEBUG, "Phase 1 rekey Failed.\n"); } + iph1->is_rekey = TRUE; } else { plog(ASL_LEVEL_ERR, "Phase1 rekey failed: no configuration found for %s.\n", @@ -2260,12 +2260,13 @@ isakmp_ph2expire(iph2) ipsecdoi2pfkey_proto(pr->proto_id), IPSEC_MODE_ANY, iph2->src, iph2->dst, pr->spi_p /* pr->reqid_out */); + } } } if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2); - + return; } 
@@ -2348,37 +2349,32 @@ isakmp_post_acquire(phase2_handle_t *iph2) } if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) iph1 = ike_session_update_ph2_ph1bind(iph2); - else - iph1 = ike_session_get_established_or_negoing_ph1(iph2->parent_session); /* no IKE-SA found. */ if (iph1 == NULL) { iph2->retry_checkph1 = lcconf->retry_checkph1; /* start phase 1 negotiation as a initiator. */ - { - sched_new(1, isakmp_chkph1there_stub, iph2); - - plog(ASL_LEVEL_INFO, - "IPsec-SA request for %s queued due to no Phase 1 found.\n", - saddrwop2str((struct sockaddr *)iph2->dst)); - - // exit if there is another ph1 that is established (with a pending rekey timer) - if (ike_session_has_negoing_ph1(iph2->parent_session)) { - plog(ASL_LEVEL_INFO, - "Request for Phase 1 was ignored due to another negotiating Phase 1.\n"); - return 0; - } - - if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { - plog(ASL_LEVEL_INFO, - "Request for Phase 1 failed. Will try later.\n"); - } + sched_new(1, isakmp_chkph1there_stub, iph2); + + plog(ASL_LEVEL_INFO, + "IPsec-SA request for %s queued due to no Phase 1 found.\n", + saddrwop2str((struct sockaddr *)iph2->dst)); + + // exit if there is another ph1 that is established (with a pending rekey timer) + if (ike_session_has_negoing_ph1(iph2->parent_session)) { + plog(ASL_LEVEL_INFO, + "Request for Phase 1 was ignored due to another negotiating Phase 1.\n"); + return 0; + } + + if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { + plog(ASL_LEVEL_INFO, + "Request for Phase 1 failed. Will try later.\n"); } return 0; /*NOTREACHED*/ } - /* found ISAKMP-SA, but on negotiation. */ if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { 
@@ -2395,11 +2391,9 @@ isakmp_post_acquire(phase2_handle_t *iph2) /* found ISAKMP-SA. */ /* begin quick mode */ - { - plog(ASL_LEVEL_DEBUG, "Begin QUICK mode.\n"); - if (ikev1_ph2begin_i(iph1, iph2)) - return -1; - } + plog(ASL_LEVEL_DEBUG, "Begin QUICK mode.\n"); + if (ikev1_ph2begin_i(iph1, iph2)) + return -1; return 0; } @@ -2516,10 +2510,8 @@ isakmp_chkph1there(iph2) plog(ASL_LEVEL_DEBUG, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst)); /* begin quick mode */ - { - if (ikev1_ph2begin_i(iph1, iph2)) { - ike_session_unlink_phase2(iph2); - } + if (ikev1_ph2begin_i(iph1, iph2)) { + ike_session_unlink_phase2(iph2); } return; } @@ -2527,11 +2519,9 @@ isakmp_chkph1there(iph2) struct remoteconf *rmconf = getrmconf(iph2->dst); /* start phase 1 negotiation as a initiator. */ if (rmconf) { - { - if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { - plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n"); - } - } + if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { + plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n"); + } } else if (rmconf == NULL) { plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no remoteconf found... failed to initiate new one\n"); } diff --git a/ipsec-tools/racoon/isakmp_cfg.c b/ipsec-tools/racoon/isakmp_cfg.c index 6d0af82..fbf4b9a 100644 --- a/ipsec-tools/racoon/isakmp_cfg.c +++ b/ipsec-tools/racoon/isakmp_cfg.c @@ -1346,7 +1346,6 @@ isakmp_cfg_rmstate(phase1_handle_t *iph1) { struct isakmp_cfg_state **state = &iph1->mode_cfg; - if (*state == NULL) return; diff --git a/ipsec-tools/racoon/isakmp_inf.c b/ipsec-tools/racoon/isakmp_inf.c index 487c5ba..f90ac07 100644 --- a/ipsec-tools/racoon/isakmp_inf.c +++ b/ipsec-tools/racoon/isakmp_inf.c 
@@ -92,7 +92,6 @@ #include "isakmp_cfg.h" #endif #include "isakmp_inf.h" -#include "ikev2_info_rfc.h" #include "oakley.h" #include "ipsec_doi.h" #include "crypto_openssl.h" @@ -680,7 +679,9 @@ isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t if (del_ph1->sce_rekey && del_ph1->parent_session && del_ph1->parent_session->is_client && - del_ph1->parent_session->established) { + del_ph1->parent_session->established && + !(del_ph1->rmconf->natt_multiple_user && + del_ph1->parent_session->is_l2tpvpn_ipsec)) { isakmp_ph1rekeyexpire(del_ph1, FALSE); } @@ -700,7 +701,7 @@ isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t #endif if (del_ph1->rmconf->natt_multiple_user && del_ph1->parent_session->is_l2tpvpn_ipsec) { - plog(ASL_LEVEL_DEBUG, "Ignoring IKE delete from peer for L2TP server\n"); + plog(ASL_LEVEL_DEBUG, "Ignoring IKE delete from peer for L2TP server\n"); break; } isakmp_ph1expire(del_ph1); @@ -718,8 +719,14 @@ isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t } if (iph1->rmconf->natt_multiple_user && iph1->parent_session->is_l2tpvpn_ipsec) { - plog(ASL_LEVEL_DEBUG, "Ignoring SA delete from peer for L2TP server\n"); - break; + uint32_t *ph2_spi = ALIGNED_CAST(u_int32_t *)(delete + 1); + phase2_handle_t *iph2 = ike_session_getph2bysaidx(iph1->local, iph1->remote, delete->proto_id, ph2_spi[0]); + + if (iph2 != NULL) { + iph2->is_defunct = 1; + plog(ASL_LEVEL_DEBUG, "Ignoring SA delete from peer for L2TP server\n"); + break; + } } purge_ipsec_spi(iph1->remote, delete->proto_id, ALIGNED_CAST(u_int32_t *)(delete + 1), num_spi, NULL, NULL); // Wcast-align fix (void*) - delete payload is aligned @@ -827,7 +834,7 @@ isakmp_info_send_d2(phase2_handle_t *iph2) if (!FSM_STATE_IS_ESTABLISHED(iph2->status)) return 0; - + /* * don't send delete information if there is no phase 1 handler. * It's nonsensical to negotiate phase 1 to send the information. 
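Review bot: The new lookup in isakmp_info_recv_d reads `ph2_spi[0]` without checking that the delete payload carries at least one SPI; `num_spi` is passed to purge_ipsec_spi on the very next line, so the read should be guarded, `if (num_spi >= 1) { ... }`, unless the caller already rejects num_spi == 0 (that validation is outside the hunk). Only the first SPI is consulted: a delete listing several SPIs is ignored in full when the first one matches a known Phase 2 handle and purged in full when it does not, even if a later SPI would have matched; the intended rule should be written down, e.g. `/* L2TP server: do not purge the SA on a peer delete; mark the matching ph2 defunct instead */`. `uint32_t *ph2_spi = ALIGNED_CAST(u_int32_t *)` also mixes two spellings of the same type where the surrounding code uses `u_int32_t`. The function header and the computation of `num_spi` are outside the hunk.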
diff --git a/ipsec-tools/racoon/main.c b/ipsec-tools/racoon/main.c index 9b45afd..631b86c 100644 --- a/ipsec-tools/racoon/main.c +++ b/ipsec-tools/racoon/main.c @@ -82,9 +82,6 @@ #include "vendorid.h" #include -#ifndef TARGET_OS_EMBEDDED -#include -#endif // !TARGET_OS_EMBEDDED #include "power_mgmt.h" #include "preferences.h" @@ -152,9 +149,6 @@ main(ac, av) char **av; { int error; -#ifndef TARGET_OS_EMBEDDED - char *sb_errorbuf = NULL; -#endif // !TARGET_OS_EMBEDDED /* * Check IPSec plist @@ -162,17 +156,10 @@ main(ac, av) prefsinit(); ploginit(); -#ifndef TARGET_OS_EMBEDDED - if (sandbox_init("racoon", SANDBOX_NAMED, &sb_errorbuf) == -1) { - if (sb_errorbuf) { - plog(ASL_LEVEL_ERR, "sandbox_init failed: %s\n", sb_errorbuf); - sandbox_free_error(sb_errorbuf); - sb_errorbuf = NULL; - } else { - plog(ASL_LEVEL_ERR, "sandbox_init failed\n"); - } - } -#endif // !TARGET_OS_EMBEDDED + /* + * racoon is not sandboxed on Mac OS. + * On embedded, racoon is sandboxed with a seatbelt-profiles entitlement. + */ if (geteuid() != 0) { errx(1, "must be root to invoke this program."); diff --git a/ipsec-tools/racoon/oakley.c b/ipsec-tools/racoon/oakley.c index d2dab6b..6fbd832 100644 --- a/ipsec-tools/racoon/oakley.c +++ b/ipsec-tools/racoon/oakley.c @@ -103,7 +103,6 @@ #include #endif #include "vpn_control_var.h" -#include "ikev2_rfc.h" #include "extern.h" #define OUTBOUND_SA 0 @@ -151,11 +150,9 @@ struct dhgroup dh_modp8192; static int oakley_check_dh_pub (vchar_t *, vchar_t **); static int oakley_compute_keymat_x (phase2_handle_t *, int, int); -static int oakley_compute_ikev2_keymat_x (phase2_handle_t *); static int get_cert_fromlocal (phase1_handle_t *, int); static int oakley_check_certid (phase1_handle_t *iph1); static int oakley_check_certid_1 (vchar_t *, int, int, void*, cert_status_t *certStatus); -static vchar_t * oakley_prf_plus (vchar_t *, vchar_t *, int, phase1_handle_t *iph1); #ifdef HAVE_OPENSSL static int check_typeofcertname (int, int); #endif 
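Review bot: Dropping the sandbox_init() call removes the in-process seatbelt profile from the non-embedded build of a daemon that, as the geteuid() check just below shows, runs as root while parsing network input; the replacement comment records that racoon is not sandboxed on Mac OS but not why, nor what, if anything, confines it instead. The comment should state the reason so the next reader does not take it for an oversight, e.g. `/* Mac OS: no in-process sandbox_init(); confinement, if any, is applied by [MECHANISM — fill in]. Embedded: seatbelt-profiles entitlement. */`. The first hunk also drops an `#include` whose header name was lost in rendering; presumably the sandbox header, which would be consistent, but worth confirming.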
@@ -536,7 +533,7 @@ vchar_t * oakley_prf(vchar_t *key, vchar_t *buf, phase1_handle_t *iph1) { vchar_t *res = NULL; - int type; + int type = OAKLEY_ATTR_HASH_ALG_MD5; if (iph1->approval == NULL) { if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { @@ -545,8 +542,6 @@ oakley_prf(vchar_t *key, vchar_t *buf, phase1_handle_t *iph1) * We use md5 as default. */ type = OAKLEY_ATTR_HASH_ALG_MD5; - } else { - type = OAKLEY_ATTR_HASH_ALG_SHA; } } else { @@ -569,7 +564,7 @@ vchar_t * oakley_hash(vchar_t *buf, phase1_handle_t *iph1) { vchar_t *res = NULL; - int type; + int type = OAKLEY_ATTR_HASH_ALG_MD5; if (iph1->approval == NULL) { if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { @@ -578,14 +573,10 @@ oakley_hash(vchar_t *buf, phase1_handle_t *iph1) * We use md5 as default. */ type = OAKLEY_ATTR_HASH_ALG_MD5; - } else { - type = OAKLEY_ATTR_HASH_ALG_SHA; } } else { if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { type = iph1->approval->hashtype; - } else { - type = OAKLEY_ATTR_HASH_ALG_SHA; } } @@ -632,7 +623,6 @@ end: return error; } - /* * compute KEYMAT. * KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b). @@ -1366,8 +1356,6 @@ oakley_validate_auth(phase1_handle_t *iph1) "invalid etype %d\n", iph1->etype); return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; } - } else { - my_hash = oakley_ph1hash_common(iph1, VALIDATE); } if (my_hash == NULL) return ISAKMP_INTERNAL_ERROR; @@ -1520,10 +1508,6 @@ oakley_validate_auth(phase1_handle_t *iph1) "invalid etype %d\n", iph1->etype); return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; } - } else { - vchar_t *octets = NULL; - octets = ikev2_ike_sa_auth_get_octets(iph1, (iph1->side == INITIATOR)? FALSE : TRUE); - my_hash = alg_oakley_hashdef_one(OAKLEY_ATTR_HASH_ALG_SHA, octets); } if (my_hash == NULL) return ISAKMP_INTERNAL_ERROR; 
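Review bot: In oakley_prf and oakley_hash the new `int type = OAKLEY_ATTR_HASH_ALG_MD5;` initializer stands in for the removed non-IKEv1 branches, so a handle with an unexpected version now silently hashes with MD5 instead of being rejected, which is the opposite of what the oakley_do_decrypt/oakley_do_encrypt hunks in this commit do (log and return NULL). Prefer failing closed with a guard at the top of both functions, `if (iph1->version != ISAKMP_VERSION_NUMBER_IKEV1) { plog(ASL_LEVEL_ERR, "invalid IKE version\n"); return NULL; }`, after which `type` is assigned on every remaining path and needs no default. Both function bodies continue outside the hunk.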
@@ -1547,8 +1531,6 @@ oakley_validate_auth(phase1_handle_t *iph1) } if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p, FALSE); - } else { - error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p, TRUE); } if (error) { plog(ASL_LEVEL_ERR, "error verifying signature %s\n", GetSecurityErrorString(error)); @@ -1951,7 +1933,9 @@ oakley_check_certid_1(vchar_t *cert, int idtype, int idlen, void *id, cert_statu } } CFRelease(certificate); - CFRelease(subject); + if (subject != NULL) { + CFRelease(subject); + } return 0; } break; @@ -2573,8 +2557,7 @@ oakley_getpskall(phase1_handle_t *iph1) } memcpy(secret->v, iph1->rmconf->shared_secret->v, secret->l); } - } else if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV2 || - iph1->etype != ISAKMP_ETYPE_IDENT) { + } else if (iph1->etype != ISAKMP_ETYPE_IDENT) { secret = getpskbyname(iph1->id_p); if (!secret) { if (iph1->rmconf->verify_identifier) { @@ -2613,8 +2596,7 @@ oakley_skeyid(phase1_handle_t *iph1) char *p; int len; int error = -1; - - + /* SKEYID */ switch (AUTHMETHOD(iph1)) { case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 
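Review bot: After the `else` is removed in oakley_validate_auth (hunk `@@ -1547`), a non-IKEv1 handle skips crypto_cssm_verify_x509sign entirely and lands on `if (error)` with whatever value `error` held before; that path currently looks unreachable because the `@@ -1520` hunk leaves `my_hash` NULL for non-IKEv1 and returns ISAKMP_INTERNAL_ERROR first, but a signature check should not rely on a distant guard to stay fail-closed. An explicit `else` that logs and assigns a non-zero failure to `error` (or returns ISAKMP_INTERNAL_ERROR after releasing whatever the function holds at that point, which the hunk does not show) keeps the verification step self-contained. The function starts and ends outside the hunk.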
@@ -2719,97 +2701,13 @@ end: return error; } -static vchar_t * -oakley_prf_plus (vchar_t *key, vchar_t *buf, int result_len, phase1_handle_t *iph1) -{ - vchar_t *t = 0; - uint8_t byte_value; - vchar_t *result = 0; - uint8_t *p; - vchar_t *bp; - int bp_len; - uint8_t *tmp; - vchar_t *prf; - - /* - * (draft-17) - prf+ (K,S) = T1 | T2 | T3 | T4 | ... - - where: - T1 = prf (K, S | 0x01) - T2 = prf (K, T1 | S | 0x02) - T3 = prf (K, T2 | S | 0x03) - T4 = prf (K, T3 | S | 0x04) - */ - - if (!(result = vmalloc(result_len))) { - return NULL; - } - - /* - * initial T0 = empty - */ - t = 0; - p = (uint8_t *)result->v; - for (byte_value = 1; result_len > 0; ++byte_value) { - /* - * prf_output = prf(K, Ti-1 | S | byte) - */ - bp_len = buf->l + sizeof(byte_value); - if (t) { - bp_len += t->l; - } - bp = vmalloc(bp_len); - if (!bp) { - return NULL; - } - tmp = (__typeof__(tmp))bp->v; - - if (t) { - memcpy(tmp, t->v, t->l); - tmp += t->l; - } - memcpy(tmp, buf->v, buf->l); - tmp += buf->l; - memcpy(tmp, &byte_value, sizeof(byte_value)); - tmp += sizeof(byte_value); - - if (!(prf = oakley_prf(key, bp, iph1))) { - VPTRINIT(bp); - return (vchar_t *)-1; - } - VPTRINIT(bp); - - /* - * concat prf_output - */ - memcpy(p, prf->v, prf->l > (size_t)result_len ? (size_t)result_len : prf->l); - p += prf->l; - result_len -= prf->l; - - /* - * Ti = prf_output - */ - if (t) { - bzero(t->v, t->l); - vfree(t); - } - t = prf; - } - if (t) { - bzero(t->v, t->l); - vfree(t); - } - return result; -} - /* * compute SKEYID_[dae] */ int oakley_skeyid_dae(phase1_handle_t *iph1) { - vchar_t *buf = NULL, *bp = NULL; + vchar_t *buf = NULL; char *p; int len; int error = -1; @@ -2818,6 +2716,7 @@ oakley_skeyid_dae(phase1_handle_t *iph1) plog(ASL_LEVEL_ERR, "no SKEYID found.\n"); goto end; } + /* * see seciton 5. Exchanges in RFC 2409 * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0) 
@@ -2942,43 +2841,6 @@ oakley_compute_enckey(phase1_handle_t *iph1) "failed to get key buffer\n"); goto end; } - if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV2) { - iph1->key_p = vmalloc(keylen >> 3); - if (iph1->key_p == NULL) { - plog(ASL_LEVEL_ERR, - "failed to get key buffer\n"); - goto end; - } - - if (iph1->key->l <= iph1->skeyid_e->l) { - plog(ASL_LEVEL_DEBUG, - "%s setting key len %zd, val %d (len %zd)", __FUNCTION__, iph1->key->l, (int)iph1->skeyid_e->v[0], iph1->skeyid_e->l); - /* - * if length(Ka) <= length(SKEYID_e) - * Ka = first length(K) bit of SKEYID_e - */ - memcpy(iph1->key->v, iph1->skeyid_e->v, iph1->key->l); - } else { - plog(ASL_LEVEL_ERR, - "unexpected key length error (exp %zd, got %zd)", - iph1->key->l, iph1->skeyid_e->l); - goto end; - } - if (iph1->key_p->l <= iph1->skeyid_e_p->l) { - plog(ASL_LEVEL_DEBUG, - "%s setting peer key len %zd, val %d (len %zd)", __FUNCTION__, iph1->key_p->l, (int)iph1->skeyid_e_p->v[0], iph1->skeyid_e_p->l); - /* - * if length(Ka) <= length(SKEYID_e) - * Ka = first length(K) bit of SKEYID_e - */ - memcpy(iph1->key_p->v, iph1->skeyid_e_p->v, iph1->key_p->l); - } else { - plog(ASL_LEVEL_ERR, - "unexpected peer key length error (exp %zd, got %zd)", - iph1->key_p->l, iph1->skeyid_e_p->l); - goto end; - } - } /* set prf length */ prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype); @@ -3001,12 +2863,6 @@ oakley_compute_enckey(phase1_handle_t *iph1) int cplen; int subkey; - if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV2) { - plog(ASL_LEVEL_ERR, - "invalid key len (got %zu, expected %zu.\n", iph1->key->l, iph1->skeyid_e->l); - goto end; - } - /* * otherwise, * Ka = K1 | K2 | K3 
@@ -3304,64 +3160,6 @@ end: return newivm; } -/* - * Compute unpredictable IV for IKEv2. - */ -int -oakley_newiv_ikev2(phase1_handle_t * iph1) -{ - struct isakmp_ivm *newivm = NULL; - int iv_length; - - /* Get IV length */ - iv_length = alg_oakley_encdef_blocklen(iph1->approval->enctype); - if (iv_length == -1) { - plog(ASL_LEVEL_ERR, "Invalid encryption algorithm %d.\n", iph1->approval->enctype); - } - - /* Allocate IV Manager */ - newivm = racoon_calloc(1, sizeof(struct isakmp_ivm)); - if (newivm == NULL) { - plog(ASL_LEVEL_ERR, "Failed to allocate IV buffer.\n"); - return -1; - } - - /* Compute IV */ - /* There are two recommended methods for generating unpredictable IVs. The first method is to apply the forward cipher function, under the same key that is used for the encryption of the plaintext, to a nonce. The nonce must be a data block that is unique to each execution of the encryption operation. For example, the nonce may be a counter, as described in Appendix B, or a message number. The second method is to generate a random data block using a FIPS- approved random number generator. - [National Institute of Standards and Technology, U.S. - Department of Commerce, "Recommendation for Block Cipher - Modes of Operation", SP 800-38A, 2001.] - */ - /* Currently, we implement the second scheme, which uses a random block */ - newivm->iv = eay_set_random(iv_length); - if (newivm->iv == NULL) { - oakley_delivm(newivm); - return -1; - } - - /* Adjust length of IV */ - if (newivm->iv->l != iv_length) { - plog(ASL_LEVEL_WARNING, "IV length was adjusted.\n"); - newivm->iv->l = iv_length; - } - - /* Make copy of IV in IVe */ - if ((newivm->ive = vdup(newivm->iv)) == NULL) { - plog(ASL_LEVEL_ERR, "vdup (%s)\n", strerror(errno)); - oakley_delivm(newivm); - return -1; - } - - /* Delete old IV if there is one */ - if (iph1->ivm != NULL) - oakley_delivm(iph1->ivm); - - iph1->ivm = newivm; - - return 0; -} - - void oakley_delivm(struct isakmp_ivm *ivm) { 
@@ -3498,6 +3296,7 @@ oakley_do_decrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivdp, vchar_t *i if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { return(oakley_do_ikev1_decrypt(iph1, msg, ivdp, ivep)); } + plog(ASL_LEVEL_ERR, "Failed to decrypt invalid IKE version"); return NULL; } @@ -3608,7 +3407,6 @@ end: return buf; } - /* * encrypt packet. */ @@ -3618,6 +3416,7 @@ oakley_do_encrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivep, vchar_t *i if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { return(oakley_do_ikev1_encrypt(iph1, msg, ivep, ivp)); } + plog(ASL_LEVEL_ERR, "Failed to encrypt invalid IKE version"); return NULL; } diff --git a/ipsec-tools/racoon/oakley.h b/ipsec-tools/racoon/oakley.h index 026b05c..597e132 100644 --- a/ipsec-tools/racoon/oakley.h +++ b/ipsec-tools/racoon/oakley.h @@ -222,7 +222,6 @@ extern vchar_t *oakley_prf (vchar_t *, vchar_t *, phase1_handle_t *); extern vchar_t *oakley_hash (vchar_t *, phase1_handle_t *); extern int oakley_compute_keymat (phase2_handle_t *, int); -extern int oakley_compute_ikev2_keymat (phase2_handle_t *); #if notyet extern vchar_t *oakley_compute_hashx (void); @@ -255,7 +254,6 @@ extern cert_t *oakley_newcert (void); extern void oakley_delcert (cert_t *); extern int oakley_newiv (phase1_handle_t *); extern struct isakmp_ivm *oakley_newiv2 (phase1_handle_t *, u_int32_t); -extern int oakley_newiv_ikev2(phase1_handle_t *iph1); extern void oakley_delivm (struct isakmp_ivm *); extern vchar_t *oakley_do_decrypt (phase1_handle_t *, vchar_t *, vchar_t *, vchar_t *); extern vchar_t *oakley_do_encrypt (phase1_handle_t *, vchar_t *, vchar_t *, vchar_t *); diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index f977c02..665f69e 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c 
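Review bot: The plog messages added in oakley_do_decrypt and oakley_do_encrypt lack the trailing `\n` that every other plog call in this commit carries, and they do not report which version was rejected; `plog(ASL_LEVEL_ERR, "Failed to decrypt: invalid IKE version %d\n", iph1->version);` (and its encrypt twin) gives an operator something to act on. This assumes `iph1->version` is an integer type, which its comparison with ISAKMP_VERSION_NUMBER_IKEV1 suggests but the hunk does not show.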
@@ -101,8 +101,6 @@ #include "ipsecMessageTracer.h" #include "power_mgmt.h" #include "session.h" -#include "ikev2_rfc.h" -#include "api_support.h" #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC) #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC @@ -234,7 +232,6 @@ pfkey_process(msg) strerror(msg->sadb_msg_errno)); goto end; } - /* safety check */ if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) { @@ -794,6 +791,7 @@ pfkey_convertfromipsecdoi(iph2, proto_id, t_id, hashtype, if ((*a_keylen = keylen_aalg(hashtype)) == ~0) goto bad; *a_keylen >>= 3; + if (*e_type == SADB_EALG_NONE) { plog(ASL_LEVEL_ERR, "no ESP algorithm.\n"); goto bad; @@ -1096,7 +1094,6 @@ pk_sendupdate(iph2) u_int wsize = 4; /* XXX static size of window */ int proxy = 0; struct ph2natt natt; - struct satrns *tr; int authtype; /* sanity check */ @@ -1296,7 +1293,6 @@ pk_recvupdate(mhp) iph2->status); return -1; } - //%%%% fix for IKEv2 if (iph2->status != IKEV1_STATE_QUICK_I_ADDSA && iph2->status != IKEV1_STATE_QUICK_R_ADDSA) { plog(ASL_LEVEL_ERR, @@ -1409,7 +1405,6 @@ pk_sendadd(iph2) u_int wsize = 4; /* XXX static size of window */ int proxy = 0; struct ph2natt natt; - struct satrns *tr; int authtype; /* sanity check */ 
@@ -1709,31 +1704,29 @@ pk_recvexpire(mhp) /* turn off the timer for calling isakmp_ph2expire() */ SCHED_KILL(iph2->sce); + + fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); + + /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. */ + /* allocate buffer for status management of pfkey message */ + if (iph2->side == INITIATOR && + !ike_session_has_other_established_ph2(iph2->parent_session, iph2) && + !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) { + + ike_session_initph2(iph2); + + /* start isakmp initiation by using ident exchange */ + if (isakmp_post_acquire(iph2) < 0) { + plog(ASL_LEVEL_ERR, + "failed to begin ipsec sa " + "re-negotiation.\n"); + ike_session_unlink_phase2(iph2); + return -1; + } - fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); - - { - /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. */ - /* allocate buffer for status management of pfkey message */ - if (iph2->side == INITIATOR && - !ike_session_has_other_established_ph2(iph2->parent_session, iph2) && - !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) { - - ike_session_initph2(iph2); - - /* start isakmp initiation by using ident exchange */ - if (isakmp_post_acquire(iph2) < 0) { - plog(ASL_LEVEL_ERR, - "failed to begin ipsec sa " - "re-negotiation.\n"); - ike_session_unlink_phase2(iph2); - return -1; - } - - return 0; - /*NOTREACHED*/ - } - } + return 0; + /*NOTREACHED*/ + } /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */ diff --git a/ipsec-tools/racoon/plog.c b/ipsec-tools/racoon/plog.c index e3d33a3..93ad352 100644 --- a/ipsec-tools/racoon/plog.c +++ b/ipsec-tools/racoon/plog.c 
@@ -258,7 +258,7 @@ plogsetfile(file) } logfile = racoon_strdup(file); STRDUP_FATAL(logfile); - if ((logfile_fd = open(logfile, O_CREAT | O_WRONLY | O_APPEND | O_NOFOLLOW, 0)) >= 0) { + if ((logfile_fd = open(logfile, O_CREAT | O_WRONLY | O_APPEND | O_NOFOLLOW, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) >= 0) { asl_add_log_file(logRef, logfile_fd); } else { syslog(LOG_NOTICE, "%s: failed to add racoon log file: %s. error %d\n", __FUNCTION__, file? file:"bad file path", errno); diff --git a/ipsec-tools/racoon/proposal.c b/ipsec-tools/racoon/proposal.c index abb5a4c..62d3db6 100644 --- a/ipsec-tools/racoon/proposal.c +++ b/ipsec-tools/racoon/proposal.c @@ -72,7 +72,6 @@ #ifdef ENABLE_NATT #include "nattraversal.h" #endif -#include "ikev2_rfc.h" /* %%% * modules for ipsec sa spec @@ -640,7 +639,7 @@ set_satrnsbysainfo(struct saproto *pr, struct sainfo *sainfo, u_int8_t ike_versi } newtr->trns_no = t++; - newtr->trns_id = ipsecdoi_authalg2trnsid(a->alg); // IKEv1 only + newtr->trns_id = ipsecdoi_authalg2trnsid(a->alg); // IKEv1 only newtr->authtype = a->alg; inssatrns(pr, newtr); @@ -703,7 +702,7 @@ set_satrnsbysainfo(struct saproto *pr, struct sainfo *sainfo, u_int8_t ike_versi "unknown proto_id (%d).\n", pr->proto_id); goto err; } - + /* no proposal found */ if (pr->head == NULL) { plog(ASL_LEVEL_ERR, "no algorithms found.\n"); @@ -1050,8 +1049,6 @@ set_proposal_from_policy(iph2, sp_main, sp_sub) } skip1: - //%%%%%%s IKEv2 - no support for bundle - fix this - return error if bundle ??? - // %%%% need special handling for ipcomp for (req = sp_main->req; req; req = req->next) { struct saproto *newpr; caddr_t paddr = NULL; 
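Review bot: plogsetfile now creates the log file with mode 0644 (before umask) where it previously passed 0, so a freshly created racoon log becomes world-readable; unless other users are meant to read it, `S_IRUSR | S_IWUSR` is the least-privilege choice for a root daemon's log, and whichever mode is kept deserves a comment stating who the intended readers are. Keeping O_NOFOLLOW on the open is the right call. The rest of plogsetfile is outside the hunk.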
@@ -1153,13 +1150,14 @@ set_proposal_from_proposal(iph2) { struct saprop *newpp = NULL, *pp0, *pp_peer = NULL; struct saproto *newpr = NULL, *pr; - struct prop_pair **pair; + struct prop_pair **pair = NULL; int error = -1; int i; /* get proposal pair */ if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) pair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2); + if (pair == NULL) goto end; @@ -1266,7 +1264,6 @@ dupsatrns_1(struct satrns *tr) if (newtr == NULL) return NULL; newtr->trns_no = tr->trns_no; - newtr->trns_type = tr->trns_type; newtr->trns_id = tr->trns_id; newtr->encklen = tr->encklen; newtr->authtype = tr->authtype; @@ -1285,7 +1282,6 @@ dupsatrns(newpr, head) newtr = newsatrns(); if (newtr) { newtr->trns_no = p->trns_no; - newtr->trns_type = p->trns_type; newtr->trns_id = p->trns_id; newtr->encklen = p->encklen; newtr->authtype = p->authtype; diff --git a/ipsec-tools/racoon/proposal.h b/ipsec-tools/racoon/proposal.h index 381b43d..85eadbd 100644 --- a/ipsec-tools/racoon/proposal.h +++ b/ipsec-tools/racoon/proposal.h @@ -93,7 +93,6 @@ struct saproto { /* SA algorithm specification */ struct satrns { int trns_no; - int trns_type; /* IKEv2 only - transform type */ int trns_id; /* transform id */ int encklen; /* key length of encryption algorithm */ int authtype; /* authentication algorithm if ESP */ @@ -177,7 +176,6 @@ struct prop_pair { #define PROP_CHECK_STRICT 2 #define PROP_CHECK_CLAIM 3 #define PROP_CHECK_EXACT 4 -#define PROP_CHECK_IKEV2 5 struct sainfo; struct secpolicy; diff --git a/ipsec-tools/racoon/racoon_types.h b/ipsec-tools/racoon/racoon_types.h index bf1cbbd..ea8d017 100644 --- a/ipsec-tools/racoon/racoon_types.h +++ b/ipsec-tools/racoon/racoon_types.h @@ -28,5 +28,4 @@ typedef struct ike_session ike_session_t; typedef struct phase1handle phase1_handle_t; typedef struct phase2handle phase2_handle_t; -typedef struct ikev2_ike_sa_window ikev2_ike_sa_window_t; #endif /* _RACOON_TYPES_H */ 
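Review bot: In set_proposal_from_proposal a non-IKEv1 handle now leaves `pair` NULL and jumps to `end` with `error` still -1 but without any log line, which makes a misrouted handle hard to diagnose; the `if (pair == NULL)` check could log before the goto, e.g. `plog(ASL_LEVEL_ERR, "no proposal pair for this IKE version\n");`. The function body continues outside the hunk.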
diff --git a/ipsec-tools/racoon/remoteconf.c b/ipsec-tools/racoon/remoteconf.c index 09139c6..aea9b0b 100644 --- a/ipsec-tools/racoon/remoteconf.c +++ b/ipsec-tools/racoon/remoteconf.c @@ -358,6 +358,7 @@ duprmconf (struct remoteconf *rmconf) // zero-out pointers new->remote = NULL; + new->forced_local = NULL; new->keychainCertRef = NULL; /* peristant keychain ref for cert */ new->shared_secret = NULL; /* shared secret */ new->open_dir_auth_group = NULL; /* group to be used to authorize user */ @@ -420,6 +421,8 @@ delrmconf(struct remoteconf *rmconf) { if (rmconf->remote) racoon_free(rmconf->remote); + if (rmconf->forced_local) + racoon_free(rmconf->forced_local); #ifdef ENABLE_HYBRID if (rmconf->xauth) xauth_rmconf_delete(&rmconf->xauth); @@ -444,13 +447,6 @@ delrmconf(struct remoteconf *rmconf) vfree(rmconf->keychainCertRef); if (rmconf->open_dir_auth_group) vfree(rmconf->open_dir_auth_group); - - if (rmconf->eap_options) - CFRelease(rmconf->eap_options); - if (rmconf->eap_types) - deletypes(rmconf->eap_types); - if (rmconf->ikev2_cfg_request) - CFRelease(rmconf->ikev2_cfg_request); racoon_free(rmconf); } diff --git a/ipsec-tools/racoon/remoteconf.h b/ipsec-tools/racoon/remoteconf.h index aef7e76..7eed12f 100644 --- a/ipsec-tools/racoon/remoteconf.h +++ b/ipsec-tools/racoon/remoteconf.h @@ -168,11 +168,8 @@ struct remoteconf { int in_list; // in the linked list int refcount; // ref count - in use int ike_version; - - // IKEV2 configs - struct etypes *eap_types; - CFDictionaryRef eap_options; - CFDictionaryRef ikev2_cfg_request; + + struct sockaddr_storage *forced_local; /* forced local IP address */ TAILQ_ENTRY(remoteconf) chain; /* next remote conf */ }; diff --git a/ipsec-tools/racoon/session.c b/ipsec-tools/racoon/session.c index f561076..694ca2f 100644 --- a/ipsec-tools/racoon/session.c +++ b/ipsec-tools/racoon/session.c @@ -104,6 +104,9 @@ #include "sainfo.h" #include "power_mgmt.h" +#include +#include +#include extern pid_t racoon_pid; 
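Review bot: duprmconf sets `new->forced_local = NULL` but nothing in the hunk copies the source's forced_local into the duplicate, so if the other zeroed pointers are re-populated further down (outside the hunk) the copy silently loses its forced local address; if that is intended a comment on the line should say so, otherwise add `if (rmconf->forced_local) new->forced_local = dupsaddr(rmconf->forced_local);`, dupsaddr being what vpn.c uses in this commit to copy the same field. delrmconf releases the field with racoon_free, which is only correct if the parser that fills it allocates with the matching racoon allocator; that parser change is not in this chunk and is worth confirming.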
@@ -124,6 +127,8 @@ static int64_t racoon_keepalive = -1; dispatch_queue_t main_queue; +static NEPolicySessionRef policySession = NULL; + /* * This is used to (manually) update racoon's launchd keepalive, which is needed because racoon is (mostly) * launched on demand and for requires a keepalive on dirty/failure exits. 
@@ -146,6 +151,85 @@ launchd_update_racoon_keepalive (Boolean enabled) return racoon_keepalive; } +static CFUUIDRef +copy_racoon_proc_uuid(void) +{ + struct proc_uniqidentifierinfo procu; + CFUUIDBytes uuidBytes; + int size = 0; + + memset(&procu, 0, sizeof(procu)); + size = proc_pidinfo(getpid(), PROC_PIDUNIQIDENTIFIERINFO, 1, &procu, PROC_PIDUNIQIDENTIFIERINFO_SIZE); + if (size != PROC_PIDUNIQIDENTIFIERINFO_SIZE) { + return (NULL); + } + + memcpy(&uuidBytes, procu.p_uuid, sizeof(CFUUIDBytes)); + return CFUUIDCreateFromUUIDBytes(kCFAllocatorDefault, uuidBytes); +} + +static bool +policy_session_init(void) +{ + bool success = true; + policySession = NEPolicyCreateSession(kCFAllocatorDefault, CFSTR("racoon"), NULL, NULL); + if (policySession == NULL) { + return false; + } + + CFUUIDRef proc_uuid = copy_racoon_proc_uuid(); + if (proc_uuid == NULL) { + return false; + } + + CFMutableArrayRef conditions = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + if (conditions) { + CFMutableDictionaryRef uuidCondition = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + if (uuidCondition) { + CFDictionarySetValue(uuidCondition, kNEPolicyConditionType, kNEPolicyValPolicyConditionTypeApplication); + CFDictionarySetValue(uuidCondition, kNEPolicyApplicationUUID, proc_uuid); + CFArrayAppendValue(conditions, uuidCondition); + CFRelease(uuidCondition); + } else { + success = false; + } + + CFMutableDictionaryRef interfacesCondition = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + if (interfacesCondition) { + CFDictionarySetValue(interfacesCondition, kNEPolicyConditionType, kNEPolicyValPolicyConditionTypeAllInterfaces); + CFArrayAppendValue(conditions, interfacesCondition); + CFRelease(interfacesCondition); + } else { + success = false; + } + } else { + success = false; + } + + CFMutableDictionaryRef result = 
CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + if (result) { + CFDictionaryAddValue(result, kNEPolicyResult, kNEPolicyValPolicyResultPass); + } else { + success = false; + } + + if (success) { + success = (NEPolicyAdd(policySession, 0, conditions, result, NULL) != kNEPolicyIDInvalid); + } + + if (result) { + CFRelease(result); + } + if (conditions) { + CFRelease(conditions); + } + if (proc_uuid) { + CFRelease(proc_uuid); + } + + return (success && NEPolicyApply(policySession)); +} + // // Session // @@ -176,6 +260,11 @@ session(void) plog(ASL_LEVEL_ERR, "failed to initialize route socket.\n"); exit(1); } + + if (!policy_session_init()) { + plog(ASL_LEVEL_ERR, "failed to initialize NEPolicy session.\n"); + } + if (initmyaddr()) { plog(ASL_LEVEL_ERR, "failed to initialize listening addresses.\n"); exit(1); @@ -343,9 +432,13 @@ auto_exit_do(void *p) { plog(ASL_LEVEL_DEBUG, "performing auto exit\n"); +#if ENABLE_NO_SA_FLUSH + close_session(0); +#else pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC); sched_new(1, check_flushsa_stub, NULL); dying(); +#endif /* ENABLE_NO_SA_FLUSH */ } void @@ -439,13 +532,17 @@ check_sigreq() #if TARGET_OS_EMBEDDED if (no_remote_configs(TRUE)) { +#if ENABLE_NO_SA_FLUSH + close_session(0); +#else pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC); #ifdef ENABLE_FASTQUIT close_session(0); #else sched_new(1, check_flushsa_stub, NULL); -#endif +#endif /* ENABLE_FASTQUIT */ dying(); +#endif /* ENABLE_NO_SA_FLUSH */ } #endif @@ -455,7 +552,10 @@ check_sigreq() case SIGTERM: plog(ASL_LEVEL_INFO, "caught signal %d\n", sig); - pfkey_send_flush(lcconf->sock_pfkey, +#if ENABLE_NO_SA_FLUSH + close_session(0); +#else + pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC); if ( sig == SIGTERM ){ terminated = 1; /* in case if it hasn't been set yet */ 
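Review bot: policy_session_init returns false on the `proc_uuid == NULL` path without releasing the NEPolicySession it just created, so the global `policySession` is left pointing at a session that was never populated or applied; release and reset it before returning, `CFRelease(policySession); policySession = NULL; return false;`, and consider the same on the final failure return so a later caller cannot mistake the stale handle for a working session. In session(), a policy_session_init failure only logs while the route-socket and listening-address failures beside it exit(1); if running without the policy is acceptable, a one-line comment on that plog saying what degrades would help. copy_racoon_proc_uuid copies `sizeof(CFUUIDBytes)` bytes out of `procu.p_uuid`, which relies on p_uuid being a 16-byte uuid; a comment noting that assumption keeps it visible.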
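Review bot: With ENABLE_NO_SA_FLUSH set, the auto_exit_do, no_remote_configs and SIGTERM paths in check_sigreq call close_session(0) without the pfkey_send_flush, so the SAs racoon negotiated remain in the kernel after the daemon exits, and none of the three sites says who removes them afterwards; a comment at the first one, e.g. `/* ENABLE_NO_SA_FLUSH: exit without flushing kernel SAs; their removal is left to <owner — confirm> */`, would stop the next reader from re-adding the flush. The flag is tested with `#if` while the neighbouring ENABLE_FASTQUIT uses `#ifdef`; either works, but mixing the two invites -Wundef noise and confusion over whether the flag is boolean or presence-based. check_sigreq continues outside these hunks.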
@@ -465,6 +565,7 @@ check_sigreq() sched_new(1, check_flushsa_stub, NULL); dying(); +#endif /* ENABLE_NO_SA_FLUSH */ break; default: diff --git a/ipsec-tools/racoon/strnames.c b/ipsec-tools/racoon/strnames.c index 7f6733f..1987a37 100644 --- a/ipsec-tools/racoon/strnames.c +++ b/ipsec-tools/racoon/strnames.c @@ -70,7 +70,6 @@ #include "pfkey.h" #include "strnames.h" #include "algorithm.h" -#include "ikev2_rfc.h" struct ksmap { int key; diff --git a/ipsec-tools/racoon/vpn.c b/ipsec-tools/racoon/vpn.c index 11adf7c..29f6aef 100644 --- a/ipsec-tools/racoon/vpn.c +++ b/ipsec-tools/racoon/vpn.c @@ -135,15 +135,6 @@ vpn_connect(struct bound_addr *srv, int oper) ((struct sockaddr_in *)(dst))->sin_port = 500; ((struct sockaddr_in *)(dst))->sin_addr.s_addr = srv->address; - /* - * Find the source address - */ - if ((local = getlocaladdr((struct sockaddr *)dst)) == NULL) { - plog(ASL_LEVEL_ERR, - "cannot get local address\n"); - goto out1; - } - /* find appropreate configuration */ rmconf = getrmconf(dst); if (rmconf == NULL) { @@ -152,7 +143,20 @@ vpn_connect(struct bound_addr *srv, int oper) "for %s\n", saddrwop2str((struct sockaddr *)dst)); goto out1; } - + + /* + * Find the source address + */ + if (rmconf->forced_local != NULL) { + if ((local = dupsaddr(rmconf->forced_local)) == NULL) { + plog(ASL_LEVEL_ERR, "failed to duplicate local address\n"); + goto out1; + } + } else if ((local = getlocaladdr((struct sockaddr *)dst)) == NULL) { + plog(ASL_LEVEL_ERR, "cannot get local address\n"); + goto out1; + } + /* get remote IP address and port number. */ if ((remote = dupsaddr(dst)) == NULL) { plog(ASL_LEVEL_ERR, @@ -189,10 +193,8 @@ vpn_connect(struct bound_addr *srv, int oper) IPSECLOGASLMSG("IPSec connecting to server %s\n", saddrwop2str((struct sockaddr *)remote)); - { - if (ikev1_ph1begin_i(NULL, rmconf, remote, local, oper) < 0) - goto out1; - } + if (ikev1_ph1begin_i(NULL, rmconf, remote, local, oper) < 0) + goto out1; error = 0; out1: 
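Review bot: In vpn_connect the forced_local branch takes the configured address as-is, whereas the getlocaladdr path derives it from the route to `dst`; the hunk does not show where the local port is set on either path, so if getlocaladdr fills it in while the parsed forced_local does not, the two branches hand ikev1_ph1begin_i differently-ported addresses — worth confirming and, if so, setting the port after the `dupsaddr`. A forced address that is not actually assigned to an interface will only surface when the socket is bound later, so a debug line right after this block, `plog(ASL_LEVEL_DEBUG, "using forced local address %s\n", saddrwop2str((struct sockaddr *)local));`, makes that triage quicker. vpn_connect starts and ends outside the hunk.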
@@ -487,7 +489,6 @@ vpn_get_config(phase1_handle_t *iph1, struct vpnctl_status_phase_change **msg, s return 0; } - int vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len) { diff --git a/ipsec-tools/racoon/vpn_control.c b/ipsec-tools/racoon/vpn_control.c index 39c20a9..c26b310 100644 --- a/ipsec-tools/racoon/vpn_control.c +++ b/ipsec-tools/racoon/vpn_control.c @@ -222,6 +222,7 @@ vpncontrol_handler(void *unused) int sock; struct vpnctl_socket_elem *sock_elem; + sock_elem = racoon_malloc(sizeof(struct vpnctl_socket_elem)); if (sock_elem == NULL) { @@ -1021,6 +1022,7 @@ vpncontrol_close_comm(struct vpnctl_socket_elem *elem) } racoon_free(elem); check_auto_exit(); + } int diff --git a/ipsec.xcodeproj/project.pbxproj b/ipsec.xcodeproj/project.pbxproj index 64d7e29..33ec9e6 100644 --- a/ipsec.xcodeproj/project.pbxproj +++ b/ipsec.xcodeproj/project.pbxproj 
@@ -46,6 +46,29 @@ name = ipsec_libraries; productName = ipsec_libraries; }; + 78C83A04189841E800DB2F64 /* ipsec_libraries_embedded */ = { + isa = PBXAggregateTarget; + buildConfigurationList = 78C83A08189841E800DB2F64 /* Build configuration list for PBXAggregateTarget "ipsec_libraries_embedded" */; + buildPhases = ( + ); + dependencies = ( + 78C83A131898421900DB2F64 /* PBXTargetDependency */, + ); + name = ipsec_libraries_embedded; + productName = ipsec_libraries_embedded; + }; + 78C83A09189841FA00DB2F64 /* ipsec_executables_embedded */ = { + isa = PBXAggregateTarget; + buildConfigurationList = 78C83A0A189841FA00DB2F64 /* Build configuration list for PBXAggregateTarget "ipsec_executables_embedded" */; + buildPhases = ( + ); + dependencies = ( + 78C83A111898421300DB2F64 /* PBXTargetDependency */, + 78C83A0F1898421100DB2F64 /* PBXTargetDependency */, + ); + name = ipsec_executables_embedded; + productName = ipsec_executables_embedded; + }; 812530AA0D3FE994006BDF4F /* IPSec Embedded (Aggregate) */ = { isa = PBXAggregateTarget; buildConfigurationList = 812530B50D3FE994006BDF4F /* Build configuration list for PBXAggregateTarget "IPSec Embedded (Aggregate)" */; 
@@ -126,17 +149,16 @@ 25F259610988657000D15623 /* throttle.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259210988657000D15623 /* throttle.c */; }; 25F259620988657000D15623 /* vendorid.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259240988657000D15623 /* vendorid.c */; }; 25F259630988657000D15623 /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; }; - 72171DAF166443AB0050B3B9 /* eap_aka.c in Sources */ = {isa = PBXBuildFile; fileRef = 72171DAE166443AB0050B3B9 /* eap_aka.c */; }; 72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; }; 723B6A30162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; }; 723B6A31162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; }; 724ED87916851AAC008F2EBD /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; }; 724ED87A16851AB6008F2EBD /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; }; - 727FA360163A1A25000A3986 /* ipsec_interface.c in Sources */ = {isa = PBXBuildFile; fileRef = 727FA35F163A1A24000A3986 /* ipsec_interface.c */; }; - 727FA361163A1A25000A3986 /* ipsec_interface.c in Sources */ = {isa = PBXBuildFile; fileRef = 727FA35F163A1A24000A3986 /* ipsec_interface.c */; }; 72B433770E3677D800D67508 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; }; 72F5C72E1607A1AE004C192F /* api_support.c in Sources */ = {isa = PBXBuildFile; fileRef = 72F5C72D1607A1AE004C192F /* api_support.c */; }; 72F5C72F1607A1AE004C192F /* api_support.c in Sources */ = {isa = PBXBuildFile; fileRef = 72F5C72D1607A1AE004C192F /* api_support.c */; }; + 7822D11E188DB07300874E91 /* 
NetworkExtension.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 7822D11D188DB07300874E91 /* NetworkExtension.framework */; }; + 7822D120188DB07C00874E91 /* NetworkExtension.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 7822D11F188DB07C00874E91 /* NetworkExtension.framework */; }; 812530C30D3FE9DC006BDF4F /* algorithm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AE0988657000D15623 /* algorithm.c */; }; 812530C50D3FE9DC006BDF4F /* cfparse.y in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B40988657000D15623 /* cfparse.y */; }; 812530C60D3FE9DC006BDF4F /* cftoken.l in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B60988657000D15623 /* cftoken.l */; }; @@ -224,7 +246,6 @@ 834072A90EDCC5AC00B6CCE8 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; }; 8D5B16750E5F7F4E00E72675 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8D5B16230E5F7E9300E72675 /* libresolv.dylib */; }; 8D5B167D0E5F7F9F00E72675 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8D5B16230E5F7E9300E72675 /* libresolv.dylib */; }; - BA04622B1562E6E400EF348A /* EAP8021X.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA04622A1562E6E400EF348A /* EAP8021X.framework */; }; BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; }; BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; }; BA48611C109C2BBA00545E19 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA48611B109C2BBA00545E19 /* IOKit.framework */; }; 
@@ -236,26 +257,13 @@ BA5B6F310EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */; }; BA5B6F320EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */; }; BA64A934114EFE8C00F3574C /* racoon.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = BA64A933114EFE5C00F3574C /* racoon.sb */; }; - BA64A935114EFE9900F3574C /* racoon.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = BA64A933114EFE5C00F3574C /* racoon.sb */; }; BA6F109B0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; }; BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; }; BA7777A11107EBCE00DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; }; BA7777A21107EBF600DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; }; - BA8BE71815655D360068DEB9 /* eap_sim.c in Sources */ = {isa = PBXBuildFile; fileRef = BA8BE71615655D360068DEB9 /* eap_sim.c */; }; - BA952E79156704DF00B07934 /* eap.c in Sources */ = {isa = PBXBuildFile; fileRef = BA952E77156704DF00B07934 /* eap.c */; }; - BAC2E175146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */; }; - BAC2E176146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */; }; - BAC2E177146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */; }; - BAC2E178146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c 
*/; }; - BAC2E179146DFD06009D4506 /* ikev2_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E172146DFD05009D4506 /* ikev2_rfc.c */; }; - BAC2E17A146DFD06009D4506 /* ikev2_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E172146DFD05009D4506 /* ikev2_rfc.c */; }; BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; }; BACD8C6A1496A50C0042DEA1 /* Preferences.c in Sources */ = {isa = PBXBuildFile; fileRef = BACD8C681496A50C0042DEA1 /* Preferences.c */; }; BACD8C6B1496A50C0042DEA1 /* Preferences.c in Sources */ = {isa = PBXBuildFile; fileRef = BACD8C681496A50C0042DEA1 /* Preferences.c */; }; - BACF4E5F146F909E008F04FC /* ikev2_info_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */; }; - BACF4E60146F909E008F04FC /* ikev2_info_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */; }; - BACF4E631470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */; }; - BACF4E641470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */; }; /* End PBXBuildFile section */ /* Begin PBXContainerItemProxy section */ 
@@ -294,28 +302,35 @@ remoteGlobalIDString = 72B3C2081684F5C4004E4548; remoteInfo = ipsec_executables; }; - 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */ = { + 78C83A0E1898421100DB2F64 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; remoteGlobalIDString = 812530BA0D3FE9DC006BDF4F; - remoteInfo = "racoon arm"; + remoteInfo = "racoon Embedded"; }; - 81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */ = { + 78C83A101898421300DB2F64 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 81DDFDB80D622C2700C5CB87; - remoteInfo = "libipsec Embedded"; + remoteGlobalIDString = 81DDFD970D622C1700C5CB87; + remoteInfo = "setkey Embedded"; }; - 81DDFDDE0D622D1700C5CB87 /* PBXContainerItemProxy */ = { + 78C83A121898421900DB2F64 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; remoteGlobalIDString = 81DDFDB80D622C2700C5CB87; remoteInfo = "libipsec Embedded"; }; - 81DDFDE30D622D8C00C5CB87 /* PBXContainerItemProxy */ = { + 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 23D2D790087071FC00C51098 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 812530BA0D3FE9DC006BDF4F; + remoteInfo = "racoon arm"; + }; + 81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; 
@@ -519,16 +534,6 @@ ); runOnlyForDeploymentPostprocessing = 1; }; - BA64A932114EFE4400F3574C /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = /usr/local/share/sandbox/profiles/embedded/builtin; - dstSubfolderSpec = 0; - files = ( - BA64A935114EFE9900F3574C /* racoon.sb in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; - }; BAA6806112B17CF900ACF6D3 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; 
@@ -673,15 +678,14 @@ 25F259270988657000D15623 /* vmbuf.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = vmbuf.h; sourceTree = ""; }; 25F777B909ABE3E100C99783 /* key_debug.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = key_debug.c; path = Common/key_debug.c; sourceTree = ""; }; 25F777ED09ABE58400C99783 /* pfkey_dump.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = pfkey_dump.c; path = Common/pfkey_dump.c; sourceTree = ""; }; - 72171DAE166443AB0050B3B9 /* eap_aka.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = eap_aka.c; sourceTree = ""; }; 72265DDB0F818F9300730A7D /* ipsec.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist; path = ipsec.plist; sourceTree = ""; }; 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = xpc_racoon.c; sourceTree = ""; }; 723B6A33162F7C1100895EE5 /* ipsec_xpc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ipsec_xpc.h; sourceTree = ""; }; 724F99500E3672FD00C56897 /* com.apple.racoon.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.racoon.plist; sourceTree = ""; }; - 727FA35F163A1A24000A3986 /* ipsec_interface.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ipsec_interface.c; sourceTree = ""; }; - 727FA362163A1A43000A3986 /* ipsec_interface.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ipsec_interface.h; sourceTree = ""; }; 72F5C72D1607A1AE004C192F /* api_support.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = api_support.c; sourceTree = ""; }; 72F5C7311607A1DD004C192F /* api_support.h */ = {isa = PBXFileReference; lastKnownFileType 
= sourcecode.c.h; path = api_support.h; sourceTree = ""; }; + 7822D11D188DB07300874E91 /* NetworkExtension.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = NetworkExtension.framework; path = ../../../../../System/Library/Frameworks/NetworkExtension.framework; sourceTree = ""; }; + 7822D11F188DB07C00874E91 /* NetworkExtension.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = NetworkExtension.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.0.Internal.sdk/System/Library/Frameworks/NetworkExtension.framework; sourceTree = DEVELOPER_DIR; }; 8125310A0D3FE9DC006BDF4F /* racoon */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = racoon; sourceTree = BUILT_PRODUCTS_DIR; }; 812A64EC0D4AA082004CB7EB /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = SDKs/Purple/System/Library/Frameworks/Security.framework; sourceTree = DEVELOPER_DIR; }; 81657D551457582300B8A054 /* racoon_types.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = racoon_types.h; sourceTree = ""; }; 
@@ -701,7 +705,6 @@ 81EDB0670B5D8D7000840BC7 /* ipsec_dump_policy.3 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; name = ipsec_dump_policy.3; path = libipsec/ipsec_dump_policy.3; sourceTree = ""; }; 81EDB0680B5D8D8900840BC7 /* ipsec_get_policylen.3 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; name = ipsec_get_policylen.3; path = libipsec/ipsec_get_policylen.3; sourceTree = ""; }; 8D5B16230E5F7E9300E72675 /* libresolv.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libresolv.dylib; path = /usr/lib/libresolv.dylib; sourceTree = ""; }; - BA04622A1562E6E400EF348A /* EAP8021X.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = EAP8021X.framework; path = System/Library/PrivateFrameworks/EAP8021X.framework; sourceTree = SDKROOT; }; BA485FA1109C1ECA00545E19 /* power_mgmt.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = power_mgmt.c; sourceTree = ""; }; BA485FA6109C243900545E19 /* power_mgmt.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = power_mgmt.h; sourceTree = ""; }; BA48611B109C2BBA00545E19 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; }; 
@@ -716,23 +719,9 @@ BA64A933114EFE5C00F3574C /* racoon.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = racoon.sb; sourceTree = ""; }; BA6F10940EA1D67700546773 /* ike_session.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ike_session.h; sourceTree = ""; }; BA6F109A0EA1DEC200546773 /* ike_session.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ike_session.c; sourceTree = ""; }; - BA8BE71615655D360068DEB9 /* eap_sim.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = eap_sim.c; sourceTree = ""; }; - BA8BE71715655D360068DEB9 /* eap_sim.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = eap_sim.h; sourceTree = ""; }; - BA952E77156704DF00B07934 /* eap.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = eap.c; sourceTree = ""; }; - BA952E78156704DF00B07934 /* eap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = eap.h; sourceTree = ""; }; - BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_ike_sa_rfc.c; sourceTree = ""; }; - BAC2E16D146DFD05009D4506 /* ikev2_ike_sa_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_ike_sa_rfc.h; sourceTree = ""; }; - BAC2E16E146DFD05009D4506 /* ikev2_info_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_info_rfc.h; sourceTree = ""; }; - BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_ipsec_sa_rfc.c; sourceTree = ""; }; - BAC2E170146DFD05009D4506 /* ikev2_ipsec_sa_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path 
= ikev2_ipsec_sa_rfc.h; sourceTree = ""; }; - BAC2E172146DFD05009D4506 /* ikev2_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_rfc.c; sourceTree = ""; }; - BAC2E173146DFD06009D4506 /* ikev2_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_rfc.h; sourceTree = ""; }; - BAC2E174146DFD06009D4506 /* ikev2_sessresume_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_sessresume_rfc.h; sourceTree = ""; }; BACBF18B10290AE000BBFC85 /* ipsec.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = ipsec.txt; sourceTree = ""; }; BACD8C681496A50C0042DEA1 /* Preferences.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = Preferences.c; sourceTree = ""; }; BACD8C691496A50C0042DEA1 /* Preferences.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Preferences.h; sourceTree = ""; }; - BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_info_rfc.c; sourceTree = ""; }; - BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_sessresume_rfc.c; sourceTree = ""; }; C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; name = AspenSDK.xcconfig; path = AppleInternal/XcodeConfig/AspenSDK.xcconfig; sourceTree = DEVELOPER_DIR; }; /* End PBXFileReference section */ 
@@ -748,6 +737,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 7822D11E188DB07300874E91 /* NetworkExtension.framework in Frameworks */, 81C387570D45208700975D5E /* DirectoryService.framework in Frameworks */, 81C387560D45208700975D5E /* Security.framework in Frameworks */, 25EAE8C109D87B080042CC7F /* CoreFoundation.framework in Frameworks */, @@ -773,7 +763,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - BA04622B1562E6E400EF348A /* EAP8021X.framework in Frameworks */, + 7822D120188DB07C00874E91 /* NetworkExtension.framework in Frameworks */, 8D5B167D0E5F7F9F00E72675 /* libresolv.dylib in Frameworks */, 817FFC4E0D6134A7004A8DD8 /* libipsec.A.dylib in Frameworks */, 812530F80D3FE9DC006BDF4F /* libiconv.dylib in Frameworks */, @@ -806,7 +796,6 @@ 23D2D78C087071FC00C51098 = { isa = PBXGroup; children = ( - BA04622A1562E6E400EF348A /* EAP8021X.framework */, BA64A933114EFE5C00F3574C /* racoon.sb */, BACBF18B10290AE000BBFC85 /* ipsec.txt */, 72265DDB0F818F9300730A7D /* ipsec.plist */, @@ -866,6 +855,8 @@ 25D3DB4C098998230025F703 /* Frameworks */ = { isa = PBXGroup; children = ( + 7822D11F188DB07C00874E91 /* NetworkExtension.framework */, + 7822D11D188DB07300874E91 /* NetworkExtension.framework */, 81C964580DA2CBEF00257BC8 /* SystemConfiguration.framework */, 81C9645D0DA2CC2D00257BC8 /* SystemConfiguration.framework */, 812A64EC0D4AA082004CB7EB /* Security.framework */, 
@@ -952,16 +943,6 @@ 25F258CE0988657000D15623 /* handler.h */, BA6F109A0EA1DEC200546773 /* ike_session.c */, BA6F10940EA1D67700546773 /* ike_session.h */, - BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */, - BAC2E16D146DFD05009D4506 /* ikev2_ike_sa_rfc.h */, - BAC2E16E146DFD05009D4506 /* ikev2_info_rfc.h */, - BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */, - BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */, - BAC2E170146DFD05009D4506 /* ikev2_ipsec_sa_rfc.h */, - BAC2E172146DFD05009D4506 /* ikev2_rfc.c */, - BAC2E173146DFD06009D4506 /* ikev2_rfc.h */, - BAC2E174146DFD06009D4506 /* ikev2_sessresume_rfc.h */, - BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */, 25F258CF0988657000D15623 /* ipsec_doi.c */, 25F258D00988657000D15623 /* ipsec_doi.h */, BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */, @@ -1043,14 +1024,7 @@ 25DE2DE60A8BD40E0010A46D /* vpn_control.c */, 25DE2DE70A8BD40E0010A46D /* vpn_control.h */, 81CA08910CE3BC870055C0AF /* vpn.c */, - BA8BE71615655D360068DEB9 /* eap_sim.c */, - 72171DAE166443AB0050B3B9 /* eap_aka.c */, - BA8BE71715655D360068DEB9 /* eap_sim.h */, - BA952E77156704DF00B07934 /* eap.c */, - BA952E78156704DF00B07934 /* eap.h */, BA5B6F4F0EC1A136003774E7 /* vpn.h */, - 727FA35F163A1A24000A3986 /* ipsec_interface.c */, - 727FA362163A1A43000A3986 /* ipsec_interface.h */, 72F5C72D1607A1AE004C192F /* api_support.c */, 72F5C7311607A1DD004C192F /* api_support.h */, 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */, @@ -1183,14 +1157,12 @@ 812530FF0D3FE9DC006BDF4F /* CopyFiles */, 812531020D3FE9DC006BDF4F /* CopyFiles */, 725F453B0E36A15C005BB55C /* CopyFiles */, - BA64A932114EFE4400F3574C /* CopyFiles */, 812531040D3FE9DC006BDF4F /* ShellScript */, 834072BB0EDCC5C400B6CCE8 /* CopyFiles */, ); buildRules = ( ); dependencies = ( - 81DDFDDF0D622D1700C5CB87 /* PBXTargetDependency */, ); name = "racoon Embedded"; productName = racoon; 
@@ -1209,7 +1181,6 @@ buildRules = ( ); dependencies = ( - 81DDFDE40D622D8C00C5CB87 /* PBXTargetDependency */, ); name = "setkey Embedded"; productName = setkey; @@ -1265,6 +1236,8 @@ 25F258090987FC1500D15623 /* setkey */, 2537A1A709E4864800D0ECDA /* libipsec */, 812530AA0D3FE994006BDF4F /* IPSec Embedded (Aggregate) */, + 78C83A09189841FA00DB2F64 /* ipsec_executables_embedded */, + 78C83A04189841E800DB2F64 /* ipsec_libraries_embedded */, 812530BA0D3FE9DC006BDF4F /* racoon Embedded */, 81DDFD970D622C1700C5CB87 /* setkey Embedded */, 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */, @@ -1419,15 +1392,9 @@ BA5B6F2B0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */, BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */, 81CBCFE91447A1C20000D6E6 /* fsm.c in Sources */, - BAC2E175146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */, - BAC2E177146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */, - BAC2E179146DFD06009D4506 /* ikev2_rfc.c in Sources */, - BACF4E5F146F909E008F04FC /* ikev2_info_rfc.c in Sources */, - BACF4E631470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */, BACD8C6A1496A50C0042DEA1 /* Preferences.c in Sources */, 72F5C72E1607A1AE004C192F /* api_support.c in Sources */, 723B6A30162F7BE300895EE5 /* xpc_racoon.c in Sources */, - 727FA360163A1A25000A3986 /* ipsec_interface.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -1497,18 +1464,9 @@ BA5B6F2C0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */, BA5B6F2D0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */, BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */, - BAC2E176146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */, - BAC2E178146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */, - BAC2E17A146DFD06009D4506 /* ikev2_rfc.c in Sources */, - BACF4E60146F909E008F04FC /* ikev2_info_rfc.c in Sources */, - BACF4E641470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */, BACD8C6B1496A50C0042DEA1 /* Preferences.c in Sources */, - BA8BE71815655D360068DEB9 /* eap_sim.c in Sources */, - BA952E79156704DF00B07934 /* eap.c in Sources */, 72F5C72F1607A1AE004C192F /* api_support.c in Sources */, 723B6A31162F7BE300895EE5 /* xpc_racoon.c in Sources */, - 727FA361163A1A25000A3986 /* ipsec_interface.c in Sources */, - 72171DAF166443AB0050B3B9 /* eap_aka.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -1566,25 +1524,30 @@ target = 72B3C2081684F5C4004E4548 /* ipsec_executables */; targetProxy = 72B3C21816850CC5004E4548 /* PBXContainerItemProxy */; }; - 812531110D3FEA28006BDF4F /* PBXTargetDependency */ = { + 78C83A0F1898421100DB2F64 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 812530BA0D3FE9DC006BDF4F /* racoon Embedded */; - targetProxy = 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */; + targetProxy = 78C83A0E1898421100DB2F64 /* PBXContainerItemProxy */; }; - 81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */ = { + 78C83A111898421300DB2F64 /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */; - targetProxy = 81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */; + target = 81DDFD970D622C1700C5CB87 /* setkey Embedded */; + targetProxy = 78C83A101898421300DB2F64 /* PBXContainerItemProxy */; }; - 81DDFDDF0D622D1700C5CB87 /* PBXTargetDependency */ = { + 78C83A131898421900DB2F64 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */; - targetProxy = 81DDFDDE0D622D1700C5CB87 /* PBXContainerItemProxy */; + targetProxy = 78C83A121898421900DB2F64 /* PBXContainerItemProxy */; + }; + 812531110D3FEA28006BDF4F /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 812530BA0D3FE9DC006BDF4F /* racoon Embedded */; + targetProxy = 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */; }; - 81DDFDE40D622D8C00C5CB87 /* PBXTargetDependency */ = { + 81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */; - targetProxy = 81DDFDE30D622D8C00C5CB87 /* PBXContainerItemProxy */; + targetProxy = 81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */; }; 81DDFDF10D627DE300C5CB87 /* PBXTargetDependency */ = { isa = PBXTargetDependency; 
@@ -1747,6 +1710,8 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = "$(ARCHS_STANDARD_64_BIT)"; + CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements-mac.plist"; + CODE_SIGN_IDENTITY = "-"; COPY_PHASE_STRIP = NO; FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; @@ -1802,6 +1767,8 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = "$(ARCHS_STANDARD_64_BIT)"; + CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements-mac.plist"; + CODE_SIGN_IDENTITY = "-"; COPY_PHASE_STRIP = NO; DSTROOT = "/tmp/$(PROJECT_NAME).dst"; FRAMEWORK_SEARCH_PATHS = ""; @@ -1854,6 +1821,8 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = "$(ARCHS_STANDARD_64_BIT)"; + CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements-mac.plist"; + CODE_SIGN_IDENTITY = "-"; COPY_PHASE_STRIP = NO; DSTROOT = "/tmp/$(PROJECT_NAME).dst"; FRAMEWORK_SEARCH_PATHS = ""; 
@@ -2095,6 +2064,48 @@ }; name = Default; }; + 78C83A05189841E800DB2F64 /* Development */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Development; + }; + 78C83A06189841E800DB2F64 /* Deployment */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Deployment; + }; + 78C83A07189841E800DB2F64 /* Default */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Default; + }; + 78C83A0B189841FA00DB2F64 /* Development */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Development; + }; + 78C83A0C189841FA00DB2F64 /* Deployment */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Deployment; + }; + 78C83A0D189841FA00DB2F64 /* Default */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Default; + }; 812530B60D3FE994006BDF4F /* Development */ = { isa = XCBuildConfiguration; baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; 
@@ -2649,6 +2660,26 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Default; }; + 78C83A08189841E800DB2F64 /* Build configuration list for PBXAggregateTarget "ipsec_libraries_embedded" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 78C83A05189841E800DB2F64 /* Development */, + 78C83A06189841E800DB2F64 /* Deployment */, + 78C83A07189841E800DB2F64 /* Default */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Default; + }; + 78C83A0A189841FA00DB2F64 /* Build configuration list for PBXAggregateTarget "ipsec_executables_embedded" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 78C83A0B189841FA00DB2F64 /* Development */, + 78C83A0C189841FA00DB2F64 /* Deployment */, + 78C83A0D189841FA00DB2F64 /* Default */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Default; + }; 812530B50D3FE994006BDF4F /* Build configuration list for PBXAggregateTarget "IPSec Embedded (Aggregate)" */ = { isa = XCConfigurationList; buildConfigurations = ( diff --git a/racoon.sb b/racoon.sb index 8aefd9c..ec52313 100644 --- a/racoon.sb +++ b/racoon.sb @@ -23,7 +23,9 @@ (subpath "/Library/Managed\ Preferences") (subpath "/Library/Preferences") (subpath "/private/var/root") - (literal "/private/var/db/mds/messages/se_SecurityMessages")) + (literal "/private/var/mobile/Library/Caches/com.apple.MobileGestalt.plist") + (literal "/private/var/db/mds/messages/se_SecurityMessages") + (literal "/private/var/db/icu")) (allow file-write* (literal "/private/var/run/racoon.sock") 
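Review bot: The two new `file-read*` literals (`/private/var/mobile/Library/Caches/com.apple.MobileGestalt.plist`, `/private/var/db/icu`) and the six new `mach-lookup` names plus the `ipc-posix-shm-read*` rule in the following racoon.sb hunk are added without any comment saying which code path needs them, so a later maintainer cannot tell whether an entry is still required once that code changes. racoon handles network-facing IKE input, so every extra sandbox allowance is reachable from a parser bug and should carry a one-line rationale, e.g. `; nehelper: NetworkExtension client` above `(global-name "com.apple.nehelper")` and `; cfprefsd: CFPreferences access` above the `cfprefsd` entries and the `apple.shm.cfprefsd` regex, with a similar line naming the consumer of `com.apple.commcenter.xpc` and `com.apple.aggregated`. The pair `(global-name "com.apple.cfprefsd.agent")` / `(local-name "com.apple.cfprefsd.agent")` also looks broader than a system daemon is likely to need; if only the daemon endpoint is actually looked up, the two agent entries can be dropped.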
@@ -50,7 +52,16 @@
 (allow mach-lookup
 (global-name "com.apple.SecurityServer")
 (global-name "com.apple.SystemConfiguration.configd")
- (global-name "com.apple.ocspd"))
+ (global-name "com.apple.ocspd")
+ (global-name "com.apple.commcenter.xpc")
+ (global-name "com.apple.aggregated")
+ (global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.cfprefsd.agent")
+ (local-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.nehelper"))
+
+(allow ipc-posix-shm-read*
+ (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
 
 ;;;;;; Common system sandbox rules ;;;;;;