From 4aae5213ac6b23efbfc7eda20872343e43247100 Mon Sep 17 00:00:00 2001 From: Apple Date: Fri, 31 Jan 2020 01:57:36 +0000 Subject: [PATCH] ipsec-326.tar.gz --- ipsec-tools/Common/config.h | 18 ++--- ipsec-tools/Common/ipsecMessageTracer.h | 8 +- ipsec-tools/racoon/crypto_cssm.c | 24 +++--- ipsec-tools/racoon/handler.h | 2 +- ipsec-tools/racoon/isakmp_var.h | 2 +- ipsec-tools/racoon/localconf.h | 8 +- ipsec-tools/racoon/main.c | 8 +- ipsec-tools/racoon/pfkey_racoon.c | 4 +- ipsec-tools/racoon/power_mgmt.c | 4 +- ipsec-tools/racoon/remoteconf.c | 8 +- ipsec-tools/racoon/session.c | 32 +++++--- ipsec-tools/racoon/vpn_control.c | 98 ++++--------------------- ipsec.xcodeproj/project.pbxproj | 6 ++ 13 files changed, 85 insertions(+), 137 deletions(-) diff --git a/ipsec-tools/Common/config.h b/ipsec-tools/Common/config.h index 5ded22d..0aff053 100644 --- a/ipsec-tools/Common/config.h +++ b/ipsec-tools/Common/config.h @@ -84,26 +84,26 @@ #define ENABLE_DNSSEC_CERTS 0 /* Define to 1 if keychain is used */ -#if TARGET_OS_EMBEDDED +#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #undef HAVE_KEYCHAIN -#else +#else // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #define HAVE_KEYCHAIN 1 -#endif +#endif // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) /* Define to 1 if keychain is used */ -#if TARGET_OS_EMBEDDED +#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #undef HAVE_SECURITY_FRAMEWORK -#else +#else // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #define HAVE_SECURITY_FRAMEWORK 1 -#endif +#endif // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) /* Define to 1 if Open Dir available */ -#if TARGET_OS_EMBEDDED +#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #undef HAVE_OPENDIR -#else +#else // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #define HAVE_OPENDIR 1 -#endif +#endif // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #define HAVE_NETINET6_IPSEC 1 diff --git a/ipsec-tools/Common/ipsecMessageTracer.h b/ipsec-tools/Common/ipsecMessageTracer.h index 051c54e..4f6c80b 100644 
--- a/ipsec-tools/Common/ipsecMessageTracer.h +++ b/ipsec-tools/Common/ipsecMessageTracer.h @@ -44,7 +44,7 @@ #define IPSECASLDOMAIN CONSTSTR("com.apple.Networking.ipsec.asl") #define IPSECASLKEY CONSTSTR("IPSEC") -#if TARGET_OS_EMBEDDED +#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #define IPSECCONFIGTRACEREVENT(config, eventCode, message, failure_reason) @@ -55,7 +55,7 @@ #define IPSECSESSIONTRACERSTOP(session, is_failure, reason) #define IPSECSESSIONTRACERESTABLISHED(session) -#else +#else // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #define IPSECCONFIGTRACEREVENT(config, eventCode, message, failure_reason) ipsecConfigTracerEvent(config, eventCode, message, failure_reason) @@ -66,9 +66,9 @@ #define IPSECSESSIONTRACERSTOP(session, is_failure, reason) ipsecSessionTracerStop(session, is_failure, reason) #define IPSECSESSIONTRACERESTABLISHED(session) ipsecSessionTracerLogEstablished(session) -#endif +#endif // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) -#if 1 //TARGET_OS_EMBEDDED +#if 1 #define IPSECLOGASLMSG(format, args...) plog(ASL_LEVEL_NOTICE, format, ##args); #else #define IPSECLOGASLMSG(format, args...) do { \ diff --git a/ipsec-tools/racoon/crypto_cssm.c b/ipsec-tools/racoon/crypto_cssm.c index 008ba51..4e367d0 100644 --- a/ipsec-tools/racoon/crypto_cssm.c +++ b/ipsec-tools/racoon/crypto_cssm.c @@ -51,13 +51,13 @@ #include #endif #include -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #include #include #include #include #include -#endif +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #include "plog.h" #include "debug.h" #include "misc.h" 
@@ -307,14 +307,14 @@ vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash) CFDictionaryRef persistFind = NULL; const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef, kSecClass, -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) kSecUseSystemKeychain, -#endif +#endif // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) }; const void *values_persist[] = { kCFBooleanTrue, persistentCertRef, kSecClassIdentity, -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) kCFBooleanTrue, -#endif +#endif // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) }; #define SIG_BUF_SIZE 1024 @@ -383,14 +383,14 @@ vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, CFDataRef certData = NULL; SecIdentityRef identityRef = NULL; const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef, kSecClass, -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) kSecUseSystemKeychain, -#endif +#endif // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) }; const void *values_persist[] = { kCFBooleanTrue, persistentCertRef, kSecClassIdentity, -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) kCFBooleanTrue, -#endif +#endif // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) }; /* find identity by persistent ref */ @@ -568,14 +568,14 @@ GetSecurityErrorString(OSStatus err) case errSecNotAvailable: return "errSecNotAvailable"; -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) case memFullErr: return "memFullErr"; case paramErr: return "paramErr"; case unimpErr: return "unimpErr"; -#endif +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #ifndef HAVE_OPENSSL /* SecBase.h: */ diff --git a/ipsec-tools/racoon/handler.h b/ipsec-tools/racoon/handler.h index dbef8b7..1756c09 100644 --- a/ipsec-tools/racoon/handler.h +++ b/ipsec-tools/racoon/handler.h 
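Review bot: The two `keys_persist`/`values_persist` tables here (and again in `@@ -383` for crypto_cssm_get_x509cert) change their guard from `TARGET_OS_EMBEDDED || TARGET_OS_IPHONE` to `(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)`, which unlike the other `TARGET_OS_EMBEDDED` renames in this commit is not a pure equivalence: a simulator build previously added `kSecUseSystemKeychain` to the identity query and now does not, so the lookup falls back to the default keychain search there. If that narrowing is intended, it deserves a one-line comment on the `#if`, e.g. `// kSecUseSystemKeychain is intentionally omitted on the simulator`; if not, the old condition should be kept for these two tables. Both enclosing functions start and end outside the hunks.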
@@ -51,7 +51,7 @@ #endif #include -#include +#include "schedule.h" #if __has_include() #include diff --git a/ipsec-tools/racoon/isakmp_var.h b/ipsec-tools/racoon/isakmp_var.h index bdec506..f9719dd 100644 --- a/ipsec-tools/racoon/isakmp_var.h +++ b/ipsec-tools/racoon/isakmp_var.h @@ -34,7 +34,7 @@ #include "vmbuf.h" #include "racoon_types.h" -#include +#include "schedule.h" #if __has_include() #include #else diff --git a/ipsec-tools/racoon/localconf.h b/ipsec-tools/racoon/localconf.h index 629c485..49a30f1 100644 --- a/ipsec-tools/racoon/localconf.h +++ b/ipsec-tools/racoon/localconf.h @@ -32,9 +32,9 @@ #ifndef _LOCALCONF_H #define _LOCALCONF_H -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #include -#endif +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #include #if __has_include() #include @@ -172,9 +172,9 @@ struct localconf { * is enable, racoon uses old format. */ -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) vproc_transaction_t vt; /* returned by vproc_transaction_begin */ -#endif +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) }; diff --git a/ipsec-tools/racoon/main.c b/ipsec-tools/racoon/main.c index 80ec2e4..42b9199 100644 --- a/ipsec-tools/racoon/main.c +++ b/ipsec-tools/racoon/main.c @@ -80,9 +80,9 @@ #include "crypto_openssl.h" #include "vendorid.h" -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #include -#endif // !TARGET_OS_EMBEDDED +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #include @@ -154,14 +154,14 @@ main(ac, av) { int error; -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) char *errorbuf; if (sandbox_init("racoon", SANDBOX_NAMED, &errorbuf) == -1) { plog(ASL_LEVEL_ERR, "initializing sandbox failed %s", errorbuf); sandbox_free_error(errorbuf); return -1; } -#endif // !TARGET_OS_EMBEDDED +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) /* * Check IPSec plist 
diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index 672a9fd..efa1f6c 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c @@ -1987,13 +1987,13 @@ pk_recvacquire(mhp) goto err; } -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) if ( lcconf->vt == NULL){ if (!(lcconf->vt = vproc_transaction_begin(NULL))) plog(ASL_LEVEL_ERR, "vproc_transaction_begin returns NULL.\n"); } -#endif +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) return 0; diff --git a/ipsec-tools/racoon/power_mgmt.c b/ipsec-tools/racoon/power_mgmt.c index 370b25f..a67bf36 100644 --- a/ipsec-tools/racoon/power_mgmt.c +++ b/ipsec-tools/racoon/power_mgmt.c @@ -16,9 +16,9 @@ #include #include #include -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) #include -#endif /* !TARGET_OS_EMBEDDED */ +#endif /* !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) */ #include #include "var.h" diff --git a/ipsec-tools/racoon/remoteconf.c b/ipsec-tools/racoon/remoteconf.c index 59a6341..b24954e 100644 --- a/ipsec-tools/racoon/remoteconf.c +++ b/ipsec-tools/racoon/remoteconf.c @@ -216,17 +216,17 @@ no_remote_configs(ignore_anonymous) { struct remoteconf *p; -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) static const char default_idv[] = "macuser@localhost"; static const int default_idv_len = sizeof(default_idv) - 1; -#endif +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) TAILQ_FOREACH(p, &rmtree, chain) { if (ignore_anonymous) { if (p->remote->ss_family == AF_UNSPEC) /* anonymous */ continue; } -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) // ignore the default btmm ipv6 config thats always present in racoon.conf if (p->remote->ss_family == AF_INET6 && p->idvtype == IDTYPE_USERFQDN && 
@@ -235,7 +235,7 @@ no_remote_configs(ignore_anonymous) strncmp(p->idv->v, default_idv, p->idv->l) == 0) { continue; } -#endif +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) return 0; } return 1; diff --git a/ipsec-tools/racoon/session.c b/ipsec-tools/racoon/session.c index 208ff5d..14ea97e 100644 --- a/ipsec-tools/racoon/session.c +++ b/ipsec-tools/racoon/session.c @@ -72,6 +72,7 @@ #include #include #include +#include #include "libpfkey.h" @@ -109,6 +110,8 @@ #include +#define IKEv1_TRANSACTION "IKEv1_Transaction" + extern pid_t racoon_pid; extern int launchdlaunched; static void close_session (int); @@ -129,6 +132,8 @@ dispatch_queue_t main_queue; static NEPolicySessionRef policySession = NULL; +static os_transaction_t g_ikev1_transaction = NULL; + /* * This is used to (manually) update racoon's launchd keepalive, which is needed because racoon is (mostly) * launched on demand and for requires a keepalive on dirty/failure exits. @@ -314,13 +319,15 @@ session(void) "cannot open %s", pid_file); } } + + if (g_ikev1_transaction == NULL) { + g_ikev1_transaction = os_transaction_create(IKEv1_TRANSACTION); + } - xpc_transaction_begin(); - -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) // enable keepalive for recovery (from crashes and bad exits... after init) (void)launchd_update_racoon_keepalive(true); -#endif // !TARGET_OS_EMBEDDED +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) // Off to the races! if (!terminated) { 
@@ -342,12 +349,15 @@ close_session(int error) ike_session_flush_all_phase1(false); close_sockets(); - xpc_transaction_end(); + if (g_ikev1_transaction != NULL) { + os_release(g_ikev1_transaction); + g_ikev1_transaction = NULL; + } -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) // a clean exit, so disable launchd keepalive (void)launchd_update_racoon_keepalive(false); -#endif // !TARGET_OS_EMBEDDED +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) plog(ASL_LEVEL_NOTICE, "racoon shutdown\n"); exit(0); @@ -425,10 +435,10 @@ check_flushsa() return; } -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) if (lcconf->vt) vproc_transaction_end(NULL, lcconf->vt); -#endif +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) close_session(0); } @@ -535,7 +545,7 @@ check_sigreq() if (lcconf->logfile_param == NULL && logFileStr[0] == 0) plogresetfile(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]); -#if TARGET_OS_EMBEDDED +#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) if (no_remote_configs(TRUE)) { #if ENABLE_NO_SA_FLUSH close_session(0); @@ -549,7 +559,7 @@ check_sigreq() dying(); #endif /* ENABLE_NO_SA_FLUSH */ } -#endif +#endif // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) break; diff --git a/ipsec-tools/racoon/vpn_control.c b/ipsec-tools/racoon/vpn_control.c index be334db..e20c823 100644 --- a/ipsec-tools/racoon/vpn_control.c +++ b/ipsec-tools/racoon/vpn_control.c @@ -51,9 +51,6 @@ * SUCH DAMAGE. */ -//#define LION_TEST 1 - - #include "config.h" #include @@ -82,9 +79,6 @@ #include #endif #include -#ifndef LION_TEST -#include -#endif #include #include "var.h" 
@@ -130,87 +124,25 @@ extern int vpn_xauth_reply (u_int32_t, void *, size_t); int checklaunchd() { - launch_data_t checkin_response = NULL; -#ifdef LION_TEST - launch_data_t checkin_request = NULL; -#endif - launch_data_t sockets_dict, listening_fd_array; - launch_data_t listening_fd; - struct sockaddr_storage fdsockaddr; - socklen_t fdsockaddrlen = sizeof(fdsockaddr); - int socketct; - int i; - int listenerct; int returnval = 0; - int fd; - - /* check in with launchd */ -#ifdef LION_TEST - if ((checkin_request = launch_data_new_string(LAUNCH_KEY_CHECKIN)) == NULL) { -#else - if ((checkin_response = launch_socket_service_check_in()) == NULL) { -#endif - plog(ASL_LEVEL_ERR, - "failed to launch_socket_service_check_in.\n"); - goto done; - } -#ifdef LION_TEST - if ((checkin_response = launch_msg(checkin_request)) == NULL) { - plog(ASL_LEVEL_ERR, "failed to launch_msg.\n"); - goto done; - } -#endif - if (LAUNCH_DATA_ERRNO == launch_data_get_type(checkin_response)) { - plog(ASL_LEVEL_ERR, - "launch_data_get_type error %d\n", - launch_data_get_errno(checkin_response)); - goto done; - } - if ( (sockets_dict = launch_data_dict_lookup(checkin_response, LAUNCH_JOBKEY_SOCKETS)) == NULL){ - plog(ASL_LEVEL_ERR, - "failed to launch_data_dict_lookup.\n"); - goto done; - } - if ( !(socketct = launch_data_dict_get_count(sockets_dict))){ - plog(ASL_LEVEL_ERR, - "launch_data_dict_get_count returns no socket defined.\n"); - goto done; - } - - if ( (listening_fd_array = launch_data_dict_lookup(sockets_dict, "Listeners")) == NULL ){ - plog(ASL_LEVEL_ERR, - "failed to launch_data_dict_lookup.\n"); - goto done; + int *listening_fd_array = NULL; + size_t fd_count = 0; + + int result = launch_activate_socket("Listeners", &listening_fd_array, &fd_count); + if (result != 0) { + plog(ASL_LEVEL_ERR, "failed to launch_activate_socket with error %s.\n", strerror(result)); + return returnval; } - listenerct = launch_data_array_get_count(listening_fd_array); - for (i = 0; i < listenerct; i++) { - 
listening_fd = launch_data_array_get_index(listening_fd_array, i); - fd = launch_data_get_fd( listening_fd ); - if ( getsockname( fd , (struct sockaddr *)&fdsockaddr, &fdsockaddrlen)){ - continue; - } - - /* Is this the VPN control socket? */ - if ( fdsockaddr.ss_family == AF_UNIX && - (!(strcmp(vpncontrolsock_path, ((struct sockaddr_un *)&fdsockaddr)->sun_path)))) - { - plog(ASL_LEVEL_NOTICE, - "found launchd socket.\n"); - returnval = fd; - break; + + if (listening_fd_array != NULL) { + if (fd_count > 0) { + returnval = listening_fd_array[0]; } + free(listening_fd_array); + listening_fd_array = NULL; } - // TODO: check if we have any leaked fd - if ( listenerct == i){ - plog(ASL_LEVEL_ERR, - "failed to find launchd socket\n"); - returnval = 0; - } - -done: - if (checkin_response) - launch_data_free(checkin_response); - return(returnval); + + return returnval; } diff --git a/ipsec.xcodeproj/project.pbxproj b/ipsec.xcodeproj/project.pbxproj index 37cc7f3..7ef6c45 100644 --- a/ipsec.xcodeproj/project.pbxproj +++ b/ipsec.xcodeproj/project.pbxproj @@ -1726,6 +1726,7 @@ INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; INSTALL_PATH = /usr/lib; + IS_ZIPPERED = YES; LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PRODUCT_NAME = ipsec.A; SKIP_INSTALL = YES; @@ -1757,6 +1758,7 @@ INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; INSTALL_PATH = /usr/lib; + IS_ZIPPERED = YES; LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PRODUCT_NAME = ipsec.A; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; @@ -1786,6 +1788,7 @@ INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; INSTALL_PATH = /usr/lib; + IS_ZIPPERED = YES; LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PRODUCT_NAME = ipsec.A; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; @@ -2792,6 +2795,7 @@ INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; INSTALL_PATH = /usr/lib; + IS_ZIPPERED = YES; LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PRODUCT_NAME = ipsec.A; SKIP_INSTALL = YES; 
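Review bot: The rewritten body of checklaunchd() returns `listening_fd_array[0]` without verifying that it is the VPN control socket — the removed loop compared each descriptor's `sun_path` against `vpncontrolsock_path` before accepting it — and any further descriptors when `fd_count > 1` are neither closed nor logged, so the old `// TODO: check if we have any leaked fd` remains open. The `fd_count == 0` case now also returns silently where the old code logged "failed to find launchd socket". I would keep the path check over the returned array and close the descriptors that do not match; whether `<sys/un.h>` and `close()` are still in scope after the removed `LION_TEST` include cannot be seen from this hunk.
```c
    if (listening_fd_array != NULL) {
        for (size_t i = 0; i < fd_count; i++) {
            int fd = listening_fd_array[i];
            struct sockaddr_storage fdsockaddr;
            socklen_t fdsockaddrlen = sizeof(fdsockaddr);

            /* keep only the VPN control socket; close anything else launchd handed us */
            if (returnval == 0 &&
                getsockname(fd, (struct sockaddr *)&fdsockaddr, &fdsockaddrlen) == 0 &&
                fdsockaddr.ss_family == AF_UNIX &&
                strcmp(vpncontrolsock_path, ((struct sockaddr_un *)&fdsockaddr)->sun_path) == 0) {
                returnval = fd;
            } else {
                close(fd);
            }
        }
        if (returnval == 0) {
            plog(ASL_LEVEL_ERR, "failed to find launchd socket\n");
        }
        free(listening_fd_array);
        listening_fd_array = NULL;
    }
    /* … unchanged: return returnval; … */
```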
@@ -2826,6 +2830,7 @@
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
 INSTALL_PATH = /usr/lib;
+ IS_ZIPPERED = YES;
 LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
 PRODUCT_NAME = ipsec.A;
 WARNING_CFLAGS = "-Wcast-align";
@@ -2858,6 +2863,7 @@
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
 INSTALL_PATH = /usr/lib;
+ IS_ZIPPERED = YES;
 LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
 PRODUCT_NAME = ipsec.A;
 WARNING_CFLAGS = "-Wcast-align";
-- 
2.45.2