From 65c257469f746e64364e5df94f3ed8c6698a9d0a Mon Sep 17 00:00:00 2001 
From: Apple Date: Tue, 29 Oct 2013 00:03:35 +0000 Subject: [PATCH] ipsec-258.1.3.tar.gz --- entitlements.plist | 2 + ipsec-tools/Common/config.h | 50 +- ipsec-tools/Common/ipsecMessageTracer.h | 2 +- ipsec-tools/Common/key_debug.c | 36 +- ipsec-tools/Common/libpfkey.h | 125 +- ipsec-tools/Common/pfkey.c | 273 +- ipsec-tools/Common/pfkey_dump.c | 245 +- ipsec-tools/libipsec/ipsec_dump_policy.c | 12 +- ipsec-tools/libipsec/ipsec_get_policylen.c | 2 +- ipsec-tools/libipsec/ipsec_strerror.h | 2 +- ipsec-tools/libipsec/policy_parse.y | 28 +- ipsec-tools/libipsec/policy_token.l | 8 +- ipsec-tools/libipsec/test-policy.c | 12 +- ipsec-tools/racoon/Crypto/boxes-fst.dat | 957 ------ ipsec-tools/racoon/Crypto/rijndael-alg-fst.c | 492 ---- ipsec-tools/racoon/Crypto/rijndael-alg-fst.h | 34 - ipsec-tools/racoon/Crypto/rijndael-api-fst.c | 495 ---- ipsec-tools/racoon/Crypto/rijndael-api-fst.h | 104 - ipsec-tools/racoon/Crypto/rijndael.h | 10 - ipsec-tools/racoon/Crypto/rijndael_local.h | 17 - ipsec-tools/racoon/Documents/FAQ | 106 - .../racoon/Documents/README.certificate | 1 - ipsec-tools/racoon/Documents/README.gssapi | 106 - ipsec-tools/racoon/Documents/TODO | 131 - ipsec-tools/racoon/Preferences.c | 57 + ipsec-tools/racoon/Preferences.h | 34 + ipsec-tools/racoon/Sample/racoon.conf | 2 +- ipsec-tools/racoon/admin.c | 733 ----- ipsec-tools/racoon/admin.h | 117 - ipsec-tools/racoon/admin_var.h | 39 - ipsec-tools/racoon/algorithm.c | 79 +- ipsec-tools/racoon/algorithm.h | 88 +- ipsec-tools/racoon/algorithm_types.h | 12 +- ipsec-tools/racoon/api_support.c | 24 + ipsec-tools/racoon/api_support.h | 152 + ipsec-tools/racoon/arc4random.h | 2 +- ipsec-tools/racoon/backupsa.c | 486 ---- ipsec-tools/racoon/backupsa.h | 42 - ipsec-tools/racoon/cfparse.y | 584 ++-- ipsec-tools/racoon/cfparse_proto.h | 6 +- ipsec-tools/racoon/cftoken.l | 80 +- ipsec-tools/racoon/cftoken_proto.h | 18 +- ipsec-tools/racoon/com.apple.racoon.plist | Bin 307 -> 357 bytes ipsec-tools/racoon/crypto_cssm.c | 296 +- 
ipsec-tools/racoon/crypto_cssm.h | 5 +- ipsec-tools/racoon/crypto_openssl.c | 971 +------ ipsec-tools/racoon/crypto_openssl.h | 189 +- ipsec-tools/racoon/debugrm.h | 100 - ipsec-tools/racoon/dnssec.c | 17 +- ipsec-tools/racoon/dnssec.h | 2 +- ipsec-tools/racoon/dump.h | 6 +- ipsec-tools/racoon/eap.c | 42 + ipsec-tools/racoon/eap.h | 245 ++ ipsec-tools/racoon/eap_aka.c | 340 +++ ipsec-tools/racoon/eap_sim.c | 336 +++ ipsec-tools/racoon/eap_sim.h | 141 + ipsec-tools/racoon/eaytest.c | 1059 ------- ipsec-tools/racoon/evt.c | 158 - ipsec-tools/racoon/evt.h | 88 - ipsec-tools/racoon/fsm.c | 392 +++ ipsec-tools/racoon/fsm.h | 210 ++ ipsec-tools/racoon/gcmalloc.h | 11 - ipsec-tools/racoon/genlist.h | 4 +- ipsec-tools/racoon/getcertsbyname.c | 4 +- ipsec-tools/racoon/gnuc.h | 44 - ipsec-tools/racoon/grabmyaddr.c | 255 +- ipsec-tools/racoon/grabmyaddr.h | 29 +- ipsec-tools/racoon/gssapi.c | 747 ----- ipsec-tools/racoon/gssapi.h | 95 - ipsec-tools/racoon/handler.c | 1674 +++++------ ipsec-tools/racoon/handler.h | 400 ++- ipsec-tools/racoon/ike_session.c | 1135 ++++---- ipsec-tools/racoon/ike_session.h | 127 +- ipsec-tools/racoon/ikev2_ike_sa_rfc.c | 24 + ipsec-tools/racoon/ikev2_ike_sa_rfc.h | 22 + ipsec-tools/racoon/ikev2_info_rfc.c | 22 + ipsec-tools/racoon/ikev2_info_rfc.h | 22 + ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c | 23 + ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h | 22 + ipsec-tools/racoon/ikev2_rfc.c | 23 + ipsec-tools/racoon/ikev2_rfc.h | 27 + ipsec-tools/racoon/ikev2_sessresume_rfc.c | 23 + ipsec-tools/racoon/ikev2_sessresume_rfc.h | 22 + ipsec-tools/racoon/ipsecSessionTracer.c | 60 +- ipsec-tools/racoon/ipsec_doi.c | 1190 ++++---- ipsec-tools/racoon/ipsec_doi.h | 85 +- ipsec-tools/racoon/ipsec_interface.c | 224 ++ ipsec-tools/racoon/ipsec_interface.h | 31 + ipsec-tools/racoon/ipsec_xpc.h | 101 + ipsec-tools/racoon/isakmp.c | 2557 +++++++---------- ipsec-tools/racoon/isakmp.h | 22 +- ipsec-tools/racoon/isakmp_agg.c | 471 +-- ipsec-tools/racoon/isakmp_agg.h | 16 +- 
ipsec-tools/racoon/isakmp_base.c | 1523 ---------- ipsec-tools/racoon/isakmp_base.h | 46 - ipsec-tools/racoon/isakmp_cfg.c | 933 +----- ipsec-tools/racoon/isakmp_cfg.h | 69 +- ipsec-tools/racoon/isakmp_frag.c | 144 +- ipsec-tools/racoon/isakmp_frag.h | 14 +- ipsec-tools/racoon/isakmp_ident.c | 713 ++--- ipsec-tools/racoon/isakmp_ident.h | 28 +- ipsec-tools/racoon/isakmp_inf.c | 632 ++-- ipsec-tools/racoon/isakmp_inf.h | 38 +- ipsec-tools/racoon/isakmp_newg.c | 232 -- ipsec-tools/racoon/isakmp_newg.h | 37 - ipsec-tools/racoon/isakmp_quick.c | 583 ++-- ipsec-tools/racoon/isakmp_quick.h | 24 +- ipsec-tools/racoon/isakmp_unity.c | 26 +- ipsec-tools/racoon/isakmp_unity.h | 13 +- ipsec-tools/racoon/isakmp_var.h | 149 +- ipsec-tools/racoon/isakmp_xauth.c | 976 +------ ipsec-tools/racoon/isakmp_xauth.h | 72 +- ipsec-tools/racoon/kmpstat.c | 20 +- ipsec-tools/racoon/localconf.c | 69 +- ipsec-tools/racoon/localconf.h | 47 +- ipsec-tools/racoon/logger.c | 355 --- ipsec-tools/racoon/logger.h | 53 - ipsec-tools/racoon/main.c | 185 +- ipsec-tools/racoon/misc.c | 25 +- ipsec-tools/racoon/misc.h | 17 +- ipsec-tools/racoon/nattraversal.c | 41 +- ipsec-tools/racoon/nattraversal.h | 24 +- ipsec-tools/racoon/netdb_dnssec.h | 4 +- ipsec-tools/racoon/oakley.c | 2062 ++++++------- ipsec-tools/racoon/oakley.h | 99 +- ipsec-tools/racoon/open_dir.c | 48 +- ipsec-tools/racoon/open_dir.h | 2 +- ipsec-tools/racoon/pfkey.h | 55 +- ipsec-tools/racoon/pfkey_racoon.c | 1067 ++++--- ipsec-tools/racoon/plainrsa-gen.8 | 137 - ipsec-tools/racoon/plainrsa-gen.c | 210 -- ipsec-tools/racoon/plog.c | 487 ++-- ipsec-tools/racoon/plog.h | 126 +- ipsec-tools/racoon/policy.c | 53 +- ipsec-tools/racoon/policy.h | 35 +- ipsec-tools/racoon/power_mgmt.c | 98 +- ipsec-tools/racoon/power_mgmt.h | 5 +- ipsec-tools/racoon/privsep.c | 1353 --------- ipsec-tools/racoon/privsep.h | 72 - ipsec-tools/racoon/proposal.c | 218 +- ipsec-tools/racoon/proposal.h | 77 +- ipsec-tools/racoon/prsa_par.y | 352 --- 
ipsec-tools/racoon/prsa_tok.l | 92 - ipsec-tools/racoon/racoon.conf.5 | 473 +-- ipsec-tools/racoon/racoon_types.h | 32 + ipsec-tools/racoon/racoonctl.8 | 199 -- ipsec-tools/racoon/racoonctl.c | 1813 ------------ ipsec-tools/racoon/racoonctl.h | 53 - ipsec-tools/racoon/remoteconf.c | 329 +-- ipsec-tools/racoon/remoteconf.h | 90 +- ipsec-tools/racoon/rsalist.c | 216 -- ipsec-tools/racoon/rsalist.h | 65 - ipsec-tools/racoon/safefile.c | 8 +- ipsec-tools/racoon/safefile.h | 2 +- ipsec-tools/racoon/sainfo.c | 172 +- ipsec-tools/racoon/sainfo.h | 51 +- ipsec-tools/racoon/schedule.c | 349 +-- ipsec-tools/racoon/schedule.h | 62 +- ipsec-tools/racoon/session.c | 753 ++--- ipsec-tools/racoon/session.h | 8 +- ipsec-tools/racoon/sockmisc.c | 173 +- ipsec-tools/racoon/sockmisc.h | 49 +- ipsec-tools/racoon/str2val.h | 4 +- ipsec-tools/racoon/strnames.c | 196 +- ipsec-tools/racoon/strnames.h | 78 +- ipsec-tools/racoon/throttle.c | 2 +- ipsec-tools/racoon/throttle.h | 4 +- ipsec-tools/racoon/vendorid.c | 15 +- ipsec-tools/racoon/vendorid.h | 8 +- ipsec-tools/racoon/vmbuf.c | 21 +- ipsec-tools/racoon/vmbuf.h | 9 +- ipsec-tools/racoon/vpn.c | 128 +- ipsec-tools/racoon/vpn.h | 2 +- ipsec-tools/racoon/vpn_control.c | 289 +- ipsec-tools/racoon/vpn_control.h | 2 + ipsec-tools/racoon/vpn_control_var.h | 32 +- ipsec-tools/racoon/xpc_racoon.c | 24 + ipsec-tools/setkey/extern.h | 18 +- ipsec-tools/setkey/parse.y | 31 +- ipsec-tools/setkey/setkey.c | 38 +- ipsec-tools/setkey/test-pfkey.c | 26 +- ipsec-tools/setkey/token.l | 2 +- ipsec.plist | 122 +- ipsec.xcodeproj/project.pbxproj | 1211 +++----- racoon.sb | 14 +- 185 files changed, 12463 insertions(+), 28364 deletions(-) delete mode 100644 ipsec-tools/racoon/Crypto/boxes-fst.dat delete mode 100644 ipsec-tools/racoon/Crypto/rijndael-alg-fst.c delete mode 100644 ipsec-tools/racoon/Crypto/rijndael-alg-fst.h delete mode 100644 ipsec-tools/racoon/Crypto/rijndael-api-fst.c delete mode 100644 ipsec-tools/racoon/Crypto/rijndael-api-fst.h delete 
mode 100644 ipsec-tools/racoon/Crypto/rijndael.h delete mode 100644 ipsec-tools/racoon/Crypto/rijndael_local.h delete mode 100644 ipsec-tools/racoon/Documents/FAQ delete mode 100644 ipsec-tools/racoon/Documents/README.certificate delete mode 100644 ipsec-tools/racoon/Documents/README.gssapi delete mode 100644 ipsec-tools/racoon/Documents/TODO create mode 100644 ipsec-tools/racoon/Preferences.c create mode 100644 ipsec-tools/racoon/Preferences.h delete mode 100644 ipsec-tools/racoon/admin.c delete mode 100644 ipsec-tools/racoon/admin.h delete mode 100644 ipsec-tools/racoon/admin_var.h create mode 100644 ipsec-tools/racoon/api_support.c create mode 100644 ipsec-tools/racoon/api_support.h delete mode 100644 ipsec-tools/racoon/backupsa.c delete mode 100644 ipsec-tools/racoon/backupsa.h delete mode 100644 ipsec-tools/racoon/debugrm.h create mode 100644 ipsec-tools/racoon/eap.c create mode 100644 ipsec-tools/racoon/eap.h create mode 100644 ipsec-tools/racoon/eap_aka.c create mode 100644 ipsec-tools/racoon/eap_sim.c create mode 100644 ipsec-tools/racoon/eap_sim.h delete mode 100644 ipsec-tools/racoon/eaytest.c delete mode 100644 ipsec-tools/racoon/evt.c delete mode 100644 ipsec-tools/racoon/evt.h create mode 100644 ipsec-tools/racoon/fsm.c create mode 100644 ipsec-tools/racoon/fsm.h delete mode 100644 ipsec-tools/racoon/gnuc.h delete mode 100644 ipsec-tools/racoon/gssapi.c delete mode 100644 ipsec-tools/racoon/gssapi.h create mode 100644 ipsec-tools/racoon/ikev2_ike_sa_rfc.c create mode 100644 ipsec-tools/racoon/ikev2_ike_sa_rfc.h create mode 100644 ipsec-tools/racoon/ikev2_info_rfc.c create mode 100644 ipsec-tools/racoon/ikev2_info_rfc.h create mode 100644 ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c create mode 100644 ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h create mode 100644 ipsec-tools/racoon/ikev2_rfc.c create mode 100644 ipsec-tools/racoon/ikev2_rfc.h create mode 100644 ipsec-tools/racoon/ikev2_sessresume_rfc.c create mode 100644 ipsec-tools/racoon/ikev2_sessresume_rfc.h 
create mode 100644 ipsec-tools/racoon/ipsec_interface.c create mode 100644 ipsec-tools/racoon/ipsec_interface.h create mode 100644 ipsec-tools/racoon/ipsec_xpc.h delete mode 100644 ipsec-tools/racoon/isakmp_base.c delete mode 100644 ipsec-tools/racoon/isakmp_base.h delete mode 100644 ipsec-tools/racoon/isakmp_newg.c delete mode 100644 ipsec-tools/racoon/isakmp_newg.h delete mode 100644 ipsec-tools/racoon/logger.c delete mode 100644 ipsec-tools/racoon/logger.h delete mode 100644 ipsec-tools/racoon/plainrsa-gen.8 delete mode 100644 ipsec-tools/racoon/plainrsa-gen.c delete mode 100644 ipsec-tools/racoon/privsep.c delete mode 100644 ipsec-tools/racoon/privsep.h delete mode 100644 ipsec-tools/racoon/prsa_par.y delete mode 100644 ipsec-tools/racoon/prsa_tok.l create mode 100644 ipsec-tools/racoon/racoon_types.h delete mode 100644 ipsec-tools/racoon/racoonctl.8 delete mode 100644 ipsec-tools/racoon/racoonctl.c delete mode 100644 ipsec-tools/racoon/racoonctl.h delete mode 100644 ipsec-tools/racoon/rsalist.c delete mode 100644 ipsec-tools/racoon/rsalist.h create mode 100644 ipsec-tools/racoon/xpc_racoon.c diff --git a/entitlements.plist b/entitlements.plist index f05fcbf..a40c33f 100644 --- a/entitlements.plist +++ b/entitlements.plist @@ -2,6 +2,8 @@ + com.apple.coretelephony.SimAuthentication.allow + keychain-access-groups apple diff --git a/ipsec-tools/Common/config.h b/ipsec-tools/Common/config.h index ce2538f..b172131 100644 --- a/ipsec-tools/Common/config.h +++ b/ipsec-tools/Common/config.h @@ -2,12 +2,6 @@ #define __IPSEC_BUILD__ 1 -/* If printf doesn't support %zu. */ -#undef BROKEN_PRINTF - -/* Enable admin port */ -#define ENABLE_ADMINPORT 1 - /* Enable VPN control port */ #define ENABLE_VPNCONTROL_PORT 1 @@ -68,10 +62,6 @@ /* Define to 1 if you have the `gettimeofday' function. */ #define HAVE_GETTIMEOFDAY 1 -/* Enable GSS API */ -/* %%%%%%% change this back when conflict fixed */ -#undef HAVE_GSSAPI - /* Have iconv using const */ #define HAVE_ICONV_2ND_CONST 1 
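Review bot: The new `com.apple.coretelephony.SimAuthentication.allow` entitlement is granted to the daemon with no record of which code path needs it; the new eap_sim.c / eap_aka.c in the diffstat suggest it backs EAP-SIM/EAP-AKA, but that is an inference. An XML comment beside the key, e.g. `<!-- SIM/AKA credential access used by EAP-SIM / EAP-AKA (eap_sim.c, eap_aka.c) -->`, would let a later audit of the daemon's entitlements confirm it is still required rather than left over. The plist markup appears to have been stripped in this rendering, so the exact placement of the key cannot be checked here.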
@@ -81,13 +71,6 @@ /* Have ipsec_policy_t */ #undef HAVE_IPSEC_POLICY_T -/* Hybrid authentication uses PAM */ -//#define HAVE_LIBPAM 1 -#undef HAVE_LIBPAM - -/* Hybrid authentication uses RADIUS */ -#undef HAVE_LIBRADIUS - /* Define to 1 if you have the header file. */ #define HAVE_LIMITS_H 1 @@ -116,12 +99,6 @@ #define HAVE_OPENDIR 1 #endif -#if TARGET_OS_EMBEDDED -#undef HAVE_LIBLDAP -#else -#define HAVE_LIBLDAP 1 -#endif - #define HAVE_NETINET6_IPSEC 1 #define HAVE_GETIFADDRS 1 @@ -139,22 +116,12 @@ #endif -/* Define to 1 if you have the `pam_start' function. */ -#if TARGET_OS_EMBEDDED -#undef HAVE_PAM_START -#else -#define HAVE_PAM_START 1 -#endif - /* Are PF_KEY policy priorities supported? */ #undef HAVE_PFKEY_POLICY_PRIORITY /* Have forward policy */ #undef HAVE_POLICY_FWD -/* Define to 1 if you have the `rad_create_request' function. */ -#undef HAVE_RAD_CREATE_REQUEST - /* Is readline available? */ #undef HAVE_READLINE @@ -250,7 +217,7 @@ #undef PACKAGE_VERSION /* Define as the return type of signal handlers (`int' or `void'). */ -#define RETSIGTYPE int +#define RETSIGTYPE void /* Define to 1 if you have the ANSI C header files. */ #define STDC_HEADERS 1 @@ -261,12 +228,6 @@ /* Define to 1 if your declares `struct tm'. */ #define TM_IN_SYS_TIME 1 -/* A 'va_copy' style function */ -#undef VA_COPY - -/* Version number of package */ -#undef VERSION - /* SHA2 support */ #define WITH_SHA2 1 @@ -274,13 +235,4 @@ `char[]'. */ #define YYTEXT_POINTER 1 -/* Define to empty if `const' does not conform to ANSI C. */ -#undef const - -/* Define to `int' if does not define. */ -#undef pid_t - -/* Define to `unsigned' if does not define. */ -#undef size_t - #define USE_SYSTEMCONFIGURATION_PRIVATE_HEADERS 1 diff --git a/ipsec-tools/Common/ipsecMessageTracer.h b/ipsec-tools/Common/ipsecMessageTracer.h index 126926d..051c54e 100644 --- a/ipsec-tools/Common/ipsecMessageTracer.h +++ b/ipsec-tools/Common/ipsecMessageTracer.h 
@@ -69,7 +69,7 @@
 #endif
 #if 1 //TARGET_OS_EMBEDDED
-#define IPSECLOGASLMSG(format, args...) syslog(LOG_NOTICE, format, ##args);
+#define IPSECLOGASLMSG(format, args...) plog(ASL_LEVEL_NOTICE, format, ##args);
 #else
 #define IPSECLOGASLMSG(format, args...) do { \
 aslmsg m = asl_new(ASL_TYPE_MSG); \
diff --git a/ipsec-tools/Common/key_debug.c b/ipsec-tools/Common/key_debug.c
index e7822a1..e1bec26 100644
--- a/ipsec-tools/Common/key_debug.c
+++ b/ipsec-tools/Common/key_debug.c
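Review bot: The rewritten `IPSECLOGASLMSG` still ends its expansion with a `;`, so a call site written `IPSECLOGASLMSG(...);` expands to two statements and `if (c) IPSECLOGASLMSG(...); else ...` fails to compile. The `#else` branch appears to use a `do { ... }` block, so the embedded variant should match it: `#define IPSECLOGASLMSG(format, args...) do { plog(ASL_LEVEL_NOTICE, format, ##args); } while (0)`. Switching from `syslog` to `plog` also changes where these notices end up, which deserves a one-line comment if `plog` does not itself forward to syslog/ASL.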
@@ -70,26 +70,26 @@ #include "var.h" #include "libpfkey.h" -static void kdebug_sadb_prop __P((struct sadb_ext *)); -static void kdebug_sadb_identity __P((struct sadb_ext *)); -static void kdebug_sadb_supported __P((struct sadb_ext *)); -static void kdebug_sadb_lifetime __P((struct sadb_ext *)); -static void kdebug_sadb_sa __P((struct sadb_ext *)); -static void kdebug_sadb_address __P((struct sadb_ext *)); -static void kdebug_sadb_key __P((struct sadb_ext *)); -static void kdebug_sadb_x_sa2 __P((struct sadb_ext *)); -static void kdebug_sadb_session_id __P((struct sadb_ext *)); -static void kdebug_sadb_sastat __P((struct sadb_ext *)); -static void kdebug_sadb_x_policy __P((struct sadb_ext *ext)); -static void kdebug_sockaddr __P((struct sockaddr_storage *addr)); +static void kdebug_sadb_prop (struct sadb_ext *); +static void kdebug_sadb_identity (struct sadb_ext *); +static void kdebug_sadb_supported (struct sadb_ext *); +static void kdebug_sadb_lifetime (struct sadb_ext *); +static void kdebug_sadb_sa (struct sadb_ext *); +static void kdebug_sadb_address (struct sadb_ext *); +static void kdebug_sadb_key (struct sadb_ext *); +static void kdebug_sadb_x_sa2 (struct sadb_ext *); +static void kdebug_sadb_session_id (struct sadb_ext *); +static void kdebug_sadb_sastat (struct sadb_ext *); +static void kdebug_sadb_x_policy (struct sadb_ext *ext); +static void kdebug_sockaddr (struct sockaddr_storage *addr); #ifdef SADB_X_EXT_NAT_T_TYPE -static void kdebug_sadb_x_nat_t_type __P((struct sadb_ext *ext)); -static void kdebug_sadb_x_nat_t_port __P((struct sadb_ext *ext)); +static void kdebug_sadb_x_nat_t_type (struct sadb_ext *ext); +static void kdebug_sadb_x_nat_t_port (struct sadb_ext *ext); #endif #ifdef _KERNEL -static void kdebug_secreplay __P((struct secreplay *)); +static void kdebug_secreplay (struct secreplay *); #endif #ifndef _KERNEL 
@@ -146,6 +146,10 @@ kdebug_sadb(base) case SADB_EXT_ADDRESS_SRC: case SADB_EXT_ADDRESS_DST: case SADB_EXT_ADDRESS_PROXY: + case SADB_X_EXT_ADDR_RANGE_SRC_START: + case SADB_X_EXT_ADDR_RANGE_SRC_END: + case SADB_X_EXT_ADDR_RANGE_DST_START: + case SADB_X_EXT_ADDR_RANGE_DST_END: kdebug_sadb_address(ext); break; case SADB_EXT_KEY_AUTH: @@ -180,6 +184,8 @@ kdebug_sadb(base) case SADB_EXT_SASTAT: kdebug_sadb_sastat(ext); break; + case SADB_X_EXT_IPSECIF: + break; #ifdef SADB_X_EXT_NAT_T_TYPE case SADB_X_EXT_NAT_T_TYPE: kdebug_sadb_x_nat_t_type(ext); diff --git a/ipsec-tools/Common/libpfkey.h b/ipsec-tools/Common/libpfkey.h index 1bb0f27..4baec55 100644 --- a/ipsec-tools/Common/libpfkey.h +++ b/ipsec-tools/Common/libpfkey.h @@ -45,10 +45,10 @@ #define PRIORITY_OFFSET_NEGATIVE_MAX 0x40000000 struct sadb_msg; -extern void pfkey_sadump __P((struct sadb_msg *)); -extern void pfkey_sadump_withports __P((struct sadb_msg *)); -extern void pfkey_spdump __P((struct sadb_msg *)); -extern void pfkey_spdump_withports __P((struct sadb_msg *)); +extern void pfkey_sadump (struct sadb_msg *); +extern void pfkey_sadump_withports (struct sadb_msg *); +extern void pfkey_spdump (struct sadb_msg *); +extern void pfkey_spdump_withports (struct sadb_msg *); struct sockaddr_storage; struct sadb_alg; 
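Review bot: The new `case SADB_X_EXT_IPSECIF: break;` drops the extension from the debug dump without a trace, so a message carrying interface names prints as if that extension were absent, whereas the address-range cases added in the earlier hunk are at least routed to `kdebug_sadb_address`. Until a dedicated printer exists, mark the gap at the case, e.g. `case SADB_X_EXT_IPSECIF: /* TODO: dump interface names; currently skipped */ break;`. Reusing `kdebug_sadb_address` for `SADB_X_EXT_ADDR_RANGE_*` is only correct if those extensions share the `sadb_address` layout, which is presumably the case but not visible here. kdebug_sadb's body starts and ends outside both hunks.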
@@ -70,70 +70,77 @@ typedef caddr_t ipsec_policy_t; /* IPsec Library Routines */ -int ipsec_check_keylen __P((u_int, u_int, u_int)); -int ipsec_check_keylen2 __P((u_int, u_int, u_int)); -int ipsec_get_keylen __P((u_int, u_int, struct sadb_alg *)); -char *ipsec_dump_policy_withports __P((void *, const char *)); -void ipsec_hexdump __P((const void *, int)); -const char *ipsec_strerror __P((void)); -void kdebug_sadb __P((struct sadb_msg *)); -ipsec_policy_t ipsec_set_policy __P((__ipsec_const char *, int)); -int ipsec_get_policylen __P((ipsec_policy_t)); -char *ipsec_dump_policy __P((ipsec_policy_t, __ipsec_const char *)); +int ipsec_check_keylen (u_int, u_int, u_int); +int ipsec_check_keylen2 (u_int, u_int, u_int); +int ipsec_get_keylen (u_int, u_int, struct sadb_alg *); +char *ipsec_dump_policy_withports (void *, const char *); +void ipsec_hexdump (const void *, int); +const char *ipsec_strerror (void); +void kdebug_sadb (struct sadb_msg *); +ipsec_policy_t ipsec_set_policy (__ipsec_const char *, int); +int ipsec_get_policylen (ipsec_policy_t); +char *ipsec_dump_policy (ipsec_policy_t, __ipsec_const char *); /* PFKey Routines */ -u_int pfkey_set_softrate __P((u_int, u_int)); -u_int pfkey_get_softrate __P((u_int)); -int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr_storage *, - struct sockaddr_storage *, u_int32_t, u_int32_t, u_int32_t, u_int32_t)); -int pfkey_send_update __P((int, u_int, u_int, struct sockaddr_storage *, +u_int pfkey_set_softrate (u_int, u_int); +u_int pfkey_get_softrate (u_int); +int pfkey_send_getspi (int, u_int, u_int, struct sockaddr_storage *, + struct sockaddr_storage *, u_int32_t, u_int32_t, u_int32_t, u_int, u_int64_t, u_int32_t, u_int); +int pfkey_send_update (int, u_int, u_int, struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, - u_int64_t, u_int64_t, u_int32_t, u_int16_t)); -int pfkey_send_add __P((int, u_int, u_int, struct 
sockaddr_storage *, + u_int64_t, u_int64_t, u_int32_t, u_int16_t, u_int); +int pfkey_send_add (int, u_int, u_int, struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, - u_int64_t, u_int64_t, u_int32_t, u_int16_t)); - -int pfkey_send_delete __P((int, u_int, u_int, - struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t)); -int pfkey_send_delete_all __P((int, u_int, u_int, - struct sockaddr_storage *, struct sockaddr_storage *)); -int pfkey_send_get __P((int, u_int, u_int, - struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t)); -int pfkey_send_register __P((int, u_int)); -int pfkey_recv_register __P((int)); -int pfkey_set_supported __P((struct sadb_msg *, int)); -int pfkey_send_flush __P((int, u_int)); -int pfkey_send_dump __P((int, u_int)); -int pfkey_send_promisc_toggle __P((int, int)); -int pfkey_send_spdadd __P((int, struct sockaddr_storage *, u_int, - struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t)); -int pfkey_send_spdadd2 __P((int, struct sockaddr_storage *, u_int, + u_int64_t, u_int64_t, u_int32_t, u_int16_t, u_int); + +int pfkey_send_delete (int, u_int, u_int, + struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t); +int pfkey_send_delete_all (int, u_int, u_int, + struct sockaddr_storage *, struct sockaddr_storage *); +int pfkey_send_get (int, u_int, u_int, + struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t); +int pfkey_send_register (int, u_int); +int pfkey_recv_register (int); +int pfkey_set_supported (struct sadb_msg *, int); +int pfkey_send_flush (int, u_int); +int pfkey_send_dump (int, u_int); +int pfkey_send_promisc_toggle (int, int); +int pfkey_send_spdadd (int, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t); +int pfkey_send_spdadd_with_interface(int, struct sockaddr_storage *, + struct sockaddr_storage *, u_int, struct sockaddr_storage 
*, + struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t, char *, + char *, char *, u_int); +int pfkey_send_spdadd2 (int, struct sockaddr_storage *, u_int, struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t, - caddr_t, int, u_int32_t)); -int pfkey_send_spdupdate __P((int, struct sockaddr_storage *, u_int, - struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t)); -int pfkey_send_spdupdate2 __P((int, struct sockaddr_storage *, u_int, + caddr_t, int, u_int32_t); +int pfkey_send_spdupdate (int, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t); +int pfkey_send_spdupdate2 (int, struct sockaddr_storage *, u_int, struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t, - caddr_t, int, u_int32_t)); -int pfkey_send_spddelete __P((int, struct sockaddr_storage *, u_int, - struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t)); -int pfkey_send_spddelete2 __P((int, u_int32_t)); -int pfkey_send_spdget __P((int, u_int32_t)); -int pfkey_send_spdsetidx __P((int, struct sockaddr_storage *, u_int, - struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t)); -int pfkey_send_spdflush __P((int)); -int pfkey_send_spddump __P((int)); - -int pfkey_open __P((void)); -void pfkey_close __P((int)); -struct sadb_msg *pfkey_recv __P((int)); -int pfkey_send __P((int, struct sadb_msg *, int)); -int pfkey_align __P((struct sadb_msg *, caddr_t *)); -int pfkey_check __P((caddr_t *)); -int pfkey_send_getsastats __P((int, u_int32_t, u_int64_t [], u_int32_t, u_int8_t, struct sastat [], u_int32_t)); + caddr_t, int, u_int32_t); +int pfkey_send_spddelete (int, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t); +int pfkey_send_spddelete2 (int, u_int32_t); +int pfkey_send_spdenable(int so, u_int32_t spid); +int pfkey_send_spddisable(int so, u_int32_t spid); +int pfkey_send_spdget (int, u_int32_t); +int pfkey_send_spdsetidx (int, struct 
sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t); +int pfkey_send_spdflush (int); +int pfkey_send_spddump (int); + +int pfkey_open (void); +void pfkey_close (void); +void pfkey_close_sock(int); +struct sadb_msg *pfkey_recv (int); +int pfkey_send (int, struct sadb_msg *, int); +int pfkey_align (struct sadb_msg *, caddr_t *); +int pfkey_check (caddr_t *); +int pfkey_send_getsastats (int, u_int32_t, u_int64_t [], u_int32_t, u_int8_t, struct sastat [], u_int32_t); #ifndef __SYSDEP_SA_LEN__ #define __SYSDEP_SA_LEN__ diff --git a/ipsec-tools/Common/pfkey.c b/ipsec-tools/Common/pfkey.c index fe1edb7..2e7b526 100644 --- a/ipsec-tools/Common/pfkey.c +++ b/ipsec-tools/Common/pfkey.c @@ -36,7 +36,7 @@ #include #include #include -#include +#include #include #include #ifdef HAVE_NETINET6_IPSEC 
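Review bot: The added declarations do not follow the style of the surrounding prototypes: `pfkey_send_spdenable(int so, u_int32_t spid)`, `pfkey_send_spddisable(int so, u_int32_t spid)`, `pfkey_close_sock(int)` and `pfkey_send_spdadd_with_interface(...)` omit the space before `(` and mix named and unnamed parameters, while every neighbour is written `name (types)`. `pfkey_close` also changes from `(int)` to `(void)`, a silent API break for any caller still passing a socket; since this header is the only documentation of these routines, a comment stating what it now closes (presumably a library-held socket, with `pfkey_close_sock` taking an explicit one) would help. The three interface-name parameters of `pfkey_send_spdadd_with_interface` could be `const char *` if the callee only reads them; `pfkey_setsadbipsecif` in pfkey.c takes `char *` as well, so both would change together.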
@@ -58,38 +58,40 @@ #define CALLOC(size, cast) (cast)calloc(1, (size)) -static int findsupportedmap __P((int)); -static int setsupportedmap __P((struct sadb_supported *)); -static struct sadb_alg *findsupportedalg __P((u_int, u_int)); -static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr_storage *, +static int findsupportedmap (int); +static int setsupportedmap (struct sadb_supported *); +static struct sadb_alg *findsupportedalg (u_int, u_int); +static int pfkey_send_x1 (int, u_int, u_int, u_int, struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t, - u_int32_t, u_int32_t, u_int32_t, u_int16_t)); -static int pfkey_send_x2 __P((int, u_int, u_int, u_int, - struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t)); -static int pfkey_send_x3 __P((int, u_int, u_int)); -static int pfkey_send_x4 __P((int, u_int, struct sockaddr_storage *, u_int, - struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t, - char *, int, u_int32_t)); -static int pfkey_send_x5 __P((int, u_int, u_int32_t)); - -static caddr_t pfkey_setsadbmsg __P((caddr_t, caddr_t, u_int, u_int, - u_int, u_int32_t, pid_t)); -static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int, - u_int, u_int, u_int32_t, u_int16_t)); -static caddr_t pfkey_setsadbaddr __P((caddr_t, caddr_t, u_int, - struct sockaddr_storage *, u_int, u_int)); -static caddr_t pfkey_setsadbkey __P((caddr_t, caddr_t, u_int, caddr_t, u_int)); -static caddr_t pfkey_setsadblifetime __P((caddr_t, caddr_t, u_int, u_int32_t, - u_int32_t, u_int32_t, u_int32_t)); -static caddr_t pfkey_setsadbxsa2 __P((caddr_t, caddr_t, u_int32_t, u_int32_t)); + u_int32_t, u_int32_t, u_int32_t, u_int16_t, u_int); +static int pfkey_send_x2 (int, u_int, u_int, u_int, + struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t); +static int pfkey_send_x3 (int, u_int, u_int); +static int pfkey_send_x4 (int, u_int, struct 
sockaddr_storage *, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t, + char *, int, u_int32_t, char *, char *, char *, u_int); +static int pfkey_send_x5 (int, u_int, u_int32_t); + +static caddr_t pfkey_setsadbmsg (caddr_t, caddr_t, u_int, u_int, + u_int, u_int32_t, pid_t); +static caddr_t pfkey_setsadbsa (caddr_t, caddr_t, u_int32_t, u_int, + u_int, u_int, u_int32_t, u_int16_t); +static caddr_t pfkey_setsadbaddr (caddr_t, caddr_t, u_int, + struct sockaddr_storage *, u_int, u_int); +static caddr_t pfkey_setsadbkey (caddr_t, caddr_t, u_int, caddr_t, u_int); +static caddr_t pfkey_setsadblifetime (caddr_t, caddr_t, u_int, u_int32_t, + u_int32_t, u_int32_t, u_int32_t); +static caddr_t pfkey_setsadbipsecif(caddr_t, caddr_t, char *, + char *, char *, int); +static caddr_t pfkey_setsadbxsa2 (caddr_t, caddr_t, u_int32_t, u_int32_t, u_int); #ifdef SADB_X_EXT_NAT_T_TYPE -static caddr_t pfkey_set_natt_type __P((caddr_t, caddr_t, u_int, u_int8_t)); -static caddr_t pfkey_set_natt_port __P((caddr_t, caddr_t, u_int, u_int16_t)); +static caddr_t pfkey_set_natt_type (caddr_t, caddr_t, u_int, u_int8_t); +static caddr_t pfkey_set_natt_port (caddr_t, caddr_t, u_int, u_int16_t); #endif #ifdef SADB_X_EXT_NAT_T_FRAG -static caddr_t pfkey_set_natt_frag __P((caddr_t, caddr_t, u_int, u_int16_t)); +static caddr_t pfkey_set_natt_frag (caddr_t, caddr_t, u_int, u_int16_t); #endif /* @@ -353,7 +355,7 @@ pfkey_get_softrate(u_int type) */ int pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, - u_int32_t min, u_int32_t max, u_int32_t reqid, u_int32_t seq) + u_int32_t min, u_int32_t max, u_int32_t reqid, u_int use_addtime, u_int64_t l_addtime, u_int32_t seq, u_int always_expire) { struct sadb_msg *newmsg; caddr_t ep; 
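Review bot: The new parameters of `pfkey_send_getspi` are spliced around the existing `seq` (`..., reqid, use_addtime, l_addtime, seq, always_expire`), whereas `pfkey_send_update` and `pfkey_send_add` in the later hunks append `always_expire` after the last existing parameter; appending `use_addtime`/`l_addtime` after `seq` would keep the three signatures consistent and make old call sites easier to migrate. Whichever order is kept, the prototype in libpfkey.h and the block comment above this definition (its text is outside the hunk) need to describe `use_addtime` as the switch that makes `l_addtime` meaningful, since `l_addtime` is otherwise ignored. pfkey_send_getspi's body continues past this hunk.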
@@ -393,7 +395,8 @@ pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr_storage *src + sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst)); + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst)) + + ((use_addtime) ? sizeof(struct sadb_lifetime) : 0); if (min > 255 && max < (u_int)~0) { need_spirange++; @@ -413,7 +416,7 @@ pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr_storage *src return -1; } - p = pfkey_setsadbxsa2(p, ep, mode, reqid); + p = pfkey_setsadbxsa2(p, ep, mode, reqid, always_expire); if (!p) { free(newmsg); return -1; @@ -434,6 +437,16 @@ pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr_storage *src free(newmsg); return -1; } + + if (use_addtime) { + /* set sadb_lifetime, only hard lifetime applicable for larval SAs */ + p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, + 0, 0, l_addtime, 0); + if (!p) { + free(newmsg); + return -1; + } + } /* proccessing spi range */ if (need_spirange) { @@ -482,14 +495,14 @@ int pfkey_send_update(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spi, u_int32_t reqid, u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, - u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port) + u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port, u_int always_expire) { int len; if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi, reqid, wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags, l_alloc, (u_int)l_bytes, (u_int)l_addtime, - (u_int)l_usetime, seq, port)) < 0) + (u_int)l_usetime, seq, port, always_expire)) < 0) return -1; return len; 
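Review bot: In the new `use_addtime` block, `l_addtime` is a `u_int64_t` in `pfkey_send_getspi`'s signature but is passed to `pfkey_setsadblifetime`, whose prototype earlier in this file takes `u_int32_t` in that position, so the value is narrowed silently; the `(u_int)l_addtime` casts in `pfkey_send_update`/`pfkey_send_add` carry the same truncation and are merely made visible by the cast. Either make the narrowing explicit and bounded, e.g. `p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 0, 0, (u_int32_t)(l_addtime > 0xffffffffULL ? 0xffffffffULL : l_addtime), 0);`, or widen the setter, which the 64-bit addtime field of `sadb_lifetime` can accommodate. The size reservation in the earlier hunk (`sizeof(struct sadb_lifetime)` when `use_addtime`) is consistent with this block. pfkey_send_getspi's body spans several hunks; the remainder is outside this one.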
@@ -507,14 +520,14 @@ int pfkey_send_add(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spi, u_int32_t reqid, u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, - u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port) + u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port, u_int always_expire) { int len; if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi, reqid, wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags, l_alloc, (u_int)l_bytes, (u_int)l_addtime, - (u_int)l_usetime, seq, port)) < 0) + (u_int)l_usetime, seq, port, always_expire)) < 0) return -1; return len; @@ -852,14 +865,36 @@ pfkey_send_spdadd(int so, struct sockaddr_storage *src, u_int prefs, struct sock int len; if ((len = pfkey_send_x4(so, SADB_X_SPDADD, - src, prefs, dst, prefd, proto, + src, NULL, prefs, dst, NULL, prefd, proto, (u_int64_t)0, (u_int64_t)0, - policy, policylen, seq)) < 0) + policy, policylen, seq, NULL, NULL, NULL, 0)) < 0) return -1; return len; } +/* + * sending SADB_X_SPDADD message to the kernel. + * OUT: + * positive: success and return length sent. + * -1 : error occured, and set errno. + */ +int +pfkey_send_spdadd_with_interface(int so, struct sockaddr_storage *src, struct sockaddr_storage *src_end, u_int prefs, struct sockaddr_storage *dst, + struct sockaddr_storage *dst_end, u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq, char *ipsec_if, + char *internal_if, char *outgoing_if, u_int disabled) +{ + int len; + + if ((len = pfkey_send_x4(so, SADB_X_SPDADD, + src, src_end, prefs, dst, dst_end, prefd, proto, + (u_int64_t)0, (u_int64_t)0, + policy, policylen, seq, ipsec_if, internal_if, outgoing_if, disabled)) < 0) + return -1; + + return len; +} + /* * sending SADB_X_SPDADD message to the kernel. * OUT: 
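Review bot: The header comment added above `pfkey_send_spdadd_with_interface` is a copy of the one on `pfkey_send_spdadd` and says nothing about the parameters that distinguish it; it should state that `src_end`/`dst_end` extend `src`/`dst` to an address range (the other wrappers pass `NULL`, which presumably means no range), that `ipsec_if`/`internal_if`/`outgoing_if` are interface names handed to the policy (presumably via `pfkey_setsadbipsecif`, which is outside this hunk), and what `disabled` does to the new policy. The interface-name arguments are only passed through, so `const char *` would document that; how their length is bounded before being copied into the extension is decided in `pfkey_send_x4`/`pfkey_setsadbipsecif`, outside this hunk, and is worth checking because the names arrive unchecked from callers. The `if ((len = ...) < 0) return -1; return len;` shape is inherited from the siblings and reduces to `return pfkey_send_x4(...);` if x4 already returns -1 on failure.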
@@ -873,9 +908,9 @@ pfkey_send_spdadd2(int so, struct sockaddr_storage *src, u_int prefs, struct soc int len; if ((len = pfkey_send_x4(so, SADB_X_SPDADD, - src, prefs, dst, prefd, proto, + src, NULL, prefs, dst, NULL, prefd, proto, ltime, vtime, - policy, policylen, seq)) < 0) + policy, policylen, seq, NULL, NULL, NULL, 0)) < 0) return -1; return len; @@ -894,9 +929,9 @@ pfkey_send_spdupdate(int so, struct sockaddr_storage *src, u_int prefs, struct s int len; if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, - src, prefs, dst, prefd, proto, + src, NULL, prefs, dst, NULL, prefd, proto, (u_int64_t)0, (u_int64_t)0, - policy, policylen, seq)) < 0) + policy, policylen, seq, NULL, NULL, NULL, 0)) < 0) return -1; return len; @@ -916,9 +951,9 @@ pfkey_send_spdupdate2(int so, struct sockaddr_storage *src, u_int prefs, struct int len; if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, - src, prefs, dst, prefd, proto, + src, NULL, prefs, dst, NULL, prefd, proto, ltime, vtime, - policy, policylen, seq)) < 0) + policy, policylen, seq, NULL, NULL, NULL, 0)) < 0) return -1; return len; @@ -942,9 +977,9 @@ pfkey_send_spddelete(int so, struct sockaddr_storage *src, u_int prefs, struct s } if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE, - src, prefs, dst, prefd, proto, + src, NULL, prefs, dst, NULL, prefd, proto, (u_int64_t)0, (u_int64_t)0, - policy, policylen, seq)) < 0) + policy, policylen, seq, NULL, NULL, NULL, 0)) < 0) return -1; return len; @@ -967,6 +1002,28 @@ pfkey_send_spddelete2(int so, u_int32_t spid) return len; } +int +pfkey_send_spdenable(int so, u_int32_t spid) +{ + int len; + + if ((len = pfkey_send_x5(so, SADB_X_SPDENABLE, spid)) < 0) + return -1; + + return len; +} + +int +pfkey_send_spddisable(int so, u_int32_t spid) +{ + int len; + + if ((len = pfkey_send_x5(so, SADB_X_SPDDISABLE, spid)) < 0) + return -1; + + return len; +} + /* * sending SADB_X_SPDGET message to the kernel. * OUT: 
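Review bot: pfkey_send_spdenable and pfkey_send_spddisable are added without the `OUT:` header comment every neighbouring pfkey_send_* function carries, and they route through pfkey_send_x5, which is not in this chunk, so a reader has nothing to go on. I would give each the same block as pfkey_send_spddelete2, e.g. `/* sending SADB_X_SPDENABLE message to the kernel. OUT: positive: success and return length sent. -1: error occurred, and set errno. */`, with SPDDISABLE in the other. Both take `spid` with no check that it is nonzero; whether 0 is a valid policy id is presumably settled by pfkey_send_x5 or the kernel, so only the documentation point is certain.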
@@ -1002,9 +1059,9 @@ pfkey_send_spdsetidx(int so, struct sockaddr_storage *src, u_int prefs, struct s } if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX, - src, prefs, dst, prefd, proto, + src, NULL, prefs, dst, NULL, prefd, proto, (u_int64_t)0, (u_int64_t)0, - policy, policylen, seq)) < 0) + policy, policylen, seq, NULL, NULL, NULL, 0)) < 0) return -1; return len; @@ -1050,7 +1107,8 @@ static int pfkey_send_x1(int so, u_int type, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spi, u_int32_t reqid, u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen, u_int flags, - u_int32_t l_alloc, u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq, u_int16_t port) + u_int32_t l_alloc, u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq, u_int16_t port, + u_int always_expire) { struct sadb_msg *newmsg; int len; @@ -1156,7 +1214,7 @@ pfkey_send_x1(int so, u_int type, u_int satype, u_int mode, struct sockaddr_stor free(newmsg); return -1; } - p = pfkey_setsadbxsa2(p, ep, mode, reqid); + p = pfkey_setsadbxsa2(p, ep, mode, reqid, always_expire); if (!p) { free(newmsg); return -1; 
@@ -1368,14 +1426,16 @@ pfkey_send_x3(int so, u_int type, u_int satype) /* sending SADB_X_SPDADD message to the kernel */ static int -pfkey_send_x4(int so, u_int type, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, u_int prefd, u_int proto, - u_int64_t ltime, u_int64_t vtime, char *policy, int policylen, u_int32_t seq) +pfkey_send_x4(int so, u_int type, struct sockaddr_storage *src, struct sockaddr_storage *src_end, u_int prefs, struct sockaddr_storage *dst, struct sockaddr_storage *dst_end, + u_int prefd, u_int proto, u_int64_t ltime, u_int64_t vtime, char *policy, int policylen, u_int32_t seq, char *ipsec_if, char *internal_if, char *outgoing_if, + u_int disabled) { struct sadb_msg *newmsg; int len; caddr_t p; int plen; caddr_t ep; + int include_ipsec_if_msg = 0; /* validity check */ if (src == NULL || dst == NULL) { 
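Review bot: The validity check at the end of this hunk still tests only `src == NULL || dst == NULL`, while the new `src_end`/`dst_end` parameters are never compared with their start addresses before the following hunks serialise them as an ADDR_RANGE pair. A range end whose `ss_family` differs from its start would go out as is; I would reject it next to the existing prefix-length checks, e.g. `if ((src_end && src_end->ss_family != src->ss_family) || (dst_end && dst_end->ss_family != dst->ss_family)) { __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; return -1; }`, substituting whatever family-mismatch code ipsec_strerror.h actually defines if that is not its name here. With 17 parameters the function would also read better taking a small struct for the optional range/interface arguments, but that is a style choice. pfkey_send_x4's body continues past this hunk.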
@@ -1402,15 +1462,22 @@ pfkey_send_x4(int so, u_int type, struct sockaddr_storage *src, u_int prefs, str __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; return -1; } + + if (ipsec_if || internal_if || outgoing_if || disabled) { + include_ipsec_if_msg = 1; + } /* create new sadb_msg to reply. */ len = sizeof(struct sadb_msg) - + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) - + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) - + sizeof(struct sadb_lifetime) - + policylen; + + sizeof(struct sadb_address) + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) + + ((src_end) ? sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src_end)) : 0) + + sizeof(struct sadb_address) + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) + + ((dst_end) ? sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst_end)) : 0) + + ((include_ipsec_if_msg) ? sizeof(struct sadb_x_ipsecif) : 0) + + sizeof(struct sadb_lifetime) + + policylen; if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { __ipsec_set_strerror(strerror(errno)); 
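Review bot: The rewritten length computation still sizes the destination address slot from `src` — the second `PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))` term should use `dst` — so the pre-existing bug survives a rewrite that touched these very lines. For same-family src/dst the two lengths coincide, but for a mixed IPv4/IPv6 selector `ep` is off by the aligned size difference and the request fails later on the `p + policylen != ep` check in the next hunk, or on a setter's bound check, instead of being sent. The one-line fix is `+ PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst))` in place of the second `src` term. pfkey_send_x4 begins before and ends after this hunk.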
@@ -1424,16 +1491,49 @@ pfkey_send_x4(int so, u_int type, struct sockaddr_storage *src, u_int prefs, str free(newmsg); return -1; } - p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto); - if (!p) { - free(newmsg); - return -1; - } - p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto); - if (!p) { - free(newmsg); - return -1; - } + if (src_end) { + p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_ADDR_RANGE_SRC_START, src, prefs, proto); + if (!p) { + free(newmsg); + return -1; + } + p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_ADDR_RANGE_SRC_END, src_end, prefs, proto); + if (!p) { + free(newmsg); + return -1; + } + } else { + p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto); + if (!p) { + free(newmsg); + return -1; + } + } + if (dst_end) { + p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_ADDR_RANGE_DST_START, dst, prefd, proto); + if (!p) { + free(newmsg); + return -1; + } + p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_ADDR_RANGE_DST_END, dst_end, prefd, proto); + if (!p) { + free(newmsg); + return -1; + } + } else { + p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto); + if (!p) { + free(newmsg); + return -1; + } + } + if (include_ipsec_if_msg) { + p = pfkey_setsadbipsecif(p, ep, internal_if, outgoing_if, ipsec_if, disabled); + if (!p) { + free(newmsg); + return -1; + } + } p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 0, 0, (u_int)ltime, (u_int)vtime); if (!p || p + policylen != ep) { @@ -1521,7 +1621,7 @@ pfkey_open() __ipsec_set_strerror(strerror(errno)); return -1; } - + /* * This is a temporary workaround for KAME PR 154. * Don't really care even if it fails. @@ -1548,7 +1648,7 @@ pfkey_open() * -1: fail. */ void -pfkey_close(int so) +pfkey_close_sock(int so) { (void)close(so); 
@@ -1727,7 +1827,11 @@ pfkey_align(struct sadb_msg *msg, caddr_t *mhp) #ifdef SADB_X_EXT_PACKET case SADB_X_EXT_PACKET: #endif - + case SADB_X_EXT_IPSECIF: + case SADB_X_EXT_ADDR_RANGE_SRC_START: + case SADB_X_EXT_ADDR_RANGE_SRC_END: + case SADB_X_EXT_ADDR_RANGE_DST_START: + case SADB_X_EXT_ADDR_RANGE_DST_END: mhp[ext->sadb_ext_type] = (void *)ext; break; default: @@ -2035,12 +2139,40 @@ pfkey_setsadblifetime(caddr_t buf, caddr_t lim, u_int type, u_int32_t l_alloc, return buf + len; } +static caddr_t +pfkey_setsadbipsecif(caddr_t buf, caddr_t lim, char *internal_if, char *outgoing_if, char *ipsec_if, int init_disabled) +{ + struct sadb_x_ipsecif *p; + u_int len; + + p = (void *)buf; + len = sizeof(struct sadb_x_ipsecif); + + if (buf + len > lim) + return NULL; + + memset(p, 0, len); + p->sadb_x_ipsecif_len = PFKEY_UNIT64(len); + p->sadb_x_ipsecif_exttype = SADB_X_EXT_IPSECIF; + + if (internal_if != NULL) + strncpy(p->sadb_x_ipsecif_internal_if, internal_if, sizeof(p->sadb_x_ipsecif_internal_if)); + if (outgoing_if != NULL) + strncpy(p->sadb_x_ipsecif_outgoing_if, outgoing_if, sizeof(p->sadb_x_ipsecif_outgoing_if)); + if (ipsec_if != NULL) + strncpy(p->sadb_x_ipsecif_ipsec_if, ipsec_if, sizeof(p->sadb_x_ipsecif_ipsec_if)); + + p->sadb_x_ipsecif_init_disabled = init_disabled; + + return (buf + len); +} + /* * copy secasvar data into sadb_address. * `buf' must has been allocated sufficiently. */ static caddr_t -pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid) +pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid, u_int always_expire) { struct sadb_x_sa2 *p; u_int8_t mode = mode0 & 0xff; @@ -2057,6 +2189,7 @@ pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid) p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; p->sadb_x_sa2_mode = mode; p->sadb_x_sa2_reqid = reqid; + p->sadb_x_sa2_alwaysexpire = always_expire; return(buf + len); } 
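Review bot: pfkey_setsadbipsecif fills the three interface-name fields with `strncpy(..., sizeof(field))`, which leaves no NUL terminator whenever the name is at least sizeof(field) long; the memset only zeroes the struct once, so a full-length name runs straight into the next field for any consumer that reads the field as a C string (pfkey_dump.c in this same patch prints them with `%s`). I would copy with a truncation check and fail the call, since every caller already frees the message and returns -1 on NULL: `if (internal_if != NULL && strlcpy(p->sadb_x_ipsecif_internal_if, internal_if, sizeof(p->sadb_x_ipsecif_internal_if)) >= sizeof(p->sadb_x_ipsecif_internal_if)) return NULL;` and the same for the other two (strlcpy is available on this Apple build; otherwise test `strlen(name) < sizeof(field)` first). Setting `__ipsec_errcode` on that path, as the prefix-length checks in pfkey_send_x4 do, would make the failure diagnosable. `init_disabled` is declared `int` here while the caller passes `u_int disabled`; harmless for 0/1, but one type would be cleaner.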
diff --git a/ipsec-tools/Common/pfkey_dump.c b/ipsec-tools/Common/pfkey_dump.c index 6ee8a4b..ecfa1a0 100644 --- a/ipsec-tools/Common/pfkey_dump.c +++ b/ipsec-tools/Common/pfkey_dump.c @@ -42,7 +42,7 @@ # include #endif -#include +#include #include #include @@ -105,14 +105,14 @@ do { \ printf("%u ", (num)); \ } while (/*CONSTCOND*/0) -static char *str_ipaddr __P((struct sockaddr *)); -static char *str_ipport __P((struct sockaddr *)); -static char *str_prefport __P((u_int, u_int, u_int, u_int)); -static void str_upperspec __P((u_int, u_int, u_int)); -static char *str_time __P((time_t)); -static void str_lifetime_byte __P((struct sadb_lifetime *, char *)); -static void pfkey_sadump1(struct sadb_msg *, int); -static void pfkey_spdump1(struct sadb_msg *, int); +static char *str_ipaddr (struct sockaddr *); +static char *str_ipport (struct sockaddr *); +static char *str_prefport (u_int, u_int, u_int, u_int); +static void str_upperspec (u_int, u_int, u_int); +static char *str_time (time_t); +static void str_lifetime_byte (struct sadb_lifetime *, char *); +static void pfkey_sadump1 (struct sadb_msg *, int); +static void pfkey_spdump1 (struct sadb_msg *, int); struct val2str { int val; 
@@ -458,22 +458,52 @@ pfkey_spdump_withports(m) pfkey_spdump1(m, 1); } +static void +pfkey_dump_single_address (struct sadb_address *addr) +{ + u_int16_t port = 0; + char pbuf[NI_MAXSERV]; + struct sockaddr *sa; + sa = (void *)(addr + 1); + switch (sa->sa_family) { + case AF_INET: + case AF_INET6: + if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL, + 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) + port = 0; /*XXX*/ + else + port = atoi(pbuf); + printf("%s%s", str_ipaddr(sa), + str_prefport((u_int)sa->sa_family, + (u_int)addr->sadb_address_prefixlen, + (u_int)port, + (u_int)addr->sadb_address_proto)); + break; + default: + printf("unknown-af"); + break; + } + +} + static void pfkey_spdump1(m, withports) - struct sadb_msg *m; - int withports; +struct sadb_msg *m; +int withports; { char pbuf[NI_MAXSERV]; caddr_t mhp[SADB_EXT_MAX + 1]; struct sadb_address *m_saddr, *m_daddr; + struct sadb_address *m_saddr_s, *m_saddr_e, *m_daddr_s, *m_daddr_e; #ifdef SADB_X_EXT_TAG struct sadb_x_tag *m_tag; #endif struct sadb_x_policy *m_xpl; struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL; + struct sadb_x_ipsecif *m_ipif = NULL; struct sockaddr *sa; u_int16_t sport = 0, dport = 0; - + /* check pfkey message. */ if (pfkey_align(m, mhp)) { printf("%s\n", ipsec_strerror()); 
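Review bot: The new pfkey_dump_single_address helper duplicates the address/port printing that pfkey_spdump1 still carries inline for the non-range branches in the next hunk, because the helper cannot hand back the port it parsed and `str_upperspec` needs `sport`/`dport`. Giving it an out-parameter, `static void pfkey_dump_single_address(struct sadb_address *addr, u_int16_t *port_out)`, and storing the parsed `port` through it would let the single and range branches share one copy, and would stop `sport`/`dport` from staying 0 on the range path. The `/*XXX*/` `atoi(pbuf)` inherited from the old code would be better as `strtoul` with an end-pointer check, but that is pre-existing. pfkey_spdump1 continues past this hunk.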
@@ -483,67 +513,88 @@ pfkey_spdump1(m, withports) printf("%s\n", ipsec_strerror()); return; } - + m_saddr = (void *)mhp[SADB_EXT_ADDRESS_SRC]; m_daddr = (void *)mhp[SADB_EXT_ADDRESS_DST]; + m_saddr_s = (void *)mhp[SADB_X_EXT_ADDR_RANGE_SRC_START]; + m_saddr_e = (void *)mhp[SADB_X_EXT_ADDR_RANGE_SRC_END]; + m_daddr_s = (void *)mhp[SADB_X_EXT_ADDR_RANGE_DST_START]; + m_daddr_e = (void *)mhp[SADB_X_EXT_ADDR_RANGE_DST_END]; #ifdef SADB_X_EXT_TAG m_tag = (void *)mhp[SADB_X_EXT_TAG]; #endif m_xpl = (void *)mhp[SADB_X_EXT_POLICY]; m_lftc = (void *)mhp[SADB_EXT_LIFETIME_CURRENT]; m_lfth = (void *)mhp[SADB_EXT_LIFETIME_HARD]; - - if (m_saddr && m_daddr) { + m_ipif = (void *)mhp[SADB_X_EXT_IPSECIF]; + + if ((m_saddr || (m_saddr_s && m_saddr_e)) && (m_daddr || (m_daddr_s && m_daddr_e))) { /* source address */ - sa = (void *)(m_saddr + 1); - switch (sa->sa_family) { - case AF_INET: - case AF_INET6: - if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL, - 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) - sport = 0; /*XXX*/ - else - sport = atoi(pbuf); - printf("%s%s ", str_ipaddr(sa), - str_prefport((u_int)sa->sa_family, - (u_int)m_saddr->sadb_address_prefixlen, - (u_int)sport, - (u_int)m_saddr->sadb_address_proto)); - break; - default: - printf("unknown-af "); - break; - } - + if (m_saddr_s && m_saddr_e) { + pfkey_dump_single_address(m_saddr_s); + printf("-"); + pfkey_dump_single_address(m_saddr_e); + printf(" "); + } else if (m_saddr) { + sa = (void *)(m_saddr + 1); + switch (sa->sa_family) { + case AF_INET: + case AF_INET6: + if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL, + 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) + sport = 0; /*XXX*/ + else + sport = atoi(pbuf); + printf("%s%s ", str_ipaddr(sa), + str_prefport((u_int)sa->sa_family, + (u_int)m_saddr->sadb_address_prefixlen, + (u_int)sport, + (u_int)m_saddr->sadb_address_proto)); + break; + default: + printf("unknown-af "); + break; + } + } + /* destination address */ - sa = 
(void *)(m_daddr + 1); - switch (sa->sa_family) { - case AF_INET: - case AF_INET6: - if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL, - 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) - dport = 0; /*XXX*/ - else - dport = atoi(pbuf); - printf("%s%s ", str_ipaddr(sa), - str_prefport((u_int)sa->sa_family, - (u_int)m_daddr->sadb_address_prefixlen, - (u_int)dport, - (u_int)m_saddr->sadb_address_proto)); - break; - default: - printf("unknown-af "); - break; - } - + if (m_daddr_s && m_daddr_e) { + pfkey_dump_single_address(m_daddr_s); + printf("-"); + pfkey_dump_single_address(m_daddr_e); + printf(" "); + } else if (m_daddr) { + sa = (void *)(m_daddr + 1); + switch (sa->sa_family) { + case AF_INET: + case AF_INET6: + if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL, + 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) + dport = 0; /*XXX*/ + else + dport = atoi(pbuf); + printf("%s%s ", str_ipaddr(sa), + str_prefport((u_int)sa->sa_family, + (u_int)m_daddr->sadb_address_prefixlen, + (u_int)dport, + (u_int)m_daddr->sadb_address_proto)); + break; + default: + printf("unknown-af "); + break; + } + } + /* upper layer protocol */ - if (m_saddr->sadb_address_proto != - m_daddr->sadb_address_proto) { - printf("upper layer protocol mismatched.\n"); - return; - } - str_upperspec((u_int)m_saddr->sadb_address_proto, (u_int)sport, - (u_int)dport); + if (m_saddr && m_daddr) { + if (m_saddr->sadb_address_proto != + m_daddr->sadb_address_proto) { + printf("upper layer protocol mismatched.\n"); + return; + } + str_upperspec((u_int)m_saddr->sadb_address_proto, (u_int)sport, + (u_int)dport); + } } #ifdef SADB_X_EXT_TAG else if (m_tag) 
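Review bot: For a range selector the upper-layer protocol is never printed: the `str_upperspec` call at the end of this hunk is now guarded by `if (m_saddr && m_daddr)`, which is false whenever either side arrived as ADDR_RANGE_*_START/END, although those extensions are `struct sadb_address` too and carry `sadb_address_proto`. The outer `if` already guarantees that each side has either the single address or both range ends, so the proto can be taken from whichever is present, as below; `sport`/`dport` still stay 0 on the range path because pfkey_dump_single_address does not return the port. pfkey_spdump1 begins and ends outside this hunk.
```c
		/* … unchanged: source/destination address printing … */
		/* upper layer protocol: the range start extension carries sadb_address_proto too */
		{
			struct sadb_address *sp = m_saddr ? m_saddr : m_saddr_s;
			struct sadb_address *dp = m_daddr ? m_daddr : m_daddr_s;

			if (sp->sadb_address_proto != dp->sadb_address_proto) {
				printf("upper layer protocol mismatched.\n");
				return;
			}
			str_upperspec((u_int)sp->sadb_address_proto, (u_int)sport,
			    (u_int)dport);
		}
```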
@@ -551,52 +602,62 @@ pfkey_spdump1(m, withports) #endif else printf("(no selector, probably per-socket policy) "); - + /* policy */ { - char *d_xpl; - - if (m_xpl == NULL) { - printf("no X_POLICY extension.\n"); - return; - } - if (withports) - d_xpl = ipsec_dump_policy_withports(m_xpl, "\n\t"); - else - d_xpl = ipsec_dump_policy((ipsec_policy_t)m_xpl, "\n\t"); + char *d_xpl; + + if (m_xpl == NULL) { + printf("no X_POLICY extension.\n"); + return; + } + if (withports) + d_xpl = ipsec_dump_policy_withports(m_xpl, "\n\t"); + else + d_xpl = ipsec_dump_policy((ipsec_policy_t)m_xpl, "\n\t"); - if (!d_xpl) - printf("\n\tPolicy:[%s]\n", ipsec_strerror()); - else { - /* dump SPD */ - printf("\n\t%s\n", d_xpl); - free(d_xpl); - } + if (!d_xpl) + printf("\n\tPolicy:[%s]\n", ipsec_strerror()); + else { + /* dump SPD */ + printf("\n\t%s\n", d_xpl); + free(d_xpl); + } } - + /* lifetime */ if (m_lftc) { printf("\tcreated: %s ", - str_time((long)m_lftc->sadb_lifetime_addtime)); + str_time((long)m_lftc->sadb_lifetime_addtime)); printf("lastused: %s\n", - str_time((long)m_lftc->sadb_lifetime_usetime)); + str_time((long)m_lftc->sadb_lifetime_usetime)); } if (m_lfth) { printf("\tlifetime: %lu(s) ", - (u_long)m_lfth->sadb_lifetime_addtime); + (u_long)m_lfth->sadb_lifetime_addtime); printf("validtime: %lu(s)\n", - (u_long)m_lfth->sadb_lifetime_usetime); + (u_long)m_lfth->sadb_lifetime_usetime); } - - + + if (m_ipif) { + printf("\t"); + if (m_ipif->sadb_x_ipsecif_internal_if[0]) + printf("Internal interface: %s ", m_ipif->sadb_x_ipsecif_internal_if); + if (m_ipif->sadb_x_ipsecif_outgoing_if[0]) + printf("Outgoing interface: %s ", m_ipif->sadb_x_ipsecif_outgoing_if); + if (m_ipif->sadb_x_ipsecif_ipsec_if[0]) + printf("IPSec interface: %s ", m_ipif->sadb_x_ipsecif_ipsec_if); + printf("Disabled: %d\n", m_ipif->sadb_x_ipsecif_init_disabled); + } + printf("\tspid=%ld seq=%ld pid=%ld\n", - (u_long)m_xpl->sadb_x_policy_id, - (u_long)m->sadb_msg_seq, - (u_long)m->sadb_msg_pid); - + 
(u_long)m_xpl->sadb_x_policy_id, + (u_long)m->sadb_msg_seq, + (u_long)m->sadb_msg_pid); + /* XXX TEST */ printf("\trefcnt=%u\n", m->sadb_msg_reserved); - + return; } diff --git a/ipsec-tools/libipsec/ipsec_dump_policy.c b/ipsec-tools/libipsec/ipsec_dump_policy.c index d69776b..6a03fd8 100644 --- a/ipsec-tools/libipsec/ipsec_dump_policy.c +++ b/ipsec-tools/libipsec/ipsec_dump_policy.c @@ -62,12 +62,12 @@ static const char *ipsp_policy_strs[] = { "discard", "none", "ipsec", "entrust", "bypass", "generate", }; -static char *ipsec_dump_ipsecrequest __P((char *, size_t, - struct sadb_x_ipsecrequest *, size_t, int)); -static char *ipsec_dump_policy1 __P((void *, const char *, int)); -static int set_addresses __P((char *, size_t, struct sockaddr *, - struct sockaddr *, int)); -static char *set_address __P((char *, size_t, struct sockaddr *, int)); +static char *ipsec_dump_ipsecrequest (char *, size_t, + struct sadb_x_ipsecrequest *, size_t, int); +static char *ipsec_dump_policy1 (void *, const char *, int); +static int set_addresses (char *, size_t, struct sockaddr *, + struct sockaddr *, int); +static char *set_address (char *, size_t, struct sockaddr *, int); /* * policy is sadb_x_policy buffer. diff --git a/ipsec-tools/libipsec/ipsec_get_policylen.c b/ipsec-tools/libipsec/ipsec_get_policylen.c index 7de42e7..8d0174a 100644 --- a/ipsec-tools/libipsec/ipsec_get_policylen.c +++ b/ipsec-tools/libipsec/ipsec_get_policylen.c @@ -45,7 +45,7 @@ #endif #ifdef __APPPLE__ -#include +#include #else #include #endif diff --git a/ipsec-tools/libipsec/ipsec_strerror.h b/ipsec-tools/libipsec/ipsec_strerror.h index 7c8c6dd..1903993 100644 --- a/ipsec-tools/libipsec/ipsec_strerror.h +++ b/ipsec-tools/libipsec/ipsec_strerror.h @@ -33,7 +33,7 @@ #define _IPSEC_STRERROR_H extern int __ipsec_errcode; -extern void __ipsec_set_strerror __P((const char *)); +extern void __ipsec_set_strerror (const char *); #define EIPSEC_NO_ERROR 0 /*success*/ #define EIPSEC_NOT_SUPPORTED 1 /*not supported*/ 
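Review bot: The three interface names are printed with `%s` straight out of the fixed-size `sadb_x_ipsecif_*_if` fields, and nothing here guarantees they are NUL-terminated — the library-side setter in this same patch fills them with `strncpy(..., sizeof(field))`, which drops the terminator for a full-length name, and the kernel's copy is not visible. Bounding the read to the field is cheap: `printf("Internal interface: %.*s ", (int)sizeof(m_ipif->sadb_x_ipsecif_internal_if), m_ipif->sadb_x_ipsecif_internal_if);` and likewise for the outgoing and IPSec interface lines. The `%ld` conversions with `u_long` arguments in the spid/seq/pid line are pre-existing but were re-indented here; `%lu` is the matching specifier. pfkey_spdump1 begins before this hunk.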
diff --git a/ipsec-tools/libipsec/policy_parse.y b/ipsec-tools/libipsec/policy_parse.y index 7e84cc3..337c944 100644 --- a/ipsec-tools/libipsec/policy_parse.y +++ b/ipsec-tools/libipsec/policy_parse.y @@ -109,20 +109,20 @@ static struct sockaddr_storage *p_src = NULL; static struct sockaddr_storage *p_dst = NULL; struct _val; -extern void yyerror __P((char *msg)); -static struct sockaddr_storage *parse_sockaddr __P((struct _val *addrbuf, - struct _val *portbuf)); -static int rule_check __P((void)); -static int init_x_policy __P((void)); -static int set_x_request __P((struct sockaddr_storage *, struct sockaddr_storage *)); -static int set_sockaddr __P((struct sockaddr_storage *)); -static void policy_parse_request_init __P((void)); -static void *policy_parse __P((const char *, int)); - -extern void __policy__strbuffer__init__ __P((const char *)); -extern void __policy__strbuffer__free__ __P((void)); -extern int yyparse __P((void)); -extern int yylex __P((void)); +extern void yyerror (char *msg); +static struct sockaddr_storage *parse_sockaddr (struct _val *addrbuf, + struct _val *portbuf); +static int rule_check (void); +static int init_x_policy(void); +static int set_x_request (struct sockaddr_storage *, struct sockaddr_storage *); +static int set_sockaddr (struct sockaddr_storage *); +static void policy_parse_request_init (void); +static void *policy_parse (const char *, int); + +extern void __policy__strbuffer__init__ (const char *); +extern void __policy__strbuffer__free__ (void); +extern int yyparse (void); +extern int yylex (void); extern char *__libipsectext; /*XXX*/ diff --git a/ipsec-tools/libipsec/policy_token.l b/ipsec-tools/libipsec/policy_token.l index 4e746a3..5f1fa56 100644 --- a/ipsec-tools/libipsec/policy_token.l +++ b/ipsec-tools/libipsec/policy_token.l @@ -37,7 +37,7 @@ #include #include #include -#include +#include #include #ifdef HAVE_NETINET6_IPSEC # include 
@@ -56,7 +56,7 @@ #include "y.tab.h" #define yylval __libipseclval /* XXX */ -int yylex __P((void)); +int yylex (void); %} %option noyywrap @@ -164,8 +164,8 @@ unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); } %% -void __policy__strbuffer__init__ __P((char *)); -void __policy__strbuffer__free__ __P((void)); +void __policy__strbuffer__init__ (char *); +void __policy__strbuffer__free__ (void); static YY_BUFFER_STATE strbuffer; diff --git a/ipsec-tools/libipsec/test-policy.c b/ipsec-tools/libipsec/test-policy.c index d6eb599..2d872d2 100644 --- a/ipsec-tools/libipsec/test-policy.c +++ b/ipsec-tools/libipsec/test-policy.c @@ -36,7 +36,7 @@ #include #include -#include +#include #include #include @@ -82,11 +82,11 @@ struct req_t { { 0, "out ipsec esp/transport/fec0::10-fec0::11/use" }, }; -int test1 __P((void)); -int test1sub1 __P((struct req_t *)); -int test1sub2 __P((char *, int)); -int test2 __P((void)); -int test2sub __P((int)); +int test1 (void); +int test1sub1 (struct req_t *); +int test1sub2 (char *, int); +int test2 (void); +int test2sub (int); int main(ac, av) diff --git a/ipsec-tools/racoon/Crypto/boxes-fst.dat b/ipsec-tools/racoon/Crypto/boxes-fst.dat deleted file mode 100644 index 50e6cb3..0000000 --- a/ipsec-tools/racoon/Crypto/boxes-fst.dat +++ /dev/null 
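Review bot: The rewritten prototype `void __policy__strbuffer__init__ (char *);` in policy_token.l disagrees with the one this patch writes in policy_parse.y, `extern void __policy__strbuffer__init__ (const char *);`; two translation units now declare the same function with incompatible types, which is undefined behaviour and may be flagged by LTO or a whole-program build. Pick one — `const char *` matches the caller side and is the safer contract — and change this line to `void __policy__strbuffer__init__ (const char *);`, adjusting the definition (outside this chunk) to match. The double-underscore names are also reserved for the implementation, but renaming is a larger change than this mechanical `__P` removal.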
@@ -1,957 +0,0 @@ -/* $KAME: boxes-fst.dat,v 1.6 2001/05/27 00:23:22 itojun Exp $ */ - -const word8 S[256] = { - 99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, -202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, -183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, - 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, - 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, - 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, -208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, - 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, -205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, - 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, -224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, -231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, -186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, -112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, -225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, -140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22 -}; - -#ifdef INTERMEDIATE_VALUE_KAT -static const word8 Si[256] = { - 82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215, 251, -124, 227, 57, 130, 155, 47, 255, 135, 52, 142, 67, 68, 196, 222, 233, 203, - 84, 123, 148, 50, 166, 194, 35, 61, 238, 76, 149, 11, 66, 250, 195, 78, - 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73, 109, 139, 209, 37, -114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92, 204, 93, 101, 182, 146, -108, 112, 72, 80, 253, 237, 185, 218, 94, 21, 70, 87, 167, 141, 157, 132, -144, 216, 171, 0, 140, 188, 211, 10, 247, 228, 88, 5, 184, 179, 69, 6, -208, 44, 30, 143, 202, 63, 15, 2, 193, 175, 189, 3, 1, 19, 138, 107, - 58, 145, 17, 65, 79, 103, 220, 
234, 151, 242, 207, 206, 240, 180, 230, 115, -150, 172, 116, 34, 231, 173, 53, 133, 226, 249, 55, 232, 28, 117, 223, 110, - 71, 241, 26, 113, 29, 41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27, -252, 86, 62, 75, 198, 210, 121, 32, 154, 219, 192, 254, 120, 205, 90, 244, - 31, 221, 168, 51, 136, 7, 199, 49, 177, 18, 16, 89, 39, 128, 236, 95, - 96, 81, 127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239, -160, 224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97, - 23, 43, 4, 126, 186, 119, 214, 38, 225, 105, 20, 99, 85, 33, 12, 125 -}; -#endif /* INTERMEDIATE_VALUE_KAT */ - -union xtab { - word32 xt32[256]; - word8 xt8[256][4]; -}; - -static const union xtab xT1 = { - .xt8 = { -{0xc6,0x63,0x63,0xa5}, {0xf8,0x7c,0x7c,0x84}, {0xee,0x77,0x77,0x99}, {0xf6,0x7b,0x7b,0x8d}, -{0xff,0xf2,0xf2,0x0d}, {0xd6,0x6b,0x6b,0xbd}, {0xde,0x6f,0x6f,0xb1}, {0x91,0xc5,0xc5,0x54}, -{0x60,0x30,0x30,0x50}, {0x02,0x01,0x01,0x03}, {0xce,0x67,0x67,0xa9}, {0x56,0x2b,0x2b,0x7d}, -{0xe7,0xfe,0xfe,0x19}, {0xb5,0xd7,0xd7,0x62}, {0x4d,0xab,0xab,0xe6}, {0xec,0x76,0x76,0x9a}, -{0x8f,0xca,0xca,0x45}, {0x1f,0x82,0x82,0x9d}, {0x89,0xc9,0xc9,0x40}, {0xfa,0x7d,0x7d,0x87}, -{0xef,0xfa,0xfa,0x15}, {0xb2,0x59,0x59,0xeb}, {0x8e,0x47,0x47,0xc9}, {0xfb,0xf0,0xf0,0x0b}, -{0x41,0xad,0xad,0xec}, {0xb3,0xd4,0xd4,0x67}, {0x5f,0xa2,0xa2,0xfd}, {0x45,0xaf,0xaf,0xea}, -{0x23,0x9c,0x9c,0xbf}, {0x53,0xa4,0xa4,0xf7}, {0xe4,0x72,0x72,0x96}, {0x9b,0xc0,0xc0,0x5b}, -{0x75,0xb7,0xb7,0xc2}, {0xe1,0xfd,0xfd,0x1c}, {0x3d,0x93,0x93,0xae}, {0x4c,0x26,0x26,0x6a}, -{0x6c,0x36,0x36,0x5a}, {0x7e,0x3f,0x3f,0x41}, {0xf5,0xf7,0xf7,0x02}, {0x83,0xcc,0xcc,0x4f}, -{0x68,0x34,0x34,0x5c}, {0x51,0xa5,0xa5,0xf4}, {0xd1,0xe5,0xe5,0x34}, {0xf9,0xf1,0xf1,0x08}, -{0xe2,0x71,0x71,0x93}, {0xab,0xd8,0xd8,0x73}, {0x62,0x31,0x31,0x53}, {0x2a,0x15,0x15,0x3f}, -{0x08,0x04,0x04,0x0c}, {0x95,0xc7,0xc7,0x52}, {0x46,0x23,0x23,0x65}, {0x9d,0xc3,0xc3,0x5e}, -{0x30,0x18,0x18,0x28}, {0x37,0x96,0x96,0xa1}, {0x0a,0x05,0x05,0x0f}, 
{0x2f,0x9a,0x9a,0xb5}, -{0x0e,0x07,0x07,0x09}, {0x24,0x12,0x12,0x36}, {0x1b,0x80,0x80,0x9b}, {0xdf,0xe2,0xe2,0x3d}, -{0xcd,0xeb,0xeb,0x26}, {0x4e,0x27,0x27,0x69}, {0x7f,0xb2,0xb2,0xcd}, {0xea,0x75,0x75,0x9f}, -{0x12,0x09,0x09,0x1b}, {0x1d,0x83,0x83,0x9e}, {0x58,0x2c,0x2c,0x74}, {0x34,0x1a,0x1a,0x2e}, -{0x36,0x1b,0x1b,0x2d}, {0xdc,0x6e,0x6e,0xb2}, {0xb4,0x5a,0x5a,0xee}, {0x5b,0xa0,0xa0,0xfb}, -{0xa4,0x52,0x52,0xf6}, {0x76,0x3b,0x3b,0x4d}, {0xb7,0xd6,0xd6,0x61}, {0x7d,0xb3,0xb3,0xce}, -{0x52,0x29,0x29,0x7b}, {0xdd,0xe3,0xe3,0x3e}, {0x5e,0x2f,0x2f,0x71}, {0x13,0x84,0x84,0x97}, -{0xa6,0x53,0x53,0xf5}, {0xb9,0xd1,0xd1,0x68}, {0x00,0x00,0x00,0x00}, {0xc1,0xed,0xed,0x2c}, -{0x40,0x20,0x20,0x60}, {0xe3,0xfc,0xfc,0x1f}, {0x79,0xb1,0xb1,0xc8}, {0xb6,0x5b,0x5b,0xed}, -{0xd4,0x6a,0x6a,0xbe}, {0x8d,0xcb,0xcb,0x46}, {0x67,0xbe,0xbe,0xd9}, {0x72,0x39,0x39,0x4b}, -{0x94,0x4a,0x4a,0xde}, {0x98,0x4c,0x4c,0xd4}, {0xb0,0x58,0x58,0xe8}, {0x85,0xcf,0xcf,0x4a}, -{0xbb,0xd0,0xd0,0x6b}, {0xc5,0xef,0xef,0x2a}, {0x4f,0xaa,0xaa,0xe5}, {0xed,0xfb,0xfb,0x16}, -{0x86,0x43,0x43,0xc5}, {0x9a,0x4d,0x4d,0xd7}, {0x66,0x33,0x33,0x55}, {0x11,0x85,0x85,0x94}, -{0x8a,0x45,0x45,0xcf}, {0xe9,0xf9,0xf9,0x10}, {0x04,0x02,0x02,0x06}, {0xfe,0x7f,0x7f,0x81}, -{0xa0,0x50,0x50,0xf0}, {0x78,0x3c,0x3c,0x44}, {0x25,0x9f,0x9f,0xba}, {0x4b,0xa8,0xa8,0xe3}, -{0xa2,0x51,0x51,0xf3}, {0x5d,0xa3,0xa3,0xfe}, {0x80,0x40,0x40,0xc0}, {0x05,0x8f,0x8f,0x8a}, -{0x3f,0x92,0x92,0xad}, {0x21,0x9d,0x9d,0xbc}, {0x70,0x38,0x38,0x48}, {0xf1,0xf5,0xf5,0x04}, -{0x63,0xbc,0xbc,0xdf}, {0x77,0xb6,0xb6,0xc1}, {0xaf,0xda,0xda,0x75}, {0x42,0x21,0x21,0x63}, -{0x20,0x10,0x10,0x30}, {0xe5,0xff,0xff,0x1a}, {0xfd,0xf3,0xf3,0x0e}, {0xbf,0xd2,0xd2,0x6d}, -{0x81,0xcd,0xcd,0x4c}, {0x18,0x0c,0x0c,0x14}, {0x26,0x13,0x13,0x35}, {0xc3,0xec,0xec,0x2f}, -{0xbe,0x5f,0x5f,0xe1}, {0x35,0x97,0x97,0xa2}, {0x88,0x44,0x44,0xcc}, {0x2e,0x17,0x17,0x39}, -{0x93,0xc4,0xc4,0x57}, {0x55,0xa7,0xa7,0xf2}, {0xfc,0x7e,0x7e,0x82}, {0x7a,0x3d,0x3d,0x47}, -{0xc8,0x64,0x64,0xac}, 
{0xba,0x5d,0x5d,0xe7}, {0x32,0x19,0x19,0x2b}, {0xe6,0x73,0x73,0x95}, -{0xc0,0x60,0x60,0xa0}, {0x19,0x81,0x81,0x98}, {0x9e,0x4f,0x4f,0xd1}, {0xa3,0xdc,0xdc,0x7f}, -{0x44,0x22,0x22,0x66}, {0x54,0x2a,0x2a,0x7e}, {0x3b,0x90,0x90,0xab}, {0x0b,0x88,0x88,0x83}, -{0x8c,0x46,0x46,0xca}, {0xc7,0xee,0xee,0x29}, {0x6b,0xb8,0xb8,0xd3}, {0x28,0x14,0x14,0x3c}, -{0xa7,0xde,0xde,0x79}, {0xbc,0x5e,0x5e,0xe2}, {0x16,0x0b,0x0b,0x1d}, {0xad,0xdb,0xdb,0x76}, -{0xdb,0xe0,0xe0,0x3b}, {0x64,0x32,0x32,0x56}, {0x74,0x3a,0x3a,0x4e}, {0x14,0x0a,0x0a,0x1e}, -{0x92,0x49,0x49,0xdb}, {0x0c,0x06,0x06,0x0a}, {0x48,0x24,0x24,0x6c}, {0xb8,0x5c,0x5c,0xe4}, -{0x9f,0xc2,0xc2,0x5d}, {0xbd,0xd3,0xd3,0x6e}, {0x43,0xac,0xac,0xef}, {0xc4,0x62,0x62,0xa6}, -{0x39,0x91,0x91,0xa8}, {0x31,0x95,0x95,0xa4}, {0xd3,0xe4,0xe4,0x37}, {0xf2,0x79,0x79,0x8b}, -{0xd5,0xe7,0xe7,0x32}, {0x8b,0xc8,0xc8,0x43}, {0x6e,0x37,0x37,0x59}, {0xda,0x6d,0x6d,0xb7}, -{0x01,0x8d,0x8d,0x8c}, {0xb1,0xd5,0xd5,0x64}, {0x9c,0x4e,0x4e,0xd2}, {0x49,0xa9,0xa9,0xe0}, -{0xd8,0x6c,0x6c,0xb4}, {0xac,0x56,0x56,0xfa}, {0xf3,0xf4,0xf4,0x07}, {0xcf,0xea,0xea,0x25}, -{0xca,0x65,0x65,0xaf}, {0xf4,0x7a,0x7a,0x8e}, {0x47,0xae,0xae,0xe9}, {0x10,0x08,0x08,0x18}, -{0x6f,0xba,0xba,0xd5}, {0xf0,0x78,0x78,0x88}, {0x4a,0x25,0x25,0x6f}, {0x5c,0x2e,0x2e,0x72}, -{0x38,0x1c,0x1c,0x24}, {0x57,0xa6,0xa6,0xf1}, {0x73,0xb4,0xb4,0xc7}, {0x97,0xc6,0xc6,0x51}, -{0xcb,0xe8,0xe8,0x23}, {0xa1,0xdd,0xdd,0x7c}, {0xe8,0x74,0x74,0x9c}, {0x3e,0x1f,0x1f,0x21}, -{0x96,0x4b,0x4b,0xdd}, {0x61,0xbd,0xbd,0xdc}, {0x0d,0x8b,0x8b,0x86}, {0x0f,0x8a,0x8a,0x85}, -{0xe0,0x70,0x70,0x90}, {0x7c,0x3e,0x3e,0x42}, {0x71,0xb5,0xb5,0xc4}, {0xcc,0x66,0x66,0xaa}, -{0x90,0x48,0x48,0xd8}, {0x06,0x03,0x03,0x05}, {0xf7,0xf6,0xf6,0x01}, {0x1c,0x0e,0x0e,0x12}, -{0xc2,0x61,0x61,0xa3}, {0x6a,0x35,0x35,0x5f}, {0xae,0x57,0x57,0xf9}, {0x69,0xb9,0xb9,0xd0}, -{0x17,0x86,0x86,0x91}, {0x99,0xc1,0xc1,0x58}, {0x3a,0x1d,0x1d,0x27}, {0x27,0x9e,0x9e,0xb9}, -{0xd9,0xe1,0xe1,0x38}, {0xeb,0xf8,0xf8,0x13}, {0x2b,0x98,0x98,0xb3}, 
{0x22,0x11,0x11,0x33}, -{0xd2,0x69,0x69,0xbb}, {0xa9,0xd9,0xd9,0x70}, {0x07,0x8e,0x8e,0x89}, {0x33,0x94,0x94,0xa7}, -{0x2d,0x9b,0x9b,0xb6}, {0x3c,0x1e,0x1e,0x22}, {0x15,0x87,0x87,0x92}, {0xc9,0xe9,0xe9,0x20}, -{0x87,0xce,0xce,0x49}, {0xaa,0x55,0x55,0xff}, {0x50,0x28,0x28,0x78}, {0xa5,0xdf,0xdf,0x7a}, -{0x03,0x8c,0x8c,0x8f}, {0x59,0xa1,0xa1,0xf8}, {0x09,0x89,0x89,0x80}, {0x1a,0x0d,0x0d,0x17}, -{0x65,0xbf,0xbf,0xda}, {0xd7,0xe6,0xe6,0x31}, {0x84,0x42,0x42,0xc6}, {0xd0,0x68,0x68,0xb8}, -{0x82,0x41,0x41,0xc3}, {0x29,0x99,0x99,0xb0}, {0x5a,0x2d,0x2d,0x77}, {0x1e,0x0f,0x0f,0x11}, -{0x7b,0xb0,0xb0,0xcb}, {0xa8,0x54,0x54,0xfc}, {0x6d,0xbb,0xbb,0xd6}, {0x2c,0x16,0x16,0x3a} - } -}; -#define T1 xT1.xt8 - -static const union xtab xT2 = { - .xt8 = { -{0xa5,0xc6,0x63,0x63}, {0x84,0xf8,0x7c,0x7c}, {0x99,0xee,0x77,0x77}, {0x8d,0xf6,0x7b,0x7b}, -{0x0d,0xff,0xf2,0xf2}, {0xbd,0xd6,0x6b,0x6b}, {0xb1,0xde,0x6f,0x6f}, {0x54,0x91,0xc5,0xc5}, -{0x50,0x60,0x30,0x30}, {0x03,0x02,0x01,0x01}, {0xa9,0xce,0x67,0x67}, {0x7d,0x56,0x2b,0x2b}, -{0x19,0xe7,0xfe,0xfe}, {0x62,0xb5,0xd7,0xd7}, {0xe6,0x4d,0xab,0xab}, {0x9a,0xec,0x76,0x76}, -{0x45,0x8f,0xca,0xca}, {0x9d,0x1f,0x82,0x82}, {0x40,0x89,0xc9,0xc9}, {0x87,0xfa,0x7d,0x7d}, -{0x15,0xef,0xfa,0xfa}, {0xeb,0xb2,0x59,0x59}, {0xc9,0x8e,0x47,0x47}, {0x0b,0xfb,0xf0,0xf0}, -{0xec,0x41,0xad,0xad}, {0x67,0xb3,0xd4,0xd4}, {0xfd,0x5f,0xa2,0xa2}, {0xea,0x45,0xaf,0xaf}, -{0xbf,0x23,0x9c,0x9c}, {0xf7,0x53,0xa4,0xa4}, {0x96,0xe4,0x72,0x72}, {0x5b,0x9b,0xc0,0xc0}, -{0xc2,0x75,0xb7,0xb7}, {0x1c,0xe1,0xfd,0xfd}, {0xae,0x3d,0x93,0x93}, {0x6a,0x4c,0x26,0x26}, -{0x5a,0x6c,0x36,0x36}, {0x41,0x7e,0x3f,0x3f}, {0x02,0xf5,0xf7,0xf7}, {0x4f,0x83,0xcc,0xcc}, -{0x5c,0x68,0x34,0x34}, {0xf4,0x51,0xa5,0xa5}, {0x34,0xd1,0xe5,0xe5}, {0x08,0xf9,0xf1,0xf1}, -{0x93,0xe2,0x71,0x71}, {0x73,0xab,0xd8,0xd8}, {0x53,0x62,0x31,0x31}, {0x3f,0x2a,0x15,0x15}, -{0x0c,0x08,0x04,0x04}, {0x52,0x95,0xc7,0xc7}, {0x65,0x46,0x23,0x23}, {0x5e,0x9d,0xc3,0xc3}, -{0x28,0x30,0x18,0x18}, 
{0xa1,0x37,0x96,0x96}, {0x0f,0x0a,0x05,0x05}, {0xb5,0x2f,0x9a,0x9a}, -{0x09,0x0e,0x07,0x07}, {0x36,0x24,0x12,0x12}, {0x9b,0x1b,0x80,0x80}, {0x3d,0xdf,0xe2,0xe2}, -{0x26,0xcd,0xeb,0xeb}, {0x69,0x4e,0x27,0x27}, {0xcd,0x7f,0xb2,0xb2}, {0x9f,0xea,0x75,0x75}, -{0x1b,0x12,0x09,0x09}, {0x9e,0x1d,0x83,0x83}, {0x74,0x58,0x2c,0x2c}, {0x2e,0x34,0x1a,0x1a}, -{0x2d,0x36,0x1b,0x1b}, {0xb2,0xdc,0x6e,0x6e}, {0xee,0xb4,0x5a,0x5a}, {0xfb,0x5b,0xa0,0xa0}, -{0xf6,0xa4,0x52,0x52}, {0x4d,0x76,0x3b,0x3b}, {0x61,0xb7,0xd6,0xd6}, {0xce,0x7d,0xb3,0xb3}, -{0x7b,0x52,0x29,0x29}, {0x3e,0xdd,0xe3,0xe3}, {0x71,0x5e,0x2f,0x2f}, {0x97,0x13,0x84,0x84}, -{0xf5,0xa6,0x53,0x53}, {0x68,0xb9,0xd1,0xd1}, {0x00,0x00,0x00,0x00}, {0x2c,0xc1,0xed,0xed}, -{0x60,0x40,0x20,0x20}, {0x1f,0xe3,0xfc,0xfc}, {0xc8,0x79,0xb1,0xb1}, {0xed,0xb6,0x5b,0x5b}, -{0xbe,0xd4,0x6a,0x6a}, {0x46,0x8d,0xcb,0xcb}, {0xd9,0x67,0xbe,0xbe}, {0x4b,0x72,0x39,0x39}, -{0xde,0x94,0x4a,0x4a}, {0xd4,0x98,0x4c,0x4c}, {0xe8,0xb0,0x58,0x58}, {0x4a,0x85,0xcf,0xcf}, -{0x6b,0xbb,0xd0,0xd0}, {0x2a,0xc5,0xef,0xef}, {0xe5,0x4f,0xaa,0xaa}, {0x16,0xed,0xfb,0xfb}, -{0xc5,0x86,0x43,0x43}, {0xd7,0x9a,0x4d,0x4d}, {0x55,0x66,0x33,0x33}, {0x94,0x11,0x85,0x85}, -{0xcf,0x8a,0x45,0x45}, {0x10,0xe9,0xf9,0xf9}, {0x06,0x04,0x02,0x02}, {0x81,0xfe,0x7f,0x7f}, -{0xf0,0xa0,0x50,0x50}, {0x44,0x78,0x3c,0x3c}, {0xba,0x25,0x9f,0x9f}, {0xe3,0x4b,0xa8,0xa8}, -{0xf3,0xa2,0x51,0x51}, {0xfe,0x5d,0xa3,0xa3}, {0xc0,0x80,0x40,0x40}, {0x8a,0x05,0x8f,0x8f}, -{0xad,0x3f,0x92,0x92}, {0xbc,0x21,0x9d,0x9d}, {0x48,0x70,0x38,0x38}, {0x04,0xf1,0xf5,0xf5}, -{0xdf,0x63,0xbc,0xbc}, {0xc1,0x77,0xb6,0xb6}, {0x75,0xaf,0xda,0xda}, {0x63,0x42,0x21,0x21}, -{0x30,0x20,0x10,0x10}, {0x1a,0xe5,0xff,0xff}, {0x0e,0xfd,0xf3,0xf3}, {0x6d,0xbf,0xd2,0xd2}, -{0x4c,0x81,0xcd,0xcd}, {0x14,0x18,0x0c,0x0c}, {0x35,0x26,0x13,0x13}, {0x2f,0xc3,0xec,0xec}, -{0xe1,0xbe,0x5f,0x5f}, {0xa2,0x35,0x97,0x97}, {0xcc,0x88,0x44,0x44}, {0x39,0x2e,0x17,0x17}, -{0x57,0x93,0xc4,0xc4}, {0xf2,0x55,0xa7,0xa7}, {0x82,0xfc,0x7e,0x7e}, 
{0x47,0x7a,0x3d,0x3d}, -{0xac,0xc8,0x64,0x64}, {0xe7,0xba,0x5d,0x5d}, {0x2b,0x32,0x19,0x19}, {0x95,0xe6,0x73,0x73}, -{0xa0,0xc0,0x60,0x60}, {0x98,0x19,0x81,0x81}, {0xd1,0x9e,0x4f,0x4f}, {0x7f,0xa3,0xdc,0xdc}, -{0x66,0x44,0x22,0x22}, {0x7e,0x54,0x2a,0x2a}, {0xab,0x3b,0x90,0x90}, {0x83,0x0b,0x88,0x88}, -{0xca,0x8c,0x46,0x46}, {0x29,0xc7,0xee,0xee}, {0xd3,0x6b,0xb8,0xb8}, {0x3c,0x28,0x14,0x14}, -{0x79,0xa7,0xde,0xde}, {0xe2,0xbc,0x5e,0x5e}, {0x1d,0x16,0x0b,0x0b}, {0x76,0xad,0xdb,0xdb}, -{0x3b,0xdb,0xe0,0xe0}, {0x56,0x64,0x32,0x32}, {0x4e,0x74,0x3a,0x3a}, {0x1e,0x14,0x0a,0x0a}, -{0xdb,0x92,0x49,0x49}, {0x0a,0x0c,0x06,0x06}, {0x6c,0x48,0x24,0x24}, {0xe4,0xb8,0x5c,0x5c}, -{0x5d,0x9f,0xc2,0xc2}, {0x6e,0xbd,0xd3,0xd3}, {0xef,0x43,0xac,0xac}, {0xa6,0xc4,0x62,0x62}, -{0xa8,0x39,0x91,0x91}, {0xa4,0x31,0x95,0x95}, {0x37,0xd3,0xe4,0xe4}, {0x8b,0xf2,0x79,0x79}, -{0x32,0xd5,0xe7,0xe7}, {0x43,0x8b,0xc8,0xc8}, {0x59,0x6e,0x37,0x37}, {0xb7,0xda,0x6d,0x6d}, -{0x8c,0x01,0x8d,0x8d}, {0x64,0xb1,0xd5,0xd5}, {0xd2,0x9c,0x4e,0x4e}, {0xe0,0x49,0xa9,0xa9}, -{0xb4,0xd8,0x6c,0x6c}, {0xfa,0xac,0x56,0x56}, {0x07,0xf3,0xf4,0xf4}, {0x25,0xcf,0xea,0xea}, -{0xaf,0xca,0x65,0x65}, {0x8e,0xf4,0x7a,0x7a}, {0xe9,0x47,0xae,0xae}, {0x18,0x10,0x08,0x08}, -{0xd5,0x6f,0xba,0xba}, {0x88,0xf0,0x78,0x78}, {0x6f,0x4a,0x25,0x25}, {0x72,0x5c,0x2e,0x2e}, -{0x24,0x38,0x1c,0x1c}, {0xf1,0x57,0xa6,0xa6}, {0xc7,0x73,0xb4,0xb4}, {0x51,0x97,0xc6,0xc6}, -{0x23,0xcb,0xe8,0xe8}, {0x7c,0xa1,0xdd,0xdd}, {0x9c,0xe8,0x74,0x74}, {0x21,0x3e,0x1f,0x1f}, -{0xdd,0x96,0x4b,0x4b}, {0xdc,0x61,0xbd,0xbd}, {0x86,0x0d,0x8b,0x8b}, {0x85,0x0f,0x8a,0x8a}, -{0x90,0xe0,0x70,0x70}, {0x42,0x7c,0x3e,0x3e}, {0xc4,0x71,0xb5,0xb5}, {0xaa,0xcc,0x66,0x66}, -{0xd8,0x90,0x48,0x48}, {0x05,0x06,0x03,0x03}, {0x01,0xf7,0xf6,0xf6}, {0x12,0x1c,0x0e,0x0e}, -{0xa3,0xc2,0x61,0x61}, {0x5f,0x6a,0x35,0x35}, {0xf9,0xae,0x57,0x57}, {0xd0,0x69,0xb9,0xb9}, -{0x91,0x17,0x86,0x86}, {0x58,0x99,0xc1,0xc1}, {0x27,0x3a,0x1d,0x1d}, {0xb9,0x27,0x9e,0x9e}, -{0x38,0xd9,0xe1,0xe1}, 
{0x13,0xeb,0xf8,0xf8}, {0xb3,0x2b,0x98,0x98}, {0x33,0x22,0x11,0x11}, -{0xbb,0xd2,0x69,0x69}, {0x70,0xa9,0xd9,0xd9}, {0x89,0x07,0x8e,0x8e}, {0xa7,0x33,0x94,0x94}, -{0xb6,0x2d,0x9b,0x9b}, {0x22,0x3c,0x1e,0x1e}, {0x92,0x15,0x87,0x87}, {0x20,0xc9,0xe9,0xe9}, -{0x49,0x87,0xce,0xce}, {0xff,0xaa,0x55,0x55}, {0x78,0x50,0x28,0x28}, {0x7a,0xa5,0xdf,0xdf}, -{0x8f,0x03,0x8c,0x8c}, {0xf8,0x59,0xa1,0xa1}, {0x80,0x09,0x89,0x89}, {0x17,0x1a,0x0d,0x0d}, -{0xda,0x65,0xbf,0xbf}, {0x31,0xd7,0xe6,0xe6}, {0xc6,0x84,0x42,0x42}, {0xb8,0xd0,0x68,0x68}, -{0xc3,0x82,0x41,0x41}, {0xb0,0x29,0x99,0x99}, {0x77,0x5a,0x2d,0x2d}, {0x11,0x1e,0x0f,0x0f}, -{0xcb,0x7b,0xb0,0xb0}, {0xfc,0xa8,0x54,0x54}, {0xd6,0x6d,0xbb,0xbb}, {0x3a,0x2c,0x16,0x16} - } -}; -#define T2 xT2.xt8 - -static const union xtab xT3 = { - .xt8 = { -{0x63,0xa5,0xc6,0x63}, {0x7c,0x84,0xf8,0x7c}, {0x77,0x99,0xee,0x77}, {0x7b,0x8d,0xf6,0x7b}, -{0xf2,0x0d,0xff,0xf2}, {0x6b,0xbd,0xd6,0x6b}, {0x6f,0xb1,0xde,0x6f}, {0xc5,0x54,0x91,0xc5}, -{0x30,0x50,0x60,0x30}, {0x01,0x03,0x02,0x01}, {0x67,0xa9,0xce,0x67}, {0x2b,0x7d,0x56,0x2b}, -{0xfe,0x19,0xe7,0xfe}, {0xd7,0x62,0xb5,0xd7}, {0xab,0xe6,0x4d,0xab}, {0x76,0x9a,0xec,0x76}, -{0xca,0x45,0x8f,0xca}, {0x82,0x9d,0x1f,0x82}, {0xc9,0x40,0x89,0xc9}, {0x7d,0x87,0xfa,0x7d}, -{0xfa,0x15,0xef,0xfa}, {0x59,0xeb,0xb2,0x59}, {0x47,0xc9,0x8e,0x47}, {0xf0,0x0b,0xfb,0xf0}, -{0xad,0xec,0x41,0xad}, {0xd4,0x67,0xb3,0xd4}, {0xa2,0xfd,0x5f,0xa2}, {0xaf,0xea,0x45,0xaf}, -{0x9c,0xbf,0x23,0x9c}, {0xa4,0xf7,0x53,0xa4}, {0x72,0x96,0xe4,0x72}, {0xc0,0x5b,0x9b,0xc0}, -{0xb7,0xc2,0x75,0xb7}, {0xfd,0x1c,0xe1,0xfd}, {0x93,0xae,0x3d,0x93}, {0x26,0x6a,0x4c,0x26}, -{0x36,0x5a,0x6c,0x36}, {0x3f,0x41,0x7e,0x3f}, {0xf7,0x02,0xf5,0xf7}, {0xcc,0x4f,0x83,0xcc}, -{0x34,0x5c,0x68,0x34}, {0xa5,0xf4,0x51,0xa5}, {0xe5,0x34,0xd1,0xe5}, {0xf1,0x08,0xf9,0xf1}, -{0x71,0x93,0xe2,0x71}, {0xd8,0x73,0xab,0xd8}, {0x31,0x53,0x62,0x31}, {0x15,0x3f,0x2a,0x15}, -{0x04,0x0c,0x08,0x04}, {0xc7,0x52,0x95,0xc7}, {0x23,0x65,0x46,0x23}, 
{0xc3,0x5e,0x9d,0xc3}, -{0x18,0x28,0x30,0x18}, {0x96,0xa1,0x37,0x96}, {0x05,0x0f,0x0a,0x05}, {0x9a,0xb5,0x2f,0x9a}, -{0x07,0x09,0x0e,0x07}, {0x12,0x36,0x24,0x12}, {0x80,0x9b,0x1b,0x80}, {0xe2,0x3d,0xdf,0xe2}, -{0xeb,0x26,0xcd,0xeb}, {0x27,0x69,0x4e,0x27}, {0xb2,0xcd,0x7f,0xb2}, {0x75,0x9f,0xea,0x75}, -{0x09,0x1b,0x12,0x09}, {0x83,0x9e,0x1d,0x83}, {0x2c,0x74,0x58,0x2c}, {0x1a,0x2e,0x34,0x1a}, -{0x1b,0x2d,0x36,0x1b}, {0x6e,0xb2,0xdc,0x6e}, {0x5a,0xee,0xb4,0x5a}, {0xa0,0xfb,0x5b,0xa0}, -{0x52,0xf6,0xa4,0x52}, {0x3b,0x4d,0x76,0x3b}, {0xd6,0x61,0xb7,0xd6}, {0xb3,0xce,0x7d,0xb3}, -{0x29,0x7b,0x52,0x29}, {0xe3,0x3e,0xdd,0xe3}, {0x2f,0x71,0x5e,0x2f}, {0x84,0x97,0x13,0x84}, -{0x53,0xf5,0xa6,0x53}, {0xd1,0x68,0xb9,0xd1}, {0x00,0x00,0x00,0x00}, {0xed,0x2c,0xc1,0xed}, -{0x20,0x60,0x40,0x20}, {0xfc,0x1f,0xe3,0xfc}, {0xb1,0xc8,0x79,0xb1}, {0x5b,0xed,0xb6,0x5b}, -{0x6a,0xbe,0xd4,0x6a}, {0xcb,0x46,0x8d,0xcb}, {0xbe,0xd9,0x67,0xbe}, {0x39,0x4b,0x72,0x39}, -{0x4a,0xde,0x94,0x4a}, {0x4c,0xd4,0x98,0x4c}, {0x58,0xe8,0xb0,0x58}, {0xcf,0x4a,0x85,0xcf}, -{0xd0,0x6b,0xbb,0xd0}, {0xef,0x2a,0xc5,0xef}, {0xaa,0xe5,0x4f,0xaa}, {0xfb,0x16,0xed,0xfb}, -{0x43,0xc5,0x86,0x43}, {0x4d,0xd7,0x9a,0x4d}, {0x33,0x55,0x66,0x33}, {0x85,0x94,0x11,0x85}, -{0x45,0xcf,0x8a,0x45}, {0xf9,0x10,0xe9,0xf9}, {0x02,0x06,0x04,0x02}, {0x7f,0x81,0xfe,0x7f}, -{0x50,0xf0,0xa0,0x50}, {0x3c,0x44,0x78,0x3c}, {0x9f,0xba,0x25,0x9f}, {0xa8,0xe3,0x4b,0xa8}, -{0x51,0xf3,0xa2,0x51}, {0xa3,0xfe,0x5d,0xa3}, {0x40,0xc0,0x80,0x40}, {0x8f,0x8a,0x05,0x8f}, -{0x92,0xad,0x3f,0x92}, {0x9d,0xbc,0x21,0x9d}, {0x38,0x48,0x70,0x38}, {0xf5,0x04,0xf1,0xf5}, -{0xbc,0xdf,0x63,0xbc}, {0xb6,0xc1,0x77,0xb6}, {0xda,0x75,0xaf,0xda}, {0x21,0x63,0x42,0x21}, -{0x10,0x30,0x20,0x10}, {0xff,0x1a,0xe5,0xff}, {0xf3,0x0e,0xfd,0xf3}, {0xd2,0x6d,0xbf,0xd2}, -{0xcd,0x4c,0x81,0xcd}, {0x0c,0x14,0x18,0x0c}, {0x13,0x35,0x26,0x13}, {0xec,0x2f,0xc3,0xec}, -{0x5f,0xe1,0xbe,0x5f}, {0x97,0xa2,0x35,0x97}, {0x44,0xcc,0x88,0x44}, {0x17,0x39,0x2e,0x17}, -{0xc4,0x57,0x93,0xc4}, 
{0xa7,0xf2,0x55,0xa7}, {0x7e,0x82,0xfc,0x7e}, {0x3d,0x47,0x7a,0x3d}, -{0x64,0xac,0xc8,0x64}, {0x5d,0xe7,0xba,0x5d}, {0x19,0x2b,0x32,0x19}, {0x73,0x95,0xe6,0x73}, -{0x60,0xa0,0xc0,0x60}, {0x81,0x98,0x19,0x81}, {0x4f,0xd1,0x9e,0x4f}, {0xdc,0x7f,0xa3,0xdc}, -{0x22,0x66,0x44,0x22}, {0x2a,0x7e,0x54,0x2a}, {0x90,0xab,0x3b,0x90}, {0x88,0x83,0x0b,0x88}, -{0x46,0xca,0x8c,0x46}, {0xee,0x29,0xc7,0xee}, {0xb8,0xd3,0x6b,0xb8}, {0x14,0x3c,0x28,0x14}, -{0xde,0x79,0xa7,0xde}, {0x5e,0xe2,0xbc,0x5e}, {0x0b,0x1d,0x16,0x0b}, {0xdb,0x76,0xad,0xdb}, -{0xe0,0x3b,0xdb,0xe0}, {0x32,0x56,0x64,0x32}, {0x3a,0x4e,0x74,0x3a}, {0x0a,0x1e,0x14,0x0a}, -{0x49,0xdb,0x92,0x49}, {0x06,0x0a,0x0c,0x06}, {0x24,0x6c,0x48,0x24}, {0x5c,0xe4,0xb8,0x5c}, -{0xc2,0x5d,0x9f,0xc2}, {0xd3,0x6e,0xbd,0xd3}, {0xac,0xef,0x43,0xac}, {0x62,0xa6,0xc4,0x62}, -{0x91,0xa8,0x39,0x91}, {0x95,0xa4,0x31,0x95}, {0xe4,0x37,0xd3,0xe4}, {0x79,0x8b,0xf2,0x79}, -{0xe7,0x32,0xd5,0xe7}, {0xc8,0x43,0x8b,0xc8}, {0x37,0x59,0x6e,0x37}, {0x6d,0xb7,0xda,0x6d}, -{0x8d,0x8c,0x01,0x8d}, {0xd5,0x64,0xb1,0xd5}, {0x4e,0xd2,0x9c,0x4e}, {0xa9,0xe0,0x49,0xa9}, -{0x6c,0xb4,0xd8,0x6c}, {0x56,0xfa,0xac,0x56}, {0xf4,0x07,0xf3,0xf4}, {0xea,0x25,0xcf,0xea}, -{0x65,0xaf,0xca,0x65}, {0x7a,0x8e,0xf4,0x7a}, {0xae,0xe9,0x47,0xae}, {0x08,0x18,0x10,0x08}, -{0xba,0xd5,0x6f,0xba}, {0x78,0x88,0xf0,0x78}, {0x25,0x6f,0x4a,0x25}, {0x2e,0x72,0x5c,0x2e}, -{0x1c,0x24,0x38,0x1c}, {0xa6,0xf1,0x57,0xa6}, {0xb4,0xc7,0x73,0xb4}, {0xc6,0x51,0x97,0xc6}, -{0xe8,0x23,0xcb,0xe8}, {0xdd,0x7c,0xa1,0xdd}, {0x74,0x9c,0xe8,0x74}, {0x1f,0x21,0x3e,0x1f}, -{0x4b,0xdd,0x96,0x4b}, {0xbd,0xdc,0x61,0xbd}, {0x8b,0x86,0x0d,0x8b}, {0x8a,0x85,0x0f,0x8a}, -{0x70,0x90,0xe0,0x70}, {0x3e,0x42,0x7c,0x3e}, {0xb5,0xc4,0x71,0xb5}, {0x66,0xaa,0xcc,0x66}, -{0x48,0xd8,0x90,0x48}, {0x03,0x05,0x06,0x03}, {0xf6,0x01,0xf7,0xf6}, {0x0e,0x12,0x1c,0x0e}, -{0x61,0xa3,0xc2,0x61}, {0x35,0x5f,0x6a,0x35}, {0x57,0xf9,0xae,0x57}, {0xb9,0xd0,0x69,0xb9}, -{0x86,0x91,0x17,0x86}, {0xc1,0x58,0x99,0xc1}, {0x1d,0x27,0x3a,0x1d}, 
{0x9e,0xb9,0x27,0x9e}, -{0xe1,0x38,0xd9,0xe1}, {0xf8,0x13,0xeb,0xf8}, {0x98,0xb3,0x2b,0x98}, {0x11,0x33,0x22,0x11}, -{0x69,0xbb,0xd2,0x69}, {0xd9,0x70,0xa9,0xd9}, {0x8e,0x89,0x07,0x8e}, {0x94,0xa7,0x33,0x94}, -{0x9b,0xb6,0x2d,0x9b}, {0x1e,0x22,0x3c,0x1e}, {0x87,0x92,0x15,0x87}, {0xe9,0x20,0xc9,0xe9}, -{0xce,0x49,0x87,0xce}, {0x55,0xff,0xaa,0x55}, {0x28,0x78,0x50,0x28}, {0xdf,0x7a,0xa5,0xdf}, -{0x8c,0x8f,0x03,0x8c}, {0xa1,0xf8,0x59,0xa1}, {0x89,0x80,0x09,0x89}, {0x0d,0x17,0x1a,0x0d}, -{0xbf,0xda,0x65,0xbf}, {0xe6,0x31,0xd7,0xe6}, {0x42,0xc6,0x84,0x42}, {0x68,0xb8,0xd0,0x68}, -{0x41,0xc3,0x82,0x41}, {0x99,0xb0,0x29,0x99}, {0x2d,0x77,0x5a,0x2d}, {0x0f,0x11,0x1e,0x0f}, -{0xb0,0xcb,0x7b,0xb0}, {0x54,0xfc,0xa8,0x54}, {0xbb,0xd6,0x6d,0xbb}, {0x16,0x3a,0x2c,0x16} - } -}; -#define T3 xT3.xt8 - -static const union xtab xT4 = { - .xt8 = { -{0x63,0x63,0xa5,0xc6}, {0x7c,0x7c,0x84,0xf8}, {0x77,0x77,0x99,0xee}, {0x7b,0x7b,0x8d,0xf6}, -{0xf2,0xf2,0x0d,0xff}, {0x6b,0x6b,0xbd,0xd6}, {0x6f,0x6f,0xb1,0xde}, {0xc5,0xc5,0x54,0x91}, -{0x30,0x30,0x50,0x60}, {0x01,0x01,0x03,0x02}, {0x67,0x67,0xa9,0xce}, {0x2b,0x2b,0x7d,0x56}, -{0xfe,0xfe,0x19,0xe7}, {0xd7,0xd7,0x62,0xb5}, {0xab,0xab,0xe6,0x4d}, {0x76,0x76,0x9a,0xec}, -{0xca,0xca,0x45,0x8f}, {0x82,0x82,0x9d,0x1f}, {0xc9,0xc9,0x40,0x89}, {0x7d,0x7d,0x87,0xfa}, -{0xfa,0xfa,0x15,0xef}, {0x59,0x59,0xeb,0xb2}, {0x47,0x47,0xc9,0x8e}, {0xf0,0xf0,0x0b,0xfb}, -{0xad,0xad,0xec,0x41}, {0xd4,0xd4,0x67,0xb3}, {0xa2,0xa2,0xfd,0x5f}, {0xaf,0xaf,0xea,0x45}, -{0x9c,0x9c,0xbf,0x23}, {0xa4,0xa4,0xf7,0x53}, {0x72,0x72,0x96,0xe4}, {0xc0,0xc0,0x5b,0x9b}, -{0xb7,0xb7,0xc2,0x75}, {0xfd,0xfd,0x1c,0xe1}, {0x93,0x93,0xae,0x3d}, {0x26,0x26,0x6a,0x4c}, -{0x36,0x36,0x5a,0x6c}, {0x3f,0x3f,0x41,0x7e}, {0xf7,0xf7,0x02,0xf5}, {0xcc,0xcc,0x4f,0x83}, -{0x34,0x34,0x5c,0x68}, {0xa5,0xa5,0xf4,0x51}, {0xe5,0xe5,0x34,0xd1}, {0xf1,0xf1,0x08,0xf9}, -{0x71,0x71,0x93,0xe2}, {0xd8,0xd8,0x73,0xab}, {0x31,0x31,0x53,0x62}, {0x15,0x15,0x3f,0x2a}, -{0x04,0x04,0x0c,0x08}, 
{0xc7,0xc7,0x52,0x95}, {0x23,0x23,0x65,0x46}, {0xc3,0xc3,0x5e,0x9d}, -{0x18,0x18,0x28,0x30}, {0x96,0x96,0xa1,0x37}, {0x05,0x05,0x0f,0x0a}, {0x9a,0x9a,0xb5,0x2f}, -{0x07,0x07,0x09,0x0e}, {0x12,0x12,0x36,0x24}, {0x80,0x80,0x9b,0x1b}, {0xe2,0xe2,0x3d,0xdf}, -{0xeb,0xeb,0x26,0xcd}, {0x27,0x27,0x69,0x4e}, {0xb2,0xb2,0xcd,0x7f}, {0x75,0x75,0x9f,0xea}, -{0x09,0x09,0x1b,0x12}, {0x83,0x83,0x9e,0x1d}, {0x2c,0x2c,0x74,0x58}, {0x1a,0x1a,0x2e,0x34}, -{0x1b,0x1b,0x2d,0x36}, {0x6e,0x6e,0xb2,0xdc}, {0x5a,0x5a,0xee,0xb4}, {0xa0,0xa0,0xfb,0x5b}, -{0x52,0x52,0xf6,0xa4}, {0x3b,0x3b,0x4d,0x76}, {0xd6,0xd6,0x61,0xb7}, {0xb3,0xb3,0xce,0x7d}, -{0x29,0x29,0x7b,0x52}, {0xe3,0xe3,0x3e,0xdd}, {0x2f,0x2f,0x71,0x5e}, {0x84,0x84,0x97,0x13}, -{0x53,0x53,0xf5,0xa6}, {0xd1,0xd1,0x68,0xb9}, {0x00,0x00,0x00,0x00}, {0xed,0xed,0x2c,0xc1}, -{0x20,0x20,0x60,0x40}, {0xfc,0xfc,0x1f,0xe3}, {0xb1,0xb1,0xc8,0x79}, {0x5b,0x5b,0xed,0xb6}, -{0x6a,0x6a,0xbe,0xd4}, {0xcb,0xcb,0x46,0x8d}, {0xbe,0xbe,0xd9,0x67}, {0x39,0x39,0x4b,0x72}, -{0x4a,0x4a,0xde,0x94}, {0x4c,0x4c,0xd4,0x98}, {0x58,0x58,0xe8,0xb0}, {0xcf,0xcf,0x4a,0x85}, -{0xd0,0xd0,0x6b,0xbb}, {0xef,0xef,0x2a,0xc5}, {0xaa,0xaa,0xe5,0x4f}, {0xfb,0xfb,0x16,0xed}, -{0x43,0x43,0xc5,0x86}, {0x4d,0x4d,0xd7,0x9a}, {0x33,0x33,0x55,0x66}, {0x85,0x85,0x94,0x11}, -{0x45,0x45,0xcf,0x8a}, {0xf9,0xf9,0x10,0xe9}, {0x02,0x02,0x06,0x04}, {0x7f,0x7f,0x81,0xfe}, -{0x50,0x50,0xf0,0xa0}, {0x3c,0x3c,0x44,0x78}, {0x9f,0x9f,0xba,0x25}, {0xa8,0xa8,0xe3,0x4b}, -{0x51,0x51,0xf3,0xa2}, {0xa3,0xa3,0xfe,0x5d}, {0x40,0x40,0xc0,0x80}, {0x8f,0x8f,0x8a,0x05}, -{0x92,0x92,0xad,0x3f}, {0x9d,0x9d,0xbc,0x21}, {0x38,0x38,0x48,0x70}, {0xf5,0xf5,0x04,0xf1}, -{0xbc,0xbc,0xdf,0x63}, {0xb6,0xb6,0xc1,0x77}, {0xda,0xda,0x75,0xaf}, {0x21,0x21,0x63,0x42}, -{0x10,0x10,0x30,0x20}, {0xff,0xff,0x1a,0xe5}, {0xf3,0xf3,0x0e,0xfd}, {0xd2,0xd2,0x6d,0xbf}, -{0xcd,0xcd,0x4c,0x81}, {0x0c,0x0c,0x14,0x18}, {0x13,0x13,0x35,0x26}, {0xec,0xec,0x2f,0xc3}, -{0x5f,0x5f,0xe1,0xbe}, {0x97,0x97,0xa2,0x35}, {0x44,0x44,0xcc,0x88}, 
{0x17,0x17,0x39,0x2e}, -{0xc4,0xc4,0x57,0x93}, {0xa7,0xa7,0xf2,0x55}, {0x7e,0x7e,0x82,0xfc}, {0x3d,0x3d,0x47,0x7a}, -{0x64,0x64,0xac,0xc8}, {0x5d,0x5d,0xe7,0xba}, {0x19,0x19,0x2b,0x32}, {0x73,0x73,0x95,0xe6}, -{0x60,0x60,0xa0,0xc0}, {0x81,0x81,0x98,0x19}, {0x4f,0x4f,0xd1,0x9e}, {0xdc,0xdc,0x7f,0xa3}, -{0x22,0x22,0x66,0x44}, {0x2a,0x2a,0x7e,0x54}, {0x90,0x90,0xab,0x3b}, {0x88,0x88,0x83,0x0b}, -{0x46,0x46,0xca,0x8c}, {0xee,0xee,0x29,0xc7}, {0xb8,0xb8,0xd3,0x6b}, {0x14,0x14,0x3c,0x28}, -{0xde,0xde,0x79,0xa7}, {0x5e,0x5e,0xe2,0xbc}, {0x0b,0x0b,0x1d,0x16}, {0xdb,0xdb,0x76,0xad}, -{0xe0,0xe0,0x3b,0xdb}, {0x32,0x32,0x56,0x64}, {0x3a,0x3a,0x4e,0x74}, {0x0a,0x0a,0x1e,0x14}, -{0x49,0x49,0xdb,0x92}, {0x06,0x06,0x0a,0x0c}, {0x24,0x24,0x6c,0x48}, {0x5c,0x5c,0xe4,0xb8}, -{0xc2,0xc2,0x5d,0x9f}, {0xd3,0xd3,0x6e,0xbd}, {0xac,0xac,0xef,0x43}, {0x62,0x62,0xa6,0xc4}, -{0x91,0x91,0xa8,0x39}, {0x95,0x95,0xa4,0x31}, {0xe4,0xe4,0x37,0xd3}, {0x79,0x79,0x8b,0xf2}, -{0xe7,0xe7,0x32,0xd5}, {0xc8,0xc8,0x43,0x8b}, {0x37,0x37,0x59,0x6e}, {0x6d,0x6d,0xb7,0xda}, -{0x8d,0x8d,0x8c,0x01}, {0xd5,0xd5,0x64,0xb1}, {0x4e,0x4e,0xd2,0x9c}, {0xa9,0xa9,0xe0,0x49}, -{0x6c,0x6c,0xb4,0xd8}, {0x56,0x56,0xfa,0xac}, {0xf4,0xf4,0x07,0xf3}, {0xea,0xea,0x25,0xcf}, -{0x65,0x65,0xaf,0xca}, {0x7a,0x7a,0x8e,0xf4}, {0xae,0xae,0xe9,0x47}, {0x08,0x08,0x18,0x10}, -{0xba,0xba,0xd5,0x6f}, {0x78,0x78,0x88,0xf0}, {0x25,0x25,0x6f,0x4a}, {0x2e,0x2e,0x72,0x5c}, -{0x1c,0x1c,0x24,0x38}, {0xa6,0xa6,0xf1,0x57}, {0xb4,0xb4,0xc7,0x73}, {0xc6,0xc6,0x51,0x97}, -{0xe8,0xe8,0x23,0xcb}, {0xdd,0xdd,0x7c,0xa1}, {0x74,0x74,0x9c,0xe8}, {0x1f,0x1f,0x21,0x3e}, -{0x4b,0x4b,0xdd,0x96}, {0xbd,0xbd,0xdc,0x61}, {0x8b,0x8b,0x86,0x0d}, {0x8a,0x8a,0x85,0x0f}, -{0x70,0x70,0x90,0xe0}, {0x3e,0x3e,0x42,0x7c}, {0xb5,0xb5,0xc4,0x71}, {0x66,0x66,0xaa,0xcc}, -{0x48,0x48,0xd8,0x90}, {0x03,0x03,0x05,0x06}, {0xf6,0xf6,0x01,0xf7}, {0x0e,0x0e,0x12,0x1c}, -{0x61,0x61,0xa3,0xc2}, {0x35,0x35,0x5f,0x6a}, {0x57,0x57,0xf9,0xae}, {0xb9,0xb9,0xd0,0x69}, -{0x86,0x86,0x91,0x17}, 
{0xc1,0xc1,0x58,0x99}, {0x1d,0x1d,0x27,0x3a}, {0x9e,0x9e,0xb9,0x27}, -{0xe1,0xe1,0x38,0xd9}, {0xf8,0xf8,0x13,0xeb}, {0x98,0x98,0xb3,0x2b}, {0x11,0x11,0x33,0x22}, -{0x69,0x69,0xbb,0xd2}, {0xd9,0xd9,0x70,0xa9}, {0x8e,0x8e,0x89,0x07}, {0x94,0x94,0xa7,0x33}, -{0x9b,0x9b,0xb6,0x2d}, {0x1e,0x1e,0x22,0x3c}, {0x87,0x87,0x92,0x15}, {0xe9,0xe9,0x20,0xc9}, -{0xce,0xce,0x49,0x87}, {0x55,0x55,0xff,0xaa}, {0x28,0x28,0x78,0x50}, {0xdf,0xdf,0x7a,0xa5}, -{0x8c,0x8c,0x8f,0x03}, {0xa1,0xa1,0xf8,0x59}, {0x89,0x89,0x80,0x09}, {0x0d,0x0d,0x17,0x1a}, -{0xbf,0xbf,0xda,0x65}, {0xe6,0xe6,0x31,0xd7}, {0x42,0x42,0xc6,0x84}, {0x68,0x68,0xb8,0xd0}, -{0x41,0x41,0xc3,0x82}, {0x99,0x99,0xb0,0x29}, {0x2d,0x2d,0x77,0x5a}, {0x0f,0x0f,0x11,0x1e}, -{0xb0,0xb0,0xcb,0x7b}, {0x54,0x54,0xfc,0xa8}, {0xbb,0xbb,0xd6,0x6d}, {0x16,0x16,0x3a,0x2c} - } -}; -#define T4 xT4.xt8 - -static const union xtab xT5 = { - .xt8 = { -{0x51,0xf4,0xa7,0x50}, {0x7e,0x41,0x65,0x53}, {0x1a,0x17,0xa4,0xc3}, {0x3a,0x27,0x5e,0x96}, -{0x3b,0xab,0x6b,0xcb}, {0x1f,0x9d,0x45,0xf1}, {0xac,0xfa,0x58,0xab}, {0x4b,0xe3,0x03,0x93}, -{0x20,0x30,0xfa,0x55}, {0xad,0x76,0x6d,0xf6}, {0x88,0xcc,0x76,0x91}, {0xf5,0x02,0x4c,0x25}, -{0x4f,0xe5,0xd7,0xfc}, {0xc5,0x2a,0xcb,0xd7}, {0x26,0x35,0x44,0x80}, {0xb5,0x62,0xa3,0x8f}, -{0xde,0xb1,0x5a,0x49}, {0x25,0xba,0x1b,0x67}, {0x45,0xea,0x0e,0x98}, {0x5d,0xfe,0xc0,0xe1}, -{0xc3,0x2f,0x75,0x02}, {0x81,0x4c,0xf0,0x12}, {0x8d,0x46,0x97,0xa3}, {0x6b,0xd3,0xf9,0xc6}, -{0x03,0x8f,0x5f,0xe7}, {0x15,0x92,0x9c,0x95}, {0xbf,0x6d,0x7a,0xeb}, {0x95,0x52,0x59,0xda}, -{0xd4,0xbe,0x83,0x2d}, {0x58,0x74,0x21,0xd3}, {0x49,0xe0,0x69,0x29}, {0x8e,0xc9,0xc8,0x44}, -{0x75,0xc2,0x89,0x6a}, {0xf4,0x8e,0x79,0x78}, {0x99,0x58,0x3e,0x6b}, {0x27,0xb9,0x71,0xdd}, -{0xbe,0xe1,0x4f,0xb6}, {0xf0,0x88,0xad,0x17}, {0xc9,0x20,0xac,0x66}, {0x7d,0xce,0x3a,0xb4}, -{0x63,0xdf,0x4a,0x18}, {0xe5,0x1a,0x31,0x82}, {0x97,0x51,0x33,0x60}, {0x62,0x53,0x7f,0x45}, -{0xb1,0x64,0x77,0xe0}, {0xbb,0x6b,0xae,0x84}, {0xfe,0x81,0xa0,0x1c}, 
{0xf9,0x08,0x2b,0x94}, -{0x70,0x48,0x68,0x58}, {0x8f,0x45,0xfd,0x19}, {0x94,0xde,0x6c,0x87}, {0x52,0x7b,0xf8,0xb7}, -{0xab,0x73,0xd3,0x23}, {0x72,0x4b,0x02,0xe2}, {0xe3,0x1f,0x8f,0x57}, {0x66,0x55,0xab,0x2a}, -{0xb2,0xeb,0x28,0x07}, {0x2f,0xb5,0xc2,0x03}, {0x86,0xc5,0x7b,0x9a}, {0xd3,0x37,0x08,0xa5}, -{0x30,0x28,0x87,0xf2}, {0x23,0xbf,0xa5,0xb2}, {0x02,0x03,0x6a,0xba}, {0xed,0x16,0x82,0x5c}, -{0x8a,0xcf,0x1c,0x2b}, {0xa7,0x79,0xb4,0x92}, {0xf3,0x07,0xf2,0xf0}, {0x4e,0x69,0xe2,0xa1}, -{0x65,0xda,0xf4,0xcd}, {0x06,0x05,0xbe,0xd5}, {0xd1,0x34,0x62,0x1f}, {0xc4,0xa6,0xfe,0x8a}, -{0x34,0x2e,0x53,0x9d}, {0xa2,0xf3,0x55,0xa0}, {0x05,0x8a,0xe1,0x32}, {0xa4,0xf6,0xeb,0x75}, -{0x0b,0x83,0xec,0x39}, {0x40,0x60,0xef,0xaa}, {0x5e,0x71,0x9f,0x06}, {0xbd,0x6e,0x10,0x51}, -{0x3e,0x21,0x8a,0xf9}, {0x96,0xdd,0x06,0x3d}, {0xdd,0x3e,0x05,0xae}, {0x4d,0xe6,0xbd,0x46}, -{0x91,0x54,0x8d,0xb5}, {0x71,0xc4,0x5d,0x05}, {0x04,0x06,0xd4,0x6f}, {0x60,0x50,0x15,0xff}, -{0x19,0x98,0xfb,0x24}, {0xd6,0xbd,0xe9,0x97}, {0x89,0x40,0x43,0xcc}, {0x67,0xd9,0x9e,0x77}, -{0xb0,0xe8,0x42,0xbd}, {0x07,0x89,0x8b,0x88}, {0xe7,0x19,0x5b,0x38}, {0x79,0xc8,0xee,0xdb}, -{0xa1,0x7c,0x0a,0x47}, {0x7c,0x42,0x0f,0xe9}, {0xf8,0x84,0x1e,0xc9}, {0x00,0x00,0x00,0x00}, -{0x09,0x80,0x86,0x83}, {0x32,0x2b,0xed,0x48}, {0x1e,0x11,0x70,0xac}, {0x6c,0x5a,0x72,0x4e}, -{0xfd,0x0e,0xff,0xfb}, {0x0f,0x85,0x38,0x56}, {0x3d,0xae,0xd5,0x1e}, {0x36,0x2d,0x39,0x27}, -{0x0a,0x0f,0xd9,0x64}, {0x68,0x5c,0xa6,0x21}, {0x9b,0x5b,0x54,0xd1}, {0x24,0x36,0x2e,0x3a}, -{0x0c,0x0a,0x67,0xb1}, {0x93,0x57,0xe7,0x0f}, {0xb4,0xee,0x96,0xd2}, {0x1b,0x9b,0x91,0x9e}, -{0x80,0xc0,0xc5,0x4f}, {0x61,0xdc,0x20,0xa2}, {0x5a,0x77,0x4b,0x69}, {0x1c,0x12,0x1a,0x16}, -{0xe2,0x93,0xba,0x0a}, {0xc0,0xa0,0x2a,0xe5}, {0x3c,0x22,0xe0,0x43}, {0x12,0x1b,0x17,0x1d}, -{0x0e,0x09,0x0d,0x0b}, {0xf2,0x8b,0xc7,0xad}, {0x2d,0xb6,0xa8,0xb9}, {0x14,0x1e,0xa9,0xc8}, -{0x57,0xf1,0x19,0x85}, {0xaf,0x75,0x07,0x4c}, {0xee,0x99,0xdd,0xbb}, {0xa3,0x7f,0x60,0xfd}, -{0xf7,0x01,0x26,0x9f}, 
{0x5c,0x72,0xf5,0xbc}, {0x44,0x66,0x3b,0xc5}, {0x5b,0xfb,0x7e,0x34}, -{0x8b,0x43,0x29,0x76}, {0xcb,0x23,0xc6,0xdc}, {0xb6,0xed,0xfc,0x68}, {0xb8,0xe4,0xf1,0x63}, -{0xd7,0x31,0xdc,0xca}, {0x42,0x63,0x85,0x10}, {0x13,0x97,0x22,0x40}, {0x84,0xc6,0x11,0x20}, -{0x85,0x4a,0x24,0x7d}, {0xd2,0xbb,0x3d,0xf8}, {0xae,0xf9,0x32,0x11}, {0xc7,0x29,0xa1,0x6d}, -{0x1d,0x9e,0x2f,0x4b}, {0xdc,0xb2,0x30,0xf3}, {0x0d,0x86,0x52,0xec}, {0x77,0xc1,0xe3,0xd0}, -{0x2b,0xb3,0x16,0x6c}, {0xa9,0x70,0xb9,0x99}, {0x11,0x94,0x48,0xfa}, {0x47,0xe9,0x64,0x22}, -{0xa8,0xfc,0x8c,0xc4}, {0xa0,0xf0,0x3f,0x1a}, {0x56,0x7d,0x2c,0xd8}, {0x22,0x33,0x90,0xef}, -{0x87,0x49,0x4e,0xc7}, {0xd9,0x38,0xd1,0xc1}, {0x8c,0xca,0xa2,0xfe}, {0x98,0xd4,0x0b,0x36}, -{0xa6,0xf5,0x81,0xcf}, {0xa5,0x7a,0xde,0x28}, {0xda,0xb7,0x8e,0x26}, {0x3f,0xad,0xbf,0xa4}, -{0x2c,0x3a,0x9d,0xe4}, {0x50,0x78,0x92,0x0d}, {0x6a,0x5f,0xcc,0x9b}, {0x54,0x7e,0x46,0x62}, -{0xf6,0x8d,0x13,0xc2}, {0x90,0xd8,0xb8,0xe8}, {0x2e,0x39,0xf7,0x5e}, {0x82,0xc3,0xaf,0xf5}, -{0x9f,0x5d,0x80,0xbe}, {0x69,0xd0,0x93,0x7c}, {0x6f,0xd5,0x2d,0xa9}, {0xcf,0x25,0x12,0xb3}, -{0xc8,0xac,0x99,0x3b}, {0x10,0x18,0x7d,0xa7}, {0xe8,0x9c,0x63,0x6e}, {0xdb,0x3b,0xbb,0x7b}, -{0xcd,0x26,0x78,0x09}, {0x6e,0x59,0x18,0xf4}, {0xec,0x9a,0xb7,0x01}, {0x83,0x4f,0x9a,0xa8}, -{0xe6,0x95,0x6e,0x65}, {0xaa,0xff,0xe6,0x7e}, {0x21,0xbc,0xcf,0x08}, {0xef,0x15,0xe8,0xe6}, -{0xba,0xe7,0x9b,0xd9}, {0x4a,0x6f,0x36,0xce}, {0xea,0x9f,0x09,0xd4}, {0x29,0xb0,0x7c,0xd6}, -{0x31,0xa4,0xb2,0xaf}, {0x2a,0x3f,0x23,0x31}, {0xc6,0xa5,0x94,0x30}, {0x35,0xa2,0x66,0xc0}, -{0x74,0x4e,0xbc,0x37}, {0xfc,0x82,0xca,0xa6}, {0xe0,0x90,0xd0,0xb0}, {0x33,0xa7,0xd8,0x15}, -{0xf1,0x04,0x98,0x4a}, {0x41,0xec,0xda,0xf7}, {0x7f,0xcd,0x50,0x0e}, {0x17,0x91,0xf6,0x2f}, -{0x76,0x4d,0xd6,0x8d}, {0x43,0xef,0xb0,0x4d}, {0xcc,0xaa,0x4d,0x54}, {0xe4,0x96,0x04,0xdf}, -{0x9e,0xd1,0xb5,0xe3}, {0x4c,0x6a,0x88,0x1b}, {0xc1,0x2c,0x1f,0xb8}, {0x46,0x65,0x51,0x7f}, -{0x9d,0x5e,0xea,0x04}, {0x01,0x8c,0x35,0x5d}, {0xfa,0x87,0x74,0x73}, 
{0xfb,0x0b,0x41,0x2e}, -{0xb3,0x67,0x1d,0x5a}, {0x92,0xdb,0xd2,0x52}, {0xe9,0x10,0x56,0x33}, {0x6d,0xd6,0x47,0x13}, -{0x9a,0xd7,0x61,0x8c}, {0x37,0xa1,0x0c,0x7a}, {0x59,0xf8,0x14,0x8e}, {0xeb,0x13,0x3c,0x89}, -{0xce,0xa9,0x27,0xee}, {0xb7,0x61,0xc9,0x35}, {0xe1,0x1c,0xe5,0xed}, {0x7a,0x47,0xb1,0x3c}, -{0x9c,0xd2,0xdf,0x59}, {0x55,0xf2,0x73,0x3f}, {0x18,0x14,0xce,0x79}, {0x73,0xc7,0x37,0xbf}, -{0x53,0xf7,0xcd,0xea}, {0x5f,0xfd,0xaa,0x5b}, {0xdf,0x3d,0x6f,0x14}, {0x78,0x44,0xdb,0x86}, -{0xca,0xaf,0xf3,0x81}, {0xb9,0x68,0xc4,0x3e}, {0x38,0x24,0x34,0x2c}, {0xc2,0xa3,0x40,0x5f}, -{0x16,0x1d,0xc3,0x72}, {0xbc,0xe2,0x25,0x0c}, {0x28,0x3c,0x49,0x8b}, {0xff,0x0d,0x95,0x41}, -{0x39,0xa8,0x01,0x71}, {0x08,0x0c,0xb3,0xde}, {0xd8,0xb4,0xe4,0x9c}, {0x64,0x56,0xc1,0x90}, -{0x7b,0xcb,0x84,0x61}, {0xd5,0x32,0xb6,0x70}, {0x48,0x6c,0x5c,0x74}, {0xd0,0xb8,0x57,0x42} - } -}; -#define T5 xT5.xt8 - -static const union xtab xT6 = { - .xt8 = { -{0x50,0x51,0xf4,0xa7}, {0x53,0x7e,0x41,0x65}, {0xc3,0x1a,0x17,0xa4}, {0x96,0x3a,0x27,0x5e}, -{0xcb,0x3b,0xab,0x6b}, {0xf1,0x1f,0x9d,0x45}, {0xab,0xac,0xfa,0x58}, {0x93,0x4b,0xe3,0x03}, -{0x55,0x20,0x30,0xfa}, {0xf6,0xad,0x76,0x6d}, {0x91,0x88,0xcc,0x76}, {0x25,0xf5,0x02,0x4c}, -{0xfc,0x4f,0xe5,0xd7}, {0xd7,0xc5,0x2a,0xcb}, {0x80,0x26,0x35,0x44}, {0x8f,0xb5,0x62,0xa3}, -{0x49,0xde,0xb1,0x5a}, {0x67,0x25,0xba,0x1b}, {0x98,0x45,0xea,0x0e}, {0xe1,0x5d,0xfe,0xc0}, -{0x02,0xc3,0x2f,0x75}, {0x12,0x81,0x4c,0xf0}, {0xa3,0x8d,0x46,0x97}, {0xc6,0x6b,0xd3,0xf9}, -{0xe7,0x03,0x8f,0x5f}, {0x95,0x15,0x92,0x9c}, {0xeb,0xbf,0x6d,0x7a}, {0xda,0x95,0x52,0x59}, -{0x2d,0xd4,0xbe,0x83}, {0xd3,0x58,0x74,0x21}, {0x29,0x49,0xe0,0x69}, {0x44,0x8e,0xc9,0xc8}, -{0x6a,0x75,0xc2,0x89}, {0x78,0xf4,0x8e,0x79}, {0x6b,0x99,0x58,0x3e}, {0xdd,0x27,0xb9,0x71}, -{0xb6,0xbe,0xe1,0x4f}, {0x17,0xf0,0x88,0xad}, {0x66,0xc9,0x20,0xac}, {0xb4,0x7d,0xce,0x3a}, -{0x18,0x63,0xdf,0x4a}, {0x82,0xe5,0x1a,0x31}, {0x60,0x97,0x51,0x33}, {0x45,0x62,0x53,0x7f}, -{0xe0,0xb1,0x64,0x77}, 
{0x84,0xbb,0x6b,0xae}, {0x1c,0xfe,0x81,0xa0}, {0x94,0xf9,0x08,0x2b}, -{0x58,0x70,0x48,0x68}, {0x19,0x8f,0x45,0xfd}, {0x87,0x94,0xde,0x6c}, {0xb7,0x52,0x7b,0xf8}, -{0x23,0xab,0x73,0xd3}, {0xe2,0x72,0x4b,0x02}, {0x57,0xe3,0x1f,0x8f}, {0x2a,0x66,0x55,0xab}, -{0x07,0xb2,0xeb,0x28}, {0x03,0x2f,0xb5,0xc2}, {0x9a,0x86,0xc5,0x7b}, {0xa5,0xd3,0x37,0x08}, -{0xf2,0x30,0x28,0x87}, {0xb2,0x23,0xbf,0xa5}, {0xba,0x02,0x03,0x6a}, {0x5c,0xed,0x16,0x82}, -{0x2b,0x8a,0xcf,0x1c}, {0x92,0xa7,0x79,0xb4}, {0xf0,0xf3,0x07,0xf2}, {0xa1,0x4e,0x69,0xe2}, -{0xcd,0x65,0xda,0xf4}, {0xd5,0x06,0x05,0xbe}, {0x1f,0xd1,0x34,0x62}, {0x8a,0xc4,0xa6,0xfe}, -{0x9d,0x34,0x2e,0x53}, {0xa0,0xa2,0xf3,0x55}, {0x32,0x05,0x8a,0xe1}, {0x75,0xa4,0xf6,0xeb}, -{0x39,0x0b,0x83,0xec}, {0xaa,0x40,0x60,0xef}, {0x06,0x5e,0x71,0x9f}, {0x51,0xbd,0x6e,0x10}, -{0xf9,0x3e,0x21,0x8a}, {0x3d,0x96,0xdd,0x06}, {0xae,0xdd,0x3e,0x05}, {0x46,0x4d,0xe6,0xbd}, -{0xb5,0x91,0x54,0x8d}, {0x05,0x71,0xc4,0x5d}, {0x6f,0x04,0x06,0xd4}, {0xff,0x60,0x50,0x15}, -{0x24,0x19,0x98,0xfb}, {0x97,0xd6,0xbd,0xe9}, {0xcc,0x89,0x40,0x43}, {0x77,0x67,0xd9,0x9e}, -{0xbd,0xb0,0xe8,0x42}, {0x88,0x07,0x89,0x8b}, {0x38,0xe7,0x19,0x5b}, {0xdb,0x79,0xc8,0xee}, -{0x47,0xa1,0x7c,0x0a}, {0xe9,0x7c,0x42,0x0f}, {0xc9,0xf8,0x84,0x1e}, {0x00,0x00,0x00,0x00}, -{0x83,0x09,0x80,0x86}, {0x48,0x32,0x2b,0xed}, {0xac,0x1e,0x11,0x70}, {0x4e,0x6c,0x5a,0x72}, -{0xfb,0xfd,0x0e,0xff}, {0x56,0x0f,0x85,0x38}, {0x1e,0x3d,0xae,0xd5}, {0x27,0x36,0x2d,0x39}, -{0x64,0x0a,0x0f,0xd9}, {0x21,0x68,0x5c,0xa6}, {0xd1,0x9b,0x5b,0x54}, {0x3a,0x24,0x36,0x2e}, -{0xb1,0x0c,0x0a,0x67}, {0x0f,0x93,0x57,0xe7}, {0xd2,0xb4,0xee,0x96}, {0x9e,0x1b,0x9b,0x91}, -{0x4f,0x80,0xc0,0xc5}, {0xa2,0x61,0xdc,0x20}, {0x69,0x5a,0x77,0x4b}, {0x16,0x1c,0x12,0x1a}, -{0x0a,0xe2,0x93,0xba}, {0xe5,0xc0,0xa0,0x2a}, {0x43,0x3c,0x22,0xe0}, {0x1d,0x12,0x1b,0x17}, -{0x0b,0x0e,0x09,0x0d}, {0xad,0xf2,0x8b,0xc7}, {0xb9,0x2d,0xb6,0xa8}, {0xc8,0x14,0x1e,0xa9}, -{0x85,0x57,0xf1,0x19}, {0x4c,0xaf,0x75,0x07}, {0xbb,0xee,0x99,0xdd}, 
{0xfd,0xa3,0x7f,0x60}, -{0x9f,0xf7,0x01,0x26}, {0xbc,0x5c,0x72,0xf5}, {0xc5,0x44,0x66,0x3b}, {0x34,0x5b,0xfb,0x7e}, -{0x76,0x8b,0x43,0x29}, {0xdc,0xcb,0x23,0xc6}, {0x68,0xb6,0xed,0xfc}, {0x63,0xb8,0xe4,0xf1}, -{0xca,0xd7,0x31,0xdc}, {0x10,0x42,0x63,0x85}, {0x40,0x13,0x97,0x22}, {0x20,0x84,0xc6,0x11}, -{0x7d,0x85,0x4a,0x24}, {0xf8,0xd2,0xbb,0x3d}, {0x11,0xae,0xf9,0x32}, {0x6d,0xc7,0x29,0xa1}, -{0x4b,0x1d,0x9e,0x2f}, {0xf3,0xdc,0xb2,0x30}, {0xec,0x0d,0x86,0x52}, {0xd0,0x77,0xc1,0xe3}, -{0x6c,0x2b,0xb3,0x16}, {0x99,0xa9,0x70,0xb9}, {0xfa,0x11,0x94,0x48}, {0x22,0x47,0xe9,0x64}, -{0xc4,0xa8,0xfc,0x8c}, {0x1a,0xa0,0xf0,0x3f}, {0xd8,0x56,0x7d,0x2c}, {0xef,0x22,0x33,0x90}, -{0xc7,0x87,0x49,0x4e}, {0xc1,0xd9,0x38,0xd1}, {0xfe,0x8c,0xca,0xa2}, {0x36,0x98,0xd4,0x0b}, -{0xcf,0xa6,0xf5,0x81}, {0x28,0xa5,0x7a,0xde}, {0x26,0xda,0xb7,0x8e}, {0xa4,0x3f,0xad,0xbf}, -{0xe4,0x2c,0x3a,0x9d}, {0x0d,0x50,0x78,0x92}, {0x9b,0x6a,0x5f,0xcc}, {0x62,0x54,0x7e,0x46}, -{0xc2,0xf6,0x8d,0x13}, {0xe8,0x90,0xd8,0xb8}, {0x5e,0x2e,0x39,0xf7}, {0xf5,0x82,0xc3,0xaf}, -{0xbe,0x9f,0x5d,0x80}, {0x7c,0x69,0xd0,0x93}, {0xa9,0x6f,0xd5,0x2d}, {0xb3,0xcf,0x25,0x12}, -{0x3b,0xc8,0xac,0x99}, {0xa7,0x10,0x18,0x7d}, {0x6e,0xe8,0x9c,0x63}, {0x7b,0xdb,0x3b,0xbb}, -{0x09,0xcd,0x26,0x78}, {0xf4,0x6e,0x59,0x18}, {0x01,0xec,0x9a,0xb7}, {0xa8,0x83,0x4f,0x9a}, -{0x65,0xe6,0x95,0x6e}, {0x7e,0xaa,0xff,0xe6}, {0x08,0x21,0xbc,0xcf}, {0xe6,0xef,0x15,0xe8}, -{0xd9,0xba,0xe7,0x9b}, {0xce,0x4a,0x6f,0x36}, {0xd4,0xea,0x9f,0x09}, {0xd6,0x29,0xb0,0x7c}, -{0xaf,0x31,0xa4,0xb2}, {0x31,0x2a,0x3f,0x23}, {0x30,0xc6,0xa5,0x94}, {0xc0,0x35,0xa2,0x66}, -{0x37,0x74,0x4e,0xbc}, {0xa6,0xfc,0x82,0xca}, {0xb0,0xe0,0x90,0xd0}, {0x15,0x33,0xa7,0xd8}, -{0x4a,0xf1,0x04,0x98}, {0xf7,0x41,0xec,0xda}, {0x0e,0x7f,0xcd,0x50}, {0x2f,0x17,0x91,0xf6}, -{0x8d,0x76,0x4d,0xd6}, {0x4d,0x43,0xef,0xb0}, {0x54,0xcc,0xaa,0x4d}, {0xdf,0xe4,0x96,0x04}, -{0xe3,0x9e,0xd1,0xb5}, {0x1b,0x4c,0x6a,0x88}, {0xb8,0xc1,0x2c,0x1f}, {0x7f,0x46,0x65,0x51}, -{0x04,0x9d,0x5e,0xea}, 
{0x5d,0x01,0x8c,0x35}, {0x73,0xfa,0x87,0x74}, {0x2e,0xfb,0x0b,0x41}, -{0x5a,0xb3,0x67,0x1d}, {0x52,0x92,0xdb,0xd2}, {0x33,0xe9,0x10,0x56}, {0x13,0x6d,0xd6,0x47}, -{0x8c,0x9a,0xd7,0x61}, {0x7a,0x37,0xa1,0x0c}, {0x8e,0x59,0xf8,0x14}, {0x89,0xeb,0x13,0x3c}, -{0xee,0xce,0xa9,0x27}, {0x35,0xb7,0x61,0xc9}, {0xed,0xe1,0x1c,0xe5}, {0x3c,0x7a,0x47,0xb1}, -{0x59,0x9c,0xd2,0xdf}, {0x3f,0x55,0xf2,0x73}, {0x79,0x18,0x14,0xce}, {0xbf,0x73,0xc7,0x37}, -{0xea,0x53,0xf7,0xcd}, {0x5b,0x5f,0xfd,0xaa}, {0x14,0xdf,0x3d,0x6f}, {0x86,0x78,0x44,0xdb}, -{0x81,0xca,0xaf,0xf3}, {0x3e,0xb9,0x68,0xc4}, {0x2c,0x38,0x24,0x34}, {0x5f,0xc2,0xa3,0x40}, -{0x72,0x16,0x1d,0xc3}, {0x0c,0xbc,0xe2,0x25}, {0x8b,0x28,0x3c,0x49}, {0x41,0xff,0x0d,0x95}, -{0x71,0x39,0xa8,0x01}, {0xde,0x08,0x0c,0xb3}, {0x9c,0xd8,0xb4,0xe4}, {0x90,0x64,0x56,0xc1}, -{0x61,0x7b,0xcb,0x84}, {0x70,0xd5,0x32,0xb6}, {0x74,0x48,0x6c,0x5c}, {0x42,0xd0,0xb8,0x57} - } -}; -#define T6 xT6.xt8 - -static const union xtab xT7 = { - .xt8 = { -{0xa7,0x50,0x51,0xf4}, {0x65,0x53,0x7e,0x41}, {0xa4,0xc3,0x1a,0x17}, {0x5e,0x96,0x3a,0x27}, -{0x6b,0xcb,0x3b,0xab}, {0x45,0xf1,0x1f,0x9d}, {0x58,0xab,0xac,0xfa}, {0x03,0x93,0x4b,0xe3}, -{0xfa,0x55,0x20,0x30}, {0x6d,0xf6,0xad,0x76}, {0x76,0x91,0x88,0xcc}, {0x4c,0x25,0xf5,0x02}, -{0xd7,0xfc,0x4f,0xe5}, {0xcb,0xd7,0xc5,0x2a}, {0x44,0x80,0x26,0x35}, {0xa3,0x8f,0xb5,0x62}, -{0x5a,0x49,0xde,0xb1}, {0x1b,0x67,0x25,0xba}, {0x0e,0x98,0x45,0xea}, {0xc0,0xe1,0x5d,0xfe}, -{0x75,0x02,0xc3,0x2f}, {0xf0,0x12,0x81,0x4c}, {0x97,0xa3,0x8d,0x46}, {0xf9,0xc6,0x6b,0xd3}, -{0x5f,0xe7,0x03,0x8f}, {0x9c,0x95,0x15,0x92}, {0x7a,0xeb,0xbf,0x6d}, {0x59,0xda,0x95,0x52}, -{0x83,0x2d,0xd4,0xbe}, {0x21,0xd3,0x58,0x74}, {0x69,0x29,0x49,0xe0}, {0xc8,0x44,0x8e,0xc9}, -{0x89,0x6a,0x75,0xc2}, {0x79,0x78,0xf4,0x8e}, {0x3e,0x6b,0x99,0x58}, {0x71,0xdd,0x27,0xb9}, -{0x4f,0xb6,0xbe,0xe1}, {0xad,0x17,0xf0,0x88}, {0xac,0x66,0xc9,0x20}, {0x3a,0xb4,0x7d,0xce}, -{0x4a,0x18,0x63,0xdf}, {0x31,0x82,0xe5,0x1a}, {0x33,0x60,0x97,0x51}, 
{0x7f,0x45,0x62,0x53}, -{0x77,0xe0,0xb1,0x64}, {0xae,0x84,0xbb,0x6b}, {0xa0,0x1c,0xfe,0x81}, {0x2b,0x94,0xf9,0x08}, -{0x68,0x58,0x70,0x48}, {0xfd,0x19,0x8f,0x45}, {0x6c,0x87,0x94,0xde}, {0xf8,0xb7,0x52,0x7b}, -{0xd3,0x23,0xab,0x73}, {0x02,0xe2,0x72,0x4b}, {0x8f,0x57,0xe3,0x1f}, {0xab,0x2a,0x66,0x55}, -{0x28,0x07,0xb2,0xeb}, {0xc2,0x03,0x2f,0xb5}, {0x7b,0x9a,0x86,0xc5}, {0x08,0xa5,0xd3,0x37}, -{0x87,0xf2,0x30,0x28}, {0xa5,0xb2,0x23,0xbf}, {0x6a,0xba,0x02,0x03}, {0x82,0x5c,0xed,0x16}, -{0x1c,0x2b,0x8a,0xcf}, {0xb4,0x92,0xa7,0x79}, {0xf2,0xf0,0xf3,0x07}, {0xe2,0xa1,0x4e,0x69}, -{0xf4,0xcd,0x65,0xda}, {0xbe,0xd5,0x06,0x05}, {0x62,0x1f,0xd1,0x34}, {0xfe,0x8a,0xc4,0xa6}, -{0x53,0x9d,0x34,0x2e}, {0x55,0xa0,0xa2,0xf3}, {0xe1,0x32,0x05,0x8a}, {0xeb,0x75,0xa4,0xf6}, -{0xec,0x39,0x0b,0x83}, {0xef,0xaa,0x40,0x60}, {0x9f,0x06,0x5e,0x71}, {0x10,0x51,0xbd,0x6e}, -{0x8a,0xf9,0x3e,0x21}, {0x06,0x3d,0x96,0xdd}, {0x05,0xae,0xdd,0x3e}, {0xbd,0x46,0x4d,0xe6}, -{0x8d,0xb5,0x91,0x54}, {0x5d,0x05,0x71,0xc4}, {0xd4,0x6f,0x04,0x06}, {0x15,0xff,0x60,0x50}, -{0xfb,0x24,0x19,0x98}, {0xe9,0x97,0xd6,0xbd}, {0x43,0xcc,0x89,0x40}, {0x9e,0x77,0x67,0xd9}, -{0x42,0xbd,0xb0,0xe8}, {0x8b,0x88,0x07,0x89}, {0x5b,0x38,0xe7,0x19}, {0xee,0xdb,0x79,0xc8}, -{0x0a,0x47,0xa1,0x7c}, {0x0f,0xe9,0x7c,0x42}, {0x1e,0xc9,0xf8,0x84}, {0x00,0x00,0x00,0x00}, -{0x86,0x83,0x09,0x80}, {0xed,0x48,0x32,0x2b}, {0x70,0xac,0x1e,0x11}, {0x72,0x4e,0x6c,0x5a}, -{0xff,0xfb,0xfd,0x0e}, {0x38,0x56,0x0f,0x85}, {0xd5,0x1e,0x3d,0xae}, {0x39,0x27,0x36,0x2d}, -{0xd9,0x64,0x0a,0x0f}, {0xa6,0x21,0x68,0x5c}, {0x54,0xd1,0x9b,0x5b}, {0x2e,0x3a,0x24,0x36}, -{0x67,0xb1,0x0c,0x0a}, {0xe7,0x0f,0x93,0x57}, {0x96,0xd2,0xb4,0xee}, {0x91,0x9e,0x1b,0x9b}, -{0xc5,0x4f,0x80,0xc0}, {0x20,0xa2,0x61,0xdc}, {0x4b,0x69,0x5a,0x77}, {0x1a,0x16,0x1c,0x12}, -{0xba,0x0a,0xe2,0x93}, {0x2a,0xe5,0xc0,0xa0}, {0xe0,0x43,0x3c,0x22}, {0x17,0x1d,0x12,0x1b}, -{0x0d,0x0b,0x0e,0x09}, {0xc7,0xad,0xf2,0x8b}, {0xa8,0xb9,0x2d,0xb6}, {0xa9,0xc8,0x14,0x1e}, -{0x19,0x85,0x57,0xf1}, 
{0x07,0x4c,0xaf,0x75}, {0xdd,0xbb,0xee,0x99}, {0x60,0xfd,0xa3,0x7f}, -{0x26,0x9f,0xf7,0x01}, {0xf5,0xbc,0x5c,0x72}, {0x3b,0xc5,0x44,0x66}, {0x7e,0x34,0x5b,0xfb}, -{0x29,0x76,0x8b,0x43}, {0xc6,0xdc,0xcb,0x23}, {0xfc,0x68,0xb6,0xed}, {0xf1,0x63,0xb8,0xe4}, -{0xdc,0xca,0xd7,0x31}, {0x85,0x10,0x42,0x63}, {0x22,0x40,0x13,0x97}, {0x11,0x20,0x84,0xc6}, -{0x24,0x7d,0x85,0x4a}, {0x3d,0xf8,0xd2,0xbb}, {0x32,0x11,0xae,0xf9}, {0xa1,0x6d,0xc7,0x29}, -{0x2f,0x4b,0x1d,0x9e}, {0x30,0xf3,0xdc,0xb2}, {0x52,0xec,0x0d,0x86}, {0xe3,0xd0,0x77,0xc1}, -{0x16,0x6c,0x2b,0xb3}, {0xb9,0x99,0xa9,0x70}, {0x48,0xfa,0x11,0x94}, {0x64,0x22,0x47,0xe9}, -{0x8c,0xc4,0xa8,0xfc}, {0x3f,0x1a,0xa0,0xf0}, {0x2c,0xd8,0x56,0x7d}, {0x90,0xef,0x22,0x33}, -{0x4e,0xc7,0x87,0x49}, {0xd1,0xc1,0xd9,0x38}, {0xa2,0xfe,0x8c,0xca}, {0x0b,0x36,0x98,0xd4}, -{0x81,0xcf,0xa6,0xf5}, {0xde,0x28,0xa5,0x7a}, {0x8e,0x26,0xda,0xb7}, {0xbf,0xa4,0x3f,0xad}, -{0x9d,0xe4,0x2c,0x3a}, {0x92,0x0d,0x50,0x78}, {0xcc,0x9b,0x6a,0x5f}, {0x46,0x62,0x54,0x7e}, -{0x13,0xc2,0xf6,0x8d}, {0xb8,0xe8,0x90,0xd8}, {0xf7,0x5e,0x2e,0x39}, {0xaf,0xf5,0x82,0xc3}, -{0x80,0xbe,0x9f,0x5d}, {0x93,0x7c,0x69,0xd0}, {0x2d,0xa9,0x6f,0xd5}, {0x12,0xb3,0xcf,0x25}, -{0x99,0x3b,0xc8,0xac}, {0x7d,0xa7,0x10,0x18}, {0x63,0x6e,0xe8,0x9c}, {0xbb,0x7b,0xdb,0x3b}, -{0x78,0x09,0xcd,0x26}, {0x18,0xf4,0x6e,0x59}, {0xb7,0x01,0xec,0x9a}, {0x9a,0xa8,0x83,0x4f}, -{0x6e,0x65,0xe6,0x95}, {0xe6,0x7e,0xaa,0xff}, {0xcf,0x08,0x21,0xbc}, {0xe8,0xe6,0xef,0x15}, -{0x9b,0xd9,0xba,0xe7}, {0x36,0xce,0x4a,0x6f}, {0x09,0xd4,0xea,0x9f}, {0x7c,0xd6,0x29,0xb0}, -{0xb2,0xaf,0x31,0xa4}, {0x23,0x31,0x2a,0x3f}, {0x94,0x30,0xc6,0xa5}, {0x66,0xc0,0x35,0xa2}, -{0xbc,0x37,0x74,0x4e}, {0xca,0xa6,0xfc,0x82}, {0xd0,0xb0,0xe0,0x90}, {0xd8,0x15,0x33,0xa7}, -{0x98,0x4a,0xf1,0x04}, {0xda,0xf7,0x41,0xec}, {0x50,0x0e,0x7f,0xcd}, {0xf6,0x2f,0x17,0x91}, -{0xd6,0x8d,0x76,0x4d}, {0xb0,0x4d,0x43,0xef}, {0x4d,0x54,0xcc,0xaa}, {0x04,0xdf,0xe4,0x96}, -{0xb5,0xe3,0x9e,0xd1}, {0x88,0x1b,0x4c,0x6a}, {0x1f,0xb8,0xc1,0x2c}, 
{0x51,0x7f,0x46,0x65}, -{0xea,0x04,0x9d,0x5e}, {0x35,0x5d,0x01,0x8c}, {0x74,0x73,0xfa,0x87}, {0x41,0x2e,0xfb,0x0b}, -{0x1d,0x5a,0xb3,0x67}, {0xd2,0x52,0x92,0xdb}, {0x56,0x33,0xe9,0x10}, {0x47,0x13,0x6d,0xd6}, -{0x61,0x8c,0x9a,0xd7}, {0x0c,0x7a,0x37,0xa1}, {0x14,0x8e,0x59,0xf8}, {0x3c,0x89,0xeb,0x13}, -{0x27,0xee,0xce,0xa9}, {0xc9,0x35,0xb7,0x61}, {0xe5,0xed,0xe1,0x1c}, {0xb1,0x3c,0x7a,0x47}, -{0xdf,0x59,0x9c,0xd2}, {0x73,0x3f,0x55,0xf2}, {0xce,0x79,0x18,0x14}, {0x37,0xbf,0x73,0xc7}, -{0xcd,0xea,0x53,0xf7}, {0xaa,0x5b,0x5f,0xfd}, {0x6f,0x14,0xdf,0x3d}, {0xdb,0x86,0x78,0x44}, -{0xf3,0x81,0xca,0xaf}, {0xc4,0x3e,0xb9,0x68}, {0x34,0x2c,0x38,0x24}, {0x40,0x5f,0xc2,0xa3}, -{0xc3,0x72,0x16,0x1d}, {0x25,0x0c,0xbc,0xe2}, {0x49,0x8b,0x28,0x3c}, {0x95,0x41,0xff,0x0d}, -{0x01,0x71,0x39,0xa8}, {0xb3,0xde,0x08,0x0c}, {0xe4,0x9c,0xd8,0xb4}, {0xc1,0x90,0x64,0x56}, -{0x84,0x61,0x7b,0xcb}, {0xb6,0x70,0xd5,0x32}, {0x5c,0x74,0x48,0x6c}, {0x57,0x42,0xd0,0xb8} - } -}; -#define T7 xT7.xt8 - -static const union xtab xT8 = { - .xt8 = { -{0xf4,0xa7,0x50,0x51}, {0x41,0x65,0x53,0x7e}, {0x17,0xa4,0xc3,0x1a}, {0x27,0x5e,0x96,0x3a}, -{0xab,0x6b,0xcb,0x3b}, {0x9d,0x45,0xf1,0x1f}, {0xfa,0x58,0xab,0xac}, {0xe3,0x03,0x93,0x4b}, -{0x30,0xfa,0x55,0x20}, {0x76,0x6d,0xf6,0xad}, {0xcc,0x76,0x91,0x88}, {0x02,0x4c,0x25,0xf5}, -{0xe5,0xd7,0xfc,0x4f}, {0x2a,0xcb,0xd7,0xc5}, {0x35,0x44,0x80,0x26}, {0x62,0xa3,0x8f,0xb5}, -{0xb1,0x5a,0x49,0xde}, {0xba,0x1b,0x67,0x25}, {0xea,0x0e,0x98,0x45}, {0xfe,0xc0,0xe1,0x5d}, -{0x2f,0x75,0x02,0xc3}, {0x4c,0xf0,0x12,0x81}, {0x46,0x97,0xa3,0x8d}, {0xd3,0xf9,0xc6,0x6b}, -{0x8f,0x5f,0xe7,0x03}, {0x92,0x9c,0x95,0x15}, {0x6d,0x7a,0xeb,0xbf}, {0x52,0x59,0xda,0x95}, -{0xbe,0x83,0x2d,0xd4}, {0x74,0x21,0xd3,0x58}, {0xe0,0x69,0x29,0x49}, {0xc9,0xc8,0x44,0x8e}, -{0xc2,0x89,0x6a,0x75}, {0x8e,0x79,0x78,0xf4}, {0x58,0x3e,0x6b,0x99}, {0xb9,0x71,0xdd,0x27}, -{0xe1,0x4f,0xb6,0xbe}, {0x88,0xad,0x17,0xf0}, {0x20,0xac,0x66,0xc9}, {0xce,0x3a,0xb4,0x7d}, -{0xdf,0x4a,0x18,0x63}, 
{0x1a,0x31,0x82,0xe5}, {0x51,0x33,0x60,0x97}, {0x53,0x7f,0x45,0x62}, -{0x64,0x77,0xe0,0xb1}, {0x6b,0xae,0x84,0xbb}, {0x81,0xa0,0x1c,0xfe}, {0x08,0x2b,0x94,0xf9}, -{0x48,0x68,0x58,0x70}, {0x45,0xfd,0x19,0x8f}, {0xde,0x6c,0x87,0x94}, {0x7b,0xf8,0xb7,0x52}, -{0x73,0xd3,0x23,0xab}, {0x4b,0x02,0xe2,0x72}, {0x1f,0x8f,0x57,0xe3}, {0x55,0xab,0x2a,0x66}, -{0xeb,0x28,0x07,0xb2}, {0xb5,0xc2,0x03,0x2f}, {0xc5,0x7b,0x9a,0x86}, {0x37,0x08,0xa5,0xd3}, -{0x28,0x87,0xf2,0x30}, {0xbf,0xa5,0xb2,0x23}, {0x03,0x6a,0xba,0x02}, {0x16,0x82,0x5c,0xed}, -{0xcf,0x1c,0x2b,0x8a}, {0x79,0xb4,0x92,0xa7}, {0x07,0xf2,0xf0,0xf3}, {0x69,0xe2,0xa1,0x4e}, -{0xda,0xf4,0xcd,0x65}, {0x05,0xbe,0xd5,0x06}, {0x34,0x62,0x1f,0xd1}, {0xa6,0xfe,0x8a,0xc4}, -{0x2e,0x53,0x9d,0x34}, {0xf3,0x55,0xa0,0xa2}, {0x8a,0xe1,0x32,0x05}, {0xf6,0xeb,0x75,0xa4}, -{0x83,0xec,0x39,0x0b}, {0x60,0xef,0xaa,0x40}, {0x71,0x9f,0x06,0x5e}, {0x6e,0x10,0x51,0xbd}, -{0x21,0x8a,0xf9,0x3e}, {0xdd,0x06,0x3d,0x96}, {0x3e,0x05,0xae,0xdd}, {0xe6,0xbd,0x46,0x4d}, -{0x54,0x8d,0xb5,0x91}, {0xc4,0x5d,0x05,0x71}, {0x06,0xd4,0x6f,0x04}, {0x50,0x15,0xff,0x60}, -{0x98,0xfb,0x24,0x19}, {0xbd,0xe9,0x97,0xd6}, {0x40,0x43,0xcc,0x89}, {0xd9,0x9e,0x77,0x67}, -{0xe8,0x42,0xbd,0xb0}, {0x89,0x8b,0x88,0x07}, {0x19,0x5b,0x38,0xe7}, {0xc8,0xee,0xdb,0x79}, -{0x7c,0x0a,0x47,0xa1}, {0x42,0x0f,0xe9,0x7c}, {0x84,0x1e,0xc9,0xf8}, {0x00,0x00,0x00,0x00}, -{0x80,0x86,0x83,0x09}, {0x2b,0xed,0x48,0x32}, {0x11,0x70,0xac,0x1e}, {0x5a,0x72,0x4e,0x6c}, -{0x0e,0xff,0xfb,0xfd}, {0x85,0x38,0x56,0x0f}, {0xae,0xd5,0x1e,0x3d}, {0x2d,0x39,0x27,0x36}, -{0x0f,0xd9,0x64,0x0a}, {0x5c,0xa6,0x21,0x68}, {0x5b,0x54,0xd1,0x9b}, {0x36,0x2e,0x3a,0x24}, -{0x0a,0x67,0xb1,0x0c}, {0x57,0xe7,0x0f,0x93}, {0xee,0x96,0xd2,0xb4}, {0x9b,0x91,0x9e,0x1b}, -{0xc0,0xc5,0x4f,0x80}, {0xdc,0x20,0xa2,0x61}, {0x77,0x4b,0x69,0x5a}, {0x12,0x1a,0x16,0x1c}, -{0x93,0xba,0x0a,0xe2}, {0xa0,0x2a,0xe5,0xc0}, {0x22,0xe0,0x43,0x3c}, {0x1b,0x17,0x1d,0x12}, -{0x09,0x0d,0x0b,0x0e}, {0x8b,0xc7,0xad,0xf2}, {0xb6,0xa8,0xb9,0x2d}, 
{0x1e,0xa9,0xc8,0x14}, -{0xf1,0x19,0x85,0x57}, {0x75,0x07,0x4c,0xaf}, {0x99,0xdd,0xbb,0xee}, {0x7f,0x60,0xfd,0xa3}, -{0x01,0x26,0x9f,0xf7}, {0x72,0xf5,0xbc,0x5c}, {0x66,0x3b,0xc5,0x44}, {0xfb,0x7e,0x34,0x5b}, -{0x43,0x29,0x76,0x8b}, {0x23,0xc6,0xdc,0xcb}, {0xed,0xfc,0x68,0xb6}, {0xe4,0xf1,0x63,0xb8}, -{0x31,0xdc,0xca,0xd7}, {0x63,0x85,0x10,0x42}, {0x97,0x22,0x40,0x13}, {0xc6,0x11,0x20,0x84}, -{0x4a,0x24,0x7d,0x85}, {0xbb,0x3d,0xf8,0xd2}, {0xf9,0x32,0x11,0xae}, {0x29,0xa1,0x6d,0xc7}, -{0x9e,0x2f,0x4b,0x1d}, {0xb2,0x30,0xf3,0xdc}, {0x86,0x52,0xec,0x0d}, {0xc1,0xe3,0xd0,0x77}, -{0xb3,0x16,0x6c,0x2b}, {0x70,0xb9,0x99,0xa9}, {0x94,0x48,0xfa,0x11}, {0xe9,0x64,0x22,0x47}, -{0xfc,0x8c,0xc4,0xa8}, {0xf0,0x3f,0x1a,0xa0}, {0x7d,0x2c,0xd8,0x56}, {0x33,0x90,0xef,0x22}, -{0x49,0x4e,0xc7,0x87}, {0x38,0xd1,0xc1,0xd9}, {0xca,0xa2,0xfe,0x8c}, {0xd4,0x0b,0x36,0x98}, -{0xf5,0x81,0xcf,0xa6}, {0x7a,0xde,0x28,0xa5}, {0xb7,0x8e,0x26,0xda}, {0xad,0xbf,0xa4,0x3f}, -{0x3a,0x9d,0xe4,0x2c}, {0x78,0x92,0x0d,0x50}, {0x5f,0xcc,0x9b,0x6a}, {0x7e,0x46,0x62,0x54}, -{0x8d,0x13,0xc2,0xf6}, {0xd8,0xb8,0xe8,0x90}, {0x39,0xf7,0x5e,0x2e}, {0xc3,0xaf,0xf5,0x82}, -{0x5d,0x80,0xbe,0x9f}, {0xd0,0x93,0x7c,0x69}, {0xd5,0x2d,0xa9,0x6f}, {0x25,0x12,0xb3,0xcf}, -{0xac,0x99,0x3b,0xc8}, {0x18,0x7d,0xa7,0x10}, {0x9c,0x63,0x6e,0xe8}, {0x3b,0xbb,0x7b,0xdb}, -{0x26,0x78,0x09,0xcd}, {0x59,0x18,0xf4,0x6e}, {0x9a,0xb7,0x01,0xec}, {0x4f,0x9a,0xa8,0x83}, -{0x95,0x6e,0x65,0xe6}, {0xff,0xe6,0x7e,0xaa}, {0xbc,0xcf,0x08,0x21}, {0x15,0xe8,0xe6,0xef}, -{0xe7,0x9b,0xd9,0xba}, {0x6f,0x36,0xce,0x4a}, {0x9f,0x09,0xd4,0xea}, {0xb0,0x7c,0xd6,0x29}, -{0xa4,0xb2,0xaf,0x31}, {0x3f,0x23,0x31,0x2a}, {0xa5,0x94,0x30,0xc6}, {0xa2,0x66,0xc0,0x35}, -{0x4e,0xbc,0x37,0x74}, {0x82,0xca,0xa6,0xfc}, {0x90,0xd0,0xb0,0xe0}, {0xa7,0xd8,0x15,0x33}, -{0x04,0x98,0x4a,0xf1}, {0xec,0xda,0xf7,0x41}, {0xcd,0x50,0x0e,0x7f}, {0x91,0xf6,0x2f,0x17}, -{0x4d,0xd6,0x8d,0x76}, {0xef,0xb0,0x4d,0x43}, {0xaa,0x4d,0x54,0xcc}, {0x96,0x04,0xdf,0xe4}, -{0xd1,0xb5,0xe3,0x9e}, 
{0x6a,0x88,0x1b,0x4c}, {0x2c,0x1f,0xb8,0xc1}, {0x65,0x51,0x7f,0x46}, -{0x5e,0xea,0x04,0x9d}, {0x8c,0x35,0x5d,0x01}, {0x87,0x74,0x73,0xfa}, {0x0b,0x41,0x2e,0xfb}, -{0x67,0x1d,0x5a,0xb3}, {0xdb,0xd2,0x52,0x92}, {0x10,0x56,0x33,0xe9}, {0xd6,0x47,0x13,0x6d}, -{0xd7,0x61,0x8c,0x9a}, {0xa1,0x0c,0x7a,0x37}, {0xf8,0x14,0x8e,0x59}, {0x13,0x3c,0x89,0xeb}, -{0xa9,0x27,0xee,0xce}, {0x61,0xc9,0x35,0xb7}, {0x1c,0xe5,0xed,0xe1}, {0x47,0xb1,0x3c,0x7a}, -{0xd2,0xdf,0x59,0x9c}, {0xf2,0x73,0x3f,0x55}, {0x14,0xce,0x79,0x18}, {0xc7,0x37,0xbf,0x73}, -{0xf7,0xcd,0xea,0x53}, {0xfd,0xaa,0x5b,0x5f}, {0x3d,0x6f,0x14,0xdf}, {0x44,0xdb,0x86,0x78}, -{0xaf,0xf3,0x81,0xca}, {0x68,0xc4,0x3e,0xb9}, {0x24,0x34,0x2c,0x38}, {0xa3,0x40,0x5f,0xc2}, -{0x1d,0xc3,0x72,0x16}, {0xe2,0x25,0x0c,0xbc}, {0x3c,0x49,0x8b,0x28}, {0x0d,0x95,0x41,0xff}, -{0xa8,0x01,0x71,0x39}, {0x0c,0xb3,0xde,0x08}, {0xb4,0xe4,0x9c,0xd8}, {0x56,0xc1,0x90,0x64}, -{0xcb,0x84,0x61,0x7b}, {0x32,0xb6,0x70,0xd5}, {0x6c,0x5c,0x74,0x48}, {0xb8,0x57,0x42,0xd0} - } -}; -#define T8 xT8.xt8 - -static const word8 S5[256] = { -0x52,0x09,0x6a,0xd5, -0x30,0x36,0xa5,0x38, -0xbf,0x40,0xa3,0x9e, -0x81,0xf3,0xd7,0xfb, -0x7c,0xe3,0x39,0x82, -0x9b,0x2f,0xff,0x87, -0x34,0x8e,0x43,0x44, -0xc4,0xde,0xe9,0xcb, -0x54,0x7b,0x94,0x32, -0xa6,0xc2,0x23,0x3d, -0xee,0x4c,0x95,0x0b, -0x42,0xfa,0xc3,0x4e, -0x08,0x2e,0xa1,0x66, -0x28,0xd9,0x24,0xb2, -0x76,0x5b,0xa2,0x49, -0x6d,0x8b,0xd1,0x25, -0x72,0xf8,0xf6,0x64, -0x86,0x68,0x98,0x16, -0xd4,0xa4,0x5c,0xcc, -0x5d,0x65,0xb6,0x92, -0x6c,0x70,0x48,0x50, -0xfd,0xed,0xb9,0xda, -0x5e,0x15,0x46,0x57, -0xa7,0x8d,0x9d,0x84, -0x90,0xd8,0xab,0x00, -0x8c,0xbc,0xd3,0x0a, -0xf7,0xe4,0x58,0x05, -0xb8,0xb3,0x45,0x06, -0xd0,0x2c,0x1e,0x8f, -0xca,0x3f,0x0f,0x02, -0xc1,0xaf,0xbd,0x03, -0x01,0x13,0x8a,0x6b, -0x3a,0x91,0x11,0x41, -0x4f,0x67,0xdc,0xea, -0x97,0xf2,0xcf,0xce, -0xf0,0xb4,0xe6,0x73, -0x96,0xac,0x74,0x22, -0xe7,0xad,0x35,0x85, -0xe2,0xf9,0x37,0xe8, -0x1c,0x75,0xdf,0x6e, -0x47,0xf1,0x1a,0x71, -0x1d,0x29,0xc5,0x89, 
-0x6f,0xb7,0x62,0x0e, -0xaa,0x18,0xbe,0x1b, -0xfc,0x56,0x3e,0x4b, -0xc6,0xd2,0x79,0x20, -0x9a,0xdb,0xc0,0xfe, -0x78,0xcd,0x5a,0xf4, -0x1f,0xdd,0xa8,0x33, -0x88,0x07,0xc7,0x31, -0xb1,0x12,0x10,0x59, -0x27,0x80,0xec,0x5f, -0x60,0x51,0x7f,0xa9, -0x19,0xb5,0x4a,0x0d, -0x2d,0xe5,0x7a,0x9f, -0x93,0xc9,0x9c,0xef, -0xa0,0xe0,0x3b,0x4d, -0xae,0x2a,0xf5,0xb0, -0xc8,0xeb,0xbb,0x3c, -0x83,0x53,0x99,0x61, -0x17,0x2b,0x04,0x7e, -0xba,0x77,0xd6,0x26, -0xe1,0x69,0x14,0x63, -0x55,0x21,0x0c,0x7d -}; - -static const union xtab xU1 = { - .xt8 = { -{0x00,0x00,0x00,0x00}, {0x0e,0x09,0x0d,0x0b}, {0x1c,0x12,0x1a,0x16}, {0x12,0x1b,0x17,0x1d}, -{0x38,0x24,0x34,0x2c}, {0x36,0x2d,0x39,0x27}, {0x24,0x36,0x2e,0x3a}, {0x2a,0x3f,0x23,0x31}, -{0x70,0x48,0x68,0x58}, {0x7e,0x41,0x65,0x53}, {0x6c,0x5a,0x72,0x4e}, {0x62,0x53,0x7f,0x45}, -{0x48,0x6c,0x5c,0x74}, {0x46,0x65,0x51,0x7f}, {0x54,0x7e,0x46,0x62}, {0x5a,0x77,0x4b,0x69}, -{0xe0,0x90,0xd0,0xb0}, {0xee,0x99,0xdd,0xbb}, {0xfc,0x82,0xca,0xa6}, {0xf2,0x8b,0xc7,0xad}, -{0xd8,0xb4,0xe4,0x9c}, {0xd6,0xbd,0xe9,0x97}, {0xc4,0xa6,0xfe,0x8a}, {0xca,0xaf,0xf3,0x81}, -{0x90,0xd8,0xb8,0xe8}, {0x9e,0xd1,0xb5,0xe3}, {0x8c,0xca,0xa2,0xfe}, {0x82,0xc3,0xaf,0xf5}, -{0xa8,0xfc,0x8c,0xc4}, {0xa6,0xf5,0x81,0xcf}, {0xb4,0xee,0x96,0xd2}, {0xba,0xe7,0x9b,0xd9}, -{0xdb,0x3b,0xbb,0x7b}, {0xd5,0x32,0xb6,0x70}, {0xc7,0x29,0xa1,0x6d}, {0xc9,0x20,0xac,0x66}, -{0xe3,0x1f,0x8f,0x57}, {0xed,0x16,0x82,0x5c}, {0xff,0x0d,0x95,0x41}, {0xf1,0x04,0x98,0x4a}, -{0xab,0x73,0xd3,0x23}, {0xa5,0x7a,0xde,0x28}, {0xb7,0x61,0xc9,0x35}, {0xb9,0x68,0xc4,0x3e}, -{0x93,0x57,0xe7,0x0f}, {0x9d,0x5e,0xea,0x04}, {0x8f,0x45,0xfd,0x19}, {0x81,0x4c,0xf0,0x12}, -{0x3b,0xab,0x6b,0xcb}, {0x35,0xa2,0x66,0xc0}, {0x27,0xb9,0x71,0xdd}, {0x29,0xb0,0x7c,0xd6}, -{0x03,0x8f,0x5f,0xe7}, {0x0d,0x86,0x52,0xec}, {0x1f,0x9d,0x45,0xf1}, {0x11,0x94,0x48,0xfa}, -{0x4b,0xe3,0x03,0x93}, {0x45,0xea,0x0e,0x98}, {0x57,0xf1,0x19,0x85}, {0x59,0xf8,0x14,0x8e}, -{0x73,0xc7,0x37,0xbf}, {0x7d,0xce,0x3a,0xb4}, {0x6f,0xd5,0x2d,0xa9}, 
{0x61,0xdc,0x20,0xa2}, -{0xad,0x76,0x6d,0xf6}, {0xa3,0x7f,0x60,0xfd}, {0xb1,0x64,0x77,0xe0}, {0xbf,0x6d,0x7a,0xeb}, -{0x95,0x52,0x59,0xda}, {0x9b,0x5b,0x54,0xd1}, {0x89,0x40,0x43,0xcc}, {0x87,0x49,0x4e,0xc7}, -{0xdd,0x3e,0x05,0xae}, {0xd3,0x37,0x08,0xa5}, {0xc1,0x2c,0x1f,0xb8}, {0xcf,0x25,0x12,0xb3}, -{0xe5,0x1a,0x31,0x82}, {0xeb,0x13,0x3c,0x89}, {0xf9,0x08,0x2b,0x94}, {0xf7,0x01,0x26,0x9f}, -{0x4d,0xe6,0xbd,0x46}, {0x43,0xef,0xb0,0x4d}, {0x51,0xf4,0xa7,0x50}, {0x5f,0xfd,0xaa,0x5b}, -{0x75,0xc2,0x89,0x6a}, {0x7b,0xcb,0x84,0x61}, {0x69,0xd0,0x93,0x7c}, {0x67,0xd9,0x9e,0x77}, -{0x3d,0xae,0xd5,0x1e}, {0x33,0xa7,0xd8,0x15}, {0x21,0xbc,0xcf,0x08}, {0x2f,0xb5,0xc2,0x03}, -{0x05,0x8a,0xe1,0x32}, {0x0b,0x83,0xec,0x39}, {0x19,0x98,0xfb,0x24}, {0x17,0x91,0xf6,0x2f}, -{0x76,0x4d,0xd6,0x8d}, {0x78,0x44,0xdb,0x86}, {0x6a,0x5f,0xcc,0x9b}, {0x64,0x56,0xc1,0x90}, -{0x4e,0x69,0xe2,0xa1}, {0x40,0x60,0xef,0xaa}, {0x52,0x7b,0xf8,0xb7}, {0x5c,0x72,0xf5,0xbc}, -{0x06,0x05,0xbe,0xd5}, {0x08,0x0c,0xb3,0xde}, {0x1a,0x17,0xa4,0xc3}, {0x14,0x1e,0xa9,0xc8}, -{0x3e,0x21,0x8a,0xf9}, {0x30,0x28,0x87,0xf2}, {0x22,0x33,0x90,0xef}, {0x2c,0x3a,0x9d,0xe4}, -{0x96,0xdd,0x06,0x3d}, {0x98,0xd4,0x0b,0x36}, {0x8a,0xcf,0x1c,0x2b}, {0x84,0xc6,0x11,0x20}, -{0xae,0xf9,0x32,0x11}, {0xa0,0xf0,0x3f,0x1a}, {0xb2,0xeb,0x28,0x07}, {0xbc,0xe2,0x25,0x0c}, -{0xe6,0x95,0x6e,0x65}, {0xe8,0x9c,0x63,0x6e}, {0xfa,0x87,0x74,0x73}, {0xf4,0x8e,0x79,0x78}, -{0xde,0xb1,0x5a,0x49}, {0xd0,0xb8,0x57,0x42}, {0xc2,0xa3,0x40,0x5f}, {0xcc,0xaa,0x4d,0x54}, -{0x41,0xec,0xda,0xf7}, {0x4f,0xe5,0xd7,0xfc}, {0x5d,0xfe,0xc0,0xe1}, {0x53,0xf7,0xcd,0xea}, -{0x79,0xc8,0xee,0xdb}, {0x77,0xc1,0xe3,0xd0}, {0x65,0xda,0xf4,0xcd}, {0x6b,0xd3,0xf9,0xc6}, -{0x31,0xa4,0xb2,0xaf}, {0x3f,0xad,0xbf,0xa4}, {0x2d,0xb6,0xa8,0xb9}, {0x23,0xbf,0xa5,0xb2}, -{0x09,0x80,0x86,0x83}, {0x07,0x89,0x8b,0x88}, {0x15,0x92,0x9c,0x95}, {0x1b,0x9b,0x91,0x9e}, -{0xa1,0x7c,0x0a,0x47}, {0xaf,0x75,0x07,0x4c}, {0xbd,0x6e,0x10,0x51}, {0xb3,0x67,0x1d,0x5a}, -{0x99,0x58,0x3e,0x6b}, 
{0x97,0x51,0x33,0x60}, {0x85,0x4a,0x24,0x7d}, {0x8b,0x43,0x29,0x76}, -{0xd1,0x34,0x62,0x1f}, {0xdf,0x3d,0x6f,0x14}, {0xcd,0x26,0x78,0x09}, {0xc3,0x2f,0x75,0x02}, -{0xe9,0x10,0x56,0x33}, {0xe7,0x19,0x5b,0x38}, {0xf5,0x02,0x4c,0x25}, {0xfb,0x0b,0x41,0x2e}, -{0x9a,0xd7,0x61,0x8c}, {0x94,0xde,0x6c,0x87}, {0x86,0xc5,0x7b,0x9a}, {0x88,0xcc,0x76,0x91}, -{0xa2,0xf3,0x55,0xa0}, {0xac,0xfa,0x58,0xab}, {0xbe,0xe1,0x4f,0xb6}, {0xb0,0xe8,0x42,0xbd}, -{0xea,0x9f,0x09,0xd4}, {0xe4,0x96,0x04,0xdf}, {0xf6,0x8d,0x13,0xc2}, {0xf8,0x84,0x1e,0xc9}, -{0xd2,0xbb,0x3d,0xf8}, {0xdc,0xb2,0x30,0xf3}, {0xce,0xa9,0x27,0xee}, {0xc0,0xa0,0x2a,0xe5}, -{0x7a,0x47,0xb1,0x3c}, {0x74,0x4e,0xbc,0x37}, {0x66,0x55,0xab,0x2a}, {0x68,0x5c,0xa6,0x21}, -{0x42,0x63,0x85,0x10}, {0x4c,0x6a,0x88,0x1b}, {0x5e,0x71,0x9f,0x06}, {0x50,0x78,0x92,0x0d}, -{0x0a,0x0f,0xd9,0x64}, {0x04,0x06,0xd4,0x6f}, {0x16,0x1d,0xc3,0x72}, {0x18,0x14,0xce,0x79}, -{0x32,0x2b,0xed,0x48}, {0x3c,0x22,0xe0,0x43}, {0x2e,0x39,0xf7,0x5e}, {0x20,0x30,0xfa,0x55}, -{0xec,0x9a,0xb7,0x01}, {0xe2,0x93,0xba,0x0a}, {0xf0,0x88,0xad,0x17}, {0xfe,0x81,0xa0,0x1c}, -{0xd4,0xbe,0x83,0x2d}, {0xda,0xb7,0x8e,0x26}, {0xc8,0xac,0x99,0x3b}, {0xc6,0xa5,0x94,0x30}, -{0x9c,0xd2,0xdf,0x59}, {0x92,0xdb,0xd2,0x52}, {0x80,0xc0,0xc5,0x4f}, {0x8e,0xc9,0xc8,0x44}, -{0xa4,0xf6,0xeb,0x75}, {0xaa,0xff,0xe6,0x7e}, {0xb8,0xe4,0xf1,0x63}, {0xb6,0xed,0xfc,0x68}, -{0x0c,0x0a,0x67,0xb1}, {0x02,0x03,0x6a,0xba}, {0x10,0x18,0x7d,0xa7}, {0x1e,0x11,0x70,0xac}, -{0x34,0x2e,0x53,0x9d}, {0x3a,0x27,0x5e,0x96}, {0x28,0x3c,0x49,0x8b}, {0x26,0x35,0x44,0x80}, -{0x7c,0x42,0x0f,0xe9}, {0x72,0x4b,0x02,0xe2}, {0x60,0x50,0x15,0xff}, {0x6e,0x59,0x18,0xf4}, -{0x44,0x66,0x3b,0xc5}, {0x4a,0x6f,0x36,0xce}, {0x58,0x74,0x21,0xd3}, {0x56,0x7d,0x2c,0xd8}, -{0x37,0xa1,0x0c,0x7a}, {0x39,0xa8,0x01,0x71}, {0x2b,0xb3,0x16,0x6c}, {0x25,0xba,0x1b,0x67}, -{0x0f,0x85,0x38,0x56}, {0x01,0x8c,0x35,0x5d}, {0x13,0x97,0x22,0x40}, {0x1d,0x9e,0x2f,0x4b}, -{0x47,0xe9,0x64,0x22}, {0x49,0xe0,0x69,0x29}, {0x5b,0xfb,0x7e,0x34}, 
{0x55,0xf2,0x73,0x3f}, -{0x7f,0xcd,0x50,0x0e}, {0x71,0xc4,0x5d,0x05}, {0x63,0xdf,0x4a,0x18}, {0x6d,0xd6,0x47,0x13}, -{0xd7,0x31,0xdc,0xca}, {0xd9,0x38,0xd1,0xc1}, {0xcb,0x23,0xc6,0xdc}, {0xc5,0x2a,0xcb,0xd7}, -{0xef,0x15,0xe8,0xe6}, {0xe1,0x1c,0xe5,0xed}, {0xf3,0x07,0xf2,0xf0}, {0xfd,0x0e,0xff,0xfb}, -{0xa7,0x79,0xb4,0x92}, {0xa9,0x70,0xb9,0x99}, {0xbb,0x6b,0xae,0x84}, {0xb5,0x62,0xa3,0x8f}, -{0x9f,0x5d,0x80,0xbe}, {0x91,0x54,0x8d,0xb5}, {0x83,0x4f,0x9a,0xa8}, {0x8d,0x46,0x97,0xa3} - } -}; -#define U1 xU1.xt8 - -static const union xtab xU2 = { - .xt8 = { -{0x00,0x00,0x00,0x00}, {0x0b,0x0e,0x09,0x0d}, {0x16,0x1c,0x12,0x1a}, {0x1d,0x12,0x1b,0x17}, -{0x2c,0x38,0x24,0x34}, {0x27,0x36,0x2d,0x39}, {0x3a,0x24,0x36,0x2e}, {0x31,0x2a,0x3f,0x23}, -{0x58,0x70,0x48,0x68}, {0x53,0x7e,0x41,0x65}, {0x4e,0x6c,0x5a,0x72}, {0x45,0x62,0x53,0x7f}, -{0x74,0x48,0x6c,0x5c}, {0x7f,0x46,0x65,0x51}, {0x62,0x54,0x7e,0x46}, {0x69,0x5a,0x77,0x4b}, -{0xb0,0xe0,0x90,0xd0}, {0xbb,0xee,0x99,0xdd}, {0xa6,0xfc,0x82,0xca}, {0xad,0xf2,0x8b,0xc7}, -{0x9c,0xd8,0xb4,0xe4}, {0x97,0xd6,0xbd,0xe9}, {0x8a,0xc4,0xa6,0xfe}, {0x81,0xca,0xaf,0xf3}, -{0xe8,0x90,0xd8,0xb8}, {0xe3,0x9e,0xd1,0xb5}, {0xfe,0x8c,0xca,0xa2}, {0xf5,0x82,0xc3,0xaf}, -{0xc4,0xa8,0xfc,0x8c}, {0xcf,0xa6,0xf5,0x81}, {0xd2,0xb4,0xee,0x96}, {0xd9,0xba,0xe7,0x9b}, -{0x7b,0xdb,0x3b,0xbb}, {0x70,0xd5,0x32,0xb6}, {0x6d,0xc7,0x29,0xa1}, {0x66,0xc9,0x20,0xac}, -{0x57,0xe3,0x1f,0x8f}, {0x5c,0xed,0x16,0x82}, {0x41,0xff,0x0d,0x95}, {0x4a,0xf1,0x04,0x98}, -{0x23,0xab,0x73,0xd3}, {0x28,0xa5,0x7a,0xde}, {0x35,0xb7,0x61,0xc9}, {0x3e,0xb9,0x68,0xc4}, -{0x0f,0x93,0x57,0xe7}, {0x04,0x9d,0x5e,0xea}, {0x19,0x8f,0x45,0xfd}, {0x12,0x81,0x4c,0xf0}, -{0xcb,0x3b,0xab,0x6b}, {0xc0,0x35,0xa2,0x66}, {0xdd,0x27,0xb9,0x71}, {0xd6,0x29,0xb0,0x7c}, -{0xe7,0x03,0x8f,0x5f}, {0xec,0x0d,0x86,0x52}, {0xf1,0x1f,0x9d,0x45}, {0xfa,0x11,0x94,0x48}, -{0x93,0x4b,0xe3,0x03}, {0x98,0x45,0xea,0x0e}, {0x85,0x57,0xf1,0x19}, {0x8e,0x59,0xf8,0x14}, -{0xbf,0x73,0xc7,0x37}, 
{0xb4,0x7d,0xce,0x3a}, {0xa9,0x6f,0xd5,0x2d}, {0xa2,0x61,0xdc,0x20}, -{0xf6,0xad,0x76,0x6d}, {0xfd,0xa3,0x7f,0x60}, {0xe0,0xb1,0x64,0x77}, {0xeb,0xbf,0x6d,0x7a}, -{0xda,0x95,0x52,0x59}, {0xd1,0x9b,0x5b,0x54}, {0xcc,0x89,0x40,0x43}, {0xc7,0x87,0x49,0x4e}, -{0xae,0xdd,0x3e,0x05}, {0xa5,0xd3,0x37,0x08}, {0xb8,0xc1,0x2c,0x1f}, {0xb3,0xcf,0x25,0x12}, -{0x82,0xe5,0x1a,0x31}, {0x89,0xeb,0x13,0x3c}, {0x94,0xf9,0x08,0x2b}, {0x9f,0xf7,0x01,0x26}, -{0x46,0x4d,0xe6,0xbd}, {0x4d,0x43,0xef,0xb0}, {0x50,0x51,0xf4,0xa7}, {0x5b,0x5f,0xfd,0xaa}, -{0x6a,0x75,0xc2,0x89}, {0x61,0x7b,0xcb,0x84}, {0x7c,0x69,0xd0,0x93}, {0x77,0x67,0xd9,0x9e}, -{0x1e,0x3d,0xae,0xd5}, {0x15,0x33,0xa7,0xd8}, {0x08,0x21,0xbc,0xcf}, {0x03,0x2f,0xb5,0xc2}, -{0x32,0x05,0x8a,0xe1}, {0x39,0x0b,0x83,0xec}, {0x24,0x19,0x98,0xfb}, {0x2f,0x17,0x91,0xf6}, -{0x8d,0x76,0x4d,0xd6}, {0x86,0x78,0x44,0xdb}, {0x9b,0x6a,0x5f,0xcc}, {0x90,0x64,0x56,0xc1}, -{0xa1,0x4e,0x69,0xe2}, {0xaa,0x40,0x60,0xef}, {0xb7,0x52,0x7b,0xf8}, {0xbc,0x5c,0x72,0xf5}, -{0xd5,0x06,0x05,0xbe}, {0xde,0x08,0x0c,0xb3}, {0xc3,0x1a,0x17,0xa4}, {0xc8,0x14,0x1e,0xa9}, -{0xf9,0x3e,0x21,0x8a}, {0xf2,0x30,0x28,0x87}, {0xef,0x22,0x33,0x90}, {0xe4,0x2c,0x3a,0x9d}, -{0x3d,0x96,0xdd,0x06}, {0x36,0x98,0xd4,0x0b}, {0x2b,0x8a,0xcf,0x1c}, {0x20,0x84,0xc6,0x11}, -{0x11,0xae,0xf9,0x32}, {0x1a,0xa0,0xf0,0x3f}, {0x07,0xb2,0xeb,0x28}, {0x0c,0xbc,0xe2,0x25}, -{0x65,0xe6,0x95,0x6e}, {0x6e,0xe8,0x9c,0x63}, {0x73,0xfa,0x87,0x74}, {0x78,0xf4,0x8e,0x79}, -{0x49,0xde,0xb1,0x5a}, {0x42,0xd0,0xb8,0x57}, {0x5f,0xc2,0xa3,0x40}, {0x54,0xcc,0xaa,0x4d}, -{0xf7,0x41,0xec,0xda}, {0xfc,0x4f,0xe5,0xd7}, {0xe1,0x5d,0xfe,0xc0}, {0xea,0x53,0xf7,0xcd}, -{0xdb,0x79,0xc8,0xee}, {0xd0,0x77,0xc1,0xe3}, {0xcd,0x65,0xda,0xf4}, {0xc6,0x6b,0xd3,0xf9}, -{0xaf,0x31,0xa4,0xb2}, {0xa4,0x3f,0xad,0xbf}, {0xb9,0x2d,0xb6,0xa8}, {0xb2,0x23,0xbf,0xa5}, -{0x83,0x09,0x80,0x86}, {0x88,0x07,0x89,0x8b}, {0x95,0x15,0x92,0x9c}, {0x9e,0x1b,0x9b,0x91}, -{0x47,0xa1,0x7c,0x0a}, {0x4c,0xaf,0x75,0x07}, {0x51,0xbd,0x6e,0x10}, 
{0x5a,0xb3,0x67,0x1d}, -{0x6b,0x99,0x58,0x3e}, {0x60,0x97,0x51,0x33}, {0x7d,0x85,0x4a,0x24}, {0x76,0x8b,0x43,0x29}, -{0x1f,0xd1,0x34,0x62}, {0x14,0xdf,0x3d,0x6f}, {0x09,0xcd,0x26,0x78}, {0x02,0xc3,0x2f,0x75}, -{0x33,0xe9,0x10,0x56}, {0x38,0xe7,0x19,0x5b}, {0x25,0xf5,0x02,0x4c}, {0x2e,0xfb,0x0b,0x41}, -{0x8c,0x9a,0xd7,0x61}, {0x87,0x94,0xde,0x6c}, {0x9a,0x86,0xc5,0x7b}, {0x91,0x88,0xcc,0x76}, -{0xa0,0xa2,0xf3,0x55}, {0xab,0xac,0xfa,0x58}, {0xb6,0xbe,0xe1,0x4f}, {0xbd,0xb0,0xe8,0x42}, -{0xd4,0xea,0x9f,0x09}, {0xdf,0xe4,0x96,0x04}, {0xc2,0xf6,0x8d,0x13}, {0xc9,0xf8,0x84,0x1e}, -{0xf8,0xd2,0xbb,0x3d}, {0xf3,0xdc,0xb2,0x30}, {0xee,0xce,0xa9,0x27}, {0xe5,0xc0,0xa0,0x2a}, -{0x3c,0x7a,0x47,0xb1}, {0x37,0x74,0x4e,0xbc}, {0x2a,0x66,0x55,0xab}, {0x21,0x68,0x5c,0xa6}, -{0x10,0x42,0x63,0x85}, {0x1b,0x4c,0x6a,0x88}, {0x06,0x5e,0x71,0x9f}, {0x0d,0x50,0x78,0x92}, -{0x64,0x0a,0x0f,0xd9}, {0x6f,0x04,0x06,0xd4}, {0x72,0x16,0x1d,0xc3}, {0x79,0x18,0x14,0xce}, -{0x48,0x32,0x2b,0xed}, {0x43,0x3c,0x22,0xe0}, {0x5e,0x2e,0x39,0xf7}, {0x55,0x20,0x30,0xfa}, -{0x01,0xec,0x9a,0xb7}, {0x0a,0xe2,0x93,0xba}, {0x17,0xf0,0x88,0xad}, {0x1c,0xfe,0x81,0xa0}, -{0x2d,0xd4,0xbe,0x83}, {0x26,0xda,0xb7,0x8e}, {0x3b,0xc8,0xac,0x99}, {0x30,0xc6,0xa5,0x94}, -{0x59,0x9c,0xd2,0xdf}, {0x52,0x92,0xdb,0xd2}, {0x4f,0x80,0xc0,0xc5}, {0x44,0x8e,0xc9,0xc8}, -{0x75,0xa4,0xf6,0xeb}, {0x7e,0xaa,0xff,0xe6}, {0x63,0xb8,0xe4,0xf1}, {0x68,0xb6,0xed,0xfc}, -{0xb1,0x0c,0x0a,0x67}, {0xba,0x02,0x03,0x6a}, {0xa7,0x10,0x18,0x7d}, {0xac,0x1e,0x11,0x70}, -{0x9d,0x34,0x2e,0x53}, {0x96,0x3a,0x27,0x5e}, {0x8b,0x28,0x3c,0x49}, {0x80,0x26,0x35,0x44}, -{0xe9,0x7c,0x42,0x0f}, {0xe2,0x72,0x4b,0x02}, {0xff,0x60,0x50,0x15}, {0xf4,0x6e,0x59,0x18}, -{0xc5,0x44,0x66,0x3b}, {0xce,0x4a,0x6f,0x36}, {0xd3,0x58,0x74,0x21}, {0xd8,0x56,0x7d,0x2c}, -{0x7a,0x37,0xa1,0x0c}, {0x71,0x39,0xa8,0x01}, {0x6c,0x2b,0xb3,0x16}, {0x67,0x25,0xba,0x1b}, -{0x56,0x0f,0x85,0x38}, {0x5d,0x01,0x8c,0x35}, {0x40,0x13,0x97,0x22}, {0x4b,0x1d,0x9e,0x2f}, -{0x22,0x47,0xe9,0x64}, 
{0x29,0x49,0xe0,0x69}, {0x34,0x5b,0xfb,0x7e}, {0x3f,0x55,0xf2,0x73}, -{0x0e,0x7f,0xcd,0x50}, {0x05,0x71,0xc4,0x5d}, {0x18,0x63,0xdf,0x4a}, {0x13,0x6d,0xd6,0x47}, -{0xca,0xd7,0x31,0xdc}, {0xc1,0xd9,0x38,0xd1}, {0xdc,0xcb,0x23,0xc6}, {0xd7,0xc5,0x2a,0xcb}, -{0xe6,0xef,0x15,0xe8}, {0xed,0xe1,0x1c,0xe5}, {0xf0,0xf3,0x07,0xf2}, {0xfb,0xfd,0x0e,0xff}, -{0x92,0xa7,0x79,0xb4}, {0x99,0xa9,0x70,0xb9}, {0x84,0xbb,0x6b,0xae}, {0x8f,0xb5,0x62,0xa3}, -{0xbe,0x9f,0x5d,0x80}, {0xb5,0x91,0x54,0x8d}, {0xa8,0x83,0x4f,0x9a}, {0xa3,0x8d,0x46,0x97} - } -}; -#define U2 xU2.xt8 - -static const union xtab xU3 = { - .xt8 = { -{0x00,0x00,0x00,0x00}, {0x0d,0x0b,0x0e,0x09}, {0x1a,0x16,0x1c,0x12}, {0x17,0x1d,0x12,0x1b}, -{0x34,0x2c,0x38,0x24}, {0x39,0x27,0x36,0x2d}, {0x2e,0x3a,0x24,0x36}, {0x23,0x31,0x2a,0x3f}, -{0x68,0x58,0x70,0x48}, {0x65,0x53,0x7e,0x41}, {0x72,0x4e,0x6c,0x5a}, {0x7f,0x45,0x62,0x53}, -{0x5c,0x74,0x48,0x6c}, {0x51,0x7f,0x46,0x65}, {0x46,0x62,0x54,0x7e}, {0x4b,0x69,0x5a,0x77}, -{0xd0,0xb0,0xe0,0x90}, {0xdd,0xbb,0xee,0x99}, {0xca,0xa6,0xfc,0x82}, {0xc7,0xad,0xf2,0x8b}, -{0xe4,0x9c,0xd8,0xb4}, {0xe9,0x97,0xd6,0xbd}, {0xfe,0x8a,0xc4,0xa6}, {0xf3,0x81,0xca,0xaf}, -{0xb8,0xe8,0x90,0xd8}, {0xb5,0xe3,0x9e,0xd1}, {0xa2,0xfe,0x8c,0xca}, {0xaf,0xf5,0x82,0xc3}, -{0x8c,0xc4,0xa8,0xfc}, {0x81,0xcf,0xa6,0xf5}, {0x96,0xd2,0xb4,0xee}, {0x9b,0xd9,0xba,0xe7}, -{0xbb,0x7b,0xdb,0x3b}, {0xb6,0x70,0xd5,0x32}, {0xa1,0x6d,0xc7,0x29}, {0xac,0x66,0xc9,0x20}, -{0x8f,0x57,0xe3,0x1f}, {0x82,0x5c,0xed,0x16}, {0x95,0x41,0xff,0x0d}, {0x98,0x4a,0xf1,0x04}, -{0xd3,0x23,0xab,0x73}, {0xde,0x28,0xa5,0x7a}, {0xc9,0x35,0xb7,0x61}, {0xc4,0x3e,0xb9,0x68}, -{0xe7,0x0f,0x93,0x57}, {0xea,0x04,0x9d,0x5e}, {0xfd,0x19,0x8f,0x45}, {0xf0,0x12,0x81,0x4c}, -{0x6b,0xcb,0x3b,0xab}, {0x66,0xc0,0x35,0xa2}, {0x71,0xdd,0x27,0xb9}, {0x7c,0xd6,0x29,0xb0}, -{0x5f,0xe7,0x03,0x8f}, {0x52,0xec,0x0d,0x86}, {0x45,0xf1,0x1f,0x9d}, {0x48,0xfa,0x11,0x94}, -{0x03,0x93,0x4b,0xe3}, {0x0e,0x98,0x45,0xea}, {0x19,0x85,0x57,0xf1}, 
{0x14,0x8e,0x59,0xf8}, -{0x37,0xbf,0x73,0xc7}, {0x3a,0xb4,0x7d,0xce}, {0x2d,0xa9,0x6f,0xd5}, {0x20,0xa2,0x61,0xdc}, -{0x6d,0xf6,0xad,0x76}, {0x60,0xfd,0xa3,0x7f}, {0x77,0xe0,0xb1,0x64}, {0x7a,0xeb,0xbf,0x6d}, -{0x59,0xda,0x95,0x52}, {0x54,0xd1,0x9b,0x5b}, {0x43,0xcc,0x89,0x40}, {0x4e,0xc7,0x87,0x49}, -{0x05,0xae,0xdd,0x3e}, {0x08,0xa5,0xd3,0x37}, {0x1f,0xb8,0xc1,0x2c}, {0x12,0xb3,0xcf,0x25}, -{0x31,0x82,0xe5,0x1a}, {0x3c,0x89,0xeb,0x13}, {0x2b,0x94,0xf9,0x08}, {0x26,0x9f,0xf7,0x01}, -{0xbd,0x46,0x4d,0xe6}, {0xb0,0x4d,0x43,0xef}, {0xa7,0x50,0x51,0xf4}, {0xaa,0x5b,0x5f,0xfd}, -{0x89,0x6a,0x75,0xc2}, {0x84,0x61,0x7b,0xcb}, {0x93,0x7c,0x69,0xd0}, {0x9e,0x77,0x67,0xd9}, -{0xd5,0x1e,0x3d,0xae}, {0xd8,0x15,0x33,0xa7}, {0xcf,0x08,0x21,0xbc}, {0xc2,0x03,0x2f,0xb5}, -{0xe1,0x32,0x05,0x8a}, {0xec,0x39,0x0b,0x83}, {0xfb,0x24,0x19,0x98}, {0xf6,0x2f,0x17,0x91}, -{0xd6,0x8d,0x76,0x4d}, {0xdb,0x86,0x78,0x44}, {0xcc,0x9b,0x6a,0x5f}, {0xc1,0x90,0x64,0x56}, -{0xe2,0xa1,0x4e,0x69}, {0xef,0xaa,0x40,0x60}, {0xf8,0xb7,0x52,0x7b}, {0xf5,0xbc,0x5c,0x72}, -{0xbe,0xd5,0x06,0x05}, {0xb3,0xde,0x08,0x0c}, {0xa4,0xc3,0x1a,0x17}, {0xa9,0xc8,0x14,0x1e}, -{0x8a,0xf9,0x3e,0x21}, {0x87,0xf2,0x30,0x28}, {0x90,0xef,0x22,0x33}, {0x9d,0xe4,0x2c,0x3a}, -{0x06,0x3d,0x96,0xdd}, {0x0b,0x36,0x98,0xd4}, {0x1c,0x2b,0x8a,0xcf}, {0x11,0x20,0x84,0xc6}, -{0x32,0x11,0xae,0xf9}, {0x3f,0x1a,0xa0,0xf0}, {0x28,0x07,0xb2,0xeb}, {0x25,0x0c,0xbc,0xe2}, -{0x6e,0x65,0xe6,0x95}, {0x63,0x6e,0xe8,0x9c}, {0x74,0x73,0xfa,0x87}, {0x79,0x78,0xf4,0x8e}, -{0x5a,0x49,0xde,0xb1}, {0x57,0x42,0xd0,0xb8}, {0x40,0x5f,0xc2,0xa3}, {0x4d,0x54,0xcc,0xaa}, -{0xda,0xf7,0x41,0xec}, {0xd7,0xfc,0x4f,0xe5}, {0xc0,0xe1,0x5d,0xfe}, {0xcd,0xea,0x53,0xf7}, -{0xee,0xdb,0x79,0xc8}, {0xe3,0xd0,0x77,0xc1}, {0xf4,0xcd,0x65,0xda}, {0xf9,0xc6,0x6b,0xd3}, -{0xb2,0xaf,0x31,0xa4}, {0xbf,0xa4,0x3f,0xad}, {0xa8,0xb9,0x2d,0xb6}, {0xa5,0xb2,0x23,0xbf}, -{0x86,0x83,0x09,0x80}, {0x8b,0x88,0x07,0x89}, {0x9c,0x95,0x15,0x92}, {0x91,0x9e,0x1b,0x9b}, -{0x0a,0x47,0xa1,0x7c}, 
{0x07,0x4c,0xaf,0x75}, {0x10,0x51,0xbd,0x6e}, {0x1d,0x5a,0xb3,0x67}, -{0x3e,0x6b,0x99,0x58}, {0x33,0x60,0x97,0x51}, {0x24,0x7d,0x85,0x4a}, {0x29,0x76,0x8b,0x43}, -{0x62,0x1f,0xd1,0x34}, {0x6f,0x14,0xdf,0x3d}, {0x78,0x09,0xcd,0x26}, {0x75,0x02,0xc3,0x2f}, -{0x56,0x33,0xe9,0x10}, {0x5b,0x38,0xe7,0x19}, {0x4c,0x25,0xf5,0x02}, {0x41,0x2e,0xfb,0x0b}, -{0x61,0x8c,0x9a,0xd7}, {0x6c,0x87,0x94,0xde}, {0x7b,0x9a,0x86,0xc5}, {0x76,0x91,0x88,0xcc}, -{0x55,0xa0,0xa2,0xf3}, {0x58,0xab,0xac,0xfa}, {0x4f,0xb6,0xbe,0xe1}, {0x42,0xbd,0xb0,0xe8}, -{0x09,0xd4,0xea,0x9f}, {0x04,0xdf,0xe4,0x96}, {0x13,0xc2,0xf6,0x8d}, {0x1e,0xc9,0xf8,0x84}, -{0x3d,0xf8,0xd2,0xbb}, {0x30,0xf3,0xdc,0xb2}, {0x27,0xee,0xce,0xa9}, {0x2a,0xe5,0xc0,0xa0}, -{0xb1,0x3c,0x7a,0x47}, {0xbc,0x37,0x74,0x4e}, {0xab,0x2a,0x66,0x55}, {0xa6,0x21,0x68,0x5c}, -{0x85,0x10,0x42,0x63}, {0x88,0x1b,0x4c,0x6a}, {0x9f,0x06,0x5e,0x71}, {0x92,0x0d,0x50,0x78}, -{0xd9,0x64,0x0a,0x0f}, {0xd4,0x6f,0x04,0x06}, {0xc3,0x72,0x16,0x1d}, {0xce,0x79,0x18,0x14}, -{0xed,0x48,0x32,0x2b}, {0xe0,0x43,0x3c,0x22}, {0xf7,0x5e,0x2e,0x39}, {0xfa,0x55,0x20,0x30}, -{0xb7,0x01,0xec,0x9a}, {0xba,0x0a,0xe2,0x93}, {0xad,0x17,0xf0,0x88}, {0xa0,0x1c,0xfe,0x81}, -{0x83,0x2d,0xd4,0xbe}, {0x8e,0x26,0xda,0xb7}, {0x99,0x3b,0xc8,0xac}, {0x94,0x30,0xc6,0xa5}, -{0xdf,0x59,0x9c,0xd2}, {0xd2,0x52,0x92,0xdb}, {0xc5,0x4f,0x80,0xc0}, {0xc8,0x44,0x8e,0xc9}, -{0xeb,0x75,0xa4,0xf6}, {0xe6,0x7e,0xaa,0xff}, {0xf1,0x63,0xb8,0xe4}, {0xfc,0x68,0xb6,0xed}, -{0x67,0xb1,0x0c,0x0a}, {0x6a,0xba,0x02,0x03}, {0x7d,0xa7,0x10,0x18}, {0x70,0xac,0x1e,0x11}, -{0x53,0x9d,0x34,0x2e}, {0x5e,0x96,0x3a,0x27}, {0x49,0x8b,0x28,0x3c}, {0x44,0x80,0x26,0x35}, -{0x0f,0xe9,0x7c,0x42}, {0x02,0xe2,0x72,0x4b}, {0x15,0xff,0x60,0x50}, {0x18,0xf4,0x6e,0x59}, -{0x3b,0xc5,0x44,0x66}, {0x36,0xce,0x4a,0x6f}, {0x21,0xd3,0x58,0x74}, {0x2c,0xd8,0x56,0x7d}, -{0x0c,0x7a,0x37,0xa1}, {0x01,0x71,0x39,0xa8}, {0x16,0x6c,0x2b,0xb3}, {0x1b,0x67,0x25,0xba}, -{0x38,0x56,0x0f,0x85}, {0x35,0x5d,0x01,0x8c}, {0x22,0x40,0x13,0x97}, 
{0x2f,0x4b,0x1d,0x9e}, -{0x64,0x22,0x47,0xe9}, {0x69,0x29,0x49,0xe0}, {0x7e,0x34,0x5b,0xfb}, {0x73,0x3f,0x55,0xf2}, -{0x50,0x0e,0x7f,0xcd}, {0x5d,0x05,0x71,0xc4}, {0x4a,0x18,0x63,0xdf}, {0x47,0x13,0x6d,0xd6}, -{0xdc,0xca,0xd7,0x31}, {0xd1,0xc1,0xd9,0x38}, {0xc6,0xdc,0xcb,0x23}, {0xcb,0xd7,0xc5,0x2a}, -{0xe8,0xe6,0xef,0x15}, {0xe5,0xed,0xe1,0x1c}, {0xf2,0xf0,0xf3,0x07}, {0xff,0xfb,0xfd,0x0e}, -{0xb4,0x92,0xa7,0x79}, {0xb9,0x99,0xa9,0x70}, {0xae,0x84,0xbb,0x6b}, {0xa3,0x8f,0xb5,0x62}, -{0x80,0xbe,0x9f,0x5d}, {0x8d,0xb5,0x91,0x54}, {0x9a,0xa8,0x83,0x4f}, {0x97,0xa3,0x8d,0x46} - } -}; -#define U3 xU3.xt8 - -static const union xtab xU4 = { - .xt8 = { -{0x00,0x00,0x00,0x00}, {0x09,0x0d,0x0b,0x0e}, {0x12,0x1a,0x16,0x1c}, {0x1b,0x17,0x1d,0x12}, -{0x24,0x34,0x2c,0x38}, {0x2d,0x39,0x27,0x36}, {0x36,0x2e,0x3a,0x24}, {0x3f,0x23,0x31,0x2a}, -{0x48,0x68,0x58,0x70}, {0x41,0x65,0x53,0x7e}, {0x5a,0x72,0x4e,0x6c}, {0x53,0x7f,0x45,0x62}, -{0x6c,0x5c,0x74,0x48}, {0x65,0x51,0x7f,0x46}, {0x7e,0x46,0x62,0x54}, {0x77,0x4b,0x69,0x5a}, -{0x90,0xd0,0xb0,0xe0}, {0x99,0xdd,0xbb,0xee}, {0x82,0xca,0xa6,0xfc}, {0x8b,0xc7,0xad,0xf2}, -{0xb4,0xe4,0x9c,0xd8}, {0xbd,0xe9,0x97,0xd6}, {0xa6,0xfe,0x8a,0xc4}, {0xaf,0xf3,0x81,0xca}, -{0xd8,0xb8,0xe8,0x90}, {0xd1,0xb5,0xe3,0x9e}, {0xca,0xa2,0xfe,0x8c}, {0xc3,0xaf,0xf5,0x82}, -{0xfc,0x8c,0xc4,0xa8}, {0xf5,0x81,0xcf,0xa6}, {0xee,0x96,0xd2,0xb4}, {0xe7,0x9b,0xd9,0xba}, -{0x3b,0xbb,0x7b,0xdb}, {0x32,0xb6,0x70,0xd5}, {0x29,0xa1,0x6d,0xc7}, {0x20,0xac,0x66,0xc9}, -{0x1f,0x8f,0x57,0xe3}, {0x16,0x82,0x5c,0xed}, {0x0d,0x95,0x41,0xff}, {0x04,0x98,0x4a,0xf1}, -{0x73,0xd3,0x23,0xab}, {0x7a,0xde,0x28,0xa5}, {0x61,0xc9,0x35,0xb7}, {0x68,0xc4,0x3e,0xb9}, -{0x57,0xe7,0x0f,0x93}, {0x5e,0xea,0x04,0x9d}, {0x45,0xfd,0x19,0x8f}, {0x4c,0xf0,0x12,0x81}, -{0xab,0x6b,0xcb,0x3b}, {0xa2,0x66,0xc0,0x35}, {0xb9,0x71,0xdd,0x27}, {0xb0,0x7c,0xd6,0x29}, -{0x8f,0x5f,0xe7,0x03}, {0x86,0x52,0xec,0x0d}, {0x9d,0x45,0xf1,0x1f}, {0x94,0x48,0xfa,0x11}, -{0xe3,0x03,0x93,0x4b}, 
{0xea,0x0e,0x98,0x45}, {0xf1,0x19,0x85,0x57}, {0xf8,0x14,0x8e,0x59}, -{0xc7,0x37,0xbf,0x73}, {0xce,0x3a,0xb4,0x7d}, {0xd5,0x2d,0xa9,0x6f}, {0xdc,0x20,0xa2,0x61}, -{0x76,0x6d,0xf6,0xad}, {0x7f,0x60,0xfd,0xa3}, {0x64,0x77,0xe0,0xb1}, {0x6d,0x7a,0xeb,0xbf}, -{0x52,0x59,0xda,0x95}, {0x5b,0x54,0xd1,0x9b}, {0x40,0x43,0xcc,0x89}, {0x49,0x4e,0xc7,0x87}, -{0x3e,0x05,0xae,0xdd}, {0x37,0x08,0xa5,0xd3}, {0x2c,0x1f,0xb8,0xc1}, {0x25,0x12,0xb3,0xcf}, -{0x1a,0x31,0x82,0xe5}, {0x13,0x3c,0x89,0xeb}, {0x08,0x2b,0x94,0xf9}, {0x01,0x26,0x9f,0xf7}, -{0xe6,0xbd,0x46,0x4d}, {0xef,0xb0,0x4d,0x43}, {0xf4,0xa7,0x50,0x51}, {0xfd,0xaa,0x5b,0x5f}, -{0xc2,0x89,0x6a,0x75}, {0xcb,0x84,0x61,0x7b}, {0xd0,0x93,0x7c,0x69}, {0xd9,0x9e,0x77,0x67}, -{0xae,0xd5,0x1e,0x3d}, {0xa7,0xd8,0x15,0x33}, {0xbc,0xcf,0x08,0x21}, {0xb5,0xc2,0x03,0x2f}, -{0x8a,0xe1,0x32,0x05}, {0x83,0xec,0x39,0x0b}, {0x98,0xfb,0x24,0x19}, {0x91,0xf6,0x2f,0x17}, -{0x4d,0xd6,0x8d,0x76}, {0x44,0xdb,0x86,0x78}, {0x5f,0xcc,0x9b,0x6a}, {0x56,0xc1,0x90,0x64}, -{0x69,0xe2,0xa1,0x4e}, {0x60,0xef,0xaa,0x40}, {0x7b,0xf8,0xb7,0x52}, {0x72,0xf5,0xbc,0x5c}, -{0x05,0xbe,0xd5,0x06}, {0x0c,0xb3,0xde,0x08}, {0x17,0xa4,0xc3,0x1a}, {0x1e,0xa9,0xc8,0x14}, -{0x21,0x8a,0xf9,0x3e}, {0x28,0x87,0xf2,0x30}, {0x33,0x90,0xef,0x22}, {0x3a,0x9d,0xe4,0x2c}, -{0xdd,0x06,0x3d,0x96}, {0xd4,0x0b,0x36,0x98}, {0xcf,0x1c,0x2b,0x8a}, {0xc6,0x11,0x20,0x84}, -{0xf9,0x32,0x11,0xae}, {0xf0,0x3f,0x1a,0xa0}, {0xeb,0x28,0x07,0xb2}, {0xe2,0x25,0x0c,0xbc}, -{0x95,0x6e,0x65,0xe6}, {0x9c,0x63,0x6e,0xe8}, {0x87,0x74,0x73,0xfa}, {0x8e,0x79,0x78,0xf4}, -{0xb1,0x5a,0x49,0xde}, {0xb8,0x57,0x42,0xd0}, {0xa3,0x40,0x5f,0xc2}, {0xaa,0x4d,0x54,0xcc}, -{0xec,0xda,0xf7,0x41}, {0xe5,0xd7,0xfc,0x4f}, {0xfe,0xc0,0xe1,0x5d}, {0xf7,0xcd,0xea,0x53}, -{0xc8,0xee,0xdb,0x79}, {0xc1,0xe3,0xd0,0x77}, {0xda,0xf4,0xcd,0x65}, {0xd3,0xf9,0xc6,0x6b}, -{0xa4,0xb2,0xaf,0x31}, {0xad,0xbf,0xa4,0x3f}, {0xb6,0xa8,0xb9,0x2d}, {0xbf,0xa5,0xb2,0x23}, -{0x80,0x86,0x83,0x09}, {0x89,0x8b,0x88,0x07}, {0x92,0x9c,0x95,0x15}, 
{0x9b,0x91,0x9e,0x1b}, -{0x7c,0x0a,0x47,0xa1}, {0x75,0x07,0x4c,0xaf}, {0x6e,0x10,0x51,0xbd}, {0x67,0x1d,0x5a,0xb3}, -{0x58,0x3e,0x6b,0x99}, {0x51,0x33,0x60,0x97}, {0x4a,0x24,0x7d,0x85}, {0x43,0x29,0x76,0x8b}, -{0x34,0x62,0x1f,0xd1}, {0x3d,0x6f,0x14,0xdf}, {0x26,0x78,0x09,0xcd}, {0x2f,0x75,0x02,0xc3}, -{0x10,0x56,0x33,0xe9}, {0x19,0x5b,0x38,0xe7}, {0x02,0x4c,0x25,0xf5}, {0x0b,0x41,0x2e,0xfb}, -{0xd7,0x61,0x8c,0x9a}, {0xde,0x6c,0x87,0x94}, {0xc5,0x7b,0x9a,0x86}, {0xcc,0x76,0x91,0x88}, -{0xf3,0x55,0xa0,0xa2}, {0xfa,0x58,0xab,0xac}, {0xe1,0x4f,0xb6,0xbe}, {0xe8,0x42,0xbd,0xb0}, -{0x9f,0x09,0xd4,0xea}, {0x96,0x04,0xdf,0xe4}, {0x8d,0x13,0xc2,0xf6}, {0x84,0x1e,0xc9,0xf8}, -{0xbb,0x3d,0xf8,0xd2}, {0xb2,0x30,0xf3,0xdc}, {0xa9,0x27,0xee,0xce}, {0xa0,0x2a,0xe5,0xc0}, -{0x47,0xb1,0x3c,0x7a}, {0x4e,0xbc,0x37,0x74}, {0x55,0xab,0x2a,0x66}, {0x5c,0xa6,0x21,0x68}, -{0x63,0x85,0x10,0x42}, {0x6a,0x88,0x1b,0x4c}, {0x71,0x9f,0x06,0x5e}, {0x78,0x92,0x0d,0x50}, -{0x0f,0xd9,0x64,0x0a}, {0x06,0xd4,0x6f,0x04}, {0x1d,0xc3,0x72,0x16}, {0x14,0xce,0x79,0x18}, -{0x2b,0xed,0x48,0x32}, {0x22,0xe0,0x43,0x3c}, {0x39,0xf7,0x5e,0x2e}, {0x30,0xfa,0x55,0x20}, -{0x9a,0xb7,0x01,0xec}, {0x93,0xba,0x0a,0xe2}, {0x88,0xad,0x17,0xf0}, {0x81,0xa0,0x1c,0xfe}, -{0xbe,0x83,0x2d,0xd4}, {0xb7,0x8e,0x26,0xda}, {0xac,0x99,0x3b,0xc8}, {0xa5,0x94,0x30,0xc6}, -{0xd2,0xdf,0x59,0x9c}, {0xdb,0xd2,0x52,0x92}, {0xc0,0xc5,0x4f,0x80}, {0xc9,0xc8,0x44,0x8e}, -{0xf6,0xeb,0x75,0xa4}, {0xff,0xe6,0x7e,0xaa}, {0xe4,0xf1,0x63,0xb8}, {0xed,0xfc,0x68,0xb6}, -{0x0a,0x67,0xb1,0x0c}, {0x03,0x6a,0xba,0x02}, {0x18,0x7d,0xa7,0x10}, {0x11,0x70,0xac,0x1e}, -{0x2e,0x53,0x9d,0x34}, {0x27,0x5e,0x96,0x3a}, {0x3c,0x49,0x8b,0x28}, {0x35,0x44,0x80,0x26}, -{0x42,0x0f,0xe9,0x7c}, {0x4b,0x02,0xe2,0x72}, {0x50,0x15,0xff,0x60}, {0x59,0x18,0xf4,0x6e}, -{0x66,0x3b,0xc5,0x44}, {0x6f,0x36,0xce,0x4a}, {0x74,0x21,0xd3,0x58}, {0x7d,0x2c,0xd8,0x56}, -{0xa1,0x0c,0x7a,0x37}, {0xa8,0x01,0x71,0x39}, {0xb3,0x16,0x6c,0x2b}, {0xba,0x1b,0x67,0x25}, -{0x85,0x38,0x56,0x0f}, 
{0x8c,0x35,0x5d,0x01}, {0x97,0x22,0x40,0x13}, {0x9e,0x2f,0x4b,0x1d},
-{0xe9,0x64,0x22,0x47}, {0xe0,0x69,0x29,0x49}, {0xfb,0x7e,0x34,0x5b}, {0xf2,0x73,0x3f,0x55},
-{0xcd,0x50,0x0e,0x7f}, {0xc4,0x5d,0x05,0x71}, {0xdf,0x4a,0x18,0x63}, {0xd6,0x47,0x13,0x6d},
-{0x31,0xdc,0xca,0xd7}, {0x38,0xd1,0xc1,0xd9}, {0x23,0xc6,0xdc,0xcb}, {0x2a,0xcb,0xd7,0xc5},
-{0x15,0xe8,0xe6,0xef}, {0x1c,0xe5,0xed,0xe1}, {0x07,0xf2,0xf0,0xf3}, {0x0e,0xff,0xfb,0xfd},
-{0x79,0xb4,0x92,0xa7}, {0x70,0xb9,0x99,0xa9}, {0x6b,0xae,0x84,0xbb}, {0x62,0xa3,0x8f,0xb5},
-{0x5d,0x80,0xbe,0x9f}, {0x54,0x8d,0xb5,0x91}, {0x4f,0x9a,0xa8,0x83}, {0x46,0x97,0xa3,0x8d}
- }
-};
-#define U4 xU4.xt8
-
-static const word32 rcon[30] = {
- 0x01,0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91
-};
diff --git a/ipsec-tools/racoon/Crypto/rijndael-alg-fst.c b/ipsec-tools/racoon/Crypto/rijndael-alg-fst.c
deleted file mode 100644
index 8ccf9e1..0000000
--- a/ipsec-tools/racoon/Crypto/rijndael-alg-fst.c
+++ /dev/null
@@ -1,492 +0,0 @@ -/* $KAME: rijndael-alg-fst.c,v 1.9 2001/06/19 15:21:05 itojun Exp $ */ - -/* - * rijndael-alg-fst.c v2.3 April '2000 - * - * Optimised ANSI C code - * - * authors: v1.0: Antoon Bosselaers - * v2.0: Vincent Rijmen - * v2.3: Paulo Barreto - * - * This code is placed in the public domain. - */ - -#include -#include -#ifdef _KERNEL -#include -#else -#include -#endif -#include -#include - -#include "boxes-fst.dat" - -#include -#define bcopy(a, b, c) memcpy((b), (a), (c)) -#define bzero(a, b) memset((a), 0, (b)) -#define panic(a) err(1, (a)) - -int rijndaelKeySched(word8 k[MAXKC][4], word8 W[MAXROUNDS+1][4][4], int ROUNDS) { - /* Calculate the necessary round keys - * The number of calculations depends on keyBits and blockBits - */ - int j, r, t, rconpointer = 0; - union { - word8 x8[MAXKC][4]; - word32 x32[MAXKC]; - } xtk; -#define tk xtk.x8 - int KC = ROUNDS - 6; - - for (j = KC-1; j >= 0; j--) { - *((word32*)tk[j]) = *((word32*)k[j]); - } - r = 0; - t = 0; - /* copy values into round key array */ - for (j = 0; (j < KC) && (r < ROUNDS + 1); ) { - for (; (j < KC) && (t < 4); j++, t++) { - *((word32*)W[r][t]) = *((word32*)tk[j]); - } - if (t == 4) { - r++; - t = 0; - } - } - - while (r < ROUNDS + 1) { /* while not enough round key material calculated */ - /* calculate new values */ - tk[0][0] ^= S[tk[KC-1][1]]; - tk[0][1] ^= S[tk[KC-1][2]]; - tk[0][2] ^= S[tk[KC-1][3]]; - tk[0][3] ^= S[tk[KC-1][0]]; - tk[0][0] ^= rcon[rconpointer++]; - - if (KC != 8) { - for (j = 1; j < KC; j++) { - *((word32*)tk[j]) ^= *((word32*)tk[j-1]); - } - } else { - for (j = 1; j < KC/2; j++) { - *((word32*)tk[j]) ^= *((word32*)tk[j-1]); - } - tk[KC/2][0] ^= S[tk[KC/2 - 1][0]]; - tk[KC/2][1] ^= S[tk[KC/2 - 1][1]]; - tk[KC/2][2] ^= S[tk[KC/2 - 1][2]]; - tk[KC/2][3] ^= S[tk[KC/2 - 1][3]]; - for (j = KC/2 + 1; j < KC; j++) { - *((word32*)tk[j]) ^= *((word32*)tk[j-1]); - } - } - /* copy values into round key array */ - for (j = 0; (j < KC) && (r < ROUNDS + 1); ) { - for (; (j < KC) 
&& (t < 4); j++, t++) { - *((word32*)W[r][t]) = *((word32*)tk[j]); - } - if (t == 4) { - r++; - t = 0; - } - } - } - return 0; -#undef tk -} - -int rijndaelKeyEncToDec(word8 W[MAXROUNDS+1][4][4], int ROUNDS) { - int r; - word8 *w; - - for (r = 1; r < ROUNDS; r++) { - w = W[r][0]; - *((word32*)w) = - *((const word32*)U1[w[0]]) - ^ *((const word32*)U2[w[1]]) - ^ *((const word32*)U3[w[2]]) - ^ *((const word32*)U4[w[3]]); - - w = W[r][1]; - *((word32*)w) = - *((const word32*)U1[w[0]]) - ^ *((const word32*)U2[w[1]]) - ^ *((const word32*)U3[w[2]]) - ^ *((const word32*)U4[w[3]]); - - w = W[r][2]; - *((word32*)w) = - *((const word32*)U1[w[0]]) - ^ *((const word32*)U2[w[1]]) - ^ *((const word32*)U3[w[2]]) - ^ *((const word32*)U4[w[3]]); - - w = W[r][3]; - *((word32*)w) = - *((const word32*)U1[w[0]]) - ^ *((const word32*)U2[w[1]]) - ^ *((const word32*)U3[w[2]]) - ^ *((const word32*)U4[w[3]]); - } - return 0; -} - -/** - * Encrypt a single block. - */ -int rijndaelEncrypt(word8 in[16], word8 out[16], word8 rk[MAXROUNDS+1][4][4], int ROUNDS) { - int r; - union { - word8 x8[16]; - word32 x32[4]; - } xa, xb; -#define a xa.x8 -#define b xb.x8 - union { - word8 x8[4][4]; - word32 x32[4]; - } xtemp; -#define temp xtemp.x8 - - memcpy(a, in, sizeof a); - - *((word32*)temp[0]) = *((word32*)(a )) ^ *((word32*)rk[0][0]); - *((word32*)temp[1]) = *((word32*)(a+ 4)) ^ *((word32*)rk[0][1]); - *((word32*)temp[2]) = *((word32*)(a+ 8)) ^ *((word32*)rk[0][2]); - *((word32*)temp[3]) = *((word32*)(a+12)) ^ *((word32*)rk[0][3]); - *((word32*)(b )) = *((const word32*)T1[temp[0][0]]) - ^ *((const word32*)T2[temp[1][1]]) - ^ *((const word32*)T3[temp[2][2]]) - ^ *((const word32*)T4[temp[3][3]]); - *((word32*)(b + 4)) = *((const word32*)T1[temp[1][0]]) - ^ *((const word32*)T2[temp[2][1]]) - ^ *((const word32*)T3[temp[3][2]]) - ^ *((const word32*)T4[temp[0][3]]); - *((word32*)(b + 8)) = *((const word32*)T1[temp[2][0]]) - ^ *((const word32*)T2[temp[3][1]]) - ^ *((const word32*)T3[temp[0][2]]) - ^ 
*((const word32*)T4[temp[1][3]]); - *((word32*)(b +12)) = *((const word32*)T1[temp[3][0]]) - ^ *((const word32*)T2[temp[0][1]]) - ^ *((const word32*)T3[temp[1][2]]) - ^ *((const word32*)T4[temp[2][3]]); - for (r = 1; r < ROUNDS-1; r++) { - *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[r][0]); - *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[r][1]); - *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[r][2]); - *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[r][3]); - - *((word32*)(b )) = *((const word32*)T1[temp[0][0]]) - ^ *((const word32*)T2[temp[1][1]]) - ^ *((const word32*)T3[temp[2][2]]) - ^ *((const word32*)T4[temp[3][3]]); - *((word32*)(b + 4)) = *((const word32*)T1[temp[1][0]]) - ^ *((const word32*)T2[temp[2][1]]) - ^ *((const word32*)T3[temp[3][2]]) - ^ *((const word32*)T4[temp[0][3]]); - *((word32*)(b + 8)) = *((const word32*)T1[temp[2][0]]) - ^ *((const word32*)T2[temp[3][1]]) - ^ *((const word32*)T3[temp[0][2]]) - ^ *((const word32*)T4[temp[1][3]]); - *((word32*)(b +12)) = *((const word32*)T1[temp[3][0]]) - ^ *((const word32*)T2[temp[0][1]]) - ^ *((const word32*)T3[temp[1][2]]) - ^ *((const word32*)T4[temp[2][3]]); - } - /* last round is special */ - *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[ROUNDS-1][0]); - *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[ROUNDS-1][1]); - *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[ROUNDS-1][2]); - *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[ROUNDS-1][3]); - b[ 0] = T1[temp[0][0]][1]; - b[ 1] = T1[temp[1][1]][1]; - b[ 2] = T1[temp[2][2]][1]; - b[ 3] = T1[temp[3][3]][1]; - b[ 4] = T1[temp[1][0]][1]; - b[ 5] = T1[temp[2][1]][1]; - b[ 6] = T1[temp[3][2]][1]; - b[ 7] = T1[temp[0][3]][1]; - b[ 8] = T1[temp[2][0]][1]; - b[ 9] = T1[temp[3][1]][1]; - b[10] = T1[temp[0][2]][1]; - b[11] = T1[temp[1][3]][1]; - b[12] = T1[temp[3][0]][1]; - b[13] = T1[temp[0][1]][1]; - b[14] = T1[temp[1][2]][1]; - b[15] = T1[temp[2][3]][1]; - *((word32*)(b )) ^= 
*((word32*)rk[ROUNDS][0]); - *((word32*)(b+ 4)) ^= *((word32*)rk[ROUNDS][1]); - *((word32*)(b+ 8)) ^= *((word32*)rk[ROUNDS][2]); - *((word32*)(b+12)) ^= *((word32*)rk[ROUNDS][3]); - - memcpy(out, b, sizeof b /* XXX out */); - - return 0; -#undef a -#undef b -#undef temp -} - -#ifdef INTERMEDIATE_VALUE_KAT -/** - * Encrypt only a certain number of rounds. - * Only used in the Intermediate Value Known Answer Test. - */ -int rijndaelEncryptRound(word8 a[4][4], word8 rk[MAXROUNDS+1][4][4], int ROUNDS, int rounds) { - int r; - word8 temp[4][4]; - - /* make number of rounds sane */ - if (rounds > ROUNDS) { - rounds = ROUNDS; - } - - *((word32*)a[0]) = *((word32*)a[0]) ^ *((word32*)rk[0][0]); - *((word32*)a[1]) = *((word32*)a[1]) ^ *((word32*)rk[0][1]); - *((word32*)a[2]) = *((word32*)a[2]) ^ *((word32*)rk[0][2]); - *((word32*)a[3]) = *((word32*)a[3]) ^ *((word32*)rk[0][3]); - - for (r = 1; (r <= rounds) && (r < ROUNDS); r++) { - *((word32*)temp[0]) = *((const word32*)T1[a[0][0]]) - ^ *((const word32*)T2[a[1][1]]) - ^ *((const word32*)T3[a[2][2]]) - ^ *((const word32*)T4[a[3][3]]); - *((word32*)temp[1]) = *((const word32*)T1[a[1][0]]) - ^ *((const word32*)T2[a[2][1]]) - ^ *((const word32*)T3[a[3][2]]) - ^ *((const word32*)T4[a[0][3]]); - *((word32*)temp[2]) = *((const word32*)T1[a[2][0]]) - ^ *((const word32*)T2[a[3][1]]) - ^ *((const word32*)T3[a[0][2]]) - ^ *((const word32*)T4[a[1][3]]); - *((word32*)temp[3]) = *((const word32*)T1[a[3][0]]) - ^ *((const word32*)T2[a[0][1]]) - ^ *((const word32*)T3[a[1][2]]) - ^ *((const word32*)T4[a[2][3]]); - *((word32*)a[0]) = *((word32*)temp[0]) ^ *((word32*)rk[r][0]); - *((word32*)a[1]) = *((word32*)temp[1]) ^ *((word32*)rk[r][1]); - *((word32*)a[2]) = *((word32*)temp[2]) ^ *((word32*)rk[r][2]); - *((word32*)a[3]) = *((word32*)temp[3]) ^ *((word32*)rk[r][3]); - } - if (rounds == ROUNDS) { - /* last round is special */ - temp[0][0] = T1[a[0][0]][1]; - temp[0][1] = T1[a[1][1]][1]; - temp[0][2] = T1[a[2][2]][1]; - temp[0][3] = 
T1[a[3][3]][1]; - temp[1][0] = T1[a[1][0]][1]; - temp[1][1] = T1[a[2][1]][1]; - temp[1][2] = T1[a[3][2]][1]; - temp[1][3] = T1[a[0][3]][1]; - temp[2][0] = T1[a[2][0]][1]; - temp[2][1] = T1[a[3][1]][1]; - temp[2][2] = T1[a[0][2]][1]; - temp[2][3] = T1[a[1][3]][1]; - temp[3][0] = T1[a[3][0]][1]; - temp[3][1] = T1[a[0][1]][1]; - temp[3][2] = T1[a[1][2]][1]; - temp[3][3] = T1[a[2][3]][1]; - *((word32*)a[0]) = *((word32*)temp[0]) ^ *((word32*)rk[ROUNDS][0]); - *((word32*)a[1]) = *((word32*)temp[1]) ^ *((word32*)rk[ROUNDS][1]); - *((word32*)a[2]) = *((word32*)temp[2]) ^ *((word32*)rk[ROUNDS][2]); - *((word32*)a[3]) = *((word32*)temp[3]) ^ *((word32*)rk[ROUNDS][3]); - } - - return 0; -} -#endif /* INTERMEDIATE_VALUE_KAT */ - -/** - * Decrypt a single block. - */ -int rijndaelDecrypt(word8 in[16], word8 out[16], word8 rk[MAXROUNDS+1][4][4], int ROUNDS) { - int r; - union { - word8 x8[16]; - word32 x32[4]; - } xa, xb; -#define a xa.x8 -#define b xb.x8 - union { - word8 x8[4][4]; - word32 x32[4]; - } xtemp; -#define temp xtemp.x8 - - memcpy(a, in, sizeof a); - - *((word32*)temp[0]) = *((word32*)(a )) ^ *((word32*)rk[ROUNDS][0]); - *((word32*)temp[1]) = *((word32*)(a+ 4)) ^ *((word32*)rk[ROUNDS][1]); - *((word32*)temp[2]) = *((word32*)(a+ 8)) ^ *((word32*)rk[ROUNDS][2]); - *((word32*)temp[3]) = *((word32*)(a+12)) ^ *((word32*)rk[ROUNDS][3]); - - *((word32*)(b )) = *((const word32*)T5[temp[0][0]]) - ^ *((const word32*)T6[temp[3][1]]) - ^ *((const word32*)T7[temp[2][2]]) - ^ *((const word32*)T8[temp[1][3]]); - *((word32*)(b+ 4)) = *((const word32*)T5[temp[1][0]]) - ^ *((const word32*)T6[temp[0][1]]) - ^ *((const word32*)T7[temp[3][2]]) - ^ *((const word32*)T8[temp[2][3]]); - *((word32*)(b+ 8)) = *((const word32*)T5[temp[2][0]]) - ^ *((const word32*)T6[temp[1][1]]) - ^ *((const word32*)T7[temp[0][2]]) - ^ *((const word32*)T8[temp[3][3]]); - *((word32*)(b+12)) = *((const word32*)T5[temp[3][0]]) - ^ *((const word32*)T6[temp[2][1]]) - ^ *((const word32*)T7[temp[1][2]]) - ^ *((const 
word32*)T8[temp[0][3]]); - for (r = ROUNDS-1; r > 1; r--) { - *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[r][0]); - *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[r][1]); - *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[r][2]); - *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[r][3]); - *((word32*)(b )) = *((const word32*)T5[temp[0][0]]) - ^ *((const word32*)T6[temp[3][1]]) - ^ *((const word32*)T7[temp[2][2]]) - ^ *((const word32*)T8[temp[1][3]]); - *((word32*)(b+ 4)) = *((const word32*)T5[temp[1][0]]) - ^ *((const word32*)T6[temp[0][1]]) - ^ *((const word32*)T7[temp[3][2]]) - ^ *((const word32*)T8[temp[2][3]]); - *((word32*)(b+ 8)) = *((const word32*)T5[temp[2][0]]) - ^ *((const word32*)T6[temp[1][1]]) - ^ *((const word32*)T7[temp[0][2]]) - ^ *((const word32*)T8[temp[3][3]]); - *((word32*)(b+12)) = *((const word32*)T5[temp[3][0]]) - ^ *((const word32*)T6[temp[2][1]]) - ^ *((const word32*)T7[temp[1][2]]) - ^ *((const word32*)T8[temp[0][3]]); - } - /* last round is special */ - *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[1][0]); - *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[1][1]); - *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[1][2]); - *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[1][3]); - b[ 0] = S5[temp[0][0]]; - b[ 1] = S5[temp[3][1]]; - b[ 2] = S5[temp[2][2]]; - b[ 3] = S5[temp[1][3]]; - b[ 4] = S5[temp[1][0]]; - b[ 5] = S5[temp[0][1]]; - b[ 6] = S5[temp[3][2]]; - b[ 7] = S5[temp[2][3]]; - b[ 8] = S5[temp[2][0]]; - b[ 9] = S5[temp[1][1]]; - b[10] = S5[temp[0][2]]; - b[11] = S5[temp[3][3]]; - b[12] = S5[temp[3][0]]; - b[13] = S5[temp[2][1]]; - b[14] = S5[temp[1][2]]; - b[15] = S5[temp[0][3]]; - *((word32*)(b )) ^= *((word32*)rk[0][0]); - *((word32*)(b+ 4)) ^= *((word32*)rk[0][1]); - *((word32*)(b+ 8)) ^= *((word32*)rk[0][2]); - *((word32*)(b+12)) ^= *((word32*)rk[0][3]); - - memcpy(out, b, sizeof b /* XXX out */); - - return 0; -#undef a -#undef b -#undef temp -} - - -#ifdef 
INTERMEDIATE_VALUE_KAT -/** - * Decrypt only a certain number of rounds. - * Only used in the Intermediate Value Known Answer Test. - * Operations rearranged such that the intermediate values - * of decryption correspond with the intermediate values - * of encryption. - */ -int rijndaelDecryptRound(word8 a[4][4], word8 rk[MAXROUNDS+1][4][4], int ROUNDS, int rounds) { - int r, i; - word8 temp[4], shift; - - /* make number of rounds sane */ - if (rounds > ROUNDS) { - rounds = ROUNDS; - } - /* first round is special: */ - *(word32 *)a[0] ^= *(word32 *)rk[ROUNDS][0]; - *(word32 *)a[1] ^= *(word32 *)rk[ROUNDS][1]; - *(word32 *)a[2] ^= *(word32 *)rk[ROUNDS][2]; - *(word32 *)a[3] ^= *(word32 *)rk[ROUNDS][3]; - for (i = 0; i < 4; i++) { - a[i][0] = Si[a[i][0]]; - a[i][1] = Si[a[i][1]]; - a[i][2] = Si[a[i][2]]; - a[i][3] = Si[a[i][3]]; - } - for (i = 1; i < 4; i++) { - shift = (4 - i) & 3; - temp[0] = a[(0 + shift) & 3][i]; - temp[1] = a[(1 + shift) & 3][i]; - temp[2] = a[(2 + shift) & 3][i]; - temp[3] = a[(3 + shift) & 3][i]; - a[0][i] = temp[0]; - a[1][i] = temp[1]; - a[2][i] = temp[2]; - a[3][i] = temp[3]; - } - /* ROUNDS-1 ordinary rounds */ - for (r = ROUNDS-1; r > rounds; r--) { - *(word32 *)a[0] ^= *(word32 *)rk[r][0]; - *(word32 *)a[1] ^= *(word32 *)rk[r][1]; - *(word32 *)a[2] ^= *(word32 *)rk[r][2]; - *(word32 *)a[3] ^= *(word32 *)rk[r][3]; - - *((word32*)a[0]) = - *((const word32*)U1[a[0][0]]) - ^ *((const word32*)U2[a[0][1]]) - ^ *((const word32*)U3[a[0][2]]) - ^ *((const word32*)U4[a[0][3]]); - - *((word32*)a[1]) = - *((const word32*)U1[a[1][0]]) - ^ *((const word32*)U2[a[1][1]]) - ^ *((const word32*)U3[a[1][2]]) - ^ *((const word32*)U4[a[1][3]]); - - *((word32*)a[2]) = - *((const word32*)U1[a[2][0]]) - ^ *((const word32*)U2[a[2][1]]) - ^ *((const word32*)U3[a[2][2]]) - ^ *((const word32*)U4[a[2][3]]); - - *((word32*)a[3]) = - *((const word32*)U1[a[3][0]]) - ^ *((const word32*)U2[a[3][1]]) - ^ *((const word32*)U3[a[3][2]]) - ^ *((const word32*)U4[a[3][3]]); - 
for (i = 0; i < 4; i++) { - a[i][0] = Si[a[i][0]]; - a[i][1] = Si[a[i][1]]; - a[i][2] = Si[a[i][2]]; - a[i][3] = Si[a[i][3]]; - } - for (i = 1; i < 4; i++) { - shift = (4 - i) & 3; - temp[0] = a[(0 + shift) & 3][i]; - temp[1] = a[(1 + shift) & 3][i]; - temp[2] = a[(2 + shift) & 3][i]; - temp[3] = a[(3 + shift) & 3][i]; - a[0][i] = temp[0]; - a[1][i] = temp[1]; - a[2][i] = temp[2]; - a[3][i] = temp[3]; - } - } - if (rounds == 0) { - /* End with the extra key addition */ - *(word32 *)a[0] ^= *(word32 *)rk[0][0]; - *(word32 *)a[1] ^= *(word32 *)rk[0][1]; - *(word32 *)a[2] ^= *(word32 *)rk[0][2]; - *(word32 *)a[3] ^= *(word32 *)rk[0][3]; - } - return 0; -} -#endif /* INTERMEDIATE_VALUE_KAT */ diff --git a/ipsec-tools/racoon/Crypto/rijndael-alg-fst.h b/ipsec-tools/racoon/Crypto/rijndael-alg-fst.h deleted file mode 100644 index 7a725ae..0000000 --- a/ipsec-tools/racoon/Crypto/rijndael-alg-fst.h +++ /dev/null 
@@ -1,34 +0,0 @@
-/* $KAME: rijndael-alg-fst.h,v 1.4 2000/10/02 17:14:26 itojun Exp $ */
-
-/*
- * rijndael-alg-fst.h v2.3 April '2000
- *
- * Optimised ANSI C code
- *
- * #define INTERMEDIATE_VALUE_KAT to generate the Intermediate Value Known Answer Test.
- */
-
-#ifndef __RIJNDAEL_ALG_FST_H__
-#define __RIJNDAEL_ALG_FST_H__
-
-#define RIJNDAEL_MAXKC (256/32)
-#define RIJNDAEL_MAXROUNDS 14
-
-int rijndaelKeySched(u_int8_t k[RIJNDAEL_MAXKC][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-int rijndaelKeyEncToDec(u_int8_t W[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-int rijndaelEncrypt(u_int8_t a[16], u_int8_t b[16], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-#ifdef INTERMEDIATE_VALUE_KAT
-int rijndaelEncryptRound(u_int8_t a[4][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS, int rounds);
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-int rijndaelDecrypt(u_int8_t a[16], u_int8_t b[16], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-#ifdef INTERMEDIATE_VALUE_KAT
-int rijndaelDecryptRound(u_int8_t a[4][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS, int rounds);
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-#endif /* __RIJNDAEL_ALG_FST_H__ */
-
diff --git a/ipsec-tools/racoon/Crypto/rijndael-api-fst.c b/ipsec-tools/racoon/Crypto/rijndael-api-fst.c
deleted file mode 100644
index a3104c2..0000000
--- a/ipsec-tools/racoon/Crypto/rijndael-api-fst.c
+++ /dev/null
@@ -1,495 +0,0 @@ -/* $KAME: rijndael-api-fst.c,v 1.1.1.1 2001/08/08 09:56:23 sakane Exp $ */ - -/* - * rijndael-api-fst.c v2.3 April '2000 - * - * Optimised ANSI C code - * - * authors: v1.0: Antoon Bosselaers - * v2.0: Vincent Rijmen - * v2.1: Vincent Rijmen - * v2.2: Vincent Rijmen - * v2.3: Paulo Barreto - * v2.4: Vincent Rijmen - * - * This code is placed in the public domain. - */ - -#include -#include -#ifdef _KERNEL -#include -#include -#else -#include -#endif -#include -#include -#include - -#include -#define bcopy(a, b, c) memcpy(b, a, c) -#define bzero(a, b) memset(a, 0, b) -#define panic(a) err(1, (a)) - -int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, char *keyMaterial) { - word8 k[MAXKC][4]; - int i; - char *keyMat; - - if (key == NULL) { - return BAD_KEY_INSTANCE; - } - - if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) { - key->direction = direction; - } else { - return BAD_KEY_DIR; - } - - if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) { - key->keyLen = keyLen; - } else { - return BAD_KEY_MAT; - } - - if (keyMaterial != NULL) { - bcopy(keyMaterial, key->keyMaterial, keyLen/8); - } - - key->ROUNDS = keyLen/32 + 6; - - /* initialize key schedule: */ - keyMat = key->keyMaterial; - for (i = 0; i < key->keyLen/8; i++) { - k[i >> 2][i & 3] = (word8)keyMat[i]; - } - rijndaelKeySched(k, key->keySched, key->ROUNDS); - if (direction == DIR_DECRYPT) { - rijndaelKeyEncToDec(key->keySched, key->ROUNDS); - } - - return TRUE; -} - -int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) { - if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) { - cipher->mode = mode; - } else { - return BAD_CIPHER_MODE; - } - if (IV != NULL) { - bcopy(IV, cipher->IV, MAX_IV_SIZE); - } else { - bzero(cipher->IV, MAX_IV_SIZE); - } - return TRUE; -} - -int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key, - BYTE *input, int inputLen, BYTE *outBuffer) { - int i, k, numBlocks; - word8 block[16], 
iv[4][4]; - - if (cipher == NULL || - key == NULL || - key->direction == DIR_DECRYPT) { - return BAD_CIPHER_STATE; - } - if (input == NULL || inputLen <= 0) { - return 0; /* nothing to do */ - } - - numBlocks = inputLen/128; - - switch (cipher->mode) { - case MODE_ECB: - for (i = numBlocks; i > 0; i--) { - rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS); - input += 16; - outBuffer += 16; - } - break; - - case MODE_CBC: -#if 0 /*STRICT_ALIGN*/ - bcopy(cipher->IV, block, 16); - bcopy(input, iv, 16); - ((word32*)block)[0] ^= ((word32*)iv)[0]; - ((word32*)block)[1] ^= ((word32*)iv)[1]; - ((word32*)block)[2] ^= ((word32*)iv)[2]; - ((word32*)block)[3] ^= ((word32*)iv)[3]; -#else - ((word32*)block)[0] = ((word32*)cipher->IV)[0] ^ ((word32*)input)[0]; - ((word32*)block)[1] = ((word32*)cipher->IV)[1] ^ ((word32*)input)[1]; - ((word32*)block)[2] = ((word32*)cipher->IV)[2] ^ ((word32*)input)[2]; - ((word32*)block)[3] = ((word32*)cipher->IV)[3] ^ ((word32*)input)[3]; -#endif - rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); - input += 16; - for (i = numBlocks - 1; i > 0; i--) { -#if 0 /*STRICT_ALIGN*/ - bcopy(outBuffer, block, 16); - ((word32*)block)[0] ^= ((word32*)iv)[0]; - ((word32*)block)[1] ^= ((word32*)iv)[1]; - ((word32*)block)[2] ^= ((word32*)iv)[2]; - ((word32*)block)[3] ^= ((word32*)iv)[3]; -#else - ((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word32*)input)[0]; - ((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word32*)input)[1]; - ((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word32*)input)[2]; - ((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word32*)input)[3]; -#endif - outBuffer += 16; - rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); - input += 16; - } - break; - - case MODE_CFB1: -#if 0 /*STRICT_ALIGN*/ - bcopy(cipher->IV, iv, 16); -#else /* !STRICT_ALIGN */ - *((word32*)iv[0]) = *((word32*)(cipher->IV )); - *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4)); - *((word32*)iv[2]) = *((word32*)(cipher->IV+ 
8)); - *((word32*)iv[3]) = *((word32*)(cipher->IV+12)); -#endif /* ?STRICT_ALIGN */ - for (i = numBlocks; i > 0; i--) { - for (k = 0; k < 128; k++) { - *((word32*) block ) = *((word32*)iv[0]); - *((word32*)(block+ 4)) = *((word32*)iv[1]); - *((word32*)(block+ 8)) = *((word32*)iv[2]); - *((word32*)(block+12)) = *((word32*)iv[3]); - rijndaelEncrypt(block, block, key->keySched, key->ROUNDS); - outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); - iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); - iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); - iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); - iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); - iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); - iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); - iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); - iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); - iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); - iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); - iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); - iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); - iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); - iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); - iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); - iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1); - } - } - break; - - default: - return BAD_CIPHER_STATE; - } - - return 128*numBlocks; -} - -/** - * Encrypt data partitioned in octets, using RFC 2040-like padding. - * - * @param input data to be encrypted (octet sequence) - * @param inputOctets input length in octets (not bits) - * @param outBuffer encrypted output data - * - * @return length in octets (not bits) of the encrypted output buffer. 
- */ -int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key, - BYTE *input, int inputOctets, BYTE *outBuffer) { - int i, numBlocks, padLen; - word8 block[16], *iv, *cp; - - if (cipher == NULL || - key == NULL || - key->direction == DIR_DECRYPT) { - return BAD_CIPHER_STATE; - } - if (input == NULL || inputOctets <= 0) { - return 0; /* nothing to do */ - } - - numBlocks = inputOctets/16; - - switch (cipher->mode) { - case MODE_ECB: - for (i = numBlocks; i > 0; i--) { - rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS); - input += 16; - outBuffer += 16; - } - padLen = 16 - (inputOctets - 16*numBlocks); - if (padLen > 0 && padLen <= 16) - panic("rijndael_padEncrypt(ECB)"); - bcopy(input, block, 16 - padLen); - for (cp = block + 16 - padLen; cp < block + 16; cp++) - *cp = padLen; - rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); - break; - - case MODE_CBC: - iv = cipher->IV; - for (i = numBlocks; i > 0; i--) { - ((word32*)block)[0] = ((word32*)input)[0] ^ ((word32*)iv)[0]; - ((word32*)block)[1] = ((word32*)input)[1] ^ ((word32*)iv)[1]; - ((word32*)block)[2] = ((word32*)input)[2] ^ ((word32*)iv)[2]; - ((word32*)block)[3] = ((word32*)input)[3] ^ ((word32*)iv)[3]; - rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); - iv = outBuffer; - input += 16; - outBuffer += 16; - } -#if 0 /*XXX i'm not sure that is correct. 
sakane@kame.net */ - padLen = 16 - (inputOctets - 16*numBlocks); -#else - padLen = 16 - inputOctets % 16; - if (padLen == 16) - padLen = 0; -#endif - if (padLen > 0 && padLen <= 16) - panic("rijndael_padEncrypt(CBC)"); - for (i = 0; i < 16 - padLen; i++) { - block[i] = input[i] ^ iv[i]; - } - for (i = 16 - padLen; i < 16; i++) { - block[i] = (BYTE)padLen ^ iv[i]; - } - rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); - break; - - default: - return BAD_CIPHER_STATE; - } - - return 16*(numBlocks + 1); -} - -int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key, - BYTE *input, int inputLen, BYTE *outBuffer) { - int i, k, numBlocks; - word8 block[16], iv[4][4]; - - if (cipher == NULL || - key == NULL || - (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) { - return BAD_CIPHER_STATE; - } - if (input == NULL || inputLen <= 0) { - return 0; /* nothing to do */ - } - - numBlocks = inputLen/128; - - switch (cipher->mode) { - case MODE_ECB: - for (i = numBlocks; i > 0; i--) { - rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS); - input += 16; - outBuffer += 16; - } - break; - - case MODE_CBC: -#if 0 /*STRICT_ALIGN */ - bcopy(cipher->IV, iv, 16); -#else - *((word32*)iv[0]) = *((word32*)(cipher->IV )); - *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4)); - *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8)); - *((word32*)iv[3]) = *((word32*)(cipher->IV+12)); -#endif - for (i = numBlocks; i > 0; i--) { - rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); - ((word32*)block)[0] ^= *((word32*)iv[0]); - ((word32*)block)[1] ^= *((word32*)iv[1]); - ((word32*)block)[2] ^= *((word32*)iv[2]); - ((word32*)block)[3] ^= *((word32*)iv[3]); -#if 0 /*STRICT_ALIGN*/ - bcopy(input, iv, 16); - bcopy(block, outBuffer, 16); -#else - *((word32*)iv[0]) = ((word32*)input)[0]; ((word32*)outBuffer)[0] = ((word32*)block)[0]; - *((word32*)iv[1]) = ((word32*)input)[1]; ((word32*)outBuffer)[1] = ((word32*)block)[1]; - *((word32*)iv[2]) = 
((word32*)input)[2]; ((word32*)outBuffer)[2] = ((word32*)block)[2]; - *((word32*)iv[3]) = ((word32*)input)[3]; ((word32*)outBuffer)[3] = ((word32*)block)[3]; -#endif - input += 16; - outBuffer += 16; - } - break; - - case MODE_CFB1: -#if 0 /*STRICT_ALIGN */ - bcopy(cipher->IV, iv, 16); -#else - *((word32*)iv[0]) = *((word32*)(cipher->IV)); - *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4)); - *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8)); - *((word32*)iv[3]) = *((word32*)(cipher->IV+12)); -#endif - for (i = numBlocks; i > 0; i--) { - for (k = 0; k < 128; k++) { - *((word32*) block ) = *((word32*)iv[0]); - *((word32*)(block+ 4)) = *((word32*)iv[1]); - *((word32*)(block+ 8)) = *((word32*)iv[2]); - *((word32*)(block+12)) = *((word32*)iv[3]); - rijndaelEncrypt(block, block, key->keySched, key->ROUNDS); - iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); - iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); - iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); - iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); - iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); - iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); - iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); - iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); - iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); - iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); - iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); - iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); - iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); - iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); - iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); - iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1); - outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); - } - } - break; - - default: - return BAD_CIPHER_STATE; - } - - return 128*numBlocks; -} - -int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key, - BYTE *input, int inputOctets, BYTE *outBuffer) { - int i, numBlocks, padLen; - word8 block[16]; - word32 iv[4]; - - if (cipher == NULL || - key == NULL || - key->direction == DIR_ENCRYPT) { - 
return BAD_CIPHER_STATE; - } - if (input == NULL || inputOctets <= 0) { - return 0; /* nothing to do */ - } - if (inputOctets % 16 != 0) { - return BAD_DATA; - } - - numBlocks = inputOctets/16; - - switch (cipher->mode) { - case MODE_ECB: - /* all blocks but last */ - for (i = numBlocks - 1; i > 0; i--) { - rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS); - input += 16; - outBuffer += 16; - } - /* last block */ - rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); - padLen = block[15]; - if (padLen >= 16) { - return BAD_DATA; - } - for (i = 16 - padLen; i < 16; i++) { - if (block[i] != padLen) { - return BAD_DATA; - } - } - bcopy(block, outBuffer, 16 - padLen); - break; - - case MODE_CBC: - bcopy(cipher->IV, iv, 16); - /* all blocks but last */ - for (i = numBlocks - 1; i > 0; i--) { - rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); - ((word32*)block)[0] ^= iv[0]; - ((word32*)block)[1] ^= iv[1]; - ((word32*)block)[2] ^= iv[2]; - ((word32*)block)[3] ^= iv[3]; - bcopy(input, iv, 16); - bcopy(block, outBuffer, 16); - input += 16; - outBuffer += 16; - } - /* last block */ - rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); - ((word32*)block)[0] ^= iv[0]; - ((word32*)block)[1] ^= iv[1]; - ((word32*)block)[2] ^= iv[2]; - ((word32*)block)[3] ^= iv[3]; - padLen = block[15]; - if (padLen <= 0 || padLen > 16) { - return BAD_DATA; - } - for (i = 16 - padLen; i < 16; i++) { - if (block[i] != padLen) { - return BAD_DATA; - } - } - bcopy(block, outBuffer, 16 - padLen); - break; - - default: - return BAD_CIPHER_STATE; - } - - return 16*numBlocks - padLen; -} - -#ifdef INTERMEDIATE_VALUE_KAT -/** - * cipherUpdateRounds: - * - * Encrypts/Decrypts exactly one full block a specified number of rounds. - * Only used in the Intermediate Value Known Answer Test. 
- * - * Returns: - * TRUE - on success - * BAD_CIPHER_STATE - cipher in bad state (e.g., not initialized) - */ -int rijndael_cipherUpdateRounds(cipherInstance *cipher, keyInstance *key, - BYTE *input, int inputLen, BYTE *outBuffer, int rounds) { - int j; - word8 block[4][4]; - - if (cipher == NULL || key == NULL) { - return BAD_CIPHER_STATE; - } - - for (j = 3; j >= 0; j--) { - /* parse input stream into rectangular array */ - *((word32*)block[j]) = *((word32*)(input+4*j)); - } - - switch (key->direction) { - case DIR_ENCRYPT: - rijndaelEncryptRound(block, key->keySched, key->ROUNDS, rounds); - break; - - case DIR_DECRYPT: - rijndaelDecryptRound(block, key->keySched, key->ROUNDS, rounds); - break; - - default: - return BAD_KEY_DIR; - } - - for (j = 3; j >= 0; j--) { - /* parse rectangular array into output ciphertext bytes */ - *((word32*)(outBuffer+4*j)) = *((word32*)block[j]); - } - - return TRUE; -} -#endif /* INTERMEDIATE_VALUE_KAT */ diff --git a/ipsec-tools/racoon/Crypto/rijndael-api-fst.h b/ipsec-tools/racoon/Crypto/rijndael-api-fst.h deleted file mode 100644 index 9e0ed3a..0000000 --- a/ipsec-tools/racoon/Crypto/rijndael-api-fst.h +++ /dev/null 
@@ -1,104 +0,0 @@
-/* $KAME: rijndael-api-fst.h,v 1.6 2001/05/27 00:23:23 itojun Exp $ */
-
-/*
- * rijndael-api-fst.h v2.3 April '2000
- *
- * Optimised ANSI C code
- *
- * #define INTERMEDIATE_VALUE_KAT to generate the Intermediate Value Known Answer Test.
- */
-
-#ifndef __RIJNDAEL_API_FST_H__
-#define __RIJNDAEL_API_FST_H__
-
-#include
-
-/* Defines:
- Add any additional defines you need
-*/
-
-#define DIR_ENCRYPT 0 /* Are we encrpyting? */
-#define DIR_DECRYPT 1 /* Are we decrpyting? */
-#define MODE_ECB 1 /* Are we ciphering in ECB mode? */
-#define MODE_CBC 2 /* Are we ciphering in CBC mode? */
-#define MODE_CFB1 3 /* Are we ciphering in 1-bit CFB mode? */
-#define TRUE 1
-#define FALSE 0
-#define BITSPERBLOCK 128 /* Default number of bits in a cipher block */
-
-/* Error Codes - CHANGE POSSIBLE: inclusion of additional error codes */
-#define BAD_KEY_DIR -1 /* Key direction is invalid, e.g., unknown value */
-#define BAD_KEY_MAT -2 /* Key material not of correct length */
-#define BAD_KEY_INSTANCE -3 /* Key passed is not valid */
-#define BAD_CIPHER_MODE -4 /* Params struct passed to cipherInit invalid */
-#define BAD_CIPHER_STATE -5 /* Cipher in wrong state (e.g., not initialized) */
-#define BAD_BLOCK_LENGTH -6
-#define BAD_CIPHER_INSTANCE -7
-#define BAD_DATA -8 /* Data contents are invalid, e.g., invalid padding */
-#define BAD_OTHER -9 /* Unknown error */
-
-/* CHANGE POSSIBLE: inclusion of algorithm specific defines */
-#define MAX_KEY_SIZE 64 /* # of ASCII char's needed to represent a key */
-#define MAX_IV_SIZE 16 /* # bytes needed to represent an IV */
-
-/* Typedefs:
-
- Typedef'ed data storage elements. Add any algorithm specific
-parameters at the bottom of the structs as appropriate.
-*/
-
-/* The structure for key information */
-typedef struct {
- u_int8_t direction; /* Key used for encrypting or decrypting? */
- int keyLen; /* Length of the key */
- char keyMaterial[MAX_KEY_SIZE+1]; /* Raw key data in ASCII, e.g., user input or KAT values */
- /* The following parameters are algorithm dependent, replace or add as necessary */
- int ROUNDS; /* key-length-dependent number of rounds */
- int blockLen; /* block length */
- union {
- u_int8_t xkS8[RIJNDAEL_MAXROUNDS+1][4][4]; /* key schedule */
- u_int32_t xkS32[RIJNDAEL_MAXROUNDS+1][4]; /* key schedule */
- } xKeySched;
-#define keySched xKeySched.xkS8
-} keyInstance;
-
-/* The structure for cipher information */
-typedef struct { /* changed order of the components */
- u_int8_t mode; /* MODE_ECB, MODE_CBC, or MODE_CFB1 */
- u_int8_t IV[MAX_IV_SIZE]; /* A possible Initialization Vector for ciphering */
- /* Add any algorithm specific parameters needed here */
- int blockLen; /* Sample: Handles non-128 bit block sizes (if available) */
-} cipherInstance;
-
-/* Function prototypes */
-/* CHANGED: nothing
- TODO: implement the following extensions to setup 192-bit and 256-bit block lengths:
- makeKeyEx(): parameter blockLen added
- -- this parameter is absolutely necessary if you want to
- setup the round keys in a variable block length setting
- cipherInitEx(): parameter blockLen added (for obvious reasons)
- */
-
-int rijndael_makeKey(keyInstance *key, u_int8_t direction, int keyLen, char *keyMaterial);
-
-int rijndael_cipherInit(cipherInstance *cipher, u_int8_t mode, char *IV);
-
-int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputLen, u_int8_t *outBuffer);
-
-int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputOctets, u_int8_t *outBuffer);
-
-int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputLen, u_int8_t *outBuffer);
-
-int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputOctets, u_int8_t *outBuffer);
-
-#ifdef INTERMEDIATE_VALUE_KAT
-int rijndael_cipherUpdateRounds(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputLen, u_int8_t *outBuffer, int Rounds);
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-#endif /* __RIJNDAEL_API_FST_H__ */
-
diff --git a/ipsec-tools/racoon/Crypto/rijndael.h b/ipsec-tools/racoon/Crypto/rijndael.h
deleted file mode 100644
index 6af4aa0..0000000
--- a/ipsec-tools/racoon/Crypto/rijndael.h
+++ /dev/null
@@ -1,10 +0,0 @@
-/* $KAME: rijndael.h,v 1.2 2000/10/02 17:14:27 itojun Exp $ */
-
-#ifndef __RIJNDAEL_H__
-#define __RIJNDAEL_H__
-
-#include
-
-
-#endif /* __RIJNDAEL_H__ */
-
diff --git a/ipsec-tools/racoon/Crypto/rijndael_local.h b/ipsec-tools/racoon/Crypto/rijndael_local.h
deleted file mode 100644
index 652b328..0000000
--- a/ipsec-tools/racoon/Crypto/rijndael_local.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/* $KAME: rijndael_local.h,v 1.3 2000/10/02 17:14:27 itojun Exp $ */
-
-#ifndef __RIJNDAEL_LOCAL_H__
-#define __RIJNDAEL_LOCAL_H__
-
-/* the file should not be used from outside */
-typedef u_int8_t BYTE;
-typedef u_int8_t word8;
-typedef u_int16_t word16;
-typedef u_int32_t word32;
-
-#define MAXKC RIJNDAEL_MAXKC
-#define MAXROUNDS RIJNDAEL_MAXROUNDS
-
-
-#endif /* __RIJNDAEL_LOCAL_H__ */
-
diff --git a/ipsec-tools/racoon/Documents/FAQ b/ipsec-tools/racoon/Documents/FAQ
deleted file mode 100644
index 924c73f..0000000
--- a/ipsec-tools/racoon/Documents/FAQ
+++ /dev/null
@@ -1,106 +0,0 @@ -This document is derived from the KAME racoon FAQ. Some answers do not -apply to ipsec-tools (they are obsolete or not up to date). They are -tagged [KAME] - -Q: With what other IKE/IPsec implementation racoon is known to be interoperable? - -A: [KAME] - See "IMPLEMENTATION" document supplied with KAME kit, or: - http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION - As we have tested/got test reports in the past, and our end and - the other end may have changed their implemenations, we are not sure - if we can interoperate with them today (we hope them to interoperate, - but we are not sure). - Also note that, IKE interoperability highly depends on configuration - on both ends. You must configure both ends exactly the same. - -Q: How can I make racoon interoperate with ? - -A: - Configure both ends exactly the same. With just a tiny little - differnce, you will be in trouble. - -Q: How to build racoon on my platform? - -A: - As usual: configure && make && make install - ipsec-tools is also available as a package in the NetBSD pkgsrc - -Q: Describe me the options to "configure". - -A: - --enable-adminport: - Lets racoon to listen to racoon admin port, which is to - be contacted by racoonctl(8). - --enable-natt: - Enable NAT-Traversal. This needs kernel support, which is - available on Linux. On NetBSD, NAT-Traversal kernel support - has not been integrated yet, you can get it from here: - http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff - If you live in a country where software patents are legal, - using NAT-Traversal might infringe a patent. - --enable-frag: - Enable IKE fragmentation, which is a workaround for - broken routers that drop fragmented packets - --enable-hybrid: - Enable hybrid authentication, and ISAKMP mode config and - Xauth as well. Note that plain Xauth (without hybrid auth) - is not implemented. - --with-libradius: - Enable the use of RADIUS with hybrid authentication on the - server side. 
RADIUS is used for authentication, configuration - and accounting. - --with-libpam: - Enable the use of PAM with hybrid authentication on the - server side. PAM can be used for authentication and accounting. - --enable-gssapi: - Enable GSS-API, for Kerberos V support. - --enable-stats: - Enable statistics logging function. - --enable-samode-unspec: - Enable to use unspecified a mode of SA. - --enable-ipv6: - Enable IPv6 support. - --with-kernel-headers: - Supply the location of Linux kernel headers. - --with-readline: - Support readline input (yes by default). - --with-openssl: - Specify OpenSSL directory. - --sysconfdir: - Where racoon config file goes. Default is /etc, which means - that racoon will look for /etc/racoon.conf - --localstatedir: - Where is the directory where racoon stores the control socket - (when using --enable-adminport). Default is /var, which - means racoon will use /var/racoon/racoon.sock - --prefix: - Where racoon gets installed. - -Q: How can I get help? - -A: - Always identify your operating system platforms, the versions you are - using (like "ipsec-tools-0.5"), and information to repeat the - problem. The more revelant information you supply, the better your - chances of getting help are. Useful informations include, depending - of the problem: - - version identification - - trace from racoon, taken by "racoon -d 0xffffffff" - (maximum debug level) - - configuration file you are using - - probabaly, tcpdump trace - http://orange.kame.net/dev/send-pr.html has the guideline. - - If your question is not confidential, send your questions to: - - - If your question is confidential, send your questions to: - - -Q: Other documents to look at? - -A: - http://www.netbsd.org/Documentation/network/ipsec/ - http://www.kame.net/ - http://www.kame.net/newsletter/ diff --git a/ipsec-tools/racoon/Documents/README.certificate b/ipsec-tools/racoon/Documents/README.certificate deleted file mode 100644 index a8bbfa2..0000000 
--- a/ipsec-tools/racoon/Documents/README.certificate +++ /dev/null @@ -1 +0,0 @@ -See http://www.kame.net/newsletter/20001119b/ diff --git a/ipsec-tools/racoon/Documents/README.gssapi b/ipsec-tools/racoon/Documents/README.gssapi deleted file mode 100644 index 9cb3fbb..0000000 --- a/ipsec-tools/racoon/Documents/README.gssapi +++ /dev/null 
@@ -1,106 +0,0 @@ -The gss-api authentication mechanism implementation for racoon was -based on the ietf draft draft-ietf-ipsec-isakmp-gss-auth-06.txt. - -The implementation uses the Heimdal gss-api library, i.e. gss-api -on top of Kerberos 5. The Heimdal gss-api library had to be modified -to meet the requirements of using gss-api in a daemon. More specifically, -the gss_acquire_cred() call did not work for other cases than -GSS_C_NO_CREDENTIAL ("use default creds"). Daemons are often started -as root, and have no Kerberos 5 credentials, so racoon explicitly -needs to acquire its credentials. The usual method (already used -by login authentication daemons) in these situations is to add -a set of special credentials to be used. For example, authentication -by daemons concerned with login credentials, uses 'host/fqdn' as -its credential, where fqdn is the hostname on the interface that -is being used. These special credentials need to be extracted into -a local keytab from the kdc. The default value used in racoon -is 'ike/fqdn', but it can be overridden in the racoon config file. - -The modification to the Heimdal gss-api library implements the -mechanism above. If a credential other than GSS_C_NO_CREDENTIAL -is specified to gss_acquire_cred(), it first looks in the default -credential cache if it its principal matches the desired credential. -If not, it extracts it from the default keytab file, and stores -it in a memory-based credential cache, part of the gss credential -structure. - - - -The modifcations to racoon itself are as follows: - - * The racoon.conf config file accepts a new keyword, "gssapi_id", - to be used inside a proposal specification. It specifies - a string (a Kerberos 5 principal in this case), specifying the - credential that racoon will try to acquire. The default value - is 'ike/fqdn', where fqdn is the hostname for the interface - being used for the exchange. 
If the id is not specified, no - GSS endpoint attribute will be specified in the first SA sent. - However, if the initiator does specify a GSS endpoint attribute, - racoon will always respond with its own GSS endpoint name - in the SA (the default one if not specified by this option). - - * The racoon.conf file accepts "gssapi_krb" as authentication - method inside a proposal specification. The number used - for this method is 65001, which is a temporary number as - specified in the draft. - - * The cftoken.l and cfparse.y source files were modified to - pick up the configuration options. The original sources - stored algorithms in bitmask, which unfortunately meant - that the maximum value was 32, clearly not enough for 65001. - After consulting with the author (sakane@kame.net), it turned - out that method was a leftover, and no longer needed. I replaced - it with plain integers. - - * The gss-api specific code was concentrated as much as possible - in gssapi.c and gssapi.h. The code to call functions defined - in these files is conditional on HAVE_GSSAPI, except for the - config scan code. Specifying this flag on the compiler commandline - is conditional on the --enable-gssapi option to the configure - script. - - * Racoon seems to want to send accepted SA proposals back to - the initiator in a verbatim fashion, leaving no room to - insert the (variable-length) GSS endpoint name attribute. - I worked around this by re-assembling the extracted SA - into a new SA if the gssapi_krb method is used, and the - initiator sent the name attribute. This scheme should - possibly be re-examined by the racoon maintainers, storing - the SAs (the transformations, to be more precise) in a different - fashion to allow for variable-length attributes to be - re-inserted would be a good change, but I considered it to be - beyond the scope of this project. 
- - * The various state functions for aggressive and main mode - (in isakmp_agg.c and isakmp_ident.c respectively) were - changed to conditionally change their behavior if the - gssapi_krb method is specified. - - -This implementation tried to follow the specification in the ietf draft -as close as possible. However, it has not been tested against other -IKE daemon implementations. The only other one I know of is Windows 2000, -and it has some caveats. I attempted to be Windows 2000 compatible. -Should racoon be tried against Windows 2000, the gssapi_id option in -the config file must be used, as Windows 2000 expects the GSS endpoint -name to be sent at all times. I have my doubts as to the W2K compatibility, -because the spec describes the GSS endpoint name sent by W2K as -an unicode string 'xxx@domain', which doesn't seem to match the -required standard for gss-api + kerberos 5 (i.e. I am fairly certain -that such a string will be rejected by the Heimdal gss-api library, as it -is not a valid Kerberos 5 principal). - -With the Heimdal gss-api implementation, the gssapi_krb authentication -method will only work in main mode. Aggressive mode does not allow -for the extra round-trips needed by gss_init_sec_context and -gss_accept_sec_context when mutual authentication is requested. -The draft specifies that the a fallback should be done to main mode, -through the return of INVALID-EXCHANGE-TYPE if it turns out that -the gss-api mechanisms needs more roundtrips. This is implemented. -Unfortunately, racoon does not seem to properly fall back to -its next mode, and this is not specific to the gssapi_krb method. -So, to avoid problems, only specify main mode in the config file. - - - -- Frank van der Linden - diff --git a/ipsec-tools/racoon/Documents/TODO b/ipsec-tools/racoon/Documents/TODO deleted file mode 100644 index 1507167..0000000 --- a/ipsec-tools/racoon/Documents/TODO +++ /dev/null 
@@ -1,131 +0,0 @@ -$KAME: TODO,v 1.36 2001/09/19 09:41:39 sakane Exp $ - -Please send any questions or bug reports to snap-users@kame.net. - -TODO list - -URGENT -o The documents for users convenience. -o split log file based on client. printf-like config directive, i.e. - "logfile racoon.%s.log", should be useful here. - -> beware of possible security issue, don't use sprintf() directly! - make validation before giving a string to sprintf(). -o save decrypted IKE packet in tcpdump format -o IPComp SA with wellknown CPI in CPI field. how to handle it? -o better rekey - -MUST -o multiple certificate payload handling. -o To consider the use with certificate infrastructure. PXIX ??? -o kmstat should be improved. -o Informational Exchange processing properly. -o require less configuration. phase 2 is easier (as kernel presents racoon - some hints), phase 1 is harder. for example, - - grab phase 2 lifetime and algorith configuration from sadb_comb payloads in - ACQUIRE message. - - give reasonable default behavior when no configuration file is present. - - difficult items: - how to guess a reasonable phase 1 SA lifetime - (hardcoded default? guess from phase 2 lifetime?) - guess what kind of ID payload to use - guess what kind of authentication to be used - guess phase 1 DH group (for aggressive mode, we cannot negotiate it) - guess if we need phase 2 PFS or not (we cannot negotiate it. so - we may need to pick from "no PFS" or "same as phase 1 DH group") - guess how we should negotiate lifetime - (is "strict" a reasonable default?) - guess which mode to use for phase 1 negotiation (is main mode useful? - is base mode popular enough?) -o more acceptable check. - -SHOULD -o psk.txt should be a database? (psk.db?) psk_mkdb? -o Dynamically retry to exchange and resend the packet per nodes. -o To make the list of supported algorithm by sadb_supported payload - in the SADB_REGISTER message which happens asynchronously. -o fix the structure of ph2handle. 
- We can handle the below case. - - node A node B - +--------------SA1----------------+ - +--------------SA2----------------+ - - at node A: - kernel - acquire(A-B) ------> ph2handle(A=B) -----> ph1handle - | - policy - A=B - A=B - - But we can not handle the below case because there is no x?handle. - - node A node B node C - +--------------SA1----------------+ - +------------------------------------------------SA2---------------+ - - at node A: - kernel - acquire(A-C) ---+---> x?handle ---+---> ph2handle(A=B) -------> ph1handle - | | | - acquire(A-B) ---+ policy +---> ph2handle(A=C) -------> ph1handle - A=B - A=C - -o consistency of function name. -o deep copy configuration entry to hander. It's easy to reload configuration. -o don't keep to hold keymat values, do it ? -o local address's field in isakmpsa handler must be kicked out to rmconf. -o responder policy and initiator policy should be separated. -o for lifetime and key length, something like this should be useful. - - propose N - - accept between X and Y -o wildcard "accept any proposal" policy should be allowed. -o replay prevention - - limited total number of session - - limited session per peer - - number of proposal -o full support for variable length SPI. quickhack support for IPComp is done. - -MAY -o Effective code. -o interaction between IKE/IPsec and socket layer. - at this moment, IKE/IPsec failure is modeled as total packet loss to other - part of network subsystem, including socket layer. this presents the - following behaviors: - - annoyingly long timeouts on tcp connection attempt, and IKE failure; - need to wait till tcp socket timeouts. - - blackhole if there's mismatching SAs. - we may be able to give socket layer some feedback from IKE/IPsec layer. - still not sure if those make sense or not. 
- for example: - - send PRU_HOSTDEAD to sockets if IKE negotiation failed - (sys/netkey/key.c:key_acquire2) - to do this, we need to remember which ACQUIRE was caused by which socket, - possibly into larval SAs. - - PRU_QUENCH on "no SA found on output" - - kick tcp retransmission timer on first SA establishment -o IKE daemon should handle situations where peer does not run IKE daemon - (UDP port unreach for port 500) better. - should use connected UDP sockets for sending IKE datagrams. -o rate-limit log messages from kernel IPsec errors, like "no SA found". - -TO BE TESTED. -o IKE retransmit behavior - see, draft-*-ipsec-rekeying*.txt -o Reboot recovery (peer reboot losing it's security associations) - see, draft-*-ipsec-rekeying*.txt -o Scenarios - - End-to-End transport long lived security associations - (over night, data transfer >1Gb) with frequent dynamic rekey - - End-to-GW tunnel long lived security associations - (over night, data transfer >1Gb) with frequent dynamic rekey - - Policy change events while under SA load - - End-to-End SA through IPsec tunnels, initiation both ways - - Client End-to-End through client-to-GW tunnel SA, initiate from - client for tunnel, then initiation both ways for end-to-end - - Client-to-GW transport SA for secure management -o behavior to receive multiple auth method proposals and AND proposal - -and to be written many many. - diff --git a/ipsec-tools/racoon/Preferences.c b/ipsec-tools/racoon/Preferences.c new file mode 100644 index 0000000..08039f6 --- /dev/null +++ b/ipsec-tools/racoon/Preferences.c 
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include
+#include "preferences.h"
+#include "plog.h"
+
+SCPreferencesRef gPrefs = NULL;
+
+static SCPreferencesContext prefsContext = { 0, NULL, NULL, NULL, NULL };
+
+static void
+prefscallout (SCPreferencesRef prefs,
+ SCPreferencesNotification notificationType,
+ void *context)
+{
+ if ((notificationType & kSCPreferencesNotificationApply) != 0) {
+ // other prefs here
+ plogreadprefs();
+ }
+
+ return;
+}
+
+void
+prefsinit (void)
+{
+ if (!gPrefs) {
+ if ((gPrefs = SCPreferencesCreate(0, CFSTR("racoon"), CFSTR("com.apple.ipsec.plist")))) {
+ if (SCPreferencesSetCallback(gPrefs, prefscallout, &prefsContext)) {
+ if (!SCPreferencesSetDispatchQueue(gPrefs, dispatch_get_main_queue())) {
+ errx(1, "failed to initialize dispatch queue.\n");
+ }
+ }
+ }
+ }
+}
+
diff --git a/ipsec-tools/racoon/Preferences.h b/ipsec-tools/racoon/Preferences.h
new file mode 100644
index 0000000..d73c5fe
--- /dev/null
+++ b/ipsec-tools/racoon/Preferences.h
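Review bot: `#include "preferences.h"` in the new Preferences.c does not match the header this commit adds as `ipsec-tools/racoon/Preferences.h`; unless a lowercase preferences.h exists elsewhere on the include path, the build only resolves on a case-insensitive filesystem, and `#include "Preferences.h"` would be the portable spelling. In `prefsinit`, a NULL result from `SCPreferencesCreate` and a false return from `SCPreferencesSetCallback` are silently ignored, leaving `gPrefs` NULL or registered without a callback, while only the dispatch-queue failure is fatal; the two earlier failures deserve at least a plog line so a missing preferences source can be diagnosed. `errx` already appends a newline, so the `"\n"` in `"failed to initialize dispatch queue.\n"` is redundant. `prefscallout` would also benefit from a one-line comment stating its contract, e.g. `/* Invoked when the racoon preferences are applied; re-reads the logging prefs */`.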
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef __PREFERENCES_H_
+#define __PREFERENCES_H_
+
+#include
+
+extern SCPreferencesRef gPrefs;
+
+void prefsinit (void);
+
+
+
+#endif // __PREFERENCES_H_
diff --git a/ipsec-tools/racoon/Sample/racoon.conf b/ipsec-tools/racoon/Sample/racoon.conf
index c484cd4..4728313 100644
--- a/ipsec-tools/racoon/Sample/racoon.conf
+++ b/ipsec-tools/racoon/Sample/racoon.conf
@@ -94,7 +94,7 @@ remote ::1 [8000]
 lifetime time 1 min; # sec,min,hour
 proposal {
- encryption_algorithm aes;
+ encryption_algorithm 3des;
 hash_algorithm sha1;
 authentication_method pre_shared_key ;
 dh_group 2 ;
diff --git a/ipsec-tools/racoon/admin.c b/ipsec-tools/racoon/admin.c
deleted file mode 100644
index 03d095c..0000000
--- a/ipsec-tools/racoon/admin.c
+++ /dev/null
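Review bot: The include guard `__PREFERENCES_H_` begins with two underscores, which C reserves for the implementation; a project-prefixed name such as `RACOON_PREFERENCES_H` avoids that. `gPrefs` is exported as a writable global with no comment on ownership or lifetime, and the only writer visible in this commit is `prefsinit` in Preferences.c; a line such as `/* Process-wide SCPreferences handle, created once by prefsinit(); not meant to be reassigned elsewhere */` above the `extern` would document that contract. `prefsinit` likewise lacks a comment saying it is idempotent and exits the process on dispatch-queue failure, which callers need to know before invoking it.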
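Review bot: The sample proposal under `remote ::1 [8000]` now reads `encryption_algorithm 3des;` where it previously recommended `aes`, so the example users copy from defaults to a 64-bit-block cipher that is no longer an appropriate recommendation. If the sample must avoid aes because this commit removes the bundled rijndael sources, a comment above the line (`# 3des shown for compatibility only; prefer aes where the backend supports it`) would make the downgrade deliberate rather than look like a regression; otherwise `encryption_algorithm aes;` should be restored.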
@@ -1,733 +0,0 @@ -/* $NetBSD: admin.c,v 1.17.6.1 2007/08/01 11:52:19 vanhu Exp $ */ - -/* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "config.h" - -#include -#include -#include -#include -#include -#include - -#include - -#include -#ifndef HAVE_NETINET6_IPSEC -#include -#else -#include -#endif - - -#include -#include -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef ENABLE_HYBRID -#include -#endif -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" - -#include "schedule.h" -#include "localconf.h" -#include "remoteconf.h" -#include "grabmyaddr.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "oakley.h" -#include "handler.h" -#include "evt.h" -#include "pfkey.h" -#include "ipsec_doi.h" -#include "admin.h" -#include "admin_var.h" -#include "isakmp_inf.h" -#ifdef ENABLE_HYBRID -#include "isakmp_cfg.h" -#endif -#include "session.h" -#include "gcmalloc.h" -#include "vpn.h" -#include "vpn_control_var.h" - - -#ifdef ENABLE_ADMINPORT -char *adminsock_path = ADMINSOCK_PATH; -uid_t adminsock_owner = 0; -gid_t adminsock_group = 0; -mode_t adminsock_mode = 0600; - -static struct sockaddr_un sunaddr; -static int admin_process __P((int, char *)); -static int admin_reply __P((int, struct admin_com *, vchar_t *)); - -int -admin_handler() -{ - int so2; - struct sockaddr_storage from; - socklen_t fromlen = sizeof(from); - struct admin_com com; - char *combuf = NULL; - int len, error = -1; - - so2 = accept(lcconf->sock_admin, (struct sockaddr_storage *)&from, &fromlen); - if (so2 < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to accept admin command: %s\n", - strerror(errno)); - return -1; - } - - /* get buffer length */ - while ((len = recv(so2, (char *)&com, sizeof(com), MSG_PEEK)) < 0) { - if (errno == EINTR) - continue; - plog(LLV_ERROR, LOCATION, NULL, - "failed to recv admin command: %s\n", - strerror(errno)); - goto end; - } - - /* sanity check */ - if (len < sizeof(com)) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid header length of admin command\n"); - goto end; - } - - 
/* get buffer to receive */ - if ((combuf = racoon_malloc(com.ac_len)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to alloc buffer for admin command\n"); - goto end; - } - - /* get real data */ - while ((len = recv(so2, combuf, com.ac_len, 0)) < 0) { - if (errno == EINTR) - continue; - plog(LLV_ERROR, LOCATION, NULL, - "failed to recv admin command: %s\n", - strerror(errno)); - goto end; - } - - if (com.ac_cmd == ADMIN_RELOAD_CONF) { - siginfo_t sigi; - bzero(&sigi, sizeof(sigi)); - sigi.si_signo = SIGUSR1; - sigi.si_pid = getpid(); - sigi.si_uid = getuid(); - /* reload does not work at all! */ - signal_handler(SIGUSR1, &sigi, (void *)NULL); - goto end; - } - - error = admin_process(so2, combuf); - - end: - (void)close(so2); - if (combuf) - racoon_free(combuf); - - return error; -} - -/* - * main child's process. - */ -static int -admin_process(so2, combuf) - int so2; - char *combuf; -{ - struct admin_com *com = (struct admin_com *)combuf; - vchar_t *buf = NULL; - vchar_t *id = NULL; - vchar_t *key = NULL; - int idtype = 0; - int error = -1; - - com->ac_errno = 0; - - switch (com->ac_cmd) { - case ADMIN_RELOAD_CONF: - /* don't entered because of proccessing it in other place. 
*/ - plog(LLV_ERROR, LOCATION, NULL, "should never reach here\n"); - goto out; - - case ADMIN_SHOW_SCHED: - { - caddr_t p = NULL; - int len; - - com->ac_errno = -1; - - if (sched_dump(&p, &len) == -1) - goto out2; - - if ((buf = vmalloc(len)) == NULL) - goto out2; - - memcpy(buf->v, p, len); - - com->ac_errno = 0; -out2: - racoon_free(p); - break; - } - - case ADMIN_SHOW_EVT: - /* It's not really an error, don't force racoonctl to quit */ - if ((buf = evt_dump()) == NULL) - com->ac_errno = 0; - break; - - case ADMIN_SHOW_SA: - case ADMIN_FLUSH_SA: - { - switch (com->ac_proto) { - case ADMIN_PROTO_ISAKMP: - switch (com->ac_cmd) { - case ADMIN_SHOW_SA: - buf = dumpph1(); - if (buf == NULL) - com->ac_errno = -1; - break; - case ADMIN_FLUSH_SA: - flushph1(false); - break; - } - break; - case ADMIN_PROTO_IPSEC: - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - switch (com->ac_cmd) { - case ADMIN_SHOW_SA: - { - u_int p; - p = admin2pfkey_proto(com->ac_proto); - if (p == -1) - goto out; - buf = pfkey_dump_sadb(p); - if (buf == NULL) - com->ac_errno = -1; - } - break; - case ADMIN_FLUSH_SA: - pfkey_flush_sadb(com->ac_proto); - break; - } - break; - - case ADMIN_PROTO_INTERNAL: - switch (com->ac_cmd) { - case ADMIN_SHOW_SA: - buf = NULL; /*XXX dumpph2(&error);*/ - if (buf == NULL) - com->ac_errno = error; - break; - case ADMIN_FLUSH_SA: - /*XXX flushph2(false);*/ - com->ac_errno = 0; - break; - } - break; - - default: - /* ignore */ - com->ac_errno = -1; - } - } - break; - - case ADMIN_DELETE_SA: { - struct ph1handle *iph1; - struct sockaddr_storage *dst; - struct sockaddr_storage *src; - char *loc, *rem; - - src = (struct sockaddr_storage *) - &((struct admin_com_indexes *) - ((caddr_t)com + sizeof(*com)))->src; - dst = (struct sockaddr_storage *) - &((struct admin_com_indexes *) - ((caddr_t)com + sizeof(*com)))->dst; - - loc = racoon_strdup(saddrwop2str(src)); - rem = racoon_strdup(saddrwop2str(dst)); - STRDUP_FATAL(loc); - STRDUP_FATAL(rem); - - if ((iph1 = 
getph1byaddrwop(src, dst)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "phase 1 for %s -> %s not found\n", loc, rem); - } else { - if (iph1->status == PHASE1ST_ESTABLISHED) - isakmp_info_send_d1(iph1); - purge_remote(iph1); - } - - racoon_free(loc); - racoon_free(rem); - - break; - } - -#ifdef ENABLE_HYBRID - case ADMIN_LOGOUT_USER: { - struct ph1handle *iph1; - char user[LOGINLEN+1]; - int found = 0, len = com->ac_len - sizeof(com); - - if (len > LOGINLEN) { - plog(LLV_ERROR, LOCATION, NULL, - "malformed message (login too long)\n"); - break; - } - - memcpy(user, (char *)(com + 1), len); - user[len] = 0; - - found = purgeph1bylogin(user); - plog(LLV_INFO, LOCATION, NULL, - "deleted %d SA for user \"%s\"\n", found, user); - - break; - } -#endif - - case ADMIN_DELETE_ALL_SA_DST: { - struct ph1handle *iph1; - struct sockaddr_storage *dst; - char *loc, *rem; - - dst = (struct sockaddr_storage *) - &((struct admin_com_indexes *) - ((caddr_t)com + sizeof(*com)))->dst; - - rem = racoon_strdup(saddrwop2str(dst)); - STRDUP_FATAL(rem); - - plog(LLV_INFO, LOCATION, NULL, - "Flushing all SAs for peer %s\n", rem); - - while ((iph1 = getph1bydstaddrwop(dst)) != NULL) { - loc = racoon_strdup(saddrwop2str(iph1->local)); - STRDUP_FATAL(loc); - - if (iph1->status == PHASE1ST_ESTABLISHED) - isakmp_info_send_d1(iph1); - purge_remote(iph1); - - racoon_free(loc); - } - - racoon_free(rem); - - break; - } - - //%%%%%% test code - case ADMIN_ESTABLISH_SA_VPNCONTROL: - { - struct admin_com_psk *acp; - char *data; - struct sockaddr_storage *dst; - struct bound_addr *target; - - com->ac_errno = -1; - - acp = (struct admin_com_psk *) - ((char *)com + sizeof(*com) + - sizeof(struct admin_com_indexes)); - - target = (struct bound_addr *)racoon_malloc(sizeof(struct bound_addr)); - if (target == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory: %s\n", - strerror(errno)); - break; - } - - if ((id = vmalloc(acp->id_len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot 
allocate memory: %s\n", - strerror(errno)); - goto outofhere; - } - data = (char *)(acp + 1); - memcpy(id->v, data, id->l); - - if ((key = vmalloc(acp->key_len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory: %s\n", - strerror(errno)); - vfree(id); - id = NULL; - goto outofhere; - } - data = (char *)(data + acp->id_len); - memcpy(key->v, data, key->l); - - dst = (struct sockaddr_storage *) - &((struct admin_com_indexes *) - ((caddr_t)com + sizeof(*com)))->dst; - - // assume IPv4 - target->address = ((struct sockaddr_in *)dst)->sin_addr.s_addr; - -#ifdef ENABLE_HYBRID - /* Set the id and key */ - if (id && key) { - - target->user_id = id; - target->user_pw = key; - } -#endif - vpn_connect(target, VPN_STARTED_BY_ADMIN); - com->ac_errno = 0; -outofhere: - if (target->user_id != NULL) - vfree(target->user_id); - if (target->user_pw != NULL) - vfree(target->user_pw); - if (target != NULL) - racoon_free(target); - break; - } - - case ADMIN_ESTABLISH_SA_PSK: { - struct admin_com_psk *acp; - char *data; - - com->ac_cmd = ADMIN_ESTABLISH_SA; - - acp = (struct admin_com_psk *) - ((char *)com + sizeof(*com) + - sizeof(struct admin_com_indexes)); - - idtype = acp->id_type; - - if ((id = vmalloc(acp->id_len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory: %s\n", - strerror(errno)); - break; - } - data = (char *)(acp + 1); - memcpy(id->v, data, id->l); - - if ((key = vmalloc(acp->key_len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory: %s\n", - strerror(errno)); - vfree(id); - id = NULL; - break; - } - data = (char *)(data + acp->id_len); - memcpy(key->v, data, key->l); - } - /* FALLTHROUGH */ - case ADMIN_ESTABLISH_SA: - { - struct sockaddr_storage *dst; - struct sockaddr_storage *src; - src = (struct sockaddr_storage *) - &((struct admin_com_indexes *) - ((caddr_t)com + sizeof(*com)))->src; - dst = (struct sockaddr_storage *) - &((struct admin_com_indexes *) - ((caddr_t)com + sizeof(*com)))->dst; - - 
switch (com->ac_proto) { - case ADMIN_PROTO_ISAKMP: { - struct remoteconf *rmconf; - struct sockaddr_storage *remote = NULL; - struct sockaddr_storage *local = NULL; - u_int16_t port; - - com->ac_errno = -1; - - /* search appropreate configuration */ - rmconf = getrmconf(dst); - if (rmconf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no configuration found " - "for %s\n", saddrwop2str(dst)); - goto out1; - } - - /* get remote IP address and port number. */ - if ((remote = dupsaddr(dst)) == NULL) - goto out1; - - switch (remote->ss_family) { - case AF_INET: - ((struct sockaddr_in *)remote)->sin_port = - ((struct sockaddr_in *)rmconf->remote)->sin_port; - break; -#ifdef INET6 - case AF_INET6: - ((struct sockaddr_in6 *)remote)->sin6_port = - ((struct sockaddr_in6 *)rmconf->remote)->sin6_port; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", - remote->ss_family); - com->ac_errno = -1; - break; - } - -// port = extract_port(rmconf->remote); -// if (set_port(remote, port) == NULL) -// goto out1; - - /* get local address */ - if ((local = dupsaddr(src)) == NULL) - goto out1; - - port = ntohs(getmyaddrsport(local)); - if (set_port(local, port) == NULL) - goto out1; - -#ifdef ENABLE_HYBRID - /* Set the id and key */ - if (id && key) { - if (xauth_rmconf_used(&rmconf->xauth) == -1) - goto out1; - - if (rmconf->xauth->login != NULL) { - vfree(rmconf->xauth->login); - rmconf->xauth->login = NULL; - } - if (rmconf->xauth->pass != NULL) { - vfree(rmconf->xauth->pass); - rmconf->xauth->pass = NULL; - } - - rmconf->xauth->login = id; - rmconf->xauth->pass = key; - } -#endif - - plog(LLV_INFO, LOCATION, NULL, - "accept a request to establish IKE-SA: " - "%s\n", saddrwop2str(remote)); - - /* begin ident mode */ - if (isakmp_ph1begin_i(rmconf, remote, local, 0) < 0) - goto out1; - - com->ac_errno = 0; -out1: - if (local != NULL) - racoon_free(local); - if (remote != NULL) - racoon_free(remote); - break; - } - case ADMIN_PROTO_AH: - case 
ADMIN_PROTO_ESP: - break; - default: - /* ignore */ - com->ac_errno = -1; - } - } - break; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid command: %d\n", com->ac_cmd); - com->ac_errno = -1; - } - - if ((error = admin_reply(so2, com, buf)) != 0) - goto out; - - error = 0; -out: - if (buf != NULL) - vfree(buf); - - return error; -} - -static int -admin_reply(so, combuf, buf) - int so; - struct admin_com *combuf; - vchar_t *buf; -{ - int tlen; - char *retbuf = NULL; - - if (buf != NULL) - tlen = sizeof(*combuf) + buf->l; - else - tlen = sizeof(*combuf); - - retbuf = racoon_calloc(1, tlen); - if (retbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate admin buffer\n"); - return -1; - } - - memcpy(retbuf, combuf, sizeof(*combuf)); - ((struct admin_com *)retbuf)->ac_len = tlen; - - if (buf != NULL) - memcpy(retbuf + sizeof(*combuf), buf->v, buf->l); - - tlen = send(so, retbuf, tlen, 0); - racoon_free(retbuf); - if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to send admin command: %s\n", - strerror(errno)); - return -1; - } - - return 0; -} - -/* ADMIN_PROTO -> SADB_SATYPE */ -int -admin2pfkey_proto(proto) - u_int proto; -{ - switch (proto) { - case ADMIN_PROTO_IPSEC: - return SADB_SATYPE_UNSPEC; - case ADMIN_PROTO_AH: - return SADB_SATYPE_AH; - case ADMIN_PROTO_ESP: - return SADB_SATYPE_ESP; - default: - plog(LLV_ERROR, LOCATION, NULL, - "unsupported proto for admin: %d\n", proto); - return -1; - } - /*NOTREACHED*/ -} - -int -admin_init() -{ - if (adminsock_path == NULL) { - lcconf->sock_admin = -1; - return 0; - } - - memset(&sunaddr, 0, sizeof(sunaddr)); - sunaddr.sun_family = AF_UNIX; - snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path), - "%s", adminsock_path); - - lcconf->sock_admin = socket(AF_UNIX, SOCK_STREAM, 0); - if (lcconf->sock_admin == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "socket: %s\n", strerror(errno)); - return -1; - } - - if (fcntl(lcconf->sock_admin, F_SETFL, O_NONBLOCK) == -1) { - plog(LLV_ERROR, 
LOCATION, NULL, - "failed to put admin socket in non-blocking mode\n"); - } - - unlink(sunaddr.sun_path); - if (bind(lcconf->sock_admin, (struct sockaddr_storage *)&sunaddr, - sizeof(sunaddr)) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "bind(sockname:%s): %s\n", - sunaddr.sun_path, strerror(errno)); - (void)close(lcconf->sock_admin); - return -1; - } - - if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "chown(%s, %d, %d): %s\n", - sunaddr.sun_path, adminsock_owner, - adminsock_group, strerror(errno)); - (void)close(lcconf->sock_admin); - return -1; - } - - if (chmod(sunaddr.sun_path, adminsock_mode) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "chmod(%s, 0%03o): %s\n", - sunaddr.sun_path, adminsock_mode, strerror(errno)); - (void)close(lcconf->sock_admin); - return -1; - } - - if (listen(lcconf->sock_admin, 5) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "listen(sockname:%s): %s\n", - sunaddr.sun_path, strerror(errno)); - (void)close(lcconf->sock_admin); - return -1; - } - plog(LLV_DEBUG, LOCATION, NULL, - "open %s as racoon management.\n", sunaddr.sun_path); - - return 0; -} - -int -admin_close() -{ - close(lcconf->sock_admin); - return 0; -} -#endif diff --git a/ipsec-tools/racoon/admin.h b/ipsec-tools/racoon/admin.h deleted file mode 100644 index d6ec706..0000000 --- a/ipsec-tools/racoon/admin.h +++ /dev/null 
@@ -1,117 +0,0 @@ -/* $NetBSD: admin.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */ - -/* Id: admin.h,v 1.11 2005/06/19 22:37:47 manubsd Exp */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifndef _ADMIN_H -#define _ADMIN_H - -#define ADMINSOCK_PATH ADMINPORTDIR "/racoon.sock" - -extern char *adminsock_path; -extern uid_t adminsock_owner; -extern gid_t adminsock_group; -extern mode_t adminsock_mode; - -/* command for administration. 
*/ -/* NOTE: host byte order. */ -struct admin_com { - u_int16_t ac_len; /* total packet length including data */ - u_int16_t ac_cmd; - int16_t ac_errno; - u_int16_t ac_proto; -}; - -/* - * No data follows as the data. - * These don't use proto field. - */ -#define ADMIN_RELOAD_CONF 0x0001 -#define ADMIN_SHOW_SCHED 0x0002 -#define ADMIN_SHOW_EVT 0x0003 - -/* - * No data follows as the data. - * These use proto field. - */ -#define ADMIN_SHOW_SA 0x0101 -#define ADMIN_FLUSH_SA 0x0102 - -/* - * The admin_com_indexes follows, see below. - */ -#define ADMIN_DELETE_SA 0x0201 -#define ADMIN_ESTABLISH_SA 0x0202 -#define ADMIN_DELETE_ALL_SA_DST 0x0204 /* All SA for a given peer */ - -/* - * The admin_com_indexes and admin_com_psk follow, see below. - */ -#define ADMIN_ESTABLISH_SA_PSK 0x0203 - -/* - * user login follows - */ -#define ADMIN_LOGOUT_USER 0x0205 /* Delete SA for a given Xauth user */ - -//%%%% for test -#define ADMIN_ESTABLISH_SA_VPNCONTROL 0x0206 - -/* - * Range 0x08xx is reserved for privilege separation, see privsep.h - */ - -/* the value of proto */ -#define ADMIN_PROTO_ISAKMP 0x01ff -#define ADMIN_PROTO_IPSEC 0x02ff -#define ADMIN_PROTO_AH 0x0201 -#define ADMIN_PROTO_ESP 0x0202 -#define ADMIN_PROTO_INTERNAL 0x0301 - -struct admin_com_indexes { - u_int8_t prefs; - u_int8_t prefd; - u_int8_t ul_proto; - u_int8_t reserved; - struct sockaddr_storage src; - struct sockaddr_storage dst; -}; - -struct admin_com_psk { - int id_type; - size_t id_len; - size_t key_len; - /* Followed by id and key */ -}; - -extern int admin2pfkey_proto __P((u_int)); - -#endif /* _ADMIN_H */ diff --git a/ipsec-tools/racoon/admin_var.h b/ipsec-tools/racoon/admin_var.h deleted file mode 100644 index 4054695..0000000 --- a/ipsec-tools/racoon/admin_var.h +++ /dev/null 
@@ -1,39 +0,0 @@ -/* $Id: admin_var.h,v 1.7 2004/12/30 00:08:30 manubsd Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifndef _ADMIN_VAR_H -#define _ADMIN_VAR_H - -extern int admin_handler __P((void)); -extern int admin_init __P((void)); -extern int admin_close __P((void)); - -#endif /* _ADMIN_VAR_H */ diff --git a/ipsec-tools/racoon/algorithm.c b/ipsec-tools/racoon/algorithm.c index 9ed1ef9..31291b5 100644 
--- a/ipsec-tools/racoon/algorithm.c +++ b/ipsec-tools/racoon/algorithm.c @@ -50,6 +50,7 @@ #include "ipsec_doi.h" #include "gcmalloc.h" + static struct hash_algorithm oakley_hashdef[] = { { "md5", algtype_md5, OAKLEY_ATTR_HASH_ALG_MD5, eay_md5_init, eay_md5_update, @@ -75,12 +76,13 @@ static struct hash_algorithm oakley_hashdef[] = { #endif }; + static struct hmac_algorithm oakley_hmacdef[] = { -{ "hmac_md5", algtype_md5, OAKLEY_ATTR_HASH_ALG_MD5, +{ "hmac_md5", algtype_hmac_md5_128, OAKLEY_ATTR_HASH_ALG_MD5, eay_hmacmd5_init, eay_hmacmd5_update, eay_hmacmd5_final, NULL, eay_hmacmd5_one, }, -{ "hmac_sha1", algtype_sha1, OAKLEY_ATTR_HASH_ALG_SHA, +{ "hmac_sha1", algtype_hmac_sha1_160, OAKLEY_ATTR_HASH_ALG_SHA, eay_hmacsha1_init, eay_hmacsha1_update, eay_hmacsha1_final, NULL, eay_hmacsha1_one, }, @@ -101,13 +103,16 @@ static struct hmac_algorithm oakley_hmacdef[] = { }; static struct enc_algorithm oakley_encdef[] = { -{ "des", algtype_des, OAKLEY_ATTR_ENC_ALG_DES, 8, +{ "des", algtype_des, OAKLEY_ATTR_ENC_ALG_DES, + 8, eay_des_encrypt, eay_des_decrypt, eay_des_weakkey, eay_des_keylen, }, -{ "3des", algtype_3des, OAKLEY_ATTR_ENC_ALG_3DES, 8, +{ "3des", algtype_3des, OAKLEY_ATTR_ENC_ALG_3DES, + 8, eay_3des_encrypt, eay_3des_decrypt, eay_3des_weakkey, eay_3des_keylen, }, -{ "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16, +{ "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, + 16, eay_aes_encrypt, eay_aes_decrypt, eay_aes_weakkey, eay_aes_keylen, }, }; 
@@ -134,16 +139,24 @@ static struct enc_algorithm ipsec_encdef[] = { }; static struct hmac_algorithm ipsec_hmacdef[] = { -{ "md5", algtype_hmac_md5, IPSECDOI_ATTR_AUTH_HMAC_MD5, +{ "hmac_md5_96", algtype_hmac_md5_96, IPSECDOI_ATTR_AUTH_HMAC_MD5_96, NULL, NULL, NULL, eay_md5_hashlen, NULL, }, -{ "sha1", algtype_hmac_sha1, IPSECDOI_ATTR_AUTH_HMAC_SHA1, +{ "hmac_sha1_96", algtype_hmac_sha1_96, IPSECDOI_ATTR_AUTH_HMAC_SHA1_96, NULL, NULL, NULL, eay_sha1_hashlen, NULL, }, -{ "null", algtype_non_auth, IPSECDOI_ATTR_AUTH_NONE, +{ "md5", algtype_hmac_md5_128, IPSECDOI_ATTR_AUTH_HMAC_MD5, + NULL, NULL, + NULL, eay_md5_hashlen, + NULL, }, +{ "sha1", algtype_hmac_sha1_160, IPSECDOI_ATTR_AUTH_HMAC_SHA1, NULL, NULL, + NULL, eay_sha1_hashlen, + NULL, }, +{ "null", algtype_non_auth, IPSECDOI_ATTR_AUTH_NONE, + NULL, NULL, NULL, eay_null_hashlen, NULL, }, #ifdef WITH_SHA2 @@ -152,7 +165,7 @@ static struct hmac_algorithm ipsec_hmacdef[] = { NULL, eay_sha2_256_hashlen, NULL, }, { "hmac_sha2_384", algtype_hmac_sha2_384,IPSECDOI_ATTR_AUTH_HMAC_SHA2_384, - NULL, NULL, + NULL, NULL, NULL, eay_sha2_384_hashlen, NULL, }, { "hmac_sha2_512", algtype_hmac_sha2_512,IPSECDOI_ATTR_AUTH_HMAC_SHA2_512, @@ -208,6 +221,12 @@ static struct misc_algorithm oakley_authdef[] = { { "xauth_rsa_client", algtype_xauth_rsa_c, OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I, }, + +{ "eap_psk_client", algtype_eap_psk_c, + OAKLEY_ATTR_AUTH_METHOD_EAP_PSKEY_I, }, + +{ "eap_rsa_client", algtype_eap_rsa_c, + OAKLEY_ATTR_AUTH_METHOD_EAP_RSASIG_I, }, #endif }; 
@@ -230,12 +249,12 @@ static struct dh_algorithm oakley_dhdef[] = { &dh_modp8192, }, }; -static struct hash_algorithm *alg_oakley_hashdef __P((int)); -static struct hmac_algorithm *alg_oakley_hmacdef __P((int)); -static struct enc_algorithm *alg_oakley_encdef __P((int)); -static struct enc_algorithm *alg_ipsec_encdef __P((int)); -static struct hmac_algorithm *alg_ipsec_hmacdef __P((int)); -static struct dh_algorithm *alg_oakley_dhdef __P((int)); +static struct hash_algorithm *alg_oakley_hashdef (int); +static struct hmac_algorithm *alg_oakley_hmacdef (int); +static struct enc_algorithm *alg_oakley_encdef (int); +static struct enc_algorithm *alg_ipsec_encdef (int); +static struct hmac_algorithm *alg_ipsec_hmacdef (int); +static struct dh_algorithm *alg_oakley_dhdef (int); /* oakley hash algorithm */ static struct hash_algorithm * @@ -246,7 +265,7 @@ alg_oakley_hashdef(doi) for (i = 0; i < ARRAYLEN(oakley_hashdef); i++) if (doi == oakley_hashdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "hash(%s)\n", + plog(ASL_LEVEL_DEBUG, "hash(%s)\n", oakley_hashdef[i].name); return &oakley_hashdef[i]; } @@ -329,7 +348,7 @@ alg_oakley_hmacdef(doi) for (i = 0; i < ARRAYLEN(oakley_hmacdef); i++) if (doi == oakley_hmacdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n", + plog(ASL_LEVEL_DEBUG, "hmac(%s)\n", oakley_hmacdef[i].name); return &oakley_hmacdef[i]; } @@ -373,7 +392,7 @@ alg_oakley_hmacdef_one(doi, key, buf) #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s size=%zu): %8.6f", __func__, + plog(ASL_LEVEL_NOTICE, "%s(%s size=%zu): %8.6f", __func__, f->name, buf->l, timedelta(&start, &end)); #endif @@ -389,7 +408,7 @@ alg_oakley_encdef(doi) for (i = 0; i < ARRAYLEN(oakley_encdef); i++) if (doi == oakley_encdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "encryption(%s)\n", + plog(ASL_LEVEL_DEBUG, "encryption(%s)\n", oakley_encdef[i].name); return &oakley_encdef[i]; } 
@@ -485,7 +504,7 @@ alg_oakley_encdef_decrypt(doi, buf, key, iv) #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s klen=%zu size=%zu): %8.6f", __func__, + plog(ASL_LEVEL_NOTICE, "%s(%s klen=%zu size=%zu): %8.6f", __func__, f->name, key->l << 3, buf->l, timedelta(&start, &end)); #endif return res; @@ -514,7 +533,7 @@ alg_oakley_encdef_encrypt(doi, buf, key, iv) #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s klen=%zu size=%zu): %8.6f", __func__, + plog(ASL_LEVEL_NOTICE, "%s(%s klen=%zu size=%zu): %8.6f", __func__, f->name, key->l << 3, buf->l, timedelta(&start, &end)); #endif return res; @@ -529,7 +548,7 @@ alg_ipsec_encdef(doi) for (i = 0; i < ARRAYLEN(ipsec_encdef); i++) if (doi == ipsec_encdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "encryption(%s)\n", + plog(ASL_LEVEL_DEBUG, "encryption(%s)\n", ipsec_encdef[i].name); return &ipsec_encdef[i]; } @@ -572,7 +591,7 @@ alg_ipsec_hmacdef(doi) for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++) if (doi == ipsec_hmacdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n", + plog(ASL_LEVEL_DEBUG, "hmac(%s)\n", ipsec_hmacdef[i].name); return &ipsec_hmacdef[i]; } @@ -630,7 +649,7 @@ alg_oakley_dhdef(doi) for (i = 0; i < ARRAYLEN(oakley_dhdef); i++) if (doi == oakley_dhdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n", + plog(ASL_LEVEL_DEBUG, "hmac(%s)\n", oakley_dhdef[i].name); return &oakley_dhdef[i]; } @@ -717,6 +736,7 @@ alg_oakley_authdef_name (doi) return "*UNKNOWN*"; } + /* * give the default key length * OUT: -1: NG @@ -765,8 +785,8 @@ check_keylen(class, type, len) break; default: /* unknown class, punt */ - plog(LLV_ERROR, LOCATION, NULL, - "unknown algclass %d\n", class); + plog(ASL_LEVEL_ERR, + "unknown algorithm class %d\n", class); return -1; } 
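Review bot: The rewritten debug line in alg_oakley_dhdef (hunk `@@ -630,7 +649,7 @@`) still labels a Diffie-Hellman group lookup as `hmac(%s)`, so this entry is indistinguishable in the log from the one alg_oakley_hmacdef emits. Since the call is already being converted to the ASL form, `plog(ASL_LEVEL_DEBUG, "dh(%s)\n",` fixes the label at no extra cost. The other hunks in this file only swap the logging call and look fine. alg_oakley_dhdef's body continues outside the hunk.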
@@ -778,7 +798,7 @@ check_keylen(class, type, len) case algtype_aes: case algtype_twofish: if (len % 8 != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "key length %d is not multiple of 8\n", len); return -1; } @@ -810,14 +830,14 @@ check_keylen(class, type, len) break; default: if (len) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "key length is not allowed"); return -1; } break; } if (badrange) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "key length out of range\n"); return -1; } @@ -862,6 +882,7 @@ algtype2doi(class, type) return res; } + /* * convert algorithm class to DOI value. * OUT -1 : NG diff --git a/ipsec-tools/racoon/algorithm.h b/ipsec-tools/racoon/algorithm.h index 3d1d51b..c6acef4 100644 --- a/ipsec-tools/racoon/algorithm.h +++ b/ipsec-tools/racoon/algorithm.h @@ -32,7 +32,6 @@ #ifndef _ALGORITHM_H #define _ALGORITHM_H -#include #include "Algorithm_types.h" @@ -40,22 +39,22 @@ struct hmac_algorithm { char *name; int type; int doi; - caddr_t (*init) __P((vchar_t *)); - void (*update) __P((caddr_t, vchar_t *)); - vchar_t *(*final) __P((caddr_t)); - int (*hashlen) __P((void)); - vchar_t *(*one) __P((vchar_t *, vchar_t *)); + caddr_t (*init) (vchar_t *); + void (*update) (caddr_t, vchar_t *); + vchar_t *(*final) (caddr_t); + int (*hashlen) (void); + vchar_t *(*one) (vchar_t *, vchar_t *); }; struct hash_algorithm { char *name; int type; int doi; - caddr_t (*init) __P((void)); - void (*update) __P((caddr_t, vchar_t *)); - vchar_t *(*final) __P((caddr_t)); - int (*hashlen) __P((void)); - vchar_t *(*one) __P((vchar_t *)); + caddr_t (*init) (void); + void (*update) (caddr_t, vchar_t *); + vchar_t *(*final) (caddr_t); + int (*hashlen) (void); + vchar_t *(*one) (vchar_t *); }; struct enc_algorithm { 
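Review bot: In the check_keylen hunk `@@ -810,14 +830,14 @@`, the rewritten `plog(ASL_LEVEL_ERR,` call still passes "key length is not allowed" without a trailing newline, while every sibling message in this function ("key length out of range\n", "key length %d is not multiple of 8\n") ends in one. While the call is being rewritten, the context line is worth changing to `"key length is not allowed");` → `"key length is not allowed\n");`. The enclosing switch begins outside the hunk.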
@@ -63,10 +62,10 @@ struct enc_algorithm { int type; int doi; int blocklen; - vchar_t *(*encrypt) __P((vchar_t *, vchar_t *, vchar_t *)); - vchar_t *(*decrypt) __P((vchar_t *, vchar_t *, vchar_t *)); - int (*weakkey) __P((vchar_t *)); - int (*keylen) __P((int)); + vchar_t *(*encrypt) (vchar_t *, vchar_t *, vchar_t *); + vchar_t *(*decrypt) (vchar_t *, vchar_t *, vchar_t *); + int (*weakkey) (vchar_t *); + int (*keylen) (int); }; /* dh group */ 
@@ -84,43 +83,44 @@ struct misc_algorithm { int doi; }; -extern int alg_oakley_hashdef_ok __P((int)); -extern int alg_oakley_hashdef_doi __P((int)); -extern int alg_oakley_hashdef_hashlen __P((int)); -extern vchar_t *alg_oakley_hashdef_one __P((int, vchar_t *)); +extern int alg_oakley_hashdef_ok (int); +extern int alg_oakley_hashdef_doi (int); +extern int alg_oakley_hashdef_hashlen (int); +extern vchar_t *alg_oakley_hashdef_one (int, vchar_t *); -extern int alg_oakley_hmacdef_doi __P((int)); -extern vchar_t *alg_oakley_hmacdef_one __P((int, vchar_t *, vchar_t *)); +extern int alg_oakley_hmacdef_doi (int); +extern vchar_t *alg_oakley_hmacdef_one (int, vchar_t *, vchar_t *); -extern int alg_oakley_encdef_ok __P((int)); -extern int alg_oakley_encdef_doi __P((int)); -extern int alg_oakley_encdef_keylen __P((int, int)); -extern int alg_oakley_encdef_blocklen __P((int)); -extern vchar_t *alg_oakley_encdef_decrypt __P((int, vchar_t *, vchar_t *, vchar_t *)); -extern vchar_t *alg_oakley_encdef_encrypt __P((int, vchar_t *, vchar_t *, vchar_t *)); +extern int alg_oakley_encdef_ok (int); +extern int alg_oakley_encdef_doi (int); +extern int alg_oakley_encdef_keylen (int, int); +extern int alg_oakley_encdef_blocklen (int); +extern vchar_t *alg_oakley_encdef_decrypt (int, vchar_t *, vchar_t *, vchar_t *); +extern vchar_t *alg_oakley_encdef_encrypt (int, vchar_t *, vchar_t *, vchar_t *); -extern int alg_ipsec_encdef_doi __P((int)); -extern int alg_ipsec_encdef_keylen __P((int, int)); +extern int alg_ipsec_encdef_doi (int); +extern int alg_ipsec_encdef_keylen (int, int); -extern int alg_ipsec_hmacdef_doi __P((int)); -extern int alg_ipsec_hmacdef_hashlen __P((int)); +extern int alg_ipsec_hmacdef_doi (int); +extern int alg_ipsec_hmacdef_hashlen (int); -extern int alg_ipsec_compdef_doi __P((int)); +extern int alg_ipsec_compdef_doi (int); -extern int alg_oakley_dhdef_doi __P((int)); -extern int alg_oakley_dhdef_ok __P((int)); -extern struct dhgroup *alg_oakley_dhdef_group __P((int)); 
+extern int alg_oakley_dhdef_doi (int); +extern int alg_oakley_dhdef_ok (int); +extern struct dhgroup *alg_oakley_dhdef_group (int); -extern int alg_oakley_authdef_doi __P((int)); +extern int alg_oakley_authdef_doi (int); -extern int default_keylen __P((int, int)); -extern int check_keylen __P((int, int, int)); -extern int algtype2doi __P((int, int)); -extern int algclass2doi __P((int)); +extern int default_keylen (int, int); +extern int check_keylen (int, int, int); +extern int algtype2doi (int, int); +extern int algclass2doi (int); + +extern const char *alg_oakley_encdef_name (int); +extern const char *alg_oakley_hashdef_name (int); +extern const char *alg_oakley_dhdef_name (int); +extern const char *alg_oakley_authdef_name (int); -extern const char *alg_oakley_encdef_name __P((int)); -extern const char *alg_oakley_hashdef_name __P((int)); -extern const char *alg_oakley_dhdef_name __P((int)); -extern const char *alg_oakley_authdef_name __P((int)); #endif /* _ALGORITHM_H */ diff --git a/ipsec-tools/racoon/algorithm_types.h b/ipsec-tools/racoon/algorithm_types.h index aca2f18..b5cd55e 100644 --- a/ipsec-tools/racoon/algorithm_types.h +++ b/ipsec-tools/racoon/algorithm_types.h @@ -42,7 +42,9 @@ enum { algclass_isakmp_hash, algclass_isakmp_dh, algclass_isakmp_ameth, /* authentication method. */ -#define MAXALGCLASS 7 + algclass_ikev2_prf, + algclass_ikev2_integ, +#define MAXALGCLASS 9 }; #define ALG_DEFAULT_KEYLEN 64 @@ -69,14 +71,16 @@ enum algtype { algtype_twofish, /* ipsec auth */ - algtype_hmac_md5, - algtype_hmac_sha1, + algtype_hmac_md5_128, + algtype_hmac_sha1_160, algtype_des_mac, algtype_kpdk, algtype_non_auth, algtype_hmac_sha2_256, algtype_hmac_sha2_384, algtype_hmac_sha2_512, + algtype_hmac_md5_96, + algtype_hmac_sha1_96, /* ipcomp */ algtype_oui, @@ -119,6 +123,8 @@ enum algtype { algtype_xauth_psk_c, algtype_xauth_rsa_s, algtype_xauth_rsa_c, + algtype_eap_psk_c, + algtype_eap_rsa_c, #endif }; 
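Review bot: In the algorithm_types.h hunk `@@ -42,7 +42,9 @@`, `MAXALGCLASS` is bumped by hand from 7 to 9 inside the enum to track the two added classes, so the next addition can silently leave the count and the enumerators out of step; a trailing enumerator keeps them synchronised, e.g. `algclass_ikev2_integ,` / `algclass_max` / `#define MAXALGCLASS algclass_max`. The following hunk in the same file inserts `algtype_hmac_md5_96` and `algtype_hmac_sha1_96` in the middle of `enum algtype`, which shifts the numeric value of every enumerator after them (the ipcomp and later entries); that is harmless if the values are only used symbolically, but any table indexed by algtype or value stored outside the process would need checking, and I cannot see such uses from here. The enum declaration starts outside the hunk.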
diff --git a/ipsec-tools/racoon/api_support.c b/ipsec-tools/racoon/api_support.c
new file mode 100644
index 0000000..fc804a9
--- /dev/null
+++ b/ipsec-tools/racoon/api_support.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2012, 2013 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "config.h"
diff --git a/ipsec-tools/racoon/api_support.h b/ipsec-tools/racoon/api_support.h
new file mode 100644
index 0000000..7b028d2
--- /dev/null
+++ b/ipsec-tools/racoon/api_support.h
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 2012, 2013 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef __API_SUPPORT__
+#define __API_SUPPORT__
+
+#include
+#include
+#include "racoon_types.h"
+#include
+#include
+#include
+#include
+#include
+
+struct isakmp_cfg_state;
+struct ikev2_traffic_selector;
+
+#define kSNIPSecDBSrcRangeEndAddress CFSTR("SrcRangeEndAddress") /* CFString */
+#define kSNIPSecDBDstRangeEndAddress CFSTR("DstRangeEndAddress") /* CFString */
+#define kSNIPSecDBSrcRangeEndPort CFSTR("SrcRangeEndPort") /* CFNumber */
+#define kSNIPSecDBDstRangeEndPort CFSTR("DstRangeEndPort") /* CFNumber */
+
+#define kSNIPSecDBPolicyID CFSTR("PolicyID") /* CFNumber */
+
+#define kSNIPSecDBPolicyType CFSTR("PolicyType") /* CFString */
+#define kSNIPSecDBValPolicyTypeDiscard CFSTR("Discard")
+#define kSNIPSecDBValPolicyTypeNone CFSTR("None")
+#define kSNIPSecDBValPolicyTypeIPSec CFSTR("IPSec")
+#define kSNIPSecDBValPolicyTypeEntrust CFSTR("Entrust")
+#define kSNIPSecDBValPolicyTypeBypass CFSTR("Bypass")
+#define kSNIPSecDBValPolicyTypeGenerate CFSTR("Generate")
+
+#define kSNIPSecDBSACreateTime CFSTR("CreateTime")
+#define kSNIPSecDBSACurrentTime CFSTR("CurrentTime")
+#define kSNIPSecDBSADiffTime CFSTR("DiffTime")
+#define kSNIPSecDBSAHardLifetime CFSTR("HardLifetime")
+#define kSNIPSecDBSASoftLifetime CFSTR("SoftLifetime")
+#define kSNIPSecDBSALastUseTime CFSTR("LastUseTime")
+#define kSNIPSecDBSAHardUseTime CFSTR("HardUseTime")
+#define kSNIPSecDBSASoftUseTime CFSTR("SoftUseTime")
+#define kSNIPSecDBSACurrentBytes CFSTR("CurrentBytes")
+#define kSNIPSecDBSAHardBytes CFSTR("HardBytes")
+#define kSNIPSecDBSASoftBytes CFSTR("SoftBytes")
+#define kSNIPSecDBSACurrentAllocations CFSTR("CurrentAllocations")
+#define kSNIPSecDBSAHardAllocations CFSTR("HardAllocations")
+#define kSNIPSecDBSASoftAllocations CFSTR("SoftAllocations")
+
+#define kSNIPSecDBSAState CFSTR("State")
+#define kSNIPSecDBValSAStateLarval CFSTR("Larval")
+#define kSNIPSecDBValSAStateMature CFSTR("Mature")
+#define kSNIPSecDBValSAStateDying CFSTR("Dying")
+#define kSNIPSecDBValSAStateDead CFSTR("Dead")
+
+#define kSNIPSecIKEAssignedPCSCFIPv6Address CFSTR("AssignedPCSCFIPv6Address")
+
+typedef uint32_t InternalSessionRef;
+typedef uint32_t InternalItemRef;
+
+/* IPSec DB API Types */
+typedef InternalSessionRef InternalDBRef;
+typedef InternalItemRef InternalDBSARef;
+typedef InternalItemRef InternalDBPolicyRef;
+typedef InternalItemRef InternalDBInterfaceRef;
+#define kInternalDBRefInvalid 0
+#define kInternalDBSARefInvalid 0
+#define kInternalDBPolicyRefInvalid 0
+#define kInternalDBInterfaceRefInvalid 0
+
+/* IKE API Types */
+typedef InternalSessionRef InternalIKESARef;
+typedef InternalItemRef InternalChildSARef;
+#define kInternalIKESARefInvalid 0
+#define kInternalChildSARefInvalid 0
+
+/* Internal support functions -- Dictionaries should be verified for required keys and valid types before calling these */
+void ASSendXPCReply (InternalSessionRef sessionRef, InternalItemRef objRef, int callType, void *retVal, Boolean success);
+void ASSendXPCMessage(uint32_t message, void *messageobj, uint32_t sessionID, uint32_t itemID);
+
+/* IPSec DB API Functions */
+InternalDBRef ASDBCreate (void);
+InternalDBSARef ASDBGetSPI (InternalDBRef ref, CFDictionaryRef sadata);
+InternalDBSARef ASDBCreateSA (InternalDBRef ref, CFDictionaryRef sadata);
+Boolean ASDBUpdateSA (InternalDBRef ref, InternalDBSARef saref, CFDictionaryRef sadata);
+Boolean ASDBDeleteSA (InternalDBRef ref, InternalDBSARef saref);
+Boolean ASDBCopySA (InternalDBRef ref, InternalDBSARef saref);
+Boolean ASDBFlushSA (InternalDBRef ref, Boolean *blockForResponse);
+CFArrayRef ASDBCopySAIDs (InternalDBRef ref);
+InternalDBPolicyRef ASDBAddPolicy (InternalDBRef ref, CFDictionaryRef spdata);
+Boolean ASDBDeletePolicy (InternalDBRef ref, InternalDBPolicyRef policyref);
+Boolean ASDBCopyPolicy (InternalDBRef ref, InternalDBPolicyRef policyref);
+Boolean ASDBFlushPolicy (InternalDBRef ref, Boolean *blockForResponse);
+CFArrayRef ASDBCopyPolicyIDs (InternalDBRef ref);
+Boolean ASDBFlushAll (InternalDBRef ref, Boolean *blockForResponse);
+Boolean ASDBDispose (InternalDBRef ref, Boolean *blockForResponse);
+
+/* IPSec DB Interface Functions */
+InternalDBInterfaceRef ASDBCreateIPSecInterface (InternalDBRef ref, struct sockaddr_storage *address, struct sockaddr_storage *netmask, struct sockaddr_storage *v6address, int v6prefix);
+Boolean ASDBFlushInterfaces (InternalDBRef ref);
+
+/* IKE API Functions */
+InternalIKESARef ASIKECreate (CFDictionaryRef ikedata, CFDictionaryRef childData);
+InternalChildSARef ASIKEStartConnection (InternalIKESARef ref);
+Boolean ASIKEStopConnection (InternalIKESARef ref);
+InternalChildSARef ASIKEStartChildSA (InternalIKESARef ref, CFDictionaryRef ikechilddata);
+Boolean ASIKEStopChildSA (InternalIKESARef ref, InternalChildSARef childref);
+SNIPSecIKEStatus ASIKEGetConnectionStatus (InternalIKESARef ref);
+SNIPSecIKEStatus ASIKEGetChildStatus (InternalIKESARef ref, InternalChildSARef childref);
+Boolean ASIKEDispose (InternalIKESARef ref, Boolean *blockForResponse);
+Boolean ASIKEEnableAll (InternalIKESARef ref);
+Boolean ASIKEDisableAll (InternalIKESARef ref);
+
+/* Functions to support racoon */
+InternalDBSARef ASDBGetSPIFromIKE (InternalDBRef ref, phase2_handle_t *phase2);
+Boolean ASDBAddSAFromIKE (InternalDBRef ref, phase2_handle_t *phase2, Boolean update);
+Boolean ASDBDeleteSAFromIKE (InternalDBRef ref, struct sockaddr_storage *dst, uint32_t spi, int ipsecProtocol);
+Boolean ASDBFlushAllForIKEChildSA (InternalDBRef ref, InternalChildSARef childRef);
+InternalDBPolicyRef ASDBAddPolicyFromIKE (InternalDBRef ref, phase2_handle_t *phase2);
+Boolean ASDBReceivePFKeyMessage (caddr_t *message, int array_size); /* Returns TRUE if handled message */
+Boolean ASDBGetIPSecInterfaceName (InternalDBRef ref, char *buf, int bufLen);
+Boolean ASIKEConnectionAddChildSAFromIKE (InternalIKESARef ref, phase2_handle_t *childSA);
+Boolean ASIKEConnectionSwapChildSAs (InternalIKESARef ref, InternalChildSARef oldChildSA, InternalChildSARef newChildSA);
+void ASIKEConnectionExpireChildSAFromIKE (InternalIKESARef ref, InternalChildSARef childSARef);
+Boolean ASHasValidSessions (void);
+void ASIKEUpdateLocalAddressesFromIKE (void);
+void ASIKEUpdateStatusFromIKE (InternalIKESARef ref, InternalChildSARef childRef, uint32_t status, uint32_t reason);
+phase2_handle_t *ASIKEConnectionGetChildSAFromIKE (InternalIKESARef ref, InternalChildSARef childSARef);
+void ASIKEUpdateConfigurationFromIKE (InternalIKESARef ref, struct isakmp_cfg_state *config);
+void ASIKEUpdateTrafficSelectorsFromIKE (InternalIKESARef ref, InternalChildSARef childRef, struct ikev2_traffic_selector *local, struct ikev2_traffic_selector *remote);
+void ASIKEStopConnectionFromIKE (InternalIKESARef ref);
+
+#endif
diff --git a/ipsec-tools/racoon/arc4random.h b/ipsec-tools/racoon/arc4random.h
index 1957945..b469af3 100644
--- a/ipsec-tools/racoon/arc4random.h
+++ b/ipsec-tools/racoon/arc4random.h
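Review bot: The new api_support.h guards itself with `__API_SUPPORT__`, a double-underscore identifier that C reserves for the implementation; `#ifndef API_SUPPORT_H` / `#define API_SUPPORT_H` avoids the reserved namespace. The comment above ASSendXPCReply says callers must verify dictionaries for required keys and valid types before calling in, but none of the declarations that take a `CFDictionaryRef` (ASDBGetSPI, ASDBCreateSA, ASDBUpdateSA, ASDBAddPolicy, ASIKECreate, ASIKEStartChildSA) records which keys it relies on, and nothing states whether the `CFArrayRef` returned by ASDBCopySAIDs and ASDBCopyPolicyIDs is owned by the caller, so the validation and ownership contract at this boundary is only implied by naming; a short comment per declaration, e.g. `/* sadata: caller-validated; required keys documented at the implementation. Returned array is owned by the caller. */`, would make it explicit. ASDBGetIPSecInterfaceName and ASDBReceivePFKeyMessage take their buffer and array sizes as `int`; `size_t` would remove the possibility of a negative length reaching the implementation.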
@@ -32,7 +32,7 @@ #ifndef __ARC4RANDOM_H__ #define __ARC4RANDOM_H__ -extern u_int32_t arc4random __P((void)); +extern u_int32_t arc4random (void); #endif /* __ARC4RANDOM_H__ */ diff --git a/ipsec-tools/racoon/backupsa.c b/ipsec-tools/racoon/backupsa.c deleted file mode 100644 index 180a09a..0000000 --- a/ipsec-tools/racoon/backupsa.c +++ /dev/null 
@@ -1,486 +0,0 @@ -/* $KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "config.h" - -#include -#include -#include - -#include -#include -#include -#include - -#include -#ifndef HAVE_NETINET6_IPSEC -#include -#else -#include -#endif - -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "str2val.h" -#include "plog.h" -#include "debug.h" - -#include "localconf.h" -#include "sockmisc.h" -#include "safefile.h" -#include "backupsa.h" -#include "libpfkey.h" - -/* - * (time string)%(sa parameter) - * (time string) := ex. Nov 24 18:22:48 1986 - * (sa parameter) := - * src dst satype spi mode reqid wsize \ - * e_type e_keylen a_type a_keylen flags \ - * l_alloc l_bytes l_addtime l_usetime seq keymat - */ -static char *format = "%b %d %T %Y"; /* time format */ -static char *strmon[12] = { - "Jan", "Feb", "Mar", "Apr", "May", "Jun", - "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" -}; - -static char *str2tmx __P((char *, struct tm *)); -static int str2num __P((char *, int)); - -/* - * output the sa parameter. 
- */ -int -backupsa_to_file(satype, mode, src, dst, spi, reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, l_bytes, l_addtime, l_usetime, seq) - u_int satype, mode, wsize; - struct sockaddr *src, *dst; - u_int32_t spi, reqid; - caddr_t keymat; - u_int e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc; - u_int64_t l_bytes, l_addtime, l_usetime; - u_int32_t seq; -{ - char buf[1024]; - struct tm *tm; - time_t t; - char *p, *k; - int len, l, i; - FILE *fp; - - p = buf; - len = sizeof(buf); - - t = time(NULL); - tm = localtime(&t); - l = strftime(p, len, format, tm); - p += l; - len -= l; - if (len < 0) - goto err; - - l = snprintf(p, len, "%%"); - if (l < 0 || l >= len) - goto err; - p += l; - len -= l; - if (len < 0) - goto err; - - i = getnameinfo(src, sysdep_sa_len(src), p, len, NULL, 0, NIFLAGS); - if (i != 0) - goto err; - l = strlen(p); - p += l; - len -= l; - if (len < 0) - goto err; - - l = snprintf(p, len, " "); - if (l < 0 || l >= len) - goto err; - p += l; - len -= l; - if (len < 0) - goto err; - - i = getnameinfo(dst, sysdep_sa_len(dst), p, len, NULL, 0, NIFLAGS); - if (i != 0) - goto err; - l = strlen(p); - p += l; - len -= l; - if (len < 0) - goto err; - - l = snprintf(p, len, - " %u %lu %u %u %u " - "%u %u %u %u %u " - "%u %llu %llu %llu %u", - satype, (unsigned long)ntohl(spi), mode, reqid, wsize, - e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, (unsigned long long)l_bytes, - (unsigned long long)l_addtime, (unsigned long long)l_usetime, - seq); - if (l < 0 || l >= len) - goto err; - p += l; - len -= l; - if (len < 0) - goto err; - - k = val2str(keymat, e_keylen + a_keylen); - l = snprintf(p, len, " %s", k); - if (l < 0 || l >= len) - goto err; - racoon_free(k); - p += l; - len -= l; - if (len < 0) - goto err; - - /* open the file and write the SA parameter */ - if (safefile(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 1) != 0 || - (fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "a")) == NULL) { - 
plog(LLV_ERROR, LOCATION, NULL, - "failed to open the backup file %s.\n", - lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]); - return -1; - } - fprintf(fp, "%s\n", buf); - fclose(fp); - - return 0; - -err: - plog(LLV_ERROR, LOCATION, NULL, - "SA cannot be saved to a file.\n"); - return -1; -} - -int -backupsa_from_file() -{ - FILE *fp; - char buf[512]; - struct tm tm; - time_t created, current; - char *p, *q; - u_int satype, mode; - struct sockaddr_storage *src, *dst; - u_int32_t spi, reqid; - caddr_t keymat; - size_t keymatlen; - u_int wsize, e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc; - u_int64_t l_bytes, l_addtime, l_usetime; - u_int32_t seq; - int line; - - if (safefile(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 1) == 0) - fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "r"); - else - fp = NULL; - if (fp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to open the backup file %s.\n", - lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]); - return -1; - } - - current = time(NULL); - - for(line = 1; fgets(buf, sizeof(buf), fp) != NULL; line++) { - /* comment line */ - if (buf[0] == '#') - continue; - - memset(&tm, 0, sizeof(tm)); - p = str2tmx(buf, &tm); - if (*p != '%') { - err: - plog(LLV_ERROR, LOCATION, NULL, - "illegal format line#%d in %s: %s\n", - line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], buf); - continue; - } - created = mktime(&tm); - p++; - - for (q = p; *q != '\0' && !isspace((int)*q); q++) - ; - *q = '\0'; - src = str2saddr(p, NULL); - if (src == NULL) - goto err; - p = q + 1; - - for (q = p; *q != '\0' && !isspace((int)*q); q++) - ; - *q = '\0'; - dst = str2saddr(p, NULL); - if (dst == NULL) { - racoon_free(src); - goto err; - } - p = q + 1; - -#define GETNEXTNUM(value, function) \ -do { \ - char *y; \ - for (q = p; *q != '\0' && !isspace((int)*q); q++) \ - ; \ - *q = '\0'; \ - (value) = function(p, &y, 10); \ - if ((value) == 0 && *y != '\0') \ - goto err; \ - p = q + 1; \ -} while (0); - - GETNEXTNUM(satype, strtoul); - GETNEXTNUM(spi, 
strtoul); - spi = ntohl(spi); - GETNEXTNUM(mode, strtoul); - GETNEXTNUM(reqid, strtoul); - GETNEXTNUM(wsize, strtoul); - GETNEXTNUM(e_type, strtoul); - GETNEXTNUM(e_keylen, strtoul); - GETNEXTNUM(a_type, strtoul); - GETNEXTNUM(a_keylen, strtoul); - GETNEXTNUM(flags, strtoul); - GETNEXTNUM(l_alloc, strtoul); - GETNEXTNUM(l_bytes, strtouq); - GETNEXTNUM(l_addtime, strtouq); - GETNEXTNUM(l_usetime, strtouq); - GETNEXTNUM(seq, strtoul); - -#undef GETNEXTNUM - - keymat = str2val(p, 16, &keymatlen); - if (keymat == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "illegal format(keymat) line#%d in %s: %s\n", - line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], buf); - racoon_free(src); - racoon_free(dst); - continue; - } - - if (created + l_addtime < current) { - plog(LLV_DEBUG, LOCATION, NULL, - "ignore this line#%d in %s due to expiration\n", - line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]); - racoon_free(src); - racoon_free(dst); - racoon_free(keymat); - continue; - } - l_addtime -= current - created; - if (pfkey_send_add( - lcconf->sock_pfkey, - satype, - mode, - src, - dst, - spi, - reqid, - wsize, - keymat, - e_type, e_keylen, a_type, a_keylen, flags, - 0, l_bytes, l_addtime, 0, seq, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "restore SA filed line#%d in %s: %s\n", - line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], ipsec_strerror()); - } - racoon_free(src); - racoon_free(dst); - racoon_free(keymat); - } - - fclose(fp); - - /* - * There is a possibility that an abnormal system down will happen - * again before new negotiation will be started. so racoon clears - * the backup file here. it's ok that old SAs are remained in the - * file. any old SA will not be installed because racoon checks the - * lifetime and compare with current time. - */ - - return 0; -} - -int -backupsa_clean() -{ - FILE *fp; - - /* simply return if the file is not defined. 
*/ - if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) - return 0; - - fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "w+"); - if (fp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to clean the backup file %s.\n", - lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]); - return -1; - } - fclose(fp); - return 0; -} - -/* - * convert fixed string into the tm structure. - * The fixed string is like 'Nov 24 18:22:48 1986'. - * static char *format = "%b %d %T %Y"; - */ -static char * -str2tmx(char *p, struct tm *tm) -{ - int i, len; - - /* Month */ - for (i = 0; i < sizeof(strmon)/sizeof(strmon[0]); i++) { - if (strncasecmp(p, strmon[i], strlen(strmon[i])) == 0) { - tm->tm_mon = i; - break; - } - } - if (i == sizeof(strmon)/sizeof(strmon[0])) - return 0; - p += strlen(strmon[i]); - if (*p++ != ' ') - return 0; - - /* Day */ - len = 2; - tm->tm_mday = str2num(p, len); - if (tm->tm_mday == -1 || tm->tm_mday > 31) - return 0; - p += len; - if (*p++ != ' ') - return 0; - - /* Hour */ - len = 2; - tm->tm_hour = str2num(p, len); - if (tm->tm_hour == -1 || tm->tm_hour > 24) - return 0; - p += len; - if (*p++ != ':') - return 0; - - /* Min */ - len = 2; - tm->tm_min = str2num(p, len); - if (tm->tm_min == -1 || tm->tm_min > 60) - return 0; - p += len; - if (*p++ != ':') - return 0; - - /* Sec */ - len = 2; - tm->tm_sec = str2num(p, len); - if (tm->tm_sec == -1 || tm->tm_sec > 60) - return 0; - p += len; - if (*p++ != ' ') - return 0; - - /* Year */ - len = 4; - tm->tm_year = str2num(p, len); - if (tm->tm_year == -1 || tm->tm_year < 1900) - return 0; - tm->tm_year -= 1900; - p += len; - - return p; -} - -static int -str2num(p, len) - char *p; - int len; -{ - int res, i; - - res = 0; - for (i = len; i > 0; i--) { - if (!isdigit((int)*p)) - return -1; - res *= 10; - res += *p - '0'; - p++; - } - - return res; -} - -#ifdef TEST -#include -int -main() -{ - struct tm tm; - time_t t; - char *buf = "Nov 24 18:22:48 1986 "; - char *p; - - memset(&tm, 0, sizeof(tm)); - p = str2tmx(buf, &tm); - 
printf("[%x]\n", *p); - t = mktime(&tm); - if (t == -1) - printf("mktime failed."); - p = ctime(&t); - printf("[%s]\n", p); - - exit(0); -} -#endif diff --git a/ipsec-tools/racoon/backupsa.h b/ipsec-tools/racoon/backupsa.h deleted file mode 100644 index 67cb67c..0000000 --- a/ipsec-tools/racoon/backupsa.h +++ /dev/null 
@@ -1,42 +0,0 @@ -/* $Id: backupsa.h,v 1.3 2004/06/11 16:00:15 ludvigm Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifndef _BACKUPSA_H -#define _BACKUPSA_H - -extern int backupsa_to_file __P((u_int, u_int, - struct sockaddr *, struct sockaddr *, u_int32_t, u_int32_t, u_int, - caddr_t, u_int, u_int, u_int, u_int, u_int, - u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t)); -extern int backupsa_from_file __P((void)); -extern int backupsa_clean __P((void)); - -#endif /* _BACKUPSA_H */ diff --git a/ipsec-tools/racoon/cfparse.y b/ipsec-tools/racoon/cfparse.y index 9089a3e..74aa040 100644 --- a/ipsec-tools/racoon/cfparse.y +++ b/ipsec-tools/racoon/cfparse.y @@ -68,8 +68,6 @@ #include "genlist.h" #include "debug.h" -#include "admin.h" -#include "privsep.h" #include "cfparse_proto.h" #include "cftoken_proto.h" #include "algorithm.h" @@ -95,14 +93,10 @@ #include "ipsec_doi.h" #include "strnames.h" #include "gcmalloc.h" -#ifdef HAVE_GSSAPI -#include "gssapi.h" -#endif #include "vendorid.h" #include "ipsecConfigTracer.h" #include "ipsecMessageTracer.h" - static int num2dhgroup[] = { 0, OAKLEY_ATTR_GRP_DESC_MODP768, 
@@ -134,25 +128,22 @@ static struct remoteconf *cur_rmconf; static int tmpalgtype[MAXALGCLASS]; static struct sainfo *cur_sainfo; static int cur_algclass; -static int oldloglevel = LLV_BASE; -static struct proposalspec *newprspec __P((void)); -static void insprspec __P((struct proposalspec *, struct proposalspec **)); -static struct secprotospec *newspspec __P((void)); -static void insspspec __P((struct secprotospec *, struct proposalspec **)); -static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int)); +static struct proposalspec *newprspec (void); +static void insprspec (struct proposalspec *, struct proposalspec **); +static struct secprotospec *newspspec (void); +static void insspspec (struct secprotospec *, struct proposalspec **); -static int set_isakmp_proposal - __P((struct remoteconf *, struct proposalspec *)); -static void clean_tmpalgtype __P((void)); -static int expand_isakmpspec __P((int, int, int *, - int, int, time_t, int, int, int, char *, struct remoteconf *)); -static int listen_addr __P((struct sockaddr_storage *addr, int udp_encap)); +static int set_isakmp_proposal (struct remoteconf *, struct proposalspec *); +static void clean_tmpalgtype (void); +static int expand_isakmpspec (int, int, int *, + int, int, time_t, int, int, int, char *, struct remoteconf *); +static int listen_addr (struct sockaddr_storage *addr, int udp_encap); void freeetypes (struct etypes **etypes); #if 0 -static int fix_lifebyte __P((u_long)); +static int fix_lifebyte (u_long); #endif %} @@ -165,8 +156,6 @@ static int fix_lifebyte __P((u_long)); struct remote_index_val *rmidx; } - /* privsep */ -%token PRIVSEP USER GROUP CHROOT /* path */ %token PATH PATHTYPE /* include */ 
@@ -191,7 +180,7 @@ static int fix_lifebyte __P((u_long)); /* algorithm */ %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE /* sainfo */ -%token SAINFO FROM +%token SAINFO FROM GROUP /* remote */ %token REMOTE ANONYMOUS INHERIT %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE @@ -214,19 +203,18 @@ static int fix_lifebyte __P((u_long)); %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL DPD_ALGORITHM %token DISCONNECT_ON_IDLE IDLE_TIMEOUT IDLE_DIRECTION %token XAUTH_LOGIN WEAK_PHASE1_CHECK +%token EAP_TYPE EAP_TYPES EAP_OPTIONS %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID -%token SCRIPT PHASE1_UP PHASE1_DOWN - %token NUMBER SWITCH BOOLEAN %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR %token EOS BOC EOC COMMA %token DPD_ALGO_TYPE_DEFAULT DPD_ALGO_TYPE_INBOUND DPD_ALGO_TYPE_BLACKHOLE -%token IDLE_DIRECTION_IN IDLE_DIRECTION_OUT IDLE_DIRECTION_ANY +%token IDLE_DIRECTION_IN IDLE_DIRECTION_OUT IDLE_DIRECTION_ANY IKE_VERSION %type NUMBER BOOLEAN SWITCH keylength %type PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE @@ -235,7 +223,7 @@ static int fix_lifebyte __P((u_long)); %type ALGORITHMTYPE STRENGTHTYPE %type PREFIX prefix PORT port ike_port %type ul_proto UL_PROTO -%type EXCHANGETYPE DOITYPE SITUATIONTYPE +%type EXCHANGETYPE DOITYPE SITUATIONTYPE EAP_TYPE %type CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL %type VERIFICATION_MODULE VERIFICATION_OPTION %type unittype_time unittype_byte @@ -254,10 +242,8 @@ statements | statements statement ; statement - : privsep_statement - | path_statement + : path_statement | include_statement - | gssenc_statement | identifier_statement | logging_statement | padding_statement 
@@ -269,42 +255,6 @@ statement | special_statement ; - /* privsep */ -privsep_statement - : PRIVSEP BOC privsep_stmts EOC - ; -privsep_stmts - : /* nothing */ - | privsep_stmts privsep_stmt - ; -privsep_stmt - : USER QUOTEDSTRING - { - struct passwd *pw; - - if ((pw = getpwnam($2->v)) == NULL) { - racoon_yyerror("unknown user \"%s\"", $2->v); - return -1; - } - lcconf->uid = pw->pw_uid; - } - EOS - | USER NUMBER { lcconf->uid = $2; } EOS - | GROUP QUOTEDSTRING - { - struct group *gr; - - if ((gr = getgrnam($2->v)) == NULL) { - racoon_yyerror("unknown group \"%s\"", $2->v); - return -1; - } - lcconf->gid = gr->gr_gid; - } - EOS - | GROUP NUMBER { lcconf->gid = $2; } EOS - | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS - ; - /* path */ path_statement : PATH PATHTYPE QUOTEDSTRING @@ -345,18 +295,6 @@ include_statement } ; - /* gss_id_enc */ -gssenc_statement - : GSS_ID_ENC GSS_ID_ENCTYPE EOS - { - if ($2 >= LC_GSSENC_MAX) { - racoon_yyerror("invalid GSS ID encoding %d", $2); - return -1; - } - lcconf->gss_id_enc = $2; - } - ; - /* self information */ identifier_statement : IDENTIFIER identifier_stmt @@ -386,24 +324,18 @@ logging_statement : LOGGING log_level EOS ; log_level - : HEXSTRING + : QUOTEDSTRING { /* * XXX ignore it because this specification * will be obsoleted. */ - racoon_yywarn("see racoon.conf(5), such a log specification will be obsoleted."); + plogsetlevelquotedstr($1->v); vfree($1); } | LOGLEV { - /* - * set the loglevel to the value specified - * in the configuration file plus the number - * of -d options specified on the command line - */ - loglevel += $1 - oldloglevel; - oldloglevel = $1; + plogsetlevel($1); } ; 
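Review bot: Dropping the whole `privsep_statement` production turns any existing racoon.conf that still carries a `privsep { user ...; group ...; chroot ...; }` block into a parse error, and the daemon silently loses the configured uid/gid/chroot drop; nothing in the hunk or the commit message records that compatibility break. Whether the lexer still emits PRIVSEP/USER/CHROOT is not visible here (only GROUP is re-added, as a sainfo token), so the failure mode for old configs cannot be confirmed from this hunk. A one-line comment at the removal site, `/* privsep block removed: uid/gid/chroot are no longer configurable here */`, or an empty production that emits `racoon_yywarn("privsep is no longer supported and is ignored")`, would make the change visible to operators.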
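Review bot: The comment retained above `plogsetlevelquotedstr($1->v)` still reads `XXX ignore it because this specification will be obsoleted.`, but the new code no longer ignores the quoted string — it sets the log level from it — so the comment now contradicts the line it documents. Replace it with `/* quoted level name; interpreted by plogsetlevelquotedstr() */` or remove it. `plogsetlevelquotedstr` is defined outside this file, so whether an unknown name is rejected or silently ignored cannot be seen here; if it is ignored, a `racoon_yywarn` on that path would preserve the feedback the removed warning gave.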
@@ -453,29 +385,17 @@ listen_stmt PORT EOS | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER { -#ifdef ENABLE_ADMINPORT - adminsock_conf($2, $3, $4, $5); -#else racoon_yywarn("admin port support not compiled in"); -#endif } EOS | ADMINSOCK QUOTEDSTRING { -#ifdef ENABLE_ADMINPORT - adminsock_conf($2, NULL, NULL, -1); -#else racoon_yywarn("admin port support not compiled in"); -#endif } EOS | ADMINSOCK DISABLED { -#ifdef ENABLE_ADMINPORT - adminsock_path = NULL; -#else racoon_yywarn("admin port support not compiled in"); -#endif } EOS | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS @@ -604,11 +524,7 @@ modecfg_stmt | CFG_AUTH_SOURCE CFG_RADIUS { #ifdef ENABLE_HYBRID -#ifdef HAVE_LIBRADIUS - isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS; -#else /* HAVE_LIBRADIUS */ racoon_yyerror("racoon not configured with --with-libradius"); -#endif /* HAVE_LIBRADIUS */ #else /* ENABLE_HYBRID */ racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ @@ -617,11 +533,7 @@ modecfg_stmt | CFG_AUTH_SOURCE CFG_PAM { #ifdef ENABLE_HYBRID -#ifdef HAVE_LIBPAM - isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM; -#else /* HAVE_LIBPAM */ racoon_yyerror("racoon not configured with --with-libpam"); -#endif /* HAVE_LIBPAM */ #else /* ENABLE_HYBRID */ racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ @@ -630,11 +542,7 @@ modecfg_stmt | CFG_AUTH_SOURCE CFG_LDAP { #ifdef ENABLE_HYBRID -#ifdef HAVE_LIBLDAP - isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP; -#else /* HAVE_LIBLDAP */ racoon_yyerror("racoon not configured with --with-libldap"); -#endif /* HAVE_LIBLDAP */ #else /* ENABLE_HYBRID */ racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ 
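Review bot: All three `ADMINSOCK` productions now unconditionally warn `admin port support not compiled in` yet still accept the directive, and the QUOTEDSTRING operands `$2`–`$4` are never released, whereas the rest of this grammar frees such values after use (the log_level action does `vfree($1)`). Add `vfree($2); vfree($3); vfree($4);` to the four-argument form and `vfree($2);` to the path-only form, or make the directive a `racoon_yyerror` so a configuration that relies on the admin socket fails loudly instead of running without it.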
@@ -659,11 +567,7 @@ modecfg_stmt | CFG_GROUP_SOURCE CFG_LDAP { #ifdef ENABLE_HYBRID -#ifdef HAVE_LIBLDAP - isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP; -#else /* HAVE_LIBLDAP */ racoon_yyerror("racoon not configured with --with-libldap"); -#endif /* HAVE_LIBLDAP */ #else /* ENABLE_HYBRID */ racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ @@ -690,11 +594,7 @@ modecfg_stmt | CFG_ACCOUNTING CFG_RADIUS { #ifdef ENABLE_HYBRID -#ifdef HAVE_LIBRADIUS - isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS; -#else /* HAVE_LIBRADIUS */ racoon_yyerror("racoon not configured with --with-libradius"); -#endif /* HAVE_LIBRADIUS */ #else /* ENABLE_HYBRID */ racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ @@ -703,11 +603,7 @@ modecfg_stmt | CFG_ACCOUNTING CFG_PAM { #ifdef ENABLE_HYBRID -#ifdef HAVE_LIBPAM - isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM; -#else /* HAVE_LIBPAM */ racoon_yyerror("racoon not configured with --with-libpam"); -#endif /* HAVE_LIBPAM */ #else /* ENABLE_HYBRID */ racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ 
@@ -727,13 +623,22 @@ modecfg_stmt { #ifdef ENABLE_HYBRID isakmp_cfg_config.pfs_group = $2; -#ifndef HAVE_OPENSSL - if (isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024 - && isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) { - racoon_yyerror("PFS group must be 2 or 5"); - return -1; - } -#endif + switch (isakmp_cfg_config.pfs_group) + { + case OAKLEY_ATTR_GRP_DESC_MODP768: + case OAKLEY_ATTR_GRP_DESC_MODP1024: + case OAKLEY_ATTR_GRP_DESC_MODP1536: + case OAKLEY_ATTR_GRP_DESC_MODP2048: + case OAKLEY_ATTR_GRP_DESC_MODP3072: + case OAKLEY_ATTR_GRP_DESC_MODP4096: + case OAKLEY_ATTR_GRP_DESC_MODP6144: + case OAKLEY_ATTR_GRP_DESC_MODP8192: + break; + default: + racoon_yyerror("Invalid PFS group specified"); + return -1; + break; + } #else /* ENABLE_HYBRID */ racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ @@ -769,11 +674,7 @@ modecfg_stmt | CFG_CONF_SOURCE CFG_RADIUS { #ifdef ENABLE_HYBRID -#ifdef HAVE_LIBRADIUS - isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS; -#else /* HAVE_LIBRADIUS */ racoon_yyerror("racoon not configured with --with-libradius"); -#endif /* HAVE_LIBRADIUS */ #else /* ENABLE_HYBRID */ racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ @@ -782,11 +683,7 @@ modecfg_stmt | CFG_CONF_SOURCE CFG_LDAP { #ifdef ENABLE_HYBRID -#ifdef HAVE_LIBLDAP - isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP; -#else /* HAVE_LIBLDAP */ racoon_yyerror("racoon not configured with --with-libldap"); -#endif /* HAVE_LIBLDAP */ #else /* ENABLE_HYBRID */ racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ 
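Review bot: The eight-case `switch` validating `pfs_group` is pasted verbatim here and again in the `sainfo_spec` hunk (`@@ -1259`) and both `dh_group_num` hunks (`@@ -1978`, `@@ -1994`), each with an unreachable `break` after `return -1`; a single `static int valid_dh_group(int grp)` helper called from all four sites would keep the accepted set in one place. The accepted set now also includes `OAKLEY_ATTR_GRP_DESC_MODP768` (DH group 1), which the replaced non-OpenSSL check did not allow; if the 768-bit group is accepted deliberately for interoperability, say so in a comment on that case, otherwise drop it.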
@@ -814,8 +711,10 @@ addrdns #ifdef ENABLE_HYBRID struct isakmp_cfg_config *icc = &isakmp_cfg_config; - if (icc->dns4_index > MAXNS) + if (icc->dns4_index > MAXNS) { racoon_yyerror("No more than %d DNS", MAXNS); + return -1; + } if (inet_pton(AF_INET, $1->v, &icc->dns4[icc->dns4_index++]) != 1) racoon_yyerror("bad IPv4 DNS address."); @@ -837,8 +736,10 @@ addrwins #ifdef ENABLE_HYBRID struct isakmp_cfg_config *icc = &isakmp_cfg_config; - if (icc->nbns4_index > MAXWINS) + if (icc->nbns4_index > MAXWINS) { racoon_yyerror("No more than %d WINS", MAXWINS); + return -1; + } if (inet_pton(AF_INET, $1->v, &icc->nbns4[icc->nbns4_index++]) != 1) racoon_yyerror("bad IPv4 WINS address."); @@ -1004,7 +905,7 @@ timer_stmt sainfo_statement : SAINFO { - cur_sainfo = newsainfo(); + cur_sainfo = create_sainfo(); if (cur_sainfo == NULL) { racoon_yyerror("failed to allocate sainfo"); return -1; @@ -1259,13 +1160,22 @@ sainfo_spec : PFS_GROUP dh_group_num { cur_sainfo->pfs_group = $2; -#ifndef HAVE_OPENSSL - if (cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024 - && cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) { - racoon_yyerror("PFS group must be 2 or 5"); - return -1; + switch (cur_sainfo->pfs_group) + { + case OAKLEY_ATTR_GRP_DESC_MODP768: + case OAKLEY_ATTR_GRP_DESC_MODP1024: + case OAKLEY_ATTR_GRP_DESC_MODP1536: + case OAKLEY_ATTR_GRP_DESC_MODP2048: + case OAKLEY_ATTR_GRP_DESC_MODP3072: + case OAKLEY_ATTR_GRP_DESC_MODP4096: + case OAKLEY_ATTR_GRP_DESC_MODP6144: + case OAKLEY_ATTR_GRP_DESC_MODP8192: + break; + default: + racoon_yyerror("Invalid PFS group specified"); + return -1; + break; } -#endif } EOS | LIFETIME LIFETYPE_TIME NUMBER unittype_time @@ -1428,7 +1338,7 @@ remote_statement struct remoteconf *new; struct proposalspec *prspec; - new = newrmconf(); + new = create_rmconf(); if (new == NULL) { racoon_yyerror("failed to get new remoteconf."); racoon_free($2->addr); 
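Review bot: The bound check gains a `return -1` but keeps `icc->dns4_index > MAXNS`, and the very next line writes `icc->dns4[icc->dns4_index++]`; if `dns4` is declared with `MAXNS` elements (its declaration is not in this hunk), index `MAXNS` is one past the end and the comparison should be `if (icc->dns4_index >= MAXNS) {`. The same applies to `icc->nbns4_index > MAXWINS` in the `addrwins` hunk that follows. When `inet_pton` fails the index has already been incremented, so a malformed address still consumes a slot and only warns; incrementing after a successful parse would avoid that.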
@@ -1463,8 +1373,7 @@ remote_specs_block if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { - if (cur_rmconf->mycertfile - || cur_rmconf->identity_in_keychain) + if (cur_rmconf->identity_in_keychain) { if (cur_rmconf->idv) racoon_yywarn("Both CERT and ASN1 ID " @@ -1496,8 +1405,9 @@ remote_specs_block if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0) return -1; - /* DH group settting if aggressive mode is there. */ - if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) { + /* DH group settting if aggressive mode or IKEv2. */ + if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL + ) { struct isakmpsa *p; int b = 0; 
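Review bot: The rewritten comment says `DH group settting if aggressive mode or IKEv2.` but the condition still tests only `check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL`, and the stray line break before `)` looks like a second clause was removed, leaving a comment that promises an IKEv2 case the code does not have. Either restore the IKEv2 test or change the comment back to `/* DH group setting if aggressive mode is there. */` (which also fixes `settting`). The enclosing `remote_specs_block` action continues outside the hunk.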
@@ -1574,74 +1484,16 @@ remote_spec exchange_types EOS | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS + | IKE_VERSION NUMBER + { + if ($2 == 1) + cur_rmconf->ike_version = ISAKMP_VERSION_NUMBER_IKEV1; + else { + racoon_yyerror("invalid IKE version specified.\n"); + return -1; + } + } EOS | CERTIFICATE_TYPE cert_spec - | PEERS_CERTFILE QUOTEDSTRING - { -#ifdef HAVE_OPENSSL - racoon_yywarn("This directive without certtype will be removed!\n"); - racoon_yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v); - cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; - - if (cur_rmconf->peerscertfile != NULL) - racoon_free(cur_rmconf->peerscertfile); - cur_rmconf->peerscertfile = racoon_strdup($2->v); - STRDUP_FATAL(cur_rmconf->peerscertfile); - vfree($2); -#else - racoon_yyerror("cert files not supported.\n"); - return -1; -#endif - } - EOS - | CA_TYPE CERT_X509 QUOTEDSTRING - { -#ifdef HAVE_OPENSSL - cur_rmconf->cacerttype = $2; - cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE; - if (cur_rmconf->cacertfile != NULL) - racoon_free(cur_rmconf->cacertfile); - cur_rmconf->cacertfile = racoon_strdup($3->v); - STRDUP_FATAL(cur_rmconf->cacertfile); - vfree($3); -#else - racoon_yyerror("cert files not supported.\n"); - return -1; -#endif - - } - EOS - | PEERS_CERTFILE CERT_X509 QUOTEDSTRING - { -#ifdef HAVE_OPENSSL - cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; - if (cur_rmconf->peerscertfile != NULL) - racoon_free(cur_rmconf->peerscertfile); - cur_rmconf->peerscertfile = racoon_strdup($3->v); - STRDUP_FATAL(cur_rmconf->peerscertfile); - vfree($3); -#else - racoon_yyerror("cert files not supported.\n"); - return -1; -#endif - - } - EOS - | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING - { - racoon_yyerror("plainrsa not supported.\n"); - return -1; - } - EOS - | PEERS_CERTFILE DNSSEC - { - if (cur_rmconf->getcert_method) { - racoon_yyerror("Different peers_certfile method already 
defined!\n"); - return -1; - } - cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS; - cur_rmconf->peerscertfile = NULL; - } - EOS | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS 
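Review bot: The new `IKE_VERSION NUMBER` production only ever stores `ISAKMP_VERSION_NUMBER_IKEV1` and rejects every other number, so it reads as a stub; a comment such as `/* only IKE version 1 is accepted here; any other value is a configuration error */` would save the next reader from hunting for an IKEv2 branch. The message `"invalid IKE version specified.\n"` carries a trailing newline while the nearby `racoon_yyerror("failed to allocate sainfo")` does not; the file is inconsistent on this and the new line could follow the no-newline form. Removing the `peers_certfile` and `ca_type` file-based productions also means configurations that use them now fail to parse, which the hunk does not document.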
@@ -1772,24 +1624,36 @@ remote_spec racoon_yywarn("Your kernel does not support esp_frag"); #endif } EOS - | SCRIPT QUOTEDSTRING PHASE1_UP { - if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL) - vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]); - - cur_rmconf->script[SCRIPT_PHASE1_UP] = - script_path_add(vdup($2)); - } EOS - | SCRIPT QUOTEDSTRING PHASE1_DOWN { - if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL) - vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]); - - cur_rmconf->script[SCRIPT_PHASE1_DOWN] = - script_path_add(vdup($2)); - } EOS | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS | WEAK_PHASE1_CHECK SWITCH { cur_rmconf->weak_phase1_check = $2; } EOS + | EAP_TYPES { cur_rmconf->eap_types = NULL; } eap_types EOS + | EAP_OPTIONS QUOTEDSTRING { + vchar_t *options_path = $2; + cur_rmconf->eap_options = NULL; + if (options_path) { + CFStringRef option_path_str = CFStringCreateWithCString(kCFAllocatorDefault, options_path->v, kCFStringEncodingASCII); + if (option_path_str) { + CFURLRef plist_url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, option_path_str, kCFURLPOSIXPathStyle, false); + if (plist_url) { + CFReadStreamRef read_stream = CFReadStreamCreateWithFile(kCFAllocatorDefault, plist_url); + if (read_stream) { + CFReadStreamOpen (read_stream); + cur_rmconf->eap_options = CFPropertyListCreateWithStream(kCFAllocatorDefault, read_stream, 0, kCFPropertyListImmutable, NULL, NULL); + CFRelease (read_stream); + } + CFRelease (plist_url); + } else { + racoon_yywarn("eap_options must contain a path to a property list"); + } + CFRelease(option_path_str); + } else { + racoon_yywarn("eap_options string could not be processed"); + } + vfree(options_path); + } + } EOS | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS 
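Review bot: In the `EAP_OPTIONS` action the return value of `CFReadStreamOpen(read_stream)` is ignored and `CFPropertyListCreateWithStream` is given a NULL error out-parameter, so an unreadable or malformed property list leaves `cur_rmconf->eap_options` NULL with no diagnostic, while the two failure branches beneath it do call `racoon_yywarn`. The rewrite below checks the open, passes a `CFErrorRef`, warns on failure and closes the stream before releasing it. The plist path is also read without the ownership/permission check racoon applies to other files it reads (`safefile()`, as used in the removed backupsa.c above); if its contract fits, calling it on `options_path->v` before opening would refuse a file an unprivileged user could have replaced, and `kCFStringEncodingUTF8` rather than `kCFStringEncodingASCII` would accept non-ASCII path bytes. Separately, `EAP_TYPES { cur_rmconf->eap_types = NULL; }` discards an earlier list without freeing it; `freeetypes(&cur_rmconf->eap_types);`, declared earlier in this file, releases it.
```c
if (read_stream) {
    if (CFReadStreamOpen(read_stream)) {
        CFErrorRef plist_error = NULL;
        cur_rmconf->eap_options = CFPropertyListCreateWithStream(kCFAllocatorDefault, read_stream, 0, kCFPropertyListImmutable, NULL, &plist_error);
        if (cur_rmconf->eap_options == NULL) {
            racoon_yywarn("eap_options property list could not be read");
            if (plist_error) {
                CFRelease(plist_error);
            }
        }
        CFReadStreamClose(read_stream);
    } else {
        racoon_yywarn("eap_options file could not be opened");
    }
    CFRelease(read_stream);
}
/* … unchanged: plist_url / option_path_str release and their warnings … */
```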
@@ -1885,7 +1749,7 @@ remote_spec | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte { #if 1 - racoon_yyerror("byte lifetime support is deprecated in Phase1"); + racoon_yyerror("byte lifetime support is deprecated in Phase 1"); return -1; #else racoon_yywarn("the lifetime of bytes in phase 1 " @@ -1931,23 +1795,32 @@ exchange_types } } ; -cert_spec - : CERT_X509 QUOTEDSTRING QUOTEDSTRING - { - cur_rmconf->certtype = $1; - if (cur_rmconf->mycertfile != NULL) - racoon_free(cur_rmconf->mycertfile); - cur_rmconf->mycertfile = racoon_strdup($2->v); - STRDUP_FATAL(cur_rmconf->mycertfile); - vfree($2); - if (cur_rmconf->myprivfile != NULL) - racoon_free(cur_rmconf->myprivfile); - cur_rmconf->myprivfile = racoon_strdup($3->v); - STRDUP_FATAL(cur_rmconf->myprivfile); - vfree($3); +eap_types + : /* nothing */ + | eap_types EAP_TYPE + { + struct etypes *new_eaps; + new_eaps = racoon_malloc(sizeof(struct etypes)); + if (new_eaps == NULL) { + racoon_yyerror("failed to allocate etypes"); + return -1; + } + new_eaps->type = $2; + new_eaps->next = NULL; + if (cur_rmconf->eap_types == NULL) + cur_rmconf->eap_types = new_eaps; + else { + struct etypes *p; + for (p = cur_rmconf->eap_types; + p->next != NULL; + p = p->next) + ; + p->next = new_eaps; + } } - EOS - | CERT_X509 IN_KEYCHAIN + ; +cert_spec + : CERT_X509 IN_KEYCHAIN { cur_rmconf->certtype = $1; cur_rmconf->identity_in_keychain = 1; @@ -1963,13 +1836,6 @@ cert_spec } EOS ; - | CERT_PLAINRSA QUOTEDSTRING - { - racoon_yyerror("plainrsa not supported.\n"); - return -1; - } - EOS - ; dh_group_num : ALGORITHMTYPE { 
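Review bot: The `eap_types` append in the new `eap_types` production never checks whether `$2` is already on `cur_rmconf->eap_types`, so `eap_types a a a` builds three identical nodes; the tail walk already visits every node, so comparing `p->type == $2` in that loop and skipping the append on a match would make the list a set at no extra cost. The `racoon_malloc` result is checked and `new_eaps->next` is initialised before linking, which is correct; a short comment on the production, `/* append in declaration order; duplicates are not rejected */` if the current behaviour is intended, would document the choice.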
@@ -1978,12 +1844,22 @@ dh_group_num racoon_yyerror("must be DH group"); return -1; } -#ifndef HAVE_OPENSSL - if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) { - racoon_yyerror("DH group must be 2 or 5"); - return -1; + switch ($$) + { + case OAKLEY_ATTR_GRP_DESC_MODP768: + case OAKLEY_ATTR_GRP_DESC_MODP1024: + case OAKLEY_ATTR_GRP_DESC_MODP1536: + case OAKLEY_ATTR_GRP_DESC_MODP2048: + case OAKLEY_ATTR_GRP_DESC_MODP3072: + case OAKLEY_ATTR_GRP_DESC_MODP4096: + case OAKLEY_ATTR_GRP_DESC_MODP6144: + case OAKLEY_ATTR_GRP_DESC_MODP8192: + break; + default: + racoon_yyerror("Invalid DH group specified"); + return -1; + break; } -#endif } | NUMBER { @@ -1994,13 +1870,23 @@ dh_group_num $$ = 0; return -1; } -#ifndef HAVE_OPENSSL - if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) { - racoon_yyerror("DH group must be 2 or 5"); - return -1; + switch ($$) + { + case OAKLEY_ATTR_GRP_DESC_MODP768: + case OAKLEY_ATTR_GRP_DESC_MODP1024: + case OAKLEY_ATTR_GRP_DESC_MODP1536: + case OAKLEY_ATTR_GRP_DESC_MODP2048: + case OAKLEY_ATTR_GRP_DESC_MODP3072: + case OAKLEY_ATTR_GRP_DESC_MODP4096: + case OAKLEY_ATTR_GRP_DESC_MODP6144: + case OAKLEY_ATTR_GRP_DESC_MODP8192: + break; + default: + racoon_yyerror("Invalid DH group specified"); + return -1; + break; } -#endif - } + } ; identifierstring : /* nothing */ { $$ = NULL; } @@ -2055,12 +1941,13 @@ isakmpproposal_spec { int doi; int defklen; - - doi = algtype2doi($1, $2); - if (doi == -1) { - racoon_yyerror("algorithm mismatched 1"); - return -1; - } + { + doi = algtype2doi($1, $2); + if (doi == -1) { + racoon_yyerror("algorithm mismatched 1"); + return -1; + } + } switch ($1) { case algclass_isakmp_enc: @@ -2221,7 +2108,7 @@ set_isakmp_proposal(rmconf, prspec) p = prspec; if (p->next != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "multiple proposal definition.\n"); return -1; } 
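Review bot: The DH-group validation switch added to the ALGORITHMTYPE and NUMBER alternatives of dh_group_num is duplicated verbatim, and in both copies the `break;` after `return -1;` is unreachable. A small static helper called from both alternatives would keep the accepted set in one place; the rewrite is sketched below. The accepted set now includes OAKLEY_ATTR_GRP_DESC_MODP768, which the replaced `#ifndef HAVE_OPENSSL` check did not admit; if accepting the weakest group is intended, a comment at the switch saying why would help a later reader. The enclosing dh_group_num rule begins before the hunk.
```c
/* Accepted MODP groups for dh_group; shared by both dh_group_num alternatives. */
static int
is_supported_dh_group(int grp)
{
	switch (grp) {
	case OAKLEY_ATTR_GRP_DESC_MODP768:
	case OAKLEY_ATTR_GRP_DESC_MODP1024:
	case OAKLEY_ATTR_GRP_DESC_MODP1536:
	case OAKLEY_ATTR_GRP_DESC_MODP2048:
	case OAKLEY_ATTR_GRP_DESC_MODP3072:
	case OAKLEY_ATTR_GRP_DESC_MODP4096:
	case OAKLEY_ATTR_GRP_DESC_MODP6144:
	case OAKLEY_ATTR_GRP_DESC_MODP8192:
		return 1;
	default:
		return 0;
	}
}

/* … in each dh_group_num alternative, replacing the duplicated switch … */
if (!is_supported_dh_group($$)) {
	racoon_yyerror("Invalid DH group specified");
	return -1;
}
```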
@@ -2239,8 +2126,8 @@ set_isakmp_proposal(rmconf, prspec) return -1; } if (s->algclass[algclass_isakmp_hash] == 0) { - racoon_yyerror("hash algorithm required."); - return -1; + racoon_yyerror("hash algorithm required."); + return -1; } if (s->algclass[algclass_isakmp_dh] == 0) { racoon_yyerror("DH group required."); @@ -2257,18 +2144,18 @@ set_isakmp_proposal(rmconf, prspec) ; while (s != NULL) { - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "lifetime = %ld\n", (long) (s->lifetime ? s->lifetime : p->lifetime)); - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "lifebyte = %d\n", s->lifebyte ? s->lifebyte : p->lifebyte); - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "encklen=%d\n", s->encklen); memset(types, 0, ARRAYLEN(types)); types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; - types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; + types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; types[algclass_isakmp_ameth] = s->algclass[algclass_isakmp_ameth]; @@ -2282,7 +2169,7 @@ set_isakmp_proposal(rmconf, prspec) s->encklen, s->vendorid, s->gssid, rmconf); if (trns_no == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to expand isakmp proposal.\n"); return -1; } @@ -2291,7 +2178,7 @@ set_isakmp_proposal(rmconf, prspec) } if (rmconf->proposal == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no proposal found.\n"); return -1; } 
@@ -2326,18 +2213,18 @@ expand_isakmpspec(prop_no, trns_no, types, { int j; char tb[10]; - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "p:%d t:%d\n", prop_no, trns_no); for (j = class; j < MAXALGCLASS; j++) { snprintf(tb, sizeof(tb), "%d", types[j]); - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s%s%s%s\n", s_algtype(j, types[j]), types[j] ? "(" : "", tb[0] == '0' ? "" : tb, types[j] ? ")" : ""); } - plog(LLV_DEBUG2, LOCATION, NULL, "\n"); + plog(ASL_LEVEL_DEBUG, "\n"); } #define TMPALGTYPE2STR(n) \ @@ -2345,7 +2232,6 @@ expand_isakmpspec(prop_no, trns_no, types, /* check mandatory values */ if (types[algclass_isakmp_enc] == 0 || types[algclass_isakmp_ameth] == 0 - || types[algclass_isakmp_hash] == 0 || types[algclass_isakmp_dh] == 0) { racoon_yyerror("few definition of algorithm " "enc=%s ameth=%s hash=%s dhgroup=%s.\n", @@ -2370,29 +2256,10 @@ expand_isakmpspec(prop_no, trns_no, types, new->enctype = types[algclass_isakmp_enc]; new->encklen = encklen; new->authmethod = types[algclass_isakmp_ameth]; - new->hashtype = types[algclass_isakmp_hash]; + new->hashtype = types[algclass_isakmp_hash]; + new->prf = types[algclass_isakmp_hash]; new->dh_group = types[algclass_isakmp_dh]; new->vendorid = vendorid; -#ifdef HAVE_GSSAPI - if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { - if (gssid != NULL) { - if ((new->gssid = vmalloc(strlen(gssid))) == NULL) { - racoon_free(new); - racoon_yyerror("failed to allocate gssid"); - return -1; - } - memcpy(new->gssid->v, gssid, new->gssid->l); - racoon_free(gssid); - } else { - /* - * Allocate the default ID so that it gets put - * into a GSS ID attribute during the Phase 1 - * exchange. - */ - new->gssid = gssapi_get_default_gss_id(); - } - } -#endif insisakmpsa(new, rmconf); return trns_no; @@ -2451,7 +2318,7 @@ cfparse() { int error; - plog(LLV_DEBUG, LOCATION, NULL, "===== parse config\n"); + plog(ASL_LEVEL_DEBUG, "===== parsing configuration\n"); yycf_init_buffer(); 
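Review bot: expand_isakmpspec drops `types[algclass_isakmp_hash] == 0` from the mandatory-value check while `new->prf = types[algclass_isakmp_hash];` is added a few lines later, so a proposal without a hash algorithm now passes this function with hashtype and prf both 0; set_isakmp_proposal in the previous hunk still rejects that case with "hash algorithm required.", so the two checks no longer agree on whether hash is optional. Either keep the hash term here or add a comment at the removed line explaining who supplies the PRF when hash is absent, e.g. `/* hash may be 0: IKEv2 proposals carry prf/integ separately — TODO confirm */` (hedged: the ikev2 algorithm classes are only visible in cftoken.l). The "few definition of algorithm" message still prints hash=%s, which is misleading for a field that is no longer required here.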
@@ -2460,7 +2327,7 @@ cfparse() IPSECCONFIGEVENTCODE_PARSE_ERROR, CONSTSTR("could not read configuration file"), CONSTSTR("cfparse: yycf_switch_buffer erred")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "could not read configuration file \"%s\"\n", lcconf->racoon_conf); return -1; @@ -2469,11 +2336,11 @@ cfparse() error = yyparse(); if (error != 0) { if (yyerrorcount) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "fatal parse failure (%d errors)\n", yyerrorcount); } else { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "fatal parse failure.\n"); } IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), @@ -2485,7 +2352,7 @@ cfparse() } if (error == 0 && yyerrorcount) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "parse error is nothing, but yyerrorcount is %d.\n", yyerrorcount); IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), @@ -2498,7 +2365,7 @@ cfparse() yycf_clean_buffer(); - plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n"); + plog(ASL_LEVEL_DEBUG, "parse succeeded.\n"); return 0; } 
@@ -2506,101 +2373,30 @@ cfparse() int cfreparse(int sig) { + int result; int ignore_estab_or_assert_handles = (sig == SIGUSR1); if (sig >= 0 && sig < NSIG) { - plog(LLV_DEBUG, LOCATION, NULL, "==== Got %s signal - re-parsing.\n", sys_signame[sig]); + plog(ASL_LEVEL_DEBUG, "==== Got %s signal - re-parsing configuration.\n", sys_signame[sig]); } else { - plog(LLV_ERROR, LOCATION, NULL, "==== Got Unknown signal - re-parsing.\n"); + plog(ASL_LEVEL_ERR, "==== Got Unknown signal - re-parsing configuration.\n"); IPSECCONFIGTRACEREVENT(CONSTSTR("reparse"), IPSECCONFIGEVENTCODE_REPARSE_ERROR, CONSTSTR("Unknown signal"), CONSTSTR("cfreparse: triggered by unknown signal")); } + plog(ASL_LEVEL_DEBUG, "==== %s sessions.\n", ignore_estab_or_assert_handles? "flush negotiating" : "flush all"); - flushph2(ignore_estab_or_assert_handles); - flushph1(ignore_estab_or_assert_handles); + ike_session_flush_all_phase2(ignore_estab_or_assert_handles); + ike_session_flush_all_phase1(ignore_estab_or_assert_handles); flushrmconf(); flushsainfo(); - flushlcconf(); -#ifdef HAVE_LIBLDAP - xauth_ldap_flush(); -#endif check_auto_exit(); /* check/change state of auto exit */ clean_tmpalgtype(); - - return(cfparse()); + savelcconf(); + result = cfparse(); + restorelcconf(); + return result; } -#ifdef ENABLE_ADMINPORT -static void -adminsock_conf(path, owner, group, mode_dec) - vchar_t *path; - vchar_t *owner; - vchar_t *group; - int mode_dec; -{ - struct passwd *pw = NULL; - struct group *gr = NULL; - mode_t mode = 0; - uid_t uid; - gid_t gid; - int isnum; - - adminsock_path = path->v; - - if (owner == NULL) - return; - - errno = 0; - uid = atoi(owner->v); - isnum = !errno; - if (((pw = getpwnam(owner->v)) == NULL) && !isnum) - racoon_yyerror("User \"%s\" does not exist", owner->v); - - if (pw) - adminsock_owner = pw->pw_uid; - else - adminsock_owner = uid; - - if (group == NULL) - return; - - errno = 0; - gid = atoi(group->v); - isnum = !errno; - if (((gr = getgrnam(group->v)) == NULL) && !isnum) 
- racoon_yyerror("Group \"%s\" does not exist", group->v); - - if (gr) - adminsock_group = gr->gr_gid; - else - adminsock_group = gid; - - if (mode_dec == -1) - return; - - if (mode_dec > 777) - racoon_yyerror("Mode 0%03o is invalid", mode_dec); - if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; } - if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; } - if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; } - - if (mode_dec > 77) - racoon_yyerror("Mode 0%03o is invalid", mode_dec); - if (mode_dec >= 40) { mode += 040; mode_dec -= 40; } - if (mode_dec >= 20) { mode += 020; mode_dec -= 20; } - if (mode_dec >= 10) { mode += 020; mode_dec -= 10; } - - if (mode_dec > 7) - racoon_yyerror("Mode 0%03o is invalid", mode_dec); - if (mode_dec >= 4) { mode += 04; mode_dec -= 4; } - if (mode_dec >= 2) { mode += 02; mode_dec -= 2; } - if (mode_dec >= 1) { mode += 02; mode_dec -= 1; } - - adminsock_mode = mode; - - return; -} -#endif diff --git a/ipsec-tools/racoon/cfparse_proto.h b/ipsec-tools/racoon/cfparse_proto.h index 010cdcd..bf4be3f 100644 --- a/ipsec-tools/racoon/cfparse_proto.h +++ b/ipsec-tools/racoon/cfparse_proto.h @@ -33,8 +33,8 @@ #define _CFPARSE_PROTO_H /* cfparse.y */ -extern int yyparse __P((void)); -extern int cfparse __P((void)); -extern int cfreparse __P((int)); +extern int yyparse (void); +extern int cfparse (void); +extern int cfreparse (int); #endif /* _CFPARSE_PROTO_H */ diff --git a/ipsec-tools/racoon/cftoken.l b/ipsec-tools/racoon/cftoken.l index f103c3f..5428f97 100644 --- a/ipsec-tools/racoon/cftoken.l +++ b/ipsec-tools/racoon/cftoken.l 
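Review bot: cfreparse now calls `restorelcconf()` unconditionally after `cfparse()`, including when the re-parse failed, and the removed `flushlcconf()` means the previous lcconf is no longer cleared before the new parse; nothing in the hunk says what savelcconf/restorelcconf preserve, so a comment above `savelcconf();` stating which lcconf fields survive a reparse and why restoring is correct on the failure path would help. `result` is only needed for that bracket, so `return cfparse();` with the restore moved into cfparse would be the alternative if restoring on failure is not intended.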
@@ -88,15 +88,16 @@
 #endif
 #include "y.tab.h"
+#include "eap_sim.h"
 int yyerrorcount = 0;
 #if defined(YIPS_DEBUG)
-# define YYDB plog(LLV_DEBUG2, LOCATION, NULL, \
+# define YYDB plog(ASL_LEVEL_DEBUG, \
 "begin <%d>%s\n", yy_start, yytext);
 # define YYD { \
-plog(LLV_DEBUG2, LOCATION, NULL, "<%d>%s", \
-yy_start, loglevel >= LLV_DEBUG2 ? "\n" : ""); \
+plog(ASL_LEVEL_DEBUG, "<%d>%s", \
+yy_start, loglevel >= ASL_LEVEL_DEBUG ? "\n" : ""); \
 }
 #else
 # define YYDB
@@ -159,13 +160,6 @@ hexstring 0x{hexdigit}+
 }
 %}
-/* privsep */
-privsep { BEGIN S_PRIV; YYDB; return(PRIVSEP); }
-{bcl} { return(BOC); }
-user { YYD; return(USER); }
-group { YYD; return(GROUP); }
-chroot { YYD; return(CHROOT); }
-{ecl} { BEGIN S_INI; return(EOC); }
 /* path */
 path { BEGIN S_PTH; YYDB; return(PATH); }
@@ -175,10 +169,6 @@ hexstring 0x{hexdigit}+
 return(PATHTYPE); }
 certificate { YYD; yylval.num = LC_PATHTYPE_CERT; return(PATHTYPE); }
-script { YYD; yylval.num = LC_PATHTYPE_SCRIPT;
-return(PATHTYPE); }
-backupsa { YYD; yylval.num = LC_PATHTYPE_BACKUPSA;
-return(PATHTYPE); }
 pidfile { YYD; yylval.num = LC_PATHTYPE_PIDFILE;
 return(PATHTYPE); }
 logfile { YYD; yylval.num = LC_PATHTYPE_LOGFILE;
@@ -197,14 +187,14 @@ hexstring 0x{hexdigit}+
 /* logging */
 log { BEGIN S_LOG; YYDB; return(LOGGING); }
-error { YYD; yylval.num = LLV_ERROR; return(LOGLEV); }
-warning { YYD; yylval.num = LLV_WARNING; return(LOGLEV); }
-notify { YYD; yylval.num = LLV_NOTIFY; return(LOGLEV); }
-info { YYD; yylval.num = LLV_INFO; return(LOGLEV); }
-debug { YYD; yylval.num = LLV_DEBUG; return(LOGLEV); }
-debug2 { YYD; yylval.num = LLV_DEBUG2; return(LOGLEV); }
-debug3 { YYD; racoon_yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); }
-debug4 { YYD; racoon_yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); }
+error { YYD; yylval.num = ASL_LEVEL_ERR; return(LOGLEV); }
+warning { YYD; yylval.num = ASL_LEVEL_WARNING; return(LOGLEV); }
+notify { YYD; yylval.num = ASL_LEVEL_NOTICE; return(LOGLEV); }
+info { YYD; yylval.num = ASL_LEVEL_INFO; return(LOGLEV); }
+debug { YYD; yylval.num = ASL_LEVEL_DEBUG; return(LOGLEV); }
+debug2 { YYD; yylval.num = ASL_LEVEL_DEBUG; return(LOGLEV); }
+debug3 { YYD; racoon_yywarn("it is obsoleted. use \"debug2\""); yylval.num = ASL_LEVEL_DEBUG; return(LOGLEV); }
+debug4 { YYD; racoon_yywarn("it is obsoleted. use \"debug2\""); yylval.num = ASL_LEVEL_DEBUG; return(LOGLEV); }
 {semi} { BEGIN S_INI; return(EOS); }
 /* padding */
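Review bot: `debug2` now yields the same ASL_LEVEL_DEBUG as `debug`, yet the deprecation warnings on `debug3` and `debug4` still steer users to "debug2", and `debug2` itself gives no hint that it no longer differs from `debug`. Pointing the existing warnings at "debug", or adding `racoon_yywarn("debug2 is now equivalent to debug");` to the debug2 rule, would keep the advice accurate after the level conversion.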
@@ -302,12 +292,12 @@ hexstring 0x{hexdigit}+ {ecl} { BEGIN S_INI; return(EOC); } exchange_mode { YYD; return(EXCHANGE_MODE); } {comma} { YYD; /* XXX ignored, but to be handled. */ ; } -base { YYD; yylval.num = ISAKMP_ETYPE_BASE; return(EXCHANGETYPE); } main { YYD; yylval.num = ISAKMP_ETYPE_IDENT; return(EXCHANGETYPE); } aggressive { YYD; yylval.num = ISAKMP_ETYPE_AGG; return(EXCHANGETYPE); } doi { YYD; return(DOI); } ipsec_doi { YYD; yylval.num = IPSEC_DOI; return(DOITYPE); } situation { YYD; return(SITUATION); } +ike_version { YYD; return(IKE_VERSION); } identity_only { YYD; yylval.num = IPSECDOI_SIT_IDENTITY_ONLY; return(SITUATIONTYPE); } secrecy { YYD; yylval.num = IPSECDOI_SIT_SECRECY; return(SITUATIONTYPE); } integrity { YYD; yylval.num = IPSECDOI_SIT_INTEGRITY; return(SITUATIONTYPE); } @@ -383,11 +373,13 @@ hexstring 0x{hexdigit}+ idle_direction { YYD; return(IDLE_DIRECTION); } ike_frag { YYD; return(IKE_FRAG); } esp_frag { YYD; return(ESP_FRAG); } -script { YYD; return(SCRIPT); } -phase1_up { YYD; return(PHASE1_UP); } -phase1_down { YYD; return(PHASE1_DOWN); } mode_cfg { YYD; return(MODE_CFG); } weak_phase1_check { YYD; return(WEAK_PHASE1_CHECK); } +eap_types { YYD; return(EAP_TYPES); } +eap_any { YYD; yylval.num = EAP_TYPE_NONE; return(EAP_TYPE); } +eap_sim { YYD; yylval.num = EAP_TYPE_SIM; return(EAP_TYPE); } +eap_aka { YYD; yylval.num = EAP_TYPE_AKA; return(EAP_TYPE); } +eap_options { YYD; return(EAP_OPTIONS); } /* remote proposal */ proposal { BEGIN S_RMTP; YYDB; return(PROPOSAL); } {bcl} { return(BOC); } 
@@ -398,6 +390,8 @@ hexstring 0x{hexdigit}+
 encryption_algorithm { YYD; yylval.num = algclass_isakmp_enc; return(ALGORITHM_CLASS); }
 authentication_method { YYD; yylval.num = algclass_isakmp_ameth; return(ALGORITHM_CLASS); }
 hash_algorithm { YYD; yylval.num = algclass_isakmp_hash; return(ALGORITHM_CLASS); }
+prf_algorithm { YYD; yylval.num = algclass_ikev2_prf; return(ALGORITHM_CLASS); }
+integ_algorithm { YYD; yylval.num = algclass_ikev2_integ; return(ALGORITHM_CLASS); }
 dh_group { YYD; return(DH_GROUP); }
 gss_id { YYD; return(GSS_ID); }
 gssapi_id { YYD; return(GSS_ID); } /* for back compatibility */
@@ -472,14 +466,16 @@ aes { YYD; yylval.num = algtype_aes; return(ALGORITHMTYPE); } rijndael { YYD; yylval.num = algtype_aes; return(ALGORITHMTYPE); } twofish { YYD; yylval.num = algtype_twofish; return(ALGORITHMTYPE); } non_auth { YYD; yylval.num = algtype_non_auth; return(ALGORITHMTYPE); } -hmac_md5 { YYD; yylval.num = algtype_hmac_md5; return(ALGORITHMTYPE); } -hmac_sha1 { YYD; yylval.num = algtype_hmac_sha1; return(ALGORITHMTYPE); } +hmac_md5 { YYD; yylval.num = algtype_hmac_md5_128; return(ALGORITHMTYPE); } +hmac_sha1 { YYD; yylval.num = algtype_hmac_sha1_160; return(ALGORITHMTYPE); } hmac_sha2_256 { YYD; yylval.num = algtype_hmac_sha2_256; return(ALGORITHMTYPE); } hmac_sha256 { YYD; yylval.num = algtype_hmac_sha2_256; return(ALGORITHMTYPE); } hmac_sha2_384 { YYD; yylval.num = algtype_hmac_sha2_384; return(ALGORITHMTYPE); } hmac_sha384 { YYD; yylval.num = algtype_hmac_sha2_384; return(ALGORITHMTYPE); } hmac_sha2_512 { YYD; yylval.num = algtype_hmac_sha2_512; return(ALGORITHMTYPE); } hmac_sha512 { YYD; yylval.num = algtype_hmac_sha2_512; return(ALGORITHMTYPE); } +hmac_md5_96 { YYD; yylval.num = algtype_hmac_md5_96; return(ALGORITHMTYPE); } +hmac_sha1_96 { YYD; yylval.num = algtype_hmac_sha1_96; return(ALGORITHMTYPE); } des_mac { YYD; yylval.num = algtype_des_mac; return(ALGORITHMTYPE); } kpdk { YYD; yylval.num = algtype_kpdk; return(ALGORITHMTYPE); } md5 { YYD; yylval.num = algtype_md5; return(ALGORITHMTYPE); } @@ -567,6 +563,20 @@ xauth_rsa_client { racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } +eap_psk_client { + #ifdef ENABLE_HYBRID + YYD; yylval.num = algtype_eap_psk_c; return(ALGORITHMTYPE); + #else + racoon_yyerror("racoon not configured with --enable-hybrid"); + #endif +} +eap_rsa_client { + #ifdef ENABLE_HYBRID + YYD; yylval.num = algtype_eap_rsa_c; return(ALGORITHMTYPE); + #else + racoon_yyerror("racoon not configured with --enable-hybrid"); + #endif +} 
@@ -756,14 +766,14 @@ no { YYD; yylval.num = FALSE; return(BOOLEAN); } void yyerror(const char *msg) { - plog(LLV_ERROR, LOCATION, NULL, "%s:%d: %s\n", incstack[incstackp].path, incstack[incstackp].lineno, msg); + plog(ASL_LEVEL_ERR, "%s:%d: %s\n", incstack[incstackp].path, incstack[incstackp].lineno, msg); yyerrorcount++; } void yywarn(const char *msg) { - plog(LLV_ERROR, LOCATION, NULL, "%s:%d: %s\n", incstack[incstackp].path, incstack[incstackp].lineno, msg); + plog(ASL_LEVEL_ERR, "%s:%d: %s\n", incstack[incstackp].path, incstack[incstackp].lineno, msg); } void @@ -800,14 +810,14 @@ yycf_switch_buffer(path) /* got the include file name */ if (incstackp >= MAX_INCLUDE_DEPTH) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Includes nested too deeply"); return -1; } if (glob(path, GLOB_TILDE, NULL, &incstack[incstackp].matches) != 0 || incstack[incstackp].matches.gl_pathc == 0) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "glob found no matches for path \"%s\"\n", path); return 0; } @@ -842,7 +852,7 @@ yycf_set_buffer(path) if (yyin == NULL) { fprintf(stderr, "failed to open file %s (%s)\n", path, strerror(errno)); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to open file %s (%s)\n", path, strerror(errno)); return -1; @@ -857,8 +867,8 @@ yycf_set_buffer(path) incstack[incstackp].path = racoon_strdup(path); STRDUP_FATAL(incstack[incstackp].path); incstack[incstackp].lineno = 1; - plog(LLV_DEBUG, LOCATION, NULL, - "reading config file %s\n", path); + plog(ASL_LEVEL_DEBUG, + "reading configuration file %s\n", path); return 0; } diff --git a/ipsec-tools/racoon/cftoken_proto.h b/ipsec-tools/racoon/cftoken_proto.h index a0d5d99..b837ef3 100644 --- a/ipsec-tools/racoon/cftoken_proto.h +++ b/ipsec-tools/racoon/cftoken_proto.h 
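Review bot: yywarn is converted to log at ASL_LEVEL_ERR, the same level as yyerror, even though the same hunk introduces ASL_LEVEL_WARNING for the glob case in yycf_switch_buffer; every racoon_yywarn message (including the new eap_options warnings in cfparse.y) will therefore show up as an error in the log. `plog(ASL_LEVEL_WARNING, "%s:%d: %s\n", incstack[incstackp].path, incstack[incstackp].lineno, msg);` in yywarn would match the function's name and the level used elsewhere in the file. The old code had the same LLV_ERROR mapping, so this is inherited rather than introduced, but the level conversion is the natural moment to correct it.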
@@ -36,15 +36,15 @@ extern int yyerrorcount; -extern int yylex __P((void)); -extern void yyerror __P((const char *)); -extern void yywarn __P((const char *)); -extern void racoon_yyerror __P((const char *, ...)); -extern void racoon_yywarn __P((const char *, ...)); +extern int yylex (void); +extern void yyerror (const char *); +extern void yywarn (const char *); +extern void racoon_yyerror (const char *, ...); +extern void racoon_yywarn (const char *, ...); -extern int yycf_switch_buffer __P((char *)); -extern int yycf_set_buffer __P((char *)); -extern void yycf_init_buffer __P((void)); -extern void yycf_clean_buffer __P((void)); +extern int yycf_switch_buffer (char *); +extern int yycf_set_buffer (char *); +extern void yycf_init_buffer (void); +extern void yycf_clean_buffer (void); #endif /* _CFTOKEN_PROTO_H */ diff --git a/ipsec-tools/racoon/com.apple.racoon.plist b/ipsec-tools/racoon/com.apple.racoon.plist index 67e2353219d4cb6e5335962a82f6179fec97c278..f0c233ba9bc42df47b1dd9f286017460c0771f16 100644 GIT binary patch delta 239 zcmdnY^pwdrsURn_xWvHV8Y2@k3o9Etm#~PqSiFEhKv8~rQDUxRQF>`^YF2YEF!AVsb`sYEfBca%yp8P-&iHiBEoF%0vZG=0zNw6VHoHEQqNGnv$HK ztCv_%kdvxcl$e~KpLbCdXtn}EG&nW6v?$dtwWK`1C_6JRUC%QBD8$LZ$-u!N%Amnu zz+lGU%;3wA#E{BR!BEXm$I!vh&oGN&Il~r)oeX;zt~0!1c*`ijD99+p00vBq5Sl@f Lfgj3(P>jL=E9O7X delta 239 zcmaFLw3(?ssURn_xWvHVIwKP^3o9Et2Pc=Xn3zOFXmM(hUt(@*ynv8vUSd*CYDiIH zUU6b_NoIatad>cka&~G-alC*)Kv8~rQDUxRQF>`^YF2YEDQ|etrq(MQ)x*AE1q?d8tLkmw6|4`KB)t5d|8gUs_zGU!0Vgr(cwq zoS&Z;r0c@L0TfTp&(%vTD9B0GgNSp8E122_M5Scq7ZlgF^v_wjZsVErkDfkz&Hx6C Nj1ZbZ5=z6UUjU$~OiTa( diff --git a/ipsec-tools/racoon/crypto_cssm.c b/ipsec-tools/racoon/crypto_cssm.c index 3f0bbfa..1b28547 100644 --- a/ipsec-tools/racoon/crypto_cssm.c +++ b/ipsec-tools/racoon/crypto_cssm.c 
@@ -45,19 +45,21 @@ #include #include #include - +#include #include #include #include #include #endif - #include +#if !TARGET_OS_EMBEDDED #include +#endif #include "plog.h" #include "debug.h" #include "misc.h" #include "oakley.h" +#include "gcmalloc.h" #include "crypto_cssm.h" 
@@ -66,54 +68,61 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef); #if !TARGET_OS_EMBEDDED -static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef); -static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef); #endif static SecPolicyRef crypto_cssm_x509cert_get_SecPolicyRef (CFStringRef hostname) { SecPolicyRef policyRef = NULL; -#if !TARGET_OS_EMBEDDED - OSStatus status; - CSSM_OID ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC; + CFDictionaryRef properties = NULL; + const void *key[] = { kSecPolicyName }; + const void *value[] = { hostname }; - // get our policy object - status = FindPolicy(&ourPolicyOID, &policyRef); - if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); - } -#else if (hostname) { - policyRef = SecPolicyCreateIPSec(FALSE, hostname); - if (policyRef == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to create a SSL policyRef.\n"); + properties = CFDictionaryCreate(NULL, key, value, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + if (properties == NULL) { + plog(ASL_LEVEL_ERR, + "unable to create dictionary for policy properties.\n"); } } -#endif + policyRef = SecPolicyCreateWithProperties(kSecPolicyAppleIPsec, properties); + if (properties) + CFRelease(properties); return policyRef; } SecCertificateRef -crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert) +crypto_cssm_x509cert_CreateSecCertificateRef (vchar_t *cert) { SecCertificateRef certRef = NULL; - CFDataRef cert_data = CFDataCreateWithBytesNoCopy(NULL, cert->v, cert->l, kCFAllocatorNull); + CFDataRef cert_data = CFDataCreateWithBytesNoCopy(NULL, (uint8_t*)cert->v, cert->l, kCFAllocatorNull); if (cert_data) { certRef = SecCertificateCreateWithData(NULL, cert_data); CFRelease(cert_data); } if (certRef == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to create 
a certRef.\n"); + plog(ASL_LEVEL_ERR, + "unable to get a certifcate reference.\n"); } return certRef; } +/* HACK!!! - temporary until this prototype gets moved */ +extern CFDataRef SecCertificateCopySubjectSequence( SecCertificateRef certificate); + +CFDataRef +crypto_cssm_CopySubjectSequence(SecCertificateRef certRef) +{ + CFDataRef subject = NULL; + + subject = SecCertificateCopySubjectSequence(certRef); + return subject; + +} + + static cert_status_t crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef) { @@ -141,14 +150,14 @@ crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef) /* get kSecPropertyKeyLabel */ if ( (datevalue) && (CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyLabel, (const void**)&labelvalue))){ if ( (labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid Before"), 0) == kCFCompareEqualTo)){ - if ( notvalidbeforedate = CFDateGetAbsoluteTime(datevalue)) { + if ( (notvalidbeforedate = CFDateGetAbsoluteTime(datevalue))) { if (notvalidbeforedatedata) { CFRelease(notvalidbeforedatedata); } notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate); } }else if ((labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid After"), 0 ) == kCFCompareEqualTo)){ - if ( notvalidafterdate = CFDateGetAbsoluteTime(datevalue)) { + if ( (notvalidafterdate = CFDateGetAbsoluteTime(datevalue))) { if (notvalidafterdatedata) { CFRelease(notvalidafterdatedata); } 
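Review bot: In crypto_cssm_x509cert_get_SecPolicyRef, when `CFDictionaryCreate` fails the function logs the error but still calls `SecPolicyCreateWithProperties(kSecPolicyAppleIPsec, properties)` with properties NULL, so a caller that asked for a hostname check silently receives an IPsec policy without the kSecPolicyName constraint. Returning NULL on that path, `if (properties == NULL) { plog(ASL_LEVEL_ERR, "unable to create dictionary for policy properties.\n"); return NULL; }`, makes the failure visible, provided the caller in crypto_cssm_check_x509cert guards a NULL policyRef before its CFRelease (that code is outside this hunk). A comment at `if (hostname)` stating that a NULL hostname deliberately yields a policy with no name check would document the contract for callers. crypto_cssm_CopySubjectSequence likewise passes certRef straight to the SPI it wraps without a NULL check.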
@@ -165,21 +174,21 @@ crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef) if ( (timeNow = CFAbsoluteTimeGetCurrent()) && (nowcfdatedata = CFDateCreate( NULL, timeNow))){ if ( notvalidbeforedatedata ){ gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidbeforedate, NULL); - plog(LLV_DEBUG, LOCATION, NULL, - "cert not valid before yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute); + plog(ASL_LEVEL_DEBUG, + "Certificate not valid before yr %d, mon %d, days %d, hours %d, min %d\n", (int)gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute); gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidafterdate, NULL); - plog(LLV_DEBUG, LOCATION, NULL, - "cert not valid after yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute); + plog(ASL_LEVEL_DEBUG, + "Certificate not valid after yr %d, mon %d, days %d, hours %d, min %d\n", (int)gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute); if ( CFDateCompare( nowcfdatedata, notvalidbeforedatedata, NULL ) == kCFCompareLessThan){ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "current time before valid time\n"); certStatus = CERT_STATUS_PREMATURE; } else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "current time after valid time\n"); certStatus = CERT_STATUS_EXPIRED; }else { - plog(LLV_INFO, LOCATION, NULL, "certificate expiration date OK\n"); + plog(ASL_LEVEL_INFO, "Certificate expiration date is OK\n"); certStatus = CERT_STATUS_OK; } } 
@@ -218,8 +227,8 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef // find the total number of certs for (p = certchain; p; p = p->chain, n++); if (n> 1) { - plog(LLV_DEBUG2, LOCATION, NULL, - "%s: checking chain of %d certificates.\n", __FUNCTION__, n); + plog(ASL_LEVEL_DEBUG, + "%s: checking chain of %d certificates.\n", __FUNCTION__, (int)n); } certArraySiz = n * sizeof(CFTypeRef); @@ -228,12 +237,12 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef return -1; } bzero(certArrayRef, certArraySiz); - if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_get_SecCertificateRef(&hostcert->cert))) { + if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_CreateSecCertificateRef(&hostcert->cert))) { /* don't overwrite any pending status */ if (!hostcert->status) { hostcert->status = crypto_cssm_check_x509cert_dates(certArrayRef[certArrayRefNumValues]); if (hostcert->status) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "host certificate failed date verification: %d.\n", hostcert->status); certStatus = hostcert->status; } @@ -242,12 +251,12 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef } for (p = certchain; p && certArrayRefNumValues < n; p = p->chain) { if (p != hostcert) { - if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_get_SecCertificateRef(&p->cert))) { + if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_CreateSecCertificateRef(&p->cert))) { /* don't overwrite any pending status */ if (!p->status) { p->status = crypto_cssm_check_x509cert_dates(certArrayRef[certArrayRefNumValues]); if (p->status) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "other certificate in chain failed date verification: %d.\n", p->status); if (!certStatus) { certStatus = p->status; 
@@ -271,8 +280,8 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef CFRelease(policyRef); if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); + plog(ASL_LEVEL_ERR, + "error %d %s.\n", (int)status, GetSecurityErrorString(status)); status = -1; } else if (certStatus == CERT_STATUS_PREMATURE || certStatus == CERT_STATUS_EXPIRED) { status = -1; @@ -282,9 +291,9 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef } -int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature) +int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature, Boolean useSHA1) { - return SecKeyRawVerify(publicKeyRef, kSecPaddingPKCS1, hash->v, hash->l, signature->v, signature->l); + return SecKeyRawVerify(publicKeyRef, useSHA1 ? kSecPaddingPKCS1SHA1 : kSecPaddingPKCS1, (uint8_t*)hash->v, hash->l, (uint8_t*)signature->v, signature->l); } /* @@ -325,8 +334,8 @@ vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash) if (sig == NULL) goto end; - status = SecKeyRawSign(privateKeyRef, kSecPaddingPKCS1, hash->v, - hash->l, sig->v, &sig->l); + status = SecKeyRawSign(privateKeyRef, kSecPaddingPKCS1, (uint8_t*)hash->v, + hash->l, (uint8_t*)sig->v, &sig->l); end: @@ -346,8 +355,8 @@ end: } if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); + plog(ASL_LEVEL_ERR, + "error %d %s.\n", (int)status, GetSecurityErrorString(status)); status = -1; } return sig; 
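Review bot: crypto_cssm_verify_x509sign gains a `useSHA1` flag selecting kSecPaddingPKCS1SHA1, but crypto_cssm_getsign in the next hunk still signs with kSecPaddingPKCS1 unconditionally, so this file now verifies a DigestInfo-wrapped form that it cannot itself produce; if the SHA-1 variant is for a new exchange (the ikev2 algorithm classes in cftoken.l suggest so, but that is outside this hunk), getsign presumably needs the same selector. The new parameter is undocumented; a comment on the signature such as `/* useSHA1: hash is a bare SHA-1 digest that SecKeyRawVerify wraps in the PKCS#1 DigestInfo; otherwise hash is verified as-is */` would tell callers which value to pass. The enclosing crypto_cssm_getsign function starts before and ends after its hunk.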
@@ -364,78 +373,21 @@ vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, OSStatus status = -1; vchar_t *cert = NULL; + SecCertificateRef certificateRef = NULL; + CFDictionaryRef persistFind = NULL; + size_t dataLen; + CFDataRef certData = NULL; SecIdentityRef identityRef = NULL; - SecCertificateRef certificateRef = NULL; - -#if !TARGET_OS_EMBEDDED - CSSM_DATA cssmData; - SecIdentitySearchRef idSearchRef = NULL; - SecKeychainRef keychainRef = NULL; - - // get cert ref - if (persistentCertRef) { - status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef); - if (status != noErr) - goto end; - } else { - // copy system keychain - status = CopySystemKeychain(&keychainRef); - if (status != noErr) - goto end; - - // find first identity in system keychain - status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef); - if (status != noErr) - goto end; - - status = SecIdentitySearchCopyNext(idSearchRef, &identityRef); - if (status != noErr) - goto end; - - // get certificate from identity - status = SecIdentityCopyCertificate(identityRef, &certificateRef); - if (status != noErr) - goto end; - - } - - // get certificate data - cssmData.Length = 0; - cssmData.Data = NULL; - status = SecCertificateGetData(certificateRef, &cssmData); - if (status != noErr) - goto end; - - if (cssmData.Length == 0) - goto end; - - cert = vmalloc(cssmData.Length); - if (cert == NULL) - goto end; - - // cssmData struct just points to the data - // data must be copied to be returned - memcpy(cert->v, cssmData.Data, cssmData.Length); - - // verify expiry or missing fields - if (certStatus) { - *certStatus = CERT_STATUS_OK; - } -#else - - CFDictionaryRef persistFind = NULL; - const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef }; - const void *values_persist[] = { kCFBooleanTrue, persistentCertRef }; - size_t dataLen; - CFDataRef certData = NULL; + const void *keys_persist[] = { kSecReturnRef, 
kSecValuePersistentRef, kSecClass }; + const void *values_persist[] = { kCFBooleanTrue, persistentCertRef, kSecClassIdentity }; /* find identity by persistent ref */ persistFind = CFDictionaryCreate(NULL, keys_persist, values_persist, (sizeof(keys_persist) / sizeof(*keys_persist)), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (persistFind == NULL) goto end; - - status = SecItemCopyMatching(persistFind, (CFTypeRef *)&identityRef); + + status = SecItemCopyMatching(persistFind, (CFTypeRef *)&identityRef); if (status != noErr) goto end; 
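Review bot: With the non-embedded branch removed, `persistentCertRef` goes straight into `values_persist` and then into `CFDictionaryCreate(... &kCFTypeDictionaryValueCallBacks ...)`; the deleted code handled `persistentCertRef == NULL` by falling back to the first signing identity, whereas the new code hands a NULL value to the dictionary callbacks. If callers can still pass NULL, a guard before the dictionary is built, `if (persistentCertRef == NULL) goto end;`, avoids that (status stays at its initial -1, which the end: block in the next hunk treats as non-error — worth confirming that is the wanted outcome); if they cannot, a comment on the parameter saying it is required closes the question. The function begins before this hunk.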
@@ -455,70 +407,32 @@ vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, if (cert == NULL) goto end; - CFDataGetBytes(certData, CFRangeMake(0, dataLen), cert->v); + CFDataGetBytes(certData, CFRangeMake(0, dataLen), (uint8_t*)cert->v); // verify expiry or missing fields if (certStatus) { *certStatus = crypto_cssm_check_x509cert_dates(certificateRef); } - -#endif end: + if (identityRef) + CFRelease(identityRef); if (certificateRef) CFRelease(certificateRef); - if (identityRef) - CFRelease(identityRef); -#if !TARGET_OS_EMBEDDED - if (idSearchRef) - CFRelease(idSearchRef); - if (keychainRef) - CFRelease(keychainRef); -#else if (persistFind) CFRelease(persistFind); if (certData) CFRelease(certData); -#endif if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); + plog(ASL_LEVEL_ERR, + "error %d %s.\n", (int)status, GetSecurityErrorString(status)); status = -1; } return cert; } -#if !TARGET_OS_EMBEDDED -/* - * Find a policy ref by OID - */ -static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef) -{ - - OSStatus status; - SecPolicySearchRef searchRef = nil; - - status = SecPolicySearchCreate(CSSM_CERT_X_509v3, policyOID, NULL, &searchRef); - if (status != noErr) - goto end; - - status = SecPolicySearchCopyNext(searchRef, policyRef); - -end: - if (searchRef) - CFRelease(searchRef); - - if (status != noErr) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); - status = -1; - } - return status; -} -#endif - /* * Evaluate the trust of a cert using the policy provided */ @@ -534,7 +448,7 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCert &kCFTypeArrayCallBacks); if (!cfCertRef) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to create CFArray.\n"); return -1; } 
@@ -548,32 +462,32 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCert
 goto end;
 if (evalResult != kSecTrustResultProceed && evalResult != kSecTrustResultUnspecified) {
- plog(LLV_ERROR, LOCATION, NULL, "Error evaluating certificate.\n");
+ plog(ASL_LEVEL_ERR, "Error evaluating certificate.\n");
 switch (evalResult) {
 case kSecTrustResultInvalid:
- plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultInvalid.\n");
+ plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultInvalid.\n");
 break;
 case kSecTrustResultProceed:
- plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultProceed.\n");
+ plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultProceed.\n");
 break;
 case kSecTrustResultDeny:
- plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultDeny.\n");
+ plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultDeny.\n");
 break;
 case kSecTrustResultUnspecified:
- plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultUnspecified.\n");
+ plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultUnspecified.\n");
 break;
 case kSecTrustResultRecoverableTrustFailure:
- plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultRecoverableTrustFailure.\n");
+ plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultRecoverableTrustFailure.\n");
 break;
 case kSecTrustResultFatalTrustFailure:
- plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultFatalTrustFailure.\n");
+ plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultFatalTrustFailure.\n");
 break;
 case kSecTrustResultOtherError:
- plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultOtherError.\n");
+ plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultOtherError.\n");
 break;
 default:
- plog(LLV_DEBUG, LOCATION, NULL, "eval result unknown: value = %d.\n", (int)evalResult);
+ plog(ASL_LEVEL_DEBUG, "eval result unknown: value = %d.\n", (int)evalResult);
 break;
 }
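Review bot: The `case kSecTrustResultProceed:` and `case kSecTrustResultUnspecified:` arms of the switch are unreachable, because the enclosing `if` only enters this block when evalResult is neither of those values; since the commit rewrote both plog lines anyway, it could drop the two dead cases instead of carrying them forward. Separately, the only ERR-level line is the generic `Error evaluating certificate.`, while the specific trust result is logged at ASL_LEVEL_DEBUG, so at default verbosity a rejected peer certificate leaves no record of why it was rejected; logging the result name at ASL_LEVEL_ERR, or folding it into the one ERR message as `plog(ASL_LEVEL_ERR, "Error evaluating certificate: %s.\n", result_name)`, would make the failure diagnosable from the log alone. EvaluateCert begins and ends outside this hunk.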
@@ -585,7 +499,7 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCert
 const char *str;
 CFIndex count, maxcount = CFArrayGetCount(errorStrings);
- plog(LLV_ERROR, LOCATION, NULL, "---------------Returned error strings: ---------------.\n");
+ plog(ASL_LEVEL_ERR, "---------------Returned error strings: ---------------.\n");
 for (count = 0; count < maxcount; count++) {
 dict = CFArrayGetValueAtIndex(errorStrings, count);
 if (dict && (CFGetTypeID(dict) == CFDictionaryGetTypeID())) {
@@ -593,17 +507,17 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCert
 if (val && (CFGetTypeID(val) == CFStringGetTypeID())) {
 str = CFStringGetCStringPtr(val, kCFStringEncodingMacRoman);
 if (str)
- plog(LLV_ERROR, LOCATION, NULL, "type = %s.\n", str);
+ plog(ASL_LEVEL_ERR, "type = %s.\n", str);
 }
 val = CFDictionaryGetValue(dict, kSecPropertyKeyValue);
 if (val && (CFGetTypeID(val) == CFStringGetTypeID())) {
 str = CFStringGetCStringPtr(val, kCFStringEncodingMacRoman);
 if (str)
- plog(LLV_ERROR, LOCATION, NULL, "value = %s.\n", str);
+ plog(ASL_LEVEL_ERR, "value = %s.\n", str);
 }
 }
 }
- plog(LLV_ERROR, LOCATION, NULL, "-----------------------------------------------------.\n");
+ plog(ASL_LEVEL_ERR, "-----------------------------------------------------.\n");
 CFRelease(errorStrings);
 }
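Review bot: In the second hunk the `type =` and `value =` lines are only emitted when CFStringGetCStringPtr returns non-NULL, and that call is documented to return NULL whenever it cannot hand out a pointer without copying, so the detailed error strings this ERR-level dump exists for can be silently dropped. Copying into a stack buffer with `CFStringGetCString(val, buf, sizeof buf, kCFStringEncodingUTF8)` and logging a placeholder when that returns false would make the dump reliable, and UTF-8 avoids losing characters MacRoman cannot represent. EvaluateCert begins and ends outside these hunks.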
@@ -621,40 +535,13 @@ end:
 CFRelease(trustRef);
 if (status != noErr && status != -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "error %d %s.\n", status, GetSecurityErrorString(status));
+ plog(ASL_LEVEL_ERR,
+ "error %d %s.\n", (int)status, GetSecurityErrorString(status));
 status = -1;
 }
 return status;
 }
-#if !TARGET_OS_EMBEDDED
-/*
- * Copy the system keychain
- */
-static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef)
-{
-
- OSStatus status;
-
- status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem);
- if (status != noErr)
- goto end;
-
- status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, keychainRef);
-
-end:
-
- if (status != noErr) {
- plog(LLV_ERROR, LOCATION, NULL,
- "error %d %s.\n", status, GetSecurityErrorString(status));
- status = -1;
- }
- return status;
-
-}
-#endif
-
 /*
 * Return string representation of Security-related OSStatus.
 */
@@ -664,17 +551,20 @@ GetSecurityErrorString(OSStatus err)
 switch(err) {
 case noErr:
 return "noErr";
- case memFullErr:
- return "memFullErr";
- case paramErr:
- return "paramErr";
- case unimpErr:
- return "unimpErr";
 /* SecBase.h: */
 case errSecNotAvailable:
 return "errSecNotAvailable";
+ #if !TARGET_OS_EMBEDDED
+ case memFullErr:
+ return "memFullErr";
+ case paramErr:
+ return "paramErr";
+ case unimpErr:
+ return "unimpErr";
+
+ /* SecBase.h: */
 case errSecReadOnly:
 return "errSecReadOnly";
 case errSecAuthFailed:
diff --git a/ipsec-tools/racoon/crypto_cssm.h b/ipsec-tools/racoon/crypto_cssm.h
index be59c91..aa17d59 100644
--- a/ipsec-tools/racoon/crypto_cssm.h
+++ b/ipsec-tools/racoon/crypto_cssm.h
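Review bot: In the GetSecurityErrorString hunk the new `#if !TARGET_OS_EMBEDDED` is indented with leading whitespace while every other directive in this diff sits at column 0, and relocating the memFullErr/paramErr/unimpErr cases below `case errSecNotAvailable:` files them under the first `/* SecBase.h: */` comment even though the old code kept them deliberately outside that group, which is why a second copy of the comment had to be added. Placing the guarded block directly after `return "noErr";`, ahead of the existing `/* SecBase.h: */` comment, keeps the grouping truthful and removes the duplicate. The matching `#endif` and the rest of the switch are outside the hunk, so the guard's extent could not be checked here.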
@@ -35,11 +35,12 @@ extern int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef);
-extern int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature);
-extern SecCertificateRef crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert);
+extern int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature, Boolean useSHA1);
+extern SecCertificateRef crypto_cssm_x509cert_CreateSecCertificateRef (vchar_t *cert);
 extern vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash);
 extern vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, cert_status_t *certStatus);
 extern const char *GetSecurityErrorString(OSStatus err);
+extern CFDataRef crypto_cssm_CopySubjectSequence(SecCertificateRef certRef);
 #endif /* __CRYPTO_CSSM_H__ */
diff --git a/ipsec-tools/racoon/crypto_openssl.c b/ipsec-tools/racoon/crypto_openssl.c
index e930edf..c94093c 100644
--- a/ipsec-tools/racoon/crypto_openssl.c
+++ b/ipsec-tools/racoon/crypto_openssl.c
@@ -62,8 +62,6 @@
 #ifdef HAVE_OPENSSL_ENGINE_H
 #include
 #endif
-#include
-#include
 #include
 #else /* HAVE_OPENSSL */
 #include
@@ -82,7 +80,7 @@ typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
 #define USE_NEW_DES_API
 #endif
-#define OpenSSL_BUG() do { plog(LLV_ERROR, LOCATION, NULL, "OpenSSL function failed\n"); } while(0)
+#define OpenSSL_BUG() do { plog(ASL_LEVEL_ERR, "OpenSSL function failed\n"); } while(0)
 #endif
 #include "crypto_openssl.h"
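Review bot: The crypto_cssm.h hunk changes three contracts without a comment: the new `Boolean useSHA1` lets the caller pick the digest used to verify a peer's signature, and the Create/Copy renames (`crypto_cssm_x509cert_CreateSecCertificateRef`, `crypto_cssm_CopySubjectSequence`) signal, per Core Foundation naming, that the caller owns the returned reference. A one-line comment on each would prevent misuse, for example `/* useSHA1: true verifies a SHA-1 digest, for legacy peers only */` (naming the digest used when false, which is not visible from this header) and `/* Returned reference is owned by the caller; release with CFRelease(). */`. The removed `#include` lines in the crypto_openssl.c hunk lost their filenames in rendering, so which headers were dropped cannot be checked here.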
@@ -100,154 +98,12 @@ typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; */ #ifdef HAVE_OPENSSL -static int cb_check_cert_local __P((int, X509_STORE_CTX *)); -static int cb_check_cert_remote __P((int, X509_STORE_CTX *)); -static X509 *mem2x509 __P((vchar_t *)); +static X509 *mem2x509(vchar_t *); #endif -static caddr_t eay_hmac_init __P((vchar_t *, CCHmacAlgorithm)); +static caddr_t eay_hmac_init (vchar_t *, CCHmacAlgorithm); #ifdef HAVE_OPENSSL -/* X509 Certificate */ -/* - * convert the string of the subject name into DER - * e.g. str = "C=JP, ST=Kanagawa"; - */ -vchar_t * -eay_str2asn1dn(str, len) - const char *str; - int len; -{ - X509_NAME *name; - char *buf; - char *field, *value; - int i, j; - vchar_t *ret = NULL; - caddr_t p; - - if (len == -1) - len = strlen(str); - - buf = racoon_malloc(len + 1); - if (!buf) { - plog(LLV_WARNING, LOCATION, NULL,"failed to allocate buffer\n"); - return NULL; - } - memcpy(buf, str, len); - - name = X509_NAME_new(); - - field = &buf[0]; - value = NULL; - for (i = 0; i < len; i++) { - if (!value && buf[i] == '=') { - buf[i] = '\0'; - value = &buf[i + 1]; - continue; - } else if (buf[i] == ',' || buf[i] == '/') { - buf[i] = '\0'; - - plog(LLV_DEBUG, LOCATION, NULL, "DN: %s=%s\n", - field, value); - - if (!value) goto err; - if (!X509_NAME_add_entry_by_txt(name, field, - (value[0] == '*' && value[1] == 0) ? - V_ASN1_PRINTABLESTRING : MBSTRING_ASC, - (unsigned char *) value, -1, -1, 0)) { - plog(LLV_ERROR, LOCATION, NULL, - "Invalid DN field: %s=%s\n", - field, value); - plog(LLV_ERROR, LOCATION, NULL, - "%s\n", eay_strerror()); - goto err; - } - for (j = i + 1; j < len; j++) { - if (buf[j] != ' ') - break; - } - field = &buf[j]; - value = NULL; - continue; - } - } - buf[len] = '\0'; - - plog(LLV_DEBUG, LOCATION, NULL, "DN: %s=%s\n", - field, value); - - if (!value) goto err; - if (!X509_NAME_add_entry_by_txt(name, field, - (value[0] == '*' && value[1] == 0) ? 
- V_ASN1_PRINTABLESTRING : MBSTRING_ASC, - (unsigned char *) value, -1, -1, 0)) { - plog(LLV_ERROR, LOCATION, NULL, - "Invalid DN field: %s=%s\n", - field, value); - plog(LLV_ERROR, LOCATION, NULL, - "%s\n", eay_strerror()); - goto err; - } - - i = i2d_X509_NAME(name, NULL); - if (!i) - goto err; - ret = vmalloc(i); - if (!ret) - goto err; - p = ret->v; - i = i2d_X509_NAME(name, (void *)&p); - if (!i) - goto err; - - return ret; - - err: - if (buf) - racoon_free(buf); - if (name) - X509_NAME_free(name); - if (ret) - vfree(ret); - return NULL; -} - -/* - * convert the hex string of the subject name into DER - */ -vchar_t * -eay_hex2asn1dn(const char *hex, int len) -{ - BIGNUM *bn = BN_new(); - char *binbuf; - size_t binlen; - vchar_t *ret = NULL; - - if (len == -1) - len = strlen(hex); - - if (BN_hex2bn(&bn, hex) != len) { - plog(LLV_ERROR, LOCATION, NULL, - "conversion of Hex-encoded ASN1 string to binary failed: %s\n", - eay_strerror()); - goto out; - } - - binlen = BN_num_bytes(bn); - ret = vmalloc(binlen); - if (!ret) { - plog(LLV_WARNING, LOCATION, NULL,"failed to allocate buffer\n"); - return NULL; - } - binbuf = ret->v; - - BN_bn2bin(bn, (unsigned char *) binbuf); - -out: - BN_free(bn); - - return ret; -} /* * The following are derived from code in crypto/x509/x509_cmp.c 
@@ -419,208 +275,6 @@ eay_cmp_asn1dn(n1, n2) return i; } -/* - * this functions is derived from apps/verify.c in OpenSSL0.9.5 - */ -int -eay_check_x509cert(cert, CApath, CAfile, local) - vchar_t *cert; - char *CApath; - char *CAfile; - int local; -{ - X509_STORE *cert_ctx = NULL; - X509_LOOKUP *lookup = NULL; - X509 *x509 = NULL; - X509_STORE_CTX *csc; - int error = -1; - - cert_ctx = X509_STORE_new(); - if (cert_ctx == NULL) - goto end; - - if (local) - X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local); - else - X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote); - - lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); - if (lookup == NULL) - goto end; - - X509_LOOKUP_load_file(lookup, CAfile, - (CAfile == NULL) ? X509_FILETYPE_DEFAULT : X509_FILETYPE_PEM); - - lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); - if (lookup == NULL) - goto end; - error = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM); - if(!error) { - error = -1; - goto end; - } - error = -1; /* initialized */ - - /* read the certificate to be verified */ - x509 = mem2x509(cert); - if (x509 == NULL) - goto end; - - csc = X509_STORE_CTX_new(); - if (csc == NULL) - goto end; - X509_STORE_CTX_init(csc, cert_ctx, x509, NULL); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK); - X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL); -#endif - error = X509_verify_cert(csc); - X509_STORE_CTX_free(csc); - - /* - * if x509_verify_cert() is successful then the value of error is - * set non-zero. - */ - error = error ? 0 : -1; - -end: - if (error) - plog(LLV_WARNING, LOCATION, NULL,"%s\n", eay_strerror()); - if (cert_ctx != NULL) - X509_STORE_free(cert_ctx); - if (x509 != NULL) - X509_free(x509); - - return(error); -} - -/* - * callback function for verifing certificate. 
- * this function is derived from cb() in openssl/apps/s_server.c - */ -static int -cb_check_cert_local(ok, ctx) - int ok; - X509_STORE_CTX *ctx; -{ - char buf[256]; - int log_tag; - - if (!ok) { - X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert), - buf, - 256); - /* - * since we are just checking the certificates, it is - * ok if they are self signed. But we should still warn - * the user. - */ - switch (ctx->error) { - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: - case X509_V_ERR_INVALID_CA: - case X509_V_ERR_PATH_LENGTH_EXCEEDED: - case X509_V_ERR_INVALID_PURPOSE: - case X509_V_ERR_UNABLE_TO_GET_CRL: - ok = 1; - log_tag = LLV_WARNING; - break; - default: - log_tag = LLV_ERROR; - } - plog(log_tag, LOCATION, NULL, - "%s(%d) at depth:%d SubjectName:%s\n", - X509_verify_cert_error_string(ctx->error), - ctx->error, - ctx->error_depth, - buf); - } - ERR_clear_error(); - - return ok; -} - -/* - * callback function for verifing remote certificates. - * this function is derived from cb() in openssl/apps/s_server.c - */ -static int -cb_check_cert_remote(ok, ctx) - int ok; - X509_STORE_CTX *ctx; -{ - char buf[256]; - int log_tag; - - if (!ok) { - X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert), - buf, - 256); - switch (ctx->error) { - case X509_V_ERR_UNABLE_TO_GET_CRL: - ok = 1; - log_tag = LLV_WARNING; - break; - default: - log_tag = LLV_ERROR; - } - plog(log_tag, LOCATION, NULL, - "%s(%d) at depth:%d SubjectName:%s\n", - X509_verify_cert_error_string(ctx->error), - ctx->error, - ctx->error_depth, - buf); - } - ERR_clear_error(); - - return ok; -} - -/* - * get a subjectAltName from X509 certificate. 
- */ -vchar_t * -eay_get_x509asn1subjectname(cert) - vchar_t *cert; -{ - X509 *x509 = NULL; - u_char *bp; - vchar_t *name = NULL; - int len; - - bp = (unsigned char *) cert->v; - - x509 = mem2x509(cert); - if (x509 == NULL) - goto error; - - /* get the length of the name */ - len = i2d_X509_NAME(x509->cert_info->subject, NULL); - name = vmalloc(len); - if (!name) - goto error; - /* get the name */ - bp = (unsigned char *) name->v; - len = i2d_X509_NAME(x509->cert_info->subject, &bp); - - X509_free(x509); - - return name; - -error: - plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); - - if (name != NULL) - vfree(name); - - if (x509 != NULL) - X509_free(x509); - - return NULL; -} - /* * Get the common name from a cert */ @@ -635,7 +289,7 @@ eay_get_x509_common_name(cert) commonName = vmalloc(EAY_MAX_CN_LEN); if (commonName == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no memory\n"); + plog(ASL_LEVEL_ERR, "no memory\n"); return NULL; } @@ -698,7 +352,7 @@ eay_get_x509subjectaltname(cert, altname, type, pos, len) /* make sure the data is terminated by '\0'. */ if (gen->d.ia5->data[gen->d.ia5->length] != '\0') { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "data is not terminated by 0."); hexdump(gen->d.ia5->data, gen->d.ia5->length + 1); goto end; @@ -738,7 +392,7 @@ eay_get_x509subjectaltname(cert, altname, type, pos, len) *altname = NULL; } #ifndef EAYDEBUG - plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); + plog(ASL_LEVEL_ERR, "%s\n", eay_strerror()); #else printf("%s\n", eay_strerror()); #endif 
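Review bot: In the `@@ -698,7 +352,7 @@` hunk of eay_get_x509subjectaltname the rewritten plog call keeps the message `"data is not terminated by 0."` without a trailing `\n`, unlike every other plog message in this diff, so in a line-oriented log the hexdump that follows runs onto the same line; `"data is not terminated by 0.\n"` fixes it. The check itself reads `gen->d.ia5->data[gen->d.ia5->length]`, one byte past the reported length, and so depends on the ASN1 string buffer always carrying a terminator after `length` bytes; since the data comes from the peer's certificate, a comment stating that assumption next to the check would help the next reader. eay_get_x509subjectaltname begins and ends outside these hunks.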
@@ -752,59 +406,6 @@ eay_get_x509subjectaltname(cert, altname, type, pos, len) return error; } -/* - * decode a X509 certificate and make a readable text terminated '\n'. - * return the buffer allocated, so must free it later. - */ -char * -eay_get_x509text(cert) - vchar_t *cert; -{ - X509 *x509 = NULL; - BIO *bio = NULL; - char *text = NULL; - u_char *bp = NULL; - int len = 0; - int error = -1; - - x509 = mem2x509(cert); - if (x509 == NULL) - goto end; - - bio = BIO_new(BIO_s_mem()); - if (bio == NULL) - goto end; - - error = X509_print(bio, x509); - if (error != 1) { - error = -1; - goto end; - } - - len = BIO_get_mem_data(bio, &bp); - text = racoon_malloc(len + 1); - if (text == NULL) - goto end; - memcpy(text, bp, len); - text[len] = '\0'; - - error = 0; - - end: - if (error) { - if (text) { - racoon_free(text); - text = NULL; - } - plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); - } - if (bio) - BIO_free(bio); - if (x509) - X509_free(x509); - - return text; -} /* get X509 structure from buffer. */ static X509 * 
@@ -839,301 +440,6 @@ mem2x509(cert) return x509; } -/* - * get a X509 certificate from local file. - * a certificate must be PEM format. - * Input: - * path to a certificate. - * Output: - * NULL if error occured - * other is the cert. - */ -vchar_t * -eay_get_x509cert(path) - char *path; -{ - FILE *fp; - X509 *x509; - vchar_t *cert; - u_char *bp; - int len; - int error; - - /* Read private key */ - fp = fopen(path, "r"); - if (fp == NULL) - return NULL; - x509 = PEM_read_X509(fp, NULL, NULL, NULL); - fclose (fp); - - if (x509 == NULL) - return NULL; - - len = i2d_X509(x509, NULL); - cert = vmalloc(len); - if (cert == NULL) { - X509_free(x509); - return NULL; - } - bp = (unsigned char *) cert->v; - error = i2d_X509(x509, &bp); - X509_free(x509); - - if (error == 0) { - vfree(cert); - return NULL; - } - - return cert; -} - -/* - * check a X509 signature - * XXX: to be get hash type from my cert ? - * to be handled EVP_dss(). - * OUT: return -1 when error. - * 0 - */ -int -eay_check_x509sign(source, sig, cert) - vchar_t *source; - vchar_t *sig; - vchar_t *cert; -{ - X509 *x509; - u_char *bp; - EVP_PKEY *evp; - int res; - - bp = (unsigned char *) cert->v; - - x509 = d2i_X509(NULL, (void *)&bp, cert->l); - if (x509 == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "d2i_X509(): %s\n", eay_strerror()); - return -1; - } - - evp = X509_get_pubkey(x509); - if (! evp) { - plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey(): %s\n", eay_strerror()); - X509_free(x509); - return -1; - } - - res = eay_rsa_verify(source, sig, evp->pkey.rsa); - - EVP_PKEY_free(evp); - X509_free(x509); - - return res; -} - -/* - * check RSA signature - * OUT: return -1 when error. - * 0 on success - */ -int -eay_check_rsasign(source, sig, rsa) - vchar_t *source; - vchar_t *sig; - RSA *rsa; -{ - return eay_rsa_verify(source, sig, rsa); -} - -/* - * get PKCS#1 Private Key of PEM format from local file. 
- */ -vchar_t * -eay_get_pkcs1privkey(path) - char *path; -{ - FILE *fp; - EVP_PKEY *evp = NULL; - vchar_t *pkey = NULL; - u_char *bp; - int pkeylen; - int error = -1; - - /* Read private key */ - fp = fopen(path, "r"); - if (fp == NULL) - return NULL; - - evp = PEM_read_PrivateKey(fp, NULL, NULL, NULL); - - fclose (fp); - - if (evp == NULL) - return NULL; - - pkeylen = i2d_PrivateKey(evp, NULL); - if (pkeylen == 0) - goto end; - pkey = vmalloc(pkeylen); - if (pkey == NULL) - goto end; - bp = (unsigned char *) pkey->v; - pkeylen = i2d_PrivateKey(evp, &bp); - if (pkeylen == 0) - goto end; - - error = 0; - -end: - if (evp != NULL) - EVP_PKEY_free(evp); - if (error != 0 && pkey != NULL) { - vfree(pkey); - pkey = NULL; - } - - return pkey; -} - -/* - * get PKCS#1 Public Key of PEM format from local file. - */ -vchar_t * -eay_get_pkcs1pubkey(path) - char *path; -{ - FILE *fp; - EVP_PKEY *evp = NULL; - vchar_t *pkey = NULL; - X509 *x509 = NULL; - u_char *bp; - int pkeylen; - int error = -1; - - /* Read private key */ - fp = fopen(path, "r"); - if (fp == NULL) - return NULL; - - x509 = PEM_read_X509(fp, NULL, NULL, NULL); - - fclose (fp); - - if (x509 == NULL) - return NULL; - - /* Get public key - eay */ - evp = X509_get_pubkey(x509); - if (evp == NULL) - return NULL; - - pkeylen = i2d_PublicKey(evp, NULL); - if (pkeylen == 0) - goto end; - pkey = vmalloc(pkeylen); - if (pkey == NULL) - goto end; - bp = (unsigned char *) pkey->v; - pkeylen = i2d_PublicKey(evp, &bp); - if (pkeylen == 0) - goto end; - - error = 0; -end: - if (evp != NULL) - EVP_PKEY_free(evp); - if (error != 0 && pkey != NULL) { - vfree(pkey); - pkey = NULL; - } - - return pkey; -} - -vchar_t * -eay_get_x509sign(src, privkey) - vchar_t *src, *privkey; -{ - EVP_PKEY *evp; - u_char *bp = (unsigned char *) privkey->v; - vchar_t *sig = NULL; - int len; - int pad = RSA_PKCS1_PADDING; - - /* XXX to be handled EVP_PKEY_DSA */ - evp = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (void *)&bp, privkey->l); - if (evp == NULL) 
- return NULL; - - sig = eay_rsa_sign(src, evp->pkey.rsa); - - EVP_PKEY_free(evp); - - return sig; -} - -vchar_t * -eay_get_rsasign(src, rsa) - vchar_t *src; - RSA *rsa; -{ - return eay_rsa_sign(src, rsa); -} - -vchar_t * -eay_rsa_sign(vchar_t *src, RSA *rsa) -{ - int len; - vchar_t *sig = NULL; - int pad = RSA_PKCS1_PADDING; - - len = RSA_size(rsa); - - sig = vmalloc(len); - if (sig == NULL) - return NULL; - - len = RSA_private_encrypt(src->l, (unsigned char *) src->v, - (unsigned char *) sig->v, rsa, pad); - - if (len == 0 || len != sig->l) { - vfree(sig); - sig = NULL; - } - - return sig; -} - -int -eay_rsa_verify(src, sig, rsa) - vchar_t *src, *sig; - RSA *rsa; -{ - vchar_t *xbuf = NULL; - int pad = RSA_PKCS1_PADDING; - int len = 0; - int error; - - len = RSA_size(rsa); - xbuf = vmalloc(len); - if (xbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); - return -1; - } - - len = RSA_public_decrypt(sig->l, (unsigned char *) sig->v, - (unsigned char *) xbuf->v, rsa, pad); - if (len == 0 || len != src->l) { - plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); - vfree(xbuf); - return -1; - } - - error = memcmp(src->v, xbuf->v, src->l); - vfree(xbuf); - if (error != 0) - return -1; - - return 0; -} - /* * get error string * MUST load ERR_load_crypto_strings() first. 
@@ -1166,104 +472,6 @@ eay_strerror() return ebuf; } -vchar_t * -evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc) -{ - vchar_t *res; - EVP_CIPHER_CTX ctx; - - if (!e) - return NULL; - - if (data->l % EVP_CIPHER_block_size(e)) - return NULL; - - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - EVP_CIPHER_CTX_init(&ctx); - - switch(EVP_CIPHER_nid(e)){ - case NID_bf_cbc: - case NID_bf_ecb: - case NID_bf_cfb64: - case NID_bf_ofb64: - case NID_cast5_cbc: - case NID_cast5_ecb: - case NID_cast5_cfb64: - case NID_cast5_ofb64: - /* XXX: can we do that also for algos with a fixed key size ? - */ - /* init context without key/iv - */ - if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc)) - { - OpenSSL_BUG(); - vfree(res); - return NULL; - } - - /* update key size - */ - if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l)) - { - OpenSSL_BUG(); - vfree(res); - return NULL; - } - - /* finalize context init with desired key size - */ - if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v, - (u_char *) iv->v, enc)) - { - OpenSSL_BUG(); - vfree(res); - return NULL; - } - break; - default: - if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, - (u_char *) iv->v, enc)) { - OpenSSL_BUG(); - vfree(res); - return NULL; - } - } - - /* disable openssl padding */ - EVP_CIPHER_CTX_set_padding(&ctx, 0); - - if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) { - OpenSSL_BUG(); - vfree(res); - return NULL; - } - - EVP_CIPHER_CTX_cleanup(&ctx); - - return res; -} - -int -evp_weakkey(vchar_t *key, const EVP_CIPHER *e) -{ - return 0; -} - -int -evp_keylen(int len, const EVP_CIPHER *e) -{ - if (!e) - return -1; - /* EVP functions return lengths in bytes, ipsec-tools - * uses lengths in bits, therefore conversion is required. --AK - */ - if (len != 0 && len != (EVP_CIPHER_key_length(e) << 3)) - return -1; - - return EVP_CIPHER_key_length(e) << 3; -} #endif /* HAVE_OPENSSL */ vchar_t * 
@@ -1291,13 +499,13 @@ eay_CCCrypt(CCOperation oper,
 res->v, res->l, &res_len);
 if (status == kCCSuccess) {
 if (res->l != res_len) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "crypt %d %d length mismatch. expected: %zd. got: %zd.\n", oper, algo, res->l, res_len);
 }
 return res;
 } else {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "crypt %d %d error. status %d.\n", oper, algo, (int)status);
 }
@@ -1702,6 +910,7 @@ eay_hmacmd5_final(c)
 }
+
 #ifdef WITH_SHA2
 /*
 * SHA2-512 functions
@@ -2033,7 +1242,7 @@ eay_set_random(u_int32_t size)
 if (res == NULL)
 return NULL;
- if (SecRandomCopyBytes(kSecRandomDefault, size, res->v)) {
+ if (SecRandomCopyBytes(kSecRandomDefault, size, (uint8_t*)res->v)) {
 vfree(res);
 return NULL;
 }
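Review bot: In the eay_CCCrypt hunk the rewritten plog call keeps `expected: %zd. got: %zd.` for `res->l` and `res_len`, but `res_len` is filled through `&res_len` by the CommonCrypto call, whose output-length parameter is a `size_t`, and `%zd` is the specifier for the signed `ssize_t`; `%zu` is the matching one, i.e. `"crypt %d %d length mismatch. expected: %zu. got: %zu.\n"`, assuming `res->l` is `size_t` as well. The `(int)status` cast the commit adds to the second plog shows the intent to keep format arguments exact, so the same care belongs on the length line, which is also what `-Wformat` will flag. The enclosing function begins and ends outside the hunk.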
@@ -2192,164 +1401,6 @@ eay_init() ENGINE_register_all_complete(); #endif } - -vchar_t * -base64_decode(char *in, long inlen) -{ - BIO *bio=NULL, *b64=NULL; - vchar_t *res = NULL; - char *outb; - long outlen; - - outb = malloc(inlen * 2); - if (outb == NULL) - goto out; - bio = BIO_new_mem_buf(in, inlen); - b64 = BIO_new(BIO_f_base64()); - BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); - bio = BIO_push(b64, bio); - - outlen = BIO_read(bio, outb, inlen * 2); - if (outlen <= 0) { - plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); - goto out; - } - - res = vmalloc(outlen); - if (!res) - goto out; - - memcpy(res->v, outb, outlen); - -out: - if (outb) - free(outb); - if (bio) - BIO_free_all(bio); - - return res; -} - -vchar_t * -base64_encode(char *in, long inlen) -{ - BIO *bio=NULL, *b64=NULL; - char *ptr; - long plen = -1; - vchar_t *res = NULL; - - bio = BIO_new(BIO_s_mem()); - b64 = BIO_new(BIO_f_base64()); - BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); - bio = BIO_push(b64, bio); - - BIO_write(bio, in, inlen); - BIO_flush(bio); - - plen = BIO_get_mem_data(bio, &ptr); - res = vmalloc(plen+1); - if (!res) - goto out; - - memcpy (res->v, ptr, plen); - res->v[plen] = '\0'; - -out: - if (bio) - BIO_free_all(bio); - - return res; -} - -static RSA * -binbuf_pubkey2rsa(vchar_t *binbuf) -{ - BIGNUM *exp, *mod; - RSA *rsa_pub = NULL; - - if (binbuf->v[0] > binbuf->l - 1) { - plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: decoded string doesn't make sense.\n"); - goto out; - } - - exp = BN_bin2bn((unsigned char *) (binbuf->v + 1), binbuf->v[0], NULL); - mod = BN_bin2bn((unsigned char *) (binbuf->v + binbuf->v[0] + 1), - binbuf->l - binbuf->v[0] - 1, NULL); - rsa_pub = RSA_new(); - - if (!exp || !mod || !rsa_pub) { - plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey parsing error: %s\n", eay_strerror()); - if (exp) - BN_free(exp); - if (mod) - BN_free(exp); - if (rsa_pub) - RSA_free(rsa_pub); - rsa_pub = NULL; - goto out; - } - - rsa_pub->n = mod; - 
rsa_pub->e = exp; - -out: - return rsa_pub; -} - -RSA * -base64_pubkey2rsa(char *in) -{ - BIGNUM *exp, *mod; - RSA *rsa_pub = NULL; - vchar_t *binbuf; - - if (strncmp(in, "0s", 2) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: doesn't start with '0s'\n"); - return NULL; - } - - binbuf = base64_decode(in + 2, strlen(in + 2)); - if (!binbuf) { - plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: Base64 decoding failed.\n"); - return NULL; - } - - if (binbuf->v[0] > binbuf->l - 1) { - plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: decoded string doesn't make sense.\n"); - goto out; - } - - rsa_pub = binbuf_pubkey2rsa(binbuf); - -out: - if (binbuf) - vfree(binbuf); - - return rsa_pub; -} - -RSA * -bignum_pubkey2rsa(BIGNUM *in) -{ - RSA *rsa_pub = NULL; - vchar_t *binbuf; - - binbuf = vmalloc(BN_num_bytes(in)); - if (!binbuf) { - plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey conversion: memory allocation failed..\n"); - return NULL; - } - - BN_bn2bin(in, (unsigned char *) binbuf->v); - - rsa_pub = binbuf_pubkey2rsa(binbuf); - -out: - if (binbuf) - vfree(binbuf); - - return rsa_pub; -} #endif /* HAVE_OPENSSL */ u_int32_t @@ -2371,4 +1422,4 @@ eay_version() { return SSLeay_version(SSLEAY_VERSION); } -#endif \ No newline at end of file +#endif diff --git a/ipsec-tools/racoon/crypto_openssl.h b/ipsec-tools/racoon/crypto_openssl.h index 1bf364f..d365a5b 100644 --- a/ipsec-tools/racoon/crypto_openssl.h +++ b/ipsec-tools/racoon/crypto_openssl.h 
@@ -41,166 +41,123 @@ #define GENT_OTHERNAME GEN_OTHERNAME #define GENT_EMAIL GEN_EMAIL #define GENT_DNS GEN_DNS -#define GENT_X400 GEN_X400 -#define GENT_DIRNAME GEN_DIRNAME -#define GENT_EDIPARTY GEN_EDIPARTY -#define GENT_URI GEN_URI #define GENT_IPADD GEN_IPADD -#define GENT_RID GEN_RID - -extern vchar_t *eay_str2asn1dn __P((const char *, int)); -extern vchar_t *eay_hex2asn1dn __P((const char *, int)); -extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *)); -extern int eay_check_x509cert __P((vchar_t *, char *, char *, int)); -extern vchar_t *eay_get_x509asn1subjectname __P((vchar_t *)); -extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int, int*)); -extern vchar_t *eay_get_x509_common_name __P((vchar_t *)); -extern char *eay_get_x509text __P((vchar_t *)); -extern vchar_t *eay_get_x509cert __P((char *)); -extern vchar_t *eay_get_x509sign __P((vchar_t *, vchar_t *)); -extern int eay_check_x509sign __P((vchar_t *, vchar_t *, vchar_t *)); - -extern int eay_check_rsasign __P((vchar_t *, vchar_t *, RSA *)); -extern vchar_t *eay_get_rsasign __P((vchar_t *, RSA *)); - -/* RSA */ -extern vchar_t *eay_rsa_sign __P((vchar_t *, RSA *)); -extern int eay_rsa_verify __P((vchar_t *, vchar_t *, RSA *)); - -/* ASN.1 */ -extern vchar_t *eay_get_pkcs1privkey __P((char *)); -extern vchar_t *eay_get_pkcs1pubkey __P((char *)); + +extern int eay_cmp_asn1dn (vchar_t *, vchar_t *); +extern int eay_get_x509subjectaltname (vchar_t *, char **, int *, int, int*); +extern vchar_t *eay_get_x509_common_name (vchar_t *); /* string error */ -extern char *eay_strerror __P((void)); +extern char *eay_strerror (void); /* OpenSSL initialization */ -extern void eay_init __P((void)); - -/* Generic EVP */ -extern vchar_t *evp_crypt __P((vchar_t *data, vchar_t *key, vchar_t *iv, - const EVP_CIPHER *e, int enc)); -extern int evp_weakkey __P((vchar_t *key, const EVP_CIPHER *e)); -extern int evp_keylen __P((int len, const EVP_CIPHER *e)); +extern void eay_init (void); #endif /* 
HAVE_OPENSSL */ /* DES */ -extern vchar_t *eay_des_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern vchar_t *eay_des_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern int eay_des_weakkey __P((vchar_t *)); -extern int eay_des_keylen __P((int)); +extern vchar_t *eay_des_encrypt (vchar_t *, vchar_t *, vchar_t *); +extern vchar_t *eay_des_decrypt (vchar_t *, vchar_t *, vchar_t *); +extern int eay_des_weakkey (vchar_t *); +extern int eay_des_keylen (int); /* 3DES */ -extern vchar_t *eay_3des_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern vchar_t *eay_3des_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern int eay_3des_weakkey __P((vchar_t *)); -extern int eay_3des_keylen __P((int)); +extern vchar_t *eay_3des_encrypt (vchar_t *, vchar_t *, vchar_t *); +extern vchar_t *eay_3des_decrypt (vchar_t *, vchar_t *, vchar_t *); +extern int eay_3des_weakkey (vchar_t *); +extern int eay_3des_keylen (int); /* AES(RIJNDAEL) */ -extern vchar_t *eay_aes_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern int eay_aes_weakkey __P((vchar_t *)); -extern int eay_aes_keylen __P((int)); +extern vchar_t *eay_aes_encrypt (vchar_t *, vchar_t *, vchar_t *); +extern vchar_t *eay_aes_decrypt (vchar_t *, vchar_t *, vchar_t *); +extern int eay_aes_weakkey (vchar_t *); +extern int eay_aes_keylen (int); /* misc */ -extern int eay_null_keylen __P((int)); -extern int eay_null_hashlen __P((void)); -#ifdef HAVE_OPENSSL -extern int eay_kpdk_hashlen __P((void)); -extern int eay_twofish_keylen __P((int)); -#endif +extern int eay_null_keylen (int); +extern int eay_null_hashlen (void); /* hash */ #if defined(WITH_SHA2) /* HMAC SHA2 */ -extern vchar_t *eay_hmacsha2_512_one __P((vchar_t *, vchar_t *)); -extern caddr_t eay_hmacsha2_512_init __P((vchar_t *)); -extern void eay_hmacsha2_512_update __P((caddr_t, vchar_t *)); -extern vchar_t *eay_hmacsha2_512_final __P((caddr_t)); -extern vchar_t 
*eay_hmacsha2_384_one __P((vchar_t *, vchar_t *)); -extern caddr_t eay_hmacsha2_384_init __P((vchar_t *)); -extern void eay_hmacsha2_384_update __P((caddr_t, vchar_t *)); -extern vchar_t *eay_hmacsha2_384_final __P((caddr_t)); -extern vchar_t *eay_hmacsha2_256_one __P((vchar_t *, vchar_t *)); -extern caddr_t eay_hmacsha2_256_init __P((vchar_t *)); -extern void eay_hmacsha2_256_update __P((caddr_t, vchar_t *)); -extern vchar_t *eay_hmacsha2_256_final __P((caddr_t)); +extern vchar_t *eay_hmacsha2_512_one (vchar_t *, vchar_t *); +extern caddr_t eay_hmacsha2_512_init (vchar_t *); +extern void eay_hmacsha2_512_update (caddr_t, vchar_t *); +extern vchar_t *eay_hmacsha2_512_final (caddr_t); +extern vchar_t *eay_hmacsha2_384_one (vchar_t *, vchar_t *); +extern caddr_t eay_hmacsha2_384_init (vchar_t *); +extern void eay_hmacsha2_384_update (caddr_t, vchar_t *); +extern vchar_t *eay_hmacsha2_384_final (caddr_t); +extern vchar_t *eay_hmacsha2_256_one (vchar_t *, vchar_t *); +extern caddr_t eay_hmacsha2_256_init (vchar_t *); +extern void eay_hmacsha2_256_update (caddr_t, vchar_t *); +extern vchar_t *eay_hmacsha2_256_final (caddr_t); #endif /* HMAC SHA1 */ -extern vchar_t *eay_hmacsha1_one __P((vchar_t *, vchar_t *)); -extern caddr_t eay_hmacsha1_init __P((vchar_t *)); -extern void eay_hmacsha1_update __P((caddr_t, vchar_t *)); -extern vchar_t *eay_hmacsha1_final __P((caddr_t)); +extern vchar_t *eay_hmacsha1_one (vchar_t *, vchar_t *); +extern caddr_t eay_hmacsha1_init (vchar_t *); +extern void eay_hmacsha1_update (caddr_t, vchar_t *); +extern vchar_t *eay_hmacsha1_final (caddr_t); /* HMAC MD5 */ -extern vchar_t *eay_hmacmd5_one __P((vchar_t *, vchar_t *)); -extern caddr_t eay_hmacmd5_init __P((vchar_t *)); -extern void eay_hmacmd5_update __P((caddr_t, vchar_t *)); -extern vchar_t *eay_hmacmd5_final __P((caddr_t)); +extern vchar_t *eay_hmacmd5_one (vchar_t *, vchar_t *); +extern caddr_t eay_hmacmd5_init (vchar_t *); +extern void eay_hmacmd5_update (caddr_t, vchar_t *); +extern 
vchar_t *eay_hmacmd5_final (caddr_t); + #if defined(WITH_SHA2) /* SHA2 functions */ -extern caddr_t eay_sha2_512_init __P((void)); -extern void eay_sha2_512_update __P((caddr_t, vchar_t *)); -extern vchar_t *eay_sha2_512_final __P((caddr_t)); -extern vchar_t *eay_sha2_512_one __P((vchar_t *)); +extern caddr_t eay_sha2_512_init (void); +extern void eay_sha2_512_update (caddr_t, vchar_t *); +extern vchar_t *eay_sha2_512_final (caddr_t); +extern vchar_t *eay_sha2_512_one (vchar_t *); #endif -extern int eay_sha2_512_hashlen __P((void)); +extern int eay_sha2_512_hashlen (void); #if defined(WITH_SHA2) -extern caddr_t eay_sha2_384_init __P((void)); -extern void eay_sha2_384_update __P((caddr_t, vchar_t *)); -extern vchar_t *eay_sha2_384_final __P((caddr_t)); -extern vchar_t *eay_sha2_384_one __P((vchar_t *)); +extern caddr_t eay_sha2_384_init (void); +extern void eay_sha2_384_update (caddr_t, vchar_t *); +extern vchar_t *eay_sha2_384_final (caddr_t); +extern vchar_t *eay_sha2_384_one (vchar_t *); #endif -extern int eay_sha2_384_hashlen __P((void)); +extern int eay_sha2_384_hashlen (void); #if defined(WITH_SHA2) -extern caddr_t eay_sha2_256_init __P((void)); -extern void eay_sha2_256_update __P((caddr_t, vchar_t *)); -extern vchar_t *eay_sha2_256_final __P((caddr_t)); -extern vchar_t *eay_sha2_256_one __P((vchar_t *)); +extern caddr_t eay_sha2_256_init (void); +extern void eay_sha2_256_update (caddr_t, vchar_t *); +extern vchar_t *eay_sha2_256_final (caddr_t); +extern vchar_t *eay_sha2_256_one (vchar_t *); #endif -extern int eay_sha2_256_hashlen __P((void)); +extern int eay_sha2_256_hashlen (void); /* SHA functions */ -extern caddr_t eay_sha1_init __P((void)); -extern void eay_sha1_update __P((caddr_t, vchar_t *)); -extern vchar_t *eay_sha1_final __P((caddr_t)); -extern vchar_t *eay_sha1_one __P((vchar_t *)); -extern int eay_sha1_hashlen __P((void)); +extern caddr_t eay_sha1_init (void); +extern void eay_sha1_update (caddr_t, vchar_t *); +extern vchar_t *eay_sha1_final 
(caddr_t); +extern vchar_t *eay_sha1_one (vchar_t *); +extern int eay_sha1_hashlen (void); /* MD5 functions */ -extern caddr_t eay_md5_init __P((void)); -extern void eay_md5_update __P((caddr_t, vchar_t *)); -extern vchar_t *eay_md5_final __P((caddr_t)); -extern vchar_t *eay_md5_one __P((vchar_t *)); -extern int eay_md5_hashlen __P((void)); +extern caddr_t eay_md5_init (void); +extern void eay_md5_update (caddr_t, vchar_t *); +extern vchar_t *eay_md5_final (caddr_t); +extern vchar_t *eay_md5_one (vchar_t *); +extern int eay_md5_hashlen (void); /* RNG */ -extern vchar_t *eay_set_random __P((u_int32_t)); -extern u_int32_t eay_random __P((void)); +extern vchar_t *eay_set_random (u_int32_t); +extern u_int32_t eay_random (void); /* DH */ -extern int eay_dh_generate __P((vchar_t *, u_int32_t, u_int, vchar_t **, vchar_t **)); -extern int eay_dh_compute __P((vchar_t *, u_int32_t, vchar_t *, vchar_t *, vchar_t *, vchar_t **)); - -#ifdef HAVE_OPENSSL -/* Base 64 */ -vchar_t *base64_encode(char *in, long inlen); -vchar_t *base64_decode(char *in, long inlen); - -RSA *base64_pubkey2rsa(char *in); -RSA *bignum_pubkey2rsa(BIGNUM *in); -#endif +extern int eay_dh_generate (vchar_t *, u_int32_t, u_int, vchar_t **, vchar_t **); +extern int eay_dh_compute (vchar_t *, u_int32_t, vchar_t *, vchar_t *, vchar_t *, vchar_t **); /* misc */ #ifdef HAVE_OPENSSL -extern int eay_revbnl __P((vchar_t *)); #include -extern int eay_v2bn __P((BIGNUM **, vchar_t *)); -extern int eay_bn2v __P((vchar_t **, BIGNUM *)); +extern int eay_v2bn (BIGNUM **, vchar_t *); +extern int eay_bn2v (vchar_t **, BIGNUM *); -extern const char *eay_version __P((void)); +extern const char *eay_version (void); #endif #define CBC_BLOCKLEN 8 diff --git a/ipsec-tools/racoon/debugrm.h b/ipsec-tools/racoon/debugrm.h deleted file mode 100644 index 960c3a5..0000000 --- a/ipsec-tools/racoon/debugrm.h +++ /dev/null 
@@ -1,100 +0,0 @@ -/* $Id: debugrm.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifndef _DEBUGRM_H -#define _DEBUGRM_H - -#define DRMDUMPFILE "/var/tmp/debugrm.dump" - -#ifdef NONEED_DRM -#ifndef racoon_malloc -#define racoon_malloc(sz) malloc((sz)) -#endif -#ifndef racoon_calloc -#define racoon_calloc(cnt, sz) calloc((cnt), (sz)) -#endif -#ifndef racoon_realloc -#define racoon_realloc(old, sz) realloc((old), (sz)) -#endif -#ifndef racoon_free -#define racoon_free(p) free((p)) -#endif -#ifndef racoon_strdup -#define racoon_strdup(p) strdup((p)) -#endif -#else /*!NONEED_DRM*/ -#ifndef racoon_malloc -#define racoon_malloc(sz) \ - DRM_malloc(__FILE__, __LINE__, __func__, (sz)) -#endif -#ifndef racoon_calloc -#define racoon_calloc(cnt, sz) \ - DRM_calloc(__FILE__, __LINE__, __func__, (cnt), (sz)) -#endif -#ifndef racoon_realloc -#define racoon_realloc(old, sz) \ - DRM_realloc(__FILE__, __LINE__, __func__, (old), (sz)) -#endif -#ifndef racoon_free -#define racoon_free(p) \ - DRM_free(__FILE__, __LINE__, __func__, (p)) -#endif -#ifndef racoon_strdup -#define racoon_strdup(p) \ - DRM_strdup(__FILE__, __LINE__, __func__, (p)) -#endif -#endif /*NONEED_DRM*/ - -extern void DRM_init __P((void)); -extern void DRM_dump __P((void)); -extern void *DRM_malloc __P((char *, int, char *, size_t)); -extern void *DRM_calloc __P((char *, int, char *, size_t, size_t)); -extern void *DRM_realloc __P((char *, int, char *, void *, size_t)); -extern void DRM_free __P((char *, int, char *, void *)); -extern char *DRM_strdup __P((char *, int, char *, const char *)); - -#ifndef NONEED_DRM -#define vmalloc(sz) \ - DRM_vmalloc(__FILE__, __LINE__, __func__, (sz)) -#define vdup(old) \ - DRM_vdup(__FILE__, __LINE__, __func__, (old)) -#define vrealloc(old, sz) \ - DRM_vrealloc(__FILE__, __LINE__, __func__, (old), (sz)) -#define vfree(p) \ - DRM_vfree(__FILE__, __LINE__, __func__, (p)) -#endif - -extern void *DRM_vmalloc __P((char *, int, char *, size_t)); -extern void *DRM_vrealloc __P((char *, int, char *, void *, size_t)); -extern void DRM_vfree __P((char *, int, char 
*, void *));
-extern void *DRM_vdup __P((char *, int, char *, void *));
-
-#endif /* _DEBUGRM_H */
diff --git a/ipsec-tools/racoon/dnssec.c b/ipsec-tools/racoon/dnssec.c
index cb0cb02..d7c5148 100644
--- a/ipsec-tools/racoon/dnssec.c
+++ b/ipsec-tools/racoon/dnssec.c
@@ -72,7 +72,7 @@ dnssec_getcert(id)
 namelen = id->l - sizeof(*id_b);
 name = racoon_malloc(namelen + 1);
 if (!name) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "failed to get buffer.\n");
 return NULL;
 }
@@ -83,7 +83,7 @@ dnssec_getcert(id)
 case IPSECDOI_ID_FQDN:
 error = getcertsbyname(name, &res);
 if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "getcertsbyname(\"%s\") failed.\n", name);
 goto err;
 }
@@ -92,7 +92,7 @@ dnssec_getcert(id)
 case IPSECDOI_ID_IPV6_ADDR:
 /* XXX should be processed to query PTR ? */
 default:
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "impropper ID type passed %s "
 "though getcert method is dnssec.\n",
 s_ipsecdoi_ident(id_b->type));
@@ -101,7 +101,7 @@ dnssec_getcert(id)
 /* check response */
 if (res->ci_next != NULL) {
- plog(LLV_WARNING, LOCATION, NULL,
+ plog(ASL_LEVEL_WARNING,
 "not supported multiple CERT RR.\n");
 }
 switch (res->ci_type) {
@@ -110,7 +110,7 @@ dnssec_getcert(id)
 type = ISAKMP_CERT_X509SIGN;
 break;
 default:
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "not supported CERT RR type %d.\n", res->ci_type);
 goto err;
 }
@@ -118,13 +118,13 @@ dnssec_getcert(id)
 /* create cert holder */
 cert = oakley_newcert();
 if (cert == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "failed to get cert buffer.\n");
 goto err;
 }
 cert->pl = vmalloc(res->ci_certlen + 1);
 if (cert->pl == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "failed to get cert buffer.\n");
 goto err;
 }
@@ -133,8 +133,7 @@ dnssec_getcert(id)
 cert->cert.v = cert->pl->v + 1;
 cert->cert.l = cert->pl->l - 1;
- plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n");
- plogdump(LLV_DEBUG, cert->pl->v, cert->pl->l);
+ plog(ASL_LEVEL_DEBUG, "created CERT payload:\n");
 end:
 if (res)
diff --git a/ipsec-tools/racoon/dnssec.h b/ipsec-tools/racoon/dnssec.h
index e43ed81..b57b4a3 100644
--- a/ipsec-tools/racoon/dnssec.h
+++ b/ipsec-tools/racoon/dnssec.h
@@ -32,6 +32,6 @@
 #ifndef _DNSSEC_H
 #define _DNSSEC_H
-extern cert_t *dnssec_getcert __P((vchar_t *));
+extern cert_t *dnssec_getcert (vchar_t *);
 #endif /* _DNSSEC_H */
diff --git a/ipsec-tools/racoon/dump.h b/ipsec-tools/racoon/dump.h
index 22b0645..eba55c7 100644
--- a/ipsec-tools/racoon/dump.h
+++ b/ipsec-tools/racoon/dump.h
@@ -32,8 +32,8 @@
 #ifndef _DUMP_H
 #define _DUMP_H
-extern int isakmp_dump_open __P((char *));
-extern int isakmp_dump_close __P((void));
-extern int isakmp_dump __P((vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *));
+extern int isakmp_dump_open (char *);
+extern int isakmp_dump_close (void);
+extern int isakmp_dump (vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *);
 #endif /* _DUMP_H */
diff --git a/ipsec-tools/racoon/eap.c b/ipsec-tools/racoon/eap.c
new file mode 100644
index 0000000..d1bc6a5
--- /dev/null
+++ b/ipsec-tools/racoon/eap.c
@@ -0,0 +1,42 @@ +/* + * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +/* + * eap.c - Extensible Authentication Protocol. + * + * Redistribution and use in source and binary forms are permitted + * provided that the above copyright notice and this paragraph are + * duplicated in all such forms and that any documentation, + * advertising materials, and other materials related to such + * distribution and use acknowledge that the software was developed + * by Gregory M. Christy. The name of the author may not be used to + * endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#define RCSID "$Id: eap.c,v 1.25 2005/12/13 06:30:15 lindak Exp $" + +#include "config.h" diff --git a/ipsec-tools/racoon/eap.h b/ipsec-tools/racoon/eap.h new file mode 100644 index 0000000..eff068a 
--- /dev/null
+++ b/ipsec-tools/racoon/eap.h
@@ -0,0 +1,245 @@ +/* + * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +/* + * eap.h - Extensible Authentication Protocol definitions. + * + * Redistribution and use in source and binary forms are permitted + * provided that the above copyright notice and this paragraph are + * duplicated in all such forms and that any documentation, + * advertising materials, and other materials related to such + * distribution and use acknowledge that the software was developed + * by the author. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + * + * $Id: eap.h,v 1.7 2004/08/03 23:11:15 lindak Exp $ + */ + +#ifndef __EAP_H__ +#define __EAP_H__ + +#include "vmbuf.h" +#include + +/* + * Challenge lengths (for challenges we send) and other limits. 
+ */ +#define MAX_EAP_RESPONSE_LENGTH 1024 /* Max len for the EAP data part */ +#define MAX_NAME_LENGTH 256 + +/* Code + ID + length */ +#define EAP_HEADERLEN 4 + +/* + * EAP codes. + */ + +/* support for request types 1..4 is mandatory */ +#define EAP_TYPE_NONE 0 /* No EAP type */ +#define EAP_TYPE_IDENTITY 1 /* request for identity */ +#define EAP_TYPE_NOTIFICATION 2 /* notification message */ +#define EAP_TYPE_NAK 3 /* nak (response only) */ +#define EAP_TYPE_MD5CHALLENGE 4 /* password MD5 coded */ + +#define EAP_TYPE_OTP 5 /* One Time Password (OTP) */ +#define EAP_TYPE_TOKEN 6 /* Generic Token Card */ + +#define EAP_TYPE_RSA 9 /* RSA Public Key Authentication */ +#define EAP_TYPE_DSS 10 /* DSS Unilateral */ +#define EAP_TYPE_KEA 11 /* KEA */ +#define EAP_TYPE_KEA_VALIDATE 12 /* KEA-VALIDATE */ +#define EAP_TYPE_TLS 13 /* EAP-TLS */ +#define EAP_TYPE_AXENT 14 /* Defender Token (AXENT) */ +#define EAP_TYPE_RSA_SECURID 15 /* RSA Security SecurID EAP */ +#define EAP_TYPE_ARCOT 16 /* Arcot Systems EAP */ +#define EAP_TYPE_CISCO 17 /* EAP-Cisco Wireless */ +#define EAP_TYPE_SIM 18 /* EAP-SIM */ +#define EAP_TYPE_SRP_SHA1_1 19 /* SRP-SHA1 Part 1 */ +#define EAP_TYPE_SRP_SHA1_2 20 /* SRP-SHA1 Part 2 */ +#define EAP_TYPE_TTLS 21 /* EAP-TTLS */ +#define EAP_TYPE_RAS 22 /* Remote Access Service */ +#define EAP_TYPE_AKA 23 /* EAP-AKA */ +#define EAP_TYPE_3COM 24 /* EAP-3Com Wireless */ +#define EAP_TYPE_PEAP 25 /* PEAP */ +#define EAP_TYPE_MS 26 /* MS-EAP-Authentication */ +#define EAP_TYPE_MAKE 27 /* Mutual Authentication w/Key Exchange (MAKE) */ +#define EAP_TYPE_CRYPTO 28 /* CRYPTOCard */ +#define EAP_TYPE_MSCHAP_V2 29 /* EAP-MSCHAP-V2 */ +#define EAP_TYPE_DYNAM_ID 30 /* DynamID */ +#define EAP_TYPE_ROB 31 /* Rob EAP */ +#define EAP_TYPE_SECUR_ID 32 /* SecurID EAP */ +#define EAP_TYPE_MS_TLV 33 /* MS-Authentication-TLV */ +#define EAP_TYPE_SENTRINET 34 /* SentriNET */ +#define EAP_TYPE_ACTIONTEC 35 /* EAP-Actiontec Wireless */ +#define EAP_TYPE_COGENT 36 /* Cogent 
Systems Biometrics Authentication EAP */ + +#define kEAPPropertiesTypeEAPSIM CFSTR("EAPSIMProperties") +#define kEAPPropertiesTypeEAPAKA CFSTR("EAPAKAProperties") + +#define EAP_REQUEST 1 +#define EAP_RESPONSE 2 +#define EAP_SUCCESS 3 +#define EAP_FAILURE 4 + + +struct EAP_Packet +{ + u_int8_t code; // packet type : 1 = Request, 2 = Response, 3 = Success, 4 = Failure + u_int8_t id; // packet id + u_int16_t len; // packet len (network order) + u_int8_t data[1]; // packet data +} __attribute__((__packed__)); + +#define EAP_NOTIFICATION_NONE 0 +#define EAP_NOTIFICATION_START 1 +#define EAP_NOTIFICATION_RESTART 2 +#define EAP_NOTIFICATION_SUCCESS 3 +#define EAP_NOTIFICATION_PACKET 4 +#define EAP_NOTIFICATION_DATA_FROM_UI 5 +#define EAP_NOTIFICATION_TIMEOUT 6 + +typedef struct EAP_Input { + u_int16_t size; // size of the structure (for future extension) + u_int8_t mode; // 0 for client, 1 for server + u_int8_t initial_id; // initial EAP ID + u_int16_t mtu; // mtu wll determine the maximum packet size to send + u_int16_t notification; // notification the EAP engine sends to the module + u_int16_t data_len; // len of the data + void *data; // data to be consumed depending on the notification + char *identity; // authenticatee identity + char *username; // authenticatee user name + char *password; // authenticatee password +} EAP_Input_t; + +#define EAP_ACTION_NONE 0 +#define EAP_ACTION_SEND 1 +#define EAP_ACTION_INVOKE_UI 2 +#define EAP_ACTION_ACCESS_GRANTED 3 +#define EAP_ACTION_ACCESS_DENIED 4 +#define EAP_ACTION_SEND_WITH_TIMEOUT 5 +#define EAP_ACTION_SEND_AND_DONE 6 +#define EAP_ACTION_CANCEL 7 + + +typedef struct EAP_Output { + u_int16_t size; // size of the structure (for future extension) + u_int16_t action; // action the EAP engine needs to perform + u_int16_t data_len; // len of the data + void *data; // data to be consumed depending on the action + char *username; // authenticatee user name (useful in server mode) +} EAP_Output_t; + +enum { + EAP_NO_ERROR = 0, + 
EAP_ERROR_GENERIC, + EAP_ERROR_INVALID_PACKET +}; + +/* attribute information returned upon successful authentication */ + +#define EAP_ATTRIBUTE_NONE 0 +#define EAP_ATTRIBUTE_MPPE_SEND_KEY 1 +#define EAP_ATTRIBUTE_MPPE_RECV_KEY 2 + +typedef struct EAP_Attribute { + u_int16_t type; // type of the attribute + u_int16_t data_len; // len of the data + void *data; // data to be consumed depending on the type + /* data follow according to the size */ +} __attribute__((__packed__)) EAP_Attribute_t; + +/* + * Extension structure for eap types. + */ + +#define EAP_EXT_CLIENT 0x1 // support client mode + +typedef struct eap_ext { + struct eap_ext *next; // next extensiopn structure + u_int8_t type; // eap type + char *name; // extension name + u_int32_t flags; // support flags + void *plugin; // used to keep ref of the plugin + int (*init) (EAP_Input_t *eap_in, void **context, CFDictionaryRef options); + //int (*reinit) (void *context); + int (*dispose) (void *context); + int (*process) (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out); + int (*free) (void *context, EAP_Output_t *eap_out); + int (*attribute) (void *context, EAP_Attribute_t *eap_attr); + int (*identity) (char *identity, int maxlen); + +} eap_ext_t; + +typedef struct eap_state { + int clientstate; /* Client state */ + + char *our_identity; /* Our identity name */ + char *username; /* the user name (only for client mode) */ + char *password; /* the password (only for client mode) */ + char peer_identity[MAX_NAME_LENGTH]; /* peer name discovered with identity request */ + + u_char req_id; /* ID of last challenge */ + u_char resp_id; /* ID of last response */ + u_char req_type; /* last request type */ + vchar_t *rcvd_msg; + vchar_t *send_key; + vchar_t *recv_key; + + eap_ext_t *client_ext; /* client eap extension */ + void *client_ext_ctx; /* client eap extension context */ + EAP_Input_t *client_ext_input; /* client eap extension input structure */ + EAP_Output_t *client_ext_output; /* client eap 
extension output structure */ + + struct etypes *supported_eap_types; + CFDictionaryRef extra_options; +} eap_state_t; + +#define MPPE_MAX_KEY_LEN 16 /* largest key length (128-bit) */ + +int EapExtAdd(eap_ext_t *newext); + +/* + * Client (peer) states. + */ +#define EAPCS_INITIAL 0 /* Lower layer down, not opened */ +#define EAPCS_CLOSED 1 /* Lower layer up, not opened */ +#define EAPCS_PENDING 2 /* Auth us to peer when lower up */ +#define EAPCS_LISTEN 3 /* Listening for a challenge */ +#define EAPCS_OPEN 4 /* We've received Success */ + +int EapAuthWithPeer (eap_state_t *, vchar_t *, vchar_t *); +void EapLostFailure (eap_state_t *state); + +int EAPLoad(eap_state_t *cstate); + +void EapInit(eap_state_t *cstate); + +void EapStart(eap_state_t *cstate, int); + +void EapStop(eap_state_t *cstate); + +int EapInput(eap_state_t *cstate, u_char *inpacket, int packet_len); + +#endif diff --git a/ipsec-tools/racoon/eap_aka.c b/ipsec-tools/racoon/eap_aka.c new file mode 100644 index 0000000..ff314ab --- /dev/null +++ b/ipsec-tools/racoon/eap_aka.c 
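Review bot: `struct EAP_Packet` declares its trailing payload as `u_int8_t data[1]`, so with the packed attribute `sizeof(struct EAP_Packet)` is 5 while `EAP_HEADERLEN` is 4, and any caller that sizes an allocation or a minimum-length check with `sizeof` instead of the macro is off by one; the file already uses C99 `//` comments, so a flexible array member, `u_int8_t data[];`, would make the two agree. `EAP_Attribute_t` is marked `__attribute__((__packed__))` yet holds a `void *data` pointer next to the comment `/* data follow according to the size */`, which leaves it unclear whether attribute bytes are inline or pointed to; EAPAKAGetAttribute in this same commit stores a pointer, so the comment should say so. `EapInput` takes an untrusted `u_char *inpacket` with `int packet_len`, and `eap_state` keeps a fixed `peer_identity[MAX_NAME_LENGTH]`; a comment on the prototype stating that `ntohs(len)` must be validated against `packet_len`, both against `EAP_HEADERLEN`, before `data` is read, and that the identity must be copied with a bounded length, would pin down the invariants the implementation in eap.c (not in this hunk) has to keep. The guard macro `__EAP_H__` uses a reserved identifier (leading double underscore); `EAP_H_` is the safe form.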
@@ -0,0 +1,340 @@ +/* + * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#if !TARGET_OS_EMBEDDED // This file is not built for Embedded +#include +#include +#include +#include +#endif /* TARGET_OS_EMBEDDED */ +#include +#include "plog.h" +#include "eap.h" +#include "eap_sim.h" + +/*--------------------------------------------------------------------------- + ** Internal routines + **--------------------------------------------------------------------------- + */ + +static CFBundleRef bundle = 0; /* our bundle ref */ +static char eapaka_unique[17]; + +static EAPClientModuleRef eapRef = NULL; +static EAPClientPluginData eapData; +static CFMutableDictionaryRef eapProperties = NULL; +static CFDictionaryRef eapOptions = NULL; +static struct EAP_Packet *eapSavePacket = NULL; + +extern EAPClientPluginFuncRef +eapaka_introspect(EAPClientPluginFuncName name); + +/* 
------------------------------------------------------------------------------------ + get the EAP dictionary from the options + ------------------------------------------------------------------------------------ */ +static void +EAPAKAGetOptions (void) +{ + if (eapOptions) + return; + + // no option, use empty dictionary + if (!eapOptions) + eapOptions = CFDictionaryCreate(0, 0, 0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); +} + +/* ------------------------------------------------------------------------------------ + ------------------------------------------------------------------------------------ */ +static int +EAPAKALoad (void) +{ + EAPClientModuleStatus status; + + if (eapRef) + return EAP_NO_ERROR; + + status = EAPClientModuleAddBuiltinModule(eapaka_introspect); + if (status != kEAPClientModuleStatusOK) { + plog(ASL_LEVEL_INFO, "EAP-AKA: EAPClientAddBuiltinModule(eapaka) failed %d\n", status); + return EAP_ERROR_GENERIC; + } + + eapRef = EAPClientModuleLookup(kEAPTypeEAPAKA); + if (eapRef == NULL) { + plog(ASL_LEVEL_INFO, "EAP-AKA: EAPClientModuleLookup(eapaka) failed\n"); + return EAP_ERROR_GENERIC; + } + + return EAP_NO_ERROR; +} + +/* ------------------------------------------------------------------------------------ + ------------------------------------------------------------------------------------ */ +int EAPAKAIdentity (char *identity, int maxlen) +{ + CFStringRef identRef = NULL; + int error; + int ret = EAP_ERROR_GENERIC; + + error = EAPAKALoad(); + if (error) + return error; + + EAPAKAGetOptions(); + if (eapOptions == NULL) + return ret; + + identRef = EAPClientModulePluginUserName(eapRef, eapOptions); + if (identRef) { + if (CFStringGetCString(identRef, identity, maxlen, kCFStringEncodingUTF8)) + ret = EAP_NO_ERROR; + CFRelease(identRef); + } + + return ret; +} + +/* ------------------------------------------------------------------------------------ + Init routine called by the EAP engine when it needs the 
module. + Identity of the peer is known at this point. + mode is 0 for client, 1 for server. + cookie is the EAP engine context, to pass to subsequent calls to EAP. + context is EAP module context, that will be passed to subsequent calls to the module + ------------------------------------------------------------------------------------ */ +int +EAPAKAInit (EAP_Input_t *eap_in, void **context, CFDictionaryRef eapOptions) +{ + int error; + EAPClientModuleStatus status; + int ret = EAP_ERROR_GENERIC; + + error = EAPAKALoad(); + if (error) + return error; + + bundle = (CFBundleRef)eap_in->data; + if (bundle) + CFRetain(bundle); + + EAPAKAGetOptions(); + + bzero(&eapData, sizeof(eapData)); + + /* remaining fields are read-only: */ + uint32_t username_len = strlen(eap_in->username); + eapData.username = (uint8_t *)strndup(eap_in->username, username_len); + memcpy((void*)&eapData.username_length, &username_len, sizeof(uint32_t)); + *((bool *)&eapData.log_enabled) = 1; + *((uint32_t *)&eapData.log_level) = LOG_NOTICE; + *((uint32_t *)&eapData.mtu) = eap_in->mtu; + *((uint32_t *)&eapData.generation) = 0;/* changed when user updates */ + + arc4random_buf(eapaka_unique, sizeof(eapaka_unique) - 1); + eapaka_unique[sizeof(eapaka_unique)-1] = 0; + + eapData.unique_id = eapaka_unique; /* used for TLS session resumption??? 
*/ + *((uint32_t *)&eapData.unique_id_length) = strlen(eapData.unique_id); + + if (eapOptions) { + CFTypeRef value = CFDictionaryGetValue(eapOptions, kEAPPropertiesTypeEAPAKA); + if (value && CFGetTypeID(value) == CFDictionaryGetTypeID()) { + eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, (CFDictionaryRef)value); + } else { + eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, eapOptions); + } + } else + eapProperties = CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + if (eapProperties == NULL) { + plog(ASL_LEVEL_ERR, "EAP-AKA: Cannot allocate memory\n"); + goto failed; + } + + *((CFDictionaryRef *)&eapData.properties) = (CFDictionaryRef)eapProperties; + + status = EAPClientModulePluginInit(eapRef, &eapData, NULL, &error); + if (status != kEAPClientStatusOK) { + plog(ASL_LEVEL_ERR, "EAP-AKA: EAPClientPluginInit(eapaka) failed, error %d\n", status); + goto failed; + } + + eapSavePacket = NULL; + + return EAP_NO_ERROR; + +failed: + + return ret; +} + +/* ------------------------------------------------------------------------------------ + ------------------------------------------------------------------------------------ */ +int EAPAKADispose (void *context) +{ + + EAPClientModulePluginFree(eapRef, &eapData); + eapRef = 0; + + if (bundle) { + CFRelease(bundle); + bundle = 0; + } + + if (eapOptions) { + CFRelease(eapOptions); + eapOptions = 0; + } + + if (eapProperties) { + CFRelease(eapProperties); + eapProperties = 0; + } + + if (eapSavePacket) { + free(eapSavePacket); + eapSavePacket = 0; + } + + return EAP_NO_ERROR; +} + +/* ------------------------------------------------------------------------------------ + ------------------------------------------------------------------------------------ */ +int +EAPAKAProcess (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out) +{ + struct EAP_Packet *pkt_in = NULL; + struct EAP_Packet *pkt_out = NULL; + EAPClientStatus 
status; + EAPClientState state; + EAPClientDomainSpecificError error; + int do_process = 0; + + // by default, ignore the message + eap_out->action = EAP_ACTION_NONE; + eap_out->data = 0; + eap_out->data_len = 0; + + switch (eap_in->notification) { + + case EAP_NOTIFICATION_DATA_FROM_UI: + plog(ASL_LEVEL_ERR, "unexpected EAP UI event"); + break; + + case EAP_NOTIFICATION_PACKET: + + pkt_in = (struct EAP_Packet *)eap_in->data; + do_process = 1; + break; + } + + if (do_process) { + + state = EAPClientModulePluginProcess(eapRef, &eapData, (EAPPacketRef)pkt_in, (EAPPacketRef*)&pkt_out, &status, &error); + switch(state) { + case kEAPClientStateAuthenticating: + switch (status) { + + case kEAPClientStatusOK: + eap_out->data = pkt_out; + eap_out->data_len = ntohs(pkt_out->len); + eap_out->action = EAP_ACTION_SEND; + break; + + case kEAPClientStatusUserInputRequired: + plog(ASL_LEVEL_ERR, "unsupported EAP UI input"); + default: + eap_out->action = EAP_ACTION_ACCESS_DENIED; + } + break; + + case kEAPClientStateSuccess: + eap_out->action = EAP_ACTION_ACCESS_GRANTED; + break; + + default: + case kEAPClientStateFailure: + eap_out->action = EAP_ACTION_ACCESS_DENIED; + break; + } + } + + if (eapSavePacket) { + free(eapSavePacket); + eapSavePacket = 0; + } + + return 0; +} + +/* ------------------------------------------------------------------------------------ + ------------------------------------------------------------------------------------ */ +int +EAPAKAFree (void *context, EAP_Output_t *eap_out) +{ + + EAPClientModulePluginFreePacket(eapRef, &eapData, eap_out->data); + return EAP_NO_ERROR; +} + +/* ------------------------------------------------------------------------------------ + ------------------------------------------------------------------------------------ */ +int +EAPAKAGetAttribute (void *context, EAP_Attribute_t *eap_attr) +{ + void *data = NULL; + int len = 0; + + eap_attr->data = 0; + + switch (eap_attr->type) { + + case EAP_ATTRIBUTE_MPPE_SEND_KEY: + 
data = EAPClientModulePluginSessionKey(eapRef, &eapData, &len); + break; + case EAP_ATTRIBUTE_MPPE_RECV_KEY: + data = EAPClientModulePluginServerKey(eapRef, &eapData, &len); + break; + } + + if (data == NULL) + return -1; + + eap_attr->data = data; + if (len == 32) + eap_attr->data_len = 64; + else + eap_attr->data_len = len; + return 0; +} diff --git a/ipsec-tools/racoon/eap_sim.c b/ipsec-tools/racoon/eap_sim.c new file mode 100644 index 0000000..2e276d5 --- /dev/null +++ b/ipsec-tools/racoon/eap_sim.c 
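Review bot: In EAPAKAGetAttribute, `if (len == 32) eap_attr->data_len = 64;` advertises twice the length the plugin reported for its key buffer, so a consumer that copies `data_len` bytes reads 32 bytes past what EAPClientModulePluginSessionKey/ServerKey returned unless those routines are known to always back a full 64-byte MSK — that guarantee should be stated in a comment next to the doubling or the doubling dropped. In EAPAKAInit the parameter `CFDictionaryRef eapOptions` shadows the file-static `eapOptions`, so `EAPAKAGetOptions()` populates the global while the following `if (eapOptions)` tests the parameter; renaming the parameter (e.g. `options`) removes the ambiguity. The same function calls `strlen(eap_in->username)` with no NULL check and its `failed:` label returns without releasing `eapProperties`, the retained `bundle` or the strndup'd `eapData.username`, which EAPAKADispose also never frees. `eapaka_unique` is filled by arc4random_buf and then measured with `strlen`, so a NUL among the random bytes truncates `unique_id` to an unpredictable, possibly zero, length; hex-encoding the bytes or passing the fixed 16-byte length would make it deterministic. eap_sim.c in this commit appears to mirror this file almost line for line (its hunk continues past this chunk), so the same points likely apply there.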
@@ -0,0 +1,336 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#if !TARGET_OS_EMBEDDED // This file is not built for Embedded
+#include
+#include
+#include
+#include
+#endif /* TARGET_OS_EMBEDDED */
+#include
+#include "plog.h"
+#include "eap.h"
+#include "eap_sim.h"
+
+/*---------------------------------------------------------------------------
+ ** Internal routines
+ **---------------------------------------------------------------------------
+ */
+
+static CFBundleRef bundle = 0; /* our bundle ref */
+static char eapsim_unique[17];
+
+static EAPClientModuleRef eapRef = NULL;
+static EAPClientPluginData eapData;
+static CFMutableDictionaryRef eapProperties = NULL;
+static CFDictionaryRef eapOptions = NULL;
+static struct EAP_Packet *eapSavePacket = NULL;
+
+extern EAPClientPluginFuncRef eapsim_introspect(EAPClientPluginFuncName name);
+
+/*
------------------------------------------------------------------------------------
+ get the EAP dictionary from the options
+ ------------------------------------------------------------------------------------ */
+static void
+EAPSIMGetOptions (void)
+{
+ if (eapOptions)
+ return;
+
+ // no option, use empty dictionary
+ if (!eapOptions)
+ eapOptions = CFDictionaryCreate(0, 0, 0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+}
+
+/* ------------------------------------------------------------------------------------
+ ------------------------------------------------------------------------------------ */
+static int
+EAPSIMLoad (void)
+{
+ EAPClientModuleStatus status;
+
+ if (eapRef)
+ return EAP_NO_ERROR;
+
+ status = EAPClientModuleAddBuiltinModule(eapsim_introspect);
+ if (status != kEAPClientModuleStatusOK) {
+ plog(ASL_LEVEL_INFO, "EAP-SIM: EAPClientAddBuiltinModule(eapsim) failed %d\n", status);
+ return EAP_ERROR_GENERIC;
+ }
+
+ eapRef = EAPClientModuleLookup(kEAPTypeEAPSIM);
+ if (eapRef == NULL) {
+ plog(ASL_LEVEL_INFO, "EAP-SIM: EAPClientModuleLookup(eapsim) failed\n");
+ return EAP_ERROR_GENERIC;
+ }
+
+ return EAP_NO_ERROR;
+}
+
+/* ------------------------------------------------------------------------------------
+ ------------------------------------------------------------------------------------ */
+int EAPSIMIdentity (char *identity, int maxlen)
+{
+ CFStringRef identRef = NULL;
+ int error;
+ int ret = EAP_ERROR_GENERIC;
+
+ error = EAPSIMLoad();
+ if (error)
+ return error;
+
+ EAPSIMGetOptions();
+ if (eapOptions == NULL)
+ return ret;
+
+ identRef = EAPClientModulePluginUserName(eapRef, eapOptions);
+ if (identRef) {
+ if (CFStringGetCString(identRef, identity, maxlen, kCFStringEncodingUTF8))
+ ret = EAP_NO_ERROR;
+ CFRelease(identRef);
+ }
+
+ return ret;
+}
+
+/* ------------------------------------------------------------------------------------
+ Init routine called by the EAP engine when it needs the
module.
+ Identity of the peer is known at this point.
+ mode is 0 for client, 1 for server.
+ cookie is the EAP engine context, to pass to subsequent calls to EAP.
+ context is EAP module context, that will be passed to subsequent calls to the module
+ ------------------------------------------------------------------------------------ */
+int
+EAPSIMInit (EAP_Input_t *eap_in, void **context, CFDictionaryRef eapOptions)
+{
+ int error;
+ EAPClientModuleStatus status;
+ int ret = EAP_ERROR_GENERIC;
+
+ error = EAPSIMLoad();
+ if (error)
+ return error;
+
+ bundle = (CFBundleRef)eap_in->data;
+ if (bundle)
+ CFRetain(bundle);
+
+ EAPSIMGetOptions();
+
+ bzero(&eapData, sizeof(eapData));
+
+ /* remaining fields are read-only: */
+ *((bool *)&eapData.log_enabled) = 1;
+ *((uint32_t *)&eapData.log_level) = LOG_NOTICE;
+ *((uint32_t *)&eapData.mtu) = eap_in->mtu;
+ *((uint32_t *)&eapData.generation) = 0;/* changed when user updates */
+
+ arc4random_buf(eapsim_unique, sizeof(eapsim_unique) - 1);
+ eapsim_unique[sizeof(eapsim_unique)-1] = 0;
+
+ eapData.unique_id = eapsim_unique; /* used for TLS session resumption???
*/
+ *((uint32_t *)&eapData.unique_id_length) = strlen(eapData.unique_id);
+
+ if (eapOptions) {
+ CFTypeRef value = CFDictionaryGetValue(eapOptions, kEAPPropertiesTypeEAPSIM);
+ if (value && CFGetTypeID(value) == CFDictionaryGetTypeID()) {
+ eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, (CFDictionaryRef)value);
+ } else {
+ eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, eapOptions);
+ }
+ } else
+ eapProperties = CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if (eapProperties == NULL) {
+ plog(ASL_LEVEL_ERR, "EAP-SIM: Cannot allocate memory\n");
+ goto failed;
+ }
+
+ *((CFDictionaryRef *)&eapData.properties) = (CFDictionaryRef)eapProperties;
+
+ status = EAPClientModulePluginInit(eapRef, &eapData, NULL, &error);
+ if (status != kEAPClientStatusOK) {
+ plog(ASL_LEVEL_ERR, "EAP-SIM: EAPClientPluginInit(eapsim) failed, error %d\n", status);
+ goto failed;
+ }
+
+ eapSavePacket = NULL;
+
+ return EAP_NO_ERROR;
+
+failed:
+
+ return ret;
+}
+
+/* ------------------------------------------------------------------------------------
+ ------------------------------------------------------------------------------------ */
+int EAPSIMDispose (void *context)
+{
+
+ EAPClientModulePluginFree(eapRef, &eapData);
+ eapRef = 0;
+
+ if (bundle) {
+ CFRelease(bundle);
+ bundle = 0;
+ }
+
+ if (eapOptions) {
+ CFRelease(eapOptions);
+ eapOptions = 0;
+ }
+
+ if (eapProperties) {
+ CFRelease(eapProperties);
+ eapProperties = 0;
+ }
+
+ if (eapSavePacket) {
+ free(eapSavePacket);
+ eapSavePacket = 0;
+ }
+
+ return EAP_NO_ERROR;
+}
+
+/* ------------------------------------------------------------------------------------
+ ------------------------------------------------------------------------------------ */
+int
+EAPSIMProcess (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out)
+{
+ struct EAP_Packet *pkt_in = NULL;
+ struct EAP_Packet *pkt_out = NULL;
+ EAPClientStatus
status;
+ EAPClientState state;
+ EAPClientDomainSpecificError error;
+ int do_process = 0;
+
+ // by default, ignore the message
+ eap_out->action = EAP_ACTION_NONE;
+ eap_out->data = 0;
+ eap_out->data_len = 0;
+
+ switch (eap_in->notification) {
+
+ case EAP_NOTIFICATION_DATA_FROM_UI:
+ plog(ASL_LEVEL_ERR, "unexpected EAP UI event");
+ break;
+
+ case EAP_NOTIFICATION_PACKET:
+
+ pkt_in = (struct EAP_Packet *)eap_in->data;
+ do_process = 1;
+ break;
+ }
+
+ if (do_process) {
+
+ state = EAPClientModulePluginProcess(eapRef, &eapData, (EAPPacketRef)pkt_in, (EAPPacketRef*)&pkt_out, &status, &error);
+ switch(state) {
+ case kEAPClientStateAuthenticating:
+ switch (status) {
+
+ case kEAPClientStatusOK:
+ eap_out->data = pkt_out;
+ eap_out->data_len = ntohs(pkt_out->len);
+ eap_out->action = EAP_ACTION_SEND;
+ break;
+
+ case kEAPClientStatusUserInputRequired:
+ plog(ASL_LEVEL_ERR, "unsupported EAP UI input");
+ default:
+ eap_out->action = EAP_ACTION_ACCESS_DENIED;
+ }
+ break;
+
+ case kEAPClientStateSuccess:
+ eap_out->action = EAP_ACTION_ACCESS_GRANTED;
+ break;
+
+ default:
+ case kEAPClientStateFailure:
+ eap_out->action = EAP_ACTION_ACCESS_DENIED;
+ break;
+ }
+ }
+
+ if (eapSavePacket) {
+ free(eapSavePacket);
+ eapSavePacket = 0;
+ }
+
+ return 0;
+}
+
+/* ------------------------------------------------------------------------------------
+ ------------------------------------------------------------------------------------ */
+int
+EAPSIMFree (void *context, EAP_Output_t *eap_out)
+{
+
+ EAPClientModulePluginFreePacket(eapRef, &eapData, eap_out->data);
+ return EAP_NO_ERROR;
+}
+
+/* ------------------------------------------------------------------------------------
+ ------------------------------------------------------------------------------------ */
+int
+EAPSIMGetAttribute (void *context, EAP_Attribute_t *eap_attr)
+{
+ void *data = NULL;
+ int len = 0;
+
+ eap_attr->data = 0;
+
+ switch (eap_attr->type) {
+
+ case EAP_ATTRIBUTE_MPPE_SEND_KEY:
+
data = EAPClientModulePluginSessionKey(eapRef, &eapData, &len);
+ break;
+ case EAP_ATTRIBUTE_MPPE_RECV_KEY:
+ data = EAPClientModulePluginServerKey(eapRef, &eapData, &len);
+ break;
+ }
+
+ if (data == NULL)
+ return -1;
+
+ eap_attr->data = data;
+ if (len == 32)
+ eap_attr->data_len = 64;
+ else
+ eap_attr->data_len = len;
+ return 0;
+}
diff --git a/ipsec-tools/racoon/eap_sim.h b/ipsec-tools/racoon/eap_sim.h
new file mode 100644
index 0000000..536c6d4
--- /dev/null
+++ b/ipsec-tools/racoon/eap_sim.h
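Review bot: The `CFDictionaryRef eapOptions` parameter of EAPSIMInit shadows the file-scope `static CFDictionaryRef eapOptions`, so the `if (eapOptions)` branch copies the caller's dictionary into eapProperties while EAPSIMGetOptions() leaves the static one as an always-empty dictionary, and that empty dictionary is what EAPSIMIdentity later hands to EAPClientModulePluginUserName; renaming the parameter to `options`, as the prototype in eap_sim.h already calls it, and storing it in the static (with a CFRetain) when the identity lookup is meant to see the caller's properties would remove the ambiguity. On the `failed:` label the retained `bundle` and the newly created `eapProperties` are left allocated, which leaks unless the engine is guaranteed to call EAPSIMDispose after a failed init. In EAPSIMGetAttribute the `if (len == 32) eap_attr->data_len = 64;` override is undocumented: if the buffer the plugin returns is only `len` bytes, a consumer honouring data_len reads 32 bytes past it, so the invariant this relies on (presumably a 64-byte MSK the plugin reports in two 32-byte halves) should be stated in a comment or the length passed through unchanged. `eapsim_unique` is filled by arc4random_buf and then measured with strlen, so a random NUL byte truncates unique_id_length to anything from 0 to 16; passing an explicit length, or hex-encoding the random bytes, would make it deterministic. EAPAKAGetAttribute in the eap_aka.c hunk above carries the same `len == 32` rewrite.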
@@ -0,0 +1,141 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+/*
+ * eap_plugin.h - Extensible Authentication Protocol Plugin API.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that the above copyright notice and this paragraph are
+ * duplicated in all such forms and that any documentation,
+ * advertising materials, and other materials related to such
+ * distribution and use acknowledge that the software was developed
+ * by the author.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * $Id: eap_plugin.h,v 1.4 2003/08/14 00:00:29 callie Exp $
+ */
+
+/* ----------------------------------------------------------------------
+ IMPORTANT: EAP Plugin API is not stable.
+ The API will change in the upcoming releases
+ ---------------------------------------------------------------------- */
+
+#ifndef __EAP_SIM__
+#define __EAP_SIM__
+
+#include "eap.h"
+
+/* EAP-AKA Subtypes */
+#define EAP_AKA_SUBTYPE_CHALLENGE 1
+#define EAP_AKA_SUBTYPE_AUTH_REJECT 2
+#define EAP_AKA_SUBTYPE_SYNC_FAIL 4
+#define EAP_AKA_SUBTYPE_IDENTITY 5
+#define EAP_AKA_SUBTYPE_NOTIFICATION 12
+#define EAP_AKA_SUBTYPE_REAUTH 13
+#define EAP_AKA_SUBTYPE_CLIENT_ERROR 14
+
+/* EAP-SIM Subtypes */
+#define EAP_SIM_SUBTYPE_START 10
+#define EAP_SIM_SUBTYPE_CHALLENGE 11
+#define EAP_SIM_SUBTYPE_NOTIFICATION 12
+#define EAP_SIM_SUBTYPE_REAUTH 13
+#define EAP_SIM_SUBTYPE_CLIENT_ERROR 14
+
+/* Non-skippable attributes */
+#define EAP_AT_RAND 1
+#define EAP_AT_AUTN 2
+#define EAP_AT_RES 3
+#define EAP_AT_AUTS 4
+#define EAP_AT_PADDING 6
+#define EAP_AT_NONCE_MT 7
+#define EAP_AT_PERMANENT_ID_REQ 10
+#define EAP_AT_MAC 11
+#define EAP_AT_NOTIFICATION 12
+#define EAP_AT_ANY_ID_REQ 13
+#define EAP_AT_IDENTITY 14
+#define EAP_AT_VERSION_LIST 15
+#define EAP_AT_SELECTED_VERSION 16
+#define EAP_AT_FULL_AUTH_ID_REQ 17
+#define EAP_AT_COUNTER 19
+#define EAP_AT_COUNTER_TOO_SMALL 20
+#define EAP_AT_NONCE_S 21
+#define EAP_AT_CLIENT_ERROR_CODE 22
+#define EAP_AT_KDF_INPUT 23
+#define EAP_AT_KDF 24
+
+/* Skippable attributes */
+#define EAP_AT_IV 129
+#define EAP_AT_ENCR_DATA 130
+#define EAP_AT_NEXT_PSEUDONYM 132
+#define EAP_AT_NEXT_REAUTH_ID 133
+#define EAP_AT_CHECKCODE 134
+#define EAP_AT_RESULT_IND 135
+#define EAP_AT_BIDDING 136
+#define EAP_AT_IPMS_IND 137
+#define EAP_AT_IPMS_RES 138
+#define EAP_AT_TRUST_IND 139
+
+/* Attribute notification values */
+#define EAP_AT_NOTIFICATION_GEN_FAIL_POST_AUTH 0 /* General failure after authentication */
+#define EAP_AT_NOTIFICATION_USER_DENIED 1026 /* User has been temporarily denied access */
+#define EAP_AT_NOTIFICATION_NOT_SUBSCRIBED 1031 /* User has not subscribed to the requested service */
+#define
EAP_AT_NOTIFICATION_GEN_FAIL 16384 /* General failure */
+#define EAP_AT_NOTIFICATION_SUCCESS 32768 /* Success */
+
+#define EAP_SIM_VERSION_1 1
+
+typedef struct eap_sim_hdr {
+ u_int8_t eap_type; /* Must be EAP-SIM, 18 */
+ u_int8_t eap_subtype;
+ u_int16_t reserved;
+} __attribute__((__packed__)) eap_sim_hdr_t;
+
+typedef struct eap_sim_attribute {
+ u_int8_t at_type;
+ u_int8_t at_len;
+ u_int16_t at_value;
+ /* Followed by variable-length value */
+} __attribute__((__packed__)) eap_sim_attr_t;
+
+typedef struct eap_sim_msg {
+ eap_sim_hdr_t eap_hdr;
+ eap_sim_attr_t payload[0]; /* Multiple attributes */
+} __attribute__((__packed__)) eap_sim_t;
+
+int EAPSIMIdentity(char *identity, int maxlen);
+int EAPSIMInit(EAP_Input_t *eap_in, void **context, CFDictionaryRef options);
+int EAPSIMDispose(void *context);
+int EAPSIMProcess(void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out);
+int EAPSIMFree(void *context, EAP_Output_t *eap_out);
+int EAPSIMGetAttribute(void *context, EAP_Attribute_t *eap_attr);
+
+int EAPAKAIdentity(char *identity, int maxlen);
+int EAPAKAInit(EAP_Input_t *eap_in, void **context, CFDictionaryRef options);
+int EAPAKADispose(void *context);
+int EAPAKAProcess(void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out);
+int EAPAKAFree(void *context, EAP_Output_t *eap_out);
+int EAPAKAGetAttribute(void *context, EAP_Attribute_t *eap_attr);
+
+#endif
diff --git a/ipsec-tools/racoon/eaytest.c b/ipsec-tools/racoon/eaytest.c
deleted file mode 100644
index df6a65a..0000000
--- a/ipsec-tools/racoon/eaytest.c
+++ /dev/null
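Review bot: `eap_sim_attr_t payload[0];` in struct eap_sim_msg is a zero-length array, a GNU extension; the C99 flexible array member `eap_sim_attr_t payload[];` gives the same packed layout portably and keeps `sizeof(eap_sim_t)` well defined. The include guard `__EAP_SIM__` is a double-underscore identifier reserved for the implementation, and `EAP_SIM_H` would avoid that. The `at_len` field of the wire struct would benefit from a comment stating its unit, e.g. `u_int8_t at_len; /* attribute length in 4-byte units (RFC 4186 section 8.1) */`, since nothing here tells a parser that the value must be scaled before it is used as a byte count. The second comment block ("eap_plugin.h - Extensible Authentication Protocol Plugin API" with its `$Id: eap_plugin.h` line) was carried over from another file and does not describe this header.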
@@ -1,1059 +0,0 @@ -/* $Id: eaytest.c,v 1.20.4.2 2005/06/28 22:38:02 manubsd Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "config.h" - -#include -#include -#include - -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include - -#include "var.h" -#include "vmbuf.h" -#include "misc.h" -#include "debug.h" -#include "str2val.h" -#include "plog.h" - -#include "oakley.h" -#include "dhgroup.h" -#include "crypto_openssl.h" -#include "gnuc.h" - -//#include "package_version.h" - -#define PVDUMP(var) hexdump((var)->v, (var)->l) - -/*#define CERTTEST_BROKEN */ - -/* prototype */ - -static vchar_t *pem_read_buf __P((char *)); -void Usage __P((void)); - -int rsatest __P((int, char **)); -int ciphertest __P((int, char **)); -int hmactest __P((int, char **)); -int sha1test __P((int, char **)); -int md5test __P((int, char **)); -int dhtest __P((int, char **)); -int bntest __P((int, char **)); -#ifndef CERTTEST_BROKEN -static char **getcerts __P((char *)); -int certtest __P((int, char **)); -#endif - -/* test */ - -static int -rsa_verify_with_pubkey(src, sig, pubkey_txt) - vchar_t *src, *sig; - char *pubkey_txt; -{ - BIO *bio; - EVP_PKEY *evp; - int error; - - bio = BIO_new_mem_buf(pubkey_txt, strlen(pubkey_txt)); - evp = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL); - if (! 
evp) { - printf ("PEM_read_PUBKEY(): %s\n", eay_strerror()); - return -1; - } - error = eay_check_rsasign(src, sig, evp->pkey.rsa); - - return error; -} - -int -rsatest(ac, av) - int ac; - char **av; -{ - char *text = "this is test."; - vchar_t src; - vchar_t *priv, *sig; - int loglevel_saved; - - char *pkcs1 = -"-----BEGIN RSA PRIVATE KEY-----\n" -"MIICXQIBAAKBgQChe5/Fzk9SA0vCKBOcu9jBcLb9oLv50PeuEfQojhakY+OH8A3Q\n" -"M8A0qIDG6uhTNGPvzCWb/+mKeOB48n5HJpLxlDFyP3kyd2yXHIZ/MN8g1nh4FsB0\n" -"iTkk8QUCJkkan6FCOBrIeLEsGA5AdodzuR+khnCMt8vO+NFHZYKAQeynyQIDAQAB\n" -"AoGAOfDcnCHxjhDGrwyoNNWl6Yqi7hAtQm67YAbrH14UO7nnmxAENM9MyNgpFLaW\n" -"07v5m8IZQIcradcDXAJOUwNBN8E06UflwEYCaScIwndvr5UpVlN3e2NC6Wyg2yC7\n" -"GarxQput3zj35XNR5bK42UneU0H6zDxpHWqI1SwE+ToAHu0CQQDNl9gUJTpg0L09\n" -"HkbE5jeb8bA5I20nKqBOBP0v5tnzpwu41umQwk9I7Ru0ucD7j+DW4k8otadW+FnI\n" -"G1M1MpSjAkEAyRMt4bN8otfpOpsOQWzw4jQtouohOxRFCrQTntHhU20PrQnQLZWs\n" -"pOVzqCjRytYtkPEUA1z8QK5gGcVPcOQsowJBALmt2rwPB1NrEo5Bat7noO+Zb3Ob\n" -"WDiYWeE8xkHd95gDlSWiC53ur9aINo6ZeP556jGIgL+el/yHHecJLrQL84sCQH48\n" -"zUxq/C/cb++8UzneJGlPqusiJNTLiAENR1gpmlZfHT1c8Nb9phMsfu0vG29GAfuC\n" -"bzchVLljALCNQK+2gRMCQQCNIgN+R9mRWZhFAcC1sq++YnuSBlw4VwdL/fd1Yg9e\n" -"Ul+U98yPl/NXt8Rs4TRBFcOZjkFI8xv0hQtevTgTmgz+\n" -"-----END RSA PRIVATE KEY-----\n\n"; - char *pubkey = -"-----BEGIN PUBLIC KEY-----\n" -"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChe5/Fzk9SA0vCKBOcu9jBcLb9\n" -"oLv50PeuEfQojhakY+OH8A3QM8A0qIDG6uhTNGPvzCWb/+mKeOB48n5HJpLxlDFy\n" -"P3kyd2yXHIZ/MN8g1nh4FsB0iTkk8QUCJkkan6FCOBrIeLEsGA5AdodzuR+khnCM\n" -"t8vO+NFHZYKAQeynyQIDAQAB\n" -"-----END PUBLIC KEY-----\n\n"; - char *pubkey_wrong = -"-----BEGIN PUBLIC KEY-----\n" -"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwDncG2tSokRBhK8la1mO\n" -"QnUpxg6KvpoFUjEyRiIE1GRap5V6jCCEOmA9ZAz4Oa/97oxewwMWtchIxSBZVCia\n" -"H9oGasbOFzrtSR+MKl6Cb/Ow3Fu+PKbHTsnfTk/nOOWyaQh91PRD7fdwHe8L9P7w\n" -"2kFPmDW6+RNKIR4OErhXf1O0eSShPe0TO3vx43O7dWqhmh3Kgr4Jq7zAGqHtwu0B\n" 
-"RFZnmsocOnVZb2yAHndp51/Mk1H37ThHwN7qMx7RqrS3ru3XtchpJd9IQJPBIRfY\n" -"VYQ68u5ix/Z80Y6VkRf0qnAvel8B6D3N3Zyq5u7G60PfvvtCybeMn7nVrSMxqMW/\n" -"xwIDAQAB\n" -"-----END PUBLIC KEY-----\n\n"; - - printf ("%s", pkcs1); - printf ("%s", pubkey); - priv = pem_read_buf(pkcs1); - - src.v = text; - src.l = strlen(text); - - /* sign */ - sig = eay_get_x509sign(&src, priv); - if (sig == NULL) { - printf("sign failed. %s\n", eay_strerror()); - return -1; - } - - printf("RSA signed data.\n"); - PVDUMP(sig); - - printf("Verification with correct pubkey: "); - if (rsa_verify_with_pubkey (&src, sig, pubkey) != 0) { - printf ("Failed.\n"); - return -1; - } - else - printf ("Verified. Good.\n"); - - loglevel_saved = loglevel; - loglevel = 0; - printf("Verification with wrong pubkey: "); - if (rsa_verify_with_pubkey (&src, sig, pubkey_wrong) != 0) - printf ("Not verified. Good.\n"); - else { - printf ("Verified. This is bad...\n"); - loglevel = loglevel_saved; - return -1; - } - loglevel = loglevel_saved; - - return 0; -} - -static vchar_t * -pem_read_buf(buf) - char *buf; -{ - BIO *bio; - char *nm = NULL, *header = NULL; - unsigned char *data = NULL; - long len; - vchar_t *ret; - int error; - - bio = BIO_new_mem_buf(buf, strlen(buf)); - error = PEM_read_bio(bio, &nm, &header, &data, &len); - if (error == 0) - errx(1, "%s", eay_strerror()); - ret = vmalloc(len); - if (ret == NULL) - err(1, "vmalloc"); - memcpy(ret->v, data, len); - - return ret; -} - -#ifndef CERTTEST_BROKEN -int -certtest(ac, av) - int ac; - char **av; -{ - char *certpath; - char **certs; - int type; - int error; - - printf("\n**Test for Certificate.**\n"); - - { - vchar_t *asn1dn = NULL, asn1dn0; -#ifdef ORIG_DN - char dnstr[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane/Email=sakane@kame.net"; - char *dnstr_w1 = 0; - char *dnstr_w2 = 0; - char dn0[] = { - 0x30,0x81,0x9a,0x31,0x0b,0x30,0x09,0x06, - 0x03,0x55,0x04,0x06,0x13,0x02,0x4a,0x50, - 
0x31,0x11,0x30,0x0f,0x06,0x03,0x55,0x04, - 0x08,0x13,0x08,0x4b,0x61,0x6e,0x61,0x67, - 0x61,0x77,0x61,0x31,0x11,0x30,0x0f,0x06, - 0x03,0x55,0x04,0x07,0x13,0x08,0x46,0x75, - 0x6a,0x69,0x73,0x61,0x77,0x61,0x31,0x15, - 0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13, - 0x0c,0x57,0x49,0x44,0x45,0x20,0x50,0x72, - 0x6f,0x6a,0x65,0x63,0x74,0x31,0x15,0x30, - 0x13,0x06,0x03,0x55,0x04,0x0b,0x13,0x0c, - 0x4b,0x41,0x4d,0x45,0x20,0x50,0x72,0x6f, - 0x6a,0x65,0x63,0x74,0x31,0x17,0x30,0x15, - 0x06,0x03,0x55,0x04,0x03,0x13,0x0e,0x53, - 0x68,0x6f,0x69,0x63,0x68,0x69,0x20,0x53, - 0x61,0x6b,0x61,0x6e,0x65,0x31,0x1e,0x30, - 0x1c,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7, - 0x0d,0x01,0x09,0x01, - 0x0c, /* <== XXX */ - 0x0f,0x73,0x61, - 0x6b,0x61,0x6e,0x65,0x40,0x6b,0x61,0x6d, - 0x65,0x2e,0x6e,0x65,0x74, - }; -#else /* not ORIG_DN */ - char dnstr[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane"; - char dnstr_w1[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=*, CN=Shoichi Sakane"; - char dnstr_w2[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=*"; - char dn0[] = { - 0x30,0x7a,0x31,0x0b,0x30,0x09,0x06,0x03, - 0x55,0x04,0x06,0x13,0x02,0x4a,0x50,0x31, - 0x11,0x30,0x0f,0x06,0x03,0x55,0x04,0x08, - 0x13,0x08,0x4b,0x61,0x6e,0x61,0x67,0x61, - 0x77,0x61,0x31,0x11,0x30,0x0f,0x06,0x03, - 0x55,0x04,0x07,0x13,0x08,0x46,0x75,0x6a, - 0x69,0x73,0x61,0x77,0x61,0x31,0x15,0x30, - 0x13,0x06,0x03,0x55,0x04,0x0a,0x13,0x0c, - 0x57,0x49,0x44,0x45,0x20,0x50,0x72,0x6f, - 0x6a,0x65,0x63,0x74,0x31,0x15,0x30,0x13, - 0x06,0x03,0x55,0x04,0x0b,0x13,0x0c,0x4b, - 0x41,0x4d,0x45,0x20,0x50,0x72,0x6f,0x6a, - 0x65,0x63,0x74,0x31,0x17,0x30,0x15,0x06, - 0x03,0x55,0x04,0x03,0x13,0x0e,0x53,0x68, - 0x6f,0x69,0x63,0x68,0x69,0x20,0x53,0x61, - 0x6b,0x61,0x6e,0x65, - }; -#endif /* ORIG_DN */ - - printf("check to convert the string into subjectName.\n"); - printf("%s\n", dnstr); - - asn1dn0.v = dn0; - asn1dn0.l = sizeof(dn0); - - asn1dn = eay_str2asn1dn(dnstr, strlen(dnstr)); - if 
(asn1dn == NULL || asn1dn->l != asn1dn0.l) -#ifdef OUTPUT_VALID_ASN1DN - { - unsigned char *cp; int i; - printf("asn1dn length mismatched (%zu != %zu).\n", asn1dn ? asn1dn->l : -1, asn1dn0.l); - for (cp = asn1dn->v, i = 0; i < asn1dn->l; i++) - printf ("0x%02x,", *cp++); - exit (1); - } -#else - errx(1, "asn1dn length mismatched (%zu != %zu).\n", asn1dn ? asn1dn->l : -1, asn1dn0.l); -#endif - - /* - * NOTE: The value pointed by "<==" above is different from the - * return of eay_str2asn1dn(). but eay_cmp_asn1dn() can distinguish - * both of the names are same name. - */ - if (eay_cmp_asn1dn(&asn1dn0, asn1dn)) - errx(1, "asn1dn mismatched.\n"); - vfree(asn1dn); - - printf("exact match: succeed.\n"); - - if (dnstr_w1) { - asn1dn = eay_str2asn1dn(dnstr_w1, strlen(dnstr_w1)); - if (asn1dn == NULL || asn1dn->l == asn1dn0.l) - errx(1, "asn1dn length wrong for wildcard 1\n"); - if (eay_cmp_asn1dn(&asn1dn0, asn1dn)) - errx(1, "asn1dn mismatched for wildcard 1.\n"); - vfree(asn1dn); - printf("wildcard 1 match: succeed.\n"); - } - - if (dnstr_w1) { - asn1dn = eay_str2asn1dn(dnstr_w2, strlen(dnstr_w2)); - if (asn1dn == NULL || asn1dn->l == asn1dn0.l) - errx(1, "asn1dn length wrong for wildcard 2\n"); - if (eay_cmp_asn1dn(&asn1dn0, asn1dn)) - errx(1, "asn1dn mismatched for wildcard 2.\n"); - vfree(asn1dn); - printf("wildcard 2 match: succeed.\n"); - } - - } - eay_init(); - - /* get certs */ - if (ac > 1) { - certpath = *(av + 1); - certs = getcerts(certpath); - } else { -#ifdef ORIG_DN - printf("\nCAUTION: These certificates are probably invalid " - "on your environment because you don't have their " - "issuer's certs in your environment.\n\n"); - - certpath = "/usr/local/openssl/certs"; - certs = getcerts(NULL); -#else - printf("\nWARNING: The main certificates are probably invalid " - "on your environment\nbecause you don't have their " - "issuer's certs in your environment\nso not doing " - "this test.\n\n"); - return (0); -#endif - } - - while (*certs != NULL) { - - 
vchar_t c; - char *str; - vchar_t *vstr; - - printf("===CERT===\n"); - - c.v = *certs; - c.l = strlen(*certs); - - /* print text */ - str = eay_get_x509text(&c); - printf("%s", str); - racoon_free(str); - - /* print ASN.1 of subject name */ - vstr = eay_get_x509asn1subjectname(&c); - if (!vstr) - return 0; - PVDUMP(vstr); - printf("\n"); - vfree(vstr); - - /* print subject alt name */ - { - int pos; - int len; - for (pos = 1; ; pos++) { - error = eay_get_x509subjectaltname(&c, &str, &type, pos, &len); - if (error) { - printf("no subjectaltname found.\n"); - break; - } - if (!str) - break; - printf("SubjectAltName: %d: %s\n", type, str); - racoon_free(str); - } - } - - /* NULL => name of the certificate file */ - error = eay_check_x509cert(&c, certpath, NULL, 1); - if (error) - printf("ERROR: cert is invalid.\n"); - printf("\n"); - - certs++; - } - return 0; -} - -static char ** -getcerts(path) - char *path; -{ - char **certs = NULL, **p; - DIR *dirp; - struct dirent *dp; - struct stat sb; - char buf[512]; - int len; - int n; - int fd; - - static char *samplecerts[] = { -/* self signed */ -"-----BEGIN CERTIFICATE-----\n" -"MIICpTCCAg4CAQAwDQYJKoZIhvcNAQEEBQAwgZoxCzAJBgNVBAYTAkpQMREwDwYD\n" -"VQQIEwhLYW5hZ2F3YTERMA8GA1UEBxMIRnVqaXNhd2ExFTATBgNVBAoTDFdJREUg\n" -"UHJvamVjdDEVMBMGA1UECxMMS0FNRSBQcm9qZWN0MRcwFQYDVQQDEw5TaG9pY2hp\n" -"IFNha2FuZTEeMBwGCSqGSIb3DQEJARYPc2FrYW5lQGthbWUubmV0MB4XDTAwMDgy\n" -"NDAxMzc0NFoXDTAwMDkyMzAxMzc0NFowgZoxCzAJBgNVBAYTAkpQMREwDwYDVQQI\n" -"EwhLYW5hZ2F3YTERMA8GA1UEBxMIRnVqaXNhd2ExFTATBgNVBAoTDFdJREUgUHJv\n" -"amVjdDEVMBMGA1UECxMMS0FNRSBQcm9qZWN0MRcwFQYDVQQDEw5TaG9pY2hpIFNh\n" -"a2FuZTEeMBwGCSqGSIb3DQEJARYPc2FrYW5lQGthbWUubmV0MIGfMA0GCSqGSIb3\n" -"DQEBAQUAA4GNADCBiQKBgQCpIQG/H3zn4czAmPBcbkDrYxE1A9vcpghpib3Of0Op\n" -"SsiWIBOyIMiVAzK/I/JotWp3Vdn5fzGp/7DGAbWXAALas2xHkNmTMPpu6qhmNQ57\n" -"kJHZHal24mgc1hwbrI9fb5olvIexx9a1riNPnKMRVHzXYizsyMbf+lJJmZ8QFhWN\n" -"twIDAQABMA0GCSqGSIb3DQEBBAUAA4GBACKs6X/BYycuHI3iop403R3XWMHHnNBN\n" 
-"5XTHVWiWgR1cMWkq/dp51gn+nPftpdAaYGpqGkiHGhZcXLoBaX9uON3p+7av+sQN\n" -"plXwnvUf2Zsgu+fojskS0gKcDlYiq1O8TOaBgJouFZgr1q6PiYjVEJGogAP28+HN\n" -"M4o+GBFbFoqK\n" -"-----END CERTIFICATE-----\n\n", -/* signed by SSH testing CA + CA1 + CA2 */ -"-----BEGIN X509 CERTIFICATE-----\n" -"MIICtTCCAj+gAwIBAgIEOaR8NjANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJG\n" -"STEkMCIGA1UEChMbU1NIIENvbW11bmljYXRpb25zIFNlY3VyaXR5MREwDwYDVQQL\n" -"EwhXZWIgdGVzdDEbMBkGA1UEAxMSVGVzdCBDQSAxIHN1YiBjYSAyMB4XDTAwMDgy\n" -"NDAwMDAwMFoXDTAwMTAwMTAwMDAwMFowgZoxCzAJBgNVBAYTAkpQMREwDwYDVQQI\n" -"EwhLYW5hZ2F3YTERMA8GA1UEBxMIRnVqaXNhd2ExFTATBgNVBAoTDFdJREUgUHJv\n" -"amVjdDEVMBMGA1UECxMMS0FNRSBQcm9qZWN0MRcwFQYDVQQDEw5TaG9pY2hpIFNh\n" -"a2FuZTEeMBwGCSqGSIb3DQEJAQwPc2FrYW5lQGthbWUubmV0MIGfMA0GCSqGSIb3\n" -"DQEBAQUAA4GNADCBiQKBgQCpIQG/H3zn4czAmPBcbkDrYxE1A9vcpghpib3Of0Op\n" -"SsiWIBOyIMiVAzK/I/JotWp3Vdn5fzGp/7DGAbWXAALas2xHkNmTMPpu6qhmNQ57\n" -"kJHZHal24mgc1hwbrI9fb5olvIexx9a1riNPnKMRVHzXYizsyMbf+lJJmZ8QFhWN\n" -"twIDAQABo18wXTALBgNVHQ8EBAMCBaAwGgYDVR0RBBMwEYEPc2FrYW5lQGthbWUu\n" -"bmV0MDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9sZGFwLnNzaC5maS9jcmxzL2Nh\n" -"MS0yLmNybDANBgkqhkiG9w0BAQUFAANhADtaqual41OWshF/rwCTuR6zySBJysGp\n" -"+qjkp5efCiYKhAu1L4WXlMsV/SNdzspui5tHasPBvUw8gzFsU/VW/B2zuQZkimf1\n" -"u6ZPjUb/vt8vLOPScP5MeH7xrTk9iigsqQ==\n" -"-----END X509 CERTIFICATE-----\n\n", -/* VP100 */ -"-----BEGIN CERTIFICATE-----\n" -"MIICXzCCAcigAwIBAgIEOXGBIzANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJG\n" -"STEkMCIGA1UEChMbU1NIIENvbW11bmljYXRpb25zIFNlY3VyaXR5MREwDwYDVQQL\n" -"EwhXZWIgdGVzdDESMBAGA1UEAxMJVGVzdCBDQSAxMB4XDTAwMDcxNjAwMDAwMFoX\n" -"DTAwMDkwMTAwMDAwMFowNTELMAkGA1UEBhMCanAxETAPBgNVBAoTCHRhaGl0ZXN0\n" -"MRMwEQYDVQQDEwpmdXJ1a2F3YS0xMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKB\n" -"gQDUmI2RaAuoLvtRDbASwRhbkj/Oq0BBIKgAqbFknc/EanJSQwZQu82gD88nf7gG\n" -"VEioWmKPLDuEjz5JCuM+k5f7HYHI1wWmz1KFr7UA+avZm4Kp6YKnhuH7soZp7kBL\n" -"hTiZEpL0jdmCWLW3ZXoro55rmPrBsCd+bt8VU6tRZm5dUwIBKaNZMFcwCwYDVR0P\n" 
-"BAQDAgWgMBYGA1UdEQQPMA2CBVZQMTAwhwQKFIaFMDAGA1UdHwQpMCcwJaAjoCGG\n" -"H2h0dHA6Ly9sZGFwLnNzaC5maS9jcmxzL2NhMS5jcmwwDQYJKoZIhvcNAQEFBQAD\n" -"gYEAKJ/2Co/KYW65mwpGG3CBvsoRL8xyUMHGt6gQpFLHiiHuAdix1ADTL6uoFuYi\n" -"4sE5omQm1wKVv2ZhS03zDtUfKoVEv0HZ7IY3AU/FZT/M5gQvbt43Dki/ma3ock2I\n" -"PPhbLsvXm+GCVh3jvkYGk1zr7VERVeTPtmT+hW63lcxfFp4=\n" -"-----END CERTIFICATE-----\n\n", -/* IKED */ -"-----BEGIN CERTIFICATE-----\n" -"MIIEFTCCA7+gAwIBAgIKYU5X6AAAAAAACTANBgkqhkiG9w0BAQUFADCBljEpMCcG\n" -"CSqGSIb3DQEJARYaeS13YXRhbmFAc2RsLmhpdGFjaGkuY28uanAxCzAJBgNVBAYT\n" -"AkpQMREwDwYDVQQIEwhLQU5BR0FXQTERMA8GA1UEBxMIWW9rb2hhbWExEDAOBgNV\n" -"BAoTB0hJVEFDSEkxDDAKBgNVBAsTA1NETDEWMBQGA1UEAxMNSVBzZWMgVGVzdCBD\n" -"QTAeFw0wMDA3MTUwMjUxNDdaFw0wMTA3MTUwMzAxNDdaMEUxCzAJBgNVBAYTAkpQ\n" -"MREwDwYDVQQIEwhLQU5BR0FXQTEQMA4GA1UEChMHSElUQUNISTERMA8GA1UEAxMI\n" -"V0FUQU5BQkUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA6Wja5A7Ldzrtx+rMWHEB\n" -"Cyt+/ZoG0qdFQbuuUiU1vOSq+1f+ZSCYAdTq13Lrr6Xfz3jDVFEZLPID9PSTFwq+\n" -"yQIDAQABo4ICPTCCAjkwDgYDVR0PAQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUF\n" -"CAICMB0GA1UdDgQWBBTkv7/MH5Ra+S1zBAmnUIH5w8ZTUTCB0gYDVR0jBIHKMIHH\n" -"gBQsF2qoaTl5F3GFLKrttaxPJ8j4faGBnKSBmTCBljEpMCcGCSqGSIb3DQEJARYa\n" -"eS13YXRhbmFAc2RsLmhpdGFjaGkuY28uanAxCzAJBgNVBAYTAkpQMREwDwYDVQQI\n" -"EwhLQU5BR0FXQTERMA8GA1UEBxMIWW9rb2hhbWExEDAOBgNVBAoTB0hJVEFDSEkx\n" -"DDAKBgNVBAsTA1NETDEWMBQGA1UEAxMNSVBzZWMgVGVzdCBDQYIQeccIf4GYDIBA\n" -"rS6HSUt8XjB7BgNVHR8EdDByMDagNKAyhjBodHRwOi8vZmxvcmEyMjAvQ2VydEVu\n" -"cm9sbC9JUHNlYyUyMFRlc3QlMjBDQS5jcmwwOKA2oDSGMmZpbGU6Ly9cXGZsb3Jh\n" -"MjIwXENlcnRFbnJvbGxcSVBzZWMlMjBUZXN0JTIwQ0EuY3JsMIGgBggrBgEFBQcB\n" -"AQSBkzCBkDBFBggrBgEFBQcwAoY5aHR0cDovL2Zsb3JhMjIwL0NlcnRFbnJvbGwv\n" -"ZmxvcmEyMjBfSVBzZWMlMjBUZXN0JTIwQ0EuY3J0MEcGCCsGAQUFBzAChjtmaWxl\n" -"Oi8vXFxmbG9yYTIyMFxDZXJ0RW5yb2xsXGZsb3JhMjIwX0lQc2VjJTIwVGVzdCUy\n" -"MENBLmNydDANBgkqhkiG9w0BAQUFAANBAG8yZAWHb6g3zba453Hw5loojVDZO6fD\n" -"9lCsyaxeo9/+7x1JEEcdZ6qL7KKqe7ZBwza+hIN0ITkp2WEWo22gTz4=\n" -"-----END CERTIFICATE-----\n\n", -/* From Entrust */ 
-"-----BEGIN CERTIFICATE-----\n" -"MIIDXTCCAsagAwIBAgIEOb6khTANBgkqhkiG9w0BAQUFADA4MQswCQYDVQQGEwJV\n" -"UzEQMA4GA1UEChMHRW50cnVzdDEXMBUGA1UECxMOVlBOIEludGVyb3AgUk8wHhcN\n" -"MDAwOTE4MjMwMDM3WhcNMDMwOTE4MjMzMDM3WjBTMQswCQYDVQQGEwJVUzEQMA4G\n" -"A1UEChMHRW50cnVzdDEXMBUGA1UECxMOVlBOIEludGVyb3AgUk8xGTAXBgNVBAMT\n" -"EFNob2ljaGkgU2FrYW5lIDIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKj3\n" -"eXSt1qXxFXzpa265B/NQYk5BZN7pNJg0tlTKBTVV3UgpQ92Bx5DoNfZh11oIv0Sw\n" -"6YnG5p9F9ma36U9HDoD3hVTjAvQKy4ssCsnU1y6v5XOU1QvYQo6UTzgsXUTaIau4\n" -"Lrccl+nyoiNzy3lG51tLR8CxuA+3OOAK9xPjszClAgMBAAGjggFXMIIBUzBABgNV\n" -"HREEOTA3gQ9zYWthbmVAa2FtZS5uZXSHBM6vIHWCHjIwNi0xNzUtMzItMTE3LnZw\n" -"bndvcmtzaG9wLmNvbTATBgNVHSUEDDAKBggrBgEFBQgCAjALBgNVHQ8EBAMCAKAw\n" -"KwYDVR0QBCQwIoAPMjAwMDA5MTgyMzAwMzdagQ8yMDAyMTAyNTExMzAzN1owWgYD\n" -"VR0fBFMwUTBPoE2gS6RJMEcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0\n" -"MRcwFQYDVQQLEw5WUE4gSW50ZXJvcCBSTzENMAsGA1UEAxMEQ1JMMTAfBgNVHSME\n" -"GDAWgBTzVmhu0tBoWKwkZE5mXpooE9630DAdBgNVHQ4EFgQUEgBHPtXggJqei5Xz\n" -"92CrWXTJxfAwCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAKGwRWNS4wAwIEsDAN\n" -"BgkqhkiG9w0BAQUFAAOBgQCIFriNGMUE8GH5LuDrTJfA8uGx8vLy2seljuo694TR\n" -"et/ojp9QnfOJ1PF9iAdGaEaSLfkwhY4fZNZzxic5HBoHLeo9BXLP7i7FByXjvOZC\n" -"Y8++0dC8NVvendIILcJBM5nbDq1TqIbb8K3SP80XhO5JLVJkoZiQftAMjo0peZPO\n" -"EQ==\n" -"-----END CERTIFICATE-----\n\n", - NULL, - }; - - if (path == NULL) - return (char **)&samplecerts; - - stat(path, &sb); - if (!(sb.st_mode & S_IFDIR)) { - printf("ERROR: %s is not directory.\n", path); - exit(0); - } - - dirp = opendir(path); - if (dirp == NULL) { - printf("opendir failed.\n"); - exit(0); - } - - n = 0; - while ((dp = readdir(dirp)) != NULL) { - if (dp->d_type != DT_REG) - continue; - if (strcmp(dp->d_name + strlen(dp->d_name) - 4, "cert")) - continue; - snprintf(buf, sizeof(buf), "%s/%s", path, dp->d_name); - stat(buf, &sb); - - p = (char **)realloc(certs, (n + 1) * sizeof(certs)); - if (p == NULL) - err(1, "realloc"); - certs = p; - - certs[n] = malloc(sb.st_size + 
1); - if (certs[n] == NULL) - err(1, "malloc"); - - fd = open(buf, O_RDONLY); - if (fd == -1) - err(1, "open"); - len = read(fd, certs[n], sb.st_size); - if (len == -1) - err(1, "read"); - if (len != sb.st_size) - errx(1, "read: length mismatch"); - certs[n][sb.st_size] = '\0'; - close(fd); - - printf("%s: %d\n", dp->d_name, (int)sb.st_size); - - n++; - } - - p = (char **)realloc(certs, (n + 1) * sizeof(certs)); - if (p == NULL) - err(1, "realloc"); - certs = p; - certs[n] = NULL; - - return certs; -} -#endif /* CERTTEST_BROKEN */ - -typedef vchar_t* (eay_func) (vchar_t *, vchar_t *, vchar_t *); - -static int -ciphertest_1 (const char *name, - vchar_t *data, - size_t data_align, - vchar_t *key, - size_t min_keysize, - vchar_t *iv0, - size_t iv_length, - eay_func encrypt, - eay_func decrypt) -{ - int padlen; - vchar_t *buf, *iv, *res1, *res2; - iv = vmalloc(iv_length); - - printf("Test for cipher %s\n", name); - printf("data:\n"); - PVDUMP(data); - - if (data_align <= 1 || (data->l % data_align) == 0) - padlen = 0; - else - padlen = data_align - data->l % data_align; - - buf = vmalloc(data->l + padlen); - memcpy(buf->v, data->v, data->l); - - memcpy(iv->v, iv0->v, iv_length); - res1 = (encrypt)(buf, key, iv); - if (res1 == NULL) { - printf("%s encryption failed.\n", name); - return -1; - } - printf("encrypted:\n"); - PVDUMP(res1); - - memcpy(iv->v, iv0->v, iv_length); - res2 = (decrypt)(res1, key, iv); - if (res2 == NULL) { - printf("%s decryption failed.\n", name); - return -1; - } - printf("decrypted:\n"); - PVDUMP(res2); - - if (memcmp(data->v, res2->v, data->l)) { - printf("XXXX NG (%s) XXXX\n", name); - return -1; - } - else - printf("%s cipher verified.\n", name); - vfree(res1); - vfree(res2); - vfree(buf); - vfree(iv); - - return 0; -} - -int -ciphertest(ac, av) - int ac; - char **av; -{ - vchar_t data; - vchar_t key; - vchar_t iv0; - - printf("\n**Testing CIPHERS**\n"); - - data.v = str2val("\ -06000017 03000000 73616b61 6e65406b 616d652e 6e657409 0002c104 
308202b8 \ -04f05a90 \ - ", 16, &data.l); - key.v = str2val("f59bd70f 81b9b9cc 2a32c7fd 229a4b37", 16, &key.l); - iv0.v = str2val("26b68c90 9467b4ab 7ec29fa0 0b696b55", 16, &iv0.l); - - if (ciphertest_1 ("DES", - &data, 8, - &key, 8, - &iv0, 8, - eay_des_encrypt, eay_des_decrypt) < 0) - return -1; - - if (ciphertest_1 ("3DES", - &data, 8, - &key, 24, - &iv0, 8, - eay_3des_encrypt, eay_3des_decrypt) < 0) - return -1; - - if (ciphertest_1 ("AES", - &data, 16, - &key, key.l, - &iv0, 16, - eay_aes_encrypt, eay_aes_decrypt) < 0) - return -1; - - if (ciphertest_1 ("BLOWFISH", - &data, 8, - &key, key.l, - &iv0, 8, - eay_bf_encrypt, eay_bf_decrypt) < 0) - return -1; - - if (ciphertest_1 ("CAST", - &data, 8, - &key, key.l, - &iv0, 8, - eay_cast_encrypt, eay_cast_decrypt) < 0) - return -1; - -#ifdef HAVE_OPENSSL_IDEA_H - if (ciphertest_1 ("IDEA", - &data, 8, - &key, key.l, - &iv0, 8, - eay_idea_encrypt, eay_idea_decrypt) < 0) - return -1; -#endif - -#ifdef HAVE_OPENSSL_RC5_H - if (ciphertest_1 ("RC5", - &data, 8, - &key, key.l, - &iv0, 8, - eay_rc5_encrypt, eay_rc5_decrypt) < 0) - return -1; -#endif - return 0; -} - -int -hmactest(ac, av) - int ac; - char **av; -{ - char *keyword = "hehehe test secret!"; - char *object = "d7e6a6c1876ef0488bb74958b9fee94e"; - char *object1 = "d7e6a6c1876ef048"; - char *object2 = "8bb74958b9fee94e"; - char *r_hmd5 = "5702d7d1 fd1bfc7e 210fc9fa cda7d02c"; - char *r_hsha1 = "309999aa 9779a43e ebdea839 1b4e7ee1 d8646874"; -#ifdef WITH_SHA2 - char *r_hsha2 = "d47262d8 a5b6f39d d8686939 411b3e79 ed2e27f9 2c4ea89f dd0a06ae 0c0aa396"; -#endif - vchar_t *key, *data, *data1, *data2, *res; - vchar_t mod; - caddr_t ctx; - -#ifdef WITH_SHA2 - printf("\n**Test for HMAC MD5, SHA1, and SHA256.**\n"); -#else - printf("\n**Test for HMAC MD5 & SHA1.**\n"); -#endif - - key = vmalloc(strlen(keyword)); - memcpy(key->v, keyword, key->l); - - data = vmalloc(strlen(object)); - data1 = vmalloc(strlen(object1)); - data2 = vmalloc(strlen(object2)); - memcpy(data->v, 
object, data->l); - memcpy(data1->v, object1, data1->l); - memcpy(data2->v, object2, data2->l); - - /* HMAC MD5 */ - printf("HMAC MD5 by eay_hmacmd5_one()\n"); - res = eay_hmacmd5_one(key, data); - PVDUMP(res); - mod.v = str2val(r_hmd5, 16, &mod.l); - if (memcmp(res->v, mod.v, mod.l)) { - printf(" XXX NG XXX\n"); - return -1; - } - free(mod.v); - vfree(res); - - /* HMAC MD5 */ - printf("HMAC MD5 by eay_hmacmd5_xxx()\n"); - ctx = eay_hmacmd5_init(key); - eay_hmacmd5_update(ctx, data1); - eay_hmacmd5_update(ctx, data2); - res = eay_hmacmd5_final(ctx); - PVDUMP(res); - mod.v = str2val(r_hmd5, 16, &mod.l); - if (memcmp(res->v, mod.v, mod.l)) { - printf(" XXX NG XXX\n"); - return -1; - } - free(mod.v); - vfree(res); - - /* HMAC SHA1 */ - printf("HMAC SHA1 by eay_hmacsha1_one()\n"); - res = eay_hmacsha1_one(key, data); - PVDUMP(res); - mod.v = str2val(r_hsha1, 16, &mod.l); - if (memcmp(res->v, mod.v, mod.l)) { - printf(" XXX NG XXX\n"); - return -1; - } - free(mod.v); - vfree(res); - - /* HMAC SHA1 */ - printf("HMAC SHA1 by eay_hmacsha1_xxx()\n"); - ctx = eay_hmacsha1_init(key); - eay_hmacsha1_update(ctx, data1); - eay_hmacsha1_update(ctx, data2); - res = eay_hmacsha1_final(ctx); - PVDUMP(res); - mod.v = str2val(r_hsha1, 16, &mod.l); - if (memcmp(res->v, mod.v, mod.l)) { - printf(" XXX NG XXX\n"); - return -1; - } - free(mod.v); - vfree(res); - -#ifdef WITH_SHA2 - /* HMAC SHA2 */ - printf("HMAC SHA2 by eay_hmacsha2_256_one()\n"); - res = eay_hmacsha2_256_one(key, data); - PVDUMP(res); - mod.v = str2val(r_hsha2, 16, &mod.l); - if (memcmp(res->v, mod.v, mod.l)) { - printf(" XXX NG XXX\n"); - return -1; - } - free(mod.v); - vfree(res); -#endif - - vfree(data); - vfree(data1); - vfree(data2); - vfree(key); - - return 0; -} - -int -sha1test(ac, av) - int ac; - char **av; -{ - char *word1 = "1234567890", *word2 = "12345678901234567890"; - caddr_t ctx; - vchar_t *buf, *res; - - printf("\n**Test for SHA1.**\n"); - - ctx = eay_sha1_init(); - buf = vmalloc(strlen(word1)); - 
memcpy(buf->v, word1, buf->l); - eay_sha1_update(ctx, buf); - eay_sha1_update(ctx, buf); - res = eay_sha1_final(ctx); - PVDUMP(res); - vfree(res); - vfree(buf); - - ctx = eay_sha1_init(); - buf = vmalloc(strlen(word2)); - memcpy(buf->v, word2, buf->l); - eay_sha1_update(ctx, buf); - res = eay_sha1_final(ctx); - PVDUMP(res); - vfree(res); - - res = eay_sha1_one(buf); - PVDUMP(res); - vfree(res); - vfree(buf); - - return 0; -} - -int -md5test(ac, av) - int ac; - char **av; -{ - char *word1 = "1234567890", *word2 = "12345678901234567890"; - caddr_t ctx; - vchar_t *buf, *res; - - printf("\n**Test for MD5.**\n"); - - ctx = eay_md5_init(); - buf = vmalloc(strlen(word1)); - memcpy(buf->v, word1, buf->l); - eay_md5_update(ctx, buf); - eay_md5_update(ctx, buf); - res = eay_md5_final(ctx); - PVDUMP(res); - vfree(res); - vfree(buf); - - ctx = eay_md5_init(); - buf = vmalloc(strlen(word2)); - memcpy(buf->v, word2, buf->l); - eay_md5_update(ctx, buf); - res = eay_md5_final(ctx); - PVDUMP(res); - vfree(res); - - res = eay_md5_one(buf); - PVDUMP(res); - vfree(res); - vfree(buf); - - return 0; -} - -int -dhtest(ac, av) - int ac; - char **av; -{ - static struct { - char *name; - char *p; - } px[] = { - { "modp768", OAKLEY_PRIME_MODP768, }, - { "modp1024", OAKLEY_PRIME_MODP1024, }, - { "modp1536", OAKLEY_PRIME_MODP1536, }, - { "modp2048", OAKLEY_PRIME_MODP2048, }, - { "modp3072", OAKLEY_PRIME_MODP3072, }, - { "modp4096", OAKLEY_PRIME_MODP4096, }, - { "modp6144", OAKLEY_PRIME_MODP6144, }, - { "modp8192", OAKLEY_PRIME_MODP8192, }, - }; - vchar_t p1, *pub1, *priv1, *gxy1; - vchar_t p2, *pub2, *priv2, *gxy2; - int i; - - printf("\n**Test for DH.**\n"); - - for (i = 0; i < sizeof(px)/sizeof(px[0]); i++) { - printf("\n**Test for DH %s.**\n", px[i].name); - - p1.v = str2val(px[i].p, 16, &p1.l); - p2.v = str2val(px[i].p, 16, &p2.l); - printf("prime number = \n"); PVDUMP(&p1); - - if (eay_dh_generate(&p1, 2, 96, &pub1, &priv1) < 0) { - printf("error\n"); - return -1; - } - printf("private 
key for user 1 = \n"); PVDUMP(priv1); - printf("public key for user 1 = \n"); PVDUMP(pub1); - - if (eay_dh_generate(&p2, 2, 96, &pub2, &priv2) < 0) { - printf("error\n"); - return -1; - } - printf("private key for user 2 = \n"); PVDUMP(priv2); - printf("public key for user 2 = \n"); PVDUMP(pub2); - - /* process to generate key for user 1 */ - gxy1 = vmalloc(p1.l); - memset(gxy1->v, 0, gxy1->l); - eay_dh_compute(&p1, 2, pub1, priv1, pub2, &gxy1); - printf("sharing gxy1 of user 1 = \n"); PVDUMP(gxy1); - - /* process to generate key for user 2 */ - gxy2 = vmalloc(p1.l); - memset(gxy2->v, 0, gxy2->l); - eay_dh_compute(&p2, 2, pub2, priv2, pub1, &gxy2); - printf("sharing gxy2 of user 2 = \n"); PVDUMP(gxy2); - - if (memcmp(gxy1->v, gxy2->v, gxy1->l)) { - printf("ERROR: sharing gxy mismatched.\n"); - return -1; - } - - vfree(pub1); - vfree(pub2); - vfree(priv1); - vfree(priv2); - vfree(gxy1); - vfree(gxy2); - } - - return 0; -} - -int -bntest(ac, av) - int ac; - char **av; -{ - vchar_t *rn; - - printf("\n**Test for generate a random number.**\n"); - - rn = eay_set_random((u_int32_t)96); - PVDUMP(rn); - vfree(rn); - - return 0; -} - -struct { - char *name; - int (*func) __P((int, char **)); -} func[] = { - { "random", bntest, }, - { "dh", dhtest, }, - { "md5", md5test, }, - { "sha1", sha1test, }, - { "hmac", hmactest, }, - { "cipher", ciphertest, }, -#ifndef CERTTEST_BROKEN - { "cert", certtest, }, -#endif - { "rsa", rsatest, }, -}; - -int -main(ac, av) - int ac; - char **av; -{ - int i; - int len = sizeof(func)/sizeof(func[0]); - - f_foreground = 1; - ploginit(); - - //printf ("\nTestsuite of the %s\nlinked with %s\n\n", TOP_PACKAGE_STRING, eay_version()); - - if (strcmp(*av, "-h") == 0) - Usage(); - - ac--; - av++; - - for (i = 0; i < len; i++) { - if ((ac == 0) || (strcmp(*av, func[i].name) == 0)) { - if ((func[i].func)(ac, av) != 0) { - printf ("\n!!!!! Test '%s' failed. 
!!!!!\n\n", func[i].name); - exit(1); - } - if (ac) - break; - } - } - if (ac && i == len) - Usage(); - - printf ("\n===== All tests passed =====\n\n"); - exit(0); -} - -void -Usage() -{ - int i; - int len = sizeof(func)/sizeof(func[0]); - - printf("Usage: eaytest ["); - for (i = 0; i < len; i++) - printf("%s%s", func[i].name, (i -#include -#include -#include -#include -#include -#include -#include - -#include "vmbuf.h" -#include "plog.h" -#include "misc.h" -#include "admin.h" -#include "gcmalloc.h" -#include "evt.h" - -#ifdef ENABLE_ADMINPORT -struct evtlist evtlist = TAILQ_HEAD_INITIALIZER(evtlist); -int evtlist_len = 0; - -void -evt_push(src, dst, type, optdata) - struct sockaddr_storage *src; - struct sockaddr_storage *dst; - int type; - vchar_t *optdata; -{ - struct evtdump *evtdump; - struct evt *evt; - size_t len; - - /* If admin socket is disabled, silently discard anything */ - if (adminsock_path == NULL) - return; - - /* If we are above the limit, don't record anything */ - if (evtlist_len > EVTLIST_MAX) { - plog(LLV_DEBUG, LOCATION, NULL, - "Cannot record event: event queue overflowed\n"); - return; - } - - /* If we hit the limit, record an overflow event instead */ - if (evtlist_len == EVTLIST_MAX) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot record event: event queue overflow\n"); - src = NULL; - dst = NULL; - type = EVTT_OVERFLOW; - optdata = NULL; - } - - len = sizeof(*evtdump); - if (optdata) - len += optdata->l; - - if ((evtdump = racoon_malloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot record event: %s\n", - strerror(errno)); - return; - } - - if ((evt = racoon_malloc(sizeof(*evt))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot record event: %s\n", - strerror(errno)); - racoon_free(evtdump); - return; - } - - if (src) - memcpy(&evtdump->src, src, sysdep_sa_len((struct sockaddr *)src)); - if (dst) - memcpy(&evtdump->dst, dst, sysdep_sa_len((struct sockaddr *)dst)); - evtdump->len = len; - evtdump->type = type; - 
time(&evtdump->timestamp); - - if (optdata) - memcpy(evtdump + 1, optdata->v, optdata->l); - - evt->dump = evtdump; - TAILQ_INSERT_TAIL(&evtlist, evt, next); - - evtlist_len++; - - return; -} - -struct evtdump * -evt_pop(void) { - struct evtdump *evtdump; - struct evt *evt; - - if ((evt = TAILQ_FIRST(&evtlist)) == NULL) - return NULL; - - evtdump = evt->dump; - TAILQ_REMOVE(&evtlist, evt, next); - racoon_free(evt); - evtlist_len--; - - return evtdump; -} - -vchar_t * -evt_dump(void) { - struct evtdump *evtdump; - vchar_t *buf = NULL; - - if ((evtdump = evt_pop()) != NULL) { - if ((buf = vmalloc(evtdump->len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "evt_dump failed: %s\n", strerror(errno)); - return NULL; - } - memcpy(buf->v, evtdump, evtdump->len); - racoon_free(evtdump); - } - - return buf; -} - -#endif /* ENABLE_ADMINPORT */ diff --git a/ipsec-tools/racoon/evt.h b/ipsec-tools/racoon/evt.h deleted file mode 100644 index 9707da1..0000000 --- a/ipsec-tools/racoon/evt.h +++ /dev/null 
@@ -1,88 +0,0 @@ -/* $NetBSD: evt.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */ - -/* Id: evt.h,v 1.5 2006/01/19 10:24:09 fredsen Exp */ - -/* - * Copyright (C) 2004 Emmanuel Dreyfus - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifndef _EVT_H -#define _EVT_H - -struct evtdump { - size_t len; - struct sockaddr_storage src; - struct sockaddr_storage dst; - time_t timestamp; - int type; - /* - * Optionnal list of struct isakmp_data - * for type EVTT_ISAKMP_CFG_DONE - */ -}; - -/* type */ -#define EVTT_UNSEPC 0 -#define EVTT_PHASE1_UP 1 -#define EVTT_PHASE1_DOWN 2 -#define EVTT_XAUTH_SUCCESS 3 -#define EVTT_ISAKMP_CFG_DONE 4 -#define EVTT_PHASE2_UP 5 -#define EVTT_PHASE2_DOWN 6 -#define EVTT_DPD_TIMEOUT 7 -#define EVTT_PEER_NO_RESPONSE 8 -#define EVTT_PEER_DELETE 9 -#define EVTT_RACOON_QUIT 10 -#define EVTT_XAUTH_FAILED 11 -#define EVTT_OVERFLOW 12 /* Event queue overflowed */ -#define EVTT_PEERPH1AUTH_FAILED 13 -#define EVTT_PEERPH1_NOPROP 14 /* NO_PROPOSAL_CHOSEN & friends */ -#define EVTT_NO_ISAKMP_CFG 15 /* no need to wait for mode_cfg */ - -struct evt { - struct evtdump *dump; - TAILQ_ENTRY(evt) next; -}; - -TAILQ_HEAD(evtlist, evt); - -#define EVTLIST_MAX 32 - -#ifdef ENABLE_ADMINPORT -struct evtdump *evt_pop(void); -vchar_t *evt_dump(void); -void evt_push(struct sockaddr_storage *, struct sockaddr_storage *, int, vchar_t *); -#endif - -#ifdef ENABLE_ADMINPORT -#define EVT_PUSH(src, dst, type, optdata) evt_push(src, dst, type, optdata); -#else -#define EVT_PUSH(src, dst, type, optdata) ; -#endif - -#endif /* _EVT_H */ diff --git a/ipsec-tools/racoon/fsm.c b/ipsec-tools/racoon/fsm.c new file mode 100644 index 0000000..5e5a054 --- /dev/null +++ b/ipsec-tools/racoon/fsm.c 
@@ -0,0 +1,392 @@ +/* + * Copyright (c) 2008, 2012, 2013 Apple Computer, Inc. All rights reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * The contents of this file constitute Original Code as defined in and + * are subject to the Apple Public Source License Version 1.1 (the + * "License"). You may not use this file except in compliance with the + * License. Please obtain a copy of the License at + * http://www.apple.com/publicsource and read it before using this file. + * + * This Original Code and all software distributed under the License are + * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the + * License for the specific language governing rights and limitations + * under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#include "fsm.h" + +#include +#include +#include +#include + +#include "var.h" +#include "misc.h" +#include "session.h" +#include "isakmp.h" +#include "ike_session.h" +#include "isakmp_var.h" +#include "isakmp_ident.h" +#include "isakmp_agg.h" +#include "isakmp_quick.h" +#include "isakmp_inf.h" +#include "vpn_control_var.h" + +#include "plog.h" +#include "schedule.h" + +void +fsm_set_state(int *var, int state) +{ + *var = state; + plog(ASL_LEVEL_DEBUG, "****** state changed to: %s\n", s_isakmp_state(0, 0, state)); +} + + +//================================ +// Version Agnostic Events +//================================ +void +fsm_api_handle_connect (struct sockaddr_storage *remote, const int connect_mode) +{ + + +} + +void +fsm_api_handle_disconnect (struct sockaddr_storage *remote, const char *reason) +{ + + +} + +void +fsm_pfkey_handle_acquire (phase2_handle_t *iph2) +{ + + +} + +void +fsm_pfkey_getspi_complete (phase2_handle_t *iph2) +{ + +} + +void +fsm_isakmp_initial_pkt (vchar_t *pkt, struct 
sockaddr_storage *local, struct sockaddr_storage *remote) +{ + + +} + +//================================ +// IKEv1 Events +//================================ + +int +fsm_ikev1_phase1_process_payloads (phase1_handle_t *iph1, vchar_t *msg) +{ + + int error = 0; +#ifdef ENABLE_STATS + struct timeval start, end; + + gettimeofday(&start, NULL); +#endif + + switch (iph1->status) { + case IKEV1_STATE_PHASE1_ESTABLISHED: + return 0; // ignore - already established + + case IKEV1_STATE_IDENT_I_MSG1SENT: + error = ident_i2recv(iph1, msg); + break; + + case IKEV1_STATE_IDENT_I_MSG3SENT: + error = ident_i4recv(iph1, msg); + break; + + case IKEV1_STATE_IDENT_I_MSG5SENT: + error = ident_i6recv(iph1, msg); + break; + + case IKEV1_STATE_IDENT_R_START: + error = ident_r1recv(iph1, msg); + if (error) { + plog(ASL_LEVEL_ERR, "failed to pre-process packet.\n"); + goto fail; + } + break; + + case IKEV1_STATE_IDENT_R_MSG2SENT: + error = ident_r3recv(iph1, msg); + break; + + case IKEV1_STATE_IDENT_R_MSG4SENT: + error = ident_r5recv(iph1, msg); + break; + + case IKEV1_STATE_AGG_R_START: + error = agg_r1recv(iph1, msg); + if (error) { + plog(ASL_LEVEL_ERR, "failed to pre-process packet.\n"); + goto fail; + } + break; + + case IKEV1_STATE_AGG_I_MSG1SENT: + error = agg_i2recv(iph1, msg); + break; + + case IKEV1_STATE_AGG_R_MSG2SENT: + error = agg_r3recv(iph1, msg); + break; + + default: + // log invalid state + error = -1; + break; + } + if (error) + return 0; // ignore error and keep phase 1 handle + + VPTRINIT(iph1->sendbuf); + /* turn off schedule */ + SCHED_KILL(iph1->scr); + + /* send */ + plog(ASL_LEVEL_DEBUG, "===\n"); + if ((error = fsm_ikev1_phase1_send_response(iph1, msg))) { + plog(ASL_LEVEL_ERR, "failed to process packet.\n"); + goto fail; + } + +#ifdef ENABLE_STATS + gettimeofday(&end, NULL); + syslog(LOG_NOTICE, "%s(%s): %8.6f", + "Phase 1", s_isakmp_state(iph1->etype, iph1->side, iph1->status), + timedelta(&start, &end)); +#endif + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) 
+ ikev1_phase1_established(iph1); + + return 0; + +fail: + plog(ASL_LEVEL_ERR, "Phase 1 negotiation failed.\n"); + ike_session_unlink_phase1(iph1); + return error; + +} + + +int +fsm_ikev1_phase1_send_response(phase1_handle_t *iph1, vchar_t *msg) +{ + + int error = 0; + + switch (iph1->status) { + case IKEV1_STATE_IDENT_I_START: + error = ident_i1send(iph1, msg); + break; + + case IKEV1_STATE_IDENT_I_MSG2RCVD: + error = ident_i3send(iph1, msg); + break; + + case IKEV1_STATE_IDENT_I_MSG4RCVD: + error = ident_i5send(iph1, msg); + break; + + case IKEV1_STATE_IDENT_I_MSG6RCVD: + error = ident_ifinalize(iph1, msg); + break; + + case IKEV1_STATE_IDENT_R_MSG1RCVD: + error = ident_r2send(iph1, msg); + break; + + case IKEV1_STATE_IDENT_R_MSG3RCVD: + error = ident_r4send(iph1, msg); + break; + + case IKEV1_STATE_IDENT_R_MSG5RCVD: + error = ident_r6send(iph1, msg); + break; + + case IKEV1_STATE_AGG_I_START: + error = agg_i1send(iph1, msg); + break; + + case IKEV1_STATE_AGG_I_MSG2RCVD: + error = agg_i3send(iph1, msg); + break; + + case IKEV1_STATE_AGG_R_MSG1RCVD: + error = agg_r2send(iph1, msg); + break; + + case IKEV1_STATE_AGG_R_MSG3RCVD: + error = agg_rfinalize(iph1, msg); + break; + + default: + // log invalid state + error = -1; + break;; + } + + if (error) { + u_int32_t address; + if (iph1->remote->ss_family == AF_INET) + address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; + else { + address = 0; + } + vpncontrol_notify_ike_failed(error, FROM_LOCAL, address, 0, NULL); + } + + return error; +} + +int +fsm_ikev1_phase2_process_payloads (phase2_handle_t *iph2, vchar_t *msg) +{ + + int error = 0; +#ifdef ENABLE_STATS + struct timeval start, end; + + gettimeofday(&start, NULL); +#endif + + switch (iph2->status) { + /* ignore a packet */ + case IKEV1_STATE_PHASE2_ESTABLISHED: + case IKEV1_STATE_QUICK_I_GETSPISENT: + case IKEV1_STATE_QUICK_R_GETSPISENT: + return 0; + + case IKEV1_STATE_QUICK_I_MSG1SENT: + error = quick_i2recv(iph2, msg); + break; + + case 
IKEV1_STATE_QUICK_I_MSG3SENT: + error = quick_i4recv(iph2, msg); + break; + + case IKEV1_STATE_QUICK_R_START: + error = quick_r1recv(iph2, msg); + break; + + case IKEV1_STATE_QUICK_R_MSG2SENT: + error = quick_r3recv(iph2, msg); + break; + + default: + // log invalid state + error = -1; + break; + } + + if (error) { + plog(ASL_LEVEL_ERR, "failed to pre-process packet.\n"); + if (error == ISAKMP_INTERNAL_ERROR) + fatal_error(-1); + isakmp_info_send_n1(iph2->ph1, error, NULL); + goto fail; + } + + /* when using commit bit, status will be reached here. */ + //if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - wrong place + // return 0; + + /* free resend buffer */ + if (iph2->sendbuf == NULL && iph2->status != IKEV1_STATE_QUICK_R_MSG1RCVD) { + plog(ASL_LEVEL_ERR, + "no buffer found as sendbuf\n"); + error = -1; + goto fail; + } + VPTRINIT(iph2->sendbuf); + + /* turn off schedule */ + SCHED_KILL(iph2->scr); + + /* when using commit bit, will be finished here - no more packets to send */ + if (iph2->status == IKEV1_STATE_QUICK_I_ADDSA) + return 0; + + error = fsm_ikev1_phase2_send_response(iph2, msg); + if (error) { + plog(ASL_LEVEL_ERR, "failed to process packet.\n"); + goto fail; + } + +#ifdef ENABLE_STATS + gettimeofday(&end, NULL); + syslog(LOG_NOTICE, "%s(%s): %8.6f", + "Phase 2", + s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), + timedelta(&start, &end)); +#endif + + return 0; + +fail: + plog(ASL_LEVEL_ERR, "Phase 2 negotiation failed.\n"); + ike_session_unlink_phase2(iph2); + return error; + +} + +int +fsm_ikev1_phase2_send_response(phase2_handle_t *iph2, vchar_t *msg) +{ + + int error = 0; + + switch (iph2->status) { + case IKEV1_STATE_QUICK_R_MSG1RCVD: + error = quick_rprep(iph2, msg); + break; + + case IKEV1_STATE_QUICK_I_GETSPIDONE: + error = quick_i1send(iph2, msg); + break; + + case IKEV1_STATE_QUICK_I_MSG2RCVD: + error = quick_i3send(iph2, msg); + break; + + case IKEV1_STATE_QUICK_R_GETSPIDONE: + error = quick_r2send(iph2, msg); + break; + + 
case IKEV1_STATE_QUICK_R_MSG3RCVD: + error = quick_r4send(iph2, msg); + break; + + case IKEV1_STATE_QUICK_R_COMMIT: + error = quick_rfinalize(iph2, msg); + break; + + default: + // log invalid state + error = -1; + break;; + } + return error; + +} + diff --git a/ipsec-tools/racoon/fsm.h b/ipsec-tools/racoon/fsm.h new file mode 100644 index 0000000..4a43c0d --- /dev/null +++ b/ipsec-tools/racoon/fsm.h 
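Review bot: The `default:` arm of the switch in fsm_ikev1_phase1_process_payloads carries the comment `// log invalid state` but logs nothing, and the `if (error) return 0;` that follows then drops the message silently, so a packet arriving in a state the state machine does not expect leaves no trace in the log at all; the same unlogged `default:` appears in fsm_ikev1_phase1_send_response, fsm_ikev1_phase2_process_payloads and fsm_ikev1_phase2_send_response. A one-line diagnostic in each, e.g. `plog(ASL_LEVEL_ERR, "packet received in unexpected phase 1 state %s\n", s_isakmp_state(iph1->etype, iph1->side, iph1->status));`, gives an operator something to correlate when a negotiation stalls. Silently returning 0 for every non-zero result of the `ident_*recv`/`agg_*recv` calls is presumably deliberate (keep the handle and wait for a retransmit), but phase 2 logs "failed to pre-process packet" in the same situation, so a debug-level message here would at least make the two paths consistent. As a point of style, the two `break;;` in the send_response defaults should be `break;`.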
@@ -0,0 +1,210 @@ +/* + * Copyright (c) 2008 Apple Computer, Inc. All rights reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * The contents of this file constitute Original Code as defined in and + * are subject to the Apple Public Source License Version 1.1 (the + * "License"). You may not use this file except in compliance with the + * License. Please obtain a copy of the License at + * http://www.apple.com/publicsource and read it before using this file. + * + * This Original Code and all software distributed under the License are + * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the + * License for the specific language governing rights and limitations + * under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef _FSM_H +#define _FSM_H + +#include +#include +#include +#include + +#include "vmbuf.h" +#include "ike_session.h" +#include "handler.h" +#include "strnames.h" +#include "ipsec_xpc.h" + +//================================ +// Defines +//================================ +// + +// +// State Flags +// +// bit# +// 0 Ike Version 0 = v1 1= v2 +// 1 Expired +// 2 Established +// 3 Negotiating +// 4-5 Ike Phase 1 = Phase1 2 = phase2 +// 6 Reserved +// 7 Direction 0 = Initiator 1 = Responder +// + +// STATE FLAG MASKS +#define IKE_STATE_MASK_VERSION 0x8000 +#define IKE_STATE_MASK_EXPIRED 0x4000 +#define IKE_STATE_MASK_ESTABLISHED 0x2000 +#define IKE_STATE_MASK_NEGOTIATING 0x1000 +#define IKE_STATE_MASK_PHASE 0x0C00 +#define IKE_STATE_MASK_XAUTH_OR_EAP_SUCC 0x0200 +#define IKE_STATE_MASK_DIRECTION 0x0100 +#define IKE_STATE_MASK_MODE 0x00C0 +#define IKE_STATE_MASK_STATE 0X003F + +#define IKE_STATE_FLAG_VALUE_IKEV1 0x0000 +#define IKE_STATE_FLAG_VALUE_IKEV2 0x8000 +#define IKE_STATE_FLAG_VALUE_EXPIRED 0x4000 +#define 
IKE_STATE_FLAG_VALUE_ESTABLISED 0x2000 +#define IKE_STATE_FLAG_VALUE_NEGOTIATING 0x1000 +#define IKE_STATE_FLAG_VALUE_PHASE1 0x0400 +#define IKE_STATE_FLAG_VALUE_PHASE2 0x0800 +#define IKE_STATE_FLAG_XAUTH_OR_EAP_SUCC 0x0200 +#define IKE_STATE_FLAG_VALUE_INITIATOR 0x0000 +#define IKE_STATE_FLAG_VALUE_RESPONDER 0x0100 + + +//================================ +// MACROS +//================================ + +#define FSM_STATE_IS_EXPIRED(s) \ + ((s) & IKE_STATE_MASK_EXPIRED) + +#define FSM_STATE_IS_ESTABLISHED(s) \ + ((s) & IKE_STATE_MASK_ESTABLISHED) + +#define FSM_STATE_IS_ESTABLISHED_OR_EXPIRED(s) \ + (((s) & IKE_STATE_MASK_ESTABLISHED) | ((s) & IKE_STATE_MASK_EXPIRED)) + +#define FSM_STATE_IS_NEGOTIATING(s) \ +((s) & IKE_STATE_MASK_NEGOTIATING) + +#define FSM_STATE_IS_INITIATOR(s) \ + ((s & IKE_STATE_MASK_DIRECTION) == IKE_STATE_FLAG_VALUE_INITIATOR) + +#define FSM_STATE_IS_RESPONDER(s) \ +((s & IKE_STATE_MASK_DIRECTION) == IKE_STATE_FLAG_VALUE_RESPONDER) + +//================================ +// API States +//================================ + +//================================ +// IKEv1 States +//================================ + +#define IKEV1_STATE_FLAG_VALUE_INFO (IKE_STATE_FLAG_VALUE_IKEV1 | 0x0000) +#define IKEV1_STATE_FLAG_VALUE_IDENTMODE (IKE_STATE_FLAG_VALUE_IKEV1 | 0x0040) +#define IKEV1_STATE_FLAG_VALUE_AGGMODE (IKE_STATE_FLAG_VALUE_IKEV1 | 0x0080) +#define IKEV1_STATE_FLAG_VALUE_QUICKMODE (IKE_STATE_FLAG_VALUE_IKEV1 | 0x00C0) + + +#define IKEV1_STATE_FLAG_VALUE_SENT 0x0020 +#define IKEV1_STATE_FLAG_VALUE_SPI 0x0010 +#define IKEV1_STATE_FLAG_VALUE_ADDSA 0x0008 + + +#define IKEV1_STATE_INITIATOR_IDENT (IKE_STATE_FLAG_VALUE_PHASE1 | IKE_STATE_MASK_NEGOTIATING \ + | IKE_STATE_FLAG_VALUE_INITIATOR | IKEV1_STATE_FLAG_VALUE_IDENTMODE) + +#define IKEV1_STATE_RESPONDER_IDENT (IKE_STATE_FLAG_VALUE_PHASE1 | IKE_STATE_MASK_NEGOTIATING \ + | IKE_STATE_FLAG_VALUE_RESPONDER | IKEV1_STATE_FLAG_VALUE_IDENTMODE) + +#define IKEV1_STATE_INITIATOR_AGG 
(IKE_STATE_FLAG_VALUE_PHASE1 | IKE_STATE_MASK_NEGOTIATING \ + | IKE_STATE_FLAG_VALUE_INITIATOR | IKEV1_STATE_FLAG_VALUE_AGGMODE) + +#define IKEV1_STATE_RESPONDER_AGG (IKE_STATE_FLAG_VALUE_PHASE1 | IKE_STATE_MASK_NEGOTIATING \ + | IKE_STATE_FLAG_VALUE_RESPONDER | IKEV1_STATE_FLAG_VALUE_AGGMODE) + +#define IKEV1_STATE_INITIATOR_QUICK (IKE_STATE_FLAG_VALUE_PHASE2 | IKE_STATE_MASK_NEGOTIATING \ + | IKE_STATE_FLAG_VALUE_INITIATOR | IKEV1_STATE_FLAG_VALUE_QUICKMODE) + +#define IKEV1_STATE_RESPONDER_QUICK (IKE_STATE_FLAG_VALUE_PHASE2 | IKE_STATE_MASK_NEGOTIATING \ + | IKE_STATE_FLAG_VALUE_RESPONDER | IKEV1_STATE_FLAG_VALUE_QUICKMODE) + + +#define IKEV1_STATE_PHASE1_ESTABLISHED (IKE_STATE_FLAG_VALUE_IKEV1 | IKE_STATE_FLAG_VALUE_PHASE1| IKE_STATE_FLAG_VALUE_ESTABLISED) +#define IKEV1_STATE_PHASE2_ESTABLISHED (IKE_STATE_FLAG_VALUE_IKEV1 | IKE_STATE_FLAG_VALUE_PHASE2| IKE_STATE_FLAG_VALUE_ESTABLISED) +#define IKEV1_STATE_PHASE1_EXPIRED (IKE_STATE_FLAG_VALUE_IKEV1 | IKE_STATE_FLAG_VALUE_PHASE1| IKE_STATE_FLAG_VALUE_EXPIRED) +#define IKEV1_STATE_PHASE2_EXPIRED (IKE_STATE_FLAG_VALUE_IKEV1 | IKE_STATE_FLAG_VALUE_PHASE2| IKE_STATE_FLAG_VALUE_EXPIRED) + + // PHASE 1 INFO +#define IKEV1_STATE_INFO (IKE_STATE_FLAG_VALUE_IKEV1 | IKEV1_STATE_FLAG_VALUE_INFO | 0x3F) + + // IDENT MODE +#define IKEV1_STATE_IDENT_I_START (IKEV1_STATE_INITIATOR_IDENT) +#define IKEV1_STATE_IDENT_I_MSG1SENT (IKEV1_STATE_INITIATOR_IDENT | IKEV1_STATE_FLAG_VALUE_SENT | 1) +#define IKEV1_STATE_IDENT_I_MSG2RCVD (IKEV1_STATE_INITIATOR_IDENT | 2) +#define IKEV1_STATE_IDENT_I_MSG3SENT (IKEV1_STATE_INITIATOR_IDENT | IKEV1_STATE_FLAG_VALUE_SENT | 3) +#define IKEV1_STATE_IDENT_I_MSG4RCVD (IKEV1_STATE_INITIATOR_IDENT | 4) +#define IKEV1_STATE_IDENT_I_MSG5SENT (IKEV1_STATE_INITIATOR_IDENT | IKEV1_STATE_FLAG_VALUE_SENT | 5) +#define IKEV1_STATE_IDENT_I_MSG6RCVD (IKEV1_STATE_INITIATOR_IDENT | 6) + +#define IKEV1_STATE_IDENT_R_START (IKEV1_STATE_RESPONDER_IDENT) +#define IKEV1_STATE_IDENT_R_MSG1RCVD 
(IKEV1_STATE_RESPONDER_IDENT | 1) +#define IKEV1_STATE_IDENT_R_MSG2SENT (IKEV1_STATE_RESPONDER_IDENT | IKEV1_STATE_FLAG_VALUE_SENT | 2) +#define IKEV1_STATE_IDENT_R_MSG3RCVD (IKEV1_STATE_RESPONDER_IDENT | 3) +#define IKEV1_STATE_IDENT_R_MSG4SENT (IKEV1_STATE_RESPONDER_IDENT | IKEV1_STATE_FLAG_VALUE_SENT | 4) +#define IKEV1_STATE_IDENT_R_MSG5RCVD (IKEV1_STATE_RESPONDER_IDENT | 5) + // AGG MODE +#define IKEV1_STATE_AGG_I_START (IKEV1_STATE_INITIATOR_AGG) +#define IKEV1_STATE_AGG_I_MSG1SENT (IKEV1_STATE_INITIATOR_AGG | IKEV1_STATE_FLAG_VALUE_SENT | 1) +#define IKEV1_STATE_AGG_I_MSG2RCVD (IKEV1_STATE_INITIATOR_AGG | 2) +#define IKEV1_STATE_AGG_I_MSG3SENT (IKEV1_STATE_INITIATOR_AGG | IKEV1_STATE_FLAG_VALUE_SENT | 3) +#define IKEV1_STATE_AGG_R_START (IKEV1_STATE_RESPONDER_AGG) +#define IKEV1_STATE_AGG_R_MSG1RCVD (IKEV1_STATE_RESPONDER_AGG | 1) +#define IKEV1_STATE_AGG_R_MSG2SENT (IKEV1_STATE_RESPONDER_AGG | IKEV1_STATE_FLAG_VALUE_SENT | 2) +#define IKEV1_STATE_AGG_R_MSG3RCVD (IKEV1_STATE_RESPONDER_AGG | 3) + // QUICK MODE +#define IKEV1_STATE_QUICK_I_START (IKEV1_STATE_INITIATOR_QUICK) +#define IKEV1_STATE_QUICK_I_GETSPISENT (IKEV1_STATE_INITIATOR_QUICK | IKEV1_STATE_FLAG_VALUE_SENT | IKEV1_STATE_FLAG_VALUE_SPI) +#define IKEV1_STATE_QUICK_I_GETSPIDONE (IKEV1_STATE_INITIATOR_QUICK | IKEV1_STATE_FLAG_VALUE_SPI) +#define IKEV1_STATE_QUICK_I_MSG1SENT (IKEV1_STATE_INITIATOR_QUICK | IKEV1_STATE_FLAG_VALUE_SENT | 1) +#define IKEV1_STATE_QUICK_I_MSG2RCVD (IKEV1_STATE_INITIATOR_QUICK | 2) +#define IKEV1_STATE_QUICK_I_MSG3SENT (IKEV1_STATE_INITIATOR_QUICK | IKEV1_STATE_FLAG_VALUE_SENT | 3) +#define IKEV1_STATE_QUICK_I_ADDSA (IKEV1_STATE_INITIATOR_QUICK | IKEV1_STATE_FLAG_VALUE_ADDSA) +#define IKEV1_STATE_QUICK_R_START (IKEV1_STATE_RESPONDER_QUICK) +#define IKEV1_STATE_QUICK_R_MSG1RCVD (IKEV1_STATE_RESPONDER_QUICK | 1) +#define IKEV1_STATE_QUICK_R_GETSPISENT (IKEV1_STATE_RESPONDER_QUICK | IKEV1_STATE_FLAG_VALUE_SENT | IKEV1_STATE_FLAG_VALUE_SPI) +#define 
IKEV1_STATE_QUICK_R_GETSPIDONE (IKEV1_STATE_RESPONDER_QUICK | IKEV1_STATE_FLAG_VALUE_SPI) +#define IKEV1_STATE_QUICK_R_MSG2SENT (IKEV1_STATE_RESPONDER_QUICK | IKEV1_STATE_FLAG_VALUE_SENT | 2) +#define IKEV1_STATE_QUICK_R_MSG3RCVD (IKEV1_STATE_RESPONDER_QUICK | 3) +#define IKEV1_STATE_QUICK_R_COMMIT (IKEV1_STATE_RESPONDER_QUICK | 4) +#define IKEV1_STATE_QUICK_R_ADDSA (IKEV1_STATE_RESPONDER_QUICK | IKEV1_STATE_FLAG_VALUE_ADDSA) + + +extern void fsm_set_state(int *var, int state); +//================================ +// Version Agnostic Events +//================================ +extern void fsm_api_handle_connect (struct sockaddr_storage *remote, const int connect_mode); +extern void fsm_api_handle_disconnect (struct sockaddr_storage *remote, const char *reason); + +extern void fsm_pfkey_handle_acquire (phase2_handle_t *iph2); +extern void fsm_pfkey_getspi_complete (phase2_handle_t *iph2); + +extern void fsm_isakmp_initial_pkt (vchar_t *msg, struct sockaddr_storage *local, struct sockaddr_storage *remote); + +//================================ +// IKEv1 Events +//================================ + +extern int fsm_ikev1_phase1_process_payloads (phase1_handle_t *iph1, vchar_t *msg); +extern int fsm_ikev1_phase2_process_payloads (phase2_handle_t *iph2, vchar_t *msg); +extern int fsm_ikev1_phase1_send_response(phase1_handle_t *iph1, vchar_t *msg); +extern int fsm_ikev1_phase2_send_response(phase2_handle_t *iph2, vchar_t *msg); + + +#endif /* _FSM_H */ diff --git a/ipsec-tools/racoon/gcmalloc.h b/ipsec-tools/racoon/gcmalloc.h index acdf7fa..c759fde 100644 --- a/ipsec-tools/racoon/gcmalloc.h +++ b/ipsec-tools/racoon/gcmalloc.h @@ -96,17 +96,7 @@ strdup(const char *str) #endif /* GC */ -/* - * Dmalloc only requires that you pull in a header file and link - * against libdmalloc. - */ -#ifdef DMALLOC -#include -#endif /* DMALLOC */ -#ifdef DEBUG_RECORD_MALLOCATION -#include -#else #ifndef racoon_malloc #define racoon_malloc(sz) malloc((sz)) #endif 
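Review bot: FSM_STATE_IS_INITIATOR and FSM_STATE_IS_RESPONDER use their argument unparenthesized (`(s & IKE_STATE_MASK_DIRECTION)`), unlike the sibling macros above them which write `((s) & ...)`, so any caller passing an expression with lower precedence than `&` (a `|`, `?:` or comparison) gets a silently wrong result; the fix is `(((s) & IKE_STATE_MASK_DIRECTION) == IKE_STATE_FLAG_VALUE_INITIATOR)` and `(((s) & IKE_STATE_MASK_DIRECTION) == IKE_STATE_FLAG_VALUE_RESPONDER)`. The "State Flags" bit-layout comment at the top of the header no longer matches the masks beneath it: bit 6 is described as "Reserved" but IKE_STATE_MASK_XAUTH_OR_EAP_SUCC is defined at 0x0200, and the IKE_STATE_MASK_MODE / IKE_STATE_MASK_STATE fields (0x00C0, 0x003F) are not described at all, so the comment should be extended to list every field the masks actually carve out. Minor: `0X003F` uses an uppercase `X` where every other constant in the file uses `0x`.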
@@ -122,6 +112,5 @@ strdup(const char *str) #ifndef racoon_strdup #define racoon_strdup(s) strdup((s)) #endif -#endif /* DEBUG_RECORD_MALLOCATION */ #endif /* _GCMALLOC_H_DEFINED */ diff --git a/ipsec-tools/racoon/genlist.h b/ipsec-tools/racoon/genlist.h index 089e624..28d91e1 100644 --- a/ipsec-tools/racoon/genlist.h +++ b/ipsec-tools/racoon/genlist.h @@ -55,7 +55,7 @@ struct genlist_entry *genlist_append (struct genlist *head, void *data); /* Create a function with this prototype for use with genlist_foreach(). * See genlist_foreach() description below for details. */ -typedef void *(genlist_func_t)(void *entry, void *arg); +typedef void *(genlist_func_t) (void *entry, void *arg); /* Traverse the list and call 'func' for each entry. As long as func() returns * NULL the list traversal continues, once it returns non-NULL (usually the @@ -71,7 +71,7 @@ void *genlist_next (struct genlist *head, struct genlist_entry **buf); /* Create a function with this prototype for use with genlist_free() * to free any storage associated with genlist_entry.data */ -typedef void (genlist_freedata_t)(void *entry); +typedef void (genlist_freedata_t) (void *entry); /* Free all storage associated with list at head using func to free any * alloc()d data in data field of genlist_entry */ diff --git a/ipsec-tools/racoon/getcertsbyname.c b/ipsec-tools/racoon/getcertsbyname.c index d88ece9..74a8501 100644 --- a/ipsec-tools/racoon/getcertsbyname.c +++ b/ipsec-tools/racoon/getcertsbyname.c @@ -59,8 +59,8 @@ /* XXX should it use ci_errno to hold errno instead of h_errno ? */ extern int h_errno; -static struct certinfo *getnewci __P((int, int, int, int, int, - unsigned char *)); +static struct certinfo *getnewci (int, int, int, int, int, + unsigned char *); static struct certinfo * getnewci(qtype, keytag, algorithm, flags, certlen, cert) diff --git a/ipsec-tools/racoon/gnuc.h b/ipsec-tools/racoon/gnuc.h deleted file mode 100644 index a923f77..0000000 --- a/ipsec-tools/racoon/gnuc.h +++ /dev/null 
@@ -1,44 +0,0 @@ -/* $Id: gnuc.h,v 1.4 2004/11/18 15:14:44 ludvigm Exp $ */ - -/* Define __P() macro, if necessary */ -#undef __P -#ifndef __P -#if __STDC__ -#define __P(protos) protos -#else -#define __P(protos) () -#endif -#endif - -/* inline foo */ -#ifdef __GNUC__ -#define inline __inline -#else -#define inline -#endif - -/* - * Handle new and old "dead" routine prototypes - * - * For example: - * - * __dead void foo(void) __attribute__((volatile)); - * - */ -#ifdef __GNUC__ -#ifndef __dead -#define __dead volatile -#endif -#if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5) -#ifndef __attribute__ -#define __attribute__(args) -#endif -#endif -#else -#ifndef __dead -#define __dead -#endif -#ifndef __attribute__ -#define __attribute__(args) -#endif -#endif diff --git a/ipsec-tools/racoon/grabmyaddr.c b/ipsec-tools/racoon/grabmyaddr.c index 66f2457..c8bcaee 100644 --- a/ipsec-tools/racoon/grabmyaddr.c +++ b/ipsec-tools/racoon/grabmyaddr.c @@ -72,12 +72,12 @@ #include "nattraversal.h" #ifndef HAVE_GETIFADDRS -static unsigned int if_maxindex __P((void)); +static unsigned int if_maxindex (void); #endif -static int suitable_ifaddr __P((const char *, const struct sockaddr *)); +static int suitable_ifaddr (const char *, const struct sockaddr *); #ifdef INET6 -static int suitable_ifaddr6 __P((const char *, const struct sockaddr *)); +static int suitable_ifaddr6 (const char *, const struct sockaddr *); #endif #ifndef HAVE_GETIFADDRS @@ -129,8 +129,8 @@ find_myaddr(addr, udp_encap) for (q = lcconf->myaddrs; q; q = q->next) { if (!q->addr) continue; - if (q->udp_encap && !udp_encap - || !q->udp_encap && udp_encap) + if ((q->udp_encap && !udp_encap) + || (!q->udp_encap && udp_encap)) continue; if (addr->sa_family != q->addr->ss_family) continue; 
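Review bot: The re-parenthesized exclusive-or test in find_myaddr is correct but reads more directly as a boolean inequality, since both operands are only ever used as flags: `if (!q->udp_encap != !udp_encap)` followed by the existing `continue;`. That form also makes it obvious that a non-zero, non-1 value in either flag is treated the same as 1. find_myaddr starts and ends outside this hunk.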
@@ -152,14 +152,13 @@ find_myaddr(addr, udp_encap) void grab_myaddrs() { -#ifdef HAVE_GETIFADDRS struct myaddrs *p, *q; struct ifaddrs *ifa0, *ifap; char addr1[NI_MAXHOST]; if (getifaddrs(&ifa0)) { - plog(LLV_ERROR2, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getifaddrs failed: %s\n", strerror(errno)); exit(1); /*NOTREACHED*/ @@ -179,7 +178,7 @@ grab_myaddrs() continue; if (!suitable_ifaddr(ifap->ifa_name, ifap->ifa_addr)) { - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "unsuitable address: %s %s\n", ifap->ifa_name, saddrwop2str(ifap->ifa_addr)); @@ -193,31 +192,38 @@ grab_myaddrs() q = find_myaddr(ifap->ifa_addr, 1); if (q) q->in_use = 1; + else if (natt_enabled_in_rmconf ()) { + q = dupmyaddr(p); + if (q == NULL) { + plog(ASL_LEVEL_ERR, + "unable to allocate space for natt addr.\n"); + exit(1); + } + q->udp_encap = 1; + } #endif } else { p = newmyaddr(); if (p == NULL) { - plog(LLV_ERROR2, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to allocate space for addr.\n"); exit(1); /*NOTREACHED*/ } - p->addr = dupsaddr(ifap->ifa_addr); + p->addr = dupsaddr(ALIGNED_CAST(struct sockaddr_storage*)ifap->ifa_addr); if (p->addr == NULL) { - plog(LLV_ERROR2, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to duplicate addr.\n"); exit(1); /*NOTREACHED*/ } p->ifname = racoon_strdup(ifap->ifa_name); if (p->ifname == NULL) { - plog(LLV_ERROR2, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to duplicate ifname.\n"); exit(1); /*NOTREACHED*/ - } - - p->sock = -1; + } p->in_use = 1; if (getnameinfo((struct sockaddr *)p->addr, p->addr->ss_len, @@ -225,7 +231,7 @@ grab_myaddrs() NULL, 0, NI_NUMERICHOST | niflags)) strlcpy(addr1, "(invalid)", sizeof(addr1)); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "my interface: %s (%s)\n", addr1, ifap->ifa_name); @@ -236,7 +242,7 @@ grab_myaddrs() if (natt_enabled_in_rmconf ()) { q = dupmyaddr(p); if (q == NULL) { - plog(LLV_ERROR2, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to allocate space for natt addr.\n"); exit(1); } 
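Review bot: The NAT-T duplicate now exists in two places in grab_myaddrs — the new `else if (natt_enabled_in_rmconf ())` branch in the `@@ -193` hunk, for an address that was already in the list, and the pre-existing block in the `@@ -236` hunk for a freshly added one — with identical allocate/log/exit bodies, so a small `static` helper (say `add_natt_myaddr(struct myaddrs *p)`) would keep the two paths from drifting. In the new branch `q = dupmyaddr(p)` takes its `in_use` flag from `p` through the memcpy in dupmyaddr; presumably `p->in_use` was set just above this hunk, which is what keeps the duplicate from being closed as unused, and a one-line comment such as `/* existing address gained a NAT-T entry; dupmyaddr copies p->in_use */` would make that dependency explicit. The new branch also lacks the `/*NOTREACHED*/` marker its sibling exit paths carry. grab_myaddrs starts and ends outside this hunk.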
@@ -248,11 +254,6 @@ grab_myaddrs() } freeifaddrs(ifa0); - - -#else /*!HAVE_GETIFADDRS*/ -#error "NOT SUPPORTED" -#endif /*HAVE_GETIFADDRS*/ } @@ -296,14 +297,13 @@ suitable_ifaddr6(ifname, ifaddr) s = socket(PF_INET6, SOCK_DGRAM, 0); if (s == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "socket(SOCK_DGRAM) failed:%s\n", strerror(errno)); return 0; } - if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to put IPv6 socket in non-blocking mode\n"); + if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) { + plog(ASL_LEVEL_ERR, "failed to put IPv6 socket in non-blocking mode\n"); } memset(&ifr6, 0, sizeof(ifr6)); @@ -312,7 +312,7 @@ suitable_ifaddr6(ifname, ifaddr) memcpy(&ifr6.ifr_addr, ifaddr, sizeof(struct sockaddr_in6)); // Wcast-align fix - copy instread of assign with cast if (ioctl(s, SIOCGIFAFLAG_IN6, &ifr6) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ioctl(SIOCGIFAFLAG_IN6) failed:%s\n", strerror(errno)); close(s); return 0; @@ -322,7 +322,9 @@ suitable_ifaddr6(ifname, ifaddr) if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DUPLICATED || ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED - || ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_ANYCAST) + || ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_ANYCAST + /* Deprecated addresses will now be dropped by isakmp_close_unused */ + || ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DEPRECATED) return 0; /* suitable */ 
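Review bot: The comment added above the `IN6_IFF_DEPRECATED` test in suitable_ifaddr6 (the `@@ -322` hunk) describes an effect that happens elsewhere rather than what this check does; since suitable_ifaddr6 only decides whether grab_myaddrs treats an address as usable, wording like `/* Deprecated addresses are unsuitable: they are not marked in_use, so isakmp_close_unused drops their sockets on the next update */` states the mechanism. If that reading is right, an address that becomes deprecated while an IKE session is bound to it loses its socket at the next routing-socket update rather than merely being excluded from new exchanges; if that is intended it deserves a sentence in the comment. suitable_ifaddr6 starts and ends outside this hunk.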
@@ -330,58 +332,6 @@ suitable_ifaddr6(ifname, ifaddr) } #endif -int -update_myaddrs() -{ - struct rtmessage { // Wcast-align fix - force alignment - struct rt_msghdr rtm; - char discard[BUFSIZ]; - } msg; - - int len; - - while((len = read(lcconf->rtsock, &msg, sizeof(msg))) < 0) { - if (errno == EINTR) - continue; - plog(LLV_ERROR, LOCATION, NULL, - "read(PF_ROUTE) failed: %s\n", - strerror(errno)); - return 0; - } - if (len < msg.rtm.rtm_msglen) { - plog(LLV_ERROR, LOCATION, NULL, - "read(PF_ROUTE) short read\n"); - return 0; - } - if (msg.rtm.rtm_version != RTM_VERSION) { - plog(LLV_ERROR, LOCATION, NULL, - "routing socket version mismatch\n"); - close(lcconf->rtsock); - lcconf->rtsock = -1; - return 0; - } - switch (msg.rtm.rtm_type) { - case RTM_NEWADDR: - case RTM_DELADDR: - case RTM_DELETE: - case RTM_IFINFO: - break; - case RTM_MISS: - /* ignore this message silently */ - return 0; - default: - //plog(LLV_DEBUG, LOCATION, NULL, - // "msg %d not interesting\n", msg.rtm.rtm_type); - return 0; - } - /* XXX more filters here? */ - - //plog(LLV_DEBUG, LOCATION, NULL, - // "caught rtm:%d, need update interface address list\n", - // msg.rtm.rtm_type); - - return 1; -} /* * initialize default port for ISAKMP to send, if no "listen" @@ -397,13 +347,13 @@ autoconf_myaddrsport() struct myaddrs *p; int n; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "configuring default isakmp port.\n"); for (p = lcconf->myaddrs, n = 0; p; p = p->next, n++) { set_port (p->addr, p->udp_encap ? lcconf->port_isakmp_natt : lcconf->port_isakmp); } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%d addrs are configured successfully\n", n); return 0; @@ -448,7 +398,7 @@ getmyaddrsport(local) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unsupported AF %d\n", p->addr->ss_family); continue; } 
@@ -465,13 +415,15 @@ newmyaddr() new = racoon_calloc(1, sizeof(*new)); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate buffer for myaddrs.\n"); return NULL; } new->next = NULL; new->addr = NULL; + new->source = NULL; + new->sock = -1; #ifdef __APPLE_ new->ifname = NULL; #endif @@ -486,16 +438,16 @@ dupmyaddr(struct myaddrs *old) new = racoon_calloc(1, sizeof(*new)); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate buffer for myaddrs.\n"); return NULL; } /* Copy the whole structure and set the differences. */ memcpy (new, old, sizeof (*new)); - new->addr = dupsaddr ((struct sockaddr *)old->addr); + new->addr = dupsaddr (old->addr); if (new->addr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate buffer for duplicate addr.\n"); racoon_free(new); return NULL; @@ -503,14 +455,16 @@ dupmyaddr(struct myaddrs *old) if (old->ifname) { new->ifname = racoon_strdup(old->ifname); if (new->ifname == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate buffer for duplicate ifname.\n"); racoon_free(new->addr); racoon_free(new); return NULL; } } - + new->source = NULL; + new->sock = -1; + new->next = old->next; old->next = new; 
@@ -537,22 +491,20 @@ delmyaddr(myaddr) racoon_free(myaddr); } +void +update_myaddrs(void *unused) +{ + grab_myaddrs(); + isakmp_close_unused(); + autoconf_myaddrsport(); + isakmp_open(); + ASIKEUpdateLocalAddressesFromIKE(); +} + + int -initmyaddr() +initmyaddr(void) { - /* initialize routing socket */ - lcconf->rtsock = socket(PF_ROUTE, SOCK_RAW, PF_UNSPEC); - if (lcconf->rtsock < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "socket(PF_ROUTE) failed: %s", - strerror(errno)); - return -1; - } - - if (fcntl(lcconf->rtsock, F_SETFL, O_NONBLOCK) == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to put PF_ROUTE socket in non-blocking mode\n"); - } if (lcconf->myaddrs == NULL && lcconf->autograbaddr == 1) { grab_myaddrs(); @@ -564,11 +516,11 @@ initmyaddr() return 0; } + /* select the socket to be sent */ /* should implement other method. */ int -getsockmyaddr(my) - struct sockaddr *my; +getsockmyaddr(struct sockaddr *my) { struct myaddrs *p, *lastresort = NULL; @@ -586,7 +538,7 @@ getsockmyaddr(my) if (!p) p = lastresort; if (!p) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no socket matches address family %d\n", my->sa_family); return -1; 
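Review bot: The new update_myaddrs(void *unused) has no comment and discards the `int` returned by autoconf_myaddrsport(), and also whatever isakmp_open() returns (its type is not visible here), so a failed rebind after an interface change is silent at this level unless those functions log sufficiently themselves; at minimum `(void)autoconf_myaddrsport();` documents the intent, and if isakmp_open() reports failure through its return value that should be logged at ASL_LEVEL_ERR. A header comment would also explain the signature, e.g. `/* Routing-socket callback: re-enumerate local addresses, close sockets on vanished ones, re-bind, and notify the IKE API layer; unused matches the dispatch_function_t signature registered by pfroute_init. */`. Since initmyaddr no longer opens the routing socket, some caller must now invoke pfroute_init(); that change is outside this hunk, as is the remainder of initmyaddr's body.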
@@ -594,3 +546,94 @@ getsockmyaddr(my) return p->sock; } + +void +pfroute_handler(void *unused) +{ + + struct rtmessage { // Wcast-align fix - force alignment + struct rt_msghdr rtm; + char discard[BUFSIZ]; + } msg; + + int len; + + while((len = read(lcconf->rtsock, &msg, sizeof(msg))) < 0) { + if (errno == EINTR) + continue; + plog(ASL_LEVEL_DEBUG, + "read(PF_ROUTE) failed: %s\n", + strerror(errno)); + return; + } + if (len < msg.rtm.rtm_msglen) { + plog(ASL_LEVEL_DEBUG, + "read(PF_ROUTE) short read\n"); + return; + } + switch (msg.rtm.rtm_type) { + case RTM_NEWADDR: + case RTM_DELADDR: + case RTM_DELETE: + case RTM_IFINFO: + break; + case RTM_MISS: + /* ignore this message silently */ + return; + default: + //plog(ASL_LEVEL_DEBUG, + // "msg %d not interesting\n", msg.rtm.rtm_type); + return; + } + /* XXX more filters here? */ + + plog(ASL_LEVEL_DEBUG, + "caught rtm:%d, need update interface address list\n", + msg.rtm.rtm_type); + + // Interface changes occurred - update addrs + update_myaddrs(NULL); +} + +void +pfroute_close(void) +{ + + dispatch_source_cancel(lcconf->rt_source); + lcconf->rt_source = NULL; +} + +int +pfroute_init(void) +{ + int sock; + + /* initialize routing socket */ + lcconf->rtsock = socket(PF_ROUTE, SOCK_RAW, PF_UNSPEC); + if (lcconf->rtsock < 0) { + plog(ASL_LEVEL_DEBUG, + "socket(PF_ROUTE) failed: %s", + strerror(errno)); + return -1; + } + if (fcntl(lcconf->rtsock, F_SETFL, O_NONBLOCK) == -1) { + plog(ASL_LEVEL_DEBUG, "failed to put PF_ROUTE socket in non-blocking mode\n"); + } + + lcconf->rt_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, lcconf->rtsock, 0, dispatch_get_main_queue()); + if (lcconf->rt_source == NULL) { + plog(ASL_LEVEL_DEBUG, "could not create pfroute socket source."); + return -1; + } + dispatch_source_set_event_handler_f(lcconf->rt_source, pfroute_handler); + sock = lcconf->rtsock; + dispatch_source_set_cancel_handler(lcconf->rt_source, + ^{ + close(sock); + }); + dispatch_resume(lcconf->rt_source); + 
return 0; +} + + + diff --git a/ipsec-tools/racoon/grabmyaddr.h b/ipsec-tools/racoon/grabmyaddr.h index 4c74029..d5fb037 100644 --- a/ipsec-tools/racoon/grabmyaddr.h +++ b/ipsec-tools/racoon/grabmyaddr.h @@ -32,27 +32,32 @@ #ifndef _GRABMYADDR_H #define _GRABMYADDR_H +#include + struct myaddrs { struct myaddrs *next; struct sockaddr_storage *addr; int sock; + dispatch_source_t source; int udp_encap; int in_use; char *ifname; }; -extern void clear_myaddr __P((void)); -extern void grab_myaddrs __P((void)); -extern int update_myaddrs __P((void)); -extern int autoconf_myaddrsport __P((void)); -extern u_short getmyaddrsport __P((struct sockaddr_storage *)); -extern struct myaddrs *newmyaddr __P((void)); -extern struct myaddrs *dupmyaddr __P((struct myaddrs *)); -extern void insmyaddr __P((struct myaddrs *, struct myaddrs **)); -extern void delmyaddr __P((struct myaddrs *)); -extern int initmyaddr __P((void)); -extern int getsockmyaddr __P((struct sockaddr *)); -extern struct myaddrs *find_myaddr __P((struct sockaddr *, int)); +extern void clear_myaddr (void); +extern void grab_myaddrs (void); +extern void update_myaddrs (void*); +extern int autoconf_myaddrsport (void); +extern u_short getmyaddrsport (struct sockaddr_storage *); +extern struct myaddrs *newmyaddr (void); +extern struct myaddrs *dupmyaddr (struct myaddrs *); +extern void insmyaddr (struct myaddrs *, struct myaddrs **); +extern void delmyaddr (struct myaddrs *); +extern int initmyaddr (void); +extern int getsockmyaddr (struct sockaddr *); +extern struct myaddrs *find_myaddr (struct sockaddr *, int); +extern int pfroute_init(void); +extern void pfroute_close(void); #endif /* _GRABMYADDR_H */ diff --git a/ipsec-tools/racoon/gssapi.c b/ipsec-tools/racoon/gssapi.c deleted file mode 100644 index bc401cd..0000000 --- a/ipsec-tools/racoon/gssapi.c +++ /dev/null 
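Review bot: pfroute_handler drops the `rtm_version != RTM_VERSION` check that the removed update_myaddrs performed, so a message from a kernel with a different routing-message layout is interpreted through the current `struct rt_msghdr`; re-add it before the switch, `if (msg.rtm.rtm_version != RTM_VERSION) { plog(ASL_LEVEL_ERR, "routing socket version mismatch\n"); return; }`. The length check also reads `msg.rtm.rtm_msglen` from the uninitialized stack buffer `msg` when read() returned fewer than `sizeof(msg.rtm)` bytes, so guard with `if (len < (int)sizeof(msg.rtm) || len < msg.rtm.rtm_msglen)`. In pfroute_init, when dispatch_source_create() returns NULL the freshly opened `lcconf->rtsock` is leaked and left holding a live descriptor number; close it and set it to -1 before `return -1`. Failure to open the routing socket or to create its source is logged at ASL_LEVEL_DEBUG although the previous code used LLV_ERROR and both failures leave the daemon unable to track address changes — ASL_LEVEL_ERR fits better.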
@@ -1,747 +0,0 @@ -/* $KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $ */ - -/* - * Copyright 2000 Wasabi Systems, Inc. - * All rights reserved. - * - * This software was written by Frank van der Linden of Wasabi Systems - * for Zembu Labs, Inc. http://www.zembu.com/ - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of Wasabi Systems, Inc. may not be used to endorse - * or promote products derived from this software without specific prior - * written permission. - * - * THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "config.h" - -#ifdef HAVE_GSSAPI - -#include -#include -#include -#include -#include - -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "schedule.h" -#include "debug.h" - -#include "localconf.h" -#include "remoteconf.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "oakley.h" -#include "handler.h" -#include "ipsec_doi.h" -#include "crypto_openssl.h" -#include "pfkey.h" -#include "isakmp_ident.h" -#include "isakmp_inf.h" -#include "vendorid.h" -#include "gcmalloc.h" - -#include "gssapi.h" - -static void -gssapi_error(OM_uint32 status_code, const char *where, - const char *fmt, ...) -{ - OM_uint32 message_context, maj_stat, min_stat; - gss_buffer_desc status_string; - va_list ap; - - va_start(ap, fmt); - plogv(LLV_ERROR, where, NULL, fmt, &ap); - va_end(ap); - - message_context = 0; - - do { - maj_stat = gss_display_status(&min_stat, status_code, - GSS_C_MECH_CODE, GSS_C_NO_OID, &message_context, - &status_string); - if (GSS_ERROR(maj_stat)) - plog(LLV_ERROR, LOCATION, NULL, - "UNABLE TO GET GSSAPI ERROR CODE\n"); - else { - plog(LLV_ERROR, where, NULL, - "%s\n", (char *)status_string.value); - gss_release_buffer(&min_stat, &status_string); - } - } while (message_context != 0); -} - -/* - * vmbufs and gss_buffer_descs are really just the same on NetBSD, but - * this is to be portable. 
- */ -static int -gssapi_vm2gssbuf(vchar_t *vmbuf, gss_buffer_t gsstoken) -{ - - gsstoken->value = racoon_malloc(vmbuf->l); - if (gsstoken->value == NULL) - return -1; - memcpy(gsstoken->value, vmbuf->v, vmbuf->l); - gsstoken->length = vmbuf->l; - - return 0; -} - -static int -gssapi_gss2vmbuf(gss_buffer_t gsstoken, vchar_t **vmbuf) -{ - - *vmbuf = vmalloc(gsstoken->length); - if (*vmbuf == NULL) - return -1; - memcpy((*vmbuf)->v, gsstoken->value, gsstoken->length); - (*vmbuf)->l = gsstoken->length; - - return 0; -} - -vchar_t * -gssapi_get_default_gss_id(void) -{ - char name[NI_MAXHOST]; - vchar_t *gssid; - - if (gethostname(name, sizeof(name)) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "gethostname failed: %s\n", - strerror(errno)); - return (NULL); - } - name[sizeof(name) - 1] = '\0'; - - gssid = racoon_malloc(sizeof(*gssid)); - gssid->l = asprintf(&gssid->v, "%s/%s", GSSAPI_DEF_NAME, name); - - return (gssid); -} - -static int -gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service) -{ - char name[NI_MAXHOST]; - struct sockaddr_storage *sa; - char* buf = NULL; - gss_buffer_desc name_token; - OM_uint32 min_stat, maj_stat; - - sa = remote ? 
iph1->remote : iph1->local; - - if (getnameinfo(sa, sysdep_sa_len((struct sockaddr *)sa), name, NI_MAXHOST, NULL, 0, 0) != 0) - return -1; - - name_token.length = asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name); - name_token.value = buf; - - maj_stat = gss_import_name(&min_stat, &name_token, - GSS_C_NT_HOSTBASED_SERVICE, service); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "import name\n"); - maj_stat = gss_release_buffer(&min_stat, &name_token); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release name_token"); - return -1; - } - maj_stat = gss_release_buffer(&min_stat, &name_token); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release name_token"); - - return 0; -} - -static int -gssapi_init(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - gss_buffer_desc id_token, cred_token; - gss_buffer_t cred = &cred_token; - gss_name_t princ, canon_princ; - OM_uint32 maj_stat, min_stat; - - gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state)); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n"); - return -1; - } - gps->gss_context = GSS_C_NO_CONTEXT; - gps->gss_cred = GSS_C_NO_CREDENTIAL; - - gssapi_set_state(iph1, gps); - - if (iph1->rmconf->proposal->gssid != NULL) { - id_token.length = iph1->rmconf->proposal->gssid->l; - id_token.value = iph1->rmconf->proposal->gssid->v; - maj_stat = gss_import_name(&min_stat, &id_token, GSS_C_NO_OID, - &princ); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "import name\n"); - gssapi_free_state(iph1); - return -1; - } - } else - gssapi_get_default_name(iph1, 0, &princ); - - maj_stat = gss_canonicalize_name(&min_stat, princ, GSS_C_NO_OID, - &canon_princ); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "canonicalize name\n"); - maj_stat = gss_release_name(&min_stat, &princ); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release princ\n"); - gssapi_free_state(iph1); - return -1; - } - 
maj_stat = gss_release_name(&min_stat, &princ); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release princ\n"); - - maj_stat = gss_export_name(&min_stat, canon_princ, cred); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "export name\n"); - maj_stat = gss_release_name(&min_stat, &canon_princ); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release canon_princ\n"); - gssapi_free_state(iph1); - return -1; - } - -#if 0 - /* - * XXXJRT Did this debug message ever work? This is a GSS name - * blob at this point. - */ - plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s' creds\n", - cred->length, cred->value); -#endif - - maj_stat = gss_release_buffer(&min_stat, cred); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release cred buffer\n"); - - maj_stat = gss_acquire_cred(&min_stat, canon_princ, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, GSS_C_BOTH, &gps->gss_cred, NULL, NULL); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "acquire cred\n"); - maj_stat = gss_release_name(&min_stat, &canon_princ); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release canon_princ\n"); - gssapi_free_state(iph1); - return -1; - } - maj_stat = gss_release_name(&min_stat, &canon_princ); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release canon_princ\n"); - - return 0; -} - -int -gssapi_get_itoken(struct ph1handle *iph1, int *lenp) -{ - struct gssapi_ph1_state *gps; - gss_buffer_desc empty, name_token; - gss_buffer_t itoken, rtoken, dummy; - OM_uint32 maj_stat, min_stat; - gss_name_t partner; - - if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0) - return -1; - - gps = gssapi_get_state(iph1); - - empty.length = 0; - empty.value = NULL; - dummy = ∅ - - if (iph1->approval != NULL && iph1->approval->gssid != NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "using provided service '%.*s'\n", - (int)iph1->approval->gssid->l, iph1->approval->gssid->v); - 
name_token.length = iph1->approval->gssid->l; - name_token.value = iph1->approval->gssid->v; - maj_stat = gss_import_name(&min_stat, &name_token, - GSS_C_NO_OID, &partner); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "import of %.*s\n", - name_token.length, name_token.value); - return -1; - } - } else - if (gssapi_get_default_name(iph1, 1, &partner) < 0) - return -1; - - rtoken = gps->gsscnt_p == 0 ? dummy : &gps->gss_p[gps->gsscnt_p - 1]; - itoken = &gps->gss[gps->gsscnt]; - - gps->gss_status = gss_init_sec_context(&min_stat, gps->gss_cred, - &gps->gss_context, partner, GSS_C_NO_OID, - GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG | - GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG, - 0, GSS_C_NO_CHANNEL_BINDINGS, rtoken, NULL, - itoken, NULL, NULL); - - if (GSS_ERROR(gps->gss_status)) { - gssapi_error(min_stat, LOCATION, "init_sec_context\n"); - maj_stat = gss_release_name(&min_stat, &partner); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release name\n"); - return -1; - } - maj_stat = gss_release_name(&min_stat, &partner); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release name\n"); - - plog(LLV_DEBUG, LOCATION, NULL, "gss_init_sec_context status %x\n", - gps->gss_status); - - if (lenp) - *lenp = itoken->length; - - if (itoken->length != 0) - gps->gsscnt++; - - return 0; -} - -/* - * Call gss_accept_context, with token just read from the wire. 
- */ -int -gssapi_get_rtoken(struct ph1handle *iph1, int *lenp) -{ - struct gssapi_ph1_state *gps; - gss_buffer_desc name_token; - gss_buffer_t itoken, rtoken; - OM_uint32 min_stat, maj_stat; - gss_name_t client_name; - - if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0) - return -1; - - gps = gssapi_get_state(iph1); - - rtoken = &gps->gss_p[gps->gsscnt_p - 1]; - itoken = &gps->gss[gps->gsscnt]; - - gps->gss_status = gss_accept_sec_context(&min_stat, &gps->gss_context, - gps->gss_cred, rtoken, GSS_C_NO_CHANNEL_BINDINGS, &client_name, - NULL, itoken, NULL, NULL, NULL); - - if (GSS_ERROR(gps->gss_status)) { - gssapi_error(min_stat, LOCATION, "accept_sec_context\n"); - return -1; - } - - maj_stat = gss_display_name(&min_stat, client_name, &name_token, NULL); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "gss_display_name\n"); - maj_stat = gss_release_name(&min_stat, &client_name); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release client_name\n"); - return -1; - } - maj_stat = gss_release_name(&min_stat, &client_name); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release client_name\n"); - - plog(LLV_DEBUG, LOCATION, NULL, - "gss_accept_sec_context: other side is %s\n", - (char *)name_token.value); - maj_stat = gss_release_buffer(&min_stat, &name_token); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release name buffer\n"); - - if (itoken->length != 0) - gps->gsscnt++; - - if (lenp) - *lenp = itoken->length; - - return 0; -} - -int -gssapi_save_received_token(struct ph1handle *iph1, vchar_t *token) -{ - struct gssapi_ph1_state *gps; - gss_buffer_t gsstoken; - int ret; - - if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0) - return -1; - - gps = gssapi_get_state(iph1); - - gsstoken = &gps->gss_p[gps->gsscnt_p]; - - ret = gssapi_vm2gssbuf(token, gsstoken); - if (ret < 0) - return ret; - gps->gsscnt_p++; - - return 0; -} - -int -gssapi_get_token_to_send(struct ph1handle *iph1, 
vchar_t **token) -{ - struct gssapi_ph1_state *gps; - gss_buffer_t gsstoken; - int ret; - - gps = gssapi_get_state(iph1); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi not yet initialized?\n"); - return -1; - } - gsstoken = &gps->gss[gps->gsscnt - 1]; - ret = gssapi_gss2vmbuf(gsstoken, token); - if (ret < 0) - return ret; - - return 0; -} - -int -gssapi_get_itokens(struct ph1handle *iph1, vchar_t **tokens) -{ - struct gssapi_ph1_state *gps; - int len, i; - vchar_t *toks; - char *p; - - gps = gssapi_get_state(iph1); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi not yet initialized?\n"); - return -1; - } - - for (i = len = 0; i < gps->gsscnt; i++) - len += gps->gss[i].length; - - toks = vmalloc(len); - if (toks == 0) - return -1; - p = (char *)toks->v; - for (i = 0; i < gps->gsscnt; i++) { - memcpy(p, gps->gss[i].value, gps->gss[i].length); - p += gps->gss[i].length; - } - - *tokens = toks; - - plog(LLV_DEBUG, LOCATION, NULL, - "%d itokens of length %zu\n", gps->gsscnt, (*tokens)->l); - - return 0; -} - -int -gssapi_get_rtokens(struct ph1handle *iph1, vchar_t **tokens) -{ - struct gssapi_ph1_state *gps; - int len, i; - vchar_t *toks; - char *p; - - gps = gssapi_get_state(iph1); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi not yet initialized?\n"); - return -1; - } - - if (gssapi_more_tokens(iph1)) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi roundtrips not complete\n"); - return -1; - } - - for (i = len = 0; i < gps->gsscnt_p; i++) - len += gps->gss_p[i].length; - - toks = vmalloc(len); - if (toks == 0) - return -1; - p = (char *)toks->v; - for (i = 0; i < gps->gsscnt_p; i++) { - memcpy(p, gps->gss_p[i].value, gps->gss_p[i].length); - p += gps->gss_p[i].length; - } - - *tokens = toks; - - return 0; -} - -vchar_t * -gssapi_wraphash(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc hash_in_buf, hash_out_buf; - gss_buffer_t hash_in = &hash_in_buf, 
hash_out = &hash_out_buf; - vchar_t *outbuf; - - gps = gssapi_get_state(iph1); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi not yet initialized?\n"); - return NULL; - } - - if (gssapi_more_tokens(iph1)) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi roundtrips not complete\n"); - return NULL; - } - - if (gssapi_vm2gssbuf(iph1->hash, hash_in) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "vm2gssbuf failed\n"); - return NULL; - } - - maj_stat = gss_wrap(&min_stat, gps->gss_context, 1, GSS_C_QOP_DEFAULT, - hash_in, NULL, hash_out); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "wrapping hash value\n"); - maj_stat = gss_release_buffer(&min_stat, hash_in); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release hash_in buffer\n"); - return NULL; - } - - plog(LLV_DEBUG, LOCATION, NULL, "wrapped HASH, ilen %zu olen %zu\n", - hash_in->length, hash_out->length); - - maj_stat = gss_release_buffer(&min_stat, hash_in); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release hash_in buffer\n"); - - if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n"); - maj_stat = gss_release_buffer(&min_stat, hash_out); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release hash_out buffer\n"); - return NULL; - } - maj_stat = gss_release_buffer(&min_stat, hash_out); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release hash_out buffer\n"); - - return outbuf; -} - -vchar_t * -gssapi_unwraphash(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc hashbuf, hash_outbuf; - gss_buffer_t hash_in = &hashbuf, hash_out = &hash_outbuf; - vchar_t *outbuf; - - gps = gssapi_get_state(iph1); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi not yet initialized?\n"); - return NULL; - } - - - hashbuf.length = ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash); - hashbuf.value = (char 
*)(iph1->pl_hash + 1); - - plog(LLV_DEBUG, LOCATION, NULL, "unwrapping HASH of len %zu\n", - hashbuf.length); - - maj_stat = gss_unwrap(&min_stat, gps->gss_context, hash_in, hash_out, - NULL, NULL); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "unwrapping hash value\n"); - return NULL; - } - - if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n"); - maj_stat = gss_release_buffer(&min_stat, hash_out); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release hash_out buffer\n"); - return NULL; - } - maj_stat = gss_release_buffer(&min_stat, hash_out); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release hash_out buffer\n"); - - return outbuf; -} - -void -gssapi_set_id_sent(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - - gps = gssapi_get_state(iph1); - - gps->gss_flags |= GSSFLAG_ID_SENT; -} - -int -gssapi_id_sent(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - - gps = gssapi_get_state(iph1); - - return (gps->gss_flags & GSSFLAG_ID_SENT) != 0; -} - -void -gssapi_set_id_rcvd(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - - gps = gssapi_get_state(iph1); - - gps->gss_flags |= GSSFLAG_ID_RCVD; -} - -int -gssapi_id_rcvd(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - - gps = gssapi_get_state(iph1); - - return (gps->gss_flags & GSSFLAG_ID_RCVD) != 0; -} - -void -gssapi_free_state(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - OM_uint32 maj_stat, min_stat; - - gps = gssapi_get_state(iph1); - - if (gps == NULL) - return; - - gssapi_set_state(iph1, NULL); - - if (gps->gss_cred != GSS_C_NO_CREDENTIAL) { - maj_stat = gss_release_cred(&min_stat, &gps->gss_cred); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "releasing credentials\n"); - } - racoon_free(gps); -} - -vchar_t * -gssapi_get_id(struct ph1handle *iph1) -{ - gss_buffer_desc id_buffer; - gss_buffer_t id = &id_buffer; - gss_name_t 
defname, canon_name; - OM_uint32 min_stat, maj_stat; - vchar_t *vmbuf; - - if (iph1->rmconf->proposal->gssid != NULL) - return (vdup(iph1->rmconf->proposal->gssid)); - - if (gssapi_get_default_name(iph1, 0, &defname) < 0) - return NULL; - - maj_stat = gss_canonicalize_name(&min_stat, defname, GSS_C_NO_OID, - &canon_name); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "canonicalize name\n"); - maj_stat = gss_release_name(&min_stat, &defname); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release default name\n"); - return NULL; - } - maj_stat = gss_release_name(&min_stat, &defname); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release default name\n"); - - maj_stat = gss_export_name(&min_stat, canon_name, id); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "export name\n"); - maj_stat = gss_release_name(&min_stat, &canon_name); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release canonical name\n"); - return NULL; - } - maj_stat = gss_release_name(&min_stat, &canon_name); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release canonical name\n"); - -#if 0 - /* - * XXXJRT Did this debug message ever work? This is a GSS name - * blob at this point. - */ - plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s' creds\n", - id->length, id->value); -#endif - - if (gssapi_gss2vmbuf(id, &vmbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n"); - maj_stat = gss_release_buffer(&min_stat, id); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release id buffer\n"); - return NULL; - } - maj_stat = gss_release_buffer(&min_stat, id); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release id buffer\n"); - - return vmbuf; -} -#else -int __gssapi_dUmMy; -#endif diff --git a/ipsec-tools/racoon/gssapi.h b/ipsec-tools/racoon/gssapi.h deleted file mode 100644 index 8994281..0000000 --- a/ipsec-tools/racoon/gssapi.h +++ /dev/null 
@@ -1,95 +0,0 @@ -/* $Id: gssapi.h,v 1.5 2005/02/11 06:59:01 manubsd Exp $ */ - -/* - * Copyright 2000 Wasabi Systems, Inc. - * All rights reserved. - * - * This software was written by Frank van der Linden of Wasabi Systems - * for Zembu Labs, Inc. http://www.zembu.com/ - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of Wasabi Systems, Inc. may not be used to endorse - * or promote products derived from this software without specific prior - * written permission. - * - * THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#ifndef __GSSAPI_H__ -#define __GSSAPI_H__ - -#ifdef __FreeBSD__ -#include "/usr/include/gssapi.h" -#else -#include -#endif - -#define GSSAPI_DEF_NAME "host" - -struct ph1handle; -struct isakmpsa; - -struct gssapi_ph1_state { - int gsscnt; /* # of token we're working on */ - int gsscnt_p; /* # of token we're working on */ - - gss_buffer_desc gss[3]; /* gss-api tokens. */ - /* NOTE: XXX this restricts the max # */ - /* to 3. More should never happen */ - - gss_buffer_desc gss_p[3]; - - gss_ctx_id_t gss_context; /* context for gss_init_sec_context */ - - OM_uint32 gss_status; /* retval from gss_init_sec_context */ - gss_cred_id_t gss_cred; /* acquired credentials */ - - int gss_flags; -#define GSSFLAG_ID_SENT 0x0001 -#define GSSFLAG_ID_RCVD 0x0001 -}; - -#define gssapi_get_state(ph) \ - ((struct gssapi_ph1_state *)((ph)->gssapi_state)) - -#define gssapi_set_state(ph, st) \ - (ph)->gssapi_state = (st) - -#define gssapi_more_tokens(ph) \ - ((gssapi_get_state(ph)->gss_status & GSS_S_CONTINUE_NEEDED) != 0) - -int gssapi_get_itoken __P((struct ph1handle *, int *)); -int gssapi_get_rtoken __P((struct ph1handle *, int *)); -int gssapi_save_received_token __P((struct ph1handle *, vchar_t *)); -int gssapi_get_token_to_send __P((struct ph1handle *, vchar_t **)); -int gssapi_get_itokens __P((struct ph1handle *, vchar_t **)); -int gssapi_get_rtokens __P((struct ph1handle *, vchar_t **)); -vchar_t *gssapi_wraphash __P((struct ph1handle *)); -vchar_t *gssapi_unwraphash __P((struct ph1handle *)); -void gssapi_set_id_sent __P((struct ph1handle *)); -int gssapi_id_sent __P((struct ph1handle *)); -void gssapi_set_id_rcvd __P((struct ph1handle *)); -int gssapi_id_rcvd __P((struct ph1handle *)); -void gssapi_free_state __P((struct ph1handle *)); -vchar_t *gssapi_get_id __P((struct ph1handle *)); -vchar_t *gssapi_get_default_gss_id __P((void)); - -#endif /* __GSSAPI_H__ */ - diff --git a/ipsec-tools/racoon/handler.c b/ipsec-tools/racoon/handler.c index 018087b..e287145 100644 
--- a/ipsec-tools/racoon/handler.c +++ b/ipsec-tools/racoon/handler.c @@ -49,6 +49,7 @@ #include "plog.h" #include "sockmisc.h" #include "debug.h" +#include "fsm.h" #ifdef ENABLE_HYBRID #include @@ -61,7 +62,6 @@ #include "policy.h" #include "proposal.h" #include "isakmp_var.h" -#include "evt.h" #include "isakmp.h" #ifdef ENABLE_HYBRID #include "isakmp_xauth.h" @@ -75,22 +75,20 @@ #include "gcmalloc.h" #include "nattraversal.h" #include "ike_session.h" +#include "isakmp_frag.h" #include "sainfo.h" -#ifdef HAVE_GSSAPI -#include "gssapi.h" -#endif #include "power_mgmt.h" -static LIST_HEAD(_ph1tree_, ph1handle) ph1tree; -static LIST_HEAD(_ph2tree_, ph2handle) ph2tree; + +extern LIST_HEAD(_ike_session_tree_, ike_session) ike_session_tree; static LIST_HEAD(_ctdtree_, contacted) ctdtree; static LIST_HEAD(_rcptree_, recvdpkt) rcptree; -static void del_recvdpkt __P((struct recvdpkt *)); -static void rem_recvdpkt __P((struct recvdpkt *)); -static void sweep_recvdpkt __P((void *)); +static void ike_session_del_recvdpkt (struct recvdpkt *); +static void ike_session_rem_recvdpkt (struct recvdpkt *); +static void sweep_recvdpkt (void *); /* * functions about management of the isakmp status table 
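Review bot: The `extern LIST_HEAD(_ike_session_tree_, ike_session) ike_session_tree;` added in the third hunk on this line (just after the `power_mgmt.h` include) declares a global owned by another translation unit directly in handler.c, so the list-head type written here can silently drift from the real definition. Move that declaration into ike_session.h, which handler.c already includes, and drop the local extern so every lookup that walks `ike_session_tree` shares one checked declaration. The two earlier hunks on this line are include-list changes and need nothing.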
@@ -100,40 +98,72 @@ static void sweep_recvdpkt __P((void *)); * search for isakmpsa handler with isakmp index. */ -extern caddr_t val2str(const char *, size_t); +extern caddr_t val2str (const char *, size_t); -struct ph1handle * -getph1byindex(index) - isakmp_index *index; +static phase1_handle_t * +getph1byindex(ike_session_t *session, isakmp_index *index) { - struct ph1handle *p; - - LIST_FOREACH(p, &ph1tree, chain) { - if (p->status == PHASE1ST_EXPIRED) + phase1_handle_t *p = NULL; + + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (FSM_STATE_IS_EXPIRED(p->status)) continue; if (memcmp(&p->index, index, sizeof(*index)) == 0) return p; } - + return NULL; } +phase1_handle_t * +ike_session_getph1byindex(ike_session_t *session, isakmp_index *index) +{ + phase1_handle_t *p; + ike_session_t *cur_session = NULL; + + if (session) + return getph1byindex(session, index); + + LIST_FOREACH(cur_session, &ike_session_tree, chain) { + if ((p = getph1byindex(cur_session, index)) != NULL) + return p; + } + return NULL; +} + + /* * search for isakmp handler by i_ck in index. 
*/ -struct ph1handle * -getph1byindex0(index) - isakmp_index *index; -{ - struct ph1handle *p; - LIST_FOREACH(p, &ph1tree, chain) { - if (p->status == PHASE1ST_EXPIRED) - continue; - if (memcmp(&p->index, index, sizeof(cookie_t)) == 0) - return p; - } +static phase1_handle_t * +getph1byindex0 (ike_session_t *session, isakmp_index *index) +{ + phase1_handle_t *p = NULL; + + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (FSM_STATE_IS_EXPIRED(p->status)) + continue; + if (memcmp(&p->index.i_ck, &index->i_ck, sizeof(cookie_t)) == 0) + return p; + } + return NULL; +} +phase1_handle_t * +ike_session_getph1byindex0(ike_session_t *session, isakmp_index *index) +{ + phase1_handle_t *p = NULL; + ike_session_t *cur_session = NULL; + + if (session) + return getph1byindex0(session, index); + + LIST_FOREACH(cur_session, &ike_session_tree, chain) { + if ((p = getph1byindex0(cur_session, index)) != NULL) + return p; + } + return NULL; } 
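Review bot: `ike_session_getph1byindex` and `ike_session_getph1byindex0` treat a NULL `session` as "search every session in ike_session_tree", but nothing at either definition says so, and the static helpers they wrap dereference `session->ph1tree` unconditionally. Add above each wrapper `/* session may be NULL, in which case every session in ike_session_tree is searched and the first non-expired match wins */`. Because `getph1byindex0` matches on the initiator cookie alone, a comment stating that the caller is expected to validate the responder cookie for that path would also help; that expectation is inferred from the lookup, not visible in this hunk.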
@@ -142,47 +172,62 @@ getph1byindex0(index) * don't use port number to search because this function search * with phase 2's destinaion. */ -struct ph1handle * -getph1byaddr(local, remote) - struct sockaddr_storage *local, *remote; +phase1_handle_t * +ike_session_getph1byaddr(ike_session_t *session, struct sockaddr_storage *local, struct sockaddr_storage *remote) { - struct ph1handle *p; - - plog(LLV_DEBUG2, LOCATION, NULL, "getph1byaddr: start\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "local: %s\n", saddr2str((struct sockaddr *)local)); - plog(LLV_DEBUG2, LOCATION, NULL, "remote: %s\n", saddr2str((struct sockaddr *)remote)); - - LIST_FOREACH(p, &ph1tree, chain) { - if (p->status == PHASE1ST_EXPIRED) + phase1_handle_t *p = NULL; + + plog(ASL_LEVEL_DEBUG, "getph1byaddr: start\n"); + plog(ASL_LEVEL_DEBUG, "local: %s\n", saddr2str((struct sockaddr *)local)); + plog(ASL_LEVEL_DEBUG, "remote: %s\n", saddr2str((struct sockaddr *)remote)); + + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (FSM_STATE_IS_EXPIRED(p->status)) continue; - plog(LLV_DEBUG2, LOCATION, NULL, "p->local: %s\n", saddr2str((struct sockaddr *)p->local)); - plog(LLV_DEBUG2, LOCATION, NULL, "p->remote: %s\n", saddr2str((struct sockaddr *)p->remote)); + plog(ASL_LEVEL_DEBUG, "p->local: %s\n", saddr2str((struct sockaddr *)p->local)); + plog(ASL_LEVEL_DEBUG, "p->remote: %s\n", saddr2str((struct sockaddr *)p->remote)); if (CMPSADDR(local, p->local) == 0 && CMPSADDR(remote, p->remote) == 0){ - plog(LLV_DEBUG2, LOCATION, NULL, "matched\n"); + plog(ASL_LEVEL_DEBUG, "matched\n"); return p; } } - - plog(LLV_DEBUG2, LOCATION, NULL, "no match\n"); - + + plog(ASL_LEVEL_DEBUG, "no match\n"); + return NULL; } -struct ph1handle * -getph1byaddrwop(local, remote) - struct sockaddr_storage *local, *remote; +static phase1_handle_t * +sgetph1byaddrwop(ike_session_t *session, struct sockaddr_storage *local, struct sockaddr_storage *remote) { - struct ph1handle *p; - - LIST_FOREACH(p, &ph1tree, chain) { - if 
(p->status == PHASE1ST_EXPIRED) + phase1_handle_t *p = NULL; + + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (FSM_STATE_IS_EXPIRED(p->status)) continue; if (cmpsaddrwop(local, p->local) == 0 - && cmpsaddrwop(remote, p->remote) == 0) + && cmpsaddrwop(remote, p->remote) == 0) return p; } + + return NULL; +} +phase1_handle_t * +ike_session_getph1byaddrwop(ike_session_t *session, struct sockaddr_storage *local, struct sockaddr_storage *remote) +{ + phase1_handle_t *p; + ike_session_t *cur_session = NULL; + + if (session) + return sgetph1byaddrwop(session, local, remote); + + LIST_FOREACH(cur_session, &ike_session_tree, chain) { + if ((p = sgetph1byaddrwop(cur_session, local, remote)) != NULL) + return p; + } + return NULL; } 
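Review bot: `ike_session_getph1byaddr` dereferences `session->ph1tree` with no NULL check, while its sibling `ike_session_getph1byaddrwop` in the same hunk accepts a NULL session and falls back to scanning `ike_session_tree`, so a caller following the sibling's convention crashes here. Either add the same fallback loop, or fail closed with `if (session == NULL) return NULL;` at the top of the function and state in a comment that a session is required. The three debug `plog()` calls that print every handle's local and remote address on each lookup are unchanged from the old code and not part of this point.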
@@ -191,30 +236,45 @@ getph1byaddrwop(local, remote) * don't use port number to search because this function search * with phase 2's destinaion. */ -struct ph1handle * -getph1bydstaddrwop(remote) - struct sockaddr_storage *remote; +phase1_handle_t * +sike_session_getph1bydstaddrwop(ike_session_t *session, struct sockaddr_storage *remote) { - struct ph1handle *p; - - LIST_FOREACH(p, &ph1tree, chain) { - if (p->status == PHASE1ST_EXPIRED) - continue; - if (cmpsaddrwop(remote, p->remote) == 0) - return p; - } + phase1_handle_t *p = NULL; + + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (FSM_STATE_IS_EXPIRED(p->status)) + continue; + if (cmpsaddrwop(remote, p->remote) == 0) + return p; + } + + return NULL; +} - return NULL; +phase1_handle_t * +ike_session_getph1bydstaddrwop(ike_session_t *session, struct sockaddr_storage *remote) +{ + phase1_handle_t *p; + ike_session_t *cur_session = NULL; + + if (session) + return sike_session_getph1bydstaddrwop(session, remote); + else { + LIST_FOREACH(cur_session, &ike_session_tree, chain) { + if ((p = sike_session_getph1bydstaddrwop(cur_session, remote)) != NULL) + return p; + } + } + return NULL; } int -islast_ph1(ph1) - struct ph1handle *ph1; +ike_session_islast_ph1(phase1_handle_t *ph1) { - struct ph1handle *p; - - LIST_FOREACH(p, &ph1tree, chain) { - if (p->is_dying || p->status == PHASE1ST_EXPIRED) + phase1_handle_t *p = NULL; + + LIST_FOREACH(p, &ph1->parent_session->ph1tree, ph1ofsession_chain) { + if (p->is_dying || FSM_STATE_IS_EXPIRED(p->status)) continue; if (CMPSADDR(ph1->remote, p->remote) == 0) { if (p == ph1) 
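Review bot: `sike_session_getph1bydstaddrwop` is defined with external linkage even though it is the per-session helper that `ike_session_getph1bydstaddrwop` wraps, whereas the equivalent helper `sgetph1byaddrwop` in the previous hunk is `static`; change the definition to `static phase1_handle_t *` so it is not exported. The `else` after `return sike_session_getph1bydstaddrwop(session, remote);` is redundant and can be dropped to match the other wrappers. `ike_session_islast_ph1` reads `ph1->parent_session->ph1tree` without a NULL check, while the flush code later in this file guards `p->parent_session` before using it; if a Phase 1 can exist unlinked from a session the same guard belongs here. The body of ike_session_islast_ph1 continues past the end of this hunk.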
@@ -225,59 +285,19 @@ islast_ph1(ph1) return 1; } -/* - * dump isakmp-sa - */ -vchar_t * -dumpph1() -{ - struct ph1handle *iph1; - struct ph1dump *pd; - int cnt = 0; - vchar_t *buf; - - /* get length of buffer */ - LIST_FOREACH(iph1, &ph1tree, chain) - cnt++; - - buf = vmalloc(cnt * sizeof(struct ph1dump)); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer\n"); - return NULL; - } - pd = ALIGNED_CAST(struct ph1dump *)buf->v; - - LIST_FOREACH(iph1, &ph1tree, chain) { - memcpy(&pd->index, &iph1->index, sizeof(iph1->index)); - pd->status = iph1->status; - pd->side = iph1->side; - memcpy(&pd->remote, iph1->remote, sysdep_sa_len((struct sockaddr *)iph1->remote)); - memcpy(&pd->local, iph1->local, sysdep_sa_len((struct sockaddr *)iph1->local)); - pd->version = iph1->version; - pd->etype = iph1->etype; - pd->created = iph1->created; - pd->ph2cnt = iph1->ph2cnt; - pd++; - } - - return buf; -} - /* * create new isakmp Phase 1 status record to handle isakmp in Phase1 */ -struct ph1handle * -newph1() +phase1_handle_t * +ike_session_newph1(unsigned int version) { - struct ph1handle *iph1; - + phase1_handle_t *iph1; + /* create new iph1 */ iph1 = racoon_calloc(1, sizeof(*iph1)); if (iph1 == NULL) return NULL; - - iph1->status = PHASE1ST_SPAWN; + iph1->version = version; #ifdef ENABLE_DPD iph1->dpd_support = 0; @@ -291,6 +311,7 @@ newph1() iph1->ping_sched = NULL; #endif iph1->is_dying = 0; + plog(ASL_LEVEL_DEBUG, "*** New Phase 1\n"); return iph1; } 
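Review bot: `ike_session_newph1` no longer sets `iph1->status` (the old `iph1->status = PHASE1ST_SPAWN;` is removed and only `iph1->version` is assigned), so the handle's FSM state is whatever zero means under the new `FSM_STATE_*` macros, and the handle returned here is not yet in any session's ph1tree. Document that contract at the top of the function: `/* Returns an unlinked handle whose status is still zero from calloc; the caller sets the initial FSM state and links it into a session. */`. Whether zero is a valid initial state is not visible in this hunk and should be confirmed against fsm.h.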
@@ -298,39 +319,33 @@ newph1() * delete new isakmp Phase 1 status record to handle isakmp in Phase1 */ void -delph1(iph1) - struct ph1handle *iph1; +ike_session_delph1(phase1_handle_t *iph1) { if (iph1 == NULL) return; - - /* SA down shell script hook */ - script_hook(iph1, SCRIPT_PHASE1_DOWN); - - EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL); - + #ifdef ENABLE_NATT if (iph1->natt_options) { racoon_free(iph1->natt_options); iph1->natt_options = NULL; } #endif - + #ifdef ENABLE_HYBRID if (iph1->mode_cfg) isakmp_cfg_rmstate(iph1); VPTRINIT(iph1->xauth_awaiting_userinput_msg); #endif - + #ifdef ENABLE_DPD - if (iph1->dpd_r_u != NULL) + if (iph1->dpd_r_u) SCHED_KILL(iph1->dpd_r_u); #endif #ifdef ENABLE_VPNCONTROL_PORT - if (iph1->ping_sched != NULL) + if (iph1->ping_sched) SCHED_KILL(iph1->ping_sched); #endif - + if (iph1->remote) { racoon_free(iph1->remote); iph1->remote = NULL; @@ -339,21 +354,22 @@ delph1(iph1) racoon_free(iph1->local); iph1->local = NULL; } - + if (iph1->approval) { delisakmpsa(iph1->approval); iph1->approval = NULL; } - - VPTRINIT(iph1->authstr); - + sched_scrub_param(iph1); - iph1->sce = NULL; - iph1->sce_rekey = NULL; - iph1->scr = NULL; - + if (iph1->sce) + SCHED_KILL(iph1->sce); + if (iph1->sce_rekey) + SCHED_KILL(iph1->sce_rekey); + if (iph1->scr) + SCHED_KILL(iph1->scr); + VPTRINIT(iph1->sendbuf); - + VPTRINIT(iph1->dhpriv); VPTRINIT(iph1->dhpub); VPTRINIT(iph1->dhpub_p); @@ -363,8 +379,13 @@ delph1(iph1) VPTRINIT(iph1->skeyid); VPTRINIT(iph1->skeyid_d); VPTRINIT(iph1->skeyid_a); + VPTRINIT(iph1->skeyid_a_p); VPTRINIT(iph1->skeyid_e); + VPTRINIT(iph1->skeyid_e_p); + VPTRINIT(iph1->skeyid_p); + VPTRINIT(iph1->skeyid_p_p); VPTRINIT(iph1->key); + VPTRINIT(iph1->key_p); VPTRINIT(iph1->hash); VPTRINIT(iph1->sig); VPTRINIT(iph1->sig_p); 
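Review bot: The `VPTRINIT()` calls added in the third hunk for `skeyid_a_p`, `skeyid_e_p`, `skeyid_p`, `skeyid_p_p` and `key_p` release Phase 1 keying material the same way as the existing `skeyid`, `skeyid_d`, `skeyid_e`, `key` and `dhpriv` lines, but nothing visible here scrubs the buffer contents before they are freed. Unless `VPTRINIT`/`vfree()` already zero the data (their definitions are not in this hunk), wipe each key buffer with an explicit memset of its contents before the `VPTRINIT` so SKEYID-derived keys and the DH private value do not linger in freed heap memory. Separately, `VPTRINIT(iph1->authstr);` was dropped from the middle hunk; if `authstr` still exists in `phase1_handle_t`, it now leaks on every Phase 1 teardown.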
@@ -378,266 +399,303 @@ delph1(iph1) iph1->cr_p = NULL; VPTRINIT(iph1->id); VPTRINIT(iph1->id_p); - + if(iph1->approval != NULL) delisakmpsa(iph1->approval); - + if (iph1->ivm) { oakley_delivm(iph1->ivm); iph1->ivm = NULL; } - + VPTRINIT(iph1->sa); VPTRINIT(iph1->sa_ret); - -#ifdef HAVE_GSSAPI - VPTRINIT(iph1->gi_i); - VPTRINIT(iph1->gi_r); - - gssapi_free_state(iph1); -#endif - - if (iph1->parent_session) { - ike_session_unlink_ph1_from_session(iph1); - } + if (iph1->rmconf) { - unlink_rmconf_from_ph1(iph1->rmconf); + release_rmconf(iph1->rmconf); iph1->rmconf = NULL; } - + racoon_free(iph1); } -/* - * create new isakmp Phase 1 status record to handle isakmp in Phase1 - */ -int -insph1(iph1) - struct ph1handle *iph1; -{ - /* validity check */ - if (iph1->remote == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid isakmp SA handler. no remote address.\n"); - return -1; - } - LIST_INSERT_HEAD(&ph1tree, iph1, chain); - - return 0; -} - void -remph1(iph1) - struct ph1handle *iph1; +ike_session_flush_all_phase1_for_session(ike_session_t *session, int ignore_estab_or_assert_handles) { - LIST_REMOVE(iph1, chain); + phase1_handle_t *p, *next; + + LIST_FOREACH_SAFE(p, &session->ph1tree, ph1ofsession_chain, next) { + if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) { + plog(ASL_LEVEL_DEBUG, + "Skipping Phase 1 %s that's asserted...\n", + isakmp_pindex(&p->index, 0)); + continue; + } + + /* send delete information */ + if (FSM_STATE_IS_ESTABLISHED(p->status)) { + if (ignore_estab_or_assert_handles && + (ike_session_has_negoing_ph2(p->parent_session) || ike_session_has_established_ph2(p->parent_session))) { + plog(ASL_LEVEL_DEBUG, + "Skipping Phase 1 %s that's established... 
because it's needed by children Phase 2s\n", + isakmp_pindex(&p->index, 0)); + continue; + } + /* send delete information */ + plog(ASL_LEVEL_DEBUG, + "Got a Phase 1 %s to flush...\n", + isakmp_pindex(&p->index, 0)); + isakmp_info_send_d1(p); + } + + ike_session_stopped_by_controller(p->parent_session, + ike_session_stopped_by_flush); + + ike_session_unlink_phase1(p); + } } /* * flush isakmp-sa */ void -flushph1(int ignore_estab_or_assert_handles) +ike_session_flush_all_phase1(int ignore_estab_or_assert_handles) { - struct ph1handle *p, *next; + ike_session_t *session = NULL; + ike_session_t *next_session = NULL; - plog(LLV_DEBUG2, LOCATION, NULL, - "flushing ph1 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles); - - for (p = LIST_FIRST(&ph1tree); p; p = next) { - next = LIST_NEXT(p, chain); - - if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) { - plog(LLV_DEBUG2, LOCATION, NULL, - "skipping phase1 %s that's asserted...\n", - isakmp_pindex(&p->index, 0)); - continue; - } - - /* send delete information */ - if (p->status == PHASE1ST_ESTABLISHED) { - if (ignore_estab_or_assert_handles && - ike_session_has_negoing_ph2(p->parent_session)) { - plog(LLV_DEBUG2, LOCATION, NULL, - "skipping phase1 %s that's established... 
because it's needed by children phase2s\n", - isakmp_pindex(&p->index, 0)); - continue; - } - /* send delete information */ - plog(LLV_DEBUG2, LOCATION, NULL, - "got a phase1 %s to flush...\n", - isakmp_pindex(&p->index, 0)); - isakmp_info_send_d1(p); - } - - ike_session_stopped_by_controller(p->parent_session, - ike_session_stopped_by_flush); - remph1(p); - delph1(p); - } + plog(ASL_LEVEL_DEBUG, + "Flushing Phase 1 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles); + + LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) { + ike_session_flush_all_phase1_for_session(session, ignore_estab_or_assert_handles); + } } -void -initph1tree() -{ - LIST_INIT(&ph1tree); -} -/* %%% management phase 2 handler */ + /* * search ph2handle with policy id. */ -struct ph2handle * -getph2byspid(spid) - u_int32_t spid; +phase2_handle_t * +ike_session_getph2byspid(u_int32_t spid) { - struct ph2handle *p; - - LIST_FOREACH(p, &ph2tree, chain) { - /* - * there are ph2handle independent on policy - * such like informational exchange. - */ - if (p->spid == spid) - return p; - } - + ike_session_t *session = NULL; + phase2_handle_t *p; + + LIST_FOREACH(session, &ike_session_tree, chain) { + LIST_FOREACH(p, &session->ph2tree, ph2ofsession_chain) { + /* + * there are ph2handle independent on policy + * such like informational exchange. + */ + if (p->spid == spid) + return p; + } + } + return NULL; } + /* * search ph2handle with sequence number. 
+ * Used by PF_KEY functions to locate the phase2 */ -struct ph2handle * -getph2byseq(seq) - u_int32_t seq; +phase2_handle_t * +ike_session_getph2byseq(u_int32_t seq) { - struct ph2handle *p; - - LIST_FOREACH(p, &ph2tree, chain) { - if (p->seq == seq) - return p; - } - + ike_session_t *session; + phase2_handle_t *p; + + LIST_FOREACH(session, &ike_session_tree, chain) { + LIST_FOREACH(p, &session->ph2tree, ph2ofsession_chain) { + if (p->seq == seq) + return p; + } + } return NULL; } /* * search ph2handle with message id. */ -struct ph2handle * -getph2bymsgid(iph1, msgid) - struct ph1handle *iph1; - u_int32_t msgid; +phase2_handle_t * +ike_session_getph2bymsgid(phase1_handle_t *iph1, u_int32_t msgid) { - struct ph2handle *p; - - LIST_FOREACH(p, &ph2tree, chain) { + phase2_handle_t *p; + + LIST_FOREACH(p, &iph1->parent_session->ph2tree, ph2ofsession_chain) { if (p->msgid == msgid) return p; } - + return NULL; } -struct ph2handle * -getph2byid(src, dst, spid) - struct sockaddr_storage *src, *dst; - u_int32_t spid; +phase2_handle_t * +ike_session_getonlyph2(phase1_handle_t *iph1) { - struct ph2handle *p; - - LIST_FOREACH(p, &ph2tree, chain) { - if (spid == p->spid && - CMPSADDR(src, p->src) == 0 && - CMPSADDR(dst, p->dst) == 0){ - /* Sanity check to detect zombie handlers - * XXX Sould be done "somewhere" more interesting, - * because we have lots of getph2byxxxx(), but this one - * is called by pk_recvacquire(), so is the most important. 
- */ - if(p->status < PHASE2ST_ESTABLISHED && - p->retry_counter == 0 - && p->sce == NULL && p->scr == NULL){ - plog(LLV_DEBUG, LOCATION, NULL, - "Zombie ph2 found, expiring it\n"); - isakmp_ph2expire(p); - }else - return p; - } - } + phase2_handle_t *only_ph2 = NULL; + phase2_handle_t *p = NULL; + + LIST_FOREACH(p, &iph1->bound_ph2tree, ph2ofsession_chain) { + if (only_ph2) return NULL; + only_ph2 = p; + } + + return only_ph2; +} +phase2_handle_t * +ike_session_getph2byid(struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spid) +{ + ike_session_t *session = NULL; + ike_session_t *next_session = NULL; + phase2_handle_t *p; + phase2_handle_t *next_iph2; + + LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) { + LIST_FOREACH_SAFE(p, &session->ph2tree, ph2ofsession_chain, next_iph2) { + if (spid == p->spid && + CMPSADDR(src, p->src) == 0 && + CMPSADDR(dst, p->dst) == 0){ + /* Sanity check to detect zombie handlers + * XXX Sould be done "somewhere" more interesting, + * because we have lots of getph2byxxxx(), but this one + * is called by pk_recvacquire(), so is the most important. 
+ */ + if(!FSM_STATE_IS_ESTABLISHED_OR_EXPIRED(p->status) && + p->retry_counter == 0 + && p->sce == 0 && p->scr == 0 && + p->retry_checkph1 == 0){ + plog(ASL_LEVEL_DEBUG, + "Zombie ph2 found, expiring it\n"); + isakmp_ph2expire(p); + }else + return p; + } + } + } + return NULL; } -struct ph2handle * -getph2bysaddr(src, dst) - struct sockaddr_storage *src, *dst; +#ifdef NOT_USED +phase2_handle_t * +ike_session_getph2bysaddr(struct sockaddr_storage *src, struct sockaddr_storage *dst) { - struct ph2handle *p; - - LIST_FOREACH(p, &ph2tree, chain) { - if (cmpsaddrstrict(src, p->src) == 0 && - cmpsaddrstrict(dst, p->dst) == 0) - return p; - } - + ike_session_t *session; + phase2_handle_t *p; + + LIST_FOREACH(session, &ike_session_tree, chain) { + LIST_FOREACH(p, &session->ph2tree, chain) { + if (cmpsaddrstrict(src, p->src) == 0 && + cmpsaddrstrict(dst, p->dst) == 0) + return p; + } + } + return NULL; } +#endif /* NOT_USED */ /* * call by pk_recvexpire(). */ -struct ph2handle * -getph2bysaidx(src, dst, proto_id, spi) - struct sockaddr_storage *src, *dst; - u_int proto_id; - u_int32_t spi; +phase2_handle_t * +ike_session_getph2bysaidx(struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int proto_id, u_int32_t spi) { - struct ph2handle *iph2; + ike_session_t *session; + phase2_handle_t *iph2; struct saproto *pr; + + LIST_FOREACH(session, &ike_session_tree, chain) { + LIST_FOREACH(iph2, &session->ph2tree, ph2ofsession_chain) { + if (iph2->proposal == NULL && iph2->approval == NULL) + continue; + if (iph2->approval != NULL) { + for (pr = iph2->approval->head; pr != NULL; + pr = pr->next) { + if (proto_id != pr->proto_id) + break; + if (spi == pr->spi || spi == pr->spi_p) + return iph2; + } + } else if (iph2->proposal != NULL) { + for (pr = iph2->proposal->head; pr != NULL; + pr = pr->next) { + if (proto_id != pr->proto_id) + break; + if (spi == pr->spi) + return iph2; + } + } + } + } + + return NULL; +} - LIST_FOREACH(iph2, &ph2tree, chain) { - if (iph2->proposal == 
NULL && iph2->approval == NULL) - continue; - if (iph2->approval != NULL) { - for (pr = iph2->approval->head; pr != NULL; - pr = pr->next) { - if (proto_id != pr->proto_id) - break; - if (spi == pr->spi || spi == pr->spi_p) - return iph2; - } - } else if (iph2->proposal != NULL) { - for (pr = iph2->proposal->head; pr != NULL; - pr = pr->next) { - if (proto_id != pr->proto_id) - break; - if (spi == pr->spi) - return iph2; - } - } - } - +phase2_handle_t * +ike_session_getph2bysaidx2(struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int proto_id, u_int32_t spi, u_int32_t *opposite_spi) +{ + ike_session_t *session; + phase2_handle_t *iph2; + struct saproto *pr; + + LIST_FOREACH(session, &ike_session_tree, chain) { + LIST_FOREACH(iph2, &session->ph2tree, ph2ofsession_chain) { + if (iph2->proposal == NULL && iph2->approval == NULL) + continue; + if (iph2->approval != NULL) { + for (pr = iph2->approval->head; pr != NULL; + pr = pr->next) { + if (proto_id != pr->proto_id) + break; + if (spi == pr->spi || spi == pr->spi_p) { + if (opposite_spi) { + *opposite_spi = (spi == pr->spi)? pr->spi_p : pr->spi; + } + return iph2; + } + } + } else if (iph2->proposal != NULL) { + for (pr = iph2->proposal->head; pr != NULL; + pr = pr->next) { + if (proto_id != pr->proto_id) + break; + if (spi == pr->spi || spi == pr->spi_p) { + if (opposite_spi) { + *opposite_spi = (spi == pr->spi)? pr->spi_p : pr->spi; + } + return iph2; + } + } + } + } + } + return NULL; } /* * create new isakmp Phase 2 status record to handle isakmp in Phase2 */ -struct ph2handle * -newph2() +phase2_handle_t * +ike_session_newph2(unsigned int version, int type) { - struct ph2handle *iph2 = NULL; - + phase2_handle_t *iph2 = NULL; + /* create new iph2 */ iph2 = racoon_calloc(1, sizeof(*iph2)); if (iph2 == NULL) return NULL; - - iph2->status = PHASE1ST_SPAWN; + iph2->version = version; + iph2->phase2_type = type; iph2->is_dying = 0; - + + plog(ASL_LEVEL_DEBUG, "*** New Phase 2\n"); return iph2; } 
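Review bot: `ike_session_getonlyph2` walks `iph1->bound_ph2tree` with `LIST_FOREACH(p, &iph1->bound_ph2tree, ph2ofsession_chain)`, but `ph2ofsession_chain` is the link member used everywhere else in this hunk for `session->ph2tree`; a handle that sits in both lists must use a different link for the bound list, so after the first element this loop follows the session list and returns NULL whenever that first ph2 has any successor in the session, even when it is the only bound one. Iterate with the link member that the code which binds a ph2 to its ph1 actually inserts into `bound_ph2tree` (that code is not in this hunk, so the member name has to be taken from ike_session.h). The `#ifdef NOT_USED` copy of `ike_session_getph2bysaddr` still iterates `session->ph2tree` with `chain`, which would not compile if re-enabled; fix it to `ph2ofsession_chain` or delete it.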
@@ -647,41 +705,40 @@ newph2() * SPI in the proposal is cleared. */ void -initph2(iph2) - struct ph2handle *iph2; +ike_session_initph2(phase2_handle_t *iph2) { sched_scrub_param(iph2); iph2->sce = NULL; iph2->scr = NULL; - + VPTRINIT(iph2->sendbuf); VPTRINIT(iph2->msg1); - + /* clear spi, keep variables in the proposal */ if (iph2->proposal) { struct saproto *pr; for (pr = iph2->proposal->head; pr != NULL; pr = pr->next) pr->spi = 0; } - + /* clear approval */ if (iph2->approval) { flushsaprop(iph2->approval); iph2->approval = NULL; } - + /* clear the generated policy */ if (iph2->spidx_gen) { delsp_bothdir(iph2->spidx_gen); racoon_free(iph2->spidx_gen); iph2->spidx_gen = NULL; } - + if (iph2->pfsgrp) { oakley_dhgrp_free(iph2->pfsgrp); iph2->pfsgrp = NULL; } - + VPTRINIT(iph2->dhpriv); VPTRINIT(iph2->dhpub); VPTRINIT(iph2->dhpub_p); @@ -692,7 +749,7 @@ initph2(iph2) VPTRINIT(iph2->nonce_p); VPTRINIT(iph2->sa); VPTRINIT(iph2->sa_ret); - + if (iph2->ivm) { oakley_delivm(iph2->ivm); iph2->ivm = NULL; @@ -703,11 +760,10 @@ initph2(iph2) * delete new isakmp Phase 2 status record to handle isakmp in Phase2 */ void -delph2(iph2) - struct ph2handle *iph2; +ike_session_delph2(phase2_handle_t *iph2) { - initph2(iph2); - + ike_session_initph2(iph2); + if (iph2->src) { racoon_free(iph2->src); iph2->src = NULL; 
@@ -717,103 +773,85 @@ delph2(iph2) iph2->dst = NULL; } if (iph2->src_id) { - racoon_free(iph2->src_id); - iph2->src_id = NULL; + racoon_free(iph2->src_id); + iph2->src_id = NULL; } if (iph2->dst_id) { - racoon_free(iph2->dst_id); - iph2->dst_id = NULL; + racoon_free(iph2->dst_id); + iph2->dst_id = NULL; } - + if (iph2->proposal) { flushsaprop(iph2->proposal); iph2->proposal = NULL; } - - if (iph2->parent_session) { - ike_session_unlink_ph2_from_session(iph2); - } + if (iph2->sainfo) { - unlink_sainfo_from_ph2(iph2->sainfo); + release_sainfo(iph2->sainfo); iph2->sainfo = NULL; } - if (iph2->ext_nat_id) { - vfree(iph2->ext_nat_id); - iph2->ext_nat_id = NULL; - } - if (iph2->ext_nat_id_p) { - vfree(iph2->ext_nat_id_p); - iph2->ext_nat_id_p = NULL; - } - + VPTRINIT(iph2->id); + VPTRINIT(iph2->id_p); + VPTRINIT(iph2->ext_nat_id); + VPTRINIT(iph2->ext_nat_id_p); + + if (iph2->sce) + SCHED_KILL(iph2->sce); + if (iph2->scr) + SCHED_KILL(iph2->scr); + + racoon_free(iph2); } -/* - * create new isakmp Phase 2 status record to handle isakmp in Phase2 - */ -int -insph2(iph2) - struct ph2handle *iph2; -{ - LIST_INSERT_HEAD(&ph2tree, iph2, chain); - - return 0; -} - -void -remph2(iph2) - struct ph2handle *iph2; -{ - LIST_REMOVE(iph2, chain); -} - void -initph2tree() +ike_session_flush_all_phase2_for_session(ike_session_t *session, int ignore_estab_or_assert_handles) { - LIST_INIT(&ph2tree); + phase2_handle_t *p = NULL; + phase2_handle_t *next = NULL; + LIST_FOREACH_SAFE(p, &session->ph2tree, ph2ofsession_chain, next) { + if (p->is_dying || FSM_STATE_IS_EXPIRED(p->status)) { + continue; + } + if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) { + plog(ASL_LEVEL_DEBUG, + "skipping phase2 handle that's asserted...\n"); + continue; + } + if (FSM_STATE_IS_ESTABLISHED(p->status)){ + if (ignore_estab_or_assert_handles) { + plog(ASL_LEVEL_DEBUG, + "skipping ph2 handler that's established...\n"); + 
continue; + } + /* send delete information */ + plog(ASL_LEVEL_DEBUG, + "got an established ph2 handler to flush...\n"); + isakmp_info_send_d2(p); + }else{ + plog(ASL_LEVEL_DEBUG, + "got a ph2 handler to flush (state %d)\n", p->status); + } + + ike_session_stopped_by_controller(p->parent_session, + ike_session_stopped_by_flush); + delete_spd(p); + ike_session_unlink_phase2(p); + } } void -flushph2(int ignore_estab_or_assert_handles) +ike_session_flush_all_phase2(int ignore_estab_or_assert_handles) { - struct ph2handle *p, *next; - - plog(LLV_DEBUG2, LOCATION, NULL, + ike_session_t *session = NULL; + ike_session_t *next_session = NULL; + + plog(ASL_LEVEL_DEBUG, "flushing ph2 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles); - - for (p = LIST_FIRST(&ph2tree); p; p = next) { - next = LIST_NEXT(p, chain); - if (p->is_dying || p->status == PHASE2ST_EXPIRED) { - continue; - } - if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) { - plog(LLV_DEBUG2, LOCATION, NULL, - "skipping phase2 handle that's asserted...\n"); - continue; - } - if (p->status == PHASE2ST_ESTABLISHED){ - if (ignore_estab_or_assert_handles) { - plog(LLV_DEBUG2, LOCATION, NULL, - "skipping ph2 handler that's established...\n"); - continue; - } - /* send delete information */ - plog(LLV_DEBUG2, LOCATION, NULL, - "got an established ph2 handler to flush...\n"); - isakmp_info_send_d2(p); - }else{ - plog(LLV_DEBUG2, LOCATION, NULL, - "got a ph2 handler to flush (state %d)\n", p->status); - } - - ike_session_stopped_by_controller(p->parent_session, - ike_session_stopped_by_flush); - delete_spd(p); - unbindph12(p); - remph2(p); - delph2(p); - } + + LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) { + ike_session_flush_all_phase2_for_session(session, ignore_estab_or_assert_handles); + } } /* 
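Review bot: In `ike_session_delph2`, the new `if (iph2->sce) SCHED_KILL(iph2->sce);` and `if (iph2->scr) SCHED_KILL(iph2->scr);` can never fire, because `ike_session_initph2(iph2)` is called first and sets both fields to NULL. If the intent is to cancel timers that `sched_scrub_param()` does not cover, move the two kills into `ike_session_initph2` ahead of its `iph2->sce = NULL; iph2->scr = NULL;` lines; otherwise drop them. In `ike_session_flush_all_phase2_for_session`, `p->parent_session` is guarded for the assertion check but passed unguarded to `ike_session_stopped_by_controller()` a few statements later; whether that function tolerates NULL is not visible here, so either guard the call or document that every ph2 in `session->ph2tree` has a non-NULL parent.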
@@ -821,143 +859,97 @@ flushph2(int ignore_estab_or_assert_handles) * is used during INITIAL-CONTACT processing (so no need to * send a message to the peer). */ +//%%%%%%%%%%%%%%%%%%% make this smarter - find session using addresses ???? void -deleteallph2(src, dst, proto_id) - struct sockaddr_storage *src, *dst; - u_int proto_id; +ike_session_deleteallph2(struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int proto_id) { - struct ph2handle *iph2, *next; + ike_session_t *session = NULL; + ike_session_t *next_session = NULL; + phase2_handle_t *iph2 = NULL; + phase2_handle_t *next_iph2 = NULL; struct saproto *pr; - - for (iph2 = LIST_FIRST(&ph2tree); iph2 != NULL; iph2 = next) { - next = LIST_NEXT(iph2, chain); - if (iph2->is_dying || iph2->status == PHASE2ST_EXPIRED) { - continue; - } - if (iph2->proposal == NULL && iph2->approval == NULL) - continue; - if (cmpsaddrwop(src, iph2->src) != 0 || - cmpsaddrwop(dst, iph2->dst) != 0) { + + LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) { + LIST_FOREACH_SAFE(iph2, &session->ph2tree, ph2ofsession_chain, next_iph2) { + if (iph2->is_dying || FSM_STATE_IS_EXPIRED(iph2->status)) { + continue; + } + if (iph2->proposal == NULL && iph2->approval == NULL) + continue; + if (cmpsaddrwop(src, iph2->src) != 0 || + cmpsaddrwop(dst, iph2->dst) != 0) { + continue; + } + if (iph2->approval != NULL) { + for (pr = iph2->approval->head; pr != NULL; + pr = pr->next) { + if (proto_id == pr->proto_id) + goto zap_it; + } + } else if (iph2->proposal != NULL) { + for (pr = iph2->proposal->head; pr != NULL; + pr = pr->next) { + if (proto_id == pr->proto_id) + goto zap_it; + } + } continue; + zap_it: + plog(ASL_LEVEL_DEBUG, + "deleteallph2: got a ph2 handler...\n"); + if (FSM_STATE_IS_ESTABLISHED(iph2->status)) + isakmp_info_send_d2(iph2); + ike_session_stopped_by_controller(iph2->parent_session, + ike_session_stopped_by_flush); + ike_session_unlink_phase2(iph2); } - if (iph2->approval != NULL) { - for (pr = 
iph2->approval->head; pr != NULL; - pr = pr->next) { - if (proto_id == pr->proto_id) - goto zap_it; - } - } else if (iph2->proposal != NULL) { - for (pr = iph2->proposal->head; pr != NULL; - pr = pr->next) { - if (proto_id == pr->proto_id) - goto zap_it; - } - } - continue; - zap_it: - plog(LLV_DEBUG2, LOCATION, NULL, - "deleteallph2: got a ph2 handler...\n"); - if (iph2->status == PHASE2ST_ESTABLISHED) - isakmp_info_send_d2(iph2); - ike_session_stopped_by_controller(iph2->parent_session, - ike_session_stopped_by_flush); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - } + } } /* * Delete all Phase 1 handlers for this src/dst. */ void -deleteallph1(src, dst) -struct sockaddr_storage *src, *dst; +ike_session_deleteallph1(struct sockaddr_storage *src, struct sockaddr_storage *dst) { - struct ph1handle *iph1, *next; - - for (iph1 = LIST_FIRST(&ph1tree); iph1 != NULL; iph1 = next) { - next = LIST_NEXT(iph1, chain); - if (cmpsaddrwop(src, iph1->local) != 0 || - cmpsaddrwop(dst, iph1->remote) != 0) { - continue; + ike_session_t *session = NULL; + ike_session_t *next_session = NULL; + phase1_handle_t *iph1 = NULL; + phase1_handle_t *next_iph1 = NULL; + + LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) { + LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) { + if (cmpsaddrwop(src, iph1->local) != 0 || + cmpsaddrwop(dst, iph1->remote) != 0) { + continue; + } + plog(ASL_LEVEL_DEBUG, + "deleteallph1: got a ph1 handler...\n"); + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) + isakmp_info_send_d1(iph1); + + ike_session_stopped_by_controller(iph1->parent_session, ike_session_stopped_by_flush); + ike_session_unlink_phase1(iph1); } - plog(LLV_DEBUG2, LOCATION, NULL, - "deleteallph1: got a ph1 handler...\n"); - if (iph1->status == PHASE2ST_ESTABLISHED) - isakmp_info_send_d1(iph1); - - ike_session_stopped_by_controller(iph1->parent_session, - ike_session_stopped_by_flush); - remph1(iph1); - delph1(iph1); - } -} - -/* %%% */ -void 
-bindph12(iph1, iph2) - struct ph1handle *iph1; - struct ph2handle *iph2; -{ - if (iph2->ph1 && (struct ph1handle *)iph2->ph1bind.le_next == iph1) { - plog(LLV_ERROR, LOCATION, NULL, "duplicate %s.\n", __FUNCTION__); - } - iph2->ph1 = iph1; - LIST_INSERT_HEAD(&iph1->ph2tree, iph2, ph1bind); -} - -void -unbindph12(iph2) - struct ph2handle *iph2; -{ - if (iph2->ph1 != NULL) { - plog(LLV_DEBUG, LOCATION, NULL, "unbindph12.\n"); - iph2->ph1 = NULL; - LIST_REMOVE(iph2, ph1bind); - } + } } -void -rebindph12(new_ph1, iph2) -struct ph1handle *new_ph1; -struct ph2handle *iph2; -{ - if (!new_ph1) { - return; - } - - // reconcile the ph1-to-ph2 binding - plog(LLV_DEBUG, LOCATION, NULL, "rebindph12.\n"); - unbindph12(iph2); - bindph12(new_ph1, iph2); - // recalculate ivm since ph1 binding has changed - if (iph2->ivm != NULL) { - oakley_delivm(iph2->ivm); - if (new_ph1->status == PHASE1ST_ESTABLISHED) { - iph2->ivm = oakley_newiv2(new_ph1, iph2->msgid); - plog(LLV_DEBUG, LOCATION, NULL, "ph12 binding changed... recalculated ivm.\n"); - } else { - iph2->ivm = NULL; - } - } -} /* %%% management contacted list */ /* * search contacted list. */ struct contacted * -getcontacted(remote) - struct sockaddr_storage *remote; +ike_session_getcontacted(remote) +struct sockaddr_storage *remote; { struct contacted *p; - + LIST_FOREACH(p, &ctdtree, chain) { if (cmpsaddrstrict(remote, p->remote) == 0) return p; } - + return NULL; } 
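Review bot: ike_session_getcontacted keeps the old-style definition (`ike_session_getcontacted(remote) struct sockaddr_storage *remote;`) while ike_session_deleteallph2 and ike_session_deleteallph1 in the same hunk were converted to prototype form; `ike_session_getcontacted(struct sockaddr_storage *remote)` would keep the file consistent. The `//%%%%%%%%%%%%%%%%%%% make this smarter - find session using addresses ????` line above ike_session_deleteallph2 should become a `TODO:` that states what is intended, since the nested LIST_FOREACH_SAFE now scans every Phase 2 handle of every session for each call.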
@@ -965,37 +957,35 @@ getcontacted(remote) * create new isakmp Phase 2 status record to handle isakmp in Phase2 */ int -inscontacted(remote) - struct sockaddr_storage *remote; +ike_session_inscontacted(remote) +struct sockaddr_storage *remote; { struct contacted *new; - + /* create new iph2 */ new = racoon_calloc(1, sizeof(*new)); if (new == NULL) return -1; - - new->remote = dupsaddr((struct sockaddr *)remote); + + new->remote = dupsaddr(remote); if (new->remote == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); + plog(ASL_LEVEL_ERR, + "failed to allocate buffer.\n"); racoon_free(new); return -1; } - + LIST_INSERT_HEAD(&ctdtree, new, chain); - + return 0; } void -clear_contacted() +ike_session_clear_contacted() { struct contacted *c, *next; - - for (c = LIST_FIRST(&ctdtree); c; c = next) { - next = LIST_NEXT(c, chain); + LIST_FOREACH_SAFE(c, &ctdtree, chain, next) { LIST_REMOVE(c, chain); racoon_free(c->remote); racoon_free(c); @@ -1003,13 +993,13 @@ clear_contacted() } void -initctdtree() +ike_session_initctdtree() { LIST_INIT(&ctdtree); } time_t -get_exp_retx_interval (int num_retries, int fixed_retry_interval) +ike_session_get_exp_retx_interval (int num_retries, int fixed_retry_interval) { // first 3 retries aren't exponential if (num_retries <= 3) { 
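Review bot: The comment block above ike_session_inscontacted still says `create new isakmp Phase 2 status record to handle isakmp in Phase2` and the body comment reads `/* create new iph2 */`, but the function allocates a `struct contacted` and inserts it into ctdtree; both comments were carried over from a Phase 2 helper and now mislead. Suggest `/* Record remote in the contacted list; returns 0 on success, -1 on allocation failure. */` for the header and dropping the body comment.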
@@ -1029,79 +1019,79 @@ get_exp_retx_interval (int num_retries, int fixed_retry_interval) * -1: error happened. */ int -check_recvdpkt(remote, local, rbuf) - struct sockaddr_storage *remote, *local; - vchar_t *rbuf; +ike_session_check_recvdpkt(remote, local, rbuf) +struct sockaddr_storage *remote, *local; +vchar_t *rbuf; { vchar_t *hash; struct recvdpkt *r; time_t t, d; int len, s; - + /* set current time */ t = time(NULL); - + hash = eay_md5_one(rbuf); if (!hash) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); + plog(ASL_LEVEL_ERR, + "failed to allocate buffer.\n"); return -1; } - + LIST_FOREACH(r, &rcptree, chain) { if (memcmp(hash->v, r->hash->v, r->hash->l) == 0) break; } vfree(hash); - + /* this is the first time to receive the packet */ if (r == NULL) return 0; - + /* * the packet was processed before, but the remote address mismatches. - * ignore the port to accomodate port changes (e.g. floating). + * ignore the port to accomodate port changes (e.g. floating). */ if (cmpsaddrwop(remote, r->remote) != 0) { - return 2; - } - + return 2; + } + /* * it should not check the local address because the packet * may arrive at other interface. */ - + /* check the previous time to send */ if (t - r->time_send < 1) { - plog(LLV_WARNING, LOCATION, NULL, - "the packet retransmitted in a short time from %s\n", - saddr2str((struct sockaddr *)remote)); + plog(ASL_LEVEL_WARNING, + "the packet retransmitted in a short time from %s\n", + saddr2str((struct sockaddr *)remote)); /*XXX should it be error ? */ } - + /* select the socket to be sent */ s = getsockmyaddr((struct sockaddr *)r->local); if (s == -1) return -1; - + // don't send if we recently sent a response. 
if (r->time_send && t > r->time_send) { d = t - r->time_send; if (d < r->retry_interval) { - plog(LLV_ERROR, LOCATION, NULL, "already responded within the past %ld secs\n", d); + plog(ASL_LEVEL_ERR, "already responded within the past %ld secs\n", d); return 1; } } - + #ifdef ENABLE_FRAG if (r->frag_flags && r->sendbuf->l > ISAKMP_FRAG_MAXLEN) { /* resend the packet if needed */ - plog(LLV_ERROR, LOCATION, NULL, "!!! retransmitting frags\n"); + plog(ASL_LEVEL_ERR, "!!! retransmitting frags\n"); len = sendfragsfromto(s, r->sendbuf, r->local, r->remote, lcconf->count_persend, r->frag_flags); } else { - plog(LLV_ERROR, LOCATION, NULL, "!!! skipped retransmitting frags: frag_flags %x, r->sendbuf->l %d, max %d\n", r->frag_flags, r->sendbuf->l, ISAKMP_FRAG_MAXLEN); + plog(ASL_LEVEL_ERR, "!!! skipped retransmitting frags: frag_flags %x, r->sendbuf->l %zu, max %d\n", r->frag_flags, r->sendbuf->l, ISAKMP_FRAG_MAXLEN); /* resend the packet if needed */ len = sendfromto(s, r->sendbuf->v, r->sendbuf->l, r->local, r->remote, lcconf->count_persend); 
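Review bot: In ike_session_check_recvdpkt the benign paths log at ASL_LEVEL_ERR: `"!!! skipped retransmitting frags: ..."` is emitted on every non-fragmented retransmission and `"already responded within the past %ld secs"` on every suppressed duplicate, which will bury real failures such as `"sendfromto failed"` in the error log. ASL_LEVEL_DEBUG for the retransmit-path messages (and at most ASL_LEVEL_NOTICE for the suppressed duplicate) fits the events better. `%ld` for `d` is only correct where time_t is long; `(long)d` makes the intent explicit. The function continues in the next hunk.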
@@ -1109,27 +1099,27 @@ check_recvdpkt(remote, local, rbuf) #else /* resend the packet if needed */ len = sendfromto(s, r->sendbuf->v, r->sendbuf->l, - r->local, r->remote, lcconf->count_persend); + r->local, r->remote, lcconf->count_persend); #endif if (len == -1) { - plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n"); + plog(ASL_LEVEL_ERR, "sendfromto failed\n"); return -1; } - + /* check the retry counter */ r->retry_counter--; if (r->retry_counter <= 0) { - rem_recvdpkt(r); - del_recvdpkt(r); - plog(LLV_DEBUG, LOCATION, NULL, - "deleted the retransmission packet to %s.\n", - saddr2str((struct sockaddr *)remote)); + ike_session_rem_recvdpkt(r); + ike_session_del_recvdpkt(r); + plog(ASL_LEVEL_DEBUG, + "deleted the retransmission packet to %s.\n", + saddr2str((struct sockaddr *)remote)); } else { r->time_send = t; - r->retry_interval = get_exp_retx_interval((lcconf->retry_counter - r->retry_counter), + r->retry_interval = ike_session_get_exp_retx_interval((lcconf->retry_counter - r->retry_counter), lcconf->retry_interval); } - + return 1; } 
@@ -1137,58 +1127,58 @@ check_recvdpkt(remote, local, rbuf) * adding a hash of received packet into the received list. */ int -add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags) - struct sockaddr_storage *remote, *local; - vchar_t *sbuf, *rbuf; - size_t non_esp; - u_int32_t frag_flags; +ike_session_add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags) +struct sockaddr_storage *remote, *local; +vchar_t *sbuf, *rbuf; +size_t non_esp; +u_int32_t frag_flags; { struct recvdpkt *new = NULL; - + if (lcconf->retry_counter == 0) { /* no need to add it */ return 0; } - + new = racoon_calloc(1, sizeof(*new)); if (!new) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); + plog(ASL_LEVEL_ERR, + "failed to allocate buffer.\n"); return -1; } - + new->hash = eay_md5_one(rbuf); if (!new->hash) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); - del_recvdpkt(new); + plog(ASL_LEVEL_ERR, + "failed to allocate buffer.\n"); + ike_session_del_recvdpkt(new); return -1; } - new->remote = dupsaddr((struct sockaddr *)remote); + new->remote = dupsaddr(remote); if (new->remote == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); - del_recvdpkt(new); + plog(ASL_LEVEL_ERR, + "failed to allocate buffer.\n"); + ike_session_del_recvdpkt(new); return -1; } - new->local = dupsaddr((struct sockaddr *)local); + new->local = dupsaddr(local); if (new->local == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); - del_recvdpkt(new); + plog(ASL_LEVEL_ERR, + "failed to allocate buffer.\n"); + ike_session_del_recvdpkt(new); return -1; } - + if (non_esp) { - plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n"); - + plog (ASL_LEVEL_DEBUG, "Adding NON-ESP marker\n"); + /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) must added just before the packet itself. For this we must allocate a new buffer and release it at the end. 
*/ if ((new->sendbuf = vmalloc (sbuf->l + non_esp)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate extra buf for non-esp\n"); - del_recvdpkt(new); + ike_session_del_recvdpkt(new); return -1; } *ALIGNED_CAST(u_int32_t *)new->sendbuf->v = 0; @@ -1196,13 +1186,13 @@ add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags) } else { new->sendbuf = vdup(sbuf); if (new->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate buffer.\n"); - del_recvdpkt(new); + ike_session_del_recvdpkt(new); return -1; } } - + new->retry_counter = lcconf->retry_counter; new->time_send = 0; new->created = time(NULL); @@ -1211,17 +1201,17 @@ add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags) new->frag_flags = frag_flags; } #endif - new->retry_interval = get_exp_retx_interval((lcconf->retry_counter - new->retry_counter), + new->retry_interval = ike_session_get_exp_retx_interval((lcconf->retry_counter - new->retry_counter), lcconf->retry_interval); - + LIST_INSERT_HEAD(&rcptree, new, chain); - + return 0; } void -del_recvdpkt(r) - struct recvdpkt *r; +ike_session_del_recvdpkt(r) +struct recvdpkt *r; { if (r->remote) racoon_free(r->remote); 
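Review bot: ike_session_add_recvdpkt stores a four-byte zero marker with `*ALIGNED_CAST(u_int32_t *)new->sendbuf->v = 0` but sizes the buffer as `sbuf->l + non_esp`, where `non_esp` is an arbitrary size_t parameter; nothing checks that `non_esp` is at least sizeof(u_int32_t), so a caller passing a smaller non-zero value would have the marker overlap the start of the copied packet. Either reject other values up front, `if (non_esp && non_esp != sizeof(u_int32_t)) return -1;`, or write the marker with the length `non_esp` actually requested. The five repeated `plog(...); ike_session_del_recvdpkt(new); return -1;` blocks could also collapse into a single `goto fail` exit. The function's body continues in the following hunks.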
@@ -1235,235 +1225,247 @@ del_recvdpkt(r) } void -rem_recvdpkt(r) - struct recvdpkt *r; +ike_session_rem_recvdpkt(r) +struct recvdpkt *r; { LIST_REMOVE(r, chain); } void sweep_recvdpkt(dummy) - void *dummy; +void *dummy; { struct recvdpkt *r, *next; time_t t, lt; - + /* set current time */ t = time(NULL); - + /* set the lifetime of the retransmission */ lt = lcconf->retry_counter * lcconf->retry_interval; - - for (r = LIST_FIRST(&rcptree); r; r = next) { - next = LIST_NEXT(r, chain); - + + LIST_FOREACH_SAFE(r, &rcptree, chain, next) { if (t - r->created > lt) { - rem_recvdpkt(r); - del_recvdpkt(r); + ike_session_rem_recvdpkt(r); + ike_session_del_recvdpkt(r); } } - + sched_new(lt, sweep_recvdpkt, &rcptree); } void -clear_recvdpkt() +ike_session_clear_recvdpkt() { struct recvdpkt *r, *next; - for (r = LIST_FIRST(&rcptree); r; r = next) { - next = LIST_NEXT(r, chain); - rem_recvdpkt(r); - del_recvdpkt(r); + LIST_FOREACH_SAFE(r, &rcptree, chain, next) { + ike_session_rem_recvdpkt(r); + ike_session_del_recvdpkt(r); } sched_scrub_param(&rcptree); } void -init_recvdpkt() +ike_session_init_recvdpkt() { time_t lt = lcconf->retry_counter * lcconf->retry_interval; - + LIST_INIT(&rcptree); - + sched_new(lt, sweep_recvdpkt, &rcptree); } +#ifdef NOT_USED #ifdef ENABLE_HYBRID /* * Returns 0 if the address was obtained by ISAKMP mode config, 1 otherwise * This should be in isakmp_cfg.c but ph1tree being private, it must be there */ int -exclude_cfg_addr(addr) - const struct sockaddr_storage *addr; +exclude_cfg_addr(const struct sockaddr_storage *addr) { - struct ph1handle *p; + ike_session_t *session; + phase1_handle_t *p; struct sockaddr_in *sin; - - LIST_FOREACH(p, &ph1tree, chain) { - if ((p->mode_cfg != NULL) && - (p->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) && - (addr->ss_family == AF_INET)) { - sin = (struct sockaddr_in *)addr; - if (sin->sin_addr.s_addr == p->mode_cfg->addr4.s_addr) - return 0; - } - } - + + LIST_FOREACH(session, &ike_session_tree, chain) { + 
LIST_FOREACH(p, &session->ph1tree, chain) { + if ((p->mode_cfg != NULL) && + (p->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) && + (addr->ss_family == AF_INET)) { + sin = (struct sockaddr_in *)addr; + if (sin->sin_addr.s_addr == p->mode_cfg->addr4.s_addr) + return 0; + } + } + } + return 1; } #endif - -#ifdef ENABLE_HYBRID -struct ph1handle * -getph1bylogin(login) - char *login; -{ - struct ph1handle *p; - - LIST_FOREACH(p, &ph1tree, chain) { - if (p->mode_cfg == NULL) - continue; - if (strncmp(p->mode_cfg->login, login, LOGINLEN) == 0) - return p; - } - - return NULL; -} +#endif /* NOT_USED */ int -purgeph1bylogin(login) - char *login; -{ - struct ph1handle *p; - int found = 0; +ike_session_expire_session(ike_session_t *session) +{ + int found = 0; + phase1_handle_t *p; + phase1_handle_t *next; + phase2_handle_t *p2; + + if (session == NULL) + return 0; + + LIST_FOREACH(p2, &session->ph2tree, ph2ofsession_chain) { + if (p2->is_dying || FSM_STATE_IS_EXPIRED(p2->status)) { + continue; + } - LIST_FOREACH(p, &ph1tree, chain) { - if (p->mode_cfg == NULL) - continue; - if (strncmp(p->mode_cfg->login, login, LOGINLEN) == 0) { - if (p->status == PHASE1ST_ESTABLISHED) - isakmp_info_send_d1(p); - purge_remote(p); - found++; - } - } + if (FSM_STATE_IS_ESTABLISHED(p2->status)) + isakmp_info_send_d2(p2); + isakmp_ph2expire(p2); + found++; + } + + LIST_FOREACH_SAFE(p, &session->ph1tree, ph1ofsession_chain, next) { + if (p->is_dying || FSM_STATE_IS_EXPIRED(p->status)) { + continue; + } + + ike_session_purge_ph2s_by_ph1(p); + if (FSM_STATE_IS_ESTABLISHED(p->status)) + isakmp_info_send_d1(p); + isakmp_ph1expire(p); + found++; + } return found; } +#ifdef ENABLE_HYBRID int -purgephXbydstaddrwop(remote) -struct sockaddr_storage *remote; +ike_session_purgephXbydstaddrwop(struct sockaddr_storage *remote) { int found = 0; - struct ph1handle *p; - struct ph2handle *p2; - - LIST_FOREACH(p2, &ph2tree, chain) { - if (p2->is_dying || p2->status == PHASE2ST_EXPIRED) { + ike_session_t *session = 
NULL; + ike_session_t *next_session = NULL; + phase1_handle_t *p; + phase2_handle_t *p2; + + LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) { + LIST_FOREACH(p2, &session->ph2tree, ph2ofsession_chain) { + if (p2->is_dying || FSM_STATE_IS_EXPIRED(p2->status)) { continue; } - if (cmpsaddrwop(remote, p2->dst) == 0) { - plog(LLV_WARNING, LOCATION, NULL, - "in %s... purging phase2s\n", __FUNCTION__); - if (p2->status == PHASE2ST_ESTABLISHED) - isakmp_info_send_d2(p2); - isakmp_ph2expire(p2); - found++; - } - } - - LIST_FOREACH(p, &ph1tree, chain) { - if (p->is_dying || p->status == PHASE1ST_EXPIRED) { + if (cmpsaddrwop(remote, p2->dst) == 0) { + plog(ASL_LEVEL_DEBUG, + "in %s... purging Phase 2 structures\n", __FUNCTION__); + if (FSM_STATE_IS_ESTABLISHED(p2->status)) + isakmp_info_send_d2(p2); + isakmp_ph2expire(p2); + found++; + } + } + + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (p->is_dying || FSM_STATE_IS_EXPIRED(p->status)) { continue; } - if (cmpsaddrwop(remote, p->remote) == 0) { - plog(LLV_WARNING, LOCATION, NULL, - "in %s... purging phase1 and related phase2s\n", __FUNCTION__); - ike_session_purge_ph2s_by_ph1(p); - if (p->status == PHASE1ST_ESTABLISHED) - isakmp_info_send_d1(p); - isakmp_ph1expire(p); - found++; - } - } - + if (cmpsaddrwop(remote, p->remote) == 0) { + plog(ASL_LEVEL_DEBUG, + "in %s... purging Phase 1 and related Phase 2 structures\n", __FUNCTION__); + ike_session_purge_ph2s_by_ph1(p); + if (FSM_STATE_IS_ESTABLISHED(p->status)) + isakmp_info_send_d1(p); + isakmp_ph1expire(p); + found++; + } + } + } + return found; } void -purgephXbyspid(u_int32_t spid, - int del_boundph1) +ike_session_purgephXbyspid(u_int32_t spid, int del_boundph1) { - struct ph2handle *iph2; - struct ph1handle *iph1; - - // do ph2's first... 
we need the ph1s for notifications - LIST_FOREACH(iph2, &ph2tree, chain) { - if (spid == iph2->spid) { - if (iph2->is_dying || iph2->status == PHASE2ST_EXPIRED) { - continue; - } - if (iph2->status == PHASE2ST_ESTABLISHED) { - isakmp_info_send_d2(iph2); + ike_session_t *session = NULL; + ike_session_t *next_session = NULL; + phase2_handle_t *iph2 = NULL; + phase2_handle_t *next_iph2 = NULL; + phase1_handle_t *iph1 = NULL; + phase1_handle_t *next_iph1 = NULL; + + LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) { + // do ph2's first... we need the ph1s for notifications + LIST_FOREACH_SAFE(iph2, &session->ph2tree, ph2ofsession_chain, next_iph2) { + if (spid == iph2->spid) { + if (iph2->is_dying || FSM_STATE_IS_EXPIRED(iph2->status)) { + continue; + } + if (FSM_STATE_IS_ESTABLISHED(iph2->status)) { + isakmp_info_send_d2(iph2); + } + ike_session_stopped_by_controller(iph2->parent_session, + ike_session_stopped_by_flush); + isakmp_ph2expire(iph2); // iph2 will go down 1 second later. } - ike_session_stopped_by_controller(iph2->parent_session, - ike_session_stopped_by_flush); - isakmp_ph2expire(iph2); // iph2 will go down 1 second later. } - } - - // do the ph1s last. - LIST_FOREACH(iph2, &ph2tree, chain) { - if (spid == iph2->spid) { - if (del_boundph1 && iph2->parent_session) { - for (iph1 = LIST_FIRST(&iph2->parent_session->ikev1_state.ph1tree); iph1; iph1 = LIST_NEXT(iph1, ph1ofsession_chain)) { - if (iph1->is_dying || iph1->status == PHASE1ST_EXPIRED) { - continue; - } - if (iph1->status == PHASE1ST_ESTABLISHED) { - isakmp_info_send_d1(iph1); + + // do the ph1s last. 
%%%%%%%%%%%%%%%%%% re-organize this - check del_boundph1 first + LIST_FOREACH_SAFE(iph2, &session->ph2tree, ph2ofsession_chain, next_iph2) { + if (spid == iph2->spid) { + if (del_boundph1 && iph2->parent_session) { + LIST_FOREACH_SAFE(iph1, &iph2->parent_session->ph1tree, ph1ofsession_chain, next_iph1) { + if (iph1->is_dying || FSM_STATE_IS_EXPIRED(iph1->status)) { + continue; + } + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) { + isakmp_info_send_d1(iph1); + } + isakmp_ph1expire(iph1); } - isakmp_ph1expire(iph1); } } - } - } + } + } } #endif #ifdef ENABLE_DPD int -ph1_force_dpd (struct sockaddr_storage *remote) +ike_session_ph1_force_dpd (struct sockaddr_storage *remote) { int status = -1; - struct ph1handle *p; - - LIST_FOREACH(p, &ph1tree, chain) { - if (cmpsaddrwop(remote, p->remote) == 0) { - if (p->status == PHASE1ST_ESTABLISHED && - !p->is_dying && - p->dpd_support && - p->rmconf->dpd_interval) { - if(!p->dpd_fails) { - isakmp_info_send_r_u(p); - status = 0; + ike_session_t *session = NULL; + phase1_handle_t *p = NULL; + + LIST_FOREACH(session, &ike_session_tree, chain) { + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (cmpsaddrwop(remote, p->remote) == 0) { + if (FSM_STATE_IS_ESTABLISHED(p->status) && + !p->is_dying && + p->dpd_support && + p->rmconf->dpd_interval) { + if(!p->dpd_fails) { + isakmp_info_send_r_u(p); + status = 0; + } else { + plog(ASL_LEVEL_DEBUG, "Skipping forced-DPD for Phase 1 (dpd already in progress).\n"); + } + if (p->parent_session) { + p->parent_session->controller_awaiting_peer_resp = 1; + } } else { - plog(LLV_DEBUG2, LOCATION, NULL, "skipping forced-DPD for phase1 (dpd already in progress).\n"); - } - if (p->parent_session) { - p->parent_session->controller_awaiting_peer_resp = 1; + plog(ASL_LEVEL_DEBUG, "Skipping forced-DPD for Phase 1 (status %d, dying %d, dpd-support %d, dpd-interval %d).\n", + p->status, p->is_dying, p->dpd_support, p->rmconf->dpd_interval); } - } else { - plog(LLV_DEBUG2, LOCATION, NULL, 
"skipping forced-DPD for phase1 (status %d, dying %d, dpd-support %d, dpd-interval %d).\n", - p->status, p->is_dying, p->dpd_support, p->rmconf->dpd_interval); } } } - + return status; } #endif 
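Review bot: The `#ifdef NOT_USED` copy of exclude_cfg_addr walks `session->ph1tree` with the `chain` link, but this commit removes `LIST_ENTRY(ph1handle) chain` from the Phase 1 handle (handler.h hunk below) and every live loop in this file uses `ph1ofsession_chain`, so the block no longer compiles if re-enabled; delete it rather than keep it under NOT_USED, or change the link to `ph1ofsession_chain`. In ike_session_purgephXbydstaddrwop the two purge messages drop from LLV_WARNING to ASL_LEVEL_DEBUG; tearing down a peer's Phase 1/2 state is an event operators want in default logs, so ASL_LEVEL_NOTICE or higher seems the better fit. ike_session_expire_session iterates ph2tree with plain LIST_FOREACH but ph1tree with LIST_FOREACH_SAFE; if isakmp_ph2expire only schedules deletion (as the "will go down 1 second later" comment elsewhere in this hunk says) the first is fine, but a one-line comment saying so would help. The `//%%%%%%%%%%%%%%%%%% re-organize this` marker in ike_session_purgephXbyspid should become a `TODO:` stating the intended change.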
@@ -1471,79 +1473,103 @@ ph1_force_dpd (struct sockaddr_storage *remote) void sweep_sleepwake(void) { - struct ph2handle *iph2; - struct ph1handle *iph1; - - // do the ph1s. - LIST_FOREACH(iph1, &ph1tree, chain) { - if (iph1->parent_session && iph1->parent_session->is_asserted) { - plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase1 %s because it's been asserted.\n", - isakmp_pindex(&iph1->index, 0)); - continue; - } - if (iph1->is_dying || iph1->status >= PHASE1ST_EXPIRED) { - plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase1 %s because it's already expired.\n", - isakmp_pindex(&iph1->index, 0)); - continue; - } - if (iph1->sce) { - if (iph1->sce->xtime <= swept_at) { - SCHED_KILL(iph1->sce); - SCHED_KILL(iph1->sce_rekey); - iph1->is_dying = 1; - iph1->status = PHASE1ST_EXPIRED; - ike_session_update_ph1_ph2tree(iph1); // move unbind/rebind ph2s to from current ph1 - iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); - plog(LLV_DEBUG2, LOCATION, NULL, "phase1 %s expired while sleeping: quick deletion.\n", - isakmp_pindex(&iph1->index, 0)); - } - } - if (iph1->sce_rekey) { - if (iph1->status == PHASE1ST_EXPIRED || iph1->sce_rekey->xtime <= swept_at) { - SCHED_KILL(iph1->sce_rekey); - } - } - if (iph1->scr) { - if (iph1->status == PHASE1ST_EXPIRED || iph1->scr->xtime <= swept_at) { - SCHED_KILL(iph1->scr); - } - } -#ifdef ENABLE_DPD - if (iph1->dpd_r_u) { - if (iph1->status == PHASE1ST_EXPIRED || iph1->dpd_r_u->xtime <= swept_at) { - SCHED_KILL(iph1->dpd_r_u); - } - } -#endif - } - - // do ph2's next - LIST_FOREACH(iph2, &ph2tree, chain) { - if (iph2->parent_session && iph2->parent_session->is_asserted) { - plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase2 because it's been asserted.\n"); - continue; - } - if (iph2->is_dying || iph2->status >= PHASE2ST_EXPIRED) { - plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase2 because it's already expired.\n"); - continue; - } - if (iph2->sce) { - if (iph2->sce->xtime <= swept_at) { - 
iph2->status = PHASE2ST_EXPIRED; - iph2->is_dying = 1; - isakmp_ph2expire(iph2); // iph2 will go down 1 second later. - ike_session_stopped_by_controller(iph2->parent_session, - ike_session_stopped_by_sleepwake); - plog(LLV_DEBUG2, LOCATION, NULL, "phase2 expired while sleeping: quick deletion.\n"); - } - } - if (iph2->scr) { - if (iph2->status == PHASE2ST_EXPIRED || iph2->scr->xtime <= swept_at) { - SCHED_KILL(iph2->scr); - } - } - } - + ike_session_t *session = NULL; + ike_session_t *next_session = NULL; + phase2_handle_t *iph2 = NULL; + phase2_handle_t *next_iph2 = NULL; + phase1_handle_t *iph1 = NULL; + phase1_handle_t *next_iph1 = NULL; + + LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) { + // do the ph1s. + LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) { + if (iph1->parent_session && iph1->parent_session->is_asserted) { + plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 1 %s because it's been asserted.\n", + isakmp_pindex(&iph1->index, 0)); + continue; + } + if (iph1->is_dying || FSM_STATE_IS_EXPIRED(iph1->status)) { + plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 1 %s because it's already expired.\n", + isakmp_pindex(&iph1->index, 0)); + continue; + } + if (iph1->sce) { + time_t xtime; + if (sched_get_time(iph1->sce, &xtime)) { + if (xtime <= swept_at) { + SCHED_KILL(iph1->sce); + SCHED_KILL(iph1->sce_rekey); + iph1->is_dying = 1; + fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_EXPIRED); + ike_session_update_ph1_ph2tree(iph1); // move unbind/rebind ph2s to from current ph1 + iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); + plog(ASL_LEVEL_DEBUG, "Phase 1 %s expired while sleeping: quick deletion.\n", + isakmp_pindex(&iph1->index, 0)); + } + } + } + if (iph1->sce_rekey) { + time_t xtime; + if (sched_get_time(iph1->sce_rekey, &xtime)) { + if (FSM_STATE_IS_EXPIRED(iph1->status) || xtime <= swept_at) { + SCHED_KILL(iph1->sce_rekey); + } + } + } + if (iph1->scr) { + time_t xtime; + if 
(sched_get_time(iph1->scr, &xtime)) { + if (FSM_STATE_IS_EXPIRED(iph1->status) || xtime <= swept_at) { + SCHED_KILL(iph1->scr); + } + } + } + #ifdef ENABLE_DPD + if (iph1->dpd_r_u) { + time_t xtime; + if (sched_get_time(iph1->dpd_r_u, &xtime)) { + if (FSM_STATE_IS_EXPIRED(iph1->status) || xtime <= swept_at) { + SCHED_KILL(iph1->dpd_r_u); + } + } + } + #endif + } + + // do ph2's next + LIST_FOREACH_SAFE(iph2, &session->ph2tree, ph2ofsession_chain, next_iph2) { + if (iph2->parent_session && iph2->parent_session->is_asserted) { + plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 2 because it's been asserted.\n"); + continue; + } + if (iph2->is_dying || FSM_STATE_IS_EXPIRED(iph2->status)) { + plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 2 because it's already expired.\n"); + continue; + } + if (iph2->sce) { + time_t xtime; + if (sched_get_time(iph2->sce, &xtime)) { + if (xtime <= swept_at) { + fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); + iph2->is_dying = 1; + isakmp_ph2expire(iph2); // iph2 will go down 1 second later. + ike_session_stopped_by_controller(iph2->parent_session, + ike_session_stopped_by_sleepwake); + plog(ASL_LEVEL_DEBUG, "Phase 2 expired while sleeping: quick deletion.\n"); + } + } + } + if (iph2->scr) { + time_t xtime; + if (sched_get_time(iph2->scr, &xtime)) { + if (FSM_STATE_IS_EXPIRED(iph2->status) || xtime <= swept_at) { + SCHED_KILL(iph2->scr); + } + } + } + } + } + //%%%%%%%%%%%%%%% fix this // do the ike_session last ike_session_sweep_sleepwake(); } diff --git a/ipsec-tools/racoon/handler.h b/ipsec-tools/racoon/handler.h index 50cebd0..2f4dd31 100644 --- a/ipsec-tools/racoon/handler.h +++ b/ipsec-tools/racoon/handler.h @@ -35,6 +35,7 @@ #define _HANDLER_H #include "config.h" +#include "racoon_types.h" #include #ifdef HAVE_OPENSSL 
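Review bot: sweep_sleepwake repeats the same `time_t xtime; if (sched_get_time(ref, &xtime)) { if (FSM_STATE_IS_EXPIRED(status) || xtime <= swept_at) SCHED_KILL(ref); }` pattern five times (sce_rekey, scr, dpd_r_u for Phase 1; scr for Phase 2), which is where a future schedule field is most likely to be missed; a small static helper removes the duplication and documents the rule once. Whether `SCHED_KILL` accepts an lvalue through a pointer depends on the macro's definition, which is not in this hunk, so the helper below assumes it does. The `//%%%%%%%%%%%%%%% fix this` marker before ike_session_sweep_sleepwake should also be a `TODO:` stating what is wrong.
```c
/* Kill a scheduled entry that was due before the sweep (or whose owner is
 * already expired); no-op when the ref is unset or its time is unavailable. */
static void
sweep_kill_if_due(schedule_ref *ref, int owner_expired)
{
	time_t xtime;

	if (!*ref || !sched_get_time(*ref, &xtime))
		return;
	if (owner_expired || xtime <= swept_at)
		SCHED_KILL(*ref);
}

/* … unchanged: session / Phase 1 loop header and the iph1->sce expiry branch … */
			sweep_kill_if_due(&iph1->sce_rekey, FSM_STATE_IS_EXPIRED(iph1->status));
			sweep_kill_if_due(&iph1->scr, FSM_STATE_IS_EXPIRED(iph1->status));
#ifdef ENABLE_DPD
			sweep_kill_if_due(&iph1->dpd_r_u, FSM_STATE_IS_EXPIRED(iph1->status));
#endif
/* … unchanged: Phase 2 loop header and the iph2->sce expiry branch … */
			sweep_kill_if_due(&iph2->scr, FSM_STATE_IS_EXPIRED(iph2->status));
```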
@@ -48,62 +49,10 @@ #ifndef HAVE_OPENSSL #include #endif +#include -typedef struct ike_session ike_session_t; +#include -/* Phase 1 handler */ -/* - * main mode: - * initiator responder - * 0 (---) (---) - * 1 start start (1st msg received) - * 2 (---) 1st valid msg received - * 3 1st msg sent 1st msg sent - * 4 1st valid msg received 2st valid msg received - * 5 2nd msg sent 2nd msg sent - * 6 2nd valid msg received 3rd valid msg received - * 7 3rd msg sent 3rd msg sent - * 8 3rd valid msg received (---) - * 9 SA established SA established - * - * aggressive mode: - * initiator responder - * 0 (---) (---) - * 1 start start (1st msg received) - * 2 (---) 1st valid msg received - * 3 1st msg sent 1st msg sent - * 4 1st valid msg received 2st valid msg received - * 5 (---) (---) - * 6 (---) (---) - * 7 (---) (---) - * 8 (---) (---) - * 9 SA established SA established - * - * base mode: - * initiator responder - * 0 (---) (---) - * 1 start start (1st msg received) - * 2 (---) 1st valid msg received - * 3 1st msg sent 1st msg sent - * 4 1st valid msg received 2st valid msg received - * 5 2nd msg sent (---) - * 6 (---) (---) - * 7 (---) (---) - * 8 (---) (---) - * 9 SA established SA established - */ -#define PHASE1ST_SPAWN 0 -#define PHASE1ST_START 1 -#define PHASE1ST_MSG1RECEIVED 2 -#define PHASE1ST_MSG1SENT 3 -#define PHASE1ST_MSG2RECEIVED 4 -#define PHASE1ST_MSG2SENT 5 -#define PHASE1ST_MSG3RECEIVED 6 -#define PHASE1ST_MSG3SENT 7 -#define PHASE1ST_MSG4RECEIVED 8 -#define PHASE1ST_ESTABLISHED 9 -#define PHASE1ST_EXPIRED 10 -#define PHASE1ST_MAX 11 /* About address semantics in each case. * initiator(addr=I) responder(addr=R) 
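Review bot: Removing the PHASE1ST_* defines also removes the only description of how the main, aggressive and base mode exchanges map onto Phase 1 states, and nothing left in the header says where the replacement states (IKEV1_STATE_PHASE1_EXPIRED and the FSM_STATE_IS_* helpers used in handler.c above) are defined; the added `#include` lines lost their header names in this rendering, so it cannot be checked from the page. A one-line pointer such as `/* Phase 1/2 state values and FSM_STATE_IS_* helpers live in <state header> */` (with the real header name) would keep the file navigable.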
@@ -118,24 +67,30 @@ typedef struct ike_session ike_session_t; #ifdef ENABLE_HYBRID struct isakmp_cfg_state; #endif -struct ph1handle { - isakmp_index index; +#define INVALID_MSGID 0xFFFFFFFF + +//======================================================================= +// PHASE 1 +//======================================================================= + +struct phase1handle { + isakmp_index index; + int status; /* status of this SA */ int side; /* INITIATOR or RESPONDER */ int started_by_api; /* connection started by VPNControl API */ - + struct sockaddr_storage *remote; /* remote address to negosiate ph1 */ struct sockaddr_storage *local; /* local address to negosiate ph1 */ - /* XXX copy from rmconf due to anonymous configuration. - * If anonymous will be forbidden, we do delete them. */ - + /* XXX copy from rmconf due to anonymous configuration. + * If anonymous will be forbidden, we do delete them. */ + struct remoteconf *rmconf; /* pointer to remote configuration */ - + struct isakmpsa *approval; /* pointer to SA(s) approved. */ - vchar_t *authstr; /* place holder of string for auth. */ - /* for example pre-shared key */ - + /* for example pre-shared key */ + u_int8_t version; /* ISAKMP version */ u_int8_t etype; /* Exchange type actually for use */ u_int8_t flags; /* Flags */ @@ -149,14 +104,14 @@ struct ph1handle { int frag; /* IKE phase 1 fragmentation */ struct isakmp_frag_item *frag_chain; /* Received fragments */ #endif - - struct sched *sce; /* schedule for expire */ - struct sched *sce_rekey; /* schedule for rekey */ - - struct sched *scr; /* schedule for resend */ + + schedule_ref sce; /* schedule for expire */ + schedule_ref sce_rekey; /* schedule for rekey */ + + schedule_ref scr; /* schedule for resend */ int retry_counter; /* for resend. */ vchar_t *sendbuf; /* buffer for re-sending */ - + #ifndef HAVE_OPENSSL SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */ size_t publicKeySize; 
@@ -169,9 +124,14 @@ struct ph1handle { vchar_t *nonce_p; /* partner's nonce value */ vchar_t *skeyid; /* SKEYID */ vchar_t *skeyid_d; /* SKEYID_d */ - vchar_t *skeyid_a; /* SKEYID_a, i.e. hash */ + vchar_t *skeyid_a; /* SKEYID_a, i.e. integrity protection */ + vchar_t *skeyid_a_p; /* SKEYID_a_p, i.e. integrity protection */ vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */ + vchar_t *skeyid_e_p; /* peer's SKEYID_e, i.e. encryption */ + vchar_t *skeyid_p; /* SKEYID_p, i.e. for IKEv2 */ + vchar_t *skeyid_p_p; /* peer's SKEYID_p, i.e. for IKEv2 */ vchar_t *key; /* cipher key */ + vchar_t *key_p; /* peer's cipher key */ vchar_t *hash; /* HASH minus general header */ vchar_t *sig; /* SIG minus general header */ vchar_t *sig_p; /* peer's SIG minus general header */ 
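Review bot: The five new vchar_t members (skeyid_a_p, skeyid_e_p, skeyid_p, skeyid_p_p, key_p) hold secret keying material just like the existing skeyid_*/key fields, but nothing in the struct says they must be scrubbed rather than merely freed when the handle is released; ike_session_delph1 is not in this diff, so I cannot tell whether its release path wipes the new members as well as the old ones. Suggest a comment on the group, `/* secret keying material: wipe (not just free) in ike_session_delph1 */`, and a check that the release path covers every one of these pointers, since a missed one leaks session keys into freed heap.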
@@ -181,138 +141,111 @@ struct ph1handle { cert_t *cr_p; /* peer's CR not including general */ vchar_t *id; /* ID minus gen header */ vchar_t *id_p; /* partner's ID minus general header */ - /* i.e. struct ipsecdoi_id_b*. */ + /* i.e. struct ipsecdoi_id_b*. */ struct isakmp_ivm *ivm; /* IVs */ - + vchar_t *sa; /* whole SA payload to send/to be sent*/ - /* to calculate HASH */ - /* NOT INCLUDING general header. */ - + /* to calculate HASH */ + /* NOT INCLUDING general header. */ + vchar_t *sa_ret; /* SA payload to reply/to be replyed */ - /* NOT INCLUDING general header. */ - /* NOTE: Should be release after use. */ - -#ifdef HAVE_GSSAPI - void *gssapi_state; /* GSS-API specific state. */ - /* Allocated when needed */ - vchar_t *gi_i; /* optional initiator GSS id */ - vchar_t *gi_r; /* optional responder GSS id */ -#endif - + /* NOT INCLUDING general header. */ + /* NOTE: Should be release after use. */ + struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */ - + time_t created; /* timestamp for establish */ #ifdef ENABLE_STATS struct timeval start; struct timeval end; #endif - + #ifdef ENABLE_DPD int dpd_support; /* Does remote supports DPD ? 
*/ time_t dpd_lastack; /* Last ack received */ u_int16_t dpd_seq; /* DPD seq number to receive */ u_int8_t dpd_fails; /* number of failures */ - u_int8_t peer_sent_ike; - struct sched *dpd_r_u; + u_int8_t peer_sent_ike; + schedule_ref dpd_r_u; #endif - + #ifdef ENABLE_VPNCONTROL_PORT - struct sched *ping_sched; /* for sending pings to keep FW open */ + schedule_ref ping_sched; /* for sending pings to keep FW open */ #endif u_int32_t msgid2; /* msgid counter for Phase 2 */ int ph2cnt; /* the number which is negotiated by this phase 1 */ - LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree; - - LIST_ENTRY(ph1handle) chain; #ifdef ENABLE_HYBRID struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */ u_int8_t pended_xauth_id; /* saved id for reply from vpn control socket */ u_int8_t xauth_awaiting_userinput; /* indicates we are waiting for user input */ - vchar_t *xauth_awaiting_userinput_msg; /* tracks the last packet that triggered XAUTH */ + vchar_t *xauth_awaiting_userinput_msg; /* tracks the last packet that triggered XAUTH */ #endif - int is_rekey:1; - int is_dying:1; - ike_session_t *parent_session; - LIST_ENTRY(ph1handle) ph1ofsession_chain; + int is_rekey:1; + int is_dying:1; + ike_session_t *parent_session; + LIST_HEAD(_ph2ofph1_, phase2handle) bound_ph2tree; + LIST_ENTRY(phase1handle) ph1ofsession_chain; + }; -/* Phase 2 handler */ -/* allocated per a SA or SA bundles of a pair of peer's IP addresses. 
*/ -/* - * initiator responder - * 0 (---) (---) - * 1 start start (1st msg received) - * 2 acquire msg get 1st valid msg received - * 3 getspi request sent getspi request sent - * 4 getspi done getspi done - * 5 1st msg sent 1st msg sent - * 6 1st valid msg received 2nd valid msg received - * 7 (commit bit) (commit bit) - * 8 SAs added SAs added - * 9 SAs established SAs established - * 10 SAs expired SAs expired - */ -#define PHASE2ST_SPAWN 0 -#define PHASE2ST_START 1 -#define PHASE2ST_STATUS2 2 -#define PHASE2ST_GETSPISENT 3 -#define PHASE2ST_GETSPIDONE 4 -#define PHASE2ST_MSG1SENT 5 -#define PHASE2ST_STATUS6 6 -#define PHASE2ST_COMMIT 7 -#define PHASE2ST_ADDSA 8 -#define PHASE2ST_ESTABLISHED 9 -#define PHASE2ST_EXPIRED 10 -#define PHASE2ST_MAX 11 - -struct ph2handle { + +#define PHASE2_TYPE_SA 0 +#define PHASE2_TYPE_INFO 1 +#define PHASE2_TYPE_CFG 2 + +//======================================================================= +// PHASE 2 +//======================================================================= +struct phase2handle { struct sockaddr_storage *src; /* my address of SA. */ struct sockaddr_storage *dst; /* peer's address of SA. */ - - /* - * copy ip address from ID payloads when ID type is ip address. - * In other case, they must be null. - */ + + /* + * copy ip address from ID payloads when ID type is ip address. + * In other case, they must be null. + */ struct sockaddr_storage *src_id; struct sockaddr_storage *dst_id; - + + int phase2_type; /* what this phase2 struct is for - see defines for PHASE2_TYPE... */ u_int32_t spid; /* policy id by kernel */ - - int status; /* ipsec sa status */ + + int status; /* ipsec sa status */ u_int8_t side; /* INITIATOR or RESPONDER */ - - struct sched *sce; /* schedule for expire */ - struct sched *scr; /* schedule for resend */ + u_int8_t version; /* ISAKMP version */ + + schedule_ref sce; /* schedule for expire */ + schedule_ref scr; /* schedule for resend */ int retry_counter; /* for resend. 
*/ vchar_t *sendbuf; /* buffer for re-sending */ vchar_t *msg1; /* buffer for re-sending */ - /* used for responder's first message */ - + /* used for responder's first message */ + int retry_checkph1; /* counter to wait phase 1 finished. */ - /* NOTE: actually it's timer. */ - + /* NOTE: actually it's timer. */ + u_int32_t seq; /* sequence number used by PF_KEY */ - /* - * NOTE: In responder side, we can't identify each SAs - * with same destination address for example, when - * socket based SA is required. So we set a identifier - * number to "seq", and sent kernel by pfkey. - */ + /* + * NOTE: In responder side, we can't identify each SAs + * with same destination address for example, when + * socket based SA is required. So we set a identifier + * number to "seq", and sent kernel by pfkey. + */ u_int8_t satype; /* satype in PF_KEY */ - /* - * saved satype in the original PF_KEY request from - * the kernel in order to reply a error. - */ - + /* + * saved satype in the original PF_KEY request from + * the kernel in order to reply a error. + */ + u_int8_t flags; /* Flags for phase 2 */ u_int32_t msgid; /* msgid for phase 2 */ - + struct sainfo *sainfo; /* place holder of sainfo */ struct saprop *proposal; /* SA(s) proposal. */ struct saprop *approval; /* SA(s) approved. */ struct policyindex * spidx_gen; /* policy from peer's proposal */ - + #ifndef HAVE_OPENSSL SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */ size_t publicKeySize; 
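Review bot: `int is_rekey:1;` and `int is_dying:1;` in struct phase1handle are signed one-bit bit-fields, so storing 1 reads back as -1 on the usual ABIs; the `!p->is_dying` tests elsewhere in this diff tolerate that, but any `== 1` comparison or `%d` print would not. Declare them `unsigned int is_rekey:1;` / `unsigned int is_dying:1;` (the same pair in struct phase2handle is context here and should follow). The new `PHASE2_TYPE_SA/INFO/CFG` constants would also read better as an enum that the `int phase2_type` member can name, instead of a comment pointing at defines.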
@@ -326,33 +259,32 @@ struct ph2handle { vchar_t *id_p; /* peer's ID minus general header */ vchar_t *nonce; /* nonce value in phase 2 */ vchar_t *nonce_p; /* partner's nonce value in phase 2 */ - + vchar_t *sa; /* whole SA payload to send/to be sent*/ - /* to calculate HASH */ - /* NOT INCLUDING general header. */ - + /* to calculate HASH */ + /* NOT INCLUDING general header. */ + vchar_t *sa_ret; /* SA payload to reply/to be replyed */ - /* NOT INCLUDING general header. */ - /* NOTE: Should be release after use. */ - + /* NOT INCLUDING general header. */ + /* NOTE: Should be release after use. */ + struct isakmp_ivm *ivm; /* IVs */ - + int generated_spidx; /* mark handlers whith generated policy */ - + #ifdef ENABLE_STATS struct timeval start; struct timeval end; #endif - struct ph1handle *ph1; /* back pointer to isakmp status */ + struct phase1handle *ph1; /* back pointer to isakmp status */ int is_rekey:1; int is_dying:1; ike_session_t *parent_session; - LIST_ENTRY(ph2handle) ph2ofsession_chain; vchar_t *ext_nat_id; vchar_t *ext_nat_id_p; - - LIST_ENTRY(ph2handle) chain; - LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */ + LIST_ENTRY(phase2handle) ph2ofsession_chain; + LIST_ENTRY(phase2handle) ph1bind_chain; /* chain to ph1handle */ + }; /* @@ -379,7 +311,7 @@ struct recvdpkt { u_int32_t frag_flags; /* IKE phase 1 fragmentation */ #endif - struct sched *scr; /* schedule for resend, may not used */ + schedule_ref scr; /* schedule for resend, may not used */ LIST_ENTRY(recvdpkt) chain; }; 
@@ -456,79 +388,67 @@ struct ph1dump { }; struct sockaddr_storage; -struct ph1handle; -struct ph2handle; struct policyindex; -extern struct ph1handle *getph1byindex __P((isakmp_index *)); -extern struct ph1handle *getph1byindex0 __P((isakmp_index *)); -extern struct ph1handle *getph1byaddr __P((struct sockaddr_storage *, - struct sockaddr_storage *)); -extern struct ph1handle *getph1byaddrwop __P((struct sockaddr_storage *, - struct sockaddr_storage *)); -extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr_storage *)); -extern int islast_ph1 __P((struct ph1handle *)); - struct ph1handle *ph1; -#ifdef ENABLE_HYBRID -struct ph1handle *getph1bylogin __P((char *)); -int purgeph1bylogin __P((char *)); +extern int ike_session_check_recvdpkt (struct sockaddr_storage *, struct sockaddr_storage *, vchar_t *); + +extern void ike_session_flush_all_phase1_for_session(ike_session_t *, int); +extern void ike_session_flush_all_phase1 (int); + +extern phase1_handle_t *ike_session_getph1byindex (ike_session_t *, isakmp_index *); +extern phase1_handle_t *ike_session_getph1byindex0 (ike_session_t *, isakmp_index *); +extern phase1_handle_t *ike_session_getph1byaddr (ike_session_t *, struct sockaddr_storage *, + struct sockaddr_storage *); +extern phase1_handle_t *ike_session_getph1byaddrwop (ike_session_t *, struct sockaddr_storage *, + struct sockaddr_storage *); +extern phase1_handle_t *ike_session_getph1bydstaddrwop (ike_session_t *, struct sockaddr_storage *); +extern int ike_session_islast_ph1 (phase1_handle_t *); + +extern int ike_session_expire_session(ike_session_t *session); +extern int ike_session_purgephXbydstaddrwop (struct sockaddr_storage *); +extern void ike_session_purgephXbyspid (u_int32_t, int); + +extern phase1_handle_t *ike_session_newph1 (unsigned int); +extern void ike_session_delph1 (phase1_handle_t *); + +extern phase2_handle_t *ike_session_getph2byspidx (ike_session_t *, struct policyindex *); +extern phase2_handle_t *ike_session_getph2byspid 
(u_int32_t); +extern phase2_handle_t *ike_session_getph2byseq (u_int32_t); +//extern phase2_handle_t *ike_session_getph2bysaddr (struct sockaddr_storage *, struct sockaddr_storage *); +extern phase2_handle_t *ike_session_getph2bymsgid (phase1_handle_t *, u_int32_t); +extern phase2_handle_t *ike_session_getonlyph2(phase1_handle_t *iph1); +extern phase2_handle_t *ike_session_getph2byid (struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t); +extern phase2_handle_t *ike_session_getph2bysaidx (struct sockaddr_storage *, struct sockaddr_storage *, u_int, u_int32_t); +extern phase2_handle_t *ike_session_getph2bysaidx2(struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int proto_id, u_int32_t spi, u_int32_t *opposite_spi); +extern phase2_handle_t *ike_session_newph2 (unsigned int, int); +extern void ike_session_initph2 (phase2_handle_t *); +extern void ike_session_delph2 (phase2_handle_t *); +extern void ike_session_flush_all_phase2_for_session(ike_session_t *, int); +extern void ike_session_flush_all_phase2 (int); +extern void ike_session_deleteallph2 (struct sockaddr_storage *, struct sockaddr_storage *, u_int); +extern void ike_session_deleteallph1 (struct sockaddr_storage *, struct sockaddr_storage *); + +#ifdef ENABLE_DPD +extern int ike_session_ph1_force_dpd (struct sockaddr_storage *); #endif -extern int purgephXbydstaddrwop __P((struct sockaddr_storage *)); -extern void purgephXbyspid __P((u_int32_t, int)); - -extern vchar_t *dumpph1 __P((void)); -extern struct ph1handle *newph1 __P((void)); -extern void delph1 __P((struct ph1handle *)); -extern int insph1 __P((struct ph1handle *)); -extern void remph1 __P((struct ph1handle *)); -extern void flushph1 __P((int)); -extern void initph1tree __P((void)); - -extern struct ph2handle *getph2byspidx __P((struct policyindex *)); -extern struct ph2handle *getph2byspid __P((u_int32_t)); -extern struct ph2handle *getph2byseq __P((u_int32_t)); -extern struct ph2handle *getph2bysaddr __P((struct 
sockaddr_storage *, - struct sockaddr_storage *)); -extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t)); -extern struct ph2handle *getph2byid __P((struct sockaddr_storage *, - struct sockaddr_storage *, u_int32_t)); -extern struct ph2handle *getph2bysaidx __P((struct sockaddr_storage *, - struct sockaddr_storage *, u_int, u_int32_t)); -extern struct ph2handle *newph2 __P((void)); -extern void initph2 __P((struct ph2handle *)); -extern void delph2 __P((struct ph2handle *)); -extern int insph2 __P((struct ph2handle *)); -extern void remph2 __P((struct ph2handle *)); -extern void flushph2 __P((int)); -extern void deleteallph2 __P((struct sockaddr_storage *, struct sockaddr_storage *, u_int)); -extern void deleteallph1 __P((struct sockaddr_storage *, struct sockaddr_storage *)); -extern void initph2tree __P((void)); - -extern void bindph12 __P((struct ph1handle *, struct ph2handle *)); -extern void unbindph12 __P((struct ph2handle *)); -extern void rebindph12 __P((struct ph1handle *, struct ph2handle *)); - -extern struct contacted *getcontacted __P((struct sockaddr_storage *)); -extern int inscontacted __P((struct sockaddr_storage *)); -extern void clear_contacted __P((void)); -extern void initctdtree __P((void)); - -extern time_t get_exp_retx_interval __P((int num_retries, int fixed_retry_interval)); - -extern int check_recvdpkt __P((struct sockaddr_storage *, - struct sockaddr_storage *, vchar_t *)); -extern int add_recvdpkt __P((struct sockaddr_storage *, struct sockaddr_storage *, - vchar_t *, vchar_t *, size_t, u_int32_t)); -extern void clear_recvdpkt __P((void)); -extern void init_recvdpkt __P((void)); + +//%%%%%%%%%%% don't know where the following will go yet - all these below could change +extern struct contacted *ike_session_getcontacted (struct sockaddr_storage *); +extern int ike_session_inscontacted (struct sockaddr_storage *); +extern void ike_session_clear_contacted (void); +extern void ike_session_initctdtree (void); + +extern 
time_t ike_session_get_exp_retx_interval (int num_retries, int fixed_retry_interval); + +extern int ike_session_add_recvdpkt (struct sockaddr_storage *, struct sockaddr_storage *, + vchar_t *, vchar_t *, size_t, u_int32_t); +extern void ike_session_clear_recvdpkt (void); +extern void ike_session_init_recvdpkt (void); #ifdef ENABLE_HYBRID -extern int exclude_cfg_addr __P((const struct sockaddr_storage *)); +//extern int ike_session_exclude_cfg_addr (const struct sockaddr_storage *); #endif -#ifdef ENABLE_DPD -extern int ph1_force_dpd __P((struct sockaddr_storage *)); -#endif -extern void sweep_sleepwake __P((void)); +extern void sweep_sleepwake (void); #endif /* _HANDLER_H */ diff --git a/ipsec-tools/racoon/ike_session.c b/ipsec-tools/racoon/ike_session.c index 85ac941..76d5206 100644 --- a/ipsec-tools/racoon/ike_session.c +++ b/ipsec-tools/racoon/ike_session.c @@ -31,6 +31,7 @@ #include "plog.h" #include "sockmisc.h" #include "debug.h" +#include "fsm.h" #include "isakmp_var.h" #include "isakmp.h" @@ -69,8 +70,14 @@ const char *ike_session_stopped_by_idle = "Stopped by Idle"; const char *ike_session_stopped_by_xauth_timeout = "Stopped by XAUTH timeout"; const char *ike_session_stopped_by_sleepwake = "Stopped by Sleep-Wake"; const char *ike_session_stopped_by_assert = "Stopped by Assert"; +const char *ike_session_stopped_by_peer = "Stopped by Peer"; -static LIST_HEAD(_ike_session_tree_, ike_session) ike_session_tree = { NULL }; +LIST_HEAD(_ike_session_tree_, ike_session) ike_session_tree = { NULL }; + +static void ike_session_bindph12(phase1_handle_t *, phase2_handle_t *); +static void ike_session_rebindph12(phase1_handle_t *, phase2_handle_t *); +static void ike_session_unbind_all_ph2_from_ph1 (phase1_handle_t *); +static void ike_session_rebind_all_ph12_to_new_ph1 (phase1_handle_t *, phase1_handle_t *); static ike_session_t * new_ike_session (ike_session_id_t *id) 
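Review bot: Commented-out declarations (`//extern phase2_handle_t *ike_session_getph2bysaddr ...` and `//extern int ike_session_exclude_cfg_addr ...`) and the `//%%%%%%%%%%% don't know where the following will go yet` marker are being added to a public header; drop the dead prototypes and replace the marker with a TODO that names what is undecided, so the header does not carry placeholder text. `ike_session_getph2bysaidx2` introduces an out-parameter `opposite_spi` with no comment on when `*opposite_spi` is written or whether NULL is accepted; a one-line comment on the declaration would save every caller a trip into the implementation. The comment on `ike_session_getonlyph2(phase1_handle_t *iph1)` is the only prototype here with a parameter name; either name all of them or none.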
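Review bot: Dropping `static` from `ike_session_tree` turns the session list into a globally writable symbol, so any translation unit can insert or remove nodes without going through new_ike_session/free_ike_session, which are what keep the active counts and is_dying bookkeeping consistent. If another file only needs to iterate the list, keep the definition static and export an accessor or iteration helper; if it must be exported, add a matching `extern` declaration to the header rather than letting users re-declare the LIST_HEAD themselves.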
@@ -78,19 +85,17 @@ new_ike_session (ike_session_id_t *id) ike_session_t *session; if (!id) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__); return NULL; } - - plog(LLV_DEBUG, LOCATION, NULL, "new parent session.\n"); + session = racoon_calloc(1, sizeof(*session)); if (session) { bzero(session, sizeof(*session)); memcpy(&session->session_id, id, sizeof(*id)); - LIST_INIT(&session->ikev1_state.ph1tree); - LIST_INIT(&session->ikev1_state.ph2tree); + LIST_INIT(&session->ph1tree); + LIST_INIT(&session->ph2tree); LIST_INSERT_HEAD(&ike_session_tree, session, chain); - session->version = IKE_VERSION_1; // hard-coded for now IPSECSESSIONTRACERSTART(session); } return session; @@ -119,7 +124,7 @@ free_ike_session (ike_session_t *session) session->term_reason); } // do MessageTracer cleanup here - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Freeing IKE-Session to %s.\n", saddr2str((struct sockaddr *)&session->session_id.remote)); LIST_REMOVE(session, chain); 
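Review bot: new_ike_session no longer sets `session->version`, and no replacement appears in this hunk; if ike_session_t still carries that member, every session now reports version 0 (from racoon_calloc) to whatever reads it. Either keep the assignment or remove the member so a stale zero cannot be consumed. The `bzero(session, sizeof(*session))` right after `racoon_calloc` is redundant since calloc already zero-fills, and the "new parent session" debug line was the only trace that a session was allocated on this path.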
@@ -127,48 +132,6 @@ free_ike_session (ike_session_t *session) } } -struct ph1handle * -ike_session_get_established_or_negoing_ph1 (ike_session_t *session) -{ - struct ph1handle *p, *iph1 = NULL; - - if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); - return NULL; - } - - // look for the most mature ph1 under the session - for (p = LIST_FIRST(&session->ikev1_state.ph1tree); p; p = LIST_NEXT(p, ph1ofsession_chain)) { - if (!p->is_dying && p->status >= PHASE1ST_START && p->status <= PHASE1ST_ESTABLISHED) { - if (!iph1 || p->status > iph1->status) { - iph1 = p; - } else if (iph1 && p->status == iph1->status) { - // TODO: pick better one based on farthest rekey/expiry remaining - } - } - } - - return iph1; -} - -struct ph1handle * -ike_session_get_established_ph1 (ike_session_t *session) -{ - struct ph1handle *p; - - if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); - return NULL; - } - - for (p = LIST_FIRST(&session->ikev1_state.ph1tree); p; p = LIST_NEXT(p, ph1ofsession_chain)) { - if (!p->is_dying && p->status == PHASE1ST_ESTABLISHED) { - return p; - } - } - - return NULL; -} void ike_session_init (void) 
@@ -195,18 +158,43 @@ ike_session_get_rekey_lifetime (int local_spi_is_higher, u_int expiry_lifetime) } } if (rekey_lifetime < expiry_lifetime) { - return (rekey_lifetime); + return rekey_lifetime; } - return(0); + return 0; +} + +ike_session_t * +ike_session_create_session (ike_session_id_t *session_id) +{ + if (!session_id) + return NULL; + + plog(ASL_LEVEL_DEBUG, "New IKE Session to %s.\n", saddr2str((struct sockaddr *)&session_id->remote)); + + return new_ike_session(session_id); } -// TODO: optimize this mess later +void +ike_session_release_session (ike_session_t *session) +{ + while (!LIST_EMPTY(&session->ph2tree)) { + phase2_handle_t *phase2 = LIST_FIRST(&session->ph2tree); + ike_session_unlink_phase2(phase2); + } + + while (!LIST_EMPTY(&session->ph1tree)) { + phase1_handle_t *phase1 = LIST_FIRST(&session->ph1tree); + ike_session_unlink_phase1(phase1); + } +} + +// %%%%%%%%% re-examine this - keep both floated and unfloated port when behind nat ike_session_t * ike_session_get_session (struct sockaddr_storage *local, struct sockaddr_storage *remote, int alloc_if_absent) { - ike_session_t *p; + ike_session_t *p = NULL; ike_session_id_t id; ike_session_id_t id_default; ike_session_id_t id_floated_default; @@ -216,7 +204,7 @@ ike_session_get_session (struct sockaddr_storage *local, int is_isakmp_remote_port; if (!local || !remote) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return NULL; } 
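Review bot: ike_session_release_session loops on `LIST_EMPTY(&session->ph2tree)` / `LIST_EMPTY(&session->ph1tree)` after each unlink, but ike_session_unlink_phase2 (and, as far as the visible tail shows, ike_session_unlink_phase1) calls free_ike_session once both active counts hit zero, so the iteration after the final unlink reads the freed session. The function also dereferences `session` without the NULL guard its siblings have. One fix is to stop touching the session once the unlink that will free it has been issued, as below; a cleaner one is to have the unlink functions return a distinct value when they freed the session, or to give release_session a path that frees exactly once after detaching every handle.
```c
void
ike_session_release_session (ike_session_t *session)
{
	if (!session) {
		plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
		return;
	}
	/* ike_session_unlink_phase2/1 free the session once both active counts
	 * reach zero, so 'session' must not be touched after the unlink that does it. */
	while (!LIST_EMPTY(&session->ph2tree)) {
		phase2_handle_t *phase2 = LIST_FIRST(&session->ph2tree);
		int last = (session->ikev1_state.active_ph1cnt == 0 &&
		            session->ikev1_state.active_ph2cnt == 1);
		ike_session_unlink_phase2(phase2);
		if (last)
			return;
	}
	while (!LIST_EMPTY(&session->ph1tree)) {
		phase1_handle_t *phase1 = LIST_FIRST(&session->ph1tree);
		int last = (session->ikev1_state.active_ph2cnt == 0 &&
		            session->ikev1_state.active_ph1cnt == 1);
		ike_session_unlink_phase1(phase1);
		if (last)
			return;
	}
}
```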
@@ -261,36 +249,35 @@ ike_session_get_session (struct sockaddr_storage *local, set_port(&id_floated_default.remote, PORT_ISAKMP_NATT); set_port(&id_wop.remote, 0); - plog(LLV_DEBUG, LOCATION, local, + plog(ASL_LEVEL_DEBUG, "start search for IKE-Session. target %s.\n", saddr2str((struct sockaddr *)remote)); - for (p = LIST_FIRST(&ike_session_tree); p; p = LIST_NEXT(p, chain)) { - plog(LLV_DEBUG, LOCATION, local, + LIST_FOREACH(p, &ike_session_tree, chain) { + plog(ASL_LEVEL_DEBUG, "still search for IKE-Session. this %s.\n", saddr2str((struct sockaddr *)&p->session_id.remote)); // for now: ignore any stopped sessions as they will go down if (p->is_dying || p->stopped_by_vpn_controller || p->stop_timestamp.tv_sec || p->stop_timestamp.tv_usec) { - plog(LLV_DEBUG, LOCATION, local, - "still searching. skipping... session to %s is already stopped, active ph1 %d ph2 %d.\n", + plog(ASL_LEVEL_DEBUG, "still searching. skipping... session to %s is already stopped, active ph1 %d ph2 %d.\n", saddr2str((struct sockaddr *)&p->session_id.remote), p->ikev1_state.active_ph1cnt, p->ikev1_state.active_ph2cnt); continue; } if (memcmp(&p->session_id, &id, sizeof(id)) == 0) { - plog(LLV_DEBUG, LOCATION, local, + plog(ASL_LEVEL_DEBUG, "Pre-existing IKE-Session to %s. case 1.\n", saddr2str((struct sockaddr *)remote)); return p; } else if (is_isakmp_remote_port && memcmp(&p->session_id, &id_default, sizeof(id_default)) == 0) { - plog(LLV_DEBUG, LOCATION, local, + plog(ASL_LEVEL_DEBUG, "Pre-existing IKE-Session to %s. case 2.\n", saddr2str((struct sockaddr *)remote)); return p; } else if (is_isakmp_remote_port && p->ports_floated && memcmp(&p->session_id, &id_floated_default, sizeof(id_floated_default)) == 0) { - plog(LLV_DEBUG, LOCATION, local, + plog(ASL_LEVEL_DEBUG, "Pre-existing IKE-Session to %s. case 3.\n", saddr2str((struct sockaddr *)remote)); return p; 
@@ -299,13 +286,13 @@ ike_session_get_session (struct sockaddr_storage *local, } } if (best_match) { - plog(LLV_DEBUG, LOCATION, local, + plog(ASL_LEVEL_DEBUG, "Best-match IKE-Session to %s.\n", saddr2str((struct sockaddr *)&best_match->session_id.remote)); return best_match; } if (alloc_if_absent) { - plog(LLV_DEBUG, LOCATION, local, + plog(ASL_LEVEL_DEBUG, "New IKE-Session to %s.\n", saddr2str((struct sockaddr *)&id.remote)); return new_ike_session(&id); @@ -315,7 +302,7 @@ ike_session_get_session (struct sockaddr_storage *local, } void -ike_session_init_traffic_cop_params (struct ph1handle *iph1) +ike_session_init_traffic_cop_params (phase1_handle_t *iph1) { if (!iph1 || !iph1->rmconf || 
@@ -355,69 +342,17 @@ ike_session_init_traffic_cop_params (struct ph1handle *iph1) } } -int -ike_session_link_ph1_to_session (struct ph1handle *iph1) -{ - ike_session_t *session; - - if (!iph1) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); - return -1; - } - - session = ike_session_get_session(iph1->local, iph1->remote, TRUE); - if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "failed to get session in %s.\n", __FUNCTION__); - return -1; - } - - // already linked - if (iph1->parent_session) { - if (session == iph1->parent_session) { - return 0; - } - // undo previous session - if (ike_session_unlink_ph1_from_session(iph1) == 0) { - plog(LLV_DEBUG2, LOCATION, NULL, "failed to unlink ph1 in %s.\n", __FUNCTION__); - free_ike_session(session); - return -1; - } - } else { - gettimeofday(&session->start_timestamp, NULL); - } - - - if (iph1->started_by_api) { - session->is_cisco_ipsec = 1; - session->is_l2tpvpn_ipsec = 0; - session->is_btmm_ipsec = 0; - } - iph1->parent_session = session; - LIST_INSERT_HEAD(&session->ikev1_state.ph1tree, iph1, ph1ofsession_chain); - session->ikev1_state.active_ph1cnt++; - if ((!session->ikev1_state.ph1cnt && - iph1->side == INITIATOR) || - iph1->started_by_api) { - // client initiates the first phase1 or, is started by controller api - session->is_client = 1; - } - if (session->established && - session->ikev1_state.ph1cnt) { - iph1->is_rekey = 1; - } - session->ikev1_state.ph1cnt++; - ike_session_init_traffic_cop_params(iph1); - - return 0; -} - void -ike_session_update_mode (struct ph2handle *iph2) +ike_session_update_mode (phase2_handle_t *iph2) { if (!iph2 || !iph2->parent_session) { return; } - + if (iph2->phase2_type != PHASE2_TYPE_SA) + return; + if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV2) { + return; // for now + } // exit early if we already detected cisco-ipsec if (iph2->parent_session->is_cisco_ipsec) { return; 
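Review bot: In ike_session_update_mode the new `if (iph2->phase2_type != PHASE2_TYPE_SA) return;` is unbraced while the IKEv2 check two lines later is braced; brace both, `if (iph2->phase2_type != PHASE2_TYPE_SA) { return; }`, as the rest of the file does. The IKEv2 early return is annotated only `// for now`; a comment saying that mode detection (cisco-ipsec and friends) is simply not attempted for IKEv2 would tell the next reader whether that is a gap or a decision.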
@@ -469,73 +404,120 @@ ike_session_cleanup_xauth_timeout (void *arg) } int -ike_session_link_ph2_to_session (struct ph2handle *iph2) +ike_session_link_phase1 (ike_session_t *session, phase1_handle_t *iph1) { - struct sockaddr_storage *local; - struct sockaddr_storage *remote; - ike_session_t *session; - - if (!iph2) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + + if (!session || !iph1) { + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return -1; } + + gettimeofday(&session->start_timestamp, NULL); + + if (iph1->started_by_api) { + session->is_cisco_ipsec = 1; + session->is_l2tpvpn_ipsec = 0; + session->is_btmm_ipsec = 0; + } + iph1->parent_session = session; + LIST_INSERT_HEAD(&session->ph1tree, iph1, ph1ofsession_chain); + session->ikev1_state.active_ph1cnt++; + if ((!session->ikev1_state.ph1cnt && + iph1->side == INITIATOR) || + iph1->started_by_api) { + // client initiates the first phase1 or, is started by controller api + session->is_client = 1; + } + if (session->established && + session->ikev1_state.ph1cnt && + iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + iph1->is_rekey = 1; + } + session->ikev1_state.ph1cnt++; + ike_session_init_traffic_cop_params(iph1); + + return 0; +} - local = iph2->src; - remote = iph2->dst; - - session = ike_session_get_session(local, remote, TRUE); - if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "failed to get session in %s.\n", __FUNCTION__); +int +ike_session_link_phase2 (ike_session_t *session, phase2_handle_t *iph2) +{ + if (!iph2) { + plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__); return -1; } - - // already linked - if (iph2->parent_session) { - if (session == iph2->parent_session) { - return 0; - } - // undo previous session - if (ike_session_unlink_ph2_from_session(iph2) == 0) { - plog(LLV_DEBUG2, LOCATION, NULL, "failed to unlink ph2 in %s.\n", __FUNCTION__); - free_ike_session(session); - return -1; - } + if (iph2->parent_session) { 
+ plog(ASL_LEVEL_ERR, "Phase 2 already linked to session %s.\n", __FUNCTION__); } iph2->parent_session = session; - LIST_INSERT_HEAD(&session->ikev1_state.ph2tree, iph2, ph2ofsession_chain); + LIST_INSERT_HEAD(&session->ph2tree, iph2, ph2ofsession_chain); session->ikev1_state.active_ph2cnt++; if (!session->ikev1_state.ph2cnt && iph2->side == INITIATOR) { // client initiates the first phase2 session->is_client = 1; } - if (session->established && - session->ikev1_state.ph2cnt) { + if (iph2->phase2_type == PHASE2_TYPE_SA && + session->established && + session->ikev1_state.ph2cnt && + iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) { iph2->is_rekey = 1; } session->ikev1_state.ph2cnt++; - ike_session_update_mode(iph2); return 0; } int -ike_session_unlink_ph1_from_session (struct ph1handle *iph1) +ike_session_link_ph2_to_ph1 (phase1_handle_t *iph1, phase2_handle_t *iph2) +{ + struct sockaddr_storage *local; + struct sockaddr_storage *remote; + int error = 0; + + if (!iph2) { + plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__); + return -1; + } + if (iph2->ph1) { + plog(ASL_LEVEL_ERR, "Phase 2 already linked %s.\n", __FUNCTION__); + if (iph2->ph1 == iph1) + return 0; + else + return -1; // This shouldn't happen + } + + local = iph2->src; + remote = iph2->dst; + + if (iph2->parent_session == NULL) + if ((error = ike_session_link_phase2(iph1->parent_session, iph2))) + return error; + + ike_session_bindph12(iph1, iph2); + return 0; +} + +int +ike_session_unlink_phase1 (phase1_handle_t *iph1) { ike_session_t *session; if (!iph1 || !iph1->parent_session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return -1; } - if (LIST_FIRST(&iph1->ph2tree)) { - // reparent any phase2 that may be hanging on to this phase1 - ike_session_update_ph1_ph2tree(iph1); + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + if (LIST_FIRST(&iph1->bound_ph2tree)) { + // reparent 
any phase2 that may be hanging on to this phase1 + ike_session_update_ph1_ph2tree(iph1); + } } + sched_scrub_param(iph1); session = iph1->parent_session; LIST_REMOVE(iph1, ph1ofsession_chain); iph1->parent_session = NULL; 
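Review bot: ike_session_link_phase2 now only logs when `iph2->parent_session` is already set and then falls through to `LIST_INSERT_HEAD(&session->ph2tree, ...)` and bumps the counters, so a handle that is still chained into another session's ph2tree gets inserted into a second list and both sessions' active_ph2cnt drift; the removed code unlinked first. Mirror what ike_session_link_ph2_to_ph1 does: `if (iph2->parent_session) { plog(ASL_LEVEL_ERR, "Phase 2 already linked to session in %s.\n", __FUNCTION__); return iph2->parent_session == session ? 0 : -1; }` (the current message says "to session %s" but passes __FUNCTION__ as the %s). In ike_session_link_ph2_to_ph1, `local` and `remote` are assigned and never used, and `iph1->parent_session` is dereferenced although only `iph2` is NULL-checked. In ike_session_link_phase1 the `gettimeofday(&session->start_timestamp, NULL)` is now unconditional, so a rekeying phase1 appears to reset the session start time; the removed code did it only on first link, and if that was deliberate it deserves a comment.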
@@ -544,86 +526,160 @@ ike_session_unlink_ph1_from_session (struct ph1handle *iph1) session->is_dying = 1; free_ike_session(session); } - + ike_session_delph1(iph1); return 0; } int -ike_session_unlink_ph2_from_session (struct ph2handle *iph2) +ike_session_unlink_phase2 (phase2_handle_t *iph2) { ike_session_t *session; if (!iph2 || !iph2->parent_session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return -1; } + sched_scrub_param(iph2); + ike_session_unbindph12(iph2); + + LIST_REMOVE(iph2, ph2ofsession_chain); + session = iph2->parent_session; + iph2->parent_session = NULL; + session->ikev1_state.active_ph2cnt--; + if (session->ikev1_state.active_ph1cnt == 0 && session->ikev1_state.active_ph2cnt == 0) { + session->is_dying = 1; + free_ike_session(session); + } + ike_session_delph2(iph2); + return 0; +} + + +phase1_handle_t * +ike_session_update_ph1_ph2tree (phase1_handle_t *iph1) +{ + phase1_handle_t *new_iph1 = NULL; + + if (!iph1) { + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + return NULL; + } + + if (iph1->parent_session) { + new_iph1 = ike_session_get_established_ph1(iph1->parent_session); + + if (!new_iph1) { + plog(ASL_LEVEL_DEBUG, "no ph1bind replacement found. NULL ph1.\n"); + ike_session_unbind_all_ph2_from_ph1(iph1); + } else if (iph1 == new_iph1) { + plog(ASL_LEVEL_DEBUG, "no ph1bind replacement found. 
same ph1.\n"); + ike_session_unbind_all_ph2_from_ph1(iph1); + } else { + ike_session_rebind_all_ph12_to_new_ph1(iph1, new_iph1); + } + } else { + plog(ASL_LEVEL_DEBUG, "invalid parent session in %s.\n", __FUNCTION__); + } + return new_iph1; +} + +phase1_handle_t * +ike_session_update_ph2_ph1bind (phase2_handle_t *iph2) +{ + phase1_handle_t *iph1; - LIST_REMOVE(iph2, ph2ofsession_chain); - session = iph2->parent_session; - iph2->parent_session = NULL; - session->ikev1_state.active_ph2cnt--; - if (session->ikev1_state.active_ph1cnt == 0 && session->ikev1_state.active_ph2cnt == 0) { - session->is_dying = 1; - free_ike_session(session); + if (!iph2 || iph2->phase2_type != PHASE2_TYPE_SA) { + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + return NULL; } - return 0; + iph1 = ike_session_get_established_ph1(iph2->parent_session); + if (iph1 && iph2->ph1 && iph1 != iph2->ph1) { + ike_session_rebindph12(iph1, iph2); + } else if (iph1 && !iph2->ph1) { + ike_session_bindph12(iph1, iph2); + } + + return iph1; } -int -ike_session_has_other_established_ph1 (ike_session_t *session, struct ph1handle *iph1) +phase1_handle_t * +ike_session_get_established_or_negoing_ph1 (ike_session_t *session) { - struct ph1handle *p; - + phase1_handle_t *p, *iph1 = NULL; + if (!session) { - return 0; + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + return NULL; } - - for (p = LIST_FIRST(&session->ikev1_state.ph1tree); p; p = LIST_NEXT(p, ph1ofsession_chain)) { - if (iph1 != p && !p->is_dying) { - if (p->status == PHASE1ST_ESTABLISHED && p->sce_rekey) { - return 1; + + // look for the most mature ph1 under the session + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (!p->is_dying && (FSM_STATE_IS_ESTABLISHED(p->status) || FSM_STATE_IS_NEGOTIATING(p->status))) { + if (!iph1 || p->status > iph1->status) { + iph1 = p; + } else if (iph1 && p->status == iph1->status) { + // TODO: pick better one based on farthest rekey/expiry remaining } } } + 
+ return iph1; +} - return 0; +phase1_handle_t * +ike_session_get_established_ph1 (ike_session_t *session) +{ + phase1_handle_t *p; + + if (!session) { + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + return NULL; + } + + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (!p->is_dying && FSM_STATE_IS_ESTABLISHED(p->status)) { + return p; + } + } + + return NULL; } + int -ike_session_has_other_negoing_ph1 (ike_session_t *session, struct ph1handle *iph1) +ike_session_has_other_established_ph1 (ike_session_t *session, phase1_handle_t *iph1) { - struct ph1handle *p; - + phase1_handle_t *p; + if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); return 0; } - - for (p = LIST_FIRST(&session->ikev1_state.ph1tree); p; p = LIST_NEXT(p, ph1ofsession_chain)) { + + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { if (iph1 != p && !p->is_dying) { - if (p->status >= PHASE1ST_START && p->status <= PHASE1ST_ESTABLISHED) { + if (FSM_STATE_IS_ESTABLISHED(p->status) && p->sce_rekey) { return 1; } } } - + return 0; } int -ike_session_has_other_established_ph2 (ike_session_t *session, struct ph2handle *iph2) +ike_session_has_other_negoing_ph1 (ike_session_t *session, phase1_handle_t *iph1) { - struct ph2handle *p; + phase1_handle_t *p; if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return 0; } - for (p = LIST_FIRST(&session->ikev1_state.ph2tree); p; p = LIST_NEXT(p, ph2ofsession_chain)) { - if (iph2 != p && !p->is_dying && iph2->spid == p->spid) { - if (p->status == PHASE2ST_ESTABLISHED) { + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (iph1 != p && !p->is_dying) { + if (FSM_STATE_IS_NEGOTIATING(p->status)) { return 1; } } 
@@ -633,19 +689,18 @@ ike_session_has_other_established_ph2 (ike_session_t *session, struct ph2handle } int -ike_session_has_other_negoing_ph2 (ike_session_t *session, struct ph2handle *iph2) +ike_session_has_other_established_ph2 (ike_session_t *session, phase2_handle_t *iph2) { - struct ph2handle *p; + phase2_handle_t *p; if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return 0; } - for (p = LIST_FIRST(&session->ikev1_state.ph2tree); p; p = LIST_NEXT(p, ph2ofsession_chain)) { - plog(LLV_DEBUG2, LOCATION, NULL, "%s: ph2 sub spid %d, db spid %d\n", __FUNCTION__, iph2->spid, p->spid); - if (iph2 != p && !p->is_dying && iph2->spid == p->spid) { - if (p->status >= PHASE2ST_START && p->status <= PHASE2ST_ESTABLISHED) { + LIST_FOREACH(p, &session->ph2tree, ph2ofsession_chain) { + if (p->phase2_type == PHASE2_TYPE_SA && iph2 != p && !p->is_dying && iph2->spid == p->spid) { + if (FSM_STATE_IS_ESTABLISHED(p->status)) { return 1; } } 
@@ -654,119 +709,34 @@ ike_session_has_other_negoing_ph2 (ike_session_t *session, struct ph2handle *iph return 0; } -static void -ike_session_unbindph12_from_ph1 (struct ph1handle *iph1) -{ - struct ph2handle *p, *next; - - for (p = LIST_FIRST(&iph1->ph2tree); p; p = next) { - // take next pointer now, since unbind and rebind may change the underlying ph2tree list - next = LIST_NEXT(p, ph1bind); - unbindph12(p); - } -} - -static void -ike_session_rebindph12_from_old_ph1_to_new_ph1 (struct ph1handle *old_iph1, - struct ph1handle *new_iph1) +int +ike_session_has_other_negoing_ph2 (ike_session_t *session, phase2_handle_t *iph2) { - struct ph2handle *p, *next; - - if (old_iph1 == new_iph1 || !old_iph1 || !new_iph1) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); - return; - } + phase2_handle_t *p; - if (old_iph1->parent_session != new_iph1->parent_session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parent sessions in %s.\n", __FUNCTION__); - return; + if (!session) { + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + return 0; } - for (p = LIST_FIRST(&old_iph1->ph2tree); p; p = next) { - // take next pointer now, since rebind may change the underlying ph2tree list - next = LIST_NEXT(p, ph1bind); - if (p->parent_session != new_iph1->parent_session) { - plog(LLV_ERROR, LOCATION, NULL, "mismatched parent session in ph1bind replacement.\n"); - } - if (p->ph1 == new_iph1) { - plog(LLV_ERROR, LOCATION, NULL, "same phase1 in ph1bind replacement in %s.\n",__FUNCTION__); - } - rebindph12(new_iph1, p); - } -} - -int -ike_session_verify_ph2_parent_session (struct ph2handle *iph2) -{ - if (!iph2) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); - return -1; - } - - if (!iph2->parent_session) { - plog(LLV_DEBUG, LOCATION, NULL, "NULL parent session.\n"); - if (ike_session_link_ph2_to_session(iph2)) { - plog(LLV_DEBUG, LOCATION, NULL, "NULL parent session... 
still failed to link to session.\n"); - // failed to bind ph2 to session - return 1; + LIST_FOREACH(p, &session->ph2tree, ph2ofsession_chain) { + plog(ASL_LEVEL_DEBUG, "%s: ph2 sub spid %d, db spid %d\n", __FUNCTION__, iph2->spid, p->spid); + if (p->phase2_type == PHASE2_TYPE_SA && iph2 != p && !p->is_dying && iph2->spid == p->spid) { + if (FSM_STATE_IS_NEGOTIATING(p->status)) { + return 1; + } } } + return 0; } -struct ph1handle * -ike_session_update_ph1_ph2tree (struct ph1handle *iph1) -{ - struct ph1handle *new_iph1 = NULL; - - if (!iph1) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); - return NULL; - } - - if (iph1->parent_session) { - new_iph1 = ike_session_get_established_ph1(iph1->parent_session); - - if (!new_iph1) { - plog(LLV_DEBUG2, LOCATION, NULL, "no ph1bind replacement found. NULL ph1.\n"); - ike_session_unbindph12_from_ph1(iph1); - } else if (iph1 == new_iph1) { - plog(LLV_DEBUG2, LOCATION, NULL, "no ph1bind replacement found. same ph1.\n"); - ike_session_unbindph12_from_ph1(iph1); - } else { - ike_session_rebindph12_from_old_ph1_to_new_ph1(iph1, new_iph1); - } - } else { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parent session in %s.\n", __FUNCTION__); - } - return new_iph1; -} - -struct ph1handle * -ike_session_update_ph2_ph1bind (struct ph2handle *iph2) -{ - struct ph1handle *iph1; - - if (!iph2) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); - return NULL; - } - - iph1 = ike_session_get_established_ph1(iph2->parent_session); - if (iph1 && iph2->ph1 && iph1 != iph2->ph1) { - rebindph12(iph1, iph2); - } else if (iph1 && !iph2->ph1) { - bindph12(iph1, iph2); - } - - return iph1; -} void -ike_session_ikev1_float_ports (struct ph1handle *iph1) +ike_session_ikev1_float_ports (phase1_handle_t *iph1) { struct sockaddr_storage *local, *remote; - struct ph2handle *p; + phase2_handle_t *p; if (iph1->parent_session) { local = &iph1->parent_session->session_id.local; 
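Review bot: In the relocated ike_session_has_other_negoing_ph2 the guard checks only `session`, yet `iph2->spid` is dereferenced in the per-iteration plog and in the match condition, so a NULL iph2 crashes before the first comparison; tighten the guard to `if (!session || !iph2) {`. The debug plog inside the loop also emits one line per ph2 in the tree on every call, which turns this cheap predicate into a log hotspot on busy sessions — consider dropping it or moving it under the matched branch. Its sibling ike_session_has_other_established_ph2 in the previous hunk has no such log, so removing it would also make the two walkers consistent.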
@@ -776,7 +746,7 @@ ike_session_ikev1_float_ports (struct ph1handle *iph1) set_port(remote, extract_port(iph1->remote)); iph1->parent_session->ports_floated = 1; - for (p = LIST_FIRST(&iph1->parent_session->ikev1_state.ph2tree); p; p = LIST_NEXT(p, ph2ofsession_chain)) { + LIST_FOREACH(p, &iph1->parent_session->ph2tree, ph2ofsession_chain) { local = p->src; remote = p->dst; @@ -785,7 +755,7 @@ ike_session_ikev1_float_ports (struct ph1handle *iph1) set_port(remote, extract_port(iph1->remote)); } } else { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parent session in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parent session in %s.\n", __FUNCTION__); } } @@ -800,18 +770,18 @@ ike_session_traffic_cop (void *arg) /* get traffic query from kernel */ if (pk_sendget_inbound_sastats(session) < 0) { // log message - plog(LLV_DEBUG2, LOCATION, NULL, "pk_sendget_inbound_sastats failed in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "pk_sendget_inbound_sastats failed in %s.\n", __FUNCTION__); } if (pk_sendget_outbound_sastats(session) < 0) { // log message - plog(LLV_DEBUG2, LOCATION, NULL, "pk_sendget_outbound_sastats failed in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "pk_sendget_outbound_sastats failed in %s.\n", __FUNCTION__); } session->traffic_monitor.sc_mon = sched_new(session->traffic_monitor.interv_mon, ike_session_traffic_cop, session); } else { // log message - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); } } 
@@ -830,7 +800,7 @@ ike_session_monitor_idle (ike_session_t *session) if (session->traffic_monitor.dir_idle == IPSEC_DIR_INBOUND || session->traffic_monitor.dir_idle == IPSEC_DIR_ANY) { if (session->peer_sent_data_sc_idle) { - plog(LLV_DEBUG2, LOCATION, NULL, "%s: restart idle-timeout because peer sent data. monitoring dir %d.\n", + plog(ASL_LEVEL_DEBUG, "%s: restart idle-timeout because peer sent data. monitoring dir %d.\n", __FUNCTION__, session->traffic_monitor.dir_idle); SCHED_KILL(session->traffic_monitor.sc_idle); if (session->traffic_monitor.interv_idle) { @@ -846,7 +816,7 @@ ike_session_monitor_idle (ike_session_t *session) if (session->traffic_monitor.dir_idle == IPSEC_DIR_OUTBOUND || session->traffic_monitor.dir_idle == IPSEC_DIR_ANY) { if (session->i_sent_data_sc_idle) { - plog(LLV_DEBUG2, LOCATION, NULL, "%s: restart idle-timeout because i sent data. monitoring dir %d.\n", + plog(ASL_LEVEL_DEBUG, "%s: restart idle-timeout because i sent data. monitoring dir %d.\n", __FUNCTION__, session->traffic_monitor.dir_idle); SCHED_KILL(session->traffic_monitor.sc_idle); if (session->traffic_monitor.interv_idle) { @@ -877,10 +847,10 @@ ike_session_start_traffic_mon (ike_session_t *session) } void -ike_session_ph2_established (struct ph2handle *iph2) +ike_session_ph2_established (phase2_handle_t *iph2) { - if (!iph2->parent_session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + if (!iph2->parent_session || iph2->phase2_type != PHASE2_TYPE_SA) { + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return; } SCHED_KILL(iph2->parent_session->sc_xauth); 
@@ -897,24 +867,26 @@ ike_session_ph2_established (struct ph2handle *iph2) iph2->parent_session->term_reason = NULL; ike_session_update_mode(iph2); + if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) + ike_session_unbindph12(iph2); #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_peer_resp_ph2(1, iph2); #endif /* ENABLE_VPNCONTROL_PORT */ - plog(LLV_DEBUG2, LOCATION, NULL, "%s: ph2 established, spid %d\n", __FUNCTION__, iph2->spid); + plog(ASL_LEVEL_DEBUG, "%s: ph2 established, spid %d\n", __FUNCTION__, iph2->spid); } void -ike_session_cleanup_ph1 (struct ph1handle *iph1) +ike_session_cleanup_ph1 (phase1_handle_t *iph1) { - if (iph1->status == PHASE1ST_EXPIRED) { + if (FSM_STATE_IS_EXPIRED(iph1->status)) { // since this got here via ike_session_cleanup_other_established_ph1s, assumes LIST_FIRST(&iph1->ph2tree) == NULL iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); return; } /* send delete information */ - if (iph1->status == PHASE1ST_ESTABLISHED) { + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) { isakmp_info_send_d1(iph1); } 
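Review bot: The new `if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) ike_session_unbindph12(iph2);` in ike_session_ph2_established carries no rationale and is an unbraced single-statement if in a function that braces its other conditionals. Presumably an established IKEv1 ph2 no longer needs its ph1 binding until a rekey, with ike_session_update_ph2_ph1bind re-attaching it lazily, but that is inferred from the surrounding code rather than stated; a comment such as `/* IKEv1: an established ph2 no longer needs its ph1; ike_session_update_ph2_ph1bind() rebinds lazily when required */` plus braces would make the intent explicit. The widened guard also rejects non-PHASE2_TYPE_SA handles with the generic "invalid parameters" message, which makes a legitimate early-out read like an error in the log.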
@@ -925,31 +897,81 @@ void ike_session_cleanup_ph1_stub (void *p) { - ike_session_cleanup_ph1((struct ph1handle *)p); + ike_session_cleanup_ph1((phase1_handle_t *)p); +} + +void +ike_session_replace_other_ph1 (phase1_handle_t *new_iph1, + phase1_handle_t *old_iph1) +{ + char *local, *remote, *index; + ike_session_t *session = NULL; + + if (new_iph1) + session = new_iph1->parent_session; + + if (!session || !new_iph1 || !old_iph1 || session != old_iph1->parent_session || new_iph1 == old_iph1) { + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + return; + } + + /* + * if we are responder, then we should wait until the server sends a delete notification. + */ + if ((new_iph1->version == ISAKMP_VERSION_NUMBER_IKEV2 || session->is_client) && + new_iph1->side == RESPONDER) { + return; + } + + SCHED_KILL(old_iph1->sce); + SCHED_KILL(old_iph1->sce_rekey); + old_iph1->is_dying = 1; + + //log deletion + local = racoon_strdup(saddr2str((struct sockaddr *)old_iph1->local)); + remote = racoon_strdup(saddr2str((struct sockaddr *)old_iph1->remote)); + index = racoon_strdup(isakmp_pindex(&old_iph1->index, 0)); + STRDUP_FATAL(local); + STRDUP_FATAL(remote); + STRDUP_FATAL(index); + plog(ASL_LEVEL_DEBUG, "ISAKMP-SA %s-%s (spi:%s) needs to be deleted, replaced by (spi:%s)\n", local, remote, index, isakmp_pindex(&new_iph1->index, 0)); + racoon_free(local); + racoon_free(remote); + racoon_free(index); + + // first rebind the children ph2s of this dying ph1 to the new ph1. + ike_session_rebind_all_ph12_to_new_ph1 (old_iph1, new_iph1); + + if (old_iph1->side == INITIATOR) { + /* everyone deletes old outbound SA */ + old_iph1->sce = sched_new(5, ike_session_cleanup_ph1_stub, old_iph1); + } else { + /* responder sets up timer to delete old inbound SAs... 
say 7 secs later and flags them as rekeyed */ + old_iph1->sce = sched_new(7, ike_session_cleanup_ph1_stub, old_iph1); + } } void ike_session_cleanup_other_established_ph1s (ike_session_t *session, - struct ph1handle *new_iph1) + phase1_handle_t *new_iph1) { - struct ph1handle *p, *next; + phase1_handle_t *p, *next; char *local, *remote; if (!session || !new_iph1 || session != new_iph1->parent_session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return; } /* * if we are responder, then we should wait until the server sends a delete notification. */ - if (session->is_client && new_iph1->side == RESPONDER) { + if ((new_iph1->version == ISAKMP_VERSION_NUMBER_IKEV2 || session->is_client) && + new_iph1->side == RESPONDER) { return; } - for (p = LIST_FIRST(&session->ikev1_state.ph1tree); p; p = next) { - // take next pointer now, since delete change the underlying ph1tree list - next = LIST_NEXT(p, ph1ofsession_chain); + LIST_FOREACH_SAFE(p, &session->ph1tree, ph1ofsession_chain, next) { /* * TODO: currently, most recently established SA wins. Need to revisit to see if * alternative selections is better (e.g. largest p->index stays). @@ -964,14 +986,14 @@ ike_session_cleanup_other_established_ph1s (ike_session_t *session, remote = racoon_strdup(saddr2str((struct sockaddr *)p->remote)); STRDUP_FATAL(local); STRDUP_FATAL(remote); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ISAKMP-SA needs to be deleted %s-%s spi:%s\n", local, remote, isakmp_pindex(&p->index, 0)); racoon_free(local); racoon_free(remote); - // first rebind the children ph2s of this dying ph1 to the new ph1. - ike_session_rebindph12_from_old_ph1_to_new_ph1 (p, new_iph1); + // first rebind the children ph2s of this dying ph1 to the new ph1. + ike_session_rebind_all_ph12_to_new_ph1 (p, new_iph1); if (p->side == INITIATOR) { /* everyone deletes old outbound SA */ 
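Review bot: ike_session_replace_other_ph1 duplicates the loop body of ike_session_cleanup_other_established_ph1s almost verbatim (is_dying flag, strdup/plog, rebind, 5s/7s sched_new), so any future fix to one must be mirrored in the other; once the candidate `p` has been selected the loop could simply call `ike_session_replace_other_ph1(new_iph1, p);`. The parameter order `(new_iph1, old_iph1)` is also the reverse of `ike_session_rebind_all_ph12_to_new_ph1(old_iph1, new_iph1)` called a few lines below, an easy swap with two same-typed pointers — consider matching the order or a header comment naming which handle is retired. The responder comment says the old SAs are "flagged as rekeyed", but nothing in the visible body sets such a flag; if that happens inside ike_session_cleanup_ph1_stub say so, otherwise the comment is stale. The candidate-selection part of the cleanup_other_established_ph1s loop lies outside this hunk.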
@@ -985,20 +1007,22 @@ ike_session_cleanup_other_established_ph1s (ike_session_t *session, } void -ike_session_cleanup_ph2 (struct ph2handle *iph2) +ike_session_cleanup_ph2 (phase2_handle_t *iph2) { - if (iph2->status == PHASE2ST_EXPIRED) { + if (iph2->phase2_type != PHASE2_TYPE_SA) + return; + if (FSM_STATE_IS_EXPIRED(iph2->status)) { return; } SCHED_KILL(iph2->sce); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "about to cleanup ph2: status %d, seq %d dying %d\n", iph2->status, iph2->seq, iph2->is_dying); /* send delete information */ - if (iph2->status == PHASE2ST_ESTABLISHED) { + if (FSM_STATE_IS_ESTABLISHED(iph2->status)) { isakmp_info_send_d2(iph2); // delete outgoing SAs @@ -1017,26 +1041,24 @@ ike_session_cleanup_ph2 (struct ph2handle *iph2) } delete_spd(iph2); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); } void ike_session_cleanup_ph2_stub (void *p) { - ike_session_cleanup_ph2((struct ph2handle *)p); + ike_session_cleanup_ph2((phase2_handle_t *)p); } void ike_session_cleanup_other_established_ph2s (ike_session_t *session, - struct ph2handle *new_iph2) + phase2_handle_t *new_iph2) { - struct ph2handle *p, *next; + phase2_handle_t *p, *next; - if (!session || !new_iph2 || session != new_iph2->parent_session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + if (!session || !new_iph2 || session != new_iph2->parent_session || new_iph2->phase2_type != PHASE2_TYPE_SA) { + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return; } 
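Review bot: The new `if (iph2->phase2_type != PHASE2_TYPE_SA) return;` at the top of ike_session_cleanup_ph2 returns before `SCHED_KILL(iph2->sce)` and before `ike_session_unlink_phase2(iph2)`, so a non-SA handle that does reach this function keeps its scheduled timer and stays on the session's ph2tree. If non-SA handles can never be passed here (ike_session_cleanup_other_established_ph2s filters them, but ike_session_cleanup_ph2_stub is a generic scheduler callback), the early return should at least log like the other guards, e.g. `plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);`; otherwise it should still fall through to the unlink. Separately, the "about to cleanup ph2" message stays at ASL_LEVEL_ERR although it fires on every normal teardown, which buries genuine errors.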
@@ -1047,9 +1069,7 @@ ike_session_cleanup_other_established_ph2s (ike_session_t *session, return; } - for (p = LIST_FIRST(&session->ikev1_state.ph2tree); p; p = next) { - // take next pointer now, since delete change the underlying ph2tree list - next = LIST_NEXT(p, ph2ofsession_chain); + LIST_FOREACH_SAFE(p, &session->ph2tree, ph2ofsession_chain, next) { /* * TODO: currently, most recently established SA wins. Need to revisit to see if * alternative selections is better. @@ -1059,7 +1079,7 @@ ike_session_cleanup_other_established_ph2s (ike_session_t *session, p->is_dying = 1; //log deletion - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "IPsec-SA needs to be deleted: %s\n", sadbsecas2str(p->src, p->dst, p->satype, p->spid, 0)); @@ -1080,18 +1100,18 @@ ike_session_stopped_by_controller (ike_session_t *session, const char *reason) { if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return; } if (session->stop_timestamp.tv_sec || session->stop_timestamp.tv_usec) { - plog(LLV_DEBUG2, LOCATION, NULL, "already stopped %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "already stopped %s.\n", __FUNCTION__); return; } session->stopped_by_vpn_controller = 1; gettimeofday(&session->stop_timestamp, NULL); if (!session->term_reason) { - session->term_reason = reason; + session->term_reason = (__typeof__(session->term_reason))reason; } } 
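Review bot: `session->term_reason = (__typeof__(session->term_reason))reason;` casts away const from the `const char *reason` parameter instead of fixing the field's type, so the compiler can no longer warn if term_reason is ever written through or handed to racoon_free — callers such as ike_session_sweep_sleepwake pass what appears to be a constant string (ike_session_stopped_by_sleepwake), and freeing that would be undefined behavior. Unless the field is written elsewhere, declaring it `const char *term_reason;` in ike_session_t and dropping the cast is the safer fix; if ownership genuinely varies, a comment stating who frees it belongs on this line. The struct definition and other writers are not visible from this hunk, so treat this as a request to check rather than a confirmed bug.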
@@ -1101,33 +1121,32 @@ ike_sessions_stopped_by_controller (struct sockaddr_storage *remote, const char *reason) { ike_session_t *p = NULL; + ike_session_t *next_session = NULL; if (!remote) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return; } - for (p = LIST_FIRST(&ike_session_tree); p; p = LIST_NEXT(p, chain)) { - if (withport && cmpsaddrstrict(&p->session_id.remote, remote) == 0 || - !withport && cmpsaddrwop(&p->session_id.remote, remote) == 0) { + LIST_FOREACH_SAFE(p, &ike_session_tree, chain, next_session) { + if ((withport && cmpsaddrstrict(&p->session_id.remote, remote) == 0) || + (!withport && cmpsaddrwop(&p->session_id.remote, remote) == 0)) { ike_session_stopped_by_controller(p, reason); } } } void -ike_session_purge_ph2s_by_ph1 (struct ph1handle *iph1) +ike_session_purge_ph2s_by_ph1 (phase1_handle_t *iph1) { - struct ph2handle *p, *next; + phase2_handle_t *p, *next; if (!iph1 || !iph1->parent_session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return; } - for (p = LIST_FIRST(&iph1->parent_session->ikev1_state.ph2tree); p; p = next) { - // take next pointer now, since delete change the underlying ph2tree list - next = LIST_NEXT(p, ph2ofsession_chain); + LIST_FOREACH_SAFE(p, &iph1->parent_session->ph2tree, ph2ofsession_chain, next) { if (p->is_dying) { continue; } @@ -1135,7 +1154,7 @@ ike_session_purge_ph2s_by_ph1 (struct ph1handle *iph1) p->is_dying = 1; //log deletion - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "IPsec-SA needs to be purged: %s\n", sadbsecas2str(p->src, p->dst, p->satype, p->spid, 0)); 
@@ -1145,7 +1164,7 @@ ike_session_purge_ph2s_by_ph1 (struct ph1handle *iph1) } void -ike_session_update_ph2_ports (struct ph2handle *iph2) +ike_session_update_ph2_ports (phase2_handle_t *iph2) { struct sockaddr_storage *local; struct sockaddr_storage *remote; @@ -1157,7 +1176,7 @@ ike_session_update_ph2_ports (struct ph2handle *iph2) set_port(iph2->src, extract_port(local)); set_port(iph2->dst, extract_port(remote)); } else { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parent session in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parent session in %s.\n", __FUNCTION__); } } @@ -1169,16 +1188,15 @@ ike_session_get_sas_for_stats (ike_session_t *session, u_int32_t max_stats) { int found = 0; - struct ph2handle *iph2; + phase2_handle_t *iph2; if (!session || !seq || !stats || !max_stats || (dir != IPSEC_DIR_INBOUND && dir != IPSEC_DIR_OUTBOUND)) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid args in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid args in %s.\n", __FUNCTION__); return found; } *seq = 0; - for (iph2 = LIST_FIRST(&session->ikev1_state.ph2tree); iph2; iph2 = LIST_NEXT(iph2, ph2ofsession_chain)) { - + LIST_FOREACH(iph2, &session->ph2tree, ph2ofsession_chain) { if (iph2->approval) { struct saproto *pr; @@ -1211,12 +1229,12 @@ ike_session_update_traffic_idle_status (ike_session_t *session, int i, j, found = 0, idle = 1; if (!session || !new_stats || (dir != IPSEC_DIR_INBOUND && dir != IPSEC_DIR_OUTBOUND)) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid args in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid args in %s.\n", __FUNCTION__); return; } if (!session->established || session->stopped_by_vpn_controller || session->stop_timestamp.tv_sec || session->stop_timestamp.tv_usec) { - plog(LLV_DEBUG2, LOCATION, NULL, "dropping update on invalid session in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "dropping update on invalid session in %s.\n", __FUNCTION__); return; } 
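Review bot: ike_session_get_sas_for_stats walks ph2tree with only `if (iph2->approval)` as its filter, whereas the other ph2tree walkers in this patch (ike_session_has_other_established_ph2, ike_session_cleanup_ph2, ike_session_cleanup_other_established_ph2s) were given an explicit `phase2_type == PHASE2_TYPE_SA` test; if a non-SA phase2 handle can ever carry an approval, its SPIs would be queried from the kernel and fed into the session's traffic/idle decisions. Changing the test to `if (iph2->phase2_type == PHASE2_TYPE_SA && iph2->approval) {` keeps the walkers consistent, or a comment explaining why non-SA handles never have an approval would settle it. The remainder of the loop body is outside the hunk.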
@@ -1245,7 +1263,7 @@ ike_session_update_traffic_idle_status (ike_session_t *session, // new SA.... check for any activity if (!found) { if (new_stats[i].lft_c.sadb_lifetime_bytes) { - plog(LLV_DEBUG, LOCATION, NULL, "new SA: dir %d....\n", dir); + plog(ASL_LEVEL_DEBUG, "new SA: dir %d....\n", dir); idle = 0; } } @@ -1256,7 +1274,7 @@ ike_session_update_traffic_idle_status (ike_session_t *session, bcopy(new_stats, session->traffic_monitor.in_last_poll, (max_stats * sizeof(*new_stats))); session->traffic_monitor.num_in_last_poll = max_stats; if (!idle) { - plog(LLV_DEBUG, LOCATION, NULL, "peer sent data....\n"); + //plog(ASL_LEVEL_DEBUG, "peer sent data....\n"); session->peer_sent_data_sc_dpd = 1; session->peer_sent_data_sc_idle = 1; } @@ -1266,7 +1284,7 @@ ike_session_update_traffic_idle_status (ike_session_t *session, bcopy(new_stats, session->traffic_monitor.out_last_poll, (max_stats * sizeof(*new_stats))); session->traffic_monitor.num_out_last_poll = max_stats; if (!idle) { - plog(LLV_DEBUG, LOCATION, NULL, "i sent data....\n"); + //plog(ASL_LEVEL_DEBUG, "i sent data....\n"); session->i_sent_data_sc_dpd = 1; session->i_sent_data_sc_idle = 1; } 
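Review bot: The two `//plog(ASL_LEVEL_DEBUG, "peer sent data....\n");` and `//plog(ASL_LEVEL_DEBUG, "i sent data....\n");` lines in ike_session_update_traffic_idle_status are commented-out code; either delete them or keep the messages at a level that is normally off rather than leaving dead statements for the next reader to puzzle over. The neighbouring "new SA: dir %d" message in the same function stays at ASL_LEVEL_DEBUG, so if these two were silenced for volume on every poll, a one-line comment saying so would explain the asymmetry.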
@@ -1281,27 +1299,29 @@ void ike_session_cleanup (ike_session_t *session, const char *reason) { - struct ph2handle *iph2; - struct ph1handle *iph1; + phase2_handle_t *iph2 = NULL; + phase2_handle_t *next_iph2 = NULL; + phase1_handle_t *iph1 = NULL; + phase1_handle_t *next_iph1 = NULL; if (!session) return; session->is_dying = 1; + ike_session_stopped_by_controller(session, reason); SCHED_KILL(session->traffic_monitor.sc_idle); // do ph2's first... we need the ph1s for notifications - for (iph2 = LIST_FIRST(&session->ikev1_state.ph2tree); iph2; iph2 = LIST_NEXT(iph2, ph2ofsession_chain)) { - if (iph2->status == PHASE2ST_ESTABLISHED) { + LIST_FOREACH_SAFE(iph2, &session->ph2tree, ph2ofsession_chain, next_iph2) { + if (FSM_STATE_IS_ESTABLISHED(iph2->status)) { isakmp_info_send_d2(iph2); } isakmp_ph2expire(iph2); // iph2 will go down 1 second later. - ike_session_stopped_by_controller(session, reason); } // do the ph1s last. - for (iph1 = LIST_FIRST(&session->ikev1_state.ph1tree); iph1; iph1 = LIST_NEXT(iph1, ph1ofsession_chain)) { - if (iph1->status == PHASE1ST_ESTABLISHED) { + LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) { + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) { isakmp_info_send_d1(iph1); } isakmp_ph1expire(iph1); @@ -1328,15 +1348,15 @@ ike_session_cleanup (ike_session_t *session, int ike_session_has_negoing_ph1 (ike_session_t *session) { - struct ph1handle *p; + phase1_handle_t *p; if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return 0; } - for (p = LIST_FIRST(&session->ikev1_state.ph1tree); p; p = LIST_NEXT(p, ph1ofsession_chain)) { - if (!p->is_dying && p->status >= PHASE1ST_START && p->status <= PHASE1ST_ESTABLISHED) { + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (!p->is_dying && FSM_STATE_IS_NEGOTIATING(p->status)) { return 1; } } 
@@ -1347,15 +1367,15 @@ ike_session_has_negoing_ph1 (ike_session_t *session) int ike_session_has_established_ph1 (ike_session_t *session) { - struct ph1handle *p; + phase1_handle_t *p; if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return 0; } - for (p = LIST_FIRST(&session->ikev1_state.ph1tree); p; p = LIST_NEXT(p, ph1ofsession_chain)) { - if (!p->is_dying && p->status == PHASE1ST_ESTABLISHED) { + LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { + if (!p->is_dying && FSM_STATE_IS_ESTABLISHED(p->status)) { return 1; } } @@ -1366,15 +1386,15 @@ ike_session_has_established_ph1 (ike_session_t *session) int ike_session_has_negoing_ph2 (ike_session_t *session) { - struct ph2handle *p; + phase2_handle_t *p; if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return 0; } - for (p = LIST_FIRST(&session->ikev1_state.ph2tree); p; p = LIST_NEXT(p, ph2ofsession_chain)) { - if (!p->is_dying && p->status >= PHASE2ST_START && p->status <= PHASE2ST_ESTABLISHED) { + LIST_FOREACH(p, &session->ph2tree, ph2ofsession_chain) { + if (!p->is_dying && FSM_STATE_IS_NEGOTIATING(p->status)) { return 1; } } @@ -1385,15 +1405,15 @@ ike_session_has_negoing_ph2 (ike_session_t *session) int ike_session_has_established_ph2 (ike_session_t *session) { - struct ph2handle *p; + phase2_handle_t *p; if (!session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return 0; } - for (p = LIST_FIRST(&session->ikev1_state.ph2tree); p; p = LIST_NEXT(p, ph2ofsession_chain)) { - if (!p->is_dying && p->status == PHASE2ST_ESTABLISHED) { + LIST_FOREACH(p, &session->ph2tree, ph2ofsession_chain) { + if (!p->is_dying && FSM_STATE_IS_ESTABLISHED(p->status)) { return 1; } } 
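Review bot: Replacing `p->status >= PHASE2ST_START && p->status <= PHASE2ST_ESTABLISHED` with `FSM_STATE_IS_NEGOTIATING(p->status)` in ike_session_has_negoing_ph2 (and likewise for ike_session_has_negoing_ph1 in the previous hunk) narrows the predicate if the macro excludes the established state, as its name suggests: the old range check counted established SAs too. ike_session_drop_rekey relies on `!ike_session_has_negoing_ph2(session)` to mean "no more ph2s" before dropping a ph1 rekey, so with the narrower predicate an idle VPN session with live IPsec SAs would drop its ISAKMP rekey and lose the ability to send DELETEs or DPD for them. If that caller wants the old meaning it should test `!ike_session_has_negoing_ph2(session) && !ike_session_has_established_ph2(session)`; the FSM_STATE_IS_NEGOTIATING definition is not visible here, so please confirm.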
@@ -1402,18 +1422,19 @@ ike_session_has_established_ph2 (ike_session_t *session) } void -ike_session_cleanup_ph1s_by_ph2 (struct ph2handle *iph2) +ike_session_cleanup_ph1s_by_ph2 (phase2_handle_t *iph2) { - struct ph1handle *iph1; + phase1_handle_t *iph1 = NULL; + phase1_handle_t *next_iph1 = NULL; if (!iph2 || !iph2->parent_session) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return; } // phase1 is no longer useful - for (iph1 = LIST_FIRST(&iph2->parent_session->ikev1_state.ph1tree); iph1; iph1 = LIST_NEXT(iph1, ph1ofsession_chain)) { - if (iph1->status == PHASE1ST_ESTABLISHED) { + LIST_FOREACH_SAFE(iph1, &iph2->parent_session->ph1tree, ph1ofsession_chain, next_iph1) { + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) { isakmp_info_send_d1(iph1); } isakmp_ph1expire(iph1); @@ -1421,7 +1442,7 @@ ike_session_cleanup_ph1s_by_ph2 (struct ph2handle *iph2) } int -ike_session_is_client_ph2_rekey (struct ph2handle *iph2) +ike_session_is_client_ph2_rekey (phase2_handle_t *iph2) { if (iph2->parent_session && iph2->parent_session->is_client && @@ -1433,7 +1454,7 @@ ike_session_is_client_ph2_rekey (struct ph2handle *iph2) } int -ike_session_is_client_ph1_rekey (struct ph1handle *iph1) +ike_session_is_client_ph1_rekey (phase1_handle_t *iph1) { if (iph1->parent_session && iph1->parent_session->is_client && 
@@ -1444,8 +1465,28 @@ ike_session_is_client_ph1_rekey (struct ph1handle *iph1) return 0; } +int +ike_session_is_client_ph1 (phase1_handle_t *iph1) +{ + if (iph1->parent_session && + iph1->parent_session->is_client) { + return 1; + } + return 0; +} + +int +ike_session_is_client_ph2 (phase2_handle_t *iph2) +{ + if (iph2->parent_session && + iph2->parent_session->is_client) { + return 1; + } + return 0; +} + void -ike_session_start_xauth_timer (struct ph1handle *iph1) +ike_session_start_xauth_timer (phase1_handle_t *iph1) { // if there are no more established ph2s, start a timer to teardown the session if (iph1->parent_session && @@ -1459,7 +1500,7 @@ ike_session_start_xauth_timer (struct ph1handle *iph1) } void -ike_session_stop_xauth_timer (struct ph1handle *iph1) +ike_session_stop_xauth_timer (phase1_handle_t *iph1) { if (iph1->parent_session) { SCHED_KILL(iph1->parent_session->sc_xauth); @@ -1487,7 +1528,7 @@ ike_session_is_id_ipany (vchar_t *ext_id) id_ptr->addr == 0) { return 1; } - plog(LLV_DEBUG2, LOCATION, NULL, "not ipany_ids in %s: type %d, addr %x, mask %x.\n", + plog(ASL_LEVEL_DEBUG, "not ipany_ids in %s: type %d, addr %x, mask %x.\n", __FUNCTION__, id_ptr->type, id_ptr->addr, id_ptr->mask); return 0; } @@ -1509,7 +1550,7 @@ ike_session_is_id_portany (vchar_t *ext_id) id_ptr->port == 0) { return 1; } - plog(LLV_DEBUG2, LOCATION, NULL, "not portany_ids in %s: type %d, port %x.\n", + plog(ASL_LEVEL_DEBUG, "not portany_ids in %s: type %d, port %x.\n", __FUNCTION__, id_ptr->type, id_ptr->port); return 0; } @@ -1551,8 +1592,8 @@ ike_session_cmp_ph2_ids_ipany (vchar_t *ext_id, * a variety of info saved in the older phase2. */ int -ike_session_cmp_ph2_ids (struct ph2handle *iph2, - struct ph2handle *older_ph2) +ike_session_cmp_ph2_ids (phase2_handle_t *iph2, + phase2_handle_t *older_ph2) { vchar_t *portany_id = NULL; vchar_t *portany_id_p = NULL; 
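Review bot: The new ike_session_is_client_ph1 / ike_session_is_client_ph2 helpers dereference `iph1`/`iph2` without a NULL check and carry no header comment, mirroring the adjacent _rekey variants. A short comment above each, e.g. `/* Returns 1 if iph1 belongs to a client-side session; iph1 must be non-NULL. */`, documents the contract callers must honour, or add `if (!iph1 || !iph1->parent_session) return 0;` if NULL is a legitimate input, matching the guards used elsewhere in this file.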
@@ -1661,78 +1702,71 @@ ike_session_cmp_ph2_ids (struct ph2handle *iph2, } int -ike_session_get_sainfo_r (struct ph2handle *iph2) +ike_session_get_sainfo_r (phase2_handle_t *iph2) { - if (iph2->parent_session && - iph2->parent_session->is_client && - iph2->id && iph2->id_p) { - struct ph2handle *p; - int ipany_ids = ike_session_cmp_ph2_ids_ipany(iph2->id, iph2->id_p); - plog(LLV_DEBUG2, LOCATION, NULL, "ipany_ids %d in %s.\n", ipany_ids, __FUNCTION__); - - for (p = LIST_FIRST(&iph2->parent_session->ikev1_state.ph2tree); p; p = LIST_NEXT(p, ph2ofsession_chain)) { - if (iph2 != p && !p->is_dying && p->status >= PHASE2ST_ESTABLISHED && - p->sainfo && !p->sainfo->to_delete && !p->sainfo->to_remove) { - plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 found in %s.\n", __FUNCTION__); - if (ipany_ids || - ike_session_cmp_ph2_ids(iph2, p) == 0) { - plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 matched in %s.\n", __FUNCTION__); - iph2->sainfo = p->sainfo; - if (iph2->sainfo) { - if (link_sainfo_to_ph2(iph2->sainfo) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to link sainfo\n"); - iph2->sainfo = NULL; - return -1; - } - } - if (!iph2->spid) { - iph2->spid = p->spid; - } else { - plog(LLV_DEBUG2, LOCATION, NULL, "%s: pre-assigned spid %d.\n", __FUNCTION__, iph2->spid); - } - if (p->ext_nat_id) { - if (iph2->ext_nat_id) { - vfree(iph2->ext_nat_id); - } - iph2->ext_nat_id = vdup(p->ext_nat_id); - } - if (p->ext_nat_id_p) { - if (iph2->ext_nat_id_p) { - vfree(iph2->ext_nat_id_p); - } - iph2->ext_nat_id_p = vdup(p->ext_nat_id_p); - } - return 0; - } - } - } - } - return -1; + if (iph2->parent_session && + iph2->parent_session->is_client && + iph2->id && iph2->id_p) { + phase2_handle_t *p; + int ipany_ids = ike_session_cmp_ph2_ids_ipany(iph2->id, iph2->id_p); + plog(ASL_LEVEL_DEBUG, "ipany_ids %d in %s.\n", ipany_ids, __FUNCTION__); + + LIST_FOREACH(p, &iph2->parent_session->ph2tree, ph2ofsession_chain) { + if (iph2 != p && !p->is_dying && 
FSM_STATE_IS_ESTABLISHED_OR_EXPIRED(p->status) && p->sainfo) { + plog(ASL_LEVEL_DEBUG, "candidate ph2 found in %s.\n", __FUNCTION__); + if (ipany_ids || + ike_session_cmp_ph2_ids(iph2, p) == 0) { + plog(ASL_LEVEL_DEBUG, "candidate ph2 matched in %s.\n", __FUNCTION__); + iph2->sainfo = p->sainfo; + if (iph2->sainfo) + retain_sainfo(iph2->sainfo); + if (!iph2->spid) { + iph2->spid = p->spid; + } else { + plog(ASL_LEVEL_DEBUG, "%s: pre-assigned spid %d.\n", __FUNCTION__, iph2->spid); + } + if (p->ext_nat_id) { + if (iph2->ext_nat_id) { + vfree(iph2->ext_nat_id); + } + iph2->ext_nat_id = vdup(p->ext_nat_id); + } + if (p->ext_nat_id_p) { + if (iph2->ext_nat_id_p) { + vfree(iph2->ext_nat_id_p); + } + iph2->ext_nat_id_p = vdup(p->ext_nat_id_p); + } + return 0; + } + } + } + } + return -1; } int -ike_session_get_proposal_r (struct ph2handle *iph2) +ike_session_get_proposal_r (phase2_handle_t *iph2) { if (iph2->parent_session && iph2->parent_session->is_client && iph2->id && iph2->id_p) { - struct ph2handle *p; + phase2_handle_t *p; int ipany_ids = ike_session_cmp_ph2_ids_ipany(iph2->id, iph2->id_p); - plog(LLV_DEBUG2, LOCATION, NULL, "ipany_ids %d in %s.\n", ipany_ids, __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "ipany_ids %d in %s.\n", ipany_ids, __FUNCTION__); - for (p = LIST_FIRST(&iph2->parent_session->ikev1_state.ph2tree); p; p = LIST_NEXT(p, ph2ofsession_chain)) { - if (iph2 != p && !p->is_dying && p->status >= PHASE2ST_ESTABLISHED && + LIST_FOREACH(p, &iph2->parent_session->ph2tree, ph2ofsession_chain) { + if (iph2 != p && !p->is_dying && FSM_STATE_IS_ESTABLISHED_OR_EXPIRED(p->status) && p->approval) { - plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 found in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "candidate ph2 found in %s.\n", __FUNCTION__); if (ipany_ids || ike_session_cmp_ph2_ids(iph2, p) == 0) { - plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 matched in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "candidate ph2 matched in %s.\n", __FUNCTION__); 
iph2->proposal = dupsaprop(p->approval, 1); if (!iph2->spid) { iph2->spid = p->spid; } else { - plog(LLV_DEBUG2, LOCATION, NULL, "%s: pre-assigned spid %d.\n", __FUNCTION__, iph2->spid); + plog(ASL_LEVEL_DEBUG, "%s: pre-assigned spid %d.\n", __FUNCTION__, iph2->spid); } return 0; } @@ -1743,7 +1777,7 @@ ike_session_get_proposal_r (struct ph2handle *iph2) } void -ike_session_update_natt_version (struct ph1handle *iph1) +ike_session_update_natt_version (phase1_handle_t *iph1) { if (iph1->parent_session) { if (iph1->natt_options) { @@ -1755,7 +1789,7 @@ ike_session_update_natt_version (struct ph1handle *iph1) } int -ike_session_get_natt_version (struct ph1handle *iph1) +ike_session_get_natt_version (phase1_handle_t *iph1) { if (iph1->parent_session) { return(iph1->parent_session->natt_version); @@ -1775,7 +1809,7 @@ ike_session_drop_rekey (ike_session_t *session, ike_session_rekey_type_t rekey_t time_t now = time(NULL); if ((now - session->last_time_data_sc_detected) > (session->traffic_monitor.interv_mon << 1)) { - plog(LLV_DEBUG2, LOCATION, NULL, "btmm session is idle: drop ph%drekey.\n", + plog(ASL_LEVEL_DEBUG, "btmm session is idle: drop ph%drekey.\n", rekey_type); return 1; } @@ -1783,7 +1817,7 @@ ike_session_drop_rekey (ike_session_t *session, ike_session_rekey_type_t rekey_t if (rekey_type == IKE_SESSION_REKEY_TYPE_PH1 && !ike_session_has_negoing_ph2(session)) { // for vpn: only drop ph1 if there are no more ph2s. - plog(LLV_DEBUG2, LOCATION, NULL, "vpn session is idle: drop ph1 rekey.\n"); + plog(ASL_LEVEL_DEBUG, "vpn session is idle: drop ph1 rekey.\n"); return 1; } } 
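Review bot: The rewritten candidate test in ike_session_get_sainfo_r, `FSM_STATE_IS_ESTABLISHED_OR_EXPIRED(p->status) && p->sainfo`, drops the old `!p->sainfo->to_delete && !p->sainfo->to_remove` conditions, so a responder can now inherit a sainfo that a configuration reload has already marked for removal and negotiate a fresh IPsec SA under a policy the administrator withdrew. If those flags were removed together with the link_sainfo_to_ph2 → retain_sainfo refcounting change this is fine and deserves a comment; if they still exist, restore the check as `p->sainfo && !p->sainfo->to_delete && !p->sainfo->to_remove`. The unchecked `iph2->proposal = dupsaprop(p->approval, 1);` in ike_session_get_proposal_r is pre-existing but still lets an allocation failure return 0 with a NULL proposal.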
@@ -1799,12 +1833,13 @@ ike_session_drop_rekey (ike_session_t *session, ike_session_rekey_type_t rekey_t void ike_session_sweep_sleepwake (void) { - ike_session_t *p; + ike_session_t *p = NULL; + ike_session_t *next_session = NULL; // flag session as dying if all ph1/ph2 are dead/dying - for (p = LIST_FIRST(&ike_session_tree); p; p = LIST_NEXT(p, chain)) { + LIST_FOREACH_SAFE(p, &ike_session_tree, chain, next_session) { if (p->is_dying) { - plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of dying session.\n"); + plog(ASL_LEVEL_DEBUG, "skipping sweep of dying session.\n"); continue; } SCHED_KILL(p->sc_xauth); 
@@ -1812,39 +1847,46 @@ ike_session_sweep_sleepwake (void) // for asserted session, traffic monitors will be restared after phase2 becomes established. SCHED_KILL(p->traffic_monitor.sc_mon); SCHED_KILL(p->traffic_monitor.sc_idle); - plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of asserted session.\n"); + plog(ASL_LEVEL_DEBUG, "skipping sweep of asserted session.\n"); continue; } - // cleanup any stopped sessions as they will go down - if (p->stopped_by_vpn_controller || p->stop_timestamp.tv_sec || p->stop_timestamp.tv_usec) { - plog(LLV_DEBUG2, LOCATION, NULL, "sweeping stopped session.\n"); + // cleanup any stopped sessions as they will go down + if (p->stopped_by_vpn_controller || p->stop_timestamp.tv_sec || p->stop_timestamp.tv_usec) { + plog(ASL_LEVEL_DEBUG, "sweeping stopped session.\n"); ike_session_cleanup(p, ike_session_stopped_by_sleepwake); continue; - } + } if (!ike_session_has_established_ph1(p) && !ike_session_has_established_ph2(p)) { - plog(LLV_DEBUG2, LOCATION, NULL, "session died while sleeping.\n"); + plog(ASL_LEVEL_DEBUG, "session died while sleeping.\n"); ike_session_cleanup(p, ike_session_stopped_by_sleepwake); + continue; } if (p->traffic_monitor.sc_mon) { - if (p->traffic_monitor.sc_mon->xtime <= swept_at) { - SCHED_KILL(p->traffic_monitor.sc_mon); - if (!p->is_dying && p->traffic_monitor.interv_mon) { - p->traffic_monitor.sc_mon = sched_new(p->traffic_monitor.interv_mon, + time_t xtime; + if (sched_get_time(p->traffic_monitor.sc_mon, &xtime)) { + if (xtime <= swept_at) { + SCHED_KILL(p->traffic_monitor.sc_mon); + if (!p->is_dying && p->traffic_monitor.interv_mon) { + p->traffic_monitor.sc_mon = sched_new(p->traffic_monitor.interv_mon, ike_session_traffic_cop, p); - } + } + } } } if (p->traffic_monitor.sc_idle) { - if (p->traffic_monitor.sc_idle->xtime <= swept_at) { - SCHED_KILL(p->traffic_monitor.sc_idle); - if (!p->is_dying && p->traffic_monitor.interv_idle) { - p->traffic_monitor.sc_idle = sched_new(p->traffic_monitor.interv_idle, + 
time_t xtime; + if (sched_get_time(p->traffic_monitor.sc_idle, &xtime)) { + if (xtime <= swept_at) { + SCHED_KILL(p->traffic_monitor.sc_idle); + if (!p->is_dying && p->traffic_monitor.interv_idle) { + p->traffic_monitor.sc_idle = sched_new(p->traffic_monitor.interv_idle, ike_session_cleanup_idle, p); - } + } + } } } } @@ -1858,31 +1900,31 @@ ike_session_sweep_sleepwake (void) int ike_session_assert_session (ike_session_t *session) { - struct ph2handle *iph2, *iph2_next; - struct ph1handle *iph1, *iph1_next; + phase2_handle_t *iph2 = NULL; + phase2_handle_t *iph2_next = NULL; + phase1_handle_t *iph1 = NULL; + phase1_handle_t *iph1_next = NULL; if (!session || session->is_dying) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__); return -1; } // the goal is to prepare the session for fresh rekeys by silently deleting the currently active phase2s - for (iph2 = LIST_FIRST(&session->ikev1_state.ph2tree); iph2; iph2 = iph2_next) { - // take next pointer now, since delete change the underlying ph2tree list - iph2_next = LIST_NEXT(iph2, ph2ofsession_chain); - if (!iph2->is_dying && iph2->status < PHASE2ST_EXPIRED) { + LIST_FOREACH_SAFE(iph2, &session->ph2tree, ph2ofsession_chain, iph2_next) { + if (!iph2->is_dying && !FSM_STATE_IS_EXPIRED(iph2->status)) { SCHED_KILL(iph2->sce); iph2->is_dying = 1; // delete SAs (in the kernel) - if (iph2->status == PHASE2ST_ESTABLISHED && iph2->approval) { + if (FSM_STATE_IS_ESTABLISHED(iph2->status) && iph2->approval) { struct saproto *pr; for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { if (pr->ok) { //log deletion - plog(LLV_DEBUG, LOCATION, NULL, - "assert: phase2 %s deleted\n", + plog(ASL_LEVEL_DEBUG, + "Assert: Phase 2 %s deleted\n", sadbsecas2str(iph2->src, iph2->dst, iph2->satype, iph2->spid, ipsecdoi2pfkey_mode(pr->encmode))); pfkey_send_delete(lcconf->sock_pfkey, 
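Review bot: The `continue;` added after `ike_session_cleanup(p, ike_session_stopped_by_sleepwake)` in the "session died while sleeping" branch is the behavioural fix of this hunk (presumably the cleanup can release `p`, which would also be why the loop became `LIST_FOREACH_SAFE` in the previous hunk), but nothing in the code says so; suggest `// ike_session_cleanup() may have released p; nothing below may touch it` on that line. The `sc_mon` and `sc_idle` blocks that follow are identical apart from the field, the interval and the callback, and would read better as one small static helper taking those three. When `sched_get_time()` fails for a non-NULL handle the timer is left untouched without a trace; a debug `plog` in that path would make a stuck monitor visible. The function continues past the end of the hunk.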
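Review bot: `!FSM_STATE_IS_EXPIRED(iph2->status)` is not the same predicate as the old `iph2->status < PHASE2ST_EXPIRED`: it also admits any state the FSM orders after EXPIRED, so such a handle would be marked dying and scheduled for deletion a second time; confirm no such state exists, or use a helper that expresses "not yet expired" rather than "not exactly expired". The same substitution is made for Phase 1 in the next hunk. The function's body runs past the end of this hunk.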
@@ -1893,28 +1935,26 @@ ike_session_assert_session (ike_session_t *session) } } - iph2->status = PHASE2ST_EXPIRED; // we want to delete SAs without telling the PEER + fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); // we want to delete SAs without telling the PEER iph2->sce = sched_new(3, ike_session_cleanup_ph2_stub, iph2); } } // the goal is to prepare the session for fresh rekeys by silently deleting the currently active phase1s - for (iph1 = LIST_FIRST(&session->ikev1_state.ph1tree); iph1; iph1 = iph1_next) { - // take next pointer now, since delete change the underlying ph1tree list - iph1_next = LIST_NEXT(iph1, ph1ofsession_chain); - if (!iph1->is_dying && iph1->status < PHASE1ST_EXPIRED) { + LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, iph1_next) { + if (!iph1->is_dying && !FSM_STATE_IS_EXPIRED(iph1->status)) { SCHED_KILL(iph1->sce); SCHED_KILL(iph1->sce_rekey); iph1->is_dying = 1; //log deletion - plog(LLV_DEBUG, LOCATION, NULL, - "assert: phase1 %s deleted\n", + plog(ASL_LEVEL_DEBUG, + "Assert: Phase 1 %s deleted\n", isakmp_pindex(&iph1->index, 0)); - ike_session_unbindph12_from_ph1(iph1); + ike_session_unbind_all_ph2_from_ph1(iph1); - iph1->status = PHASE1ST_EXPIRED; // we want to delete SAs without telling the PEER + fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_EXPIRED); // we want to delete SAs without telling the PEER /* responder sets up timer to delete old inbound SAs... say 7 secs later and flags them as rekeyed */ iph1->sce = sched_new(5, ike_session_cleanup_ph1_stub, iph1); } @@ -1931,7 +1971,7 @@ ike_session_assert (struct sockaddr_storage *local, ike_session_t *sess; if (!local || !remote) { - plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); return -1; } 
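Review bot: `ike_session_unbind_all_ph2_from_ph1(iph1)` is called here, but the function is introduced as `static` at the end of the file in the last ike_session.c hunk of this patch; unless a forward declaration was added earlier in the file outside this view, the call is an implicit declaration (a hard error under C99 rules and with `-Werror=implicit-function-declaration`). Add `static void ike_session_unbind_all_ph2_from_ph1(phase1_handle_t *);` near the top of the file, or move the definition above its first use. While touching `iph1->sce = sched_new(5, ike_session_cleanup_ph1_stub, iph1);`, the pre-existing comment above it still says "say 7 secs later"; make the comment and the constant agree.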
@@ -1942,14 +1982,14 @@ ike_session_assert (struct sockaddr_storage *local, } void -ike_session_ph2_retransmits (struct ph2handle *iph2) +ike_session_ph2_retransmits (phase2_handle_t *iph2) { int num_retransmits; if (!iph2->is_dying && iph2->is_rekey && iph2->ph1 && - iph2->ph1->sce_rekey && !iph2->ph1->sce_rekey->dead && + iph2->ph1->sce_rekey && !sched_is_dead(iph2->ph1->sce_rekey) && iph2->side == INITIATOR && iph2->parent_session && !iph2->parent_session->is_cisco_ipsec && /* not for Cisco */ @@ -1969,7 +2009,7 @@ ike_session_ph2_retransmits (struct ph2handle *iph2) * * in all these cases, one sure way to know is to trigger a phase1 rekey early. */ - plog(LLV_DEBUG2, LOCATION, NULL, "many phase2 retransmits: try phase1 rekey and this phase2 to quit earlier.\n"); + plog(ASL_LEVEL_DEBUG, "Many Phase 2 retransmits: try Phase 1 rekey and this Phase 2 to quit earlier.\n"); isakmp_ph1rekeyexpire(iph2->ph1, TRUE); iph2->retry_counter = 0; } 
@@ -1977,22 +2017,103 @@ ike_session_ph2_retransmits (struct ph2handle *iph2) } void -ike_session_ph1_retransmits (struct ph1handle *iph1) +ike_session_ph1_retransmits (phase1_handle_t *iph1) { int num_retransmits; if (!iph1->is_dying && iph1->is_rekey && !iph1->sce_rekey && - iph1->status >= PHASE1ST_START && iph1->status < PHASE1ST_ESTABLISHED && + FSM_STATE_IS_NEGOTIATING(iph1->status) && iph1->side == INITIATOR && iph1->parent_session && iph1->parent_session->is_client && !ike_session_has_other_negoing_ph1(iph1->parent_session, iph1)) { num_retransmits = iph1->rmconf->retry_counter - iph1->retry_counter; if (num_retransmits == 3) { - plog(LLV_DEBUG2, LOCATION, NULL, "many phase1 retransmits: try quit earlier.\n"); + plog(ASL_LEVEL_DEBUG, "Many Phase 1 retransmits: try quit earlier.\n"); iph1->retry_counter = 0; } } } + +static void +ike_session_bindph12(phase1_handle_t *iph1, phase2_handle_t *iph2) +{ + if (iph2->ph1) { + plog(ASL_LEVEL_ERR, "Phase 2 already bound %s.\n", __FUNCTION__); + } + iph2->ph1 = iph1; + LIST_INSERT_HEAD(&iph1->bound_ph2tree, iph2, ph1bind_chain); +} + +void +ike_session_unbindph12(phase2_handle_t *iph2) +{ + if (iph2->ph1 != NULL) { + iph2->ph1 = NULL; + LIST_REMOVE(iph2, ph1bind_chain); + } +} + +static void +ike_session_rebindph12(phase1_handle_t *new_ph1, phase2_handle_t *iph2) +{ + if (!new_ph1) { + return; + } + + // reconcile the ph1-to-ph2 binding + ike_session_unbindph12(iph2); + ike_session_bindph12(new_ph1, iph2); + // recalculate ivm since ph1 binding has changed + if (iph2->ivm != NULL) { + oakley_delivm(iph2->ivm); + if (FSM_STATE_IS_ESTABLISHED(new_ph1->status)) { + iph2->ivm = oakley_newiv2(new_ph1, iph2->msgid); + plog(ASL_LEVEL_DEBUG, "Phase 1-2 binding changed... 
recalculated ivm.\n"); + } else { + iph2->ivm = NULL; + } + } +} + +static void +ike_session_unbind_all_ph2_from_ph1 (phase1_handle_t *iph1) +{ + phase2_handle_t *p = NULL; + phase2_handle_t *next = NULL; + + LIST_FOREACH_SAFE(p, &iph1->bound_ph2tree, ph1bind_chain, next) { + ike_session_unbindph12(p); + } +} + +static void +ike_session_rebind_all_ph12_to_new_ph1 (phase1_handle_t *old_iph1, + phase1_handle_t *new_iph1) +{ + phase2_handle_t *p = NULL; + phase2_handle_t *next = NULL; + + if (old_iph1 == new_iph1 || !old_iph1 || !new_iph1) { + plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__); + return; + } + + if (old_iph1->parent_session != new_iph1->parent_session) { + plog(ASL_LEVEL_DEBUG, "Invalid parent sessions in %s.\n", __FUNCTION__); + return; + } + + LIST_FOREACH_SAFE(p, &old_iph1->bound_ph2tree, ph1bind_chain, next) { + if (p->parent_session != new_iph1->parent_session) { + plog(ASL_LEVEL_ERR, "Mismatched parent session in ph1bind replacement.\n"); + } + if (p->ph1 == new_iph1) { + plog(ASL_LEVEL_ERR, "Same Phase 2 in ph1bind replacement in %s.\n",__FUNCTION__); + } + ike_session_rebindph12(new_iph1, p); + } +} + diff --git a/ipsec-tools/racoon/ike_session.h b/ipsec-tools/racoon/ike_session.h index 87a8252..83a7fe6 100644 --- a/ipsec-tools/racoon/ike_session.h +++ b/ipsec-tools/racoon/ike_session.h @@ -27,14 +27,12 @@ #include #include #include -#include +#include #include +#include #include "handler.h" #include "ipsecSessionTracer.h" -#define IKE_VERSION_1 0x1 -#define IKE_VERSION_2 0x2 - typedef struct ike_session_id { struct sockaddr_storage local; struct sockaddr_storage remote; 
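Review bot: `ike_session_bindph12` logs "Phase 2 already bound" but then overwrites `iph2->ph1` and calls `LIST_INSERT_HEAD` anyway, so a ph2 that is already on another ph1's `bound_ph2tree` is linked into a second list through the same `ph1bind_chain` entry and the first list is left corrupted. Detach before re-linking: `if (iph2->ph1) { plog(ASL_LEVEL_ERR, "Phase 2 already bound %s.\n", __FUNCTION__); ike_session_unbindph12(iph2); }` (`ike_session_unbindph12` is non-static and declared in ike_session.h by this patch, so its position in the file does not matter). `ike_session_rebind_all_ph12_to_new_ph1` has the same shape: both `ASL_LEVEL_ERR` checks fall through and rebind regardless, so if they are real invariants they should `continue` after logging. In `ike_session_rebindph12` the "recalculated ivm" message is logged even when `oakley_newiv2` returned NULL; log after checking the result.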
@@ -48,20 +46,17 @@ typedef struct ike_session_ikev1 { /* list of ph1s */ int active_ph1cnt; int ph1cnt; /* the number which is negotiated for this session */ - LIST_HEAD(_ph1ofsession_, ph1handle) ph1tree; - /* list of ph2s */ int active_ph2cnt; int ph2cnt; /* the number which is negotiated for this session */ - LIST_HEAD(_ph2ofsession_, ph2handle) ph2tree; } ike_session_ikev1_t; typedef struct ike_session_sastats { int interv_mon; int interv_idle; int dir_idle; - struct sched *sc_mon; - struct sched *sc_idle; + schedule_ref sc_mon; + schedule_ref sc_idle; u_int32_t num_in_curr_req; u_int32_t num_in_last_poll; @@ -74,8 +69,8 @@ typedef struct ike_session_sastats { struct sastat out_last_poll[8]; } ike_sesssion_sastats_t; + struct ike_session { - u_int8_t version; /* mask of version flags */ u_int8_t mode; /* mode of protocol, see ipsec.h */ u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */ @@ -91,7 +86,7 @@ struct ike_session { int peer_sent_data_sc_idle:1; int i_sent_data_sc_dpd:1; int i_sent_data_sc_idle:1; - int is_client:1; + int is_client:1; time_t last_time_data_sc_detected; int controller_awaiting_peer_resp:1; int is_dying:1; @@ -108,10 +103,14 @@ struct ike_session { ike_session_stats_t stats; ike_sesssion_sastats_t traffic_monitor; - struct sched *sc_idle; - struct sched *sc_xauth; + schedule_ref sc_idle; + schedule_ref sc_xauth; + + LIST_HEAD(_ph1tree_, phase1handle) ph1tree; + LIST_HEAD(_ph2tree_, phase2handle) ph2tree; LIST_ENTRY(ike_session) chain; + }; typedef enum ike_session_rekey_type { 
@@ -125,52 +124,60 @@ extern const char * ike_session_stopped_by_controller_comm_lost;
 extern const char * ike_session_stopped_by_flush;
 extern const char * ike_session_stopped_by_sleepwake;
 extern const char * ike_session_stopped_by_assert;
-
-extern void ike_session_init __P((void));
-extern ike_session_t * ike_session_get_session __P((struct sockaddr_storage *, struct sockaddr_storage *, int));
-extern u_int ike_session_get_rekey_lifetime __P((int, u_int));
-extern void ike_session_update_mode __P((struct ph2handle *iph2));
-extern int ike_session_link_ph1_to_session __P((struct ph1handle *));
-extern int ike_session_link_ph2_to_session __P((struct ph2handle *));
-extern int ike_session_unlink_ph1_from_session __P((struct ph1handle *));
-extern int ike_session_unlink_ph2_from_session __P((struct ph2handle *));
-extern int ike_session_has_other_established_ph1 __P((ike_session_t *, struct ph1handle *));
-extern int ike_session_has_other_negoing_ph1 __P((ike_session_t *, struct ph1handle *));
-extern int ike_session_has_other_established_ph2 __P((ike_session_t *, struct ph2handle *));
-extern int ike_session_has_other_negoing_ph2 __P((ike_session_t *, struct ph2handle *));
-extern int ike_session_verify_ph2_parent_session __P((struct ph2handle *));
-extern struct ph1handle * ike_session_update_ph1_ph2tree __P((struct ph1handle *));
-extern struct ph1handle * ike_session_update_ph2_ph1bind __P((struct ph2handle *));
-extern void ike_session_ikev1_float_ports __P((struct ph1handle *));
-extern void ike_session_ph2_established __P((struct ph2handle *));
-extern void ike_session_cleanup_other_established_ph1s __P((ike_session_t *, struct ph1handle *));
-extern void ike_session_cleanup_other_established_ph2s __P((ike_session_t *, struct ph2handle *));
-extern void ike_session_stopped_by_controller __P((ike_session_t *, const char *));
-extern void ike_sessions_stopped_by_controller __P((struct sockaddr_storage *, int, const char *));
-extern void ike_session_purge_ph2s_by_ph1 __P((struct ph1handle *));
-extern struct ph1handle * ike_session_get_established_ph1 __P((ike_session_t *));
-extern void ike_session_update_ph2_ports __P((struct ph2handle *));
-extern u_int32_t ike_session_get_sas_for_stats __P((ike_session_t *, u_int8_t, u_int32_t *, struct sastat *, u_int32_t));
-extern void ike_session_update_traffic_idle_status __P((ike_session_t *, u_int32_t, struct sastat *, u_int32_t));
-extern void ike_session_cleanup __P((ike_session_t *, const char *));
-extern int ike_session_has_negoing_ph1 __P((ike_session_t *));
-extern int ike_session_has_established_ph1 __P((ike_session_t *));
-extern int ike_session_has_negoing_ph2 __P((ike_session_t *));
-extern int ike_session_has_established_ph2 __P((ike_session_t *));
-extern void ike_session_cleanup_ph1s_by_ph2 __P((struct ph2handle *));
-extern int ike_session_is_client_ph2_rekey __P((struct ph2handle *));
-extern int ike_session_is_client_ph1_rekey __P((struct ph1handle *));
-extern void ike_session_start_xauth_timer __P((struct ph1handle *));
-extern void ike_session_stop_xauth_timer __P((struct ph1handle *));
-extern int ike_session_get_sainfo_r __P((struct ph2handle *));
-extern int ike_session_get_proposal_r __P((struct ph2handle *));
-extern void ike_session_update_natt_version __P((struct ph1handle *));
-extern int ike_session_get_natt_version __P((struct ph1handle *));
-extern int ike_session_drop_rekey __P((ike_session_t *, ike_session_rekey_type_t));
-extern void ike_session_sweep_sleepwake __P((void));
-extern int ike_session_assert __P((struct sockaddr_storage *, struct sockaddr_storage *));
-extern int ike_session_assert_session __P((ike_session_t *));
-extern void ike_session_ph2_retransmits __P((struct ph2handle *));
-extern void ike_session_ph1_retransmits __P((struct ph1handle *));
+extern const char * ike_session_stopped_by_peer;
+
+extern void ike_session_init (void);
+extern ike_session_t * ike_session_create_session (ike_session_id_t *session_id);
+extern void ike_session_release_session (ike_session_t *session);
+extern ike_session_t * ike_session_get_session (struct sockaddr_storage *, struct sockaddr_storage *, int);
+extern u_int ike_session_get_rekey_lifetime (int, u_int);
+extern void ike_session_update_mode (phase2_handle_t *iph2);
+extern int ike_session_link_phase1 (ike_session_t *, phase1_handle_t *);
+extern int ike_session_link_phase2 (ike_session_t *, phase2_handle_t *);
+extern int ike_session_link_ph2_to_ph1 (phase1_handle_t *, phase2_handle_t *);
+extern int ike_session_unlink_phase1 (phase1_handle_t *);
+extern int ike_session_unlink_phase2 (phase2_handle_t *);
+extern int ike_session_has_other_established_ph1 (ike_session_t *, phase1_handle_t *);
+extern int ike_session_has_other_negoing_ph1 (ike_session_t *, phase1_handle_t *);
+extern int ike_session_has_other_established_ph2 (ike_session_t *, phase2_handle_t *);
+extern int ike_session_has_other_negoing_ph2 (ike_session_t *, phase2_handle_t *);
+extern phase1_handle_t * ike_session_update_ph1_ph2tree (phase1_handle_t *);
+extern phase1_handle_t * ike_session_update_ph2_ph1bind (phase2_handle_t *);
+extern void ike_session_ikev1_float_ports (phase1_handle_t *);
+extern void ike_session_ph2_established (phase2_handle_t *);
+extern void ike_session_replace_other_ph1 (phase1_handle_t *, phase1_handle_t *);
+extern void ike_session_cleanup_other_established_ph1s (ike_session_t *, phase1_handle_t *);
+extern void ike_session_cleanup_other_established_ph2s (ike_session_t *, phase2_handle_t *);
+extern void ike_session_stopped_by_controller (ike_session_t *, const char *);
+extern void ike_sessions_stopped_by_controller (struct sockaddr_storage *, int, const char *);
+extern void ike_session_purge_ph2s_by_ph1 (phase1_handle_t *);
+extern phase1_handle_t * ike_session_get_established_ph1 (ike_session_t *);
+extern phase1_handle_t * ike_session_get_established_or_negoing_ph1 (ike_session_t *);
+extern void ike_session_update_ph2_ports (phase2_handle_t *);
+extern u_int32_t ike_session_get_sas_for_stats (ike_session_t *, u_int8_t, u_int32_t *, struct sastat *, u_int32_t);
+extern void ike_session_update_traffic_idle_status (ike_session_t *, u_int32_t, struct sastat *, u_int32_t);
+extern void ike_session_cleanup (ike_session_t *, const char *);
+extern int ike_session_has_negoing_ph1 (ike_session_t *);
+extern int ike_session_has_established_ph1 (ike_session_t *);
+extern int ike_session_has_negoing_ph2 (ike_session_t *);
+extern int ike_session_has_established_ph2 (ike_session_t *);
+extern void ike_session_cleanup_ph1s_by_ph2 (phase2_handle_t *);
+extern int ike_session_is_client_ph2_rekey (phase2_handle_t *);
+extern int ike_session_is_client_ph1_rekey (phase1_handle_t *);
+extern int ike_session_is_client_ph1 (phase1_handle_t *);
+extern int ike_session_is_client_ph2 (phase2_handle_t *);
+extern void ike_session_start_xauth_timer (phase1_handle_t *);
+extern void ike_session_stop_xauth_timer (phase1_handle_t *);
+extern int ike_session_get_sainfo_r (phase2_handle_t *);
+extern int ike_session_get_proposal_r (phase2_handle_t *);
+extern void ike_session_update_natt_version (phase1_handle_t *);
+extern int ike_session_get_natt_version (phase1_handle_t *);
+extern int ike_session_drop_rekey (ike_session_t *, ike_session_rekey_type_t);
+extern void ike_session_sweep_sleepwake (void);
+extern int ike_session_assert (struct sockaddr_storage *, struct sockaddr_storage *);
+extern int ike_session_assert_session (ike_session_t *);
+extern void ike_session_unbindph12(phase2_handle_t *);
+extern void ike_session_ph2_retransmits (phase2_handle_t *);
+extern void ike_session_ph1_retransmits (phase1_handle_t *);
 
 #endif /* _IKE_SESSION_H */
diff --git a/ipsec-tools/racoon/ikev2_ike_sa_rfc.c b/ipsec-tools/racoon/ikev2_ike_sa_rfc.c
new file mode 100644
index 0000000..d88c3ac
--- /dev/null
+++ b/ipsec-tools/racoon/ikev2_ike_sa_rfc.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "config.h"
+
diff --git a/ipsec-tools/racoon/ikev2_ike_sa_rfc.h b/ipsec-tools/racoon/ikev2_ike_sa_rfc.h
new file mode 100644
index 0000000..71e63d7
--- /dev/null
+++ b/ipsec-tools/racoon/ikev2_ike_sa_rfc.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
diff --git a/ipsec-tools/racoon/ikev2_info_rfc.c b/ipsec-tools/racoon/ikev2_info_rfc.c
new file mode 100644
index 0000000..0887408
--- /dev/null
+++ b/ipsec-tools/racoon/ikev2_info_rfc.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2012, 2013 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_info_rfc.h b/ipsec-tools/racoon/ikev2_info_rfc.h
new file mode 100644
index 0000000..71e63d7
--- /dev/null
+++ b/ipsec-tools/racoon/ikev2_info_rfc.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
diff --git a/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c b/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c
new file mode 100644
index 0000000..5dd0807
--- /dev/null
+++ b/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2012, 2013 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h b/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h
new file mode 100644
index 0000000..71e63d7
--- /dev/null
+++ b/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
diff --git a/ipsec-tools/racoon/ikev2_rfc.c b/ipsec-tools/racoon/ikev2_rfc.c
new file mode 100644
index 0000000..64751fe
--- /dev/null
+++ b/ipsec-tools/racoon/ikev2_rfc.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_rfc.h b/ipsec-tools/racoon/ikev2_rfc.h
new file mode 100644
index 0000000..da4ea49
--- /dev/null
+++ b/ipsec-tools/racoon/ikev2_rfc.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * (RFC4306)
+ * http://www.iana.org/assignments/ikev2-parameters
+ */
+
diff --git a/ipsec-tools/racoon/ikev2_sessresume_rfc.c b/ipsec-tools/racoon/ikev2_sessresume_rfc.c
new file mode 100644
index 0000000..64751fe
--- /dev/null
+++ b/ipsec-tools/racoon/ikev2_sessresume_rfc.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_sessresume_rfc.h b/ipsec-tools/racoon/ikev2_sessresume_rfc.h
new file mode 100644
index 0000000..71e63d7
--- /dev/null
+++ b/ipsec-tools/racoon/ikev2_sessresume_rfc.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
diff --git a/ipsec-tools/racoon/ipsecSessionTracer.c b/ipsec-tools/racoon/ipsecSessionTracer.c
index 5884aaa..8ce74a9 100644
--- a/ipsec-tools/racoon/ipsecSessionTracer.c
+++ b/ipsec-tools/racoon/ipsecSessionTracer.c
@@ -41,15 +41,15 @@ const char * const ipsecSessionEventStrings[IPSECSESSIONEVENTCODE_MAX] = { CONST
 CONSTSTR("IKE Packet: transmit failed"),
 CONSTSTR("IKE Packet: receive success"),
 CONSTSTR("IKE Packet: receive failed"),
-CONSTSTR("IKEv1 Phase1 Initiator: success"),
-CONSTSTR("IKEv1 Phase1 Initiator: failed"),
-CONSTSTR("IKEv1 Phase1 Initiator: dropped"),
-CONSTSTR("IKEv1 Phase1 Responder: success"),
-CONSTSTR("IKEv1 Phase1 Responder: failed"),
-CONSTSTR("IKEv1 Phase1 Responder: drop"),
-CONSTSTR("IKEv1 Phase1: maximum retransmits"),
-CONSTSTR("IKEv1 Phase1 AUTH: success"),
-CONSTSTR("IKEv1 Phase1 AUTH: failed"),
+CONSTSTR("IKEv1 Phase 1 Initiator: success"),
+CONSTSTR("IKEv1 Phase 1 Initiator: failed"),
+CONSTSTR("IKEv1 Phase 1 Initiator: dropped"),
+CONSTSTR("IKEv1 Phase 1 Responder: success"),
+CONSTSTR("IKEv1 Phase 1 Responder: failed"),
+CONSTSTR("IKEv1 Phase 1 Responder: drop"),
+CONSTSTR("IKEv1 Phase 1: maximum retransmits"),
+CONSTSTR("IKEv1 Phase 1 AUTH: success"),
+CONSTSTR("IKEv1 Phase 1 AUTH: failed"),
 CONSTSTR("IKEv1 Dead-Peer-Detection: request transmitted"),
 CONSTSTR("IKEv1 Dead-Peer-Detection: response received"),
 CONSTSTR("IKEv1 Dead-Peer-Detection: request retransmitted"),
@@ -64,15 +64,15 @@ const char * const ipsecSessionEventStrings[IPSECSESSIONEVENTCODE_MAX] = { CONST CONSTSTR("IKEv1 XAUTH: success"), CONSTSTR("IKEv1 XAUTH: failed"), CONSTSTR("IKEv1 XAUTH: dropped"), - CONSTSTR("IKEv1 Phase2 Initiator: success"), - CONSTSTR("IKEv1 Phase2 Initiator: failed"), - CONSTSTR("IKEv1 Phase2 Initiator: dropped"), - CONSTSTR("IKEv1 Phase2 Responder: success"), - CONSTSTR("IKEv1 Phase2 Responder: fail"), - CONSTSTR("IKEv1 Phase2 Responder: drop"), - CONSTSTR("IKEv1 Phase2: maximum retransmits"), - CONSTSTR("IKEv1 Phase2 AUTH: success"), - CONSTSTR("IKEv1 Phase2 AUTH: failed"), + CONSTSTR("IKEv1 Phase 2 Initiator: success"), + CONSTSTR("IKEv1 Phase 2 Initiator: failed"), + CONSTSTR("IKEv1 Phase 2 Initiator: dropped"), + CONSTSTR("IKEv1 Phase 2 Responder: success"), + CONSTSTR("IKEv1 Phase 2 Responder: fail"), + CONSTSTR("IKEv1 Phase 2 Responder: drop"), + CONSTSTR("IKEv1 Phase 2: maximum retransmits"), + CONSTSTR("IKEv1 Phase 2 AUTH: success"), + CONSTSTR("IKEv1 Phase 2 AUTH: failed"), CONSTSTR("IKEv1 Information-Notice: transmit success"), CONSTSTR("IKEv1 Information-Notice: transmit failed"), CONSTSTR("IKEv1 Information-Notice: receive success"), @@ -80,7 +80,7 @@ const char * const ipsecSessionEventStrings[IPSECSESSIONEVENTCODE_MAX] = { CONST }; /* tells us if we can ignore the failure_reason passed into the event tracer */ -const int const ipsecSessionEventIgnoreReason[IPSECSESSIONEVENTCODE_MAX] = {TRUE/* index place holder */, +const int ipsecSessionEventIgnoreReason[IPSECSESSIONEVENTCODE_MAX] = {TRUE/* index place holder */, TRUE, TRUE, TRUE, @@ -248,7 +248,7 @@ ipsecSessionTracerEvent (ike_session_t *session, ipsecSessionEventCode_t eventCo if (failure_reason) { if (!session->term_reason && !ipsecSessionEventIgnoreReason[eventCode]) { - session->term_reason = failure_reason; + session->term_reason = (char*)failure_reason; } } 
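Review bot: The cast in `session->term_reason = (char*)failure_reason;` (the -248 hunk) silences a qualifier warning rather than resolving it: `failure_reason` is presumably a `const char *` given the cast, and if `term_reason` is ever written through or freed, discarding the qualifier is undefined behaviour. If the field only ever holds a borrowed string, declare `term_reason` as `const char *` in `ike_session_t` and drop the cast; if the tracer needs to own the text, `strdup()` it here and release it when the session is torn down. ipsecSessionTracerEvent's body starts and ends outside the hunk, so how `term_reason` is released is not visible here.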
@@ -351,12 +351,12 @@ ipsecSessionTracerStop (ike_session_t *session, int caused_by_failure, const cha CONSTSTR("IKE Packets Receive Failure-Rate Statistic"), get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC])); } - if (session->version == IKE_VERSION_1) { + //if (session->version == IKE_VERSION_1) { if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT] || session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL] || session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]) { ipsecSessionTracerLogFailureRate(session, - CONSTSTR("IKE Phase1 Failure-Rate Statistic"), + CONSTSTR("IKE Phase 1 Failure-Rate Statistic"), get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT] + session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL] + session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]), 
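Review bot: Commenting out the guard as `//if (session->version == IKE_VERSION_1) {` here, with the matching `//}` in the -440 hunk, makes the IKEv1 phase 1/phase 2 failure-rate statistics run for every session regardless of `session->version` while leaving the old condition behind as dead text. If the version gate is no longer wanted, delete both lines and re-indent the block; if it is only disabled for now, replace the commented-out `if` with a one-line comment giving the reason so the next reader does not reinstate it by accident. ipsecSessionTracerStop starts and ends outside these hunks.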
@@ -365,17 +365,17 @@ ipsecSessionTracerStop (ike_session_t *session, int caused_by_failure, const cha } if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL]) { ipsecSessionTracerLogFailureRate(session, - CONSTSTR("IKE Phase1 Initiator Failure-Rate Statistic"), + CONSTSTR("IKE Phase 1 Initiator Failure-Rate Statistic"), get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC])); } if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]) { ipsecSessionTracerLogFailureRate(session, - CONSTSTR("IKE Phase1 Responder Failure-Rate Statistic"), + CONSTSTR("IKE Phase 1 Responder Failure-Rate Statistic"), get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC])); } if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL]) { ipsecSessionTracerLogFailureRate(session, - CONSTSTR("IKE Phase1 Authentication Failure-Rate Statistic"), + CONSTSTR("IKE Phase 1 Authentication Failure-Rate Statistic"), get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC])); } if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT]) { 
@@ -408,7 +408,7 @@ ipsecSessionTracerStop (ike_session_t *session, int caused_by_failure, const cha session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL] || session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]) { ipsecSessionTracerLogFailureRate(session, - CONSTSTR("IKE Phase2 Failure-Rate Statistic"), + CONSTSTR("IKE Phase 2 Failure-Rate Statistic"), get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT] + session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL] + session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]), 
@@ -417,17 +417,17 @@ ipsecSessionTracerStop (ike_session_t *session, int caused_by_failure, const cha } if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL]) { ipsecSessionTracerLogFailureRate(session, - CONSTSTR("IKE Phase2 Initiator Failure-Rate Statistic"), + CONSTSTR("IKE Phase 2 Initiator Failure-Rate Statistic"), get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC])); } if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]) { ipsecSessionTracerLogFailureRate(session, - CONSTSTR("IKE Phase2 Responder Failure-Rate Statistic"), + CONSTSTR("IKE Phase 2 Responder Failure-Rate Statistic"), get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_SUCC])); } if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_FAIL]) { ipsecSessionTracerLogFailureRate(session, - CONSTSTR("IKE Phase2 Authentication Failure-Rate Statistics"), + CONSTSTR("IKE Phase 2 Authentication Failure-Rate Statistics"), get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_SUCC])); } if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL]) { @@ -440,7 +440,7 @@ ipsecSessionTracerStop (ike_session_t *session, int caused_by_failure, const cha CONSTSTR("IKE Information-Notice Receive Failure-Rate Statistic"), get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_SUCC])); } - } + //} } void diff --git a/ipsec-tools/racoon/ipsec_doi.c b/ipsec-tools/racoon/ipsec_doi.c index 877c446..8fe1460 100644 --- a/ipsec-tools/racoon/ipsec_doi.c +++ b/ipsec-tools/racoon/ipsec_doi.c 
@@ -86,55 +86,46 @@ #ifdef ENABLE_NATT #include "nattraversal.h" #endif +#include "ikev2_rfc.h" + #ifdef ENABLE_HYBRID static int switch_authmethod(int); #endif -#ifdef HAVE_GSSAPI -#include -#include "gssapi.h" -#ifdef HAVE_ICONV_2ND_CONST -#define __iconv_const const -#else -#define __iconv_const -#endif -#endif - int verbose_proposal_check = 1; -static vchar_t *get_ph1approval __P((struct ph1handle *, struct prop_pair **)); -static struct isakmpsa *get_ph1approvalx __P((struct prop_pair *, - struct isakmpsa *, struct isakmpsa *, int)); -static void print_ph1mismatched __P((struct prop_pair *, struct isakmpsa *)); -static int t2isakmpsa __P((struct isakmp_pl_t *, struct isakmpsa *)); -static int cmp_aproppair_i __P((struct prop_pair *, struct prop_pair *)); -static struct prop_pair *get_ph2approval __P((struct ph2handle *, - struct prop_pair **)); -static struct prop_pair *get_ph2approvalx __P((struct ph2handle *, - struct prop_pair *)); -static void free_proppair0 __P((struct prop_pair *)); - -static int get_transform - __P((struct isakmp_pl_p *, struct prop_pair **, int *)); -static u_int32_t ipsecdoi_set_ld __P((vchar_t *)); - -static int check_doi __P((u_int32_t)); -static int check_situation __P((u_int32_t)); - -static int check_prot_main __P((int)); -static int check_prot_quick __P((int)); -static int (*check_protocol[]) __P((int)) = { +static vchar_t *get_ph1approval (phase1_handle_t *, struct prop_pair **); +void print_ph1mismatched (struct prop_pair *, struct isakmpsa *); +static int t2isakmpsa (struct isakmp_pl_t *, struct isakmpsa *); +static int cmp_aproppair_i (struct prop_pair *, struct prop_pair *); +static struct prop_pair *get_ph2approval (phase2_handle_t *, + struct prop_pair **); +static struct prop_pair *get_ph2approvalx (phase2_handle_t *, + struct prop_pair *); +static void free_proppair0 (struct prop_pair *); + +static int get_transform (struct isakmp_pl_p *, struct prop_pair **, int *); +static u_int32_t ipsecdoi_set_ld (vchar_t *); + 
+static int check_doi (u_int32_t); +static int check_situation (u_int32_t); + +static int check_prot_main (int); +static int check_prot_quick (int); +static int (*check_protocol[]) (int) = { check_prot_main, /* IPSECDOI_TYPE_PH1 */ check_prot_quick, /* IPSECDOI_TYPE_PH2 */ + NULL, /* IPSECDOI_TYPE_IKEV2_PH1 */ + NULL, /* IPSECDOI_TYPE_IKEV2_PH2 */ }; -static int check_spi_size __P((int, int)); +int check_spi_size (int, int); -static int check_trns_isakmp __P((int)); -static int check_trns_ah __P((int)); -static int check_trns_esp __P((int)); -static int check_trns_ipcomp __P((int)); -static int (*check_transform[]) __P((int)) = { +static int check_trns_isakmp (int); +static int check_trns_ah (int); +static int check_trns_esp (int); +static int check_trns_ipcomp (int); +static int (*check_transform[]) (int) = { 0, check_trns_isakmp, /* IPSECDOI_PROTO_ISAKMP */ check_trns_ah, /* IPSECDOI_PROTO_IPSEC_AH */ @@ -142,12 +133,12 @@ static int (*check_transform[]) __P((int)) = { check_trns_ipcomp, /* IPSECDOI_PROTO_IPCOMP */ }; -static int check_attr_isakmp __P((struct isakmp_pl_t *)); -static int check_attr_ah __P((struct isakmp_pl_t *)); -static int check_attr_esp __P((struct isakmp_pl_t *)); -static int check_attr_ipsec __P((int, struct isakmp_pl_t *)); -static int check_attr_ipcomp __P((struct isakmp_pl_t *)); -static int (*check_attributes[]) __P((struct isakmp_pl_t *)) = { +static int check_attr_isakmp (struct isakmp_pl_t *); +static int check_attr_ah (struct isakmp_pl_t *); +static int check_attr_esp (struct isakmp_pl_t *); +static int check_attr_ipsec (int, struct isakmp_pl_t *); +static int check_attr_ipcomp (struct isakmp_pl_t *); +static int (*check_attributes[]) (struct isakmp_pl_t *) = { 0, check_attr_isakmp, /* IPSECDOI_PROTO_ISAKMP */ check_attr_ah, /* IPSECDOI_PROTO_IPSEC_AH */ 
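Review bot: The two `NULL` slots appended to `check_protocol[]` for `IPSECDOI_TYPE_IKEV2_PH1`/`_PH2` mean that get_proppair's per-proposal guard `if (!check_protocol[mode])` (the -1372 hunk) logs "unsupported mode" and skips every proposal when called with an IKEv2 mode, so the IKEv2 header branch added to get_proppair in the -1305 hunk can never produce a proposal pair unless IKEv2 SAs are parsed by a different path. Either an IKEv2 protocol check belongs in those slots, or the array should carry a comment such as `/* IKEv2 modes: no protocol-id check here; IKEv2 SAs are not parsed via get_proppair */` if that rejection is deliberate. Separately, `check_spi_size`, `print_ph1mismatched` and `setph1prop` are now non-static but still prototyped inside this .c file; the declarations should move to the header so external callers and this definition cannot drift apart.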
@@ -155,18 +146,14 @@ static int (*check_attributes[]) __P((struct isakmp_pl_t *)) = { check_attr_ipcomp, /* IPSECDOI_PROTO_IPCOMP */ }; -static int setph1prop __P((struct isakmpsa *, caddr_t)); -static int setph1trns __P((struct isakmpsa *, caddr_t)); -static int setph1attr __P((struct isakmpsa *, caddr_t)); -static vchar_t *setph2proposal0 __P((const struct ph2handle *, - const struct saprop *, const struct saproto *)); +int setph1prop (phase1_handle_t *, caddr_t); +static int setph1trns (struct isakmpsa *, caddr_t); +static int setph1attr (struct isakmpsa *, caddr_t); +static vchar_t *setph2proposal0 (const phase2_handle_t *, + const struct saprop *, const struct saproto *); -static vchar_t *getidval __P((int, vchar_t *)); +static vchar_t *getidval (int, vchar_t *); -#ifdef HAVE_GSSAPI -static struct isakmpsa *fixup_initiator_sa __P((struct isakmpsa *, - struct isakmpsa *)); -#endif /*%%%*/ /* @@ -181,7 +168,7 @@ static struct isakmpsa *fixup_initiator_sa __P((struct isakmpsa *, int ipsecdoi_checkph1proposal(sa, iph1) vchar_t *sa; - struct ph1handle *iph1; + phase1_handle_t *iph1; { vchar_t *newsa; /* new SA payload approved. */ struct prop_pair **pair; @@ -210,7 +197,7 @@ ipsecdoi_checkph1proposal(sa, iph1) */ static vchar_t * get_ph1approval(iph1, pair) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct prop_pair **pair; { vchar_t *newsa; @@ -259,12 +246,12 @@ get_ph1approval(iph1, pair) } } } - plog(LLV_ERROR, LOCATION, NULL, "no suitable proposal found.\n"); + plog(ASL_LEVEL_ERR, "no suitable proposal found.\n"); return NULL; found: - plog(LLV_DEBUG, LOCATION, NULL, "an acceptable proposal found.\n"); + plog(ASL_LEVEL_DEBUG, "an acceptable proposal found.\n"); /* check DH group settings */ if (sa->dhgrp) { @@ -272,7 +259,7 @@ found: /* it's ok */ goto saok; } - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "invalid DH parameter found, use default.\n"); oakley_dhgrp_free(sa->dhgrp); sa->dhgrp=NULL; 
@@ -285,36 +272,9 @@ found: } saok: -#ifdef HAVE_GSSAPI - if (sa->gssid != NULL) - plog(LLV_DEBUG, LOCATION, NULL, "gss id in new sa '%.*s'\n", - (int)sa->gssid->l, sa->gssid->v); - if (iph1-> side == INITIATOR) { - if (iph1->rmconf->proposal->gssid != NULL) - iph1->gi_i = vdup(iph1->rmconf->proposal->gssid); - if (tsa.gssid != NULL) - iph1->gi_r = vdup(tsa.gssid); - iph1->approval = fixup_initiator_sa(sa, &tsa); - } else { - if (tsa.gssid != NULL) { - iph1->gi_r = vdup(tsa.gssid); - iph1->gi_i = gssapi_get_id(iph1); - if (sa->gssid == NULL && iph1->gi_i != NULL) - sa->gssid = vdup(iph1->gi_i); - } - iph1->approval = sa; - } - if (iph1->gi_i != NULL) - plog(LLV_DEBUG, LOCATION, NULL, "GIi is %.*s\n", - (int)iph1->gi_i->l, iph1->gi_i->v); - if (iph1->gi_r != NULL) - plog(LLV_DEBUG, LOCATION, NULL, "GIr is %.*s\n", - (int)iph1->gi_r->l, iph1->gi_r->v); -#else iph1->approval = sa; -#endif if(iph1->approval) { - plog(LLV_DEBUG, LOCATION, NULL, "agreed on %s auth.\n", + plog(ASL_LEVEL_DEBUG, "agreed on %s auth.\n", s_oakley_attr_method(iph1->approval->authmethod)); } @@ -333,7 +293,7 @@ saok: * p : one of peer's proposal. * proposal: my proposals. */ -static struct isakmpsa * +struct isakmpsa * get_ph1approvalx(p, proposal, sap, check_level) struct prop_pair *p; struct isakmpsa *proposal, *sap; @@ -345,12 +305,12 @@ get_ph1approvalx(p, proposal, sap, check_level) int authmethod; int tsap_authmethod; - plog(LLV_DEBUG, LOCATION, NULL, - "prop#=%d, prot-id=%s, spi-size=%d, #trns=%d\n", - prop->p_no, s_ipsecdoi_proto(prop->proto_id), - prop->spi_size, prop->num_t); + plog(ASL_LEVEL_DEBUG, + "prop#=%d, prot-id=%s, spi-size=%d, #trns=%d\n", + prop->p_no, s_ipsecdoi_proto(prop->proto_id), + prop->spi_size, prop->num_t); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "trns#=%d, trns-id=%s\n", trns->t_no, s_ipsecdoi_trns(prop->proto_id, trns->t_id)); 
@@ -368,29 +328,31 @@ get_ph1approvalx(p, proposal, sap, check_level) authmethod = s->authmethod; tsap_authmethod = tsap->authmethod; #endif - plog(LLV_DEBUG, LOCATION, NULL, "Compared: DB:Peer\n"); - plog(LLV_DEBUG, LOCATION, NULL, "(lifetime = %ld:%ld)\n", + plog(ASL_LEVEL_DEBUG, "Compared: DB:Peer\n"); + plog(ASL_LEVEL_DEBUG, "(version = %d:%d)\n", + s->version, tsap->version); + plog(ASL_LEVEL_DEBUG, "(lifetime = %ld:%ld)\n", (long)s->lifetime, (long)tsap->lifetime); - plog(LLV_DEBUG, LOCATION, NULL, "(lifebyte = %zu:%zu)\n", + plog(ASL_LEVEL_DEBUG, "(lifebyte = %zu:%zu)\n", s->lifebyte, tsap->lifebyte); - plog(LLV_DEBUG, LOCATION, NULL, "enctype = %s:%s\n", + plog(ASL_LEVEL_DEBUG, "enctype = %s:%s\n", s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG, s->enctype), s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG, tsap->enctype)); - plog(LLV_DEBUG, LOCATION, NULL, "(encklen = %d:%d)\n", + plog(ASL_LEVEL_DEBUG, "(encklen = %d:%d)\n", s->encklen, tsap->encklen); - plog(LLV_DEBUG, LOCATION, NULL, "hashtype = %s:%s\n", + plog(ASL_LEVEL_DEBUG, "hashtype = %s:%s\n", s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG, s->hashtype), s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG, tsap->hashtype)); - plog(LLV_DEBUG, LOCATION, NULL, "authmethod = %s:%s\n", + plog(ASL_LEVEL_DEBUG, "authmethod = %s:%s\n", s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD, s->authmethod), s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD, tsap->authmethod)); - plog(LLV_DEBUG, LOCATION, NULL, "dh_group = %s:%s\n", + plog(ASL_LEVEL_DEBUG, "dh_group = %s:%s\n", s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC, s->dh_group), s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC, @@ -407,8 +369,10 @@ get_ph1approvalx(p, proposal, sap, check_level) (tsap->authmethod == authmethod || tsap_authmethod == authmethod) && tsap->hashtype == s->hashtype && tsap->dh_group == s->dh_group && - tsap->encklen == s->encklen) { + tsap->encklen == s->encklen && + tsap->version == s->version) { switch(check_level) { + case PROP_CHECK_IKEV2: case PROP_CHECK_OBEY: goto found; break; 
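Review bot: The new `case PROP_CHECK_IKEV2:` shares `goto found` with `PROP_CHECK_OBEY`, so at the IKEv2 check level the first transform matching on algorithms and the new `version` comparison is accepted without whatever additional checks the other levels apply further down (outside the hunk), and nothing records whether that is deliberate. A comment on the new case stating the reason — for instance that the IKEv2 path handles lifetimes separately, if that is the case — would make the intent reviewable. get_ph1approvalx starts and ends outside the hunk.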
@@ -436,7 +400,7 @@ get_ph1approvalx(p, proposal, sap, check_level) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unexpected proposal_check value\n"); continue; break; @@ -485,7 +449,7 @@ found: * p : one of peer's proposal. * proposal: my proposals. */ -static void +void print_ph1mismatched(p, proposal) struct prop_pair *p; struct isakmpsa *proposal; @@ -497,7 +461,7 @@ print_ph1mismatched(p, proposal) return; for (s = proposal; s ; s = s->next) { if (sa.enctype != s->enctype) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "rejected enctype: " "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = " "%s:%s\n", @@ -509,7 +473,7 @@ print_ph1mismatched(p, proposal) sa.enctype)); } if (sa.authmethod != s->authmethod) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "rejected authmethod: " "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = " "%s:%s\n", @@ -521,7 +485,7 @@ print_ph1mismatched(p, proposal) sa.authmethod)); } if (sa.hashtype != s->hashtype) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "rejected hashtype: " "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = " "%s:%s\n", @@ -532,8 +496,23 @@ print_ph1mismatched(p, proposal) s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG, sa.hashtype)); } + if (sa.prf != s->prf || + sa.prfklen != s->prfklen) { + plog(ASL_LEVEL_ERR, + "rejected prf: " + "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = " + "%s.%d:%s.%d\n", + s->prop_no, s->trns_no, + p->prop->p_no, p->trns->t_no, + s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG, + s->prf), + s->prfklen, + s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG, + sa.prf), + sa.prfklen); + } if (sa.dh_group != s->dh_group) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "rejected dh_group: " "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = " "%s:%s\n", 
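Review bot: The new `prf`/`prfklen` mismatch report in print_ph1mismatched has no counterpart in the acceptance test of get_ph1approvalx (the -407 hunk compares authmethod, hashtype, dh_group, encklen and version), so unless prf is compared on the lines above that hunk, a peer transform with a different PRF would be accepted there yet reported as "rejected prf" here. The two functions should agree on which fields decide a match. The log line also renders `s->prf` and `sa.prf` with `s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG, ...)`; that is correct only if PRF identifiers reuse the hash-algorithm enumeration, which a short comment on the call should state. print_ph1mismatched starts outside the hunk.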
@@ -586,7 +565,7 @@ t2isakmpsa(trns, sa) type = ntohs(d->type) & ~ISAKMP_GEN_MASK; flag = ntohs(d->type) & ISAKMP_GEN_MASK; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "type=%s, flag=0x%04x, lorv=%s\n", s_oakley_attr(type), flag, s_oakley_attr_v(type, ntohs(d->lorv))); @@ -606,7 +585,7 @@ t2isakmpsa(trns, sa) } else { /*TLV*/ len = ntohs(d->lorv); if (len > tlen) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid ISAKMP-SA attr, attr-len %d, overall-len %d\n", len, tlen); return -1; @@ -707,7 +686,7 @@ t2isakmpsa(trns, sa) if (!prev || (ntohs(prev->type) & ~ISAKMP_GEN_MASK) != OAKLEY_ATTR_SA_LD_TYPE) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "life duration must follow ltype\n"); break; } @@ -717,7 +696,7 @@ t2isakmpsa(trns, sa) sa->lifetime = ipsecdoi_set_ld(val); vfree(val); if (sa->lifetime == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid life duration.\n"); goto err; } @@ -726,14 +705,14 @@ t2isakmpsa(trns, sa) sa->lifebyte = ipsecdoi_set_ld(val); vfree(val); if (sa->lifebyte == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid life duration.\n"); goto err; } break; default: vfree(val); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid life type: %d\n", life_t); goto err; } @@ -743,7 +722,7 @@ t2isakmpsa(trns, sa) { int len = ntohs(d->lorv); if (len % 8 != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "keylen %d: not multiple of 8\n", len); goto err; 
@@ -760,103 +739,6 @@ t2isakmpsa(trns, sa) case OAKLEY_ATTR_GRP_ORDER: sa->dhgrp->order = val; break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_GSS_ID: - { - int error = -1; - iconv_t cd = (iconv_t) -1; - size_t srcleft, dstleft, rv; - __iconv_const char *src; - char *dst; - int len = ntohs(d->lorv); - - /* - * Older verions of racoon just placed the - * ISO-Latin-1 string on the wire directly. - * Check to see if we are configured to be - * compatible with this behavior. - */ - if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) { - if ((sa->gssid = vmalloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate memory\n"); - goto out; - } - memcpy(sa->gssid->v, d + 1, len); - plog(LLV_DEBUG, LOCATION, NULL, - "received old-style gss " - "id '%.*s' (len %zu)\n", - (int)sa->gssid->l, sa->gssid->v, - sa->gssid->l); - error = 0; - goto out; - } - - /* - * For Windows 2000 compatibility, we expect - * the GSS ID attribute on the wire to be - * encoded in UTF-16LE. Internally, we work - * in ISO-Latin-1. Therefore, we should need - * 1/2 the specified length, which should always - * be a multiple of 2 octets. - */ - cd = iconv_open("latin1", "utf-16le"); - if (cd == (iconv_t) -1) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to initialize utf-16le -> latin1 " - "conversion descriptor: %s\n", - strerror(errno)); - goto out; - } - - if ((sa->gssid = vmalloc(len / 2)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate memory\n"); - goto out; - } - - src = (__iconv_const char *)(d + 1); - srcleft = len; - - dst = sa->gssid->v; - dstleft = len / 2; - - rv = iconv(cd, (__iconv_const char **)&src, &srcleft, - &dst, &dstleft); - if (rv != 0) { - if (rv == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to convert GSS ID from " - "utf-16le -> latin1: %s\n", - strerror(errno)); - } else { - plog(LLV_ERROR, LOCATION, NULL, - "%zd character%s in GSS ID cannot " - "be represented in latin1\n", - rv, rv == 1 ? 
"" : "s"); - } - goto out; - } - - /* XXX dstleft should always be 0; assert it? */ - sa->gssid->l = (len / 2) - dstleft; - - plog(LLV_DEBUG, LOCATION, NULL, - "received gss id '%.*s' (len %zu)\n", - (int)sa->gssid->l, sa->gssid->v, sa->gssid->l); - - error = 0; -out: - if (cd != (iconv_t)-1) - (void)iconv_close(cd); - - if ((error != 0) && (sa->gssid != NULL)) { - vfree(sa->gssid); - sa->gssid = NULL; - } - break; - } -#endif /* HAVE_GSSAPI */ default: break; @@ -876,7 +758,7 @@ out: if (keylen) { if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "keylen must not be specified " "for encryption algorithm %d\n", sa->enctype); @@ -900,7 +782,7 @@ err: */ int ipsecdoi_selectph2proposal(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct prop_pair **pair; struct prop_pair *ret; @@ -935,7 +817,7 @@ ipsecdoi_selectph2proposal(iph2) */ int ipsecdoi_checkph2proposal(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct prop_pair **rpair = NULL, **spair = NULL; struct prop_pair *p; @@ -946,7 +828,7 @@ ipsecdoi_checkph2proposal(iph2) /* get proposal pair of SA sent. */ spair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2); if (spair == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get prop pair.\n"); goto end; } @@ -956,7 +838,7 @@ ipsecdoi_checkph2proposal(iph2) /* get proposal pair of SA replayed */ rpair = get_proppair(iph2->sa_ret, IPSECDOI_TYPE_PH2); if (rpair == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get prop pair.\n"); goto end; } 
@@ -971,30 +853,30 @@ ipsecdoi_checkph2proposal(iph2) } } if (num == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no proposal received.\n"); goto end; } if (num != 1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "some proposals received.\n"); goto end; } if (spair[n] == NULL) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "invalid proposal number:%d received.\n", i); } if (rpair[n]->tnext != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "multi transforms replyed.\n"); goto end; } if (cmp_aproppair_i(rpair[n], spair[n])) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "proposal mismathed.\n"); goto end; } @@ -1054,14 +936,14 @@ cmp_aproppair_i(a, b) } if (!r) { /* no suitable transform found */ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no suitable transform found.\n"); return -1; } /* compare prop */ if (p->prop->p_no != r->prop->p_no) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "proposal #%d mismatched, " "expected #%d.\n", r->prop->p_no, p->prop->p_no); @@ -1069,14 +951,14 @@ cmp_aproppair_i(a, b) } if (p->prop->proto_id != r->prop->proto_id) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "proto_id mismathed: my:%d peer:%d\n", r->prop->proto_id, p->prop->proto_id); return -1; } if (p->prop->proto_id != r->prop->proto_id) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid spi size: %d.\n", p->prop->proto_id); return -1; 
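Review bot: The second `if (p->prop->proto_id != r->prop->proto_id)` in the -1069 hunk repeats the condition tested immediately above it, so its "invalid spi size: %d" branch can never execute; the message and its argument suggest it was meant to compare the SPI sizes, presumably `if (p->prop->spi_size != r->prop->spi_size) {` with `p->prop->spi_size` as the logged value. This is pre-existing, but the hunk touches the line and it means a reply whose proposal carries a different SPI size than the one sent is currently not caught here. cmp_aproppair_i starts and ends outside the hunk.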
@@ -1084,19 +966,19 @@ cmp_aproppair_i(a, b) /* check #of transforms */ if (p->prop->num_t != 1) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "#of transform is %d, " "but expected 1.\n", p->prop->num_t); /*FALLTHROUGH*/ } if (p->trns->t_id != r->trns->t_id) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "transform number has been modified.\n"); /*FALLTHROUGH*/ } if (p->trns->reserved != r->trns->reserved) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "reserved field should be zero.\n"); /*FALLTHROUGH*/ } @@ -1104,14 +986,14 @@ cmp_aproppair_i(a, b) /* compare attribute */ len = ntohs(r->trns->h.len) - sizeof(*p->trns); if (memcmp(p->trns + 1, r->trns + 1, len) != 0) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "attribute has been modified.\n"); /*FALLTHROUGH*/ } } if ((p && !q) || (!p && q)) { /* # of protocols mismatched */ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "#of protocols mismatched.\n"); return -1; } @@ -1125,7 +1007,7 @@ cmp_aproppair_i(a, b) */ static struct prop_pair * get_ph2approval(iph2, pair) - struct ph2handle *iph2; + phase2_handle_t *iph2; struct prop_pair **pair; { struct prop_pair *ret; @@ -1133,15 +1015,15 @@ get_ph2approval(iph2, pair) iph2->approval = NULL; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "begin compare proposals.\n"); for (i = 0; i < MAXPROPPAIRLEN; i++) { if (pair[i] == NULL) continue; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pair[%d]: %p\n", i, pair[i]); - print_proppair(LLV_DEBUG, pair[i]);; + print_proppair(ASL_LEVEL_DEBUG, pair[i]);; /* compare proposal and select one */ ret = get_ph2approvalx(iph2, pair[i]); @@ -1151,7 +1033,7 @@ get_ph2approval(iph2, pair) } } - plog(LLV_ERROR, LOCATION, NULL, "no suitable policy found.\n"); + plog(ASL_LEVEL_ERR, "no suitable policy found.\n"); return NULL; } 
@@ -1162,7 +1044,7 @@ get_ph2approval(iph2, pair) */ static struct prop_pair * get_ph2approvalx(iph2, pp) - struct ph2handle *iph2; + phase2_handle_t *iph2; struct prop_pair *pp; { struct prop_pair *ret = NULL; @@ -1175,18 +1057,18 @@ get_ph2approvalx(iph2, pp) for (q1 = pr0; q1; q1 = q1->next) { for (q2 = iph2->proposal; q2; q2 = q2->next) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "peer's single bundle:\n"); - printsaprop0(LLV_DEBUG, q1); - plog(LLV_DEBUG, LOCATION, NULL, + printsaprop0(ASL_LEVEL_DEBUG, q1); + plog(ASL_LEVEL_DEBUG, "my single bundle:\n"); - printsaprop0(LLV_DEBUG, q2); + printsaprop0(ASL_LEVEL_DEBUG, q2); pr = cmpsaprop_alloc(iph2->ph1, q1, q2, iph2->side); if (pr != NULL) goto found; - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "not matched\n"); } } @@ -1197,7 +1079,7 @@ err: found: flushsaprop(pr0); - plog(LLV_DEBUG, LOCATION, NULL, "matched\n"); + plog(ASL_LEVEL_DEBUG, "matched\n"); iph2->approval = pr; { @@ -1229,7 +1111,7 @@ found: n = racoon_calloc(1, sizeof(struct prop_pair)); if (n == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer.\n"); goto err; } 
@@ -1305,36 +1187,42 @@ get_proppair(sa, mode) int tlen; caddr_t bp; int i; - struct ipsecdoi_sa_b *sab = ALIGNED_CAST(struct ipsecdoi_sa_b *)sa->v; - plog(LLV_DEBUG, LOCATION, NULL, "total SA len=%zu\n", sa->l); - plogdump(LLV_DEBUG, sa->v, sa->l); + //plogdump(ASL_LEVEL_DEBUG, sa->v, sa->l, "total SA len=%zu\n", sa->l); - /* check SA payload size */ - if (sa->l < sizeof(*sab)) { - plog(LLV_ERROR, LOCATION, NULL, - "Invalid SA length = %zu.\n", sa->l); - goto bad; - } + if (mode == IPSECDOI_TYPE_PH1 || mode == IPSECDOI_TYPE_PH2) { + // IKEv1 + struct ipsecdoi_sa_b *sab = ALIGNED_CAST(__typeof__(sab))sa->v; - /* check DOI */ - if (check_doi(ntohl(sab->doi)) < 0) - goto bad; - /* check SITUATION */ - if (check_situation(ntohl(sab->sit)) < 0) - goto bad; + /* check SA payload size */ + if (sa->l < sizeof(*sab)) { + plog(ASL_LEVEL_ERR, + "Invalid SA length = %zu.\n", sa->l); + goto bad; + } + + /* check DOI */ + if (check_doi(ntohl(sab->doi)) < 0) + goto bad; + + /* check SITUATION */ + if (check_situation(ntohl(sab->sit)) < 0) + goto bad; + + bp = (caddr_t)(sab + 1); + tlen = sa->l - sizeof(*sab); + } else { + bp = (__typeof__(bp))sa->v; + tlen = sa->l; + } pair = racoon_calloc(1, MAXPROPPAIRLEN * sizeof(*pair)); if (pair == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer.\n"); goto bad; } - memset(pair, 0, sizeof(pair)); - - bp = (caddr_t)(sab + 1); - tlen = sa->l - sizeof(*sab); { struct isakmp_pl_p *prop; @@ -1351,7 +1239,7 @@ get_proppair(sa, mode) pa++) { /* check the value of next payload */ if (pa->type != ISAKMP_NPTYPE_P) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid payload type=%u\n", pa->type); vfree(pbuf); goto bad; 
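Review bot: The new non-IKEv1 branch of get_proppair sets `bp = (__typeof__(bp))sa->v; tlen = sa->l;` without a minimum-length check, while the IKEv1 branch still rejects `sa->l < sizeof(*sab)` before touching the header; unless the proposal loop below the hunk bounds every read by `tlen`, a truncated SA payload from the peer is parsed past its end on the IKEv2 path. Adding `if (tlen < sizeof(struct isakmp_pl_p)) goto bad;` to the else branch keeps the two paths equally defensive. The `//plogdump(...)` line is commented-out code and should be removed or restored rather than kept as a comment. get_proppair starts and ends outside the hunk.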
@@ -1360,11 +1248,11 @@ get_proppair(sa, mode) prop = (struct isakmp_pl_p *)pa->ptr; proplen = pa->len; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "proposal #%u len=%d\n", prop->p_no, proplen); if (proplen == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proposal with length %d\n", proplen); vfree(pbuf); goto bad; @@ -1372,7 +1260,7 @@ get_proppair(sa, mode) /* check Protocol ID */ if (!check_protocol[mode]) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unsupported mode %d\n", mode); continue; } @@ -1403,8 +1291,8 @@ get_proppair(sa, mode) if (!pair[i]) continue; - plog(LLV_DEBUG, LOCATION, NULL, "pair %d:\n", i); - print_proppair(LLV_DEBUG, pair[i]); + plog(ASL_LEVEL_DEBUG, "pair %d:\n", i); + print_proppair(ASL_LEVEL_DEBUG, pair[i]); notrans = nprop = 0; for (p = pair[i]; p; p = p->next) { @@ -1422,7 +1310,7 @@ get_proppair(sa, mode) * with multiple proposals. this should be fixed. */ if (pair[i]->next) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "proposal #%u ignored " "(multiple proposal not supported)\n", pair[i]->prop->p_no); @@ -1438,7 +1326,7 @@ get_proppair(sa, mode) pair[i] = NULL; num_p--; } else { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "proposal #%u: %d transform\n", pair[i]->prop->p_no, nprop); } @@ -1447,7 +1335,7 @@ get_proppair(sa, mode) /* bark if no proposal is found. */ if (num_p <= 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no Proposal found.\n"); goto bad; } @@ -1497,7 +1385,7 @@ get_transform(prop, pair, num_p) /* check the value of next payload */ if (pa->type != ISAKMP_NPTYPE_T) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid payload type=%u\n", pa->type); break; } 
@@ -1505,18 +1393,18 @@ get_transform(prop, pair, num_p) trns = (struct isakmp_pl_t *)pa->ptr; trnslen = pa->len; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "transform #%u len=%u\n", trns->t_no, trnslen); /* check transform ID */ if (prop->proto_id >= ARRAYLEN(check_transform)) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "unsupported proto_id %u\n", prop->proto_id); continue; } if (prop->proto_id >= ARRAYLEN(check_attributes)) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "unsupported proto_id %u\n", prop->proto_id); continue; @@ -1524,7 +1412,7 @@ get_transform(prop, pair, num_p) if (!check_transform[prop->proto_id] || !check_attributes[prop->proto_id]) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "unsupported proto_id %u\n", prop->proto_id); continue; @@ -1538,7 +1426,7 @@ get_transform(prop, pair, num_p) p = racoon_calloc(1, sizeof(*p)); if (p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer.\n"); vfree(pbuf); return -1; @@ -1570,12 +1458,12 @@ get_transform(prop, pair, num_p) /* * make a new SA payload from prop_pair. - * NOTE: this function make spi value clear. + * NOTE: this function clears the spi value. */ vchar_t * get_sabyproppair(pair, iph1) struct prop_pair *pair; - struct ph1handle *iph1; + phase1_handle_t *iph1; { vchar_t *newsa; int newtlen; @@ -1584,7 +1472,11 @@ get_sabyproppair(pair, iph1) int prophlen, trnslen; caddr_t bp; - newtlen = sizeof(struct ipsecdoi_sa_b); + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + newtlen = sizeof(struct ipsecdoi_sa_b); + } else { + newtlen = 0; + } for (p = pair; p; p = p->next) { newtlen += sizeof(struct isakmp_pl_p); newtlen += p->prop->spi_size; 
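Review bot: On the non-IKEv1 side the new branch leaves `newtlen == 0` when `pair` is empty, and the -1593 hunk then calls `vmalloc(newtlen)` and stores `((struct isakmp_gen *)bp)->len = htons(newtlen);` through the result, so if `vmalloc(0)` hands back a usable object that store lands outside the allocation. That `len` store also precedes the IKEv1-only header block introduced in the -1593 hunk, so for IKEv2 it stamps a generic header into the bytes the first proposal payload will occupy — harmless only if the loop below overwrites them. Rejecting an empty `pair` before the size computation (`if (pair == NULL) return NULL;`, assuming no caller relies on an empty SA payload) and moving the `len` assignment into the IKEv1 block would close both gaps. get_sabyproppair's body continues outside the hunks.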
@@ -1593,17 +1485,19 @@ get_sabyproppair(pair, iph1) newsa = vmalloc(newtlen); if (newsa == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "failed to get newsa.\n"); + plog(ASL_LEVEL_ERR, "failed to get newsa.\n"); return NULL; } bp = newsa->v; ((struct isakmp_gen *)bp)->len = htons(newtlen); - /* update some of values in SA header */ - (ALIGNED_CAST(struct ipsecdoi_sa_b *)bp)->doi = htonl(iph1->rmconf->doitype); - (ALIGNED_CAST(struct ipsecdoi_sa_b *)bp)->sit = htonl(iph1->rmconf->sittype); - bp += sizeof(struct ipsecdoi_sa_b); + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + /* update some of values in SA header */ + (ALIGNED_CAST(struct ipsecdoi_sa_b *)bp)->doi = htonl(iph1->rmconf->doitype); + (ALIGNED_CAST(struct ipsecdoi_sa_b *)bp)->sit = htonl(iph1->rmconf->sittype); + bp += sizeof(struct ipsecdoi_sa_b); + } /* create proposal payloads */ for (p = pair; p; p = p->next) { @@ -1639,7 +1533,7 @@ get_sabyproppair(pair, iph1) */ int ipsecdoi_updatespi(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct prop_pair **pair, *p; struct saprop *pp; @@ -1743,7 +1637,7 @@ get_sabysaprop(pp0, sa0) newsa = vmalloc(newtlen); if (newsa == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "failed to get newsa.\n"); + plog(ASL_LEVEL_ERR, "failed to get newsa.\n"); goto out; } bp = newsa->v; @@ -1828,7 +1722,7 @@ ipsecdoi_set_ld(buf) ld = ntohl(*ALIGNED_CAST(u_int32_t *)buf->v); break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "length %zu of life duration " "isn't supported.\n", buf->l); return 0; @@ -1849,7 +1743,7 @@ check_doi(doi) case IPSEC_DOI: return 0; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid value of DOI 0x%08x.\n", doi); return -1; } 
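Review bot: The `((struct isakmp_gen *)bp)->len = htons(newtlen);` write is placed before the new version branch, so on the non-IKEv1 path it lands where the first proposal header will go rather than in an SA header, and when `pair` is NULL that path arrives with `newtlen == 0` (the preceding hunk starts the count at 0 for non-IKEv1) and writes four bytes into a zero-length `vmalloc` buffer. Moving the assignment inside the `if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1)` block and rejecting an empty list up front, `if (pair == NULL) return NULL;`, closes both; if the IKEv2 caller wraps this buffer in its own header, no generic length belongs here at all. Whether the proposal loop later overwrites that slot is outside this hunk, so I cannot confirm the stray write is otherwise harmless.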
@@ -1869,12 +1763,12 @@ check_situation(sit) case IPSECDOI_SIT_SECRECY: case IPSECDOI_SIT_INTEGRITY: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "situation 0x%08x unsupported yet.\n", sit); return -1; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid situation 0x%08x.\n", sit); return -1; } @@ -1893,7 +1787,7 @@ check_prot_main(proto_id) return 0; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Illegal protocol id=%u.\n", proto_id); return -1; } @@ -1916,14 +1810,14 @@ check_prot_quick(proto_id) return 0; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid protocol id %d.\n", proto_id); return -1; } /* NOT REACHED */ } -static int +int check_spi_size(proto_id, size) int proto_id, size; { @@ -1931,7 +1825,7 @@ check_spi_size(proto_id, size) case IPSECDOI_PROTO_ISAKMP: if (size != 0) { /* WARNING */ - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "SPI size isn't zero, but IKE proposal.\n"); } return 0; @@ -1939,7 +1833,7 @@ check_spi_size(proto_id, size) case IPSECDOI_PROTO_IPSEC_AH: case IPSECDOI_PROTO_IPSEC_ESP: if (size != 4) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid SPI size=%d for IPSEC proposal.\n", size); return -1; @@ -1948,7 +1842,7 @@ check_spi_size(proto_id, size) case IPSECDOI_PROTO_IPCOMP: if (size != 2 && size != 4) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid SPI size=%d for IPCOMP proposal.\n", size); return -1; @@ -1973,7 +1867,7 @@ check_trns_isakmp(t_id) case IPSECDOI_KEY_IKE: return 0; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid transform-id=%u in proto_id=%u.\n", t_id, IPSECDOI_KEY_IKE); return -1; 
@@ -1996,11 +1890,11 @@ check_trns_ah(t_id) case IPSECDOI_AH_SHA512: return 0; case IPSECDOI_AH_DES: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "not support transform-id=%u in AH.\n", t_id); return -1; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid transform-id=%u in AH.\n", t_id); return -1; } @@ -2029,11 +1923,11 @@ check_trns_esp(t_id) case IPSECDOI_ESP_IDEA: case IPSECDOI_ESP_3IDEA: case IPSECDOI_ESP_RC4: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "not support transform-id=%u in ESP.\n", t_id); return -1; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid transform-id=%u in ESP.\n", t_id); return -1; } @@ -2053,7 +1947,7 @@ check_trns_ipcomp(t_id) case IPSECDOI_IPCOMP_LZS: return 0; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid transform-id=%u in IPCOMP.\n", t_id); return -1; } @@ -2080,7 +1974,7 @@ check_attr_isakmp(trns) flag = ntohs(d->type) & ISAKMP_GEN_MASK; lorv = ntohs(d->lorv); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "type=%s, flag=0x%04x, lorv=%s\n", s_oakley_attr(type), flag, s_oakley_attr_v(type, lorv)); @@ -2100,7 +1994,7 @@ check_attr_isakmp(trns) case OAKLEY_ATTR_KEY_LEN: case OAKLEY_ATTR_FIELD_SIZE: if (!flag) { /* TLV*/ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "oakley attribute %d must be TV.\n", type); return -1; @@ -2110,7 +2004,7 @@ check_attr_isakmp(trns) /* sanity check for TLV. length must be specified. */ if (!flag && lorv == 0) { /*TLV*/ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid length %d for TLV attribute %d.\n", lorv, type); return -1; @@ -2119,7 +2013,7 @@ check_attr_isakmp(trns) switch (type) { case OAKLEY_ATTR_ENC_ALG: if (!alg_oakley_encdef_ok(lorv)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalied encryption algorithm=%d.\n", lorv); return -1; 
@@ -2128,7 +2022,7 @@ check_attr_isakmp(trns) case OAKLEY_ATTR_HASH_ALG: if (!alg_oakley_hashdef_ok(lorv)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalied hash algorithm=%d.\n", lorv); return -1; @@ -2164,12 +2058,12 @@ check_attr_isakmp(trns) #endif case OAKLEY_ATTR_AUTH_METHOD_RSAENC: case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "auth method %s isn't supported.\n", s_oakley_attr_method(lorv)); return -1; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid auth method %d.\n", lorv); return -1; @@ -2178,7 +2072,7 @@ check_attr_isakmp(trns) case OAKLEY_ATTR_GRP_DESC: if (!alg_oakley_dhdef_ok(lorv)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid DH group %d.\n", lorv); return -1; @@ -2190,7 +2084,7 @@ check_attr_isakmp(trns) case OAKLEY_ATTR_GRP_TYPE_MODP: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unsupported DH group type %d.\n", lorv); return -1; @@ -2205,7 +2099,7 @@ check_attr_isakmp(trns) case OAKLEY_ATTR_GRP_GEN_TWO: case OAKLEY_ATTR_GRP_CURVE_A: case OAKLEY_ATTR_GRP_CURVE_B: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "attr type=%u isn't supported.\n", type); return -1; @@ -2215,7 +2109,7 @@ check_attr_isakmp(trns) case OAKLEY_ATTR_SA_LD_TYPE_KB: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid life type %d.\n", lorv); return -1; } @@ -2230,7 +2124,7 @@ check_attr_isakmp(trns) break; case OAKLEY_ATTR_FIELD_SIZE: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "attr type=%u isn't supported.\n", type); return -1; @@ -2241,7 +2135,7 @@ check_attr_isakmp(trns) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid attribute type %d.\n", type); return -1; } 
@@ -2297,7 +2191,7 @@ check_attr_ipsec(proto_id, trns) flag = ntohs(d->type) & ISAKMP_GEN_MASK; lorv = ntohs(d->lorv); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "type=%s, flag=0x%04x, lorv=%s\n", s_ipsecdoi_attr(type), flag, s_ipsecdoi_attr_v(type, lorv)); @@ -2308,7 +2202,7 @@ check_attr_ipsec(proto_id, trns) switch (type) { case IPSECDOI_ATTR_ENC_MODE: if (! flag) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "must be TV when ENC_MODE.\n"); return -1; } @@ -2322,12 +2216,12 @@ check_attr_ipsec(proto_id, trns) case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC: case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT: case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT: - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "UDP encapsulation requested\n"); break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encryption mode=%u.\n", lorv); return -1; @@ -2336,7 +2230,7 @@ check_attr_ipsec(proto_id, trns) case IPSECDOI_ATTR_AUTH: if (! flag) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "must be TV when AUTH.\n"); return -1; } @@ -2346,7 +2240,7 @@ check_attr_ipsec(proto_id, trns) if (proto_id == IPSECDOI_PROTO_IPSEC_AH && trns->t_id != IPSECDOI_AH_MD5) { ahmismatch: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "auth algorithm %u conflicts " "with transform %u.\n", lorv, trns->t_id); @@ -2379,12 +2273,12 @@ ahmismatch: break; case IPSECDOI_ATTR_AUTH_DES_MAC: case IPSECDOI_ATTR_AUTH_KPDK: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "auth algorithm %u isn't supported.\n", lorv); return -1; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid auth algorithm=%u.\n", lorv); return -1; @@ -2393,7 +2287,7 @@ ahmismatch: case IPSECDOI_ATTR_SA_LD_TYPE: if (! flag) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "must be TV when LD_TYPE.\n"); return -1; } 
@@ -2403,7 +2297,7 @@ ahmismatch: case IPSECDOI_ATTR_SA_LD_TYPE_KB: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid life type %d.\n", lorv); return -1; } @@ -2412,12 +2306,12 @@ ahmismatch: case IPSECDOI_ATTR_SA_LD: if (flag) { /* i.e. ISAKMP_GEN_TV */ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "life duration was in TLV.\n"); } else { /* i.e. ISAKMP_GEN_TLV */ if (lorv == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid length of LD\n"); return -1; } @@ -2426,13 +2320,13 @@ ahmismatch: case IPSECDOI_ATTR_GRP_DESC: if (! flag) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "must be TV when GRP_DESC.\n"); return -1; } if (!alg_oakley_dhdef_ok(lorv)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid group description=%u.\n", lorv); return -1; @@ -2441,7 +2335,7 @@ ahmismatch: case IPSECDOI_ATTR_KEY_LENGTH: if (! flag) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "must be TV when KEY_LENGTH.\n"); return -1; } @@ -2450,12 +2344,12 @@ ahmismatch: case IPSECDOI_ATTR_KEY_ROUNDS: case IPSECDOI_ATTR_COMP_DICT_SIZE: case IPSECDOI_ATTR_COMP_PRIVALG: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "attr type=%u isn't supported.\n", type); return -1; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid attribute type %d.\n", type); return -1; } @@ -2473,7 +2367,7 @@ ahmismatch: if (proto_id == IPSECDOI_PROTO_IPSEC_AH && !attrseen[IPSECDOI_ATTR_AUTH]) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "attr AUTH must be present for AH.\n"); return -1; } @@ -2481,7 +2375,7 @@ ahmismatch: if (proto_id == IPSECDOI_PROTO_IPSEC_ESP && trns->t_id == IPSECDOI_ESP_NULL && !attrseen[IPSECDOI_ATTR_AUTH]) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "attr AUTH must be present for ESP NULL encryption.\n"); return -1; } 
@@ -2508,7 +2402,7 @@ check_attr_ipcomp(trns) flag = ntohs(d->type) & ISAKMP_GEN_MASK; lorv = ntohs(d->lorv); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "type=%d, flag=0x%04x, lorv=0x%04x\n", type, flag, lorv); @@ -2518,7 +2412,7 @@ check_attr_ipcomp(trns) switch (type) { case IPSECDOI_ATTR_ENC_MODE: if (! flag) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "must be TV when ENC_MODE.\n"); return -1; } @@ -2532,12 +2426,12 @@ check_attr_ipcomp(trns) case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC: case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT: case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT: - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "UDP encapsulation requested\n"); break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encryption mode=%u.\n", lorv); return -1; @@ -2546,7 +2440,7 @@ check_attr_ipcomp(trns) case IPSECDOI_ATTR_SA_LD_TYPE: if (! flag) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "must be TV when LD_TYPE.\n"); return -1; } @@ -2556,7 +2450,7 @@ check_attr_ipcomp(trns) case IPSECDOI_ATTR_SA_LD_TYPE_KB: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid life type %d.\n", lorv); return -1; } @@ -2565,12 +2459,12 @@ check_attr_ipcomp(trns) case IPSECDOI_ATTR_SA_LD: if (flag) { /* i.e. ISAKMP_GEN_TV */ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "life duration was in TLV.\n"); } else { /* i.e. ISAKMP_GEN_TLV */ if (lorv == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid length of LD\n"); return -1; } @@ -2579,13 +2473,13 @@ check_attr_ipcomp(trns) case IPSECDOI_ATTR_GRP_DESC: if (! flag) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "must be TV when GRP_DESC.\n"); return -1; } if (!alg_oakley_dhdef_ok(lorv)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid group description=%u.\n", lorv); return -1; 
@@ -2593,7 +2487,7 @@ check_attr_ipcomp(trns) break; case IPSECDOI_ATTR_AUTH: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid attr type=%u.\n", type); return -1; @@ -2601,12 +2495,12 @@ check_attr_ipcomp(trns) case IPSECDOI_ATTR_KEY_ROUNDS: case IPSECDOI_ATTR_COMP_DICT_SIZE: case IPSECDOI_ATTR_COMP_PRIVALG: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "attr type=%u isn't supported.\n", type); return -1; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid attribute type %d.\n", type); return -1; } @@ -2625,7 +2519,7 @@ check_attr_ipcomp(trns) #if 0 if (proto_id == IPSECDOI_PROTO_IPCOMP && !attrseen[IPSECDOI_ATTR_AUTH]) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "attr AUTH must be present for AH.\n", type); return -1; } 
@@ -2640,73 +2534,94 @@ check_attr_ipcomp(trns) * NOT INCLUDING isakmp general header of SA payload */ vchar_t * -ipsecdoi_setph1proposal(props) - struct isakmpsa *props; +ipsecdoi_setph1proposal (phase1_handle_t *iph1) { vchar_t *mysa; int sablen; - + + if (!iph1) return NULL; + + struct isakmpsa *props = iph1->rmconf->proposal; + unsigned int version = iph1->version; + /* count total size of SA minus isakmp general header */ /* not including isakmp general header of SA payload */ - sablen = sizeof(struct ipsecdoi_sa_b); - sablen += setph1prop(props, NULL); - + if (version == ISAKMP_VERSION_NUMBER_IKEV1) { + sablen = sizeof(struct ipsecdoi_sa_b); + } else { + sablen = 0; + } + sablen += setph1prop(iph1, NULL); + mysa = vmalloc(sablen); if (mysa == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate my sa buffer\n"); + plog(ASL_LEVEL_ERR, + "failed to allocate my sa buffer\n"); return NULL; } - + /* create SA payload */ - /* not including isakmp general header */ - (ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v)->doi = htonl(props->rmconf->doitype); - (ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v)->sit = htonl(props->rmconf->sittype); - - (void)setph1prop(props, mysa->v + sizeof(struct ipsecdoi_sa_b)); - + if (version == ISAKMP_VERSION_NUMBER_IKEV1) { + /* not including isakmp general header */ + (ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v)->doi = htonl(props->rmconf->doitype); + (ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v)->sit = htonl(props->rmconf->sittype); + + (void)setph1prop(iph1, mysa->v + sizeof(struct ipsecdoi_sa_b)); + } else { + (void)setph1prop(iph1, mysa->v); + } + return mysa; } -static int -setph1prop(props, buf) - struct isakmpsa *props; - caddr_t buf; +int +setph1prop (phase1_handle_t *iph1, + caddr_t buf) { + struct isakmpsa *props = iph1->rmconf->proposal; + unsigned int version = iph1->version; + struct isakmp_pl_p *prop = NULL; struct isakmpsa *s = NULL; int proplen, trnslen; u_int8_t *np_t; /* pointer next trns type in previous 
header */ int trns_num; caddr_t p = buf; + u_int16_t tmplen; + int spi_size = 0; + cookie_t *my_cookie = (iph1->side == INITIATOR) ? &iph1->index.i_ck : &iph1->index.r_ck; + - proplen = sizeof(*prop); + proplen = sizeof(*prop) + spi_size; if (buf) { /* create proposal */ prop = (struct isakmp_pl_p *)p; prop->h.np = ISAKMP_NPTYPE_NONE; + prop->h.reserved = 0; prop->p_no = props->prop_no; prop->proto_id = IPSECDOI_PROTO_ISAKMP; - prop->spi_size = 0; - p += sizeof(*prop); + prop->spi_size = spi_size; + p += sizeof(*prop); } np_t = NULL; trns_num = 0; for (s = props; s != NULL; s = s->next) { - if (np_t) - *np_t = ISAKMP_NPTYPE_T; - - trnslen = setph1trns(s, p); - proplen += trnslen; - if (buf) { - /* save buffer to pre-next payload */ - np_t = &((struct isakmp_pl_t *)p)->h.np; - p += trnslen; - - /* count up transform length */ - trns_num++; + { + if (np_t) + *np_t = ISAKMP_NPTYPE_T; + + trnslen = setph1trns(s, p); + proplen += trnslen; + if (buf) { + /* save buffer to pre-next payload */ + np_t = &((struct isakmp_pl_t *)p)->h.np; + p += trnslen; + + /* count up transform length */ + trns_num++; + } } } @@ -2720,9 +2635,8 @@ setph1prop(props, buf) } static int -setph1trns(sa, buf) - struct isakmpsa *sa; - caddr_t buf; +setph1trns (struct isakmpsa *sa, + caddr_t buf) { struct isakmp_pl_t *trns = NULL; int trnslen, attrlen; @@ -2750,9 +2664,8 @@ setph1trns(sa, buf) } static int -setph1attr(sa, buf) - struct isakmpsa *sa; - caddr_t buf; +setph1attr (struct isakmpsa *sa, + caddr_t buf) { caddr_t p = buf; int attrlen = 0; 
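Review bot: In setph1prop, `my_cookie` is computed but not used anywhere in this hunk, `spi_size` is a constant 0 so the SPI arithmetic it feeds is dead, and the `for` body is wrapped in a second, redundant brace pair — it reads like an unfinished SPI path left in place. Unless the lines between this hunk and the next use the cookie, either drop `my_cookie`/`spi_size` or finish the path (write the SPI bytes after the proposal header when `spi_size` is non-zero) and remove the extra braces. In ipsecdoi_setph1proposal the new `if (!iph1) return NULL;` is immediately followed by `iph1->rmconf->proposal` with no check on `rmconf`; if a NULL `rmconf` is reachable here the guard is incomplete. setph1prop's body continues beyond this hunk.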
@@ -2855,89 +2768,13 @@ setph1attr(sa, buf) default: break; } - -#ifdef HAVE_GSSAPI - if (sa->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB && - sa->gssid != NULL) { - attrlen += sizeof(struct isakmp_data); - /* - * Older versions of racoon just placed the ISO-Latin-1 - * string on the wire directly. Check to see if we are - * configured to be compatible with this behavior. Otherwise, - * we encode the GSS ID as UTF-16LE for Windows 2000 - * compatibility, which requires twice the number of octets. - */ - if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) - attrlen += sa->gssid->l; - else - attrlen += sa->gssid->l * 2; - if (buf) { - plog(LLV_DEBUG, LOCATION, NULL, "gss id attr: len %zu, " - "val '%.*s'\n", sa->gssid->l, (int)sa->gssid->l, - sa->gssid->v); - if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) { - p = isakmp_set_attr_v(p, OAKLEY_ATTR_GSS_ID, - (caddr_t)sa->gssid->v, - sa->gssid->l); - } else { - size_t dstleft = sa->gssid->l * 2; - size_t srcleft = sa->gssid->l; - const char *src = (const char *)sa->gssid->v; - char *odst, *dst = racoon_malloc(dstleft); - iconv_t cd; - size_t rv; - - cd = iconv_open("utf-16le", "latin1"); - if (cd == (iconv_t) -1) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to initialize " - "latin1 -> utf-16le " - "converstion descriptor: %s\n", - strerror(errno)); - attrlen -= sa->gssid->l * 2; - goto gssid_done; - } - odst = dst; - rv = iconv(cd, (__iconv_const char **)&src, - &srcleft, &dst, &dstleft); - if (rv != 0) { - if (rv == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to convert GSS ID " - "from latin1 -> utf-16le: " - "%s\n", strerror(errno)); - } else { - /* should never happen */ - plog(LLV_ERROR, LOCATION, NULL, - "%zd character%s in GSS ID " - "cannot be represented " - "in utf-16le\n", - rv, rv == 1 ? "" : "s"); - } - (void) iconv_close(cd); - attrlen -= sa->gssid->l * 2; - goto gssid_done; - } - (void) iconv_close(cd); - - /* XXX Check srcleft and dstleft? 
*/ - - p = isakmp_set_attr_v(p, OAKLEY_ATTR_GSS_ID, - odst, sa->gssid->l * 2); - - racoon_free(odst); - } - } - } - gssid_done: -#endif /* HAVE_GSSAPI */ - + return attrlen; } static vchar_t * setph2proposal0(iph2, pp, pr) - const struct ph2handle *iph2; + const phase2_handle_t *iph2; const struct saprop *pp; const struct saproto *pr; { @@ -3032,7 +2869,7 @@ setph2proposal0(iph2, pp, pr) break; case IPSECDOI_PROTO_IPSEC_AH: if (tr->authtype == IPSECDOI_ATTR_AUTH_NONE) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no authentication algorithm found " "but protocol is AH.\n"); vfree(p); @@ -3043,7 +2880,7 @@ setph2proposal0(iph2, pp, pr) case IPSECDOI_PROTO_IPCOMP: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid protocol: %d\n", pr->proto_id); vfree(p); return NULL; @@ -3117,7 +2954,7 @@ setph2proposal0(iph2, pp, pr) } if (np_t == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no suitable proposal was created.\n"); return NULL; } 
@@ -3128,80 +2965,107 @@ setph2proposal0(iph2, pp, pr) return p; } + /* * create phase2 proposal from policy configuration. * NOT INCLUDING isakmp general header of SA payload. * This function is called by initiator only. */ int -ipsecdoi_setph2proposal(iph2) - struct ph2handle *iph2; +ipsecdoi_setph2proposal(phase2_handle_t *iph2, int return_sa) { struct saprop *proposal, *a; struct saproto *b = NULL; - vchar_t *q; - struct ipsecdoi_sa_b *sab; + vchar_t *q, *sa = NULL; struct isakmp_pl_p *prop; size_t propoff; /* for previous field of type of next payload. */ - proposal = iph2->proposal; + if (return_sa) + proposal = iph2->approval; + else + proposal = iph2->proposal; - iph2->sa = vmalloc(sizeof(*sab)); - if (iph2->sa == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate my sa buffer\n"); - return -1; - } + if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) { + struct ipsecdoi_sa_b *sab; - /* create SA payload */ - sab = ALIGNED_CAST(struct ipsecdoi_sa_b *)iph2->sa->v; - sab->doi = htonl(IPSEC_DOI); - sab->sit = htonl(IPSECDOI_SIT_IDENTITY_ONLY); /* XXX configurable ? */ + sa = vmalloc(sizeof(*sab)); + if (sa == NULL) { + plog(ASL_LEVEL_ERR, + "failed to allocate my sa buffer\n"); + return -1; + } + + /* create SA payload */ + sab = ALIGNED_CAST(struct ipsecdoi_sa_b *)sa->v; + sab->doi = htonl(IPSEC_DOI); + sab->sit = htonl(IPSECDOI_SIT_IDENTITY_ONLY); /* XXX configurable ? */ + } + prop = NULL; propoff = 0; for (a = proposal; a; a = a->next) { for (b = a->head; b; b = b->next) { + if (b->proto_id == IPSECDOI_PROTO_IPCOMP) { + // %%%%% todo - IKEv2 uses ipcomp notification + // skip this - not specified in the SA + // Need to set this in iph2 ??? 
+ continue; + } + // IKEv1 sends encode mode in SA - uses diferent codes when NATT being used + // IKEv2 does not send encode mode in SA #ifdef ENABLE_NATT - if (iph2->ph1->natt_flags & NAT_DETECTED) { - int udp_diff = iph2->ph1->natt_options->mode_udp_diff; - plog (LLV_INFO, LOCATION, NULL, - "NAT detected -> UDP encapsulation " - "(ENC_MODE %d->%d).\n", - b->encmode, - b->encmode+udp_diff); - /* Tunnel -> UDP-Tunnel, Transport -> UDP_Transport */ - b->encmode += udp_diff; - b->udp_encap = 1; - } + if (iph2->ph1->natt_flags & NAT_DETECTED) { + plog (ASL_LEVEL_INFO, "NAT detected -> UDP encapsulation\n"); + b->udp_encap = 1; + if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) { + int udp_diff = iph2->ph1->natt_options->mode_udp_diff; + /* Tunnel -> UDP-Tunnel, Transport -> UDP_Transport */ + b->encmode += udp_diff; + } + } #endif - - q = setph2proposal0(iph2, a, b); + switch (iph2->version) { + case ISAKMP_VERSION_NUMBER_IKEV1: + q = setph2proposal0(iph2, a, b); + break; + default: + plog(ASL_LEVEL_ERR, "Invalid IKE version detected\n"); + q = NULL; + break; + } if (q == NULL) { - VPTRINIT(iph2->sa); + VPTRINIT(sa); return -1; } - - iph2->sa = vrealloc(iph2->sa, iph2->sa->l + q->l); - if (iph2->sa == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + if (sa != NULL) + sa = vrealloc(sa, sa->l + q->l); + else + sa = vmalloc(q->l); + + if (sa == NULL) { + plog(ASL_LEVEL_ERR, "failed to allocate my sa buffer\n"); if (q) vfree(q); return -1; } - memcpy(iph2->sa->v + iph2->sa->l - q->l, q->v, q->l); + memcpy(sa->v + sa->l - q->l, q->v, q->l); if (propoff != 0) { - prop = (struct isakmp_pl_p *)(iph2->sa->v + + prop = (struct isakmp_pl_p *)(sa->v + propoff); - prop->h.np = ISAKMP_NPTYPE_P; + if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) + prop->h.np = ISAKMP_NPTYPE_P; } - propoff = iph2->sa->l - q->l; + propoff = sa->l - q->l; vfree(q); } } - + if (return_sa) + iph2->sa_ret = sa; + else + iph2->sa = sa; return 0; } 
@@ -3210,7 +3074,7 @@ ipsecdoi_setph2proposal(iph2) */ int ipsecdoi_tunnelmode(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct saprop *pp; struct saproto *pr = NULL; @@ -3281,7 +3145,7 @@ ipsecdoi_checkalgtypes(proto_id, enc, auth, comp) switch (proto_id) { case IPSECDOI_PROTO_IPSEC_ESP: if (enc == 0 || comp != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "illegal algorithm defined " "ESP enc=%s auth=%s comp=%s.\n", TMPALGTYPE2STR(enc), @@ -3292,7 +3156,7 @@ ipsecdoi_checkalgtypes(proto_id, enc, auth, comp) break; case IPSECDOI_PROTO_IPSEC_AH: if (enc != 0 || auth == 0 || comp != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "illegal algorithm defined " "AH enc=%s auth=%s comp=%s.\n", TMPALGTYPE2STR(enc), @@ -3303,7 +3167,7 @@ ipsecdoi_checkalgtypes(proto_id, enc, auth, comp) break; case IPSECDOI_PROTO_IPCOMP: if (enc != 0 || auth != 0 || comp == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "illegal algorithm defined " "IPcomp enc=%s auth=%s comp=%s.\n", TMPALGTYPE2STR(enc), @@ -3313,7 +3177,7 @@ ipsecdoi_checkalgtypes(proto_id, enc, auth, comp) } break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid ipsec protocol %d\n", proto_id); return -1; } @@ -3436,13 +3300,13 @@ ipsecdoi_chkcmpids( idt, ids, exact ) { if( !exact ) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "check and compare ids : values matched (ANONYMOUS)\n" ); return 0; } else { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "check and compare ids : value mismatch (ANONYMOUS)\n" ); return -1; } @@ -3491,7 +3355,7 @@ ipsecdoi_chkcmpids( idt, ids, exact ) goto cmpid_result; } #endif - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "check and compare ids : id type mismatch %s != %s\n", s_ipsecdoi_ident(id_bs->type), s_ipsecdoi_ident(id_bt->type)); 
@@ -3500,7 +3364,7 @@ ipsecdoi_chkcmpids( idt, ids, exact ) } if(id_bs->proto_id != id_bt->proto_id){ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "check and compare ids : proto_id mismatch %d != %d\n", id_bs->proto_id, id_bt->proto_id); @@ -3553,7 +3417,7 @@ ipsecdoi_chkcmpids( idt, ids, exact ) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unhandled id type %i specified for comparison\n", id_bt->type); return -1; @@ -3568,21 +3432,21 @@ ipsecdoi_chkcmpids( idt, ids, exact ) cmpid_result: /* debug level output */ - if(loglevel >= LLV_DEBUG) { + if(loglevel >= ASL_LEVEL_DEBUG) { char *idstrt = ipsecdoi_id2str(idt); char *idstrs = ipsecdoi_id2str(ids); if (!result) - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "check and compare ids : values matched (%s)\n", s_ipsecdoi_ident(id_bs->type) ); else - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "check and compare ids : value mismatch (%s)\n", s_ipsecdoi_ident(id_bs->type)); - plog(LLV_DEBUG, LOCATION, NULL, "cmpid target: \'%s\'\n", idstrt ); - plog(LLV_DEBUG, LOCATION, NULL, "cmpid source: \'%s\'\n", idstrs ); + plog(ASL_LEVEL_DEBUG, "cmpid target: \'%s\'\n", idstrt ); + plog(ASL_LEVEL_DEBUG, "cmpid source: \'%s\'\n", idstrs ); racoon_free(idstrs); racoon_free(idstrt); @@ -3597,10 +3461,10 @@ cmpid_result: cmpid_invalid: /* id integrity error */ - plog(LLV_DEBUG, LOCATION, NULL, "check and compare ids : %s integrity error\n", + plog(ASL_LEVEL_DEBUG, "check and compare ids : %s integrity error\n", s_ipsecdoi_ident(id_bs->type)); - plog(LLV_DEBUG, LOCATION, NULL, "cmpid target: length = \'%zu\'\n", ident_t.l ); - plog(LLV_DEBUG, LOCATION, NULL, "cmpid source: length = \'%zu\'\n", ident_s.l ); + plog(ASL_LEVEL_DEBUG, "cmpid target: length = \'%zu\'\n", ident_t.l ); + plog(ASL_LEVEL_DEBUG, "cmpid source: length = \'%zu\'\n", ident_s.l ); return -1; } 
@@ -3618,19 +3482,19 @@ cmpid_invalid: */ int ipsecdoi_checkid1(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { struct ipsecdoi_id_b *id_b; struct sockaddr_storage *sa; caddr_t sa1, sa2; if (iph1->id_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid iph1 passed id_p == NULL\n"); return ISAKMP_INTERNAL_ERROR; } if (iph1->id_p->l < sizeof(*id_b)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid value passed as \"ident\" (len=%lu)\n", (u_long)iph1->id_p->l); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; @@ -3642,7 +3506,8 @@ ipsecdoi_checkid1(iph1) * If NAT Traversal being used and peer is behind nat and * natt version = 02 - allow non-address ID type. */ - if (iph1->etype == ISAKMP_ETYPE_IDENT + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1 + && iph1->etype == ISAKMP_ETYPE_IDENT && iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY #ifdef ENABLE_NATT && (iph1->natt_flags & NAT_DETECTED_PEER) == 0 @@ -3650,7 +3515,7 @@ ipsecdoi_checkid1(iph1) ) { if (id_b->type != IPSECDOI_ID_IPV4_ADDR && id_b->type != IPSECDOI_ID_IPV6_ADDR) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Expecting IP address type in main mode, " "but %s.\n", s_ipsecdoi_ident(id_b->type)); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; @@ -3663,7 +3528,7 @@ ipsecdoi_checkid1(iph1) case IPSECDOI_ID_IPV6_ADDR_SUBNET: case IPSECDOI_ID_IPV4_ADDR_RANGE: case IPSECDOI_ID_IPV6_ADDR_RANGE: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "such ID type %s is not proper.\n", s_ipsecdoi_ident(id_b->type)); /*FALLTHROUGH*/ @@ -3674,7 +3539,7 @@ ipsecdoi_checkid1(iph1) id_b->type == IPSECDOI_ID_IPV6_ADDR) { if (id_b->proto_id == 0 && ntohs(id_b->port) != 0) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "protocol ID and Port mismatched. " "proto_id:%d port:%d\n", id_b->proto_id, ntohs(id_b->port)); 
@@ -3699,13 +3564,13 @@ ipsecdoi_checkid1(iph1) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", iph1->remote->ss_family); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } if (ntohs(id_b->port) != port) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "port %d expected, but %d\n", port, ntohs(id_b->port)); /*FALLTHROUGH*/ @@ -3743,7 +3608,7 @@ ipsecdoi_checkid1(iph1) if (eay_cmp_asn1dn(ident0, &ident) == 0) goto matched; #else - plog(LLV_WARNING, LOCATION, NULL, "ASN1DN ID matching not implemented - passed.\n"); + plog(ASL_LEVEL_WARNING, "ASN1DN ID matching not implemented - passed.\n"); goto matched; //%%%%%% hack for now until we have code to do this. #endif break; @@ -3781,7 +3646,7 @@ ipsecdoi_checkid1(iph1) vfree(ident0); ident0 = NULL; } - plog(LLV_WARNING, LOCATION, NULL, "No ID match.\n"); + plog(ASL_LEVEL_DEBUG, "No ID match.\n"); if (iph1->rmconf->verify_identifier) return ISAKMP_NTYPE_INVALID_ID_INFORMATION; matched: /* ID value match */ @@ -3792,6 +3657,9 @@ matched: /* ID value match */ return 0; } +/* HACK!!! - temporary until this prototype gets moved */ +extern CFDataRef SecCertificateCopySubjectSequence( SecCertificateRef certificate); + /* * create ID payload for phase 1 and set into iph1->id. * NOT INCLUDING isakmp general header. @@ -3799,7 +3667,7 @@ matched: /* ID value match */ */ int ipsecdoi_setid1(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { vchar_t *ret = NULL; struct ipsecdoi_id_b id_b; @@ -3807,10 +3675,8 @@ ipsecdoi_setid1(iph1) struct sockaddr_storage *ipid = NULL; /* init */ - id_b.proto_id = 0; - id_b.port = 0; + bzero(&id_b, sizeof(id_b)); ident = NULL; - switch (iph1->rmconf->idvtype) { case IDTYPE_FQDN: id_b.type = IPSECDOI_ID_FQDN; 
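Review bot: The non-OpenSSL ASN1DN branch still does `goto matched;` after logging "ASN1DN ID matching not implemented - passed", so a peer presenting any DER-name identity is accepted regardless of the configured ID and `rmconf->verify_identifier` is ineffective for that ID type. If matching cannot land in this commit, the safer default is to fall through to the mismatch path (`break;`) so verify_identifier can reject it, or at minimum log at ASL_LEVEL_ERR when verify_identifier is set so the bypass is visible outside debug logging. Only the log level changes here; the bypass itself predates this commit, and ipsecdoi_checkid1 begins in an earlier hunk.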
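Review bot: Demoting "No ID match." from ASL_LEVEL_WARNING to ASL_LEVEL_DEBUG hides the identity mismatch that, when `verify_identifier` is set, makes the function reject the peer with ISAKMP_NTYPE_INVALID_ID_INFORMATION, leaving a failed authentication with no non-debug record. Tie the level to the outcome instead, e.g. `plog(iph1->rmconf->verify_identifier ? ASL_LEVEL_ERR : ASL_LEVEL_DEBUG, "No ID match.\n");`. ipsecdoi_checkid1 begins in an earlier hunk.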
@@ -3832,48 +3698,42 @@ ipsecdoi_setid1(iph1) ident = vdup(iph1->rmconf->idv); } else { if (oakley_getmycert(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get own CERT.\n"); goto err; } -#if TARGET_OS_EMBEDDED - { - SecCertificateRef certificate; - CFDataRef subject; - UInt8* namePtr; - int len; - - certificate = crypto_cssm_x509cert_get_SecCertificateRef(&iph1->cert->cert); - if (certificate == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get SecCertificateRef\n"); - break; - } - subject = SecCertificateCopySubjectSequence(certificate); - if (subject == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get subjectName\n"); - CFRelease(certificate); - break; - } - len = CFDataGetLength(subject); - namePtr = CFDataGetBytePtr(subject); - ident = vmalloc(len); - if (ident == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get subjectName\n"); - CFRelease(certificate); - CFRelease(subject); - break; - } - memcpy(ident->v, namePtr, len); - CFRelease(certificate); - CFRelease(subject); - break; - } -#else - ident = eay_get_x509asn1subjectname(&iph1->cert->cert); -#endif + + SecCertificateRef certificate; + CFDataRef subject; + UInt8* namePtr; + int len; + + certificate = crypto_cssm_x509cert_CreateSecCertificateRef(&iph1->cert->cert); + if (certificate == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get SecCertificateRef\n"); + break; + } + subject = crypto_cssm_CopySubjectSequence(certificate); + if (subject == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get subjectName\n"); + CFRelease(certificate); + break; + } + len = CFDataGetLength(subject); + namePtr = (UInt8*)CFDataGetBytePtr(subject); + ident = vmalloc(len); + if (ident == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get subjectName\n"); + CFRelease(certificate); + CFRelease(subject); + break; + } + memcpy(ident->v, namePtr, len); + CFRelease(certificate); + CFRelease(subject); } break; case IDTYPE_ADDRESS: 
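Review bot: `len = CFDataGetLength(subject);` is stored in an `int` and handed to `vmalloc`/`memcpy` without a range check, so an empty subject sequence yields a zero-length `ident` that is later wrapped into an ID payload carrying no identity bytes, and a CFIndex above INT_MAX would wrap negative. Add `if (len <= 0) { plog(ASL_LEVEL_ERR, "empty subjectName\n"); CFRelease(certificate); CFRelease(subject); break; }` before the allocation and declare `len` as `CFIndex`. Note that every failure `break` in this block leaves `ident` NULL and falls into the later `if (!ident) ... return 0;` path, which reports success to the caller. The enclosing switch case continues into the next hunk.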
@@ -3908,15 +3768,18 @@ ipsecdoi_setid1(iph1) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid address family.\n"); goto err; } - id_b.proto_id = IPPROTO_UDP; - id_b.port = htons(PORT_ISAKMP); + if(iph1->version == ISAKMP_VERSION_NUMBER_IKEV1){ + id_b.proto_id = IPPROTO_UDP; + id_b.port = htons(PORT_ISAKMP); + + } ident = vmalloc(l); if (!ident) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get ID buffer.\n"); return 0; } @@ -3924,14 +3787,14 @@ ipsecdoi_setid1(iph1) } } if (!ident) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get ID buffer.\n"); return 0; } ret = vmalloc(sizeof(id_b) + ident->l); if (ret == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get ID buffer.\n"); goto err; } @@ -3941,9 +3804,7 @@ ipsecdoi_setid1(iph1) iph1->id = ret; - plog(LLV_DEBUG, LOCATION, NULL, - "use ID type of %s\n", s_ipsecdoi_ident(id_b.type)); - plogdump(LLV_DEBUG, iph1->id->v, iph1->id->l); + plogdump(ASL_LEVEL_DEBUG, iph1->id->v, iph1->id->l, "use ID type of %s\n", s_ipsecdoi_ident(id_b.type)); if (ident) vfree(ident); return 0; @@ -3951,7 +3812,7 @@ ipsecdoi_setid1(iph1) err: if (ident) vfree(ident); - plog(LLV_ERROR, LOCATION, NULL, "failed get my ID\n"); + plog(ASL_LEVEL_ERR, "failed get my ID\n"); return -1; } @@ -3990,7 +3851,7 @@ set_identifier_qual(vpp, type, value, qual) /* simply return if value is null. */ if (!value){ if( type == IDTYPE_FQDN || type == IDTYPE_USERFQDN){ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "No %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn"); return -1; } @@ -4001,7 +3862,7 @@ set_identifier_qual(vpp, type, value, qual) case IDTYPE_FQDN: case IDTYPE_USERFQDN: if(value->l <= 1){ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Empty %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn"); return -1; } 
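Review bot: Both `return 0;` statements after `"failed to get ID buffer.\n"` — in the address case after `ident = vmalloc(l)` and in the common `if (!ident)` check — report success to the caller although `iph1->id` has not been set, whereas the later `vmalloc(sizeof(id_b) + ident->l)` failure correctly goes to `err` and returns -1. Callers are outside this hunk, but one that treats 0 as "ID ready" would go on to dereference a NULL `iph1->id`. Change both to `goto err;` so the failure is logged once via `"failed get my ID\n"` and propagated as -1; at both points `ident` is NULL, so the `vfree` under `err:` is skipped. This check is also where the ASN1DN `break` paths of the previous hunk end up, so those errors currently surface as success too.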
@@ -4029,7 +3890,7 @@ set_identifier_qual(vpp, type, value, qual) fp = fopen(value->v, "r"); if (fp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "can not open %s\n", value->v); return -1; } @@ -4050,7 +3911,7 @@ set_identifier_qual(vpp, type, value, qual) case IDQUAL_TAG: new = vmalloc(value->l - 1); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "can not allocate memory"); return -1; } @@ -4058,7 +3919,7 @@ set_identifier_qual(vpp, type, value, qual) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unknown qualifier"); return -1; } @@ -4073,7 +3934,7 @@ set_identifier_qual(vpp, type, value, qual) sa = str2saddr(value->v, NULL); if (sa == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid ip address %s\n", value->v); return -1; } @@ -4088,40 +3949,8 @@ set_identifier_qual(vpp, type, value, qual) break; } case IDTYPE_ASN1DN: -#ifdef HAVE_OPENSSL - if (value->v[0] == '~') - /* Hex-encoded ASN1 strings */ - new = eay_hex2asn1dn(value->v + 1, - 1); - else - /* DN encoded strings */ - new = eay_str2asn1dn(value->v, value->l - 1); - - if (new == NULL) - return -1; - - if (loglevel >= LLV_DEBUG) { - X509_NAME *xn; - BIO *bio; - unsigned char *ptr = (unsigned char *) new->v, *buf; - size_t len; - char save; - - xn = d2i_X509_NAME(NULL, (void *)&ptr, new->l); - bio = BIO_new(BIO_s_mem()); - - X509_NAME_print_ex(bio, xn, 0, 0); - len = BIO_get_mem_data(bio, &ptr); - save = ptr[len]; - ptr[len] = 0; - plog(LLV_DEBUG, LOCATION, NULL, "Parsed DN: %s\n", ptr); - ptr[len] = save; - X509_NAME_free(xn); - BIO_free(bio); - } -#else - plog(LLV_DEBUG, LOCATION, NULL, "Setting ID type ASN1DN from string not supported\n"); - return -1; -#endif + plog(ASL_LEVEL_DEBUG, "Setting ID type ASN1DN from string not supported\n"); + return -1; break; } 
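Review bot: Rejecting an `asn1dn` identifier given as a string is now logged only at `ASL_LEVEL_DEBUG` before `return -1`, so an administrator whose configuration is refused for this reason sees nothing at default verbosity; every other `return -1` path in `set_identifier_qual` logs at `ASL_LEVEL_ERR`, and a rejected configuration value should too. The `break;` after `return -1;` is unreachable and can go. Proposed: `plog(ASL_LEVEL_ERR, "Setting ID type ASN1DN from string not supported\n"); return -1;`.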
@@ -4140,14 +3969,14 @@ set_identifier_qual(vpp, type, value, qual) */ int ipsecdoi_setid2(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct secpolicy *sp; /* check there is phase 2 handler ? */ sp = getspbyspid(iph2->spid); if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no policy found for spid:%u.\n", iph2->spid); return -1; } @@ -4155,11 +3984,12 @@ ipsecdoi_setid2(iph2) iph2->id = ipsecdoi_sockaddr2id(&sp->spidx.src, sp->spidx.prefs, sp->spidx.ul_proto); if (iph2->id == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get ID for %s\n", spidx2str(&sp->spidx)); return -1; } +#ifdef ENABLE_NATT if (((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR || (ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR_SUBNET) && iph2->side == RESPONDER && @@ -4170,24 +4000,22 @@ ipsecdoi_setid2(iph2) return -1; } } - plog(LLV_DEBUG, LOCATION, NULL, "use local ID type %s\n", - s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type)); - plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); +#endif + plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "use local ID type %s\n", + s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type)); /* remote side */ iph2->id_p = ipsecdoi_sockaddr2id(&sp->spidx.dst, sp->spidx.prefd, sp->spidx.ul_proto); if (iph2->id_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get ID for %s\n", spidx2str(&sp->spidx)); VPTRINIT(iph2->id); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, - "use remote ID type %s\n", - s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v)->type)); - plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); + plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "use remote ID type %s\n", + s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v)->type)); return 0; } 
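Review bot: The remote-side dump still passes the local ID: `plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "use remote ID type %s\n", ...)` prints the type of `iph2->id_p` but the bytes of `iph2->id`, so the debug output labels the local ID as the remote one. This was already wrong before the change, but the line is being rewritten here, so make it `plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "use remote ID type %s\n",`. Wrapping the IPv4/`RESPONDER` check in `#ifdef ENABLE_NATT` changes what `ipsecdoi_setid2` does in builds without NAT-T; a one-line comment above the `#ifdef` saying why that check only matters with NAT-T would help.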
@@ -4239,7 +4067,7 @@ ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d.\n", saddr->ss_family); return NULL; } @@ -4247,7 +4075,7 @@ ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto) /* get ID buffer */ new = vmalloc(sizeof(struct ipsecdoi_id_b) + len1 + len2); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get ID buffer.\n"); return NULL; } @@ -4298,7 +4126,7 @@ ipsecdoi_sockrange2id(laddr, haddr, ul_proto) u_short port; if (laddr->ss_family != haddr->ss_family) { - plog(LLV_ERROR, LOCATION, NULL, "Address family mismatch\n"); + plog(ASL_LEVEL_ERR, "Address family mismatch\n"); return NULL; } @@ -4316,7 +4144,7 @@ ipsecdoi_sockrange2id(laddr, haddr, ul_proto) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d.\n", laddr->ss_family); return NULL; } @@ -4324,7 +4152,7 @@ ipsecdoi_sockrange2id(laddr, haddr, ul_proto) /* get ID buffer */ new = vmalloc(sizeof(struct ipsecdoi_id_b) + len1 + len2); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get ID buffer.\n"); return NULL; } @@ -4359,11 +4187,11 @@ ipsecdoi_sockrange2id(laddr, haddr, ul_proto) * see, RFC2407 4.6.2.1 */ int -ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto) - vchar_t *buf; - struct sockaddr_storage *saddr; - u_int8_t *prefixlen; - u_int16_t *ul_proto; +ipsecdoi_id2sockaddr(vchar_t *buf, + struct sockaddr_storage *saddr, + u_int8_t *prefixlen, + u_int16_t *ul_proto, + int version) { struct ipsecdoi_id_b *id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)buf->v; u_int plen = 0; @@ -4401,7 +4229,7 @@ ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unsupported ID type %d\n", id_b->type); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } 
@@ -4471,9 +4299,9 @@ ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto) } *prefixlen = plen; - *ul_proto = id_b->proto_id == 0 - ? IPSEC_ULPROTO_ANY - : id_b->proto_id; /* see sockaddr2id() */ + if (version == ISAKMP_VERSION_NUMBER_IKEV1) { + *ul_proto = id_b->proto_id == 0 ? IPSEC_ULPROTO_ANY : id_b->proto_id; /* see sockaddr2id() */ + } return 0; } @@ -4660,7 +4488,7 @@ ipsecdoi_id2str(id) #endif { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to extract asn1dn from id\n"); len = snprintf(buf, sizeof(buf), ""); @@ -4675,7 +4503,7 @@ ipsecdoi_id2str(id) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unknown ID type %d\n", id_b->type); } @@ -4726,7 +4554,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) type = ntohs(d->type) & ~ISAKMP_GEN_MASK; flag = ntohs(d->type) & ISAKMP_GEN_MASK; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "type=%s, flag=0x%04x, lorv=%s\n", s_ipsecdoi_attr(type), flag, s_ipsecdoi_attr_v(type, ntohs(d->lorv))); @@ -4741,7 +4569,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) life_t = type; break; default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "invalid life duration type. " "use default\n"); life_t = IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT; @@ -4753,7 +4581,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) if (prev == NULL || (ntohs(prev->type) & ~ISAKMP_GEN_MASK) != IPSECDOI_ATTR_SA_LD_TYPE) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "life duration must follow ltype\n"); break; } @@ -4766,7 +4594,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) /* i.e. ISAKMP_GEN_TV */ ld_buf = vmalloc(sizeof(d->lorv)); if (ld_buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get LD buffer.\n"); goto end; } @@ -4776,7 +4604,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) /* i.e. ISAKMP_GEN_TLV */ ld_buf = vmalloc(len); if (ld_buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get LD buffer.\n"); goto end; } 
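Review bot: After this change `ipsecdoi_id2sockaddr` writes `*ul_proto` only when `version == ISAKMP_VERSION_NUMBER_IKEV1`; for any other version the out-parameter is left untouched, so a caller that does not pre-initialise it reads an indeterminate value. Callers are outside this hunk, so either set `*ul_proto` on every path (an `else` branch assigning whatever the IKEv2 code expects) or document the contract on the definition in the earlier hunk and on the prototype in ipsec_doi.h: `/* ul_proto is only written for IKEv1; other callers must initialise it. */`. The new `version` parameter carries no comment at the function head in the previous hunk either.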
@@ -4787,7 +4615,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) t = ipsecdoi_set_ld(ld_buf); vfree(ld_buf); if (t == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid life duration.\n"); goto end; } @@ -4795,7 +4623,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) if (pp->lifetime == IPSECDOI_ATTR_SA_LD_SEC_DEFAULT) pp->lifetime = t; else if (pp->lifetime != t) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "lifetime mismatched " "in a proposal, " "prev:%ld curr:%u.\n", @@ -4807,7 +4635,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) t = ipsecdoi_set_ld(ld_buf); vfree(ld_buf); if (t == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid life duration.\n"); goto end; } @@ -4815,7 +4643,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) if (pp->lifebyte == 0) pp->lifebyte = t; else if (pp->lifebyte != t) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "lifebyte mismatched " "in a proposal, " "prev:%d curr:%u.\n", @@ -4825,7 +4653,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) break; default: vfree(ld_buf); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid life type: %d\n", life_t); goto end; } @@ -4842,7 +4670,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) if (pp->pfs_group == 0) pp->pfs_group = (u_int16_t)ntohs(d->lorv); else if (pp->pfs_group != (u_int16_t)ntohs(d->lorv)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfs_group mismatched " "in a proposal.\n"); goto end; @@ -4852,7 +4680,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) case IPSECDOI_ATTR_ENC_MODE: if (pr->encmode && pr->encmode != (u_int16_t)ntohs(d->lorv)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "multiple encmode exist " "in a transform.\n"); goto end; @@ -4862,7 +4690,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) case IPSECDOI_ATTR_AUTH: if (tr->authtype != IPSECDOI_ATTR_AUTH_NONE) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "multiple authtype exist " "in a transform.\n"); goto end; 
@@ -4872,7 +4700,7 @@ ipsecdoi_t2satrns(t, pp, pr, tr) case IPSECDOI_ATTR_KEY_LENGTH: if (pr->proto_id != IPSECDOI_PROTO_IPSEC_ESP) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "key length defined but not ESP"); goto end; } @@ -4921,24 +4749,12 @@ ipsecdoi_authalg2trnsid(alg) case IPSECDOI_ATTR_AUTH_KPDK: return IPSECDOI_AH_MD5; /* XXX */ default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid authentication algorithm:%d\n", alg); } return -1; } -#ifdef HAVE_GSSAPI -struct isakmpsa * -fixup_initiator_sa(match, received) - struct isakmpsa *match, *received; -{ - if (received->gssid != NULL) - match->gssid = vdup(received->gssid); - - return match; -} -#endif - static int rm_idtype2doi[] = { 255, /* IDTYPE_UNDEFINED, 0 */ IPSECDOI_ID_FQDN, /* IDTYPE_FQDN, 1 */ @@ -4982,7 +4798,7 @@ doi2idtype(doi) case IPSECDOI_ID_IPV6_ADDR_SUBNET: return(IDTYPE_ADDRESS); default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Inproper idtype:%s in this function.\n", s_ipsecdoi_ident(doi)); return(IDTYPE_ADDRESS); /* XXX */ diff --git a/ipsec-tools/racoon/ipsec_doi.h b/ipsec-tools/racoon/ipsec_doi.h index e795a6a..6175286 100644 --- a/ipsec-tools/racoon/ipsec_doi.h +++ b/ipsec-tools/racoon/ipsec_doi.h @@ -32,6 +32,8 @@ #ifndef _IPSEC_DOI_H #define _IPSEC_DOI_H +#include "isakmp.h" + /* refered to RFC2407 */ #define IPSEC_DOI 1 @@ -120,6 +122,8 @@ #define IPSECDOI_ATTR_AUTH_HMAC_SHA2_256 5 #define IPSECDOI_ATTR_AUTH_HMAC_SHA2_384 6 #define IPSECDOI_ATTR_AUTH_HMAC_SHA2_512 7 +#define IPSECDOI_ATTR_AUTH_HMAC_MD5_96 252 /* NOTE:internal use */ +#define IPSECDOI_ATTR_AUTH_HMAC_SHA1_96 253 /* NOTE:internal use */ #define IPSECDOI_ATTR_AUTH_NONE 254 /* NOTE:internal use */ /* * When negotiating ESP without authentication, the Auth 
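Review bot: `"key length defined but not ESP"` is the only error message in `ipsecdoi_t2satrns` without a trailing `\n`, which every surrounding `plog` call carries; since the line is being touched, make it `plog(ASL_LEVEL_ERR, "key length defined but not ESP\n");`. Whether plog appends a newline itself is not visible here, so the point is consistency within the function.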
@@ -182,6 +186,7 @@ struct ipsecdoi_pl_id { #define IDTYPE_LOGIN 6 #define IDTYPE_SUBNET 7 #define IDTYPE_KEYIDUSE 8 +#define IDTYPE_MAX IDTYPE_KEYIDUSE /* shared secret type, it's internal use. */ #define SECRETTYPE_USE 0 @@ -205,8 +210,8 @@ struct ipsecdoi_pl_id { /* The use for checking proposal payload. This is not exchange type. */ -#define IPSECDOI_TYPE_PH1 0 -#define IPSECDOI_TYPE_PH2 1 +#define IPSECDOI_TYPE_PH1 0 +#define IPSECDOI_TYPE_PH2 1 struct isakmpsa; struct ipsecdoi_pl_sa; 
@@ -215,42 +220,46 @@ struct saproto; struct satrns; struct prop_pair; -extern int ipsecdoi_checkph1proposal __P((vchar_t *, struct ph1handle *)); -extern int ipsecdoi_selectph2proposal __P((struct ph2handle *)); -extern int ipsecdoi_checkph2proposal __P((struct ph2handle *)); - -extern struct prop_pair **get_proppair __P((vchar_t *, int)); -extern vchar_t *get_sabyproppair __P((struct prop_pair *, struct ph1handle *)); -extern int ipsecdoi_updatespi __P((struct ph2handle *iph2)); -extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *)); -extern int ipsecdoi_chkcmpids( const vchar_t *, const vchar_t *, int ); -extern int ipsecdoi_checkid1 __P((struct ph1handle *)); -extern int ipsecdoi_setid1 __P((struct ph1handle *)); -extern int set_identifier __P((vchar_t **, int, vchar_t *)); -extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int)); -extern int ipsecdoi_setid2 __P((struct ph2handle *)); -extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr_storage *, u_int, u_int)); -extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr_storage *, - u_int8_t *, u_int16_t *)); -extern char *ipsecdoi_id2str __P((const vchar_t *)); -extern vchar_t *ipsecdoi_sockrange2id __P(( struct sockaddr_storage *, - struct sockaddr_storage *, u_int)); - -extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *)); -extern int ipsecdoi_setph2proposal __P((struct ph2handle *)); -extern int ipsecdoi_transportmode __P((struct saprop *)); -extern int ipsecdoi_tunnelmode __P((struct ph2handle *)); -extern int ipsecdoi_any_transportmode __P((struct saprop *)); -extern int ipsecdoi_get_defaultlifetime __P((void)); -extern int ipsecdoi_checkalgtypes __P((int, int, int, int)); -extern int ipproto2doi __P((int)); -extern int doi2ipproto __P((int)); - -extern int ipsecdoi_t2satrns __P((struct isakmp_pl_t *, - struct saprop *, struct saproto *, struct satrns *)); -extern int ipsecdoi_authalg2trnsid __P((int)); -extern int idtype2doi __P((int)); -extern int 
doi2idtype __P((int)); +extern struct isakmpsa *get_ph1approvalx (struct prop_pair *, + struct isakmpsa *, struct isakmpsa *, int); +extern int ipsecdoi_checkph1proposal (vchar_t *, phase1_handle_t *); +extern int ipsecdoi_selectph2proposal (phase2_handle_t *); +extern int ipsecdoi_checkph2proposal (phase2_handle_t *); + +extern struct prop_pair **get_proppair (vchar_t *, int); +extern vchar_t *get_sabyproppair (struct prop_pair *, phase1_handle_t *); +extern int ipsecdoi_updatespi (phase2_handle_t *iph2); +extern vchar_t *get_sabysaprop (struct saprop *, vchar_t *); +extern int ipsecdoi_chkcmpids (const vchar_t *, const vchar_t *, int ); +extern int ipsecdoi_checkid1 (phase1_handle_t *); +extern int ipsecdoi_setid1 (phase1_handle_t *); +extern int set_identifier (vchar_t **, int, vchar_t *); +extern int set_identifier_qual (vchar_t **, int, vchar_t *, int); +extern int ipsecdoi_setid2 (phase2_handle_t *); +extern vchar_t *ipsecdoi_sockaddr2id (struct sockaddr_storage *, u_int, u_int); +extern int ipsecdoi_id2sockaddr (vchar_t *, struct sockaddr_storage *, + u_int8_t *, u_int16_t *, int); +extern char *ipsecdoi_id2str (const vchar_t *); +extern vchar_t *ipsecdoi_sockrange2id (struct sockaddr_storage *, + struct sockaddr_storage *, u_int); + +extern vchar_t *ipsecdoi_setph1proposal (phase1_handle_t *); +extern int ipsecdoi_setph2proposal (phase2_handle_t *, int); +extern int ipsecdoi_transportmode (struct saprop *); +extern int ipsecdoi_tunnelmode (phase2_handle_t *); +extern int ipsecdoi_any_transportmode (struct saprop *); +extern int ipsecdoi_get_defaultlifetime (void); +extern int ipsecdoi_checkalgtypes (int, int, int, int); +extern int ipproto2doi (int); +extern int doi2ipproto (int); + +extern int ipsecdoi_t2satrns (struct isakmp_pl_t *, + struct saprop *, struct saproto *, struct satrns *); +extern int ipsecdoi_authalg2trnsid (int); +extern int idtype2doi (int); +extern int doi2idtype (int); +extern int check_spi_size (int, int); +extern void 
print_ph1mismatched (struct prop_pair *, struct isakmpsa *); #endif /* _IPSEC_DOI_H */ diff --git a/ipsec-tools/racoon/ipsec_interface.c b/ipsec-tools/racoon/ipsec_interface.c new file mode 100644 index 0000000..70866a1 --- /dev/null +++ b/ipsec-tools/racoon/ipsec_interface.c 
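Review bot: The new trailing `int` parameters on `ipsecdoi_id2sockaddr` and `ipsecdoi_setph2proposal (phase2_handle_t *, int)` are undocumented, and since the prototypes carry no parameter names a reader of ipsec_doi.h cannot tell what they mean. Naming the parameter and adding a one-line comment would fix that, e.g. `extern int ipsecdoi_id2sockaddr (vchar_t *, struct sockaddr_storage *, u_int8_t *, u_int16_t *, int version); /* ISAKMP_VERSION_NUMBER_* */`. The meaning of the `int` on `ipsecdoi_setph2proposal` is not visible in this diff and should be named by whoever added it.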
@@ -0,0 +1,224 @@ +/* + * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include "config.h" +#include +#include +#include +#include + +#include +#include +#include +#include "racoon_types.h" +#include "plog.h" +#include +#include +#include + +#include "var.h" + +int ipsec_interface_create(char *name, int name_max_len, int *index, int flags) +{ + + struct ctl_info kernctl_info; + struct sockaddr_ctl kernctl_addr; + u_int32_t optlen; + int tunsock = -1; + + tunsock = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL); + if (tunsock == -1) { + plog(ASL_LEVEL_ERR, "create_ipsec_interface: cannot create kernel control socket (errno = %d)", errno); + goto fail; + } + + bzero(&kernctl_info, sizeof(kernctl_info)); + strlcpy(kernctl_info.ctl_name, "com.apple.net.ipsec_control", sizeof(kernctl_info.ctl_name)); + if (ioctl(tunsock, CTLIOCGINFO, &kernctl_info)) { + plog(ASL_LEVEL_ERR, "create_ipsec_interface: ioctl failed on kernel control socket (errno = %d)", errno); + goto fail; + } + + bzero(&kernctl_addr, sizeof(kernctl_addr)); // sets the 
sc_unit field to 0 + kernctl_addr.sc_len = sizeof(kernctl_addr); + kernctl_addr.sc_family = AF_SYSTEM; + kernctl_addr.ss_sysaddr = AF_SYS_CONTROL; + kernctl_addr.sc_id = kernctl_info.ctl_id; + kernctl_addr.sc_unit = 0; // we will get the unit number from getpeername + if (connect(tunsock, (struct sockaddr *)&kernctl_addr, sizeof(kernctl_addr))) { + plog(ASL_LEVEL_ERR, "create_ipsec_interface: connect failed on kernel control socket (errno = %d)", errno); + goto fail; + } + + optlen = name_max_len; + if (getsockopt(tunsock, SYSPROTO_CONTROL, 2, name, &optlen)) { + plog(ASL_LEVEL_ERR, "create_ipsec_interface: getsockopt ifname failed on kernel control socket (errno = %d)", errno); + goto fail; + } + + *index = if_nametoindex(name); + + if (flags) { + int optflags = 0; + optlen = sizeof(u_int32_t); + if (getsockopt(tunsock, SYSPROTO_CONTROL, 1, &optflags, &optlen)) { + plog(ASL_LEVEL_ERR, "create_ipsec_interface: getsockopt flags failed on kernel control socket (errno = %d)", errno); + goto fail; + } + + optflags |= flags; + optlen = sizeof(u_int32_t); + if (setsockopt(tunsock, SYSPROTO_CONTROL, 1, &optflags, optlen)) { + plog(ASL_LEVEL_ERR, "create_ipsec_interface: setsockopt flags failed on kernel control socket (errno = %d)", errno); + goto fail; + } + } + + return tunsock; + +fail: + if (tunsock != -1) + close(tunsock); + return -1; + +} + +int ipsec_interface_set_mtu(char *ifname, int mtu) +{ + struct ifreq ifr; + int ip_sockfd; + + ip_sockfd = socket(AF_INET, SOCK_DGRAM, 0); + if (ip_sockfd < 0) { + plog(ASL_LEVEL_ERR, "sifmtu: cannot create ip socket, %s", strerror(errno)); + return 0; + } + + strlcpy(ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); + ifr.ifr_mtu = mtu; + ioctl(ip_sockfd, SIOCSIFMTU, (caddr_t) &ifr); + + close(ip_sockfd); + return 1; +} + +void +in6_len2mask(struct in6_addr *mask, int len) +{ + int i; + bzero(mask, sizeof(*mask)); + for (i = 0; i < len / 8; i++) + mask->s6_addr[i] = 0xff; + if (len % 8) + mask->s6_addr[i] = (0xff00 >> (len % 8)) & 
0xff; +} + +#define SET_SA_FAMILY(addr, family) \ +bzero((char *) &(addr), sizeof(addr)); \ +addr.sa_family = (family); \ +addr.sa_len = sizeof(addr); +int ipsec_interface_set_addr(char *ifname, struct sockaddr_storage *address, struct sockaddr_storage *netmask, int prefix) +{ + int ip_sockfd; + + int family = address->ss_family; + + if (family == AF_INET) { + struct ifaliasreq ifra __attribute__ ((aligned (4))); // Wcast-align fix - force alignment + ip_sockfd = socket(AF_INET, SOCK_DGRAM, 0); + if (ip_sockfd < 0) { + plog(ASL_LEVEL_ERR, "Cannot create ip socket, %s", strerror(errno)); + return 0; + } + + strlcpy(ifra.ifra_name, ifname, sizeof(ifra.ifra_name)); + + SET_SA_FAMILY(ifra.ifra_addr, AF_INET); + (ALIGNED_CAST(struct sockaddr_in *) &ifra.ifra_addr)->sin_addr.s_addr = ((struct sockaddr_in*)address)->sin_addr.s_addr; + + SET_SA_FAMILY(ifra.ifra_broadaddr, AF_INET); + (ALIGNED_CAST(struct sockaddr_in *) &ifra.ifra_broadaddr)->sin_addr.s_addr = ((struct sockaddr_in*)address)->sin_addr.s_addr; + + if (netmask != 0) { + SET_SA_FAMILY(ifra.ifra_mask, AF_INET); + (ALIGNED_CAST(struct sockaddr_in *) &ifra.ifra_mask)->sin_addr.s_addr = ((struct sockaddr_in*)netmask)->sin_addr.s_addr; + } + else + bzero(&ifra.ifra_mask, sizeof(ifra.ifra_mask)); + + if (ioctl(ip_sockfd, SIOCAIFADDR, (caddr_t) &ifra) < 0) { + if (errno != EEXIST) { + plog(ASL_LEVEL_ERR, "Couldn't set interface address"); + close(ip_sockfd); + return 0; + } + plog(ASL_LEVEL_ERR, "Couldn't set interface address, already exists"); + } + close(ip_sockfd); + } else if (family == AF_INET6) { + struct in6_aliasreq addreq6; + struct in6_addr mask; + struct in6_addr *addr6 = &((struct sockaddr_in6*)address)->sin6_addr; + + ip_sockfd = socket(AF_INET6, SOCK_DGRAM, 0); + if (ip_sockfd < 0) { + plog(ASL_LEVEL_ERR, "Cannot create IPv6 socket, %s", strerror(errno)); + return 0; + } + + memset(&addreq6, 0, sizeof(addreq6)); + strlcpy(addreq6.ifra_name, ifname, sizeof(addreq6.ifra_name)); + /* my addr */ + 
addreq6.ifra_addr.sin6_family = AF_INET6; + addreq6.ifra_addr.sin6_len = sizeof(struct sockaddr_in6); + memcpy(&addreq6.ifra_addr.sin6_addr, addr6, sizeof(struct in6_addr)); + + /* prefix mask: 128bit */ + addreq6.ifra_prefixmask.sin6_family = AF_INET6; + addreq6.ifra_prefixmask.sin6_len = sizeof(struct sockaddr_in6); + in6_len2mask(&mask, prefix); + memcpy(&addreq6.ifra_prefixmask.sin6_addr, &mask, sizeof(struct in6_addr)); + + /* address lifetime (infty) */ + addreq6.ifra_lifetime.ia6t_pltime = ND6_INFINITE_LIFETIME; + addreq6.ifra_lifetime.ia6t_vltime = ND6_INFINITE_LIFETIME; + if (IN6_IS_ADDR_LINKLOCAL(addr6)) { + if (ioctl(ip_sockfd, SIOCLL_START, &addreq6) < 0) { + plog(ASL_LEVEL_ERR, "Couldn't set link-local IPv6 address, %s", strerror(errno)); + close(ip_sockfd); + return 0; + } + } else { + if (ioctl(ip_sockfd, SIOCAIFADDR_IN6, &addreq6) < 0) { + plog(ASL_LEVEL_ERR, "Couldn't set IPv6 address, %s", strerror(errno)); + close(ip_sockfd); + return 0; + } + } + close(ip_sockfd); + } else { + return 0; + } + + return 1; +} diff --git a/ipsec-tools/racoon/ipsec_interface.h b/ipsec-tools/racoon/ipsec_interface.h new file mode 100644 index 0000000..020528c --- /dev/null +++ b/ipsec-tools/racoon/ipsec_interface.h 
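Review bot: `in6_len2mask` writes `mask->s6_addr[i]` for `i` up to `len / 8` with no range check, and `len` is the caller-supplied `prefix` of `ipsec_interface_set_addr`; a prefix above 128 writes past the 16-byte `in6_addr` that lives on `ipsec_interface_set_addr`'s stack, and a negative one turns `0xff00 >> (len % 8)` into a shift by a negative count. Where `prefix` comes from is outside this file, so the helper should clamp or reject out-of-range lengths itself. Separately, `ipsec_interface_set_mtu` ignores the result of `ioctl(ip_sockfd, SIOCSIFMTU, ...)` and returns 1 unconditionally, so an MTU that was not applied is reported as success, and `*index = if_nametoindex(name)` in `ipsec_interface_create` is never checked for 0. The rewritten lines for the first two points are below; the bare option numbers `1` and `2` in the `getsockopt`/`setsockopt` calls on the control socket also deserve named constants.
```c
void
in6_len2mask(struct in6_addr *mask, int len)
{
	int i;
	bzero(mask, sizeof(*mask));
	/* s6_addr has 16 bytes; anything outside 0..128 would index past it */
	if (len < 0)
		len = 0;
	else if (len > 128)
		len = 128;
	/* … unchanged: whole-byte fill loop and partial-byte tail … */
}

/* … unchanged: ipsec_interface_set_mtu up to the strlcpy/ifr_mtu setup … */
	if (ioctl(ip_sockfd, SIOCSIFMTU, (caddr_t) &ifr) < 0) {
		plog(ASL_LEVEL_ERR, "sifmtu: SIOCSIFMTU failed, %s", strerror(errno));
		close(ip_sockfd);
		return 0;
	}
```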
@@ -0,0 +1,31 @@ +/* + * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef __IPSEC_INTERFACE__ +#define __IPSEC_INTERFACE__ + +int ipsec_interface_create(char *name, int name_max_len, int *index, int flags); +int ipsec_interface_set_mtu(char *ifname, int mtu); +int ipsec_interface_set_addr(char *ifname, struct sockaddr_storage *address, struct sockaddr_storage *netmask, int prefix); + +#endif diff --git a/ipsec-tools/racoon/ipsec_xpc.h b/ipsec-tools/racoon/ipsec_xpc.h new file mode 100644 index 0000000..3b64e83 --- /dev/null +++ b/ipsec-tools/racoon/ipsec_xpc.h 
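Review bot: The include guard `__IPSEC_INTERFACE__` is a double-underscore identifier, which is reserved for the implementation, and the header declares functions taking `struct sockaddr_storage *` without including anything, so it only compiles after the right system headers happen to be included first. Rename the guard (for example `IPSEC_INTERFACE_H`) and add `#include <sys/socket.h>` so the header is self-contained. A one-line comment on `ipsec_interface_create` stating that the returned descriptor is the kernel control socket the caller owns and must close, and that `name` receives the interface name within `name_max_len` bytes, would document the ownership the .c file implies.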
@@ -0,0 +1,101 @@ +/* + * Copyright (c) 2012, 2013 Apple Computer, Inc. All rights reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef SecureNetworking_ipsec_xpc_H +#define SecureNetworking_ipsec_xpc_H + +#define SN_ENTITLEMENT_IPSEC_IKE CFSTR("com.apple.private.SecureNetworking.ipsec_ike") +#define SN_ENTITLEMENT_IPSEC_DB CFSTR("com.apple.private.SecureNetworking.ipsec_db") + +#define IPSEC_HELPER "com.apple.SecureNetworking.IPSec" + +/* IKE */ +#define IPSECOPCODE "ipsecopcode" +#define IPSECOPIKEDICT "ipsecikedict" +#define IPSECOPCHILDDICT "ipsecchilddict" +#define IPSECOBJREF "ipsecobjectref" +#define IPSECIKEID "ipsecikeid" +#define IPSECCHILDID "ipsecchildid" +#define IPSECIKESTATUS "ipsecikestatus" +#define IPSECCHILDSTATUS "ipsecchildstatus" + + +/* DB SA */ +#define IPSECSASESSIONID "ipsecsasessionid" +#define IPSECSAID "ipsecsaid" +#define IPSECSADICT "ipsecsadict" +#define IPSECSASPI "ipsecsaspi" +#define IPSECSAIDARRAY "ipsecsaidarray" +#define IPSECPOLICYID "ipsecpolicyid" +#define IPSECPOLICYDICT "ipsecpolicydict" +#define IPSECPOLICYIDARRAY "ipsecpolicyidarray" + +/* 
message */ +#define IPSECMESSAGE "ipsecmessage" +#define IPSECITEMID "ipsecitemid" +#define IPSECITEMDICT "ipsecitemdict" + +#define SERVERREPLY "reply" + +#define REPLYOFFSET 0x1000 + +#define kSNIPSecDBInvalidSPI 0 + +enum { + IPSECIKE_CREATE = 0x0001, + IPSECIKE_START, + IPSECIKE_STOP, + IPSECIKE_GETSTATUS, + IPSECIKE_INVALIDATE, + IPSECIKE_START_CHILD, + IPSECIKE_STOP_CHILD, + IPSECIKE_ENABLE_CHILD, + IPSECIKE_DISABLE_CHILD, + IPSECIKE_GETSTATUS_CHILD +}; + + +enum { + IPSECDB_CREATESESSION = 0x0101, + IPSECDB_GETSPI, + IPSECDB_ADDSA, + IPSECDB_UPDATESA, + IPSECDB_DELETESA, + IPSECDB_COPYSA, + IPSECDB_FLUSHSA, + IPSECDB_ADDPOLICY, + IPSECDB_DELETEPOLICY, + IPSECDB_COPYPOLICY, + IPSECDB_FLUSHPOLICIES, + IPSECDB_FLUSHALL, + IPSECDB_INVALIDATE, + IPSECDB_COPYSAIDS, + IPSECDB_COPYPOLICYIDS +}; + +enum { + SERVER_REPLY_OK = 0x0000, + SERVER_FAILED +}; + +#endif diff --git a/ipsec-tools/racoon/isakmp.c b/ipsec-tools/racoon/isakmp.c index 16eabb3..324b064 100644 --- a/ipsec-tools/racoon/isakmp.c +++ b/ipsec-tools/racoon/isakmp.c @@ -81,16 +81,15 @@ #include "sockmisc.h" #include "schedule.h" #include "debug.h" +#include "session.h" +#include "fsm.h" #include "remoteconf.h" #include "localconf.h" #include "grabmyaddr.h" -#include "admin.h" -#include "privsep.h" #include "isakmp_var.h" #include "isakmp.h" #include "oakley.h" -#include "evt.h" #include "handler.h" #include "proposal.h" #include "ipsec_doi.h" @@ -99,10 +98,8 @@ #include "policy.h" #include "isakmp_ident.h" #include "isakmp_agg.h" -#include "isakmp_base.h" #include "isakmp_quick.h" #include "isakmp_inf.h" -#include "isakmp_newg.h" #include "vpn_control.h" #include "vpn_control_var.h" #ifdef ENABLE_HYBRID 
@@ -131,73 +128,28 @@ #include "ipsecMessageTracer.h" #include "power_mgmt.h" -static int nostate1 __P((struct ph1handle *, vchar_t *)); -static int nostate2 __P((struct ph2handle *, vchar_t *)); - -extern caddr_t val2str(const char *, size_t); - -static int (*ph1exchange[][2][PHASE1ST_MAX]) - __P((struct ph1handle *, vchar_t *)) = { - /* error */ - { {}, {}, }, - /* Identity Protection exchange */ - { - { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send, - ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, }, - { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send, - ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, }, - }, - /* Aggressive exchange */ - { - { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send, - nostate1, nostate1, nostate1, nostate1, nostate1, }, - { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send, - nostate1, nostate1, nostate1, nostate1, nostate1, }, - }, - /* Base exchange */ - { - { nostate1, base_i1send, nostate1, base_i2recv, base_i2send, - base_i3recv, base_i3send, nostate1, nostate1, nostate1, }, - { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send, - nostate1, nostate1, nostate1, nostate1, nostate1, }, - }, -}; - -static int (*ph2exchange[][2][PHASE2ST_MAX]) - __P((struct ph2handle *, vchar_t *)) = { - /* error */ - { {}, {}, }, - /* Quick mode for IKE */ - { - { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send, - quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, }, - { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send, - quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, } - }, -}; - -static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. 
*/ - -static int isakmp_main __P((vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *)); -static int ph1_main __P((struct ph1handle *, vchar_t *)); -static int quick_main __P((struct ph2handle *, vchar_t *)); -static int isakmp_ph1begin_r __P((vchar_t *, - struct sockaddr_storage *, struct sockaddr_storage *, u_int8_t)); -static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *)); -static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *)); -static int etypesw1 __P((int)); -static int etypesw2 __P((int)); + +extern caddr_t val2str (const char *, size_t); +u_char i_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the i_ck. */ +u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ + + +static void isakmp_main (vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *); +static void ikev1_received_packet(vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *); +static int ikev1_ph1begin_r (ike_session_t *session, vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *, u_int8_t); +static int ikev1_ph2begin_i (phase1_handle_t *, phase2_handle_t *); +static int ikev1_ph2begin_r (phase1_handle_t *, vchar_t *); + + #ifdef ENABLE_FRAG -static int frag_handler(struct ph1handle *, - vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *); +static void frag_handler (phase1_handle_t *, vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *); #endif /* * isakmp packet handler */ -int -isakmp_handler(so_isakmp) - int so_isakmp; +void +isakmp_handler(int so_isakmp) { struct isakmp isakmp; union { @@ -219,9 +171,9 @@ isakmp_handler(so_isakmp) int error = -1; if (slept_at || woke_at) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignoring isakmp port until power-mgmt event is handled.\n"); - return 0; + return; } /* read message by MSG_PEEK */ 
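Review bot: `i_ck0` and `r_ck0` lose `static` and become writable, externally linked globals, although their only job is to be an all-zero reference that received cookies are `memcmp`ed against; any stray write to either would let zero-cookie packets pass the validity checks. Declare them `static const u_char i_ck0[] = { 0,0,0,0,0,0,0,0 };` and `static const u_char r_ck0[] = { 0,0,0,0,0,0,0,0 };`, and drop `static` only if another translation unit really references them, in which case they belong in a header as `extern const`. `i_ck0` also appears unused in this diff: the initiator-cookie check in `isakmp_main` (hunk at -426) still compares `isakmp->i_ck` against `r_ck0`. `isakmp_handler`'s body continues past this hunk.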
@@ -229,7 +181,7 @@ isakmp_handler(so_isakmp) MSG_PEEK, &remote, &remote_len, &local, &local_len)) < 0) { if (errno == EINTR) continue; - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to receive isakmp packet: %s\n", strerror (errno)); goto end; @@ -240,31 +192,18 @@ isakmp_handler(so_isakmp) /* Pull the keep-alive packet */ if ((len = recvfrom(so_isakmp, (char *)x.buf, 1, 0, (struct sockaddr *)&remote, &remote_len)) != 1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to receive keep alive packet: %s\n", strerror (errno)); } goto end; } - /* Lucent IKE in UDP encapsulation */ - { - struct udphdr *udp; - struct ip *ip; - udp = ALIGNED_CAST(struct udphdr *)&x.lbuf[0]; - if (ntohs(udp->uh_dport) == 501) { - ip = ALIGNED_CAST(struct ip *)(x.lbuf + sizeof(*udp)); - extralen += sizeof(*udp) + ip->ip_hl; - } - } - -#ifdef ENABLE_NATT /* we don't know about portchange yet, look for non-esp marker instead */ if (x.non_esp[0] == 0 && x.non_esp[1] != 0) extralen = NON_ESP_MARKER_LEN; -#endif /* now we know if there is an extra non-esp marker at the beginning or not */ @@ -272,13 +211,12 @@ isakmp_handler(so_isakmp) /* check isakmp header length, as well as sanity of header length */ if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) { - plog(LLV_ERROR, LOCATION, &remote, - "packet shorter than isakmp header size (%u, %u, %zu)\n", - len, ntohl(isakmp.len), sizeof(isakmp)); + plog(ASL_LEVEL_ERR, + "packet shorter than isakmp header size (size: %zu, minimum expected: %zu)\n", len, sizeof(isakmp)); /* dummy receive */ if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 0, (struct sockaddr *)&remote, &remote_len)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to receive isakmp packet: %s\n", strerror (errno)); } 
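Review bot: The rewritten short-header message prints `len` with `%zu`, while the other messages this commit touches print it with `%zd` (so it is presumably `ssize_t`); a signed argument under an unsigned conversion is a format mismatch, and the peer's advertised `ntohl(isakmp.len)` — one of the two values the condition actually tests — was dropped from the log, which makes malformed-header reports harder to diagnose. Suggest `"packet shorter than isakmp header size (%zd, %u, %zu)\n", len, ntohl(isakmp.len), sizeof(isakmp)`. The `&remote` argument to `plog` also disappeared, so the peer address is no longer attached to this error unless the new `plog` form records it on its own, which cannot be told from this hunk. `isakmp_handler` continues outside the hunk.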
@@ -287,11 +225,11 @@ isakmp_handler(so_isakmp) /* reject it if the size is tooooo big. */ if (ntohl(isakmp.len) > 0xffff) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "the length in the isakmp header is too big.\n"); if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 0, (struct sockaddr *)&remote, &remote_len)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to receive isakmp packet: %s\n", strerror (errno)); } @@ -300,13 +238,13 @@ isakmp_handler(so_isakmp) /* read real message */ if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate reading buffer (%u Bytes)\n", ntohl(isakmp.len) + extralen); /* dummy receive */ if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 0, (struct sockaddr *)&remote, &remote_len)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to receive isakmp packet: %s\n", strerror (errno)); error = -2; /* serious problem with socket */ @@ -318,22 +256,22 @@ isakmp_handler(so_isakmp) 0, &remote, &remote_len, &local, &local_len)) < 0) { if (errno == EINTR) continue; - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to receive isakmp packet: %s\n", strerror (errno)); goto end; } if (len < extralen) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid len (%d Bytes) & extralen (%d Bytes)\n", + plog(ASL_LEVEL_ERR, + "invalid len (%zd Bytes) & extralen (%d Bytes)\n", len, extralen); goto end; } if ((buf = vmalloc(len - extralen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate reading buffer (%u Bytes)\n", + plog(ASL_LEVEL_ERR, + "failed to allocate reading buffer (%lu Bytes)\n", (len - extralen)); goto end; } 
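Review bot: `"failed to allocate reading buffer (%lu Bytes)\n"` is passed `(len - extralen)`, which is `ssize_t` minus `int` and therefore signed, so `%lu` is the wrong conversion; two lines above the same commit prints `len` with `%zd`, so `%zd` here (or a cast to `size_t`, which the preceding `len < extralen` guard makes safe) would be both correct and consistent. This is the kind of mismatch `-Wformat` reports, and it would also have caught the `%zu` applied to `len` in the earlier short-header message. `isakmp_handler` continues outside this hunk.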
@@ -343,18 +281,15 @@ isakmp_handler(so_isakmp) len -= extralen; if (len != buf->l) { - plog(LLV_ERROR, LOCATION, &remote, "received invalid length (%d != %zu), why ?\n", + plog(ASL_LEVEL_ERR, "received invalid length (%zd != %zu), why ?\n", len, buf->l); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - plog(LLV_DEBUG, LOCATION, NULL, - "%d bytes message received %s\n", - len, saddr2str_fromto("from %s to %s", - (struct sockaddr *)&remote, - (struct sockaddr *)&local)); - plogdump(LLV_DEBUG, buf->v, buf->l); + plog(ASL_LEVEL_DEBUG, "%zd bytes message received %s\n", + len, saddr2str_fromto("from %s to %s", + (struct sockaddr *)&remote, + (struct sockaddr *)&local)); /* avoid packets with malicious port/address */ switch (remote.ss_family) { @@ -367,12 +302,12 @@ isakmp_handler(so_isakmp) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", remote.ss_family); goto end; } if (port == 0) { - plog(LLV_ERROR, LOCATION, &remote, + plog(ASL_LEVEL_ERR, "src port == 0 (valid as UDP but not with IKE)\n"); goto end; } @@ -382,11 +317,12 @@ isakmp_handler(so_isakmp) /* XXX: I don't know how to check isakmp half connection attack. */ /* simply reply if the packet was processed. */ - if (check_recvdpkt(&remote, &local, buf)) { + + if (ike_session_check_recvdpkt(&remote, &local, buf)) { IPSECLOGASLMSG("Received retransmitted packet from %s.\n", saddr2str((struct sockaddr *)&remote)); - plog(LLV_NOTIFY, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "the packet is retransmitted by %s.\n", saddr2str((struct sockaddr *)&remote)); error = 0; @@ -394,9 +330,7 @@ isakmp_handler(so_isakmp) } /* isakmp main routine */ - if (isakmp_main(buf, &remote, &local) != 0) goto end; - - error = 0; + isakmp_main(buf, &remote, &local); end: if (tmpbuf != NULL) 
@@ -404,21 +338,17 @@ end: if (buf != NULL) vfree(buf); - return(error); + return; } /* * main processing to handle isakmp payload */ -static int -isakmp_main(msg, remote, local) - vchar_t *msg; - struct sockaddr_storage *remote, *local; +static void +isakmp_main(vchar_t *msg, struct sockaddr_storage *remote, struct sockaddr_storage *local) { struct isakmp *isakmp = (struct isakmp *)msg->v; - isakmp_index *index = (isakmp_index *)isakmp; - u_int32_t msgid = isakmp->msgid; - struct ph1handle *iph1; + u_int8_t isakmp_version = isakmp->v; #ifdef HAVE_PRINT_ISAKMP_C isakmp_printpacket(msg, remote, local, 0); @@ -426,9 +356,9 @@ isakmp_main(msg, remote, local) /* the initiator's cookie must not be zero */ if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) { - plog(LLV_ERROR, LOCATION, remote, + plog(ASL_LEVEL_ERR, "malformed cookie received.\n"); - return -1; + return; } /* Check the Major and Minor Version fields. */ 
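Review bot: With `return(error)` replaced by a bare `return`, `error` in `isakmp_handler` is now write-only: it is initialised to -1, set to -2 (`/* serious problem with socket */`) in the allocation-failure path and to 0 in the retransmission path, and never read. Whatever the caller did with the -2 socket-failure signal lies outside this diff, but that distinction is now lost; either remove the variable and its assignments (a `-Wunused-but-set-variable` build will flag it) or keep `int` as the return type and leave `return error;` in place so the socket-error path stays observable. The same hunk turns `isakmp_main` into a `void` function, so its caller can no longer distinguish a dropped packet from a processed one either.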
@@ -437,64 +367,87 @@ isakmp_main(msg, remote, local) * I think it may no be here because the version depends * on exchange status. */ - if (isakmp->v < ISAKMP_VERSION_NUMBER) { - if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) { - plog(LLV_ERROR, LOCATION, remote, - "invalid major version %d.\n", - ISAKMP_GETMAJORV(isakmp->v)); - return -1; - } -#if ISAKMP_MINOR_VERSION > 0 - if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) { - plog(LLV_ERROR, LOCATION, remote, + if (ISAKMP_GETMAJORV(isakmp_version) != ISAKMP_MAJOR_VERSION_IKEV1 && + ISAKMP_GETMAJORV(isakmp_version) != ISAKMP_MAJOR_VERSION_IKEV2) { + plog(ASL_LEVEL_ERR, "invalid major version %d.\n", isakmp_version); + return; + } + +#if 0 +#if ISAKMP_MINOR_VERSION > 0 //%%%%%%%% fix this + if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) { //%%%%%%%%%%%%%%% ?????? + plog(ASL_LEVEL_ERR, "invalid minor version %d.\n", ISAKMP_GETMINORV(isakmp->v)); - return -1; + return; } #endif - } +#endif - /* check the Flags field. */ - /* XXX How is the exclusive check, E and A ? */ - if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) { - plog(LLV_ERROR, LOCATION, remote, - "invalid flag 0x%02x.\n", isakmp->flags); - return -1; - } + if (isakmp_version == ISAKMP_VERSION_NUMBER_IKEV1) { + /* check the Flags field. */ + /* XXX How is the exclusive check, E and A ? */ + if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) { //%%%%%%%%%%%% any other flags for IKEv2 ????? + plog(ASL_LEVEL_ERR, "invalid flag 0x%02x.\n", isakmp->flags); + return; + } - /* ignore commit bit. */ - if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) { - if (isakmp->msgid == 0) { - isakmp_info_send_nx(isakmp, remote, local, - ISAKMP_NTYPE_INVALID_FLAGS, NULL); - plog(LLV_ERROR, LOCATION, remote, - "Commit bit on phase1 forbidden.\n"); - return -1; + /* ignore commit bit. 
*/ + if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) { + if (isakmp->msgid == 0) { //%%%%% does this apply to V2 + isakmp_info_send_nx(isakmp, remote, local, + ISAKMP_NTYPE_INVALID_FLAGS, NULL); + plog(ASL_LEVEL_ERR, "Commit bit on Phase 1 forbidden.\n"); + return; + } } + + ikev1_received_packet(msg, local, remote); } + return; +} - iph1 = getph1byindex(index); +/* + * ikev1_received_packet + * Handler for received IKEv1 Packets + */ +static void +ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct sockaddr_storage *remote) +{ + ike_session_t *session; + phase1_handle_t *iph1; + + struct isakmp *isakmp = (struct isakmp *)msg->v; + isakmp_index *index = (isakmp_index *)isakmp; + + session = ike_session_get_session(local, remote, 1); + if (!session) { + plog (ASL_LEVEL_INFO, "failed to allocate or find ike session.\n"); + fatal_error(-1); + } + + iph1 = ike_session_getph1byindex(session, index); if (iph1 != NULL) { /* validity check */ if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 && iph1->side == INITIATOR) { IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, - CONSTSTR("malformed or unexpected cookie"), + CONSTSTR("Malformed or unexpected cookie"), CONSTSTR("Failed to process packet (malformed/unexpected cookie)")); - plog(LLV_DEBUG, LOCATION, remote, - "malformed cookie received or " + plog(ASL_LEVEL_DEBUG, + "Malformed cookie received or " "the initiator's cookies collide.\n"); - return -1; + return; } - -#ifdef ENABLE_NATT + + /* Floating ports for NAT-T */ if (NATT_AVAILABLE(iph1) && ! (iph1->natt_flags & NAT_PORTS_CHANGED) && ((cmpsaddrstrict(iph1->remote, remote) != 0) || (cmpsaddrstrict(iph1->local, local) != 0))) - { + { //%%%%%%%%%%%%%%%%%%%% make this a separate function - ikev2 needs it /* prevent memory leak */ racoon_free(iph1->remote); racoon_free(iph1->local); 
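Review bot: After the major-version check admits both IKEv1 and IKEv2, only `isakmp_version == ISAKMP_VERSION_NUMBER_IKEV1` is handled; an IKEv2 packet, or an IKEv1 packet whose minor version is non-zero, now passes validation and falls off the end of `isakmp_main` with no log line, whereas the old code logged every rejection. Add an `else` branch that records the drop, e.g. `plog(ASL_LEVEL_DEBUG, "ignoring packet with unsupported ISAKMP version 0x%02x.\n", isakmp_version);`. The new `ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct sockaddr_storage *remote)` takes `local` before `remote`, the reverse of `isakmp_main`, `ikev1_ph1begin_r` and `frag_handler`; the call site matches the definition so it is correct today, but two adjacent `struct sockaddr_storage *` parameters in the opposite order from the rest of the file is exactly the swap the compiler cannot catch, so the file's `(remote, local)` order would be safer. The `//%%%%%%%%` markers and the `#if 0` block read as unfinished review notes and should be resolved or reduced to a single TODO before landing. `ikev1_received_packet` continues past this hunk.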
@@ -502,30 +455,26 @@ isakmp_main(msg, remote, local) iph1->local = NULL; /* copy-in new addresses */ - iph1->remote = dupsaddr((struct sockaddr *)remote); + iph1->remote = dupsaddr(remote); if (iph1->remote == NULL) { IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, - CONSTSTR("failed to duplicate remote address"), - CONSTSTR("Failed to process phase1 message (can't duplicate remote address")); - plog(LLV_ERROR, LOCATION, iph1->remote, - "phase1 failed: dupsaddr failed.\n"); - remph1(iph1); - delph1(iph1); - return -1; + CONSTSTR("Failed to duplicate remote address"), + CONSTSTR("Failed to process Phase 1 message (can't duplicate remote address")); + plog(ASL_LEVEL_ERR, + "Phase 1 failed: dupsaddr failed.\n"); + fatal_error(-1); } - iph1->local = dupsaddr((struct sockaddr *)local); + iph1->local = dupsaddr(local); if (iph1->local == NULL) { IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, - CONSTSTR("failed to duplicate local address"), - CONSTSTR("Failed to process phase1 message (can't duplicate local address")); - plog(LLV_ERROR, LOCATION, iph1->remote, - "phase1 failed: dupsaddr failed.\n"); - remph1(iph1); - delph1(iph1); - return -1; - } + CONSTSTR("Failed to duplicate local address"), + CONSTSTR("Failed to process Phase 1 message (can't duplicate local address")); + plog(ASL_LEVEL_ERR, + "Phase 1 failed: dupsaddr failed.\n"); + fatal_error(-1); + } /* set the flag to prevent further port floating (FIXME: should we allow it? E.g. when the NAT gw 
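Review bot: Both `dupsaddr` failures in the NAT-T port-floating path now call `fatal_error(-1)` where the old code logged, removed the Phase 1 handle and returned; this path runs on receipt of an unauthenticated UDP packet whose source address or port differs from the one on record, so an allocation failure at that moment now terminates the daemon instead of dropping one exchange. Since `iph1->remote` and `iph1->local` have just been freed and set to NULL, the handle cannot simply be kept, but the old shape — log, tear the handle down through the session's removal routine, `return;` — is still available and reserves `fatal_error` for programming errors. The `ike_session_get_session` NULL check at the top of `ikev1_received_packet` in the previous hunk has the same property if that lookup can fail for resource reasons rather than only through a bug. The enclosing function continues outside this hunk.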
@@ -533,11 +482,11 @@ isakmp_main(msg, remote, local) iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; /* print some neat info */ - plog (LLV_INFO, LOCATION, NULL, + plog (ASL_LEVEL_INFO, "NAT-T: ports changed to: %s\n", saddr2str_fromto("%s<->%s", (struct sockaddr *)iph1->remote, (struct sockaddr *)iph1->local)); } -#endif + /* must be same addresses in one stream of a phase at least. */ if (cmpsaddrstrict(iph1->remote, remote) != 0) { char *saddr_db, *saddr_act; @@ -547,8 +496,8 @@ isakmp_main(msg, remote, local) STRDUP_FATAL(saddr_db); STRDUP_FATAL(saddr_act); - plog(LLV_WARNING, LOCATION, remote, - "remote address mismatched. db=%s, act=%s\n", + plog(ASL_LEVEL_WARNING, + "Remote address mismatched. db=%s, act=%s\n", saddr_db, saddr_act); racoon_free(saddr_db); 
@@ -556,658 +505,258 @@ isakmp_main(msg, remote, local) } /* - * don't check of exchange type here because other type will be - * with same index, for example, informational exchange. + * don't check of exchange type here because other type will have + * the same index, for example, informational exchange. */ - /* XXX more acceptable check */ - -#ifdef ENABLE_DPD // received ike packets: update dpd checks - isakmp_reschedule_info_monitor_if_pending(iph1, - "ike packets received from peer"); -#endif /* DPD */ - } - - switch (isakmp->etype) { - case ISAKMP_ETYPE_IDENT: - case ISAKMP_ETYPE_AGG: - case ISAKMP_ETYPE_BASE: - /* phase 1 validity check */ - if (isakmp->msgid != 0) { - plog(LLV_ERROR, LOCATION, remote, - "message id should be zero in phase1.\n"); - return -1; - } - - /* search for isakmp status record of phase 1 */ - if (iph1 == NULL) { - /* - * the packet must be the 1st message from a initiator - * or the 2nd message from the responder. - */ - - /* search for phase1 handle by index without r_ck */ - iph1 = getph1byindex0(index); - if (iph1 == NULL) { - /*it must be the 1st message from a initiator.*/ - if (memcmp(&isakmp->r_ck, r_ck0, - sizeof(cookie_t)) != 0) { - - plog(LLV_DEBUG, LOCATION, remote, - "malformed cookie received " - "or the spi expired.\n"); - return -1; - } - - /* it must be responder's 1st exchange. */ - if (isakmp_ph1begin_r(msg, remote, local, - isakmp->etype) < 0) - return -1; - break; - - /*NOTREACHED*/ - } - - /* it must be the 2nd message from the responder. */ - if (iph1->side != INITIATOR) { - IPSECSESSIONTRACEREVENT(iph1->parent_session, - IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, - CONSTSTR("malformed cookie and unexpected side"), - CONSTSTR("Failed to process phase1 message (unexpected side)")); - plog(LLV_DEBUG, LOCATION, remote, - "malformed cookie received. " - "it has to be as the initiator. 
%s\n", - isakmp_pindex(&iph1->index, 0)); - return -1; - } - } - - /* - * Don't delete phase 1 handler when the exchange type - * in handler is not equal to packet's one because of no - * authencication completed. - */ - if (iph1->etype != isakmp->etype) { - IPSECSESSIONTRACEREVENT(iph1->parent_session, - IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, - CONSTSTR("mismatched exchange type"), - CONSTSTR("Failed to process phase1 message (mismatched exchange type)")); - plog(LLV_ERROR, LOCATION, iph1->remote, - "exchange type is mismatched: " - "db=%s packet=%s, ignore it.\n", - s_isakmp_etype(iph1->etype), - s_isakmp_etype(isakmp->etype)); - return -1; - } - -#ifdef ENABLE_FRAG - if (isakmp->np == ISAKMP_NPTYPE_FRAG) - return frag_handler(iph1, msg, remote, local); -#endif - - /* call main process of phase 1 */ - if (ph1_main(iph1, msg) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "phase1 negotiation failed.\n"); - remph1(iph1); - delph1(iph1); - return -1; - } - break; - - case ISAKMP_ETYPE_AUTH: - plog(LLV_INFO, LOCATION, remote, - "unsupported exchange %d received.\n", - isakmp->etype); - break; - - case ISAKMP_ETYPE_INFO: - case ISAKMP_ETYPE_ACKINFO: - /* - * iph1 must be present for Information message. - * if iph1 is null then trying to get the phase1 status - * as the packet from responder againt initiator's 1st - * exchange in phase 1. - * NOTE: We think such informational exchange should be ignored. - */ - if (iph1 == NULL) { - iph1 = getph1byindex0(index); - if (iph1 == NULL) { - plog(LLV_ERROR, LOCATION, remote, - "unknown Informational " - "exchange received.\n"); - return -1; - } - if (cmpsaddrstrict(iph1->remote, remote) != 0) { - plog(LLV_WARNING, LOCATION, remote, - "remote address mismatched. 
" - "db=%s\n", - saddr2str((struct sockaddr *)iph1->remote)); - } - } - -#ifdef ENABLE_FRAG - if (isakmp->np == ISAKMP_NPTYPE_FRAG) - return frag_handler(iph1, msg, remote, local); -#endif - - if (isakmp_info_recv(iph1, msg) < 0) - return -1; - break; + isakmp_reschedule_info_monitor_if_pending(iph1, "IKE packet received from peer"); - case ISAKMP_ETYPE_QUICK: - { - struct ph2handle *iph2; - - if (iph1 == NULL) { - isakmp_info_send_nx(isakmp, remote, local, - ISAKMP_NTYPE_INVALID_COOKIE, NULL); - plog(LLV_ERROR, LOCATION, remote, - "can't start the quick mode, " - "there is no ISAKMP-SA, %s\n", - isakmp_pindex((isakmp_index *)&isakmp->i_ck, - isakmp->msgid)); - return -1; - } -#ifdef ENABLE_HYBRID - /* Reinit the IVM if it's still there */ - if (iph1->mode_cfg && iph1->mode_cfg->ivm) { - oakley_delivm(iph1->mode_cfg->ivm); - iph1->mode_cfg->ivm = NULL; - } -#endif -#ifdef ENABLE_FRAG - if (isakmp->np == ISAKMP_NPTYPE_FRAG) - return frag_handler(iph1, msg, remote, local); -#endif - - /* check status of phase 1 whether negotiated or not. */ - if (iph1->status != PHASE1ST_ESTABLISHED) { - IPSECSESSIONTRACEREVENT(iph1->parent_session, - IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP, - CONSTSTR("can't start phase2 without valid phase1"), - CONSTSTR("Failed to start phase2 resonder (no established phase1")); - plog(LLV_ERROR, LOCATION, remote, - "can't start the quick mode, " - "there is no valid ISAKMP-SA, %s\n", - isakmp_pindex(&iph1->index, iph1->msgid)); - return -1; - } - - /* search isakmp phase 2 stauts record. */ - iph2 = getph2bymsgid(iph1, msgid); - if (iph2 == NULL) { - /* it must be new negotiation as responder */ - if (isakmp_ph2begin_r(iph1, msg) < 0) - return -1; - return 0; - /*NOTREACHED*/ - } - - /* commit bit. */ - /* XXX - * we keep to set commit bit during negotiation. - * When SA is configured, bit will be reset. - * XXX - * don't initiate commit bit. should be fixed in the future. 
- */ - if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) - iph2->flags |= ISAKMP_FLAG_C; - - if (ISSET(isakmp->flags, ISAKMP_FLAG_E) && - (iph2->ph1 == NULL || iph2->ph1->approval == NULL)) { - IPSECSESSIONTRACEREVENT(iph2->parent_session, - IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP, - CONSTSTR("can't continue phase2 without valid phase1"), - CONSTSTR("Failed to continue phase2 resonder (invalid linked phase1")); - plog(LLV_ERROR, LOCATION, remote, - "can't start the quick mode, " - "invalid linked ISAKMP-SA\n"); - return -1; - } - - /* call main process of quick mode */ - if (quick_main(iph2, msg) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "phase2 negotiation failed.\n"); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - return -1; - } } - break; - - case ISAKMP_ETYPE_NEWGRP: - if (iph1 == NULL) { - plog(LLV_ERROR, LOCATION, remote, - "Unknown new group mode exchange, " - "there is no ISAKMP-SA.\n"); - return -1; - } - -#ifdef ENABLE_FRAG - if (isakmp->np == ISAKMP_NPTYPE_FRAG) - return frag_handler(iph1, msg, remote, local); -#endif - - isakmp_newgroup_r(iph1, msg); - break; - -#ifdef ENABLE_HYBRID - case ISAKMP_ETYPE_CFG: - if (iph1 == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "mode config %d from %s, " - "but we have no ISAKMP-SA.\n", - isakmp->etype, saddr2str((struct sockaddr *)remote)); - return -1; - } - if (iph1->status != PHASE1ST_ESTABLISHED) { - plog(LLV_ERROR, LOCATION, NULL, - "mode config %d from %s, " - "but ISAKMP-SA %s isn't established.\n", - isakmp->etype, saddr2str((struct sockaddr *)remote), - isakmp_pindex(&iph1->index, iph1->msgid)); - return -1; - } -#ifdef ENABLE_FRAG - if (isakmp->np == ISAKMP_NPTYPE_FRAG) - return frag_handler(iph1, msg, remote, local); -#endif - - isakmp_cfg_r(iph1, msg); - break; -#endif - - case ISAKMP_ETYPE_NONE: - default: - plog(LLV_ERROR, LOCATION, NULL, - "Invalid exchange type %d from %s.\n", - isakmp->etype, saddr2str((struct sockaddr *)remote)); - return -1; - } - - return 0; -} - -/* - * main function of 
phase 1. - */ -static int -ph1_main(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - int error; - int ini_contact = iph1->rmconf->ini_contact; -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - int spi_cmp; - u_int rekey_lifetime; - - /* ignore a packet */ - if (iph1->status == PHASE1ST_ESTABLISHED) - return 0; - -#ifdef ENABLE_STATS - gettimeofday(&start, NULL); -#endif - /* receive */ - if (ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status] == NULL) { - IPSECSESSIONTRACEREVENT(iph1->parent_session, - IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, - CONSTSTR("unavailable function"), - CONSTSTR("Failed to process phase1 message (no state function)")); - plog(LLV_ERROR, LOCATION, iph1->remote, - "why isn't the function defined.\n"); - return -1; - } - error = (ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status])(iph1, msg); - if (error != 0) { - - /* XXX - * When an invalid packet is received on phase1, it should - * be selected to process this packet. That is to respond - * with a notify and delete phase 1 handler, OR not to respond - * and keep phase 1 handler. However, in PHASE1ST_START when - * acting as RESPONDER we must not keep phase 1 handler or else - * it will stay forever. 
- */ - - if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to pre-process packet.\n"); - return -1; - } else { - /* ignore the error and keep phase 1 handler */ - return 0; - } - } - -#ifndef ENABLE_FRAG - /* free resend buffer */ - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no buffer found as sendbuf\n"); - return -1; - } -#endif - - VPTRINIT(iph1->sendbuf); - - /* turn off schedule */ - SCHED_KILL(iph1->scr); - - /* send */ - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - if ((ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status])(iph1, msg) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to process packet.\n"); - return -1; - } - -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status), - timedelta(&start, &end)); -#endif - if (iph1->status == PHASE1ST_ESTABLISHED) { - -#ifdef ENABLE_STATS - gettimeofday(&iph1->end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase1", s_isakmp_etype(iph1->etype), - timedelta(&iph1->start, &iph1->end)); -#endif - -#ifdef ENABLE_VPNCONTROL_PORT - - if (iph1->side == RESPONDER && - iph1->local->ss_family == AF_INET) { - - struct redirect *addr; - - LIST_FOREACH(addr, &lcconf->redirect_addresses, chain) { - if (((struct sockaddr_in *)iph1->local)->sin_addr.s_addr == addr->cluster_address) { - vchar_t *raddr = vmalloc(sizeof(u_int32_t)); - - if (raddr == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to send redirect message - memory error.\n"); - } else { - memcpy(raddr->v, &addr->redirect_address, sizeof(u_int32_t)); - (void)isakmp_info_send_n1(iph1, ISAKMP_NTYPE_LOAD_BALANCE, raddr); - plog(LLV_DEBUG, LOCATION, iph1->remote, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address)); - vfree(raddr); - if (addr->force) { - (void)ike_session_update_ph1_ph2tree(iph1); - isakmp_ph1expire(iph1); 
- } - } - } - return 0; - } - } -#endif - /* save created date. */ - (void)time(&iph1->created); - - /* add to the schedule to expire, and save back pointer. */ - iph1->sce = sched_new(iph1->approval->lifetime, - isakmp_ph1expire_stub, iph1); - - if (iph1->rmconf->initiate_ph1rekey) { - if (iph1->side == INITIATOR) { - spi_cmp = memcmp(&iph1->index.i_ck, &iph1->index.r_ck, sizeof(iph1->index.i_ck)); - if (spi_cmp == 0) - spi_cmp = 1; - } else { - spi_cmp = memcmp(&iph1->index.r_ck, &iph1->index.i_ck, sizeof(iph1->index.r_ck)); - if (spi_cmp == 0) - spi_cmp = -1; - } - rekey_lifetime = ike_session_get_rekey_lifetime((spi_cmp > 0), - iph1->approval->lifetime); - if (rekey_lifetime) { - iph1->sce_rekey = sched_new(rekey_lifetime, - isakmp_ph1rekeyexpire_stub, - iph1); - } else { - /* iph1->approval->lifetime is too small (e.g. 1) so why bother? - * LOG ERROR - */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to get rekey timer - lifetime is too small... probably.\n"); - } - } - -#ifdef ENABLE_HYBRID - /* ignore xauth if it is a rekey */ - if (!iph1->is_rekey && - iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { - switch(AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: - xauth_sendreq(iph1); - /* XXX Don't process INITIAL_CONTACT */ - ini_contact = 0; - break; - default: - break; - } - } -#endif -#ifdef ENABLE_DPD - /* Schedule the r_u_there.... */ - if(iph1->dpd_support && iph1->rmconf->dpd_interval) - isakmp_sched_r_u(iph1, 0); -#endif - - /* INITIAL-CONTACT processing */ - /* ignore initial-contact if it is a rekey */ - /* don't send anything if local test mode. 
*/ - if (!iph1->is_rekey && !f_local && ini_contact && !getcontacted(iph1->remote)) { - /* send INITIAL-CONTACT */ - isakmp_info_send_n1(iph1, - ISAKMP_NTYPE_INITIAL_CONTACT, NULL); - /* insert a node into contacted list. */ - if (inscontacted(iph1->remote) == -1) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to add contacted list.\n"); - /* ignore */ - } - } - - log_ph1established(iph1); - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - - /* - * SA up shell script hook: do it now for rekeys, otherwise only - * if ISAKMP mode config wasn't requested. In the later - * case it is done when we receive the configuration. - */ - if ((iph1->status == PHASE1ST_ESTABLISHED) && - (iph1->is_rekey || !iph1->rmconf->mode_cfg)) { - switch (AUTHMETHOD(iph1)) { -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - /* Unimplemeted... */ - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: - break; -#endif - default: - script_hook(iph1, SCRIPT_PHASE1_UP); - break; - } - } - - ike_session_cleanup_other_established_ph1s(iph1->parent_session, iph1); - -#ifdef ENABLE_VPNCONTROL_PORT - vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL); - vpncontrol_notify_peer_resp_ph1(1, iph1); -#endif - - } - - return 0; -} - -/* - * main function of quick mode. 
- */ -static int -quick_main(iph2, msg) - struct ph2handle *iph2; - vchar_t *msg; -{ - struct isakmp *isakmp = (struct isakmp *)msg->v; - int error; -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - - /* ignore a packet */ - if (iph2->status == PHASE2ST_ESTABLISHED - || iph2->status == PHASE2ST_GETSPISENT) - return 0; - -#ifdef ENABLE_STATS - gettimeofday(&start, NULL); -#endif - - /* receive */ - if (ph2exchange[etypesw2(isakmp->etype)] - [iph2->side] - [iph2->status] == NULL) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "why isn't the function defined.\n"); - return -1; - } - error = (ph2exchange[etypesw2(isakmp->etype)] - [iph2->side] - [iph2->status])(iph2, msg); - if (error != 0) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "failed to pre-process packet.\n"); - if (error == ISAKMP_INTERNAL_ERROR) - return 0; - isakmp_info_send_n1(iph2->ph1, error, NULL); - return -1; - } - - /* when using commit bit, status will be reached here. */ - //if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - wrong place - // return 0; - - /* free resend buffer */ - if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no buffer found as sendbuf\n"); - return -1; - } - VPTRINIT(iph2->sendbuf); - - /* turn off schedule */ - SCHED_KILL(iph2->scr); - - /* when using commit bit, status will be reached here. 
*/ - if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - moved to here - return 0; + + // + // Check exchange type and process accordingly + // + switch (isakmp->etype) { - /* send */ - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - if ((ph2exchange[etypesw2(isakmp->etype)] - [iph2->side] - [iph2->status])(iph2, msg) != 0) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "failed to process packet.\n"); - return -1; + case ISAKMP_ETYPE_IDENT: + case ISAKMP_ETYPE_AGG: + { + /* phase 1 validity check */ + if (isakmp->msgid != 0) { + plog(ASL_LEVEL_ERR, "Message id should be zero in Phase 1.\n"); + return; + } + + /* search for isakmp status record of phase 1 */ + if (iph1 == NULL) { + /* + * the packet must be the 1st message from a initiator + * or the 2nd message from the responder. + */ + + /* search for phase1 handle by index without r_ck */ + iph1 = ike_session_getph1byindex0(session, index); + if (iph1 == NULL) { + /*it must be the 1st message from a initiator.*/ + if (memcmp(&isakmp->r_ck, r_ck0, + sizeof(cookie_t)) != 0) { + + plog(ASL_LEVEL_DEBUG, "Malformed cookie received " + "or the spi expired.\n"); + return; + } + + /* Initiation of new exchange */ + ikev1_ph1begin_r(session, msg, remote, local, isakmp->etype); + return; + } + } + + /* + * Don't delete phase 1 handler for mismatch + * because of no authentication has been completed. 
+ */ + if (iph1->etype != isakmp->etype) { + IPSECSESSIONTRACEREVENT(iph1->parent_session, + IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, + CONSTSTR("Mismatched exchange type"), + CONSTSTR("Failed to process Phase 1 message (mismatched exchange type)")); + plog(ASL_LEVEL_ERR, + "Exchange type is mismatched: " + "db=%s packet=%s, ignore it.\n", + s_isakmp_etype(iph1->etype), + s_isakmp_etype(isakmp->etype)); + return; + } + + if (isakmp->np == ISAKMP_NPTYPE_FRAG) { + frag_handler(iph1, msg, remote, local); + return; + } + fsm_ikev1_phase1_process_payloads(iph1, msg); + } + break; + + case ISAKMP_ETYPE_INFO: + case ISAKMP_ETYPE_ACKINFO: + { + /* + * iph1 must be present for Information message. + * if iph1 is null then trying to get the phase1 status + * as the packet from responder againt initiator's 1st + * exchange in phase 1. + * NOTE: We think such informational exchange should be ignored. + */ + if (iph1 == NULL) { + iph1 = ike_session_getph1byindex0(session, index); + if (iph1 == NULL) { + plog(ASL_LEVEL_ERR, "Unknown Informational exchange received.\n"); + return; + } + if (cmpsaddrstrict(iph1->remote, remote) != 0) { + plog(ASL_LEVEL_WARNING, + "Remote address mismatched. 
" + "db=%s\n", + saddr2str((struct sockaddr *)iph1->remote)); + } + } + if (isakmp->np == ISAKMP_NPTYPE_FRAG) + return frag_handler(iph1, msg, remote, local); + + if (isakmp_info_recv(iph1, msg) < 0) + return; + } + break; + + case ISAKMP_ETYPE_QUICK: + { + u_int32_t msgid = isakmp->msgid; + phase2_handle_t *iph2; + + if (iph1 == NULL) { + isakmp_info_send_nx(isakmp, remote, local, + ISAKMP_NTYPE_INVALID_COOKIE, NULL); + plog(ASL_LEVEL_ERR, "Can't start the quick mode, " + "there is no ISAKMP-SA, %s\n", isakmp_pindex((isakmp_index *)&isakmp->i_ck, + isakmp->msgid)); + return; + } + #ifdef ENABLE_HYBRID + /* Reinit the IVM if it's still there */ + if (iph1->mode_cfg && iph1->mode_cfg->ivm) { + oakley_delivm(iph1->mode_cfg->ivm); + iph1->mode_cfg->ivm = NULL; + } + #endif + if (isakmp->np == ISAKMP_NPTYPE_FRAG) { + frag_handler(iph1, msg, remote, local); + return; + } + + /* check status of phase 1 whether negotiated or not. */ + if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { + IPSECSESSIONTRACEREVENT(iph1->parent_session, + IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP, + CONSTSTR("Can't start Phase 2 without valid Phase 1"), + CONSTSTR("Failed to start Phase 2 responder (no established Phase 1")); + plog(ASL_LEVEL_ERR, "can't start the quick mode, " + "there is no valid ISAKMP-SA, %s\n", isakmp_pindex(&iph1->index, iph1->msgid)); + return; + } + + /* search isakmp phase 2 stauts record. */ + iph2 = ike_session_getph2bymsgid(iph1, msgid); + if (iph2 == NULL) { + /* it must be new negotiation as responder */ + ikev1_ph2begin_r(iph1, msg); + return; + } + + /* commit bit. */ + /* XXX + * we keep to set commit bit during negotiation. + * When SA is configured, bit will be reset. + * XXX + * don't initiate commit bit. should be fixed in the future. 
+ */ + if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) + iph2->flags |= ISAKMP_FLAG_C; + + if (ISSET(isakmp->flags, ISAKMP_FLAG_E) && + (iph2->ph1 == NULL || iph2->ph1->approval == NULL)) { + IPSECSESSIONTRACEREVENT(iph2->parent_session, + IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP, + CONSTSTR("Can't continue Phase 2 without valid Phase 1"), + CONSTSTR("Failed to continue Phase 2 resonder (invalid linked Phase 1")); + plog(ASL_LEVEL_ERR, "can't start the quick mode, " + "invalid linked ISAKMP-SA\n"); + return; + } + fsm_ikev1_phase2_process_payloads(iph2, msg); + } + break; + + case ISAKMP_ETYPE_CFG: + { + if (iph1 == NULL) { + plog(ASL_LEVEL_ERR, + "mode config %d from %s, " + "but we have no ISAKMP-SA.\n", + isakmp->etype, saddr2str((struct sockaddr *)remote)); + return; + } + if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { + plog(ASL_LEVEL_ERR, + "mode config %d from %s, " + "but ISAKMP-SA %s isn't established.\n", + isakmp->etype, saddr2str((struct sockaddr *)remote), + isakmp_pindex(&iph1->index, iph1->msgid)); + return; + } + if (isakmp->np == ISAKMP_NPTYPE_FRAG) + return frag_handler(iph1, msg, remote, local); + isakmp_cfg_r(iph1, msg); + } + break; + + case ISAKMP_ETYPE_NEWGRP: + case ISAKMP_ETYPE_AUTH: + case ISAKMP_ETYPE_NONE: + default: + plog(ASL_LEVEL_ERR, + "Invalid exchange type %d from %s.\n", + isakmp->etype, saddr2str((struct sockaddr *)remote)); + break; } - -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase2", - s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), - timedelta(&start, &end)); -#endif - - return 0; } /* new negotiation of phase 1 for initiator */ int -isakmp_ph1begin_i(rmconf, remote, local, started_by_api) - struct remoteconf *rmconf; - struct sockaddr_storage *remote, *local; - int started_by_api; +ikev1_ph1begin_i(ike_session_t *session, struct remoteconf *rmconf, struct sockaddr_storage *remote, + struct sockaddr_storage *local, int started_by_api) { - struct ph1handle *iph1; + + 
phase1_handle_t *iph1; #ifdef ENABLE_STATS struct timeval start, end; #endif + if (session == NULL) { + session = ike_session_get_session(local, remote, 1); + if (!session) { + plog (ASL_LEVEL_INFO, "failed to allocate or find ike session.\n"); + fatal_error(-1); + } + } + /* get new entry to isakmp status table. */ - iph1 = newph1(); + iph1 = ike_session_newph1(ISAKMP_VERSION_NUMBER_IKEV1); if (iph1 == NULL) return -1; - iph1->status = PHASE1ST_START; iph1->rmconf = rmconf; - if (link_rmconf_to_ph1(rmconf) < 0) { - plog(LLV_ERROR, LOCATION, remote, - "couldn't link " - "configuration.\n"); - iph1->rmconf = NULL; - /* don't call remph1(iph1) until after insph1(iph1) is called */ - delph1(iph1); - return -1; - } + retain_rmconf(iph1->rmconf); iph1->side = INITIATOR; iph1->started_by_api = started_by_api; - iph1->version = ISAKMP_VERSION_NUMBER; + iph1->version = ISAKMP_VERSION_NUMBER_IKEV1; iph1->msgid = 0; iph1->flags = 0; iph1->ph2cnt = 0; -#ifdef HAVE_GSSAPI - iph1->gssapi_state = NULL; -#endif + #ifdef ENABLE_HYBRID if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { /* don't call remph1(iph1) until after insph1(iph1) is called */ - delph1(iph1); + ike_session_delph1(iph1); return -1; } #endif -#ifdef ENABLE_FRAG if(rmconf->ike_frag == ISAKMP_FRAG_FORCE) iph1->frag = 1; else iph1->frag = 0; iph1->frag_chain = NULL; -#endif iph1->approval = NULL; /* XXX copy remote address */ @@ -1217,12 +766,9 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) return -1; } - (void)insph1(iph1); - - if (ike_session_link_ph1_to_session(iph1) != 0) { - plog(LLV_DEBUG, LOCATION, NULL, "Failed to link ph1 to session\n"); - remph1(iph1); - delph1(iph1); + if (ike_session_link_phase1(session, iph1) != 0) { + plog(ASL_LEVEL_DEBUG, "Failed to link ph1 to session\n"); + ike_session_delph1(iph1); return -1; } // HACK!!! to track rekeys across SIGHUPs 
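Review bot: `plog(ASL_LEVEL_DEBUG, "Failed to link ph1 to session\n");` in ikev1_ph1begin_i logs at debug level a failure that aborts the phase-1 initiation and frees the handle, while the session lookup failure earlier in the same function logs at INFO before fatal_error; ASL_LEVEL_ERR would be the consistent level for an abort path. The level is carried over from the replaced LLV_DEBUG line, so it is pre-existing, but the parallel link failure in ikev1_ph1begin_r (a later hunk) logs nothing at all, so both places would benefit from one error-level message. ikev1_ph1begin_i's body starts and ends outside this hunk.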
@@ -1235,20 +781,26 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) /* start phase 1 exchange */ iph1->etype = rmconf->etypes->type; - - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); + if (iph1->etype == ISAKMP_ETYPE_IDENT) + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_START); + else if (iph1->etype == ISAKMP_ETYPE_AGG) + fsm_set_state(&iph1->status, IKEV1_STATE_AGG_I_START); + else + return -1; + + plog(ASL_LEVEL_DEBUG, "===\n"); { char *a; a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); STRDUP_FATAL(a); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "initiate new phase 1 negotiation: %s<=>%s\n", a, saddr2str((struct sockaddr *)iph1->remote)); racoon_free(a); } - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "begin %s mode.\n", s_isakmp_etype(iph1->etype)); @@ -1257,23 +809,17 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) gettimeofday(&start, NULL); #endif - IPSECLOGASLMSG("IPSec Phase1 started (Initiated by me).\n"); - - /* start exchange */ - if ((ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status])(iph1, NULL) != 0) { - /* failed to start phase 1 negotiation */ - remph1(iph1); - delph1(iph1); + IPSECLOGASLMSG("IPSec Phase 1 started (Initiated by me).\n"); + if (fsm_ikev1_phase1_send_response(iph1, NULL)) { + ike_session_unlink_phase1(iph1); return -1; } #ifdef ENABLE_STATS gettimeofday(&end, NULL); syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase1", + "Phase 1", s_isakmp_state(iph1->etype, iph1->side, iph1->status), timedelta(&start, &end)); #endif 
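Review bot: The `else return -1;` added after the two fsm_set_state calls in ikev1_ph1begin_i returns with iph1 still allocated and already linked into the session by the ike_session_link_phase1 call in the preceding hunk, whereas the send failure a few lines later cleans up with ike_session_unlink_phase1(iph1); unless the caller releases the handle on -1, an rmconf whose first etype is neither IDENT nor AGG leaves a dangling phase-1 handle (and its retained rmconf) in the session. Suggest `else { ike_session_unlink_phase1(iph1); return -1; }`. The same pattern appears in the ikev1_ph1begin_r hunk (@@ -1312), where the handle is not yet linked, so `ike_session_delph1(iph1)` is the matching cleanup there — check_etypeok makes that branch unlikely, but the allocation still leaks when it is taken. ikev1_ph1begin_i's body starts and ends outside these hunks.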
@@ -1287,14 +833,13 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) /* new negotiation of phase 1 for responder */ static int -isakmp_ph1begin_r(msg, remote, local, etype) - vchar_t *msg; - struct sockaddr_storage *remote, *local; - u_int8_t etype; +ikev1_ph1begin_r(ike_session_t *session, vchar_t *msg, struct sockaddr_storage *remote, + struct sockaddr_storage *local, u_int8_t etype) { - struct isakmp *isakmp = (struct isakmp *)msg->v; + + struct isakmp *isakmp = (struct isakmp *)msg->v; struct remoteconf *rmconf; - struct ph1handle *iph1; + phase1_handle_t *iph1; struct etypes *etypeok; #ifdef ENABLE_STATS struct timeval start, end; @@ -1303,7 +848,7 @@ isakmp_ph1begin_r(msg, remote, local, etype) /* look for my configuration */ rmconf = getrmconf(remote); if (rmconf == NULL) { - plog(LLV_ERROR, LOCATION, remote, + plog(ASL_LEVEL_ERR, "couldn't find " "configuration.\n"); return -1; 
@@ -1312,58 +857,52 @@ isakmp_ph1begin_r(msg, remote, local, etype) /* check to be acceptable exchange type */ etypeok = check_etypeok(rmconf, etype); if (etypeok == NULL) { - plog(LLV_ERROR, LOCATION, remote, + plog(ASL_LEVEL_ERR, "not acceptable %s mode\n", s_isakmp_etype(etype)); return -1; } - + /* get new entry to isakmp status table. */ - iph1 = newph1(); + iph1 = ike_session_newph1(ISAKMP_VERSION_NUMBER_IKEV1); if (iph1 == NULL) return -1; memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck)); - iph1->status = PHASE1ST_START; - iph1->rmconf = rmconf; - if (link_rmconf_to_ph1(rmconf) < 0) { - plog(LLV_ERROR, LOCATION, remote, - "couldn't link " - "configuration.\n"); - iph1->rmconf = NULL; - /* don't call remph1(iph1) until after insph1(iph1) is called */ - delph1(iph1); - return -1; - } + iph1->rmconf = rmconf; + retain_rmconf(iph1->rmconf); iph1->flags = 0; iph1->side = RESPONDER; iph1->started_by_api = 0; iph1->etype = etypeok->type; iph1->version = isakmp->v; iph1->msgid = 0; -#ifdef HAVE_GSSAPI - iph1->gssapi_state = NULL; -#endif + + if (iph1->etype == ISAKMP_ETYPE_IDENT) + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_START); + else if (iph1->etype == ISAKMP_ETYPE_AGG) + fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_START); + else + return -1; + + #ifdef ENABLE_HYBRID if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { /* don't call remph1(iph1) until after insph1(iph1) is called */ - delph1(iph1); + ike_session_delph1(iph1); return -1; } #endif -#ifdef ENABLE_FRAG + iph1->frag = 0; iph1->frag_chain = NULL; -#endif iph1->approval = NULL; -#ifdef ENABLE_NATT /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port. * We have to setup this flag now to correctly generate the first reply. * Don't know if a better check could be done for that ? 
*/ if(extract_port(local) == lcconf->port_isakmp_natt) iph1->natt_flags |= (NAT_PORTS_CHANGED); -#endif /* copy remote address */ if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) { @@ -1371,27 +910,25 @@ isakmp_ph1begin_r(msg, remote, local, etype) iph1 = NULL; /* deleted in copy_ph1addresses */ return -1; } - (void)insph1(iph1); - if (ike_session_link_ph1_to_session(iph1) != 0) { - remph1(iph1); - delph1(iph1); + if (ike_session_link_phase1(session, iph1) != 0) { + ike_session_delph1(iph1); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); + plog(ASL_LEVEL_DEBUG, "===\n"); { char *a; a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); STRDUP_FATAL(a); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "respond new phase 1 negotiation: %s<=>%s\n", a, saddr2str((struct sockaddr *)iph1->remote)); racoon_free(a); } - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "begin %s mode.\n", s_isakmp_etype(etype)); #ifdef ENABLE_STATS 
@@ -1399,72 +936,37 @@ isakmp_ph1begin_r(msg, remote, local, etype) gettimeofday(&start, NULL); #endif - IPSECLOGASLMSG("IPSec Phase1 started (Initiated by peer).\n"); - -#ifndef ENABLE_FRAG - - /* start exchange */ - if ((ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status])(iph1, msg) < 0 - || (ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status])(iph1, msg) < 0) { - plog(LLV_ERROR, LOCATION, remote, - "failed to process packet.\n"); - remph1(iph1); - delph1(iph1); - return -1; - } - -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase1", - s_isakmp_state(iph1->etype, iph1->side, iph1->status), - timedelta(&start, &end)); -#endif -#ifdef ENABLE_VPNCONTROL_PORT - vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL); -#endif - - return 0; - -#else /* ENABLE_FRAG */ + IPSECLOGASLMSG("IPSec Phase 1 started (Initiated by peer).\n"); /* now that we have a phase1 handle, feed back into our * main receive function to catch fragmented packets */ - - return isakmp_main(msg, remote, local); - -#endif /* ENABLE_FRAG */ - + isakmp_main(msg, remote, local); + return 0; } /* new negotiation of phase 2 for initiator */ static int -isakmp_ph2begin_i(iph1, iph2) - struct ph1handle *iph1; - struct ph2handle *iph2; +ikev1_ph2begin_i(phase1_handle_t *iph1, phase2_handle_t *iph2) { + #ifdef ENABLE_HYBRID if (xauth_check(iph1) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Attempt to start phase 2 whereas Xauth failed\n"); return -1; } #endif /* found ISAKMP-SA. */ - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); + plog(ASL_LEVEL_DEBUG, "===\n"); + plog(ASL_LEVEL_DEBUG, "begin QUICK mode.\n"); { char *a; a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src)); STRDUP_FATAL(a); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "initiate new phase 2 negotiation: %s<=>%s\n", a, saddr2str((struct sockaddr *)iph2->dst)); racoon_free(a); 
@@ -1473,26 +975,13 @@ isakmp_ph2begin_i(iph1, iph2) #ifdef ENABLE_STATS gettimeofday(&iph2->start, NULL); #endif - /* found isakmp-sa */ - if (iph2->ph1 && iph1 != iph2->ph1) { - plog(LLV_DEBUG2, LOCATION, NULL, "phase2 already bound in %s.\n",__FUNCTION__); - rebindph12(iph1, iph2); - } else if (!iph2->ph1) { - bindph12(iph1, iph2); - } - iph2->is_dying = 0; - if (ike_session_link_ph2_to_session(iph2) != 0) { - return -1; - } - iph2->status = PHASE2ST_STATUS2; - IPSECLOGASLMSG("IPSec Phase2 started (Initiated by me).\n"); + iph2->is_dying = 0; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_START); - if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] - [iph2->side] - [iph2->status])(iph2, NULL) < 0) { + IPSECLOGASLMSG("IPSec Phase 2 started (Initiated by me).\n"); + if (quick_iprep(iph2, NULL)) return -1; - } #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_phase_change(1, FROM_LOCAL, NULL, iph2); 
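Review bot: ikev1_ph2begin_i no longer binds iph2 to iph1 — the bindph12/rebindph12 and ike_session_link_ph2_to_session calls are gone and iph1 is now read only by xauth_check at the top of the function — so quick_iprep(iph2, NULL) runs on whatever iph2->ph1 the caller left, and the quick-mode branch of the new isakmp_main treats a NULL iph2->ph1 as a drop condition. If linking is now the caller's responsibility, a comment at the start of the function such as `/* caller must already have linked iph2 to iph1 (iph2->ph1 set) */` states that contract; if not, the link belongs here before quick_iprep. The function starts in the previous hunk and its body continues past this one.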
@@ -1503,45 +992,43 @@ isakmp_ph2begin_i(iph1, iph2) /* new negotiation of phase 2 for responder */ static int -isakmp_ph2begin_r(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; +ikev1_ph2begin_r(phase1_handle_t *iph1, vchar_t *msg) { struct isakmp *isakmp = (struct isakmp *)msg->v; - struct ph2handle *iph2 = 0; + phase2_handle_t *iph2 = 0; int error; #ifdef ENABLE_STATS struct timeval start, end; #endif #ifdef ENABLE_HYBRID if (xauth_check(iph1) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Attempt to start phase 2 whereas Xauth failed\n"); + plog(ASL_LEVEL_ERR, + "Attempt to start Phase 2 whereas Xauth failed\n"); return -1; } #endif - iph2 = newph2(); + iph2 = ike_session_newph2(ISAKMP_VERSION_NUMBER_IKEV1, PHASE2_TYPE_SA); if (iph2 == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate phase2 entry.\n"); + plog(ASL_LEVEL_ERR, + "failed to allocate Phase 2 entry.\n"); return -1; } - iph2->ph1 = iph1; iph2->side = RESPONDER; - iph2->status = PHASE2ST_START; + iph2->version = ISAKMP_VERSION_NUMBER_IKEV1; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_START); iph2->flags = isakmp->flags; iph2->msgid = isakmp->msgid; iph2->seq = pk_getseq(); iph2->ivm = oakley_newiv2(iph1, iph2->msgid); if (iph2->ivm == NULL) { - delph2(iph2); + ike_session_delph2(iph2); return -1; } - iph2->dst = dupsaddr((struct sockaddr *)iph1->remote); /* XXX should be considered */ + iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */ if (iph2->dst == NULL) { - delph2(iph2); + ike_session_delph2(iph2); return -1; } switch (iph2->dst->ss_family) { 
@@ -1558,15 +1045,15 @@ isakmp_ph2begin_r(iph1, msg) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", iph2->dst->ss_family); - delph2(iph2); + ike_session_delph2(iph2); return -1; } - iph2->src = dupsaddr((struct sockaddr *)iph1->local); /* XXX should be considered */ + iph2->src = dupsaddr(iph1->local); /* XXX should be considered */ if (iph2->src == NULL) { - delph2(iph2); + ike_session_delph2(iph2); return -1; } switch (iph2->src->ss_family) { @@ -1583,31 +1070,24 @@ isakmp_ph2begin_r(iph1, msg) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", iph2->src->ss_family); - delph2(iph2); - return -1; - } - - /* add new entry to isakmp status table */ - insph2(iph2); - bindph12(iph1, iph2); - iph2->is_dying = 0; - if (ike_session_link_ph2_to_session(iph2) != 0) { - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_delph2(iph2); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); + if (ike_session_link_ph2_to_ph1(iph1, iph2)) + return -1; + iph2->is_dying = 0; + + plog(ASL_LEVEL_DEBUG, "===\n"); { char *a; a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src)); STRDUP_FATAL(a); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "respond new phase 2 negotiation: %s<=>%s\n", a, saddr2str((struct sockaddr *)iph2->dst)); racoon_free(a); 
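Review bot: `if (ike_session_link_ph2_to_ph1(iph1, iph2)) return -1;` in ikev1_ph2begin_r returns without releasing iph2, while the two ss_family default cases just above it free the handle with ike_session_delph2(iph2) on failure, and by this point iph2 also owns ivm, dst and src; the replaced code freed the handle on the equivalent link failure. Suggest `if (ike_session_link_ph2_to_ph1(iph1, iph2)) { ike_session_delph2(iph2); return -1; }`, assuming ike_session_delph2 releases the owned members as the earlier error paths already rely on. ikev1_ph2begin_r starts in an earlier hunk and ends in the next one.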
@@ -1617,52 +1097,148 @@ isakmp_ph2begin_r(iph1, msg) gettimeofday(&start, NULL); #endif - IPSECLOGASLMSG("IPSec Phase2 started (Initiated by peer).\n"); - - error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] - [iph2->side] - [iph2->status])(iph2, msg); - if (error != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to pre-process packet.\n"); - if (error != ISAKMP_INTERNAL_ERROR) - isakmp_info_send_n1(iph2->ph1, error, NULL); - /* - * release handler because it's wrong that ph2handle is kept - * after failed to check message for responder's. - */ - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - return -1; - } + IPSECLOGASLMSG("IPSec Phase 2 started (Initiated by peer).\n"); - /* send */ - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - if ((ph2exchange[etypesw2(isakmp->etype)] - [iph2->side] - [iph2->status])(iph2, msg) < 0) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "failed to process packet.\n"); - /* don't release handler */ - return -1; - } -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase2", - s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), - timedelta(&start, &end)); -#endif + error = fsm_ikev1_phase2_process_payloads(iph2, msg); + if (error) + return error; #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_phase_change(1, FROM_REMOTE, NULL, iph2); #endif - return 0; } +int +ikev1_phase1_established(phase1_handle_t *iph1) +{ + int spi_cmp; + u_int rekey_lifetime; + int ini_contact = iph1->rmconf->ini_contact; + +#ifdef ENABLE_STATS + gettimeofday(&iph1->end, NULL); + syslog(LOG_NOTICE, "%s(%s): %8.6f", + "Phase 1", s_isakmp_etype(iph1->etype), + timedelta(&iph1->start, &iph1->end)); +#endif + +#ifdef ENABLE_VPNCONTROL_PORT + + if (iph1->side == RESPONDER && + iph1->local->ss_family == AF_INET) { + + struct redirect *addr; + + LIST_FOREACH(addr, &lcconf->redirect_addresses, chain) { + if (((struct sockaddr_in *)iph1->local)->sin_addr.s_addr == addr->cluster_address) { + vchar_t *raddr 
= vmalloc(sizeof(u_int32_t)); + + if (raddr == NULL) { + plog(ASL_LEVEL_ERR, + "failed to send redirect message - memory error.\n"); + } else { + memcpy(raddr->v, &addr->redirect_address, sizeof(u_int32_t)); + (void)isakmp_info_send_n1(iph1, ISAKMP_NTYPE_LOAD_BALANCE, raddr); + plog(ASL_LEVEL_DEBUG, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address)); + vfree(raddr); + if (addr->force) { + (void)ike_session_update_ph1_ph2tree(iph1); + isakmp_ph1expire(iph1); + } + } + } + return 0; + } + } +#endif + /* save created date. */ + (void)time(&iph1->created); + + /* add to the schedule to expire, and save back pointer. */ + iph1->sce = sched_new(iph1->approval->lifetime, + isakmp_ph1expire_stub, iph1); + + if (iph1->rmconf->initiate_ph1rekey) { + if (iph1->side == INITIATOR) { + spi_cmp = memcmp(&iph1->index.i_ck, &iph1->index.r_ck, sizeof(iph1->index.i_ck)); + if (spi_cmp == 0) + spi_cmp = 1; + } else { + spi_cmp = memcmp(&iph1->index.r_ck, &iph1->index.i_ck, sizeof(iph1->index.r_ck)); + if (spi_cmp == 0) + spi_cmp = -1; + } + rekey_lifetime = ike_session_get_rekey_lifetime((spi_cmp > 0), + iph1->approval->lifetime); + if (rekey_lifetime) { + iph1->sce_rekey = sched_new(rekey_lifetime, + isakmp_ph1rekeyexpire_stub, + iph1); + } else { + /* iph1->approval->lifetime is too small (e.g. 1) so why bother? + * LOG ERROR + */ + plog(ASL_LEVEL_ERR, + "failed to get rekey timer - lifetime is too small... 
probably.\n"); + } + } + +#ifdef ENABLE_HYBRID + /* ignore xauth if it is a rekey */ + if (!iph1->is_rekey && + iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { + switch(AUTHMETHOD(iph1)) { + case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: + xauth_sendreq(iph1); + /* XXX Don't process INITIAL_CONTACT */ + ini_contact = 0; + break; + default: + break; + } + } +#endif +#ifdef ENABLE_DPD + /* Schedule the r_u_there.... */ + if(iph1->dpd_support && iph1->rmconf->dpd_interval) + isakmp_sched_r_u(iph1, 0); +#endif + + /* INITIAL-CONTACT processing */ + /* ignore initial-contact if it is a rekey */ + /* don't send anything if local test mode. */ + if (!iph1->is_rekey && !f_local && ini_contact && !ike_session_getcontacted(iph1->remote)) { + /* send INITIAL-CONTACT */ + isakmp_info_send_n1(iph1, + ISAKMP_NTYPE_INITIAL_CONTACT, NULL); + /* insert a node into contacted list. */ + if (ike_session_inscontacted(iph1->remote) == -1) { + plog(ASL_LEVEL_ERR, + "failed to add contacted list.\n"); + /* ignore */ + } + } + + log_ph1established(iph1); + plog(ASL_LEVEL_DEBUG, "===\n"); + + ike_session_cleanup_other_established_ph1s(iph1->parent_session, iph1); + +#ifdef ENABLE_VPNCONTROL_PORT + vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL); + vpncontrol_notify_peer_resp_ph1(1, iph1); +#endif + + return 0; +} + + /* * parse ISAKMP payloads, without ISAKMP base header. */ @@ -1677,7 +1253,7 @@ isakmp_parsewoh(np0, gen, len) vchar_t *result; struct isakmp_parse_t *p, *ep; - plog(LLV_DEBUG, LOCATION, NULL, "begin.\n"); + plog(ASL_LEVEL_DEBUG, "begin.\n"); /* * 5 is a magic number, but any value larger than 2 should be fine 
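Review bot: In ikev1_phase1_established, every path through the ENABLE_VPNCONTROL_PORT redirect block — vmalloc failure, a non-forced redirect, and the forced one — ends in `return 0;` before `iph1->sce = sched_new(iph1->approval->lifetime, ...)` and the rekey and DPD scheduling, so a phase 1 whose local address matches a cluster address but is not force-expired stays established with no lifetime expiry timer armed. If the SA is meant to survive until the peer moves, the `return 0;` should come after the expiry timer is set (or be dropped for the non-forced case); if it is meant to be torn down, only the `addr->force` path does that today. The function also reads `iph1->rmconf->ini_contact`, `iph1->approval->lifetime` and `iph1->mode_cfg->flags` with no NULL checks, whereas the quick-mode branch of isakmp_main guards `iph1->mode_cfg` — a header comment stating that callers pass an approved, configured handle would make that precondition explicit. In the ikev1_ph2begin_r tail just above, `if (error) return error;` replaces code that freed the phase-2 handle and sent a notify on pre-process failure; whether fsm_ikev1_phase2_process_payloads now does that is not visible from the hunk, and under ENABLE_STATS the `end` timeval in that function is now unused.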
@@ -1685,7 +1261,7 @@ isakmp_parsewoh(np0, gen, len) */ result = vmalloc(sizeof(struct isakmp_parse_t) * 5); if (result == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer.\n"); return NULL; } @@ -1699,19 +1275,19 @@ isakmp_parsewoh(np0, gen, len) while (0 < tlen && np != ISAKMP_NPTYPE_NONE) { if (tlen <= sizeof(struct isakmp_gen)) { /* don't send information, see isakmp_ident_r1() */ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid length of payload\n"); vfree(result); return NULL; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np)); p->type = np; p->len = ntohs(gen->len); if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "invalid length of payload\n"); vfree(result); return NULL; @@ -1724,7 +1300,7 @@ isakmp_parsewoh(np0, gen, len) off = p - ALIGNED_CAST(struct isakmp_parse_t *)result->v; result = vrealloc(result, result->l * 2); if (result == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "failed to realloc buffer.\n"); vfree(result); return NULL; @@ -1744,7 +1320,7 @@ isakmp_parsewoh(np0, gen, len) p->len = 0; p->ptr = NULL; - plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n"); + plog(ASL_LEVEL_DEBUG, "succeed.\n"); return result; } @@ -1771,17 +1347,13 @@ isakmp_parse(buf) } int -isakmp_init(int ignore_phX, int *tentative_failures) +isakmp_init(void) { - /* initialize a isakmp status table */ - if (!ignore_phX) { - initph1tree(); - initph2tree(); - } - initctdtree(); - init_recvdpkt(); - if (isakmp_open(tentative_failures) < 0) + ike_session_initctdtree(); + ike_session_init_recvdpkt(); + + if (isakmp_open() < 0) goto err; return(0); @@ -1794,8 +1366,8 @@ err: void isakmp_cleanup() { - clear_recvdpkt(); - clear_contacted(); + ike_session_clear_recvdpkt(); + ike_session_clear_contacted(); } /* 
@@ -1832,9 +1404,10 @@ isakmp_pindex(index, msgid) return buf; } + /* open ISAKMP sockets. */ int -isakmp_open(int *tentative_failures) +isakmp_open(void) { const int yes = 1; int ifnum = 0, encap_ifnum = 0; @@ -1842,11 +1415,9 @@ isakmp_open(int *tentative_failures) int pktinfo; #endif struct myaddrs *p; - - if (tentative_failures) { - *tentative_failures = FALSE; - } - + int tentative_failures = 0; + int s; + for (p = lcconf->myaddrs; p; p = p->next) { if (!p->addr) continue; @@ -1861,20 +1432,20 @@ isakmp_open(int *tentative_failures) switch (p->addr->ss_family) { case AF_INET: if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0) - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "listening to wildcard address," "broadcast IKE packet may kill you\n"); break; #ifdef INET6 case AF_INET6: if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr)) - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "listening to wildcard address, " "broadcast IKE packet may kill you\n"); break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unsupported address family %d\n", lcconf->default_af); goto err_and_next; @@ -1885,7 +1456,7 @@ isakmp_open(int *tentative_failures) IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *) p->addr)->sin6_addr)) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Ignoring multicast address %s\n", saddr2str((struct sockaddr *)p->addr)); racoon_free(p->addr); @@ -1895,14 +1466,13 @@ isakmp_open(int *tentative_failures) #endif if ((p->sock = socket(p->addr->ss_family, SOCK_DGRAM, 0)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "socket (%s)\n", strerror(errno)); goto err_and_next; } if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1) - plog(LLV_ERROR, LOCATION, NULL, - "failed to put socket in non-blocking mode\n"); + plog(ASL_LEVEL_ERR, "failed to put socket in non-blocking mode\n"); /* receive my interface address on inbound packets. */ switch (p->addr->ss_family) { 
@@ -1910,7 +1480,7 @@ isakmp_open(int *tentative_failures) if (setsockopt(p->sock, IPPROTO_IP, IP_RECVDSTADDR, (const void *)&yes, sizeof(yes)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "setsockopt IP_RECVDSTADDR (%s)\n", strerror(errno)); goto err_and_next; @@ -1926,7 +1496,7 @@ isakmp_open(int *tentative_failures) if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo, (const void *)&yes, sizeof(yes)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "setsockopt IPV6_RECVDSTADDR (%d):%s\n", pktinfo, strerror(errno)); goto err_and_next; @@ -1939,7 +1509,7 @@ isakmp_open(int *tentative_failures) if (p->addr->ss_family == AF_INET6 && setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, (void *)&yes, sizeof(yes)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "setsockopt IPV6_USE_MIN_MTU (%s)\n", strerror(errno)); return -1; @@ -1952,7 +1522,7 @@ isakmp_open(int *tentative_failures) if (extract_port(p->addr) == PORT_ISAKMP) { if (setsockopt(p->sock, SOL_SOCKET, SO_NOTIFYCONFLICT, (void *)&yes, sizeof(yes)) < 0) { - plog(LLV_ERROR, LOCATION, p->addr, + plog(ASL_LEVEL_ERR, "setsockopt (%s)\n", strerror(errno)); goto err_and_next; } @@ -1960,7 +1530,7 @@ isakmp_open(int *tentative_failures) if (bind(p->sock, (struct sockaddr *)p->addr, sysdep_sa_len((struct sockaddr *)p->addr)) < 0) { int tmp_errno = errno; - plog(LLV_ERROR, LOCATION, p->addr, + plog(ASL_LEVEL_ERR, "failed to bind to address %s (%s).\n", saddr2str((struct sockaddr *)p->addr), strerror(tmp_errno)); #ifdef INET6 
@@ -1978,22 +1548,20 @@ isakmp_open(int *tentative_failures) */ if ((ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_ANYCAST | IN6_IFF_DUPLICATED | IN6_IFF_DETACHED | IN6_IFF_DEPRECATED)) == 0) { // address may have been tentantive... invalidate sock but leave address around for another try later - plog(LLV_ERROR, LOCATION, p->addr, + plog(ASL_LEVEL_ERR, "failed to bind to address %s: because interface address is/was not ready (flags %x).\n", saddr2str((struct sockaddr *)p->addr), ifr6.ifr_ifru.ifru_flags6); close(p->sock); p->sock = -1; - if (tentative_failures) { - *tentative_failures = TRUE; - } + tentative_failures = 1; continue; } else { - plog(LLV_ERROR, LOCATION, p->addr, + plog(ASL_LEVEL_ERR, "failed to bind to address %s: because of interface address error, flags %x.\n", saddr2str((struct sockaddr *)p->addr), ifr6.ifr_ifru.ifru_flags6); } } else { - plog(LLV_ERROR, LOCATION, p->addr, + plog(ASL_LEVEL_ERR, "failed to bind to address %s: can't read interface address flags.\n", saddr2str((struct sockaddr *)p->addr)); } @@ -2007,8 +1575,30 @@ isakmp_open(int *tentative_failures) ifnum++; if (p->udp_encap) encap_ifnum++; - - plog(LLV_INFO, LOCATION, NULL, + + s = p->sock; + + if (p->source != NULL) { + dispatch_source_cancel(p->source); + p->source = NULL; + } + p->source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, p->sock, 0, dispatch_get_main_queue()); + if (p->source == NULL) { + plog(ASL_LEVEL_ERR, "could not create isakmp socket source."); + return -1; + } + dispatch_source_set_event_handler(p->source, + ^{ + isakmp_handler(s); + }); + dispatch_source_t the_source = p->source; + dispatch_source_set_cancel_handler(p->source, + ^{ + close(s); + dispatch_release(the_source); + }); dispatch_resume(p->source); + + plog(ASL_LEVEL_INFO, "%s used as isakmp port (fd=%d)\n", saddr2str((struct sockaddr *)p->addr), p->sock); continue; 
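Review bot: When dispatch_source_create fails in isakmp_open, the new code logs and `return -1`s with p->sock still open, while every other per-address failure in this loop goes through err_and_next; the message also lacks the trailing `\n` that every other plog in the file carries. Suggest `plog(ASL_LEVEL_ERR, "could not create isakmp socket source.\n"); close(p->sock); goto err_and_next;`, or keep the hard failure but close the descriptor first. isakmp_open's loop body starts in an earlier hunk and the loop ends in the next one.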
@@ -2016,29 +1606,47 @@ isakmp_open(int *tentative_failures) err_and_next: racoon_free(p->addr); p->addr = NULL; - if (! lcconf->autograbaddr && lcconf->strict_address) + p->sock = -1; + if (! lcconf->autograbaddr && lcconf->strict_address) { return -1; + } + continue; } if (!ifnum) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no address could be bound.\n"); + return -1; } #ifdef ENABLE_NATT if (natt_enabled_in_rmconf() && !encap_ifnum) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "NAT-T is enabled in at least one remote{} section,\n"); - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "but no 'isakmp_natt' address was specified!\n"); } #endif + if (tentative_failures) + sched_new(5, update_myaddrs, NULL); + return 0; } +void +isakmp_suspend_sockets() +{ + struct myaddrs *p; + + for (p = lcconf->myaddrs; p; p = p->next) { + if (p->source) + dispatch_suspend(p->source); + } +} + void isakmp_close() { @@ -2056,12 +1664,13 @@ isakmp_close_sockets() if (!p->addr) continue; - if (p->sock >= 0) { - close(p->sock); - p->sock = -1; - } + if (p->source) { + dispatch_source_cancel(p->source); + p->source = NULL; + p->in_use = 0; + p->sock = -1; + } } - } @@ -2075,25 +1684,25 @@ isakmp_close_unused() for (p = lcconf->myaddrs; p; p = next) { next = p->next; if (p->in_use == 0) { // not in use ? - - if (p->sock >= 0) - close(p->sock); - *prev = p->next; + if (p->source) { + dispatch_source_cancel(p->source); + p->source = NULL; + } + *prev = p->next; delmyaddr(p); } else - prev = &(p->next); + prev = &(p->next); } } int isakmp_send(iph1, sbuf) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *sbuf; { int len = 0; int s; vchar_t *vbuf = NULL; - #ifdef ENABLE_NATT size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0; 
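Review bot: The `p->sock = -1;` added at err_and_next in isakmp_open discards the descriptor without closing it, so every failure that jumps there after socket() succeeded (the setsockopt and bind paths) leaks the fd; the tentative-bind path in the previous hunk already does `close(p->sock); p->sock = -1;`, and err_and_next should match it: `if (p->sock >= 0) close(p->sock); p->sock = -1;`. Separately, the new `return -1;` under `if (!ifnum)` runs before `if (tentative_failures) sched_new(5, update_myaddrs, NULL);`, so when every address failed as tentative the retry is never scheduled — if the caller treats -1 as fatal, that is exactly the case the retry was added for, and scheduling it before the ifnum check (or returning 0 when tentative_failures is set) would preserve it.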
@@ -2107,14 +1716,14 @@ isakmp_send(iph1, sbuf) extralen = 0; #endif if (extralen) - plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n"); + plog (ASL_LEVEL_DEBUG, "Adding NON-ESP marker\n"); /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) must added just before the packet itself. For this we must allocate a new buffer and release it at the end. */ if (extralen) { if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "vbuf allocation failed\n"); return -1; } @@ -2132,13 +1741,13 @@ isakmp_send(iph1, sbuf) return -1; } - plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, + plog (ASL_LEVEL_DEBUG, "%zu bytes %s\n", sbuf->l, saddr2str_fromto("from %s to %s", (struct sockaddr *)iph1->local, (struct sockaddr *)iph1->remote)); #ifdef ENABLE_FRAG if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) { if (isakmp_sendfrags(iph1, sbuf) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "isakmp_sendfrags failed\n"); if ( vbuf != NULL ) vfree(vbuf); @@ -2150,7 +1759,7 @@ isakmp_send(iph1, sbuf) len = sendfromto(s, sbuf->v, sbuf->l, iph1->local, iph1->remote, lcconf->count_persend); if (len == -1) { - plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n"); + plog(ASL_LEVEL_ERR, "sendfromto failed\n"); if ( vbuf != NULL ) vfree(vbuf); return -1; @@ -2168,28 +1777,27 @@ void isakmp_ph1resend_stub(p) void *p; { - struct ph1handle *iph1; + phase1_handle_t *iph1; - iph1=(struct ph1handle *)p; + iph1=(phase1_handle_t *)p; if(isakmp_ph1resend(iph1) < 0){ - if(iph1->scr != NULL){ + if(iph1->scr != 0){ /* Should not happen... */ - sched_kill(iph1->scr); - iph1->scr=NULL; + SCHED_KILL(iph1->scr); } - remph1(iph1); - delph1(iph1); + ike_session_unlink_phase1(iph1); } } int isakmp_ph1resend(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { time_t retry_interval; + // make sure there is a buffer to send // isakmp_plist_set_all() could have returned NULL if (iph1->sendbuf == NULL) 
@@ -2200,14 +1808,12 @@ isakmp_ph1resend(iph1) if (iph1->retry_counter <= 0) { IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT, - CONSTSTR("Phase1 Maximum Retransmits"), - CONSTSTR("Phase1 negotiation failed (Maximum retransmits)")); + CONSTSTR("Phase 1 Maximum Retransmits"), + CONSTSTR("Phase 1 negotiation failed (Maximum retransmits)")); - plog(LLV_ERROR, LOCATION, NULL, - "phase1 negotiation failed due to time up. %s\n", + plog(ASL_LEVEL_ERR, + "Phase 1 negotiation failed due to time up. %s\n", isakmp_pindex(&iph1->index, iph1->msgid)); - EVT_PUSH(iph1->local, iph1->remote, - EVTT_PEER_NO_RESPONSE, NULL); if (iph1->side == INITIATOR && iph1->is_rekey && iph1->parent_session && iph1->parent_session->is_client) { /* to get around a bug on the peer, in which rekeys to port 4500 are dropped */ if (isakmp_ph1rekeyretry(iph1) == 0) 
@@ -2222,30 +1828,28 @@ isakmp_ph1resend(iph1) if (iph1->rmconf->retry_counter != iph1->retry_counter) { IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, - CONSTSTR("Phase1 Retransmit"), + CONSTSTR("Phase 1 Retransmit"), CONSTSTR("Failed to retrasmit Phase1")); } - plog(LLV_ERROR, LOCATION, iph1->remote, - "phase1 negotiation failed due to send error. %s\n", + plog(ASL_LEVEL_ERR, + "Phase 1 negotiation failed due to send error. %s\n", isakmp_pindex(&iph1->index, iph1->msgid)); - EVT_PUSH(iph1->local, iph1->remote, - EVTT_PEER_NO_RESPONSE, NULL); return -1; } if (iph1->rmconf->retry_counter != iph1->retry_counter) { IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC, - CONSTSTR("Phase1 Retransmit"), + CONSTSTR("Phase 1 Retransmit"), CONSTSTR(NULL)); } - plog(LLV_DEBUG, LOCATION, iph1->remote, - "resend phase1 packet %s\n", + plog(ASL_LEVEL_DEBUG, + "Resend Phase 1 packet %s\n", isakmp_pindex(&iph1->index, iph1->msgid)); iph1->retry_counter--; - retry_interval = get_exp_retx_interval((iph1->rmconf->retry_counter - iph1->retry_counter), + retry_interval = ike_session_get_exp_retx_interval((iph1->rmconf->retry_counter - iph1->retry_counter), iph1->rmconf->retry_interval); iph1->scr = sched_new(retry_interval, isakmp_ph1resend_stub, iph1); @@ -2258,20 +1862,18 @@ void isakmp_ph2resend_stub(p) void *p; { - struct ph2handle *iph2; + phase2_handle_t *iph2; - iph2=(struct ph2handle *)p; + iph2=(phase2_handle_t *)p; if(isakmp_ph2resend(iph2) < 0){ - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); } } int isakmp_ph2resend(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { time_t retry_interval; 
@@ -2279,18 +1881,19 @@ isakmp_ph2resend(iph2) */ //%%% BUG FIX - related to commit bit usage - crash happened here if (iph2->ph1 == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "internal error - attempt to re-send phase2 with no phase1 bound.\n"); + plog(ASL_LEVEL_ERR, + "Internal error - attempt to re-send Phase 2 with no Phase 1 bound.\n"); return -1; } - if (iph2->ph1->status == PHASE1ST_EXPIRED){ + + if (FSM_STATE_IS_EXPIRED(iph2->ph1->status)){ IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session, IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT, - CONSTSTR("Underlying Phase1 expired"), - CONSTSTR("Failed to retransmit phase2 (underlying phase1 expired)")); - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "phase2 negotiation failed due to phase1 expired. %s\n", + CONSTSTR("Underlying Phase 1 expired"), + CONSTSTR("Failed to retransmit Phase 2 (underlying Phase 1 expired)")); + plog(ASL_LEVEL_ERR, + "Phase 2 negotiation failed due to Phase 1 expired. %s\n", isakmp_pindex(&iph2->ph1->index, iph2->msgid)); return -1; } @@ -2298,12 +1901,11 @@ isakmp_ph2resend(iph2) if (iph2->retry_counter <= 0) { IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session, IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT, - CONSTSTR("Phase2 maximum retransmits"), - CONSTSTR("Phase2 negotiation failed (maximum retransmits)")); - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "phase2 negotiation failed due to time up. %s\n", + CONSTSTR("Phase 2 maximum retransmits"), + CONSTSTR("Phase 2 negotiation failed (maximum retransmits)")); + plog(ASL_LEVEL_ERR, + "Phase 2 negotiation failed due to time up. %s\n", isakmp_pindex(&iph2->ph1->index, iph2->msgid)); - EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL); return -1; } else { ike_session_ph2_retransmits(iph2); 
@@ -2313,29 +1915,28 @@ isakmp_ph2resend(iph2) if (iph2->ph1->rmconf->retry_counter != iph2->retry_counter) { IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, - CONSTSTR("Phase2 Retransmit"), + CONSTSTR("Phase 2 Retransmit"), CONSTSTR("Failed to retransmit Phase2 message")); } - plog(LLV_ERROR, LOCATION, NULL, - "phase2 negotiation failed due to send error. %s\n", + plog(ASL_LEVEL_ERR, + "Phase 2 negotiation failed due to send error. %s\n", isakmp_pindex(&iph2->ph1->index, iph2->msgid)); - EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL); return -1; } if (iph2->ph1->rmconf->retry_counter != iph2->retry_counter) { IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC, - CONSTSTR("Phase2 Retransmit"), + CONSTSTR("Phase 2 Retransmit"), CONSTSTR(NULL)); } - plog(LLV_DEBUG, LOCATION, NULL, - "resend phase2 packet %s\n", + plog(ASL_LEVEL_DEBUG, + "Resend Phase 2 packet %s\n", isakmp_pindex(&iph2->ph1->index, iph2->msgid)); iph2->retry_counter--; - retry_interval = get_exp_retx_interval((iph2->ph1->rmconf->retry_counter - iph2->ph1->retry_counter), + retry_interval = ike_session_get_exp_retx_interval((iph2->ph1->rmconf->retry_counter - iph2->ph1->retry_counter), iph2->ph1->rmconf->retry_interval); iph2->scr = sched_new(retry_interval, isakmp_ph2resend_stub, iph2); 
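Review bot: The retransmit backoff on the last lines of the hunk is computed from `iph2->ph1->retry_counter`, while the counter decremented just above it and compared against `rmconf->retry_counter` earlier in the hunk is `iph2->retry_counter`; the commit renames the helper but keeps that mismatch, so the phase-2 interval appears to track the phase-1 handle's retransmit count rather than its own. The phase-1 counterpart in isakmp_ph1resend uses its own counter. Suggested: `retry_interval = ike_session_get_exp_retx_interval((iph2->ph1->rmconf->retry_counter - iph2->retry_counter), iph2->ph1->rmconf->retry_interval);`. This looks pre-existing, so worth confirming the intended semantics before changing it.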
@@ -2343,56 +1944,59 @@ isakmp_ph2resend(iph2) #ifdef ENABLE_DPD if (iph2->scr) { isakmp_reschedule_info_monitor_if_pending(iph2->ph1, - "phase2 packets sent to peer: retransmit timer armed"); + "Phase 2 packets sent to peer: retransmit timer armed"); } #endif /* DPD */ return 0; } + /* called from scheduler */ void isakmp_ph1expire_stub(p) void *p; { - isakmp_ph1expire((struct ph1handle *)p); + isakmp_ph1expire((phase1_handle_t *)p); } void isakmp_ph1expire(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { char *src, *dst; + phase1_handle_t *new_iph1; SCHED_KILL(iph1->sce); #ifdef ENABLE_DPD SCHED_KILL(iph1->dpd_r_u); #endif - if(iph1->status != PHASE1ST_EXPIRED){ + if(!FSM_STATE_IS_EXPIRED(iph1->status)){ src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "ISAKMP-SA expired %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); racoon_free(src); racoon_free(dst); - iph1->status = PHASE1ST_EXPIRED; - (void)ike_session_update_ph1_ph2tree(iph1); + fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_EXPIRED); + new_iph1 = ike_session_update_ph1_ph2tree(iph1); } /* * the phase1 deletion is postponed until there is no phase2. */ - if (LIST_FIRST(&iph1->ph2tree) != NULL) { + if (LIST_FIRST(&iph1->bound_ph2tree) != NULL) { iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1); return; } + iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); } @@ -2403,12 +2007,12 @@ isakmp_ph1rekeyexpire_stub(p) void *p; { - isakmp_ph1rekeyexpire((struct ph1handle *)p, FALSE); + isakmp_ph1rekeyexpire((phase1_handle_t *)p, FALSE); } void isakmp_ph1rekeyexpire(iph1, ignore_sess_drop_policy) -struct ph1handle *iph1; +phase1_handle_t *iph1; int ignore_sess_drop_policy; { char *src, *dst; 
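Review bot: `new_iph1` is declared and assigned from `ike_session_update_ph1_ph2tree(iph1)` but never read anywhere in the hunk, so unless the rest of isakmp_ph1expire (outside the hunk) uses it, the previous `(void)` form was clearer and the variable should be dropped. The newly added `iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);` at the end deserves a why-comment, since the comment above it only explains the postponement case: `/* no bound phase 2 left: schedule the actual delete on the next tick */`.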
@@ -2416,9 +2020,16 @@ int ignore_sess_drop_policy; SCHED_KILL(iph1->sce_rekey); + // We are going to start the rekey. Let's fire off the + // phase1 expiration timer if it is not done yet. + if (!iph1->sce && iph1->approval->lifetimegap) { + iph1->sce = sched_new(iph1->approval->lifetimegap, + isakmp_ph1expire_stub, iph1); + } + // early exit if iph2->sce == NULL, iph2 isn't established or if entire session is going down - if (iph1->sce == NULL || - iph1->status != PHASE1ST_ESTABLISHED || + if (iph1->sce == 0 || + !FSM_STATE_IS_ESTABLISHED(iph1->status) || iph1->is_dying) { return; } 
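Review bot: The new `iph1->approval->lifetimegap` read sits before the `FSM_STATE_IS_ESTABLISHED`/`is_dying` guard, so if the rekey timer can fire on a handle whose `approval` has not been set, this dereferences NULL; the guard below exists precisely to leave early in that case. Either move the new block after that guard or test the pointer: `if (!iph1->sce && iph1->approval && iph1->approval->lifetimegap) {`. Whether `approval` can be NULL here depends on where `sce_rekey` is armed, which is outside the hunk.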
@@ -2428,49 +2039,54 @@ int ignore_sess_drop_policy; STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "ISAKMP-SA rekey-timer expired %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); racoon_free(src); racoon_free(dst); - if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) { - return; + { + if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) { + return; + } } // exit if there is another ph1 that is established (with a pending rekey timer) if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) { - plog(LLV_INFO, LOCATION, iph1->remote, - "request for ISAKMP-SA rekey was ignored " + plog(ASL_LEVEL_INFO, + "Request for ISAKMP-SA rekey was ignored " "due to another established ph1.\n"); return; } // if there is another ph1 that is negotiating, postpone this rekey for a few seconds later if (ike_session_has_other_negoing_ph1(iph1->parent_session, iph1)) { - plog(LLV_DEBUG, LOCATION, NULL, "reschedule Phase1 rekey.\n"); + plog(ASL_LEVEL_DEBUG, "Reschedule Phase 1 rekey.\n"); iph1->sce_rekey = sched_new(1, isakmp_ph1rekeyexpire_stub, iph1); return; } - // get rmconf to initiate rekey with - rmconf = iph1->rmconf; - if (!rmconf || rmconf->to_delete || rmconf->to_remove) { - rmconf = getrmconf(iph1->remote); - } - if (rmconf) { - /* begin quick mode */ - plog(LLV_DEBUG, LOCATION, NULL, "begin Phase1 rekey.\n"); + // get rmconf to initiate rekey with + rmconf = iph1->rmconf; + if (!rmconf) + rmconf = getrmconf(iph1->remote); + + if (rmconf) { + /* begin quick mode */ + plog(ASL_LEVEL_DEBUG, "Begin Phase 1 rekey.\n"); /* start phase 1 negotiation as a initiator. 
*/ - if (isakmp_ph1begin_i(rmconf, iph1->remote, iph1->local, 0) < 0) { - plog(LLV_DEBUG, LOCATION, NULL, "Phase1 rekey Failed.\n"); + { + if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) { + plog(ASL_LEVEL_DEBUG, "Phase 1 rekey Failed.\n"); + } + iph1->is_rekey = TRUE; } } else { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Phase1 rekey failed: no configuration found for %s.\n", saddrwop2str((struct sockaddr *)iph1->remote)); } @@ -2478,17 +2094,19 @@ int ignore_sess_drop_policy; int isakmp_ph1rekeyretry(iph1) -struct ph1handle *iph1; +phase1_handle_t *iph1; { char *src, *dst; struct remoteconf *rmconf; // this code path is meant for floated ph1 rekeys that are failing on the first message - if (iph1->sce != NULL || - iph1->sce_rekey != NULL || - (iph1->status != PHASE1ST_MSG1SENT || ((iph1->natt_flags & NAT_PORTS_CHANGED) == 0)) || - (extract_port(iph1->local) != PORT_ISAKMP_NATT && extract_port(iph1->remote) != PORT_ISAKMP_NATT) || - iph1->is_dying) { + if (iph1->sce != 0 || + iph1->sce_rekey != 0 || + ((iph1->status != IKEV1_STATE_IDENT_I_MSG1SENT && + iph1->status != IKEV1_STATE_AGG_I_MSG1SENT) + || ((iph1->natt_flags & NAT_PORTS_CHANGED) == 0)) + || (extract_port(iph1->local) != PORT_ISAKMP_NATT && extract_port(iph1->remote) != PORT_ISAKMP_NATT) + || iph1->is_dying) { return -1; } @@ -2497,7 +2115,7 @@ struct ph1handle *iph1; STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "ISAKMP-SA rekey failed... retrying %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); @@ -2505,7 +2123,7 @@ struct ph1handle *iph1; racoon_free(dst); if (ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) { - plog(LLV_INFO, LOCATION, iph1->remote, + plog(ASL_LEVEL_INFO, "request for ISAKMP-SA rekey was ignored " "due to idleness.\n"); return 0; 
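Review bot: The bare `{ ... }` blocks wrapping the drop-policy check and the `ikev1_ph1begin_i` call in this hunk add nesting without introducing any scope or declaration, and read like leftovers of a removed version switch; the same pattern appears in the isakmp_post_acquire and isakmp_chkph1there hunks later in the diff. Unwrapping them, e.g. `if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) return;`, restores the indentation the surrounding code uses. The hunk also sets `iph1->is_rekey = TRUE;` on the expiring handle after the new negotiation was started; a one-line comment saying why the old handle, not the new one, is flagged would help the next reader.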
@@ -2513,7 +2131,7 @@ struct ph1handle *iph1; // exit if there is another ph1 that is established (with a pending rekey timer) if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) { - plog(LLV_INFO, LOCATION, iph1->remote, + plog(ASL_LEVEL_INFO, "request to retry ISAKMP-SA rekey was ignored " "due to another established ph1.\n"); return -1; @@ -2530,16 +2148,17 @@ struct ph1handle *iph1; rmconf = getrmconf(iph1->remote); if (rmconf) { /* begin quick mode */ - plog(LLV_DEBUG, LOCATION, NULL, "begin Phase1 rekey retry.\n"); + plog(ASL_LEVEL_DEBUG, "begin Phase 1 rekey retry.\n"); /* start phase 1 negotiation as a initiator. */ - if (isakmp_ph1begin_i(rmconf, iph1->remote, iph1->local, 0) < 0) { - plog(LLV_DEBUG, LOCATION, NULL, "Phase1 rekey retry Failed.\n"); + if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) { + plog(ASL_LEVEL_DEBUG, "Phase 1 rekey retry Failed.\n"); return -1; } + iph1->is_rekey = TRUE; } else { - plog(LLV_ERROR, LOCATION, NULL, - "Phase1 rekey retry failed: no configuration found for %s.\n", + plog(ASL_LEVEL_ERR, + "Phase 1 rekey retry failed: no configuration found for %s.\n", saddrwop2str((struct sockaddr *)iph1->remote)); return -1; } @@ -2552,12 +2171,12 @@ isakmp_ph1delete_stub(p) void *p; { - isakmp_ph1delete((struct ph1handle *)p); + isakmp_ph1delete((phase1_handle_t *)p); } void isakmp_ph1delete(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { char *src, *dst; @@ -2567,11 +2186,11 @@ isakmp_ph1delete(iph1) SCHED_KILL(iph1->dpd_r_u); #endif - if (LIST_FIRST(&iph1->ph2tree) != NULL) { + if (LIST_FIRST(&iph1->bound_ph2tree) != NULL) { iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); return; } - + isakmp_info_send_d1(iph1); /* don't re-negosiation when the phase 1 SA expires. */ 
@@ -2581,15 +2200,13 @@ isakmp_ph1delete(iph1) STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "ISAKMP-SA deleted %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); - EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL); racoon_free(src); racoon_free(dst); - - remph1(iph1); - delph1(iph1); + + ike_session_unlink_phase1(iph1); return; } @@ -2605,16 +2222,16 @@ isakmp_ph2expire_stub(p) void *p; { - isakmp_ph2expire((struct ph2handle *)p); + isakmp_ph2expire((phase2_handle_t *)p); } void isakmp_ph2expire(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { char *src, *dst; - if (iph2->status == PHASE2ST_EXPIRED) { + if (FSM_STATE_IS_EXPIRED(iph2->status)) { return; } @@ -2625,27 +2242,25 @@ isakmp_ph2expire(iph2) STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(LLV_INFO, LOCATION, NULL, - "phase2 sa expired %s-%s\n", src, dst); + plog(ASL_LEVEL_INFO, + "Phase 2 sa expired %s-%s\n", src, dst); racoon_free(src); racoon_free(dst); // delete outgoing SAs - if (iph2->status == PHASE2ST_ESTABLISHED && iph2->approval) { + if (FSM_STATE_IS_ESTABLISHED(iph2->status) && iph2->approval) { struct saproto *pr; for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { if (pr->ok) { pfkey_send_delete(lcconf->sock_pfkey, - ipsecdoi2pfkey_proto(pr->proto_id), - IPSEC_MODE_ANY, - iph2->src, iph2->dst, pr->spi_p /* pr->reqid_out */); - } + ipsecdoi2pfkey_proto(pr->proto_id), + IPSEC_MODE_ANY, + iph2->src, iph2->dst, pr->spi_p /* pr->reqid_out */); } } - - iph2->status = PHASE2ST_EXPIRED; - + if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) + fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2); return; @@ -2657,12 +2272,12 @@ isakmp_ph2delete_stub(p) void *p; { - isakmp_ph2delete((struct ph2handle *)p); + isakmp_ph2delete((phase2_handle_t *)p); } void isakmp_ph2delete(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { char *src, *dst; 
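Review bot: For a handle whose `version` is not `ISAKMP_VERSION_NUMBER_IKEV1`, the new code no longer marks the phase-2 state expired before scheduling `isakmp_ph2delete_stub`, so the `FSM_STATE_IS_EXPIRED` early return at the top of isakmp_ph2expire will not suppress a second call and the outgoing-SA delete loop can run again; if that case is reachable it needs its own state update, otherwise a comment such as `/* only IKEv1 handles carry the FSM expired state here */` should say so. Also, by the hunk's line counts the `}` closing `if (pr->ok) {` is removed without a `+` replacement, which as rendered would nest the state change and the `sched_new` inside the established check; the brace nesting is worth verifying against the file.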
@@ -2673,14 +2288,12 @@ isakmp_ph2delete(iph2) STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(LLV_INFO, LOCATION, NULL, - "phase2 sa deleted %s-%s\n", src, dst); + plog(ASL_LEVEL_INFO, + "Phase 2 sa deleted %s-%s\n", src, dst); racoon_free(src); racoon_free(dst); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); return; } 
@@ -2693,106 +2306,97 @@ isakmp_ph2delete(iph2) * if phase1 has been finished, begin phase2. */ int -isakmp_post_acquire(iph2) - struct ph2handle *iph2; +isakmp_post_acquire(phase2_handle_t *iph2) { struct remoteconf *rmconf; - struct ph1handle *iph1 = NULL; + phase1_handle_t *iph1 = NULL; - plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n"); + plog(ASL_LEVEL_DEBUG, "In post_acquire\n"); /* search appropreate configuration with masking port. */ rmconf = getrmconf(iph2->dst); if (rmconf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no configuration found for %s.\n", + plog(ASL_LEVEL_ERR, + "No configuration found for %s.\n", saddrwop2str((struct sockaddr *)iph2->dst)); return -1; } - /* if passive mode, ignore the acquire message */ if (rmconf->passive) { - plog(LLV_DEBUG, LOCATION, NULL, - "because of passive mode, " - "ignore the acquire message for %s.\n", + plog(ASL_LEVEL_DEBUG, + "Because of passive mode, ignore the acquire message for %s.\n", saddrwop2str((struct sockaddr *)iph2->dst)); return 0; } - if (ike_session_verify_ph2_parent_session(iph2)) { - plog(LLV_INFO, LOCATION, iph2->dst, - "request for establishing IPsec-SA was ignored " - "because there was a failure verifying parent session.\n"); - return -1; - } - - // what if there is another ph2 that is negotiating - if (ike_session_has_other_negoing_ph2(iph2->parent_session, iph2)) { - // TODO: postpone this rekey for a second later - plog(LLV_INFO, LOCATION, iph2->dst, - "request for establishing IPsec-SA was ignored " - "due to another negoing ph2.\n"); - return -1; - } + + // what if there is another ph2 that is negotiating + if (ike_session_has_other_negoing_ph2(iph2->parent_session, iph2)) { + // TODO: postpone this rekey for a second later + plog(ASL_LEVEL_INFO, + "Request for establishing IPsec-SA was ignored due to another negoing ph2.\n"); + return -1; + } // if this is a phase2 rekeys (the policy may not have the current port number). // so, use the appropriate ports. 
if (iph2->is_rekey) { ike_session_update_ph2_ports(iph2); } + if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) + iph1 = ike_session_update_ph2_ph1bind(iph2); + else + iph1 = ike_session_get_established_or_negoing_ph1(iph2->parent_session); - iph1 = ike_session_update_ph2_ph1bind(iph2); - - /* no ISAKMP-SA found. */ + /* no IKE-SA found. */ if (iph1 == NULL) { - struct sched *sc; - iph2->retry_checkph1 = lcconf->retry_checkph1; - sc = sched_new(1, isakmp_chkph1there_stub, iph2); - plog(LLV_INFO, LOCATION, NULL, - "IPsec-SA request for %s queued " - "due to no phase1 found.\n", - saddrwop2str((struct sockaddr *)iph2->dst)); - - // exit if there is another ph1 that is established (with a pending rekey timer) - if (ike_session_has_negoing_ph1(iph2->parent_session)) { - plog(LLV_INFO, LOCATION, iph2->dst, - "request for phase1 was ignored " - "due to another negotiating ph1.\n"); - return 0; - } - + /* start phase 1 negotiation as a initiator. */ - if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src, 0) < 0) { - plog(LLV_INFO, LOCATION, iph2->dst, - "request for phase1 failed. will try later.\n"); + { + sched_new(1, isakmp_chkph1there_stub, iph2); + + plog(ASL_LEVEL_INFO, + "IPsec-SA request for %s queued due to no Phase 1 found.\n", + saddrwop2str((struct sockaddr *)iph2->dst)); + + // exit if there is another ph1 that is established (with a pending rekey timer) + if (ike_session_has_negoing_ph1(iph2->parent_session)) { + plog(ASL_LEVEL_INFO, + "Request for Phase 1 was ignored due to another negotiating Phase 1.\n"); + return 0; + } + + if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { + plog(ASL_LEVEL_INFO, + "Request for Phase 1 failed. Will try later.\n"); + } } - return 0; /*NOTREACHED*/ } + /* found ISAKMP-SA, but on negotiation. 
*/ - if (iph1->status != PHASE1ST_ESTABLISHED) { + if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { iph2->retry_checkph1 = lcconf->retry_checkph1; sched_new(1, isakmp_chkph1there_stub, iph2); - plog(LLV_INFO, LOCATION, iph2->dst, - "request for establishing IPsec-SA was queued " - "due to no phase1 found.\n"); + plog(ASL_LEVEL_INFO, + "Request for establishing IPsec-SA was queued due to no phase1 found.\n"); return 0; /*NOTREACHED*/ } /* found established ISAKMP-SA */ - /* i.e. iph1->status == PHASE1ST_ESTABLISHED */ /* found ISAKMP-SA. */ - plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); /* begin quick mode */ - if (isakmp_ph2begin_i(iph1, iph2)) - return -1; - + { + plog(ASL_LEVEL_DEBUG, "Begin QUICK mode.\n"); + if (ikev1_ph2begin_i(iph1, iph2)) + return -1; + } return 0; } 
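Review bot: In the no-phase-1 branch the commit drops `iph2->retry_checkph1 = lcconf->retry_checkph1;` before scheduling `isakmp_chkph1there_stub`, while the not-yet-established branch just below still sets it; isakmp_chkph1there decrements the counter and gives up once it goes negative, so a handle that was not initialised elsewhere will fail on its first check with "time up waiting for Phase 1". Unless the counter is now seeded at handle creation (not visible here), restore the line ahead of the `sched_new(1, isakmp_chkph1there_stub, iph2);` in that branch. The return value of `sched_new` is also discarded there, unlike the `iph2->scr = sched_new(...)` pattern used by the resend paths, so the queued check cannot be cancelled if the handle goes away first.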
@@ -2800,32 +2404,41 @@ isakmp_post_acquire(iph2) * receive GETSPI from kernel. */ int -isakmp_post_getspi(iph2) - struct ph2handle *iph2; +isakmp_post_getspi(phase2_handle_t *iph2) { #ifdef ENABLE_STATS struct timeval start, end; #endif - - /* don't process it because there is no suitable phase1-sa. */ - if (iph2->ph1->status == PHASE1ST_EXPIRED) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "the negotiation is stopped, " - "because there is no suitable ISAKMP-SA.\n"); - return -1; - } - + int error = 0; + + /* don't process it because there is no suitable phase1-sa. */ + if (FSM_STATE_IS_EXPIRED(iph2->ph1->status)) { + plog(ASL_LEVEL_ERR, + "the negotiation is stopped, " + "because there is no suitable ISAKMP-SA.\n"); + return -1; + } + fsm_set_state(&iph2->status, iph2->side == INITIATOR ? + IKEV1_STATE_QUICK_I_GETSPIDONE : IKEV1_STATE_QUICK_R_GETSPIDONE); + #ifdef ENABLE_STATS - gettimeofday(&start, NULL); -#endif - if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] - [iph2->side] - [iph2->status])(iph2, NULL) != 0) + gettimeofday(&start, NULL); +#endif + switch (iph2->side) { + case INITIATOR: + error = quick_i1send(iph2, NULL); + break; + case RESPONDER: + error = quick_r2send(iph2, NULL); + break; + } + + if (error) //%%%%%%%% log something ??? return -1; #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase2", + plog(ASL_LEVEL_NOTICE, "%s(%s): %8.6f", + "Phase 2", s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), timedelta(&start, &end)); #endif 
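Review bot: The new `switch (iph2->side)` has no `default`, and `error` is initialised to 0, so an unexpected side value falls through to the success path and the STATS block logs it as a completed exchange; add `default: return -1;` (or a logged error) to keep the previous table-driven behaviour of rejecting unknown states. The `//%%%%%%%% log something ???` marker on the `if (error)` line should be resolved or turned into a plain TODO before this lands. Note also that `fsm_set_state` moves the handle to GETSPIDONE before the send, so a failed `quick_i1send`/`quick_r2send` leaves the state advanced; if that is intended a comment saying so would help.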
@@ -2838,47 +2451,44 @@ void isakmp_chkph1there_stub(p) void *p; { - isakmp_chkph1there((struct ph2handle *)p); + isakmp_chkph1there((phase2_handle_t *)p); } void isakmp_chkph1there(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { - struct ph1handle *iph1; + phase1_handle_t *iph1; - if (iph2->status != PHASE2ST_STATUS2 || - iph2->is_dying) { - plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: ph2 handle has advanced too far (status %d, STATUS2 %d, dying %d)... ignoring\n", iph2->status, PHASE2ST_STATUS2, iph2->is_dying); + if ((iph2->version == ISAKMP_VERSION_NUMBER_IKEV1 && iph2->status != IKEV1_STATE_QUICK_I_START) || + iph2->is_dying) { + plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: ph2 handle has advanced too far (status %d, START %d, dying %d)... ignoring\n", iph2->status, IKEV1_STATE_QUICK_I_START, iph2->is_dying); return; } iph2->retry_checkph1--; - if (iph2->retry_checkph1 < 0 || - ike_session_verify_ph2_parent_session(iph2)) { + + if (iph2->retry_checkph1 < 0 /* %%%%|| + ike_session_verify_ph2_parent_session(iph2) */) { if (iph2->retry_checkph1 < 0) { - plog(LLV_ERROR, LOCATION, iph2->dst, - "phase2 negotiation failed " - "due to time up waiting for phase1. %s\n", + plog(ASL_LEVEL_ERR, + "Phase 2 negotiation failed " + "due to time up waiting for Phase 1. %s\n", sadbsecas2str(iph2->dst, iph2->src, iph2->satype, 0, 0)); } else { - plog(LLV_ERROR, LOCATION, iph2->dst, - "phase2 negotiation failed " + plog(ASL_LEVEL_ERR, + "Phase 2 negotiation failed " "due to invalid parent session. %s\n", sadbsecas2str(iph2->dst, iph2->src, iph2->satype, 0, 0)); } - plog(LLV_INFO, LOCATION, NULL, - "delete phase 2 handler.\n"); + plog(ASL_LEVEL_INFO, + "delete Phase 2 handler.\n"); /* send acquire to kernel as error */ pk_sendeacquire(iph2); - - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - + ike_session_unlink_phase2(iph2); return; } 
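Review bot: With `ike_session_verify_ph2_parent_session(iph2)` commented out, the only way into the failure block is `iph2->retry_checkph1 < 0`, so the inner `else` that logs "due to invalid parent session" is now unreachable. Either restore the parent-session check or collapse the block to the single `if (iph2->retry_checkph1 < 0) {` with one log message, and replace the `/* %%%%|| ... */` marker with a proper TODO explaining why the verification was disabled. The function continues past the end of this hunk.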
@@ -2887,39 +2497,44 @@ isakmp_chkph1there(iph2) /* XXX Even if ph1 as responder is there, should we not start * phase 2 negotiation ? */ if (iph1 != NULL - && iph1->status == PHASE1ST_ESTABLISHED) { + && FSM_STATE_IS_ESTABLISHED(iph1->status)) { /* found isakmp-sa */ - plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str((struct sockaddr *)iph1->local)); - plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str((struct sockaddr *)iph1->remote)); - plog(LLV_DEBUG2, LOCATION, NULL, "before:\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)iph2->src)); - plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst)); + plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: got a ph1 handler, setting ports.\n"); + plog(ASL_LEVEL_DEBUG, "iph1->local: %s\n", saddr2str((struct sockaddr *)iph1->local)); + plog(ASL_LEVEL_DEBUG, "iph1->remote: %s\n", saddr2str((struct sockaddr *)iph1->remote)); + plog(ASL_LEVEL_DEBUG, "before:\n"); + plog(ASL_LEVEL_DEBUG, "src: %s\n", saddr2str((struct sockaddr *)iph2->src)); + plog(ASL_LEVEL_DEBUG, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst)); set_port(iph2->src, extract_port(iph1->local)); set_port(iph2->dst, extract_port(iph1->remote)); - plog(LLV_DEBUG2, LOCATION, NULL, "After:\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)iph2->src)); - plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst)); + plog(ASL_LEVEL_DEBUG, "After:\n"); + plog(ASL_LEVEL_DEBUG, "src: %s\n", saddr2str((struct sockaddr *)iph2->src)); + plog(ASL_LEVEL_DEBUG, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst)); /* begin quick mode */ - if (isakmp_ph2begin_i(iph1, iph2)) { - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + { + if (ikev1_ph2begin_i(iph1, iph2)) { + ike_session_unlink_phase2(iph2); + } } return; } if 
(!ike_session_has_negoing_ph1(iph2->parent_session)) { struct remoteconf *rmconf = getrmconf(iph2->dst); /* start phase 1 negotiation as a initiator. */ - if (rmconf == NULL || - isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src, 0) < 0) { - plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n"); + if (rmconf) { + { + if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { + plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n"); + } + } + } else if (rmconf == NULL) { + plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no remoteconf found... failed to initiate new one\n"); } } - plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n"); + plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established ph1 handler found\n"); /* no isakmp-sa found */ sched_new(1, isakmp_chkph1there_stub, iph2); @@ -2982,7 +2597,7 @@ isakmp_add_attr_v(buf0, type, val, len) } else buf = vmalloc(tlen); if (!buf) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get a attribute buffer.\n"); return NULL; } @@ -3015,7 +2630,7 @@ isakmp_add_attr_l(buf0, type, val) } else buf = vmalloc(tlen); if (!buf) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get a attribute buffer.\n"); return NULL; } @@ -3047,7 +2662,7 @@ isakmp_newcookie(place, remote, local) if (remote->ss_family != local->ss_family) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "address family mismatch, remote:%d local:%d\n", remote->ss_family, local->ss_family); goto end; @@ -3066,7 +2681,7 @@ isakmp_newcookie(place, remote, local) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", remote->ss_family); goto end; } 
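Review bot: `} else if (rmconf == NULL) {` following `if (rmconf) {` is just `} else {`, and the doubled `{ { ... } }` around the `ikev1_ph1begin_i` call adds nesting with no scope; both make the fallback path harder to read than it is. Suggested shape: `if (rmconf == NULL) { plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no remoteconf found... failed to initiate new one\n"); } else if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n"); }`. The enclosing function starts outside this hunk.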
@@ -3074,7 +2689,7 @@ isakmp_newcookie(place, remote, local) + sizeof(time_t) + lcconf->secret_size; buf = vmalloc(blen); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get a cookie.\n"); goto end; } @@ -3111,7 +2726,7 @@ isakmp_newcookie(place, remote, local) memcpy(place, buf2->v, sizeof(cookie_t)); sa1 = val2str(place, sizeof (cookie_t)); - plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1); + plog(ASL_LEVEL_DEBUG, "new cookie:\n%s\n", sa1); racoon_free(sa1); error = 0; @@ -3133,13 +2748,13 @@ isakmp_p2ph(buf, gen) { /* XXX to be checked in each functions for logging. */ if (*buf) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "ignore this payload, same payload type exist.\n"); return -1; } if (ntohs(gen->len) < sizeof(*gen)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ignore this payload, invalid payload len %d.\n", ntohs(gen->len)); return -1; @@ -3147,7 +2762,7 @@ isakmp_p2ph(buf, gen) *buf = vmalloc(ntohs(gen->len) - sizeof(*gen)); if (*buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer.\n"); return -1; } @@ -3158,13 +2773,13 @@ isakmp_p2ph(buf, gen) u_int32_t isakmp_newmsgid2(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { u_int32_t msgid2; do { msgid2 = eay_random(); - } while (getph2bymsgid(iph1, msgid2)); + } while (ike_session_getph2bymsgid(iph1, msgid2)); return msgid2; } @@ -3175,7 +2790,7 @@ isakmp_newmsgid2(iph1) static caddr_t set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid) vchar_t *vbuf; - struct ph1handle *iph1; + phase1_handle_t *iph1; int nptype; u_int8_t etype; u_int8_t flags; @@ -3206,7 +2821,7 @@ set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid) caddr_t set_isakmp_header1(vbuf, iph1, nptype) vchar_t *vbuf; - struct ph1handle *iph1; + phase1_handle_t *iph1; int nptype; { return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid); 
@@ -3218,7 +2833,7 @@ set_isakmp_header1(vbuf, iph1, nptype) caddr_t set_isakmp_header2(vbuf, iph2, nptype) vchar_t *vbuf; - struct ph2handle *iph2; + phase2_handle_t *iph2; int nptype; { return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid); @@ -3236,7 +2851,7 @@ set_isakmp_payload(buf, src, nptype) struct isakmp_gen *gen; caddr_t p = buf; - plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n", + plog(ASL_LEVEL_DEBUG, "add payload of len %zu, next type %d\n", src->l, nptype); gen = (struct isakmp_gen *)p; @@ -3249,46 +2864,17 @@ set_isakmp_payload(buf, src, nptype) return p; } -static int -etypesw1(etype) - int etype; -{ - switch (etype) { - case ISAKMP_ETYPE_IDENT: - return 1; - case ISAKMP_ETYPE_AGG: - return 2; - case ISAKMP_ETYPE_BASE: - return 3; - default: - return 0; - } - /*NOTREACHED*/ -} - -static int -etypesw2(etype) - int etype; -{ - switch (etype) { - case ISAKMP_ETYPE_QUICK: - return 1; - default: - return 0; - } - /*NOTREACHED*/ -} #ifdef HAVE_PRINT_ISAKMP_C /* for print-isakmp.c */ char *snapend; -extern void isakmp_print __P((const u_char *, u_int, const u_char *)); +extern void isakmp_print(const u_char *, u_int, const u_char *); -char *getname __P((const u_char *)); +char *getname(const u_char *); #ifdef INET6 -char *getname6 __P((const u_char *)); +char *getname6(const u_char *); #endif -int safeputchar __P((int)); +int safeputchar(int); /* * Return a name for the IP address pointed to by ap. This address @@ -3367,11 +2953,11 @@ isakmp_printpacket(msg, from, my, decoded) vchar_t *buf; #endif - if (loglevel < LLV_DEBUG) + if (loglevel < ASL_LEVEL_DEBUG) return; #ifdef YIPS_DEBUG - plog(LLV_DEBUG, LOCATION, NULL, "begin.\n"); + plog(ASL_LEVEL_DEBUG, "begin.\n"); gettimeofday(&tv, NULL); s = tv.tv_sec % 3600; 
@@ -3431,16 +3017,16 @@ isakmp_printpacket(msg, from, my, decoded) int copy_ph1addresses(iph1, rmconf, remote, local) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct remoteconf *rmconf; struct sockaddr_storage *remote, *local; { u_short *port = NULL; /* address portion must be grabbed from real remote address "remote" */ - iph1->remote = dupsaddr((struct sockaddr *)remote); + iph1->remote = dupsaddr(remote); if (iph1->remote == NULL) { - delph1(iph1); + ike_session_delph1(iph1); return -1; } @@ -3473,18 +3059,18 @@ copy_ph1addresses(iph1, rmconf, remote, local) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", iph1->remote->ss_family); - delph1(iph1); + ike_session_delph1(iph1); return -1; } if (local == NULL) iph1->local = getlocaladdr((struct sockaddr *)iph1->remote); else - iph1->local = dupsaddr((struct sockaddr *)local); + iph1->local = dupsaddr(local); if (iph1->local == NULL) { - delph1(iph1); + ike_session_delph1(iph1); return -1; } port = NULL; @@ -3510,14 +3096,14 @@ copy_ph1addresses(iph1, rmconf, remote, local) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", iph1->local->ss_family); - delph1(iph1); + ike_session_delph1(iph1); return -1; } #ifdef ENABLE_NATT if ( port != NULL && *port == htons(lcconf->port_isakmp_natt) ) { - plog (LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n"); + plog (ASL_LEVEL_DEBUG, "Marking ports as changed\n"); iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER; } #endif 
@@ -3525,29 +3111,9 @@ copy_ph1addresses(iph1, rmconf, remote, local) return 0; } -static int -nostate1(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n", - iph1->status); - return -1; -} - -static int -nostate2(iph2, msg) - struct ph2handle *iph2; - vchar_t *msg; -{ - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n", - iph2->status); - return -1; -} - void log_ph1established(iph1) - const struct ph1handle *iph1; + const phase1_handle_t *iph1; { char *src, *dst; @@ -3556,18 +3122,15 @@ log_ph1established(iph1) STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "ISAKMP-SA established %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); - EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL); - if(!iph1->rmconf->mode_cfg) - EVT_PUSH(iph1->local, iph1->remote, EVTT_NO_ISAKMP_CFG, NULL); racoon_free(src); racoon_free(dst); - IPSECLOGASLMSG("IPSec Phase1 established (Initiated by %s).\n", + IPSECLOGASLMSG("IPSec Phase 1 established (Initiated by %s).\n", (iph1->side == INITIATOR)? "me" : "peer"); return; @@ -3594,7 +3157,7 @@ isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_t } vchar_t * -isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1) +isakmp_plist_set_all (struct payload_list **plist, phase1_handle_t *iph1) { struct payload_list *ptr = *plist, *first; size_t tlen = sizeof (struct isakmp), n = 0; @@ -3613,7 +3176,7 @@ isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1) buf = vmalloc(tlen); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); goto end; } 
@@ -3644,197 +3207,45 @@ end: } #ifdef ENABLE_FRAG -int +void frag_handler(iph1, msg, remote, local) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *msg; struct sockaddr_storage *remote; struct sockaddr_storage *local; { vchar_t *newmsg; - int result; if (isakmp_frag_extract(iph1, msg) == 1) { if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) { - plog(LLV_ERROR, LOCATION, remote, + plog(ASL_LEVEL_ERR, "Packet reassembly failed\n"); - return -1; + return; } /* simply reply if the packet was processed. */ - if (check_recvdpkt(remote, local, newmsg) > 0) { + if (ike_session_check_recvdpkt(remote, local, newmsg) > 0) { IPSECLOGASLMSG("Received (reassembled) retransmitted packet from %s.\n", saddr2str((struct sockaddr *)remote)); - plog(LLV_NOTIFY, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "the reassembled packet is retransmitted by %s.\n", saddr2str((struct sockaddr *)remote)); - vfree(newmsg); - return 0; + vfree(newmsg); + return; } - result = isakmp_main(newmsg, remote, local); + isakmp_main(newmsg, remote, local); vfree(newmsg); - return result; - } - - return 0; -} -#endif - -void -script_hook(iph1, script) - struct ph1handle *iph1; - int script; -{ -#define IP_MAX 40 -#define PORT_MAX 6 - char addrstr[IP_MAX]; - char portstr[PORT_MAX]; - char **envp = NULL; - int envc = 1; - struct sockaddr_in *sin; - char **c; - - if (iph1 == NULL || - iph1->rmconf == NULL || - iph1->rmconf->script[script] == NULL) - return; - -#ifdef ENABLE_HYBRID - (void)isakmp_cfg_setenv(iph1, &envp, &envc); -#endif - - /* local address */ - sin = (struct sockaddr_in *)iph1->local; - inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX); - snprintf(portstr, sizeof(portstr), "%d", ntohs(sin->sin_port)); - - if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n"); - goto out; - } - - if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set 
LOCAL_PORT\n"); - goto out; - } - - /* Peer address */ - if (iph1->remote != NULL) { - sin = (struct sockaddr_in *)iph1->remote; - inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX); - snprintf(portstr, sizeof(portstr), "%d", ntohs(sin->sin_port)); - - if (script_env_append(&envp, &envc, - "REMOTE_ADDR", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set REMOTE_ADDR\n"); - goto out; - } - - if (script_env_append(&envp, &envc, - "REMOTE_PORT", portstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set REMOTEL_PORT\n"); - goto out; - } } -#ifdef HAVE_OPENSSL - if (privsep_script_exec(iph1->rmconf->script[script]->v, - script, envp) != 0) - plog(LLV_ERROR, LOCATION, NULL, - "Script %s execution failed\n", script_names[script]); -#else - if (script_exec(iph1->rmconf->script[script]->v, - script, envp) != 0) - plog(LLV_ERROR, LOCATION, NULL, - "Script %s execution failed\n", script_names[script]); -#endif - -out: - for (c = envp; *c; c++) - racoon_free(*c); - - racoon_free(envp); - return; } - -int -script_env_append(envp, envc, name, value) - char ***envp; - int *envc; - char *name; - char *value; -{ - char *envitem; - char **newenvp; - int newenvc; - int envitem_len; - - envitem_len = strlen(name) + 1 + strlen(value) + 1; - envitem = racoon_malloc(envitem_len); - if (envitem == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return -1; - } - snprintf(envitem, envitem_len, "%s=%s", name, value); - - newenvc = (*envc) + 1; - newenvp = racoon_realloc(*envp, newenvc * sizeof(char *)); - if (newenvp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - racoon_free(envitem); - return -1; - } - - newenvp[newenvc - 2] = envitem; - newenvp[newenvc - 1] = NULL; - - *envp = newenvp; - *envc = newenvc; - return 0; -} - -int -script_exec(script, name, envp) - char *script; - int name; - char *const envp[]; -{ - char *argv[] = { NULL, NULL, NULL }; - - argv[0] = 
script; - argv[1] = script_names[name]; - argv[2] = NULL; - - switch (fork()) { - case 0: - execve(argv[0], argv, envp); - plog(LLV_ERROR, LOCATION, NULL, - "execve(\"%s\") failed: %s\n", - argv[0], strerror(errno)); - _exit(1); - break; - case -1: - plog(LLV_ERROR, LOCATION, NULL, - "Cannot fork: %s\n", strerror(errno)); - return -1; - break; - default: - break; - } - - return 0; -} +#endif void purge_remote(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { vchar_t *buf = NULL; struct sadb_msg *msg, *next, *end; @@ -3842,15 +3253,15 @@ purge_remote(iph1) struct sockaddr_storage *src, *dst; caddr_t mhp[SADB_EXT_MAX + 1]; u_int proto_id; - struct ph2handle *iph2; - struct ph1handle *new_iph1; + phase2_handle_t *iph2; + phase1_handle_t *new_iph1; - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "purging ISAKMP-SA spi=%s.\n", isakmp_pindex(&(iph1->index), iph1->msgid)); /* Mark as expired. */ - iph1->status = PHASE1ST_EXPIRED; + fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_EXPIRED); new_iph1 = ike_session_update_ph1_ph2tree(iph1); @@ -3860,7 +3271,7 @@ purge_remote(iph1) */ buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); if (buf == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey_dump_sadb returned nothing.\n"); return; } @@ -3878,7 +3289,7 @@ purge_remote(iph1) } if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey_check (%s)\n", ipsec_strerror()); msg = next; continue; 
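Review bot: `frag_handler` now returns void, so the result of `isakmp_main(newmsg, remote, local)` is discarded and a caller can no longer distinguish a rejected reassembled packet from a processed one; if callers genuinely have no use for it, say so at the call, e.g. `/* result intentionally ignored; isakmp_main logs its own failures */` (I cannot see isakmp_main, so confirm that before writing it). Separately, the converted `plog(ASL_LEVEL_ERR, "Packet reassembly failed\n")` drops the `remote` argument the old call carried, so the log line no longer identifies the peer whose fragments failed to reassemble; appending `saddr2str((struct sockaddr *)remote)` to the message, as the IPSECLOGASLMSG a few lines below already does, keeps that attribution. The same loss of the peer address in error logs recurs where `iph1->remote` was removed from plog calls in isakmp_plist_append_initial_contact, agg_i2recv ("received invalid next payload type", "few isakmp message received", "invalid ID payload", "failed to get valid proposal") and agg_r1recv. The script_hook/script_env_append/script_exec removals in this hunk are pure deletion and are not re-reviewed.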
@@ -3913,14 +3324,14 @@ purge_remote(iph1) } proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); - iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); + iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); /* Check if there is another valid ISAKMP-SA */ if (new_iph1 != NULL) { if (iph2 == NULL) { /* No handler... still send a pfkey_delete message, but log this !*/ - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "Unknown IPsec-SA spi=%u, hmmmm?\n", ntohl(sa->sadb_sa_spi)); }else{ @@ -3935,10 +3346,9 @@ purge_remote(iph1) } /* If the ph2handle is established, do not purge IPsec-SA */ - if (iph2->status == PHASE2ST_ESTABLISHED || - iph2->status == PHASE2ST_EXPIRED) { + if (FSM_STATE_IS_ESTABLISHED_OR_EXPIRED(iph2->status)) { - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n", ntohl(sa->sadb_sa_spi), isakmp_pindex(&(new_iph1->index), new_iph1->msgid)); @@ -3957,12 +3367,10 @@ purge_remote(iph1) /* delete a relative phase 2 handle. */ if (iph2 != NULL) { delete_spd(iph2); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); } - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "purged IPsec-SA spi=%u.\n", ntohl(sa->sadb_sa_spi)); @@ -3973,7 +3381,7 @@ purge_remote(iph1) vfree(buf); /* Mark the phase1 handler as EXPIRED */ - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "purged ISAKMP-SA spi=%s.\n", isakmp_pindex(&(iph1->index), iph1->msgid)); @@ -3984,7 +3392,7 @@ purge_remote(iph1) void delete_spd(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { if (iph2 == NULL) return; @@ -4003,7 +3411,7 @@ delete_spd(iph2) int error; int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */ - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "generated policy, deleting it.\n"); memset(&u.spidx, 0, sizeof(u.spidx)); 
@@ -4032,7 +3440,7 @@ delete_spd(iph2) || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { /* get a destination address of a policy */ error = ipsecdoi_id2sockaddr(iph2->id, &u.spidx.dst, - &u.spidx.prefd, &u.spidx.ul_proto); + &u.spidx.prefd, &u.spidx.ul_proto, iph2->version); if (error) goto purge; @@ -4056,9 +3464,9 @@ delete_spd(iph2) } else { - plog(LLV_DEBUG, LOCATION, NULL, - "get a destination address of SP index " - "from phase1 address " + plog(ASL_LEVEL_DEBUG, + "Get a destination address of SP index " + "from Phase 1 address " "due to no ID payloads found " "OR because ID type is not address.\n"); @@ -4093,7 +3501,7 @@ delete_spd(iph2) || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { /* get a source address of inbound SA */ error = ipsecdoi_id2sockaddr(iph2->id_p, &u.spidx.src, - &u.spidx.prefs, &u.spidx.ul_proto); + &u.spidx.prefs, &u.spidx.ul_proto, iph2->version); if (error) goto purge; @@ -4114,15 +3522,15 @@ delete_spd(iph2) if (_XIDT(iph2->id_p) == idi2type && u.spidx.dst.ss_family == u.spidx.src.ss_family) { iph2->src_id = - dupsaddr((struct sockaddr *)&u.spidx.dst); + dupsaddr(&u.spidx.dst); iph2->dst_id = - dupsaddr((struct sockaddr *)&u.spidx.src); + dupsaddr(&u.spidx.src); } } else { - plog(LLV_DEBUG, LOCATION, NULL, - "get a source address of SP index " - "from phase1 address " + plog(ASL_LEVEL_DEBUG, + "Get a source address of SP index " + "from Phase 1 address " "due to no ID payloads found " "OR because ID type is not address.\n"); @@ -4147,12 +3555,12 @@ delete_spd(iph2) #undef _XIDT - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "get a src address from ID payload " "%s prefixlen=%u ul_proto=%u\n", saddr2str((struct sockaddr *)&u.spidx.src), u.spidx.prefs, u.spidx.ul_proto); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "get dst address from ID payload " "%s prefixlen=%u ul_proto=%u\n", saddr2str((struct sockaddr *)&u.spidx.dst), 
@@ -4171,10 +3579,10 @@ delete_spd(iph2) */ if (pk_sendspddelete(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey spddelete(inbound) failed.\n"); }else{ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey spddelete(inbound) sent.\n"); } @@ -4183,10 +3591,10 @@ delete_spd(iph2) if (tunnel_mode_prop(iph2->approval)) { u.spidx.dir = IPSEC_DIR_FWD; if (pk_sendspddelete(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey spddelete(forward) failed.\n"); }else{ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey spddelete(forward) sent.\n"); } } @@ -4204,10 +3612,10 @@ delete_spd(iph2) u.spidx.prefd = pref; if (pk_sendspddelete(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey spddelete(outbound) failed.\n"); }else{ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey spddelete(outbound) sent.\n"); } purge: @@ -4232,13 +3640,13 @@ setscopeid(sp_addr0, sa_addr0) /* this check should not be here ? */ if (sa_addr->sin6_family != AF_INET6) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "can't get scope ID: family mismatch\n"); return -1; } if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "scope ID is not supported except of lladdr.\n"); return -1; } @@ -4251,10 +3659,10 @@ setscopeid(sp_addr0, sa_addr0) vchar_t * isakmp_plist_append_initial_contact (iph1, plist) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct payload_list *plist; { - if (!iph1->is_rekey && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) { + if (!iph1->is_rekey && iph1->rmconf->ini_contact && !ike_session_getcontacted(iph1->remote)) { vchar_t *notp_ini = NULL; struct isakmp_pl_n np, *nptr; char *cptr; 
@@ -4270,25 +3678,24 @@ isakmp_plist_append_initial_contact (iph1, plist) cptr = notp_ini->v + sizeof(struct isakmp_pl_n) - sizeof(struct isakmp_gen); memcpy(cptr, &iph1->index, sizeof(isakmp_index)); plist = isakmp_plist_append(plist, notp_ini, ISAKMP_NPTYPE_N); - plog(LLV_DEBUG2, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "added initial-contact payload.\n"); /* insert a node into contacted list. */ - if (inscontacted(iph1->remote) == -1) { - plog(LLV_ERROR, LOCATION, iph1->remote, + if (ike_session_inscontacted(iph1->remote) == -1) { + plog(ASL_LEVEL_ERR, "failed to add contacted list.\n"); /* ignore */ } return notp_ini; } else { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "failed to allocate notification payload.\n"); return NULL; } } else { - plog(LLV_DEBUG, LOCATION, iph1->remote, - "failed to add initial-contact payload: rekey %d, ini-contact %d, contacted %d.\n", - iph1->is_rekey? 1:0, iph1->rmconf->ini_contact, getcontacted(iph1->remote)? 1:0); + plog(ASL_LEVEL_DEBUG, "failed to add initial-contact payload: rekey %d, ini-contact %d, contacted %d.\n", + iph1->is_rekey? 1:0, iph1->rmconf->ini_contact, ike_session_getcontacted(iph1->remote)? 1:0); } return NULL; } diff --git a/ipsec-tools/racoon/isakmp.h b/ipsec-tools/racoon/isakmp.h index 628276c..b66bf06 100644 --- a/ipsec-tools/racoon/isakmp.h +++ b/ipsec-tools/racoon/isakmp.h @@ -32,6 +32,11 @@ #ifndef _ISAKMP_H #define _ISAKMP_H +#include +#include "racoon_types.h" +#include "vmbuf.h" +#include "isakmp_var.h" + /* refer to RFC 2408 */ /* must include first. */ 
@@ -120,9 +125,11 @@ struct isakmp { */ #define ISAKMP_NPTYPE_GSS 129 /* GSS token */ -#define ISAKMP_MAJOR_VERSION 1 +#define ISAKMP_MAJOR_VERSION_IKEV1 1 +#define ISAKMP_MAJOR_VERSION_IKEV2 2 #define ISAKMP_MINOR_VERSION 0 -#define ISAKMP_VERSION_NUMBER 0x10 +#define ISAKMP_VERSION_NUMBER_IKEV1 0x10 +#define ISAKMP_VERSION_NUMBER_IKEV2 0x20 #define ISAKMP_GETMAJORV(v) (((v) & 0xf0) >> 4) #define ISAKMP_SETMAJORV(v, m) ((v) = ((v) & 0x0f) | (((m) << 4) & 0xf0)) #define ISAKMP_GETMINORV(v) ((v) & 0x0f) @@ -390,12 +397,16 @@ struct isakmp_pl_natoa { /* IP address */ } __attribute__((__packed__)); -struct payload_list { +typedef struct payload_list { struct payload_list *next, *prev; vchar_t *payload; int payload_type; -}; +} payload_list_t; +typedef struct payload_list_head { + int num_payloads; + payload_list_t *payloads; +} payload_list_head_t; /* See draft-ietf-ipsec-isakmp-mode-cfg-04.txt, 3.2 */ struct isakmp_pl_attr { @@ -458,4 +469,7 @@ struct isakmp_pl_resp_lifetime { /* data follows next */ } __attribute__((__packed__)); +extern u_char i_ck0[]; +extern u_char r_ck0[]; + #endif /* _ISAKMP_H */ diff --git a/ipsec-tools/racoon/isakmp_agg.c b/ipsec-tools/racoon/isakmp_agg.c index 993ac28..9a3ccfb 100644 --- a/ipsec-tools/racoon/isakmp_agg.c +++ b/ipsec-tools/racoon/isakmp_agg.c @@ -65,11 +65,11 @@ #include #endif +#include "fsm.h" #include "localconf.h" #include "remoteconf.h" #include "isakmp_var.h" #include "isakmp.h" -#include "evt.h" #include "oakley.h" #include "handler.h" #include "ipsec_doi.h" @@ -91,10 +91,6 @@ #include "nattraversal.h" #endif -#ifdef HAVE_GSSAPI -#include "gssapi.h" -#endif - #include "vpn_control.h" #include "vpn_control_var.h" #include "ipsecSessionTracer.h" @@ -117,7 +113,7 @@ */ int agg_i1send(iph1, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *msg; /* must be null */ { struct payload_list *plist = NULL; 
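Review bot: The new `extern u_char i_ck0[];` and `extern u_char r_ck0[];` declarations at the end of isakmp.h carry no comment and, as incomplete array types, no length, so a reader of the header cannot tell what they hold or how many bytes may be read from them. A one-line comment above them would fix that, e.g. `/* all-zero initiator / responder cookies; presumably sizeof(cookie_t) bytes, see the defining .c */` — the length is inferred from the name and should be confirmed against the definition before it is written down.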
@@ -135,26 +131,23 @@ agg_i1send(iph1, msg) #ifdef ENABLE_FRAG vchar_t *vid_frag = NULL; #endif -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; - int len; -#endif #ifdef ENABLE_DPD vchar_t *vid_dpd = NULL; #endif + /* validity check */ + if (iph1->status != IKEV1_STATE_AGG_I_START) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); + goto end; + } /* validity check */ if (msg != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "msg has to be NULL in this function.\n"); goto end; } - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } /* create isakmp index */ memset(&iph1->index, 0, sizeof(iph1->index)); @@ -162,22 +155,22 @@ agg_i1send(iph1, msg) /* make ID payload into isakmp status */ if (ipsecdoi_setid1(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set ID"); goto end; } /* create SA payload for my proposal */ - iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); + iph1->sa = ipsecdoi_setph1proposal(iph1); if (iph1->sa == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set proposal"); goto end; } /* consistency check of proposals */ if (iph1->rmconf->dhgrp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "configuration failure about DH group.\n"); goto end; } @@ -190,7 +183,7 @@ agg_i1send(iph1, msg) if (oakley_dh_generate(iph1->rmconf->dhgrp, &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) { #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate DH"); goto end; } @@ -198,7 +191,7 @@ agg_i1send(iph1, msg) /* generate NONCE value */ iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); if (iph1->nonce == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate NONCE"); goto end; } 
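Review bot: Moving the FSM state check ahead of the `msg != NULL` check in agg_i1send leaves two consecutive `/* validity check */` comments, one over the `IKEV1_STATE_AGG_I_START` test and one over the `msg` test. Fold them into a single comment covering both guards, e.g. `/* validity checks: FSM state first, then the caller contract (msg must be NULL) */`, and drop the second. The enclosing function continues outside this hunk.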
@@ -208,16 +201,14 @@ agg_i1send(iph1, msg) switch (RMAUTHMETHOD(iph1)) { case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Xauth vendor ID generation failed\n"); if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unity vendor ID generation failed\n"); break; default: @@ -232,30 +223,25 @@ agg_i1send(iph1, msg) vid_frag = isakmp_frag_addcap(vid_frag, VENDORID_FRAG_AGG); if (vid_frag == NULL) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Frag vendorID construction failed\n"); } #endif /* create CR if need */ if (iph1->rmconf->send_cr - && oakley_needcr(iph1->rmconf->proposal->authmethod) - && iph1->rmconf->peerscertfile == NULL) { + && oakley_needcr(iph1->rmconf->proposal->authmethod)) { need_cr = 1; cr = oakley_getcr(iph1); if (cr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get CR"); goto end; } } - plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n", + plog(ASL_LEVEL_DEBUG, "authmethod is %s\n", s_oakley_attr_method(iph1->rmconf->proposal->authmethod)); -#ifdef HAVE_GSSAPI - if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) - gssapi_get_itoken(iph1, &len); -#endif /* set SA payload to propose */ plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); 
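Review bot: Dropping `&& iph1->rmconf->peerscertfile == NULL` from the CR condition in agg_i1send means a certificate request is now built whenever `send_cr` is set and the auth method needs one, even when a peer certificate file is configured, and nothing in the hunk records why or whether `peerscertfile` is still consulted when the received CERT is validated. A one-line comment on the condition would capture the rationale, e.g. `/* CR is sent even when peerscertfile is configured: <reason> */`, filled in with the actual reason, which is not visible here. The enclosing function continues outside this hunk.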
@@ -269,12 +255,6 @@ agg_i1send(iph1, msg) /* create isakmp ID payload */ plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); -#ifdef HAVE_GSSAPI - if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { - gssapi_get_token_to_send(iph1, &gsstoken); - plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS); - } -#endif /* create isakmp CR payload */ if (need_cr) plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR); @@ -316,12 +296,12 @@ agg_i1send(iph1, msg) /* send the packet, add to the schedule to resend */ iph1->retry_counter = iph1->rmconf->retry_counter; if (isakmp_ph1resend(iph1) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } - iph1->status = PHASE1ST_MSG1SENT; + fsm_set_state(&iph1->status, IKEV1_STATE_AGG_I_MSG1SENT); error = 0; @@ -339,10 +319,6 @@ end: } if (cr) vfree(cr); -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif #ifdef ENABLE_FRAG if (vid_frag) vfree(vid_frag); @@ -375,7 +351,7 @@ end: */ int agg_i2recv(iph1, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *msg; { vchar_t *pbuf = NULL; @@ -384,9 +360,6 @@ agg_i2recv(iph1, msg) int error = -1; int vid_numeric; int ptype; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif int received_cert = 0; #ifdef ENABLE_NATT @@ -400,17 +373,17 @@ agg_i2recv(iph1, msg) TAILQ_INIT(&natd_tree); #endif - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_AGG_I_MSG1SENT) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } /* validate the type of next payload */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); goto end; } 
@@ -420,7 +393,7 @@ agg_i2recv(iph1, msg) /* SA payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "received invalid next payload type %d, " "expecting %d.\n", pa->type, ISAKMP_NPTYPE_SA); @@ -428,7 +401,7 @@ agg_i2recv(iph1, msg) } if (isakmp_p2ph(&satmp, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process SA payload"); goto end; } @@ -441,21 +414,21 @@ agg_i2recv(iph1, msg) switch (pa->type) { case ISAKMP_NPTYPE_KE: if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process KE payload"); goto end; } break; case ISAKMP_NPTYPE_NONCE: if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process NONCE payload"); goto end; } break; case ISAKMP_NPTYPE_ID: if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process ID payload"); goto end; } @@ -465,14 +438,14 @@ agg_i2recv(iph1, msg) break; case ISAKMP_NPTYPE_CR: if (oakley_savecr(iph1, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process CR payload"); goto end; } break; case ISAKMP_NPTYPE_CERT: if (oakley_savecert(iph1, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process CERT payload"); goto end; } @@ -480,7 +453,7 @@ agg_i2recv(iph1, msg) break; case ISAKMP_NPTYPE_SIG: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process SIG payload"); goto end; } 
@@ -510,14 +483,14 @@ agg_i2recv(iph1, msg) #ifdef ENABLE_DPD if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) { iph1->dpd_support=1; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "remote supports DPD\n"); } #endif #ifdef ENABLE_FRAG if ((vid_numeric == VENDORID_FRAG) && (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "remote supports FRAGMENTATION\n"); iph1->frag = 1; } @@ -526,16 +499,6 @@ agg_i2recv(iph1, msg) case ISAKMP_NPTYPE_N: isakmp_check_notify(pa->ptr, iph1); break; -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to process GSS payload"); - goto end; - } - gssapi_save_received_token(iph1, gsstoken); - break; -#endif #ifdef ENABLE_NATT case ISAKMP_NPTYPE_NATD_DRAFT: @@ -546,7 +509,7 @@ agg_i2recv(iph1, msg) struct natd_payload *natd; natd = (struct natd_payload *)racoon_malloc(sizeof(*natd)); if (!natd) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to pre-process NATD payload"); goto end; } @@ -554,7 +517,7 @@ agg_i2recv(iph1, msg) natd->payload = NULL; if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process NATD payload"); goto end; } @@ -571,7 +534,7 @@ agg_i2recv(iph1, msg) default: /* don't send information, see isakmp_ident_r1() */ - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); 
@@ -585,21 +548,21 @@ agg_i2recv(iph1, msg) /* payload existency check */ if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "few isakmp message received.\n"); goto end; } /* verify identifier */ if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "invalid ID payload.\n"); goto end; } /* check SA payload and set approval SA for use */ if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "failed to get valid proposal.\n"); /* XXX send information */ goto end; @@ -615,7 +578,7 @@ agg_i2recv(iph1, msg) struct natd_payload *natd = NULL; int natd_verified; - plog(LLV_INFO, LOCATION, iph1->remote, + plog(ASL_LEVEL_INFO, "Selected NAT-T version: %s\n", vid_string_by_id(iph1->natt_options->version)); @@ -629,7 +592,7 @@ agg_i2recv(iph1, msg) natd_verified = natt_compare_addr_hash (iph1, natd->payload, natd->seq); - plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", + plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n", natd->seq - 1, natd_verified ? "verified" : "doesn't match"); @@ -639,7 +602,7 @@ agg_i2recv(iph1, msg) racoon_free (natd); } - plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", + plog (ASL_LEVEL_INFO, "NAT %s %s%s\n", iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 
@@ -656,31 +619,31 @@ agg_i2recv(iph1, msg) if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub, iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { #else - if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) { + if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) { #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute DH"); goto end; } /* generate SKEYIDs & IV & final cipher key */ if (oakley_skeyid(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate SKEYID"); goto end; } if (oakley_skeyid_dae(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate SKEYID-DAE"); goto end; } if (oakley_compute_enckey(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate ENCKEY"); goto end; } if (oakley_newiv(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate IV"); goto end; } @@ -696,8 +659,6 @@ agg_i2recv(iph1, msg) /* message printed inner oakley_validate_auth() */ goto end; } - EVT_PUSH(iph1->local, iph1->remote, - EVTT_PEERPH1AUTH_FAILED, NULL); isakmp_info_send_n1(iph1, ptype, NULL); goto end; } @@ -712,7 +673,7 @@ agg_i2recv(iph1, msg) } /* change status of isakmp status entry */ - iph1->status = PHASE1ST_MSG2RECEIVED; + fsm_set_state(&iph1->status, IKEV1_STATE_AGG_I_MSG2RCVD); #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL); @@ -732,10 +693,7 @@ end: CONSTSTR("Initiator, Aggressive-Mode Message 2"), CONSTSTR("Failure processing Aggressive-Mode Message 2")); } -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif + if (pbuf) vfree(pbuf); if (satmp) @@ -765,8 +723,8 @@ end: * rev: HDR, HASH_I */ int -agg_i2send(iph1, msg) - struct ph1handle *iph1; +agg_i3send(iph1, msg) + phase1_handle_t *iph1; vchar_t *msg; { struct payload_list *plist = NULL; 
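Review bot: Removing `EVT_PUSH(iph1->local, iph1->remote, EVTT_PEERPH1AUTH_FAILED, NULL)` leaves the peer-authentication-failure path in agg_i2recv with only the message printed inside `oakley_validate_auth()` (per the surviving comment) and the `isakmp_info_send_n1` notify, so there is no longer a record at this point that a monitoring consumer can key on for a failed Phase 1 authentication. If ASL is the intended replacement for the event channel, an explicit log here preserves the signal, e.g. `plog(ASL_LEVEL_ERR, "Phase 1 authentication failed for %s (notify type %d).\n", saddr2str((struct sockaddr *)iph1->remote), ptype);`. The enclosing `if` and the rest of the function lie outside this hunk, so whether another log point already covers this case is not visible.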
@@ -779,27 +737,18 @@ agg_i2send(iph1, msg) vchar_t *notp_unity = NULL; vchar_t *notp_ini = NULL; - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_AGG_I_MSG2RCVD) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } /* generate HASH to send */ - plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); + plog(ASL_LEVEL_DEBUG, "generate HASH_I\n"); iph1->hash = oakley_ph1hash_common(iph1, GENERATE); if (iph1->hash == NULL) { -#ifdef HAVE_GSSAPI - if (gssapi_more_tokens(iph1) && -#ifdef ENABLE_HYBRID - !iph1->rmconf->xauth && -#endif - 1) - isakmp_info_send_n1(iph1, - ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); -#endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate HASH"); goto end; } @@ -809,29 +758,26 @@ agg_i2send(iph1, msg) #ifdef ENABLE_HYBRID case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: #endif /* set HASH payload */ plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: case OAKLEY_ATTR_AUTH_METHOD_RSASIG: #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: #endif /* XXX if there is CR or not ? */ if (oakley_getmycert(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get mycert"); goto end; } if (oakley_getsign(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get sign"); goto end; } 
@@ -855,34 +801,20 @@ agg_i2send(iph1, msg) case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: #endif break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - gsshash = gssapi_wraphash(iph1); - if (gsshash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get GSS hash\n"); - isakmp_info_send_n1(iph1, - ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); - goto end; - } - - plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH); - break; -#endif } #ifdef ENABLE_NATT /* generate NAT-D payloads */ if (NATT_AVAILABLE(iph1)) { - plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); + plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n"); if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); goto end; } if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); goto end; } @@ -908,15 +840,15 @@ agg_i2send(iph1, msg) /* send to responder */ if (isakmp_send(iph1, iph1->sendbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, + PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); goto end; } 
@@ -924,7 +856,7 @@ agg_i2send(iph1, msg) /* set encryption flag */ iph1->flags |= ISAKMP_FLAG_E; - iph1->status = PHASE1ST_ESTABLISHED; + fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED); IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC, @@ -971,28 +903,25 @@ end: */ int agg_r1recv(iph1, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *msg; { int error = -1; vchar_t *pbuf = NULL; struct isakmp_parse_t *pa; int vid_numeric; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif - /* validity check */ - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_AGG_R_START) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } /* validate the type of next payload */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); goto end; } @@ -1000,14 +929,14 @@ agg_r1recv(iph1, msg) /* SA payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "received invalid next payload type %d, " "expecting %d.\n", pa->type, ISAKMP_NPTYPE_SA); goto end; } if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process SA payload"); goto end; } 
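Review bot: The invalid-next-payload error in agg_r1recv no longer records who sent the packet, because the old `plog(LLV_ERROR, LOCATION, iph1->remote, ...)` carried the peer address and the new `plog(ASL_LEVEL_ERR, ...)` drops that argument. This path runs before any authentication, so the peer address is the only attribution an operator has when triaging malformed Aggressive-Mode traffic; the same loss occurs in the unexpected-payload default case (L513), the payload-existence, ID and proposal checks (L514) and the agg_r3recv default case (L521). Since saddr2str is already used in this file for NAT-D logging, the address can be folded into the message, e.g. `plog(ASL_LEVEL_ERR, "received invalid next payload type %d from %s, expecting %d.\n", pa->type, saddr2str((struct sockaddr *)iph1->remote), ISAKMP_NPTYPE_SA);`. Whether the new plog wrapper adds the peer itself cannot be seen from this hunk; if it does, the other call sites should at least be consistent.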
@@ -1017,28 +946,28 @@ agg_r1recv(iph1, msg) pa->type != ISAKMP_NPTYPE_NONE; pa++) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received payload of type %s\n", s_isakmp_nptype(pa->type)); switch (pa->type) { case ISAKMP_NPTYPE_KE: if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process KE payload"); goto end; } break; case ISAKMP_NPTYPE_NONCE: if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process NONCE payload"); goto end; } break; case ISAKMP_NPTYPE_ID: if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process ID payload"); goto end; } @@ -1071,14 +1000,14 @@ agg_r1recv(iph1, msg) #ifdef ENABLE_DPD if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) { iph1->dpd_support=1; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "remote supports DPD\n"); } #endif #ifdef ENABLE_FRAG if ((vid_numeric == VENDORID_FRAG) && (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "remote supports FRAGMENTATION\n"); iph1->frag = 1; } @@ -1087,25 +1016,15 @@ agg_r1recv(iph1, msg) case ISAKMP_NPTYPE_CR: if (oakley_savecr(iph1, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process CR payload"); goto end; } break; -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to process GSS payload"); - goto end; - } - gssapi_save_received_token(iph1, gsstoken); - break; -#endif default: /* don't send information, see isakmp_ident_r1() */ - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); 
@@ -1115,21 +1034,21 @@ agg_r1recv(iph1, msg) /* payload existency check */ if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "few isakmp message received.\n"); goto end; } /* verify identifier */ if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "invalid ID payload.\n"); goto end; } #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) { - plog(LLV_INFO, LOCATION, iph1->remote, + plog(ASL_LEVEL_INFO, "Selected NAT-T version: %s\n", vid_string_by_id(iph1->natt_options->version)); ike_session_update_natt_version(iph1); @@ -1138,7 +1057,7 @@ agg_r1recv(iph1, msg) /* check SA payload and set approval SA for use */ if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "failed to get valid proposal.\n"); /* XXX send information */ goto end; @@ -1149,7 +1068,7 @@ agg_r1recv(iph1, msg) ; } - iph1->status = PHASE1ST_MSG1RECEIVED; + fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG1RCVD); error = 0; @@ -1165,10 +1084,7 @@ end: CONSTSTR("Responder, Aggressive-Mode Message 1"), CONSTSTR("Failed to process Aggressive-Mode Message 1")); } -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif + if (pbuf) vfree(pbuf); if (error) { @@ -1192,8 +1108,8 @@ end: * rev: HDR, SA, PubKey_i, Ke_r, Ke_r, HASH_R */ int -agg_r1send(iph1, msg) - struct ph1handle *iph1; +agg_r2send(iph1, msg) + phase1_handle_t *iph1; vchar_t *msg; { struct payload_list *plist = NULL; 
@@ -1216,17 +1132,10 @@ agg_r1send(iph1, msg) vchar_t *vid_frag = NULL; #endif -#ifdef HAVE_GSSAPI - int gsslen; - vchar_t *gsstoken = NULL, *gsshash = NULL; - vchar_t *gss_sa = NULL; - int free_gss_sa = 0; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_AGG_R_MSG1RCVD) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } @@ -1235,7 +1144,7 @@ agg_r1send(iph1, msg) /* make ID payload into isakmp status */ if (ipsecdoi_setid1(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set ID"); goto end; } @@ -1248,7 +1157,7 @@ agg_r1send(iph1, msg) if (oakley_dh_generate(iph1->rmconf->dhgrp, &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) { #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate DH"); goto end; } @@ -1256,7 +1165,7 @@ agg_r1send(iph1, msg) /* generate NONCE value */ iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); if (iph1->nonce == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate NONCE"); goto end; } 
@@ -1266,62 +1175,51 @@ agg_r1send(iph1, msg) if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { #else - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) { + if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) { #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute DH"); goto end; } /* generate SKEYIDs & IV & final cipher key */ if (oakley_skeyid(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate SKEYID"); goto end; } if (oakley_skeyid_dae(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate SKEYID-DAE"); goto end; } if (oakley_compute_enckey(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate ENCKEY"); goto end; } if (oakley_newiv(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate IV"); goto end; } -#ifdef HAVE_GSSAPI - if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) - gssapi_get_rtoken(iph1, &gsslen); -#endif - /* generate HASH to send */ - plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n"); + plog(ASL_LEVEL_DEBUG, "generate HASH_R\n"); iph1->hash = oakley_ph1hash_common(iph1, GENERATE); if (iph1->hash == NULL) { -#ifdef HAVE_GSSAPI - if (gssapi_more_tokens(iph1)) - isakmp_info_send_n1(iph1, - ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); -#endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate GSS HASH"); goto end; } /* create CR if need */ if (iph1->rmconf->send_cr - && oakley_needcr(iph1->approval->authmethod) - && iph1->rmconf->peerscertfile == NULL) { + && oakley_needcr(iph1->approval->authmethod)) { need_cr = 1; cr = oakley_getcr(iph1); if (cr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get CR.\n"); goto end; } 
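Review bot: The HASH_R failure message in agg_r2send still reads `"failed to generate GSS HASH"` even though this hunk removes every GSSAPI path around it, so the log now points operators at a mechanism that no longer exists; `plog(ASL_LEVEL_ERR, "failed to generate HASH_R\n");` matches the debug line just above it. Separately, the `send_cr` condition loses its `peerscertfile == NULL` clause without the "create CR if need" comment being updated, so the reader cannot tell whether requesting a CR while a peer certificate file is configured is intended; a one-line comment such as `/* request the peer's cert whenever CR is enabled for a cert-based auth method, even if a peerscertfile is configured */` would record that decision (inferred intent, worth confirming). agg_r2send's body continues outside this hunk.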
@@ -1334,15 +1232,15 @@ agg_r1send(iph1, msg) vid_natt = set_vendorid(iph1->natt_options->version); /* generate NAT-D payloads */ - plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); + plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n"); if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); goto end; } if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); goto end; } @@ -1360,7 +1258,7 @@ agg_r1send(iph1, msg) vid_frag = isakmp_frag_addcap(vid_frag, VENDORID_FRAG_AGG); if (vid_frag == NULL) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Frag vendorID construction failed\n"); } #endif @@ -1390,24 +1288,21 @@ agg_r1send(iph1, msg) if (need_cr) plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR); break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: case OAKLEY_ATTR_AUTH_METHOD_RSASIG: #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: #endif /* XXX if there is CR or not ? */ if (oakley_getmycert(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get mycert"); goto end; } if (oakley_getsign(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get sign"); goto end; } 
@@ -1447,67 +1342,13 @@ agg_r1send(iph1, msg) case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: #endif break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - /* create buffer to send isakmp payload */ - gsshash = gssapi_wraphash(iph1); - if (gsshash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to generate GSS HASH\n"); - /* - * This is probably due to the GSS - * roundtrips not being finished yet. - * Return this error in the hope that - * a fallback to main mode will be done. - */ - isakmp_info_send_n1(iph1, - ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); - goto end; - } - if (iph1->approval->gssid != NULL) - gss_sa = - ipsecdoi_setph1proposal(iph1->approval); - else - gss_sa = iph1->sa_ret; - - if (gss_sa != iph1->sa_ret) - free_gss_sa = 1; - - /* set SA payload to reply */ - plist = isakmp_plist_append(plist, - gss_sa, ISAKMP_NPTYPE_SA); - - /* create isakmp KE payload */ - plist = isakmp_plist_append(plist, - iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* create isakmp NONCE payload */ - plist = isakmp_plist_append(plist, - iph1->nonce, ISAKMP_NPTYPE_NONCE); - - /* create isakmp ID payload */ - plist = isakmp_plist_append(plist, - iph1->id, ISAKMP_NPTYPE_ID); - - /* create GSS payload */ - gssapi_get_token_to_send(iph1, &gsstoken); - plist = isakmp_plist_append(plist, - gsstoken, ISAKMP_NPTYPE_GSS); - - /* create isakmp HASH payload */ - plist = isakmp_plist_append(plist, - gsshash, ISAKMP_NPTYPE_HASH); - - /* append vendor id, if needed */ - break; -#endif } #ifdef ENABLE_HYBRID if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { - plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); + plog (ASL_LEVEL_INFO, "Adding xauth VID payload.\n"); if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot create Xauth vendor ID\n"); goto end; } 
@@ -1517,7 +1358,7 @@ agg_r1send(iph1, msg) if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot create Unity vendor ID\n"); goto end; } @@ -1563,20 +1404,20 @@ agg_r1send(iph1, msg) /* send the packet, add to the schedule to resend */ iph1->retry_counter = iph1->rmconf->retry_counter; if (isakmp_ph1resend(iph1) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + plog(ASL_LEVEL_ERR , "failed to send packet"); goto end; } /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, + PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); goto end; } - iph1->status = PHASE1ST_MSG1SENT; + fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG2SENT); #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL); @@ -1604,14 +1445,6 @@ end: if (unity_vid) vfree(unity_vid); #endif -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); - if (gsshash) - vfree(gsshash); - if (free_gss_sa) - vfree(gss_sa); -#endif #ifdef ENABLE_NATT if (vid_natt) vfree(vid_natt); @@ -1641,8 +1474,8 @@ end: * rev: HDR, HASH_I */ int -agg_r2recv(iph1, msg0) - struct ph1handle *iph1; +agg_r3recv(iph1, msg0) + phase1_handle_t *iph1; vchar_t *msg0; { vchar_t *msg = NULL; 
@@ -1656,10 +1489,10 @@ agg_r2recv(iph1, msg0) #endif int received_cert = 0; - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_AGG_R_MSG2SENT) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } @@ -1669,7 +1502,7 @@ agg_r2recv(iph1, msg0) msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive); if (msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to decrypt msg"); goto end; } @@ -1679,7 +1512,7 @@ agg_r2recv(iph1, msg0) /* validate the type of next payload */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); goto end; } @@ -1699,7 +1532,7 @@ agg_r2recv(iph1, msg0) break; case ISAKMP_NPTYPE_CERT: if (oakley_savecert(iph1, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process CERT payload"); goto end; } @@ -1707,7 +1540,7 @@ agg_r2recv(iph1, msg0) break; case ISAKMP_NPTYPE_SIG: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process SIG payload"); goto end; } @@ -1726,7 +1559,7 @@ agg_r2recv(iph1, msg0) int natd_verified; if (isakmp_p2ph (&natd_received, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process NATD payload"); goto end; } @@ -1737,7 +1570,7 @@ agg_r2recv(iph1, msg0) natd_verified = natt_compare_addr_hash (iph1, natd_received, natd_seq++); - plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", + plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n", natd_seq - 1, natd_verified ? "verified" : "doesn't match"); 
@@ -1751,7 +1584,7 @@ agg_r2recv(iph1, msg0) default: /* don't send information, see isakmp_ident_r1() */ - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); @@ -1761,7 +1594,7 @@ agg_r2recv(iph1, msg0) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) - plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", + plog (ASL_LEVEL_INFO, "NAT %s %s%s\n", iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", @@ -1783,8 +1616,6 @@ agg_r2recv(iph1, msg0) /* message printed inner oakley_validate_auth() */ goto end; } - EVT_PUSH(iph1->local, iph1->remote, - EVTT_PEERPH1AUTH_FAILED, NULL); isakmp_info_send_n1(iph1, ptype, NULL); goto end; } @@ -1793,7 +1624,7 @@ agg_r2recv(iph1, msg0) CONSTSTR("Responder, Aggressive-Mode Message 3"), CONSTSTR(NULL)); - iph1->status = PHASE1ST_MSG2RECEIVED; + fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG3RCVD); error = 0; @@ -1828,16 +1659,16 @@ end: * status update and establish isakmp sa. */ int -agg_r2send(iph1, msg) - struct ph1handle *iph1; +agg_rfinalize(iph1, msg) + phase1_handle_t *iph1; vchar_t *msg; { int error = -1; - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_AGG_R_MSG3RCVD) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } @@ -1849,7 +1680,7 @@ agg_r2send(iph1, msg) /* set encryption flag */ iph1->flags |= ISAKMP_FLAG_E; - iph1->status = PHASE1ST_ESTABLISHED; + fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED); IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC, diff --git a/ipsec-tools/racoon/isakmp_agg.h b/ipsec-tools/racoon/isakmp_agg.h index 8bf35ed..338dae4 100644 --- a/ipsec-tools/racoon/isakmp_agg.h +++ b/ipsec-tools/racoon/isakmp_agg.h 
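Review bot: In agg_r3recv the peer-authentication-failure branch now only sends the notification and jumps to `end`, with no local record of the failure in the hunk itself after the `EVT_PUSH` is removed; if the event subsystem was retired project-wide (inferred from this commit), it is worth confirming that the failure trace emitted at `end:` (outside this hunk) distinguishes an authentication failure from a parse failure, since repeated authentication failures are the signal an operator most needs to see. If it does not, a single `plog(ASL_LEVEL_ERR, "peer authentication failed, notify type %d\n", ptype);` before the `isakmp_info_send_n1` call would preserve that visibility. The enclosing function begins and ends outside this hunk.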
@@ -32,13 +32,15 @@ #ifndef _ISAKMP_AGG_H #define _ISAKMP_AGG_H -extern int agg_i1send __P((struct ph1handle *, vchar_t *)); -extern int agg_i2recv __P((struct ph1handle *, vchar_t *)); -extern int agg_i2send __P((struct ph1handle *, vchar_t *)); +#include "racoon_types.h" -extern int agg_r1recv __P((struct ph1handle *, vchar_t *)); -extern int agg_r1send __P((struct ph1handle *, vchar_t *)); -extern int agg_r2recv __P((struct ph1handle *, vchar_t *)); -extern int agg_r2send __P((struct ph1handle *, vchar_t *)); +extern int agg_i1send (phase1_handle_t *, vchar_t *); +extern int agg_i2recv (phase1_handle_t *, vchar_t *); +extern int agg_i3send (phase1_handle_t *, vchar_t *); + +extern int agg_r1recv (phase1_handle_t *, vchar_t *); +extern int agg_r2send (phase1_handle_t *, vchar_t *); +extern int agg_r3recv (phase1_handle_t *, vchar_t *); +extern int agg_rfinalize (phase1_handle_t *, vchar_t *); #endif /* _ISAKMP_AGG_H */ diff --git a/ipsec-tools/racoon/isakmp_base.c b/ipsec-tools/racoon/isakmp_base.c deleted file mode 100644 index 45e42ee..0000000 --- a/ipsec-tools/racoon/isakmp_base.c +++ /dev/null 
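Review bot: The renamed prototypes carry no documentation of the Aggressive-Mode state each handler requires, even though every implementation in isakmp_agg.c now refuses to run unless `iph1->status` holds a specific `IKEV1_STATE_AGG_*` value, and the old/new numbering (agg_i2send became agg_i3send, agg_r1send became agg_r2send) makes that contract easy to get wrong at a call site. A one-line comment per declaration, e.g. `/* responder message 2: requires IKEV1_STATE_AGG_R_MSG1RCVD, leaves IKEV1_STATE_AGG_R_MSG2SENT */` on agg_r2send, would document the state machine at the interface. The header now includes only racoon_types.h; whether that also brings `vchar_t` into scope cannot be seen here and should be confirmed.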
@@ -1,1523 +0,0 @@ -/* $NetBSD: isakmp_base.c,v 1.7 2006/10/02 21:51:33 manu Exp $ */ - -/* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* Base Exchange (Base Mode) */ - -#include "config.h" - -#include -#include - -#include -#include -#include -#include -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "schedule.h" -#include "debug.h" - -#ifdef ENABLE_HYBRID -#include -#endif - -#include "localconf.h" -#include "remoteconf.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "evt.h" -#include "oakley.h" -#include "handler.h" -#include "ipsec_doi.h" -#include "crypto_openssl.h" -#include "pfkey.h" -#include "isakmp_base.h" -#include "isakmp_inf.h" -#include "vendorid.h" -#ifdef ENABLE_NATT -#include "nattraversal.h" -#endif -#ifdef ENABLE_FRAG -#include "isakmp_frag.h" -#endif -#ifdef ENABLE_HYBRID -#include "isakmp_xauth.h" -#include "isakmp_cfg.h" -#endif -#include "vpn_control.h" -#include "vpn_control_var.h" -#ifndef HAVE_OPENSSL -#include -#endif - -/* %%% - * begin Identity Protection Mode as initiator. 
- */ -/* - * send to responder - * psk: HDR, SA, Idii, Ni_b - * sig: HDR, SA, Idii, Ni_b - * rsa: HDR, SA, [HASH(1),] Pubkey_r, Pubkey_r - * rev: HDR, SA, [HASH(1),] Pubkey_r, Ke_i - */ -int -base_i1send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; /* must be null */ -{ - struct payload_list *plist = NULL; - int error = -1; -#ifdef ENABLE_NATT - vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; - int i, vid_natt_i = 0; -#endif -#ifdef ENABLE_FRAG - vchar_t *vid_frag = NULL; -#endif -#ifdef ENABLE_HYBRID - vchar_t *vid_xauth = NULL; - vchar_t *vid_unity = NULL; -#endif -#ifdef ENABLE_DPD - vchar_t *vid_dpd = NULL; -#endif - - - /* validity check */ - if (msg != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "msg has to be NULL in this function.\n"); - goto end; - } - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* create isakmp index */ - memset(&iph1->index, 0, sizeof(iph1->index)); - isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); - - /* make ID payload into isakmp status */ - if (ipsecdoi_setid1(iph1) < 0) - goto end; - - /* create SA payload for my proposal */ - iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); - if (iph1->sa == NULL) - goto end; - - /* generate NONCE value */ - iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); - if (iph1->nonce == NULL) - goto end; - -#ifdef ENABLE_HYBRID - /* Do we need Xauth VID? 
*/ - switch (RMAUTHMETHOD(iph1)) { - case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: - if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) - plog(LLV_ERROR, LOCATION, NULL, - "Xauth vendor ID generation failed\n"); - - if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) - plog(LLV_ERROR, LOCATION, NULL, - "Unity vendor ID generation failed\n"); - break; - default: - break; - } -#endif -#ifdef ENABLE_FRAG - if (iph1->rmconf->ike_frag) { - vid_frag = set_vendorid(VENDORID_FRAG); - if (vid_frag != NULL) - vid_frag = isakmp_frag_addcap(vid_frag, - VENDORID_FRAG_BASE); - if (vid_frag == NULL) - plog(LLV_ERROR, LOCATION, NULL, - "Frag vendorID construction failed\n"); - } -#endif -#ifdef ENABLE_NATT - /* Is NAT-T support allowed in the config file? 
*/ - if (iph1->rmconf->nat_traversal) { - /* Advertise NAT-T capability */ - memset (vid_natt, 0, sizeof (vid_natt)); -#ifdef VENDORID_NATT_00 - if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL) - vid_natt_i++; -#endif -#ifdef VENDORID_NATT_02 - if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL) - vid_natt_i++; -#endif -#ifdef VENDORID_NATT_02_N - if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL) - vid_natt_i++; -#endif -#ifdef VENDORID_NATT_RFC - if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL) - vid_natt_i++; -#endif - } -#endif - - /* set SA payload to propose */ - plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); - - /* create isakmp ID payload */ - plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); - - /* create isakmp NONCE payload */ - plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); - -#ifdef ENABLE_FRAG - if (vid_frag) - plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); -#endif -#ifdef ENABLE_HYBRID - if (vid_xauth) - plist = isakmp_plist_append(plist, - vid_xauth, ISAKMP_NPTYPE_VID); - if (vid_unity) - plist = isakmp_plist_append(plist, - vid_unity, ISAKMP_NPTYPE_VID); -#endif -#ifdef ENABLE_DPD - if (iph1->rmconf->dpd) { - vid_dpd = set_vendorid(VENDORID_DPD); - if (vid_dpd != NULL) - plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); - } -#endif -#ifdef ENABLE_NATT - /* set VID payload for NAT-T */ - for (i = 0; i < vid_natt_i; i++) - plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID); -#endif - iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); - - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - iph1->status = PHASE1ST_MSG1SENT; - - error = 0; - -end: -#ifdef 
ENABLE_FRAG - if (vid_frag) - vfree(vid_frag); -#endif -#ifdef ENABLE_NATT - for (i = 0; i < vid_natt_i; i++) - vfree(vid_natt[i]); -#endif -#ifdef ENABLE_HYBRID - if (vid_xauth != NULL) - vfree(vid_xauth); - if (vid_unity != NULL) - vfree(vid_unity); -#endif -#ifdef ENABLE_DPD - if (vid_dpd != NULL) - vfree(vid_dpd); -#endif - - return error; -} - -/* - * receive from responder - * psk: HDR, SA, Idir, Nr_b - * sig: HDR, SA, Idir, Nr_b, [ CR ] - * rsa: HDR, SA, PubKey_i, PubKey_i - * rev: HDR, SA, PubKey_i, Ke_r - */ -int -base_i2recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - vchar_t *satmp = NULL; - int error = -1; - int vid_numeric; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; - - /* SA payload is fixed postion */ - if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_SA); - goto end; - } - if (isakmp_p2ph(&satmp, pa->ptr) < 0) - goto end; - pa++; - - for (/*nothing*/; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_NONCE: - if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_ID: - if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_VID: - vid_numeric = check_vendorid(pa->ptr); -#ifdef ENABLE_NATT - if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric)) - natt_handle_vendorid(iph1, vid_numeric); -#endif -#ifdef ENABLE_HYBRID - switch (vid_numeric) { - case VENDORID_XAUTH: - iph1->mode_cfg->flags |= - ISAKMP_CFG_VENDORID_XAUTH; - break; - - case VENDORID_UNITY: - iph1->mode_cfg->flags |= - 
ISAKMP_CFG_VENDORID_UNITY; - break; - - default: - break; - } -#endif -#ifdef ENABLE_DPD - if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) { - iph1->dpd_support=1; - plog(LLV_DEBUG, LOCATION, NULL, - "remote supports DPD\n"); - } -#endif -#ifdef ENABLE_FRAG - if ((vid_numeric == VENDORID_FRAG) && - (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) { - plog(LLV_DEBUG, LOCATION, NULL, - "remote supports FRAGMENTATION\n"); - iph1->frag = 1; - } -#endif - break; - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - if (iph1->nonce_p == NULL || iph1->id_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "few isakmp message received.\n"); - goto end; - } - - /* verify identifier */ - if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid ID payload.\n"); - goto end; - } - -#ifdef ENABLE_NATT - if (NATT_AVAILABLE(iph1)) { - plog(LLV_INFO, LOCATION, iph1->remote, - "Selected NAT-T version: %s\n", - vid_string_by_id(iph1->natt_options->version)); - ike_session_update_natt_version(iph1); - } -#endif - - /* check SA payload and set approval SA for use */ - if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to get valid proposal.\n"); - /* XXX send information */ - goto end; - } - VPTRINIT(iph1->sa_ret); - - iph1->status = PHASE1ST_MSG2RECEIVED; - -#ifdef ENABLE_VPNCONTROL_PORT - vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL); -#endif - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - if (satmp) - vfree(satmp); - - if (error) { - VPTRINIT(iph1->nonce_p); - VPTRINIT(iph1->id_p); - } - - return error; -} - -/* - * send to responder - * psk: HDR, KE, HASH_I - * sig: HDR, KE, [ CR, ] [CERT,] SIG_I - * rsa: HDR, KE, HASH_I - * rev: HDR, Ke_i, HASH_I - */ -int -base_i2send(iph1, msg) - struct ph1handle *iph1; - vchar_t 
*msg; -{ - struct payload_list *plist = NULL; - vchar_t *vid = NULL; - int need_cert = 0; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* fix isakmp index */ - memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, - sizeof(cookie_t)); - - /* generate DH public value */ -#ifdef HAVE_OPENSSL - if (oakley_dh_generate(iph1->approval->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) -#else - if (oakley_dh_generate(iph1->approval->dhgrp, - &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) -#endif - goto end; - - /* generate SKEYID to compute hash if not signature mode */ - switch (AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: -#endif - break; - default: - if (oakley_skeyid(iph1) < 0) - goto end; - break; - } - - /* generate HASH to send */ - plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); - iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE); - if (iph1->hash == NULL) - goto end; - switch (AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: -#ifdef ENABLE_HYBRID - case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: -#endif - vid = set_vendorid(iph1->approval->vendorid); - - /* create isakmp KE payload */ - plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* create isakmp HASH payload */ - plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); - - /* append vendor id, if needed */ - if (vid) - plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID); - break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case 
OAKLEY_ATTR_AUTH_METHOD_RSASIG: -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: -#endif - /* XXX if there is CR or not ? */ - - if (oakley_getmycert(iph1) < 0) - goto end; - - if (oakley_getsign(iph1) < 0) - goto end; - - if (iph1->cert && iph1->rmconf->send_cert) - need_cert = 1; - - /* create isakmp KE payload */ - plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* add CERT payload if there */ - if (need_cert) - plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT); - - /* add SIG payload */ - plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG); - break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - /* ... */ - break; -#endif - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: -#endif - break; - } - -#ifdef ENABLE_NATT - /* generate NAT-D payloads */ - if (NATT_AVAILABLE(iph1)) - { - vchar_t *natd[2] = { NULL, NULL }; - - plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); - if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); - goto end; - } - - if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); - goto end; - } - - /* old Apple version sends natd payloads in the wrong order */ - if (iph1->natt_options->version == VENDORID_NATT_APPLE) { - plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); - plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); - } else - { - plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); - plist = 
isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); - } - } -#endif - - iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - iph1->status = PHASE1ST_MSG2SENT; - - error = 0; - -end: - if (vid) - vfree(vid); - return error; -} - -/* - * receive from responder - * psk: HDR, KE, HASH_R - * sig: HDR, KE, [CERT,] SIG_R - * rsa: HDR, KE, HASH_R - * rev: HDR, _Ke_r, HASH_R - */ -int -base_i3recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; - int ptype; -#ifdef ENABLE_NATT - vchar_t *natd_received; - int natd_seq = 0, natd_verified; -#endif - int received_cert = 0; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_KE: - if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_HASH: - iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; - break; - case ISAKMP_NPTYPE_CERT: - if (oakley_savecert(iph1, pa->ptr) < 0) - goto end; - received_cert = 1; - break; - case ISAKMP_NPTYPE_SIG: - if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) - goto end; - 
break; - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - -#ifdef ENABLE_NATT - case ISAKMP_NPTYPE_NATD_DRAFT: - case ISAKMP_NPTYPE_NATD_RFC: - case ISAKMP_NPTYPE_NATD_BADDRAFT: - if (NATT_AVAILABLE(iph1) && iph1->natt_options && - pa->type == iph1->natt_options->payload_nat_d) { - natd_received = NULL; - if (isakmp_p2ph (&natd_received, pa->ptr) < 0) - goto end; - - /* set both bits first so that we can clear them - upon verifying hashes */ - if (natd_seq == 0) - iph1->natt_flags |= NAT_DETECTED; - - /* this function will clear appropriate bits bits - from iph1->natt_flags */ - natd_verified = natt_compare_addr_hash (iph1, - natd_received, natd_seq++); - - plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", - natd_seq - 1, - natd_verified ? "verified" : "doesn't match"); - - vfree (natd_received); - break; - } - /* %%%% Be lenient here - some servers send natd payloads */ - /* when no nat is detected */ - break; -#endif - - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - -#ifdef ENABLE_NATT - if (NATT_AVAILABLE(iph1)) { - plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", - iph1->natt_flags & NAT_DETECTED ? - "detected:" : "not detected", - iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", - iph1->natt_flags & NAT_DETECTED_PEER ? 
"PEER" : ""); - if (iph1->natt_flags & NAT_DETECTED) - natt_float_ports (iph1); - } -#endif - - if (received_cert) { - oakley_verify_certid(iph1); - } - - /* payload existency check */ - /* validate authentication value */ - ptype = oakley_validate_auth(iph1); - if (ptype != 0) { - if (ptype == -1) { - /* message printed inner oakley_validate_auth() */ - goto end; - } - EVT_PUSH(iph1->local, iph1->remote, - EVTT_PEERPH1AUTH_FAILED, NULL); - isakmp_info_send_n1(iph1, ptype, NULL); - goto end; - } - - /* compute sharing secret of DH */ -#ifdef HAVE_OPENSSL - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) -#else - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) -#endif - goto end; - - /* generate SKEYID to compute hash if signature mode */ - switch (AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: -#endif - if (oakley_skeyid(iph1) < 0) - goto end; - break; - default: - break; - } - - /* generate SKEYIDs & IV & final cipher key */ - if (oakley_skeyid_dae(iph1) < 0) - goto end; - if (oakley_compute_enckey(iph1) < 0) - goto end; - if (oakley_newiv(iph1) < 0) - goto end; - - /* see handler.h about IV synchronization. 
*/ - memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); - - /* set encryption flag */ - iph1->flags |= ISAKMP_FLAG_E; - - iph1->status = PHASE1ST_MSG3RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - - if (error) { - VPTRINIT(iph1->dhpub_p); - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - oakley_delcert(iph1->crl_p); - iph1->crl_p = NULL; - VPTRINIT(iph1->sig_p); - } - - return error; -} - -/* - * status update and establish isakmp sa. - */ -int -base_i3send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG3RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - iph1->status = PHASE1ST_ESTABLISHED; - - error = 0; - -end: - return error; -} - -/* - * receive from initiator - * psk: HDR, SA, Idii, Ni_b - * sig: HDR, SA, Idii, Ni_b - * rsa: HDR, SA, [HASH(1),] Pubkey_r, Pubkey_r - * rev: HDR, SA, [HASH(1),] Pubkey_r, Ke_i - */ -int -base_r1recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; - int vid_numeric; - - /* validity check */ - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - /* - * NOTE: XXX even if multiple VID, we'll silently ignore those. 
- */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; - - /* check the position of SA payload */ - if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_SA); - goto end; - } - if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) - goto end; - pa++; - - for (/*nothing*/; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_NONCE: - if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_ID: - if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_VID: - vid_numeric = check_vendorid(pa->ptr); -#ifdef ENABLE_NATT - if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric)) - natt_handle_vendorid(iph1, vid_numeric); -#endif -#ifdef ENABLE_HYBRID - switch (vid_numeric) { - case VENDORID_XAUTH: - iph1->mode_cfg->flags |= - ISAKMP_CFG_VENDORID_XAUTH; - break; - - case VENDORID_UNITY: - iph1->mode_cfg->flags |= - ISAKMP_CFG_VENDORID_UNITY; - break; - - default: - break; - } -#endif -#ifdef ENABLE_DPD - if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) { - iph1->dpd_support=1; - plog(LLV_DEBUG, LOCATION, NULL, - "remote supports DPD\n"); - } -#endif -#ifdef ENABLE_FRAG - if ((vid_numeric == VENDORID_FRAG) && - (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) { - plog(LLV_DEBUG, LOCATION, NULL, - "remote supports FRAGMENTATION\n"); - iph1->frag = 1; - } -#endif - break; - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - if (iph1->nonce_p == NULL || iph1->id_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "few isakmp message received.\n"); - goto end; - } - - /* verify identifier */ - if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, 
LOCATION, iph1->remote, - "invalid ID payload.\n"); - goto end; - } - -#ifdef ENABLE_NATT - if (NATT_AVAILABLE(iph1)) { - plog(LLV_INFO, LOCATION, iph1->remote, - "Selected NAT-T version: %s\n", - vid_string_by_id(iph1->natt_options->version)); - ike_session_update_natt_version(iph1); - } -#endif - - /* check SA payload and set approval SA for use */ - if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to get valid proposal.\n"); - /* XXX send information */ - goto end; - } - - iph1->status = PHASE1ST_MSG1RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - - if (error) { - VPTRINIT(iph1->sa); - VPTRINIT(iph1->nonce_p); - VPTRINIT(iph1->id_p); - } - - return error; -} - -/* - * send to initiator - * psk: HDR, SA, Idir, Nr_b - * sig: HDR, SA, Idir, Nr_b, [ CR ] - * rsa: HDR, SA, PubKey_i, PubKey_i - * rev: HDR, SA, PubKey_i, Ke_r - */ -int -base_r1send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct payload_list *plist = NULL; - int error = -1; -#ifdef ENABLE_NATT - vchar_t *vid_natt = NULL; -#endif -#ifdef ENABLE_HYBRID - vchar_t *vid_xauth = NULL; - vchar_t *vid_unity = NULL; -#endif -#ifdef ENABLE_FRAG - vchar_t *vid_frag = NULL; -#endif -#ifdef ENABLE_DPD - vchar_t *vid_dpd = NULL; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* set responder's cookie */ - isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); - - /* make ID payload into isakmp status */ - if (ipsecdoi_setid1(iph1) < 0) - goto end; - - /* generate NONCE value */ - iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); - if (iph1->nonce == NULL) - goto end; - - /* set SA payload to reply */ - plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA); - - /* create isakmp ID payload */ - plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); - - /* 
create isakmp NONCE payload */ - plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); - -#ifdef ENABLE_NATT - /* has the peer announced nat-t? */ - if (NATT_AVAILABLE(iph1)) - vid_natt = set_vendorid(iph1->natt_options->version); - if (vid_natt) - plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); -#endif -#ifdef ENABLE_HYBRID - if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { - plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); - if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot create Xauth vendor ID\n"); - goto end; - } - plist = isakmp_plist_append(plist, - vid_xauth, ISAKMP_NPTYPE_VID); - } - - if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { - if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot create Unity vendor ID\n"); - goto end; - } - plist = isakmp_plist_append(plist, - vid_unity, ISAKMP_NPTYPE_VID); - } -#endif -#ifdef ENABLE_DPD - /* - * Only send DPD support if remote announced DPD - * and if DPD support is active - */ - if (iph1->dpd_support && iph1->rmconf->dpd) { - if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "DPD vendorID construction failed\n"); - } else { - plist = isakmp_plist_append(plist, vid_dpd, - ISAKMP_NPTYPE_VID); - } - } -#endif -#ifdef ENABLE_FRAG - if (iph1->rmconf->ike_frag) { - if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Frag vendorID construction failed\n"); - } else { - vid_frag = isakmp_frag_addcap(vid_frag, - VENDORID_FRAG_BASE); - plist = isakmp_plist_append(plist, - vid_frag, ISAKMP_NPTYPE_VID); - } - } -#endif - - iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = 
iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) { - iph1 = NULL; - goto end; - } - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - iph1->status = PHASE1ST_MSG1SENT; - -#ifdef ENABLE_VPNCONTROL_PORT - vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL); -#endif - - error = 0; - -end: -#ifdef ENABLE_NATT - if (vid_natt) - vfree(vid_natt); -#endif -#ifdef ENABLE_HYBRID - if (vid_xauth != NULL) - vfree(vid_xauth); - if (vid_unity != NULL) - vfree(vid_unity); -#endif -#ifdef ENABLE_FRAG - if (vid_frag) - vfree(vid_frag); -#endif -#ifdef ENABLE_DPD - if (vid_dpd) - vfree(vid_dpd); -#endif - - if (iph1 != NULL) - VPTRINIT(iph1->sa_ret); - - return error; -} - -/* - * receive from initiator - * psk: HDR, KE, HASH_I - * sig: HDR, KE, [ CR, ] [CERT,] SIG_I - * rsa: HDR, KE, HASH_I - * rev: HDR, Ke_i, HASH_I - */ -int -base_r2recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; - int ptype; -#ifdef ENABLE_NATT - int natd_seq = 0; -#endif - int received_cert = 0; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - iph1->pl_hash = NULL; - - for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_KE: - if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_HASH: - iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; - break; - case ISAKMP_NPTYPE_CERT: - if (oakley_savecert(iph1, pa->ptr) < 0) - goto end; - 
received_cert = 1; - break; - case ISAKMP_NPTYPE_SIG: - if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - -#ifdef ENABLE_NATT - case ISAKMP_NPTYPE_NATD_DRAFT: - case ISAKMP_NPTYPE_NATD_RFC: - case ISAKMP_NPTYPE_NATD_BADDRAFT: - if (pa->type == iph1->natt_options->payload_nat_d) - { - vchar_t *natd_received = NULL; - int natd_verified; - - if (isakmp_p2ph (&natd_received, pa->ptr) < 0) - goto end; - - if (natd_seq == 0) - iph1->natt_flags |= NAT_DETECTED; - - natd_verified = natt_compare_addr_hash (iph1, - natd_received, natd_seq++); - - plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", - natd_seq - 1, - natd_verified ? "verified" : "doesn't match"); - - vfree (natd_received); - break; - } - /* %%%% Be lenient here - some servers send natd payloads */ - /* when no nat is detected */ - break; -#endif - - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - if (received_cert) { - oakley_verify_certid(iph1); - } - - /* generate DH public value */ -#ifdef HAVE_OPENSSL - if (oakley_dh_generate(iph1->approval->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) -#else - if (oakley_dh_generate(iph1->approval->dhgrp, - &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) -#endif - goto end; - - /* compute sharing secret of DH */ -#ifdef HAVE_OPENSSL - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) -#else - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) -#endif - goto end; - - /* generate SKEYID */ - if (oakley_skeyid(iph1) < 0) - goto end; - -#ifdef ENABLE_NATT - if (NATT_AVAILABLE(iph1)) - plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", - iph1->natt_flags & NAT_DETECTED ? 
- "detected:" : "not detected", - iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", - iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); -#endif - - /* payload existency check */ - /* validate authentication value */ - ptype = oakley_validate_auth(iph1); - if (ptype != 0) { - if (ptype == -1) { - /* message printed inner oakley_validate_auth() */ - goto end; - } - EVT_PUSH(iph1->local, iph1->remote, - EVTT_PEERPH1AUTH_FAILED, NULL); - isakmp_info_send_n1(iph1, ptype, NULL); - goto end; - } - - iph1->status = PHASE1ST_MSG2RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - - if (error) { - VPTRINIT(iph1->dhpub_p); - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - oakley_delcert(iph1->crl_p); - iph1->crl_p = NULL; - VPTRINIT(iph1->sig_p); - } - - return error; -} - -/* - * send to initiator - * psk: HDR, KE, HASH_R - * sig: HDR, KE, [CERT,] SIG_R - * rsa: HDR, KE, HASH_R - * rev: HDR, _Ke_r, HASH_R - */ -int -base_r2send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct payload_list *plist = NULL; - vchar_t *vid = NULL; - int need_cert = 0; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* generate HASH to send */ - plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); - switch (AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: -#endif - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: -#endif - iph1->hash = oakley_ph1hash_common(iph1, GENERATE); - break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case 
OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: -#endif -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: -#endif - iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE); - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid authentication method %d\n", - iph1->approval->authmethod); - goto end; - } - if (iph1->hash == NULL) - goto end; - - switch (AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: -#endif - vid = set_vendorid(iph1->approval->vendorid); - - /* create isakmp KE payload */ - plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* create isakmp HASH payload */ - plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); - - /* append vendor id, if needed */ - if (vid) - plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID); - break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: -#endif - /* XXX if there is CR or not ? */ - - if (oakley_getmycert(iph1) < 0) - goto end; - - if (oakley_getsign(iph1) < 0) - goto end; - - if (iph1->cert && iph1->rmconf->send_cert) - need_cert = 1; - - /* create isakmp KE payload */ - plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* add CERT payload if there */ - if (need_cert) - plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT); - /* add SIG payload */ - plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG); - break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - /* ... 
*/ - break; -#endif - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: -#ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: -#endif - break; - } - -#ifdef ENABLE_NATT - /* generate NAT-D payloads */ - if (NATT_AVAILABLE(iph1)) { - vchar_t *natd[2] = { NULL, NULL }; - - plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); - if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); - goto end; - } - - if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); - goto end; - } - - /* old Apple version sends natd payloads in the wrong order */ - if (iph1->natt_options->version == VENDORID_NATT_APPLE) { - plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); - plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); - } else - { - plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); - plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); - } - } -#endif - - iph1->sendbuf = isakmp_plist_set_all(&plist, iph1); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send HDR;KE;NONCE to responder */ - if (isakmp_send(iph1, iph1->sendbuf) < 0) - goto end; - - /* the sending message is added to the received-list. 
*/ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - /* generate SKEYIDs & IV & final cipher key */ - if (oakley_skeyid_dae(iph1) < 0) - goto end; - if (oakley_compute_enckey(iph1) < 0) - goto end; - if (oakley_newiv(iph1) < 0) - goto end; - - /* set encryption flag */ - iph1->flags |= ISAKMP_FLAG_E; - - iph1->status = PHASE1ST_ESTABLISHED; - - error = 0; - -end: - if (vid) - vfree(vid); - return error; -} diff --git a/ipsec-tools/racoon/isakmp_base.h b/ipsec-tools/racoon/isakmp_base.h deleted file mode 100644 index d6ecd63..0000000 --- a/ipsec-tools/racoon/isakmp_base.h +++ /dev/null 
@@ -1,46 +0,0 @@
-/* $Id: isakmp_base.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ISAKMP_BASE_H
-#define _ISAKMP_BASE_H
-
-extern int base_i1send __P((struct ph1handle *, vchar_t *));
-extern int base_i2recv __P((struct ph1handle *, vchar_t *));
-extern int base_i2send __P((struct ph1handle *, vchar_t *));
-extern int base_i3recv __P((struct ph1handle *, vchar_t *));
-extern int base_i3send __P((struct ph1handle *, vchar_t *));
-
-extern int base_r1recv __P((struct ph1handle *, vchar_t *));
-extern int base_r1send __P((struct ph1handle *, vchar_t *));
-extern int base_r2recv __P((struct ph1handle *, vchar_t *));
-extern int base_r2send __P((struct ph1handle *, vchar_t *));
-
-#endif /* _ISAKMP_BASE_H */
diff --git a/ipsec-tools/racoon/isakmp_cfg.c b/ipsec-tools/racoon/isakmp_cfg.c
index 81c03d8..6d0af82 100644
--- a/ipsec-tools/racoon/isakmp_cfg.c
+++ b/ipsec-tools/racoon/isakmp_cfg.c
@@ -76,11 +76,6 @@
 #include
 #include
-#ifdef HAVE_LIBRADIUS
-#include
-#include
-#endif
-
 #include "var.h"
 #include "misc.h"
 #include "vmbuf.h"
@@ -88,11 +83,11 @@
 #include "sockmisc.h"
 #include "schedule.h"
 #include "debug.h"
+#include "fsm.h"
 #include "isakmp_var.h"
 #include "isakmp.h"
 #include "handler.h"
-#include "evt.h"
 #include "throttle.h"
 #include "remoteconf.h"
 #include "localconf.h"
@@ -102,8 +97,6 @@
 #include "isakmp_unity.h"
 #include "isakmp_cfg.h"
 #include "strnames.h"
-#include "admin.h"
-#include "privsep.h"
 #include "vpn_control.h"
 #include "vpn_control_var.h"
 #include "ike_session.h"
@@ -113,27 +106,23 @@ struct isakmp_cfg_config isakmp_cfg_config;
-static vchar_t *buffer_cat(vchar_t *s, vchar_t *append);
-static vchar_t *isakmp_cfg_net(struct ph1handle *, struct isakmp_data *);
+static vchar_t *buffer_cat (vchar_t *s, vchar_t *append);
+static vchar_t *isakmp_cfg_net (phase1_handle_t *, struct isakmp_data *);
 #if 0
-static vchar_t *isakmp_cfg_void(struct ph1handle *, struct isakmp_data *);
+static vchar_t *isakmp_cfg_void (phase1_handle_t *, struct isakmp_data *);
 #endif
-static vchar_t *isakmp_cfg_addr4(struct ph1handle *,
+static vchar_t *isakmp_cfg_addr4 (phase1_handle_t *,
 struct isakmp_data *, in_addr_t *);
-static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *);
-static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *,
+static void isakmp_cfg_getaddr4 (struct isakmp_data *, struct in_addr *);
+static vchar_t *isakmp_cfg_addr4_list (phase1_handle_t *,
 struct isakmp_data *, in_addr_t *, int);
-static void isakmp_cfg_appendaddr4(struct isakmp_data *,
+static void isakmp_cfg_appendaddr4 (struct isakmp_data *,
 struct in_addr *, int *, int);
-static void isakmp_cfg_getstring(struct isakmp_data *,char *);
-void isakmp_cfg_iplist_to_str(char *, int, void *, int);
+static void isakmp_cfg_getstring (struct isakmp_data *,char *);
+void isakmp_cfg_iplist_to_str (char *, int, void *, int);
 #define ISAKMP_CFG_LOGIN 1
 #define ISAKMP_CFG_LOGOUT 2
-static int isakmp_cfg_accounting(struct ph1handle *, int);
-#ifdef HAVE_LIBRADIUS
-static int isakmp_cfg_accounting_radius(struct ph1handle *, int);
-#endif
 /*
 * Handle an ISAKMP config mode packet
@@ -141,7 +130,7 @@ static int isakmp_cfg_accounting_radius(struct ph1handle *, int);
 */
 void
 isakmp_cfg_r(iph1, msg)
- struct ph1handle *iph1;
+ phase1_handle_t *iph1;
 vchar_t *msg;
 {
 struct isakmp *packet;
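Review bot: The rewritten prototypes insert a space between the function name and its parameter list (`static vchar_t *buffer_cat (vchar_t *s, vchar_t *append);`), while the definitions that follow, e.g. `isakmp_cfg_r(iph1, msg)` in the next hunk, and every call in the file keep the name and `(` together, so one file now mixes both styles. Since these lines are being rewritten anyway for the phase1_handle_t rename, drop the space: `static vchar_t *buffer_cat(vchar_t *s, vchar_t *append);` and likewise for the other eight declarations in this hunk.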
@@ -151,7 +140,7 @@ isakmp_cfg_r(iph1, msg)
 int np;
 vchar_t *dmsg;
 struct isakmp_ivm *ivm;
- struct ph2handle *iph2;
+ phase2_handle_t *iph2;
 int error = -1;
 /* Check that the packet is long enough to have a header */
@@ -160,7 +149,7 @@ isakmp_cfg_r(iph1, msg)
 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
 CONSTSTR("MODE-Config. Unexpected short packet"),
 CONSTSTR("Failed to process short MODE-Config packet"));
- plog(LLV_ERROR, LOCATION, NULL, "Unexpected short packet\n");
+ plog(ASL_LEVEL_ERR, "Unexpected short packet\n");
 return;
 }
@@ -172,7 +161,7 @@ isakmp_cfg_r(iph1, msg)
 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
 CONSTSTR("MODE-Config. User credentials sent in cleartext"),
 CONSTSTR("Dropped cleattext User credentials"));
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "User credentials sent in cleartext!\n");
 return;
 }
@@ -193,13 +182,12 @@ isakmp_cfg_r(iph1, msg)
 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
 CONSTSTR("MODE-Config. Failed to decrypt packet"),
 CONSTSTR("Failed to decrypt MODE-Config packet"));
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "failed to decrypt message\n");
 return;
 }
- plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet\n");
- plogdump(LLV_DEBUG, dmsg->v, dmsg->l);
+ plog(ASL_LEVEL_DEBUG, "MODE_CFG packet\n");
 /* Now work with the decrypted packet */
 packet = (struct isakmp *)dmsg->v;
@@ -210,20 +198,19 @@ isakmp_cfg_r(iph1, msg)
 while ((tlen > 0) && (np != ISAKMP_NPTYPE_NONE)) {
 /* Check that the payload header fits in the packet */
 if (tlen < sizeof(*ph)) {
- plog(LLV_WARNING, LOCATION, NULL,
+ plog(ASL_LEVEL_WARNING,
 "Short payload header\n");
 goto out;
 }
 /* Check that the payload fits in the packet */
 if (tlen < ntohs(ph->len)) {
- plog(LLV_WARNING, LOCATION, NULL,
+ plog(ASL_LEVEL_WARNING,
 "Short payload\n");
 goto out;
 }
- plog(LLV_DEBUG, LOCATION, NULL, "Seen payload %d\n", np);
- plogdump(LLV_DEBUG, ph, ntohs(ph->len));
+ plog(ASL_LEVEL_DEBUG, "Seen payload %d\n", np);
 switch(np) {
 case ISAKMP_NPTYPE_HASH: {
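Review bot: The `plogdump(LLV_DEBUG, dmsg->v, dmsg->l)` dropped in the `@@ -193` hunk, and the per-payload `plogdump` dropped in the `@@ -210` hunk, go away without a comment, so a later maintainer may reintroduce a debug dump of the decrypted buffer; the error text a few lines up in this same function ("User credentials sent in cleartext") shows that this buffer can carry XAUTH user credentials, which have no place in a debug log. Add `/* do not dump dmsg: MODE-CFG payloads may carry XAUTH credentials */` after the `plog(ASL_LEVEL_DEBUG, "MODE_CFG packet\n");` line so the omission is recorded as deliberate. isakmp_cfg_r begins before the first hunk on this line.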
@@ -237,15 +224,15 @@ isakmp_cfg_r(iph1, msg)
 plen = ntohs(nph->len);
 /* Check that the hash payload fits in the packet */
 if (tlen < (plen + ntohs(ph->len))) {
- plog(LLV_WARNING, LOCATION, NULL,
+ plog(ASL_LEVEL_WARNING,
 "Invalid Hash payload. len %d, overall-len %d\n",
 ntohs(nph->len),
- plen);
+ (int)plen);
 goto out;
 }
 if ((payload = vmalloc(plen)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "Cannot allocate memory\n");
 goto out;
 }
@@ -253,14 +240,14 @@ isakmp_cfg_r(iph1, msg)
 if ((check = oakley_compute_hash1(iph1,
 packet->msgid, payload)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "Cannot compute hash\n");
 vfree(payload);
 goto out;
 }
 if (memcmp(ph + 1, check->v, check->l) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "Hash verification failed\n");
 vfree(payload);
 vfree(check);
@@ -279,7 +266,7 @@ isakmp_cfg_r(iph1, msg)
 break;
 }
 default:
- plog(LLV_WARNING, LOCATION, NULL,
+ plog(ASL_LEVEL_WARNING,
 "Unexpected next payload %d\n", np);
 /* Skip to the next payload */
 break;
@@ -294,13 +281,11 @@ isakmp_cfg_r(iph1, msg)
 error = 0;
 /* find phase 2 in case pkt scheduled for resend */
- iph2 = getph2bymsgid(iph1, packet->msgid);
+ iph2 = ike_session_getph2bymsgid(iph1, packet->msgid);
 if (iph2 == NULL)
 goto out; /* no resend scheduled */
 SCHED_KILL(iph2->scr); /* turn off schedule */
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
+ ike_session_unlink_phase2(iph2);
 IPSECSESSIONTRACEREVENT(iph1->parent_session,
 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
@@ -318,14 +303,14 @@ out:
 int
 isakmp_cfg_attr_r(iph1, msgid, attrpl, msg)
- struct ph1handle *iph1;
+ phase1_handle_t *iph1;
 u_int32_t msgid;
 struct isakmp_pl_attr *attrpl;
 vchar_t *msg;
 {
 int type = attrpl->type;
- plog(LLV_DEBUG, LOCATION, NULL,
+ plog(ASL_LEVEL_DEBUG,
 "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type));
 switch (type) {
 case ISAKMP_CFG_ACK:
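Review bot: In the `@@ -253` hunk, `memcmp(ph + 1, check->v, check->l)` reads check->l bytes from the start of the received HASH payload, but nothing in the hunk verifies that the payload actually carries check->l bytes of hash data; the `tlen < ntohs(ph->len)` check in the previous hunk only ensures the payload header's own length fits in the message, so a HASH payload shorter than the computed hash would be compared against whatever bytes follow it. Unless a length check exists above the hunk, compare lengths first: `if (ntohs(ph->len) - sizeof(*ph) != check->l || memcmp(ph + 1, check->v, check->l) != 0) {`. This is also an authenticator check on peer-supplied data, where a fixed-time comparison is the usual choice over `memcmp`, whose early exit leaks how many leading bytes matched. isakmp_cfg_r starts outside the hunk.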
@@ -350,7 +335,7 @@ isakmp_cfg_attr_r(iph1, msgid, attrpl, msg)
 break;
 default:
- plog(LLV_WARNING, LOCATION, NULL,
+ plog(ASL_LEVEL_WARNING,
 "Unepected configuration exchange type %d\n", type);
 return -1;
 break;
@@ -361,7 +346,7 @@ isakmp_cfg_attr_r(iph1, msgid, attrpl, msg)
 int
 isakmp_cfg_reply(iph1, attrpl)
- struct ph1handle *iph1;
+ phase1_handle_t *iph1;
 struct isakmp_pl_attr *attrpl;
 {
 struct isakmp_data *attr;
@@ -385,7 +370,7 @@ isakmp_cfg_reply(iph1, attrpl)
 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
 type &= ~ISAKMP_GEN_MASK;
- plog(LLV_DEBUG, LOCATION, NULL,
+ plog(ASL_LEVEL_DEBUG,
 "Short attribute %s = %d\n",
 s_isakmp_cfg_type(type),
 ntohs(attr->lorv));
@@ -399,7 +384,7 @@ isakmp_cfg_reply(iph1, attrpl)
 break;
 default:
- plog(LLV_WARNING, LOCATION, NULL,
+ plog(ASL_LEVEL_WARNING,
 "Ignored short attribute %s\n",
 s_isakmp_cfg_type(type));
 break;
@@ -415,13 +400,13 @@ isakmp_cfg_reply(iph1, attrpl)
 /* Check that the attribute fit in the packet */
 if (tlen < alen) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "Short attribute %s\n",
 s_isakmp_cfg_type(type));
 return -1;
 }
- plog(LLV_DEBUG, LOCATION, NULL,
+ plog(ASL_LEVEL_DEBUG,
 "Attribute %s, len %zu\n",
 s_isakmp_cfg_type(type), alen);
@@ -494,7 +479,7 @@ isakmp_cfg_reply(iph1, attrpl)
 break; /* not actually ignored - don't fall thru */
 // else fall thru
 default:
- plog(LLV_WARNING, LOCATION, NULL,
+ plog(ASL_LEVEL_WARNING,
 "Ignored attribute %s\n",
 s_isakmp_cfg_type(type));
 break;
@@ -511,78 +496,32 @@ isakmp_cfg_reply(iph1, attrpl) if (iph1->mode_cfg->attr_list != NULL) /* shouldn't happen */ vfree(iph1->mode_cfg->attr_list); if (ntohs(attrpl->h.len) < sizeof(*attrpl)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid cfg-attr-list, attr-len %d\n", ntohs(attrpl->h.len)); return -1; } alen = ntohs(attrpl->h.len) - sizeof(*attrpl); if ((iph1->mode_cfg->attr_list = vmalloc(alen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory for mode-cfg attribute list\n"); return -1; } memcpy(iph1->mode_cfg->attr_list->v, attrpl + 1, alen); } - /* - * Call the SA up script hook now that we have the configuration - * It is done at the end of phase 1 if ISAKMP mode config is not - * requested. - */ - - if ((iph1->status == PHASE1ST_ESTABLISHED) && - iph1->rmconf->mode_cfg) { - switch (AUTHMETHOD(iph1)) { - case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - /* Unimplemented */ - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: - script_hook(iph1, SCRIPT_PHASE1_UP); - break; - default: - break; - } - } #ifdef ENABLE_VPNCONTROL_PORT - if (iph1->status == PHASE1ST_ESTABLISHED) + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL); #endif -#ifdef ENABLE_ADMINPORT - { - vchar_t *buf; - - if (ntohs(attrpl->h.len) < sizeof(*attrpl)) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid cfg-attr-list, attr-len %d\n", - ntohs(attrpl->h.len)); - return -1; - } - alen = ntohs(attrpl->h.len) - sizeof(*attrpl); - if ((buf = vmalloc(alen)) == NULL) { - plog(LLV_WARNING, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - } else { - memcpy(buf->v, attrpl + 1, buf->l); - EVT_PUSH(iph1->local, iph1->remote, - EVTT_ISAKMP_CFG_DONE, buf); - 
vfree(buf); - } - } -#endif - return 0; } int isakmp_cfg_request(iph1, attrpl, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_pl_attr *attrpl; vchar_t *msg; { @@ -627,7 +566,7 @@ isakmp_cfg_request(iph1, attrpl, msg) } if ((payload = vmalloc(sizeof(*reply))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return -1; } memset(payload->v, 0, sizeof(*reply)); @@ -640,7 +579,7 @@ isakmp_cfg_request(iph1, attrpl, msg) if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { type &= ~ISAKMP_GEN_MASK; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Short attribute %s = %d\n", s_isakmp_cfg_type(type), ntohs(attr->lorv)); @@ -649,7 +588,7 @@ isakmp_cfg_request(iph1, attrpl, msg) reply_attr = isakmp_xauth_req(iph1, attr); break; default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Ignored short attribute %s\n", s_isakmp_cfg_type(type)); break; @@ -671,13 +610,13 @@ isakmp_cfg_request(iph1, attrpl, msg) /* Check that the attribute fit in the packet */ if (tlen < alen) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Short attribute %s\n", s_isakmp_cfg_type(type)); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Attribute %s, len %zu\n", s_isakmp_cfg_type(type), alen); @@ -724,7 +663,7 @@ isakmp_cfg_request(iph1, attrpl, msg) case INTERNAL_ADDRESS_EXPIRY: default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Ignored attribute %s\n", s_isakmp_cfg_type(type)); break; 
@@ -745,32 +684,12 @@ isakmp_cfg_request(iph1, attrpl, msg) reply->type = ISAKMP_CFG_REPLY; reply->id = attrpl->id; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Sending MODE_CFG REPLY\n"); error = isakmp_cfg_send(iph1, payload, ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, msg); - if (iph1->status == PHASE1ST_ESTABLISHED) { - switch (AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - /* Unimplemented */ - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: - script_hook(iph1, SCRIPT_PHASE1_UP); - break; - default: - break; - } -#ifdef ENABLE_VPNCONTROL_PORT - vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL); -#endif - - } end: vfree(payload); @@ -780,7 +699,7 @@ end: int isakmp_cfg_set(iph1, attrpl, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_pl_attr *attrpl; vchar_t *msg; { @@ -795,7 +714,7 @@ isakmp_cfg_set(iph1, attrpl, msg) int error = -1; if ((payload = vmalloc(sizeof(*reply))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return -1; } memset(payload->v, 0, sizeof(*reply)); @@ -811,7 +730,7 @@ isakmp_cfg_set(iph1, attrpl, msg) reply_attr = NULL; type = ntohs(attr->type); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Attribute %s\n", s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); @@ -820,7 +739,7 @@ isakmp_cfg_set(iph1, attrpl, msg) reply_attr = isakmp_xauth_set(iph1, attr); break; default: - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Unexpected SET attribute %s\n", s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); break; 
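Review bot: The block removed after the `isakmp_cfg_send` call here also dropped the `ENABLE_VPNCONTROL_PORT` call to `vpncontrol_notify_phase_change`, whereas the equivalent call in isakmp_cfg_reply (`@@ -511,78 +496,32 @@`) was kept and only converted to `FSM_STATE_IS_ESTABLISHED`. If the responder side is still expected to report the phase change after sending a MODE_CFG REPLY, that notification is now missing; if the asymmetry is intentional, a one-line comment at the removal point such as `/* no vpncontrol phase-change notification on the responder path */` would make it explicit. isakmp_cfg_request begins before this hunk.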
@@ -852,14 +771,14 @@ isakmp_cfg_set(iph1, attrpl, msg) reply->type = ISAKMP_CFG_ACK; reply->id = attrpl->id; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Sending MODE_CFG ACK\n"); error = isakmp_cfg_send(iph1, payload, ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, msg); if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) { - if (iph1->status == PHASE1ST_ESTABLISHED) + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) isakmp_info_send_d1(iph1); isakmp_ph1expire(iph1); iph1 = NULL; @@ -885,7 +804,7 @@ buffer_cat(s, append) new = vmalloc(s->l + append->l); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return s; } @@ -899,7 +818,7 @@ buffer_cat(s, append) static vchar_t * isakmp_cfg_net(iph1, attr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; { int type; @@ -911,7 +830,7 @@ isakmp_cfg_net(iph1, attr) * Don't give an address to a peer that did not succeed Xauth */ if (xauth_check(iph1) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Attempt to start phase config whereas Xauth failed\n"); return NULL; } 
@@ -922,39 +841,13 @@ isakmp_cfg_net(iph1, attr) * configuration source, we will jump * back to this point. */ -retry_source: switch(type) { case INTERNAL_IP4_ADDRESS: switch(confsource) { -#ifdef HAVE_LIBLDAP - case ISAKMP_CFG_CONF_LDAP: - if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) - break; - plog(LLV_INFO, LOCATION, NULL, - "No IP from LDAP, using local pool\n"); - /* FALLTHROUGH */ - confsource = ISAKMP_CFG_CONF_LOCAL; - goto retry_source; -#endif -#ifdef HAVE_LIBRADIUS - case ISAKMP_CFG_CONF_RADIUS: - if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) - && (iph1->mode_cfg->addr4.s_addr != htonl(-2))) - /* - * -2 is 255.255.255.254, RADIUS uses that - * to instruct the NAS to use a local pool - */ - break; - plog(LLV_INFO, LOCATION, NULL, - "No IP from RADIUS, using local pool\n"); - /* FALLTHROUGH */ - confsource = ISAKMP_CFG_CONF_LOCAL; - goto retry_source; -#endif case ISAKMP_CFG_CONF_LOCAL: if (isakmp_cfg_getport(iph1) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Port pool depleted\n"); break; } 
@@ -966,39 +859,16 @@ retry_source: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unexpected confsource\n"); } - if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGIN) != 0) - plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n"); - return isakmp_cfg_addr4(iph1, attr, &iph1->mode_cfg->addr4.s_addr); break; case INTERNAL_IP4_NETMASK: switch(confsource) { -#ifdef HAVE_LIBLDAP - case ISAKMP_CFG_CONF_LDAP: - if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) - break; - plog(LLV_INFO, LOCATION, NULL, - "No mask from LDAP, using local pool\n"); - /* FALLTHROUGH */ - confsource = ISAKMP_CFG_CONF_LOCAL; - goto retry_source; -#endif -#ifdef HAVE_LIBRADIUS - case ISAKMP_CFG_CONF_RADIUS: - if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) - break; - plog(LLV_INFO, LOCATION, NULL, - "No mask from RADIUS, using local pool\n"); - /* FALLTHROUGH */ - confsource = ISAKMP_CFG_CONF_LOCAL; - goto retry_source; -#endif case ISAKMP_CFG_CONF_LOCAL: iph1->mode_cfg->mask4.s_addr = isakmp_cfg_config.netmask4; @@ -1006,7 +876,7 @@ retry_source: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unexpected confsource\n"); } return isakmp_cfg_addr4(iph1, attr, @@ -1031,7 +901,7 @@ retry_source: break; default: - plog(LLV_ERROR, LOCATION, NULL, "Unexpected type %d\n", type); + plog(ASL_LEVEL_ERR, "Unexpected type %d\n", type); break; } return NULL; @@ -1040,14 +910,14 @@ retry_source: #if 0 static vchar_t * isakmp_cfg_void(iph1, attr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; { vchar_t *buffer; struct isakmp_data *new; if ((buffer = vmalloc(sizeof(*attr))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -1062,7 +932,7 @@ isakmp_cfg_void(iph1, attr) vchar_t * isakmp_cfg_copy(iph1, attr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; { vchar_t *buffer; 
@@ -1072,7 +942,7 @@ isakmp_cfg_copy(iph1, attr) len = ntohs(attr->lorv); if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -1083,7 +953,7 @@ isakmp_cfg_copy(iph1, attr) vchar_t * isakmp_cfg_short(iph1, attr, value) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; int value; { @@ -1092,7 +962,7 @@ isakmp_cfg_short(iph1, attr, value) int type; if ((buffer = vmalloc(sizeof(*attr))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -1107,7 +977,7 @@ isakmp_cfg_short(iph1, attr, value) vchar_t * isakmp_cfg_varlen(iph1, attr, string, len) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; char *string; size_t len; @@ -1117,7 +987,7 @@ isakmp_cfg_varlen(iph1, attr, string, len) char *data; if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -1133,7 +1003,7 @@ isakmp_cfg_varlen(iph1, attr, string, len) } vchar_t * isakmp_cfg_string(iph1, attr, string) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; char *string; { @@ -1143,7 +1013,7 @@ isakmp_cfg_string(iph1, attr, string) static vchar_t * isakmp_cfg_addr4(iph1, attr, addr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; in_addr_t *addr; { @@ -1153,7 +1023,7 @@ isakmp_cfg_addr4(iph1, attr, addr) len = sizeof(*addr); if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } 
@@ -1168,7 +1038,7 @@ isakmp_cfg_addr4(iph1, attr, addr) static vchar_t * isakmp_cfg_addr4_list(iph1, attr, addr, nbr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; in_addr_t *addr; int nbr; @@ -1182,12 +1052,12 @@ isakmp_cfg_addr4_list(iph1, attr, addr, nbr) len = sizeof(*addr); if ((buffer = vmalloc(0)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); goto out; } for(i = 0; i < nbr; i++) { if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); goto out; } @@ -1213,13 +1083,13 @@ out: struct isakmp_ivm * isakmp_cfg_newiv(iph1, msgid) - struct ph1handle *iph1; + phase1_handle_t *iph1; u_int32_t msgid; { struct isakmp_cfg_state *ics = iph1->mode_cfg; if (ics == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "isakmp_cfg_newiv called without mode config state\n"); return NULL; } @@ -1236,7 +1106,7 @@ isakmp_cfg_newiv(iph1, msgid) /* Derived from isakmp_info_send_common */ int isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *payload; u_int32_t np; int flags; @@ -1244,7 +1114,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) int retry_count; vchar_t *msg; { - struct ph2handle *iph2 = NULL; + phase2_handle_t *iph2 = NULL; vchar_t *hash = NULL; struct isakmp *isakmp; struct isakmp_gen *gen; 
@@ -1254,34 +1124,34 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) struct isakmp_cfg_state *ics = iph1->mode_cfg; /* Check if phase 1 is established */ - if ((iph1->status != PHASE1ST_ESTABLISHED) || + if ((!FSM_STATE_IS_ESTABLISHED(iph1->status)) || (iph1->local == NULL) || (iph1->remote == NULL)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ISAKMP mode config exchange with immature phase 1\n"); goto end; } /* add new entry to isakmp status table */ - iph2 = newph2(); + iph2 = ike_session_newph2(ISAKMP_VERSION_NUMBER_IKEV1, PHASE2_TYPE_CFG); if (iph2 == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate ph2"); goto end; } - iph2->dst = dupsaddr((struct sockaddr *)iph1->remote); + iph2->dst = dupsaddr(iph1->remote); if (iph2->dst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to duplicate remote address"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } - iph2->src = dupsaddr((struct sockaddr *)iph1->local); + iph2->src = dupsaddr(iph1->local); if (iph2->src == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to duplicate local address"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } @@ -1301,14 +1171,13 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", iph1->remote->ss_family); - delph2(iph2); + ike_session_delph2(iph2); goto end; } - iph2->ph1 = iph1; iph2->side = INITIATOR; - iph2->status = PHASE2ST_START; + fsm_set_state(&iph2->status, IKEV1_STATE_INFO); if (new_exchange) iph2->msgid = isakmp_newmsgid2(iph1); 
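Review bot: `fsm_set_state(&iph2->status, IKEV1_STATE_INFO);` in the `@@ -1301,14 +1171,13 @@` hunk puts a handle that was just created as `PHASE2_TYPE_CFG` into the informational-exchange state, and nothing on the page explains the pairing. If the FSM has no config-specific state, a comment on that line, e.g. `/* mode-config exchanges are tracked with the informational-exchange state */`, would stop the next reader from treating it as a typo; if it does have one, the state looks wrong. Separately, the new `"failed to allocate ph2"` and `"failed to duplicate remote address"` messages lack the trailing `\n` that the other plog strings in this function carry. isakmp_cfg_send continues beyond these hunks.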
@@ -1319,19 +1188,19 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) if (iph1->skeyid_a != NULL) { if (new_exchange) { if (isakmp_cfg_newiv(iph1, iph2->msgid) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate IV"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } } /* generate HASH(1) */ - hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, payload); + hash = oakley_compute_hash1(iph1, iph2->msgid, payload); if (hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate HASH"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } @@ -1350,15 +1219,14 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) else iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A); - insph2(iph2); - bindph12(iph1, iph2); + ike_session_link_ph2_to_ph1(iph1, iph2); tlen += sizeof(*isakmp) + payload->l; /* create buffer for isakmp payload */ iph2->sendbuf = vmalloc(tlen); if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); goto err; } @@ -1393,18 +1261,17 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1); #endif - plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet to send\n"); - plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l); + plog(ASL_LEVEL_DEBUG, "MODE_CFG packet to send\n"); /* encoding */ if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) { vchar_t *tmp; - tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, + tmp = oakley_do_encrypt(iph1, iph2->sendbuf, ics->ivm->ive, ics->ivm->iv); VPTRINIT(iph2->sendbuf); if (tmp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to encrypt packet"); goto err; } 
@@ -1416,7 +1283,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) if (retry_count > 0) { iph2->retry_counter = retry_count; if (isakmp_ph2resend(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to resend packet"); VPTRINIT(iph2->sendbuf); goto err; @@ -1430,21 +1297,21 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) } if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); VPTRINIT(iph2->sendbuf); goto err; } if (msg) { /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph2->sendbuf, msg, - PH2_NON_ESP_EXTRA_LEN(iph2), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph2->sendbuf, msg, + PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); } } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "sendto mode config %s.\n", s_isakmp_nptype(np)); /* @@ -1466,9 +1333,7 @@ err: CONSTSTR("Mode-Config message"), CONSTSTR("Failed to transmit Mode-Config message")); } - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); end: if (hash) vfree(hash); 
@@ -1476,40 +1341,40 @@ end: } -void -isakmp_cfg_rmstate(iph1) - struct ph1handle *iph1; +void +isakmp_cfg_rmstate(phase1_handle_t *iph1) { - struct isakmp_cfg_state *state = iph1->mode_cfg; - - if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGOUT) != 0) - plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n"); - - if (state->flags & ISAKMP_CFG_PORT_ALLOCATED) - isakmp_cfg_putport(iph1, state->port); - + struct isakmp_cfg_state **state = &iph1->mode_cfg; + + + if (*state == NULL) + return; + + if ((*state)->flags & ISAKMP_CFG_PORT_ALLOCATED) + isakmp_cfg_putport(iph1, (*state)->port); + /* Delete the IV if it's still there */ - if(iph1->mode_cfg->ivm) { - oakley_delivm(iph1->mode_cfg->ivm); - iph1->mode_cfg->ivm = NULL; + if((*state)->ivm) { + oakley_delivm((*state)->ivm); + (*state)->ivm = NULL; } - + /* Free any allocated splitnet lists */ - if(iph1->mode_cfg->split_include != NULL) - splitnet_list_free(iph1->mode_cfg->split_include, - &iph1->mode_cfg->include_count); - if(iph1->mode_cfg->split_local != NULL) - splitnet_list_free(iph1->mode_cfg->split_local, - &iph1->mode_cfg->local_count); - - xauth_rmstate(&state->xauth); + if((*state)->split_include != NULL) + splitnet_list_free((*state)->split_include, + &(*state)->include_count); + if((*state)->split_local != NULL) + splitnet_list_free((*state)->split_local, + &(*state)->local_count); + + xauth_rmstate(&(*state)->xauth); - if (state->attr_list) - vfree(state->attr_list); - - racoon_free(state); - iph1->mode_cfg = NULL; - + if ((*state)->attr_list) + vfree((*state)->attr_list); + + racoon_free((*state)); + (*state) = NULL; + return; } @@ -1519,7 +1384,7 @@ isakmp_cfg_mkstate(void) struct isakmp_cfg_state *state; if ((state = racoon_malloc(sizeof(*state))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory for mode config state\n"); return NULL; } 
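Review bot: The rewritten isakmp_cfg_rmstate takes `struct isakmp_cfg_state **state = &iph1->mode_cfg;` only so the last statement can clear the field, at the price of `(*state)->` on every access and a redundant trailing `return;`. A plain local `struct isakmp_cfg_state *state = iph1->mode_cfg;` followed by `iph1->mode_cfg = NULL;` after `racoon_free(state);` reads the same and keeps the early `if (state == NULL) return;` guard, which is the real improvement in this hunk. The added blank lines carrying trailing whitespace could also be dropped.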
@@ -1530,7 +1395,7 @@ isakmp_cfg_mkstate(void) int isakmp_cfg_getport(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { unsigned int i; size_t size = isakmp_cfg_config.pool_size; @@ -1539,7 +1404,7 @@ isakmp_cfg_getport(iph1) return iph1->mode_cfg->port; if (isakmp_cfg_config.port_pool == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "isakmp_cfg_config.port_pool == NULL\n"); return -1; } @@ -1550,14 +1415,14 @@ isakmp_cfg_getport(iph1) } if (i == size) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "No more addresses available\n"); return -1; } isakmp_cfg_config.port_pool[i].used = 1; - plog(LLV_INFO, LOCATION, NULL, "Using port %d\n", i); + plog(ASL_LEVEL_INFO, "Using port %d\n", i); iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED; iph1->mode_cfg->port = i; 
@@ -1567,342 +1432,34 @@ isakmp_cfg_getport(iph1) int isakmp_cfg_putport(iph1, index) - struct ph1handle *iph1; + phase1_handle_t *iph1; unsigned int index; { if (isakmp_cfg_config.port_pool == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "isakmp_cfg_config.port_pool == NULL\n"); return -1; } if (isakmp_cfg_config.port_pool[index].used == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Attempt to release an unallocated address (port %d)\n", index); return -1; } -#ifdef HAVE_LIBPAM - /* Cleanup PAM status associated with the port */ - if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_PAM) - privsep_cleanup_pam(index); -#endif isakmp_cfg_config.port_pool[index].used = 0; iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED; - plog(LLV_INFO, LOCATION, NULL, "Released port %d\n", index); - - return 0; -} - -#ifdef HAVE_LIBPAM -void -cleanup_pam(port) - int port; -{ - if (isakmp_cfg_config.port_pool[port].pam != NULL) { - pam_end(isakmp_cfg_config.port_pool[port].pam, PAM_SUCCESS); - isakmp_cfg_config.port_pool[port].pam = NULL; - } - - return; -} -#endif + plog(ASL_LEVEL_INFO, "Released port %d\n", index); -/* Accounting, only for RADIUS or PAM */ -static int -isakmp_cfg_accounting(iph1, inout) - struct ph1handle *iph1; - int inout; -{ -#ifdef HAVE_LIBPAM - if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_PAM) - return privsep_accounting_pam(iph1->mode_cfg->port, - inout); -#endif -#ifdef HAVE_LIBRADIUS - if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) - return isakmp_cfg_accounting_radius(iph1, inout); -#endif -#ifdef HAVE_OPENSSL - if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM) - return privsep_accounting_system(iph1->mode_cfg->port, - iph1->remote, iph1->mode_cfg->login, inout); -#endif return 0; } -#ifdef HAVE_LIBPAM -int -isakmp_cfg_accounting_pam(port, inout) - int port; - int inout; -{ - int error = 0; - pam_handle_t *pam; - - if (isakmp_cfg_config.port_pool == NULL) { - plog(LLV_ERROR, LOCATION, NULL, 
- "isakmp_cfg_config.port_pool == NULL\n"); - return -1; - } - - pam = isakmp_cfg_config.port_pool[port].pam; - if (pam == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "pam handle is NULL\n"); - return -1; - } - - switch (inout) { - case ISAKMP_CFG_LOGIN: - error = pam_open_session(pam, 0); - break; - case ISAKMP_CFG_LOGOUT: - error = pam_close_session(pam, 0); - pam_end(pam, error); - isakmp_cfg_config.port_pool[port].pam = NULL; - break; - default: - plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); - break; - } - - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "pam_open_session/pam_close_session failed: %s\n", - pam_strerror(pam, error)); - return -1; - } - - return 0; -} -#endif /* HAVE_LIBPAM */ - -#ifdef HAVE_LIBRADIUS -static int -isakmp_cfg_accounting_radius(iph1, inout) - struct ph1handle *iph1; - int inout; -{ - /* For first time use, initialize Radius */ - if (radius_acct_state == NULL) { - if ((radius_acct_state = rad_acct_open()) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot init librradius\n"); - return -1; - } - - if (rad_config(radius_acct_state, NULL) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot open librarius config file: %s\n", - rad_strerror(radius_acct_state)); - rad_close(radius_acct_state); - radius_acct_state = NULL; - return -1; - } - } - - if (rad_create_request(radius_acct_state, - RAD_ACCOUNTING_REQUEST) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_create_request failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - if (rad_put_string(radius_acct_state, RAD_USER_NAME, - iph1->mode_cfg->login) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_string failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - switch (inout) { - case ISAKMP_CFG_LOGIN: - inout = RAD_START; - break; - case ISAKMP_CFG_LOGOUT: - inout = RAD_STOP; - break; - default: - plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); - break; - } - - if (rad_put_addr(radius_acct_state, - RAD_FRAMED_IP_ADDRESS, 
iph1->mode_cfg->addr4) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_addr failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - if (rad_put_addr(radius_acct_state, - RAD_LOGIN_IP_HOST, iph1->mode_cfg->addr4) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_addr failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - if (rad_put_int(radius_acct_state, RAD_ACCT_STATUS_TYPE, inout) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_int failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - if (isakmp_cfg_radius_common(radius_acct_state, - iph1->mode_cfg->port) != 0) - return -1; - - if (rad_send_request(radius_acct_state) != RAD_ACCOUNTING_RESPONSE) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_send_request failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - return 0; -} -#endif /* HAVE_LIBRADIUS */ - -/* - * Attributes common to all RADIUS requests - */ -#ifdef HAVE_LIBRADIUS -int -isakmp_cfg_radius_common(radius_state, port) - struct rad_handle *radius_state; - int port; -{ - struct utsname name; - static struct hostent *host = NULL; - struct in_addr nas_addr; - - /* - * Find our own IP by resolving our nodename - */ - if (host == NULL) { - if (uname(&name) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "uname failed: %s\n", strerror(errno)); - return -1; - } - - if ((host = gethostbyname(name.nodename)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gethostbyname failed: %s\n", strerror(errno)); - return -1; - } - } - - memcpy(&nas_addr, host->h_addr, sizeof(nas_addr)); - if (rad_put_addr(radius_state, RAD_NAS_IP_ADDRESS, nas_addr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_addr failed: %s\n", - rad_strerror(radius_state)); - return -1; - } - - if (rad_put_int(radius_state, RAD_NAS_PORT, port) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_int failed: %s\n", - rad_strerror(radius_state)); - return -1; - } - - if (rad_put_int(radius_state, RAD_NAS_PORT_TYPE, RAD_VIRTUAL) 
!= 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_int failed: %s\n", - rad_strerror(radius_state)); - return -1; - } - - if (rad_put_int(radius_state, RAD_SERVICE_TYPE, RAD_FRAMED) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_int failed: %s\n", - rad_strerror(radius_state)); - return -1; - } - - return 0; -} -#endif - -/* - Logs the user into the utmp system files. -*/ - -int -isakmp_cfg_accounting_system(port, raddr, usr, inout) - int port; - struct sockaddr_storage *raddr; - char *usr; - int inout; -{ - struct utmpx ut; - char term[_UTX_LINESIZE]; - char addr[NI_MAXHOST]; - - if (usr == NULL || usr[0]=='\0') { - plog(LLV_ERROR, LOCATION, NULL, - "system accounting : no login found\n"); - return -1; - } - - snprintf(term, sizeof(term), TERMSPEC, port); - - switch (inout) { - case ISAKMP_CFG_LOGIN: - strlcpy(ut.ut_user, usr, sizeof(ut.ut_user)); - - strlcpy(ut.ut_line, term, sizeof(ut.ut_line)); - - GETNAMEINFO_NULL((struct sockaddr *)raddr, addr); - strlcpy(ut.ut_host, addr, sizeof(ut.ut_host)); - - ut.ut_pid = getpid(); - - ut.ut_type = UTMPX_AUTOFILL_MASK | USER_PROCESS; - - gettimeofday(&ut.ut_tv, NULL); - - plog(LLV_INFO, LOCATION, NULL, - "Accounting : '%s' logging on '%s' from %s.\n", - ut.ut_user, ut.ut_line, ut.ut_host); - - if (pututxline(&ut) == NULL) - return -1; - - break; - case ISAKMP_CFG_LOGOUT: - - plog(LLV_INFO, LOCATION, NULL, - "Accounting : '%s' unlogging from '%s'.\n", - usr, term); - - ut.ut_type = UTMPX_AUTOFILL_MASK | DEAD_PROCESS; - - gettimeofday(&ut.ut_tv, NULL); - - if (pututxline(&ut) == NULL) - return -1; - - break; - default: - plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); - break; - } - - return 0; -} int isakmp_cfg_getconfig(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { vchar_t *buffer; struct isakmp_pl_attr *attrpl; 
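Review bot: `iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;` in isakmp_cfg_putport keeps that one flag and clears every other one instead of clearing it; the intended line is `iph1->mode_cfg->flags &= ~ISAKMP_CFG_PORT_ALLOCATED;`. As written, the pool slot is marked free while the handle still claims it, so the early `return iph1->mode_cfg->port;` in isakmp_cfg_getport (`@@ -1539,7 +1404,7 @@`), which presumably is guarded by that flag, can hand back an index the pool may since have given to another peer, and the ISAKMP_CFG_GOT_* flags are silently lost. The line is unchanged context, but this commit rewrites the surrounding function and is the natural place to fix it.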
@@ -1939,7 +1496,7 @@ isakmp_cfg_getconfig(iph1) LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) { LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) { if (bound_addr->address == address) { - if (version = bound_addr->version) + if ((version = bound_addr->version)) len += bound_addr->version->l; break; } @@ -1949,7 +1506,7 @@ isakmp_cfg_getconfig(iph1) } if ((buffer = vmalloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return -1; } @@ -1978,7 +1535,7 @@ isakmp_cfg_getconfig(iph1) } } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Sending MODE_CFG REQUEST\n"); error = isakmp_cfg_send(iph1, buffer, @@ -2000,7 +1557,7 @@ isakmp_cfg_getaddr4(attr, ip) in_addr_t *addr; if (alen != sizeof(*ip)) { - plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n"); + plog(ASL_LEVEL_ERR, "Bad IPv4 address len\n"); return; } @@ -2021,11 +1578,11 @@ isakmp_cfg_appendaddr4(attr, ip, num, max) in_addr_t *addr; if (alen != sizeof(*ip)) { - plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n"); + plog(ASL_LEVEL_ERR, "Bad IPv4 address len\n"); return; } if (*num == max) { - plog(LLV_ERROR, LOCATION, NULL, "Too many addresses given\n"); + plog(ASL_LEVEL_ERR, "Too many addresses given\n"); return; } 
@@ -2090,184 +1647,6 @@ isakmp_cfg_iplist_to_str(dest, count, addr, withmask) dest[0] = '\0'; } -int -isakmp_cfg_setenv(iph1, envp, envc) - struct ph1handle *iph1; - char ***envp; - int *envc; -{ - char addrstr[IP_MAX]; - char addrlist[IP_MAX * MAXNS + MAXNS]; - char *splitlist = addrlist; - char defdom[MAXPATHLEN + 1]; - int cidr, tmp; - char cidrstr[4]; - - plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n"); - - /* - * Internal IPv4 address, either if - * we are a client or a server. - */ - if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) || -#ifdef HAVE_LIBLDAP - (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || -#endif -#ifdef HAVE_LIBRADIUS - (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || -#endif - (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) { - inet_ntop(AF_INET, &iph1->mode_cfg->addr4, - addrstr, IP_MAX); - } else - addrstr[0] = '\0'; - - if (script_env_append(envp, envc, "INTERNAL_ADDR4", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_ADDR4\n"); - return -1; - } - - if (iph1->mode_cfg->xauth.authdata.generic.usr != NULL) { - if (script_env_append(envp, envc, "XAUTH_USER", - iph1->mode_cfg->xauth.authdata.generic.usr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set XAUTH_USER\n"); - return -1; - } - } - - /* Internal IPv4 mask */ - if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_MASK4) - inet_ntop(AF_INET, &iph1->mode_cfg->mask4, - addrstr, IP_MAX); - else - addrstr[0] = '\0'; - - /* - * During several releases, documentation adverised INTERNAL_NETMASK4 - * while code was using INTERNAL_MASK4. We now do both. 
- */ - - if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n"); - return -1; - } - - if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set INTERNAL_NETMASK4\n"); - return -1; - } - - tmp = ntohl(iph1->mode_cfg->mask4.s_addr); - for (cidr = 0; tmp != 0; cidr++) - tmp <<= 1; - snprintf(cidrstr, 3, "%d", cidr); - - if (script_env_append(envp, envc, "INTERNAL_CIDR4", cidrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_CIDR4\n"); - return -1; - } - - /* Internal IPv4 DNS */ - if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) { - /* First Internal IPv4 DNS (for compatibilty with older code */ - inet_ntop(AF_INET, &iph1->mode_cfg->dns4[0], - addrstr, IP_MAX); - - /* Internal IPv4 DNS - all */ - isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->dns4_index, - (void *)iph1->mode_cfg->dns4, 0); - } else { - addrstr[0] = '\0'; - addrlist[0] = '\0'; - } - - if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_DNS4\n"); - return -1; - } - if (script_env_append(envp, envc, "INTERNAL_DNS4_LIST", addrlist) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set INTERNAL_DNS4_LIST\n"); - return -1; - } - - /* Internal IPv4 WINS */ - if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) { - /* - * First Internal IPv4 WINS - * (for compatibilty with older code - */ - inet_ntop(AF_INET, &iph1->mode_cfg->wins4[0], - addrstr, IP_MAX); - - /* Internal IPv4 WINS - all */ - isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->wins4_index, - (void *)iph1->mode_cfg->wins4, 0); - } else { - addrstr[0] = '\0'; - addrlist[0] = '\0'; - } - - if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set INTERNAL_WINS4\n"); - return -1; - } - if (script_env_append(envp, envc, - "INTERNAL_WINS4_LIST", addrlist) != 0) { 
- plog(LLV_ERROR, LOCATION, NULL, - "Cannot set INTERNAL_WINS4_LIST\n"); - return -1; - } - - /* Deault domain */ - if(iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DEFAULT_DOMAIN) - strlcpy(defdom, - iph1->mode_cfg->default_domain, - sizeof(defdom)); - else - defdom[0] = '\0'; - - if (script_env_append(envp, envc, "DEFAULT_DOMAIN", defdom) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set DEFAULT_DOMAIN\n"); - return -1; - } - - /* Split networks */ - if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) - splitlist = splitnet_list_2str(iph1->mode_cfg->split_include); - else { - splitlist = addrlist; - addrlist[0] = '\0'; - } - - if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n"); - return -1; - } - if (splitlist != addrlist) - racoon_free(splitlist); - - if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) - splitlist = splitnet_list_2str(iph1->mode_cfg->split_local); - else { - splitlist = addrlist; - addrlist[0] = '\0'; - } - - if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n"); - return -1; - } - if (splitlist != addrlist) - racoon_free(splitlist); - - return 0; -} - int isakmp_cfg_resize_pool(size) int size; @@ -2279,7 +1658,7 @@ isakmp_cfg_resize_pool(size) if (size == isakmp_cfg_config.pool_size) return 0; - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "Resize address pool from %zu to %d\n", isakmp_cfg_config.pool_size, size); @@ -2288,7 +1667,7 @@ isakmp_cfg_resize_pool(size) (size < isakmp_cfg_config.pool_size)) { for (i = isakmp_cfg_config.pool_size-1; i >= size; --i) { if (isakmp_cfg_config.port_pool[i].used) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "resize pool from %zu to %d impossible " "port %d is in use\n", isakmp_cfg_config.pool_size, size, i); 
@@ -2301,7 +1680,7 @@ isakmp_cfg_resize_pool(size) len = size * sizeof(*isakmp_cfg_config.port_pool); new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len); if (new_pool == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "resize pool from %zu to %d impossible: %s", isakmp_cfg_config.pool_size, size, strerror(errno)); return -1; diff --git a/ipsec-tools/racoon/isakmp_cfg.h b/ipsec-tools/racoon/isakmp_cfg.h index 7890665..56dfe43 100644 --- a/ipsec-tools/racoon/isakmp_cfg.h +++ b/ipsec-tools/racoon/isakmp_cfg.h @@ -30,17 +30,14 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ +#ifndef _ISAKMP_CFG_H +#define _ISAKMP_CFG_H -#ifdef HAVE_LIBPAM -#include -#endif + +#include "racoon_types.h" #include -/* - * XXX don't forget to update - * src/racoon/handler.c:exclude_cfg_addr() - * if you add IPv6 capability - */ + /* Attribute types */ #define INTERNAL_IP4_ADDRESS 1 @@ -71,9 +68,6 @@ */ struct isakmp_cfg_port { char used; -#ifdef HAVE_LIBPAM - pam_handle_t *pam; -#endif }; struct isakmp_cfg_config { 
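Review bot: The converted error message in this hunk, `"resize pool from %zu to %d impossible: %s"`, is the only one of the three plog calls in isakmp_cfg_resize_pool that ends without `\n`; the two earlier messages in the same function (`"Resize address pool from %zu to %d\n"` and `"... port %d is in use\n"`) both terminate the line. Unless the new ASL-backed plog appends its own newline, which the hunk does not show, this entry will run into the next log line; I would change it to `"resize pool from %zu to %d impossible: %s\n",`. The rest of isakmp_cfg_resize_pool lies outside this hunk.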
@@ -186,40 +180,27 @@ struct isakmp_cfg_state { #define ISAKMP_CFG_GOT_REPLY 0x8000 /* got config data from reply - don't process again */ struct isakmp_pl_attr; -struct ph1handle; struct isakmp_ivm; -void isakmp_cfg_r(struct ph1handle *, vchar_t *); -int isakmp_cfg_attr_r(struct ph1handle *, u_int32_t, struct isakmp_pl_attr *, vchar_t *); -int isakmp_cfg_reply(struct ph1handle *, struct isakmp_pl_attr *); -int isakmp_cfg_request(struct ph1handle *, struct isakmp_pl_attr *, vchar_t *); -int isakmp_cfg_set(struct ph1handle *, struct isakmp_pl_attr *, vchar_t *); -int isakmp_cfg_send(struct ph1handle *, vchar_t *, u_int32_t, int, int, int, vchar_t *); -struct isakmp_ivm *isakmp_cfg_newiv(struct ph1handle *, u_int32_t); -void isakmp_cfg_rmstate(struct ph1handle *); -struct isakmp_cfg_state *isakmp_cfg_mkstate(void); -vchar_t *isakmp_cfg_copy(struct ph1handle *, struct isakmp_data *); -vchar_t *isakmp_cfg_short(struct ph1handle *, struct isakmp_data *, int); -vchar_t *isakmp_cfg_varlen(struct ph1handle *, struct isakmp_data *, char *, size_t); -vchar_t *isakmp_cfg_string(struct ph1handle *, struct isakmp_data *, char *); -int isakmp_cfg_getconfig(struct ph1handle *); -int isakmp_cfg_setenv(struct ph1handle *, char ***, int *); - -int isakmp_cfg_resize_pool(int); -int isakmp_cfg_getport(struct ph1handle *); -int isakmp_cfg_putport(struct ph1handle *, unsigned int); -int isakmp_cfg_init(int); +void isakmp_cfg_r (phase1_handle_t *, vchar_t *); +int isakmp_cfg_attr_r (phase1_handle_t *, u_int32_t, struct isakmp_pl_attr *, vchar_t *); +int isakmp_cfg_reply (phase1_handle_t *, struct isakmp_pl_attr *); +int isakmp_cfg_request (phase1_handle_t *, struct isakmp_pl_attr *, vchar_t *); +int isakmp_cfg_set (phase1_handle_t *, struct isakmp_pl_attr *, vchar_t *); +int isakmp_cfg_send (phase1_handle_t *, vchar_t *, u_int32_t, int, int, int, vchar_t *); +struct isakmp_ivm *isakmp_cfg_newiv (phase1_handle_t *, u_int32_t); +void isakmp_cfg_rmstate (phase1_handle_t *); +struct 
isakmp_cfg_state *isakmp_cfg_mkstate (void); +vchar_t *isakmp_cfg_copy (phase1_handle_t *, struct isakmp_data *); +vchar_t *isakmp_cfg_short (phase1_handle_t *, struct isakmp_data *, int); +vchar_t *isakmp_cfg_varlen (phase1_handle_t *, struct isakmp_data *, char *, size_t); +vchar_t *isakmp_cfg_string (phase1_handle_t *, struct isakmp_data *, char *); +int isakmp_cfg_getconfig (phase1_handle_t *); + +int isakmp_cfg_resize_pool (int); +int isakmp_cfg_getport (phase1_handle_t *); +int isakmp_cfg_putport (phase1_handle_t *, unsigned int); +int isakmp_cfg_init (int); #define ISAKMP_CFG_INIT_COLD 1 #define ISAKMP_CFG_INIT_WARM 0 -#ifdef HAVE_LIBRADIUS -struct rad_handle; -extern struct rad_handle *radius_acct_state; -int isakmp_cfg_radius_common(struct rad_handle *, int); -#endif - -#ifdef HAVE_LIBPAM -int isakmp_cfg_accounting_pam(int, int); -void cleanup_pam(int); -#endif - -int isakmp_cfg_accounting_system(int, struct sockaddr_storage *, char *, int); +#endif /* _ISAKMP_CFG_H */ diff --git a/ipsec-tools/racoon/isakmp_frag.c b/ipsec-tools/racoon/isakmp_frag.c index a42ab4e..ee24b93 100644 --- a/ipsec-tools/racoon/isakmp_frag.c +++ b/ipsec-tools/racoon/isakmp_frag.c @@ -86,7 +86,7 @@ int isakmp_sendfrags(iph1, buf) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *buf; { struct isakmp *hdr; @@ -143,7 +143,7 @@ isakmp_sendfrags(iph1, buf) fraglen = sizeof(*hdr) + sizeof(*fraghdr) + datalen; if ((frag = vmalloc(fraglen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return -1; } @@ -171,7 +171,7 @@ isakmp_sendfrags(iph1, buf) allocate a new buffer and release it at the end. */ if (extralen) { if ((vbuf = vmalloc(frag->l + extralen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s: vbuf allocation failed\n", __FUNCTION__); vfree(frag); return -1; 
@@ -185,7 +185,7 @@ isakmp_sendfrags(iph1, buf) if (sendfromto(s, frag->v, frag->l, iph1->local, iph1->remote, lcconf->count_persend) == -1) { - plog(LLV_ERROR, LOCATION, NULL, "%s: sendfromto failed\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "%s: sendfromto failed\n", __FUNCTION__); vfree(frag); return -1; } @@ -196,7 +196,7 @@ isakmp_sendfrags(iph1, buf) sdata += datalen; } - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s: processed %d fragments\n", __FUNCTION__, fragnum); return fragnum; @@ -216,7 +216,7 @@ vendorid_frag_cap(gen) int isakmp_frag_extract(iph1, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *msg; { struct isakmp *isakmp; @@ -228,7 +228,7 @@ isakmp_frag_extract(iph1, msg) int i; if (msg->l < sizeof(*isakmp) + sizeof(*frag)) { - plog(LLV_ERROR, LOCATION, NULL, "Message too short\n"); + plog(ASL_LEVEL_ERR, "Message too short\n"); return -1; } @@ -241,29 +241,29 @@ isakmp_frag_extract(iph1, msg) */ if (msg->l < sizeof(*isakmp) + ntohs(frag->len) || ntohs(frag->len) < sizeof(*frag) + 1) { - plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n"); + plog(ASL_LEVEL_ERR, "Fragment too short\n"); return -1; } if (ntohs(frag->len) < sizeof(*frag)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid Frag, frag-len %d\n", ntohs(frag->len)); return -1; } if ((buf = vmalloc(ntohs(frag->len) - sizeof(*frag))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return -1; } if ((item = racoon_malloc(sizeof(*item))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); vfree(buf); return -1; } - bzero(item, sizeof(*item)); - + bzero(item, sizeof(*item)); + data = (char *)(frag + 1); memcpy(buf->v, data, buf->l); 
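Review bot: In the `@@ -241,29 +241,29 @@` hunk of isakmp_frag_extract, the second length test `if (ntohs(frag->len) < sizeof(*frag))` is unreachable: the condition immediately above it already returns -1 whenever `ntohs(frag->len) < sizeof(*frag) + 1`, so this branch and its "invalid Frag" log message are dead code. I would drop it, or fold both bounds into the first condition with a single message, so that the one check guarding the `vmalloc(ntohs(frag->len) - sizeof(*frag))` size computation is stated once and a future edit cannot loosen one without the other. This is pre-existing (the hunk only swaps the logging API), and the function continues past the hunk.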
@@ -272,67 +272,52 @@ isakmp_frag_extract(iph1, msg) item->frag_next = NULL; item->frag_packet = buf; item->frag_id = ntohs(frag->unknown1); + + plog(ASL_LEVEL_DEBUG, + "%s: received fragment #%d frag ID=%d last frag=%d\n", + __FUNCTION__, item->frag_num, item->frag_id, item->frag_last); + + /* Insert if new and find the last frag num if present */ + struct isakmp_frag_item *current; + + last_frag = (item->frag_last ? item->frag_num : 0); + current = iph1->frag_chain; + while (current) { + if (current->frag_num == item->frag_num) { // duplicate? + vfree(item->frag_packet); + racoon_free(item); + return 0; // already have it + } + if (current->frag_last) + last_frag = current->frag_num; + current = current->frag_next; + } + /* no dup - insert it */ + item->frag_next = iph1->frag_chain; + iph1->frag_chain = item; + + /* Check if the chain is complete */ + if (last_frag == 0) + return 0; /* if last_frag not found - chain is not complete */ + for (i = 1; i <= last_frag; i++) { + current = iph1->frag_chain; + while (current) { + if (current->frag_num == i) + break; + current = current->frag_next; + }; + if (!current) + return 0; /* chain not complete */ + } - /* Look for the last frag while inserting the new item in the chain */ - if (item->frag_last) - last_frag = item->frag_num; - - if (iph1->frag_chain == NULL) { - iph1->frag_chain = item; - } else { - struct isakmp_frag_item *current; - int dup = 0; - - current = iph1->frag_chain; - if (!current->frag_next && current->frag_last) { - last_frag = current->frag_num; - } - while (current->frag_next) { - if (current->frag_last) - last_frag = current->frag_num; - if (current->frag_num == item->frag_num) { - dup = 1; - } - current = current->frag_next; - } - // avoid duplicates - if (!dup) { - current->frag_next = item; - } else { - racoon_free(item); - vfree(buf); - item = NULL; - buf = NULL; - } - } - - /* If we saw the last frag, check if the chain is complete */ - if (last_frag != 0) { - for (i = 1; i <= last_frag; 
i++) { - item = iph1->frag_chain; - do { - if (item->frag_num == i) - break; - item = item->frag_next; - } while (item != NULL); - - if (item == NULL) /* Not found */ - break; - } - - if (item != NULL) /* It is complete */ - return 1; - } - - plog(LLV_DEBUG2, LOCATION, NULL, - "%s: processed %d fragments\n", __FUNCTION__, last_frag); - - return 0; + plog(ASL_LEVEL_DEBUG, + "%s: processed fragment %d\n", __FUNCTION__, frag->index); + return 1; /* chain is complete */ } vchar_t * isakmp_frag_reassembly(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { struct isakmp_frag_item *item; size_t len = 0; @@ -342,7 +327,7 @@ isakmp_frag_reassembly(iph1) char *data; if ((item = iph1->frag_chain) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "No fragment to reassemble\n"); + plog(ASL_LEVEL_ERR, "No fragment to reassemble\n"); goto out; } @@ -356,7 +341,7 @@ isakmp_frag_reassembly(iph1) } while (item != NULL); if ((buf = vmalloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); goto out; } data = buf->v; @@ -370,17 +355,17 @@ isakmp_frag_reassembly(iph1) } while (item != NULL); if (item == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Missing fragment #%d\n", i); vfree(buf); buf = NULL; return buf; - } + } memcpy(data, item->frag_packet->v, item->frag_packet->l); data += item->frag_packet->l; } - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s: processed %d fragments\n", __FUNCTION__, frag_count); out: @@ -399,6 +384,7 @@ out: iph1->frag_chain = NULL; + //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "re-assembled fragements:\n"); return buf; } @@ -415,7 +401,7 @@ isakmp_frag_addcap(buf, cap) len = buf->l; if (len == hashlen_bytes) { if ((buf = vrealloc(buf, len + sizeof(cap))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } 
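Review bot: The rewritten insertion in isakmp_frag_extract appends a fragment to `iph1->frag_chain` without comparing its `frag_id` with the fragments already queued, so pieces of two different messages (or a stale partial chain and a fresh message) are spliced into one chain and, as soon as numbers 1..last_frag are all present, handed to isakmp_frag_reassembly as one message; the chain is only emptied in reassembly (`iph1->frag_chain = NULL;` in a later hunk), and fragments may arrive before the peer has been authenticated. I would reject a mismatch right after the duplicate walk: `if (iph1->frag_chain && iph1->frag_chain->frag_id != item->frag_id) {` / `vfree(item->frag_packet); racoon_free(item); return -1; }` — whether to drop the newcomer or instead flush the stale chain depends on how peers assign frag_id, which is not visible here. The duplicate check keys on `frag_num` alone, so chain length is bounded only by the width of the on-wire fragment index, and the completeness check walks the whole chain once per expected number; that cost is acceptable if the index is 8-bit, which the hunk does not show. The `};` closing the inner while loop is a stray empty statement.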
@@ -482,7 +468,7 @@ sendfragsfromto(s, buf, local, remote, count_persend, frag_flags) fraglen = sizeof(*hdr) + sizeof(*fraghdr) + datalen; if ((frag = vmalloc(fraglen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return -1; } @@ -513,7 +499,7 @@ sendfragsfromto(s, buf, local, remote, count_persend, frag_flags) vchar_t *vbuf; if ((vbuf = vmalloc(frag->l + extralen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s: vbuf allocation failed\n", __FUNCTION__); vfree(frag); return -1; @@ -526,7 +512,7 @@ sendfragsfromto(s, buf, local, remote, count_persend, frag_flags) #endif if (sendfromto(s, frag->v, frag->l, local, remote, count_persend) == -1) { - plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n"); + plog(ASL_LEVEL_ERR, "sendfromto failed\n"); vfree(frag); return -1; } @@ -537,7 +523,7 @@ sendfragsfromto(s, buf, local, remote, count_persend, frag_flags) sdata += datalen; } - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s: processed %d fragments\n", __FUNCTION__, fragnum); return fragnum; diff --git a/ipsec-tools/racoon/isakmp_frag.h b/ipsec-tools/racoon/isakmp_frag.h index 0ddab52..7a23ec0 100644 --- a/ipsec-tools/racoon/isakmp_frag.h +++ b/ipsec-tools/racoon/isakmp_frag.h @@ -34,6 +34,8 @@ #ifndef _ISAKMP_FRAG_H #define _ISAKMP_FRAG_H +#include "racoon_types.h" + /* These are the values from parsing "remote {}" block of the config file. */ #define ISAKMP_FRAG_OFF FALSE /* = 0 */ 
@@ -57,11 +59,11 @@ struct isakmp_frag_item { vchar_t *frag_packet; }; -int isakmp_sendfrags(struct ph1handle *, vchar_t *); -unsigned int vendorid_frag_cap(struct isakmp_gen *); -int isakmp_frag_extract(struct ph1handle *, vchar_t *); -vchar_t *isakmp_frag_reassembly(struct ph1handle *); -vchar_t *isakmp_frag_addcap(vchar_t *, int); -int sendfragsfromto(int s, vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *, int, u_int32_t); +int isakmp_sendfrags (phase1_handle_t *, vchar_t *); +unsigned int vendorid_frag_cap (struct isakmp_gen *); +int isakmp_frag_extract (phase1_handle_t *, vchar_t *); +vchar_t *isakmp_frag_reassembly (phase1_handle_t *); +vchar_t *isakmp_frag_addcap (vchar_t *, int); +int sendfragsfromto (int s, vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *, int, u_int32_t); #endif /* _ISAKMP_FRAG_H */ diff --git a/ipsec-tools/racoon/isakmp_ident.c b/ipsec-tools/racoon/isakmp_ident.c index 53dfc01..71fbd5a 100644 --- a/ipsec-tools/racoon/isakmp_ident.c +++ b/ipsec-tools/racoon/isakmp_ident.c @@ -60,12 +60,12 @@ #include "sockmisc.h" #include "schedule.h" #include "debug.h" +#include "fsm.h" #include "localconf.h" #include "remoteconf.h" #include "isakmp_var.h" #include "isakmp.h" -#include "evt.h" #include "oakley.h" #include "handler.h" #include "ipsec_doi.h" @@ -78,9 +78,6 @@ #ifdef ENABLE_NATT #include "nattraversal.h" #endif -#ifdef HAVE_GSSAPI -#include "gssapi.h" -#endif #ifdef ENABLE_HYBRID #include #include "isakmp_xauth.h" @@ -98,8 +95,8 @@ #include #endif -static vchar_t *ident_ir2mx __P((struct ph1handle *)); -static vchar_t *ident_ir3mx __P((struct ph1handle *)); +static vchar_t *ident_ir2mx (phase1_handle_t *); +static vchar_t *ident_ir3mx (phase1_handle_t *); /* %%% * begin Identity Protection Mode as initiator. 
@@ -113,7 +110,7 @@ static vchar_t *ident_ir3mx __P((struct ph1handle *)); */ int ident_i1send(iph1, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *msg; /* must be null */ { struct payload_list *plist = NULL; @@ -132,15 +129,18 @@ ident_i1send(iph1, msg) #ifdef ENABLE_DPD vchar_t *vid_dpd = NULL; #endif - /* validity check */ - if (msg != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "msg has to be NULL in this function.\n"); + + /* validity check */ + if (iph1->status != IKEV1_STATE_IDENT_I_START) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + + /* validity check */ + if (msg != NULL) { + plog(ASL_LEVEL_ERR, + "msg has to be NULL in this function.\n"); goto end; } @@ -149,9 +149,9 @@ ident_i1send(iph1, msg) isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); /* create SA payload for my proposal */ - iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); + iph1->sa = ipsecdoi_setph1proposal(iph1); if (iph1->sa == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set proposal"); goto end; } 
@@ -169,20 +169,18 @@ ident_i1send(iph1, msg) switch (RMAUTHMETHOD(iph1)) { case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Xauth vendor ID generation failed\n"); else plist = isakmp_plist_append(plist, vid_xauth, ISAKMP_NPTYPE_VID); if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unity vendor ID generation failed\n"); else plist = isakmp_plist_append(plist, @@ -195,7 +193,7 @@ ident_i1send(iph1, msg) #ifdef ENABLE_FRAG if (iph1->rmconf->ike_frag) { if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Frag vendorID construction failed\n"); } else { vid_frag = isakmp_frag_addcap(vid_frag, @@ -223,12 +221,12 @@ ident_i1send(iph1, msg) /* send the packet, add to the schedule to resend */ iph1->retry_counter = iph1->rmconf->retry_counter; if (isakmp_ph1resend(iph1) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } - iph1->status = PHASE1ST_MSG1SENT; + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG1SENT); error = 0; @@ -275,7 +273,7 @@ end: */ int ident_i2recv(iph1, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *msg; { vchar_t *pbuf = NULL; 
@@ -284,10 +282,10 @@ ident_i2recv(iph1, msg) int error = -1; int vid_numeric; - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_IDENT_I_MSG1SENT) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } @@ -303,7 +301,7 @@ ident_i2recv(iph1, msg) */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); goto end; } @@ -311,14 +309,14 @@ ident_i2recv(iph1, msg) /* SA payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "received invalid next payload type %d, " "expecting %d.\n", pa->type, ISAKMP_NPTYPE_SA); goto end; } if (isakmp_p2ph(&satmp, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process SA payload"); goto end; } @@ -358,7 +356,7 @@ ident_i2recv(iph1, msg) #ifdef ENABLE_FRAG if ((vid_numeric == VENDORID_FRAG) && (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "remote supports FRAGMENTATION\n"); iph1->frag = 1; } @@ -366,7 +364,7 @@ ident_i2recv(iph1, msg) break; default: /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); @@ -376,7 +374,7 @@ ident_i2recv(iph1, msg) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) { - plog(LLV_INFO, LOCATION, iph1->remote, + plog(ASL_LEVEL_INFO, "Selected NAT-T version: %s\n", vid_string_by_id(iph1->natt_options->version)); ike_session_update_natt_version(iph1); 
@@ -385,14 +383,14 @@ ident_i2recv(iph1, msg) /* check SA payload and set approval SA for use */ if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "failed to get valid proposal.\n"); /* XXX send information */ goto end; } VPTRINIT(iph1->sa_ret); - iph1->status = PHASE1ST_MSG2RECEIVED; + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG2RCVD); #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL); @@ -429,16 +427,16 @@ end: * Ke_i, [<Ke_i] */ int -ident_i2send(iph1, msg) - struct ph1handle *iph1; +ident_i3send(iph1, msg) + phase1_handle_t *iph1; vchar_t *msg; { int error = -1; - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_IDENT_I_MSG2RCVD) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } @@ -454,7 +452,7 @@ ident_i2send(iph1, msg) if (oakley_dh_generate(iph1->approval->dhgrp, &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) { #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate DH"); goto end; } @@ -462,24 +460,15 @@ ident_i2send(iph1, msg) /* generate NONCE value */ iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); if (iph1->nonce == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate NONCE"); goto end; } -#ifdef HAVE_GSSAPI - if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB && - gssapi_get_itoken(iph1, NULL) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get GSS token"); - goto end; - } -#endif - /* create buffer to send isakmp payload */ iph1->sendbuf = ident_ir2mx(iph1); if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to create send buffer"); goto end; } 
@@ -491,20 +480,20 @@ ident_i2send(iph1, msg) /* send the packet, add to the schedule to resend */ iph1->retry_counter = iph1->rmconf->retry_counter; if (isakmp_ph1resend(iph1) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, + PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); goto end; } - iph1->status = PHASE1ST_MSG2SENT; + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG3SENT); error = 0; @@ -532,33 +521,30 @@ end: * rev: HDR, PubKey_i, Ke_r, Ke_r, */ int -ident_i3recv(iph1, msg) - struct ph1handle *iph1; +ident_i4recv(iph1, msg) + phase1_handle_t *iph1; vchar_t *msg; { vchar_t *pbuf = NULL; struct isakmp_parse_t *pa; int error = -1; int vid_numeric; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif #ifdef ENABLE_NATT vchar_t *natd_received; int natd_seq = 0, natd_verified; #endif - /* validity check */ - if (iph1->status != PHASE1ST_MSG2SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_IDENT_I_MSG3SENT) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } /* validate the type of next payload */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); goto end; } 
@@ -570,14 +556,14 @@ ident_i3recv(iph1, msg) switch (pa->type) { case ISAKMP_NPTYPE_KE: if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process KE payload"); goto end; } break; case ISAKMP_NPTYPE_NONCE: if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process NONCE payload"); goto end; } @@ -608,21 +594,11 @@ ident_i3recv(iph1, msg) break; case ISAKMP_NPTYPE_CR: if (oakley_savecr(iph1, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process CR payload"); goto end; } break; -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to process GSS payload"); - goto end; - } - gssapi_save_received_token(iph1, gsstoken); - break; -#endif #ifdef ENABLE_NATT case ISAKMP_NPTYPE_NATD_DRAFT: @@ -632,7 +608,7 @@ ident_i3recv(iph1, msg) pa->type == iph1->natt_options->payload_nat_d) { natd_received = NULL; if (isakmp_p2ph (&natd_received, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process NATD payload"); goto end; } @@ -647,7 +623,7 @@ ident_i3recv(iph1, msg) natd_verified = natt_compare_addr_hash (iph1, natd_received, natd_seq++); - plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", + plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n", natd_seq - 1, natd_verified ? "verified" : "doesn't match"); @@ -661,7 +637,7 @@ ident_i3recv(iph1, msg) default: /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); 
@@ -671,7 +647,7 @@ ident_i3recv(iph1, msg) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) { - plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", + plog (ASL_LEVEL_INFO, "NAT %s %s%s\n", iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", @@ -683,7 +659,7 @@ ident_i3recv(iph1, msg) /* payload existency check */ if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "few isakmp message received.\n"); goto end; } @@ -693,7 +669,7 @@ ident_i3recv(iph1, msg) ; } - iph1->status = PHASE1ST_MSG3RECEIVED; + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG4RCVD); error = 0; @@ -709,10 +685,6 @@ end: CONSTSTR("Initiator, Main-Mode Message 4"), CONSTSTR("Failed to process Main-Mode Message 4")); } -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif if (pbuf) vfree(pbuf); if (error) { @@ -735,20 +707,17 @@ end: * rev: HDR*, HASH_I */ int -ident_i3send(iph1, msg0) - struct ph1handle *iph1; +ident_i5send(iph1, msg0) + phase1_handle_t *iph1; vchar_t *msg0; { int error = -1; int dohash = 1; -#ifdef HAVE_GSSAPI - int len; -#endif - /* validity check */ - if (iph1->status != PHASE1ST_MSG3RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_IDENT_I_MSG4RCVD) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } 
@@ -757,61 +726,47 @@ ident_i3send(iph1, msg0) if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { #else - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) { + if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) { #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute DH"); goto end; } /* generate SKEYIDs & IV & final cipher key */ if (oakley_skeyid(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate SKEYID"); goto end; } if (oakley_skeyid_dae(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate SKEYID-DAE"); goto end; } if (oakley_compute_enckey(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate ENCKEY"); goto end; } if (oakley_newiv(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate IV"); goto end; } /* make ID payload into isakmp status */ if (ipsecdoi_setid1(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set ID"); goto end; } -#ifdef HAVE_GSSAPI - if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB && - gssapi_more_tokens(iph1)) { - plog(LLV_DEBUG, LOCATION, NULL, "calling get_itoken\n"); - if (gssapi_get_itoken(iph1, &len) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get GSSAPI token"); - goto end; - } - if (len != 0) - dohash = 0; - } -#endif - /* generate HASH to send */ if (dohash) { iph1->hash = oakley_ph1hash_common(iph1, GENERATE); if (iph1->hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate HASH"); goto end; } 
@@ -824,7 +779,7 @@ ident_i3send(iph1, msg0) /* create HDR;ID;HASH payload */ iph1->sendbuf = ident_ir3mx(iph1); if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate send buffer"); goto end; } @@ -832,15 +787,15 @@ ident_i3send(iph1, msg0) /* send the packet, add to the schedule to resend */ iph1->retry_counter = iph1->rmconf->retry_counter; if (isakmp_ph1resend(iph1) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0, - PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0, + PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); goto end; } @@ -848,7 +803,7 @@ ident_i3send(iph1, msg0) /* see handler.h about IV synchronization. */ memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l); - iph1->status = PHASE1ST_MSG3SENT; + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG5SENT); error = 0; @@ -876,8 +831,8 @@ end: * rev: HDR*, HASH_R */ int -ident_i4recv(iph1, msg0) - struct ph1handle *iph1; +ident_i6recv(iph1, msg0) + phase1_handle_t *iph1; vchar_t *msg0; { vchar_t *pbuf = NULL; 
@@ -886,28 +841,25 @@ ident_i4recv(iph1, msg0) int error = -1; int type; int vid_numeric; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif int received_cert = 0; - /* validity check */ - if (iph1->status != PHASE1ST_MSG3SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_IDENT_I_MSG5SENT) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } /* decrypting */ if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "expecting the packet encrypted.\n"); goto end; } msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive); if (msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to decrypt"); goto end; } @@ -915,7 +867,7 @@ ident_i4recv(iph1, msg0) /* validate the type of next payload */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); goto end; } @@ -929,7 +881,7 @@ ident_i4recv(iph1, msg0) switch (pa->type) { case ISAKMP_NPTYPE_ID: if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process ID payload"); goto end; } @@ -939,7 +891,7 @@ ident_i4recv(iph1, msg0) break; case ISAKMP_NPTYPE_CERT: if (oakley_savecert(iph1, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process CERT payload"); goto end; } 
@@ -947,21 +899,12 @@ ident_i4recv(iph1, msg0) break; case ISAKMP_NPTYPE_SIG: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process SIG payload"); goto end; } break; -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to process GSS payload"); - goto end; - } - gssapi_save_received_token(iph1, gsstoken); - break; -#endif + case ISAKMP_NPTYPE_VID: vid_numeric = check_vendorid(pa->ptr); #ifdef ENABLE_DPD @@ -974,7 +917,7 @@ ident_i4recv(iph1, msg0) break; default: /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); 
@@ -990,45 +933,37 @@ ident_i4recv(iph1, msg0) /* verify identifier */ if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "invalid ID payload.\n"); goto end; } /* validate authentication value */ -#ifdef HAVE_GSSAPI - if (gsstoken == NULL) { -#endif - type = oakley_validate_auth(iph1); - if (type != 0) { - IPSECSESSIONTRACEREVENT(iph1->parent_session, - IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL, - CONSTSTR("Initiator, Main-Mode Message 6"), - CONSTSTR("Failed to authenticate Main-Mode Message 6")); - if (type == -1) { - /* msg printed inner oakley_validate_auth() */ - goto end; - } - EVT_PUSH(iph1->local, iph1->remote, - EVTT_PEERPH1AUTH_FAILED, NULL); - isakmp_info_send_n1(iph1, type, NULL); - goto end; - } - IPSECSESSIONTRACEREVENT(iph1->parent_session, - IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC, - CONSTSTR("Initiator, Main-Mode Message 6"), - CONSTSTR(NULL)); -#ifdef HAVE_GSSAPI - } -#endif + type = oakley_validate_auth(iph1); + if (type != 0) { + IPSECSESSIONTRACEREVENT(iph1->parent_session, + IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL, + CONSTSTR("Initiator, Main-Mode Message 6"), + CONSTSTR("Failed to authenticate Main-Mode Message 6")); + if (type == -1) { + /* msg printed inner oakley_validate_auth() */ + goto end; + } + isakmp_info_send_n1(iph1, type, NULL); + goto end; + } + IPSECSESSIONTRACEREVENT(iph1->parent_session, + IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC, + CONSTSTR("Initiator, Main-Mode Message 6"), + CONSTSTR(NULL)); + /* * XXX: Should we do compare two addresses, ph1handle's and ID * payload's. */ - plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID:"); - plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l); + plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID:"); /* see handler.h about IV synchronization. */ memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l); 
@@ -1036,12 +971,7 @@ ident_i4recv(iph1, msg0) /* * If we got a GSS token, we need to this roundtrip again. */ -#ifdef HAVE_GSSAPI - iph1->status = gsstoken != 0 ? PHASE1ST_MSG3RECEIVED : - PHASE1ST_MSG4RECEIVED; -#else - iph1->status = PHASE1ST_MSG4RECEIVED; -#endif + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG6RCVD); error = 0; @@ -1061,10 +991,6 @@ end: vfree(pbuf); if (msg) vfree(msg); -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif if (error) { VPTRINIT(iph1->id_p); @@ -1082,23 +1008,23 @@ end: * status update and establish isakmp sa. */ int -ident_i4send(iph1, msg) - struct ph1handle *iph1; +ident_ifinalize(iph1, msg) + phase1_handle_t *iph1; vchar_t *msg; { int error = -1; - /* validity check */ - if (iph1->status != PHASE1ST_MSG4RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); + /* validity check */ + if (iph1->status != IKEV1_STATE_IDENT_I_MSG6RCVD) { + plog(ASL_LEVEL_ERR, + "status mismatched %d.\n", iph1->status); goto end; } /* see handler.h about IV synchronization. */ memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); - iph1->status = PHASE1ST_ESTABLISHED; + fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED); IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC, @@ -1120,7 +1046,7 @@ end: */ int ident_r1recv(iph1, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *msg; { vchar_t *pbuf = NULL; @@ -1129,8 +1055,8 @@ ident_r1recv(iph1, msg) int vid_numeric; /* validity check */ - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph1->status != IKEV1_STATE_IDENT_R_START) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph1->status); goto end; } @@ -1141,7 +1067,7 @@ ident_r1recv(iph1, msg) */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); goto end; } 
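Review bot: The comment `/* If we got a GSS token, we need to this roundtrip again. */` directly above the new `fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG6RCVD);` describes the removed HAVE_GSSAPI branch; the state is now set unconditionally, so the comment is stale. Replace it with `/* Main-Mode message 6 verified; advance the initiator state machine. */`. The responder counterpart at L603 probably carries the same leftover above its `fsm_set_state` (the lines just above it are outside that hunk); confirm and fix it too.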
@@ -1149,14 +1075,14 @@ ident_r1recv(iph1, msg) /* check the position of SA payload */ if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "received invalid next payload type %d, " "expecting %d.\n", pa->type, ISAKMP_NPTYPE_SA); goto end; } if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process SA payload"); goto end; } @@ -1196,7 +1122,7 @@ ident_r1recv(iph1, msg) #ifdef ENABLE_FRAG if ((vid_numeric == VENDORID_FRAG) && (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "remote supports FRAGMENTATION\n"); iph1->frag = 1; } @@ -1210,7 +1136,7 @@ ident_r1recv(iph1, msg) * the re-sent packet. And we do same behavior * when we expect encrypted packet. */ - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); @@ -1220,7 +1146,7 @@ ident_r1recv(iph1, msg) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) { - plog(LLV_INFO, LOCATION, iph1->remote, + plog(ASL_LEVEL_INFO, "Selected NAT-T version: %s\n", vid_string_by_id(iph1->natt_options->version)); ike_session_update_natt_version(iph1); @@ -1229,13 +1155,13 @@ ident_r1recv(iph1, msg) /* check SA payload and set approval SA for use */ if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "failed to get valid proposal.\n"); /* XXX send information */ goto end; } - iph1->status = PHASE1ST_MSG1RECEIVED; + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG1RCVD); error = 0; @@ -1268,16 +1194,13 @@ end: * rev: HDR, SA */ int -ident_r1send(iph1, msg) - struct ph1handle *iph1; +ident_r2send(iph1, msg) + phase1_handle_t *iph1; vchar_t *msg; { struct payload_list *plist = NULL; int error = -1; vchar_t *gss_sa = NULL; -#ifdef HAVE_GSSAPI - int free_gss_sa = 0; -#endif #ifdef ENABLE_NATT vchar_t *vid_natt = NULL; #endif 
@@ -1293,32 +1216,24 @@ ident_r1send(iph1, msg) #endif /* validity check */ - if (iph1->status != PHASE1ST_MSG1RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph1->status != IKEV1_STATE_IDENT_R_MSG1RCVD) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph1->status); goto end; } /* set responder's cookie */ isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); - -#ifdef HAVE_GSSAPI - if (iph1->approval->gssid != NULL) { - gss_sa = ipsecdoi_setph1proposal(iph1->approval); - if (gss_sa != iph1->sa_ret) - free_gss_sa = 1; - } else -#endif - gss_sa = iph1->sa_ret; + gss_sa = iph1->sa_ret; /* set SA payload to reply */ plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA); #ifdef ENABLE_HYBRID if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { - plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); + plog (ASL_LEVEL_INFO, "Adding xauth VID payload.\n"); if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot create Xauth vendor ID\n"); goto end; } @@ -1328,7 +1243,7 @@ ident_r1send(iph1, msg) if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot create Unity vendor ID\n"); goto end; } @@ -1359,7 +1274,7 @@ ident_r1send(iph1, msg) vid_frag = isakmp_frag_addcap(vid_frag, VENDORID_FRAG_IDENT); if (vid_frag == NULL) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Frag vendorID construction failed\n"); else plist = isakmp_plist_append(plist, 
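Review bot: `gss_sa = iph1->sa_ret;` leaves `gss_sa` as a plain alias now that the HAVE_GSSAPI branch that could point it at a separately built proposal is gone (its declaration `vchar_t *gss_sa = NULL;` is context in the previous hunk at L593, where `free_gss_sa` was removed). The name implies an ownership case that no longer exists; drop the variable and write `plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);`. ident_r2send starts at L593 and continues past this hunk.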
@@ -1376,20 +1291,20 @@ ident_r1send(iph1, msg) /* send the packet, add to the schedule to resend */ iph1->retry_counter = iph1->rmconf->retry_counter; if (isakmp_ph1resend(iph1) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, + PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); goto end; } - iph1->status = PHASE1ST_MSG1SENT; + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG2SENT); #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL); @@ -1409,10 +1324,6 @@ end: CONSTSTR("Responder, Main-Mode Message 2"), CONSTSTR("Failed to transmit Main-Mode Message 2")); } -#ifdef HAVE_GSSAPI - if (free_gss_sa) - vfree(gss_sa); -#endif #ifdef ENABLE_NATT if (vid_natt) vfree(vid_natt); @@ -1445,23 +1356,20 @@ end: * Ke_i, [<Ke_i] */ int -ident_r2recv(iph1, msg) - struct ph1handle *iph1; +ident_r3recv(iph1, msg) + phase1_handle_t *iph1; vchar_t *msg; { vchar_t *pbuf = NULL; struct isakmp_parse_t *pa; int error = -1; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif #ifdef ENABLE_NATT int natd_seq = 0; #endif /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph1->status != IKEV1_STATE_IDENT_R_MSG2SENT) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph1->status); goto end; } @@ -1469,7 +1377,7 @@ ident_r2recv(iph1, msg) /* validate the type of next payload */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); goto end; } 
@@ -1480,14 +1388,14 @@ ident_r2recv(iph1, msg) switch (pa->type) { case ISAKMP_NPTYPE_KE: if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process KE payload"); goto end; } break; case ISAKMP_NPTYPE_NONCE: if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process NONCE payload"); goto end; } @@ -1496,20 +1404,10 @@ ident_r2recv(iph1, msg) (void)check_vendorid(pa->ptr); break; case ISAKMP_NPTYPE_CR: - plog(LLV_WARNING, LOCATION, iph1->remote, + plog(ASL_LEVEL_WARNING, "CR received, ignore it. " "It should be in other exchange.\n"); break; -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to process GSS payload"); - goto end; - } - gssapi_save_received_token(iph1, gsstoken); - break; -#endif #ifdef ENABLE_NATT case ISAKMP_NPTYPE_NATD_DRAFT: @@ -1522,7 +1420,7 @@ ident_r2recv(iph1, msg) int natd_verified; if (isakmp_p2ph (&natd_received, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process NATD payload"); goto end; } @@ -1533,7 +1431,7 @@ ident_r2recv(iph1, msg) natd_verified = natt_compare_addr_hash (iph1, natd_received, natd_seq++); - plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", + plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n", natd_seq - 1, natd_verified ? "verified" : "doesn't match"); @@ -1547,7 +1445,7 @@ ident_r2recv(iph1, msg) default: /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); 
@@ -1557,7 +1455,7 @@ ident_r2recv(iph1, msg) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) - plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", + plog (ASL_LEVEL_INFO, "NAT %s %s%s\n", iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", @@ -1566,12 +1464,12 @@ ident_r2recv(iph1, msg) /* payload existency check */ if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "few isakmp message received.\n"); goto end; } - iph1->status = PHASE1ST_MSG2RECEIVED; + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG3RCVD); error = 0; @@ -1589,10 +1487,6 @@ end: } if (pbuf) vfree(pbuf); -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif if (error) { VPTRINIT(iph1->dhpub_p); @@ -1612,15 +1506,15 @@ end: * rev: HDR, PubKey_i, Ke_r, Ke_r, */ int -ident_r2send(iph1, msg) - struct ph1handle *iph1; +ident_r4send(iph1, msg) + phase1_handle_t *iph1; vchar_t *msg; { int error = -1; /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph1->status != IKEV1_STATE_IDENT_R_MSG3RCVD) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph1->status); goto end; } @@ -1633,7 +1527,7 @@ ident_r2send(iph1, msg) if (oakley_dh_generate(iph1->approval->dhgrp, &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) { #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate DH"); goto end; } 
@@ -1641,20 +1535,15 @@ ident_r2send(iph1, msg) /* generate NONCE value */ iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); if (iph1->nonce == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate NONCE"); goto end; } -#ifdef HAVE_GSSAPI - if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) - gssapi_get_rtoken(iph1, NULL); -#endif - /* create HDR;KE;NONCE payload */ iph1->sendbuf = ident_ir2mx(iph1); if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate send buffer"); goto end; } @@ -1666,15 +1555,15 @@ ident_r2send(iph1, msg) /* send the packet, add to the schedule to resend */ iph1->retry_counter = iph1->rmconf->retry_counter; if (isakmp_ph1resend(iph1) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, + PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); goto end; } 
@@ -1684,36 +1573,36 @@ ident_r2send(iph1, msg) if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { #else - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) { + if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) { #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute DH"); goto end; } /* generate SKEYIDs & IV & final cipher key */ if (oakley_skeyid(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate SKEYID"); goto end; } if (oakley_skeyid_dae(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate SKEYID-DAE"); goto end; } if (oakley_compute_enckey(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate ENCKEY"); goto end; } if (oakley_newiv(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate IV"); goto end; } - iph1->status = PHASE1ST_MSG2SENT; + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG4SENT); error = 0; @@ -1741,8 +1630,8 @@ end: * rev: HDR*, HASH_I */ int -ident_r3recv(iph1, msg0) - struct ph1handle *iph1; +ident_r5recv(iph1, msg0) + phase1_handle_t *iph1; vchar_t *msg0; { vchar_t *msg = NULL; 
@@ -1750,28 +1639,25 @@ ident_r3recv(iph1, msg0) struct isakmp_parse_t *pa; int error = -1; int type; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif int received_cert = 0; /* validity check */ - if (iph1->status != PHASE1ST_MSG2SENT) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph1->status != IKEV1_STATE_IDENT_R_MSG4SENT) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph1->status); goto end; } /* decrypting */ if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "reject the packet, " "expecting the packet encrypted.\n"); goto end; } msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive); if (msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to decrypt"); goto end; } @@ -1779,7 +1665,7 @@ ident_r3recv(iph1, msg0) /* validate the type of next payload */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); goto end; } @@ -1793,7 +1679,7 @@ ident_r3recv(iph1, msg0) switch (pa->type) { case ISAKMP_NPTYPE_ID: if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process ID payload"); goto end; } @@ -1803,14 +1689,14 @@ ident_r3recv(iph1, msg0) break; case ISAKMP_NPTYPE_CR: if (oakley_savecr(iph1, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process CR payload"); goto end; } break; case ISAKMP_NPTYPE_CERT: if (oakley_savecert(iph1, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process CERT payload"); goto end; } 
@@ -1818,21 +1704,11 @@ ident_r3recv(iph1, msg0) break; case ISAKMP_NPTYPE_SIG: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process SIG payload"); goto end; } break; -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to process GSS payload"); - goto end; - } - gssapi_save_received_token(iph1, gsstoken); - break; -#endif case ISAKMP_NPTYPE_VID: (void)check_vendorid(pa->ptr); break; @@ -1841,7 +1717,7 @@ ident_r3recv(iph1, msg0) break; default: /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); @@ -1863,16 +1739,13 @@ ident_r3recv(iph1, msg0) #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: #endif if (iph1->id_p == NULL || iph1->pl_hash == NULL) ng++; break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: case OAKLEY_ATTR_AUTH_METHOD_RSASIG: #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: #endif if (iph1->id_p == NULL || iph1->sig_p == NULL) ng++; @@ -1886,20 +1759,14 @@ ident_r3recv(iph1, msg0) if (iph1->pl_hash == NULL) ng++; break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - if (gsstoken == NULL && iph1->pl_hash == NULL) - ng++; - break; -#endif default: - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "invalid authmethod %d why ?\n", iph1->approval->authmethod); goto end; } if (ng) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "few isakmp message received.\n"); goto end; } 
@@ -1907,37 +1774,30 @@ ident_r3recv(iph1, msg0) /* verify identifier */ if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "invalid ID payload.\n"); goto end; } /* validate authentication value */ -#ifdef HAVE_GSSAPI - if (gsstoken == NULL) { -#endif - type = oakley_validate_auth(iph1); - if (type != 0) { - IPSECSESSIONTRACEREVENT(iph1->parent_session, - IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL, - CONSTSTR("Responder, Main-Mode Message 5"), - CONSTSTR("Failed to authenticate Main-Mode Message 5")); - if (type == -1) { - /* msg printed inner oakley_validate_auth() */ - goto end; - } - EVT_PUSH(iph1->local, iph1->remote, - EVTT_PEERPH1AUTH_FAILED, NULL); - isakmp_info_send_n1(iph1, type, NULL); - goto end; - } - IPSECSESSIONTRACEREVENT(iph1->parent_session, - IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC, - CONSTSTR("Responder, Main-Mode Message 5"), - CONSTSTR(NULL)); -#ifdef HAVE_GSSAPI - } -#endif + + type = oakley_validate_auth(iph1); + if (type != 0) { + IPSECSESSIONTRACEREVENT(iph1->parent_session, + IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL, + CONSTSTR("Responder, Main-Mode Message 5"), + CONSTSTR("Failed to authenticate Main-Mode Message 5")); + if (type == -1) { + /* msg printed inner oakley_validate_auth() */ + goto end; + } + isakmp_info_send_n1(iph1, type, NULL); + goto end; + } + IPSECSESSIONTRACEREVENT(iph1->parent_session, + IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC, + CONSTSTR("Responder, Main-Mode Message 5"), + CONSTSTR(NULL)); if (oakley_checkcr(iph1) < 0) { /* Ignore this error in order to be interoperability. */ 
@@ -1949,19 +1809,12 @@ ident_r3recv(iph1, msg0) * payload's. */ - plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID\n"); - plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l); + plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID\n"); /* see handler.h about IV synchronization. */ memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l); -#ifdef HAVE_GSSAPI - iph1->status = gsstoken != NULL ? PHASE1ST_MSG2RECEIVED : - PHASE1ST_MSG3RECEIVED; -#else - iph1->status = PHASE1ST_MSG3RECEIVED; -#endif - + fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG5RCVD); error = 0; IPSECSESSIONTRACEREVENT(iph1->parent_session, @@ -1980,10 +1833,6 @@ end: vfree(pbuf); if (msg) vfree(msg); -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif if (error) { VPTRINIT(iph1->id_p); @@ -2008,45 +1857,33 @@ end: * rev: HDR*, HASH_R */ int -ident_r3send(iph1, msg) - struct ph1handle *iph1; +ident_r6send(iph1, msg) + phase1_handle_t *iph1; vchar_t *msg; { int error = -1; int dohash = 1; -#ifdef HAVE_GSSAPI - int len; -#endif /* validity check */ - if (iph1->status != PHASE1ST_MSG3RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph1->status != IKEV1_STATE_IDENT_R_MSG5RCVD) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph1->status); goto end; } /* make ID payload into isakmp status */ if (ipsecdoi_setid1(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set ID"); goto end; } -#ifdef HAVE_GSSAPI - if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB && - gssapi_more_tokens(iph1)) { - gssapi_get_rtoken(iph1, &len); - if (len != 0) - dohash = 0; - } -#endif - if (dohash) { /* generate HASH to send */ - plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n"); + plog(ASL_LEVEL_DEBUG, "generate HASH_R\n"); iph1->hash = oakley_ph1hash_common(iph1, GENERATE); if (iph1->hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate HASH"); goto end; } 
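Review bot: In ident_r6send, `int dohash = 1;` is now never cleared — the only writer was the removed HAVE_GSSAPI block — so `if (dohash) {` guards the HASH_R generation unconditionally. Remove the variable and the guard and de-indent the body (it continues into the next hunk at L604), or if the flag is kept for a future authentication method, say so in a comment at the declaration. ident_r6send's tail is outside this hunk.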
@@ -2059,22 +1896,22 @@ ident_r3send(iph1, msg) /* create HDR;ID;HASH payload */ iph1->sendbuf = ident_ir3mx(iph1); if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to create send buffer"); goto end; } /* send HDR;ID;HASH to responder */ if (isakmp_send(iph1, iph1->sendbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, + PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); goto end; } @@ -2082,7 +1919,7 @@ ident_r3send(iph1, msg) /* see handler.h about IV synchronization. */ memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l); - iph1->status = PHASE1ST_ESTABLISHED; + fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED); IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC, @@ -2123,7 +1960,7 @@ end: */ static vchar_t * ident_ir2mx(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { vchar_t *buf = 0; struct payload_list *plist = NULL; @@ -2131,9 +1968,6 @@ ident_ir2mx(iph1) vchar_t *cr = NULL; vchar_t *vid = NULL; int error = -1; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif #ifdef ENABLE_NATT vchar_t *natd[2] = { NULL, NULL }; #endif 
@@ -2141,33 +1975,22 @@ ident_ir2mx(iph1) /* create CR if need */ if (iph1->side == RESPONDER && iph1->rmconf->send_cr - && oakley_needcr(iph1->approval->authmethod) - && iph1->rmconf->peerscertfile == NULL) { + && oakley_needcr(iph1->approval->authmethod)) { need_cr = 1; cr = oakley_getcr(iph1); if (cr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get cr buffer.\n"); goto end; } } -#ifdef HAVE_GSSAPI - if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) - gssapi_get_token_to_send(iph1, &gsstoken); -#endif - /* create isakmp KE payload */ plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); /* create isakmp NONCE payload */ plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); -#ifdef HAVE_GSSAPI - if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) - plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS); -#endif - /* append vendor id, if needed */ if (vid) plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID); @@ -2178,21 +2001,21 @@ ident_ir2mx(iph1) #ifdef ENABLE_NATT /* generate and append NAT-D payloads */ - if (NATT_AVAILABLE(iph1) && iph1->status == PHASE1ST_MSG2RECEIVED) + if (NATT_AVAILABLE(iph1)) { if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); goto end; } if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); goto end; } - plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); + plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n"); /* old Apple version sends natd payloads in the wrong order */ if (iph1->natt_options->version == VENDORID_NATT_APPLE) { plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 
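Review bot: Dropping `&& iph1->rmconf->peerscertfile == NULL` from the CR condition means ident_ir2mx now requests the peer's certificate whenever send_cr is set and oakley_needcr() says the auth method needs one, even when a peer certificate was configured locally — assuming that field still exists after this commit; ident_ir3mx at L607 makes the same change. The `/* create CR if need */` comment should state the new rule, e.g. `/* Request the peer's certificate whenever the auth method uses one and send_cr is set. */`. The relaxed `if (NATT_AVAILABLE(iph1))` looks right now that the initiator and responder states have different names, but a comment noting that NAT-D payloads are appended in both roles' build of this message would spare the next reader the same check.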
@@ -2216,10 +2039,6 @@ end: } if (cr) vfree(cr); -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif if (vid) vfree(vid); @@ -2250,7 +2069,7 @@ end: */ static vchar_t * ident_ir3mx(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { struct payload_list *plist = NULL; vchar_t *buf = NULL, *new = NULL; @@ -2258,11 +2077,6 @@ ident_ir3mx(iph1) int need_cert = 0; vchar_t *cr = NULL; int error = -1; -#ifdef HAVE_GSSAPI - int nptype; - vchar_t *gsstoken = NULL; - vchar_t *gsshash = NULL; -#endif vchar_t *notp_ini = NULL; switch (AUTHMETHOD(iph1)) { @@ -2271,7 +2085,6 @@ ident_ir3mx(iph1) case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: #endif /* create isakmp ID payload */ plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); @@ -2279,24 +2092,20 @@ ident_ir3mx(iph1) /* create isakmp HASH payload */ plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: case OAKLEY_ATTR_AUTH_METHOD_RSASIG: #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: #endif if (oakley_getmycert(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get mycert"); goto end; } if (oakley_getsign(iph1) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get sign"); goto end; } 
@@ -2304,12 +2113,11 @@ ident_ir3mx(iph1) /* create CR if need */ if (iph1->side == INITIATOR && iph1->rmconf->send_cr - && oakley_needcr(iph1->approval->authmethod) - && iph1->rmconf->peerscertfile == NULL) { + && oakley_needcr(iph1->approval->authmethod)) { need_cr = 1; cr = oakley_getcr(iph1); if (cr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get CR"); goto end; } @@ -2332,32 +2140,7 @@ ident_ir3mx(iph1) if (need_cr) plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR); break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - if (iph1->hash != NULL) { - gsshash = gssapi_wraphash(iph1); - if (gsshash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to generate GSSAPI HASH"); - goto end; - } - } else { - gssapi_get_token_to_send(iph1, &gsstoken); - } - - if (!gssapi_id_sent(iph1)) { - /* create isakmp ID payload */ - plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); - gssapi_set_id_sent(iph1); - } - if (iph1->hash != NULL) - /* create isakmp HASH payload */ - plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH); - else - plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS); - break; -#endif case OAKLEY_ATTR_AUTH_METHOD_RSAENC: case OAKLEY_ATTR_AUTH_METHOD_RSAREV: #ifdef ENABLE_HYBRID @@ -2366,12 +2149,12 @@ ident_ir3mx(iph1) case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "not supported authentication type %d\n", iph1->approval->authmethod); goto end; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid authentication type %d\n", iph1->approval->authmethod); goto end; @@ -2390,7 +2173,7 @@ ident_ir3mx(iph1) /* encoding */ new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to encrypt"); goto end; } 
@@ -2402,10 +2185,6 @@ ident_ir3mx(iph1) error = 0; end: -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif if (cr) vfree(cr); if (error && buf != NULL) {
diff --git a/ipsec-tools/racoon/isakmp_ident.h b/ipsec-tools/racoon/isakmp_ident.h
index 38fb875..4907adb 100644
--- a/ipsec-tools/racoon/isakmp_ident.h
+++ b/ipsec-tools/racoon/isakmp_ident.h
@@ -32,19 +32,21 @@
 #ifndef _ISAKMP_IDENT_H
 #define _ISAKMP_IDENT_H
 
-extern int ident_i1send __P((struct ph1handle *, vchar_t *));
-extern int ident_i2recv __P((struct ph1handle *, vchar_t *));
-extern int ident_i2send __P((struct ph1handle *, vchar_t *));
-extern int ident_i3recv __P((struct ph1handle *, vchar_t *));
-extern int ident_i3send __P((struct ph1handle *, vchar_t *));
-extern int ident_i4recv __P((struct ph1handle *, vchar_t *));
-extern int ident_i4send __P((struct ph1handle *, vchar_t *));
+#include "racoon_types.h"
 
-extern int ident_r1recv __P((struct ph1handle *, vchar_t *));
-extern int ident_r1send __P((struct ph1handle *, vchar_t *));
-extern int ident_r2recv __P((struct ph1handle *, vchar_t *));
-extern int ident_r2send __P((struct ph1handle *, vchar_t *));
-extern int ident_r3recv __P((struct ph1handle *, vchar_t *));
-extern int ident_r3send __P((struct ph1handle *, vchar_t *));
+extern int ident_i1send (phase1_handle_t *, vchar_t *);
+extern int ident_i2recv (phase1_handle_t *, vchar_t *);
+extern int ident_i3send (phase1_handle_t *, vchar_t *);
+extern int ident_i4recv (phase1_handle_t *, vchar_t *);
+extern int ident_i5send (phase1_handle_t *, vchar_t *);
+extern int ident_i6recv (phase1_handle_t *, vchar_t *);
+extern int ident_ifinalize (phase1_handle_t *, vchar_t *);
+
+extern int ident_r1recv (phase1_handle_t *, vchar_t *);
+extern int ident_r2send (phase1_handle_t *, vchar_t *);
+extern int ident_r3recv (phase1_handle_t *, vchar_t *);
+extern int ident_r4send (phase1_handle_t *, vchar_t *);
+extern int ident_r5recv (phase1_handle_t *, vchar_t *);
+extern int ident_r6send (phase1_handle_t *, vchar_t *);
 
 #endif /* _ISAKMP_IDENT_H */
diff --git a/ipsec-tools/racoon/isakmp_inf.c b/ipsec-tools/racoon/isakmp_inf.c
index e1f078a..a587087 100644
--- a/ipsec-tools/racoon/isakmp_inf.c
+++ b/ipsec-tools/racoon/isakmp_inf.c
@@ -32,12 +32,13 @@ */ #include "config.h" +#include "racoon_types.h" #include #include #include -#include +#include #include #include #ifndef HAVE_NETINET6_IPSEC @@ -73,6 +74,9 @@ #include "misc.h" #include "plog.h" #include "debug.h" +#include "fsm.h" +#include "session.h" +#include "ike_session.h" #include "localconf.h" #include "remoteconf.h" @@ -81,7 +85,6 @@ #include "policy.h" #include "proposal.h" #include "isakmp_var.h" -#include "evt.h" #include "isakmp.h" #ifdef ENABLE_HYBRID #include "isakmp_xauth.h" @@ -89,6 +92,7 @@ #include "isakmp_cfg.h" #endif #include "isakmp_inf.h" +#include "ikev2_info_rfc.h" #include "oakley.h" #include "ipsec_doi.h" #include "crypto_openssl.h" @@ -96,7 +100,6 @@ #include "policy.h" #include "algorithm.h" #include "proposal.h" -#include "admin.h" #include "strnames.h" #ifdef ENABLE_NATT #include "nattraversal.h" 
@@ -108,37 +111,31 @@ #include "ipsecMessageTracer.h" /* information exchange */ -static int isakmp_info_recv_n (struct ph1handle *, struct isakmp_pl_n *, u_int32_t, int); -static int isakmp_info_recv_d (struct ph1handle *, struct isakmp_pl_d *, u_int32_t, int); +static int isakmp_info_recv_n (phase1_handle_t *, struct isakmp_pl_n *, u_int32_t, int); +static int isakmp_info_recv_d (phase1_handle_t *, struct isakmp_pl_d *, u_int32_t, int); #ifdef ENABLE_DPD -static int isakmp_info_recv_r_u __P((struct ph1handle *, - struct isakmp_pl_ru *, u_int32_t)); -static int isakmp_info_recv_r_u_ack __P((struct ph1handle *, - struct isakmp_pl_ru *, u_int32_t)); +static int isakmp_info_recv_r_u (phase1_handle_t *, struct isakmp_pl_ru *, u_int32_t); +static int isakmp_info_recv_r_u_ack (phase1_handle_t *, struct isakmp_pl_ru *, u_int32_t); #endif #ifdef ENABLE_VPNCONTROL_PORT -static int isakmp_info_recv_lb __P((struct ph1handle *, struct isakmp_pl_lb *lb, int)); +static int isakmp_info_recv_lb (phase1_handle_t *, struct isakmp_pl_lb *lb, int); #endif -//static void purge_isakmp_spi __P((int, isakmp_index *, size_t)); -static void info_recv_initialcontact __P((struct ph1handle *)); - static int -isakmp_ph1_responder_lifetime (struct ph1handle *iph1, - struct isakmp_pl_resp_lifetime *notify) +isakmp_ph1_responder_lifetime (phase1_handle_t *iph1, struct isakmp_pl_resp_lifetime *notify) { char *spi; if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "invalid spi_size in notification payload.\n"); return -1; } spi = val2str((char *)(notify + 1), notify->spi_size); - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "notification message ISAKMP-SA RESPONDER-LIFETIME, " "doi=%d proto_id=%d spi=%s(size=%d).\n", ntohl(notify->doi), notify->proto_id, spi, notify->spi_size); 
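Review bot: The forward declaration `static void info_recv_initialcontact __P((struct ph1handle *));` is dropped outright rather than converted like the other prototypes in this hunk. If the function is still defined later in isakmp_inf.c and called above its definition (it was historically reached from the notify handler), the call becomes an implicit declaration, which C99 and later reject; if the commit removed the function, this is fine. Confirm which, and if it survives keep it as `static void info_recv_initialcontact (phase1_handle_t *);`. The tail of isakmp_ph1_responder_lifetime is outside this hunk.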
@@ -158,19 +155,18 @@ isakmp_ph1_responder_lifetime (struct ph1handle *iph1, } static int -isakmp_ph2_responder_lifetime (struct ph2handle *iph2, - struct isakmp_pl_resp_lifetime *notify) +isakmp_ph2_responder_lifetime (phase2_handle_t *iph2, struct isakmp_pl_resp_lifetime *notify) { char *spi; if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) { - plog(LLV_ERROR, LOCATION, iph2->dst, + plog(ASL_LEVEL_ERR, "invalid spi_size in notification payload.\n"); return -1; } spi = val2str((char *)(notify + 1), notify->spi_size); - plog(LLV_DEBUG, LOCATION, iph2->dst, + plog(ASL_LEVEL_DEBUG, "notification message IPSEC-SA RESPONDER-LIFETIME, " "doi=%d proto_id=%d spi=%s(size=%d).\n", ntohl(notify->doi), notify->proto_id, spi, notify->spi_size); @@ -188,9 +184,7 @@ isakmp_ph2_responder_lifetime (struct ph2handle *iph2, * receive Information */ int -isakmp_info_recv(iph1, msg0) - struct ph1handle *iph1; - vchar_t *msg0; +isakmp_info_recv(phase1_handle_t *iph1, vchar_t *msg0) { vchar_t *msg = NULL; vchar_t *pbuf = NULL; @@ -206,7 +200,7 @@ isakmp_info_recv(iph1, msg0) int encrypted; int flag = 0; - plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n"); + plog(ASL_LEVEL_DEBUG, "receive Information.\n"); encrypted = ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E); msgid = ((struct isakmp *)msg0->v)->msgid; @@ -216,7 +210,7 @@ isakmp_info_recv(iph1, msg0) struct isakmp_ivm *ivm; if (iph1->ivm == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "iph1->ivm == NULL\n"); + plog(ASL_LEVEL_ERR, "iph1->ivm == NULL\n"); IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, CONSTSTR("Information message"), @@ -227,7 +221,7 @@ isakmp_info_recv(iph1, msg0) /* compute IV */ ivm = oakley_newiv2(iph1, ((struct isakmp *)msg0->v)->msgid); if (ivm == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute IV\n"); IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 
@@ -239,7 +233,7 @@ isakmp_info_recv(iph1, msg0) msg = oakley_do_decrypt(iph1, msg0, ivm->iv, ivm->ive); oakley_delivm(ivm); if (msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to decrypt packet\n"); IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, @@ -253,7 +247,7 @@ isakmp_info_recv(iph1, msg0) /* Safety check */ if (msg->l < sizeof(*isakmp) + sizeof(*gen)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ignore information because the " "message is way too short\n"); goto end; @@ -265,15 +259,15 @@ isakmp_info_recv(iph1, msg0) if (encrypted) { if (isakmp->np != ISAKMP_NPTYPE_HASH) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ignore information because the " "message has no hash payload.\n"); goto end; } - if (iph1->status != PHASE1ST_ESTABLISHED && + if (!FSM_STATE_IS_ESTABLISHED(iph1->status) && (!iph1->approval || !iph1->skeyid_a)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ignore information because ISAKMP-SA " "has not been established yet.\n"); goto end; @@ -281,7 +275,7 @@ isakmp_info_recv(iph1, msg0) /* Safety check */ if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ignore information because the " "message is too short\n"); goto end; @@ -293,20 +287,20 @@ isakmp_info_recv(iph1, msg0) /* nd length check */ if (ntohs(nd->len) > msg->l - (sizeof(struct isakmp) + ntohs(gen->len))) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "too long payload length (broken message?)\n"); goto end; } if (ntohs(nd->len) < sizeof(*nd)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "too short payload length (broken message?)\n"); goto end; } payload = vmalloc(ntohs(nd->len)); if (payload == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot allocate memory\n"); goto end; } 
@@ -316,7 +310,7 @@ isakmp_info_recv(iph1, msg0) /* compute HASH */ hash = oakley_compute_hash1(iph1, isakmp->msgid, payload); if (hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot compute hash\n"); vfree(payload); @@ -324,7 +318,7 @@ isakmp_info_recv(iph1, msg0) } if (ntohs(gen->len) - sizeof(struct isakmp_gen) != hash->l) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ignore information due to hash length mismatch\n"); vfree(hash); @@ -333,7 +327,7 @@ isakmp_info_recv(iph1, msg0) } if (memcmp(p, hash->v, hash->l) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ignore information due to hash mismatch\n"); vfree(hash); @@ -341,23 +335,30 @@ isakmp_info_recv(iph1, msg0) goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "hash validated.\n"); + plog(ASL_LEVEL_DEBUG, "hash validated.\n"); vfree(hash); vfree(payload); } else { - /* make sure the packet was encrypted after the beginning of phase 1. */ + /* make sure phase 1 was not yet at encrypted state */ switch (iph1->etype) { case ISAKMP_ETYPE_AGG: - case ISAKMP_ETYPE_BASE: + // %%%%% should also check for unity/mode cfg - last pkt is encrypted in such cases + if (!FSM_STATE_IS_ESTABLISHED(iph1->status) && + ((iph1->side == INITIATOR && iph1->status == IKEV1_STATE_AGG_I_MSG3SENT) || + (iph1->side == RESPONDER && iph1->status == IKEV1_STATE_AGG_R_MSG3RCVD))) { + break; + } case ISAKMP_ETYPE_IDENT: - if ((iph1->side == INITIATOR && iph1->status < PHASE1ST_MSG3SENT) - || (iph1->side == RESPONDER && iph1->status < PHASE1ST_MSG2SENT)) { + if (!FSM_STATE_IS_ESTABLISHED(iph1->status) && + ((iph1->side == INITIATOR && (iph1->status == IKEV1_STATE_IDENT_I_MSG5SENT + || iph1->status == IKEV1_STATE_IDENT_I_MSG6RCVD)) || + (iph1->side == RESPONDER && (iph1->status == IKEV1_STATE_IDENT_R_MSG5RCVD)))) { break; } /*FALLTHRU*/ default: - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "%s message must be encrypted\n", s_isakmp_nptype(np)); error = 0; 
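Review bot: The `ISAKMP_ETYPE_AGG` case now drops into the `ISAKMP_ETYPE_IDENT` case with no `/*FALLTHRU*/` marker, so an aggressive-mode handle that fails its own state test is re-evaluated against main-mode state constants before reaching the reject in `default`; either mark it or add a comment stating that the second test cannot match for an aggressive-mode handle. The new header comment says "make sure phase 1 was not yet at encrypted state", yet the states that now admit a plaintext Informational — `IKEV1_STATE_IDENT_I_MSG5SENT`, `IKEV1_STATE_IDENT_I_MSG6RCVD`, `IKEV1_STATE_IDENT_R_MSG5RCVD` — are by name the ones where main-mode messages 5/6, the encrypted ones, have already been exchanged, whereas the removed code accepted plaintext only before `PHASE1ST_MSG3SENT`/`PHASE1ST_MSG2SENT`. A plaintext Notify or Delete carries no HASH and is unauthenticated, so the accepted window should be exactly as wide as the exchange needs; if the intent is to accept a peer's plaintext error Notify after it could not process our encrypted message, the comment should say so, and the aggressive-mode states (`IKEV1_STATE_AGG_I_MSG3SENT`, `IKEV1_STATE_AGG_R_MSG3RCVD`) should be checked against the same rationale. The `// %%%%%` line is a placeholder and should become a `TODO` naming the unity/mode-cfg gap. `isakmp_info_recv` starts and ends outside this hunk.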
@@ -366,7 +367,7 @@ isakmp_info_recv(iph1, msg0) } if (!(pbuf = isakmp_parse(msg))) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); error = -1; goto end; @@ -391,13 +392,13 @@ isakmp_info_recv(iph1, msg0) case ISAKMP_NPTYPE_NONCE: /* XXX to be 6.4.2 ike-01.txt */ /* XXX IV is to be synchronized. */ - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "ignore Acknowledged Informational\n"); break; default: /* don't send information, see isakmp_ident_r1() */ error = 0; - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "reject the packet, " "received unexpected payload type %s.\n", s_isakmp_nptype(gen->np)); @@ -431,11 +432,7 @@ end: * handling of Notification payload */ static int -isakmp_info_recv_n(iph1, notify, msgid, encrypted) - struct ph1handle *iph1; - struct isakmp_pl_n *notify; - u_int32_t msgid; - int encrypted; +isakmp_info_recv_n(phase1_handle_t *iph1, struct isakmp_pl_n *notify, u_int32_t msgid, int encrypted) { u_int type; vchar_t *ndata; 
@@ -490,26 +487,26 @@ isakmp_info_recv_n(iph1, notify, msgid, encrypted) type <= ISAKMP_NTYPE_MAXERROR) { if (msgid == 0) { /* don't think this realy deletes ph1 ? */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "delete phase1 handle.\n"); + plog(ASL_LEVEL_ERR, + "Delete Phase 1 handle.\n"); return -1; } else { - if (getph2bymsgid(iph1, msgid) == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "fatal %s notify messsage, " - "phase1 should be deleted.\n", + if (ike_session_getph2bymsgid(iph1, msgid) == NULL) { + plog(ASL_LEVEL_ERR, + "Fatal %s notify messsage, " + "Phase 1 should be deleted.\n", s_isakmp_notify_msg(type)); } else { - plog(LLV_ERROR, LOCATION, iph1->remote, - "fatal %s notify messsage, " - "phase2 should be deleted.\n", + plog(ASL_LEVEL_ERR, + "Fatal %s notify messsage, " + "Phase 2 should be deleted.\n", s_isakmp_notify_msg(type)); } } } else { - plog(LLV_ERROR, LOCATION, iph1->remote, - "unhandled notify message %s, " - "no phase2 handle found.\n", + plog(ASL_LEVEL_ERR, + "Unhandled notify message %s, " + "no Phase 2 handle found.\n", s_isakmp_notify_msg(type)); } } @@ -519,14 +516,14 @@ isakmp_info_recv_n(iph1, notify, msgid, encrypted) /* get spi if specified and allocate */ if(notify->spi_size > 0) { if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid spi_size in notification payload.\n"); + plog(ASL_LEVEL_ERR, + "Invalid spi_size in notification payload.\n"); return -1; } spi = val2str((char *)(notify + 1), notify->spi_size); - plog(LLV_DEBUG, LOCATION, iph1->remote, - "notification message %d:%s, " + plog(ASL_LEVEL_DEBUG, + "Notification message %d:%s, " "doi=%d proto_id=%d spi=%s(size=%d).\n", type, s_isakmp_notify_msg(type), ntohl(notify->doi), notify->proto_id, spi, notify->spi_size); 
@@ -543,12 +540,12 @@ isakmp_info_recv_n(iph1, notify, msgid, encrypted) nraw += sizeof(*notify) + notify->spi_size; if ((ndata = vmalloc(l)) != NULL) { memcpy(ndata->v, nraw, ndata->l); - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "Message: '%s'.\n", binsanitize(ndata->v, ndata->l)); vfree(ndata); } else { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); } } @@ -557,12 +554,8 @@ isakmp_info_recv_n(iph1, notify, msgid, encrypted) } #ifdef ENABLE_VPNCONTROL_PORT -static -void -isakmp_info_vpncontrol_notify_ike_failed (struct ph1handle *iph1, - int isakmp_info_initiator, - int type, - vchar_t *data) +static void +isakmp_info_vpncontrol_notify_ike_failed (phase1_handle_t *iph1, int isakmp_info_initiator, int type, vchar_t *data) { u_int32_t address; u_int32_t fail_reason; @@ -579,8 +572,10 @@ isakmp_info_vpncontrol_notify_ike_failed (struct ph1handle *iph1, if (premature) { fail_reason = VPNCTL_NTYPE_LOCAL_CERT_PREMATURE; + plog(ASL_LEVEL_NOTICE, ">>> Server reports client's certificate is pre-mature\n"); } else if (expired) { fail_reason = VPNCTL_NTYPE_LOCAL_CERT_EXPIRED; + plog(ASL_LEVEL_NOTICE, ">>> Server reports client's certificate is expired\n"); } else { fail_reason = type; } @@ -597,12 +592,16 @@ isakmp_info_vpncontrol_notify_ike_failed (struct ph1handle *iph1, if (premature) { fail_reason = VPNCTL_NTYPE_PEER_CERT_PREMATURE; + plog(ASL_LEVEL_NOTICE, ">>> Server's certificate is pre-mature\n"); } else if (expired) { fail_reason = VPNCTL_NTYPE_PEER_CERT_EXPIRED; + plog(ASL_LEVEL_NOTICE, ">>> Server's certificate is expired\n"); } else if (subjname) { fail_reason = VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJNAME; + plog(ASL_LEVEL_NOTICE, ">>> Server's certificate subject name not valid\n"); } else if (subjaltname) { fail_reason = VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJALTNAME; + plog(ASL_LEVEL_NOTICE, ">>> Server's certificate subject alternate name not valid\n"); } else { fail_reason = type; } 
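Review bot: The new NOTICE lines say `pre-mature` for a certificate whose validity period has not started; `not yet valid` is the term an operator will search for, e.g. `plog(ASL_LEVEL_NOTICE, ">>> Server's certificate is not yet valid\n");` and the matching client-side line. The other three added lines (expired, subject name, subject alternate name) read fine. `isakmp_info_vpncontrol_notify_ike_failed` continues past this hunk.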
@@ -618,21 +617,17 @@ isakmp_info_vpncontrol_notify_ike_failed (struct ph1handle *iph1, * handling of Deletion payload */ static int -isakmp_info_recv_d(iph1, delete, msgid, encrypted) - struct ph1handle *iph1; - struct isakmp_pl_d *delete; - u_int32_t msgid; - int encrypted; +isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t msgid, int encrypted) { int tlen, num_spi; - struct ph1handle *del_ph1; + phase1_handle_t *del_ph1; union { u_int32_t spi32; u_int16_t spi16[2]; } spi; if (ntohl(delete->doi) != IPSEC_DOI) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "delete payload with invalid doi:%d.\n", ntohl(delete->doi)); #ifdef ENABLE_HYBRID @@ -652,17 +647,17 @@ isakmp_info_recv_d(iph1, delete, msgid, encrypted) tlen = ntohs(delete->h.len) - sizeof(struct isakmp_pl_d); if (tlen != num_spi * delete->spi_size) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "deletion payload with invalid length.\n"); return 0; } - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "delete payload for protocol %s\n", s_ipsecdoi_proto(delete->proto_id)); if(!iph1->rmconf->weak_phase1_check && !encrypted) { - plog(LLV_WARNING, LOCATION, iph1->remote, + plog(ASL_LEVEL_WARNING, "Ignoring unencrypted delete payload " "(check the weak_phase1_check option)\n"); return 0; @@ -671,14 +666,14 @@ isakmp_info_recv_d(iph1, delete, msgid, encrypted) switch (delete->proto_id) { case IPSECDOI_PROTO_ISAKMP: if (delete->spi_size != sizeof(isakmp_index)) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "delete payload with strange spi " "size %d(proto_id:%d)\n", delete->spi_size, delete->proto_id); return 0; } - del_ph1=getph1byindex((isakmp_index *)(delete + 1)); + del_ph1 = ike_session_getph1byindex(iph1->parent_session, (isakmp_index *)(delete + 1)); if(del_ph1 != NULL){ // hack: start a rekey now, if one was pending (only for client). 
@@ -689,8 +684,6 @@ isakmp_info_recv_d(iph1, delete, msgid, encrypted) isakmp_ph1rekeyexpire(del_ph1, FALSE); } - EVT_PUSH(del_ph1->local, del_ph1->remote, - EVTT_PEERPH1_NOPROP, NULL); if (del_ph1->scr) SCHED_KILL(del_ph1->scr); @@ -700,7 +693,7 @@ isakmp_info_recv_d(iph1, delete, msgid, encrypted) */ #ifdef ENABLE_VPNCONTROL_PORT if (del_ph1->started_by_api || (del_ph1->is_rekey && del_ph1->parent_session && del_ph1->parent_session->is_client)) { - if (islast_ph1(del_ph1)) { + if (ike_session_islast_ph1(del_ph1)) { isakmp_info_vpncontrol_notify_ike_failed(del_ph1, FROM_REMOTE, VPNCTL_NTYPE_PH1_DELETE, NULL); } } @@ -712,16 +705,14 @@ isakmp_info_recv_d(iph1, delete, msgid, encrypted) case IPSECDOI_PROTO_IPSEC_AH: case IPSECDOI_PROTO_IPSEC_ESP: if (delete->spi_size != sizeof(u_int32_t)) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "delete payload with strange spi " "size %d(proto_id:%d)\n", delete->spi_size, delete->proto_id); return 0; } - EVT_PUSH(iph1->local, iph1->remote, - EVTT_PEER_DELETE, NULL); purge_ipsec_spi(iph1->remote, delete->proto_id, - ALIGNED_CAST(u_int32_t *)(delete + 1), num_spi); // Wcast-align fix (void*) - delete payload is aligned + ALIGNED_CAST(u_int32_t *)(delete + 1), num_spi, NULL, NULL); // Wcast-align fix (void*) - delete payload is aligned break; case IPSECDOI_PROTO_IPCOMP: 
@@ -733,25 +724,25 @@ isakmp_info_recv_d(iph1, delete, msgid, encrypted) } else if (delete->spi_size == sizeof(spi.spi32)) memcpy(&spi.spi32, delete + 1, sizeof(spi.spi32)); else { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "delete payload with strange spi " "size %d(proto_id:%d)\n", delete->spi_size, delete->proto_id); return 0; } purge_ipsec_spi(iph1->remote, delete->proto_id, - &spi.spi32, num_spi); + &spi.spi32, num_spi, NULL, NULL); break; default: - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "deletion message received, " "invalid proto_id: %d\n", delete->proto_id); return 0; } - plog(LLV_DEBUG, LOCATION, NULL, "purged SAs.\n"); + plog(ASL_LEVEL_DEBUG, "purged SAs.\n"); return 0; } @@ -760,15 +751,14 @@ isakmp_info_recv_d(iph1, delete, msgid, encrypted) * send Delete payload (for ISAKMP SA) in Informational exchange. */ int -isakmp_info_send_d1(iph1) - struct ph1handle *iph1; +isakmp_info_send_d1(phase1_handle_t *iph1) { struct isakmp_pl_d *d; vchar_t *payload = NULL; int tlen; int error = 0; - if (iph1->status != PHASE2ST_ESTABLISHED) + if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) return 0; /* create delete payload */ @@ -778,7 +768,7 @@ isakmp_info_send_d1(iph1) tlen = sizeof(*d) + sizeof(isakmp_index); payload = vmalloc(tlen); if (payload == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer for payload.\n"); return errno; } @@ -815,10 +805,9 @@ isakmp_info_send_d1(iph1) * pfkey msg. It sends always single SPI. */ int -isakmp_info_send_d2(iph2) - struct ph2handle *iph2; +isakmp_info_send_d2(phase2_handle_t *iph2) { - struct ph1handle *iph1; + phase1_handle_t *iph1; struct saproto *pr; struct isakmp_pl_d *d; vchar_t *payload = NULL; @@ -826,7 +815,7 @@ isakmp_info_send_d2(iph2) int error = 0; u_int8_t *spi; - if (iph2->status != PHASE2ST_ESTABLISHED) + if (!FSM_STATE_IS_ESTABLISHED(iph2->status)) return 0; /* 
@@ -835,7 +824,7 @@ isakmp_info_send_d2(iph2) */ iph1 = ike_session_get_established_ph1(iph2->parent_session); if (!iph1) { - iph1 = getph1byaddr(iph2->src, iph2->dst); + iph1 = ike_session_getph1byaddr(iph2->parent_session, iph2->src, iph2->dst); } if (iph1 == NULL){ IPSECSESSIONTRACEREVENT(iph2->parent_session, @@ -846,7 +835,7 @@ isakmp_info_send_d2(iph2) IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL, CONSTSTR("Delete IPSEC-SA"), CONSTSTR("Failed to transmit Delete-IPSEC-SA message")); - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "No ph1 handler found, could not send DELETE_SA\n"); return 0; } @@ -872,7 +861,7 @@ isakmp_info_send_d2(iph2) IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL, CONSTSTR("Delete IPSEC-SA"), CONSTSTR("Failed to transmit Delete-IPSEC-SA message")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer for payload.\n"); return errno; } @@ -913,23 +902,20 @@ isakmp_info_send_d2(iph2) } /* - * send Notification payload (for without ISAKMP SA) in Informational exchange + * send Notification payload (without ISAKMP SA) in an Informational exchange */ int -isakmp_info_send_nx(isakmp, remote, local, type, data) - struct isakmp *isakmp; - struct sockaddr_storage *remote, *local; - int type; - vchar_t *data; +isakmp_info_send_nx(struct isakmp *isakmp, struct sockaddr_storage *remote, struct sockaddr_storage *local, + int type, vchar_t *data) { - struct ph1handle *iph1 = NULL; + phase1_handle_t *iph1 = NULL; struct remoteconf *rmconf; vchar_t *payload = NULL; int tlen; int error = -1; struct isakmp_pl_n *n; int spisiz = 0; /* see below */ - ike_session_t *sess = ike_session_get_session(local, remote, FALSE); + ike_session_t *sess = ike_session_get_session(local, remote, FALSE); /* search appropreate configuration */ rmconf = getrmconf(remote); 
@@ -938,39 +924,28 @@ isakmp_info_send_nx(isakmp, remote, local, type, data) IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, CONSTSTR("Information message"), CONSTSTR("Failed to transmit Information message (no remote configuration)")); - plog(LLV_ERROR, LOCATION, remote, + plog(ASL_LEVEL_ERR, "no configuration found for peer address.\n"); goto end; } /* add new entry to isakmp status table. */ - iph1 = newph1(); + iph1 = ike_session_newph1(ISAKMP_VERSION_NUMBER_IKEV1); if (iph1 == NULL) { IPSECSESSIONTRACEREVENT(sess, IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, CONSTSTR("Information message"), - CONSTSTR("Failed to transmit Information message (no new phase1)")); - plog(LLV_ERROR, LOCATION, NULL, + CONSTSTR("Failed to transmit Information message (no new Phase 1)")); + plog(ASL_LEVEL_ERR, "failed to allocate ph1"); return -1; } memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(cookie_t)); isakmp_newcookie((char *)&iph1->index.r_ck, remote, local); - iph1->status = PHASE1ST_START; + fsm_set_state(&iph1->status, IKEV1_STATE_INFO); iph1->rmconf = rmconf; - if (link_rmconf_to_ph1(rmconf) < 0) { - IPSECSESSIONTRACEREVENT(sess, - IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, - CONSTSTR("Information message"), - CONSTSTR("Failed to transmit Information message (can't link remote configuration to phase1)")); - plog(LLV_ERROR, LOCATION, remote, - "couldn't link " - "configuration.\n"); - iph1->rmconf = NULL; - error = -1; - goto end; - } + retain_rmconf(iph1->rmconf); iph1->side = INITIATOR; iph1->version = isakmp->v; iph1->flags = 0; 
@@ -991,8 +966,8 @@ isakmp_info_send_nx(isakmp, remote, local, type, data) IPSECSESSIONTRACEREVENT(sess, IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, CONSTSTR("Information message"), - CONSTSTR("Failed to transmit Information Message (can't copy phase1 addresses)")); - plog(LLV_ERROR, LOCATION, NULL, + CONSTSTR("Failed to transmit Information Message (can't copy Phase 1 addresses)")); + plog(ASL_LEVEL_ERR, "failed to copy ph1 addresses"); error = -1; iph1 = NULL; /* deleted in copy_ph1addresses */ @@ -1008,7 +983,7 @@ isakmp_info_send_nx(isakmp, remote, local, type, data) IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, CONSTSTR("Information message"), CONSTSTR("Failed to transmit Information Message (can't allocate payload)")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); error = -1; goto end; @@ -1029,7 +1004,9 @@ isakmp_info_send_nx(isakmp, remote, local, type, data) #ifdef ENABLE_VPNCONTROL_PORT isakmp_info_vpncontrol_notify_ike_failed(iph1, FROM_LOCAL, type, data); #endif - + if (ike_session_link_phase1(sess, iph1)) + fatal_error(-1); + error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0); vfree(payload); if (error) { @@ -1046,19 +1023,16 @@ isakmp_info_send_nx(isakmp, remote, local, type, data) end: if (iph1 != NULL) - delph1(iph1); + ike_session_unlink_phase1(iph1); return error; } /* - * send Notification payload (for ISAKMP SA) in Informational exchange + * send Notification payload (with ISAKMP SA) in an Informational exchange */ int -isakmp_info_send_n1(iph1, type, data) - struct ph1handle *iph1; - int type; - vchar_t *data; +isakmp_info_send_n1(phase1_handle_t *iph1, int type, vchar_t *data) { vchar_t *payload = NULL; int tlen; 
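Review bot: `fatal_error(-1)` on a failed `ike_session_link_phase1(sess, iph1)` turns a per-peer failure into a daemon abort, and `sess` comes from `ike_session_get_session(local, remote, FALSE)` at the top of this function (outside this hunk) with no NULL check in between, so if that `FALSE` means "do not create", a peer without an existing session appears to reach this path. Because `isakmp_info_send_nx` exists to send a Notify when there is no ISAKMP SA — presumably while handling a peer's packet — an abort here is a remotely reachable availability problem; prefer `if (ike_session_link_phase1(sess, iph1)) { plog(ASL_LEVEL_ERR, "failed to link ph1 to session\n"); error = -1; goto end; }`. That in turn depends on `end:` in the next hunk, which now calls `ike_session_unlink_phase1(iph1)` for every non-NULL handle, including the earlier `goto end` paths (payload allocation failure) where the handle was never linked; confirm that helper tolerates an unlinked handle, or release such handles with the counterpart of `ike_session_newph1` on those paths.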
@@ -1091,7 +1065,7 @@ isakmp_info_send_n1(iph1, type, data) IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL, CONSTSTR("ISAKMP-SA"), CONSTSTR("Failed to transmit ISAKMP-SA message (can't allocate payload)")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); return errno; } @@ -1130,15 +1104,12 @@ isakmp_info_send_n1(iph1, type, data) } /* - * send Notification payload (for IPsec SA) in Informational exchange + * send Notification payload (with IPsec SA) in an Informational exchange */ int -isakmp_info_send_n2(iph2, type, data) - struct ph2handle *iph2; - int type; - vchar_t *data; +isakmp_info_send_n2(phase2_handle_t *iph2, int type, vchar_t *data) { - struct ph1handle *iph1 = iph2->ph1; + phase1_handle_t *iph1 = iph2->ph1; vchar_t *payload = NULL; int tlen; int error = 0; @@ -1160,7 +1131,7 @@ isakmp_info_send_n2(iph2, type, data) IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL, CONSTSTR("IPSEC-SA"), CONSTSTR("Failed to transmit IPSEC-SA message (can't allocate payload)")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); return errno; } @@ -1199,13 +1170,9 @@ isakmp_info_send_n2(iph2, type, data) * When ph1->skeyid_a == NULL, send message without encoding. */ int -isakmp_info_send_common(iph1, payload, np, flags) - struct ph1handle *iph1; - vchar_t *payload; - u_int32_t np; - int flags; +isakmp_info_send_common(phase1_handle_t *iph1, vchar_t *payload, u_int32_t np, int flags) { - struct ph2handle *iph2 = NULL; + phase2_handle_t *iph2 = NULL; vchar_t *hash = NULL; struct isakmp *isakmp; struct isakmp_gen *gen; 
@@ -1214,25 +1181,25 @@ isakmp_info_send_common(iph1, payload, np, flags) int error = -1; /* add new entry to isakmp status table */ - iph2 = newph2(); + iph2 = ike_session_newph2(ISAKMP_VERSION_NUMBER_IKEV1, PHASE2_TYPE_INFO); if (iph2 == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate ph2"); goto end; } - iph2->dst = dupsaddr((struct sockaddr *)iph1->remote); + iph2->dst = dupsaddr(iph1->remote); if (iph2->dst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to duplicate remote address"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } - iph2->src = dupsaddr((struct sockaddr *)iph1->local); + iph2->src = dupsaddr(iph1->local); if (iph2->src == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to duplicate local address"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } switch (iph1->remote->ss_family) { @@ -1251,32 +1218,31 @@ isakmp_info_send_common(iph1, payload, np, flags) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", iph1->remote->ss_family); - delph2(iph2); + ike_session_delph2(iph2); goto end; } - iph2->ph1 = iph1; iph2->side = INITIATOR; - iph2->status = PHASE2ST_START; + fsm_set_state(&iph2->status, IKEV1_STATE_INFO); iph2->msgid = isakmp_newmsgid2(iph1); /* get IV and HASH(1) if skeyid_a was generated. */ if (iph1->skeyid_a != NULL) { iph2->ivm = oakley_newiv2(iph1, iph2->msgid); if (iph2->ivm == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate IV"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } /* generate HASH(1) */ - hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, payload); + hash = oakley_compute_hash1(iph1, iph2->msgid, payload); if (hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate HASH"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } 
@@ -1295,15 +1261,14 @@ isakmp_info_send_common(iph1, payload, np, flags) else iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A); - insph2(iph2); - bindph12(iph1, iph2); + ike_session_link_ph2_to_ph1(iph1, iph2); tlen += sizeof(*isakmp) + payload->l; /* create buffer for isakmp payload */ iph2->sendbuf = vmalloc(tlen); if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); goto err; } @@ -1346,7 +1311,7 @@ isakmp_info_send_common(iph1, payload, np, flags) iph2->ivm->iv); VPTRINIT(iph2->sendbuf); if (tmp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to encrypt packet"); goto err; } @@ -1355,13 +1320,13 @@ isakmp_info_send_common(iph1, payload, np, flags) /* HDR*, HASH(1), N */ if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); VPTRINIT(iph2->sendbuf); goto err; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "sendto Information %s.\n", s_isakmp_nptype(np)); /* @@ -1391,9 +1356,7 @@ end: return error; err: - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); goto end; } @@ -1404,12 +1367,7 @@ err: * XXX Which is SPI to be included, inbound or outbound ? */ vchar_t * -isakmp_add_pl_n(buf0, np_p, type, pr, data) - vchar_t *buf0; - u_int8_t **np_p; - int type; - struct saproto *pr; - vchar_t *data; +isakmp_add_pl_n(vchar_t *buf0, u_int8_t **np_p, int type, struct saproto *pr, vchar_t *data) { vchar_t *buf = NULL; struct isakmp_pl_n *n; @@ -1429,7 +1387,7 @@ isakmp_add_pl_n(buf0, np_p, type, pr, data) } else buf = vmalloc(tlen); if (!buf) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get a payload buffer.\n"); return NULL; } 
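Review bot: `isakmp_send(iph2->ph1, iph2->sendbuf)` still reads `iph2->ph1`, which this function no longer assigns directly (the `iph2->ph1 = iph1` line was removed in an earlier hunk in favour of `ike_session_link_ph2_to_ph1`); the hash computation in that hunk was switched to `iph1` for the same reason, and `isakmp_send(iph1, iph2->sendbuf)` would remove the dependence on the helper setting the back-pointer. If the link helper is what sets `iph2->ph1`, the ordering works, but a one-line comment at the `ike_session_link_ph2_to_ph1` call saying so would help, e.g. `/* sets iph2->ph1 and registers iph2 under iph1 — later code relies on it */`. `isakmp_info_send_common` starts outside this hunk.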
@@ -1451,62 +1409,23 @@ isakmp_add_pl_n(buf0, np_p, type, pr, data) return buf; } -#if 0 -static void -purge_isakmp_spi(proto, spi, n) - int proto; - isakmp_index *spi; /*network byteorder*/ - size_t n; -{ - struct ph1handle *iph1; - size_t i; - - for (i = 0; i < n; i++) { - iph1 = getph1byindex(&spi[i]); - if (!iph1 || iph1->is_dying || iph1->status == PHASE1ST_EXPIRED) - continue; - - plog(LLV_INFO, LOCATION, NULL, - "purged ISAKMP-SA proto_id=%s spi=%s.\n", - s_ipsecdoi_proto(proto), - isakmp_pindex(&spi[i], 0)); - - SCHED_KILL(iph1->sce); - SCHED_KILL(iph1->sce_rekey); - iph1->status = PHASE1ST_EXPIRED; - ike_session_update_ph1_ph2tree(iph1); // move unbind/rebind ph2s to from current ph1 - iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); - } -} -#endif - void -purge_ipsec_spi(dst0, proto, spi, n) - struct sockaddr_storage *dst0; - int proto; - u_int32_t *spi; /*network byteorder*/ - size_t n; +purge_ipsec_spi(struct sockaddr_storage *dst0, int proto, u_int32_t *spi /*network byteorder*/, size_t n, u_int32_t *inbound_spi, size_t *max_inbound_spi) { vchar_t *buf = NULL; struct sadb_msg *msg, *next, *end; struct sadb_sa *sa; struct sadb_lifetime *lt; struct sockaddr_storage *src, *dst; - struct ph2handle *iph2; + phase2_handle_t *iph2; u_int64_t created; - size_t i; + size_t i, j = 0; caddr_t mhp[SADB_EXT_MAX + 1]; - plog(LLV_DEBUG2, LOCATION, NULL, - "purge_ipsec_spi:\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str((struct sockaddr *)dst0)); - plog(LLV_DEBUG2, LOCATION, NULL, "SPI: %08X\n", ntohl(spi[0])); - plog(LLV_DEBUG2, LOCATION, NULL, "num SPI: %d\n", n); - buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto)); if (buf == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey_dump_sadb returned nothing.\n"); return; } 
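Review bot: The early `return;` after `pfkey_dump_sadb` fails leaves `*max_inbound_spi` holding the caller's capacity instead of a count, because the `*max_inbound_spi = j` store is only reached at the end of the function (a later hunk); a caller that reads it as "entries filled" would then treat uninitialized `inbound_spi` slots as real SPIs. Reset it on that path: `if (max_inbound_spi) { *max_inbound_spi = 0; }` before the `return;`. The new parameters also deserve a header comment, since `max_inbound_spi` is in/out: on entry the capacity of `inbound_spi`, on return the number of entries written, and both may be NULL when the caller does not want them. `purge_ipsec_spi` continues past this hunk.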
@@ -1524,7 +1443,7 @@ purge_ipsec_spi(dst0, proto, spi, n) } if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey_check (%s)\n", ipsec_strerror()); msg = next; continue; 
@@ -1550,55 +1469,59 @@ purge_ipsec_spi(dst0, proto, spi, n) msg = next; continue; } - plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)src)); - plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)dst)); - - /* XXX n^2 algorithm, inefficient */ - /* don't delete inbound SAs at the moment */ + /* don't delete inbound SAs at the moment (just save them in inbound_spi) */ /* XXX should we remove SAs with opposite direction as well? */ if (CMPSADDR2(dst0, dst)) { - plog(LLV_DEBUG2, LOCATION, NULL, "skipped dst: %s\n", saddr2str((struct sockaddr *)dst)); msg = next; continue; } for (i = 0; i < n; i++) { - plog(LLV_DEBUG, LOCATION, NULL, - "check spi(packet)=%u spi(db)=%u.\n", - ntohl(spi[i]), ntohl(sa->sadb_sa_spi)); + u_int32_t *i_spi; + if (spi[i] != sa->sadb_sa_spi) continue; - pfkey_send_delete(lcconf->sock_pfkey, - msg->sadb_msg_satype, - IPSEC_MODE_ANY, - src, dst, sa->sadb_sa_spi); - /* * delete a relative phase 2 handler. * continue to process if no relative phase 2 handler * exists. */ - iph2 = getph2bysaidx(src, dst, proto, spi[i]); + if (inbound_spi && max_inbound_spi && j < *max_inbound_spi) { + i_spi = &inbound_spi[j]; + } else { + i_spi = NULL; + } + iph2 = ike_session_getph2bysaidx2(src, dst, proto, spi[i], i_spi); + + pfkey_send_delete(lcconf->sock_pfkey, + msg->sadb_msg_satype, + IPSEC_MODE_ANY, + src, dst, sa->sadb_sa_spi); + if(iph2 != NULL){ delete_spd(iph2); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); + if (i_spi) { + j++; + } } - plog(LLV_INFO, LOCATION, NULL, - "purged IPsec-SA proto_id=%s spi=%u.\n", - s_ipsecdoi_proto(proto), - ntohl(spi[i])); + plog(ASL_LEVEL_INFO, "Purged IPsec-SA proto_id=%s spi=%u.\n", + s_ipsecdoi_proto(proto), + ntohl(spi[i])); } msg = next; } + if (max_inbound_spi) { + *max_inbound_spi = j; + } + if (buf) vfree(buf); } 
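Review bot: `j` advances only when `ike_session_getph2bysaidx2` returned a handle and `i_spi` was non-NULL, but nothing here shows that the helper stores into `*i_spi` whenever it returns a handle; if it can return one without filling the inbound SPI, `inbound_spi[j]` is counted yet never written. Make the contract explicit next to the call, e.g. `/* getph2bysaidx2 fills *i_spi with the matched ph2's inbound SPI — confirm it always does when iph2 != NULL */`, or zero `*i_spi` before the call and skip the `j++` when it is still 0. This loop is inside `purge_ipsec_spi`, which starts in an earlier hunk.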
@@ -1610,9 +1533,8 @@ purge_ipsec_spi(dst0, proto, spi, n) * Sun IKE behavior, and makes rekeying work much better when the peer * restarts. */ -static void -info_recv_initialcontact(iph1) - struct ph1handle *iph1; +void +info_recv_initialcontact(phase1_handle_t *iph1) { vchar_t *buf = NULL; struct sadb_msg *msg, *next, *end; @@ -1620,7 +1542,7 @@ info_recv_initialcontact(iph1) struct sockaddr_storage *src, *dst; caddr_t mhp[SADB_EXT_MAX + 1]; int proto_id, i; - struct ph2handle *iph2; + phase2_handle_t *iph2; #if 0 char *loc, *rem; #endif @@ -1643,35 +1565,35 @@ info_recv_initialcontact(iph1) for (i = 0; i < pfkey_nsatypes; i++) { proto_id = pfkey2ipsecdoi_proto(pfkey_satypes[i].ps_satype); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "purging %s SAs for %s -> %s\n", pfkey_satypes[i].ps_name, loc, rem); if (pfkey_send_delete_all(lcconf->sock_pfkey, pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY, iph1->local, iph1->remote) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "delete_all %s -> %s failed for %s (%s)\n", loc, rem, pfkey_satypes[i].ps_name, ipsec_strerror()); goto the_hard_way; } - deleteallph2(iph1->local, iph1->remote, proto_id); + ike_session_deleteallph2(iph1->local, iph1->remote, proto_id); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "purging %s SAs for %s -> %s\n", pfkey_satypes[i].ps_name, rem, loc); if (pfkey_send_delete_all(lcconf->sock_pfkey, pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY, iph1->remote, iph1->local) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "delete_all %s -> %s failed for %s (%s)\n", rem, loc, pfkey_satypes[i].ps_name, ipsec_strerror()); goto the_hard_way; } - deleteallph2(iph1->remote, iph1->local, proto_id); + ike_session_deleteallph2(iph1->remote, iph1->local, proto_id); } racoon_free(loc); 
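Review bot: `info_recv_initialcontact` becomes external here and its file-local prototype is removed in the declarations hunk, but no header gains a declaration in this diff; if another file now calls it, the prototype belongs in `isakmp_inf.h` so the call is type-checked. The function issues `pfkey_send_delete_all` in both directions and `ike_session_deleteallph2` for the peer pair unconditionally, so an exported entry point should state its precondition in a header comment, e.g. `/* Purges every SA with iph1's peer. Caller must have received the INITIAL-CONTACT inside an authenticated (hashed) Informational on an established Phase 1; isakmp_check_notify still rejects it before Phase 1. */` — the last clause matches the handling in `isakmp_check_notify` further down this diff. The function continues past this hunk.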
@@ -1685,7 +1607,7 @@ info_recv_initialcontact(iph1) buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); if (buf == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey_dump_sadb returned nothing.\n"); return; } @@ -1703,7 +1625,7 @@ info_recv_initialcontact(iph1) } if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey_check (%s)\n", ipsec_strerror()); msg = next; continue; @@ -1782,7 +1704,7 @@ info_recv_initialcontact(iph1) continue; } - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "purging spi=%u.\n", ntohl(sa->sadb_sa_spi)); pfkey_send_delete(lcconf->sock_pfkey, msg->sadb_msg_satype, @@ -1794,12 +1716,10 @@ info_recv_initialcontact(iph1) * exists. */ proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); - iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); + iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); if (iph2) { delete_spd(iph2); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); } msg = next; @@ -1809,13 +1729,11 @@ info_recv_initialcontact(iph1) } void -isakmp_check_notify(gen, iph1) - struct isakmp_gen *gen; /* points to Notify payload */ - struct ph1handle *iph1; +isakmp_check_notify(struct isakmp_gen *gen /* points to Notify payload */, phase1_handle_t *iph1) { struct isakmp_pl_n *notify = (struct isakmp_pl_n *)gen; - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "Notify Message received\n"); switch (ntohs(notify->type)) { 
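Review bot: The converted `plog` calls in `isakmp_check_notify` drop the `iph1->remote` argument the old call carried, so "Notify Message received" and, in the next hunk, "Received unknown notification type %s" at ERR level no longer say which peer sent the payload; the same loss affects `isakmp_check_ph2_notify` (`iph2->dst`), `isakmp_info_recv_lb`, the DPD sequence and cookie errors in `isakmp_info_recv_r_u_ack`, and the "Packet wasn't encrypted" error in `quick_i2recv`. Unless the new plog backend attaches the peer some other way (not visible here), fold the address into the message text, e.g. `plog(ASL_LEVEL_DEBUG, "Notify Message received from %s\n", saddr2str((struct sockaddr *)iph1->remote));`, at least for the ERR/WARNING messages that record rejected input. `saddr2str` is the helper the removed lines in `purge_ipsec_spi` used for exactly this.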
@@ -1826,24 +1744,24 @@ isakmp_check_notify(gen, iph1) #ifdef ENABLE_HYBRID case ISAKMP_NTYPE_UNITY_HEARTBEAT: #endif - plog(LLV_WARNING, LOCATION, iph1->remote, - "ignore %s notification.\n", + plog(ASL_LEVEL_WARNING, + "Ignore %s notification.\n", s_isakmp_notify_msg(ntohs(notify->type))); break; case ISAKMP_NTYPE_INITIAL_CONTACT: - plog(LLV_WARNING, LOCATION, iph1->remote, - "ignore INITIAL-CONTACT notification, " - "because it is only accepted after phase1.\n"); + plog(ASL_LEVEL_WARNING, + "Ignore INITIAL-CONTACT notification, " + "because it is only accepted after Phase 1.\n"); break; case ISAKMP_NTYPE_LOAD_BALANCE: - plog(LLV_WARNING, LOCATION, iph1->remote, - "ignore LOAD-BALANCE notification, " - "because it is only accepted after phase1.\n"); + plog(ASL_LEVEL_WARNING, + "Ignore LOAD-BALANCE notification, " + "because it is only accepted after Phase 1.\n"); break; default: isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); - plog(LLV_ERROR, LOCATION, iph1->remote, - "received unknown notification type %s.\n", + plog(ASL_LEVEL_ERR, + "Received unknown notification type %s.\n", s_isakmp_notify_msg(ntohs(notify->type))); } @@ -1851,14 +1769,12 @@ isakmp_check_notify(gen, iph1) } void -isakmp_check_ph2_notify(gen, iph2) -struct isakmp_gen *gen; /* points to Notify payload */ -struct ph2handle *iph2; +isakmp_check_ph2_notify(struct isakmp_gen *gen /* points to Notify payload */, phase2_handle_t *iph2) { struct isakmp_pl_n *notify = (struct isakmp_pl_n *)gen; - plog(LLV_DEBUG, LOCATION, iph2->dst, - "Phase2 Notify Message received\n"); + plog(ASL_LEVEL_DEBUG, + "Phase 2 Notify Message received\n"); switch (ntohs(notify->type)) { case ISAKMP_NTYPE_RESPONDER_LIFETIME: 
@@ -1871,24 +1787,24 @@ struct ph2handle *iph2; #ifdef ENABLE_HYBRID case ISAKMP_NTYPE_UNITY_HEARTBEAT: #endif - plog(LLV_WARNING, LOCATION, iph2->dst, - "ignore %s notification.\n", + plog(ASL_LEVEL_WARNING, + "Ignore %s notification.\n", s_isakmp_notify_msg(ntohs(notify->type))); break; case ISAKMP_NTYPE_INITIAL_CONTACT: - plog(LLV_WARNING, LOCATION, iph2->dst, - "ignore INITIAL-CONTACT notification, " - "because it is only accepted after phase1.\n"); + plog(ASL_LEVEL_WARNING, + "Ignore INITIAL-CONTACT notification, " + "because it is only accepted after Phase 1.\n"); break; case ISAKMP_NTYPE_LOAD_BALANCE: - plog(LLV_WARNING, LOCATION, iph2->dst, - "ignore LOAD-BALANCE notification, " - "because it is only accepted after phase1.\n"); + plog(ASL_LEVEL_WARNING, + "Ignore LOAD-BALANCE notification, " + "because it is only accepted after Phase 1.\n"); break; default: isakmp_info_send_n1(iph2->ph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); - plog(LLV_ERROR, LOCATION, iph2->dst, - "received unknown notification type %s.\n", + plog(ASL_LEVEL_ERR, + "Received unknown notification type %s.\n", s_isakmp_notify_msg(ntohs(notify->type))); } 
@@ -1897,46 +1813,42 @@ struct ph2handle *iph2; #ifdef ENABLE_VPNCONTROL_PORT static int -isakmp_info_recv_lb(iph1, n, encrypted) - struct ph1handle *iph1; - struct isakmp_pl_lb *n; - int encrypted; +isakmp_info_recv_lb(phase1_handle_t *iph1, struct isakmp_pl_lb *n, int encrypted) { if (iph1->side != INITIATOR) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "LOAD-BALANCE notification ignored - we are not the initiator.\n"); return 0; } if (iph1->remote->ss_family != AF_INET) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "LOAD-BALANCE notification ignored - only supported for IPv4.\n"); return 0; } if (!encrypted) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "LOAD-BALANCE notification ignored - not protected.\n"); return 0; } if (ntohs(n->h.len) != sizeof(struct isakmp_pl_lb)) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Invalid length of payload\n"); return -1; } vpncontrol_notify_ike_failed(ISAKMP_NTYPE_LOAD_BALANCE, FROM_REMOTE, ((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr, 4, (u_int8_t*)(&(n->address))); - plog(LLV_DEBUG, LOCATION, iph1->remote, - "received LOAD_BALANCE notification - redirect address=%x.\n", - ntohl(n->address)); + plog(ASL_LEVEL_NOTICE, + "Received LOAD_BALANCE notification.\n"); if (((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr != ntohl(n->address)) { - plog(LLV_DEBUG, LOCATION, iph1->remote, - "deleting old phase1 because of LOAD_BALANCE notification - redirect address=%x.\n", + plog(ASL_LEVEL_DEBUG, + "Deleting old Phase 1 because of LOAD_BALANCE notification - redirect address=%x.\n", ntohl(n->address)); - if (iph1->status == PHASE1ST_ESTABLISHED) { + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) { isakmp_info_send_d1(iph1); } isakmp_ph1expire(iph1); 
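Review bot: The redirect comparison under the new NOTICE log, `sin_addr.s_addr != ntohl(n->address)`, compares a network-order address with a host-order one; the surrounding code treats `n->address` as the wire value (it is handed raw to `vpncontrol_notify_ike_failed` and converted with `ntohl` only for printing), so on a little-endian host the old Phase 1 is torn down or kept based on a byte-swapped value. This is pre-existing, but the hunk rewrites the lines around it, so compare like with like: `if (((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr != n->address) {`. `isakmp_info_recv_lb` continues past the end of the hunk.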
@@ -1948,17 +1860,14 @@ isakmp_info_recv_lb(iph1, n, encrypted) #ifdef ENABLE_DPD static int -isakmp_info_recv_r_u (iph1, ru, msgid) - struct ph1handle *iph1; - struct isakmp_pl_ru *ru; - u_int32_t msgid; +isakmp_info_recv_r_u (phase1_handle_t *iph1, struct isakmp_pl_ru *ru, u_int32_t msgid) { struct isakmp_pl_ru *ru_ack; vchar_t *payload = NULL; int tlen; int error = 0; - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "DPD R-U-There received\n"); /* XXX should compare cookies with iph1->index? @@ -1970,7 +1879,7 @@ isakmp_info_recv_r_u (iph1, ru, msgid) IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL, CONSTSTR("R-U-THERE? ACK"), CONSTSTR("Failed to transmit DPD response")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); return errno; } @@ -2002,27 +1911,24 @@ isakmp_info_recv_r_u (iph1, ru, msgid) CONSTSTR(NULL)); } - plog(LLV_DEBUG, LOCATION, NULL, "received a valid R-U-THERE, ACK sent\n"); + plog(ASL_LEVEL_DEBUG, "received a valid R-U-THERE, ACK sent\n"); /* Should we mark tunnel as active ? */ return error; } static int -isakmp_info_recv_r_u_ack (iph1, ru, msgid) - struct ph1handle *iph1; - struct isakmp_pl_ru *ru; - u_int32_t msgid; +isakmp_info_recv_r_u_ack (phase1_handle_t *iph1, struct isakmp_pl_ru *ru, u_int32_t msgid) { - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "DPD R-U-There-Ack received\n"); /* XXX Maintain window of acceptable sequence numbers ? * => ru->data <= iph2->dpd_seq && * ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */ if (ntohl(ru->data) != iph1->dpd_seq) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "Wrong DPD sequence number (%d, %d expected).\n", ntohl(ru->data), iph1->dpd_seq); return 0; 
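Review bot: The sequence-number error in `isakmp_info_recv_r_u_ack` still prints `ntohl(ru->data)` (a `u_int32_t`) and `iph1->dpd_seq` with `%d`; this patch fixes the same kind of mismatch in isakmp_quick.c (`%lu` for `nonce->l`), so use `%u` here too, assuming `dpd_seq` is unsigned like the wire value it is compared against: `"Wrong DPD sequence number (%u, %u expected).\n",`. A replayed or malformed ACK with a bad sequence number is logged and the function returns 0, the same value the cookie-mismatch path below returns; a one-line comment saying that "ignore and report success" is intentional would spare the next reader from re-deriving it.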
@@ -2030,7 +1936,7 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgid) if (memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) || memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "Cookie mismatch in DPD ACK!.\n"); return 0; } @@ -2057,7 +1963,7 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgid) CONSTSTR("Responder DPD Response"), CONSTSTR(NULL)); } - plog(LLV_DEBUG, LOCATION, NULL, "received an R-U-THERE-ACK\n"); + plog(ASL_LEVEL_DEBUG, "received an R-U-THERE-ACK\n"); #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_peer_resp_ph1(1, iph1); @@ -2071,10 +1977,9 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgid) * send Delete payload (for ISAKMP SA) in Informational exchange. */ void -isakmp_info_send_r_u(arg) - void *arg; +isakmp_info_send_r_u(void *arg) { - struct ph1handle *iph1 = arg; + phase1_handle_t *iph1 = arg; /* create R-U-THERE payload */ struct isakmp_pl_ru *ru; @@ -2082,8 +1987,8 @@ isakmp_info_send_r_u(arg) int tlen; int error = 0; - if (iph1->status != PHASE1ST_ESTABLISHED) { - plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD r-u send aborted, invalid phase1 status %d....\n", + if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { + plog(ASL_LEVEL_DEBUG, "DPD r-u send aborted, invalid Phase 1 status %d....\n", iph1->status); return; } @@ -2096,7 +2001,6 @@ isakmp_info_send_r_u(arg) CONSTSTR("DPD maximum retransmits"), CONSTSTR("maxed-out of DPD requests without receiving an ack")); - EVT_PUSH(iph1->local, iph1->remote, EVTT_DPD_TIMEOUT, NULL); if (iph1->remote->ss_family == AF_INET) address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; else @@ -2104,7 +2008,7 @@ isakmp_info_send_r_u(arg) (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PEER_DEAD, FROM_LOCAL, address, 0, NULL); purge_remote(iph1); - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "DPD: remote seems to be dead\n"); /* Do not reschedule here: phase1 is deleted, 
@@ -2120,7 +2024,7 @@ isakmp_info_send_r_u(arg) IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL, CONSTSTR("R-U-THERE?"), CONSTSTR("Failed to transmit DPD request")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer for payload.\n"); return; } @@ -2168,7 +2072,7 @@ isakmp_info_send_r_u(arg) CONSTSTR("Responder DPD Request"), CONSTSTR(NULL)); } - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "DPD R-U-There sent (%d)\n", error); /* will be decreased if ACK received... */ @@ -2178,7 +2082,7 @@ isakmp_info_send_r_u(arg) * will be deleted/rescheduled if ACK received before */ isakmp_sched_r_u(iph1, 1); - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "rescheduling send_r_u (%d).\n", iph1->rmconf->dpd_retry); } @@ -2186,15 +2090,15 @@ isakmp_info_send_r_u(arg) * monitor DPD (ALGORITHM_INBOUND_DETECT) Informational exchange. */ static void -isakmp_info_monitor_r_u_algo_inbound_detect (struct ph1handle *iph1) +isakmp_info_monitor_r_u_algo_inbound_detect (phase1_handle_t *iph1) { - if (iph1->status != PHASE1ST_ESTABLISHED) { - plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) aborted, invalid phase1 status %d....\n", + if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { + plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) aborted, invalid Phase 1 status %d....\n", iph1->status); return; } - plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) ....\n"); + plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) ....\n"); // check phase1 for ike packets received from peer if (iph1->peer_sent_ike) { @@ -2204,7 +2108,7 @@ isakmp_info_monitor_r_u_algo_inbound_detect (struct ph1handle *iph1) /* ike packets received from peer... reschedule dpd */ isakmp_sched_r_u(iph1, 0); - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "ike packets received from peer... reschedule monitor.\n"); return; 
@@ -2216,7 +2120,7 @@ isakmp_info_monitor_r_u_algo_inbound_detect (struct ph1handle *iph1) } else { isakmp_sched_r_u(iph1, 0); - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "rescheduling DPD monitoring (for ALGORITHM_INBOUND_DETECT).\n"); } iph1->parent_session->peer_sent_data_sc_dpd = 0; @@ -2226,15 +2130,15 @@ isakmp_info_monitor_r_u_algo_inbound_detect (struct ph1handle *iph1) * monitor DPD (ALGORITHM_BLACKHOLE_DETECT) Informational exchange. */ static void -isakmp_info_monitor_r_u_algo_blackhole_detect (struct ph1handle *iph1) +isakmp_info_monitor_r_u_algo_blackhole_detect (phase1_handle_t *iph1) { - if (iph1->status != PHASE1ST_ESTABLISHED) { - plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) aborted, invalid phase1 status %d....\n", + if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { + plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) aborted, invalid Phase 1 status %d....\n", iph1->status); return; } - plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) ....\n"); + plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) ....\n"); // check if data was sent but none was received if (iph1->parent_session->i_sent_data_sc_dpd && @@ -2243,7 +2147,7 @@ isakmp_info_monitor_r_u_algo_blackhole_detect (struct ph1handle *iph1) } else { isakmp_sched_r_u(iph1, 0); - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "rescheduling DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) i = %d, peer %d.\n", iph1->parent_session->i_sent_data_sc_dpd, iph1->parent_session->peer_sent_data_sc_dpd); 
@@ -2256,10 +2160,9 @@ isakmp_info_monitor_r_u_algo_blackhole_detect (struct ph1handle *iph1) * monitor DPD Informational exchange. */ static void -isakmp_info_monitor_r_u(arg) -void *arg; +isakmp_info_monitor_r_u(void *arg) { - struct ph1handle *iph1 = arg; + phase1_handle_t *iph1 = arg; if (iph1 && iph1->rmconf) { if (iph1->rmconf->dpd_algo == DPD_ALGO_INBOUND_DETECT) { @@ -2267,7 +2170,7 @@ void *arg; } else if (iph1->rmconf->dpd_algo == DPD_ALGO_BLACKHOLE_DETECT) { isakmp_info_monitor_r_u_algo_blackhole_detect(iph1); } else { - plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring aborted, invalid algorithm %d....\n", + plog(ASL_LEVEL_DEBUG, "DPD monitoring aborted, invalid algorithm %d....\n", iph1->rmconf->dpd_algo); } } @@ -2275,9 +2178,7 @@ void *arg; /* Schedule a new R-U-THERE */ int -isakmp_sched_r_u(iph1, retry) - struct ph1handle *iph1; - int retry; +isakmp_sched_r_u(phase1_handle_t *iph1, int retry) { if(iph1 == NULL || iph1->rmconf == NULL) @@ -2311,11 +2212,10 @@ isakmp_sched_r_u(iph1, retry) * 2) indicates liveness (e.g. received ike packets). */ void -isakmp_reschedule_info_monitor_if_pending (struct ph1handle *iph1, - char *reason) +isakmp_reschedule_info_monitor_if_pending (phase1_handle_t *iph1, char *reason) { if (!iph1 || - iph1->status != PHASE1ST_ESTABLISHED || + !FSM_STATE_IS_ESTABLISHED(iph1->status) || !iph1->dpd_support || !iph1->rmconf->dpd_interval || iph1->rmconf->dpd_algo == DPD_ALGO_DEFAULT) { @@ -2327,7 +2227,7 @@ isakmp_reschedule_info_monitor_if_pending (struct ph1handle *iph1, isakmp_sched_r_u(iph1, 0); - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "%s... rescheduling send_r_u.\n", reason); } diff --git a/ipsec-tools/racoon/isakmp_inf.h b/ipsec-tools/racoon/isakmp_inf.h index 32f85cf..5aa8c79 100644 --- a/ipsec-tools/racoon/isakmp_inf.h +++ b/ipsec-tools/racoon/isakmp_inf.h 
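Review bot: The guard in `isakmp_reschedule_info_monitor_if_pending` dereferences `iph1->rmconf` (`!iph1->rmconf->dpd_interval`) right after the rewritten `FSM_STATE_IS_ESTABLISHED` term without checking that `rmconf` is non-NULL, while the two sibling functions on this same line — `isakmp_info_monitor_r_u` (`if (iph1 && iph1->rmconf)`) and `isakmp_sched_r_u` (`if(iph1 == NULL || iph1->rmconf == NULL)`) — both treat a NULL `rmconf` as possible. Add `!iph1->rmconf ||` before the `!iph1->dpd_support` term so the three agree. `reason` is only passed to `plog` and could be `const char *`, with the prototype in isakmp_inf.h changed to match.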
@@ -34,33 +34,35 @@ #ifndef _ISAKMP_INF_H #define _ISAKMP_INF_H +#include "racoon_types.h" #include "proposal.h" struct saproto; -extern int isakmp_info_recv __P((struct ph1handle *, vchar_t *)); -extern int isakmp_info_send_d1 __P((struct ph1handle *)); -extern int isakmp_info_send_d2 __P((struct ph2handle *)); -extern int isakmp_info_send_nx __P((struct isakmp *, - struct sockaddr_storage *, struct sockaddr_storage *, int, vchar_t *)); -extern int isakmp_info_send_n1 __P((struct ph1handle *, int, vchar_t *)); -extern int isakmp_info_send_n2 __P((struct ph2handle *, int, vchar_t *)); -extern int isakmp_info_send_common __P((struct ph1handle *, - vchar_t *, u_int32_t, int)); +extern int isakmp_info_recv (phase1_handle_t *, vchar_t *); +extern int isakmp_info_send_d1 (phase1_handle_t *); +extern int isakmp_info_send_d2 (phase2_handle_t *); +extern int isakmp_info_send_nx (struct isakmp *, + struct sockaddr_storage *, struct sockaddr_storage *, int, vchar_t *); +extern int isakmp_info_send_n1 (phase1_handle_t *, int, vchar_t *); +extern int isakmp_info_send_n2 (phase2_handle_t *, int, vchar_t *); +extern int isakmp_info_send_common (phase1_handle_t *, + vchar_t *, u_int32_t, int); -extern vchar_t * isakmp_add_pl_n __P((vchar_t *, u_int8_t **, int, - struct saproto *, vchar_t *)); +extern vchar_t * isakmp_add_pl_n (vchar_t *, u_int8_t **, int, + struct saproto *, vchar_t *); -extern void isakmp_check_notify __P((struct isakmp_gen *, struct ph1handle *)); +extern void isakmp_check_notify (struct isakmp_gen *, phase1_handle_t *); -extern void isakmp_check_ph2_notify __P((struct isakmp_gen *, struct ph2handle *)); +extern void isakmp_check_ph2_notify (struct isakmp_gen *, phase2_handle_t *); #ifdef ENABLE_DPD -extern int isakmp_sched_r_u __P((struct ph1handle *, int)); -extern void isakmp_reschedule_info_monitor_if_pending __P((struct ph1handle *, char *)); -extern void isakmp_info_send_r_u __P((void *)); +extern int isakmp_sched_r_u (phase1_handle_t *, int); +extern 
void isakmp_reschedule_info_monitor_if_pending (phase1_handle_t *, char *); +extern void isakmp_info_send_r_u (void *); #endif -extern void purge_ipsec_spi __P((struct sockaddr_storage *, int, u_int32_t *, size_t)); -extern int tunnel_mode_prop __P((struct saprop *)); +extern void purge_ipsec_spi (struct sockaddr_storage *, int, u_int32_t *, size_t, u_int32_t *, size_t *); +extern int tunnel_mode_prop (struct saprop *); +extern void info_recv_initialcontact (phase1_handle_t *); #endif /* _ISAKMP_INF_H */ diff --git a/ipsec-tools/racoon/isakmp_newg.c b/ipsec-tools/racoon/isakmp_newg.c deleted file mode 100644 index 211e632..0000000 --- a/ipsec-tools/racoon/isakmp_newg.c +++ /dev/null 
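Review bot: The new `purge_ipsec_spi` prototype gains two undocumented in/out parameters; from its definition in this patch, `inbound_spi` is an array the function fills and `*max_inbound_spi` is read as that array's capacity on entry and overwritten with the number of entries stored on return, with both allowed to be NULL. That contract is easy to get wrong from the header alone (passing the capacity by value, or not expecting the count to be clobbered), so document it at the declaration, e.g. `/* inbound_spi/max_inbound_spi are optional; *max_inbound_spi is the array capacity on entry and the number of SPIs stored on return */`.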
@@ -1,232 +0,0 @@ -/* $NetBSD: isakmp_newg.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */ - -/* $KAME: isakmp_newg.c,v 1.10 2002/09/27 05:55:52 itojun Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "config.h" - -#include -#include - -#include -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" - -#include "schedule.h" -#include "cfparse_proto.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "isakmp_newg.h" -#include "oakley.h" -#include "ipsec_doi.h" -#include "crypto_openssl.h" -#include "handler.h" -#include "pfkey.h" -#include "admin.h" -#include "str2val.h" -#include "vendorid.h" - -/* - * New group mode as responder - */ -int -isakmp_newgroup_r(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ -#if 0 - struct isakmp *isakmp = (struct isakmp *)msg->v; - struct isakmp_pl_hash *hash = NULL; - struct isakmp_pl_sa *sa = NULL; - int error = -1; - vchar_t *buf; - struct oakley_sa *osa; - int len; - - /* validate the type of next payload */ - /* - * ISAKMP_ETYPE_NEWGRP, - * ISAKMP_NPTYPE_HASH, (ISAKMP_NPTYPE_VID), ISAKMP_NPTYPE_SA, - * ISAKMP_NPTYPE_NONE - */ - { - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - - if ((pbuf = isakmp_parse(msg)) == NULL) - goto end; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_HASH: - if (hash) { - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); - plog(LLV_ERROR, LOCATION, iph1->remote, - "received multiple payload type %d.\n", - pa->type); - vfree(pbuf); - goto end; - } - hash = (struct isakmp_pl_hash *)pa->ptr; - break; - case ISAKMP_NPTYPE_SA: - if (sa) { - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); - plog(LLV_ERROR, LOCATION, iph1->remote, - "received multiple payload type %d.\n", - pa->type); - vfree(pbuf); - goto end; - } - sa = (struct isakmp_pl_sa *)pa->ptr; - break; - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - default: - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); - plog(LLV_ERROR, LOCATION, 
iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - vfree(pbuf); - goto end; - } - } - vfree(pbuf); - - if (!hash || !sa) { - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); - plog(LLV_ERROR, LOCATION, iph1->remote, - "no HASH, or no SA payload.\n"); - goto end; - } - } - - /* validate HASH */ - { - char *r_hash; - vchar_t *my_hash = NULL; - int result; - - plog(LLV_DEBUG, LOCATION, NULL, "validate HASH\n"); - - len = sizeof(isakmp->msgid) + ntohs(sa->h.len); - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - memcpy(buf->v, &isakmp->msgid, sizeof(isakmp->msgid)); - memcpy(buf->v + sizeof(isakmp->msgid), sa, ntohs(sa->h.len)); - - plog(LLV_DEBUG, LOCATION, NULL, "hash source\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - - my_hash = isakmp_prf(iph1->skeyid_a, buf, iph1); - vfree(buf); - if (my_hash == NULL) - goto end; - - plog(LLV_DEBUG, LOCATION, NULL, "hash result\n"); - plogdump(LLV_DEBUG, my_hash->v, my_hash->l); - - r_hash = (char *)hash + sizeof(*hash); - - plog(LLV_DEBUG, LOCATION, NULL, "original hash\n")); - plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash))); - - result = memcmp(my_hash->v, r_hash, my_hash->l); - vfree(my_hash); - - if (result) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "HASH mismatch.\n"); - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_HASH_INFORMATION, NULL); - goto end; - } - } - - /* check SA payload and get new one for use */ - buf = ipsecdoi_get_proposal((struct ipsecdoi_sa *)sa, - OAKLEY_NEWGROUP_MODE); - if (buf == NULL) { - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL); - goto end; - } - - /* save sa parameters */ - osa = ipsecdoi_get_oakley(buf); - if (osa == NULL) { - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL); - goto end; - } - vfree(buf); - - switch (osa->dhgrp) { - case OAKLEY_ATTR_GRP_DESC_MODP768: - case 
OAKLEY_ATTR_GRP_DESC_MODP1024: - case OAKLEY_ATTR_GRP_DESC_MODP1536: - /*XXX*/ - default: - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL); - plog(LLV_ERROR, LOCATION, NULL, - "dh group %d isn't supported.\n", osa->dhgrp); - goto end; - } - - plog(LLV_INFO, LOCATION, iph1->remote, - "got new dh group %s.\n", isakmp_pindex(&iph1->index, 0)); - - error = 0; - -end: - if (error) { - if (iph1 != NULL) - (void)isakmp_free_ph1(iph1); - } - return error; -#endif - return 0; -} - diff --git a/ipsec-tools/racoon/isakmp_newg.h b/ipsec-tools/racoon/isakmp_newg.h deleted file mode 100644 index 2a52b1e..0000000 --- a/ipsec-tools/racoon/isakmp_newg.h +++ /dev/null 
@@ -1,37 +0,0 @@ -/* $Id: isakmp_newg.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifndef _ISAKMP_NEWG_H -#define _ISAKMP_NEWG_H - -extern int isakmp_newgroup_r __P((struct ph1handle *, vchar_t *)); - -#endif /* _ISAKMP_NEWG_H */ diff --git a/ipsec-tools/racoon/isakmp_quick.c b/ipsec-tools/racoon/isakmp_quick.c index e0cba14..8bb4a87 100644 --- a/ipsec-tools/racoon/isakmp_quick.c 
+++ b/ipsec-tools/racoon/isakmp_quick.c @@ -70,6 +70,7 @@ #include "plog.h" #include "debug.h" +#include "fsm.h" #include "localconf.h" #include "remoteconf.h" #include "handler.h" @@ -88,7 +89,6 @@ #include "sockmisc.h" #include "proposal.h" #include "sainfo.h" -#include "admin.h" #include "strnames.h" #include "nattraversal.h" #include "ipsecSessionTracer.h" @@ -98,10 +98,8 @@ #endif /* quick mode */ -static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *)); -static int get_sainfo_r __P((struct ph2handle *)); -static int get_proposal_r __P((struct ph2handle *)); -static int get_proposal_r_remote __P((struct ph2handle *, int)); +static vchar_t *quick_ir1mx (phase2_handle_t *, vchar_t *, vchar_t *); +static int get_proposal_r_remote (phase2_handle_t *, int); /* %%% * Quick Mode @@ -110,15 +108,15 @@ static int get_proposal_r_remote __P((struct ph2handle *, int)); * begin Quick Mode as initiator. send pfkey getspi message to kernel. */ int -quick_i1prep(iph2, msg) - struct ph2handle *iph2; +quick_iprep(iph2, msg) + phase2_handle_t *iph2; vchar_t *msg; /* must be null pointer */ { int error = ISAKMP_INTERNAL_ERROR; /* validity check */ - if (iph2->status != PHASE2ST_STATUS2) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_I_START) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } @@ -130,7 +128,7 @@ quick_i1prep(iph2, msg) if (iph2->ivm == NULL) return 0; - iph2->status = PHASE2ST_GETSPISENT; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_GETSPISENT); /* don't anything if local test mode. */ if (f_local) { @@ -140,12 +138,12 @@ quick_i1prep(iph2, msg) /* send getspi message */ if (pk_sendgetspi(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send getspi message"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); + plog(ASL_LEVEL_DEBUG, "pfkey getspi sent.\n"); iph2->sce = sched_new(lcconf->wait_ph2complete, pfkey_timeover_stub, iph2); 
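Review bot: The renamed `quick_iprep` keeps the K&R parameter-declaration form (`quick_iprep(iph2, msg) phase2_handle_t *iph2; vchar_t *msg;`) while the same patch converts the definitions in isakmp_inf.c to prototype form; since the line is rewritten anyway, `quick_iprep(phase2_handle_t *iph2, vchar_t *msg /* must be null pointer */)` keeps the two files consistent. The comment still promises `msg` is NULL, but unlike `quick_i1send` in the next hunk this function never checks it; either drop the comment or add the same `if (msg != NULL)` rejection. Callers and the prototype for the new name are outside this hunk.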
@@ -162,7 +160,7 @@ end: */ int quick_i1send(iph2, msg) - struct ph2handle *iph2; + phase2_handle_t *iph2; vchar_t *msg; /* must be null pointer */ { vchar_t *body = NULL; @@ -182,19 +180,19 @@ quick_i1send(iph2, msg) /* validity check */ if (msg != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "msg has to be NULL in this function.\n"); goto end; } - if (iph2->status != PHASE2ST_GETSPIDONE) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_I_GETSPIDONE) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } /* create SA payload for my proposal */ - if (ipsecdoi_setph2proposal(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if (ipsecdoi_setph2proposal(iph2, FALSE) < 0) { + plog(ASL_LEVEL_ERR, "failed to set proposal"); goto end; } @@ -202,7 +200,7 @@ quick_i1send(iph2, msg) /* generate NONCE value */ iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); if (iph2->nonce == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate NONCE"); goto end; } @@ -217,7 +215,7 @@ quick_i1send(iph2, msg) if (pfsgroup) { /* DH group settting if PFS is required. */ if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set DH value.\n"); goto end; } @@ -228,7 +226,7 @@ quick_i1send(iph2, msg) if (oakley_dh_generate(iph2->pfsgrp, &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) { #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate DH"); goto end; } 
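Review bot: `ipsecdoi_setph2proposal(iph2, FALSE)` adds a bare boolean argument whose meaning cannot be read at the call site, and nothing in this hunk says what the flag selects. A short comment naming it, `ipsecdoi_setph2proposal(iph2, FALSE /* <what this flag selects> */)`, or a named constant on the callee's side would keep the call readable; the callee's definition is not visible here, so the actual name has to come from it.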
@@ -236,14 +234,12 @@ quick_i1send(iph2, msg) /* generate ID value */ if (ipsecdoi_setid2(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get ID.\n"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n"); - plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); - plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n"); - plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); + plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "IDci:\n"); + plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "IDcr:\n"); /* * we do not attach IDci nor IDcr, under the following condition: @@ -281,24 +277,22 @@ quick_i1send(iph2, msg) && (iph2->ph1->natt_flags & NAT_DETECTED)) { natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r); if (natoa_type == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate NAT-OA payload.\n"); goto end; } else if (natoa_type != 0) { tlen += sizeof(*gen) + natoa_i->l; tlen += sizeof(*gen) + natoa_r->l; - plog(LLV_DEBUG, LOCATION, NULL, "initiator send NAT-OAi:\n"); - plogdump(LLV_DEBUG, natoa_i->v, natoa_i->l); - plog(LLV_DEBUG, LOCATION, NULL, "initiator send NAT-OAr:\n"); - plogdump(LLV_DEBUG, natoa_r->v, natoa_r->l); + //plogdump(ASL_LEVEL_DEBUG, natoa_i->v, natoa_i->l, "initiator send NAT-OAi:\n"); + //plogdump(ASL_LEVEL_DEBUG, natoa_r->v, natoa_r->l, "initiator send NAT-OAr:\n"); } } #endif body = vmalloc(tlen); if (body == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); goto end; } @@ -340,7 +334,7 @@ quick_i1send(iph2, msg) /* generate HASH(1) */ hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body); if (hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute HASH"); goto end; } 
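Review bot: The NAT-OA branch in `quick_i1send` replaces the two debug dumps with commented-out `//plogdump(...)` lines instead of deleting them or keeping them live, in a hunk that one hunk earlier converts the same kind of dump to the new `plogdump(level, buf, len, label)` form. Commented-out code is dead weight; either drop the two lines or keep a real call, `plogdump(ASL_LEVEL_DEBUG, natoa_i->v, natoa_i->l, "initiator send NAT-OAi:\n");` and likewise for `natoa_r`. `quick_i1send` starts before and continues after this hunk.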
@@ -348,7 +342,7 @@ quick_i1send(iph2, msg) /* send isakmp payload */ iph2->sendbuf = quick_ir1mx(iph2, body, hash); if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get send buffer"); goto end; } @@ -356,13 +350,13 @@ quick_i1send(iph2, msg) /* send the packet, add to the schedule to resend */ iph2->retry_counter = iph2->ph1->rmconf->retry_counter; if (isakmp_ph2resend(iph2) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } /* change status of isakmp status entry */ - iph2->status = PHASE2ST_MSG1SENT; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG1SENT); error = 0; @@ -398,7 +392,7 @@ end: */ int quick_i2recv(iph2, msg0) - struct ph2handle *iph2; + phase2_handle_t *iph2; vchar_t *msg0; { vchar_t *msg = NULL; @@ -415,21 +409,21 @@ quick_i2recv(iph2, msg0) struct sockaddr_storage *natoa_r = NULL; /* validity check */ - if (iph2->status != PHASE2ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_I_MSG1SENT) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } /* decrypt packet */ if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "Packet wasn't encrypted.\n"); goto end; } msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); if (msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to decrypt"); goto end; } @@ -443,7 +437,7 @@ quick_i2recv(iph2, msg0) */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg"); goto end; } @@ -451,7 +445,7 @@ quick_i2recv(iph2, msg0) /* HASH payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_HASH) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "received invalid next payload type %d, " "expecting %d.\n", pa->type, ISAKMP_NPTYPE_HASH); 
@@ -467,7 +461,7 @@ quick_i2recv(iph2, msg0) */ /* HASH payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_WARNING, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_WARNING, "received invalid next payload type %d, " "expecting %d.\n", pa->type, ISAKMP_NPTYPE_HASH); @@ -477,14 +471,14 @@ quick_i2recv(iph2, msg0) tlen = iph2->nonce->l + ntohl(isakmp->len) - sizeof(*isakmp); if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid length (%d,%d) while getting hash buffer.\n", + plog(ASL_LEVEL_ERR, + "invalid length (%lu,%d) while getting hash buffer.\n", iph2->nonce->l, ntohl(isakmp->len)); goto end; } hbuf = vmalloc(tlen); if (hbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get hash buffer.\n"); goto end; } @@ -506,13 +500,13 @@ quick_i2recv(iph2, msg0) switch (pa->type) { case ISAKMP_NPTYPE_SA: if (iph2->sa_ret != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Ignored, multiple SA " "isn't supported.\n"); break; } if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process SA payload"); goto end; } @@ -520,7 +514,7 @@ quick_i2recv(iph2, msg0) case ISAKMP_NPTYPE_NONCE: if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process NONCE payload"); goto end; } @@ -528,7 +522,7 @@ quick_i2recv(iph2, msg0) case ISAKMP_NPTYPE_KE: if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process KE payload"); goto end; } @@ -538,6 +532,11 @@ quick_i2recv(iph2, msg0) { vchar_t *vp; + if (iph2->id == NULL || iph2->id_p == NULL) { + error = ISAKMP_INTERNAL_ERROR; // shouldn't happen + goto end; + } + /* check ID value */ if (f_id == 0) { /* for IDci */ 
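Review bot: The `if (tlen < 0)` guard after `tlen = iph2->nonce->l + ntohl(isakmp->len) - sizeof(*isakmp);` can only fire if `tlen` is a signed type, and the later `HASH allocated:hbuf->l=%zu actual:tlen=%zu` print in this function suggests it is a `size_t`, in which case a peer-supplied `isakmp->len` below the header size wraps to a huge value and the check is dead; the declaration of `tlen` is outside the hunk so I cannot confirm. Checking before subtracting works regardless of the type: `if (ntohl(isakmp->len) < sizeof(*isakmp)) {`. Also `%d` for `ntohl(isakmp->len)` should be `%u`, since ntohl returns an unsigned 32-bit value. isakmp_parse may already reject such headers upstream, but a correct local guard is cheap.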
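Review bot: The new `if (iph2->id == NULL || iph2->id_p == NULL)` guard jumps to `end` with `ISAKMP_INTERNAL_ERROR` but logs nothing, so a condition the comment says `shouldn't happen` would be invisible in the ASL log. Every other visible failure path in this function emits a `plog(ASL_LEVEL_ERR, ...)` first; I'd add `plog(ASL_LEVEL_ERR, "phase2 ID missing while processing ID payload.\n");` before the `goto end`. This guard presumably pairs with the `end:` change later in the patch that stops clearing `iph2->id`/`iph2->id_p` on error, so a one-line comment saying the IDs are set by quick_i1send and kept across retries would help the next reader. quick_i2recv's body continues outside this hunk.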
@@ -561,7 +560,7 @@ quick_i2recv(iph2, msg0) vp->l - sizeof(struct ipsecdoi_id_b))) { // to support servers that use our external nat address as our ID if (iph2->ph1->natt_flags & NAT_DETECTED) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "mismatched ID was returned - ignored because nat traversal is being used.\n"); /* If I'm behind a nat and the ID is type address - save the address * and port for when the peer rekeys. @@ -570,12 +569,12 @@ quick_i2recv(iph2, msg0) if (lcconf->ext_nat_id) vfree(lcconf->ext_nat_id); if (idp_ptr->h.len < sizeof(struct isakmp_gen)) { - plog(LLV_ERROR, LOCATION, NULL, "invalid length (%d) while allocating external nat id.\n", idp_ptr->h.len); + plog(ASL_LEVEL_ERR, "invalid length (%d) while allocating external nat id.\n", idp_ptr->h.len); goto end; } lcconf->ext_nat_id = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen)); if (lcconf->ext_nat_id == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating external nat id.\n"); + plog(ASL_LEVEL_ERR, "memory error while allocating external nat id.\n"); goto end; } memcpy(lcconf->ext_nat_id->v, &(idp_ptr->b), lcconf->ext_nat_id->l); 
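Review bot: The length check `if (idp_ptr->h.len < sizeof(struct isakmp_gen))` compares the raw network-order field, while the allocation two lines later uses `ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen)`, so on a little-endian host the guard tests a byte-swapped value and the subtraction can still wrap. It should be `if (ntohs(idp_ptr->h.len) < sizeof(struct isakmp_gen)) {` with `%u` and `ntohs(idp_ptr->h.len)` in the message; isakmp_parse may already enforce a minimum payload length, but this branch copies peer bytes into the global `lcconf->ext_nat_id`, so the local check should at least be right. A comment noting that a peer-chosen ID is deliberately stored in global config for the NAT rekey case would also help. The enclosing NAT-T branch starts before this hunk.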
@@ -583,25 +582,23 @@ quick_i2recv(iph2, msg0) vfree(iph2->ext_nat_id); iph2->ext_nat_id = vdup(lcconf->ext_nat_id); if (iph2->ext_nat_id == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating ph2's external nat id.\n"); + plog(ASL_LEVEL_ERR, "memory error while allocating ph2's external nat id.\n"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "external nat address saved.\n"); - plogdump(LLV_DEBUG, iph2->ext_nat_id->v, iph2->ext_nat_id->l); + plogdump(ASL_LEVEL_DEBUG, iph2->ext_nat_id->v, iph2->ext_nat_id->l, "external nat address saved.\n"); } else if (f_id && (iph2->ph1->natt_flags & NAT_DETECTED_PEER)) { if (iph2->ext_nat_id_p) vfree(iph2->ext_nat_id_p); iph2->ext_nat_id_p = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen)); if (iph2->ext_nat_id_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating peers ph2's external nat id.\n"); + plog(ASL_LEVEL_ERR, "memory error while allocating peers ph2's external nat id.\n"); goto end; } memcpy(iph2->ext_nat_id_p->v, &(idp_ptr->b), iph2->ext_nat_id_p->l); - plog(LLV_DEBUG, LOCATION, NULL, "peer's external nat address saved.\n"); - plogdump(LLV_DEBUG, iph2->ext_nat_id_p->v, iph2->ext_nat_id_p->l); + plogdump(ASL_LEVEL_DEBUG, iph2->ext_nat_id_p->v, iph2->ext_nat_id_p->l, "peer's external nat address saved.\n"); } } else { - plog(LLV_ERROR, LOCATION, NULL, "mismatched ID was returned.\n"); + plog(ASL_LEVEL_ERR, "mismatched ID was returned.\n"); error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; goto end; } 
@@ -630,11 +627,11 @@ quick_i2recv(iph2, msg0) if (daddr) { if (natoa_i == NULL) { natoa_i = daddr; - plog(LLV_DEBUG, LOCATION, NULL, "initiaor rcvd NAT-OA i: %s\n", + plog(ASL_LEVEL_DEBUG, "initiaor rcvd NAT-OA i: %s\n", saddr2str((struct sockaddr *)natoa_i)); } else if (natoa_r == NULL) { natoa_r = daddr; - plog(LLV_DEBUG, LOCATION, NULL, "initiator rcvd NAT-OA r: %s\n", + plog(ASL_LEVEL_DEBUG, "initiator rcvd NAT-OA r: %s\n", saddr2str((struct sockaddr *)natoa_r)); } else { racoon_free(daddr); @@ -649,7 +646,7 @@ quick_i2recv(iph2, msg0) default: /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); @@ -664,14 +661,14 @@ quick_i2recv(iph2, msg0) /* payload existency check */ if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "few isakmp message received.\n"); goto end; } /* Fixed buffer for calculating HASH */ memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n", hbuf->l, tlen + iph2->nonce->l); /* adjust buffer length for HASH */ @@ -685,12 +682,11 @@ quick_i2recv(iph2, msg0) r_hash = (char *)hash + sizeof(*hash); - plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:"); - plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); + //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(2) received:"); my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); if (my_hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute HASH"); goto end; } @@ -699,7 +695,7 @@ quick_i2recv(iph2, msg0) vfree(my_hash); if (result) { - plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_DEBUG, "HASH(2) mismatch.\n"); error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; goto end; 
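Review bot: `HASH(2) mismatch.` stays at `ASL_LEVEL_DEBUG` and, with the `iph2->ph1->remote` argument dropped from plog, no longer records which peer failed authentication, whereas this same patch raises the responder's `HASH(1) mismatch` to `ASL_LEVEL_ERR`. A failed authenticator on the initiator side is exactly the event an operator wants logged; I'd use `plog(ASL_LEVEL_ERR, "HASH(2) mismatch from %s.\n", saddr2str((struct sockaddr *)iph2->ph1->remote));`, the same saddr2str helper the NAT-OA logging above uses. The `HASH(4) mismatch.` message in quick_i4recv later in the patch has the same problem.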
@@ -708,14 +704,14 @@ quick_i2recv(iph2, msg0) /* validity check SA payload sent from responder */ if (ipsecdoi_checkph2proposal(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to validate SA proposal"); error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; goto end; } /* change status of isakmp status entry */ - iph2->status = PHASE2ST_STATUS6; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG2RCVD); error = 0; @@ -746,13 +742,10 @@ end: racoon_free(natoa_r); } #endif - if (error) { VPTRINIT(iph2->sa_ret); VPTRINIT(iph2->nonce_p); VPTRINIT(iph2->dhpub_p); - VPTRINIT(iph2->id); - VPTRINIT(iph2->id_p); } return error; @@ -763,8 +756,8 @@ end: * HDR*, HASH(3) */ int -quick_i2send(iph2, msg0) - struct ph2handle *iph2; +quick_i3send(iph2, msg0) + phase2_handle_t *iph2; vchar_t *msg0; { vchar_t *msg = NULL; @@ -776,8 +769,8 @@ quick_i2send(iph2, msg0) int packet_error = -1; /* validity check */ - if (iph2->status != PHASE2ST_STATUS6) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_I_MSG2RCVD) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } @@ -786,11 +779,11 @@ quick_i2send(iph2, msg0) { vchar_t *tmp = NULL; - plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n"); + plog(ASL_LEVEL_DEBUG, "HASH(3) generate\n"); tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l); if (tmp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get hash buffer.\n"); goto end; } @@ -801,7 +794,7 @@ quick_i2send(iph2, msg0) vfree(tmp); if (hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute HASH"); goto end; } @@ -812,7 +805,7 @@ quick_i2send(iph2, msg0) + sizeof(struct isakmp_gen) + hash->l; buf = vmalloc(tlen); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); goto end; } 
@@ -820,7 +813,7 @@ quick_i2send(iph2, msg0) /* create isakmp header */ p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); if (p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to create ISAKMP header"); goto end; } @@ -835,7 +828,7 @@ quick_i2send(iph2, msg0) /* encoding */ iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to encrypt packet"); goto end; } @@ -845,24 +838,24 @@ quick_i2send(iph2, msg0) /* send the packet, add to the schedule to resend */ iph2->retry_counter = iph2->ph1->rmconf->retry_counter; if (isakmp_ph2resend(iph2) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet, commit-bit"); goto end; } } else { /* send the packet */ if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } } /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, + if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0, - PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); goto end; } 
@@ -875,40 +868,34 @@ quick_i2send(iph2, msg0)
 /* compute both of KEYMATs */
 if (oakley_compute_keymat(iph2, INITIATOR) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "failed to compute KEYMAT");
 goto end;
 }
- iph2->status = PHASE2ST_ADDSA;
-
- /* don't anything if local test mode. */
- if (f_local) {
- error = 0;
- goto end;
- }
-
 /* if there is commit bit don't set up SA now. */
 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
- iph2->status = PHASE2ST_COMMIT;
+ fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG3SENT);
 error = 0;
 goto end;
 }
+
+ fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_ADDSA);
 /* Do UPDATE for initiator */
- plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
+ plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n");
 if (pk_sendupdate(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
+ plog(ASL_LEVEL_ERR, "pfkey update failed.\n");
 goto end;
 }
- plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
+ plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n");
 /* Do ADD for responder */
 if (pk_sendadd(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
+ plog(ASL_LEVEL_ERR, "pfkey add failed.\n");
 goto end;
 }
- plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
+ plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n");
 error = 0;
@@ -934,8 +921,8 @@ end:
 * HDR#*, HASH(4), notify
 */
 int
-quick_i3recv(iph2, msg0)
- struct ph2handle *iph2;
+quick_i4recv(iph2, msg0)
+ phase2_handle_t *iph2;
 vchar_t *msg0;
 {
 vchar_t *msg = NULL;
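Review bot: Removing `if (f_local) { error = 0; goto end; }` means quick_i3send now proceeds to pk_sendupdate/pk_sendadd unconditionally, yet quick_i4recv and quick_rfinalize in this same patch still keep their `/* don't anything if local test mode. */` guards, which would not compile if `f_local` had gone away. That leaves the initiator's no-commit path as the only one that installs SAs in local test mode, which looks unintended rather than a deliberate change. If the bypass is meant to go, the other two guards should go in the same commit; if not, the five lines should come back. Either way a one-line comment on `fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_ADDSA);` explaining the decision would stop the next reader from re-adding it. quick_i3send continues outside this hunk.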
@@ -947,21 +934,21 @@ quick_i3recv(iph2, msg0) int packet_error = -1; /* validity check */ - if (iph2->status != PHASE2ST_COMMIT) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_I_MSG3SENT) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } /* decrypt packet */ if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "Packet wasn't encrypted.\n"); goto end; } msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); if (msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to decrypt packet\n"); goto end; } @@ -969,7 +956,7 @@ quick_i3recv(iph2, msg0) /* validate the type of next payload */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg\n"); goto end; } @@ -984,14 +971,14 @@ quick_i3recv(iph2, msg0) break; case ISAKMP_NPTYPE_N: if (notify != NULL) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Ignoring multiple notifications\n"); break; } isakmp_check_ph2_notify(pa->ptr, iph2); notify = vmalloc(pa->len); if (notify == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get notify buffer.\n"); goto end; } @@ -999,7 +986,7 @@ quick_i3recv(iph2, msg0) break; default: /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpecting payload type %d.\n", pa->type); @@ -1009,7 +996,7 @@ quick_i3recv(iph2, msg0) /* payload existency check */ if (hash == NULL) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "few isakmp message received.\n"); goto end; } 
@@ -1023,13 +1010,12 @@ quick_i3recv(iph2, msg0) r_hash = (char *)hash + sizeof(*hash); - plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:"); - plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); + //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(4) validate:"); my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); vfree(tmp); if (my_hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute HASH\n"); goto end; } @@ -1038,7 +1024,7 @@ quick_i3recv(iph2, msg0) vfree(my_hash); if (result) { - plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_DEBUG, "HASH(4) mismatch.\n"); error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; goto end; @@ -1051,7 +1037,8 @@ quick_i3recv(iph2, msg0) CONSTSTR(NULL)); packet_error = 0; - iph2->status = PHASE2ST_ADDSA; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_ADDSA); + iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ /* don't anything if local test mode. */ @@ -1061,19 +1048,19 @@ quick_i3recv(iph2, msg0) } /* Do UPDATE for initiator */ - plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); + plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n"); if (pk_sendupdate(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); + plog(ASL_LEVEL_ERR, "pfkey update failed.\n"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); + plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n"); /* Do ADD for responder */ if (pk_sendadd(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); + plog(ASL_LEVEL_ERR, "pfkey add failed.\n"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); + plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n"); error = 0; @@ -1100,7 +1087,7 @@ end: */ int quick_r1recv(iph2, msg0) - struct ph2handle *iph2; + phase2_handle_t *iph2; vchar_t *msg0; { vchar_t *msg = NULL; 
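Review bot: `iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */` toggles the commit bit rather than clearing it; here that is safe only because `IKEV1_STATE_QUICK_I_MSG3SENT` is entered solely under `ISSET(iph2->flags, ISAKMP_FLAG_C)` in quick_i3send, so the bit is known to be set. The same idiom in quick_rfinalize at the end of this patch is gated on `IKEV1_STATE_QUICK_R_COMMIT`, which quick_r3recv enters on the no-commit path as well, and there the XOR would set the bit instead. `iph2->flags &= ~ISAKMP_FLAG_C;` matches the comment and is correct on both paths; whether a stray commit bit matters after ADDSA I cannot tell from this file. quick_i4recv continues outside this hunk.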
@@ -1117,15 +1104,15 @@ quick_r1recv(iph2, msg0) struct sockaddr_storage *natoa_r = NULL; /* validity check */ - if (iph2->status != PHASE2ST_START) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_R_START) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } /* decrypting */ if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "Packet wasn't encrypted.\n"); error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; goto end; @@ -1133,7 +1120,7 @@ quick_r1recv(iph2, msg0) /* decrypt packet */ msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); if (msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to decrypt packet\n"); goto end; } @@ -1147,7 +1134,7 @@ quick_r1recv(iph2, msg0) */ pbuf = isakmp_parse(msg); if (pbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to parse msg\n"); goto end; } @@ -1155,7 +1142,7 @@ quick_r1recv(iph2, msg0) /* HASH payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_HASH) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "received invalid next payload type %d, " "expecting %d.\n", pa->type, ISAKMP_NPTYPE_HASH); @@ -1172,7 +1159,7 @@ quick_r1recv(iph2, msg0) */ /* HASH payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_WARNING, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_WARNING, "received invalid next payload type %d, " "expecting %d.\n", pa->type, ISAKMP_NPTYPE_SA); 
@@ -1182,13 +1169,13 @@ quick_r1recv(iph2, msg0) /* allocate buffer for computing HASH(1) */ tlen = ntohl(isakmp->len) - sizeof(*isakmp); if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, "invalid length (%d) while extracting hash.\n", + plog(ASL_LEVEL_ERR, "invalid length (%d) while extracting hash.\n", ntohl(isakmp->len)); goto end; } hbuf = vmalloc(tlen); if (hbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get hash buffer.\n"); goto end; } @@ -1224,12 +1211,12 @@ quick_r1recv(iph2, msg0) switch (pa->type) { case ISAKMP_NPTYPE_SA: if (iph2->sa != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Multi SAs isn't supported.\n"); goto end; } if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process SA payload\n"); goto end; } @@ -1237,7 +1224,7 @@ quick_r1recv(iph2, msg0) case ISAKMP_NPTYPE_NONCE: if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process NONCE payload\n"); goto end; } @@ -1245,7 +1232,7 @@ quick_r1recv(iph2, msg0) case ISAKMP_NPTYPE_KE: if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process KE payload\n"); goto end; } @@ -1257,7 +1244,7 @@ quick_r1recv(iph2, msg0) f_id_order++; if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process IDci2 payload\n"); goto end; } @@ -1265,7 +1252,7 @@ quick_r1recv(iph2, msg0) } else if (iph2->id == NULL) { /* for IDcr */ if (f_id_order == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "IDr2 payload is not " "immediatelly followed " "by IDi2. We allowed.\n"); 
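Review bot: `tlen = ntohl(isakmp->len) - sizeof(*isakmp);` is computed in `size_t`, so if `tlen` is unsigned the following `if (tlen < 0)` never fires and a short header from the peer produces a huge `vmalloc` request, and if `tlen` is `int` the check only works when the wrapped value happens to convert to a negative. The declaration is outside this hunk, so I cannot tell which applies. `if (ntohl(isakmp->len) < sizeof(*isakmp)) {` ahead of the subtraction is correct for either type, and `%d` should be `%u` for the unsigned ntohl result in the message.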
@@ -1273,14 +1260,12 @@ quick_r1recv(iph2, msg0) } if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to process IDcr2 payload\n"); goto end; } } else { - plog(LLV_ERROR, LOCATION, NULL, - "received too many ID payloads.\n"); - plogdump(LLV_ERROR, iph2->id->v, iph2->id->l); + plogdump(ASL_LEVEL_ERR, iph2->id->v, iph2->id->l, "received too many ID payloads"); error = ISAKMP_NTYPE_INVALID_ID_INFORMATION; goto end; } @@ -1305,11 +1290,11 @@ quick_r1recv(iph2, msg0) if (daddr) { if (natoa_i == NULL) { natoa_i = daddr; - plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA i: %s\n", + plog(ASL_LEVEL_DEBUG, "responder rcvd NAT-OA i: %s\n", saddr2str((struct sockaddr *)natoa_i)); } else if (natoa_r == NULL) { natoa_r = daddr; - plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA r: %s\n", + plog(ASL_LEVEL_DEBUG, "responder rcvd NAT-OA r: %s\n", saddr2str((struct sockaddr *)natoa_r)); } else { racoon_free(daddr); @@ -1323,7 +1308,7 @@ quick_r1recv(iph2, msg0) #endif default: - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "ignore the packet, " "received unexpected payload type %d.\n", pa->type); @@ -1339,19 +1324,17 @@ quick_r1recv(iph2, msg0) /* payload existency check */ if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "expected isakmp payloads missing.\n"); error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; goto end; } if (iph2->id_p) { - plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:"); - plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); + plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "received IDci2:"); } if (iph2->id) { - plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:"); - plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); + plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "received IDcr2:"); } /* adjust buffer length for HASH */ 
@@ -1365,12 +1348,11 @@ quick_r1recv(iph2, msg0) r_hash = (caddr_t)hash + sizeof(*hash); - plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:"); - plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); + //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(1) validate:"); my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); if (my_hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute HASH\n"); goto end; } @@ -1379,7 +1361,7 @@ quick_r1recv(iph2, msg0) vfree(my_hash); if (result) { - plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "HASH(1) mismatch.\n"); error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; goto end; @@ -1389,7 +1371,7 @@ quick_r1recv(iph2, msg0) /* get sainfo */ error = get_sainfo_r(iph2); if (error) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get sainfo.\n"); goto end; } @@ -1400,7 +1382,7 @@ quick_r1recv(iph2, msg0) case -2: /* generate a policy template from peer's proposal */ if (set_proposal_from_proposal(iph2)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate a proposal template " "from client's proposal.\n"); return ISAKMP_INTERNAL_ERROR; 
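Review bot: The `return ISAKMP_INTERNAL_ERROR;` in the `case -2:` branch bypasses the `end:` label that every other error path in quick_r1recv reaches via `goto end`, so the decrypted `msg`, `pbuf`, the hash buffer and any NAT-OA addresses allocated earlier in this function are not released and the handle keeps its partially-populated payload state; this is a peer-reachable path (a proposal that fails template generation). It should be `error = ISAKMP_INTERNAL_ERROR; goto end;`, and since `error` already holds that value from its initializer, `goto end;` alone would do. The `end:` block is outside this hunk, so what it frees is inferred from the quick_i2recv epilogue visible above.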
@@ -1409,27 +1391,27 @@ quick_r1recv(iph2, msg0) case 0: /* select single proposal or reject it. */ if (ipsecdoi_selectph2proposal(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to select proposal.\n"); error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; goto end; } break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get proposal for responder.\n"); goto end; } /* check KE and attribute of PFS */ if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no PFS is specified, but peer sends KE.\n"); error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; goto end; } if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "PFS is specified, but peer doesn't sends KE.\n"); error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; goto end; @@ -1444,7 +1426,7 @@ quick_r1recv(iph2, msg0) iph2->msg1 = vdup(msg0); /* change status of isakmp status entry */ - iph2->status = PHASE2ST_STATUS2; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG1RCVD); error = 0; @@ -1491,29 +1473,29 @@ end: * call pfkey_getspi. */ int -quick_r1prep(iph2, msg) - struct ph2handle *iph2; +quick_rprep(iph2, msg) + phase2_handle_t *iph2; vchar_t *msg; { int error = ISAKMP_INTERNAL_ERROR; /* validity check */ - if (iph2->status != PHASE2ST_STATUS2) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_R_MSG1RCVD) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } - iph2->status = PHASE2ST_GETSPISENT; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_GETSPISENT); /* send getspi message */ if (pk_sendgetspi(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send getspi"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); + plog(ASL_LEVEL_DEBUG, "pfkey getspi sent.\n"); iph2->sce = sched_new(lcconf->wait_ph2complete, pfkey_timeover_stub, iph2); 
@@ -1530,7 +1512,7 @@ end: */ int quick_r2send(iph2, msg) - struct ph2handle *iph2; + phase2_handle_t *iph2; vchar_t *msg; { vchar_t *body = NULL; @@ -1547,26 +1529,26 @@ quick_r2send(iph2, msg) /* validity check */ if (msg != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "msg has to be NULL in this function.\n"); goto end; } - if (iph2->status != PHASE2ST_GETSPIDONE) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_R_GETSPIDONE) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } /* update responders SPI */ if (ipsecdoi_updatespi(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n"); + plog(ASL_LEVEL_ERR, "failed to update spi.\n"); goto end; } /* generate NONCE value */ iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); if (iph2->nonce == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate NONCE"); goto end; } @@ -1576,7 +1558,7 @@ quick_r2send(iph2, msg) if (iph2->dhpub_p != NULL && pfsgroup != 0) { /* DH group settting if PFS is required. */ if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set DH value.\n"); goto end; } @@ -1588,7 +1570,7 @@ quick_r2send(iph2, msg) if (oakley_dh_generate(iph2->pfsgrp, &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) { #endif - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate DH public"); goto end; } @@ -1612,7 +1594,7 @@ quick_r2send(iph2, msg) && (iph2->ph1->natt_flags & NAT_DETECTED)) { natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r); if (natoa_type == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to create NATOA payloads"); goto end; } 
@@ -1620,20 +1602,18 @@ quick_r2send(iph2, msg) tlen += sizeof(*gen) + natoa_i->l; tlen += sizeof(*gen) + natoa_r->l; - plog(LLV_DEBUG, LOCATION, NULL, "responder send NAT-OAi:\n"); - plogdump(LLV_DEBUG, natoa_i->v, natoa_i->l); - plog(LLV_DEBUG, LOCATION, NULL, "responder send NAT-OAr:\n"); - plogdump(LLV_DEBUG, natoa_r->v, natoa_r->l); + //plogdump(ASL_LEVEL_DEBUG, natoa_i->v, natoa_i->l, "responder send NAT-OAi:"); + //plogdump(ASL_LEVEL_DEBUG, natoa_r->v, natoa_r->l, "responder send NAT-OAr:"); } } #endif - plog(LLV_DEBUG, LOCATION, NULL, "Approved SA\n"); - printsaprop0(LLV_DEBUG, iph2->approval); + plog(ASL_LEVEL_DEBUG, "Approved SA\n"); + printsaprop0(ASL_LEVEL_DEBUG, iph2->approval); body = vmalloc(tlen); if (body == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); goto end; } @@ -1662,13 +1642,11 @@ quick_r2send(iph2, msg) if (iph2->id_p != NULL) { /* IDci */ p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID); - plog(LLV_DEBUG, LOCATION, NULL, "sending IDci2:\n"); - plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); + plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "sending IDci2:"); /* IDcr */ np_p = &((struct isakmp_gen *)p)->np; /* XXX */ p = set_isakmp_payload(p, iph2->id, (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE)); - plog(LLV_DEBUG, LOCATION, NULL, "sending IDcr2:\n"); - plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); + plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "sending IDcr2:"); } /* add a RESPONDER-LIFETIME notify payload if needed */ 
@@ -1682,14 +1660,14 @@ quick_r2send(iph2, msg) data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, IPSECDOI_ATTR_SA_LD_TYPE_SEC); if (!data) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to add RESPONDER-LIFETIME notify (type) payload"); goto end; } data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, (caddr_t)&v, sizeof(v)); if (!data) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to add RESPONDER-LIFETIME notify (value) payload"); goto end; } @@ -1699,14 +1677,14 @@ quick_r2send(iph2, msg) data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, IPSECDOI_ATTR_SA_LD_TYPE_KB); if (!data) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to add RESPONDER-LIFETIME notify (type) payload"); goto end; } data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, (caddr_t)&v, sizeof(v)); if (!data) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to add RESPONDER-LIFETIME notify (value) payload"); goto end; } @@ -1721,7 +1699,7 @@ quick_r2send(iph2, msg) body = isakmp_add_pl_n(body, &np_p, ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data); if (!body) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid RESPONDER-LIFETIME payload"); vfree(data); return error; /* XXX */ @@ -1743,7 +1721,7 @@ quick_r2send(iph2, msg) tmp = vmalloc(iph2->nonce_p->l + body->l); if (tmp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get hash buffer.\n"); goto end; } @@ -1754,7 +1732,7 @@ quick_r2send(iph2, msg) vfree(tmp); if (hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute HASH"); goto end; } @@ -1763,7 +1741,7 @@ quick_r2send(iph2, msg) /* send isakmp payload */ iph2->sendbuf = quick_ir1mx(iph2, body, hash); if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get send buffer"); goto end; } 
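Review bot: `vfree(data); return error; /* XXX */` in the RESPONDER-LIFETIME failure path skips quick_r2send's `end:` cleanup that the other failures use via `goto end`, so the NAT-OA addresses built earlier in this function and anything else `end:` releases leak; the patch carries the `XXX` through instead of fixing it. `vfree(data); goto end;` keeps the same return value (`error` is still `ISAKMP_INTERNAL_ERROR` at this point) and runs the cleanup. `body` is already NULL in this branch, so it is not part of the leak. The `end:` block is outside this hunk.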
@@ -1771,21 +1749,21 @@ quick_r2send(iph2, msg) /* send the packet, add to the schedule to resend */ iph2->retry_counter = iph2->ph1->rmconf->retry_counter; if (isakmp_ph2resend(iph2) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1, - PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1, + PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) { + plog(ASL_LEVEL_ERR, "failed to add a response packet to the tree.\n"); goto end; } /* change status of isakmp status entry */ - iph2->status = PHASE2ST_MSG1SENT; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG2SENT); error = 0; @@ -1819,7 +1797,7 @@ end: */ int quick_r3recv(iph2, msg0) - struct ph2handle *iph2; + phase2_handle_t *iph2; vchar_t *msg0; { vchar_t *msg = NULL; @@ -1829,21 +1807,21 @@ quick_r3recv(iph2, msg0) int error = ISAKMP_INTERNAL_ERROR; /* validity check */ - if (iph2->status != PHASE2ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_R_MSG2SENT) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } /* decrypt packet */ if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, + plog(ASL_LEVEL_ERR, "Packet wasn't encrypted.\n"); goto end; } msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); if (msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to decrypt packet\n"); goto end; } 
@@ -1851,7 +1829,7 @@ quick_r3recv(iph2, msg0)
 /* validate the type of next payload */
 pbuf = isakmp_parse(msg);
 if (pbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "failed to parse msg\n");
 goto end;
 }
@@ -1869,7 +1847,7 @@ quick_r3recv(iph2, msg0)
 break;
 default:
 /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ plog(ASL_LEVEL_ERR,
 "ignore the packet, "
 "received unexpecting payload type %d.\n",
 pa->type);
@@ -1879,7 +1857,7 @@ quick_r3recv(iph2, msg0)
 /* payload existency check */
 if (hash == NULL) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ plog(ASL_LEVEL_ERR,
 "few isakmp message received.\n");
 goto end;
 }
@@ -1894,12 +1872,11 @@ quick_r3recv(iph2, msg0)
 r_hash = (char *)hash + sizeof(*hash);
- plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
- plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
+ //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(3) validate:");
 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
 if (tmp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "failed to get hash buffer.\n");
 goto end;
 }
@@ -1909,7 +1886,7 @@ quick_r3recv(iph2, msg0)
 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
 vfree(tmp);
 if (my_hash == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "failed to compute HASH\n");
 goto end;
 }
@@ -1918,7 +1895,7 @@ quick_r3recv(iph2, msg0)
 vfree(my_hash);
 if (result) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ plog(ASL_LEVEL_ERR,
 "HASH(3) mismatch.\n");
 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
 goto end;
@@ -1927,9 +1904,9 @@ quick_r3recv(iph2, msg0)
 /* if there is commit bit, don't set up SA now. */
 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
- iph2->status = PHASE2ST_COMMIT;
+ fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG3RCVD);
 } else
- iph2->status = PHASE2ST_STATUS6;
+ fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_COMMIT);
 error = 0;
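Review bot: The state names read inverted in the commit-bit branch: the no-commit path sets `IKEV1_STATE_QUICK_R_COMMIT`, the path that actually saw the commit bit sets `IKEV1_STATE_QUICK_R_MSG3RCVD`, and quick_r4send later moves to `IKEV1_STATE_QUICK_R_COMMIT` as well, so R_COMMIT really means "ready to finalize" and is reached from both paths. A comment on the else branch would spare the next reader a trip through the FSM table: `/* no commit bit: skip HASH(4) and go straight to the state that gates quick_rfinalize */`. Because both paths converge on R_COMMIT, quick_rfinalize must not assume the commit bit is set when it resets it. quick_r3recv continues outside this hunk.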
@@ -1958,8 +1935,8 @@ end: * HDR#*, HASH(4), notify */ int -quick_r3send(iph2, msg0) - struct ph2handle *iph2; +quick_r4send(iph2, msg0) + phase2_handle_t *iph2; vchar_t *msg0; { vchar_t *buf = NULL; @@ -1971,21 +1948,21 @@ quick_r3send(iph2, msg0) int error = ISAKMP_INTERNAL_ERROR; /* validity check */ - if (iph2->status != PHASE2ST_COMMIT) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_R_MSG3RCVD) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } /* generate HASH(4) */ /* XXX What can I do in the case of multiple different SA */ - plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n"); + plog(ASL_LEVEL_DEBUG, "HASH(4) generate\n"); /* XXX What should I do if there are multiple SAs ? */ tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize; notify = vmalloc(tlen); if (notify == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get notify buffer.\n"); goto end; } @@ -2000,7 +1977,7 @@ quick_r3send(iph2, msg0) myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); if (myhash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute HASH"); goto end; } @@ -2011,7 +1988,7 @@ quick_r3send(iph2, msg0) + notify->l; buf = vmalloc(tlen); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); goto end; } @@ -2019,7 +1996,7 @@ quick_r3send(iph2, msg0) /* create isakmp header */ p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); if (p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set ISAKMP header"); goto end; } 
@@ -2037,27 +2014,27 @@ quick_r3send(iph2, msg0) /* encoding */ iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to encrypt packet"); goto end; } /* send the packet */ if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); goto end; } /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0, - PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0, + PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); goto end; } - iph2->status = PHASE2ST_COMMIT; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_COMMIT); error = 0; @@ -2088,28 +2065,29 @@ end: * set SA to kernel. */ int -quick_r3prep(iph2, msg0) - struct ph2handle *iph2; +quick_rfinalize(iph2, msg0) + phase2_handle_t *iph2; vchar_t *msg0; { vchar_t *msg = NULL; int error = ISAKMP_INTERNAL_ERROR; /* validity check */ - if (iph2->status != PHASE2ST_STATUS6) { - plog(LLV_ERROR, LOCATION, NULL, + if (iph2->status != IKEV1_STATE_QUICK_R_COMMIT) { + plog(ASL_LEVEL_ERR, "status mismatched %d.\n", iph2->status); goto end; } /* compute both of KEYMATs */ if (oakley_compute_keymat(iph2, RESPONDER) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute KEYMAT"); goto end; } - iph2->status = PHASE2ST_ADDSA; + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_ADDSA); + iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ /* don't anything if local test mode. */ 
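Review bot: `iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */` in quick_rfinalize toggles the commit bit instead of clearing it; with the new states this function is reached both from quick_r3recv (which sets IKEV1_STATE_QUICK_R_COMMIT when the commit bit is *not* set) and from quick_r4send, so on the non-commit path the XOR switches the flag on. Clear it explicitly with `iph2->flags &= ~ISAKMP_FLAG_C; /* clear the commit bit */`. The line is pre-existing context, but the commit rewrites the state handling around it and the renamed states make the two entry paths explicit. Whether anything reads iph2->flags after this point is not visible here, so the practical impact is unconfirmed.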
@@ -2119,19 +2097,19 @@ quick_r3prep(iph2, msg0) } /* Do UPDATE as responder */ - plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); + plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n"); if (pk_sendupdate(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); + plog(ASL_LEVEL_ERR, "pfkey update failed.\n"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); + plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n"); /* Do ADD for responder */ if (pk_sendadd(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); + plog(ASL_LEVEL_ERR, "pfkey add failed.\n"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); + plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n"); /* * set policies into SPD if the policy is generated @@ -2149,11 +2127,11 @@ quick_r3prep(iph2, msg0) iph2->src = dst; iph2->dst = src; if (pk_sendspdupdate2(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey spdupdate2(inbound) failed.\n"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey spdupdate2(inbound) sent.\n"); spidx = iph2->spidx_gen; @@ -2162,11 +2140,11 @@ quick_r3prep(iph2, msg0) if (tunnel_mode_prop(iph2->approval)) { spidx->dir = IPSEC_DIR_FWD; if (pk_sendspdupdate2(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey spdupdate2(forward) failed.\n"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey spdupdate2(forward) sent.\n"); } #endif @@ -2183,11 +2161,11 @@ quick_r3prep(iph2, msg0) spidx->prefd = pref; if (pk_sendspdupdate2(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey spdupdate2(outbound) failed.\n"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey spdupdate2(outbound) sent.\n"); /* spidx_gen is unnecessary any more */ 
@@ -2211,7 +2189,7 @@ end: */ static vchar_t * quick_ir1mx(iph2, body, hash) - struct ph2handle *iph2; + phase2_handle_t *iph2; vchar_t *body, *hash; { struct isakmp *isakmp; @@ -2227,7 +2205,7 @@ quick_ir1mx(iph2, body, hash) + body->l; buf = vmalloc(tlen); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); goto end; } @@ -2238,7 +2216,7 @@ quick_ir1mx(iph2, body, hash) /* set isakmp header */ p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); if (p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set ISAKMP header"); goto end; } @@ -2257,7 +2235,7 @@ quick_ir1mx(iph2, body, hash) /* encoding */ new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to encrypt packet"); goto end; } @@ -2281,9 +2259,9 @@ end: * get remote's sainfo. * NOTE: this function is for responder. */ -static int +int get_sainfo_r(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { vchar_t *idsrc = NULL, *iddst = NULL; int prefixlen; @@ -2299,7 +2277,7 @@ get_sainfo_r(iph2) prefixlen = sizeof(struct in6_addr) << 3; break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", iph2->src->ss_family); goto end; } @@ -2309,7 +2287,7 @@ get_sainfo_r(iph2) idsrc = vdup(iph2->id); } if (idsrc == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set ID for source.\n"); goto end; } @@ -2323,7 +2301,7 @@ get_sainfo_r(iph2) prefixlen = sizeof(struct in6_addr) << 3; break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", iph2->dst->ss_family); goto end; } @@ -2333,7 +2311,7 @@ get_sainfo_r(iph2) iddst = vdup(iph2->id_p); } if (iddst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set ID for destination.\n"); goto end; } 
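Review bot: `get_sainfo_r` in this hunk (and `get_proposal_r` in the next) loses its `static`, but the new prototypes are placed in isakmp_var.h, the isakmp.c interface header, rather than in isakmp_quick.h alongside the rest of this file's exported functions. A reader looking for the declaration will check isakmp_quick.h first; move `extern int get_sainfo_r (phase2_handle_t *);` and `extern int get_proposal_r (phase2_handle_t *);` there. A one-line comment on the definition naming the new external caller would also help, since nothing in this file explains why a responder-only helper is now part of the public interface.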
@@ -2348,7 +2326,7 @@ get_sainfo_r(iph2) if ((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL) iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 1); if (iph2->sainfo) { - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "get_sainfo_r case 1.\n"); } // still no sainfo (or anonymous): for client, fallback to sainfo used by a previous established phase2 @@ -2356,16 +2334,16 @@ get_sainfo_r(iph2) (iph2->sainfo->idsrc == NULL && iph2->parent_session && iph2->parent_session->is_client)) { ike_session_get_sainfo_r(iph2); if (iph2->sainfo) { - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "get_sainfo_r case 2.\n"); } // still no sainfo (or anonymous): fallback to sainfo picked by dst id if ((iph2->sainfo == NULL || iph2->sainfo->idsrc == NULL) && iph2->id_p) { - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "get_sainfo_r about to try dst id only.\n"); iph2->sainfo = getsainfo_by_dst_id(iph2->id_p, iph2->ph1->id_p); if (iph2->sainfo) { - plog(LLV_DEBUG2, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "get_sainfo_r case 3.\n"); if (iph2->sainfo->idsrc == NULL) anonymous = iph2->sainfo; @@ -2375,30 +2353,25 @@ get_sainfo_r(iph2) } if (iph2->sainfo == NULL) { if (anonymous == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get sainfo.\n"); goto end; } iph2->sainfo = anonymous; } - if (link_sainfo_to_ph2(iph2->sainfo) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to link sainfo\n"); - iph2->sainfo = NULL; - goto end; - } - + retain_sainfo(iph2->sainfo); + #ifdef ENABLE_HYBRID /* xauth group inclusion check */ if (iph2->sainfo->group != NULL) if(group_check(iph2->ph1,&iph2->sainfo->group->v,1)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to group check"); goto end; } #endif - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "selected sainfo: %s\n", sainfo2str(iph2->sainfo)); error = 0; 
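Review bot: `retain_sainfo(iph2->sainfo);` replaces `link_sainfo_to_ph2`, whose return value was checked and which reset `iph2->sainfo` to NULL on failure; the new call's result is ignored, so if retain_sainfo can fail the handle keeps a pointer to a sainfo it does not hold. In the ENABLE_HYBRID branch just below, a `group_check` failure jumps to `end` after the reference has been taken, so unless the cleanup at `end` (outside this hunk) or the caller releases it, that error path leaks the reference. Either check the result as before or add a comment at the call stating that retain_sainfo cannot fail and where the matching release is performed.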
@@ -2411,9 +2384,9 @@ end: return error; } -static int +int get_proposal_r(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { int error = get_proposal_r_remote(iph2, 0); if (error != -2 && error != 0 && @@ -2439,31 +2412,31 @@ get_proposal_r(iph2) */ static int get_proposal_r_remote(iph2, ignore_id) - struct ph2handle *iph2; + phase2_handle_t *iph2; int ignore_id; { struct policyindex spidx; struct secpolicy *sp_in, *sp_out; int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */ int error = ISAKMP_INTERNAL_ERROR; - int generated_policy_exit_early = 1; + int generated_policy_exit_early = 0; /* check the existence of ID payload */ if ((iph2->id_p != NULL && iph2->id == NULL) || (iph2->id_p == NULL && iph2->id != NULL)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Both IDs wasn't found in payload.\n"); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } /* make sure if id[src,dst] is null (if use_remote_addr == 0). */ if (!ignore_id && (iph2->src_id || iph2->dst_id)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Why do ID[src,dst] exist already.\n"); return ISAKMP_INTERNAL_ERROR; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s: ignore_id %x.\n", __FUNCTION__, ignore_id); memset(&spidx, 0, sizeof(spidx)); @@ -2487,7 +2460,7 @@ get_proposal_r_remote(iph2, ignore_id) || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { /* get a destination address of a policy */ error = ipsecdoi_id2sockaddr(iph2->id, &spidx.dst, - &spidx.prefd, &spidx.ul_proto); + &spidx.prefd, &spidx.ul_proto, iph2->version); if (error) return error; @@ -2511,9 +2484,9 @@ get_proposal_r_remote(iph2, ignore_id) } else { - plog(LLV_DEBUG, LOCATION, NULL, - "get a destination address of SP index " - "from phase1 address " + plog(ASL_LEVEL_DEBUG, + "Get a destination address of SP index " + "from Phase 1 address " "due to no ID payloads found " "OR because ID type is not address.\n"); 
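Review bot: `int generated_policy_exit_early = 0;` changes the initial value from 1 to 0, turning the variable from an always-true sentinel into a real flag, but the later assignment in the `@@ -2637` hunk still carries the comment `/* special value */`, which now misleads. Replace it with a comment describing the effect, e.g. `generated_policy_exit_early = 1; /* policy was generated: return before the IPsec-policy check below */` — the early-return block itself lies outside the visible hunks, so confirm that is what it does. The body of get_proposal_r_remote continues beyond this hunk.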
@@ -2551,7 +2524,7 @@ get_proposal_r_remote(iph2, ignore_id) || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { /* get a source address of inbound SA */ error = ipsecdoi_id2sockaddr(iph2->id_p, &spidx.src, - &spidx.prefs, &spidx.ul_proto); + &spidx.prefs, &spidx.ul_proto, iph2->version); if (error) return error; @@ -2570,24 +2543,24 @@ get_proposal_r_remote(iph2, ignore_id) /* make id[src,dst] if both ID types are IP address and same */ if (_XIDT(iph2->id_p) == idi2type && spidx.dst.ss_family == spidx.src.ss_family) { - iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst); + iph2->src_id = dupsaddr(&spidx.dst); if (iph2->src_id == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "buffer allocation failed.\n"); return ISAKMP_INTERNAL_ERROR; } - iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src); + iph2->dst_id = dupsaddr(&spidx.src); if (iph2->dst_id == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "buffer allocation failed.\n"); return ISAKMP_INTERNAL_ERROR; } } } else { - plog(LLV_DEBUG, LOCATION, NULL, - "get a source address of SP index " - "from phase1 address " + plog(ASL_LEVEL_DEBUG, + "Get a source address of SP index " + "from Phase 1 address " "due to no ID payloads found " "OR because ID type is not address.\n"); @@ -2614,12 +2587,12 @@ get_proposal_r_remote(iph2, ignore_id) #undef _XIDT - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "get a src address from ID payload " "%s prefixlen=%u ul_proto=%u\n", saddr2str((struct sockaddr *)&spidx.src), spidx.prefs, spidx.ul_proto); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "get dst address from ID payload " "%s prefixlen=%u ul_proto=%u\n", saddr2str((struct sockaddr *)&spidx.dst), 
@@ -2637,24 +2610,24 @@ get_proposal_r_remote(iph2, ignore_id) if (sp_in == NULL || sp_in->policy == IPSEC_POLICY_GENERATE) { if (iph2->ph1->rmconf->gen_policy) { if (sp_in) - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "Update the generated policy : %s\n", spidx2str(&spidx)); else - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "no policy found, " "try to generate the policy : %s\n", spidx2str(&spidx)); iph2->spidx_gen = (struct policyindex *)racoon_malloc(sizeof(spidx)); if (!iph2->spidx_gen) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "buffer allocation failed.\n"); return ISAKMP_INTERNAL_ERROR; } memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); generated_policy_exit_early = 1; /* special value */ } else { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no policy found: %s\n", spidx2str(&spidx)); return ISAKMP_INTERNAL_ERROR; } @@ -2675,7 +2648,7 @@ get_proposal_r_remote(iph2, ignore_id) sp_out = getsp_r(&spidx, iph2); if (!sp_out) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "no outbound policy found: %s\n", spidx2str(&spidx)); } else { @@ -2686,7 +2659,7 @@ get_proposal_r_remote(iph2, ignore_id) } } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "suitable SP found:%s\n", spidx2str(&spidx)); if (generated_policy_exit_early) { @@ -2698,7 +2671,7 @@ get_proposal_r_remote(iph2, ignore_id) * outbound policy is not checked currently. */ if (sp_in->policy != IPSEC_POLICY_IPSEC) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "policy found, but no IPsec required: %s\n", spidx2str(&spidx)); return ISAKMP_INTERNAL_ERROR; @@ -2706,7 +2679,7 @@ get_proposal_r_remote(iph2, ignore_id) /* set new proposal derived from a policy into the iph2->proposal. */ if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to create saprop.\n"); return ISAKMP_INTERNAL_ERROR; } 
diff --git a/ipsec-tools/racoon/isakmp_quick.h b/ipsec-tools/racoon/isakmp_quick.h index 4768b53..8c538c1 100644 --- a/ipsec-tools/racoon/isakmp_quick.h +++ b/ipsec-tools/racoon/isakmp_quick.h @@ -32,17 +32,19 @@ #ifndef _ISAKMP_QUICK_H #define _ISAKMP_QUICK_H -extern int quick_i1prep __P((struct ph2handle *, vchar_t *)); -extern int quick_i1send __P((struct ph2handle *, vchar_t *)); -extern int quick_i2recv __P((struct ph2handle *, vchar_t *)); -extern int quick_i2send __P((struct ph2handle *, vchar_t *)); -extern int quick_i3recv __P((struct ph2handle *, vchar_t *)); +#include "racoon_types.h" -extern int quick_r1recv __P((struct ph2handle *, vchar_t *)); -extern int quick_r1prep __P((struct ph2handle *, vchar_t *)); -extern int quick_r2send __P((struct ph2handle *, vchar_t *)); -extern int quick_r3recv __P((struct ph2handle *, vchar_t *)); -extern int quick_r3send __P((struct ph2handle *, vchar_t *)); -extern int quick_r3prep __P((struct ph2handle *, vchar_t *)); +extern int quick_iprep (phase2_handle_t *, vchar_t *); +extern int quick_i1send (phase2_handle_t *, vchar_t *); +extern int quick_i2recv (phase2_handle_t *, vchar_t *); +extern int quick_i3send (phase2_handle_t *, vchar_t *); +extern int quick_i4recv (phase2_handle_t *, vchar_t *); + +extern int quick_r1recv (phase2_handle_t *, vchar_t *); +extern int quick_rprep (phase2_handle_t *, vchar_t *); +extern int quick_r2send (phase2_handle_t *, vchar_t *); +extern int quick_r3recv (phase2_handle_t *, vchar_t *); +extern int quick_r4send (phase2_handle_t *, vchar_t *); +extern int quick_rfinalize (phase2_handle_t *, vchar_t *); #endif /* _ISAKMP_QUICK_H */ diff --git a/ipsec-tools/racoon/isakmp_unity.c b/ipsec-tools/racoon/isakmp_unity.c index c7951ba..53943b0 100644 --- a/ipsec-tools/racoon/isakmp_unity.c +++ b/ipsec-tools/racoon/isakmp_unity.c 
@@ -79,19 +79,19 @@ #include "isakmp_cfg.h" #include "strnames.h" -static vchar_t *isakmp_cfg_split(struct ph1handle *, +static vchar_t *isakmp_cfg_split (phase1_handle_t *, struct isakmp_data *, struct unity_netentry*,int); vchar_t * isakmp_unity_req(iph1, attr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; { int type; vchar_t *reply_attr = NULL; if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unity mode config request but the peer " "did not declare itself as unity compliant\n"); return NULL; @@ -103,13 +103,13 @@ isakmp_unity_req(iph1, attr) if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { type &= ~ISAKMP_GEN_MASK; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Short attribute %s = %d\n", s_isakmp_cfg_type(type), ntohs(attr->lorv)); switch (type) { default: - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Ignored short attribute %s\n", s_isakmp_cfg_type(type)); break; @@ -127,13 +127,13 @@ isakmp_unity_req(iph1, attr) int len; if ((fd = open(filename, O_RDONLY, 0)) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot open \"%s\"\n", filename); return NULL; } if ((len = read(fd, buf, MAXMOTD)) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot read \"%s\"\n", filename); close(fd); return NULL; @@ -190,7 +190,7 @@ isakmp_unity_req(iph1, attr) case UNITY_NATT_PORT: case UNITY_BACKUP_SERVERS: default: - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Ignored attribute %s\n", s_isakmp_cfg_type(type)); return NULL; break; @@ -201,7 +201,7 @@ isakmp_unity_req(iph1, attr) void isakmp_unity_reply(iph1, attr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; { int type = ntohs(attr->type); 
@@ -258,7 +258,7 @@ isakmp_unity_reply(iph1, attr) case UNITY_BACKUP_SERVERS: case UNITY_DDNS_HOSTNAME: default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Ignored attribute %s\n", s_isakmp_cfg_type(type)); break; @@ -268,7 +268,7 @@ isakmp_unity_reply(iph1, attr) static vchar_t * isakmp_cfg_split(iph1, attr, netentry, count) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; struct unity_netentry *netentry; int count; @@ -284,7 +284,7 @@ isakmp_cfg_split(iph1, attr, netentry, count) len = sizeof(struct unity_network) * count; if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -301,7 +301,7 @@ isakmp_cfg_split(iph1, attr, netentry, count) inet_ntop(AF_INET, &netentry->network.addr4, tmp1, 40); inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40); - plog(LLV_DEBUG, LOCATION, NULL, "splitnet: %s/%s\n", tmp1, tmp2); + plog(ASL_LEVEL_DEBUG, "splitnet: %s/%s\n", tmp1, tmp2); netentry = netentry->next; } diff --git a/ipsec-tools/racoon/isakmp_unity.h b/ipsec-tools/racoon/isakmp_unity.h index b52f02c..2804cb8 100644 --- a/ipsec-tools/racoon/isakmp_unity.h +++ b/ipsec-tools/racoon/isakmp_unity.h @@ -31,6 +31,9 @@ * SUCH DAMAGE. */ + +#include "racoon_types.h" + /* ISAKMP notifies specific to the Unity vendor Id */ /* Sent during xauth if the user types his password too slowly */ #define ISAKMP_NTYPE_UNITY_HEARTBEAT 40500 
@@ -64,9 +67,9 @@ struct unity_netentry { struct unity_netentry *next; }; -int splitnet_list_add(struct unity_netentry **, struct unity_network *, int *); -void splitnet_list_free(struct unity_netentry *, int *); -char * splitnet_list_2str(struct unity_netentry *); +int splitnet_list_add (struct unity_netentry **, struct unity_network *, int *); +void splitnet_list_free (struct unity_netentry *, int *); +char * splitnet_list_2str (struct unity_netentry *); -vchar_t *isakmp_unity_req(struct ph1handle *, struct isakmp_data *); -void isakmp_unity_reply(struct ph1handle *, struct isakmp_data *); +vchar_t *isakmp_unity_req (phase1_handle_t *, struct isakmp_data *); +void isakmp_unity_reply (phase1_handle_t *, struct isakmp_data *); diff --git a/ipsec-tools/racoon/isakmp_var.h b/ipsec-tools/racoon/isakmp_var.h index 6e75240..d3d60a5 100644 --- a/ipsec-tools/racoon/isakmp_var.h +++ b/ipsec-tools/racoon/isakmp_var.h @@ -33,6 +33,8 @@ #define _ISAKMP_VAR_H #include "vmbuf.h" +#include "racoon_types.h" +#include #define PORT_ISAKMP 500 #define PORT_ISAKMP_NATT 4500 
@@ -48,92 +50,95 @@ typedef struct { /* i_cookie + r_cookie */ } isakmp_index; struct isakmp_gen; -struct sched; + + struct sockaddr_storage; -struct ph1handle; -struct ph2handle; struct remoteconf; struct isakmp_gen; struct ipsecdoi_pl_id; /* XXX */ struct isakmp_pl_ke; /* XXX */ struct isakmp_pl_nonce; /* XXX */ -extern int isakmp_handler __P((int)); -extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr_storage *, - struct sockaddr_storage *, int)); - -extern vchar_t *isakmp_parsewoh __P((int, struct isakmp_gen *, int)); -extern vchar_t *isakmp_parse __P((vchar_t *)); - -extern int isakmp_init __P((int, int *)); -extern void isakmp_cleanup __P((void)); - -extern const char *isakmp_pindex __P((const isakmp_index *, const u_int32_t)); -extern int isakmp_open __P((int *)); -extern void isakmp_close __P((void)); -extern void isakmp_close_sockets __P((void)); -extern void isakmp_close_unused __P((void)); -extern int isakmp_send __P((struct ph1handle *, vchar_t *)); - -extern void isakmp_ph1resend_stub __P((void *)); -extern int isakmp_ph1resend __P((struct ph1handle *)); -extern void isakmp_ph2resend_stub __P((void *)); -extern int isakmp_ph2resend __P((struct ph2handle *)); -extern void isakmp_ph1expire_stub __P((void *)); -extern void isakmp_ph1expire __P((struct ph1handle *)); -extern void isakmp_ph1rekeyexpire_stub __P((void *)); -extern void isakmp_ph1rekeyexpire __P((struct ph1handle *, int)); -extern int isakmp_ph1rekeyretry __P((struct ph1handle *)); -extern void isakmp_ph1delete_stub __P((void *)); -extern void isakmp_ph1delete __P((struct ph1handle *)); -extern void isakmp_ph2expire_stub __P((void *)); -extern void isakmp_ph2expire __P((struct ph2handle *)); -extern void isakmp_ph2delete_stub __P((void *)); -extern void isakmp_ph2delete __P((struct ph2handle *)); - -extern int isakmp_post_acquire __P((struct ph2handle *)); -extern int isakmp_post_getspi __P((struct ph2handle *)); -extern void isakmp_chkph1there_stub __P((void *)); -extern 
void isakmp_chkph1there __P((struct ph2handle *)); - -extern caddr_t isakmp_set_attr_v __P((caddr_t, int, caddr_t, int)); -extern caddr_t isakmp_set_attr_l __P((caddr_t, int, u_int32_t)); -extern vchar_t *isakmp_add_attr_v __P((vchar_t *, int, caddr_t, int)); -extern vchar_t *isakmp_add_attr_l __P((vchar_t *, int, u_int32_t)); - -extern int isakmp_newcookie __P((caddr_t, struct sockaddr_storage *, struct sockaddr_storage *)); - -extern int isakmp_p2ph __P((vchar_t **, struct isakmp_gen *)); - -extern u_int32_t isakmp_newmsgid2 __P((struct ph1handle *)); -extern caddr_t set_isakmp_header1 __P((vchar_t *, struct ph1handle *, int)); -extern caddr_t set_isakmp_header2 __P((vchar_t *, struct ph2handle *, int)); -extern caddr_t set_isakmp_payload __P((caddr_t, vchar_t *, int)); - -extern struct payload_list *isakmp_plist_append __P((struct payload_list *plist, - vchar_t *payload, int payload_type)); -extern vchar_t *isakmp_plist_set_all __P((struct payload_list **plist, - struct ph1handle *iph1)); -extern vchar_t *isakmp_plist_append_initial_contact __P((struct ph1handle *, - struct payload_list *)); +extern void isakmp_handler (int); +extern int ikev1_ph1begin_i (ike_session_t *session, struct remoteconf *, struct sockaddr_storage *, + struct sockaddr_storage *, int); +extern int get_sainfo_r (phase2_handle_t *); +extern int get_proposal_r (phase2_handle_t *); + +extern vchar_t *isakmp_parsewoh (int, struct isakmp_gen *, int); +extern vchar_t *isakmp_parse (vchar_t *); + +extern int isakmp_init (void); +extern void isakmp_cleanup (void); + +extern const char *isakmp_pindex (const isakmp_index *, const u_int32_t); +extern int isakmp_open (void); +extern void isakmp_suspend_sockets(void); +extern void isakmp_close (void); +extern void isakmp_close_sockets (void); +extern void isakmp_close_unused (void); +extern int isakmp_send (phase1_handle_t *, vchar_t *); + +extern void isakmp_ph1resend_stub (void *); +extern int isakmp_ph1resend (phase1_handle_t *); +extern void 
isakmp_ph2resend_stub (void *); +extern int isakmp_ph2resend (phase2_handle_t *); + +extern void isakmp_ph1expire_stub (void *); +extern void isakmp_ph1expire (phase1_handle_t *); +extern void isakmp_ph1rekeyexpire_stub (void *); +extern void isakmp_ph1rekeyexpire (phase1_handle_t *, int); +extern int isakmp_ph1rekeyretry (phase1_handle_t *); +extern void isakmp_ph1delete_stub (void *); +extern void isakmp_ph1delete (phase1_handle_t *); +extern void isakmp_ph2expire_stub (void *); +extern void isakmp_ph2expire (phase2_handle_t *); +extern void isakmp_ph2delete_stub (void *); +extern void isakmp_ph2delete (phase2_handle_t *); +extern int ikev1_phase1_established(phase1_handle_t *); + +extern int isakmp_post_acquire (phase2_handle_t *); +extern int isakmp_post_getspi (phase2_handle_t *); +extern void isakmp_chkph1there_stub (void *); +extern void isakmp_chkph1there (phase2_handle_t *); + +extern caddr_t isakmp_set_attr_v (caddr_t, int, caddr_t, int); +extern caddr_t isakmp_set_attr_l (caddr_t, int, u_int32_t); +extern vchar_t *isakmp_add_attr_v (vchar_t *, int, caddr_t, int); +extern vchar_t *isakmp_add_attr_l (vchar_t *, int, u_int32_t); + +extern int isakmp_newcookie (caddr_t, struct sockaddr_storage *, struct sockaddr_storage *); + +extern int isakmp_p2ph (vchar_t **, struct isakmp_gen *); + +extern u_int32_t isakmp_newmsgid2 (phase1_handle_t *); +extern caddr_t set_isakmp_header1 (vchar_t *, phase1_handle_t *, int); +extern caddr_t set_isakmp_header2 (vchar_t *, phase2_handle_t *, int); +extern caddr_t set_isakmp_payload (caddr_t, vchar_t *, int); + +extern struct payload_list *isakmp_plist_append (struct payload_list *plist, + vchar_t *payload, int payload_type); +extern vchar_t *isakmp_plist_set_all (struct payload_list **plist, + phase1_handle_t *iph1); +extern vchar_t *isakmp_plist_append_initial_contact (phase1_handle_t *, struct payload_list *); #ifdef HAVE_PRINT_ISAKMP_C -extern void isakmp_printpacket __P((vchar_t *, struct sockaddr_storage *, - struct 
sockaddr_storage *, int)); +extern void isakmp_printpacket (vchar_t *, struct sockaddr_storage *, + struct sockaddr_storage *, int); #endif -extern int copy_ph1addresses __P(( struct ph1handle *, - struct remoteconf *, struct sockaddr_storage *, struct sockaddr_storage *)); -extern void log_ph1established __P((const struct ph1handle *)); +extern int copy_ph1addresses (phase1_handle_t *, + struct remoteconf *, struct sockaddr_storage *, struct sockaddr_storage *); +extern void log_ph1established (const phase1_handle_t *); -extern void script_hook __P((struct ph1handle *, int)); -extern int script_env_append __P((char ***, int *, char *, char *)); -extern int script_exec __P((char *, int, char * const *)); +extern void script_hook (phase1_handle_t *, int); +extern int script_env_append (char ***, int *, char *, char *); +extern int script_exec (char *, int, char * const *); -void purge_remote __P((struct ph1handle *)); -void delete_spd __P((struct ph2handle *)); +void purge_remote (phase1_handle_t *); +void delete_spd (phase2_handle_t *); #ifdef INET6 -u_int32_t setscopeid __P((struct sockaddr_storage *, struct sockaddr_storage *)); +u_int32_t setscopeid (struct sockaddr_storage *, struct sockaddr_storage *); #endif #endif /* _ISAKMP_VAR_H */ diff --git a/ipsec-tools/racoon/isakmp_xauth.c b/ipsec-tools/racoon/isakmp_xauth.c index 955a062..ab4855f 100644 --- a/ipsec-tools/racoon/isakmp_xauth.c +++ b/ipsec-tools/racoon/isakmp_xauth.c @@ -74,13 +74,11 @@ #include "sockmisc.h" #include "schedule.h" #include "debug.h" +#include "fsm.h" #include "crypto_openssl.h" #include "isakmp_var.h" #include "isakmp.h" -#include "admin.h" -#include "privsep.h" -#include "evt.h" #include "handler.h" #include "throttle.h" #include "remoteconf.h" 
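Review bot: `extern void isakmp_handler (int);` changes the return type from `int` to `void`, so a caller that tested the result would no longer compile, and one that merely ignored it silently loses the error path; the callers are not in this hunk, so I cannot confirm they were updated. On style, `isakmp_suspend_sockets(void)` and `ikev1_phase1_established(phase1_handle_t *)` omit the space before the parameter list that every other prototype in the block uses; write `extern void isakmp_suspend_sockets (void);` and `extern int ikev1_phase1_established (phase1_handle_t *);` for consistency. The `+#include` line added in the `@@ -33` hunk of this header shows no header name in this rendering, presumably lost to markup stripping, so the actual file should be checked.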
@@ -97,32 +95,10 @@ #include "ipsecSessionTracer.h" #include "ipsecMessageTracer.h" -#ifdef HAVE_LIBRADIUS -#include - -struct rad_handle *radius_auth_state = NULL; -struct rad_handle *radius_acct_state = NULL; -#endif - -#ifdef HAVE_LIBPAM -#include - -static char *PAM_usr = NULL; -static char *PAM_pwd = NULL; -static int PAM_conv(int, const struct pam_message **, - struct pam_response **, void *); -static struct pam_conv PAM_chat = { &PAM_conv, NULL }; -#endif - -#ifdef HAVE_LIBLDAP -#include "ldap.h" -#include -struct xauth_ldap_config xauth_ldap_config; -#endif void xauth_sendreq(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { vchar_t *buffer; struct isakmp_pl_attr *attr; @@ -133,19 +109,19 @@ xauth_sendreq(iph1) size_t tlen; /* Status checks */ - if (iph1->status != PHASE1ST_ESTABLISHED) { - plog(LLV_ERROR, LOCATION, NULL, + if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { + plog(ASL_LEVEL_ERR, "Xauth request while phase 1 is not completed\n"); return; } if (xst->status != XAUTHST_NOTYET) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Xauth request whith Xauth state %d\n", xst->status); return; } - plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n"); + plog(ASL_LEVEL_INFO, "Sending Xauth request\n"); tlen = sizeof(*attr) + + sizeof(*typeattr) + @@ -153,7 +129,7 @@ xauth_sendreq(iph1) + sizeof(*pwdattr); if ((buffer = vmalloc(tlen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate buffer\n"); return; } @@ -188,7 +164,7 @@ xauth_sendreq(iph1) int xauth_attr_reply(iph1, attr, id) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; int id; { 
@@ -198,14 +174,14 @@ xauth_attr_reply(iph1, attr, id) struct xauth_state *xst = &iph1->mode_cfg->xauth; if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Xauth reply but peer did not declare " "itself as Xauth capable\n"); return -1; } if (xst->status != XAUTHST_REQSENT) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Xauth reply while Xauth state is %d\n", xst->status); return -1; } @@ -218,7 +194,7 @@ xauth_attr_reply(iph1, attr, id) xst->authtype = XAUTH_TYPE_GENERIC; break; default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Unexpected authentication type %d\n", ntohs(type)); return -1; @@ -234,7 +210,7 @@ xauth_attr_reply(iph1, attr, id) break; default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "ignored Xauth attribute %d\n", type); break; } @@ -243,7 +219,7 @@ xauth_attr_reply(iph1, attr, id) alen = ntohs(attr->lorv); if ((*outlet = racoon_realloc(*outlet, alen + 1)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory for Xauth Data\n"); return -1; } 
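Review bot: `if ((*outlet = racoon_realloc(*outlet, alen + 1)) == NULL)` overwrites `*outlet` with the result, so on allocation failure the buffer previously held there is leaked and the pointer in the Xauth state is left NULL. Use a temporary: `void *tmp = racoon_realloc(*outlet, alen + 1); if (tmp == NULL) { plog(ASL_LEVEL_ERR, "Cannot allocate memory for Xauth Data\n"); return -1; } *outlet = tmp;`. `alen` comes straight from the peer's attribute length field; the check that `alen` bytes are actually present in the received payload is not visible in this hunk, so confirm the caller bounds it before the copy that follows.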
@@ -263,44 +239,25 @@ xauth_attr_reply(iph1, attr, id) time_t throttle_delay = 0; #if 0 /* Real debug, don't do that at home */ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Got username \"%s\", password \"%s\"\n", usr, pwd); #endif strlcpy(iph1->mode_cfg->login, usr, sizeof(iph1->mode_cfg->login)); res = -1; if ((port = isakmp_cfg_getport(iph1)) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Port pool depleted\n"); goto skip_auth; } switch (isakmp_cfg_config.authsource) { case ISAKMP_CFG_AUTH_SYSTEM: -#ifdef HAVE_OPENSSL - res = privsep_xauth_login_system(usr, pwd); -#else res = xauth_login_system(usr, pwd); -#endif - break; -#ifdef HAVE_LIBRADIUS - case ISAKMP_CFG_AUTH_RADIUS: - res = xauth_login_radius(iph1, usr, pwd); - break; -#endif -#ifdef HAVE_LIBPAM - case ISAKMP_CFG_AUTH_PAM: - res = privsep_xauth_login_pam(iph1->mode_cfg->port, - iph1->remote, usr, pwd); break; -#endif -#ifdef HAVE_LIBLDAP - case ISAKMP_CFG_AUTH_LDAP: - res = xauth_login_ldap(iph1, usr, pwd); - break; -#endif + default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unexpected authentication source\n"); res = -1; break; @@ -324,7 +281,7 @@ xauth_attr_reply(iph1, attr, id) str = saddrwop2str((struct sockaddr *)iph1->remote); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Throttling in action for %s: delay %lds\n", str, (unsigned long)throttle_delay); res = -1; @@ -337,7 +294,7 @@ skip_auth: struct xauth_reply_arg *xra; if ((xra = racoon_malloc(sizeof(*xra))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "malloc failed, bypass throttling\n"); return xauth_reply(iph1, port, id, res); } 
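Review bot: `res = xauth_login_system(usr, pwd);` is now the only authentication path and it always runs in the daemon process; the removed `#ifdef HAVE_OPENSSL` branch routed the check through `privsep_xauth_login_system`, and privsep.h is no longer included (see the `@@ -74` hunk of this file). If racoon still drops privileges before this point the system password check may now lack the rights it needs, and if it does not, peer-supplied credentials are now handled with the daemon's full privileges; a comment at the call stating which is intended would help the next reader. The `#if 0` block above that formats `"Got username \"%s\", password \"%s\""` should be deleted rather than kept disabled — a cleartext password in a log line should not be one `#if` away from being enabled. The throttling and `skip_auth` logic continues beyond this hunk.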
@@ -365,12 +322,12 @@ xauth_reply_stub(args) void *args; { struct xauth_reply_arg *xra = (struct xauth_reply_arg *)args; - struct ph1handle *iph1; + phase1_handle_t *iph1; - if ((iph1 = getph1byindex(&xra->index)) != NULL) + if ((iph1 = ike_session_getph1byindex(NULL, &xra->index)) != NULL) (void)xauth_reply(iph1, xra->port, xra->id, xra->res); else - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Delayed Xauth reply: phase 1 no longer exists.\n"); racoon_free(xra); @@ -379,7 +336,7 @@ xauth_reply_stub(args) int xauth_reply(iph1, port, id, res) - struct ph1handle *iph1; + phase1_handle_t *iph1; int port; int id; { @@ -387,7 +344,7 @@ xauth_reply(iph1, port, id, res) char *usr = xst->authdata.generic.usr; if (iph1->is_dying) { - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "dropped login for user \"%s\"\n", usr); return -1; } @@ -396,14 +353,14 @@ xauth_reply(iph1, port, id, res) if (port != -1) isakmp_cfg_putport(iph1, port); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "login failed for user \"%s\"\n", usr); xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id); xst->status = XAUTHST_NOTYET; /* Delete Phase 1 SA */ - if (iph1->status == PHASE1ST_ESTABLISHED) + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) isakmp_info_send_d1(iph1); isakmp_ph1expire(iph1); @@ -411,7 +368,7 @@ xauth_reply(iph1, port, id, res) } xst->status = XAUTHST_OK; - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "login succeeded for user \"%s\"\n", usr); xauth_sendstatus(iph1, XAUTH_STATUS_OK, id); @@ -421,7 +378,7 @@ xauth_reply(iph1, port, id, res) void xauth_sendstatus(iph1, status, id) - struct ph1handle *iph1; + phase1_handle_t *iph1; int status; int id; { @@ -434,7 +391,7 @@ xauth_sendstatus(iph1, status, id) + sizeof(*stattr); if ((buffer = vmalloc(tlen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate buffer\n"); return; } 
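Review bot: `xauth_reply` logs the peer-supplied login name unsanitized in `"dropped login for user \"%s\"\n"`, `"login failed for user \"%s\"\n"` and `"login succeeded for user \"%s\"\n"`; `usr` originates from the XAUTH_USER_NAME attribute and may carry control characters or quotes, which lets a remote peer forge or split log lines in ASL. The XAUTH Message logging in this same file already passes attacker data through `binsanitize(...)`, so do the same here, e.g. `binsanitize(usr, strlen(usr))`, assuming `usr` is NUL-terminated (the `alen + 1` realloc in xauth_attr_reply suggests it is). The bodies of xauth_reply_stub and xauth_reply extend beyond these hunks.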
@@ -457,786 +414,6 @@ xauth_sendstatus(iph1, status, id) return; } -#ifdef HAVE_LIBRADIUS -int -xauth_radius_init(void) -{ - /* For first time use, initialize Radius */ - if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) && - (radius_auth_state == NULL)) { - if ((radius_auth_state = rad_auth_open()) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot init libradius\n"); - return -1; - } - - if (rad_config(radius_auth_state, NULL) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot open librarius config file: %s\n", - rad_strerror(radius_auth_state)); - rad_close(radius_auth_state); - radius_auth_state = NULL; - return -1; - } - } - - if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) && - (radius_acct_state == NULL)) { - if ((radius_acct_state = rad_acct_open()) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot init libradius\n"); - return -1; - } - - if (rad_config(radius_acct_state, NULL) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot open librarius config file: %s\n", - rad_strerror(radius_acct_state)); - rad_close(radius_acct_state); - radius_acct_state = NULL; - return -1; - } - } - - return 0; -} - -int -xauth_login_radius(iph1, usr, pwd) - struct ph1handle *iph1; - char *usr; - char *pwd; -{ - int res; - const void *data; - size_t len; - int type; - - if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_create_request failed: %s\n", - rad_strerror(radius_auth_state)); - return -1; - } - - if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_string failed: %s\n", - rad_strerror(radius_auth_state)); - return -1; - } - - if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_string failed: %s\n", - rad_strerror(radius_auth_state)); - return -1; - } - - if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0) - return -1; - - switch (res 
= rad_send_request(radius_auth_state)) { - case RAD_ACCESS_ACCEPT: - while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) { - switch (type) { - case RAD_FRAMED_IP_ADDRESS: - iph1->mode_cfg->addr4 = rad_cvt_addr(data); - iph1->mode_cfg->flags - |= ISAKMP_CFG_ADDR4_EXTERN; - break; - - case RAD_FRAMED_IP_NETMASK: - iph1->mode_cfg->mask4 = rad_cvt_addr(data); - iph1->mode_cfg->flags - |= ISAKMP_CFG_MASK4_EXTERN; - break; - - default: - plog(LLV_INFO, LOCATION, NULL, - "Unexpected attribute: %d\n", type); - break; - } - } - - return 0; - break; - - case RAD_ACCESS_REJECT: - return -1; - break; - - case -1: - plog(LLV_ERROR, LOCATION, NULL, - "rad_send_request failed: %s\n", - rad_strerror(radius_auth_state)); - return -1; - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "rad_send_request returned %d\n", res); - return -1; - break; - } - - return -1; -} -#endif - -#ifdef HAVE_LIBPAM -static int -PAM_conv(msg_count, msg, rsp, dontcare) - int msg_count; - const struct pam_message **msg; - struct pam_response **rsp; - void *dontcare; -{ - int i; - int replies = 0; - struct pam_response *reply = NULL; - - if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL) - return PAM_CONV_ERR; - bzero(reply, sizeof(*reply) * msg_count); - - for (i = 0; i < msg_count; i++) { - switch (msg[i]->msg_style) { - case PAM_PROMPT_ECHO_ON: - /* Send the username, libpam frees resp */ - reply[i].resp_retcode = PAM_SUCCESS; - if ((reply[i].resp = strdup(PAM_usr)) == NULL) { - plog(LLV_ERROR, LOCATION, - NULL, "strdup failed\n"); - exit(1); - } - break; - - case PAM_PROMPT_ECHO_OFF: - /* Send the password, libpam frees resp */ - reply[i].resp_retcode = PAM_SUCCESS; - if ((reply[i].resp = strdup(PAM_pwd)) == NULL) { - plog(LLV_ERROR, LOCATION, - NULL, "strdup failed\n"); - exit(1); - } - break; - - case PAM_TEXT_INFO: - case PAM_ERROR_MSG: - reply[i].resp_retcode = PAM_SUCCESS; - reply[i].resp = NULL; - break; - - default: - if (reply != NULL) - racoon_free(reply); - 
return PAM_CONV_ERR; - break; - } - } - - if (reply != NULL) - *rsp = reply; - - return PAM_SUCCESS; -} - -int -xauth_login_pam(port, raddr, usr, pwd) - int port; - struct sockaddr_storage *raddr; - char *usr; - char *pwd; -{ - int error; - int res; - const void *data; - size_t len; - int type; - char *remote = NULL; - pam_handle_t *pam = NULL; - - if (isakmp_cfg_config.port_pool == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "isakmp_cfg_config.port_pool == NULL\n"); - return -1; - } - - if ((error = pam_start("racoon", usr, - &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) { - if (isakmp_cfg_config.port_pool[port].pam == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n"); - return -1; - } else { - plog(LLV_ERROR, LOCATION, NULL, - "pam_start failed: %s\n", - pam_strerror(isakmp_cfg_config.port_pool[port].pam, - error)); - goto out; - } - } - pam = isakmp_cfg_config.port_pool[port].pam; - - if ((remote = strdup(saddrwop2str(raddr))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory: %s\n", strerror(errno)); - goto out; - } - - if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "pam_set_item failed: %s\n", - pam_strerror(pam, error)); - goto out; - } - - PAM_usr = usr; - PAM_pwd = pwd; - error = pam_authenticate(pam, 0); - PAM_usr = NULL; - PAM_pwd = NULL; - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "pam_authenticate failed: %s\n", - pam_strerror(pam, error)); - goto out; - } - - if ((error = pam_acct_mgmt(pam, 0)) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "pam_acct_mgmt failed: %s\n", - pam_strerror(pam, error)); - goto out; - } - - if ((error = pam_setcred(pam, 0)) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "pam_setcred failed: %s\n", - pam_strerror(pam, error)); - goto out; - } - - if (remote != NULL) - free(remote); - - return 0; - -out: - pam_end(pam, error); - isakmp_cfg_config.port_pool[port].pam = NULL; - if (remote != NULL) - free(remote); - return -1; -} 
-#endif - -#ifdef HAVE_LIBLDAP -int -xauth_ldap_init(void) -{ - int tmplen; - int error = -1; - - xauth_ldap_config.pver = 3; - xauth_ldap_config.host = NULL; - xauth_ldap_config.port = LDAP_PORT; - xauth_ldap_config.base = NULL; - xauth_ldap_config.subtree = 0; - xauth_ldap_config.bind_dn = NULL; - xauth_ldap_config.bind_pw = NULL; - xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE; - xauth_ldap_config.attr_user = NULL; - xauth_ldap_config.attr_addr = NULL; - xauth_ldap_config.attr_mask = NULL; - xauth_ldap_config.attr_group = NULL; - xauth_ldap_config.attr_member = NULL; - - /* set default host */ - tmplen = strlen(LDAP_DFLT_HOST); - xauth_ldap_config.host = vmalloc(tmplen); - if (xauth_ldap_config.host == NULL) - goto out; - memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen); - - /* set default user naming attribute */ - tmplen = strlen(LDAP_DFLT_USER); - xauth_ldap_config.attr_user = vmalloc(tmplen); - if (xauth_ldap_config.attr_user == NULL) - goto out; - memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen); - - /* set default address attribute */ - tmplen = strlen(LDAP_DFLT_ADDR); - xauth_ldap_config.attr_addr = vmalloc(tmplen); - if (xauth_ldap_config.attr_addr == NULL) - goto out; - memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen); - - /* set default netmask attribute */ - tmplen = strlen(LDAP_DFLT_MASK); - xauth_ldap_config.attr_mask = vmalloc(tmplen); - if (xauth_ldap_config.attr_mask == NULL) - goto out; - memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen); - - /* set default group naming attribute */ - tmplen = strlen(LDAP_DFLT_GROUP); - xauth_ldap_config.attr_group = vmalloc(tmplen); - if (xauth_ldap_config.attr_group == NULL) - goto out; - memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen); - - /* set default member attribute */ - tmplen = strlen(LDAP_DFLT_MEMBER); - xauth_ldap_config.attr_member = vmalloc(tmplen); - if (xauth_ldap_config.attr_member == NULL) - goto out; - 
memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen); - - error = 0; -out: - if (error != 0) - plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n"); - - return error; -} - -void -xauth_ldap_flush(void) -{ - if (xauth_ldap_config.host) { - vfree(xauth_ldap_config.host); - xauth_ldap_config.host = NULL; - } - if (xauth_ldap_config.base) { - vfree(xauth_ldap_config.base); - xauth_ldap_config.base = NULL; - } - if (xauth_ldap_config.bind_dn) { - vfree(xauth_ldap_config.bind_dn); - xauth_ldap_config.bind_dn = NULL; - } - if (xauth_ldap_config.bind_pw) { - vfree(xauth_ldap_config.bind_pw); - xauth_ldap_config.bind_pw = NULL; - } - if (xauth_ldap_config.attr_user) { - vfree(xauth_ldap_config.attr_user); - xauth_ldap_config.attr_user = NULL; - } - if (xauth_ldap_config.attr_addr) { - vfree(xauth_ldap_config.attr_addr); - xauth_ldap_config.attr_addr = NULL; - } - if (xauth_ldap_config.attr_mask) { - vfree(xauth_ldap_config.attr_mask); - xauth_ldap_config.attr_mask = NULL; - } - if (xauth_ldap_config.attr_group) { - vfree(xauth_ldap_config.attr_group); - xauth_ldap_config.attr_group = NULL; - } - if (xauth_ldap_config.attr_member) { - vfree(xauth_ldap_config.attr_member); - xauth_ldap_config.attr_member = NULL; - } -} - -int -xauth_login_ldap(iph1, usr, pwd) - struct ph1handle *iph1; - char *usr; - char *pwd; -{ - int rtn = -1; - int res = -1; - LDAP *ld = NULL; - LDAPMessage *lr = NULL; - LDAPMessage *le = NULL; - struct berval cred; - struct berval **bv = NULL; - struct timeval timeout; - char *init = NULL; - char *filter = NULL; - char *atlist[3]; - int atlist_len[sizeof(atlist)/sizeof(__typeof__(*atlist))]; - char *basedn = NULL; - char *userdn = NULL; - int udn_len = 0; - int tmplen = 0; - int ecount = 0; - int scope = LDAP_SCOPE_ONE; - - atlist[0] = NULL; - atlist_len[0] = 0; - atlist[1] = NULL; - atlist_len[1] = 0; - atlist[2] = NULL; - atlist_len[2] = 0; - - /* build our initialization url */ - tmplen = strlen("ldap://:") + 17; - tmplen += 
strlen(xauth_ldap_config.host->v); - init = racoon_malloc(tmplen); - if (init == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to alloc ldap init url\n"); - goto ldap_end; - } - snprintf(init, tmplen, "ldap://%s:%d", - xauth_ldap_config.host->v, - xauth_ldap_config.port ); - - /* initialize the ldap handle */ - res = ldap_initialize(&ld, init); - if (res != LDAP_SUCCESS) { - plog(LLV_ERROR, LOCATION, NULL, - "ldap_initialize failed: %s\n", - ldap_err2string(res)); - goto ldap_end; - } - - /* initialize the protocol version */ - ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, - &xauth_ldap_config.pver); - - /* - * attempt to bind to the ldap server. - * default to anonymous bind unless a - * user dn and password has been - * specified in our configuration - */ - if ((xauth_ldap_config.bind_dn != NULL)&& - (xauth_ldap_config.bind_pw != NULL)) - { - cred.bv_val = xauth_ldap_config.bind_pw->v; - cred.bv_len = strlen( cred.bv_val ); - res = ldap_sasl_bind_s(ld, - xauth_ldap_config.bind_dn->v, NULL, &cred, - NULL, NULL, NULL); - } - else - { - res = ldap_sasl_bind_s(ld, - NULL, NULL, NULL, - NULL, NULL, NULL); - } - - if (res!=LDAP_SUCCESS) { - plog(LLV_ERROR, LOCATION, NULL, - "ldap_sasl_bind_s (search) failed: %s\n", - ldap_err2string(res)); - goto ldap_end; - } - - /* build an ldap user search filter */ - tmplen = strlen(xauth_ldap_config.attr_user->v); - tmplen += 1; - tmplen += strlen(usr); - tmplen += 1; - filter = racoon_malloc(tmplen); - if (filter == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to alloc ldap search filter buffer\n"); - goto ldap_end; - } - snprintf(filter, tmplen, "%s=%s", - xauth_ldap_config.attr_user->v, usr); - - /* build our return attribute list */ - atlist_len[0] = strlen(xauth_ldap_config.attr_addr->v) + 1; - atlist[0] = racoon_malloc(atlist_len[0]); - atlist_len[1] = strlen(xauth_ldap_config.attr_mask->v) + 1; - atlist[1] = racoon_malloc(atlist_len[1]); - if ((atlist[0] == NULL)||(atlist[1] == NULL)) { - plog(LLV_ERROR, 
LOCATION, NULL, - "unable to alloc ldap attrib list buffer\n"); - goto ldap_end; - } - strlcpy(atlist[0],xauth_ldap_config.attr_addr->v,atlist_len[0]); - strlcpy(atlist[1],xauth_ldap_config.attr_mask->v,atlist_len[1]); - - /* attempt to locate the user dn */ - if (xauth_ldap_config.base != NULL) - basedn = xauth_ldap_config.base->v; - if (xauth_ldap_config.subtree) - scope = LDAP_SCOPE_SUBTREE; - timeout.tv_sec = 15; - timeout.tv_usec = 0; - res = ldap_search_ext_s(ld, basedn, scope, - filter, atlist, 0, NULL, NULL, - &timeout, 2, &lr); - if (res != LDAP_SUCCESS) { - plog(LLV_ERROR, LOCATION, NULL, - "ldap_search_ext_s failed: %s\n", - ldap_err2string(res)); - goto ldap_end; - } - - /* check the number of ldap entries returned */ - ecount = ldap_count_entries(ld, lr); - if (ecount < 1) { - plog(LLV_WARNING, LOCATION, NULL, - "no ldap results for filter \'%s\'\n", - filter); - goto ldap_end; - } - if (ecount > 1) { - plog(LLV_WARNING, LOCATION, NULL, - "multiple (%i) ldap results for filter \'%s\'\n", - ecount, filter); - } - - /* obtain the dn from the first result */ - le = ldap_first_entry(ld, lr); - if (le == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "ldap_first_entry failed: invalid entry returned\n"); - goto ldap_end; - } - userdn = ldap_get_dn(ld, le); - if (userdn == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "ldap_get_dn failed: invalid string returned\n"); - goto ldap_end; - } - - /* cache the user dn in the xauth state */ - udn_len = strlen(userdn)+1; - iph1->mode_cfg->xauth.udn = racoon_malloc(udn_len); - strlcpy(iph1->mode_cfg->xauth.udn,userdn,udn_len); - - /* retrieve modecfg address */ - bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v); - if (bv != NULL) { - char tmpaddr[16]; - /* sanity check for address value */ - if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { - plog(LLV_DEBUG, LOCATION, NULL, - "ldap returned invalid modecfg address\n"); - ldap_value_free_len(bv); - goto ldap_end; - } - 
memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len); - tmpaddr[bv[0]->bv_len]=0; - iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr); - iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN; - plog(LLV_INFO, LOCATION, NULL, - "ldap returned modecfg address %s\n", tmpaddr); - ldap_value_free_len(bv); - } - - /* retrieve modecfg netmask */ - bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v); - if (bv != NULL) { - char tmpmask[16]; - /* sanity check for netmask value */ - if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { - plog(LLV_DEBUG, LOCATION, NULL, - "ldap returned invalid modecfg netmask\n"); - ldap_value_free_len(bv); - goto ldap_end; - } - memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len); - tmpmask[bv[0]->bv_len]=0; - iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask); - iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN; - plog(LLV_INFO, LOCATION, NULL, - "ldap returned modecfg netmask %s\n", tmpmask); - ldap_value_free_len(bv); - } - - /* - * finally, use the dn and the xauth - * password to check the users given - * credentials by attempting to bind - * to the ldap server - */ - plog(LLV_INFO, LOCATION, NULL, - "attempting ldap bind for dn \'%s\'\n", userdn); - cred.bv_val = pwd; - cred.bv_len = strlen( cred.bv_val ); - res = ldap_sasl_bind_s(ld, - userdn, NULL, &cred, - NULL, NULL, NULL); - if(res==LDAP_SUCCESS) - rtn = 0; - -ldap_end: - - /* free ldap resources */ - if (userdn != NULL) - ldap_memfree(userdn); - if (atlist[0] != NULL) - racoon_free(atlist[0]); - if (atlist[1] != NULL) - racoon_free(atlist[1]); - if (filter != NULL) - racoon_free(filter); - if (lr != NULL) - ldap_msgfree(lr); - if (init != NULL) - racoon_free(init); - - ldap_unbind_ext_s(ld, NULL, NULL); - - return rtn; -} - -int -xauth_group_ldap(udn, grp) - char * udn; - char * grp; -{ - int rtn = -1; - int res = -1; - LDAP *ld = NULL; - LDAPMessage *lr = NULL; - LDAPMessage *le = NULL; - struct berval cred; - struct timeval timeout; - char *init = NULL; - char *filter = NULL; - char *basedn = 
NULL; - char *groupdn = NULL; - int tmplen = 0; - int ecount = 0; - int scope = LDAP_SCOPE_ONE; - - /* build our initialization url */ - tmplen = strlen("ldap://:") + 17; - tmplen += strlen(xauth_ldap_config.host->v); - init = racoon_malloc(tmplen); - if (init == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to alloc ldap init url\n"); - goto ldap_group_end; - } - snprintf(init, tmplen, "ldap://%s:%d", - xauth_ldap_config.host->v, - xauth_ldap_config.port ); - - /* initialize the ldap handle */ - res = ldap_initialize(&ld, init); - if (res != LDAP_SUCCESS) { - plog(LLV_ERROR, LOCATION, NULL, - "ldap_initialize failed: %s\n", - ldap_err2string(res)); - goto ldap_group_end; - } - - /* initialize the protocol version */ - ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, - &xauth_ldap_config.pver); - - /* - * attempt to bind to the ldap server. - * default to anonymous bind unless a - * user dn and password has been - * specified in our configuration - */ - if ((xauth_ldap_config.bind_dn != NULL)&& - (xauth_ldap_config.bind_pw != NULL)) - { - cred.bv_val = xauth_ldap_config.bind_pw->v; - cred.bv_len = strlen( cred.bv_val ); - res = ldap_sasl_bind_s(ld, - xauth_ldap_config.bind_dn->v, NULL, &cred, - NULL, NULL, NULL); - } - else - { - res = ldap_sasl_bind_s(ld, - NULL, NULL, NULL, - NULL, NULL, NULL); - } - - if (res!=LDAP_SUCCESS) { - plog(LLV_ERROR, LOCATION, NULL, - "ldap_sasl_bind_s (search) failed: %s\n", - ldap_err2string(res)); - goto ldap_group_end; - } - - /* build an ldap group search filter */ - tmplen = strlen("(&(=)(=))") + 1; - tmplen += strlen(xauth_ldap_config.attr_group->v); - tmplen += strlen(grp); - tmplen += strlen(xauth_ldap_config.attr_member->v); - tmplen += strlen(udn); - filter = racoon_malloc(tmplen); - if (filter == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to alloc ldap search filter buffer\n"); - goto ldap_group_end; - } - snprintf(filter, tmplen, "(&(%s=%s)(%s=%s))", - xauth_ldap_config.attr_group->v, grp, - 
xauth_ldap_config.attr_member->v, udn); - - /* attempt to locate the group dn */ - if (xauth_ldap_config.base != NULL) - basedn = xauth_ldap_config.base->v; - if (xauth_ldap_config.subtree) - scope = LDAP_SCOPE_SUBTREE; - timeout.tv_sec = 15; - timeout.tv_usec = 0; - res = ldap_search_ext_s(ld, basedn, scope, - filter, NULL, 0, NULL, NULL, - &timeout, 2, &lr); - if (res != LDAP_SUCCESS) { - plog(LLV_ERROR, LOCATION, NULL, - "ldap_search_ext_s failed: %s\n", - ldap_err2string(res)); - goto ldap_group_end; - } - - /* check the number of ldap entries returned */ - ecount = ldap_count_entries(ld, lr); - if (ecount < 1) { - plog(LLV_WARNING, LOCATION, NULL, - "no ldap results for filter \'%s\'\n", - filter); - goto ldap_group_end; - } - - /* success */ - rtn = 0; - - /* obtain the dn from the first result */ - le = ldap_first_entry(ld, lr); - if (le == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "ldap_first_entry failed: invalid entry returned\n"); - goto ldap_group_end; - } - groupdn = ldap_get_dn(ld, le); - if (groupdn == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "ldap_get_dn failed: invalid string returned\n"); - goto ldap_group_end; - } - - plog(LLV_INFO, LOCATION, NULL, - "ldap membership group returned \'%s\'\n", groupdn); -ldap_group_end: - - /* free ldap resources */ - if (groupdn != NULL) - ldap_memfree(groupdn); - if (filter != NULL) - racoon_free(filter); - if (lr != NULL) - ldap_msgfree(lr); - if (init != NULL) - racoon_free(init); - - ldap_unbind_ext_s(ld, NULL, NULL); - - return rtn; -} - -#endif int xauth_login_system(usr, pwd) @@ -1286,7 +463,7 @@ xauth_group_system(usr, grp) gr = getgrnam(grp); if (gr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "the system group name \'%s\' is unknown\n", grp); return -1; @@ -1294,7 +471,7 @@ xauth_group_system(usr, grp) while ((member = gr->gr_mem[index++])!=NULL) { if (!strcmp(member,usr)) { - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "membership validated\n"); return 0; } 
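Review bot: `xauth_group_system` only walks `gr->gr_mem`, the supplementary member list returned by `getgrnam`, so a user whose primary group (the gid recorded in passwd) is `grp` is reported as not a member; if primary-group membership is meant to satisfy an `xauth group` requirement, test it before the loop with `struct passwd *pw = getpwnam(usr); if (pw != NULL && pw->pw_gid == gr->gr_gid) return 0;`. If the supplementary-only semantics are intentional, a one-line comment saying so would stop the next reader from "fixing" it. The start of xauth_group_system, including the initialization of `index`, lies before this hunk.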
@@ -1305,7 +482,7 @@ xauth_group_system(usr, grp) int xauth_check(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { struct xauth_state *xst = &iph1->mode_cfg->xauth; @@ -1319,19 +496,17 @@ xauth_check(iph1) case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: /* The following are not yet implemented */ - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Hybrid auth negotiated but peer did not " "announced as Xauth capable\n"); return -1; } if (xst->status != XAUTHST_OK) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Hybrid auth negotiated but peer did not " "succeed Xauth exchange\n"); return -1; @@ -1349,7 +524,7 @@ xauth_check(iph1) int group_check(iph1, grp_list, grp_count) - struct ph1handle *iph1; + phase1_handle_t *iph1; char **grp_list; int grp_count; { @@ -1360,7 +535,7 @@ group_check(iph1, grp_list, grp_count) /* check for presence of modecfg data */ if(iph1->mode_cfg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "xauth group specified but modecfg not found\n"); return res; } @@ -1374,7 +549,7 @@ group_check(iph1, grp_list, grp_count) usr = iph1->mode_cfg->xauth.authdata.generic.usr; if(usr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "xauth group specified but xauth not found\n"); return res; } 
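Review bot: In `xauth_check` the comment `/* The following are not yet implemented */` now sits directly above `XAUTH_RSAENC_R` and `XAUTH_RSAREV_R`, yet those labels fall into the same body as the implemented hybrid methods and are accepted as long as the peer announced the Xauth vendor ID and reached XAUTHST_OK; if these methods are already rejected at proposal matching that is harmless, but the comment should say so, e.g. `/* not implemented; never negotiated, listed so the switch is exhaustive */`, otherwise the labels should `return -1`. The error string in that body concatenates to "peer did not announced as Xauth capable"; `"announce itself as Xauth capable\n"` reads correctly. The switch in xauth_check opens before this hunk.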
@@ -1389,29 +564,21 @@ group_check(iph1, grp_list, grp_count) grp_list[grp_index]); break; -#ifdef HAVE_LIBLDAP - case ISAKMP_CFG_GROUP_LDAP: - res = xauth_group_ldap( - iph1->mode_cfg->xauth.udn, - grp_list[grp_index]); - break; -#endif - default: /* we should never get here */ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unknown group auth source\n"); break; } if( !res ) { - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "user \"%s\" is a member of group \"%s\"\n", usr, grp_list[grp_index]); break; } else { - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "user \"%s\" is not a member of group \"%s\"\n", usr, grp_list[grp_index]); @@ -1423,7 +590,7 @@ group_check(iph1, grp_list, grp_count) vchar_t * isakmp_xauth_req(iph1, attr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; { int type; @@ -1440,7 +607,7 @@ isakmp_xauth_req(iph1, attr) int freepwd = 0; if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Xauth mode config request but peer " "did not declare itself as Xauth capable\n"); return NULL; @@ -1452,12 +619,12 @@ isakmp_xauth_req(iph1, attr) switch(type) { case XAUTH_TYPE: if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unexpected long XAUTH_TYPE attribute\n"); return NULL; } if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unsupported Xauth authentication %d\n", ntohs(attr->lorv)); return NULL; @@ -1469,7 +636,7 @@ isakmp_xauth_req(iph1, attr) case XAUTH_USER_NAME: if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) { - plog(LLV_ERROR, LOCATION, NULL, "Xauth performed " + plog(ASL_LEVEL_ERR, "Xauth performed " "with no login supplied\n"); return NULL; } 
@@ -1486,7 +653,7 @@ isakmp_xauth_req(iph1, attr) skip = sizeof(struct ipsecdoi_id_b); usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip); if (usr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -1500,7 +667,7 @@ isakmp_xauth_req(iph1, attr) pwd = iph1->rmconf->xauth->pass; } else { if ((pwd = getpskbyname(usr)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "No password was found for login %s\n", iph1->rmconf->xauth->login->v); vfree(usr); @@ -1522,27 +689,26 @@ isakmp_xauth_req(iph1, attr) if (dlen > 0) { mraw = (char*)(attr + 1); if ((mdata = vmalloc(dlen)) == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } memcpy(mdata->v, mraw, mdata->l); - plog(LLV_NOTIFY,LOCATION, iph1->remote, - "XAUTH Message: '%s'.\n", + plog(ASL_LEVEL_NOTICE, "XAUTH Message: '%s'.\n", binsanitize(mdata->v, mdata->l)); vfree(mdata); } } return NULL; default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Ignored attribute %s\n", s_isakmp_cfg_type(type)); return NULL; break; } if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); goto out; } @@ -1583,7 +749,7 @@ out: vchar_t * isakmp_xauth_set(iph1, attr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; { int type; @@ -1598,7 +764,7 @@ isakmp_xauth_set(iph1, attr) IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP, CONSTSTR("XAUTH is not supported by peer"), CONSTSTR("XAUTH dropped (not supported by peer)")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Xauth mode config set but peer " "did not declare itself as Xauth capable\n"); return NULL; 
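Review bot: In the XAUTH_USER_NAME branch, `usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip)` is guarded only against a NULL `login`, not an empty one; if `login->l` can be 0 for an empty `xauth_login` in the configuration, `l - 1` wraps for an unsigned length and the allocation size is meaningless, so extend the preceding check with `|| iph1->rmconf->xauth->login->l == 0`. In the XAUTH_MESSAGE branch the `dlen`-byte `memcpy` from `attr + 1` relies on the caller having bounded `dlen` against the remaining payload; a one-line comment at the copy stating that would save the next reader a trip. The `switch` containing both branches opens before this hunk.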
@@ -1619,17 +785,15 @@ isakmp_xauth_set(iph1, attr) IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP, CONSTSTR("Unexpected XAUTH Status"), - CONSTSTR("Xauth dropped (unexpected Xauth status)... not a phase1 rekey")); - plog(LLV_ERROR, LOCATION, NULL, - "Unexpected XAUTH_STATUS_OK... not a phase1 rekey\n"); + CONSTSTR("Xauth dropped (unexpected Xauth status)... not a Phase 1 rekey")); + plog(ASL_LEVEL_ERR, + "Unexpected XAUTH_STATUS_OK... not a Phase 1 rekey\n"); return NULL; } case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: /* Not implemented ... */ - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: break; @@ -1638,7 +802,7 @@ isakmp_xauth_set(iph1, attr) IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP, CONSTSTR("Unexpected XAUTH Status"), CONSTSTR("Xauth dropped (unexpected Xauth status)")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unexpected XAUTH_STATUS_OK\n"); return NULL; break; @@ -1650,11 +814,8 @@ isakmp_xauth_set(iph1, attr) IPSECSESSIONEVENTCODE_IKEV1_XAUTH_FAIL, CONSTSTR("XAUTH Status is not OK"), CONSTSTR("Xauth Failed (status not ok)")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Xauth authentication failed\n"); - - EVT_PUSH(iph1->local, iph1->remote, - EVTT_XAUTH_FAILED, NULL); vpncontrol_notify_ike_failed(VPNCTL_NTYPE_AUTHENTICATION_FAILED, FROM_LOCAL, ((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr, 0, NULL); @@ -1667,8 +828,6 @@ isakmp_xauth_set(iph1, attr) IPSECSESSIONEVENTCODE_IKEV1_XAUTH_SUCC, CONSTSTR("XAUTH Status is OK"), CONSTSTR(NULL)); - EVT_PUSH(iph1->local, iph1->remote, - EVTT_XAUTH_SUCCESS, NULL); if (iph1->is_rekey) { xst->status = XAUTHST_OK; } 
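Review bot: On the XAUTH_STATUS_FAIL path, `vpncontrol_notify_ike_failed(VPNCTL_NTYPE_AUTHENTICATION_FAILED, FROM_LOCAL, ((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr, 0, NULL)` casts the peer address to `struct sockaddr_in` unconditionally; elsewhere in this file `iph1->remote` is cast to `struct sockaddr *` for `saddrwop2str`, so it is not an IPv4-only type, and for an IPv6 peer the notified address would be garbage. Guard the call with `if (((struct sockaddr *)iph1->remote)->sa_family == AF_INET)` or pass the full sockaddr and let the callee decode it. isakmp_xauth_set begins before and ends after this hunk.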
@@ -1685,13 +844,12 @@ isakmp_xauth_set(iph1, attr) if (dlen > 0) { mraw = (char*)(attr + 1); if ((mdata = vmalloc(dlen)) == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } memcpy(mdata->v, mraw, mdata->l); - plog(LLV_NOTIFY,LOCATION, iph1->remote, - "XAUTH Message: '%s'.\n", + plog(ASL_LEVEL_NOTICE, "XAUTH Message: '%s'.\n", binsanitize(mdata->v, mdata->l)); vfree(mdata); } @@ -1702,7 +860,7 @@ isakmp_xauth_set(iph1, attr) IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP, CONSTSTR("ignored attribute"), CONSTSTR("Xauth dropped (ignored attribute)")); - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Ignored attribute %s\n", s_isakmp_cfg_type(type)); return NULL; break; @@ -1713,7 +871,7 @@ isakmp_xauth_set(iph1, attr) IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP, CONSTSTR("Failed to allocate attribute"), CONSTSTR("Xauth dropped (failed to allocate attribute)")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -1743,20 +901,16 @@ xauth_rmstate(xst) case XAUTH_TYPE_CHAP: case XAUTH_TYPE_OTP: case XAUTH_TYPE_SKEY: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Unsupported authtype %d\n", xst->authtype); break; default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Unexpected authtype %d\n", xst->authtype); break; } -#ifdef HAVE_LIBLDAP - if (xst->udn != NULL) - racoon_free(xst->udn); -#endif return; } @@ -1767,7 +921,7 @@ xauth_rmconf_used(xauth_rmconf) if (*xauth_rmconf == NULL) { *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf)); if (*xauth_rmconf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "xauth_rmconf_used: malloc failed\n"); return -1; } diff --git a/ipsec-tools/racoon/isakmp_xauth.h b/ipsec-tools/racoon/isakmp_xauth.h index f12dbb7..1ea8ed5 100644 --- a/ipsec-tools/racoon/isakmp_xauth.h +++ b/ipsec-tools/racoon/isakmp_xauth.h 
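Review bot: `xauth_rmstate` drops the LDAP `udn` free here, but the case that disposes of `authdata.generic.usr` and `pwd` for XAUTH_TYPE_GENERIC lies above the hunk, so I cannot see whether the cleartext password is zeroized before release; whatever frees `pwd` should wipe it first, e.g. `bzero(xst->authdata.generic.pwd, strlen(xst->authdata.generic.pwd));` (or a non-optimizable equivalent) ahead of `racoon_free`, since otherwise the credential sits in freed heap until reused. The XAUTH Message log in the isakmp_xauth_set hunk correctly routes peer data through `binsanitize`, which is the pattern the user-name logs elsewhere in the file should follow too. xauth_rmstate starts before this hunk.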
@@ -34,6 +34,8 @@ #ifndef _ISAKMP_XAUTH_H #define _ISAKMP_XAUTH_H +#include "racoon_types.h" + /* ISAKMP mode config attribute types specific to the Xauth vendor ID */ #define XAUTH_TYPE 16520 #define XAUTH_USER_NAME 16521 @@ -67,9 +69,6 @@ struct xauth_state { char *pwd; } generic; } authdata; -#ifdef HAVE_LIBLDAP - char *udn; /* ldap user dn */ -#endif }; /* What's been sent */ 
@@ -96,61 +95,20 @@ struct xauth_reply_arg { int res; }; -struct ph1handle; struct isakmp_data; -void xauth_sendreq(struct ph1handle *); -int xauth_attr_reply(struct ph1handle *, struct isakmp_data *, int); -int xauth_login_system(char *, char *); -void xauth_sendstatus(struct ph1handle *, int, int); -int xauth_check(struct ph1handle *); -int group_check(struct ph1handle *, char **, int); -vchar_t *isakmp_xauth_req(struct ph1handle *, struct isakmp_data *); -vchar_t *isakmp_xauth_set(struct ph1handle *, struct isakmp_data *); -void xauth_rmstate(struct xauth_state *); -void xauth_reply_stub(void *); -int xauth_reply(struct ph1handle *, int, int, int); -int xauth_rmconf_used(struct xauth_rmconf **); -void xauth_rmconf_delete(struct xauth_rmconf **); - -#ifdef HAVE_LIBRADIUS -int xauth_login_radius(struct ph1handle *, char *, char *); -int xauth_radius_init(void); -#endif - -#ifdef HAVE_LIBPAM -int xauth_login_pam(int, struct sockaddr_storage *, char *, char *); -#endif - -#ifdef HAVE_LIBLDAP - -#define LDAP_DFLT_HOST "localhost" -#define LDAP_DFLT_USER "cn" -#define LDAP_DFLT_ADDR "racoon-address" -#define LDAP_DFLT_MASK "racoon-netmask" -#define LDAP_DFLT_GROUP "cn" -#define LDAP_DFLT_MEMBER "member" - -struct xauth_ldap_config { - int pver; - vchar_t *host; - int port; - vchar_t *base; - int subtree; - vchar_t *bind_dn; - vchar_t *bind_pw; - int auth_type; - vchar_t *attr_user; - vchar_t *attr_addr; - vchar_t *attr_mask; - vchar_t *attr_group; - vchar_t *attr_member; -}; - -extern struct xauth_ldap_config xauth_ldap_config; +void xauth_sendreq (phase1_handle_t *); +int xauth_attr_reply (phase1_handle_t *, struct isakmp_data *, int); +int xauth_login_system (char *, char *); +void xauth_sendstatus (phase1_handle_t *, int, int); +int xauth_check (phase1_handle_t *); +int group_check (phase1_handle_t *, char **, int); +vchar_t *isakmp_xauth_req (phase1_handle_t *, struct isakmp_data *); +vchar_t *isakmp_xauth_set (phase1_handle_t *, struct isakmp_data *); +void 
xauth_rmstate (struct xauth_state *); +void xauth_reply_stub (void *); +int xauth_reply (phase1_handle_t *, int, int, int); +int xauth_rmconf_used (struct xauth_rmconf **); +void xauth_rmconf_delete (struct xauth_rmconf **); -int xauth_ldap_init(void); -void xauth_ldap_flush(void); -int xauth_login_ldap(struct ph1handle *, char *, char *); -#endif #endif /* _ISAKMP_XAUTH_H */ diff --git a/ipsec-tools/racoon/kmpstat.c b/ipsec-tools/racoon/kmpstat.c index 65ca9e3..591b3a9 100644 --- a/ipsec-tools/racoon/kmpstat.c +++ b/ipsec-tools/racoon/kmpstat.c @@ -39,7 +39,7 @@ #include #include -#include +#include #include #include @@ -73,7 +73,6 @@ #include "sockmisc.h" #include "racoonctl.h" -#include "admin.h" #include "schedule.h" #include "isakmp_var.h" #include "isakmp.h" @@ -84,9 +83,6 @@ #include "oakley.h" #include "handler.h" #include "pfkey.h" -#include "admin.h" -#include "evt.h" -#include "admin_var.h" #include "ipsec_doi.h" u_int32_t racoonctl_interface = RACOONCTL_INTERFACE; @@ -187,21 +183,9 @@ bad1: /* * Dumb plog functions (used by sockmisc.c) */ -void -plog_func(int pri, const char *func, struct sockaddr_storage *sa, const char *fmt, ...) -{ - va_list ap; - - va_start(ap, fmt); - vprintf(fmt, ap); - va_end(ap); -} void -plogdump(pri, data, len) - int pri; - void *data; - size_t len; +plogdump_func(int pri, void *data, size_t len, const char *fmt, ...) { return; } diff --git a/ipsec-tools/racoon/localconf.c b/ipsec-tools/racoon/localconf.c index 8552ffd..9c855c2 100644 --- a/ipsec-tools/racoon/localconf.c +++ b/ipsec-tools/racoon/localconf.c @@ -49,8 +49,6 @@ #include "localconf.h" #include "algorithm.h" -#include "admin.h" -#include "privsep.h" #include "isakmp_var.h" #include "isakmp.h" #include "ipsec_doi.h" @@ -58,7 +56,6 @@ #include "vendorid.h" #include "str2val.h" #include "safefile.h" -#include "admin.h" #include "gcmalloc.h" #include "session.h" 
@@ -70,8 +67,9 @@ typedef void * SecKeychainRef; #endif struct localconf *lcconf; +struct localconf *saved_lcconf; -static void setdefault __P((void)); +static void setdefault (void); void initlcconf() @@ -99,7 +97,7 @@ flushlcconf() lcconf->pathinfo[i] = NULL; } } - for (i = 0; i < LC_IDENTTYPE_MAX; i++) { + for (i = 0; i < IDTYPE_MAX; i++) { if (lcconf->ident[i]) vfree(lcconf->ident[i]); lcconf->ident[i] = NULL; @@ -115,7 +113,6 @@ setdefault() { lcconf->uid = 0; lcconf->gid = 0; - lcconf->chroot = NULL; lcconf->autograbaddr = 1; lcconf->port_isakmp = PORT_ISAKMP; lcconf->port_isakmp_natt = PORT_ISAKMP_NATT; @@ -133,13 +130,31 @@ setdefault() lcconf->wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE; lcconf->strict_address = FALSE; lcconf->complex_bundle = TRUE; /*XXX FALSE;*/ - lcconf->gss_id_enc = LC_GSSENC_UTF16LE; /* Windows compatibility */ lcconf->natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL; lcconf->auto_exit_delay = 0; lcconf->auto_exit_state &= ~LC_AUTOEXITSTATE_SET; lcconf->auto_exit_state |= LC_AUTOEXITSTATE_CLIENT; /* always auto exit as default */ } + +void +savelcconf(void) +{ + saved_lcconf = lcconf; + lcconf = NULL; + initlcconf(); +} + +void +restorelcconf(void) +{ + flushlcconf(); + racoon_free(lcconf); + lcconf = saved_lcconf; + saved_lcconf = NULL; +} + + /* * get PSK by string. */ @@ -150,11 +165,11 @@ getpskbyname(id0) char *id; vchar_t *key = NULL; - plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key by name.\n"); + plog(ASL_LEVEL_DEBUG, "Getting pre-shared key by name.\n"); id = racoon_calloc(1, 1 + id0->l - sizeof(struct ipsecdoi_id_b)); if (id == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get psk buffer.\n"); goto end; } 
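Review bot: `savelcconf` and `restorelcconf` have no pairing guard: a second `savelcconf()` overwrites `saved_lcconf` and leaks the first saved configuration, and a `restorelcconf()` with nothing saved frees the live `lcconf` and leaves it NULL for every later caller. Adding `if (saved_lcconf != NULL) return;` at the top of savelcconf and `if (saved_lcconf == NULL) return;` at the top of restorelcconf makes either misuse harmless. `initlcconf()` is called without checking for failure; its body is outside this hunk, so confirm it aborts on allocation failure or that lcconf is checked afterwards. Each function also deserves a one-line header, e.g. `/* Park the current lcconf so a fresh one can be parsed; undo with restorelcconf(). */`.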
@@ -162,11 +177,7 @@ getpskbyname(id0) id0->l - sizeof(struct ipsecdoi_id_b)); id[id0->l - sizeof(struct ipsecdoi_id_b)] = '\0'; -#ifdef HAVE_OPENSSL - key = privsep_getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b)); -#else key = getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b)); -#endif end: if (id) @@ -188,11 +199,11 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id OSStatus status; char serviceName[] = "com.apple.net.racoon"; - plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key from keychain.\n"); + plog(ASL_LEVEL_DEBUG, "Getting pre-shared key from keychain.\n"); status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem); if (status != noErr) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set system keychain domain.\n"); goto end; } @@ -200,7 +211,7 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, &keychain); if (status != noErr) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get system keychain domain.\n"); goto end; } @@ -210,7 +221,7 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id char* peer_id = NULL; int idlen = id_p->l - sizeof(struct ipsecdoi_id_b); - u_int8_t id_type = ((struct ipsecdoi_id_b *)(id_p->v))->type; + u_int8_t id_type = (ALIGNED_CAST(struct ipsecdoi_id_b *)(id_p->v))->type; switch (id_type) { case IPSECDOI_ID_IPV4_ADDR: @@ -232,7 +243,7 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id goto end; memcpy(peer_id, id_p->v + sizeof(struct ipsecdoi_id_b), idlen); *(peer_id + idlen) = '\0'; - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getting shared secret from keychain using %s.\n", peer_id); break; 
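Review bot: `plog(ASL_LEVEL_ERR, "getting shared secret from keychain using %s.\n", peer_id);` in the `@@ -232,7 +243,7 @@` hunk logs the normal lookup path at error severity, so every keychain PSK lookup will surface as a spurious error in the log. The sibling message `"Getting pre-shared key from keychain.\n"` earlier in this function uses `ASL_LEVEL_DEBUG`, and this one should match: `plog(ASL_LEVEL_DEBUG,`. getpskfromkeychain continues outside this hunk.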
@@ -302,8 +313,8 @@ no_id: break; default : - plog(LLV_ERROR, LOCATION, NULL, - "failed to get preshared key from system keychain (error %d).\n", status); + plog(ASL_LEVEL_ERR, + "failed to get preshared key from system keychain (error %ld).\n", (long)status); } end: @@ -311,7 +322,7 @@ end: if (cur_password) { key = vmalloc(cur_password_len); if (key == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate key buffer.\n"); } else memcpy(key->v, cur_password, cur_password_len); @@ -335,15 +346,11 @@ getpskbyaddr(remote) vchar_t *key = NULL; char addr[NI_MAXHOST], port[NI_MAXSERV]; - plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key by addr.\n"); + plog(ASL_LEVEL_DEBUG, "Getting pre-shared key by addr.\n"); GETNAMEINFO((struct sockaddr *)remote, addr, port); -#ifdef HAVE_OPENSSL - key = privsep_getpsk(addr, strlen(addr)); -#else key = getpsk(addr, strlen(addr)); -#endif return key; } @@ -360,14 +367,14 @@ getpsk(str, len) size_t keylen; char *k = NULL; - plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key from file.\n"); + plog(ASL_LEVEL_DEBUG, "Getting pre-shared key from file.\n"); if (safefile(lcconf->pathinfo[LC_PATHTYPE_PSK], 1) == 0) fp = fopen(lcconf->pathinfo[LC_PATHTYPE_PSK], "r"); else fp = NULL; if (fp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to open pre_share_key file %s\n", lcconf->pathinfo[LC_PATHTYPE_PSK]); return NULL; @@ -401,7 +408,7 @@ getpsk(str, len) if (strncmp(p, "0x", 2) == 0) { k = str2val(p + 2, 16, &keylen); if (k == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get psk buffer.\n"); goto end; } @@ -410,7 +417,7 @@ getpsk(str, len) key = vmalloc(keylen); if (key == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate key buffer.\n"); goto end; } 
@@ -440,7 +447,7 @@ getpathname(path, len, type, name) name[0] == '/' ? "" : "/", name); - plog(LLV_DEBUG, LOCATION, NULL, "filename: %s\n", path); + plog(ASL_LEVEL_DEBUG, "filename: %s\n", path); } #if 0 /* DELETEIT */ diff --git a/ipsec-tools/racoon/localconf.h b/ipsec-tools/racoon/localconf.h index 4313515..c2284da 100644 --- a/ipsec-tools/racoon/localconf.h +++ b/ipsec-tools/racoon/localconf.h @@ -35,6 +35,9 @@ #if !TARGET_OS_EMBEDDED #include #endif +#include +#include "vmbuf.h" +#include "ipsec_doi.h" /* local configuration */ @@ -43,11 +46,9 @@ #define LC_PATHTYPE_INCLUDE 0 #define LC_PATHTYPE_PSK 1 #define LC_PATHTYPE_CERT 2 -#define LC_PATHTYPE_BACKUPSA 3 -#define LC_PATHTYPE_SCRIPT 4 -#define LC_PATHTYPE_PIDFILE 5 -#define LC_PATHTYPE_LOGFILE 6 -#define LC_PATHTYPE_MAX 7 +#define LC_PATHTYPE_PIDFILE 3 +#define LC_PATHTYPE_LOGFILE 4 +#define LC_PATHTYPE_MAX 5 #define LC_DEFAULT_PAD_MAXSIZE 20 #define LC_DEFAULT_PAD_RANDOM TRUE @@ -63,8 +64,6 @@ #define LC_DEFAULT_SECRETSIZE 16 /* 128 bits */ -#define LC_IDENTTYPE_MAX 5 /* XXX */ - #define LC_GSSENC_UTF16LE 0 /* GSS ID in UTF-16LE */ #define LC_GSSENC_LATIN1 1 /* GSS ID in ISO-Latin-1 */ #define LC_GSSENC_MAX 2 @@ -76,7 +75,8 @@ struct vpnctl_socket_elem { LIST_ENTRY(vpnctl_socket_elem) chain; - int sock; + int sock; + dispatch_source_t source; LIST_HEAD(_bound_addrs, bound_addr) bound_addresses; }; 
@@ -106,22 +106,23 @@ struct localconf { uid_t uid; gid_t gid; - char *chroot; /* chroot path */ u_int16_t port_isakmp; /* port for isakmp as default */ u_int16_t port_isakmp_natt; /* port for NAT-T use */ u_int16_t port_admin; /* port for admin */ int default_af; /* default address family */ - int sock_admin; int sock_vpncontrol; int sock_pfkey; int rtsock; /* routing socket */ + dispatch_source_t vpncontrol_source; + dispatch_source_t pfkey_source; + dispatch_source_t rt_source; LIST_HEAD(_vpnctl_socket_elem_, vpnctl_socket_elem) vpnctl_comm_socks; LIST_HEAD(_redirect_, redirect) redirect_addresses; int auto_exit_state; /* auto exit state */ int auto_exit_delay; /* auto exit delay until exit */ - struct sched *auto_exit_sched; /* auto exit schedule */ + schedule_ref auto_exit_sched; /* auto exit schedule */ TAILQ_HEAD(_saved_msg_elem, saved_msg_elem) saved_msg_queue; int autograbaddr; @@ -129,7 +130,7 @@ struct localconf { char *logfile_param; /* from command line */ char *pathinfo[LC_PATHTYPE_MAX]; - vchar_t *ident[LC_IDENTTYPE_MAX]; /* base of Identifier payload. */ + vchar_t *ident[IDTYPE_MAX]; /* base of Identifier payload. */ int pad_random; int pad_randomlen; 
@@ -162,25 +163,27 @@ struct localconf { * is enable, racoon uses old format. */ - int gss_id_enc; /* GSS ID encoding to use */ #if !TARGET_OS_EMBEDDED vproc_transaction_t vt; /* returned by vproc_transaction_begin */ #endif }; + extern struct localconf *lcconf; -extern void initlcconf __P((void)); -extern void flushlcconf __P((void)); -extern vchar_t *getpskbyname __P((vchar_t *)); -extern vchar_t *getpskbyaddr __P((struct sockaddr_storage *)); +extern void initlcconf(void); +extern void flushlcconf(void); +extern void savelcconf(void); +extern void restorelcconf(void); +extern vchar_t *getpskbyname(vchar_t *); +extern vchar_t *getpskbyaddr(struct sockaddr_storage *); #if HAVE_KEYCHAIN -extern vchar_t *getpskfromkeychain __P((const char *, u_int8_t, int, vchar_t *)); +extern vchar_t *getpskfromkeychain(const char *, u_int8_t, int, vchar_t *); #endif -extern void getpathname __P((char *, int, int, const char *)); -extern int sittype2doi __P((int)); -extern int doitype2doi __P((int)); -extern vchar_t *getpsk __P((const char *, const int)); +extern void getpathname(char *, int, int, const char *); +extern int sittype2doi(int); +extern int doitype2doi(int); +extern vchar_t *getpsk(const char *, const int); #endif /* _LOCALCONF_H */ diff --git a/ipsec-tools/racoon/logger.c b/ipsec-tools/racoon/logger.c deleted file mode 100644 index 054871e..0000000 --- a/ipsec-tools/racoon/logger.c +++ /dev/null 
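Review bot: `extern vchar_t *getpsk(const char *, const int);` keeps a top-level `const` on a by-value parameter, which is meaningless in a prototype (it only qualifies the callee's local copy) and differs from every other declaration in this block; `extern vchar_t *getpsk(const char *, int);` is the conventional form. The new `savelcconf`/`restorelcconf` declarations would also benefit from a comment stating that they must be used as a pair, e.g. `/* savelcconf() parks the current config; restorelcconf() frees the replacement and brings it back. */`.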
@@ -1,355 +0,0 @@ -/* $KAME: logger.c,v 1.9 2002/09/03 14:37:03 itojun Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "config.h" - -#include -#include -#include - -#include -#include -#include -#include -#ifdef HAVE_STDARG_H -#include -#else -#include -#endif -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif - -#include "logger.h" -#include "var.h" -#include "gcmalloc.h" - -#define MAX_LOG_FILESIZE_BYTES 2097152 // 2MB -#define MAX_LOG_FILESIZE_KBYTES (MAX_LOG_FILESIZE_BYTES/1024) -#define MAX_LOG_FILESIZE_MBYTES (MAX_LOG_FILESIZE_BYTES/(1024 * 1024)) -#define LOG_DISCARD_BYTES (MAX_LOG_FILESIZE_BYTES/3) - -static int log_flush (struct log *p, int newbytes) -{ - struct stat st; - - if (!p || !p->fp) { - return -1; - } - - if (!p->byteswritten) { - bzero(&st, sizeof(st)); - if (fstat(fileno(p->fp), &st) < 0) { - return -1; - } - if (st.st_size < 0) { - return -1; - } - p->byteswritten = st.st_size; - } - if (newbytes > 0) { - p->byteswritten += newbytes; - } - - if (p->byteswritten > MAX_LOG_FILESIZE_BYTES) { - // hack to delete the first 1/3 of the file: won't work on some devices because malloc(MAX_LOG_FILESIZE_BYTES) fails - char *buf = NULL; - size_t discard, saved = 0; - FILE *fp; - - // calc how much to seek into the file - discard = p->byteswritten/3; - if (discard < LOG_DISCARD_BYTES) { - discard = LOG_DISCARD_BYTES; - } - fp = fopen(p->fname, "r"); - // get a temp buffer to hold the last 2/3 of the file - buf = malloc(MAX_LOG_FILESIZE_BYTES); - // seek into the file (skipping the first 1/3 of the file) - if (fp && buf) { - if (fseeko(fp, discard, SEEK_SET) == 0) { - // try reading as much as possible.. 
shouldn't fill up buffer - saved = fread(buf, MAX_LOG_FILESIZE_BYTES, sizeof(*buf), fp); - // p->byteswritten may be inaccurate (e.g another stream is writing to the file) - if (saved == MAX_LOG_FILESIZE_BYTES) { - saved = 0; - } - } - } - if (fp) { - fclose(fp); - } - - p->byteswritten = 0; - (void)fpurge(p->fp); - // delete file and start appending logs again - p->fp = freopen(p->fname, "wa", p->fp); - if (p->fp == NULL) - return -1; - fprintf(p->fp, "logfile turned over due to size>%d%s\n", - (MAX_LOG_FILESIZE_MBYTES > 0)? MAX_LOG_FILESIZE_MBYTES:MAX_LOG_FILESIZE_KBYTES, - (MAX_LOG_FILESIZE_MBYTES > 0)? "MB":"KB"); - // append some of the previous logs (if successfully we buffered 2/3 of the file) - if (buf && saved) { - (void)fwrite(buf, saved, sizeof(*buf), p->fp); - } - if (buf) { - free(buf); - } - } - (void)fflush(p->fp); - return 0; -} - -struct log * -log_open(siz, fname) - size_t siz; - char *fname; -{ - struct log *p; - - p = (struct log *)racoon_malloc(sizeof(*p)); - if (p == NULL) - return NULL; - memset(p, 0, sizeof(*p)); - - p->buf = (char **)racoon_malloc(sizeof(char *) * siz); - if (p->buf == NULL) { - racoon_free(p); - return NULL; - } - memset(p->buf, 0, sizeof(char *) * siz); - - p->tbuf = (time_t *)racoon_malloc(sizeof(time_t *) * siz); - if (p->tbuf == NULL) { - racoon_free(p->buf); - racoon_free(p); - return NULL; - } - memset(p->tbuf, 0, sizeof(time_t *) * siz); - - p->siz = siz; - if (fname) - p->fname = racoon_strdup(fname); - - return p; -} - -/* - * append string to ring buffer. - * string must be \n-terminated (since we add timestamps). - * even if not, we'll add \n to avoid formatting mistake (see log_close()). - */ -void -log_add(p, str) - struct log *p; - char *str; -{ - /* syslog if p->fname == NULL? */ - if (p->buf[p->head]) - racoon_free(p->buf[p->head]); - p->buf[p->head] = racoon_strdup(str); - p->tbuf[p->head] = time(NULL); - p->head++; - p->head %= p->siz; -} - -/* - * write out string to the log file, as is. 
- * \n-termination is up to the caller. if you don't add \n, the file - * format may be broken. - */ -int -log_print(p, str) - struct log *p; - char *str; -{ - int bytes; - - if (p->fname == NULL) - return -1; /*XXX syslog?*/ - if (p->fp == NULL) { - p->fp = fopen(p->fname, "a"); - } - if (p->fp == NULL) - return -1; - bytes = fprintf(p->fp, "%s", str); - if (log_flush(p, bytes)) { - return -1; - } - - return 0; -} - -int -log_vprint(struct log *p, const char *fmt, ...) -{ - va_list ap; - int bytes; - - if (p->fname == NULL) - return -1; /*XXX syslog?*/ - if (p->fp == NULL) { - p->fp = fopen(p->fname, "a"); - } - if (p->fp == NULL) - return -1; - va_start(ap, fmt); - bytes = vfprintf(p->fp, fmt, ap); - va_end(ap); - if (log_flush(p, bytes)) { - return -1; - } - - return 0; -} - -int -log_vaprint(struct log *p, const char *fmt, va_list ap) -{ - int bytes; - - if (p->fname == NULL) - return -1; /*XXX syslog?*/ - if (p->fp == NULL) { - p->fp = fopen(p->fname, "a"); - } - if (p->fp == NULL) - return -1; - bytes = vfprintf(p->fp, fmt, ap); - if (log_flush(p, bytes)) { - return -1; - } - - return 0; -} - -/* - * write out content of ring buffer, and reclaim the log structure - */ -int -log_close(p) - struct log *p; -{ - int i, j; - char ts[256]; - struct tm *tm; - int bytes; - - if (p->fname == NULL) - goto nowrite; - if (p->fp == NULL) { - p->fp = fopen(p->fname, "a"); - } - if (p->fp == NULL) - goto nowrite; - - for (i = 0; i < p->siz; i++) { - j = (p->head + i) % p->siz; - if (p->buf[j]) { - tm = localtime(&p->tbuf[j]); - strftime(ts, sizeof(ts), "%B %d %T", tm); - bytes = fprintf(p->fp, "%s: %s\n", ts, p->buf[j]); - (void)log_flush(p, bytes); - if (*(p->buf[j] + strlen(p->buf[j]) - 1) != '\n') { - bytes = fprintf(p->fp, "\n"); - (void)log_flush(p, bytes); - } - } - } - -nowrite: - log_free(p); - return 0; -} - -void -log_free(p) - struct log *p; -{ - int i; - - for (i = 0; i < p->siz; i++) - racoon_free(p->buf[i]); - racoon_free(p->buf); - racoon_free(p->tbuf); - if 
(p->fname) - racoon_free(p->fname); - if (p->fp) { - fclose(p->fp); - } - racoon_free(p); -} - -#ifdef TEST -struct log *l; - -void -vatest(const char *fmt, ...) -{ - va_list ap; - va_start(ap, fmt); - log_vaprint(l, fmt, ap); - va_end(ap); -} - -int -main(argc, argv) - int argc; - char **argv; -{ - int i; - - l = log_open(30, "/tmp/hoge"); - if (l == NULL) - errx(1, "hoge"); - - for (i = 0; i < 50; i++) { - log_add(l, "foo"); - log_add(l, "baa"); - log_add(l, "baz"); - } - log_print(l, "hoge\n"); - log_vprint(l, "hoge %s\n", "this is test"); - vatest("%s %s\n", "this is", "vprint test"); - abort(); - log_free(l); -} - -#endif - diff --git a/ipsec-tools/racoon/logger.h b/ipsec-tools/racoon/logger.h deleted file mode 100644 index 521cafb..0000000 --- a/ipsec-tools/racoon/logger.h +++ /dev/null 
@@ -1,53 +0,0 @@ -/* $Id: logger.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifndef _LOGGER_H -#define _LOGGER_H - -struct log { - int head; - int siz; - char **buf; - time_t *tbuf; - FILE *fp; - char *fname; - off_t byteswritten; -}; - -extern struct log *log_open __P((size_t, char *)); -extern void log_add __P((struct log *, char *)); -extern int log_print __P((struct log *, char *)); -extern int log_vprint __P((struct log *, const char *, ...)); -extern int log_vaprint __P((struct log *, const char *, va_list)); -extern int log_close __P((struct log *)); -extern void log_free __P((struct log *)); - -#endif /* _LOGGER_H */ diff --git a/ipsec-tools/racoon/main.c b/ipsec-tools/racoon/main.c index 7b4f049..9b45afd 100644 --- a/ipsec-tools/racoon/main.c +++ b/ipsec-tools/racoon/main.c @@ -79,21 +79,19 @@ #include "pfkey.h" #include "policy.h" #include "crypto_openssl.h" -#include "backupsa.h" #include "vendorid.h" #include -#include #ifndef TARGET_OS_EMBEDDED #include #endif // !TARGET_OS_EMBEDDED #include "power_mgmt.h" +#include "preferences.h" //#include "package_version.h" int f_local = 0; /* local test mode. behave like a wall. */ int vflag = 1; /* for print-isakmp.c */ -static int loading_sa = 0; /* install sa when racoon boots up. */ static int dump_config = 0; /* dump parsed config file. */ static int exec_done = 0; /* we've already been exec'd */ 
@@ -103,21 +101,21 @@ static char version[] = "@(#)" TOP_PACKAGE_STRING " (" TOP_PACKAGE_URL ")"; static char version[] = "@(#) racoon / IPsec-tools"; #endif /* TOP_PACKAGE */ -int main __P((int, char **)); -static void usage __P((void)); -static void parse __P((int, char **)); -static void restore_params __P((void)); -static void save_params __P((void)); -static void saverestore_params __P((int)); -static void cleanup_pidfile __P((void)); +int main (int, char **); +static void usage (void); +static void parse (int, char **); +static void restore_params (void); +static void save_params (void); +static void saverestore_params (int); +static void cleanup_pidfile (void); #if 0 // -int launchedbylaunchd __P((void)); +int launchedbylaunchd (void); #endif pid_t racoon_pid = 0; int launchdlaunched = 0; int print_pid = 1; /* for racoon only */ -char logFileStr[MAXPATHLEN+1]; + void usage() @@ -128,14 +126,8 @@ usage() #else "", #endif -#ifdef ENABLE_ADMINPORT - "[-a (port)] " -#else "" -#endif ); - printf(" -B: install SA to the kernel from the file " - "specified by the configuration file.\n"); printf(" -d: debug level, more -d will generate more debug message.\n"); printf(" -D: started by LaunchD (implies daemon mode).\n"); printf(" -C: dump parsed config file.\n"); @@ -146,9 +138,6 @@ usage() #ifdef INET6 printf(" -4: IPv4 mode.\n"); printf(" -6: IPv6 mode.\n"); -#endif -#ifdef ENABLE_ADMINPORT - printf(" -a: port number for admin port.\n"); #endif printf(" -f: pathname for configuration file.\n"); printf(" -l: pathname for log file.\n"); 
@@ -167,14 +156,20 @@ main(ac, av) char *sb_errorbuf = NULL; #endif // !TARGET_OS_EMBEDDED + /* + * Check IPSec plist + */ + prefsinit(); + ploginit(); + #ifndef TARGET_OS_EMBEDDED if (sandbox_init("racoon", SANDBOX_NAMED, &sb_errorbuf) == -1) { if (sb_errorbuf) { - syslog(LOG_ERR, "sandbox_init failed: %s\n", sb_errorbuf); + plog(ASL_LEVEL_ERR, "sandbox_init failed: %s\n", sb_errorbuf); sandbox_free_error(sb_errorbuf); sb_errorbuf = NULL; } else { - syslog(LOG_ERR, "sandbox_init failed\n"); + plog(ASL_LEVEL_ERR, "sandbox_init failed\n"); } } #endif // !TARGET_OS_EMBEDDED @@ -196,12 +191,6 @@ main(ac, av) /* NOTREACHED*/ } -#ifdef DEBUG_RECORD_MALLOCATION - DRM_init(); -#endif - - logFileStr[0] = 0; - #ifdef HAVE_OPENSSL eay_init(); #endif 
@@ -212,90 +201,23 @@ main(ac, av) compute_vendorids(); parse(ac, av); - plogmtxinit(); - - /* - * Check IPSec plist - */ - { - SCPreferencesRef prefs = NULL; - CFPropertyListRef globals; - CFStringRef logFileRef; - CFNumberRef debugLevelRef; - - int level = 0; - - logFileStr[0] = 0; - - if ((prefs = SCPreferencesCreate(0, CFSTR("racoon"), CFSTR("com.apple.ipsec.plist"))) == NULL) - goto skip; - globals = SCPreferencesGetValue(prefs, CFSTR("Global")); - if (!globals || (CFGetTypeID(globals) != CFDictionaryGetTypeID())) - goto skip; - debugLevelRef = CFDictionaryGetValue(globals, CFSTR("DebugLevel")); - if (!debugLevelRef || (CFGetTypeID(debugLevelRef) != CFNumberGetTypeID())) - goto skip; - CFNumberGetValue(debugLevelRef, kCFNumberSInt32Type, &level); - switch (level) - { - case 0: - loglevel = 5; - goto skip; - break; - case 1: - loglevel = 6; - break; - case 2: - loglevel = 7; - break; - default: - break; /* invalid - ignore */ - } - - logFileRef = CFDictionaryGetValue(globals, CFSTR("DebugLogfile")); - if (!logFileRef || (CFGetTypeID(logFileRef) != CFStringGetTypeID())) { - goto skip; - } - CFStringGetCString(logFileRef, logFileStr, MAXPATHLEN, kCFStringEncodingMacRoman); -skip: - if (prefs) - CFRelease(prefs); - } - - if (logFileStr[0]) - plogset(logFileStr); - else - if (lcconf->logfile_param) - plogset(lcconf->logfile_param); - ploginit(); - - plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched); - plog(LLV_INFO, LOCATION, NULL, "%s\n", version); + plog(ASL_LEVEL_INFO, "***** racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched); + plog(ASL_LEVEL_INFO, "%s\n", version); #ifdef HAVE_OPENSSL - plog(LLV_INFO, LOCATION, NULL, "@(#)" + plog(ASL_LEVEL_INFO, "@(#)" "This product linked %s (http://www.openssl.org/)" "\n", eay_version()); #endif - plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n", + plog(ASL_LEVEL_INFO, 
"Reading configuration from \"%s\"\n", lcconf->racoon_conf); + //%%%%% this sould probably be moved to session() if (pfkey_init() < 0) { - errx(1, "something error happened " - "while pfkey initializing."); + errx(1, "failed to initialize pfkey.\n"); /* NOTREACHED*/ } -#ifdef ENABLE_HYBRID - if (isakmp_cfg_init(ISAKMP_CFG_INIT_COLD)) - errx(1, "could not initialize ISAKMP mode config structures"); -#endif - -#ifdef HAVE_LIBLDAP - if (xauth_ldap_init() != 0) - errx(1, "could not initialize libldap"); -#endif - /* * in order to prefer the parameters by command line, * saving some parameters before parsing configuration file. @@ -307,7 +229,7 @@ skip: restore_params(); if (lcconf->logfile_param == NULL && logFileStr[0] == 0) - plogreset(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]); + plogresetfile(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]); #ifdef ENABLE_NATT /* Tell the kernel which port to use for UDP encapsulation */ @@ -319,12 +241,6 @@ skip: } #endif -#ifdef HAVE_LIBRADIUS - if (xauth_radius_init() != 0) { - errx(1, "could not initialize libradius"); - /* NOTREACHED*/ - } -#endif #ifdef ENABLE_HYBRID if(isakmp_cfg_config.network4 && isakmp_cfg_config.pool_size == 0) @@ -339,28 +255,23 @@ skip: * install SAs from the specified file. If the file is not specified * by the configuration file, racoon will exit. */ - if (loading_sa && !f_local) { - if (backupsa_from_file() != 0) - errx(1, "something error happened " - "SA recovering."); - } if (f_foreground) close(0); else { if ( !exec_done && launchdlaunched ){ - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "racoon launched by launchd.\n"); exec_done = 1; if (atexit(cleanup_pidfile) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot register pidfile cleanup"); } }else { if (exec_done) { if (atexit(cleanup_pidfile) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot register pidfile cleanup"); } } else { 
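Review bot: `errx(1, "failed to initialize pfkey.\n");` passes a message ending in `\n`, but errx() appends its own newline, so the output gains a blank line; the errx() calls this hunk removes omit it, and `errx(1, "failed to initialize pfkey");` keeps that convention. The new `//%%%%% this sould probably be moved to session()` marker should either become a tracked TODO or at least read `// TODO: this should probably be moved to session()`. main() begins and ends outside this hunk.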
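Review bot: `if (lcconf->logfile_param == NULL && logFileStr[0] == 0)` still reads `logFileStr`, yet this patch removes its definition from main.c (`-char logFileStr[MAXPATHLEN+1];` in the earlier main.c hunk) together with the code that filled it. Presumably the array now lives in the plog module and is declared extern in a header main.c includes; if not, this line no longer compiles, and if so, its value now depends on `prefsinit()`/`ploginit()` having run at the top of main(), which they do in this patch. A short comment naming where logFileStr is now defined and who sets it would make that ownership explicit for the next reader. main() continues outside this hunk.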
@@ -371,7 +282,7 @@ skip: int i; if (ac > MAX_EXEC_ARGS) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "too many arguments.\n"); exit(1); } @@ -385,12 +296,12 @@ skip: * when launched by setuid process */ if (setuid(0)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot set uid.\n"); exit(1); } if (setgid(0)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot set gid.\n"); exit(1); } @@ -403,23 +314,23 @@ skip: args[ac+1] = 0; execve(PATHRACOON, args, env); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to exec racoon. (%s)", strerror(errno)); exit(1); } } } - + + + /* start the session */ session(); - - exit(0); } #if 0 // int launchedbylaunchd(){ launch_data_t checkin_response = NULL; - + if ((checkin_response = launch_socket_service_check_in()) == NULL) { plog(LLV_ERROR, LOCATION, NULL, "launch_socket_service_check_in fails.\n"); @@ -480,11 +391,6 @@ parse(ac, av) else pname = *av; -#if 0 /* for debugging */ - loglevel += 2; - plogset("/tmp/racoon.log"); -#endif - while ((c = getopt(ac, av, "dDLFp:P:a:f:l:vsZBCx" #ifdef YYDEBUG "y" @@ -495,7 +401,7 @@ parse(ac, av) )) != -1) { switch (c) { case 'd': - loglevel++; + plogsetlevel(ASL_LEVEL_DEBUG); break; case 'D': if (f_foreground) { @@ -522,14 +428,9 @@ parse(ac, av) lcconf->port_isakmp_natt = atoi(optarg); break; case 'a': -#ifdef ENABLE_ADMINPORT - lcconf->port_admin = atoi(optarg); - break; -#else fprintf(stderr, "%s: the option is disabled " "in the configuration\n", pname); exit(1); -#endif case 'f': lcconf->racoon_conf = optarg; break; @@ -572,9 +473,6 @@ parse(ac, av) lcconf->default_af = AF_INET6; break; #endif - case 'B': - loading_sa++; - break; case 'C': dump_config++; break; 
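Review bot: `case 'd': plogsetlevel(ASL_LEVEL_DEBUG);` in the `@@ -495,7 +401,7 @@` hunk makes every `-d` set the same fixed level, but the usage text kept in the usage() hunk above still promises `-d: debug level, more -d will generate more debug message.`, which is no longer true. Either count the occurrences as the old `loglevel++` did and map the count to a level, or update the usage string to `printf(" -d: enable debug logging.\n");`. parse() begins and ends outside this hunk.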
@@ -611,20 +509,11 @@ saverestore_params(f) int f; { static u_int16_t s_port_isakmp; -#ifdef ENABLE_ADMINPORT - static u_int16_t s_port_admin; -#endif /* 0: save, 1: restore */ if (f) { lcconf->port_isakmp = s_port_isakmp; -#ifdef ENABLE_ADMINPORT - lcconf->port_admin = s_port_admin; -#endif } else { s_port_isakmp = lcconf->port_isakmp; -#ifdef ENABLE_ADMINPORT - s_port_admin = lcconf->port_admin; -#endif } } diff --git a/ipsec-tools/racoon/misc.c b/ipsec-tools/racoon/misc.c index 07e5390..2bc6911 100644 --- a/ipsec-tools/racoon/misc.c +++ b/ipsec-tools/racoon/misc.c @@ -48,7 +48,7 @@ #include "debug.h" #if 0 -static int bindump __P((void *, size_t)); +static int bindump (void *, size_t); static int bindump(buf0, len) @@ -167,3 +167,26 @@ timedelta(t1, t2) return t2->tv_sec - t1->tv_sec - 1 + (double)(1000000 + t2->tv_usec - t1->tv_usec) / 1000000; } + +/* + * Returns a printable string from (possibly) binary data ; + * concatenates all unprintable chars to one space. + * XXX Maybe the printable chars range is too large... + */ +char* +binsanitize(binstr, n) + char *binstr; + size_t n; +{ + int p,q; + for (p = 0, q = 0; p < n; p++) { + if (isgraph((int)binstr[p])) { + binstr[q++] = binstr[p]; + } else { + if (q && binstr[q - 1] != ' ') + binstr[q++] = ' '; + } + } + binstr[q++] = '\0'; + return binstr; +} diff --git a/ipsec-tools/racoon/misc.h b/ipsec-tools/racoon/misc.h index c1a1319..c56aea3 100644 --- a/ipsec-tools/racoon/misc.h +++ b/ipsec-tools/racoon/misc.h 
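Review bot: `binsanitize` passes a plain `char` to `isgraph()`; where `char` is signed, any byte >= 0x80 becomes a negative `int` and the call is undefined behaviour (only `EOF` and `unsigned char` values are valid), so the cast should be `if (isgraph((unsigned char)binstr[p])) {`. The terminating write `binstr[q++] = '\0';` lands at index `n` when every input byte is graphic, so the caller must hand in a buffer of at least `n + 1` bytes; that contract is not stated anywhere and belongs in the header comment, e.g. `/* Sanitizes in place; binstr must have room for n + 1 bytes (the NUL may land at index n). */`. The counters `p` and `q` are `int` compared against the `size_t n`; declaring them `size_t` removes the sign-compare warning and the theoretical wrap for large inputs.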
@@ -42,20 +42,21 @@ #define LOCATION debug_location(__FILE__, __LINE__, NULL) #endif -extern int hexdump __P((void *, size_t)); -extern char *bit2str __P((int, int)); -extern void *get_newbuf __P((void *, size_t)); -extern const char *debug_location __P((const char *, int, const char *)); -extern int getfsize __P((char *)); +extern int hexdump (void *, size_t); +extern char *bit2str (int, int); +extern void *get_newbuf (void *, size_t); +extern const char *debug_location (const char *, int, const char *); +extern int getfsize (char *); struct timeval; -extern double timedelta __P((struct timeval *, struct timeval *)); -char *strdup __P((const char *)); +extern double timedelta (struct timeval *, struct timeval *); +char *strdup (const char *); +extern char* binsanitize (char*, size_t); #define RACOON_TAILQ_FOREACH_REVERSE(var, head, headname ,field) \ TAILQ_FOREACH_REVERSE(var, head, field, headname) #define STRDUP_FATAL(x) if (x == NULL) { \ - plog(LLV_ERROR, LOCATION, NULL, "strdup failed\n"); \ + plog(ASL_LEVEL_ERR, "strdup failed\n"); \ exit(1); \ } diff --git a/ipsec-tools/racoon/nattraversal.c b/ipsec-tools/racoon/nattraversal.c index 1f08eb9..1cd7280 100644 --- a/ipsec-tools/racoon/nattraversal.c +++ b/ipsec-tools/racoon/nattraversal.c @@ -114,7 +114,7 @@ natt_vendorid (int vid) } vchar_t * -natt_hash_addr (struct ph1handle *iph1, struct sockaddr_storage *addr) +natt_hash_addr (phase1_handle_t *iph1, struct sockaddr_storage *addr) { vchar_t *natd; vchar_t *buf; 
@@ -122,9 +122,11 @@ natt_hash_addr (struct ph1handle *iph1, struct sockaddr_storage *addr) void *addr_ptr, *addr_port; size_t buf_size, addr_size; - plog (LLV_INFO, LOCATION, addr, "Hashing %s with algo #%d %s\n", - saddr2str((struct sockaddr *)addr), iph1->approval->hashtype, - (iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":""); + if (iph1->approval) { + plog(ASL_LEVEL_INFO, "Hashing %s with algo #%d %s\n", + saddr2str((struct sockaddr *)addr), iph1->approval->hashtype, + (iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":""); + } if (addr->ss_family == AF_INET) { addr_size = sizeof (struct in_addr); /* IPv4 address */ @@ -137,7 +139,7 @@ natt_hash_addr (struct ph1handle *iph1, struct sockaddr_storage *addr) addr_port = &((struct sockaddr_in6 *)addr)->sin6_port; } else { - plog (LLV_ERROR, LOCATION, addr, "Unsupported address family #0x%x\n", addr->ss_family); + plog(ASL_LEVEL_ERR, "Unsupported address family #0x%x\n", addr->ss_family); return NULL; } @@ -174,7 +176,7 @@ natt_hash_addr (struct ph1handle *iph1, struct sockaddr_storage *addr) } int -natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, +natt_compare_addr_hash (phase1_handle_t *iph1, vchar_t *natd_received, int natd_seq) { vchar_t *natd_computed; @@ -270,7 +272,7 @@ natt_fill_options (struct ph1natt_options *opts, int version) opts->encaps_type = UDP_ENCAP_ESPINUDP; break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unsupported NAT-T version: %s\n", vid_string_by_id(version)); return -1; @@ -282,7 +284,7 @@ natt_fill_options (struct ph1natt_options *opts, int version) } int -create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa_r) +create_natoa_payloads(phase2_handle_t *iph2, vchar_t **natoa_i, vchar_t **natoa_r) { int natoa_type = 0; vchar_t *i; 
@@ -323,7 +325,7 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid address family: %d\n", i_addr->ss_family); return -1; } @@ -338,21 +340,21 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid address family: %d\n", r_addr->ss_family); return -1; } i = vmalloc(sizeof(struct isakmp_pl_natoa) + i_size - sizeof(struct isakmp_gen)); if (i == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer for natoa payload.\n"); return -1; } r = vmalloc(sizeof(struct isakmp_pl_natoa) + r_size - sizeof(struct isakmp_gen)); if (r == NULL) { vfree(i); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer for natoa payload.\n"); return -1; } @@ -404,7 +406,7 @@ process_natoa_payload(vchar_t *buf) case IPSECDOI_ID_IPV4_ADDR: saddr = racoon_malloc(sizeof(struct sockaddr_in)); if (!saddr) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "error allocating addr for NAT-OA payload\n"); return NULL; } @@ -418,7 +420,7 @@ process_natoa_payload(vchar_t *buf) case IPSECDOI_ID_IPV6_ADDR: saddr = racoon_malloc(sizeof(struct sockaddr_in6)); if (!saddr) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "error allocating addr for NAT-OA payload\n"); return NULL; } @@ -430,7 +432,7 @@ process_natoa_payload(vchar_t *buf) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid NAT-OA payload %d\n", id_b->type); return NULL; } @@ -438,7 +440,7 @@ process_natoa_payload(vchar_t *buf) } void -natt_float_ports (struct ph1handle *iph1) +natt_float_ports (phase1_handle_t *iph1) { if (! (iph1->natt_flags & NAT_DETECTED) ) 
@@ -460,11 +462,12 @@ natt_float_ports (struct ph1handle *iph1) set_port (iph1->remote, iph1->natt_options->float_port); iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; - ike_session_ikev1_float_ports(iph1); + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) + ike_session_ikev1_float_ports(iph1); } void -natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric) +natt_handle_vendorid (phase1_handle_t *iph1, int vid_numeric) { int version; @@ -472,7 +475,7 @@ natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric) iph1->natt_options = racoon_calloc (1, sizeof (*iph1->natt_options)); if (! iph1->natt_options) { - plog (LLV_ERROR, LOCATION, NULL, + plog (ASL_LEVEL_ERR, "Allocating memory for natt_options failed!\n"); return; } diff --git a/ipsec-tools/racoon/nattraversal.h b/ipsec-tools/racoon/nattraversal.h index 986ca47..c921ff7 100644 --- a/ipsec-tools/racoon/nattraversal.h +++ b/ipsec-tools/racoon/nattraversal.h @@ -47,7 +47,7 @@ #define NAT_KA_QUEUED (1L<<4) #define NAT_ADD_NON_ESP_MARKER (1L<<5) -#define NATT_AVAILABLE(ph1) ((iph1)->natt_flags & NAT_ANNOUNCED) +#define NATT_AVAILABLE(iph1) ((iph1)->natt_flags & NAT_ANNOUNCED) #define NAT_DETECTED (NAT_DETECTED_ME | NAT_DETECTED_PEER) 
@@ -56,19 +56,19 @@ #ifdef ENABLE_NATT #ifdef ENABLE_FRAG -#define PH1_NON_ESP_EXTRA_LEN(iph1) ((iph1->frag && iph1->sendbuf->l > ISAKMP_FRAG_MAXLEN) ? 0: (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0)) -#define PH2_NON_ESP_EXTRA_LEN(iph2) ((iph2->ph1->frag && iph2->sendbuf->l > ISAKMP_FRAG_MAXLEN) ? 0: (NON_ESP_MARKER_USE(iph2->ph1) ? NON_ESP_MARKER_LEN : 0)) +#define PH1_NON_ESP_EXTRA_LEN(iph1, sendbuf) ((iph1->frag && sendbuf->l > ISAKMP_FRAG_MAXLEN) ? 0: (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0)) +#define PH2_NON_ESP_EXTRA_LEN(iph2, sendbuf) ((iph2->ph1->frag && sendbuf->l > ISAKMP_FRAG_MAXLEN) ? 0: (NON_ESP_MARKER_USE(iph2->ph1) ? NON_ESP_MARKER_LEN : 0)) #define PH1_FRAG_FLAGS(iph1) (NON_ESP_MARKER_USE(iph1) ? FRAG_PUT_NON_ESP_MARKER : 0) #define PH2_FRAG_FLAGS(iph2) (NON_ESP_MARKER_USE(iph2->ph1) ? FRAG_PUT_NON_ESP_MARKER : 0) #else -#define PH1_NON_ESP_EXTRA_LEN(iph1) (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0) -#define PH2_NON_ESP_EXTRA_LEN(iph2) (NON_ESP_MARKER_USE(iph2->ph1) ? NON_ESP_MARKER_LEN : 0) +#define PH1_NON_ESP_EXTRA_LEN(iph1, sendbuf) (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0) +#define PH2_NON_ESP_EXTRA_LEN(iph2, sendbuf) (NON_ESP_MARKER_USE(iph2->ph1) ? NON_ESP_MARKER_LEN : 0) #define PH1_FRAG_FLAGS(iph1) 0 #define PH2_FRAG_FLAGS(iph2) 0 #endif #else -#define PH1_NON_ESP_EXTRA_LEN(iph1) 0 -#define PH2_NON_ESP_EXTRA_LEN(iph2) 0 +#define PH1_NON_ESP_EXTRA_LEN(iph1, sendbuf) 0 +#define PH2_NON_ESP_EXTRA_LEN(iph2, sendbuf) 0 #define PH1_FRAG_FLAGS(iph1) 0 #define PH2_FRAG_FLAGS(iph2) 0 #endif 
@@ -99,13 +99,13 @@ struct ph2natt { }; int natt_vendorid (int vid); -vchar_t *natt_hash_addr (struct ph1handle *iph1, struct sockaddr_storage *addr); -int natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, int natd_seq); +vchar_t *natt_hash_addr (phase1_handle_t *iph1, struct sockaddr_storage *addr); +int natt_compare_addr_hash (phase1_handle_t *iph1, vchar_t *natd_received, int natd_seq); int natt_udp_encap (int encmode); int natt_fill_options (struct ph1natt_options *opts, int version); -void natt_float_ports (struct ph1handle *iph1); -void natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric); -int create_natoa_payloads(struct ph2handle *iph2, vchar_t **, vchar_t **); +void natt_float_ports (phase1_handle_t *iph1); +void natt_handle_vendorid (phase1_handle_t *iph1, int vid_numeric); +int create_natoa_payloads(phase2_handle_t *iph2, vchar_t **, vchar_t **); struct sockaddr_storage * process_natoa_payload(vchar_t *buf); struct payload_list * diff --git a/ipsec-tools/racoon/netdb_dnssec.h b/ipsec-tools/racoon/netdb_dnssec.h index b83273d..8e875b1 100644 --- a/ipsec-tools/racoon/netdb_dnssec.h +++ b/ipsec-tools/racoon/netdb_dnssec.h @@ -66,7 +66,7 @@ struct certinfo { struct certinfo *ci_next; /* next structure */ }; -extern void freecertinfo __P((struct certinfo *)); -extern int getcertsbyname __P((char *, struct certinfo **)); +extern void freecertinfo (struct certinfo *); +extern int getcertsbyname (char *, struct certinfo **); #endif /* _NETDB_DNSSEC_H */ diff --git a/ipsec-tools/racoon/oakley.c b/ipsec-tools/racoon/oakley.c index 0bd8958..d2dab6b 100644 --- a/ipsec-tools/racoon/oakley.c +++ b/ipsec-tools/racoon/oakley.c @@ -78,8 +78,6 @@ #include "isakmp_cfg.h" #endif #include "oakley.h" -#include "admin.h" -#include "privsep.h" #include "localconf.h" #include "policy.h" #include "handler.h" 
@@ -104,10 +102,9 @@ #include #include #endif -#ifdef HAVE_GSSAPI -#include "gssapi.h" -#endif #include "vpn_control_var.h" +#include "ikev2_rfc.h" +#include "extern.h" #define OUTBOUND_SA 0 #define INBOUND_SA 1 
@@ -152,32 +149,21 @@ struct dhgroup dh_modp6144; struct dhgroup dh_modp8192; -static int oakley_check_dh_pub __P((vchar_t *, vchar_t **)); -static int oakley_compute_keymat_x __P((struct ph2handle *, int, int)); -static int get_cert_fromlocal __P((struct ph1handle *, int)); -static int oakley_check_certid __P((struct ph1handle *iph1, int)); -static int oakley_check_certid_1 __P((vchar_t *, int, int, void*, cert_status_t *certStatus)); -static int check_typeofcertname __P((int, int)); -static cert_t *save_certbuf __P((struct isakmp_gen *)); +static int oakley_check_dh_pub (vchar_t *, vchar_t **); +static int oakley_compute_keymat_x (phase2_handle_t *, int, int); +static int oakley_compute_ikev2_keymat_x (phase2_handle_t *); +static int get_cert_fromlocal (phase1_handle_t *, int); +static int oakley_check_certid (phase1_handle_t *iph1); +static int oakley_check_certid_1 (vchar_t *, int, int, void*, cert_status_t *certStatus); +static vchar_t * oakley_prf_plus (vchar_t *, vchar_t *, int, phase1_handle_t *iph1); #ifdef HAVE_OPENSSL -static cert_t *save_certx509 __P((X509 *)); +static int check_typeofcertname (int, int); #endif -static int oakley_padlen __P((int, int)); - -static int base64toCFData(vchar_t *, CFDataRef*); -static cert_t *oakley_appendcert_to_certchain(cert_t *, cert_t *); +static cert_t *save_certbuf (struct isakmp_gen *); +static int oakley_padlen (int, int); -static void oakley_cert_prettyprint (vchar_t *cert) -{ - char *p = NULL; -#ifdef HAVE_OPENSSL - p = eay_get_x509text(cert); -#else - /* add new cert dump code here */ -#endif - plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n"); - racoon_free(p); -} +static int base64toCFData (vchar_t *, CFDataRef*); +static cert_t *oakley_appendcert_to_certchain (cert_t *, cert_t *); int oakley_get_defaultlifetime() 
@@ -210,17 +196,12 @@ oakley_dhinit() } void -oakley_dhgrp_free(dhgrp) - struct dhgroup *dhgrp; +oakley_dhgrp_free(struct dhgroup *dhgrp) { - if (dhgrp->prime) - vfree(dhgrp->prime); - if (dhgrp->curve_a) - vfree(dhgrp->curve_a); - if (dhgrp->curve_b) - vfree(dhgrp->curve_b); - if (dhgrp->order) - vfree(dhgrp->order); + VPTRINIT(dhgrp->prime); + VPTRINIT(dhgrp->curve_a); + VPTRINIT(dhgrp->curve_b); + VPTRINIT(dhgrp->order); racoon_free(dhgrp); } @@ -231,8 +212,7 @@ oakley_dhgrp_free(dhgrp) * performed, prepending zero bits to the value if necessary. */ static int -oakley_check_dh_pub(prime, pub0) - vchar_t *prime, **pub0; +oakley_check_dh_pub(vchar_t *prime, vchar_t **pub0) { vchar_t *tmp; vchar_t *pub = *pub0; @@ -242,7 +222,7 @@ oakley_check_dh_pub(prime, pub0) if (prime->l < pub->l) { /* what should i do ? */ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid public information was generated.\n"); return -1; } @@ -250,7 +230,7 @@ oakley_check_dh_pub(prime, pub0) /* prime->l > pub->l */ tmp = vmalloc(prime->l); if (tmp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get DH buffer.\n"); return -1; } @@ -275,7 +255,7 @@ oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub, vchar_t *priv, vchar_t struct timeval start, end; #endif if ((*gxy = vmalloc(dh->prime->l)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get DH buffer.\n"); return -1; } 
@@ -286,37 +266,36 @@ oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub, vchar_t *priv, vchar_t switch (dh->type) { case OAKLEY_ATTR_GRP_TYPE_MODP: if (eay_dh_compute(dh->prime, dh->gen1, pub, priv, pub_p, gxy) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute dh value.\n"); return -1; } break; case OAKLEY_ATTR_GRP_TYPE_ECP: case OAKLEY_ATTR_GRP_TYPE_EC2N: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "dh type %d isn't supported.\n", dh->type); return -1; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid dh type %d.\n", dh->type); return -1; } #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__, + plog(ASL_LEVEL_NOTICE, "%s(%s%d): %8.6f", __func__, s_attr_isakmp_group(dh->type), dh->prime->l << 3, timedelta(&start, &end)); #endif - plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n"); - plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l); + plog(ASL_LEVEL_DEBUG, "compute DH's shared.\n"); return 0; } #else int -oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub_p, size_t publicKeySize, vchar_t **gxy, SecDHContext dhC) +oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub_p, size_t publicKeySize, vchar_t **gxy, SecDHContext *dhC) { vchar_t *computed_key = NULL; 
@@ -328,42 +307,47 @@ oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub_p, size_t publicKeySize gettimeofday(&start, NULL); #endif - plog(LLV_DEBUG, LOCATION, NULL, "compute DH result.\n"); + plog(ASL_LEVEL_DEBUG, "compute DH result.\n"); - maxKeyLen = SecDHGetMaxKeyLength(dhC); + maxKeyLen = SecDHGetMaxKeyLength(*dhC); computed_key = vmalloc(maxKeyLen); if (computed_key == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "memory error.\n"); + plog(ASL_LEVEL_ERR, "memory error.\n"); goto fail; } computed_keylen = computed_key->l; - if (SecDHComputeKey(dhC, pub_p->v + (maxKeyLen - publicKeySize), publicKeySize, - computed_key->v, &computed_keylen)) { - plog(LLV_ERROR, LOCATION, NULL, "failed to compute dh value.\n"); + if (SecDHComputeKey(*dhC, (uint8_t*)pub_p->v + (maxKeyLen - publicKeySize), publicKeySize, + (uint8_t*)computed_key->v, &computed_keylen)) { + plog(ASL_LEVEL_ERR, "failed to compute dh value.\n"); goto fail; } #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__, + plog(ASL_LEVEL_NOTICE, "%s(%s%d): %8.6f", __func__, s_attr_isakmp_group(dh->type), dh->prime->l << 3, timedelta(&start, &end)); #endif *gxy = vmalloc(maxKeyLen); if (*gxy == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "memory error.\n"); + plog(ASL_LEVEL_ERR, "memory error.\n"); goto fail; } memcpy((*gxy)->v + (maxKeyLen - computed_keylen), computed_key->v, computed_keylen); - plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n"); - plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l); - SecDHDestroy(dhC); + plog(ASL_LEVEL_DEBUG, "compute DH's shared.\n"); + if (*dhC) { + SecDHDestroy(*dhC); + *dhC = NULL; + } vfree(computed_key); return 0; fail: - SecDHDestroy(dhC); + if (*dhC) { + SecDHDestroy(*dhC); + *dhC = NULL; + } vfree(*gxy); vfree(computed_key); return -1; 
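Review bot: The peer's public value is read at `(uint8_t*)pub_p->v + (maxKeyLen - publicKeySize)` for `publicKeySize` bytes, but neither `pub_p->l` is compared against `maxKeyLen` nor `publicKeySize` against `maxKeyLen`; unless the caller (outside this hunk) already guarantees `pub_p->l >= maxKeyLen`, a short KE payload from the peer makes `SecDHComputeKey` read past the buffer. A local guard before the call is cheap: `if (publicKeySize > maxKeyLen || pub_p->l < maxKeyLen) { plog(ASL_LEVEL_ERR, "invalid DH public value length.\n"); goto fail; }`. Separately, `computed_key` holds the raw DH shared secret and is released with `vfree()` on both exits; unless `vfree` zeroizes (I cannot see it here), it should be wiped first, e.g. `memset(computed_key->v, 0, computed_key->l);` immediately before each `vfree(computed_key)`, which matches the care this commit takes to stop dumping the value into the log.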
@@ -378,9 +362,7 @@ fail: */ #ifdef HAVE_OPENSSL int -oakley_dh_generate(dh, pub, priv) - const struct dhgroup *dh; - vchar_t **pub, **priv; +oakley_dh_generate(const struct dhgroup *dh, vchar_t **pub, vchar_t **priv) { #ifdef ENABLE_STATS struct timeval start, end; @@ -389,7 +371,7 @@ oakley_dh_generate(dh, pub, priv) switch (dh->type) { case OAKLEY_ATTR_GRP_TYPE_MODP: if (eay_dh_generate(dh->prime, dh->gen1, dh->gen2, pub, priv) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to compute dh value.\n"); return -1; } @@ -397,18 +379,18 @@ oakley_dh_generate(dh, pub, priv) case OAKLEY_ATTR_GRP_TYPE_ECP: case OAKLEY_ATTR_GRP_TYPE_EC2N: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "dh type %d isn't supported.\n", dh->type); return -1; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid dh type %d.\n", dh->type); return -1; } #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__, + plog(ASL_LEVEL_NOTICE, "%s(%s%d): %8.6f", __func__, s_attr_isakmp_group(dh->type), dh->prime->l << 3, timedelta(&start, &end)); #endif @@ -416,10 +398,8 @@ oakley_dh_generate(dh, pub, priv) if (oakley_check_dh_pub(dh->prime, pub) != 0) return -1; - plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n"); - plogdump(LLV_DEBUG, (*priv)->v, (*priv)->l); - plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n"); - plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l); + plog(ASL_LEVEL_DEBUG, "compute DH's private.\n"); + plog(ASL_LEVEL_DEBUG, "compute DH's public.\n"); return 0; } 
@@ -435,35 +415,31 @@ oakley_dh_generate(const struct dhgroup *dh, vchar_t **pub, size_t *publicKeySiz gettimeofday(&start, NULL); #endif - plog(LLV_DEBUG, LOCATION, NULL, "generate DH key pair.\n"); + plog(ASL_LEVEL_DEBUG, "generate DH key pair.\n"); *pub = NULL; switch (dh->type) { case OAKLEY_ATTR_GRP_TYPE_MODP: -#define SECDH_MODP_GENERATOR OAKLEY_ATTR_GRP_DESC_MODP1024 - if (dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1024 && dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1536) { - plog(LLV_ERROR, LOCATION, NULL, "Invalid dh group.\n"); - goto fail; - } - if (SecDHCreate(SECDH_MODP_GENERATOR, dh->prime->v, dh->prime->l, 0, NULL, 0, dhC)) { - plog(LLV_ERROR, LOCATION, NULL, "failed to create dh context.\n"); +#define SECDH_MODP_GENERATOR 2 + if (SecDHCreate(SECDH_MODP_GENERATOR, (uint8_t*)dh->prime->v, dh->prime->l, 0, NULL, 0, dhC)) { + plog(ASL_LEVEL_ERR, "failed to create dh context.\n"); goto fail; } maxKeyLen = SecDHGetMaxKeyLength(*dhC); public = vmalloc(maxKeyLen); *publicKeySize = public->l; if (public == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "memory error.\n"); + plog(ASL_LEVEL_ERR, "memory error.\n"); goto fail; } - if (SecDHGenerateKeypair(*dhC, public->v, publicKeySize)) { - plog(LLV_ERROR, LOCATION, NULL, "failed to generate dh key pair.\n"); + if (SecDHGenerateKeypair(*dhC, (uint8_t*)public->v, publicKeySize)) { + plog(ASL_LEVEL_ERR, "failed to generate dh key pair.\n"); goto fail; } - plog(LLV_DEBUG, LOCATION, NULL, "got DH key pair.\n"); + plog(ASL_LEVEL_DEBUG, "got DH key pair.\n"); *pub = vmalloc(maxKeyLen); if (*pub == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "memory error.\n"); + plog(ASL_LEVEL_ERR, "memory error.\n"); goto fail; } /* copy and fill with leading zeros */ 
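Review bot: `*publicKeySize = public->l;` dereferences `public` before the `if (public == NULL)` test that follows it, so an allocation failure becomes a NULL dereference instead of the handled "memory error" path; the assignment should move below the check: `if (public == NULL) { plog(ASL_LEVEL_ERR, "memory error.\n"); goto fail; } *publicKeySize = public->l;`. The hunk also removes the MODP1024/MODP1536 restriction while hard-coding `#define SECDH_MODP_GENERATOR 2` and never consulting `dh->gen1`; that is correct for the standard RFC 2409/3526 MODP groups, but a comment such as `/* all supported MODP groups use generator 2; dh->gen1 is not consulted */` would stop a future custom group from being silently computed with the wrong base. The function's opening and the `fail:` label lie outside this hunk.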
@@ -472,36 +448,37 @@ oakley_dh_generate(const struct dhgroup *dh, vchar_t **pub, size_t *publicKeySiz case OAKLEY_ATTR_GRP_TYPE_ECP: case OAKLEY_ATTR_GRP_TYPE_EC2N: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "dh type %d isn't supported.\n", dh->type); goto fail; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid dh type %d.\n", dh->type); goto fail; } #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__, + plog(ASL_LEVEL_NOTICE, "%s(%s%d): %8.6f", __func__, s_attr_isakmp_group(dh->type), dh->prime->l << 3, timedelta(&start, &end)); #endif if (oakley_check_dh_pub(dh->prime, pub) != 0) { - plog(LLV_DEBUG, LOCATION, NULL, "failed DH public key size check.\n"); + plog(ASL_LEVEL_DEBUG, "failed DH public key size check.\n"); goto fail; } - plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n"); - plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n"); - plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l); + //plogdump(ASL_LEVEL_DEBUG, (*pub)->v, (*pub)->l, "compute DH's public.\n"); vfree(public); return 0; fail: - SecDHDestroy(*dhC); + if (*dhC) { + SecDHDestroy(*dhC); + *dhC = NULL; + } vfree(*pub); vfree(public); return -1; @@ -513,9 +490,7 @@ fail: * copy pre-defined dhgroup values. */ int -oakley_setdhgroup(group, dhgrp) - int group; - struct dhgroup **dhgrp; +oakley_setdhgroup(int group, struct dhgroup **dhgrp) { struct dhgroup *g; @@ -523,21 +498,21 @@ oakley_setdhgroup(group, dhgrp) g = alg_oakley_dhdef_group(group); if (g == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid DH parameter grp=%d.\n", group); return -1; } if (!g->type || !g->prime || !g->gen1) { /* unsuported */ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unsupported DH parameters grp=%d.\n", group); return -1; } *dhgrp = racoon_calloc(1, sizeof(struct dhgroup)); if (*dhgrp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get DH buffer.\n"); return 0; } 
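Review bot: In the `oakley_setdhgroup` hunk, the `racoon_calloc` failure branch still ends with `return 0;`, i.e. success, leaving `*dhgrp` NULL for a caller that only checks for `-1`; every other error exit in the same function returns -1, so this one should read `return -1;`. The statement is a context line rather than one the commit adds, but the plog conversion already rewrites the enclosing block, so fixing it here costs nothing.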
@@ -558,25 +533,28 @@ oakley_setdhgroup(group, dhgrp) * modify oakley_compute_keymat() accordingly. */ vchar_t * -oakley_prf(key, buf, iph1) - vchar_t *key, *buf; - struct ph1handle *iph1; +oakley_prf(vchar_t *key, vchar_t *buf, phase1_handle_t *iph1) { vchar_t *res = NULL; int type; if (iph1->approval == NULL) { - /* - * it's before negotiating hash algorithm. - * We use md5 as default. - */ - type = OAKLEY_ATTR_HASH_ALG_MD5; + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + /* + * it's before negotiating hash algorithm. + * We use md5 as default. + */ + type = OAKLEY_ATTR_HASH_ALG_MD5; + } else { + type = OAKLEY_ATTR_HASH_ALG_SHA; + } } else - type = iph1->approval->hashtype; - - res = alg_oakley_hmacdef_one(type, key, buf); + { + type = iph1->approval->hashtype; + } + res = alg_oakley_hmacdef_one(type, key, buf); if (res == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid hmac algorithm %d.\n", type); return NULL; } @@ -588,25 +566,32 @@ oakley_prf(key, buf, iph1) * hash */ vchar_t * -oakley_hash(buf, iph1) - vchar_t *buf; - struct ph1handle *iph1; +oakley_hash(vchar_t *buf, phase1_handle_t *iph1) { vchar_t *res = NULL; int type; if (iph1->approval == NULL) { - /* - * it's before negotiating hash algorithm. - * We use md5 as default. - */ - type = OAKLEY_ATTR_HASH_ALG_MD5; - } else - type = iph1->approval->hashtype; + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + /* + * it's before negotiating hash algorithm. + * We use md5 as default. + */ + type = OAKLEY_ATTR_HASH_ALG_MD5; + } else { + type = OAKLEY_ATTR_HASH_ALG_SHA; + } + } else { + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + type = iph1->approval->hashtype; + } else { + type = OAKLEY_ATTR_HASH_ALG_SHA; + } + } res = alg_oakley_hashdef_one(type, buf); if (res == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid hash algorithm %d.\n", type); return NULL; } 
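Review bot: `oakley_hash` now forces `OAKLEY_ATTR_HASH_ALG_SHA` for every non-IKEv1 handle even when `iph1->approval` is set, while `oakley_prf` in the hunk just above uses `iph1->approval->hashtype` for the same handle; the two functions disagree on what the negotiated hash means for IKEv2. If ignoring `approval->hashtype` in `oakley_hash` is intentional, say so next to the `else` branch, e.g. `/* IKEv2: SHA-1 is used here regardless of approval->hashtype -- TODO(review) confirm this is intended */`; otherwise the IKEv2 branch should mirror `oakley_prf`. The IKEv2 callers are not visible from this hunk, so this may well be deliberate.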
@@ -619,9 +604,7 @@ oakley_hash(buf, iph1) * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05. */ int -oakley_compute_keymat(iph2, side) - struct ph2handle *iph2; - int side; +oakley_compute_keymat(phase2_handle_t *iph2, int side) { int error = -1; @@ -631,7 +614,7 @@ oakley_compute_keymat(iph2, side) if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub, iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0) #else - if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub_p, iph2->publicKeySize, &iph2->dhgxy, iph2->dhC) < 0) + if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub_p, iph2->publicKeySize, &iph2->dhgxy, &iph2->dhC) < 0) #endif goto end; } @@ -641,7 +624,7 @@ oakley_compute_keymat(iph2, side) || oakley_compute_keymat_x(iph2, side, OUTBOUND_SA) < 0) goto end; - plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT computed.\n"); + plog(ASL_LEVEL_DEBUG, "KEYMAT computed.\n"); error = 0; @@ -649,6 +632,7 @@ end: return error; } + /* * compute KEYMAT. * KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b). @@ -659,10 +643,7 @@ end: * so we do not implement RFC2409 Appendix B (DOORAK-MAC example). */ static int -oakley_compute_keymat_x(iph2, side, sa_dir) - struct ph2handle *iph2; - int side; - int sa_dir; +oakley_compute_keymat_x(phase2_handle_t *iph2, int side, int sa_dir) { vchar_t *buf = NULL, *res = NULL, *bp; char *p; @@ -683,7 +664,7 @@ oakley_compute_keymat_x(iph2, side, sa_dir) + iph2->nonce_p->l); buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get keymat buffer.\n"); goto end; } @@ -713,8 +694,7 @@ oakley_compute_keymat_x(iph2, side, sa_dir) p += bp->l; /* compute IV */ - plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT compute with\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); + //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "KEYMAT compute with\n"); /* res = K1 */ res = oakley_prf(iph2->ph1->skeyid_d, buf, iph2->ph1); 
@@ -746,16 +726,16 @@ oakley_compute_keymat_x(iph2, side, sa_dir) default: break; } - plog(LLV_DEBUG, LOCATION, NULL, "encklen=%d authklen=%d\n", + plog(ASL_LEVEL_DEBUG, "encklen=%d authklen=%d\n", encklen, authklen); dupkeymat = (encklen + authklen) / 8 / res->l; dupkeymat += 2; /* safety mergin */ if (dupkeymat < 3) dupkeymat = 3; - plog(LLV_DEBUG, LOCATION, NULL, - "generating %zu bits of key (dupkeymat=%d)\n", - dupkeymat * 8 * res->l, dupkeymat); + //plog(ASL_LEVEL_DEBUG, + // "generating %zu bits of key (dupkeymat=%d)\n", + // dupkeymat * 8 * res->l, dupkeymat); if (0 < --dupkeymat) { vchar_t *prev = res; /* K(n-1) */ vchar_t *seed = NULL; /* seed for Kn */ @@ -771,13 +751,13 @@ oakley_compute_keymat_x(iph2, side, sa_dir) * K3 = prf(SKEYID_d, K2 | src) * Kn = prf(SKEYID_d, K(n-1) | src) */ - plog(LLV_DEBUG, LOCATION, NULL, - "generating K1...K%d for KEYMAT.\n", - dupkeymat + 1); + //plog(ASL_LEVEL_DEBUG, + // "generating K1...K%d for KEYMAT.\n", + // dupkeymat + 1); seed = vmalloc(prev->l + buf->l); if (seed == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get keymat buffer.\n"); if (prev && prev != res) vfree(prev); @@ -793,7 +773,7 @@ oakley_compute_keymat_x(iph2, side, sa_dir) this = oakley_prf(iph2->ph1->skeyid_d, seed, iph2->ph1); if (!this) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "oakley_prf memory overflow\n"); if (prev && prev != res) vfree(prev); @@ -811,7 +791,7 @@ oakley_compute_keymat_x(iph2, side, sa_dir) prev = res; if (res == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get keymat buffer.\n"); if (prev && prev != res) vfree(prev); @@ -832,7 +812,7 @@ oakley_compute_keymat_x(iph2, side, sa_dir) vfree(seed); } - plogdump(LLV_DEBUG, res->v, res->l); + //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, ""); if (sa_dir == INBOUND_SA) pr->keymat = res; 
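Review bot: The KEYMAT dumps are neutralised by commenting them out (`//plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "");` here and `//plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "KEYMAT compute with\n");` in the earlier hunk), which leaves dead code that, if someone uncomments it, writes raw IPsec keying material to the log at debug level. Delete those lines and the commented-out "generating %zu bits of key" / "generating K1...K%d" plogs, or replace them with one line stating the policy: `/* KEYMAT and its inputs are never dumped, even at debug level */`. The remaining `encklen=%d authklen=%d` log line reveals only key sizes and is fine to keep.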
@@ -871,10 +851,7 @@ end: * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05. */ vchar_t * -oakley_compute_hash3(iph1, msgid, body) - struct ph1handle *iph1; - u_int32_t msgid; - vchar_t *body; +oakley_compute_hash3(phase1_handle_t *iph1, u_int32_t msgid, vchar_t *body) { vchar_t *buf = 0, *res = 0; int len; @@ -884,7 +861,7 @@ oakley_compute_hash3(iph1, msgid, body) len = 1 + sizeof(u_int32_t) + body->l; buf = vmalloc(len); if (buf == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "failed to get hash buffer\n"); goto end; } @@ -895,9 +872,6 @@ oakley_compute_hash3(iph1, msgid, body) memcpy(buf->v + 1 + sizeof(u_int32_t), body->v, body->l); - plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - /* compute HASH */ res = oakley_prf(iph1->skeyid_a, buf, iph1); if (res == NULL) @@ -905,8 +879,7 @@ oakley_compute_hash3(iph1, msgid, body) error = 0; - plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); - plogdump(LLV_DEBUG, res->v, res->l); + //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "HASH computed:\n"); end: if (buf != NULL) @@ -925,10 +898,7 @@ end: * prf(SKEYID_a, M-ID | N/D) */ vchar_t * -oakley_compute_hash1(iph1, msgid, body) - struct ph1handle *iph1; - u_int32_t msgid; - vchar_t *body; +oakley_compute_hash1(phase1_handle_t *iph1, u_int32_t msgid, vchar_t *body) { vchar_t *buf = NULL, *res = NULL; char *p; @@ -939,7 +909,7 @@ oakley_compute_hash1(iph1, msgid, body) len = sizeof(u_int32_t) + body->l; buf = vmalloc(len); if (buf == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "failed to get hash buffer\n"); goto end; } @@ -951,9 +921,6 @@ oakley_compute_hash1(iph1, msgid, body) memcpy(p, body->v, body->l); - plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - /* compute HASH */ res = oakley_prf(iph1->skeyid_a, buf, iph1); if (res == NULL) 
@@ -961,8 +928,7 @@ oakley_compute_hash1(iph1, msgid, body) error = 0; - plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); - plogdump(LLV_DEBUG, res->v, res->l); + //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "HASH computed:\n"); end: if (buf != NULL) @@ -978,17 +944,12 @@ end: * for gssapi, also include all GSS tokens, and call gss_wrap on the result */ vchar_t * -oakley_ph1hash_common(iph1, sw) - struct ph1handle *iph1; - int sw; +oakley_ph1hash_common(phase1_handle_t *iph1, int sw) { vchar_t *buf = NULL, *res = NULL, *bp; char *p, *bp2; int len, bl; int error = -1; -#ifdef HAVE_GSSAPI - vchar_t *gsstokens = NULL; -#endif /* create buffer */ len = iph1->dhpub->l @@ -997,25 +958,9 @@ oakley_ph1hash_common(iph1, sw) + iph1->sa->l + (sw == GENERATE ? iph1->id->l : iph1->id_p->l); -#ifdef HAVE_GSSAPI - if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { - if (iph1->gi_i != NULL && iph1->gi_r != NULL) { - bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r); - len += bp->l; - } - if (sw == GENERATE) - gssapi_get_itokens(iph1, &gsstokens); - else - gssapi_get_rtokens(iph1, &gsstokens); - if (gsstokens == NULL) - return NULL; - len += gsstokens->l; - } -#endif - buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get hash buffer\n"); goto end; } @@ -1058,21 +1003,6 @@ oakley_ph1hash_common(iph1, sw) memcpy(p, bp->v, bp->l); p += bp->l; -#ifdef HAVE_GSSAPI - if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { - if (iph1->gi_i != NULL && iph1->gi_r != NULL) { - bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r); - memcpy(p, bp->v, bp->l); - p += bp->l; - } - memcpy(p, gsstokens->v, gsstokens->l); - p += gsstokens->l; - } -#endif - - plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - /* compute HASH */ res = oakley_prf(iph1->skeyid, buf, iph1); if (res == NULL) 
@@ -1080,17 +1010,9 @@ oakley_ph1hash_common(iph1, sw) error = 0; - plog(LLV_DEBUG, LOCATION, NULL, "HASH (%s) computed:\n", - iph1->side == INITIATOR ? "init" : "resp"); - plogdump(LLV_DEBUG, res->v, res->l); - end: if (buf != NULL) vfree(buf); -#ifdef HAVE_GSSAPI - if (gsstokens != NULL) - vfree(gsstokens); -#endif return res; } @@ -1102,9 +1024,7 @@ end: * HASH_I = prf(hash(Ni_b | Nr_b), g^xi | CKY-I | CKY-R | SAi_b | IDii_b) */ vchar_t * -oakley_ph1hash_base_i(iph1, sw) - struct ph1handle *iph1; - int sw; +oakley_ph1hash_base_i(phase1_handle_t *iph1, int sw) { vchar_t *buf = NULL, *res = NULL, *bp; vchar_t *hashkey = NULL; @@ -1115,7 +1035,7 @@ oakley_ph1hash_base_i(iph1, sw) /* sanity check */ if (iph1->etype != ISAKMP_ETYPE_BASE) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid etype for this hash function\n"); return NULL; } @@ -1133,32 +1053,24 @@ oakley_ph1hash_base_i(iph1, sw) case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: #endif if (iph1->skeyid == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n"); + plog(ASL_LEVEL_ERR, "no SKEYID found.\n"); return NULL; } hashkey = iph1->skeyid; break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: case OAKLEY_ATTR_AUTH_METHOD_RSASIG: -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: -#endif #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: #endif /* make hash for seed */ len = iph1->nonce->l + iph1->nonce_p->l; buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get hash buffer\n"); goto end; } 
@@ -1182,7 +1094,7 @@ oakley_ph1hash_base_i(iph1, sw) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "not supported authentication method %d\n", iph1->approval->authmethod); return NULL; @@ -1195,7 +1107,7 @@ oakley_ph1hash_base_i(iph1, sw) + (sw == GENERATE ? iph1->id->l : iph1->id_p->l); buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get hash buffer\n"); goto end; } @@ -1217,8 +1129,7 @@ oakley_ph1hash_base_i(iph1, sw) memcpy(p, bp->v, bp->l); p += bp->l; - plog(LLV_DEBUG, LOCATION, NULL, "HASH_I with:\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); + //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "HASH_I with:\n"); /* compute HASH */ res = oakley_prf(hashkey, buf, iph1); @@ -1227,8 +1138,7 @@ oakley_ph1hash_base_i(iph1, sw) error = 0; - plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n"); - plogdump(LLV_DEBUG, res->v, res->l); + //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "HASH_I computed:\n"); end: if (hash != NULL) @@ -1244,9 +1154,7 @@ end: * HASH_R = prf(hash(Ni_b | Nr_b), g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b) */ vchar_t * -oakley_ph1hash_base_r(iph1, sw) - struct ph1handle *iph1; - int sw; +oakley_ph1hash_base_r(phase1_handle_t *iph1, int sw) { vchar_t *buf = NULL, *res = NULL, *bp; vchar_t *hash = NULL; 
@@ -1256,28 +1164,23 @@ oakley_ph1hash_base_r(iph1, sw) /* sanity check */ if (iph1->etype != ISAKMP_ETYPE_BASE) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid etype for this hash function\n"); return NULL; } switch(AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: case OAKLEY_ATTR_AUTH_METHOD_RSASIG: #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: #endif break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "not supported authentication method %d\n", iph1->approval->authmethod); return NULL; @@ -1288,7 +1191,7 @@ oakley_ph1hash_base_r(iph1, sw) len = iph1->nonce->l + iph1->nonce_p->l; buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get hash buffer\n"); goto end; } @@ -1316,7 +1219,7 @@ oakley_ph1hash_base_r(iph1, sw) + (sw == GENERATE ? iph1->id_p->l : iph1->id->l); buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get hash buffer\n"); goto end; } @@ -1343,8 +1246,7 @@ oakley_ph1hash_base_r(iph1, sw) memcpy(p, bp->v, bp->l); p += bp->l; - plog(LLV_DEBUG, LOCATION, NULL, "HASH_R with:\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); + //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "HASH_R with:\n"); /* compute HASH */ res = oakley_prf(hash, buf, iph1); @@ -1353,8 +1255,7 @@ oakley_ph1hash_base_r(iph1, sw) error = 0; - plog(LLV_DEBUG, LOCATION, NULL, "HASH_R computed:\n"); - plogdump(LLV_DEBUG, res->v, res->l); + //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "HASH_R computed:\n"); end: if (buf != NULL) 
@@ -1366,15 +1267,14 @@ end: #if HAVE_OPENDIR static int -oakley_verify_userid(iph1) - struct ph1handle *iph1; +oakley_verify_userid(phase1_handle_t *iph1) { cert_t *p; vchar_t *user_id; int user_id_found = 0; for (p = iph1->cert_p; p; p = p->chain) { - user_id = eay_get_x509_common_name(&p->cert); + user_id = eay_get_x509_common_name(&p->cert); //%%%%%%%% fix this if (user_id) { user_id_found = 1; // the following functions will check if user_id == 0 @@ -1386,39 +1286,16 @@ oakley_verify_userid(iph1) } } if (user_id_found) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "the peer is not authorized for access.\n"); } else { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "the peer is not authorized for access - user ID not found.\n"); } return ISAKMP_NTYPE_AUTHENTICATION_FAILED; } #endif /* HAVE_OPENDIR */ -#ifdef HAVE_OPENSSL -static int -oakley_check_x509cert(certchain, capath, cafile, local) - cert_t *certchain; - char *capath; - char *cafile; - int local; -{ - cert_t *p; - int result = 0; - - for (p = certchain; p; p = p->chain) { - if ((result = eay_check_x509cert(&p->cert, - capath, - cafile, - local))) { - break; - } - } - return result; -} -#endif /* HAVE_OPENSSL */ - /* * compute each authentication method in phase 1. * OUT: @@ -1428,18 +1305,14 @@ oakley_check_x509cert(certchain, capath, cafile, local) * the value is notification type. */ int -oakley_validate_auth(iph1) - struct ph1handle *iph1; +oakley_validate_auth(phase1_handle_t *iph1) { vchar_t *my_hash = NULL; int result; -#ifdef HAVE_GSSAPI - vchar_t *gsshash = NULL; -#endif #ifdef ENABLE_STATS struct timeval start, end; #endif - SecKeyRef publicKeyRef; + SecKeyRef publicKeyRef = NULL; #ifdef ENABLE_STATS gettimeofday(&start, NULL); 
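Review bot: The marker `//%%%%%%%% fix this` appended to `user_id = eay_get_x509_common_name(&p->cert);` in oakley_verify_userid says nothing about what is wrong, and since eay_* is the OpenSSL-backed helper family this commit is otherwise removing (oakley_check_x509cert and its eay_check_x509cert call go away in the following hunk), this looks like the last OpenSSL dependency left on the HAVE_OPENDIR path. Replace it with a comment that states the actual gap, for example `/* TODO: still uses the OpenSSL-backed eay_get_x509_common_name(); move to the SecCertificate API like the rest of this file */`, or resolve it before merge. The loop body that consumes user_id continues outside this hunk.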
@@ -1456,7 +1329,7 @@ oakley_validate_auth(iph1) char *r_hash; if (iph1->id_p == NULL || iph1->pl_hash == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "few isakmp message received.\n"); return ISAKMP_NTYPE_PAYLOAD_MALFORMED; } @@ -1464,7 +1337,7 @@ oakley_validate_auth(iph1) if (AUTHMETHOD(iph1) == FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I && ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0)) { - plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, " + plog(ASL_LEVEL_ERR, "No SIG was passed, " "hybrid auth is enabled, " "but peer is no Xauth compliant\n"); return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED; @@ -1473,25 +1346,28 @@ oakley_validate_auth(iph1) #endif r_hash = (caddr_t)(iph1->pl_hash + 1); - plog(LLV_DEBUG, LOCATION, NULL, "HASH received:\n"); - plogdump(LLV_DEBUG, r_hash, - ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash)); + //plogdump(ASL_LEVEL_DEBUG, r_hash, + // ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash), "HASH received:\n"); - switch (iph1->etype) { - case ISAKMP_ETYPE_IDENT: - case ISAKMP_ETYPE_AGG: - my_hash = oakley_ph1hash_common(iph1, VALIDATE); - break; - case ISAKMP_ETYPE_BASE: - if (iph1->side == INITIATOR) + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + switch (iph1->etype) { + case ISAKMP_ETYPE_IDENT: + case ISAKMP_ETYPE_AGG: my_hash = oakley_ph1hash_common(iph1, VALIDATE); - else - my_hash = oakley_ph1hash_base_i(iph1, VALIDATE); - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid etype %d\n", iph1->etype); - return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; + break; + case ISAKMP_ETYPE_BASE: + if (iph1->side == INITIATOR) + my_hash = oakley_ph1hash_common(iph1, VALIDATE); + else + my_hash = oakley_ph1hash_base_i(iph1, VALIDATE); + break; + default: + plog(ASL_LEVEL_ERR, + "invalid etype %d\n", iph1->etype); + return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; + } + } else { + my_hash = oakley_ph1hash_common(iph1, VALIDATE); } if (my_hash == NULL) return ISAKMP_INTERNAL_ERROR; 
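Review bot: The new `else` branch in the pre-shared-key case of oakley_validate_auth computes `oakley_ph1hash_common(iph1, VALIDATE)`, i.e. the IKEv1 phase-1 HASH, for every non-IKEv1 handle, whereas the signature case later in this function derives the non-IKEv1 value from `ikev2_ike_sa_auth_get_octets`; if the non-IKEv1 path is IKEv2 here as well, a PSK AUTH payload is prf(prf(Shared Secret, "Key Pad for IKEv2"), signed octets), not the IKEv1 HASH, so this branch would never validate a conforming peer. Either derive the PSK value from the same octets or add a comment stating which version the branch is meant for, e.g. `/* non-IKEv1: TODO derive AUTH per RFC 5996 2.15 from the signed octets */`. Separately, the commented-out `plogdump` is the only place the received hash length `ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash)` is computed; the byte comparison against `my_hash->l` that follows is outside this hunk, and a reviewer would want that payload length checked against `my_hash->l` before the bytes are compared, with a constant-time compare. The enclosing function starts before and ends well after this hunk.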
@@ -1500,22 +1376,18 @@ oakley_validate_auth(iph1) vfree(my_hash); if (result) { - plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n"); + plog(ASL_LEVEL_ERR, "HASH mismatched\n"); return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; } - plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n"); + plog(ASL_LEVEL_DEBUG, "HASH for PSK validated.\n"); } break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: case OAKLEY_ATTR_AUTH_METHOD_RSASIG: #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: #endif { int error = 0; 
@@ -1523,75 +1395,29 @@ oakley_validate_auth(iph1) /* validation */ if (iph1->id_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "no ID payload was passed.\n"); return ISAKMP_NTYPE_PAYLOAD_MALFORMED; } if (iph1->sig_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "no SIG payload was passed.\n"); return ISAKMP_NTYPE_PAYLOAD_MALFORMED; } - plog(LLV_DEBUG, LOCATION, NULL, "SIGN passed:\n"); - plogdump(LLV_DEBUG, iph1->sig_p->v, iph1->sig_p->l); + plog(ASL_LEVEL_DEBUG, "*** SIGN passed\n"); /* get peer's cert */ switch (iph1->rmconf->getcert_method) { case ISAKMP_GETCERT_PAYLOAD: if (iph1->cert_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no peer's CERT payload found.\n"); return ISAKMP_INTERNAL_ERROR; } break; -#ifdef HAVE_OPENSSL - case ISAKMP_GETCERT_LOCALFILE: - switch (iph1->rmconf->certtype) { - case ISAKMP_CERT_X509SIGN: - if (iph1->rmconf->peerscertfile == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no peer's CERT file found.\n"); - return ISAKMP_INTERNAL_ERROR; - } - - /* don't use cached cert */ - if (iph1->cert_p != NULL) { - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - } - - error = get_cert_fromlocal(iph1, 0); - break; - - } - if (error) - return ISAKMP_INTERNAL_ERROR; - break; -#endif - case ISAKMP_GETCERT_DNS: - if (iph1->rmconf->peerscertfile != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "why peer's CERT file is defined " - "though getcert method is dns ?\n"); - return ISAKMP_INTERNAL_ERROR; - } - - /* don't use cached cert */ - if (iph1->cert_p != NULL) { - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - } - - iph1->cert_p = dnssec_getcert(iph1->id_p); - if (iph1->cert_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no CERT RR found.\n"); - return ISAKMP_INTERNAL_ERROR; - } - break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid getcert_mothod: %d\n", iph1->rmconf->getcert_method); return ISAKMP_INTERNAL_ERROR; 
@@ -1599,17 +1425,8 @@ oakley_validate_auth(iph1) /* compare ID payload and certificate name */ if (iph1->rmconf->verify_cert && - (error = oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)) != 0) - return error; - - /* check configured peers identifier against cert IDs */ - /* allows checking of specified ID against multiple ids in the cert */ - /* such as multiple domain names */ -#if !TARGET_OS_EMBEDDED - if (iph1->rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER && - (error = oakley_check_certid(iph1, CERT_CHECKID_FROM_RMCONFIG)) != 0) + (error = oakley_check_certid(iph1)) != 0) return error; -#endif #if HAVE_OPENDIR /* check cert common name against Open Directory authentication group */ @@ -1627,7 +1444,6 @@ oakley_validate_auth(iph1) #ifdef ENABLE_HYBRID switch (AUTHMETHOD(iph1)) { case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: certtype = iph1->cert_p->type; break; default: @@ -1658,7 +1474,7 @@ oakley_validate_auth(iph1) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unknown address type for peers identifier.\n"); return ISAKMP_NTYPE_AUTHENTICATION_FAILED; break; 
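Review bot: This hunk removes the `VERIFICATION_OPTION_PEERS_IDENTIFIER` branch (oakley_check_certid with CERT_CHECKID_FROM_RMCONFIG) without a replacement, leaving `oakley_check_certid(iph1)`, which in its rewritten form further down only compares the certificate against the ID payload the peer itself sent. That proves the certificate and the asserted ID are self-consistent; it does not prove the peer is the identity configured in `rmconf`, which is what the removed check enforced, so unless that comparison now happens elsewhere (not visible here) a peer holding any certificate the chain trusts could present a matching ID of its own choosing. If the removal is intentional, a comment at the call site should record where the configured-identifier check moved: `/* ID payload vs. certificate only; peer identity vs. the configured rmconf identifier is enforced in <where> */`. oakley_validate_auth continues outside this hunk.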
@@ -1673,35 +1489,41 @@ oakley_validate_auth(iph1) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no supported certtype %d\n", certtype); return ISAKMP_INTERNAL_ERROR; } if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "the peer's certificate is not verified.\n"); return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY; } } - plog(LLV_DEBUG, LOCATION, NULL, "CERT validated\n"); + plog(ASL_LEVEL_DEBUG, "CERT validated\n"); - /* compute hash */ - switch (iph1->etype) { - case ISAKMP_ETYPE_IDENT: - case ISAKMP_ETYPE_AGG: - my_hash = oakley_ph1hash_common(iph1, VALIDATE); - break; - case ISAKMP_ETYPE_BASE: - if (iph1->side == INITIATOR) - my_hash = oakley_ph1hash_base_r(iph1, VALIDATE); - else - my_hash = oakley_ph1hash_base_i(iph1, VALIDATE); - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid etype %d\n", iph1->etype); - return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + /* compute hash */ + switch (iph1->etype) { + case ISAKMP_ETYPE_IDENT: + case ISAKMP_ETYPE_AGG: + my_hash = oakley_ph1hash_common(iph1, VALIDATE); + break; + case ISAKMP_ETYPE_BASE: + if (iph1->side == INITIATOR) + my_hash = oakley_ph1hash_base_r(iph1, VALIDATE); + else + my_hash = oakley_ph1hash_base_i(iph1, VALIDATE); + break; + default: + plog(ASL_LEVEL_ERR, + "invalid etype %d\n", iph1->etype); + return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; + } + } else { + vchar_t *octets = NULL; + octets = ikev2_ike_sa_auth_get_octets(iph1, (iph1->side == INITIATOR)? FALSE : TRUE); + my_hash = alg_oakley_hashdef_one(OAKLEY_ATTR_HASH_ALG_SHA, octets); } if (my_hash == NULL) return ISAKMP_INTERNAL_ERROR; @@ -1711,7 +1533,6 @@ oakley_validate_auth(iph1) #ifdef ENABLE_HYBRID switch (AUTHMETHOD(iph1)) { case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: certtype = iph1->cert_p->type; break; default: 
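Review bot: In the new non-IKEv1 branch of oakley_validate_auth, the `octets` buffer returned by `ikev2_ike_sa_auth_get_octets` is never freed and is passed to `alg_oakley_hashdef_one` without a NULL check, so a failure to build the signed octets becomes a NULL dereference inside the hash helper (assuming, like the other vchar_t helpers in this file, it neither accepts NULL nor takes ownership) and every successful call leaks the buffer. The digest is also hard-coded to `OAKLEY_ATTR_HASH_ALG_SHA` instead of following what the signature scheme negotiated; if SHA-1 is all `crypto_cssm_verify_x509sign(..., TRUE)` supports, a comment should say so. Suggested shape below; the rest of the function is outside this hunk.
```c
	} else {
		/* non-IKEv1: hash the initiator/responder signed octets. SHA-1 is
		 * hard-coded because that is what the cssm verify path expects — confirm. */
		vchar_t *octets = ikev2_ike_sa_auth_get_octets(iph1, (iph1->side == INITIATOR) ? FALSE : TRUE);
		if (octets == NULL) {
			plog(ASL_LEVEL_ERR, "failed to get signed octets for AUTH\n");
			return ISAKMP_INTERNAL_ERROR;
		}
		my_hash = alg_oakley_hashdef_one(OAKLEY_ATTR_HASH_ALG_SHA, octets);
		vfree(octets);
	}
```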
@@ -1720,93 +1541,54 @@ oakley_validate_auth(iph1) #endif /* check signature */ switch (certtype) { - case ISAKMP_CERT_X509SIGN: - case ISAKMP_CERT_DNS: - if (publicKeyRef == NULL) - plog(LLV_ERROR, LOCATION, NULL, "@@@@@@ publicKeyRef is NULL\n"); - error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p); - if (error) - plog(LLV_ERROR, LOCATION, NULL, "error verifying signature %s\n", GetSecurityErrorString(error)); - - CFRelease(publicKeyRef); - break; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "no supported certtype %d\n", - certtype); - vfree(my_hash); - return ISAKMP_INTERNAL_ERROR; + case ISAKMP_CERT_X509SIGN: + if (publicKeyRef == NULL) { + plog(ASL_LEVEL_ERR, "@@@@@@ publicKeyRef is NULL\n"); + } + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p, FALSE); + } else { + error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p, TRUE); + } + if (error) { + plog(ASL_LEVEL_ERR, "error verifying signature %s\n", GetSecurityErrorString(error)); + } + + CFRelease(publicKeyRef); + break; + default: + plog(ASL_LEVEL_ERR, + "no supported certtype %d\n", + certtype); + vfree(my_hash); + return ISAKMP_INTERNAL_ERROR; } vfree(my_hash); if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid SIG.\n"); return ISAKMP_NTYPE_INVALID_SIGNATURE; } - plog(LLV_DEBUG, LOCATION, NULL, "SIG authenticated\n"); + plog(ASL_LEVEL_DEBUG, "SIG authenticated\n"); } break; #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: { if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, " + plog(ASL_LEVEL_ERR, "No SIG was passed, " "hybrid auth is enabled, " "but peer is no Xauth compliant\n"); return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED; break; } - plog(LLV_INFO, LOCATION, NULL, "No SIG was passed, " + plog(ASL_LEVEL_INFO, "No SIG was passed, 
" "but hybrid auth is enabled\n"); return 0; break; } -#endif -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - /* check if we're not into XAUTH_PSKEY_I instead */ -#ifdef ENABLE_HYBRID - if (iph1->rmconf->xauth) - break; -#endif - switch (iph1->etype) { - case ISAKMP_ETYPE_IDENT: - case ISAKMP_ETYPE_AGG: - my_hash = oakley_ph1hash_common(iph1, VALIDATE); - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid etype %d\n", iph1->etype); - return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; - } - - if (my_hash == NULL) { - if (gssapi_more_tokens(iph1)) - return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; - else - return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - } - - gsshash = gssapi_unwraphash(iph1); - if (gsshash == NULL) { - vfree(my_hash); - return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - } - - result = memcmp(my_hash->v, gsshash->v, my_hash->l); - vfree(my_hash); - vfree(gsshash); - - if (result) { - plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n"); - return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - } - plog(LLV_DEBUG, LOCATION, NULL, "hash compared OK\n"); - break; #endif case OAKLEY_ATTR_AUTH_METHOD_RSAENC: case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 
@@ -1817,23 +1599,23 @@ oakley_validate_auth(iph1) case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: #endif if (iph1->id_p == NULL || iph1->pl_hash == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "few isakmp message received.\n"); return ISAKMP_NTYPE_PAYLOAD_MALFORMED; } - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "not supported authmethod type %s\n", s_oakley_attr_method(iph1->approval->authmethod)); return ISAKMP_INTERNAL_ERROR; default: - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "invalid authmethod %d why ?\n", iph1->approval->authmethod); return ISAKMP_INTERNAL_ERROR; } #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", __func__, + plog(ASL_LEVEL_NOTICE, "%s(%s): %8.6f", __func__, s_oakley_attr_method(iph1->approval->authmethod), timedelta(&start, &end)); #endif @@ -1856,8 +1638,7 @@ oakley_find_status_in_certchain (cert_t *certchain, cert_status_t certStatus) static int -oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (struct ph1handle *iph1, - int notify_initiator) +oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (phase1_handle_t *iph1, int notify_initiator) { #if TARGET_OS_EMBEDDED int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE); @@ -1886,8 +1667,7 @@ oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (struct ph1handle *iph1, * NOTE: include certificate type. */ int -oakley_getmycert(iph1) - struct ph1handle *iph1; +oakley_getmycert(phase1_handle_t *iph1) { int err; @@ -1901,9 +1681,8 @@ oakley_getmycert(iph1) } } return err; - default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unknown certtype #%d\n", iph1->rmconf->certtype); return -1; 
@@ -1918,28 +1697,19 @@ oakley_getmycert(iph1) * my == 0 peer's cert. */ static int -get_cert_fromlocal(iph1, my) - struct ph1handle *iph1; - int my; +get_cert_fromlocal(phase1_handle_t *iph1, int my) { -#ifdef HAVE_OPENSSL - char path[MAXPATHLEN]; -#endif vchar_t *cert = NULL; cert_t **certpl; - char *certfile; int error = -1; cert_status_t status = CERT_STATUS_OK; - if (my) { - certfile = iph1->rmconf->mycertfile; + if (my) certpl = &iph1->cert; - } else { - certfile = iph1->rmconf->peerscertfile; + else certpl = &iph1->cert_p; - } - if (!certfile && iph1->rmconf->identity_in_keychain == 0) { - plog(LLV_ERROR, LOCATION, NULL, "no CERT defined.\n"); + if (iph1->rmconf->identity_in_keychain == 0) { + plog(ASL_LEVEL_ERR, "no CERT defined.\n"); return 0; } @@ -1951,29 +1721,19 @@ get_cert_fromlocal(iph1, my) if (iph1->rmconf->keychainCertRef == NULL || base64toCFData(iph1->rmconf->keychainCertRef, &dataRef)) goto end; cert = crypto_cssm_get_x509cert(dataRef, &status); - plog(LLV_DEBUG, LOCATION, NULL, "done with chking cert status %d\n",status); + plog(ASL_LEVEL_DEBUG, "done with chking cert status %d\n",status); CFRelease(dataRef); break; } // else fall thru -#ifdef HAVE_OPENSSL - case ISAKMP_CERT_DNS: - /* make public file name */ - getpathname(path, sizeof(path), LC_PATHTYPE_CERT, certfile); - cert = eay_get_x509cert(path); - if (cert) { - oakley_cert_prettyprint(cert); - }; - break; -#endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "not supported certtype %d\n", iph1->rmconf->certtype); goto end; } if (!cert) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get %s CERT.\n", my ? "my" : "peers"); goto end; 
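Review bot: get_cert_fromlocal now answers `identity_in_keychain == 0` with `return 0` after logging `no CERT defined`, which is the same value it returns when a certificate was actually loaded into `*certpl`, while every other failure in the function goes through `goto end` with `error = -1`; a caller testing the return cannot tell "nothing configured" from "cert loaded". The old `!certfile && ...` test had the same shape, but with the file-path variant gone this is now the only success-without-certificate exit, so either return the error or document the contract: `/* no identity configured: not an error here, caller must check *certpl for NULL */`. The `end:` label and the function's tail are outside this hunk.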
@@ -1981,13 +1741,13 @@ get_cert_fromlocal(iph1, my) *certpl = oakley_newcert(); if (!*certpl) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get cert buffer.\n"); goto end; } (*certpl)->pl = vmalloc(cert->l + 1); if ((*certpl)->pl == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get cert buffer\n"); oakley_delcert(*certpl); *certpl = NULL; @@ -2000,9 +1760,7 @@ get_cert_fromlocal(iph1, my) (*certpl)->cert.v = (*certpl)->pl->v + 1; (*certpl)->cert.l = (*certpl)->pl->l - 1; - plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n"); - plogdump(LLV_DEBUG, (*certpl)->pl->v, (*certpl)->pl->l); - oakley_cert_prettyprint(cert); + plog(ASL_LEVEL_DEBUG, "created CERT payload\n"); error = 0; @@ -2016,12 +1774,8 @@ end: /* get signature */ int -oakley_getsign(iph1) - struct ph1handle *iph1; +oakley_getsign(phase1_handle_t *iph1) { -#ifdef HAVE_OPENSSL - char path[MAXPATHLEN]; -#endif vchar_t *privkey = NULL; int error = -1; @@ -2038,19 +1792,18 @@ oakley_getsign(iph1) break; } // else fall thru default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unknown certtype #%d\n", iph1->rmconf->certtype); goto end; } if (iph1->sig == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "failed to sign.\n"); + plog(ASL_LEVEL_ERR, "failed to sign.\n"); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "SIGN computed:\n"); - plogdump(LLV_DEBUG, iph1->sig->v, iph1->sig->l); + //plogdump(ASL_LEVEL_DEBUG, iph1->sig->v, iph1->sig->l, "SIGN computed:\n"); error = 0; @@ -2062,12 +1815,11 @@ end: } void -oakley_verify_certid(iph1) -struct ph1handle *iph1; +oakley_verify_certid(phase1_handle_t *iph1) { if (iph1->rmconf->verify_cert && - oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)){ - plog(LLV_DEBUG, LOCATION, NULL, + oakley_check_certid(iph1)){ + plog(ASL_LEVEL_DEBUG, "Discarding CERT: does not match ID:\n"); oakley_delcert(iph1->cert_p); iph1->cert_p = NULL; 
@@ -2075,11 +1827,7 @@ struct ph1handle *iph1; } static int -oakley_check_certid_in_certchain(certchain, idtype, idlen, id) - cert_t *certchain; - int idtype; - int idlen; - void *id; +oakley_check_certid_in_certchain(cert_t *certchain, int idtype, int idlen, void *id) { cert_t *p; @@ -2092,8 +1840,7 @@ oakley_check_certid_in_certchain(certchain, idtype, idlen, id) } cert_t * -oakley_get_peer_cert_from_certchain(iph1) - struct ph1handle * iph1; +oakley_get_peer_cert_from_certchain(phase1_handle_t * iph1) { cert_t *p; struct ipsecdoi_id_b *id_b; @@ -2101,7 +1848,7 @@ oakley_get_peer_cert_from_certchain(iph1) void *peers_id; if (!iph1->id_p || !iph1->cert_p) { - plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n"); + plog(ASL_LEVEL_ERR, "no ID nor CERT found.\n"); return NULL; } if (!iph1->cert_p->chain) { 
@@ -2124,183 +1871,90 @@ oakley_get_peer_cert_from_certchain(iph1) * compare certificate name and ID value. */ static int -oakley_check_certid(iph1, which_id) - struct ph1handle *iph1; - int which_id; +oakley_check_certid(phase1_handle_t *iph1) { struct ipsecdoi_id_b *id_b; int idlen; u_int8_t doi_type = 255; void *peers_id = NULL; - struct genlist_entry *gpb = NULL; - if (which_id == CERT_CHECKID_FROM_PEER) { - /* use ID from peer */ - if (iph1->id_p == NULL || iph1->cert_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n"); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v; - doi_type = id_b->type; - peers_id = id_b + 1; - idlen = iph1->id_p->l - sizeof(*id_b); - - return oakley_check_certid_in_certchain(iph1->cert_p, doi_type, idlen, peers_id); + /* use ID from peer */ + if (iph1->id_p == NULL || iph1->cert_p == NULL) { + plog(ASL_LEVEL_ERR, "no ID nor CERT found.\n"); + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + } + id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v; + doi_type = id_b->type; + peers_id = id_b + 1; + idlen = iph1->id_p->l - sizeof(*id_b); + + return oakley_check_certid_in_certchain(iph1->cert_p, doi_type, idlen, peers_id); - } else { - /* use ID from remote configuration */ - /* check each ID in list */ - struct idspec *id_spec; - - for (id_spec = genlist_next (iph1->rmconf->idvl_p, &gpb); id_spec; id_spec = genlist_next (0, &gpb)) { - - if (id_spec->idtype == IDTYPE_ADDRESS) { - switch ((ALIGNED_CAST(struct sockaddr_storage *)(id_spec->id->v))->ss_family) { - case AF_INET: - doi_type = IPSECDOI_ID_IPV4_ADDR; - idlen = sizeof(struct in_addr); - peers_id = &((ALIGNED_CAST(struct sockaddr_in *)(id_spec->id->v))->sin_addr.s_addr); - break; - #ifdef INET6 - case AF_INET6: - doi_type = IPSECDOI_ID_IPV6_ADDR; - idlen = sizeof(struct in6_addr); - peers_id = &((ALIGNED_CAST(struct sockaddr_in6 *)(id_spec->id->v))->sin6_addr.s6_addr); - break; - #endif - default: - 
plog(LLV_ERROR, LOCATION, NULL, - "unknown address type for peers identifier.\n"); - return ISAKMP_NTYPE_AUTHENTICATION_FAILED; - break; - } - - } else { - doi_type = idtype2doi(id_spec->idtype); - peers_id = id_spec->id->v; - idlen = id_spec->id->l; - } - if (oakley_check_certid_in_certchain(iph1->cert_p, doi_type, idlen, peers_id) == 0) - return 0; - } - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } } - + static int -oakley_check_certid_1(cert, idtype, idlen, id, certStatus) - vchar_t *cert; - int idtype; - int idlen; - void *id; - cert_status_t *certStatus; +oakley_check_certid_1(vchar_t *cert, int idtype, int idlen, void *id, cert_status_t *certStatus) { int len; - int error; + int error = 0; #if !TARGET_OS_EMBEDDED int type; - vchar_t *name = NULL; char *altname = NULL; #endif switch (idtype) { case IPSECDOI_ID_DER_ASN1_DN: -#if TARGET_OS_EMBEDDED { - SecCertificateRef certificate; - CFDataRef subject; - UInt8* namePtr; - - certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert); + CFDataRef subject; + SecCertificateRef certificate; + UInt8* namePtr; + + certificate = crypto_cssm_x509cert_CreateSecCertificateRef(cert); if (certificate == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "failed to get SecCertificateRef\n"); + plog(ASL_LEVEL_ERR, + "failed to get SecCertificateRef\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID; } - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - subject = SecCertificateCopySubjectSequence(certificate); - if (subject == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectName\n"); - if (certStatus && !*certStatus) { - *certStatus = CERT_STATUS_INVALID_SUBJNAME; - } - CFRelease(certificate); return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - len = CFDataGetLength(subject); - namePtr = CFDataGetBytePtr(subject); - if (idlen != len) { - plog(LLV_ERROR, LOCATION, NULL, "Invalid ID length in phase 1.\n"); - if (certStatus && !*certStatus) { - *certStatus = CERT_STATUS_INVALID_SUBJNAME; - } - 
CFRelease(subject); - CFRelease(certificate); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - error = memcmp(id, namePtr, idlen); - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ID mismatched with subjectName.\n"); - plog(LLV_ERROR, LOCATION, NULL, - "subjectName (type %s):\n", - s_ipsecdoi_ident(idtype)); - plogdump(LLV_ERROR, namePtr, len); - plog(LLV_ERROR, LOCATION, NULL, - "ID:\n"); - plogdump(LLV_ERROR, id, idlen); - if (certStatus && !*certStatus) { - *certStatus = CERT_STATUS_INVALID_SUBJNAME; - } - CFRelease(certificate); - CFRelease(subject); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } + } + subject = crypto_cssm_CopySubjectSequence(certificate); + if (subject == NULL) { + plog(ASL_LEVEL_ERR, "failed to get certificate subjectName\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJNAME; + } + error = ISAKMP_NTYPE_INVALID_CERTIFICATE; + } else { + len = CFDataGetLength(subject); + namePtr = (UInt8*)CFDataGetBytePtr(subject); + if (namePtr) { + if (idlen != len || memcmp(id, namePtr, idlen)) { + plog(ASL_LEVEL_ERR, "ID mismatched with certificate subjectName\n"); + error =ISAKMP_NTYPE_INVALID_ID_INFORMATION; + } + } else { + plog(ASL_LEVEL_ERR, "no certificate subjectName found\n"); + error = ISAKMP_NTYPE_INVALID_CERTIFICATE; + } + } + if (error) { + plog(ASL_LEVEL_ERR, + "ID mismatched with certificate subjectName\n"); + plogdump(ASL_LEVEL_ERR, namePtr, len, "subjectName (type %s):\n", + s_ipsecdoi_ident(idtype)); + plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJNAME; + } + } CFRelease(certificate); CFRelease(subject); - } -#else - name = eay_get_x509asn1subjectname(cert); - if (!name) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get subjectName\n"); - if (certStatus && !*certStatus) { - *certStatus = CERT_STATUS_INVALID_SUBJNAME; - } - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - if (idlen != name->l) { - plog(LLV_ERROR, 
LOCATION, NULL, - "Invalid ID length in phase 1.\n"); - vfree(name); - if (certStatus && !*certStatus) { - *certStatus = CERT_STATUS_INVALID_SUBJNAME; - } - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - error = memcmp(id, name->v, idlen); - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ID mismatched with subjectName.\n"); - plog(LLV_ERROR, LOCATION, NULL, - "subjectName (type %s):\n", - s_ipsecdoi_ident(idtype)); - plogdump(LLV_ERROR, name->v, name->l); - plog(LLV_ERROR, LOCATION, NULL, - "ID:\n"); - plogdump(LLV_ERROR, id, idlen); - vfree(name); - if (certStatus && !*certStatus) { - *certStatus = CERT_STATUS_INVALID_SUBJNAME; - } - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - vfree(name); -#endif - return 0; + return 0; + } + break; case IPSECDOI_ID_IPV4_ADDR: case IPSECDOI_ID_IPV6_ADDR: @@ -2310,10 +1964,10 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) SecCertificateRef certificate; CFArrayRef addresses; #define ADDRESS_BUF_SIZE 64 - - certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert); + + certificate = crypto_cssm_x509cert_CreateSecCertificateRef(cert); if (certificate == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get SecCertificateRef\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID; @@ -2322,7 +1976,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) } addresses = SecCertificateCopyIPAddresses(certificate); if (addresses == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectName\n"); + plog(ASL_LEVEL_ERR, "failed to get subjectName\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; } @@ -2343,7 +1997,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) continue; addressBuf = racoon_malloc(ADDRESS_BUF_SIZE); if (addressBuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "out of memory\n"); + plog(ASL_LEVEL_ERR, "out of memory\n"); CFRelease(addresses); CFRelease(certificate); return -1; 
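Review bot: In the rewritten IPSECDOI_ID_DER_ASN1_DN case of oakley_check_certid_1, `error` is set on a subject/ID mismatch and on a missing subject, but the case then unconditionally executes `return 0;` after the two CFRelease calls, so as read here a certificate whose subject does not match the ID payload is reported as a match to oakley_check_certid_in_certchain, where the previous code returned ISAKMP_NTYPE_INVALID_ID_INFORMATION; unless the caller (outside this hunk) acts on `*certStatus` rather than the return value, that is an identity-binding bypass and the tail must be `return error;`. The error path also crashes on its own: when `crypto_cssm_CopySubjectSequence` returns NULL, `plogdump(ASL_LEVEL_ERR, namePtr, len, ...)` dumps an uninitialised pointer and length, and `CFRelease(subject)` is then called with NULL, which aborts. Suggested tail below; the remaining cases of the switch are outside this hunk.
```c
		CFDataRef subject = NULL;
		SecCertificateRef certificate;
		UInt8 *namePtr = NULL;
		/* … unchanged: CreateSecCertificateRef, CopySubjectSequence, subject/ID comparison … */
		if (error) {
			plog(ASL_LEVEL_ERR, "ID mismatched with certificate subjectName\n");
			if (namePtr)	/* len is only valid when a subject sequence was obtained */
				plogdump(ASL_LEVEL_ERR, namePtr, len, "subjectName (type %s):\n",
						 s_ipsecdoi_ident(idtype));
			plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n");
			if (certStatus && !*certStatus) {
				*certStatus = CERT_STATUS_INVALID_SUBJNAME;
			}
		}
		CFRelease(certificate);
		if (subject)
			CFRelease(subject);
		return error;	/* 0 only when the subject matched the ID payload */
```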
@@ -2361,11 +2015,10 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) } else racoon_free(addressBuf); } - plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n"); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ID mismatched with subjectAltName.\n"); + plog(ASL_LEVEL_ERR, "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype)); - plog(LLV_ERROR, LOCATION, NULL, "ID:\n"); - plogdump(LLV_ERROR, id, idlen); + plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n"); CFRelease(addresses); CFRelease(certificate); if (certStatus && !*certStatus) { @@ -2382,16 +2035,16 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) int pos; - if (idtype == IPSECDOI_ID_IPV4_ADDR && idlen != sizeof(struct in_addr) - || idtype == IPSECDOI_ID_IPV6_ADDR && idlen != sizeof(struct in6_addr)) { - plog(LLV_ERROR, LOCATION, NULL, + if ((idtype == IPSECDOI_ID_IPV4_ADDR && idlen != sizeof(struct in_addr)) + || (idtype == IPSECDOI_ID_IPV6_ADDR && idlen != sizeof(struct in6_addr))) { + plog(ASL_LEVEL_ERR, "invalid address length passed.\n"); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } for (pos = 1; ; pos++) { if (eay_get_x509subjectaltname(cert, &altname, &type, pos, &len) !=0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get subjectAltName\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; @@ -2401,7 +2054,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) /* it's the end condition of the loop. */ if (!altname) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid subjectAltName\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; 
@@ -2436,13 +2089,11 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) #endif else { /* invalid IP address length in certificate - bad or bogus certificate */ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid IP address in certificate.\n"); - plog(LLV_ERROR, LOCATION, NULL, - "subjectAltName (expected type %s, got type %s):\n", - s_ipsecdoi_ident(idtype), - s_ipsecdoi_ident(type)); - plogdump(LLV_ERROR, altname, len); + plogdump(ASL_LEVEL_ERR, altname, len, "subjectAltName (expected type %s, got type %s):\n", + s_ipsecdoi_ident(idtype), + s_ipsecdoi_ident(type)); racoon_free(altname); altname = NULL; if (certStatus && !*certStatus) { @@ -2459,16 +2110,12 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) return 0; } /* failed to find a match */ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ID mismatched with subjectAltName.\n"); - plog(LLV_ERROR, LOCATION, NULL, - "subjectAltName (expected type %s, got type %s):\n", - s_ipsecdoi_ident(idtype), - s_ipsecdoi_ident(type)); - plogdump(LLV_ERROR, altname, len); - plog(LLV_ERROR, LOCATION, NULL, - "ID:\n"); - plogdump(LLV_ERROR, id, idlen); + plogdump(ASL_LEVEL_ERR, altname, len, "subjectAltName (expected type %s, got type %s):\n", + s_ipsecdoi_ident(idtype), + s_ipsecdoi_ident(type)); + plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n"); racoon_free(altname); if (certStatus && !*certStatus) *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; @@ -2485,9 +2132,9 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) CFArrayRef names; CFStringRef name, ID; - certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert); + certificate = crypto_cssm_x509cert_CreateSecCertificateRef(cert); if (certificate == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get SecCertificateRef\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID; 
@@ -2496,7 +2143,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) } names = SecCertificateCopyDNSNames(certificate); if (names == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get subjectName\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; @@ -2505,12 +2152,12 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) return ISAKMP_NTYPE_INVALID_CERTIFICATE; } count = CFArrayGetCount(names); - ID = CFStringCreateWithCString(NULL, id, kCFStringEncodingUTF8); + ID = CFStringCreateWithBytes(kCFAllocatorDefault, id, idlen, kCFStringEncodingUTF8, FALSE); if (ID== NULL) { - plog(LLV_ERROR, LOCATION, NULL, "memory error\n"); + plog(ASL_LEVEL_ERR, "memory error\n"); CFRelease(names); CFRelease(certificate); - + return 0; } for (pos = 0; pos < count; pos++) { name = CFArrayGetValueAtIndex(names, pos); @@ -2521,11 +2168,10 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) return 0; } } - plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n"); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ID mismatched with subjectAltName.\n"); + plog(ASL_LEVEL_ERR, "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype)); - plog(LLV_ERROR, LOCATION, NULL, "ID:\n"); - plogdump(LLV_ERROR, id, idlen); + plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n"); CFRelease(ID); CFRelease(names); CFRelease(certificate); @@ -2543,9 +2189,9 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) CFArrayRef names; CFStringRef name, ID; - certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert); + certificate = crypto_cssm_x509cert_CreateSecCertificateRef(cert); if (certificate == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get SecCertificateRef\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID; 
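Review bot: In the `ID == NULL` branch of the DNS-name case, the new `return 0;` reports the subjectAltName check as passed even though no comparison string could be built, and `*certStatus` is left untouched. CFStringCreateWithBytes returns NULL not only on allocation failure but also when the bytes are not valid in the given encoding, so a peer ID payload that is not well-formed UTF-8 would now skip the match instead of failing it. The RFC822 case in hunk `@@ -2563` records `*certStatus = CERT_STATUS_INVALID` on the same failure; this branch should do the same and return a non-zero code, e.g. `if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID; } return ISAKMP_NTYPE_INVALID_ID_INFORMATION;` in place of `return 0;`. oakley_check_certid_1 begins and ends outside this hunk.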
@@ -2554,7 +2200,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) } names = SecCertificateCopyRFC822Names(certificate); if (names == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get subjectName\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; @@ -2563,9 +2209,9 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) return ISAKMP_NTYPE_INVALID_CERTIFICATE; } count = CFArrayGetCount(names); - ID = CFStringCreateWithCString(NULL, id, kCFStringEncodingUTF8); + ID = CFStringCreateWithBytes(kCFAllocatorDefault, id, idlen, kCFStringEncodingUTF8, FALSE); if (ID == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "memory error\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID; @@ -2583,11 +2229,10 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) return 0; } } - plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n"); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ID mismatched with subjectAltName.\n"); + plog(ASL_LEVEL_ERR, "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype)); - plog(LLV_ERROR, LOCATION, NULL, "ID:\n"); - plogdump(LLV_ERROR, id, idlen); + plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n"); CFRelease(ID); CFRelease(names); CFRelease(certificate); @@ -2604,7 +2249,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) for (pos = 1; ; pos++) { if (eay_get_x509subjectaltname(cert, &altname, &type, pos, &len) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get subjectAltName\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; @@ -2614,7 +2259,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) /* it's the end condition of the loop. */ if (!altname) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid subjectAltName\n"); if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; 
@@ -2641,15 +2286,15 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) racoon_free(altname); return 0; } - plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n"); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ID mismatched with subjectAltName.\n"); + plog(ASL_LEVEL_ERR, "subjectAltName (expected type %s, got type %s):\n", s_ipsecdoi_ident(idtype), s_ipsecdoi_ident(type)); - plogdump(LLV_ERROR, altname, len); - plog(LLV_ERROR, LOCATION, NULL, - "ID:\n"); - plogdump(LLV_ERROR, id, idlen); + plogdump(ASL_LEVEL_ERR, altname, len, "subjectAltName (expected type %s, got type %s):\n", + s_ipsecdoi_ident(idtype), + s_ipsecdoi_ident(type)); + plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n"); racoon_free(altname); if (certStatus && !*certStatus) *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; @@ -2657,7 +2302,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) } #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Impropper ID type passed: %s.\n", s_ipsecdoi_ident(idtype)); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; @@ -2666,8 +2311,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) } #ifdef HAVE_OPENSSL static int -check_typeofcertname(doi, genid) - int doi, genid; +check_typeofcertname(int doi, int genid) { switch (doi) { case IPSECDOI_ID_IPV4_ADDR: 
@@ -2701,162 +2345,49 @@ check_typeofcertname(doi, genid) * save certificate including certificate type. */ int -oakley_savecert(iph1, gen) - struct ph1handle *iph1; - struct isakmp_gen *gen; +oakley_savecert(phase1_handle_t *iph1, struct isakmp_gen *gen) { cert_t **c; u_int8_t type; -#ifdef HAVE_OPENSSL - STACK_OF(X509) *certs=NULL; - PKCS7 *p7; -#endif type = *(u_int8_t *)(gen + 1) & 0xff; switch (type) { - case ISAKMP_CERT_DNS: - plog(LLV_WARNING, LOCATION, NULL, - "CERT payload is unnecessary in DNSSEC. " - "ignore this CERT payload.\n"); - return 0; - case ISAKMP_CERT_PKCS7: - case ISAKMP_CERT_PGP: case ISAKMP_CERT_X509SIGN: - case ISAKMP_CERT_KERBEROS: - case ISAKMP_CERT_SPKI: c = &iph1->cert_p; break; - case ISAKMP_CERT_CRL: - c = &iph1->crl_p; - break; - case ISAKMP_CERT_X509KE: - case ISAKMP_CERT_X509ATTR: - case ISAKMP_CERT_ARL: - plog(LLV_ERROR, LOCATION, NULL, - "No supported such CERT type %d\n", type); - return -1; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid CERT type %d\n", type); return -1; } if (*c) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "preexisting CERT payload... chaining.\n"); } -#ifdef HAVE_OPENSSL - if (type == ISAKMP_CERT_PKCS7) { - u_char *bp; - int i; - - /* Skip the header */ - bp = (u_char *)(gen + 1); - /* And the first byte is the certificate type, - * we know that already - */ - bp++; - p7 = d2i_PKCS7(NULL, (void *)&bp, - ntohs(gen->len) - sizeof(*gen) - 1); - - if (!p7) { - plog(LLV_ERROR, LOCATION, NULL, - "Failed to parse PKCS#7 CERT.\n"); - return -1; - } - - /* Copied this from the openssl pkcs7 application; - * there"s little by way of documentation for any of - * it. I can only presume it"s correct. 
- */ - - i = OBJ_obj2nid(p7->type); - switch (i) { - case NID_pkcs7_signed: - certs=p7->d.sign->cert; - break; - case NID_pkcs7_signedAndEnveloped: - certs=p7->d.signed_and_enveloped->cert; - break; - default: - break; - } - - if (!certs) { - plog(LLV_ERROR, LOCATION, NULL, - "CERT PKCS#7 bundle contains no certs.\n"); - PKCS7_free(p7); - return -1; - } - - for (i = 0; i < sk_X509_num(certs); i++) { - int len; - u_char *bp; - cert_t *new; - X509 *cert = sk_X509_value(certs,i); - - plog(LLV_DEBUG, LOCATION, NULL, - "Trying PKCS#7 cert %d.\n", i); - /* We'll just try each cert in turn */ - new = save_certx509(cert); - if (!new) { - plog(LLV_ERROR, LOCATION, NULL, - "Failed to get CERT buffer.\n"); - continue; - } - *c = oakley_appendcert_to_certchain(*c, new); - plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); - plogdump(LLV_DEBUG, new->cert.v, new->cert.l); - oakley_cert_prettyprint(&new->cert); - } - PKCS7_free(p7); - - } else -#endif - { - cert_t *new; - new = save_certbuf(gen); - if (!new) { - plog(LLV_ERROR, LOCATION, NULL, - "Failed to get CERT buffer.\n"); - return -1; - } + cert_t *new; + new = save_certbuf(gen); + if (!new) { + plog(ASL_LEVEL_ERR, + "Failed to get CERT buffer.\n"); + return -1; + } - switch (new->type) { - case ISAKMP_CERT_DNS: - plog(LLV_WARNING, LOCATION, NULL, - "CERT payload is unnecessary in DNSSEC. " - "ignore it.\n"); - return 0; - case ISAKMP_CERT_PGP: - case ISAKMP_CERT_X509SIGN: - case ISAKMP_CERT_KERBEROS: - case ISAKMP_CERT_SPKI: - /* Ignore cert if it doesn't match identity - * XXX If verify cert is disabled, we still just take - * the first certificate.... 
- */ - *c = oakley_appendcert_to_certchain(*c, new); - plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); - plogdump(LLV_DEBUG, new->cert.v, new->cert.l); - oakley_cert_prettyprint(&new->cert); - break; - case ISAKMP_CERT_CRL: - *c = oakley_appendcert_to_certchain(*c, new); - plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n"); - plogdump(LLV_DEBUG, new->cert.v, new->cert.l); - oakley_cert_prettyprint(&new->cert); - break; - case ISAKMP_CERT_X509KE: - case ISAKMP_CERT_X509ATTR: - case ISAKMP_CERT_ARL: - default: - /* XXX */ - oakley_delcert(new); - return 0; - } - } + switch (new->type) { + case ISAKMP_CERT_X509SIGN: + /* Ignore cert if it doesn't match identity + * XXX If verify cert is disabled, we still just take + * the first certificate.... + */ + *c = oakley_appendcert_to_certchain(*c, new); + plog(ASL_LEVEL_DEBUG, "CERT saved:\n"); + break; + default: + /* XXX */ + oakley_delcert(new); + return 0; + } return 0; } @@ -2865,9 +2396,7 @@ oakley_savecert(iph1, gen) * save certificate including certificate type. */ int -oakley_savecr(iph1, gen) - struct ph1handle *iph1; - struct isakmp_gen *gen; +oakley_savecr(phase1_handle_t *iph1, struct isakmp_gen *gen) { cert_t **c; u_int8_t type; 
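Review bot: `type = *(u_int8_t *)(gen + 1) & 0xff;` reads the byte after the generic header before anything has checked that the payload is longer than `sizeof(*gen)`; that check lives in save_certbuf, which runs only after the switch on `type`. Unless the caller has already validated the payload length (not visible here), a CERT payload whose length equals the header size makes this read one byte past the payload. Hoisting the check above the read, `if (ntohs(gen->len) <= sizeof(*gen)) { plog(ASL_LEVEL_ERR, "Len is too small !!.\n"); return -1; }`, closes that gap; oakley_savecr in hunk `@@ -2876` reads `type` the same way. The inner `switch (new->type)` can now only see ISAKMP_CERT_X509SIGN, so its `default: /* XXX */` branch deserves a comment saying it is a defensive fallback rather than an expected path.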
@@ -2876,69 +2405,52 @@ oakley_savecr(iph1, gen) type = *(u_int8_t *)(gen + 1) & 0xff; switch (type) { - case ISAKMP_CERT_DNS: - plog(LLV_WARNING, LOCATION, NULL, - "CERT payload is unnecessary in DNSSEC\n"); - /*FALLTHRU*/ - case ISAKMP_CERT_PKCS7: - case ISAKMP_CERT_PGP: case ISAKMP_CERT_X509SIGN: - case ISAKMP_CERT_KERBEROS: - case ISAKMP_CERT_SPKI: if (iph1->cr_p) { oakley_delcert(iph1->cr_p); iph1->cr_p = NULL; } c = &iph1->cr_p; break; - case ISAKMP_CERT_X509KE: - case ISAKMP_CERT_X509ATTR: - case ISAKMP_CERT_ARL: - plog(LLV_ERROR, LOCATION, NULL, - "No supported such CR type %d\n", type); - return -1; - case ISAKMP_CERT_CRL: default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid CR type %d\n", type); return -1; } new = save_certbuf(gen); if (!new) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Failed to get CR buffer.\n"); return -1; } *c = oakley_appendcert_to_certchain(*c, new); - plog(LLV_DEBUG, LOCATION, NULL, "CR saved:\n"); - plogdump(LLV_DEBUG, new->cert.v, new->cert.l); + plog(ASL_LEVEL_DEBUG, "CR saved\n"); return 0; } static cert_t * -save_certbuf(gen) - struct isakmp_gen *gen; +save_certbuf(struct isakmp_gen *gen) { cert_t *new; if(ntohs(gen->len) <= sizeof(*gen)){ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Len is too small !!.\n"); return NULL; } new = oakley_newcert(); if (!new) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Failed to get CERT buffer.\n"); return NULL; } new->pl = vmalloc(ntohs(gen->len) - sizeof(*gen)); if (new->pl == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Failed to copy CERT from packet.\n"); oakley_delcert(new); new = NULL; 
@@ -2952,41 +2464,6 @@ save_certbuf(gen)
 return new;
 }
-#ifdef HAVE_OPENSSL
-static cert_t *
-save_certx509(cert)
- X509 *cert;
-{
- cert_t *new;
- int len;
- u_char *bp;
-
- new = oakley_newcert();
- if (!new) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to get CERT buffer.\n");
- return NULL;
- }
-
- len = i2d_X509(cert, NULL);
- new->pl = vmalloc(len);
- if (new->pl == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to copy CERT from packet.\n");
- oakley_delcert(new);
- new = NULL;
- return NULL;
- }
- bp = (u_char *) new->pl->v;
- len = i2d_X509(cert, &bp);
- new->type = ISAKMP_CERT_X509SIGN;
- new->cert.v = new->pl->v;
- new->cert.l = new->pl->l;
-
- return new;
-}
-#endif
-
 /*
 * get my CR.
 * NOTE: No Certificate Authority field is included to CR payload at the
@@ -2995,28 +2472,27 @@ save_certx509(cert)
 * if there is no specific certificate authority requested.
 */
 vchar_t *
-oakley_getcr(iph1)
- struct ph1handle *iph1;
+oakley_getcr(phase1_handle_t *iph1)
 {
 vchar_t *buf;
 buf = vmalloc(1);
 if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
 "failed to get cr buffer\n");
 return NULL;
 }
 if(iph1->rmconf->certtype == ISAKMP_CERT_NONE) {
 buf->v[0] = iph1->rmconf->cacerttype;
- plog(LLV_DEBUG, LOCATION, NULL, "create my CR: NONE, using %s instead\n",
+ plog(ASL_LEVEL_DEBUG, "create my CR: NONE, using %s instead\n",
 s_isakmp_certtype(iph1->rmconf->cacerttype));
 } else {
 buf->v[0] = iph1->rmconf->certtype;
- plog(LLV_DEBUG, LOCATION, NULL, "create my CR: %s\n",
+ plog(ASL_LEVEL_DEBUG, "create my CR: %s\n",
 s_isakmp_certtype(iph1->rmconf->certtype));
 }
- if (buf->l > 1)
- plogdump(LLV_DEBUG, buf->v, buf->l);
+ //if (buf->l > 1)
+ // plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "");
 return buf;
 }
@@ -3025,18 +2501,17 @@ oakley_getcr(iph1) * check peer's CR. */ int -oakley_checkcr(iph1) - struct ph1handle *iph1; +oakley_checkcr(phase1_handle_t *iph1) { if (iph1->cr_p == NULL) return 0; - plog(LLV_DEBUG, LOCATION, iph1->remote, + plog(ASL_LEVEL_DEBUG, "peer transmitted CR: %s\n", s_isakmp_certtype(iph1->cr_p->type)); if (iph1->cr_p->type != iph1->rmconf->certtype) { - plog(LLV_ERROR, LOCATION, iph1->remote, + plog(ASL_LEVEL_ERR, "such a cert type isn't supported: %d\n", (char)iph1->cr_p->type); return -1; @@ -3049,19 +2524,14 @@ oakley_checkcr(iph1) * check to need CR payload. */ int -oakley_needcr(type) - int type; +oakley_needcr(int type) { switch (type) { - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: case OAKLEY_ATTR_AUTH_METHOD_RSASIG: #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: #endif return 1; default: @@ -3071,8 +2541,7 @@ oakley_needcr(type) } vchar_t * -oakley_getpskall(iph1) -struct ph1handle *iph1; +oakley_getpskall(phase1_handle_t *iph1) { vchar_t *secret = NULL; 
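Review bot: The `such a cert type isn't supported` error in oakley_checkcr no longer identifies the peer, because the ASL-style `plog` drops the `iph1->remote` argument the old call carried; for an authentication-parameter mismatch that is the one detail an operator needs to correlate the failure with a host. The address is still in scope, and the file already formats it elsewhere with saddrwop2str, so `plog(ASL_LEVEL_ERR, "such a cert type isn't supported: %d (peer %s)\n", (char)iph1->cr_p->type, saddrwop2str((struct sockaddr *)iph1->remote));` keeps the context. The same loss applies to the `memory error` and pskey lookup messages in oakley_getpskall (hunk `@@ -3099`). oakley_checkcr's closing lines fall outside the hunk.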
@@ -3099,26 +2568,29 @@ struct ph1handle *iph1; /* rmconf->shared_secret is a string and contains a NULL character that must be removed */ secret = vmalloc(iph1->rmconf->shared_secret->l - 1); if (secret == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, "memory error.\n"); + plog(ASL_LEVEL_ERR, "memory error.\n"); goto end; } memcpy(secret->v, iph1->rmconf->shared_secret->v, secret->l); } - } else { + } else if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV2 || + iph1->etype != ISAKMP_ETYPE_IDENT) { secret = getpskbyname(iph1->id_p); if (!secret) { if (iph1->rmconf->verify_identifier) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "couldn't find the Hybrid pskey.\n"); + plog(ASL_LEVEL_ERR, "couldn't find pskey by peer's ID.\n"); goto end; } } } if (!secret) { - plog(LLV_NOTIFY, LOCATION, iph1->remote, - "couldn't find the Hybrid pskey, " - "try to get one by the peer's address.\n"); + plog(ASL_LEVEL_NOTICE, "try to get pskey by the peer's address.\n"); secret = getpskbyaddr(iph1->remote); + if (!secret) { + plog(ASL_LEVEL_ERR, + "couldn't find the pskey by address %s.\n", + saddrwop2str((struct sockaddr *)iph1->remote)); + } } end: 
@@ -3133,207 +2605,231 @@ end: * enc: SKEYID = prf(H(Ni_b | Nr_b), CKY-I | CKY-R) */ int -oakley_skeyid(iph1) - struct ph1handle *iph1; +oakley_skeyid(phase1_handle_t *iph1) { - vchar_t *buf = NULL, *bp; + vchar_t *key = NULL; + vchar_t *buf = NULL; + vchar_t *bp; char *p; int len; int error = -1; - + + /* SKEYID */ switch (AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: + case OAKLEY_ATTR_AUTH_METHOD_PSKEY: #ifdef ENABLE_HYBRID - case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: + case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: #endif - if (iph1->rmconf->shared_secret) { - - switch (iph1->rmconf->secrettype) { - case SECRETTYPE_KEY: - /* in psk file - use KEY from remote configuration to locate it */ - iph1->authstr = getpsk(iph1->rmconf->shared_secret->v, iph1->rmconf->shared_secret->l-1); - break; -#if HAVE_KEYCHAIN - case SECRETTYPE_KEYCHAIN: - /* in the system keychain */ - iph1->authstr = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, NULL); - break; - case SECRETTYPE_KEYCHAIN_BY_ID: - /* in the system keychain - use peer id */ - iph1->authstr = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, iph1->id_p); - break; -#endif // HAVE_KEYCHAIN - case SECRETTYPE_USE: - /* in the remote configuration */ - default: - /* rmconf->shared_secret is a string and contains a NULL character that must be removed */ - iph1->authstr = vmalloc(iph1->rmconf->shared_secret->l - 1); - if (iph1->authstr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "memory error.\n"); - break; - } - memcpy(iph1->authstr->v, iph1->rmconf->shared_secret->v, iph1->authstr->l); - } - } - else - if (iph1->etype != ISAKMP_ETYPE_IDENT) { - iph1->authstr = getpskbyname(iph1->id_p); - if (iph1->authstr == NULL) { - if (iph1->rmconf->verify_identifier) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "couldn't find the pskey.\n"); - goto end; - } 
- plog(LLV_NOTIFY, LOCATION, iph1->remote, - "couldn't find the proper pskey, " - "try to get one by the peer's address.\n"); - } - } - if (iph1->authstr == NULL) { - /* - * If the exchange type is the main mode or if it's - * failed to get the psk by ID, racoon try to get - * the psk by remote IP address. - * It may be nonsense. - */ - iph1->authstr = getpskbyaddr(iph1->remote); - if (iph1->authstr == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "couldn't find the pskey for %s.\n", - saddrwop2str((struct sockaddr *)iph1->remote)); - goto end; - } - } - plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n"); - /* should be secret PSK */ - plog(LLV_DEBUG2, LOCATION, NULL, "psk: "); - plogdump(LLV_DEBUG2, iph1->authstr->v, iph1->authstr->l); - - len = iph1->nonce->l + iph1->nonce_p->l; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get skeyid buffer\n"); - goto end; - } - p = buf->v; - - bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p); - plog(LLV_DEBUG, LOCATION, NULL, "nonce 1: "); - plogdump(LLV_DEBUG, bp->v, bp->l); - memcpy(p, bp->v, bp->l); - p += bp->l; - - bp = (iph1->side == INITIATOR ? 
iph1->nonce_p : iph1->nonce); - plog(LLV_DEBUG, LOCATION, NULL, "nonce 2: "); - plogdump(LLV_DEBUG, bp->v, bp->l); - memcpy(p, bp->v, bp->l); - p += bp->l; - - iph1->skeyid = oakley_prf(iph1->authstr, buf, iph1); - if (iph1->skeyid == NULL) - goto end; - break; - - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: + key = oakley_getpskall(iph1); + if (key == NULL) { + plog(ASL_LEVEL_ERR, + "couldn't find the pskey for %s.\n", + saddrwop2str((struct sockaddr *)iph1->remote)); + goto end; + } + plog(ASL_LEVEL_DEBUG, "the psk found.\n"); + /* should be secret PSK */ + plogdump(ASL_LEVEL_DEBUG, key->v, key->l, "psk: "); + + len = iph1->nonce->l + iph1->nonce_p->l; + buf = vmalloc(len); + if (buf == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get skeyid buffer\n"); + goto end; + } + p = buf->v; + + bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p); + //plogdump(ASL_LEVEL_DEBUG, bp->v, bp->l, "nonce 1: "); + memcpy(p, bp->v, bp->l); + p += bp->l; + + bp = (iph1->side == INITIATOR ? 
iph1->nonce_p : iph1->nonce); + //plogdump(ASL_LEVEL_DEBUG, bp->v, bp->l, "nonce 2: "); + memcpy(p, bp->v, bp->l); + p += bp->l; + + iph1->skeyid = oakley_prf(key, buf, iph1); + + if (iph1->skeyid == NULL) + goto end; + break; + + case OAKLEY_ATTR_AUTH_METHOD_RSASIG: #ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: + case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: + case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: #endif -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: -#endif - len = iph1->nonce->l + iph1->nonce_p->l; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get nonce buffer\n"); - goto end; - } - p = buf->v; - - bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p); - plog(LLV_DEBUG, LOCATION, NULL, "nonce1: "); - plogdump(LLV_DEBUG, bp->v, bp->l); - memcpy(p, bp->v, bp->l); - p += bp->l; - - bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce); - plog(LLV_DEBUG, LOCATION, NULL, "nonce2: "); - plogdump(LLV_DEBUG, bp->v, bp->l); - memcpy(p, bp->v, bp->l); - p += bp->l; - - iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1); - if (iph1->skeyid == NULL) - goto end; - break; - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: + len = iph1->nonce->l + iph1->nonce_p->l; + buf = vmalloc(len); + if (buf == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get nonce buffer\n"); + goto end; + } + p = buf->v; + + bp = (iph1->side == INITIATOR ? 
iph1->nonce : iph1->nonce_p); + //plogdump(ASL_LEVEL_DEBUG, bp->v, bp->l, "nonce1: "); + memcpy(p, bp->v, bp->l); + p += bp->l; + + bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce); + //plogdump(ASL_LEVEL_DEBUG, bp->v, bp->l, "nonce2: "); + memcpy(p, bp->v, bp->l); + p += bp->l; + + iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1); + if (iph1->skeyid == NULL) + goto end; + break; + case OAKLEY_ATTR_AUTH_METHOD_RSAENC: + case OAKLEY_ATTR_AUTH_METHOD_RSAREV: #ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: #endif - plog(LLV_WARNING, LOCATION, NULL, - "not supported authentication method %s\n", - s_oakley_attr_method(iph1->approval->authmethod)); - goto end; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid authentication method %d\n", - iph1->approval->authmethod); - goto end; + plog(ASL_LEVEL_WARNING, + "not supported authentication method %s\n", + s_oakley_attr_method(iph1->approval->authmethod)); + goto end; + default: + plog(ASL_LEVEL_ERR, + "invalid authentication method %d\n", + iph1->approval->authmethod); + goto end; } - - plog(LLV_DEBUG, LOCATION, NULL, "SKEYID computed:\n"); - plogdump(LLV_DEBUG, iph1->skeyid->v, iph1->skeyid->l); - + + //plogdump(ASL_LEVEL_DEBUG, iph1->skeyid->v, iph1->skeyid->l, "IKEv1 SKEYID computed:\n"); + error = 0; - + end: + if (key != NULL) + vfree(key); if (buf != NULL) vfree(buf); return error; } +static vchar_t * +oakley_prf_plus (vchar_t *key, vchar_t *buf, int result_len, phase1_handle_t *iph1) +{ + vchar_t *t = 0; + uint8_t byte_value; + vchar_t *result = 0; + uint8_t *p; + vchar_t *bp; + int bp_len; + uint8_t *tmp; + vchar_t *prf; + + /* + * (draft-17) + prf+ (K,S) 
= T1 | T2 | T3 | T4 | ... + + where: + T1 = prf (K, S | 0x01) + T2 = prf (K, T1 | S | 0x02) + T3 = prf (K, T2 | S | 0x03) + T4 = prf (K, T3 | S | 0x04) + */ + + if (!(result = vmalloc(result_len))) { + return NULL; + } + + /* + * initial T0 = empty + */ + t = 0; + p = (uint8_t *)result->v; + for (byte_value = 1; result_len > 0; ++byte_value) { + /* + * prf_output = prf(K, Ti-1 | S | byte) + */ + bp_len = buf->l + sizeof(byte_value); + if (t) { + bp_len += t->l; + } + bp = vmalloc(bp_len); + if (!bp) { + return NULL; + } + tmp = (__typeof__(tmp))bp->v; + + if (t) { + memcpy(tmp, t->v, t->l); + tmp += t->l; + } + memcpy(tmp, buf->v, buf->l); + tmp += buf->l; + memcpy(tmp, &byte_value, sizeof(byte_value)); + tmp += sizeof(byte_value); + + if (!(prf = oakley_prf(key, bp, iph1))) { + VPTRINIT(bp); + return (vchar_t *)-1; + } + VPTRINIT(bp); + + /* + * concat prf_output + */ + memcpy(p, prf->v, prf->l > (size_t)result_len ? (size_t)result_len : prf->l); + p += prf->l; + result_len -= prf->l; + + /* + * Ti = prf_output + */ + if (t) { + bzero(t->v, t->l); + vfree(t); + } + t = prf; + } + if (t) { + bzero(t->v, t->l); + vfree(t); + } + return result; +} + /* * compute SKEYID_[dae] - * see seciton 5. Exchanges in RFC 2409 - * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0) - * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1) - * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2) */ int -oakley_skeyid_dae(iph1) - struct ph1handle *iph1; +oakley_skeyid_dae(phase1_handle_t *iph1) { - vchar_t *buf = NULL; + vchar_t *buf = NULL, *bp = NULL; char *p; int len; int error = -1; if (iph1->skeyid == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n"); + plog(ASL_LEVEL_ERR, "no SKEYID found.\n"); goto end; } - + /* + * see seciton 5. 
Exchanges in RFC 2409 + * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0) + * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1) + * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2) + */ /* SKEYID D */ /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */ len = iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get skeyid buffer\n"); goto end; } @@ -3353,15 +2849,14 @@ oakley_skeyid_dae(iph1) vfree(buf); buf = NULL; - plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_d computed:\n"); - plogdump(LLV_DEBUG, iph1->skeyid_d->v, iph1->skeyid_d->l); + //plogdump(ASL_LEVEL_DEBUG, iph1->skeyid_d->v, iph1->skeyid_d->l, "SKEYID_d computed:\n"); /* SKEYID A */ /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */ len = iph1->skeyid_d->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get skeyid buffer\n"); goto end; } @@ -3382,15 +2877,14 @@ oakley_skeyid_dae(iph1) vfree(buf); buf = NULL; - plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_a computed:\n"); - plogdump(LLV_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l); + //plogdump(ASL_LEVEL_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l, "SKEYID_a computed:\n"); /* SKEYID E */ /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */ len = iph1->skeyid_a->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get skeyid buffer\n"); goto end; } @@ -3411,8 +2905,7 @@ oakley_skeyid_dae(iph1) vfree(buf); buf = NULL; - plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_e computed:\n"); - plogdump(LLV_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l); + //plogdump(ASL_LEVEL_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l, "SKEYID_e computed:\n"); error = 0; 
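Review bot: `plogdump(ASL_LEVEL_DEBUG, key->v, key->l, "psk: ")` in the PSKEY case of oakley_skeyid writes the pre-shared key itself to the system log; the old code kept that dump at the more restrictive LLV_DEBUG2, and the nonce and SKEYID dumps in the same hunk were commented out, so this one should be removed rather than promoted. At `end:` the key is released with a bare `vfree(key)`, whereas the new oakley_prf_plus wipes each intermediate T with `bzero(t->v, t->l)` before vfree, which suggests vfree does not clear memory, so `key` (and `buf`, which holds the nonces) should be wiped the same way. In oakley_prf_plus the `!bp` path and the failed `oakley_prf` path return without freeing `result` or the pending `t`, and the `(vchar_t *)-1` sentinel is a second failure value every caller must test for in addition to NULL; a single `fail:` label that wipes and frees both and returns NULL is simpler, though the callers (outside this hunk) would need to follow. `byte_value` is a uint8_t that wraps to 0 after 255 blocks, which prf+ does not define, so the loop should stop there as well.
```c
static vchar_t *
oakley_prf_plus (vchar_t *key, vchar_t *buf, int result_len, phase1_handle_t *iph1)
{
	/* … unchanged: declarations, prf+ comment, allocation of result … */
	for (byte_value = 1; result_len > 0; ++byte_value) {
		if (byte_value == 0) {
			/* prf+ (RFC 4306 §2.13) is only defined for 255 blocks */
			goto fail;
		}
		/* … unchanged: compute bp_len … */
		bp = vmalloc(bp_len);
		if (!bp) {
			goto fail;
		}
		/* … unchanged: assemble Ti-1 | S | byte_value in bp … */
		if (!(prf = oakley_prf(key, bp, iph1))) {
			VPTRINIT(bp);
			goto fail;
		}
		/* … unchanged: concatenate prf output, rotate t … */
	}
	if (t) {
		bzero(t->v, t->l);
		vfree(t);
	}
	return result;

fail:
	if (t) {
		bzero(t->v, t->l);
		vfree(t);
	}
	bzero(result->v, result->l);
	vfree(result);
	return NULL;
}
```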
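Review bot: The replaced `plogdump` of SKEYID_d is kept as a commented-out line rather than removed; the same pattern recurs for SKEYID_a and SKEYID_e in `@@ -3382` and `@@ -3411`, for the intermediate and final encryption key in `@@ -3505` and `@@ -3537`, and for the CR buffer in `@@ -2995`. Commented-out dumps of keying material are dead code that a later edit can re-enable by deleting two characters, and they spell out exactly the call that would send the keys to the system log. Drop the lines entirely (version history keeps them) and, where a diagnostic is wanted, log only the length, e.g. `plog(ASL_LEVEL_DEBUG, "SKEYID_d computed (%zu bytes)\n", iph1->skeyid_d->l);`.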
@@ -3427,8 +2920,7 @@ end: * see Appendix B. */ int -oakley_compute_enckey(iph1) - struct ph1handle *iph1; +oakley_compute_enckey(phase1_handle_t *iph1) { u_int keylen, prflen; int error = -1; @@ -3437,7 +2929,7 @@ oakley_compute_enckey(iph1) keylen = alg_oakley_encdef_keylen(iph1->approval->enctype, iph1->approval->encklen); if (keylen == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encryption algoritym %d, " "or invalid key length %d.\n", iph1->approval->enctype, 
@@ -3446,15 +2938,52 @@ oakley_compute_enckey(iph1) } iph1->key = vmalloc(keylen >> 3); if (iph1->key == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get key buffer\n"); goto end; } + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV2) { + iph1->key_p = vmalloc(keylen >> 3); + if (iph1->key_p == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get key buffer\n"); + goto end; + } + + if (iph1->key->l <= iph1->skeyid_e->l) { + plog(ASL_LEVEL_DEBUG, + "%s setting key len %zd, val %d (len %zd)", __FUNCTION__, iph1->key->l, (int)iph1->skeyid_e->v[0], iph1->skeyid_e->l); + /* + * if length(Ka) <= length(SKEYID_e) + * Ka = first length(K) bit of SKEYID_e + */ + memcpy(iph1->key->v, iph1->skeyid_e->v, iph1->key->l); + } else { + plog(ASL_LEVEL_ERR, + "unexpected key length error (exp %zd, got %zd)", + iph1->key->l, iph1->skeyid_e->l); + goto end; + } + if (iph1->key_p->l <= iph1->skeyid_e_p->l) { + plog(ASL_LEVEL_DEBUG, + "%s setting peer key len %zd, val %d (len %zd)", __FUNCTION__, iph1->key_p->l, (int)iph1->skeyid_e_p->v[0], iph1->skeyid_e_p->l); + /* + * if length(Ka) <= length(SKEYID_e) + * Ka = first length(K) bit of SKEYID_e + */ + memcpy(iph1->key_p->v, iph1->skeyid_e_p->v, iph1->key_p->l); + } else { + plog(ASL_LEVEL_ERR, + "unexpected peer key length error (exp %zd, got %zd)", + iph1->key_p->l, iph1->skeyid_e_p->l); + goto end; + } + } /* set prf length */ prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype); if (prflen == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid hash type %d.\n", iph1->approval->hashtype); goto end; } @@ -3472,6 +3001,12 @@ oakley_compute_enckey(iph1) int cplen; int subkey; + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV2) { + plog(ASL_LEVEL_ERR, + "invalid key len (got %zu, expected %zu.\n", iph1->key->l, iph1->skeyid_e->l); + goto end; + } + /* * otherwise, * Ka = K1 | K2 | K3 
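Review bot: The two `ASL_LEVEL_DEBUG` lines in the new IKEv2 branch print `(int)iph1->skeyid_e->v[0]` and `(int)iph1->skeyid_e_p->v[0]` into the system log; the `memcpy` a few lines below copies exactly those bytes into `iph1->key` and `iph1->key_p`, so this is the first byte of each side's encryption key and should not be logged at any level. The lengths alone serve the diagnostic, and the file's convention for `size_t` is `%zu` with a trailing newline (see the `invalid key len` message in the next hunk), so `plog(ASL_LEVEL_DEBUG, "%s setting key len %zu (SKEYID_e len %zu)\n", __FUNCTION__, iph1->key->l, iph1->skeyid_e->l);` and the matching peer line would do. `%zd` with a `size_t` argument is also the wrong conversion, and the two `unexpected ... key length error` messages lack the `\n` every other message in the function has. oakley_compute_enckey starts and ends outside the hunk.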
@@ -3480,13 +3015,13 @@ oakley_compute_enckey(iph1) * K2 = prf(SKEYID_e, K1) * K3 = prf(SKEYID_e, K2) */ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "len(SKEYID_e) < len(Ka) (%zu < %zu), " "generating long key (Ka = K1 | K2 | ...)\n", iph1->skeyid_e->l, iph1->key->l); if ((buf = vmalloc(prflen >> 3)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get key buffer\n"); goto end; } @@ -3505,11 +3040,11 @@ oakley_compute_enckey(iph1) vfree(buf); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "compute intermediate encryption key K%d\n", subkey); - plogdump(LLV_DEBUG, buf->v, buf->l); - plogdump(LLV_DEBUG, res->v, res->l); + //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, ""); + //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, ""); cplen = (res->l < ep - p) ? res->l : ep - p; memcpy(p, res->v, cplen); @@ -3517,7 +3052,7 @@ oakley_compute_enckey(iph1) buf->l = prflen >> 3; /* to cancel K1 speciality */ if (res->l != buf->l) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "internal error: res->l=%zu buf->l=%zu\n", res->l, buf->l); vfree(res); @@ -3537,24 +3072,8 @@ oakley_compute_enckey(iph1) * draft-ietf-ipsec-ike-01.txt Appendix B. * draft-ietf-ipsec-ciph-aes-cbc-00.txt Section 2.3. */ -#if 0 - /* weakkey check */ - if (iph1->approval->enctype > ARRAYLEN(oakley_encdef) - || oakley_encdef[iph1->approval->enctype].weakkey == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "encryption algoritym %d isn't supported.\n", - iph1->approval->enctype); - goto end; - } - if ((oakley_encdef[iph1->approval->enctype].weakkey)(iph1->key)) { - plog(LLV_ERROR, LOCATION, NULL, - "weakkey was generated.\n"); - goto end; - } -#endif - plog(LLV_DEBUG, LOCATION, NULL, "final encryption key computed:\n"); - plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); + //plogdump(ASL_LEVEL_DEBUG, iph1->key->v, iph1->key->l, "final encryption key computed:\n"); error = 0; 
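Review bot: The `//plogdump(ASL_LEVEL_DEBUG, iph1->key->v, iph1->key->l, "final encryption key computed:\n");` line left in the `@@ -3537,24 +3072,8 @@` hunk is commented-out code that, if re-enabled, writes the session encryption key into the log; delete it outright rather than leaving it one uncomment away, and do the same for the commented-out K1/K2 dumps in `@@ -3505,11 +3040,11 @@` and the `"with key:"` dumps in the `@@ -3863,52 +3425,44 @@` and `@@ -3992,40 +3556,37 @@` hunks. If a trace is wanted for debugging, log `iph1->key->l` only. `oakley_compute_enckey` starts in the earlier hunk and its `end:` label is outside this one.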
@@ -3564,13 +3083,13 @@ end: /* allocated new buffer for CERT */ cert_t * -oakley_newcert() +oakley_newcert(void) { cert_t *new; new = racoon_calloc(1, sizeof(*new)); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get cert's buffer\n"); return NULL; } @@ -3583,8 +3102,7 @@ oakley_newcert() /* delete buffer for CERT */ void -oakley_delcert_1(cert) - cert_t *cert; +oakley_delcert_1(cert_t *cert) { if (!cert) return; @@ -3595,8 +3113,7 @@ oakley_delcert_1(cert) /* delete buffer for CERT */ void -oakley_delcert(cert) - cert_t *cert; +oakley_delcert(cert_t *cert) { cert_t *p, *to_delete; @@ -3612,9 +3129,7 @@ oakley_delcert(cert) /* delete buffer for CERT */ static cert_t * -oakley_appendcert_to_certchain(certchain, new) - cert_t *certchain; - cert_t *new; +oakley_appendcert_to_certchain(cert_t *certchain, cert_t *new) { cert_t *p; @@ -3636,8 +3151,7 @@ oakley_appendcert_to_certchain(certchain, new) * see 4.1 Phase 1 state in draft-ietf-ipsec-ike. */ int -oakley_newiv(iph1) - struct ph1handle *iph1; +oakley_newiv(phase1_handle_t *iph1) { struct isakmp_ivm *newivm = NULL; vchar_t *buf = NULL, *bp; @@ -3648,8 +3162,8 @@ oakley_newiv(iph1) len = iph1->dhpub->l + iph1->dhpub_p->l; buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get iv buffer\n"); + plog(ASL_LEVEL_ERR, + "Failed to get IV buffer\n"); return -1; } @@ -3666,8 +3180,8 @@ oakley_newiv(iph1) /* allocate IVm */ newivm = racoon_calloc(1, sizeof(struct isakmp_ivm)); if (newivm == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get iv buffer\n"); + plog(ASL_LEVEL_ERR, + "Failed to get IV buffer\n"); vfree(buf); return -1; } 
@@ -3683,8 +3197,8 @@ oakley_newiv(iph1) /* adjust length of iv */ newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype); if (newivm->iv->l == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encryption algoriym %d.\n", + plog(ASL_LEVEL_ERR, + "Invalid encryption algorithm %d.\n", iph1->approval->enctype); vfree(buf); oakley_delivm(newivm); @@ -3693,7 +3207,7 @@ oakley_newiv(iph1) /* create buffer to save iv */ if ((newivm->ive = vdup(newivm->iv)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "vdup (%s)\n", strerror(errno)); vfree(buf); oakley_delivm(newivm); @@ -3702,8 +3216,7 @@ oakley_newiv(iph1) vfree(buf); - plog(LLV_DEBUG, LOCATION, NULL, "IV computed:\n"); - plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l); + //plogdump(ASL_LEVEL_DEBUG, newivm->iv->v, newivm->iv->l, "IV computed:\n"); if (iph1->ivm != NULL) oakley_delivm(iph1->ivm); @@ -3723,9 +3236,7 @@ oakley_newiv(iph1) * see 4.2 Phase 2 state in draft-ietf-ipsec-ike. */ struct isakmp_ivm * -oakley_newiv2(iph1, msgid) - struct ph1handle *iph1; - u_int32_t msgid; +oakley_newiv2(phase1_handle_t *iph1, u_int32_t msgid) { struct isakmp_ivm *newivm = NULL; vchar_t *buf = NULL; @@ -3737,8 +3248,8 @@ oakley_newiv2(iph1, msgid) len = iph1->ivm->iv->l + sizeof(msgid_t); buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get iv buffer\n"); + plog(ASL_LEVEL_ERR, + "Failed to get IV buffer\n"); goto end; } 
@@ -3749,15 +3260,14 @@ oakley_newiv2(iph1, msgid) memcpy(p, &msgid, sizeof(msgid)); - plog(LLV_DEBUG, LOCATION, NULL, "compute IV for phase2\n"); - plog(LLV_DEBUG, LOCATION, NULL, "phase1 last IV:\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); + plog(ASL_LEVEL_DEBUG, "Compute IV for Phase 2\n"); + //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "Phase 1 last IV:\n"); /* allocate IVm */ newivm = racoon_calloc(1, sizeof(struct isakmp_ivm)); if (newivm == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get iv buffer\n"); + plog(ASL_LEVEL_ERR, + "Failed to get IV buffer\n"); goto end; } @@ -3768,22 +3278,21 @@ oakley_newiv2(iph1, msgid) /* adjust length of iv */ newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype); if (newivm->iv->l == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encryption algoriym %d.\n", + plog(ASL_LEVEL_ERR, + "Invalid encryption algorithm %d.\n", iph1->approval->enctype); goto end; } /* create buffer to save new iv */ if ((newivm->ive = vdup(newivm->iv)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "vdup (%s)\n", strerror(errno)); + plog(ASL_LEVEL_ERR, "vdup (%s)\n", strerror(errno)); goto end; } error = 0; - plog(LLV_DEBUG, LOCATION, NULL, "phase2 IV computed:\n"); - plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l); + //plogdump(ASL_LEVEL_DEBUG, newivm->iv->v, newivm->iv->l, "Phase 2 IV computed:\n"); end: if (error && newivm != NULL){ 
@@ -3795,9 +3304,66 @@ end: return newivm; } +/* + * Compute unpredictable IV for IKEv2. + */ +int +oakley_newiv_ikev2(phase1_handle_t * iph1) +{ + struct isakmp_ivm *newivm = NULL; + int iv_length; + + /* Get IV length */ + iv_length = alg_oakley_encdef_blocklen(iph1->approval->enctype); + if (iv_length == -1) { + plog(ASL_LEVEL_ERR, "Invalid encryption algorithm %d.\n", iph1->approval->enctype); + } + + /* Allocate IV Manager */ + newivm = racoon_calloc(1, sizeof(struct isakmp_ivm)); + if (newivm == NULL) { + plog(ASL_LEVEL_ERR, "Failed to allocate IV buffer.\n"); + return -1; + } + + /* Compute IV */ + /* There are two recommended methods for generating unpredictable IVs. The first method is to apply the forward cipher function, under the same key that is used for the encryption of the plaintext, to a nonce. The nonce must be a data block that is unique to each execution of the encryption operation. For example, the nonce may be a counter, as described in Appendix B, or a message number. The second method is to generate a random data block using a FIPS- approved random number generator. + [National Institute of Standards and Technology, U.S. + Department of Commerce, "Recommendation for Block Cipher + Modes of Operation", SP 800-38A, 2001.] 
+ */ + /* Currently, we implement the second scheme, which uses a random block */ + newivm->iv = eay_set_random(iv_length); + if (newivm->iv == NULL) { + oakley_delivm(newivm); + return -1; + } + + /* Adjust length of IV */ + if (newivm->iv->l != iv_length) { + plog(ASL_LEVEL_WARNING, "IV length was adjusted.\n"); + newivm->iv->l = iv_length; + } + + /* Make copy of IV in IVe */ + if ((newivm->ive = vdup(newivm->iv)) == NULL) { + plog(ASL_LEVEL_ERR, "vdup (%s)\n", strerror(errno)); + oakley_delivm(newivm); + return -1; + } + + /* Delete old IV if there is one */ + if (iph1->ivm != NULL) + oakley_delivm(iph1->ivm); + + iph1->ivm = newivm; + + return 0; +} + + void -oakley_delivm(ivm) - struct isakmp_ivm *ivm; +oakley_delivm(struct isakmp_ivm *ivm) { if (ivm == NULL) return; @@ -3807,7 +3373,7 @@ oakley_delivm(ivm) if (ivm->ive != NULL) vfree(ivm->ive); racoon_free(ivm); - plog(LLV_DEBUG, LOCATION, NULL, "IV freed\n"); + plog(ASL_LEVEL_DEBUG, "IV freed\n"); return; } @@ -3817,9 +3383,7 @@ oakley_delivm(ivm) * save new iv and old iv. */ vchar_t * -oakley_do_decrypt(iph1, msg, ivdp, ivep) - struct ph1handle *iph1; - vchar_t *msg, *ivdp, *ivep; +oakley_do_ikev1_decrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivdp, vchar_t *ivep) { vchar_t *buf = NULL, *new = NULL; char *pl; @@ -3828,12 +3392,12 @@ oakley_do_decrypt(iph1, msg, ivdp, ivep) int blen; int error = -1; - plog(LLV_DEBUG, LOCATION, NULL, "begin decryption.\n"); + plog(ASL_LEVEL_DEBUG, "Begin decryption.\n"); blen = alg_oakley_encdef_blocklen(iph1->approval->enctype); if (blen == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encryption algoriym %d.\n", + plog(ASL_LEVEL_ERR, + "Invalid encryption algorithm %d.\n", iph1->approval->enctype); goto end; } 
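Review bot: `oakley_newiv_ikev2` logs when `alg_oakley_encdef_blocklen` returns -1 but does not return, so `iv_length == -1` is passed on to `eay_set_random` and, in the `"IV length was adjusted"` branch, stored into `newivm->iv->l`; add the missing return, i.e. `if (iv_length == -1) { plog(ASL_LEVEL_ERR, "Invalid encryption algorithm %d.\n", iph1->approval->enctype); return -1; }`. The adjustment branch itself looks unsafe: if `eay_set_random` ever returns fewer than `iv_length` bytes, raising `newivm->iv->l` means the following `vdup` and later consumers presumably read past the buffer, so a length mismatch should be treated as an error, not patched. The six-line NIST quotation would read better as a one-line reference to SP 800-38A with the note that the random-block method is the one implemented.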
@@ -3842,9 +3406,7 @@ oakley_do_decrypt(iph1, msg, ivdp, ivep) memset(ivep->v, 0, ivep->l); memcpy(ivep->v, (caddr_t)&msg->v[msg->l - blen], blen); - plog(LLV_DEBUG, LOCATION, NULL, - "IV was saved for next processing:\n"); - plogdump(LLV_DEBUG, ivep->v, ivep->l); + plogdump(ASL_LEVEL_DEBUG, ivep->v, ivep->l, "IV was saved for next processing:\n"); pl = msg->v + sizeof(struct isakmp); @@ -3853,8 +3415,8 @@ oakley_do_decrypt(iph1, msg, ivdp, ivep) /* create buffer */ buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to decrypt.\n"); + plog(ASL_LEVEL_ERR, + "Failed to get buffer to decrypt.\n"); goto end; } memcpy(buf->v, pl, len); 
@@ -3863,52 +3425,44 @@ oakley_do_decrypt(iph1, msg, ivdp, ivep) new = alg_oakley_encdef_decrypt(iph1->approval->enctype, buf, iph1->key, ivdp); if (new == NULL || new->v == NULL || new->l == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "decryption %d failed.\n", iph1->approval->enctype); + plog(ASL_LEVEL_ERR, + "Decryption %d failed.\n", iph1->approval->enctype); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "with key:\n"); - plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); + //plogdump(ASL_LEVEL_DEBUG, iph1->key->v, iph1->key->l, "with key:\n"); vfree(buf); buf = NULL; if (new == NULL) goto end; - plog(LLV_DEBUG, LOCATION, NULL, "decrypted payload by IV:\n"); - plogdump(LLV_DEBUG, ivdp->v, ivdp->l); - - plog(LLV_DEBUG, LOCATION, NULL, - "decrypted payload, but not trimed.\n"); - plogdump(LLV_DEBUG, new->v, new->l); + plog(ASL_LEVEL_DEBUG, "decrypted payload by IV:\n"); /* get padding length */ if (lcconf->pad_excltail) padlen = new->v[new->l - 1] + 1; else padlen = new->v[new->l - 1]; - plog(LLV_DEBUG, LOCATION, NULL, "padding len=%u\n", padlen); + plog(ASL_LEVEL_DEBUG, "padding len=%u\n", padlen); /* trim padding */ if (lcconf->pad_strict) { if (padlen > new->l) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid padding len=%u, buflen=%zu.\n", - padlen, new->l); - plogdump(LLV_ERROR, new->v, new->l); + plog(ASL_LEVEL_ERR, "invalid padding len=%u, buflen=%zu.\n", + padlen, new->l); goto end; } new->l -= padlen; - plog(LLV_DEBUG, LOCATION, NULL, "trimmed padding\n"); + plog(ASL_LEVEL_DEBUG, "trimmed padding\n"); } else { - plog(LLV_DEBUG, LOCATION, NULL, "skip to trim padding.\n"); + plog(ASL_LEVEL_DEBUG, "skip to trim padding.\n"); } /* create new buffer */ len = sizeof(struct isakmp) + new->l; buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to decrypt.\n"); goto end; } 
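Review bot: `plog(ASL_LEVEL_DEBUG, "decrypted payload by IV:\n");` is now an orphaned heading — the `plogdump` of the IV that used to follow it was removed in this hunk, so the line announces data that never appears. Either drop the line or reword it to something self-contained such as `plog(ASL_LEVEL_DEBUG, "decrypted payload.\n");`. The enclosing `oakley_do_ikev1_decrypt` starts in the previous hunk and its `end:` label is outside this one.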
@@ -3916,8 +3470,7 @@ oakley_do_decrypt(iph1, msg, ivdp, ivep) memcpy(buf->v + sizeof(struct isakmp), new->v, new->l); ((struct isakmp *)buf->v)->len = htonl(buf->l); - plog(LLV_DEBUG, LOCATION, NULL, "decrypted.\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); + plog(ASL_LEVEL_DEBUG, "decrypted.\n"); #ifdef HAVE_PRINT_ISAKMP_C isakmp_printpacket(buf, iph1->remote, iph1->local, 1); @@ -3936,13 +3489,24 @@ end: return buf; } +/* + * decrypt packet. + */ +vchar_t * +oakley_do_decrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivdp, vchar_t *ivep) +{ + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + return(oakley_do_ikev1_decrypt(iph1, msg, ivdp, ivep)); + } + plog(ASL_LEVEL_ERR, "Failed to decrypt invalid IKE version"); + return NULL; +} + /* * encrypt packet. */ vchar_t * -oakley_do_encrypt(iph1, msg, ivep, ivp) - struct ph1handle *iph1; - vchar_t *msg, *ivep, *ivp; +oakley_do_ikev1_encrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivep, vchar_t *ivp) { vchar_t *buf = 0, *new = 0; char *pl; @@ -3951,13 +3515,13 @@ oakley_do_encrypt(iph1, msg, ivep, ivp) int blen; int error = -1; - plog(LLV_DEBUG, LOCATION, NULL, "begin encryption.\n"); + plog(ASL_LEVEL_DEBUG, "Begin encryption.\n"); /* set cbc block length */ blen = alg_oakley_encdef_blocklen(iph1->approval->enctype); if (blen == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encryption algoriym %d.\n", + plog(ASL_LEVEL_ERR, + "Invalid encryption algorithm %d.\n", iph1->approval->enctype); goto end; } @@ -3967,13 +3531,13 @@ oakley_do_encrypt(iph1, msg, ivep, ivp) /* add padding */ padlen = oakley_padlen(len, blen); - plog(LLV_DEBUG, LOCATION, NULL, "pad length = %u\n", padlen); + plog(ASL_LEVEL_DEBUG, "pad length = %u\n", padlen); /* create buffer */ buf = vmalloc(len + padlen); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to encrypt.\n"); + plog(ASL_LEVEL_ERR, + "Failed to get buffer to encrypt.\n"); goto end; } if (padlen) { 
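Review bot: The new `oakley_do_decrypt` wrapper logs `"Failed to decrypt invalid IKE version"` without the version it rejected and without the trailing newline most other `plog` calls in this file carry; `plog(ASL_LEVEL_ERR, "Failed to decrypt: unsupported IKE version %d\n", iph1->version);` would make the entry actionable, assuming `version` is an integer as its comparison with `ISAKMP_VERSION_NUMBER_IKEV1` suggests. The same applies to the `oakley_do_encrypt` wrapper in the `@@ -4047,14 +3608,27 @@` hunk.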
@@ -3992,40 +3556,37 @@ oakley_do_encrypt(iph1, msg, ivep, ivp) else buf->v[len + padlen - 1] = padlen; - plogdump(LLV_DEBUG, buf->v, buf->l); + plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "About to encrypt %d bytes", buf->l); /* do encrypt */ new = alg_oakley_encdef_encrypt(iph1->approval->enctype, buf, iph1->key, ivep); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "encryption %d failed.\n", iph1->approval->enctype); + plog(ASL_LEVEL_ERR, + "Encryption %d failed.\n", iph1->approval->enctype); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "with key:\n"); - plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); + //plogdump(ASL_LEVEL_DEBUG, iph1->key->v, iph1->key->l, "with key:\n"); vfree(buf); buf = NULL; if (new == NULL) goto end; - plog(LLV_DEBUG, LOCATION, NULL, "encrypted payload by IV:\n"); - plogdump(LLV_DEBUG, ivep->v, ivep->l); + //plogdump(ASL_LEVEL_DEBUG, ivep->v, ivep->l, "encrypted payload by IV:\n"); /* save IV for next */ memset(ivp->v, 0, ivp->l); memcpy(ivp->v, (caddr_t)&new->v[new->l - blen], blen); - plog(LLV_DEBUG, LOCATION, NULL, "save IV for next:\n"); - plogdump(LLV_DEBUG, ivp->v, ivp->l); + //plogdump(ASL_LEVEL_DEBUG, ivp->v, ivp->l, "save IV for next:\n"); /* create new buffer */ len = sizeof(struct isakmp) + new->l; buf = vmalloc(len); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to encrypt.\n"); + plog(ASL_LEVEL_ERR, + "Failed to get buffer to encrypt.\n"); goto end; } memcpy(buf->v, msg->v, sizeof(struct isakmp)); @@ -4034,7 +3595,7 @@ oakley_do_encrypt(iph1, msg, ivep, ivp) error = 0; - plog(LLV_DEBUG, LOCATION, NULL, "encrypted.\n"); + plog(ASL_LEVEL_DEBUG, "Encrypted.\n"); end: if (error && buf != NULL) { 
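Review bot: `plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "About to encrypt %d bytes", buf->l);` passes `buf->l` to `%d`, while this file formats `->l` with `%zu` (e.g. `"res->l=%zu buf->l=%zu"`), so the specifier should be `%zu`. Note also that this line dumps the complete plaintext of the outgoing ISAKMP message, padding included, at debug level; if a trace is needed, `plog(ASL_LEVEL_DEBUG, "About to encrypt %zu bytes\n", buf->l);` records the size without putting protocol payloads in the system log. `oakley_do_ikev1_encrypt` starts in the previous hunk.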
@@ -4047,14 +3608,27 @@ end: return buf; } + +/* + * encrypt packet. + */ +vchar_t * +oakley_do_encrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivep, vchar_t *ivp) +{ + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) { + return(oakley_do_ikev1_encrypt(iph1, msg, ivep, ivp)); + } + plog(ASL_LEVEL_ERR, "Failed to encrypt invalid IKE version"); + return NULL; +} + /* culculate padding length */ static int -oakley_padlen(len, base) - int len, base; +oakley_padlen(int len, int base) { int padlen; - padlen = base - len % base; + padlen = base - (len % base); if (lcconf->pad_randomlen) padlen += ((eay_random() % (lcconf->pad_maxsize + 1) + 1) * @@ -4103,7 +3677,7 @@ static int base64toCFData(vchar_t *textin, CFDataRef *dataRef) int numeq = 0; int acc = 0; int cntr = 0; - uint8_t *textcur = textin->v; + uint8_t *textcur = (__typeof__(textcur))textin->v; int len = textin->l; int i; diff --git a/ipsec-tools/racoon/oakley.h b/ipsec-tools/racoon/oakley.h index c900382..026b05c 100644 --- a/ipsec-tools/racoon/oakley.h +++ b/ipsec-tools/racoon/oakley.h @@ -35,12 +35,14 @@ #define _OAKLEY_H #include "config.h" +#include "racoon_types.h" #include "vmbuf.h" #ifndef HAVE_OPENSSL #include #endif + /* refer to RFC 2409 */ /* Attribute Classes */ 
@@ -91,12 +93,23 @@
#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R 65008
#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I 65009
#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R 65010
+#define OAKLEY_ATTR_AUTH_METHOD_EAP_PSKEY_I OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I
+#define OAKLEY_ATTR_AUTH_METHOD_EAP_PSKEY_R OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R
+#define OAKLEY_ATTR_AUTH_METHOD_EAP_DSSSIG_I OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I
+#define OAKLEY_ATTR_AUTH_METHOD_EAP_DSSSIG_R OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R
+#define OAKLEY_ATTR_AUTH_METHOD_EAP_RSASIG_I OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I
+#define OAKLEY_ATTR_AUTH_METHOD_EAP_RSASIG_R OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R
+#define OAKLEY_ATTR_AUTH_METHOD_EAP_RSAENC_I OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I
+#define OAKLEY_ATTR_AUTH_METHOD_EAP_RSAENC_R OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R
+#define OAKLEY_ATTR_AUTH_METHOD_EAP_RSAREV_I OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I
+#define OAKLEY_ATTR_AUTH_METHOD_EAP_RSAREV_R OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R
#endif
/* 65500 -> still private * to avoid clash with GSSAPI_KRB below */
#define FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I 65500
+#define FICTIVE_AUTH_METHOD_EAP_PSKEY_I FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I
/*
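Review bot: The ten new `OAKLEY_ATTR_AUTH_METHOD_EAP_*` macros and `FICTIVE_AUTH_METHOD_EAP_PSKEY_I` are plain aliases of the corresponding `XAUTH` values, so any `switch` or comparison on the negotiated authentication method sees an EAP proposal and an XAUTH proposal as the same value and cannot apply different policy to them. If that is intentional, say so next to the definitions, e.g. `/* EAP reuses the private XAUTH attribute values; the two cannot be told apart by value alone */`; if distinct values were meant, these need their own numbers.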
@@ -190,66 +203,62 @@ typedef struct cert_t_tag { struct cert_t_tag *chain; } cert_t;
-struct ph1handle;
-struct ph2handle;
struct isakmp_ivm;
-extern int oakley_get_defaultlifetime __P((void));
+extern int oakley_get_defaultlifetime (void);
-extern int oakley_dhinit __P((void));
-extern void oakley_dhgrp_free __P((struct dhgroup *));
+extern int oakley_dhinit (void);
+extern void oakley_dhgrp_free (struct dhgroup *);
#ifdef HAVE_OPENSSL
-extern int oakley_dh_compute __P((const struct dhgroup *, vchar_t *, vchar_t *, vchar_t *, vchar_t **));
-extern int oakley_dh_generate __P((const struct dhgroup *, vchar_t **, vchar_t **));
+extern int oakley_dh_compute (const struct dhgroup *, vchar_t *, vchar_t *, vchar_t *, vchar_t **);
+extern int oakley_dh_generate (const struct dhgroup *, vchar_t **, vchar_t **);
#else
-extern int oakley_dh_compute __P((const struct dhgroup *, vchar_t *, size_t, vchar_t **, SecDHContext));
-extern int oakley_dh_generate __P((const struct dhgroup *, vchar_t **, size_t *, SecDHContext*));
+extern int oakley_dh_compute (const struct dhgroup *, vchar_t *, size_t, vchar_t **, SecDHContext*);
+extern int oakley_dh_generate (const struct dhgroup *, vchar_t **, size_t *, SecDHContext*);
#endif
-extern int oakley_setdhgroup __P((int, struct dhgroup **));
+extern int oakley_setdhgroup (int, struct dhgroup **);
-extern vchar_t *oakley_prf __P((vchar_t *, vchar_t *, struct ph1handle *));
-extern vchar_t *oakley_hash __P((vchar_t *, struct ph1handle *));
+extern vchar_t *oakley_prf (vchar_t *, vchar_t *, phase1_handle_t *);
+extern vchar_t *oakley_hash (vchar_t *, phase1_handle_t *);
-extern int oakley_compute_keymat __P((struct ph2handle *, int));
+extern int oakley_compute_keymat (phase2_handle_t *, int);
+extern int oakley_compute_ikev2_keymat (phase2_handle_t *);
#if notyet
-extern vchar_t *oakley_compute_hashx __P((void));
+extern vchar_t *oakley_compute_hashx (void);
#endif
-extern vchar_t *oakley_compute_hash3 __P((struct ph1handle *,
-
u_int32_t, vchar_t *));
-extern vchar_t *oakley_compute_hash1 __P((struct ph1handle *,
- u_int32_t, vchar_t *));
-extern vchar_t *oakley_ph1hash_common __P((struct ph1handle *, int));
-extern vchar_t *oakley_ph1hash_base_i __P((struct ph1handle *, int));
-extern vchar_t *oakley_ph1hash_base_r __P((struct ph1handle *, int));
+extern vchar_t *oakley_compute_hash3 (phase1_handle_t *, u_int32_t, vchar_t *);
+extern vchar_t *oakley_compute_hash1 (phase1_handle_t *, u_int32_t, vchar_t *);
+extern vchar_t *oakley_ph1hash_common (phase1_handle_t *, int);
+extern vchar_t *oakley_ph1hash_base_i (phase1_handle_t *, int);
+extern vchar_t *oakley_ph1hash_base_r (phase1_handle_t *, int);
-extern int oakley_validate_auth __P((struct ph1handle *));
-extern int oakley_getmycert __P((struct ph1handle *));
-extern int oakley_getsign __P((struct ph1handle *));
-extern cert_t * oakley_get_peer_cert_from_certchain __P((struct ph1handle *));
-extern int oakley_find_status_in_certchain __P((cert_t *, cert_status_t));
-extern void oakley_verify_certid __P((struct ph1handle *));
-extern vchar_t *oakley_getcr __P((struct ph1handle *));
-extern int oakley_checkcr __P((struct ph1handle *));
-extern int oakley_needcr __P((int));
+extern int oakley_validate_auth (phase1_handle_t *);
+extern int oakley_getmycert (phase1_handle_t *);
+extern int oakley_getsign (phase1_handle_t *);
+extern cert_t * oakley_get_peer_cert_from_certchain (phase1_handle_t *);
+extern int oakley_find_status_in_certchain (cert_t *, cert_status_t);
+extern void oakley_verify_certid (phase1_handle_t *);
+extern vchar_t *oakley_getcr (phase1_handle_t *);
+extern int oakley_checkcr (phase1_handle_t *);
+extern int oakley_needcr (int);
struct isakmp_gen;
-extern int oakley_savecert __P((struct ph1handle *, struct isakmp_gen *));
-extern int oakley_savecr __P((struct ph1handle *, struct isakmp_gen *));
+extern int oakley_savecert (phase1_handle_t *, struct isakmp_gen *);
+extern int oakley_savecr (phase1_handle_t *, struct
isakmp_gen *);
-extern vchar_t * oakley_getpskall __P((struct ph1handle *));
-extern int oakley_skeyid __P((struct ph1handle *));
-extern int oakley_skeyid_dae __P((struct ph1handle *));
+extern vchar_t * oakley_getpskall (phase1_handle_t *);
+extern int oakley_skeyid (phase1_handle_t *);
+extern int oakley_skeyid_dae (phase1_handle_t *);
-extern int oakley_compute_enckey __P((struct ph1handle *));
-extern cert_t *oakley_newcert __P((void));
-extern void oakley_delcert __P((cert_t *));
-extern int oakley_newiv __P((struct ph1handle *));
-extern struct isakmp_ivm *oakley_newiv2 __P((struct ph1handle *, u_int32_t));
-extern void oakley_delivm __P((struct isakmp_ivm *));
-extern vchar_t *oakley_do_decrypt __P((struct ph1handle *,
- vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *oakley_do_encrypt __P((struct ph1handle *,
- vchar_t *, vchar_t *, vchar_t *));
+extern int oakley_compute_enckey (phase1_handle_t *);
+extern cert_t *oakley_newcert (void);
+extern void oakley_delcert (cert_t *);
+extern int oakley_newiv (phase1_handle_t *);
+extern struct isakmp_ivm *oakley_newiv2 (phase1_handle_t *, u_int32_t);
+extern int oakley_newiv_ikev2(phase1_handle_t *iph1);
+extern void oakley_delivm (struct isakmp_ivm *);
+extern vchar_t *oakley_do_decrypt (phase1_handle_t *, vchar_t *, vchar_t *, vchar_t *);
+extern vchar_t *oakley_do_encrypt (phase1_handle_t *, vchar_t *, vchar_t *, vchar_t *);
#ifdef ENABLE_HYBRID
#define AUTHMETHOD(iph1) \
diff --git a/ipsec-tools/racoon/open_dir.c b/ipsec-tools/racoon/open_dir.c
index 952d0ce..a904c06 100644
--- a/ipsec-tools/racoon/open_dir.c
+++ b/ipsec-tools/racoon/open_dir.c
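Review bot: Inside what is otherwise a mechanical `__P` removal, the `#else` prototype of `oakley_dh_compute` changes its last parameter from `SecDHContext` to `SecDHContext*`; that is a real signature change, so the definition and every caller in the non-OpenSSL build must have been updated in the same commit — none of them is in this hunk, so please confirm. Separately, `extern int oakley_newiv_ikev2(phase1_handle_t *iph1);` is the only declaration in the block with a parameter name and no space before the parenthesis; `extern int oakley_newiv_ikev2 (phase1_handle_t *);` matches the surrounding lines.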
@@ -39,11 +39,11 @@ #define BUF_LEN 1024 -static tDirStatus open_dir_get_search_node_ref(tDirReference dirRef, unsigned long index, +static tDirStatus open_dir_get_search_node_ref (tDirReference dirRef, unsigned long index, tDirNodeReference *searchNodeRef, unsigned long *count); -static tDirStatus open_dir_get_user_attr(tDirReference dirRef, tDirNodeReference searchNodeRef, char *user_name, +static tDirStatus open_dir_get_user_attr (tDirReference dirRef, tDirNodeReference searchNodeRef, char *user_name, char *attr, tAttributeValueEntryPtr *attr_value); -static tDirStatus open_dir_check_group_membership(tDirReference dirRef, tDirNodeReference searchNodeRef, +static tDirStatus open_dir_check_group_membership (tDirReference dirRef, tDirNodeReference searchNodeRef, char *group_name, char *user_name, char *userGID, int *authorized); @@ -64,12 +64,12 @@ int open_dir_authorize_id(vchar_t *id, vchar_t *group) char* group_name = NULL; if (id == 0 || id->l < 1) { - plog(LLV_ERROR, LOCATION, NULL, "invalid user name.\n"); + plog(ASL_LEVEL_ERR, "invalid user name.\n"); goto end; } user_name = racoon_malloc(id->l + 1); if (user_name == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "out of memory - unable to allocate space for user name.\n"); + plog(ASL_LEVEL_ERR, "out of memory - unable to allocate space for user name.\n"); goto end; } bcopy(id->v, user_name, id->l); @@ -78,7 +78,7 @@ int open_dir_authorize_id(vchar_t *id, vchar_t *group) if (group && group->l > 0) { group_name = racoon_malloc(group->l + 1); if (group_name == NULL) { - plog(LLV_NOTIFY, LOCATION, NULL, "out of memeory - unable to allocate space for group name.\n"); + plog(ASL_LEVEL_ERR, "out of memeory - unable to allocate space for group name.\n"); goto end; } bcopy(group->v, group_name, group->l); 
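Review bot: The new `ASL_LEVEL_ERR` line in the `@@ -78,7 +78,7 @@` hunk carries the typo `memeory` over from the old message even though the line is being rewritten; `"out of memory - unable to allocate space for group name.\n"` fixes it. The corresponding user-name message in the `@@ -64,12 +64,12 @@` hunk already spells it correctly.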
@@ -89,7 +89,7 @@ int open_dir_authorize_id(vchar_t *id, vchar_t *group) // get the search node ref if ((dsResult = open_dir_get_search_node_ref(dirRef, 1, &searchNodeRef, &searchNodeCount)) == eDSNoErr) { // get the user's primary group ID - if (dsResult = open_dir_get_user_attr(dirRef, searchNodeRef, user_name, kDSNAttrRecordName, &recordName) == eDSNoErr) { + if ((dsResult = open_dir_get_user_attr(dirRef, searchNodeRef, user_name, kDSNAttrRecordName, &recordName)) == eDSNoErr) { if (recordName != 0) { if (group_name != 0) { if ((dsResult = open_dir_get_user_attr(dirRef, searchNodeRef, user_name, kDS1AttrPrimaryGroupID, &groupID)) == eDSNoErr) { @@ -112,9 +112,9 @@ int open_dir_authorize_id(vchar_t *id, vchar_t *group) end: if (authorized) - plog(LLV_NOTIFY, LOCATION, NULL, "User '%s' authorized for access\n", user_name); + plog(ASL_LEVEL_NOTICE, "User '%s' authorized for access\n", user_name); else - plog(LLV_NOTIFY, LOCATION, NULL, "User '%s' not authorized for access\n", user_name); + plog(ASL_LEVEL_NOTICE, "User '%s' not authorized for access\n", user_name); if (user_name) free(user_name); if (group_name) 
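Review bot: In the `@@ -112,9 +112,9 @@` hunk both `ASL_LEVEL_NOTICE` lines format `user_name` with `%s`, but the `id == 0 || id->l < 1` check and the allocation failure earlier in `open_dir_authorize_id` jump to `end` before `user_name` is assigned, so — assuming it is initialised to NULL like the visible `group_name` — the "not authorized" message is reached with a NULL `%s` argument, which is undefined behaviour. Guard it, e.g. `plog(ASL_LEVEL_NOTICE, "User '%s' not authorized for access\n", user_name ? user_name : "(unknown)");`. The function's declarations are outside this hunk.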
@@ -141,17 +141,17 @@ static tDirStatus open_dir_get_search_node_ref(tDirReference dirRef, unsigned lo // allocate required buffers and data lists if ((searchNodeDataBufferPtr = dsDataBufferAllocate(dirRef, BUF_LEN)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataBuffer\n"); goto cleanup; } if ((searchNodeNameDataListPtr = dsDataListAllocate(dirRef)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataList\n"); goto cleanup; } // find authentication search node(s) if ((dsResult = dsFindDirNodes(dirRef, searchNodeDataBufferPtr, 0, eDSAuthenticationSearchNodeName, - &outNodeCount, &continueData)) == eDSNoErr) { + (UInt32*)&outNodeCount, &continueData)) == eDSNoErr) { if (outNodeCount != 0) { // get the seach node name and open the node 
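Review bot: `(UInt32*)&outNodeCount` hands `dsFindDirNodes` a pointer to only the low four bytes of `outNodeCount`; the cast implies the variable is wider than `UInt32` (its declaration is outside the hunk), so after the call the upper bytes keep whatever they held before and `if (outNodeCount != 0)` can be true for an empty result. Declare the variable as `UInt32 outNodeCount = 0;` and pass `&outNodeCount` without a cast; the same applies to `(UInt32*)&outRecordCount` in the `@@ -197,26 +197,26 @@` and `@@ -325,33 +325,33 @@` hunks. `open_dir_get_search_node_ref` starts outside this hunk.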
@@ -197,26 +197,26 @@ static tDirStatus open_dir_get_user_attr(tDirReference dirRef, tDirNodeReference *attr_value = 0; if ((userRcdDataBufferPtr = dsDataBufferAllocate(dirRef, BUF_LEN)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataBuffer\n"); goto cleanup; } if ((recordNameDataListPtr = dsBuildListFromStrings(dirRef, user_name, 0)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataList\n"); goto cleanup; } if ((recordTypeDataListPtr = dsBuildListFromStrings(dirRef, kDSStdRecordTypeUsers, 0)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataList\n"); goto cleanup; } if ((attrTypeDataListPtr = dsBuildListFromStrings(dirRef, kDSNAttrRecordName, kDS1AttrDistinguishedName, attr, 0)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataList\n"); goto cleanup; } // find the user record(s), extracting the user name and requested attribute do { dsResult = dsGetRecordList(searchNodeRef, userRcdDataBufferPtr, recordNameDataListPtr, eDSExact, - recordTypeDataListPtr, attrTypeDataListPtr, 0, &outRecordCount, &continueData); + recordTypeDataListPtr, attrTypeDataListPtr, 0, (UInt32*)&outRecordCount, &continueData); // if buffer too small - allocate a larger one if (dsResult == eDSBufferTooSmall) { @@ -224,7 +224,7 @@ static tDirStatus open_dir_get_user_attr(tDirReference dirRef, tDirNodeReference dsDataBufferDeAllocate(dirRef, userRcdDataBufferPtr); if ((userRcdDataBufferPtr = dsDataBufferAllocate(dirRef, size)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataBuffer\n"); dsResult = -1; goto cleanup; } 
@@ -325,33 +325,33 @@ static tDirStatus open_dir_check_group_membership(tDirReference dirRef, tDirNode *authorized = 0; if ((groupRcdDataBufferPtr = dsDataBufferAllocate(dirRef, BUF_LEN)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataBuffer\n"); goto cleanup; } if ((recordNameDataListPtr = dsBuildListFromStrings(dirRef, group_name, 0)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataList\n"); goto cleanup; } if ((recordTypeDataListPtr = dsBuildListFromStrings(dirRef, kDSStdRecordTypeGroups, 0)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataList\n"); goto cleanup; } if ((attrTypeDataListPtr = dsBuildListFromStrings(dirRef, kDS1AttrPrimaryGroupID, kDSNAttrGroupMembership, 0)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataList\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataList\n"); goto cleanup; } // find the group record, extracting the group ID and group membership attribute do { dsResult = dsGetRecordList(searchNodeRef, groupRcdDataBufferPtr, recordNameDataListPtr, eDSExact, - recordTypeDataListPtr, attrTypeDataListPtr, 0, &outRecordCount, &continueData); + recordTypeDataListPtr, attrTypeDataListPtr, 0, (UInt32*)&outRecordCount, &continueData); // if buffer too small - allocate a larger one if (dsResult == eDSBufferTooSmall) { u_int32_t size = groupRcdDataBufferPtr->fBufferSize * 2; dsDataBufferDeAllocate(dirRef, groupRcdDataBufferPtr); if ((groupRcdDataBufferPtr = dsDataBufferAllocate(dirRef, size)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Could not allocate tDataBuffer\n"); + plog(ASL_LEVEL_ERR, "Could not allocate tDataBuffer\n"); dsResult = -1; goto cleanup; } diff --git a/ipsec-tools/racoon/open_dir.h b/ipsec-tools/racoon/open_dir.h index 89f1f2c..3b718aa 100644 --- a/ipsec-tools/racoon/open_dir.h 
+++ b/ipsec-tools/racoon/open_dir.h
@@ -23,7 +23,7 @@
#ifndef __OPEN_DIR_H__
#define __OPEN_DIR_H__
-extern int open_dir_authorize_id(vchar_t *id, vchar_t *group);
+extern int open_dir_authorize_id (vchar_t *id, vchar_t *group);
#endif /* __OPEN_DIR_H__ */
diff --git a/ipsec-tools/racoon/pfkey.h b/ipsec-tools/racoon/pfkey.h
index f4b5419..5c113b6 100644
--- a/ipsec-tools/racoon/pfkey.h
+++ b/ipsec-tools/racoon/pfkey.h
@@ -32,6 +32,7 @@
#ifndef _PFKEY_H
#define _PFKEY_H
+#include
#include "ike_session.h"
struct pfkey_satype {
@@ -42,39 +43,39 @@ struct pfkey_satype { extern const struct pfkey_satype pfkey_satypes[]; extern const int pfkey_nsatypes; -extern int pfkey_handler __P((void)); -extern void pfkey_post_handler __P((void)); -extern vchar_t *pfkey_dump_sadb __P((int)); -extern void pfkey_flush_sadb __P((u_int)); -extern int pfkey_init __P((void)); +extern void pfkey_handler (void *); +extern void pfkey_post_handler (void); +extern vchar_t *pfkey_dump_sadb (int); +extern void pfkey_flush_sadb (u_int); +extern int pfkey_init (void); +void pfkey_close(void); -extern struct pfkey_st *pfkey_getpst __P((caddr_t *, int, int)); +extern struct pfkey_st *pfkey_getpst (caddr_t *, int, int); -extern int pk_checkalg __P((int, int, int)); +extern int pk_checkalg (int, int, int); -struct ph2handle; -extern int pk_sendgetspi __P((struct ph2handle *)); -extern int pk_sendupdate __P((struct ph2handle *)); -extern int pk_sendadd __P((struct ph2handle *)); -extern int pk_sendeacquire __P((struct ph2handle *)); -extern int pk_sendspdupdate2 __P((struct ph2handle *)); -extern int pk_sendspdadd2 __P((struct ph2handle *)); -extern int pk_sendspddelete __P((struct ph2handle *)); -extern int pk_sendget_inbound_sastats __P((ike_session_t *)); -extern int pk_sendget_outbound_sastats __P((ike_session_t *)); +extern int pk_sendgetspi (phase2_handle_t *); +extern int pk_sendupdate (phase2_handle_t *); +extern int pk_sendadd (phase2_handle_t *); +extern int pk_sendeacquire (phase2_handle_t *); +extern int pk_sendspdupdate2 (phase2_handle_t *); +extern int pk_sendspdadd2 (phase2_handle_t *); +extern int pk_sendspddelete (phase2_handle_t *); +extern int pk_sendget_inbound_sastats (ike_session_t *); +extern int pk_sendget_outbound_sastats (ike_session_t *); -extern void pfkey_timeover_stub __P((void *)); -extern void pfkey_timeover __P((struct ph2handle *)); +extern void pfkey_timeover_stub (void *); +extern void pfkey_timeover (phase2_handle_t *); -extern u_int pfkey2ipsecdoi_proto __P((u_int)); -extern u_int 
ipsecdoi2pfkey_proto __P((u_int)); -extern u_int pfkey2ipsecdoi_mode __P((u_int)); -extern u_int ipsecdoi2pfkey_mode __P((u_int)); +extern u_int pfkey2ipsecdoi_proto (u_int); +extern u_int ipsecdoi2pfkey_proto (u_int); +extern u_int pfkey2ipsecdoi_mode (u_int); +extern u_int ipsecdoi2pfkey_mode (u_int); -extern int pfkey_convertfromipsecdoi __P(( u_int, u_int, u_int, - u_int *, u_int *, u_int *, u_int *, u_int *)); -extern u_int32_t pk_getseq __P((void)); +extern int pfkey_convertfromipsecdoi ( phase2_handle_t *, u_int, u_int, u_int, + u_int *, u_int *, u_int *, u_int *, u_int *); +extern u_int32_t pk_getseq (void); extern const char *sadbsecas2str - __P((struct sockaddr_storage *, struct sockaddr_storage *, int, u_int32_t, int)); + (struct sockaddr_storage *, struct sockaddr_storage *, int, u_int32_t, int); #endif /* _PFKEY_H */ diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index 88ec5f7..1f20ca8 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c @@ -30,6 +30,7 @@ */ #include "config.h" +#include "racoon_types.h" #include #include @@ -54,7 +55,7 @@ #include #include -#include +#include #include #ifndef HAVE_NETINET6_IPSEC @@ -71,6 +72,8 @@ #include "plog.h" #include "sockmisc.h" #include "debug.h" +#include "fsm.h" +#include "ike_session.h" #include "schedule.h" #include "localconf.h" @@ -86,10 +89,7 @@ #include "algorithm.h" #include "sainfo.h" #include "proposal.h" -#include "admin.h" -#include "privsep.h" #include "strnames.h" -#include "backupsa.h" #include "gcmalloc.h" #include "nattraversal.h" #include "crypto_openssl.h" 
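Review bot: `extern void pfkey_flush_sadb (u_int);` remains in the new header although the only definition visible in this commit, the ENABLE_ADMINPORT block in pfkey_racoon.c (hunk `@@ -404,34 +409,10 @@`), is deleted; either remove the prototype or keep a definition. The new `void pfkey_close(void);` is also the one declaration in this file without `extern`; `extern void pfkey_close (void);` would match its neighbours. pfkey_close_sock(), which pfkey_racoon.c now calls, is not declared here either — presumably it comes from the header added at `@@ -32,6 +32,7 @@`, whose include target is not legible in this view, so that is worth confirming.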
@@ -100,38 +100,41 @@ #include "ipsecSessionTracer.h" #include "ipsecMessageTracer.h" #include "power_mgmt.h" +#include "session.h" +#include "ikev2_rfc.h" +#include "api_support.h" #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC) #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC #endif /* prototype */ -static u_int ipsecdoi2pfkey_aalg __P((u_int)); -static u_int ipsecdoi2pfkey_ealg __P((u_int)); -static u_int ipsecdoi2pfkey_calg __P((u_int)); -static u_int ipsecdoi2pfkey_alg __P((u_int, u_int)); -static u_int keylen_aalg __P((u_int)); -static u_int keylen_ealg __P((u_int, int)); - -static int pk_recvgetspi __P((caddr_t *)); -static int pk_recvupdate __P((caddr_t *)); -static int pk_recvadd __P((caddr_t *)); -static int pk_recvdelete __P((caddr_t *)); -static int pk_recvacquire __P((caddr_t *)); -static int pk_recvexpire __P((caddr_t *)); -static int pk_recvflush __P((caddr_t *)); -static int getsadbpolicy __P((caddr_t *, int *, int, struct ph2handle *)); -static int pk_recvspdupdate __P((caddr_t *)); -static int pk_recvspdadd __P((caddr_t *)); -static int pk_recvspddelete __P((caddr_t *)); -static int pk_recvspdexpire __P((caddr_t *)); -static int pk_recvspdget __P((caddr_t *)); -static int pk_recvspddump __P((caddr_t *)); -static int pk_recvspdflush __P((caddr_t *)); -static int pk_recvgetsastat __P((caddr_t *)); -static struct sadb_msg *pk_recv __P((int, ssize_t *)); - -static int (*pkrecvf[]) __P((caddr_t *)) = { +static u_int ipsecdoi2pfkey_aalg (u_int); +static u_int ipsecdoi2pfkey_ealg (u_int); +static u_int ipsecdoi2pfkey_calg (u_int); +static u_int ipsecdoi2pfkey_alg (u_int, u_int); +static u_int keylen_aalg (u_int); +static u_int keylen_ealg (u_int, int); + +static int pk_recvgetspi (caddr_t *); +static int pk_recvupdate (caddr_t *); +static int pk_recvadd (caddr_t *); +static int pk_recvdelete (caddr_t *); +static int pk_recvacquire (caddr_t *); +static int pk_recvexpire (caddr_t *); +static int pk_recvflush (caddr_t *); +static int 
getsadbpolicy (caddr_t *, int *, int, phase2_handle_t *); +static int pk_recvspdupdate (caddr_t *); +static int pk_recvspdadd (caddr_t *); +static int pk_recvspddelete (caddr_t *); +static int pk_recvspdexpire (caddr_t *); +static int pk_recvspdget (caddr_t *); +static int pk_recvspddump (caddr_t *); +static int pk_recvspdflush (caddr_t *); +static int pk_recvgetsastat (caddr_t *); +static struct sadb_msg *pk_recv (int, ssize_t *); + +static int (*pkrecvf[]) (caddr_t *) = { NULL, pk_recvgetspi, pk_recvupdate, @@ -163,7 +166,7 @@ NULL, /* SADB_X_MIGRATE */ #endif }; -static int addnewsp __P((caddr_t *)); +static int addnewsp (caddr_t *); /* cope with old kame headers - ugly */ #ifndef SADB_X_AALG_MD5 
@@ -195,54 +198,54 @@ pfkey_process(msg) caddr_t mhp[SADB_EXT_MAX + 1]; int error = -1; - //plog(LLV_DEBUG, LOCATION, NULL, "get pfkey %s message\n", - // s_pfkey_type(msg->sadb_msg_type)); - //plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3); + // Special debug use only - creates large logs + // plogdump(ASL_LEVEL_DEBUG, msg, msg->sadb_msg_len << 3, "get pfkey %s message\n", + // s_pfkey_type(msg->sadb_msg_type)); /* validity check */ + /* check pfkey message. */ + if (pfkey_align(msg, mhp)) { + plog(ASL_LEVEL_ERR, + "libipsec failed pfkey align (%s)\n", + ipsec_strerror()); + goto end; + } + if (pfkey_check(mhp)) { + plog(ASL_LEVEL_ERR, + "libipsec failed pfkey check (%s)\n", + ipsec_strerror()); + goto end; + } + msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer + if (msg->sadb_msg_errno) { int pri; /* when SPD is empty, treat the state as no error. */ if (msg->sadb_msg_type == SADB_X_SPDDUMP && msg->sadb_msg_errno == ENOENT) - pri = LLV_DEBUG; + pri = ASL_LEVEL_DEBUG; else - pri = LLV_ERROR; + pri = ASL_LEVEL_ERR; - plog(pri, LOCATION, NULL, + plog(pri, "pfkey %s failed: %s\n", s_pfkey_type(msg->sadb_msg_type), strerror(msg->sadb_msg_errno)); - goto end; } - /* check pfkey message. 
*/ - if (pfkey_align(msg, mhp)) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed pfkey align (%s)\n", - ipsec_strerror()); - goto end; - } - if (pfkey_check(mhp)) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed pfkey check (%s)\n", - ipsec_strerror()); - goto end; - } - msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer - + /* safety check */ if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unknown PF_KEY message type=%u\n", msg->sadb_msg_type); goto end; } if (pkrecvf[msg->sadb_msg_type] == NULL) { - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "unsupported PF_KEY message %s\n", s_pfkey_type(msg->sadb_msg_type)); goto end; @@ -263,35 +266,37 @@ end: * 0: success * -1: fail */ -int -pfkey_handler() + +//%%%%%%%%%%%%%%%%%% need to handle errors encountered here - this no longer returns a result +void +pfkey_handler(void *unused) { struct sadb_msg *msg; ssize_t len; if (slept_at || woke_at) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignoring pfkey port until power-mgmt event is handled.\n"); - return 0; + return; } /* receive pfkey message. */ len = 0; msg = (struct sadb_msg *)pk_recv(lcconf->sock_pfkey, &len); + if (msg == NULL) { if (len < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to recv from pfkey (%s)\n", strerror(errno)); - return -1; + return; } else { /* short message - msg not ready */ - plog(LLV_ERROR, LOCATION, NULL, - "recv short message from pfkey\n"); - return 0; + plog(ASL_LEVEL_DEBUG, "recv short message from pfkey\n"); + return; } } - return pfkey_process(msg); + pfkey_process(msg); } void @@ -301,7 +306,7 @@ pfkey_post_handler() struct saved_msg_elem *elem_tmp = NULL; if (slept_at || woke_at) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignoring (saved) pfkey messages until power-mgmt event is handled.\n"); return; } 
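Review bot: The `if (msg->sadb_msg_errno)` block in pfkey_process no longer ends in `goto end;`, so a message the kernel flagged as failed is logged and then still dispatched to the `pkrecvf[]` handler for its type. If that is intended (for instance so a handler can tear down the pending phase-2 after a failed GETSPI) it deserves a comment, since none of the receive handlers in the hunks shown checks sadb_msg_errno; otherwise restore `goto end;` after the plog. Moving pfkey_align()/pfkey_check() ahead of the errno read is the right order: the message is validated before any field is trusted. pfkey_process begins before this hunk.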
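Review bot: The `//%%%%%%%%%%%%%%%%%% need to handle errors encountered here …` marker above pfkey_handler is the only record that pfkey_process's status is now discarded; make it a tracked note, e.g. `/* TODO: pfkey_process() status is dropped now that this is a dispatch event handler. */`, so it does not read as leftover scratch. The `unused` parameter is fine for dispatch_source_set_event_handler_f, but a `(void)unused;` in the body would keep -Wunused-parameter builds quiet.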
@@ -342,16 +347,16 @@ pfkey_dump_sadb(satype) size_t bl, ml; ssize_t len; - if ((s = privsep_pfkey_open()) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if ((s = pfkey_open()) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed pfkey open: %s\n", ipsec_strerror()); return NULL; } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_dump\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_dump\n"); if (pfkey_send_dump(s, satype) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "libipsec failed dump: %s\n", ipsec_strerror()); goto fail; } @@ -385,7 +390,7 @@ pfkey_dump_sadb(satype) bl = buf ? buf->l : 0; buf = vrealloc(buf, bl + ml); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to reallocate buffer to dump.\n"); goto fail; } @@ -404,34 +409,10 @@ done: if (msg) racoon_free(msg); if (s >= 0) - privsep_pfkey_close(s); + pfkey_close_sock(s); return buf; } -#ifdef ENABLE_ADMINPORT -/* - * flush SADB - */ -void -pfkey_flush_sadb(proto) - u_int proto; -{ - int satype; - - /* convert to SADB_SATYPE */ - if ((satype = admin2pfkey_proto(proto)) < 0) - return; - - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_flush\n"); - if (pfkey_send_flush(lcconf->sock_pfkey, satype) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send flush (%s)\n", ipsec_strerror()); - return; - } - - return; -} -#endif /* * These are the SATYPEs that we manage. We register to get 
@@ -451,24 +432,24 @@ const int pfkey_nsatypes = * PF_KEY initialization */ int -pfkey_init() +pfkey_init(void) { - int i, reg_fail; + int i, reg_fail, sock; - if ((lcconf->sock_pfkey = privsep_pfkey_open()) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if ((lcconf->sock_pfkey = pfkey_open()) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed pfkey open (%s)\n", ipsec_strerror()); return -1; } for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "call pfkey_send_register for %s\n", pfkey_satypes[i].ps_name); if (pfkey_send_register(lcconf->sock_pfkey, pfkey_satypes[i].ps_satype) < 0 || pfkey_recv_register(lcconf->sock_pfkey) < 0) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "failed to register %s (%s)\n", pfkey_satypes[i].ps_name, ipsec_strerror()); 
@@ -477,30 +458,50 @@ pfkey_init() } if (reg_fail == pfkey_nsatypes) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to regist any protocol.\n"); - pfkey_close(lcconf->sock_pfkey); + close(lcconf->sock_pfkey); return -1; } - - initsp(); + initsp(); + + lcconf->pfkey_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, lcconf->sock_pfkey, 0, dispatch_get_main_queue()); + if (lcconf->pfkey_source == NULL) { + plog(ASL_LEVEL_ERR, "could not create pfkey socket source."); + return -1; + } + dispatch_source_set_event_handler_f(lcconf->pfkey_source, pfkey_handler); + sock = lcconf->sock_pfkey; + dispatch_source_set_cancel_handler(lcconf->pfkey_source, + ^{ + pfkey_close_sock(sock); + }); + dispatch_resume(lcconf->pfkey_source); if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "libipsec sending spddump failed: %s\n", ipsec_strerror()); - pfkey_close(lcconf->sock_pfkey); + pfkey_close(); return -1; } #if 0 if (pfkey_promisc_toggle(1) < 0) { - pfkey_close(lcconf->sock_pfkey); + pfkey_close(); return -1; } #endif + return 0; } +void +pfkey_close(void) +{ + dispatch_source_cancel(lcconf->pfkey_source); + lcconf->pfkey_source = NULL; +} + /* %%% for conversion */ /* IPSECDOI_ATTR_AUTH -> SADB_AALG */ static u_int 
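Review bot: When dispatch_source_create() returns NULL, pfkey_init returns -1 with lcconf->sock_pfkey still open, whereas the registration-failure path just above closes it; add `close(lcconf->sock_pfkey); lcconf->sock_pfkey = -1;` before that `return -1;`. The cancel handler closes the descriptor through `pfkey_close_sock(sock)`, but nothing resets lcconf->sock_pfkey afterwards, so code that tests the field after pfkey_close() sees a stale descriptor number. The new `"could not create pfkey socket source."` message is also the only plog in this function without a trailing `\n`.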
@@ -508,44 +509,46 @@ ipsecdoi2pfkey_aalg(hashtype) u_int hashtype; { switch (hashtype) { - case IPSECDOI_ATTR_AUTH_HMAC_MD5: - return SADB_AALG_MD5HMAC; - case IPSECDOI_ATTR_AUTH_HMAC_SHA1: - return SADB_AALG_SHA1HMAC; - case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256: + case IPSECDOI_ATTR_AUTH_HMAC_MD5: + case IPSECDOI_ATTR_AUTH_HMAC_MD5_96: + return SADB_AALG_MD5HMAC; + case IPSECDOI_ATTR_AUTH_HMAC_SHA1: + case IPSECDOI_ATTR_AUTH_HMAC_SHA1_96: + return SADB_AALG_SHA1HMAC; + case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256: #if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC) - return SADB_X_AALG_SHA2_256; + return SADB_X_AALG_SHA2_256; #else - return SADB_X_AALG_SHA2_256HMAC; + return SADB_X_AALG_SHA2_256HMAC; #endif - case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384: + case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384: #if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC) - return SADB_X_AALG_SHA2_384; + return SADB_X_AALG_SHA2_384; #else - return SADB_X_AALG_SHA2_384HMAC; + return SADB_X_AALG_SHA2_384HMAC; #endif - case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512: + case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512: #if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC) - return SADB_X_AALG_SHA2_512; + return SADB_X_AALG_SHA2_512; #else - return SADB_X_AALG_SHA2_512HMAC; + return SADB_X_AALG_SHA2_512HMAC; #endif - case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */ - return SADB_AALG_NONE; - - /* not supported */ - case IPSECDOI_ATTR_AUTH_DES_MAC: - plog(LLV_ERROR, LOCATION, NULL, - "Not supported hash type: %u\n", hashtype); - return ~0; - - case 0: /* reserved */ - default: - return SADB_AALG_NONE; - - plog(LLV_ERROR, LOCATION, NULL, - "Invalid hash type: %u\n", hashtype); - return ~0; + case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */ + return SADB_AALG_NONE; + + /* not supported */ + case IPSECDOI_ATTR_AUTH_DES_MAC: + plog(ASL_LEVEL_ERR, + "Not supported hash type: %u\n", hashtype); + return ~0; + + case 0: /* reserved */ + default: + return SADB_AALG_NONE; + 
+ plog(ASL_LEVEL_ERR, + "Invalid hash type: %u\n", hashtype); + return ~0; } /*NOTREACHED*/ } @@ -588,13 +591,13 @@ ipsecdoi2pfkey_ealg(t_id) case IPSECDOI_ESP_3IDEA: case IPSECDOI_ESP_IDEA: case IPSECDOI_ESP_RC4: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Not supported transform: %u\n", t_id); return ~0; case 0: /* reserved */ default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid transform id: %u\n", t_id); return ~0; } @@ -616,7 +619,7 @@ ipsecdoi2pfkey_calg(t_id) case 0: /* reserved */ default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid transform id: %u\n", t_id); return ~0; } @@ -637,7 +640,7 @@ ipsecdoi2pfkey_proto(proto) return SADB_X_SATYPE_IPCOMP; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid ipsec_doi proto: %u\n", proto); return ~0; } @@ -656,7 +659,7 @@ ipsecdoi2pfkey_alg(algclass, type) case IPSECDOI_PROTO_IPCOMP: return ipsecdoi2pfkey_calg(type); default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid ipsec_doi algclass: %u\n", algclass); return ~0; } @@ -677,7 +680,7 @@ pfkey2ipsecdoi_proto(satype) return IPSECDOI_PROTO_IPCOMP; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid pfkey proto: %u\n", satype); return ~0; } @@ -703,7 +706,7 @@ ipsecdoi2pfkey_mode(mode) #endif return IPSEC_MODE_TRANSPORT; default: - plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode); + plog(ASL_LEVEL_ERR, "Invalid mode type: %u\n", mode); return ~0; } /*NOTREACHED*/ @@ -722,7 +725,7 @@ pfkey2ipsecdoi_mode(mode) case IPSEC_MODE_ANY: return IPSECDOI_ATTR_ENC_MODE_ANY; default: - plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode); + plog(ASL_LEVEL_ERR, "Invalid mode type: %u\n", mode); return ~0; } /*NOTREACHED*/ @@ -740,7 +743,7 @@ keylen_aalg(hashtype) res = alg_ipsec_hmacdef_hashlen(hashtype); if (res == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid hmac algorithm %u.\n", hashtype); return ~0; } 
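Review bot: In the `default:` arm of ipsecdoi2pfkey_aalg the `plog(ASL_LEVEL_ERR, "Invalid hash type: %u\n", hashtype);` and `return ~0;` are unreachable because `return SADB_AALG_NONE;` precedes them, and the re-indentation carries that dead code onto the new side. Either the early return or the error path should go: as written an unrecognized hash attribute maps to SADB_AALG_NONE, the same value KPDK gets, so callers that compare the result against ~0 will not reject it. If the lenient mapping is deliberate, say so in a comment and delete the unreachable lines; if not, drop the early return so invalid types are refused like they are in ipsecdoi2pfkey_ealg.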
@@ -757,7 +760,7 @@ keylen_ealg(enctype, encklen) res = alg_ipsec_encdef_keylen(enctype, encklen); if (res == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encryption algorithm %u.\n", enctype); return ~0; } @@ -765,8 +768,9 @@ keylen_ealg(enctype, encklen) } int -pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, +pfkey_convertfromipsecdoi(iph2, proto_id, t_id, hashtype, e_type, e_keylen, a_type, a_keylen, flags) + phase2_handle_t *iph2; u_int proto_id; u_int t_id; u_int hashtype; @@ -790,9 +794,8 @@ pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, if ((*a_keylen = keylen_aalg(hashtype)) == ~0) goto bad; *a_keylen >>= 3; - if (*e_type == SADB_EALG_NONE) { - plog(LLV_ERROR, LOCATION, NULL, "no ESP algorithm.\n"); + plog(ASL_LEVEL_ERR, "no ESP algorithm.\n"); goto bad; } break; @@ -813,7 +816,7 @@ pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, *e_type = SADB_EALG_NONE; *e_keylen = 0; if (*a_type == SADB_AALG_NONE) { - plog(LLV_ERROR, LOCATION, NULL, "no AH algorithm.\n"); + plog(ASL_LEVEL_ERR, "no AH algorithm.\n"); goto bad; } break; @@ -828,13 +831,13 @@ pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, *a_type = SADB_AALG_NONE; *a_keylen = 0; if (*e_type == SADB_X_CALG_NONE) { - plog(LLV_ERROR, LOCATION, NULL, "no IPCOMP algorithm.\n"); + plog(ASL_LEVEL_ERR, "no IPCOMP algorithm.\n"); goto bad; } break; default: - plog(LLV_ERROR, LOCATION, NULL, "unknown IPsec protocol.\n"); + plog(ASL_LEVEL_ERR, "unknown IPsec protocol.\n"); goto bad; } @@ -851,14 +854,14 @@ pfkey_timeover_stub(p) void *p; { - pfkey_timeover((struct ph2handle *)p); + pfkey_timeover((phase2_handle_t *)p); } void pfkey_timeover(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s give up to get IPsec-SA due to time up to wait.\n", saddrwop2str((struct sockaddr *)iph2->dst)); SCHED_KILL(iph2->sce); 
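Review bot: The new `phase2_handle_t *iph2` parameter of pfkey_convertfromipsecdoi is not referenced in any hunk of the function shown here, so a reader of the signature cannot tell what it is for; a one-line comment at the definition saying what the handle is consulted for, or a `(void)iph2;` if it is reserved for a later path, would make that explicit. The definition also keeps the K&R identifier-list form while the prototypes in this commit moved to ANSI style; converting it would let the compiler check the call sites that gained the extra argument. The function body continues beyond these hunks.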
@@ -867,9 +870,7 @@ pfkey_timeover(iph2) if (iph2->side == INITIATOR) pk_sendeacquire(iph2); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); return; } @@ -883,7 +884,7 @@ pfkey_timeover(iph2) */ int pk_sendgetspi(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct sockaddr_storage *src = NULL, *dst = NULL; u_int satype, mode; @@ -916,7 +917,7 @@ pk_sendgetspi(iph2) /* validity check */ satype = ipsecdoi2pfkey_proto(pr->proto_id); if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", pr->proto_id); return -1; } @@ -932,12 +933,12 @@ pk_sendgetspi(iph2) } mode = ipsecdoi2pfkey_mode(pr->encmode); if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encmode %d\n", pr->encmode); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_getspi\n"); if (pfkey_send_getspi( lcconf->sock_pfkey, satype, @@ -945,13 +946,14 @@ pk_sendgetspi(iph2) dst, /* src of SA */ src, /* dst of SA */ minspi, maxspi, - pr->reqid_in, iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + pr->reqid_in, 0, 0, iph2->seq, 0) < 0) { + plog(ASL_LEVEL_ERR, "ipseclib failed send getspi (%s)\n", ipsec_strerror()); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, + + plog(ASL_LEVEL_DEBUG, "pfkey GETSPI sent: %s\n", sadbsecas2str(dst, src, satype, 0, mode)); } @@ -968,7 +970,7 @@ pk_recvgetspi(mhp) { struct sadb_msg *msg; struct sadb_sa *sa; - struct ph2handle *iph2; + phase2_handle_t *iph2; struct sockaddr_storage *dst; int proto_id; int allspiok, notfound; 
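Review bot: `pr->reqid_in, 0, 0, iph2->seq, 0` hands three new bare zeros to pfkey_send_getspi, and the pfkey_send_update/pfkey_send_add calls at `@@ -1192,14 +1200,14 @@` and `@@ -1523,14 +1515,14 @@` grow a trailing `0` the same way; a reader cannot tell which parameter each zero satisfies. A trailing comment naming the parameter, in the style of the existing `/* src of SA */` annotations on the address arguments, would make the calls self-describing. pk_sendgetspi begins before this hunk and continues after it.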
@@ -978,8 +980,8 @@ pk_recvgetspi(mhp) /* validity check */ if (mhp[SADB_EXT_SA] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb getspi message passed.\n"); + plog(ASL_LEVEL_ERR, + "Inappropriate sadb getspi message passed.\n"); return -1; } msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer @@ -988,7 +990,7 @@ pk_recvgetspi(mhp) /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is not interesting " "because pid %d is not mine.\n", s_pfkey_type(msg->sadb_msg_type), 
@@ -996,40 +998,43 @@ pk_recvgetspi(mhp) return -1; } - iph2 = getph2byseq(msg->sadb_msg_seq); + iph2 = ike_session_getph2byseq(msg->sadb_msg_seq); if (iph2 == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "seq %d of %s message not interesting.\n", + plog(ASL_LEVEL_DEBUG, + "Seq %d of %s message not interesting.\n", msg->sadb_msg_seq, s_pfkey_type(msg->sadb_msg_type)); return -1; } if (iph2->is_dying) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatch phase2 dying (db:%d msg:%d)\n", - iph2->status, PHASE2ST_GETSPISENT); + plog(ASL_LEVEL_ERR, + "Status mismatch Phase 2 dying (db:%d)\n", + iph2->status); return -1; } - - if (iph2->status != PHASE2ST_GETSPISENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatch (db:%d msg:%d)\n", - iph2->status, PHASE2ST_GETSPISENT); - return -1; - } - - // check the underlying iph2->ph1 - if (!iph2->ph1) { - if (!ike_session_update_ph2_ph1bind(iph2)) { - plog(LLV_ERROR, LOCATION, NULL, - "can't proceed with getspi for %s. no suitable ISAKMP-SA found \n", - saddrwop2str((struct sockaddr *)iph2->dst)); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + + switch (iph2->version) { + case ISAKMP_VERSION_NUMBER_IKEV1: + if (iph2->status != IKEV1_STATE_QUICK_I_GETSPISENT && + iph2->status != IKEV1_STATE_QUICK_R_GETSPISENT) { + plog(ASL_LEVEL_ERR, "Status mismatch (db:%d)\n", iph2->status); + return -1; + } + // check the underlying iph2->ph1 + if (!iph2->ph1) { + if (!ike_session_update_ph2_ph1bind(iph2)) { + plog(ASL_LEVEL_ERR, + "Can't proceed with getspi for %s. no suitable ISAKMP-SA found \n", + saddrwop2str((struct sockaddr *)iph2->dst)); + ike_session_unlink_phase2(iph2); + return -1; + } + } + break; + default: + plog(ASL_LEVEL_ERR, "Internal error: invalid IKE major version %d\n", iph2->version); return -1; - } } /* set SPI, and check to get all spi whether or not */ 
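Review bot: In the new `switch (iph2->version)` the `default:` arm logs an internal error and returns -1 but, unlike the ph1-bind failure arm beside it, leaves the phase-2 handle linked; if a handle of an unexpected version can reach this point it lingers until its timer fires, which may be intended but should be stated in a comment or resolved with `ike_session_unlink_phase2(iph2);` as the other arm does. The `is_dying` message lost its expected-state value now that two states are accepted, which is fine, but the two checks could then share the same `"Status mismatch (db:%d)\n"` format. pk_recvgetspi begins before this hunk and continues after it.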
@@ -1042,7 +1047,7 @@ pk_recvgetspi(mhp) if (pr->proto_id == proto_id && pr->spi == 0) { pr->spi = sa->sadb_sa_spi; notfound = 0; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey GETSPI succeeded: %s\n", sadbsecas2str(iph2->dst, iph2->src, msg->sadb_msg_satype, @@ -1054,29 +1059,25 @@ pk_recvgetspi(mhp) } if (notfound) { - plog(LLV_ERROR, LOCATION, NULL, - "get spi for unknown address %s\n", + plog(ASL_LEVEL_ERR, + "Get spi for unknown address %s\n", saddrwop2str((struct sockaddr *)iph2->dst)); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); return -1; } if (allspiok) { - /* update status */ - iph2->status = PHASE2ST_GETSPIDONE; - if (isakmp_post_getspi(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to start post getspi.\n"); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - iph2 = NULL; - return -1; - } - } - + switch (iph2->version) { + case ISAKMP_VERSION_NUMBER_IKEV1: + if (isakmp_post_getspi(iph2) < 0) { + plog(ASL_LEVEL_ERR, "IKEv1 post getspi failed.\n"); + ike_session_unlink_phase2(iph2); + iph2 = NULL; + return -1; + } + break; + } + } return 0; } @@ -1085,7 +1086,7 @@ pk_recvgetspi(mhp) */ int pk_sendupdate(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct saproto *pr; struct sockaddr_storage *src = NULL, *dst = NULL; @@ -1095,11 +1096,13 @@ pk_sendupdate(iph2) u_int wsize = 4; /* XXX static size of window */ int proxy = 0; struct ph2natt natt; + struct satrns *tr; + int authtype; /* sanity check */ if (iph2->approval == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no approvaled SAs found.\n"); + plog(ASL_LEVEL_ERR, + "No approved SAs found.\n"); } if (iph2->side == INITIATOR) 
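Review bot: The `switch (iph2->version)` under `if (allspiok)` has only an IKEv1 arm and no `default:`, so a handle of any other version falls through and the function returns 0 as if GETSPI had completed; the validation switch earlier in the same function rejects such versions, so a matching `default:` that logs and returns -1 would keep the two consistent. `iph2 = NULL;` immediately before `return -1;` has no effect and can be dropped.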
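Review bot: The `if (iph2->approval == NULL)` sanity check at the top of pk_sendupdate still only logs `"No approved SAs found.\n"`, and the function goes on to dereference `iph2->approval->lifetime` in the later hunks; add `return -1;` after the plog. The same log-and-continue pattern is in pk_sendadd at `@@ -1421,10 +1406,12 @@`. The new local `struct satrns *tr;` is not used in any hunk of either function shown here, so it will draw an unused-variable warning unless code outside this view consumes it.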
@@ -1121,8 +1124,8 @@ pk_sendupdate(iph2) /* validity check */ satype = ipsecdoi2pfkey_proto(pr->proto_id); if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid proto_id %d\n", pr->proto_id); + plog(ASL_LEVEL_ERR, + "Invalid proto_id %d\n", pr->proto_id); return -1; } else if (satype == SADB_X_SATYPE_IPCOMP) { @@ -1134,18 +1137,21 @@ pk_sendupdate(iph2) #else mode = ipsecdoi2pfkey_mode(pr->encmode); if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encmode %d\n", pr->encmode); + plog(ASL_LEVEL_ERR, + "Invalid encmode %d\n", pr->encmode); return -1; } #endif /* set algorithm type and key length */ e_keylen = pr->head->encklen; + authtype = pr->head->authtype; + a_keylen = 0; if (pfkey_convertfromipsecdoi( + iph2, pr->proto_id, pr->head->trns_id, - pr->head->authtype, + authtype, &e_type, &e_keylen, &a_type, &a_keylen, &flags) < 0) return -1; @@ -1157,7 +1163,9 @@ pk_sendupdate(iph2) #endif #ifdef ENABLE_NATT - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n"); + //plog(ASL_LEVEL_DEBUG, "call pfkey_send_update\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_update: e_type %d, e_klen %d, a_type %d, a_klen %d\n", + e_type, e_keylen, a_type, a_keylen); if (pr->udp_encap) { memset (&natt, 0, sizeof (natt)); natt.sport = extract_port (iph2->ph1->remote); @@ -1192,14 +1200,14 @@ pk_sendupdate(iph2) pr->keymat->v, e_type, e_keylen, a_type, a_keylen, flags, 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq, natt.sport) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + iph2->seq, natt.sport, 0) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed send update (%s)\n", ipsec_strerror()); return -1; } #else - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_update\n"); if (pfkey_send_update( lcconf->sock_pfkey, satype, 
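Review bot: The commented-out `//plog(ASL_LEVEL_DEBUG, "call pfkey_send_update\n");` left above the new debug line is dead code and should be deleted; the same leftover appears in pk_sendadd at `@@ -1483,7 +1473,9 @@`. Logging `e_type`/`a_type` and the key lengths is acceptable since no key bytes are printed, but the `#else` branch still logs only the short form, so NAT-T and non-NAT-T builds now report different detail for the same event.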
@@ -1212,39 +1220,15 @@ pk_sendupdate(iph2) pr->keymat->v, e_type, e_keylen, a_type, a_keylen, flags, 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + iph2->seq, 0, 0) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed send update (%s)\n", ipsec_strerror()); return -1; } #endif /* ENABLE_NATT */ - if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) - continue; - /* - * It maybe good idea to call backupsa_to_file() after - * racoon will receive the sadb_update messages. - * But it is impossible because there is not key in the - * information from the kernel. - */ - if (backupsa_to_file(satype, mode, (struct sockaddr *)dst, (struct sockaddr *)src, - pr->spi, pr->reqid_in, 4, - pr->keymat->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, iph2->approval->lifebyte * 1024, - iph2->approval->lifetime, 0, - iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "backuped SA failed: %s\n", - sadbsecas2str(dst, src, - satype, pr->spi, mode)); - } - plog(LLV_DEBUG, LOCATION, NULL, - "backuped SA: %s\n", - sadbsecas2str(dst, src, - satype, pr->spi, mode)); } return 0; @@ -1257,7 +1241,7 @@ pk_recvupdate(mhp) struct sadb_msg *msg; struct sadb_sa *sa; struct sockaddr_storage *src, *dst; - struct ph2handle *iph2; + phase2_handle_t *iph2; u_int proto_id, encmode, sa_mode; int incomplete = 0; struct saproto *pr; @@ -1271,7 +1255,7 @@ pk_recvupdate(mhp) || mhp[SADB_EXT_SA] == NULL || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb update message passed.\n"); return -1; } @@ -1286,7 +1270,7 @@ pk_recvupdate(mhp) /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is not interesting " "because pid %d is not mine.\n", s_pfkey_type(msg->sadb_msg_type), 
@@ -1294,26 +1278,27 @@ pk_recvupdate(mhp) return -1; } - iph2 = getph2byseq(msg->sadb_msg_seq); + iph2 = ike_session_getph2byseq(msg->sadb_msg_seq); if (iph2 == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "seq %d of %s message not interesting.\n", + plog(ASL_LEVEL_DEBUG, + "Seq %d of %s message not interesting.\n", msg->sadb_msg_seq, s_pfkey_type(msg->sadb_msg_type)); return -1; } if (iph2->is_dying) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatch phase2 dying (db:%d msg:%d)\n", - iph2->status, PHASE2ST_ADDSA); + plog(ASL_LEVEL_ERR, + "Status mismatch Phase 2 dying (db:%d)\n", + iph2->status); return -1; } - - if (iph2->status != PHASE2ST_ADDSA) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatch (db:%d msg:%d)\n", - iph2->status, PHASE2ST_ADDSA); + //%%%% fix for IKEv2 + if (iph2->status != IKEV1_STATE_QUICK_I_ADDSA && + iph2->status != IKEV1_STATE_QUICK_R_ADDSA) { + plog(ASL_LEVEL_ERR, + "Status mismatch (db:%d)\n", + iph2->status); return -1; } @@ -1321,13 +1306,13 @@ pk_recvupdate(mhp) for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); if (proto_id == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", msg->sadb_msg_satype); return -1; } encmode = pfkey2ipsecdoi_mode(sa_mode); if (encmode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encmode %d\n", sa_mode); return -1; } @@ -1335,14 +1320,14 @@ pk_recvupdate(mhp) if (pr->proto_id == proto_id && pr->spi == sa->sadb_sa_spi) { pr->ok = 1; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey UPDATE succeeded: %s\n", sadbsecas2str(iph2->dst, iph2->src, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "IPsec-SA established: %s\n", sadbsecas2str(iph2->dst, iph2->src, msg->sadb_msg_satype, sa->sadb_sa_spi, 
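Review bot: The `//%%%% fix for IKEv2` marker sits on a status check that accepts only `IKEV1_STATE_QUICK_I_ADDSA` and `IKEV1_STATE_QUICK_R_ADDSA`, so an IKEv2 phase-2 handle reaching pk_recvupdate is refused with "Status mismatch"; pk_recvgetspi in this same commit switches on `iph2->version` before checking state, and this function should either do the same or carry a proper `/* TODO: IKEv2 states are not yet accepted here */` explaining the gap. pk_recvupdate begins before this hunk and continues after it.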
@@ -1360,7 +1345,7 @@ pk_recvupdate(mhp) SCHED_KILL(iph2->sce); /* update status */ - iph2->status = PHASE2ST_ESTABLISHED; + fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_ESTABLISHED); if (iph2->side == INITIATOR) { IPSECSESSIONTRACEREVENT(iph2->parent_session, @@ -1376,13 +1361,13 @@ pk_recvupdate(mhp) ike_session_ph2_established(iph2); - IPSECLOGASLMSG("IPSec Phase2 established (Initiated by %s).\n", + IPSECLOGASLMSG("IPSec Phase 2 established (Initiated by %s).\n", (iph2->side == INITIATOR)? "me" : "peer"); #ifdef ENABLE_STATS gettimeofday(&iph2->end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase2", "quick", timedelta(&iph2->start, &iph2->end)); + plog(ASL_LEVEL_NOTICE, "%s(%s): %8.6f", + "Phase 2", "quick", timedelta(&iph2->start, &iph2->end)); #endif /* count up */ @@ -1397,12 +1382,12 @@ pk_recvupdate(mhp) * since we are going to reuse the phase2 handler, we need to * remain it and refresh all the references between ph1 and ph2 to use. */ - unbindph12(iph2); + ike_session_unbindph12(iph2); //%%%%% fix this iph2->sce = sched_new(iph2->approval->lifetime, isakmp_ph2expire_stub, iph2); - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); + plog(ASL_LEVEL_DEBUG, "===\n"); return 0; } @@ -1411,7 +1396,7 @@ pk_recvupdate(mhp) */ int pk_sendadd(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct saproto *pr; struct sockaddr_storage *src = NULL, *dst = NULL; @@ -1421,10 +1406,12 @@ pk_sendadd(iph2) u_int wsize = 4; /* XXX static size of window */ int proxy = 0; struct ph2natt natt; + struct satrns *tr; + int authtype; /* sanity check */ if (iph2->approval == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no approvaled SAs found.\n"); } @@ -1447,7 +1434,7 @@ pk_sendadd(iph2) /* validity check */ satype = ipsecdoi2pfkey_proto(pr->proto_id); if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", pr->proto_id); return -1; } 
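Review bot: `ike_session_unbindph12(iph2); //%%%%% fix this` gives no hint of what is wrong; replace the marker with a `TODO:` that names the concern (the comment above it says the handler is kept for reuse, so presumably it is the unbind/rebind sequence, but that is a guess). In the `#ifdef ENABLE_STATS` block the new `plog(ASL_LEVEL_NOTICE, "%s(%s): %8.6f", ...)` is the only plog in these hunks without a trailing `\n`; the syslog() call it replaces did not need one, but every other plog() message here carries it.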
@@ -1460,7 +1447,7 @@ pk_sendadd(iph2) #else mode = ipsecdoi2pfkey_mode(pr->encmode); if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encmode %d\n", pr->encmode); return -1; } @@ -1468,10 +1455,13 @@ pk_sendadd(iph2) /* set algorithm type and key length */ e_keylen = pr->head->encklen; + authtype = pr->head->authtype; + a_keylen = 0; if (pfkey_convertfromipsecdoi( + iph2, pr->proto_id, pr->head->trns_id, - pr->head->authtype, + authtype, &e_type, &e_keylen, &a_type, &a_keylen, &flags) < 0) return -1; @@ -1483,7 +1473,9 @@ pk_sendadd(iph2) #endif #ifdef ENABLE_NATT - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n"); + //plog(ASL_LEVEL_DEBUG, "call pfkey_send_add\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_add: e_type %d, e_klen %d, a_type %d, a_klen %d\n", + e_type, e_keylen, a_type, a_keylen); if (pr->udp_encap) { memset (&natt, 0, sizeof (natt)); @@ -1523,14 +1515,14 @@ pk_sendadd(iph2) pr->keymat_p->v, e_type, e_keylen, a_type, a_keylen, flags, 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq,natt.dport) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + iph2->seq,natt.dport, 0) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed send add (%s)\n", ipsec_strerror()); return -1; } #else - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_add\n"); /* Remove port information, it is not used without NAT-T */ //set_port(src, 0); 
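Review bot: Hunk -1483 keeps the old log line as commented-out code, `//plog(ASL_LEVEL_DEBUG, "call pfkey_send_add\n");`, directly above its replacement; delete the dead line, since the new message carries the same text plus the algorithm fields. The same pattern recurs in pk_sendget_inbound_sastats and pk_sendget_outbound_sastats (hunks -2745, -2756, -2786 and -2797), where "about to call" and "successful" logs are commented out instead of removed. If those messages were too noisy, removing them is the right call; leaving them as comments only invites them to drift out of sync with the code.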
@@ -1548,38 +1540,13 @@ pk_sendadd(iph2) pr->keymat_p->v, e_type, e_keylen, a_type, a_keylen, flags, 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + iph2->seq, 0, 0) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed send add (%s)\n", ipsec_strerror()); return -1; } #endif /* ENABLE_NATT */ - if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) - continue; - - /* - * It maybe good idea to call backupsa_to_file() after - * racoon will receive the sadb_update messages. - * But it is impossible because there is not key in the - * information from the kernel. - */ - if (backupsa_to_file(satype, mode, (struct sockaddr *)src, (struct sockaddr *)dst, - pr->spi_p, pr->reqid_out, 4, - pr->keymat_p->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, iph2->approval->lifebyte * 1024, - iph2->approval->lifetime, 0, - iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "backuped SA failed: %s\n", - sadbsecas2str(src, dst, - satype, pr->spi_p, mode)); - } - plog(LLV_DEBUG, LOCATION, NULL, - "backuped SA: %s\n", - sadbsecas2str(src, dst, - satype, pr->spi_p, mode)); } return 0; @@ -1592,7 +1559,7 @@ pk_recvadd(mhp) struct sadb_msg *msg; struct sadb_sa *sa; struct sockaddr_storage *src, *dst; - struct ph2handle *iph2; + phase2_handle_t *iph2; u_int sa_mode; /* ignore this message because of local test mode. */ @@ -1604,7 +1571,7 @@ pk_recvadd(mhp) || mhp[SADB_EXT_SA] == NULL || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb add message passed.\n"); return -1; } @@ -1619,7 +1586,7 @@ pk_recvadd(mhp) /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is not interesting " "because pid %d is not mine.\n", s_pfkey_type(msg->sadb_msg_type), 
@@ -1627,21 +1594,20 @@ pk_recvadd(mhp) return -1; } - iph2 = getph2byseq(msg->sadb_msg_seq); + iph2 = ike_session_getph2byseq(msg->sadb_msg_seq); if (iph2 == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "seq %d of %s message not interesting.\n", msg->sadb_msg_seq, s_pfkey_type(msg->sadb_msg_type)); return -1; } - /* * NOTE don't update any status of phase2 handle * because they must be updated by SADB_UPDATE message */ - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "IPsec-SA established: %s\n", sadbsecas2str(iph2->src, iph2->dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); @@ -1660,7 +1626,7 @@ pk_recvadd(mhp) } #endif - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); + plog(ASL_LEVEL_DEBUG, "===\n"); return 0; } @@ -1671,7 +1637,7 @@ pk_recvexpire(mhp) struct sadb_msg *msg; struct sadb_sa *sa; struct sockaddr_storage *src, *dst; - struct ph2handle *iph2; + phase2_handle_t *iph2; u_int proto_id, sa_mode; /* sanity check */ @@ -1681,7 +1647,7 @@ pk_recvexpire(mhp) || mhp[SADB_EXT_ADDRESS_DST] == NULL || (mhp[SADB_EXT_LIFETIME_HARD] != NULL && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb expire message passed.\n"); return -1; } 
@@ -1696,31 +1662,31 @@ pk_recvexpire(mhp) proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); if (proto_id == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", msg->sadb_msg_satype); return -1; } - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "IPsec-SA expired: %s\n", sadbsecas2str(src, dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); - iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); + iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); if (iph2 == NULL) { /* * Ignore it because two expire messages are come up. * phase2 handler has been deleted already when 2nd message * is received. */ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "no such a SA found: %s\n", sadbsecas2str(src, dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); return 0; } - if (iph2->is_dying || iph2->status != PHASE2ST_ESTABLISHED) { + if (iph2->is_dying || !FSM_STATE_IS_ESTABLISHED(iph2->status)) { /* * If the status is not equal to PHASE2ST_ESTABLISHED, * racoon ignores this expire message. There are two reason. 
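Review bot: The condition changes to `!FSM_STATE_IS_ESTABLISHED(iph2->status)` but the comment immediately below still reads "If the status is not equal to PHASE2ST_ESTABLISHED", a constant this commit removes. Update it to match the new check, e.g. `* If the handle is not in an established state (FSM_STATE_IS_ESTABLISHED),` so the explanation does not reference a symbol that no longer exists. The rest of that comment and the function continue in the next hunk.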
@@ -1729,49 +1695,45 @@ pk_recvexpire(mhp) * without receiving a expire message. Another is that racoon * may receive the multiple expire messages from the kernel. */ - plog(LLV_WARNING, LOCATION, NULL, - "the expire message is received " - "but the handler is dying or has not been established.\n"); + plog(ASL_LEVEL_WARNING, + "The expire message is received but the handler %s (status = 0x%x).\n", + iph2->is_dying ? "is dying" : "has not been established", iph2->status); return 0; } /* turn off the timer for calling isakmp_ph2expire() */ SCHED_KILL(iph2->sce); - iph2->status = PHASE2ST_EXPIRED; + fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); - /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. */ - /* allocate buffer for status management of pfkey message */ - if (iph2->side == INITIATOR && - !ike_session_has_other_established_ph2(iph2->parent_session, iph2) && - !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) { - - initph2(iph2); - - /* update status for re-use */ - iph2->status = PHASE2ST_STATUS2; - - /* start isakmp initiation by using ident exchange */ - if (isakmp_post_acquire(iph2) < 0) { - plog(LLV_ERROR, LOCATION, iph2->dst, - "failed to begin ipsec sa " - "re-negotiation.\n"); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - return -1; - } + { + /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. 
*/ + /* allocate buffer for status management of pfkey message */ + if (iph2->side == INITIATOR && + !ike_session_has_other_established_ph2(iph2->parent_session, iph2) && + !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) { + + ike_session_initph2(iph2); + + /* start isakmp initiation by using ident exchange */ + if (isakmp_post_acquire(iph2) < 0) { + plog(ASL_LEVEL_ERR, + "failed to begin ipsec sa " + "re-negotiation.\n"); + ike_session_unlink_phase2(iph2); + return -1; + } + + return 0; + /*NOTREACHED*/ + } + } - return 0; - /*NOTREACHED*/ - } /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */ /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't * manage IPsec SA, so delete the list */ - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); return 0; } @@ -1783,10 +1745,10 @@ pk_recvacquire(mhp) struct sadb_msg *msg; struct sadb_x_policy *xpl; struct secpolicy *sp_out = NULL, *sp_in = NULL; -#define MAXNESTEDSA 5 /* XXX */ - struct ph2handle *iph2[MAXNESTEDSA]; + phase2_handle_t *iph2; struct sockaddr_storage *src, *dst; - int n; /* # of phase 2 handler */ + ike_session_t *session = NULL; + struct remoteconf *rmconf; /* ignore this message because of local test mode. */ if (f_local) @@ -1797,7 +1759,7 @@ pk_recvacquire(mhp) || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb acquire message passed.\n"); return -1; } @@ -1808,7 +1770,7 @@ pk_recvacquire(mhp) /* ignore if type is not IPSEC_POLICY_IPSEC */ if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignore ACQUIRE message. type is not IPsec.\n"); return 0; } 
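Review bot: The rewritten initiator rekey block in pk_recvexpire is wrapped in an extra `{ ... }` that declares nothing and only adds a level of indentation; dropping the bare braces leaves the `if (iph2->side == INITIATOR && ...)` at function level like the original. The comment "allocate buffer for status management of pfkey message" carried over from the old code describes no allocation that the visible block performs, so it should go or be reworded to describe the ike_session_initph2 reset. The `/*NOTREACHED*/` after `return 0;` is fine, but the error path and the success path now both end the function, so the guard-clause form would read more clearly than the nested one.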
@@ -1824,7 +1786,7 @@ pk_recvacquire(mhp) && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sa)->sin6_addr)) #endif ) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignore due to multicast address: %s.\n", saddrwop2str((struct sockaddr *)sa)); return 0; @@ -1845,7 +1807,12 @@ pk_recvacquire(mhp) struct sockaddr_storage *sa = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); struct myaddrs *p; int do_listen = 0; + char * str; for (p = lcconf->myaddrs; p; p = p->next) { + str = saddr2str((struct sockaddr *)p->addr); + plog(ASL_LEVEL_DEBUG, + "checking listen addrs: %s", str); + if (!cmpsaddrwop(p->addr, sa)) { do_listen = 1; break; @@ -1853,7 +1820,7 @@ pk_recvacquire(mhp) } if (!do_listen) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignore because do not listen on source address : %s.\n", saddrwop2str((struct sockaddr *)sa)); return 0; 
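Review bot: The new debug line in the listen-address loop, `plog(ASL_LEVEL_DEBUG, "checking listen addrs: %s", str);`, is the only plog message in this file without a trailing `\n`, so it will run into the next log entry on sinks that do not add their own newline; make it `"checking listen addrs: %s\n"`. It also fires once per configured address for every ACQUIRE, which is noisy even at debug level, and `char * str` should follow the file's `char *str` spacing. I cannot see whether saddr2str can return NULL or allocates, so I have not assumed either.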
@@ -1870,138 +1837,148 @@ pk_recvacquire(mhp) * has to process such a acquire message because racoon may * have lost the expire message. */ - iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id); - if (iph2[0] != NULL) { - if (iph2[0]->status < PHASE2ST_ESTABLISHED) { - plog(LLV_DEBUG, LOCATION, NULL, + iph2 = ike_session_getph2byid(src, dst, xpl->sadb_x_policy_id); + if (iph2 != NULL) { + session = iph2->parent_session; + if (!FSM_STATE_IS_ESTABLISHED(iph2->status)) { + plog(ASL_LEVEL_DEBUG, "ignore the acquire because ph2 found\n"); return -1; } - if (iph2[0]->status == PHASE2ST_EXPIRED) - iph2[0] = NULL; + if (FSM_STATE_IS_EXPIRED(iph2->status)) + iph2 = NULL; /*FALLTHROUGH*/ } /* search for proper policyindex */ sp_out = getspbyspid(xpl->sadb_x_policy_id); if (sp_out == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n", + plog(ASL_LEVEL_ERR, "no policy found: id:%d.\n", xpl->sadb_x_policy_id); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx)); /* get inbound policy */ { - struct policyindex spidx; - - spidx.dir = IPSEC_DIR_INBOUND; - memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src)); - memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst)); - spidx.prefs = sp_out->spidx.prefd; - spidx.prefd = sp_out->spidx.prefs; - spidx.ul_proto = sp_out->spidx.ul_proto; - - sp_in = getsp(&spidx); - if (sp_in) { - plog(LLV_DEBUG, LOCATION, NULL, - "suitable inbound SP found: %s.\n", - spidx2str(&sp_in->spidx)); - } else { - plog(LLV_NOTIFY, LOCATION, NULL, - "no in-bound policy found: %s\n", - spidx2str(&spidx)); - } + struct policyindex spidx; + + spidx.dir = IPSEC_DIR_INBOUND; + memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src)); + memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst)); + spidx.prefs = sp_out->spidx.prefd; + spidx.prefd = sp_out->spidx.prefs; + spidx.ul_proto = sp_out->spidx.ul_proto; + + sp_in = getsp(&spidx); + if (sp_in) { + 
plog(ASL_LEVEL_DEBUG, + "Suitable inbound SP found: %s.\n", + spidx2str(&sp_in->spidx)); + } else { + plog(ASL_LEVEL_NOTICE, + "No in-bound policy found: %s\n", + spidx2str(&spidx)); + } } - - memset(iph2, 0, MAXNESTEDSA); - - n = 0; - + /* allocate a phase 2 */ - iph2[n] = newph2(); - if (iph2[n] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate phase2 entry.\n"); + rmconf = getrmconf(dst); + if (rmconf == NULL) { + plog(ASL_LEVEL_ERR, "No configuration found for %s.\n", + saddrwop2str((struct sockaddr *)dst)); + return -1; + } + + iph2 = ike_session_newph2(rmconf->ike_version, PHASE2_TYPE_SA); + if (iph2 == NULL) { + plog(ASL_LEVEL_ERR, + "Failed to allocate Phase 2 entry.\n"); return -1; } - iph2[n]->side = INITIATOR; - iph2[n]->spid = xpl->sadb_x_policy_id; - iph2[n]->satype = msg->sadb_msg_satype; - iph2[n]->seq = msg->sadb_msg_seq; - iph2[n]->status = PHASE2ST_STATUS2; + plog(ASL_LEVEL_DEBUG, "Got new Phase 2 version %d\n", iph2->version); + iph2->version = rmconf->ike_version; + iph2->side = INITIATOR; + iph2->spid = xpl->sadb_x_policy_id; + iph2->satype = msg->sadb_msg_satype; + iph2->seq = msg->sadb_msg_seq; /* set end addresses of SA */ // Wcast_align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer - iph2[n]->dst = dupsaddr(ALIGNED_CAST(struct sockaddr *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST])); - if (iph2[n]->dst == NULL) { - delph2(iph2[n]); + iph2->src = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC])); + if (iph2->src == NULL) { + ike_session_delph2(iph2); return -1; } - iph2[n]->src = dupsaddr(ALIGNED_CAST(struct sockaddr *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC])); - if (iph2[n]->src == NULL) { - delph2(iph2[n]); + iph2->dst = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST])); + if (iph2->dst == NULL) { + ike_session_delph2(iph2); return -1; + } + + if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) { + 
fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_START); } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "new acquire %s\n", spidx2str(&sp_out->spidx)); /* get sainfo */ { - vchar_t *idsrc, *iddst; - - idsrc = ipsecdoi_sockaddr2id(&sp_out->spidx.src, - sp_out->spidx.prefs, sp_out->spidx.ul_proto); - if (idsrc == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get ID for %s\n", - spidx2str(&sp_out->spidx)); - delph2(iph2[n]); - return -1; - } - iddst = ipsecdoi_sockaddr2id(&sp_out->spidx.dst, - sp_out->spidx.prefd, sp_out->spidx.ul_proto); - if (iddst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get ID for %s\n", - spidx2str(&sp_out->spidx)); - vfree(idsrc); - delph2(iph2[n]); - return -1; - } - iph2[n]->sainfo = getsainfo(idsrc, iddst, NULL, 0); - vfree(idsrc); - vfree(iddst); - if (iph2[n]->sainfo == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get sainfo.\n"); - delph2(iph2[n]); - return -1; - /* XXX should use the algorithm list from register message */ - } - if (link_sainfo_to_ph2(iph2[n]->sainfo) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to link sainfo\n"); - iph2[n]->sainfo = NULL; - delph2(iph2[n]); - return -1; - } + vchar_t *idsrc, *iddst; + + idsrc = ipsecdoi_sockaddr2id(&sp_out->spidx.src, + sp_out->spidx.prefs, sp_out->spidx.ul_proto); + if (idsrc == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get ID for %s\n", + spidx2str(&sp_out->spidx)); + ike_session_delph2(iph2); + return -1; + } + iddst = ipsecdoi_sockaddr2id(&sp_out->spidx.dst, + sp_out->spidx.prefd, sp_out->spidx.ul_proto); + if (iddst == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get ID for %s\n", + spidx2str(&sp_out->spidx)); + vfree(idsrc); + ike_session_delph2(iph2); + return -1; + } + iph2->sainfo = getsainfo(idsrc, iddst, NULL, 0); + vfree(idsrc); + vfree(iddst); + if (iph2->sainfo == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get sainfo.\n"); + ike_session_delph2(iph2); + return -1; + /* XXX should use the algorithm list from register 
message */ + } } + retain_sainfo(iph2->sainfo); - if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to create saprop.\n"); - delph2(iph2[n]); + if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) { + plog(ASL_LEVEL_ERR, + "failed to create saprop.\n"); + ike_session_delph2(iph2); return -1; } - insph2(iph2[n]); + + if (session == NULL) + session = ike_session_get_session(iph2->src, iph2->dst, 1); + if (session == NULL) + fatal_error(-1); + + if (ike_session_link_phase2(session, iph2)) + fatal_error(-1); //????? fix ??? /* start isakmp initiation by using ident exchange */ /* XXX should be looped if there are multiple phase 2 handler. */ - if (isakmp_post_acquire(iph2[n]) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if (isakmp_post_acquire(iph2) < 0) { + plog(ASL_LEVEL_ERR, "failed to begin ipsec sa negotiation.\n"); goto err; } @@ -2009,7 +1986,7 @@ pk_recvacquire(mhp) #if !TARGET_OS_EMBEDDED if ( lcconf->vt == NULL){ if (!(lcconf->vt = vproc_transaction_begin(NULL))) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "vproc_transaction_begin returns NULL.\n"); } #endif @@ -2018,13 +1995,7 @@ pk_recvacquire(mhp) return 0; err: - while (n >= 0) { - unbindph12(iph2[n]); - remph2(iph2[n]); - delph2(iph2[n]); - iph2[n] = NULL; - n--; - } + ike_session_unlink_phase2(iph2); return -1; } @@ -2035,7 +2006,7 @@ pk_recvdelete(mhp) struct sadb_msg *msg; struct sadb_sa *sa; struct sockaddr_storage *src, *dst; - struct ph2handle *iph2 = NULL; + phase2_handle_t *iph2 = NULL; u_int proto_id; /* ignore this message because of local test mode. */ @@ -2046,7 +2017,7 @@ pk_recvdelete(mhp) if (mhp[0] == NULL || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb delete message passed.\n"); return -1; } 
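Review bot: The two `fatal_error(-1)` calls after `retain_sainfo` turn a failed session lookup or a failed `ike_session_link_phase2` into daemon termination, while every other failure in pk_recvacquire (dupsaddr, ipsecdoi_sockaddr2id, getsainfo, set_proposal_from_policy) frees the handle and returns -1; a kernel ACQUIRE should not be able to take racoon down, and the `//????? fix ???` marker shows this was known. I would log, release the handle and return -1 on both paths, on the same assumption the set_proposal_from_policy path just above makes, namely that ike_session_delph2 drops the retained sainfo. Separately, `plog(ASL_LEVEL_DEBUG, "Got new Phase 2 version %d\n", iph2->version);` prints the version before `iph2->version = rmconf->ike_version;` overwrites it with the value already passed to ike_session_newph2, so either the log or the assignment appears redundant.

```c
	if (session == NULL)
		session = ike_session_get_session(iph2->src, iph2->dst, 1);
	if (session == NULL) {
		plog(ASL_LEVEL_ERR, "no session found for acquire.\n");
		ike_session_delph2(iph2);
		return -1;
	}
	if (ike_session_link_phase2(session, iph2)) {
		plog(ASL_LEVEL_ERR, "failed to link Phase 2 to session.\n");
		ike_session_delph2(iph2);
		return -1;
	}
	/* … unchanged: isakmp_post_acquire call … */
```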
@@ -2057,7 +2028,7 @@ pk_recvdelete(mhp) /* the message has to be processed or not ? */ if (msg->sadb_msg_pid == getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is not interesting " "because the message was originated by me.\n", s_pfkey_type(msg->sadb_msg_type)); 
@@ -2066,44 +2037,44 @@ pk_recvdelete(mhp) proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); if (proto_id == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", msg->sadb_msg_satype); return -1; } - plog(LLV_DEBUG2, LOCATION, NULL, "SADB delete message: proto-id %d\n", proto_id); - plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)src)); - plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)dst)); + plog(ASL_LEVEL_DEBUG, "SADB delete message: proto-id %d\n", proto_id); + plog(ASL_LEVEL_DEBUG, "src: %s\n", saddr2str((struct sockaddr *)src)); + plog(ASL_LEVEL_DEBUG, "dst: %s\n", saddr2str((struct sockaddr *)dst)); if (!sa) { - deleteallph2(src, dst, proto_id); - deleteallph1(src, dst); + ike_session_deleteallph2(src, dst, proto_id); + ike_session_deleteallph1(src, dst); return 0; } - iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); + iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); if (iph2 == NULL) { /* ignore */ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no iph2 found: %s\n", sadbsecas2str(src, dst, msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY)); return 0; } - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey DELETE received: %s\n", sadbsecas2str(iph2->src, iph2->dst, msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY)); /* send delete information */ - if (iph2->status == PHASE2ST_ESTABLISHED) + + /* TODO: Look into handling this properly. Currently, if we get here, we can end up sending delete messages to the server for their own SAs, which is rejected. */ + /*if (FSM_STATE_IS_ESTABLISHED(iph2->status)) isakmp_info_send_d2(iph2); ike_session_cleanup_ph1s_by_ph2(iph2); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2);*/ return 0; } 
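Review bot: After the "pfkey DELETE received" log, pk_recvdelete now does nothing with the handle it found: the informational delete, `ike_session_cleanup_ph1s_by_ph2` and the unlink are all inside a block comment, so a phase 2 handle keeps looking established after the kernel has removed its SA. The TODO says the problem is sending delete messages to the server for its own SAs, which concerns only `isakmp_info_send_d2`; if that is the whole issue, the local teardown (`ike_session_cleanup_ph1s_by_ph2(iph2); ike_session_unlink_phase2(iph2);`) could stay so the handle does not outlive its SA, and if local cleanup is unsafe too the TODO should say why. Either way, disabled code is better kept under `#if 0` with the TODO than inside a `/* */` that also swallows the `if`.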
@@ -2112,19 +2083,15 @@ static int pk_recvflush(mhp) caddr_t *mhp; { - /* ignore this message because of local test mode. */ - if (f_local) - return 0; - /* sanity check */ if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb flush message passed.\n"); return -1; } - flushph2(false); - flushph1(false); + ike_session_flush_all_phase2(false); + ike_session_flush_all_phase1(false); return 0; } @@ -2133,7 +2100,7 @@ static int getsadbpolicy(policy0, policylen0, type, iph2) caddr_t *policy0; int *policylen0, type; - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct policyindex *spidx = iph2->spidx_gen; struct sadb_x_policy *xpl; @@ -2161,7 +2128,7 @@ getsadbpolicy(policy0, policylen0, type, iph2) /* make policy structure */ policy = racoon_malloc(policylen); if (!policy) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "buffer allocation failed.\n"); return -1; } @@ -2186,13 +2153,13 @@ getsadbpolicy(policy0, policylen0, type, iph2) satype = doi2ipproto(pr->proto_id); if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", pr->proto_id); goto err; } mode = ipsecdoi2pfkey_mode(pr->encmode); if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encmode %d\n", pr->encmode); goto err; } @@ -2241,7 +2208,7 @@ err: int pk_sendspdupdate2(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct policyindex *spidx = iph2->spidx_gen; caddr_t policy = NULL; @@ -2252,7 +2219,7 @@ pk_sendspdupdate2(iph2) vtime = 0; if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getting sadb policy failed.\n"); return -1; } 
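Review bot: pk_recvflush drops its `if (f_local) return 0;` guard while pk_recvadd, pk_recvacquire and pk_recvdelete keep theirs (their "ignore this message because of local test mode" checks are visible as context in hunks -1592, -1783 and -2035), so in local test mode a SADB_FLUSH now tears down every phase 1 and phase 2 handle even though the other handlers still ignore kernel messages. Unless local test mode is being retired elsewhere in the patch, keep `/* ignore this message because of local test mode. */ if (f_local) return 0;` here for consistency. The commit message does not explain the removal, so a one-line comment stating why flush is exempt would do if it is intentional.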
@@ -2266,12 +2233,12 @@ pk_sendspdupdate2(iph2) spidx->ul_proto, ltime, vtime, policy, policylen, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "libipsec failed send spdupdate2 (%s)\n", ipsec_strerror()); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdupdate2\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_spdupdate2\n"); end: if (policy) @@ -2294,7 +2261,7 @@ pk_recvspdupdate(mhp) || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spdupdate message passed.\n"); return -1; } @@ -2323,7 +2290,7 @@ pk_recvspdupdate(mhp) sp = getsp(&spidx); if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "such policy does not already exist: \"%s\"\n", spidx2str(&spidx)); } else { @@ -2342,7 +2309,7 @@ pk_recvspdupdate(mhp) */ int pk_sendspdadd2(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct policyindex *spidx = iph2->spidx_gen; caddr_t policy = NULL; @@ -2353,7 +2320,7 @@ pk_sendspdadd2(iph2) vtime = 0; if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getting sadb policy failed.\n"); return -1; } @@ -2367,12 +2334,12 @@ pk_sendspdadd2(iph2) spidx->ul_proto, ltime, vtime, policy, policylen, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "libipsec failed send spdadd2 (%s)\n", ipsec_strerror()); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdadd2\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_spdadd2\n"); end: if (policy) @@ -2395,7 +2362,7 @@ pk_recvspdadd(mhp) || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spdadd message passed.\n"); return -1; } 
@@ -2424,7 +2391,7 @@ pk_recvspdadd(mhp) sp = getsp(&spidx); if (sp != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "such policy already exists. " "anyway replace it: %s\n", spidx2str(&spidx)); @@ -2443,14 +2410,14 @@ pk_recvspdadd(mhp) */ int pk_sendspddelete(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct policyindex *spidx = iph2->spidx_gen; caddr_t policy = NULL; int policylen; if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getting sadb policy failed.\n"); return -1; } @@ -2463,12 +2430,12 @@ pk_sendspddelete(iph2) spidx->prefd, spidx->ul_proto, policy, policylen, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "libipsec failed send spddelete (%s)\n", ipsec_strerror()); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spddelete\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_spddelete\n"); end: if (policy) @@ -2491,7 +2458,7 @@ pk_recvspddelete(mhp) || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spddelete message passed.\n"); return -1; } @@ -2520,13 +2487,13 @@ pk_recvspddelete(mhp) sp = getsp(&spidx); if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no policy found: %s\n", spidx2str(&spidx)); return -1; } - purgephXbyspid(xpl->sadb_x_policy_id, true); + ike_session_purgephXbyspid(xpl->sadb_x_policy_id, true); remsp(sp); delsp(sp); @@ -2548,7 +2515,7 @@ pk_recvspdexpire(mhp) || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spdexpire message passed.\n"); return -1; } 
@@ -2577,13 +2544,13 @@ pk_recvspdexpire(mhp) sp = getsp(&spidx); if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no policy found: %s\n", spidx2str(&spidx)); return -1; } - purgephXbyspid(xpl->sadb_x_policy_id, false); + ike_session_purgephXbyspid(xpl->sadb_x_policy_id, false); remsp(sp); delsp(sp); @@ -2597,7 +2564,7 @@ pk_recvspdget(mhp) { /* sanity check */ if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spdget message passed.\n"); return -1; } @@ -2617,7 +2584,7 @@ pk_recvspddump(mhp) /* sanity check */ if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spddump message passed.\n"); return -1; } @@ -2628,7 +2595,7 @@ pk_recvspddump(mhp) xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; if (saddr == NULL || daddr == NULL || xpl == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spddump message passed.\n"); return -1; } @@ -2654,7 +2621,7 @@ pk_recvspddump(mhp) sp = getsp(&spidx); if (sp != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "such policy already exists. " "anyway replace it: %s\n", spidx2str(&spidx)); @@ -2674,13 +2641,13 @@ pk_recvspdflush(mhp) { /* sanity check */ if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spdflush message passed.\n"); return -1; } - flushph2(false); - flushph1(false); + ike_session_flush_all_phase2(false); + ike_session_flush_all_phase1(false); flushsp(); return 0; @@ -2691,7 +2658,7 @@ pk_recvspdflush(mhp) */ int pk_sendeacquire(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct sadb_msg *newmsg; int len; @@ -2699,7 +2666,7 @@ pk_sendeacquire(iph2) len = sizeof(struct sadb_msg); newmsg = racoon_calloc(1, len); if (newmsg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send acquire.\n"); return -1; } 
@@ -2729,7 +2696,7 @@ pk_sendget_inbound_sastats(ike_session_t *session) u_int32_t seq; if (!session) { - plog(LLV_DEBUG, LOCATION, NULL, "invalid args in %s \n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid args in %s \n", __FUNCTION__); return -1; } @@ -2745,7 +2712,7 @@ pk_sendget_inbound_sastats(ike_session_t *session) max_stats))) { u_int64_t session_ids[] = {(u_int64_t)session, 0}; - plog(LLV_DEBUG, LOCATION, NULL, "about to call %s\n", __FUNCTION__); + //plog(ASL_LEVEL_DEBUG, "about to call %s\n", __FUNCTION__); if (pfkey_send_getsastats(lcconf->sock_pfkey, seq, @@ -2756,7 +2723,7 @@ pk_sendget_inbound_sastats(ike_session_t *session) session->traffic_monitor.num_in_curr_req) < 0) { return -1; } - plog(LLV_DEBUG, LOCATION, NULL, "%s successful\n", __FUNCTION__); + //plog(ASL_LEVEL_DEBUG, "%s successful\n", __FUNCTION__); return session->traffic_monitor.num_in_curr_req; } @@ -2770,7 +2737,7 @@ pk_sendget_outbound_sastats(ike_session_t *session) u_int32_t seq; if (!session) { - plog(LLV_DEBUG, LOCATION, NULL, "invalid args in %s \n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid args in %s \n", __FUNCTION__); return -1; } @@ -2786,7 +2753,7 @@ pk_sendget_outbound_sastats(ike_session_t *session) max_stats))) { u_int64_t session_ids[] = {(u_int64_t)session, 0}; - plog(LLV_DEBUG, LOCATION, NULL, "about to call %s\n", __FUNCTION__); + //plog(ASL_LEVEL_DEBUG, "about to call %s\n", __FUNCTION__); if (pfkey_send_getsastats(lcconf->sock_pfkey, seq, @@ -2797,7 +2764,7 @@ pk_sendget_outbound_sastats(ike_session_t *session) session->traffic_monitor.num_out_curr_req) < 0) { return -1; } - plog(LLV_DEBUG, LOCATION, NULL, "%s successful\n", __FUNCTION__); + //plog(ASL_LEVEL_DEBUG, "%s successful\n", __FUNCTION__); return session->traffic_monitor.num_out_curr_req; } 
@@ -2820,7 +2787,7 @@ caddr_t *mhp; if (mhp[0] == NULL || mhp[SADB_EXT_SESSION_ID] == NULL || mhp[SADB_EXT_SASTAT] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb getsastat response.\n"); return -1; } @@ -2830,7 +2797,7 @@ caddr_t *mhp; /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is not interesting " "because pid %d is not mine.\n", s_pfkey_type(msg->sadb_msg_type), @@ -2838,7 +2805,7 @@ caddr_t *mhp; return -1; } if (!session_id->sadb_session_id_v[0]) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is bad " "because session-id[0] is invalid.\n", s_pfkey_type(msg->sadb_msg_type)); @@ -2847,7 +2814,7 @@ caddr_t *mhp; session = ALIGNED_CAST(__typeof__(session))session_id->sadb_session_id_v[0]; if (!stat_resp->sadb_sastat_list_len) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is bad " "because it has no sastats.\n", s_pfkey_type(msg->sadb_msg_type)); @@ -2882,12 +2849,9 @@ pk_checkalg(class, calg, keylen) sup = SADB_EXT_SUPPORTED_AUTH; break; case IPSECDOI_PROTO_IPCOMP: - //plog(LLV_DEBUG, LOCATION, NULL, - // "compression algorithm can not be checked " - // "because sadb message doesn't support it.\n"); return 0; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid algorithm class.\n"); return -1; } @@ -2897,7 +2861,7 @@ pk_checkalg(class, calg, keylen) if (keylen == 0) { if (ipsec_get_keylen(sup, alg, &alg0)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s.\n", ipsec_strerror()); return -1; } @@ -2906,7 +2870,7 @@ pk_checkalg(class, calg, keylen) error = ipsec_check_keylen(sup, alg, keylen); if (error) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s.\n", ipsec_strerror()); return error; 
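Review bot: `session = ALIGNED_CAST(__typeof__(session))session_id->sadb_session_id_v[0];` converts a 64-bit value carried in the PF_KEY reply directly into an ike_session_t pointer, and the only gates before it are the pid check and a non-zero test. The value originates from racoon's own request (`(u_int64_t)session` in pk_sendget_inbound_sastats / pk_sendget_outbound_sastats), but a session can be freed between request and reply, so confirming the pointer against the live session list, or passing an opaque id that is looked up here, would be safer than dereferencing it as received. The cast is unchanged by this commit and the code that uses `session` is outside the hunk.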
@@ -2940,8 +2904,7 @@ pk_recv(so, lenp) while ((*lenp = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) { if (errno == EINTR) continue; - plog(LLV_ERROR, LOCATION, NULL, - "failed to recv pfkey message: %s\n", strerror(errno)); + plog(ASL_LEVEL_ERR, "failed to recv pfkey message: %s\n", strerror(errno)); break; } if (*lenp < 0) { @@ -2974,7 +2937,7 @@ addnewsp(mhp) if (mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spd management message passed.\n"); return -1; } @@ -2985,7 +2948,7 @@ addnewsp(mhp) new = newsp(); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate buffer\n"); return -1; } @@ -3012,7 +2975,7 @@ addnewsp(mhp) /* validity check */ if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid msg length.\n"); return -1; } @@ -3024,7 +2987,7 @@ addnewsp(mhp) /* length check */ if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid msg length.\n"); return -1; } @@ -3032,7 +2995,7 @@ addnewsp(mhp) /* allocate request buffer */ *p_isr = newipsecreq(); if (*p_isr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get new ipsecreq.\n"); return -1; } @@ -3046,7 +3009,7 @@ addnewsp(mhp) case IPPROTO_IPCOMP: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto type: %u\n", xisr->sadb_x_ipsecrequest_proto); return -1; @@ -3059,7 +3022,7 @@ addnewsp(mhp) break; case IPSEC_MODE_ANY: default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid mode: %u\n", xisr->sadb_x_ipsecrequest_mode); return -1; @@ -3077,7 +3040,7 @@ addnewsp(mhp) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid level: %u\n", xisr->sadb_x_ipsecrequest_level); return -1; 
@@ -3106,7 +3069,7 @@ addnewsp(mhp) /* validity check */ if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "becoming tlen < 0\n"); } @@ -3116,7 +3079,7 @@ addnewsp(mhp) } break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid policy type.\n"); return -1; } diff --git a/ipsec-tools/racoon/plainrsa-gen.8 b/ipsec-tools/racoon/plainrsa-gen.8 deleted file mode 100644 index 0f059f8..0000000 --- a/ipsec-tools/racoon/plainrsa-gen.8 +++ /dev/null 
@@ -1,137 +0,0 @@ -.\" $Id: plainrsa-gen.8,v 1.2.10.1 2005/04/18 11:10:55 manubsd Exp $ -.\" -.\" Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany. -.\" Contributed by: Michal Ludvig , SUSE Labs -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. Neither the name of the project nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.Dd June 14, 2004 -.Dt PLAINRSA-GEN 8 -.Os -.\" -.Sh NAME -.Nm plainrsa-gen -.Nd generator for Plain RSA keys -.\" -.Sh SYNOPSIS -.Nm plainrsa-gen -.Bk -words -.Op Fl b Ar bits -.Op Fl e Ar pubexp -.Op Fl f Ar outfile -.Op Fl h -.Ek -.\" -.Sh DESCRIPTION -.Nm -can be used to generate -.Li Plain RSA keys -for authentication purposes. -Using -.Li Plain RSA keys -is optional. -Other possibilities are -.Li Pre-shared keys -or -.Li X.509 certificates . -.\" -.Bl -tag -width Ds -.It Fl b Ar bits -bit length of the key. -Default is -.Li 1024 , -recommended length is -.Li 2048 -or even -.Li 4096 -bits. -Note that generating longer keys takes more time. -.It Fl e Ar pubexp -value of the RSA public exponent. -Default is -.Li 0x3 . -Don't change this unless you really know what you are doing! -.It Fl f Ar outfile -write the resulting key to -.Ar outfile -instead of -.Li stdout . -If the file already exists it won't be overwritten. -You wouldn't like to lose your private key by accident, would you? -.El -.\" -.Sh OUTPUT FILE FORMAT -This is the secret -.Li private key -that should -.Ic never -leave your computer: -.Bd -literal -: RSA { - # RSA 1024 bits - # pubkey=0sAQOrWlcwbAIdNSMhDt... - Modulus: 0xab5a57306c021d3523... - PublicExponent: 0x03 - PrivateExponent: 0x723c3a2048... - Prime1: 0xd309b30e6adf9d85c01... - Prime2: 0xcfdc2a8aa5b2b3c90e3... - Exponent1: 0x8cb122099c9513ae... - Exponent2: 0x8a92c7071921cd30... - Coefficient: 0x722751305eafe9... - } -.Ed -.Pp -The line -.Li pubkey=0sAQOrW... -of the -.Li private key -contains a -.Li public key -that should be stored in the other peer's configuration in this format: -.Bd -literal -: PUB 0sAQOrWlcwbAIdNSMhDt... -.Ed -.\" -.Pp -You can also specify -.Li from -and -.Li to -addresses for which the key is valid: -.Bd -literal -0.0.0.0/0 10.20.30.0/24 : PUB 0sAQOrWlcwbAIdNSMhDt... 
-.Ed -.\" -.Sh SEE ALSO -.Xr racoon.conf 5 , -.Xr racoon 8 -.\" -.Sh HISTORY -.Nm -was written by -.An Michal Ludvig Aq michal@logix.cz -and first appeared in -.Ic ipsec-tools 0.4 . diff --git a/ipsec-tools/racoon/plainrsa-gen.c b/ipsec-tools/racoon/plainrsa-gen.c deleted file mode 100644 index 92bfdfb..0000000 --- a/ipsec-tools/racoon/plainrsa-gen.c +++ /dev/null 
@@ -1,210 +0,0 @@ -/* $NetBSD: plainrsa-gen.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */ - -/* Id: plainrsa-gen.c,v 1.6 2005/04/21 09:08:40 monas Exp */ -/* - * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany. - * Contributed by: Michal Ludvig , SUSE Labs - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* This file contains a generator for FreeS/WAN-style ipsec.secrets RSA keys. 
*/ - -#include "config.h" - -#include -#include -#include - -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#ifdef HAVE_OPENSSL_ENGINE_H -#include -#endif - -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "crypto_openssl.h" - -//#include "package_version.h" - -int print_pid = 0; - -void -usage (char *argv0) -{ -// fprintf(stderr, "Plain RSA key generator, part of %s\n", TOP_PACKAGE_STRING); - fprintf(stderr, "By Michal Ludvig (http://www.logix.cz/michal)\n"); - fprintf(stderr, "\n"); - fprintf(stderr, "Usage: %s [options]\n", argv0); - fprintf(stderr, "\n"); - fprintf(stderr, " -b bits Generate long RSA key (default=1024)\n"); - fprintf(stderr, " -e pubexp Public exponent to use (default=0x3)\n"); - fprintf(stderr, " -f filename Filename to store the key to (default=stdout)\n"); - fprintf(stderr, " -h Help\n"); - fprintf(stderr, "\n"); - fprintf(stderr, "Report bugs to \n"); - exit(1); -} - -/* - * See RFC 2065, section 3.5 for details about the output format. - */ -vchar_t * -mix_b64_pubkey(RSA *key) -{ - char *binbuf; - long binlen, ret; - vchar_t *res; - - binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n); - binbuf = malloc(binlen); - memset(binbuf, 0, binlen); - binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]); - ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1])); - if (1 + binbuf[0] + ret != binlen) { - plog(LLV_ERROR, LOCATION, NULL, - "Pubkey generation failed. 
This is really strange...\n"); - return NULL; - } - - return base64_encode(binbuf, binlen); -} - -char * -lowercase(char *input) -{ - char *ptr = input; - while (*ptr) { - if (*ptr >= 'A' && *ptr <= 'F') - *ptr -= 'A' - 'a'; - *ptr++; - } - - return input; -} - -int -gen_rsa_key(FILE *fp, size_t bits, unsigned long exp) -{ - RSA *key; - vchar_t *pubkey64 = NULL; - - key = RSA_generate_key(bits, exp, NULL, NULL); - if (!key) { - fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror()); - return -1; - } - - pubkey64 = mix_b64_pubkey(key); - if (!pubkey64) { - fprintf(stderr, "mix_b64_pubkey(): %s\n", eay_strerror()); - return -1; - } - - fprintf(fp, "# : PUB 0s%s\n", pubkey64->v); - fprintf(fp, ": RSA\t{\n"); - fprintf(fp, "\t# RSA %zu bits\n", bits); - fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v); - fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n))); - fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e))); - fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d))); - fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p))); - fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q))); - fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1))); - fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1))); - fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp))); - fprintf(fp, " }\n"); - - vfree(pubkey64); - - return 0; -} - -int -main (int argc, char *argv[]) -{ - FILE *fp = stdout; - size_t bits = 1024; - unsigned int pubexp = 0x3; - struct stat st; - extern char *optarg; - extern int optind; - int c; - char *fname = NULL; - - while ((c = getopt(argc, argv, "e:b:f:h")) != -1) - switch (c) { - case 'e': - if (strncmp(optarg, "0x", 2) == 0) - sscanf(optarg, "0x%x", &pubexp); - else - pubexp = atoi(optarg); - break; - case 'b': - bits = atoi(optarg); - break; - case 'f': - fname = optarg; - break; - case 'h': - default: - usage(argv[0]); - } - - if (fname) { - if (stat(fname, &st) 
>= 0) { - fprintf(stderr, "%s: file exists! Please use a different name.\n", fname); - exit(1); - } - - umask(0077); - fp = fopen(fname, "w"); - if (fp == NULL) { - fprintf(stderr, "%s: %s\n", fname, strerror(errno)); - exit(1); - } - } - - ploginit(); - eay_init(); - - gen_rsa_key(fp, bits, pubexp); - - fclose(fp); - - return 0; -} diff --git a/ipsec-tools/racoon/plog.c b/ipsec-tools/racoon/plog.c index 7e1bae8..e3d33a3 100644 --- a/ipsec-tools/racoon/plog.c +++ b/ipsec-tools/racoon/plog.c @@ -35,6 +35,7 @@ #include #include +#include #include #include #include 
@@ -57,156 +58,97 @@ #include #include #include +#include +#include +#include #include "var.h" #include "misc.h" #include "plog.h" -#include "logger.h" #include "debug.h" #include "gcmalloc.h" +#include "preferences.h" #ifndef VA_COPY # define VA_COPY(dst,src) memcpy(&(dst), (src), sizeof(va_list)) #endif +const char *plog_facility = "com.apple.racoon"; +const char *plog_session_id = "com.apple.racoon.sessionid"; +const char *plog_session_type = "com.apple.racoon.sessiontype"; +const char *plog_session_ver = "com.apple.racoon.sessionversion"; + extern int print_pid; char *pname = NULL; -u_int32_t loglevel = LLV_BASE; +u_int32_t loglevel = ASL_LEVEL_NOTICE; +//u_int32_t loglevel = ASL_LEVEL_DEBUG; int f_foreground = 0; int print_location = 0; -static struct log *logp = NULL; -static pthread_mutex_t logp_mtx = {0}; -static char *logfile = NULL; - -static char *plog_common __P((int, const char *, const char *)); - -static struct plogtags { - char *name; - int priority; -} ptab[] = { - { "(not defined)", 0, }, - { "INFO", LOG_INFO, }, - { "NOTIFY", LOG_INFO, }, - { "WARNING", LOG_INFO, }, - { "ERROR", LOG_INFO, }, - { "ERROR", LOG_ERR, }, - { "DEBUG", LOG_DEBUG, }, - { "DEBUG2", LOG_DEBUG, }, -}; - -static char * -plog_common(pri, fmt, func) -int pri; -const char *fmt, *func; -{ - static char buf[800]; /* XXX shoule be allocated every time ? 
*/ - char *p; - int reslen, len; - - p = buf; - reslen = sizeof(buf); - - if (logfile || f_foreground) { - time_t t; - struct tm *tm; - - t = time(0); - tm = localtime(&t); - len = strftime(p, reslen, "%Y-%m-%d %T: ", tm); - p += len; - reslen -= len; - } - - if (pri < ARRAYLEN(ptab)) { - if (print_pid) - len = snprintf(p, reslen, "[%d] %s: ", getpid(), ptab[pri].name); - else - len = snprintf(p, reslen, "%s: ", ptab[pri].name); - if (len >= 0 && len < reslen) { - p += len; - reslen -= len; - } else - *p = '\0'; - } - - if (print_location) - snprintf(p, reslen, "%s: %s", func, fmt); - else - snprintf(p, reslen, "%s", fmt); -#ifdef BROKEN_PRINTF - while ((p = strstr(buf,"%z")) != NULL) - p[1] = 'l'; -#endif - - return buf; -} +char *logfile = NULL; +int logfile_fd = -1; +char logFileStr[MAXPATHLEN+1]; +char *gSessId = NULL; +char *gSessType = NULL; +char *gSessVer = NULL; +aslclient logRef = NULL; void -plogmtxinit (void) +plogdump_asl (aslmsg msg, int pri, const char *fmt, ...) { - pthread_mutexattr_t attrs; - pthread_mutexattr_init(&attrs); - pthread_mutexattr_settype(&attrs, PTHREAD_MUTEX_RECURSIVE); - pthread_mutex_init(&logp_mtx, &attrs); - pthread_mutexattr_destroy(&attrs); -} + caddr_t buf; + size_t buflen = 512; + va_list args; + char *level; -void -plog_func(int pri, const char *func, struct sockaddr_storage *sa, const char *fmt, ...) 
-{ - va_list ap; + switch (pri) { + case ASL_LEVEL_INFO: + level = ASL_STRING_INFO; + break; - va_start(ap, fmt); - plogv(pri, func, sa, fmt, &ap); - va_end(ap); -} + case ASL_LEVEL_NOTICE: + level = ASL_STRING_NOTICE; + break; -void -plogv(int pri, const char *func, struct sockaddr_storage *sa, - const char *fmt, va_list *ap) -{ - char *newfmt; - va_list ap_bak; - - if (pri > loglevel) + case ASL_LEVEL_WARNING: + level = ASL_STRING_WARNING; + break; + + case ASL_LEVEL_ERR: + level = ASL_STRING_ERR; + break; + + case ASL_LEVEL_DEBUG: + level = ASL_STRING_DEBUG; + break; + + default: return; + } - pthread_mutex_lock(&logp_mtx); + asl_set(msg, ASL_KEY_LEVEL, level); - newfmt = plog_common(pri, fmt, func); - - VA_COPY(ap_bak, ap); - - if (f_foreground) - vprintf(newfmt, *ap); - - - if (logfile) { - log_vaprint(logp, newfmt, ap_bak); - } else { - if (pri < ARRAYLEN(ptab)) - vsyslog(ptab[pri].priority, newfmt, ap_bak); - else - vsyslog(LOG_ALERT, newfmt, ap_bak); + buf = racoon_malloc(buflen); + if (buf) { + buf[0] = '\0'; + va_start(args, fmt); + vsnprintf(buf, buflen, fmt, args); +// asl_set(msg, ASL_KEY_MESSAGE, buf); + va_end(args); + racoon_free(buf); } - pthread_mutex_unlock(&logp_mtx); } void -plogdump(pri, data, len) - int pri; - void *data; - size_t len; +plogdump_func(int pri, void *data, size_t len, const char *fmt, ...) { caddr_t buf; size_t buflen; int i, j; - - if (pri > loglevel) - return; + va_list args; + char fmt_buf[512]; /* * 2 words a bytes + 1 space 4 bytes + 1 newline 32 bytes 
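Review bot: plogdump_asl formats the message into `buf` and then frees it without ever attaching it to `msg` — the `asl_set(msg, ASL_KEY_MESSAGE, buf)` line is commented out, so callers get only the level set on the message and the formatted text is discarded. Either restore `asl_set(msg, ASL_KEY_MESSAGE, buf);` before `va_end(args);` or drop the racoon_malloc/vsnprintf block entirely; the fixed 512-byte buffer also silently truncates longer messages, which deserves a comment if it is intended. The hunk also removes logp_mtx and the plog_common formatter; if any caller still logs from more than one thread, serialization now depends on whatever asl_log itself guarantees, which is worth stating in a comment next to the new globals. plogdump_func begins at the end of this hunk and continues in the next one.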
@@ -232,94 +174,301 @@ plogdump(pri, data, len) buf[i++] = '\n'; buf[i] = '\0'; } - plog_func(pri, LOCATION, NULL, "%s", buf); + + fmt_buf[0] = '\n'; + va_start(args, fmt); + vsnprintf(fmt_buf, sizeof(fmt_buf), fmt, args); + va_end(args); + + plog(pri, "%s %s", fmt_buf, buf); racoon_free(buf); } void -ploginit() +clog_func (clog_err_t *cerr, clog_err_op_t cerr_op, int pri, const char *function, const char *line, const char *fmt, ...) { - pthread_mutex_lock(&logp_mtx); + clog_err_t *new, *p; + va_list args; - if (logfile) { - logp = log_open(250, logfile); - if (logp == NULL) - errx(1, "ERROR: failed to open log file %s.", logfile); - pthread_mutex_unlock(&logp_mtx); + if (!cerr) { return; } - - openlog(pname, LOG_NDELAY, LOG_DAEMON); - pthread_mutex_unlock(&logp_mtx); + if (!(new = racoon_calloc(1, sizeof(*cerr)))) { + return; + } + // fill in new + cerr->clog_err_level = pri; /* will be used for filtering */ + /* TODO */ + //cerr->clog_err_code; + //cerr->client_id; + //cerr->client_type; + va_start(args, fmt); + cerr->description_len = vasprintf(&cerr->description, fmt, args); + va_end(args); + cerr->function = function; + cerr->line = line; + + // add new to the tail + TAILQ_FOREACH(p, &cerr->chain_head, chain) { + if (TAILQ_NEXT(p, chain) == NULL) { + TAILQ_NEXT(p, chain) = new; + new->chain.tqe_prev = &TAILQ_NEXT(p, chain); + break; + } + } + + if (cerr_op == CLOG_ERR_DUMP) { + char *prev = NULL, *backtrace = NULL; + + TAILQ_FOREACH(p, &cerr->chain_head, chain) { + // collapse list into backtrace + if (cerr->description) { + if (backtrace) { + prev = backtrace; + backtrace = NULL; + asprintf(&backtrace, "%s\n\t\t-> %s", prev, cerr->description); + free(prev); + } else { + asprintf(&backtrace, "%s", cerr->description); + } + } + } + + if (backtrace) { + // use plog to dump event. 
+ plog(pri, "%s", backtrace); + } + } } void -plogset(file) +plogsetfile(file) char *file; { - pthread_mutex_lock(&logp_mtx); - if (logfile != NULL) + syslog(LOG_NOTICE, "%s: about to add racoon log file: %s\n", __FUNCTION__, file? file:"bad file path"); + if (logfile != NULL) { racoon_free(logfile); + if (logfile_fd != -1) { + asl_remove_log_file(logRef, logfile_fd); + asl_close_auxiliary_file(logfile_fd); + logfile_fd = -1; + } + } logfile = racoon_strdup(file); STRDUP_FATAL(logfile); - pthread_mutex_unlock(&logp_mtx); + if ((logfile_fd = open(logfile, O_CREAT | O_WRONLY | O_APPEND | O_NOFOLLOW, 0)) >= 0) { + asl_add_log_file(logRef, logfile_fd); + } else { + syslog(LOG_NOTICE, "%s: failed to add racoon log file: %s. error %d\n", __FUNCTION__, file? file:"bad file path", errno); + } } void -plogreset(file) +plogresetfile(file) char *file; { - pthread_mutex_lock(&logp_mtx); - /* if log paths equal - do nothing */ if (logfile == NULL && file == NULL) { - pthread_mutex_unlock(&logp_mtx); return; } - if (logfile != NULL && file != NULL) + if (logfile != NULL && file != NULL) { if (!strcmp(logfile, file)) { - pthread_mutex_unlock(&logp_mtx); return; } - - if (logfile == NULL) /* no logfile was specified - daemon was used */ - closelog(); /* close it */ - else { - log_close(logp); - logp = NULL; - racoon_free(logfile); - logfile = NULL; + if (logfile_fd != -1) { + asl_remove_log_file(logRef, logfile_fd); + close(logfile_fd); + logfile_fd = -1; + } } - + + if (logfile) { + racoon_free(logfile); + logfile = NULL; + } + if (file) - plogset(file); - ploginit(); + plogsetfile(file); +} - pthread_mutex_unlock(&logp_mtx); -} +int +ploggetlevel(void) +{ + return loglevel; +} -/* - Returns a printable string from (possibly) binary data ; - concatenates all unprintable chars to one space. - XXX Maybe the printable chars range is too large... 
- */ -char* -binsanitize(binstr, n) - char *binstr; - size_t n; +void +plogsetlevel(int level) { - int p,q; - for (p = 0, q = 0; p < n; p++) { - if (isgraph((int)binstr[p])) { - binstr[q++] = binstr[p]; - } else { - if (q && binstr[q - 1] != ' ') - binstr[q++] = ' '; - } + int mask; + + if (level && level >= ASL_LEVEL_EMERG && level <= ASL_LEVEL_DEBUG) { + loglevel = level; } - binstr[q++] = '\0'; - return binstr; + if (loglevel >= ASL_LEVEL_INFO) { + mask = ASL_FILTER_MASK_TUNNEL; + } else { + mask = 0; + } + mask |= ASL_FILTER_MASK_UPTO(loglevel); + syslog(LOG_DEBUG, "%s: about to set racoon's log level %d, mask %x\n", __FUNCTION__, level, mask); + asl_set_filter(NULL, mask); } - + +void +plogsetlevelstr(char *levelstr) +{ + if (!levelstr) { + return; + } + + if (strncmp(levelstr, ASL_STRING_EMERG, sizeof(ASL_STRING_EMERG) - 1) == 0) { + plogsetlevel(ASL_LEVEL_EMERG); + } else if (strncmp(levelstr, ASL_STRING_ALERT, sizeof(ASL_STRING_ALERT) - 1) == 0) { + plogsetlevel(ASL_LEVEL_ALERT); + } else if (strncmp(levelstr, ASL_STRING_CRIT, sizeof(ASL_STRING_CRIT) - 1) == 0) { + plogsetlevel(ASL_LEVEL_CRIT); + } else if (strncmp(levelstr, ASL_STRING_ERR, sizeof(ASL_STRING_ERR) - 1) == 0) { + plogsetlevel(ASL_LEVEL_ERR); + } else if (strncmp(levelstr, ASL_STRING_WARNING, sizeof(ASL_STRING_NOTICE) - 1) == 0) { + plogsetlevel(ASL_LEVEL_WARNING); + } else if (strncmp(levelstr, ASL_STRING_NOTICE, sizeof(ASL_STRING_NOTICE) - 1) == 0) { + plogsetlevel(ASL_LEVEL_NOTICE); + } else if (strncmp(levelstr, ASL_STRING_INFO, sizeof(ASL_STRING_INFO) - 1) == 0) { + plogsetlevel(ASL_LEVEL_INFO); + } else if (strncmp(levelstr, ASL_STRING_DEBUG, sizeof(ASL_STRING_DEBUG) - 1) == 0) { + plogsetlevel(ASL_LEVEL_DEBUG); + } +} + +void +plogsetlevelquotedstr (char *levelquotedstr) +{ + int len; + + if (!levelquotedstr) { + plog(ASL_LEVEL_ERR, "Null log level (quoted string)"); + return; + } + + len = strlen(levelquotedstr); + if (len < 3 || + levelquotedstr[0] != '"' || + levelquotedstr[len - 1] 
!= '"') { + plog(ASL_LEVEL_ERR, "Invalid log level (quoted string): %s", levelquotedstr); + return; + } + // skip quotes + levelquotedstr[len - 1] = '\0'; + plogsetlevelstr(&levelquotedstr[1]); +} + +void +plogreadprefs (void) +{ + CFPropertyListRef globals; + CFStringRef logFileRef; + CFNumberRef debugLevelRef; + CFStringRef debugLevelStringRef; + char logLevelStr[16]; + int level = 0; + + logLevelStr[0] = 0; + + SCPreferencesSynchronize(gPrefs); + + globals = SCPreferencesGetValue(gPrefs, CFSTR("Global")); + if (!globals || (CFGetTypeID(globals) != CFDictionaryGetTypeID())) { + return; + } + debugLevelRef = CFDictionaryGetValue(globals, CFSTR("DebugLevel")); + if (debugLevelRef && (CFGetTypeID(debugLevelRef) == CFNumberGetTypeID())) { + CFNumberGetValue(debugLevelRef, kCFNumberSInt32Type, &level); + plogsetlevel(level); + } else { + debugLevelStringRef = CFDictionaryGetValue(globals, CFSTR("DebugLevelString")); + if (debugLevelStringRef && (CFGetTypeID(debugLevelStringRef) == CFStringGetTypeID())) { + CFStringGetCString(debugLevelStringRef, logLevelStr, sizeof(logLevelStr), kCFStringEncodingMacRoman); + plogsetlevelstr(logLevelStr); + } + } + + logFileRef = CFDictionaryGetValue(globals, CFSTR("DebugLogfile")); + if (!logFileRef || (CFGetTypeID(logFileRef) != CFStringGetTypeID())) { + return; + } + CFStringGetCString(logFileRef, logFileStr, MAXPATHLEN, kCFStringEncodingMacRoman); + plogsetfile(logFileStr); +} + +void +ploginit(void) +{ + logFileStr[0] = 0; + logRef = NULL;//asl_open(NULL, plog_facility, 0); + plogsetlevel(ASL_LEVEL_NOTICE); + //plogsetlevel(ASL_LEVEL_DEBUG); + plogreadprefs(); +} + +void +plogsetsessioninfo (const char *session_id, + const char *session_type, + const char *session_ver) +{ + if (gSessId) { + free(gSessId); + } + if (!session_id) { + gSessId = NULL; + } else { + gSessId = strdup(session_id); + } + if (gSessId) { + free(gSessId); + } + if (!session_type) { + gSessType = NULL; + } else { + gSessType = strdup(session_id); + } + if 
(gSessVer) { + free(gSessVer); + } + if (!session_ver) { + gSessVer = NULL; + } else { + gSessVer = strdup(session_ver); + } +} + +char * +createCStringFromCFString(CFAllocatorRef allocator, CFStringRef cfstr) +{ + CFIndex cstr_len = CFStringGetMaximumSizeForEncoding(CFStringGetLength(cfstr), kCFStringEncodingUTF8) + 1; + char *cstr = (char *)CFAllocatorAllocate(allocator, cstr_len, 0); + CFStringGetCString(cfstr, cstr, cstr_len, kCFStringEncodingUTF8); + return cstr; +} + +void +plogcf(int priority, CFStringRef fmt, ...) +{ + va_list args; + CFStringRef cfstr; + char *cstr; + + va_start(args, fmt); + cfstr = CFStringCreateWithFormatAndArguments(kCFAllocatorDefault, NULL, fmt, args); + va_end(args); + + cstr = createCStringFromCFString(kCFAllocatorDefault, cfstr); + plog(priority, "%s", cstr); + + CFAllocatorDeallocate(kCFAllocatorDefault, cstr); + CFRelease(cfstr); +} + + diff --git a/ipsec-tools/racoon/plog.h b/ipsec-tools/racoon/plog.h index 49e1154..328bb7e 100644 --- a/ipsec-tools/racoon/plog.h +++ b/ipsec-tools/racoon/plog.h 
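Review bot: plogsetsessioninfo frees gSessId a second time immediately after duplicating it — the second `if (gSessId) { free(gSessId); }` was evidently meant to be `if (gSessType) { free(gSessType); }`, and the line after it duplicates the wrong argument and should read `gSessType = strdup(session_type);`. As written every call leaves gSessId dangling, the plog macro then passes that freed pointer to asl_set, and the following call frees it again. clog_func has a similar copy-paste problem: it allocates `new` but stores level, description, function and line into `cerr`, the TAILQ append loop never links `new` when the chain is empty (so the allocation leaks), and the dump loop reads `cerr->description` on every iteration instead of `p->description`. plogsetlevelstr compares ASL_STRING_WARNING using `sizeof(ASL_STRING_NOTICE) - 1`, which should be `sizeof(ASL_STRING_WARNING) - 1`. The first context lines of this hunk are the tail of plogdump_func, whose start is in the previous hunk.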
@@ -39,48 +39,104 @@ #else #include #endif -#include +#include +#include +#include -/* - * INFO: begin negotiation, SA establishment/deletion/expiration. - * NOTIFY: just notifiable. - * WARNING: not error strictly. - * ERROR: system call error. also invalid parameter/format. - * ERROR2: error causing exit - to be logged to syslog. - * DEBUG1: debugging informatioin. - * DEBUG2: too more verbose. e.g. parsing config. - */ -#define LLV_INFO 1 -#define LLV_NOTIFY 2 -#define LLV_WARNING 3 -#define LLV_ERROR 4 -#define LLV_ERROR2 5 -#define LLV_DEBUG 6 -#define LLV_DEBUG2 7 - -#define LLV_BASE 5 /* always logging less than or equal to this value. */ extern char *pname; extern u_int32_t loglevel; extern int f_foreground; extern int print_location; +extern char *logfile; +extern char logFileStr[]; +extern char *gSessId; +extern char *gSessType; +extern char *gSessVer; +extern aslclient logRef; struct sockaddr_storage; -extern void plog_func __P((int, const char *, struct sockaddr_storage *, const char *, ...)) - __attribute__ ((__format__ (__printf__, 4, 5))); -extern void plogv __P((int, const char *, struct sockaddr_storage *, - const char *, va_list *)); -extern void plogdump __P((int, void *, size_t)); -extern void ploginit __P((void)); -extern void plogset __P((char *)); - -extern char* binsanitize __P((char*, size_t)); - -#define plog(pri, func, sa, fmt, args...) do { \ - if (pri <= loglevel) { \ - plog_func(pri, func, sa, fmt, ##args); \ - } \ - } while(0) -extern void plogmtxinit __P((void)); + +typedef enum clog_err_op { + CLOG_ERR_OFF = 0, + CLOG_ERR_FILL, + CLOG_ERR_DUMP, +} clog_err_op_t; + +typedef struct clog_err { + int clog_err_level; /* will be used for filtering */ + int clog_err_code; /* internal code */ + char *client_id; + char *client_type; + char *description; + int description_len; + const char *function; + const char *line; + + // add a CFErrorRef for global error code (i.e. 
number-space) + + TAILQ_HEAD(_chain_head, clog_err) chain_head; + TAILQ_ENTRY(clog_err) chain; +} clog_err_t; + +extern const char *plog_facility; +extern const char *plog_session_id; +extern const char *plog_session_type; +extern const char *plog_session_ver; +extern void clog_func (clog_err_t *, clog_err_op_t, int, const char *, const char *, const char *, ...); +extern void plogdump_asl (aslmsg, int, const char *, ...); +extern void plogdump_func (int, void *, size_t, const char *, ...); +extern void plogcf(int priority, CFStringRef fmt, ...); + +#define clog(cerr, cerr_op, pri, fmt, args...) do { \ + if (pri <= loglevel) { \ + clog_func(cerr, cerr_op, pri, __FUNCTION__, __LINE__, fmt, ##args); \ + } \ +} while(0) + +#define plog(pri, fmt, args...) do { \ + if (pri <= loglevel) { \ + aslmsg m; \ + if ((m = asl_new(ASL_TYPE_MSG))) { \ + asl_set(m, ASL_KEY_FACILITY, plog_facility); \ + if (gSessId) \ + asl_set(m, plog_session_id, gSessId); \ + if (gSessType) \ + asl_set(m, plog_session_type, gSessType); \ + if (gSessVer) \ + asl_set(m, plog_session_ver, gSessVer); \ + asl_log(logRef, m, pri, fmt, ##args); \ + asl_free(m); \ + } \ + } \ + } while(0) + +#define plogdump(pri, buf, len, fmt, args...) do { \ + if (pri <= loglevel) { \ + plogdump_func(pri, buf, len, fmt, ##args); \ + } \ + } while(0) + +void ploginit(void); + +void plogreadprefs (void); + +void plogsetfile (char *); + +void plogresetfile (char *); + +int ploggetlevel(void); + +void plogsetlevel (int); + +void plogresetlevel (void); + +void plogsetlevelstr (char *); +void plogsetlevelquotedstr (char *); + +// Called at the beginning of any dispatch event to initialize the logger with protocol client info +void plogsetsessioninfo (const char *session_id, + const char *session_type, + const char *session_ver); #endif /* _PLOG_H */ diff --git a/ipsec-tools/racoon/policy.c b/ipsec-tools/racoon/policy.c index e27a817..5abafad 100644 --- a/ipsec-tools/racoon/policy.c +++ b/ipsec-tools/racoon/policy.c 
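Review bot: the clog macro passes `__LINE__`, an integer constant, where clog_func's prototype takes `const char *line`, so the line number arrives as a bogus pointer and anything that later prints it as a string will fault. Stringify it at the macro site — `#define CLOG_STR_(x) #x`, `#define CLOG_STR(x) CLOG_STR_(x)`, and call `clog_func(cerr, cerr_op, pri, __FUNCTION__, CLOG_STR(__LINE__), fmt, ##args)` — or change the parameter to `int` in both this header and plog.c. The header also drops the comment block that explained what each LLV level meant; since the policy.c hunks in this patch map both LLV_DEBUG and LLV_DEBUG2 to ASL_LEVEL_DEBUG and LLV_ERROR2 appears to have no direct counterpart, a short comment above the `plog` macro describing the intended use of each ASL level would preserve that guidance. `plogresetlevel` is declared here but I do not see a definition in this patch's plog.c hunks; confirm one exists.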
@@ -92,7 +92,7 @@ getsp(spidx) struct secpolicy * getsp_r(spidx, iph2) struct policyindex *spidx; - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct secpolicy *p; int mismatched_outer_addr = 0; @@ -103,7 +103,7 @@ getsp_r(spidx, iph2) struct ipsecrequest *isr; for (isr = p->req; isr != NULL; isr = isr->next) { if (isr->saidx.mode != IPSEC_MODE_TUNNEL) { - plog(LLV_DEBUG2, LOCATION, NULL, "%s, skipping policy. dir %d, mode %d\n", + plog(ASL_LEVEL_DEBUG, "%s, skipping policy. dir %d, mode %d\n", __FUNCTION__, spidx->dir, isr->saidx.mode); continue; } @@ -113,7 +113,7 @@ getsp_r(spidx, iph2) // TODO: look out for wildcards if (!cmpsaddrwop(iph2->dst, &isr->saidx.src) && !cmpsaddrwop(iph2->src, &isr->saidx.dst)) { - plog(LLV_DEBUG2, LOCATION, NULL, "%s, inbound policy outer addresses matched phase2's addresses\n", + plog(ASL_LEVEL_DEBUG, "%s, inbound policy outer addresses matched Phase 2 addresses\n", __FUNCTION__); return p; } else { @@ -123,7 +123,7 @@ getsp_r(spidx, iph2) // TODO: look out for wildcards if (!cmpsaddrwop(iph2->src, &isr->saidx.src) && !cmpsaddrwop(iph2->dst, &isr->saidx.dst)) { - plog(LLV_DEBUG2, LOCATION, NULL, "%s, outbound policy outer addresses matched phase2's addresses\n", + plog(ASL_LEVEL_DEBUG, "%s, outbound policy outer addresses matched Phase 2 addresses\n", __FUNCTION__); return p; } else { 
@@ -133,15 +133,15 @@ getsp_r(spidx, iph2) mismatched_outer_addr = 1; } if (mismatched_outer_addr) { - plog(LLV_DEBUG2, LOCATION, NULL, "%s, policy outer addresses matched phase2's addresses: dir %d\n", + plog(ASL_LEVEL_DEBUG, "%s, policy outer addresses matched Phase 2 addresses: dir %d\n", __FUNCTION__, spidx->dir); - plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n", + plog(ASL_LEVEL_DEBUG, "src1: %s\n", saddr2str((struct sockaddr *)iph2->src)); - plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n", + plog(ASL_LEVEL_DEBUG, "src2: %s\n", saddr2str((struct sockaddr *)&isr->saidx.src)); - plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n", + plog(ASL_LEVEL_DEBUG, "dst1: %s\n", saddr2str((struct sockaddr *)iph2->dst)); - plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n", + plog(ASL_LEVEL_DEBUG, "dst2: %s\n", saddr2str((struct sockaddr *)&isr->saidx.dst)); } } @@ -158,15 +158,15 @@ getsp_r(spidx, iph2) struct secpolicy * getsp_r(spidx, iph2) struct policyindex *spidx; - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct secpolicy *p; u_int8_t prefixlen; - plog(LLV_DEBUG, LOCATION, NULL, "checking for transport mode\n"); + plog(ASL_LEVEL_DEBUG, "checking for transport mode\n"); if (spidx->src.ss_family != spidx->dst.ss_family) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "address family mismatch, src:%d dst:%d\n", spidx->src.ss_family, spidx->dst.ss_family); 
@@ -182,29 +182,29 @@ getsp_r(spidx, iph2) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", spidx->src.ss_family); return NULL; } /* is it transport mode SA negotiation? */ - plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n", + plog(ASL_LEVEL_DEBUG, "src1: %s\n", saddr2str(iph2->src)); - plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n", + plog(ASL_LEVEL_DEBUG, "src2: %s\n", saddr2str(&spidx->src)); if (cmpsaddrwop(iph2->src, &spidx->src) || spidx->prefs != prefixlen) return NULL; - plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n", + plog(ASL_LEVEL_DEBUG, "dst1: %s\n", saddr2str(iph2->dst)); - plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n", + plog(ASL_LEVEL_DEBUG, "dst2: %s\n", saddr2str(&spidx->dst)); if (cmpsaddrwop(iph2->dst, &spidx->dst) || spidx->prefd != prefixlen) return NULL; - plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n"); + plog(ASL_LEVEL_DEBUG, "looks to be transport mode\n"); for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) { if (!cmpspidx_wild(spidx, &p->spidx)) @@ -239,8 +239,6 @@ int cmpspidxstrict(a, b) struct policyindex *a, *b; { - //plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a)); - //plog(LLV_DEBUG, LOCATION, NULL, "db :%p: %s\n", b, spidx2str(b)); /* XXX don't check direction now, but it's to be checked carefully. */ if (a->dir != b->dir @@ -269,9 +267,6 @@ cmpspidxwild(a, b) { struct sockaddr_storage sa1, sa2; - //plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a)); - //plog(LLV_DEBUG, LOCATION, NULL, "db: %p: %s\n", b, spidx2str(b)); - if (!(b->dir == IPSEC_DIR_ANY || a->dir == b->dir)) return 1; @@ -287,7 +282,7 @@ cmpspidxwild(a, b) /* compare src address */ if (sizeof(sa1) < a->src.ss_len || sizeof(sa2) < b->src.ss_len) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unexpected error: " "src.ss_len:%d dst.ss_len:%d\n", a->src.ss_len, b->src.ss_len); 
@@ -295,23 +290,23 @@ cmpspidxwild(a, b) } mask_sockaddr(&sa1, &a->src, b->prefs); mask_sockaddr(&sa2, &b->src, b->prefs); - plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", + plog(ASL_LEVEL_DEBUG, "%p masked with /%d: %s\n", a, b->prefs, saddr2str((struct sockaddr *)&sa1)); - plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", + plog(ASL_LEVEL_DEBUG, "%p masked with /%d: %s\n", b, b->prefs, saddr2str((struct sockaddr *)&sa2)); if (cmpsaddrwild(&sa1, &sa2)) return 1; /* compare dst address */ if (sizeof(sa1) < a->dst.ss_len || sizeof(sa2) < b->dst.ss_len) { - plog(LLV_ERROR, LOCATION, NULL, "unexpected error\n"); + plog(ASL_LEVEL_ERR, "unexpected error\n"); exit(1); } mask_sockaddr(&sa1, &a->dst, b->prefd); mask_sockaddr(&sa2, &b->dst, b->prefd); - plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", + plog(ASL_LEVEL_DEBUG, "%p masked with /%d: %s\n", a, b->prefd, saddr2str((struct sockaddr *)&sa1)); - plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", + plog(ASL_LEVEL_DEBUG, "%p masked with /%d: %s\n", b, b->prefd, saddr2str((struct sockaddr *)&sa2)); if (cmpsaddrwild(&sa1, &sa2)) return 1; diff --git a/ipsec-tools/racoon/policy.h b/ipsec-tools/racoon/policy.h index 48904b0..e1bd269 100644 --- a/ipsec-tools/racoon/policy.h +++ b/ipsec-tools/racoon/policy.h @@ -32,6 +32,7 @@ #ifndef _POLICY_H #define _POLICY_H +#include "racoon_types.h" #include /* refs. ipsec.h */ 
@@ -114,23 +115,23 @@ do { \ } while (0) #endif -struct ph2handle; + struct policyindex; -extern struct secpolicy *getsp __P((struct policyindex *)); -extern struct secpolicy *getsp_r __P((struct policyindex *, struct ph2handle *)); -struct secpolicy *getspbyspid __P((u_int32_t)); -extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *)); -extern int cmpspidxwild __P((struct policyindex *, struct policyindex *)); -extern struct secpolicy *newsp __P((void)); -extern void delsp __P((struct secpolicy *)); -extern void delsp_bothdir __P((struct policyindex *)); -extern void inssp __P((struct secpolicy *)); -extern void remsp __P((struct secpolicy *)); -extern void flushsp __P((void)); -extern void initsp __P((void)); -extern struct ipsecrequest *newipsecreq __P((void)); -extern int policies_installed __P((void)); - -extern const char *spidx2str __P((const struct policyindex *)); +extern struct secpolicy *getsp (struct policyindex *); +extern struct secpolicy *getsp_r (struct policyindex *, phase2_handle_t *); +struct secpolicy *getspbyspid (u_int32_t); +extern int cmpspidxstrict (struct policyindex *, struct policyindex *); +extern int cmpspidxwild (struct policyindex *, struct policyindex *); +extern struct secpolicy *newsp (void); +extern void delsp (struct secpolicy *); +extern void delsp_bothdir (struct policyindex *); +extern void inssp (struct secpolicy *); +extern void remsp (struct secpolicy *); +extern void flushsp (void); +extern void initsp (void); +extern struct ipsecrequest *newipsecreq (void); +extern int policies_installed (void); + +extern const char *spidx2str (const struct policyindex *); #endif /* _POLICY_H */ diff --git a/ipsec-tools/racoon/power_mgmt.c b/ipsec-tools/racoon/power_mgmt.c index e020aa6..370b25f 100644 --- a/ipsec-tools/racoon/power_mgmt.c +++ b/ipsec-tools/racoon/power_mgmt.c @@ -3,10 +3,10 @@ #include #include #include -#include #include #include #include +#include #include #include 
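Review bot: While every other prototype in the rewritten policy.h block carries `extern`, `struct secpolicy *getspbyspid (u_int32_t);` still does not; since all the lines were being rewritten anyway, make it `extern struct secpolicy *getspbyspid (u_int32_t);` so the header reads uniformly. These declarations also now depend on `phase2_handle_t`, which only resolves because the earlier hunk adds `#include "racoon_types.h"`; a one-line comment next to that include, such as `/* phase2_handle_t, used by getsp_r() below */`, would make the dependency visible to anyone reordering the includes.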
@@ -40,13 +40,15 @@ io_connect_t gIOPort; CFUserNotificationRef gSleepNotification = NULL; #endif // !kIOPMAcknowledgmentOptionSystemCapabilityRequirements -pthread_t power_mgmt_thread; time_t slept_at = 0; time_t woke_at = 0; time_t swept_at = 0; static int sleeping = 0; +int check_power_context; // dummy field for dispatch call +extern void check_power_mgmt (void*); + #ifdef kIOPMAcknowledgmentOptionSystemCapabilityRequirements #define WAKE_CAPS (kIOPMSystemPowerStateCapabilityCPU | kIOPMSystemPowerStateCapabilityNetwork) @@ -55,7 +57,7 @@ IOPMConnection gPMConnection = NULL; static void iosleep_capabilities_notifier(void *param, IOPMConnection connection, IOPMConnectionMessageToken token, IOPMSystemPowerStateCapabilities capabilities) { - plog(LLV_DEBUG, LOCATION, NULL,"received power-mgmt event: capabilities %X%s%s%s%s%s", + plog(ASL_LEVEL_DEBUG, "received power-mgmt event: capabilities %X%s%s%s%s%s", capabilities, capabilities & kIOPMSystemPowerStateCapabilityCPU ? " CPU" : "", capabilities & kIOPMSystemPowerStateCapabilityVideo ? " Video" : "", 
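Review bot: The file-local `extern void check_power_mgmt (void*);` added here disagrees with the prototype the power_mgmt.h hunk later in this diff exports, `extern void check_power_mgmt (void);`, while the definition in the final power_mgmt.c hunk takes `void *context`. If power_mgmt.c includes its own header (not visible in this chunk) the compiler will reject the conflicting types, and any other translation unit that trusts the header will call the function with no argument at all. Fix the header to `extern void check_power_mgmt (void *);` and drop the duplicate local extern rather than carrying two prototypes. `int check_power_context;` is only a dispatch token for this file and could be `static int check_power_context;` to keep it out of the global namespace.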
@@ -65,32 +67,33 @@ iosleep_capabilities_notifier(void *param, IOPMConnection connection, IOPMConnec if ((capabilities & WAKE_CAPS) != WAKE_CAPS) { if (!sleeping) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received power-mgmt event: will sleep\n"); sleeping = 1; slept_at = current_time(); } else { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignored power-mgmt event: sleep(%x) while asleep\n", capabilities); } IOPMConnectionAcknowledgeEvent(connection, token ); } else if ((capabilities & WAKE_CAPS) == WAKE_CAPS) { // allow processing of packets if (sleeping) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received power-mgmt event: will wake(%x)\n", capabilities); sleeping = 0; woke_at = current_time(); } else { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignored power-mgmt event: wake(%x) while not asleep\n", capabilities); } IOPMConnectionAcknowledgeEvent(connection, token); } else { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignored power-mgmt event: capabilities(%x)\n", capabilities); IOPMConnectionAcknowledgeEvent(connection, token); } + dispatch_async_f(dispatch_get_main_queue(), &check_power_context, &check_power_mgmt); } #else @@ -102,7 +105,7 @@ void iosleep_notifier(void * x, io_service_t y, natural_t messageType, void *mes case kIOMessageSystemWillSleep: sleeping = 1; slept_at = current_time(); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received power-mgmt event: will sleep\n"); IOAllowPowerChange(gIOPort, (long)messageArgument); break; 
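Review bot: The trailing `else` branch that logs `"ignored power-mgmt event: capabilities(%x)\n"` is unreachable: the first test is `(capabilities & WAKE_CAPS) != WAKE_CAPS` and the second is `(capabilities & WAKE_CAPS) == WAKE_CAPS`, which between them cover every value. The commit rewrites the plog calls in all three branches but keeps the dead one; collapsing to a plain `if`/`else` removes it, or if the branch is meant as a safety net a comment should say so. The newly appended `dispatch_async_f(dispatch_get_main_queue(), &check_power_context, &check_power_mgmt);` also deserves a one-line comment such as `/* run check_power_mgmt() on the main queue after every event, even ignored ones */`, since it is the only place the sleep/wake bookkeeping is consumed.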
@@ -111,41 +114,42 @@ void iosleep_notifier(void * x, io_service_t y, natural_t messageType, void *mes break; case kIOMessageSystemWillNotSleep: /* someone refused an idle sleep */ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received power-mgmt event: will not sleep\n"); sleeping = 0; slept_at = 0; break; case kIOMessageSystemWillPowerOn: if (sleeping) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received power-mgmt event: will wake\n"); sleeping = 0; } else { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received power-mgmt event: will power-on\n"); } break; case kIOMessageSystemHasPoweredOn: woke_at = current_time(); if (slept_at) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received power-mgmt event: has woken\n"); } else { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received power-mgmt event: has powered-on\n"); } break; default: - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received power-mgmt event: %x\n", messageType); break; } + dispatch_async_f(dispatch_get_main_queue(), &check_power_context, &check_power_mgmt); } #endif // kIOPMAcknowledgmentOptionSystemCapabilityRequirements -void * -power_mgmt_thread_func (void *arg) +int +init_power_mgmt (void) { #ifdef kIOPMAcknowledgmentOptionSystemCapabilityRequirements IOReturn ret; 
@@ -154,63 +158,61 @@ power_mgmt_thread_func (void *arg) WAKE_CAPS, &gPMConnection); if (ret != kIOReturnSuccess) { - plog(LLV_ERROR, LOCATION, NULL,"IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret); - return NULL; + plog(ASL_LEVEL_ERR, "IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret); + return -1; } ret = IOPMConnectionSetNotification(gPMConnection, NULL, iosleep_capabilities_notifier); if (ret != kIOReturnSuccess) { - plog(LLV_ERROR, LOCATION, NULL,"IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret); - return NULL; + plog(ASL_LEVEL_ERR, "IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret); + return -1; } - ret = IOPMConnectionScheduleWithRunLoop(gPMConnection, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode); - if (ret != kIOReturnSuccess) { - plog(LLV_ERROR, LOCATION, NULL,"IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret); - return NULL; - } + IOPMConnectionSetDispatchQueue(gPMConnection, dispatch_get_main_queue()); + #else if ((gIOPort = IORegisterForSystemPower(0, ¬ify, iosleep_notifier, &iterator)) == MACH_PORT_NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "IORegisterForSystemPower failed for power-mgmt thread\n"); - return NULL; + return -1; } - - CFRunLoopAddSource(CFRunLoopGetCurrent(), - IONotificationPortGetRunLoopSource(notify), - kCFRunLoopDefaultMode); + + IONotificationPortSetDispatchQueue(notify, dispatch_get_main_queue()); + #endif // kIOPMAcknowledgmentOptionSystemCapabilityRequirements - CFRunLoopRun(); - return NULL; + return 0; } -int -init_power_mgmt (void) +void +cleanup_power_mgmt (void) { - int err; - - if ((err = pthread_create(&power_mgmt_thread, NULL, power_mgmt_thread_func, NULL))) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to create power-mgmt thread: %d\n", err); - return -1; - } - - return 0; +#ifdef kIOPMAcknowledgmentOptionSystemCapabilityRequirements + + IOPMConnectionSetDispatchQueue(gPMConnection, NULL); + IOPMConnectionRelease(gPMConnection); + +#else + + 
IODeregisterForSystemPower(&iterator); + IONotificationPortDestroy(notify); + +#endif // kIOPMAcknowledgmentOptionSystemCapabilityRequirements + } void -check_power_mgmt (void) +check_power_mgmt (void *context) { if (slept_at && woke_at) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "handling power-mgmt event: sleep-wake\n"); swept_at = current_time(); sweep_sleepwake(); slept_at = 0; woke_at = 0; } else if (woke_at) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "handling power-mgmt event: power-on\n"); woke_at = 0; } diff --git a/ipsec-tools/racoon/power_mgmt.h b/ipsec-tools/racoon/power_mgmt.h index fbe7140..dd933ba 100644 --- a/ipsec-tools/racoon/power_mgmt.h +++ b/ipsec-tools/racoon/power_mgmt.h @@ -7,7 +7,8 @@ extern time_t slept_at; extern time_t woke_at; extern time_t swept_at; -extern int init_power_mgmt __P((void)); -extern void check_power_mgmt __P((void)); +extern int init_power_mgmt (void); +extern void cleanup_power_mgmt (void); +extern void check_power_mgmt (void); #endif /* _POWER_MGMT_H */ diff --git a/ipsec-tools/racoon/privsep.c b/ipsec-tools/racoon/privsep.c deleted file mode 100644 index 81ec7b8..0000000 --- a/ipsec-tools/racoon/privsep.c +++ /dev/null 
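Review bot: `cleanup_power_mgmt` releases `gPMConnection` without checking that `init_power_mgmt` ever succeeded and leaves the stale handle in place afterwards, so a cleanup after a failed init, or a second cleanup, operates on NULL or on a released connection. Guard it with `if (gPMConnection == NULL) return;` before `IOPMConnectionSetDispatchQueue(gPMConnection, NULL);` and clear it with `gPMConnection = NULL;` after `IOPMConnectionRelease(gPMConnection);`. In `init_power_mgmt` the `IOPMConnectionSetNotification` failure path still logs the copy-pasted text `"IOPMConnectionCreate failed (%d) power-mgmt thread\n"` and returns without releasing the connection created just above it, and both messages still mention a "power-mgmt thread" that this commit removes. The `#else` path's `notify` and `iterator` appear to be file-scope state declared outside this hunk; the same "never initialised" concern presumably applies to `IONotificationPortDestroy(notify)` there.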
@@ -1,1353 +0,0 @@ -/* $NetBSD: privsep.c,v 1.6 2006/09/09 16:22:10 manu Exp $ */ - -/* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */ - -/* - * Copyright (C) 2004 Emmanuel Dreyfus - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "config.h" - -#include -#include -#ifdef __NetBSD__ -#include /* for setproctitle */ -#endif -#include -#include -#include - -#include -#include - -#include "gcmalloc.h" -#include "vmbuf.h" -#include "misc.h" -#include "plog.h" -#include "var.h" -#include "libpfkey.h" - -#include "crypto_openssl.h" -#include "isakmp_var.h" -#include "isakmp.h" -#ifdef ENABLE_HYBRID -#include "resolv.h" -#include "isakmp_xauth.h" -#include "isakmp_cfg.h" -#endif -#include "localconf.h" -#include "remoteconf.h" -#include "admin.h" -#include "sockmisc.h" -#include "privsep.h" - -#ifdef HAVE_OPENSSL -static int privsep_sock[2] = { -1, -1 }; - -static int privsep_recv(int, struct privsep_com_msg **, size_t *); -static int privsep_send(int, struct privsep_com_msg *, size_t); -static int safety_check(struct privsep_com_msg *, int i); -static int port_check(int); -static int unsafe_env(char *const *); -static int unknown_name(int); -static int unsafe_path(char *, int); -#endif - -#ifdef HAVE_OPENSSL -static int -privsep_send(sock, buf, len) - int sock; - struct privsep_com_msg *buf; - size_t len; -{ - if (buf == NULL) - return 0; - - if (sendto(sock, (char *)buf, len, 0, NULL, 0) == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "privsep_send failed: %s\n", - strerror(errno)); - return -1; - } - - racoon_free((char *)buf); - - return 0; -} - - -static int -privsep_recv(sock, bufp, lenp) - int sock; - struct privsep_com_msg **bufp; - size_t *lenp; -{ - struct admin_com com; - struct admin_com *combuf; - size_t len; - - *bufp = NULL; - *lenp = 0; - - /* Get the header */ - while ((len = recvfrom(sock, (char *)&com, - sizeof(com), MSG_PEEK, NULL, NULL)) == -1) { - if (errno == EINTR) - continue; - - plog(LLV_ERROR, LOCATION, NULL, - "privsep_recv failed: %s\n", - strerror(errno)); - return -1; - } - - /* Check for short packets */ - if (len < sizeof(com)) { - plog(LLV_ERROR, LOCATION, NULL, - "corrupted privsep message (short header)\n"); - return -1; - } - - /* Allocate buffer 
for the whole message */ - if ((combuf = (struct admin_com *)racoon_malloc(com.ac_len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate memory: %s\n", strerror(errno)); - return -1; - } - - /* Get the whole buffer */ - while ((len = recvfrom(sock, (char *)combuf, - com.ac_len, 0, NULL, NULL)) == -1) { - if (errno == EINTR) - continue; - plog(LLV_ERROR, LOCATION, NULL, - "failed to recv privsep command: %s\n", - strerror(errno)); - return -1; - } - - /* We expect len to match */ - if (len != com.ac_len) { - plog(LLV_ERROR, LOCATION, NULL, - "corrupted privsep message (short packet)\n"); - return -1; - } - - *bufp = (struct privsep_com_msg *)combuf; - *lenp = len; - - return 0; -} -#endif /* HAVE_OPENSSL */ - -#ifdef HAVE_OPENSSL -int -privsep_init(void) -{ - int i; - pid_t child_pid; - - /* If running as root, we don't use the privsep code path */ - if (lcconf->uid == 0) - return 0; - - /* - * When running privsep, certificate and script paths - * are mandatory, as they enable us to check path safety - * in the privilegied instance - */ - if ((lcconf->pathinfo[LC_PATHTYPE_CERT] == NULL) || - (lcconf->pathinfo[LC_PATHTYPE_SCRIPT] == NULL)) { - plog(LLV_ERROR, LOCATION, NULL, "privilege separation " - "require path cert and path script in the config file\n"); - return -1; - } - - if (socketpair(PF_LOCAL, SOCK_DGRAM, 0, privsep_sock) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate privsep_sock: %s\n", strerror(errno)); - return -1; - } - - switch (child_pid = fork()) { - case -1: - plog(LLV_ERROR, LOCATION, NULL, "Cannot fork privsep: %s\n", - strerror(errno)); - return -1; - break; - - case 0: /* Child: drop privileges */ - if (lcconf->chroot != NULL) { - if (chdir(lcconf->chroot) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot chdir(%s): %s\n", lcconf->chroot, - strerror(errno)); - return -1; - } - if (chroot(lcconf->chroot) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot chroot(%s): %s\n", lcconf->chroot, - strerror(errno)); - 
return -1; - } - } - - if (setgid(lcconf->gid) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot setgid(%d): %s\n", lcconf->gid, - strerror(errno)); - return -1; - } - - if (setegid(lcconf->gid) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot setegid(%d): %s\n", lcconf->gid, - strerror(errno)); - return -1; - } - - if (setuid(lcconf->uid) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot setuid(%d): %s\n", lcconf->uid, - strerror(errno)); - return -1; - } - - if (seteuid(lcconf->uid) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot seteuid(%d): %s\n", lcconf->uid, - strerror(errno)); - return -1; - } - - return 0; - break; - - default: /* Parent: privilegied process */ - break; - } - - /* - * Close everything except the socketpair, - * and stdout if running in the forground. - */ - for (i = sysconf(_SC_OPEN_MAX); i > 0; i--) { - if (i == privsep_sock[0]) - continue; - if (i == privsep_sock[1]) - continue; - if ((f_foreground) && (i == 1)) - continue; - (void)close(i); - } - - /* Above trickery closed the log file, reopen it */ - ploginit(); - - plog(LLV_INFO, LOCATION, NULL, - "racoon privilegied process running with PID %d\n", getpid()); - -#ifdef __NetBSD__ - setproctitle("[priv]"); -#endif - - /* - * Don't catch any signal - * This duplicate session:signals[], which is static... 
- */ - signal(SIGHUP, SIG_DFL); - signal(SIGINT, SIG_DFL); - signal(SIGTERM, SIG_DFL); - signal(SIGUSR1, SIG_DFL); - signal(SIGUSR2, SIG_DFL); - signal(SIGCHLD, SIG_DFL); - - while (1) { - size_t len; - struct privsep_com_msg *combuf; - struct privsep_com_msg *reply; - char *data; - size_t *buflen; - size_t totallen; - char *bufs[PRIVSEP_NBUF_MAX]; - int i; - - if (privsep_recv(privsep_sock[0], &combuf, &len) != 0) - goto out; - - /* Safety checks and gather the data */ - if (len < sizeof(*combuf)) { - plog(LLV_ERROR, LOCATION, NULL, - "corrupted privsep message (short buflen)\n"); - goto out; - } - - data = (char *)(combuf + 1); - totallen = sizeof(*combuf); - for (i = 0; i < PRIVSEP_NBUF_MAX; i++) { - bufs[i] = (char *)data; - data += combuf->bufs.buflen[i]; - totallen += combuf->bufs.buflen[i]; - } - - if (totallen > len) { - plog(LLV_ERROR, LOCATION, NULL, - "corrupted privsep message (bufs too big)\n"); - goto out; - } - - /* Prepare the reply buffer */ - if ((reply = racoon_malloc(sizeof(*reply))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate reply buffer: %s\n", - strerror(errno)); - goto out; - } - bzero(reply, sizeof(*reply)); - reply->hdr.ac_cmd = combuf->hdr.ac_cmd; - reply->hdr.ac_len = sizeof(*reply); - - switch(combuf->hdr.ac_cmd) { - /* - * XXX Improvement: instead of returning the key, - * stuff eay_get_pkcs1privkey and eay_get_x509sign - * together and sign the hash in the privilegied - * instance? 
- * pro: the key remains inaccessible to unpriv - * con: a compromised unpriv racoon can still sign anything - */ - case PRIVSEP_EAY_GET_PKCS1PRIVKEY: { - vchar_t *privkey; - - /* Make sure the string is NULL terminated */ - if (safety_check(combuf, 0) != 0) - break; - bufs[0][combuf->bufs.buflen[0] - 1] = '\0'; - - if (unsafe_path(bufs[0], LC_PATHTYPE_CERT) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "privsep_eay_get_pkcs1privkey: " - "unsafe cert \"%s\"\n", bufs[0]); - } - - plog(LLV_DEBUG, LOCATION, NULL, - "eay_get_pkcs1privkey(\"%s\")\n", bufs[0]); - - if ((privkey = eay_get_pkcs1privkey(bufs[0])) == NULL){ - reply->hdr.ac_errno = errno; - break; - } - - reply->bufs.buflen[0] = privkey->l; - reply->hdr.ac_len = sizeof(*reply) + privkey->l; - reply = racoon_realloc(reply, reply->hdr.ac_len); - if (reply == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate reply buffer: %s\n", - strerror(errno)); - goto out; - } - - memcpy(reply + 1, privkey->v, privkey->l); - vfree(privkey); - break; - } - - case PRIVSEP_SCRIPT_EXEC: { - char *script; - int name; - char **envp = NULL; - int envc = 0; - int count = 0; - int i; - - /* - * First count the bufs, and make sure strings - * are NULL terminated. 
- * - * We expect: script, name, envp[], void - */ - if (safety_check(combuf, 0) != 0) - break; - bufs[0][combuf->bufs.buflen[0] - 1] = '\0'; - count++; /* script */ - count++; /* name */ - - for (; count < PRIVSEP_NBUF_MAX; count++) { - if (combuf->bufs.buflen[count] == 0) - break; - bufs[count] - [combuf->bufs.buflen[count] - 1] = '\0'; - envc++; - } - - /* count a void buf and perform safety check */ - count++; - if (count >= PRIVSEP_NBUF_MAX) { - plog(LLV_ERROR, LOCATION, NULL, - "privsep_script_exec: too many args\n"); - goto out; - } - - - /* - * Allocate the arrays for envp - */ - envp = racoon_malloc((envc + 1) * sizeof(char *)); - if (envp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory: %s\n", - strerror(errno)); - goto out; - } - bzero(envp, (envc + 1) * sizeof(char *)); - - - /* - * Populate script, name and envp - */ - count = 0; - script = bufs[count++]; - - if (combuf->bufs.buflen[count] != sizeof(name)) { - plog(LLV_ERROR, LOCATION, NULL, - "privsep_script_exec: corrupted message\n"); - goto out; - } - memcpy((char *)&name, bufs[count++], sizeof(name)); - - for (i = 0; combuf->bufs.buflen[count]; count++) - envp[i++] = bufs[count]; - - count++; /* void */ - - plog(LLV_DEBUG, LOCATION, NULL, - "script_exec(\"%s\", %d, %p)\n", - script, name, envp); - - /* - * Check env for dangerous variables - * Check script path and name - * Perform fork and execve - */ - if ((unsafe_env(envp) == 0) && - (unknown_name(name) == 0) && - (unsafe_path(script, LC_PATHTYPE_SCRIPT) == 0)) - (void)script_exec(script, name, envp); - else - plog(LLV_ERROR, LOCATION, NULL, - "privsep_script_exec: " - "unsafe script \"%s\"\n", script); - - racoon_free(envp); - break; - } - - case PRIVSEP_GETPSK: { - vchar_t *psk; - int keylen; - - /* Make sure the string is NULL terminated */ - if (safety_check(combuf, 0) != 0) - break; - bufs[0][combuf->bufs.buflen[0] - 1] = '\0'; - - if (combuf->bufs.buflen[1] != sizeof(keylen)) { - plog(LLV_ERROR, LOCATION, NULL, - 
"privsep_getpsk: corrupted message\n"); - goto out; - } - memcpy(&keylen, bufs[1], sizeof(keylen)); - - plog(LLV_DEBUG, LOCATION, NULL, - "getpsk(\"%s\", %d)\n", bufs[0], keylen); - - if ((psk = getpsk(bufs[0], keylen)) == NULL) { - reply->hdr.ac_errno = errno; - break; - } - - reply->bufs.buflen[0] = psk->l; - reply->hdr.ac_len = sizeof(*reply) + psk->l; - reply = racoon_realloc(reply, reply->hdr.ac_len); - if (reply == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate reply buffer: %s\n", - strerror(errno)); - goto out; - } - - memcpy(reply + 1, psk->v, psk->l); - vfree(psk); - break; - } - -#ifdef ENABLE_HYBRID - case PRIVSEP_ACCOUNTING_SYSTEM: { - int pool_size; - int port; - int inout; - struct sockaddr_storage *raddr; - - if (safety_check(combuf, 0) != 0) - break; - if (safety_check(combuf, 1) != 0) - break; - if (safety_check(combuf, 2) != 0) - break; - if (safety_check(combuf, 3) != 0) - break; - - memcpy(&port, bufs[0], sizeof(port)); - raddr = (struct sockaddr_storage *)bufs[1]; - - bufs[2][combuf->bufs.buflen[2] - 1] = '\0'; - memcpy(&inout, bufs[3], sizeof(port)); - - if (port_check(port) != 0) - break; - - plog(LLV_DEBUG, LOCATION, NULL, - "accounting_system(%d, %s, %s)\n", - port, saddr2str(raddr), bufs[2]); - - errno = 0; - if (isakmp_cfg_accounting_system(port, - raddr, bufs[2], inout) != 0) { - if (errno == 0) - reply->hdr.ac_errno = EINVAL; - else - reply->hdr.ac_errno = errno; - } - break; - } - case PRIVSEP_XAUTH_LOGIN_SYSTEM: { - if (safety_check(combuf, 0) != 0) - break; - bufs[0][combuf->bufs.buflen[0] - 1] = '\0'; - - if (safety_check(combuf, 1) != 0) - break; - bufs[1][combuf->bufs.buflen[1] - 1] = '\0'; - - plog(LLV_DEBUG, LOCATION, NULL, - "xauth_login_system(\"%s\", )\n", - bufs[0]); - - errno = 0; - if (xauth_login_system(bufs[0], bufs[1]) != 0) { - if (errno == 0) - reply->hdr.ac_errno = EINVAL; - else - reply->hdr.ac_errno = errno; - } - break; - } -#ifdef HAVE_LIBPAM - case PRIVSEP_ACCOUNTING_PAM: { - int port; - int 
inout; - int pool_size; - - if (safety_check(combuf, 0) != 0) - break; - if (safety_check(combuf, 1) != 0) - break; - if (safety_check(combuf, 2) != 0) - break; - - memcpy(&port, bufs[0], sizeof(port)); - memcpy(&inout, bufs[1], sizeof(inout)); - memcpy(&pool_size, bufs[2], sizeof(pool_size)); - - if (pool_size != isakmp_cfg_config.pool_size) - if (isakmp_cfg_resize_pool(pool_size) != 0) - break; - - if (port_check(port) != 0) - break; - - plog(LLV_DEBUG, LOCATION, NULL, - "isakmp_cfg_accounting_pam(%d, %d)\n", - port, inout); - - errno = 0; - if (isakmp_cfg_accounting_pam(port, inout) != 0) { - if (errno == 0) - reply->hdr.ac_errno = EINVAL; - else - reply->hdr.ac_errno = errno; - } - break; - } - - case PRIVSEP_XAUTH_LOGIN_PAM: { - int port; - int pool_size; - struct sockaddr_storage *raddr; - - if (safety_check(combuf, 0) != 0) - break; - if (safety_check(combuf, 1) != 0) - break; - if (safety_check(combuf, 2) != 0) - break; - if (safety_check(combuf, 3) != 0) - break; - if (safety_check(combuf, 4) != 0) - break; - - memcpy(&port, bufs[0], sizeof(port)); - memcpy(&pool_size, bufs[1], sizeof(pool_size)); - raddr = (struct sockaddr_storage *)bufs[2]; - - bufs[3][combuf->bufs.buflen[3] - 1] = '\0'; - bufs[4][combuf->bufs.buflen[4] - 1] = '\0'; - - if (pool_size != isakmp_cfg_config.pool_size) - if (isakmp_cfg_resize_pool(pool_size) != 0) - break; - - if (port_check(port) != 0) - break; - - plog(LLV_DEBUG, LOCATION, NULL, - "xauth_login_pam(%d, %s, \"%s\", )\n", - port, saddr2str(raddr), bufs[3]); - - errno = 0; - if (xauth_login_pam(port, - raddr, bufs[3], bufs[4]) != 0) { - if (errno == 0) - reply->hdr.ac_errno = EINVAL; - else - reply->hdr.ac_errno = errno; - } - break; - } - - case PRIVSEP_CLEANUP_PAM: { - int port; - int pool_size; - - if (safety_check(combuf, 0) != 0) - break; - if (safety_check(combuf, 1) != 0) - break; - - memcpy(&port, bufs[0], sizeof(port)); - memcpy(&pool_size, bufs[1], sizeof(pool_size)); - - if (pool_size != isakmp_cfg_config.pool_size) 
- if (isakmp_cfg_resize_pool(pool_size) != 0) - break; - - if (port_check(port) != 0) - break; - - plog(LLV_DEBUG, LOCATION, NULL, - "cleanup_pam(%d)\n", port); - - cleanup_pam(port); - reply->hdr.ac_errno = 0; - - break; - } -#endif /* HAVE_LIBPAM */ -#endif /* ENABLE_HYBRID */ - - default: - plog(LLV_ERROR, LOCATION, NULL, - "unexpected privsep command %d\n", - combuf->hdr.ac_cmd); - goto out; - break; - } - - /* This frees reply */ - if (privsep_send(privsep_sock[0], - reply, reply->hdr.ac_len) != 0) - goto out; - - racoon_free(combuf); - } - -out: - plog(LLV_INFO, LOCATION, NULL, "privsep exit\n"); - _exit(0); -} -#endif /* HAVE_OPENSSL */ - -#ifdef HAVE_OPENSSL -vchar_t * -privsep_eay_get_pkcs1privkey(path) - char *path; -{ - vchar_t *privkey; - struct privsep_com_msg *msg; - size_t len; - - if (geteuid() == 0) - return eay_get_pkcs1privkey(path); - - len = sizeof(*msg) + strlen(path) + 1; - if ((msg = racoon_malloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return NULL; - } - bzero(msg, len); - msg->hdr.ac_cmd = PRIVSEP_EAY_GET_PKCS1PRIVKEY; - msg->hdr.ac_len = len; - msg->bufs.buflen[0] = len - sizeof(*msg); - memcpy(msg + 1, path, msg->bufs.buflen[0]); - - if (privsep_send(privsep_sock[1], msg, len) != 0) - return NULL; - - if (privsep_recv(privsep_sock[1], &msg, &len) != 0) - return NULL; - - if (msg->hdr.ac_errno != 0) { - errno = msg->hdr.ac_errno; - goto out; - } - - if ((privkey = vmalloc(len - sizeof(*msg))) == NULL) - goto out; - - memcpy(privkey->v, msg + 1, privkey->l); - racoon_free(msg); - return privkey; - -out: - racoon_free(msg); - return NULL; -} -#endif - -/* - * No prigilege separation trick here, we just open PFKEY before - * dropping root privs and we remember it later. 
- */ -static int pfkey_socket = -1; -int -privsep_pfkey_open(void) -{ - int ps; - - if (pfkey_socket != -1) - return pfkey_socket; - - ps = pfkey_open(); - if (ps != -1) - pfkey_socket = ps; - - return ps; -} - -/* - * Consequence of the above trickery: don't - * really close PFKEY as we never re-open it. - */ -void -privsep_pfkey_close(ps) - int ps; -{ - return; -} - -#ifdef HAVE_OPENSSL -int -privsep_script_exec(script, name, envp) - char *script; - int name; - char *const envp[]; -{ - int count = 0; - char *const *c; - char *data; - size_t len; - struct privsep_com_msg *msg; - - if (geteuid() == 0) - return script_exec(script, name, envp); - - if ((msg = racoon_malloc(sizeof(*msg))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return -1; - } - - bzero(msg, sizeof(*msg)); - msg->hdr.ac_cmd = PRIVSEP_SCRIPT_EXEC; - msg->hdr.ac_len = sizeof(*msg); - - /* - * We send: - * script, name, envp[0], ... envp[N], void - */ - - /* - * Safety check on the counts: PRIVSEP_NBUF_MAX max - */ - count = 0; - count++; /* script */ - count++; /* name */ - for (c = envp; *c; c++) /* envp */ - count++; - count++; /* void */ - - if (count > PRIVSEP_NBUF_MAX) { - plog(LLV_ERROR, LOCATION, NULL, "Unexpected error: " - "privsep_script_exec count > PRIVSEP_NBUF_MAX\n"); - racoon_free(msg); - return -1; - } - - - /* - * Compute the length - */ - count = 0; - msg->bufs.buflen[count] = strlen(script) + 1; /* script */ - msg->hdr.ac_len += msg->bufs.buflen[count++]; - - msg->bufs.buflen[count] = sizeof(name); /* name */ - msg->hdr.ac_len += msg->bufs.buflen[count++]; - - for (c = envp; *c; c++) { /* envp */ - msg->bufs.buflen[count] = strlen(*c) + 1; - msg->hdr.ac_len += msg->bufs.buflen[count++]; - } - - msg->bufs.buflen[count] = 0; /* void */ - msg->hdr.ac_len += msg->bufs.buflen[count++]; - - if ((msg = racoon_realloc(msg, msg->hdr.ac_len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); 
- return -1; - } - - /* - * Now copy the data - */ - data = (char *)(msg + 1); - count = 0; - - memcpy(data, (char *)script, msg->bufs.buflen[count]); /* script */ - data += msg->bufs.buflen[count++]; - - memcpy(data, (char *)&name, msg->bufs.buflen[count]); /* name */ - data += msg->bufs.buflen[count++]; - - for (c = envp; *c; c++) { /* envp */ - memcpy(data, *c, msg->bufs.buflen[count]); - data += msg->bufs.buflen[count++]; - } - - count++; /* void */ - - /* - * And send it! - */ - if (privsep_send(privsep_sock[1], msg, msg->hdr.ac_len) != 0) - return -1; - - if (privsep_recv(privsep_sock[1], &msg, &len) != 0) - return -1; - - if (msg->hdr.ac_errno != 0) { - errno = msg->hdr.ac_errno; - racoon_free(msg); - return -1; - } - - racoon_free(msg); - return 0; -} -#endif - -#ifdef HAVE_OPENSSL -vchar_t * -privsep_getpsk(str, keylen) - const char *str; - int keylen; -{ - vchar_t *psk; - struct privsep_com_msg *msg; - size_t len; - int *keylenp; - char *data; - - if (geteuid() == 0) - return getpsk(str, keylen); - - len = sizeof(*msg) + strlen(str) + 1 + sizeof(keylen); - if ((msg = racoon_malloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return NULL; - } - bzero(msg, len); - msg->hdr.ac_cmd = PRIVSEP_GETPSK; - msg->hdr.ac_len = len; - - data = (char *)(msg + 1); - msg->bufs.buflen[0] = strlen(str) + 1; - memcpy(data, str, msg->bufs.buflen[0]); - - data += msg->bufs.buflen[0]; - msg->bufs.buflen[1] = sizeof(keylen); - memcpy(data, &keylen, sizeof(keylen)); - - if (privsep_send(privsep_sock[1], msg, len) != 0) - return NULL; - - if (privsep_recv(privsep_sock[1], &msg, &len) != 0) - return NULL; - - if (msg->hdr.ac_errno != 0) { - errno = msg->hdr.ac_errno; - goto out; - } - - if ((psk = vmalloc(len - sizeof(*msg))) == NULL) - goto out; - - memcpy(psk->v, msg + 1, psk->l); - racoon_free(msg); - return psk; - -out: - racoon_free(msg); - return NULL; -} -#endif - -#ifdef HAVE_OPENSSL -#ifdef ENABLE_HYBRID -int 
-privsep_xauth_login_system(usr, pwd) - char *usr; - char *pwd; -{ - struct privsep_com_msg *msg; - size_t len; - char *data; - - if (geteuid() == 0) - return xauth_login_system(usr, pwd); - - len = sizeof(*msg) + strlen(usr) + 1 + strlen(pwd) + 1; - if ((msg = racoon_malloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return -1; - } - bzero(msg, len); - msg->hdr.ac_cmd = PRIVSEP_XAUTH_LOGIN_SYSTEM; - msg->hdr.ac_len = len; - - data = (char *)(msg + 1); - msg->bufs.buflen[0] = strlen(usr) + 1; - memcpy(data, usr, msg->bufs.buflen[0]); - data += msg->bufs.buflen[0]; - - msg->bufs.buflen[1] = strlen(pwd) + 1; - memcpy(data, pwd, msg->bufs.buflen[1]); - - if (privsep_send(privsep_sock[1], msg, len) != 0) - return -1; - - if (privsep_recv(privsep_sock[1], &msg, &len) != 0) - return -1; - - if (msg->hdr.ac_errno != 0) { - racoon_free(msg); - return -1; - } - - racoon_free(msg); - return 0; -} - -int -privsep_accounting_system(port, raddr, usr, inout) - int port; - struct sockaddr_storage *raddr; - char *usr; - int inout; -{ - struct privsep_com_msg *msg; - size_t len; - char *data; - int result; - - if (geteuid() == 0) - return isakmp_cfg_accounting_system(port, raddr, - usr, inout); - - len = sizeof(*msg) - + sizeof(port) - + sysdep_sa_len(raddr) - + strlen(usr) + 1 - + sizeof(inout); - - if ((msg = racoon_malloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return -1; - } - bzero(msg, len); - msg->hdr.ac_cmd = PRIVSEP_ACCOUNTING_SYSTEM; - msg->hdr.ac_len = len; - msg->bufs.buflen[0] = sizeof(port); - msg->bufs.buflen[1] = sysdep_sa_len(raddr); - msg->bufs.buflen[2] = strlen(usr) + 1; - msg->bufs.buflen[3] = sizeof(inout); - - data = (char *)(msg + 1); - memcpy(data, &port, msg->bufs.buflen[0]); - - data += msg->bufs.buflen[0]; - memcpy(data, raddr, msg->bufs.buflen[1]); - - data += msg->bufs.buflen[1]; - memcpy(data, usr, msg->bufs.buflen[2]); - - 
data += msg->bufs.buflen[2]; - memcpy(data, &inout, msg->bufs.buflen[3]); - - if (privsep_send(privsep_sock[1], msg, len) != 0) - return -1; - - if (privsep_recv(privsep_sock[1], &msg, &len) != 0) - return -1; - - if (msg->hdr.ac_errno != 0) { - errno = msg->hdr.ac_errno; - goto out; - } - - racoon_free(msg); - return 0; - -out: - racoon_free(msg); - return -1; -} -#endif - -static int -port_check(port) - int port; -{ - if ((port < 0) || (port >= isakmp_cfg_config.pool_size)) { - plog(LLV_ERROR, LOCATION, NULL, - "privsep: port %d outside of allowed range [0,%zu]\n", - port, isakmp_cfg_config.pool_size - 1); - return -1; - } - - return 0; -} -#endif /* HAVE_OPENSSL */ - -#ifdef HAVE_OPENSSL -static int -safety_check(msg, index) - struct privsep_com_msg *msg; - int index; -{ - if (index >= PRIVSEP_NBUF_MAX) { - plog(LLV_ERROR, LOCATION, NULL, - "privsep: Corrupted message, too many buffers\n"); - return -1; - } - - if (msg->bufs.buflen[index] == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "privsep: Corrupted message, unexpected void buffer\n"); - return -1; - } - - return 0; -} - -/* - * Filter unsafe environement variables - */ -static int -unsafe_env(envp) - char *const *envp; -{ - char *const *e; - char *const *be; - char *const bad_env[] = { "PATH=", "LD_LIBRARY_PATH=", "IFS=", NULL }; - - for (e = envp; *e; e++) { - for (be = bad_env; *be; be++) { - if (strncmp(*e, *be, strlen(*be)) == 0) { - goto found; - } - } - } - - return 0; -found: - plog(LLV_ERROR, LOCATION, NULL, - "privsep_script_exec: unsafe environement variable\n"); - return -1; -} - -/* - * Check path safety - */ -static int -unsafe_path(script, pathtype) - char *script; - int pathtype; -{ - char *path; - char rpath[MAXPATHLEN + 1]; - size_t len; - - if (script == NULL) - return -1; - - path = lcconf->pathinfo[pathtype]; - - /* No path was given for scripts: skip the check */ - if (path == NULL) - return 0; - - if (realpath(script, rpath) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "script path 
\"%s\" is invalid\n", script); - return -1; - } - - len = strlen(path); - if (strncmp(path, rpath, len) != 0) - return -1; - - return 0; -} - -static int -unknown_name(name) - int name; -{ - if ((name < 0) || (name > SCRIPT_MAX)) { - plog(LLV_ERROR, LOCATION, NULL, - "privsep_script_exec: unsafe name index\n"); - return -1; - } - - return 0; -} -#endif /* HAVE_OPENSSL */ - -#ifdef HAVE_LIBPAM -int -privsep_accounting_pam(port, inout) - int port; - int inout; -{ - struct privsep_com_msg *msg; - size_t len; - int *port_data; - int *inout_data; - int *pool_size_data; - int result; - - if (geteuid() == 0) - return isakmp_cfg_accounting_pam(port, inout); - - len = sizeof(*msg) - + sizeof(port) - + sizeof(inout) - + sizeof(isakmp_cfg_config.pool_size); - - if ((msg = racoon_malloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return -1; - } - bzero(msg, len); - msg->hdr.ac_cmd = PRIVSEP_ACCOUNTING_PAM; - msg->hdr.ac_len = len; - msg->bufs.buflen[0] = sizeof(port); - msg->bufs.buflen[1] = sizeof(inout); - msg->bufs.buflen[2] = sizeof(isakmp_cfg_config.pool_size); - - port_data = (int *)(msg + 1); - inout_data = (int *)(port_data + 1); - pool_size_data = (int *)(inout_data + 1); - - *port_data = port; - *inout_data = inout; - *pool_size_data = isakmp_cfg_config.pool_size; - - if (privsep_send(privsep_sock[1], msg, len) != 0) - return -1; - - if (privsep_recv(privsep_sock[1], &msg, &len) != 0) - return -1; - - if (msg->hdr.ac_errno != 0) { - errno = msg->hdr.ac_errno; - goto out; - } - - racoon_free(msg); - return 0; - -out: - racoon_free(msg); - return -1; -} - -int -privsep_xauth_login_pam(port, raddr, usr, pwd) - int port; - struct sockaddr_storage *raddr; - char *usr; - char *pwd; -{ - struct privsep_com_msg *msg; - size_t len; - char *data; - int result; - - if (geteuid() == 0) - return xauth_login_pam(port, raddr, usr, pwd); - - len = sizeof(*msg) - + sizeof(port) - + sizeof(isakmp_cfg_config.pool_size) - + 
sysdep_sa_len(raddr) - + strlen(usr) + 1 - + strlen(pwd) + 1; - - if ((msg = racoon_malloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return -1; - } - bzero(msg, len); - msg->hdr.ac_cmd = PRIVSEP_XAUTH_LOGIN_PAM; - msg->hdr.ac_len = len; - msg->bufs.buflen[0] = sizeof(port); - msg->bufs.buflen[1] = sizeof(isakmp_cfg_config.pool_size); - msg->bufs.buflen[2] = sysdep_sa_len(raddr); - msg->bufs.buflen[3] = strlen(usr) + 1; - msg->bufs.buflen[4] = strlen(pwd) + 1; - - data = (char *)(msg + 1); - memcpy(data, &port, msg->bufs.buflen[0]); - - data += msg->bufs.buflen[0]; - memcpy(data, &isakmp_cfg_config.pool_size, msg->bufs.buflen[1]); - - data += msg->bufs.buflen[1]; - memcpy(data, raddr, msg->bufs.buflen[2]); - - data += msg->bufs.buflen[2]; - memcpy(data, usr, msg->bufs.buflen[3]); - - data += msg->bufs.buflen[3]; - memcpy(data, pwd, msg->bufs.buflen[4]); - - if (privsep_send(privsep_sock[1], msg, len) != 0) - return -1; - - if (privsep_recv(privsep_sock[1], &msg, &len) != 0) - return -1; - - if (msg->hdr.ac_errno != 0) { - errno = msg->hdr.ac_errno; - goto out; - } - - racoon_free(msg); - return 0; - -out: - racoon_free(msg); - return -1; -} - -void -privsep_cleanup_pam(port) - int port; -{ - struct privsep_com_msg *msg; - size_t len; - char *data; - int result; - - if (geteuid() == 0) - return cleanup_pam(port); - - len = sizeof(*msg) - + sizeof(port) - + sizeof(isakmp_cfg_config.pool_size); - - if ((msg = racoon_malloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return; - } - bzero(msg, len); - msg->hdr.ac_cmd = PRIVSEP_CLEANUP_PAM; - msg->hdr.ac_len = len; - msg->bufs.buflen[0] = sizeof(port); - msg->bufs.buflen[1] = sizeof(isakmp_cfg_config.pool_size); - - data = (char *)(msg + 1); - memcpy(data, &port, msg->bufs.buflen[0]); - - data += msg->bufs.buflen[0]; - memcpy(data, &isakmp_cfg_config.pool_size, msg->bufs.buflen[1]); - - if 
(privsep_send(privsep_sock[1], msg, len) != 0) - return; - - if (privsep_recv(privsep_sock[1], &msg, &len) != 0) - return; - - if (msg->hdr.ac_errno != 0) - errno = msg->hdr.ac_errno; - - racoon_free(msg); - return; -} -#endif diff --git a/ipsec-tools/racoon/privsep.h b/ipsec-tools/racoon/privsep.h deleted file mode 100644 index 05c9279..0000000 --- a/ipsec-tools/racoon/privsep.h +++ /dev/null 
@@ -1,72 +0,0 @@ -/* $NetBSD: privsep.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */ - -/* Id: privsep.h,v 1.5 2005/06/07 12:22:11 fredsen Exp */ - -/* - * Copyright (C) 2004 Emmanuel Dreyfus - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifndef _PRIVSEP_H -#define _PRIVSEP_H - -#define PRIVSEP_EAY_GET_PKCS1PRIVKEY 0x0801 /* admin_com_bufs follows */ -#define PRIVSEP_SCRIPT_EXEC 0x0803 /* admin_com_bufs follows */ -#define PRIVSEP_GETPSK 0x0804 /* admin_com_bufs follows */ -#define PRIVSEP_XAUTH_LOGIN_SYSTEM 0x0805 /* admin_com_bufs follows */ -#define PRIVSEP_ACCOUNTING_PAM 0x0806 /* admin_com_bufs follows */ -#define PRIVSEP_XAUTH_LOGIN_PAM 0x0807 /* admin_com_bufs follows */ -#define PRIVSEP_CLEANUP_PAM 0x0808 /* admin_com_bufs follows */ -#define PRIVSEP_ACCOUNTING_SYSTEM 0x0809 /* admin_com_bufs follows */ - -#define PRIVSEP_NBUF_MAX 24 -#define PRIVSEP_BUFLEN_MAX 4096 -struct admin_com_bufs { - size_t buflen[PRIVSEP_NBUF_MAX]; - /* Followed by the buffers */ -}; - -struct privsep_com_msg { - struct admin_com hdr; - struct admin_com_bufs bufs; -}; - -int privsep_init __P((void)); - -vchar_t *privsep_eay_get_pkcs1privkey __P((char *)); -int privsep_pfkey_open __P((void)); -void privsep_pfkey_close __P((int)); -int privsep_script_exec __P((char *, int, char * const *)); -vchar_t *privsep_getpsk __P((const char *, const int)); -int privsep_xauth_login_system __P((char *, char *)); -#ifdef HAVE_LIBPAM -int privsep_accounting_pam __P((int, int)); -int privsep_xauth_login_pam __P((int, struct sockaddr_storage *, char *, char *)); -void privsep_cleanup_pam __P((int)); -#endif -int privsep_accounting_system __P((int, struct sockaddr_storage *, char *, int)); -#endif /* _PRIVSEP_H */ diff --git a/ipsec-tools/racoon/proposal.c b/ipsec-tools/racoon/proposal.c index 63ee764..abb5a4c 100644 --- a/ipsec-tools/racoon/proposal.c +++ b/ipsec-tools/racoon/proposal.c @@ -72,6 +72,7 @@ #ifdef ENABLE_NATT #include "nattraversal.h" #endif +#include "ikev2_rfc.h" /* %%% * modules for ipsec sa spec 
@@ -180,6 +181,27 @@ inssatrns(pr, new) return; } +int +satrns_remove_from_list(struct satrns **listptr, struct satrns *trns) +{ + + struct satrns **ptr = listptr; + + if (ptr == NULL) + return -1; + + while (*ptr) { + if (*ptr == trns) { + *ptr = trns->next; + ptr = &trns->next; + trns->next = NULL; + return 0; + } + ptr = &((*ptr)->next); + } + return -1; +} + #ifdef ENABLE_NATT static void saprop_udp_encap (struct saproto *pr) @@ -206,7 +228,7 @@ saprop_adjust_encmode (struct saproto *pr2, struct saproto *pr1) if (natt_udp_encap(pr2->encmode)) { prev = pr2->encmode; saprop_udp_encap(pr2); - plog(LLV_INFO, LOCATION, NULL, "Adjusting my encmode %s(%d)->%s(%d)\n", + plog(ASL_LEVEL_INFO, "Adjusting my encmode %s(%d)->%s(%d)\n", s_ipsecdoi_encmode(prev), prev, s_ipsecdoi_encmode(pr2->encmode), @@ -215,7 +237,7 @@ saprop_adjust_encmode (struct saproto *pr2, struct saproto *pr1) if (natt_udp_encap(pr1->encmode)) { prev = pr1->encmode; saprop_udp_encap(pr1); - plog(LLV_INFO, LOCATION, NULL, "Adjusting peer's encmode %s(%d)->%s(%d)\n", + plog(ASL_LEVEL_INFO, "Adjusting peer's encmode %s(%d)->%s(%d)\n", s_ipsecdoi_encmode(prev), prev, s_ipsecdoi_encmode(pr1->encmode), @@ -236,7 +258,7 @@ saprop_adjust_encmode (struct saproto *pr2, struct saproto *pr1) */ struct saprop * cmpsaprop_alloc(ph1, pp1, pp2, side) - struct ph1handle *ph1; + phase1_handle_t *ph1; const struct saprop *pp1, *pp2; int side; { @@ -249,7 +271,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) newpp = newsaprop(); if (newpp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate saprop.\n"); return NULL; } 
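Review bot: In the new satrns_remove_from_list the line `ptr = &trns->next;` inside the match branch is a dead store — the function returns on the following line after clearing `trns->next`, so `ptr` is never read again and the line should be dropped. The function unlinks `trns` without freeing it, which looks deliberate so the caller can reuse or free the transform, but nothing says so; a header comment such as `/* Unlink trns from *listptr without freeing it; the caller keeps ownership. Returns 0, or -1 if listptr is NULL or trns is not on the list. */` would pin the contract. Note also that the `trns_no` values of the remaining entries are not renumbered, so any caller that relies on consecutive transform numbers must handle the gap itself.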
@@ -267,14 +289,14 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) case PROP_CHECK_STRICT: if (pp1->lifetime > pp2->lifetime) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "long lifetime proposed: " "my:%d peer:%d\n", (int)pp2->lifetime, (int)pp1->lifetime); goto err; } if (pp1->lifebyte > pp2->lifebyte) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "long lifebyte proposed: " "my:%d peer:%d\n", pp2->lifebyte, pp1->lifebyte); @@ -285,7 +307,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) prop_pfs_check: if (pp2->pfs_group != 0 && pp1->pfs_group != pp2->pfs_group) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfs group mismatched: " "my:%d peer:%d\n", pp2->pfs_group, pp1->pfs_group); @@ -301,7 +323,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) } else { newpp->lifetime = pp2->lifetime; newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC; - plog(LLV_NOTIFY, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "use own lifetime: " "my:%d peer:%d\n", (int)pp2->lifetime, (int)pp1->lifetime); @@ -311,7 +333,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) if (pp1->lifebyte > pp2->lifebyte) { newpp->lifebyte = pp2->lifebyte; newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC; - plog(LLV_NOTIFY, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "use own lifebyte: " "my:%d peer:%d\n", pp2->lifebyte, pp1->lifebyte); @@ -323,7 +345,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) case PROP_CHECK_EXACT: if (pp1->lifetime != pp2->lifetime) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "lifetime mismatched: " "my:%d peer:%d\n", (int)pp2->lifetime, (int)pp1->lifetime); @@ -331,14 +353,14 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) } if (pp1->lifebyte != pp2->lifebyte) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "lifebyte mismatched: " "my:%d peer:%d\n", pp2->lifebyte, pp1->lifebyte); goto err; } if (pp1->pfs_group != pp2->pfs_group) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfs group mismatched: " "my:%d peer:%d\n", pp2->pfs_group, pp1->pfs_group); 
@@ -350,7 +372,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid pcheck_level why?.\n"); goto err; } @@ -396,7 +418,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) break; if (pr1->proto_id != pr2->proto_id) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "proto_id mismatched: " "my:%s peer:%s\n", s_ipsecdoi_proto(pr2->proto_id), @@ -419,13 +441,13 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) spisizematch = 1; } if (spisizematch) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "IPComp SPI size promoted " "from 16bit to 32bit\n"); } } if (!spisizematch) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "spisize mismatched: " "my:%d peer:%d\n", (int)pr2->spisize, (int)pr1->spisize); @@ -439,7 +461,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) #endif if (pr1->encmode != pr2->encmode) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "encmode mismatched: " "my:%s peer:%s\n", s_ipsecdoi_encmode(pr2->encmode), @@ -459,7 +481,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) found: newpr = newsaproto(); if (newpr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate saproto.\n"); goto err; } @@ -476,7 +498,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) newtr = newsatrns(); if (newtr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate satrns.\n"); racoon_free(newpr); goto err; 
@@ -524,20 +546,20 @@ cmpsaprop(pp1, pp2) const struct saprop *pp1, *pp2; { if (pp1->pfs_group != pp2->pfs_group) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "pfs_group mismatch. mine:%d peer:%d\n", pp1->pfs_group, pp2->pfs_group); /* FALLTHRU */ } if (pp1->lifetime > pp2->lifetime) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "less lifetime proposed. mine:%d peer:%d\n", (int)pp1->lifetime, (int)pp2->lifetime); /* FALLTHRU */ } if (pp1->lifebyte > pp2->lifebyte) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "less lifebyte proposed. mine:%d peer:%d\n", pp1->lifebyte, pp2->lifebyte); /* FALLTHRU */ @@ -557,7 +579,7 @@ cmpsatrns(proto_id, tr1, tr2) const struct satrns *tr1, *tr2; { if (tr1->trns_id != tr2->trns_id) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "trns_id mismatched: " "my:%s peer:%s\n", s_ipsecdoi_trns(proto_id, tr2->trns_id), @@ -566,7 +588,7 @@ cmpsatrns(proto_id, tr1, tr2) } if (tr1->authtype != tr2->authtype) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "authtype mismatched: " "my:%s peer:%s\n", s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr2->authtype), @@ -579,7 +601,7 @@ cmpsatrns(proto_id, tr1, tr2) * the initiator. It should be defined a notify message. */ if (tr1->encklen > tr2->encklen) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "less key length proposed, " "mine:%d peer:%d. Use initiaotr's one.\n", tr2->encklen, tr1->encklen); @@ -590,9 +612,7 @@ cmpsatrns(proto_id, tr1, tr2) } int -set_satrnsbysainfo(pr, sainfo) - struct saproto *pr; - struct sainfo *sainfo; +set_satrnsbysainfo(struct saproto *pr, struct sainfo *sainfo, u_int8_t ike_version, int pfs_group) { struct sainfoalg *a, *b; struct satrns *newtr; 
@@ -601,7 +621,7 @@ set_satrnsbysainfo(pr, sainfo) switch (pr->proto_id) { case IPSECDOI_PROTO_IPSEC_AH: if (sainfo->algs[algclass_ipsec_auth] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no auth algorithm found\n"); goto err; } @@ -614,13 +634,13 @@ set_satrnsbysainfo(pr, sainfo) /* allocate satrns */ newtr = newsatrns(); if (newtr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate satrns.\n"); goto err; } newtr->trns_no = t++; - newtr->trns_id = ipsecdoi_authalg2trnsid(a->alg); + newtr->trns_id = ipsecdoi_authalg2trnsid(a->alg); // IKEv1 only newtr->authtype = a->alg; inssatrns(pr, newtr); @@ -628,33 +648,35 @@ set_satrnsbysainfo(pr, sainfo) break; case IPSECDOI_PROTO_IPSEC_ESP: if (sainfo->algs[algclass_ipsec_enc] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no encryption algorithm found\n"); goto err; } t = 1; - for (a = sainfo->algs[algclass_ipsec_enc]; a; a = a->next) { - for (b = sainfo->algs[algclass_ipsec_auth]; b; b = b->next) { - /* allocate satrns */ - newtr = newsatrns(); - if (newtr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate satrns.\n"); - goto err; - } - - newtr->trns_no = t++; - newtr->trns_id = a->alg; - newtr->encklen = a->encklen; - newtr->authtype = b->alg; - - inssatrns(pr, newtr); - } - } + if (ike_version == ISAKMP_VERSION_NUMBER_IKEV1) { + for (a = sainfo->algs[algclass_ipsec_enc]; a; a = a->next) { + for (b = sainfo->algs[algclass_ipsec_auth]; b; b = b->next) { + /* allocate satrns */ + newtr = newsatrns(); + if (newtr == NULL) { + plog(ASL_LEVEL_ERR, + "failed to allocate satrns.\n"); + goto err; + } + + newtr->trns_no = t++; + newtr->trns_id = a->alg; + newtr->encklen = a->encklen; + newtr->authtype = b->alg; + + inssatrns(pr, newtr); + } + } + } break; case IPSECDOI_PROTO_IPCOMP: if (sainfo->algs[algclass_ipsec_comp] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no ipcomp algorithm found\n"); goto err; } 
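Review bot: In the ESP case the transform loop is now guarded by `if (ike_version == ISAKMP_VERSION_NUMBER_IKEV1)` but no IKEv2 alternative is added in this hunk, so for any other version the ESP branch inserts nothing into `pr` and the function presumably falls through to the `pr->head == NULL` check further down and fails with "no algorithms found" — worth confirming whether that is the intended outcome for IKEv2 or whether the IKEv2 transform list was meant to be built here. The new `pfs_group` parameter is not referenced in any visible hunk, which suggests it is either unfinished or should stay out of the signature until it is used. The AH branch remains unconditional while its `trns_id` assignment is annotated `// IKEv1 only`, so the version handling is inconsistent between the two protocols. The function body starts before this hunk and ends after it.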
@@ -664,7 +686,7 @@ set_satrnsbysainfo(pr, sainfo) /* allocate satrns */ newtr = newsatrns(); if (newtr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate satrns.\n"); goto err; } @@ -677,14 +699,14 @@ set_satrnsbysainfo(pr, sainfo) } break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unknown proto_id (%d).\n", pr->proto_id); goto err; } - + /* no proposal found */ if (pr->head == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no algorithms found.\n"); + plog(ASL_LEVEL_ERR, "no algorithms found.\n"); return -1; } @@ -711,7 +733,7 @@ aproppair2saprop(p0) /* allocate ipsec a sa proposal */ newpp = newsaprop(); if (newpp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate saprop.\n"); return NULL; } @@ -723,7 +745,7 @@ aproppair2saprop(p0) /* allocate ipsec sa protocol */ newpr = newsaproto(); if (newpr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate saproto.\n"); goto err; } @@ -731,7 +753,7 @@ aproppair2saprop(p0) /* check spi size */ /* XXX should be handled isakmp cookie */ if (sizeof(newpr->spi) < p->prop->spi_size) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid spi size %d.\n", p->prop->spi_size); racoon_free(newpr); goto err; @@ -753,7 +775,7 @@ aproppair2saprop(p0) for (t = p; t; t = t->tnext) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "prop#=%d prot-id=%s spi-size=%d " "#trns=%d trns#=%d trns-id=%s\n", t->prop->p_no, @@ -766,7 +788,7 @@ aproppair2saprop(p0) /* allocate ipsec sa transform */ newtr = newsatrns(); if (newtr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate satrns.\n"); racoon_free(newpr); goto err; @@ -860,7 +882,7 @@ printsaprop(pri, pp) const struct saprop *p; if (pp == NULL) { - plog(pri, LOCATION, NULL, "(null)"); + plog(pri, "(null)"); return; } 
@@ -901,7 +923,7 @@ printsaproto(pri, pr) if (pr == NULL) return; - plog(pri, LOCATION, NULL, + plog(pri, " (proto_id=%s spisize=%d spi=%08lx spi_p=%08lx " "encmode=%s reqid=%d:%d)\n", s_ipsecdoi_proto(pr->proto_id), @@ -929,25 +951,25 @@ printsatrns(pri, proto_id, tr) switch (proto_id) { case IPSECDOI_PROTO_IPSEC_AH: - plog(pri, LOCATION, NULL, + plog(pri, " (trns_id=%s authtype=%s)\n", s_ipsecdoi_trns(proto_id, tr->trns_id), s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr->authtype)); break; case IPSECDOI_PROTO_IPSEC_ESP: - plog(pri, LOCATION, NULL, + plog(pri, " (trns_id=%s encklen=%d authtype=%s)\n", s_ipsecdoi_trns(proto_id, tr->trns_id), tr->encklen, s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr->authtype)); break; case IPSECDOI_PROTO_IPCOMP: - plog(pri, LOCATION, NULL, + plog(pri, " (trns_id=%s)\n", s_ipsecdoi_trns(proto_id, tr->trns_id)); break; default: - plog(pri, LOCATION, NULL, + plog(pri, "(unknown proto_id %d)\n", proto_id); } @@ -968,7 +990,7 @@ print_proppair0(pri, p, level) spc[level] = '\0'; } - plog(pri, LOCATION, NULL, + plog(pri, "%s%p: next=%p tnext=%p\n", spc, p, p->next, p->tnext); if (p->next) print_proppair0(pri, p->next, level + 1); @@ -986,7 +1008,7 @@ print_proppair(pri, p) int set_proposal_from_policy(iph2, sp_main, sp_sub) - struct ph2handle *iph2; + phase2_handle_t *iph2; struct secpolicy *sp_main, *sp_sub; { struct saprop *newpp; @@ -995,15 +1017,17 @@ set_proposal_from_policy(iph2, sp_main, sp_sub) newpp = newsaprop(); if (newpp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate saprop.\n"); goto err; } newpp->prop_no = 1; newpp->lifetime = iph2->sainfo->lifetime; newpp->lifebyte = iph2->sainfo->lifebyte; - newpp->pfs_group = iph2->sainfo->pfs_group; + newpp->pfs_group = iph2->sainfo->pfs_group; + //%%%% to do - verify DH group is OK - tried that here and iphone failed to connect + if (lcconf->complex_bundle) goto skip1; 
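Review bot: The added `//%%%% to do - verify DH group is OK` comment records a disabled validation without saying what it should check: `newpp->pfs_group` is copied straight from `iph2->sainfo->pfs_group`, and an unsupported or mismatched group would only surface later when the proposal is compared. If the check is intentionally deferred, replace the `%%%%` marker with a regular TODO that names the condition, e.g. `/* TODO: validate pfs_group against the groups supported for iph2->version; an earlier check here broke iPhone connections */`, so the next reader knows what was tried and what still needs doing.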
@@ -1026,6 +1050,8 @@ set_proposal_from_policy(iph2, sp_main, sp_sub) } skip1: + //%%%%%%s IKEv2 - no support for bundle - fix this - return error if bundle ??? + // %%%% need special handling for ipcomp for (req = sp_main->req; req; req = req->next) { struct saproto *newpr; caddr_t paddr = NULL; @@ -1047,7 +1073,7 @@ set_proposal_from_policy(iph2, sp_main, sp_sub) /* allocate ipsec sa protocol */ newpr = newsaproto(); if (newpr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate saproto.\n"); goto err; } @@ -1058,22 +1084,21 @@ set_proposal_from_policy(iph2, sp_main, sp_sub) else newpr->spisize = 4; if (lcconf->complex_bundle) { - newpr->encmode = pfkey2ipsecdoi_mode(req->saidx.mode); + encmodesv = newpr->encmode = pfkey2ipsecdoi_mode(req->saidx.mode); #ifdef ENABLE_NATT if (iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED)) newpr->encmode += iph2->ph1->natt_options->mode_udp_diff; #endif } else - newpr->encmode = encmodesv; - + encmodesv = newpr->encmode = encmodesv; if (iph2->side == INITIATOR) newpr->reqid_out = req->saidx.reqid; else newpr->reqid_in = req->saidx.reqid; - if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if (set_satrnsbysainfo(newpr, iph2->sainfo, iph2->version, newpp->pfs_group) < 0) { + plog(ASL_LEVEL_ERR, "failed to get algorithms.\n"); racoon_free(newpr); goto err; @@ -1098,7 +1123,7 @@ set_proposal_from_policy(iph2, sp_main, sp_sub) req = req->next; } if (pr || req) { - plog(LLV_NOTIFY, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "There is a difference " "between the in/out bound policies in SPD.\n"); } @@ -1108,7 +1133,7 @@ set_proposal_from_policy(iph2, sp_main, sp_sub) ike_session_update_mode(iph2); - printsaprop0(LLV_DEBUG, newpp); + printsaprop0(ASL_LEVEL_DEBUG, newpp); return 0; err: 
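Review bot: In the non-bundle branch the replacement line `encmodesv = newpr->encmode = encmodesv;` assigns `encmodesv` to itself, which adds nothing over the removed `newpr->encmode = encmodesv;` and reads like a copy of the bundle branch; restore `newpr->encmode = encmodesv;`. In the bundle branch `encmodesv` is captured before the NAT-T `mode_udp_diff` adjustment, so any later use of it (outside this hunk) sees the unadjusted mode — fine if that is the intent, but a short comment on that line would make it explicit. The enclosing set_proposal_from_policy starts and ends outside this hunk.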
@@ -1124,7 +1149,7 @@ err: */ int set_proposal_from_proposal(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct saprop *newpp = NULL, *pp0, *pp_peer = NULL; struct saproto *newpr = NULL, *pr; @@ -1133,7 +1158,8 @@ set_proposal_from_proposal(iph2) int i; /* get proposal pair */ - pair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2); + if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) + pair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2); if (pair == NULL) goto end; @@ -1154,7 +1180,7 @@ set_proposal_from_proposal(iph2) pp0 = newsaprop(); if (pp0 == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate saprop.\n"); goto end; } @@ -1164,7 +1190,7 @@ set_proposal_from_proposal(iph2) pp0->pfs_group = iph2->sainfo->pfs_group; if (pp_peer->next != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pp_peer is inconsistency, ignore it.\n"); /*FALLTHROUGH*/ } @@ -1173,7 +1199,7 @@ set_proposal_from_proposal(iph2) newpr = newsaproto(); if (newpr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate saproto.\n"); racoon_free(pp0); goto end; @@ -1186,8 +1212,8 @@ set_proposal_from_proposal(iph2) newpr->reqid_in = 0; newpr->reqid_out = 0; - if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if (set_satrnsbysainfo(newpr, iph2->sainfo, iph2->version, 0) < 0) { + plog(ASL_LEVEL_ERR, "failed to get algorithms.\n"); racoon_free(newpr); racoon_free(pp0); @@ -1199,8 +1225,8 @@ set_proposal_from_proposal(iph2) inssaprop(&newpp, pp0); } - plog(LLV_DEBUG, LOCATION, NULL, "make a proposal from peer's:\n"); - printsaprop0(LLV_DEBUG, newpp); + plog(ASL_LEVEL_DEBUG, "make a proposal from peer's:\n"); + printsaprop0(ASL_LEVEL_DEBUG, newpp); iph2->proposal = newpp; 
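Review bot: After this change `pair` is assigned only when `iph2->version == ISAKMP_VERSION_NUMBER_IKEV1`, yet the following `if (pair == NULL) goto end;` reads it unconditionally; its declaration sits just above the hunk (the context shows only `int i;`), and if it carries no initializer this is a read of an indeterminate pointer for every non-IKEv1 handle. The one-line fix is to initialize it at the declaration, `struct prop_pair **pair = NULL;`, or to add an explicit `else goto end;`. If the intent is that set_proposal_from_proposal does nothing for IKEv2, a comment saying so next to the version test would save the next reader from wondering whether the IKEv2 path was forgotten. The function starts and ends outside this hunk.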
@@ -1231,6 +1257,23 @@ tunnel_mode_prop(p) return 0; } +struct satrns * +dupsatrns_1(struct satrns *tr) +{ + struct satrns *newtr; + + newtr = racoon_calloc(1, sizeof(*newtr)); + if (newtr == NULL) + return NULL; + newtr->trns_no = tr->trns_no; + newtr->trns_type = tr->trns_type; + newtr->trns_id = tr->trns_id; + newtr->encklen = tr->encklen; + newtr->authtype = tr->authtype; + + return newtr; +} + void dupsatrns(newpr, head) struct saproto *newpr; @@ -1242,6 +1285,7 @@ dupsatrns(newpr, head) newtr = newsatrns(); if (newtr) { newtr->trns_no = p->trns_no; + newtr->trns_type = p->trns_type; newtr->trns_id = p->trns_id; newtr->encklen = p->encklen; newtr->authtype = p->authtype; diff --git a/ipsec-tools/racoon/proposal.h b/ipsec-tools/racoon/proposal.h index a9cc8da..381b43d 100644 --- a/ipsec-tools/racoon/proposal.h +++ b/ipsec-tools/racoon/proposal.h @@ -55,10 +55,10 @@ /* SA proposal specification */ struct saprop { int prop_no; - time_t lifetime; - int lifebyte; - int pfs_group; /* pfs group */ - int claim; /* flag to send RESPONDER-LIFETIME. */ + time_t lifetime; // For IKEv2 - only used to set lifetime in kernel + int lifebyte; // For IKEv2 - only used to set lifetime in kernel + int pfs_group; // For IKEv2 - also saved in transform + int claim; /* IKEv1 only - flag to send RESPONDER-LIFETIME. */ /* XXX assumed DOI values are 1 or 2. */ struct saproto *head; @@ -69,9 +69,9 @@ struct saprop { struct saproto { int proto_id; size_t spisize; /* spi size */ - int encmode; /* encryption mode */ + int encmode; // For IKEv2 - only used to set encode mode in the kernel - int udp_encap; /* UDP encapsulation */ + int udp_encap; // For IKEv2 - only used to set kernel /* XXX should be vchar_t * */ /* these are network byte order */ 
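Review bot: dupsatrns_1 copies the same five fields that the loop in dupsatrns copies by hand, and this very commit had to add `trns_type` in both places, so the two copies are already prone to drifting; dupsatrns could call `newtr = dupsatrns_1(p);` instead of newsatrns() followed by field-by-field assignment, provided newsatrns() does nothing beyond a zeroed allocation — confirm before substituting. A one-line header comment on dupsatrns_1 stating that the returned transform is unlinked (`next` is NULL from calloc) and owned by the caller, and that NULL means allocation failure, would also help.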
@@ -84,7 +84,7 @@ struct saproto { int reqid_out; /* request id (outbound) */ int reqid_in; /* request id (inbound) */ - int ok; /* if 1, success to set SA in kenrel */ + int ok; /* if 1, success to set SA in kenrel */ struct satrns *head; /* header of transform */ struct saproto *next; /* next protocol */ @@ -93,7 +93,8 @@ struct saproto { /* SA algorithm specification */ struct satrns { int trns_no; - int trns_id; /* transform id */ + int trns_type; /* IKEv2 only - transform type */ + int trns_id; /* transform id */ int encklen; /* key length of encryption algorithm */ int authtype; /* authentication algorithm if ESP */ 
@@ -176,37 +177,39 @@ struct prop_pair { #define PROP_CHECK_STRICT 2 #define PROP_CHECK_CLAIM 3 #define PROP_CHECK_EXACT 4 +#define PROP_CHECK_IKEV2 5 struct sainfo; -struct ph1handle; struct secpolicy; -extern struct saprop *newsaprop __P((void)); -extern struct saproto *newsaproto __P((void)); -extern void inssaprop __P((struct saprop **, struct saprop *)); -extern void inssaproto __P((struct saprop *, struct saproto *)); -extern void inssaprotorev __P((struct saprop *, struct saproto *)); -extern struct satrns *newsatrns __P((void)); -extern void inssatrns __P((struct saproto *, struct satrns *)); -extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *, - const struct saprop *, const struct saprop *, int)); -extern int cmpsaprop __P((const struct saprop *, const struct saprop *)); -extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *)); -extern int set_satrnsbysainfo __P((struct saproto *, struct sainfo *)); -extern struct saprop *aproppair2saprop __P((struct prop_pair *)); -extern void free_proppair __P((struct prop_pair **)); -extern void flushsaprop __P((struct saprop *)); -extern void flushsaproto __P((struct saproto *)); -extern void flushsatrns __P((struct satrns *)); -extern void printsaprop __P((const int, const struct saprop *)); -extern void printsaprop0 __P((const int, const struct saprop *)); -extern void printsaproto __P((const int, const struct saproto *)); -extern void printsatrns __P((const int, const int, const struct satrns *)); -extern void print_proppair0 __P((int, struct prop_pair *, int)); -extern void print_proppair __P((int, struct prop_pair *)); -extern int set_proposal_from_policy __P((struct ph2handle *, - struct secpolicy *, struct secpolicy *)); -extern int set_proposal_from_proposal __P((struct ph2handle *)); -extern int tunnel_mode_prop __P((struct saprop *)); -extern struct saprop *dupsaprop __P((struct saprop *, int)); +extern struct saprop *newsaprop (void); +extern struct saproto *newsaproto 
(void); +extern void inssaprop (struct saprop **, struct saprop *); +extern void inssaproto (struct saprop *, struct saproto *); +extern void inssaprotorev (struct saprop *, struct saproto *); +extern struct satrns *newsatrns (void); +extern void inssatrns (struct saproto *, struct satrns *); +extern int satrns_remove_from_list(struct satrns **, struct satrns *); +extern struct saprop *cmpsaprop_alloc (phase1_handle_t *, + const struct saprop *, const struct saprop *, int); +extern int cmpsaprop (const struct saprop *, const struct saprop *); +extern int cmpsatrns (int, const struct satrns *, const struct satrns *); +extern int set_satrnsbysainfo (struct saproto *, struct sainfo *, u_int8_t, int); +extern struct saprop *aproppair2saprop (struct prop_pair *); +extern void free_proppair (struct prop_pair **); +extern void flushsaprop (struct saprop *); +extern void flushsaproto (struct saproto *); +extern void flushsatrns (struct satrns *); +extern void printsaprop (const int, const struct saprop *); +extern void printsaprop0 (const int, const struct saprop *); +extern void printsaproto (const int, const struct saproto *); +extern void printsatrns (const int, const int, const struct satrns *); +extern void print_proppair0 (int, struct prop_pair *, int); +extern void print_proppair (int, struct prop_pair *); +extern int set_proposal_from_policy (phase2_handle_t *, + struct secpolicy *, struct secpolicy *); +extern int set_proposal_from_proposal (phase2_handle_t *); +extern int tunnel_mode_prop (struct saprop *); +extern struct saprop *dupsaprop (struct saprop *, int); +extern struct satrns *dupsatrns_1(struct satrns *); #endif /* _PROPOSAL_H */ diff --git a/ipsec-tools/racoon/prsa_par.y b/ipsec-tools/racoon/prsa_par.y deleted file mode 100644 index 61698dc..0000000 --- a/ipsec-tools/racoon/prsa_par.y +++ /dev/null 
@@ -1,352 +0,0 @@ -/* $NetBSD: prsa_par.y,v 1.4 2006/09/09 16:22:10 manu Exp $ */ - -/* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */ - -%{ -/* - * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany. - * Contributed by: Michal Ludvig , SUSE Labs - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* This file contains a parser for FreeS/WAN-style ipsec.secrets RSA keys. 
*/ - -#include "config.h" - -#include -#include -#include -#include -#include - -#ifdef HAVE_STDARG_H -#include -#else -#include -#endif - -#include -#include -#include -#include -#include - -#include -#include - -#ifdef HAVE_OPENSSL -#include -#include -#endif -#include "crypto_openssl.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "oakley.h" -#include "isakmp_var.h" -#include "handler.h" - -#include "sockmisc.h" -#include "rsalist.h" - -extern void prsaerror(const char *str, ...); -extern int prsawrap (void); -extern int prsalex (void); - -extern char *prsatext; -extern int prsa_cur_lineno; -extern char *prsa_cur_fname; -extern FILE *prsain; - -int prsa_cur_lineno = 0; -char *prsa_cur_fname = NULL; -struct genlist *prsa_cur_list = NULL; -enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY; - -static RSA *rsa_cur; - -void -prsaerror(const char *s, ...) -{ - char fmt[512]; - - va_list ap; -#ifdef HAVE_STDARG_H - va_start(ap, s); -#else - va_start(ap); -#endif - snprintf(fmt, sizeof(fmt), "%s:%d: %s", - prsa_cur_fname, prsa_cur_lineno, s); - plogv(LLV_ERROR, LOCATION, NULL, fmt, &ap); - va_end(ap); -} - -void -prsawarning(const char *s, ...) 
-{ - char fmt[512]; - - va_list ap; -#ifdef HAVE_STDARG_H - va_start(ap, s); -#else - va_start(ap); -#endif - snprintf(fmt, sizeof(fmt), "%s:%d: %s", - prsa_cur_fname, prsa_cur_lineno, s); - plogv(LLV_WARNING, LOCATION, NULL, fmt, &ap); - va_end(ap); -} - -int -prsawrap() -{ - return 1; -} -%} -%union { - BIGNUM *bn; - RSA *rsa; - char *chr; - long num; - struct netaddr *naddr; -} - -%token COLON HEX -%token OBRACE EBRACE COLON HEX -%token TAG_RSA TAG_PUB TAG_PSK -%token MODULUS PUBLIC_EXPONENT PRIVATE_EXPONENT -%token PRIME1 PRIME2 EXPONENT1 EXPONENT2 COEFFICIENT -%token ADDR4 ADDR6 ADDRANY SLASH NUMBER BASE64 - -%type HEX -%type NUMBER -%type ADDR4 ADDR6 BASE64 - -%type rsa_statement -%type prefix -%type addr4 addr6 addr - -%% -statements: - statements statement - | statement - ; - -statement: - addr addr COLON rsa_statement - { - rsa_key_insert(prsa_cur_list, $1, $2, $4); - } - | addr COLON rsa_statement - { - rsa_key_insert(prsa_cur_list, NULL, $1, $3); - } - | COLON rsa_statement - { - rsa_key_insert(prsa_cur_list, NULL, NULL, $2); - } - ; - -rsa_statement: - TAG_RSA OBRACE params EBRACE - { - if (prsa_cur_type == RSA_TYPE_PUBLIC) { - prsawarning("Using private key for public key purpose.\n"); - if (!rsa_cur->n || !rsa_cur->e) { - prsaerror("Incomplete key. Mandatory parameters are missing!\n"); - YYABORT; - } - } - else { - if (!rsa_cur->n || !rsa_cur->e || !rsa_cur->d) { - prsaerror("Incomplete key. 
Mandatory parameters are missing!\n"); - YYABORT; - } - if (!rsa_cur->p || !rsa_cur->q || !rsa_cur->dmp1 - || !rsa_cur->dmq1 || !rsa_cur->iqmp) { - if (rsa_cur->p) BN_clear_free(rsa_cur->p); - if (rsa_cur->q) BN_clear_free(rsa_cur->q); - if (rsa_cur->dmp1) BN_clear_free(rsa_cur->dmp1); - if (rsa_cur->dmq1) BN_clear_free(rsa_cur->dmq1); - if (rsa_cur->iqmp) BN_clear_free(rsa_cur->iqmp); - - rsa_cur->p = NULL; - rsa_cur->q = NULL; - rsa_cur->dmp1 = NULL; - rsa_cur->dmq1 = NULL; - rsa_cur->iqmp = NULL; - } - } - $$ = rsa_cur; - rsa_cur = RSA_new(); - } - | TAG_PUB BASE64 - { - if (prsa_cur_type == RSA_TYPE_PRIVATE) { - prsaerror("Public key in private-key file!\n"); - YYABORT; - } - $$ = base64_pubkey2rsa($2); - } - | TAG_PUB HEX - { - if (prsa_cur_type == RSA_TYPE_PRIVATE) { - prsaerror("Public key in private-key file!\n"); - YYABORT; - } - $$ = bignum_pubkey2rsa($2); - } - ; - -addr: - addr4 - | addr6 - | ADDRANY - { - $$ = NULL; - } - ; - -addr4: - ADDR4 prefix - { - int err; - struct sockaddr_in *sap; - - if ($2 == -1) $2 = 32; - if ($2 < 0 || $2 > 32) { - prsaerror ("Invalid IPv4 prefix\n"); - YYABORT; - } - $$ = calloc (sizeof(struct netaddr), 1); - $$->prefix = $2; - sap = (struct sockaddr_in *)(&$$->sa); - sap->sin_family = AF_INET; - err = inet_pton(AF_INET, $1, (struct in_addr*)(&sap->sin_addr)); - if (err <= 0) { - prsaerror("inet_pton(%s): %s\n", $1, strerror(errno)); - YYABORT; - } - } - ; - -addr6: - ADDR6 prefix - { - int err; - struct sockaddr_in6 *sap; - - if ($2 == -1) $2 = 128; - if ($2 < 0 || $2 > 128) { - prsaerror ("Invalid IPv6 prefix\n"); - YYABORT; - } - $$ = calloc (sizeof(struct netaddr), 1); - $$->prefix = $2; - sap = (struct sockaddr_in6 *)(&$$->sa); - sap->sin6_family = AF_INET6; - err = inet_pton(AF_INET6, $1, (struct in6_addr*)(&sap->sin6_addr)); - if (err <= 0) { - prsaerror("inet_pton(%s): %s\n", $1, strerror(errno)); - YYABORT; - } - } - ; - -prefix: - /* nothing */ { $$ = -1; } - | SLASH NUMBER { $$ = $2; } - ; -params: - params 
param - | param - ; - -param: - MODULUS COLON HEX - { if (!rsa_cur->n) rsa_cur->n = $3; else { prsaerror ("Modulus already defined\n"); YYABORT; } } - | PUBLIC_EXPONENT COLON HEX - { if (!rsa_cur->e) rsa_cur->e = $3; else { prsaerror ("PublicExponent already defined\n"); YYABORT; } } - | PRIVATE_EXPONENT COLON HEX - { if (!rsa_cur->d) rsa_cur->d = $3; else { prsaerror ("PrivateExponent already defined\n"); YYABORT; } } - | PRIME1 COLON HEX - { if (!rsa_cur->p) rsa_cur->p = $3; else { prsaerror ("Prime1 already defined\n"); YYABORT; } } - | PRIME2 COLON HEX - { if (!rsa_cur->q) rsa_cur->q = $3; else { prsaerror ("Prime2 already defined\n"); YYABORT; } } - | EXPONENT1 COLON HEX - { if (!rsa_cur->dmp1) rsa_cur->dmp1 = $3; else { prsaerror ("Exponent1 already defined\n"); YYABORT; } } - | EXPONENT2 COLON HEX - { if (!rsa_cur->dmq1) rsa_cur->dmq1 = $3; else { prsaerror ("Exponent2 already defined\n"); YYABORT; } } - | COEFFICIENT COLON HEX - { if (!rsa_cur->iqmp) rsa_cur->iqmp = $3; else { prsaerror ("Coefficient already defined\n"); YYABORT; } } - ; -%% - -int prsaparse(void); - -int -prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type) -{ - FILE *fp = NULL; - int ret; - - if (!fname) - return -1; - if (type == RSA_TYPE_PRIVATE) { - struct stat st; - if (stat(fname, &st) < 0) - return -1; - if (st.st_mode & (S_IRWXG | S_IRWXO)) { - plog(LLV_ERROR, LOCATION, NULL, - "Too slack permissions on private key '%s'\n", - fname); - plog(LLV_ERROR, LOCATION, NULL, - "Should be at most 0600, now is 0%o\n", - st.st_mode & 0777); - return -1; - } - } - fp = fopen(fname, "r"); - if (!fp) - return -1; - prsain = fp; - prsa_cur_lineno = 1; - prsa_cur_fname = fname; - prsa_cur_list = list; - prsa_cur_type = type; - rsa_cur = RSA_new(); - ret = prsaparse(); - if (rsa_cur) { - RSA_free(rsa_cur); - rsa_cur = NULL; - } - fclose (fp); - prsain = NULL; - return ret; -} 
diff --git a/ipsec-tools/racoon/prsa_tok.l b/ipsec-tools/racoon/prsa_tok.l
deleted file mode 100644
index d9b4601..0000000
--- a/ipsec-tools/racoon/prsa_tok.l
+++ /dev/null
@@ -1,92 +0,0 @@
-/* $NetBSD: prsa_tok.l,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: prsa_tok.l,v 1.2 2004/07/12 20:43:51 ludvigm Exp */
-
-%{
-/*
- * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
- * Contributed by: Michal Ludvig , SUSE Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* This file contains a tokeniser for FreeS/WAN-style ipsec.secrets RSA keys. 
*/
-
-#include
-#include
-#ifdef HAVE_OPENSSL
-#include
-#include
-#endif
-#include "y.tab.h"
-
-extern int prsalex (void);
-extern int prsa_cur_lineno;
-
-%}
-
-comment \#.*
-digit [0-9]
-octet (([01]?{digit}?{digit})|((2([0-4]{digit}))|(25[0-5])))
-addr4 {octet}\.{octet}\.{octet}\.{octet}
-hex [0-9a-fA-F]
-word6 {hex}{0,4}
-base64 [A-Za-z0-9+/=]
-addr6 (::({word6}|{addr4})?|({word6}:)+:?({word6}|{addr4})?)
-%%
-\{ { return OBRACE; }
-\} { return EBRACE; }
-: { return COLON; }
-RSA { return TAG_RSA; }
-PSK { return TAG_PSK; }
-PUB { return TAG_PUB; }
-0x[0-9a-fA-F]+ {
- BIGNUM *bn = BN_new();
- BN_hex2bn(&bn, prsatext+2);
- prsalval.bn = bn;
- return HEX;
- }
-0s{base64}+ {
- prsalval.chr = strdup(prsatext);
- return BASE64;
- }
-Modulus { return MODULUS; }
-PublicExponent { return PUBLIC_EXPONENT; }
-PrivateExponent { return PRIVATE_EXPONENT; }
-Prime1 { return PRIME1; }
-Prime2 { return PRIME2; }
-Exponent1 { return EXPONENT1; }
-Exponent2 { return EXPONENT2; }
-Coefficient { return COEFFICIENT; }
-\/ { return SLASH; }
-{digit}+ { prsalval.num = atol(prsatext); return NUMBER; }
-any { return ADDRANY; }
-{addr4} { prsalval.chr = strdup(prsatext); return ADDR4; }
-{addr6} { prsalval.chr = strdup(prsatext); return ADDR6; }
-[ \t]* ;
-\n { prsa_cur_lineno++; }
-\#.* ;
-%%
diff --git a/ipsec-tools/racoon/racoon.conf.5 b/ipsec-tools/racoon/racoon.conf.5
index a9172e3..27a8f61 100644
--- a/ipsec-tools/racoon/racoon.conf.5
+++ b/ipsec-tools/racoon/racoon.conf.5
@@ -126,58 +126,6 @@ is one of following: .Ic hour , hours . .El .\" -.Ss Privilege separation -.Bl -tag -width Ds -compact -.It Ic privsep { Ar statements Ic } -Specifies privilege separation parameters. -When enabled, these enable -.Xr racoon 8 -to operate with an unprivileged instance doing most of the work, while -a privileged instance takes care of performing the following operations -as root: reading PSK and private keys, launching hook scripts, and -validating passwords against system databases or against PAM. -Please note that using privilege separation makes changes to the -.Ar listen -and -.Ar paths -sections ignored upon configuration reloads. -A -.Xr racoon 8 -restart is required if you want such changes to be taken into account. -.Pp -.Bl -tag -width Ds -compact -.It Ic user Ar user ; -The user to which the unprivileged instance of -.Xr racoon 8 , -should switch. -This can be a quoted user name or a numeric UID. -.It Ic group Ar group ; -The group the unprivilegied instance of -.Xr racoon 8 , -should switch. -This can be a quoted group name or a numeric GID. -.It Ic chroot Ar path ; -A directory to which the unprivileged instance of -.Xr racoon 8 -should -.Xr chroot 2 . -This directory should hold a tree where the following files must be -reachable: -.Bl -tag -width Ds -compact -.It Pa /dev/random -.It Pa /dev/urandom -.It The certificates -.It The file containing the Xauth banner -.El -.Pp -The PSK file, the private keys, and the hook scripts are accessed through the -privileged instance of -.Xr racoon 8 -and do not need to be reachable in the -.Xr chroot 2 Ap ed -tree. -.El -.El .Ss Path Specification This section specifies various paths used by racoon. When running in privilege separation mode, 
@@ -196,29 +144,6 @@ See Specifies a file containing pre-shared key(s) for various ID(s). See .Sx Pre-shared key File . -.It Ic path certificate Ar path ; -.Xr racoon 8 -will search this directory if a certificate or certificate request is received. -If you run with privilege separation, -.Xr racoon 8 -will refuse to use a certificate stored outside of this directory. -.It Ic path backupsa Ar file ; -Specifies a file to which SA information negotiated by -racoon should be stored. -.Xr racoon 8 -will install SA(s) from the file when started with the -.Fl B -flag. -The file is growing because -.Xr racoon 8 -simply adds SAs to it. -You should maintain the file manually. -.It Ic path script Ar path ; -.Xr racoon 8 -will search this directory for scripts hooks. -If you run with privilege separation, -.Xr racoon 8 -will refuse to execute a script stored outside of this directory. .It Ic path pidfile Ar file ; Specifies file where to store PID of process. If path starts with @@ -313,34 +238,8 @@ There is no default. Requires that all addresses for ISAKMP be bound. This statement will be ignored if you do not specify address definitions. .El -When running in privilege separation mode, you need to restart -.Xr racoon 8 -to have changes to the -.Ar listen -section taken into account. -.Pp -The -.Ar listen -section can also be used to specify the admin socket mode and ownership -if racoon was built with support for admin port. -.Bl -tag -width Ds -compact -.It Ic adminsock Ar path Op Ar owner\ group\ mode ; -The -.Ar path , -.Ar owner , -and -.Ar group -values specify the socket path, owner, and group. They must be quoted. -The defaults are -.Pa /var/racoon/racoon.sock , -UID 0, and GID 0. -.Ar mode -is the access mode in octal. The default is 0600. -.It Ic adminsock disabled ; -This directive tells racoon to not listen on the admin socket. -.El .El -.\" +./" .Ss Remote Nodes Specifications .Bl -tag -width Ds -compact .It Xo 
@@ -479,32 +378,25 @@ The default is off. .It Ic certificate_type Ar certspec ; Specifies a certificate specification. .Ar certspec -is one of followings: +must be as follows: .Bl -tag -width Ds -compact -.It Ic x509 Ar certfile Ar privkeyfile ; -.Ar certfile -means a file name of a certificate. -.Ar privkeyfile -means a file name of a secret key. +.It Ic x509 Ar in_keychain Ar keychain_identifier ; +.Ar in_keychain +means the certificate is in the system keychain. +.Ar keychain_identifier +is the keychain ID for the certificate in base64 format. .El +.It Ic certificate_verification Ar verification_spec ; +Specifies how the certificate is verified. This is required. +.Ar verification_spec +must be as follows: .Bl -tag -width Ds -compact -.It Ic plain_rsa Ar privkeyfile ; -.Ar privkeyfile -means a file name of a private key generated by plainrsa-gen(8). Required -for RSA authentication. -.El -.It Ic ca_type Ar cacertspec ; -Specifies a root certificate authority specification. -.Ar cacertspec -is one of followings: -.Bl -tag -width Ds -compact -.It Ic x509 Ar cacertfile ; -.Ar cacertfile -means a file name of the root certificate authority. -Default is -.Pa /etc/openssl/cert.pem +.It Ic sec_framework Ar use_peers_identifier ; +.Ar sec_framework +means the certificate is verified by the security framework. +.Ar use_peers_identifier +means the certificate must contain the peers ID. .El -.\" .It Ic mode_cfg (on | off) ; Gather network information through ISAKMP mode configuration. Default is off. 
@@ -515,81 +407,6 @@ This is a small security risk, so the default is off, meaning that racoon will keep on trying to establish a connection even if the user credentials are wrong, for instance. .\" -.It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ; -If -.Ic dnssec -is defined, -.Xr racoon 8 -will ignore the CERT payload from the peer, -and try to get the peer's certificate from DNS instead. -If -.Ar certfile -is defined, -.Xr racoon 8 -will ignore the CERT payload from the peer, -and will use this certificate as the peer's certificate. -If -.Ic plain_rsa -is defined, -.Xr racoon 8 -will expect -.Ar pubkeyfile -to be the peer's public key that was generated -by plainrsa-gen(8). -.\" -.It Ic script Ar script Ic phase1_up -.It Ic script Ar script Ic phase1_down -Shell scripts that get executed when a phase 1 SA goes up or down. -Both scripts get either -.Ic phase1_up -or -.Ic phase1_down -as first argument, and the following -variables are set in their environment: -.Bl -tag -width Ds -compact -.It Ev LOCAL_ADDR -The local address of the phase 1 SA. -.It Ev LOCAL_PORT -The local port used for IKE for the phase 1 SA. -.It Ev REMOTE_ADDR -The remote address of the phase 1 SA. -.It Ev REMOTE_PORT -The remote port used for IKE for the phase 1 SA. -.El -The following variables are only set if -.Ic mode_cfg -was enabled: -.Bl -tag -width Ds -compact -.It INTERNAL_ADDR4 -An IPv4 internal address obtained by ISAKMP mode config. -.It INTERNAL_NETMASK4 -An IPv4 internal netmask obtained by ISAKMP mode config. -.It INTERNAL_CIDR4 -An IPv4 internal netmask obtained by ISAKMP mode config, in CIDR notation. -.It INTERNAL_DNS4 -The first internal DNS server IPv4 address obtained by ISAKMP mode config. -.It INTERNAL_DNS4_LIST -A list of internal DNS servers IPv4 address obtained by ISAKMP mode config, -separated by spaces. -.It INTERNAL_WINS4 -The first internal WINS server IPv4 address obtained by ISAKMP mode config. 
-.It INTERNAL_WINS4_LIST -A list of internal WINS servers IPv4 address obtained by ISAKMP mode config, -separated by spaces. -.It SPLIT_INCLUDE -The space separated list of IPv4 addresses and masks (address slash mask) -that define the networks to be encrypted (as opposed to the default where -all the traffic should be encrypted) ; obtained by ISAKMP mode config ; -SPLIT_INCLUDE and SPLIT_LOCAL are mutually exclusive. -.It SPLIT_LOCAL -The space separated list of IPv4 addresses and masks (address slash mask) -that define the networks to be considered local, and thus excluded from the -tunnels ; obtained by ISAKMP mode config. -.It DEFAULT_DOMAIN -The DNS default domain name obtained by ISAKMP mode config. -.El -.\" -.\" .It Ic send_cert (on | off) ; If you do not want to send a certificate, set this to off. The default is on. @@ -835,15 +652,15 @@ is one of: .Ic hybrid_rsa_server , .Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server or -.Ic xauth_psk_client . +.Ic xauth_psk_client , eap_psk_client , eap_rsa_client . .\" .It Ic dh_group Ar group ; Defines the group used for the Diffie-Hellman exponentiations. This directive must be defined. .Ar group is one of following: -.Ic modp1024 , modp1536 . -Or you can define 2 or 5 as the DH group number. +.Ic modp1024 , modp1536 , modp2048 , modp3072 , modp4096 , modp6144 or modp8192 . +Or you can define 2 , 5 , 14 , 15 , 16 , 17 or 18 as the DH group number. When you want to use aggressive mode, you must define the same DH group in each proposal. .It Ic lifetime time Ar number Ar timeunit ; @@ -855,6 +672,7 @@ directive defined in the directive. .El .El +.El .\" .Ss Policy Specifications The policy directive is obsolete, policies are now in the SPD. 
@@ -926,8 +744,8 @@ If you do not require PFS then you can omit this directive. Any proposal will be accepted if you do not specify one. .Ar group is one of following: -.Ic modp1024 , modp1536 . -Or you can define 2 or 5 as the DH group number. +.Ic modp1024 , modp1536 , modp2048 , modp3072 , modp4096 , modp6144 or modp8192 . +Or you can define 2 , 5 , 14 , 15 , 16 , 17 or 18 as the DH group number. .\" .It Ic lifetime time Ar number Ar timeunit ; define how long an IPsec-SA will be used, in timeunits. 
@@ -1034,232 +852,6 @@ Means to constrain the peer to set the number of pad bytes. The default is off. .El .El -.Ss ISAKMP mode configuration settings -.Bl -tag -width Ds -compact -.It Ic mode_cfg { Ar statements Ic } -Defines the information to return for remote hosts' ISAKMP mode config -requests. -Also defines the authentication source for remote peers -authenticating through Xauth. -.Pp -The following are valid statements: -.Bl -tag -width Ds -compact -.It Ic auth_source (system | radius | pam | ldap) ; -Specifies the source for authentication of users through Xauth. -.Ar system -means to use the Unix user database. -This is the default. -.Ar radius -means to use a RADIUS server. -It works only if -.Xr racoon 8 -was built with libradius support. Radius configuration is hanlded by -.Xr radius.conf 5 . -.Ar pam -means to use PAM. -It works only if -.Xr racoon 8 -was built with libpam support. -.Ar ldap -means to use LDAP. -It works only if -.Xr racoon 8 -was built with libldap support. LDAP configuration is handled by -statements in the -.Ic ldapcfg -section. -.It Ic auth_groups Ar "group1", ... ; -Specifies the group memberships for Xauth in quoted group name strings. -When defined, the authenticating user must be a member of at least one -group for Xauth to succeed. -.It Ic group_source (system | ldap) ; -Specifies the source for group validataion of users through Xauth. -.Ar system -means to use the Unix user database. -This is the default. -.Ar ldap -means to use LDAP. -It works only if -.Xr racoon 8 -was built with libldap support and requires LDAP authentication. -LDAP configuration is handled by statements in the -.Ic ldapcfg -section. -.It Ic conf_source (local | radius | ldap) ; -Specifies the source for IP addresses and netmask allocated through ISAKMP -mode config. -.Ar local -means to use the local IP pool defined by the -.Ic network4 -and -.Ic pool_size -statements. -This is the default. -.Ar radius -means to use a RADIUS server. 
-It works only if -.Xr racoon 8 -was built with libradius support and requires RADIUS authentiation. -RADIUS configuration is handled by -.Xr radius.conf 5 . -.Ar ldap -means to use an LDAP server. -It works only if -.Xr racoon 8 -was built with libldap support and requires LDAP authentication. -LDAP configuration is handled by -statements in the -.Ic ldapcfg -section. -.It Ic accounting (none | system | radius | pam) ; -Enables or disables accounting for Xauth logins and logouts. -The default is -.Ar none -which disable accounting. -Specifying -.Ar system -enables system accounting through -.Xr utmp 5 . -Specifying -.Ar radius -enables RADIUS accounting. -It works only if -.Xr racoon 8 -was built with libradius support and requires RADIUS authentication. -RADIUS configuration is handled by -.Xr radius.conf 5 . -Specifying -.Ar pam -enables PAM accounting. -It works only if -.Xr racoon 8 -was build with libpam support and requires PAM authentication. -.It Ic pool_size Ar size -Specify the size of the IP address pool, either local or allocated -through RADIUS. -.Ic conf_source -selects the local pool or the RADIUS configuration, but in both -configurations, you cannot have more than -.Ar size -users connected at the same time. -The default is 255. -.It Ic network4 Ar address ; -.It Ic netmask4 Ar address ; -The local IP pool base address and network mask from which dynamically -allocated IPv4 addresses should be taken. -This is used if -.Ic conf_source -is set to -.Ar local -or if the RADIUS server returned -.Ar 255.255.255.254 . -Default is -.Ar 0.0.0.0/0.0.0.0 . -.It Ic dns4 Ar addresses ; -A list of IPv4 addresses for DNS servers, separated by commas, or on multiple -.Ic dns4 -lines. -.It Ic nbns4 Ar addresses ; -A list of IPv4 address for WINS servers. -.It Ic split_network (include | local_lan) Ar network/mask, ... -The network configuration to send, in cidr notation (e.g. 192.168.1.0/24). 
-If -.Ic include -is specified, the tunnel should be only used to encrypt the indicated -destinations ; otherwise, if -.Ic local_lan -is used, everything will pass through the tunnel but those destinations. -.It Ic default_domain Ar domain ; -The default DNS domain to send. -.It Ic split_dns Ar "domain", ... -The split dns configuration to send, in quoted domain name strings. -This list can be used to describe a list of domain names for which -a peer should query a modecfg assigned dns server. -DNS queries for all other domains would be handled locally. -(Cisco VPN client only). -.It Ic banner Ar path ; -The path of a file displayed on the client at connection time. -Default is -.Ar /etc/motd . -.It Ic auth_throttle Ar delay ; -On each failed Xauth authentication attempt, refuse new attempts for a set -.Ar delay -of seconds. -This is to avoid dictionary attacks on Xauth passwords. -Default is one second. -Set to zero to disable authentication delay. -.It Ic pfs_group Ar group ; -Sets the PFS group used in the client proposal (Cisco VPN client only). -Default is 0. -.It Ic save_passwd (on | off) ; -Allow the client to save the Xauth password (Cisco VPN client only). -Default is off. -.El -.El -.Ss Ldap configuration settings -.Bl -tag -width Ds -compact -.It Ic ldapcfg { Ar statements Ic } -Defines the parameters that will be used to communicate with an ldap -server for -.Ic xauth -authentication. -.Pp -The following are valid statements: -.Bl -tag -width Ds -compact -.It Ic version (2 | 3) ; -The ldap protocol version used to communicate with the server. -The default is -.Ic 3 . -.It Ic host Ar (hostname | address) ; -The host name or ip address of the ldap server. -The default is -.Ic localhost . -.It Ic port Ar number; -The port that the ldap server is configured to listen on. -The default is -.Ic 389 . -.It Ic base Ar distinguished name; -The ldap search base. -This option has no default value. -.It Ic subtree (on | off) ; -Use the subtree ldap search scope. 
-Otherwise, use the one level search scope. -The default is -.Ic off . -.It Ic bind_dn Ar distinguised name; -The user dn used to optionaly bind as before performing ldap search operations. -If this option is not specified, anonymous binds are used. -.It Ic bind_pw Ar string; -The password used when binding as -.Ic bind_dn . -.It Ic attr_user Ar attribute name; -The attribute used to specify a users name in an ldap directory. -For example, -if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn". -The default value is -.Ic cn . -.It Ic attr_addr Ar attribute name; -.It Ic attr_mask Ar attribute name; -The attributes used to specify a users network address and subnet mask in an -ldap directory. -These values are forwarded during mode_cfg negotiation when -the conf_source is set to ldap. -The default values are -.Ic racoon-address -and -.Ic racoon-netmask . -.It Ic attr_group Ar attribute name; -The attribute used to specify a group name in an ldap directory. -For example, -if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn". -The default value is -.Ic cn . -.It Ic attr_member Ar attribute name; -The attribute used to specify group membership in an ldap directory. -The default value is -.Ic member . -.El -.El .Ss Special directives .Bl -tag -width Ds -compact .It Ic complex_bundle (on | off) ; 
@@ -1317,31 +909,12 @@ sainfo anonymous { pfs_group 2; lifetime time 12 hour ; - encryption_algorithm 3des, blowfish 448, twofish, rijndael ; + encryption_algorithm 3des, aes ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; } .Ed .Pp -If you are configuring plain RSA authentication, the remote directive -should look like the following: -.Bd -literal -offset -path certificate "/usr/local/v6/etc" ; -remote anonymous -{ - exchange_mode main,base ; - lifetime time 12 hour ; - certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv"; - peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub"; - proposal { - encryption_algorithm aes ; - hash_algorithm sha1 ; - authentication_method rsasig ; - dh_group 2 ; - } -} -.Ed -.Pp The following is a sample for the pre-shared key file. .Bd -literal -offset 10.160.94.3 mekmitasdigoat diff --git a/ipsec-tools/racoon/racoon_types.h b/ipsec-tools/racoon/racoon_types.h new file mode 100644 index 0000000..bf1cbbd --- /dev/null +++ b/ipsec-tools/racoon/racoon_types.h 
@@ -0,0 +1,32 @@
+
+/*
+ * Copyright (c) 2001-2004 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+#ifndef _RACOON_TYPES_H
+#define _RACOON_TYPES_H
+
+typedef struct ike_session ike_session_t;
+typedef struct phase1handle phase1_handle_t;
+typedef struct phase2handle phase2_handle_t;
+typedef struct ikev2_ike_sa_window ikev2_ike_sa_window_t;
+#endif /* _RACOON_TYPES_H */
diff --git a/ipsec-tools/racoon/racoonctl.8 b/ipsec-tools/racoon/racoonctl.8
deleted file mode 100644
index b27b188..0000000
--- a/ipsec-tools/racoon/racoonctl.8
+++ /dev/null
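Review bot: The new header carries no comment saying what the four typedefs are for, so a reader has to guess why `ike_session_t`, `phase1_handle_t`, `phase2_handle_t` and `ikev2_ike_sa_window_t` are introduced here rather than next to the structs they name; a line before the first `typedef` such as `/* Opaque handle typedefs shared by racoon headers; the struct definitions live elsewhere, so including this file does not pull them in. */` would make the intent explicit. The file also opens with a blank line ahead of the license block and leaves two blank lines between the license and `#ifndef`, which is worth tidying. The guard `_RACOON_TYPES_H` starts with an underscore followed by an uppercase letter, a form C reserves for the implementation; it matches the `_PROPOSAL_H` guard already used in this tree, so it is a project-wide naming point rather than something specific to this file.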
@@ -1,199 +0,0 @@
-.\" $NetBSD: racoonctl.8,v 1.13 2006/09/09 16:22:10 manu Exp $
-.\"
-.\" Id: racoonctl.8,v 1.6 2006/05/07 21:32:59 manubsd Exp
-.\"
-.\" Copyright (C) 2004 Emmanuel Dreyfus
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the project nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.Dd November 16, 2004 -.Dt RACOONCTL 8 -.Os -.\" -.Sh NAME -.Nm racoonctl -.Nd racoon administrative control tool -.\" -.Sh SYNOPSIS -.Nm -reload-config -.Nm -show-schedule -.Nm -.Op Fl l Op Fl l -show-sa -.Op isakmp|esp|ah|ipsec -.Nm -flush-sa -.Op isakmp|esp|ah|ipsec -.Nm -delete-sa -.Ar saopts -.Nm -establish-sa -.Op Fl u Ar identity -.Ar saopts -.Nm -vpn-connect -.Op Fl u identity -.Ar vpn_gateway -.Nm -vpn-disconnect -.Ar vpn_gateway -.Nm -show-event -.Op Fl l -.Nm -logout-user -.Ar login -.\" -.Sh DESCRIPTION -.Nm -is used to control -.Xr racoon 8 -operation, if ipsec-tools was configured with adminport support. -Communication between -.Nm -and -.Xr racoon 8 -is done through a UNIX socket. -By changing the default mode and ownership -of the socket, you can allow non-root users to alter -.Xr racoon 8 -behavior, so do that with caution. -.Pp -The following commands are available: -.Bl -tag -width Ds -.It reload-config -This should cause -.Xr racoon 8 -to reload its configuration file. -.It show-schedule -Unknown command. -.It show-sa Op isakmp|esp|ah|ipsec -Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs, -IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. -Use -.Fl l -to increase verbosity. -.It flush-sa Op isakmp|esp|ah|ipsec -is used to flush all SAs if no SA class is provided, or a class of SAs, -either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. -.It Xo establish-sa -.Oo Fl u Ar username -.Oc Ar saopts -.Xc -Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. -The optional -.Fl u Ar username -can be used when establishing an ISAKMP SA while hybrid auth is in use. -.Nm -will prompt you for the password associated with -.Ar username -and these credentials will be used in the Xauth exchange. 
-.Pp -.Ar saopts -has the following format: -.Bl -tag -width Bl -.It isakmp {inet|inet6} Ar src Ar dst -.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port -{icmp|tcp|udp|any} -.El -.It Xo vpn-connect -.Oo Fl u Ar username -.Oc Ar vpn_gateway -.Xc -This is a particular case of the previous command. -It will establish an ISAKMP SA with -.Ar vpn_gateway . -.It delete-sa Ar saopts -Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. -.It vpn-disconnect Ar vpn_gateway -This is a particular case of the previous command. -It will kill all SAs associated with -.Ar vpn_gateway . -.It show-event Op Fl l -Dump all events reported by -.Xr racoon 8 , -then quit. -The -.Fl l -flag causes -.Nm -to not stop once all the events have been read, but rather to loop -awaiting and reporting new events. -.It logout-user Ar login -Delete all SA established on behalf of the Xauth user -.Ar login . -.El -.Pp -Command shortcuts are available: -.Bl -tag -width XXX -compact -offset indent -.It rc -reload-config -.It ss -show-sa -.It sc -show-schedule -.It fs -flush-sa -.It ds -delete-sa -.It es -establish-sa -.It vc -vpn-connect -.It vd -vpn-disconnect -.It se -show-event -.It lu -logout-user -.El -.\" -.Sh RETURN VALUES -The command should exit with 0 on success, and non-zero on errors. -.\" -.Sh FILES -.Bl -tag -width 30n -compact -.It Pa /var/racoon/racoon.sock No or -.It Pa /var/run/racoon.sock -.Xr racoon 8 -control socket. -.El -.\" -.Sh SEE ALSO -.Xr ipsec 4 , -.Xr racoon 8 -.Sh HISTORY -Once was -.Ic kmpstat -in the KAME project. -It turned into -.Nm -but remained undocumented for a while. -.An Emmanuel Dreyfus Aq manu@NetBSD.org -wrote this man page. diff --git a/ipsec-tools/racoon/racoonctl.c b/ipsec-tools/racoon/racoonctl.c deleted file mode 100644 index 661f85e..0000000 --- a/ipsec-tools/racoon/racoonctl.c +++ /dev/null 
@@ -1,1813 +0,0 @@ -/* $NetBSD: racoonctl.c,v 1.7 2006/10/02 07:12:26 manu Exp $ */ - -/* Id: racoonctl.c,v 1.11 2006/04/06 17:06:25 manubsd Exp */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "config.h" - -#include -#include -#include -#include - -#include -#include - -#include - -#include -#include -#include -#include -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include -#include - -#include "var.h" -#include "vmbuf.h" -#include "misc.h" -#include "gcmalloc.h" - -#include "racoonctl.h" -#include "admin.h" -#include "schedule.h" -#include "handler.h" -#include "sockmisc.h" -#include "vmbuf.h" -#include "plog.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "isakmp_xauth.h" -#include "isakmp_cfg.h" -#include "isakmp_unity.h" -#include "ipsec_doi.h" -#include "evt.h" - -char *adminsock_path = ADMINSOCK_PATH; - -static void usage __P((void)); -static vchar_t *get_combuf __P((int, char **)); -static int handle_recv __P((vchar_t *)); -static vchar_t *f_reload __P((int, char **)); -static vchar_t *f_getsched __P((int, char **)); -static vchar_t *f_getsa __P((int, char **)); -static vchar_t *f_flushsa __P((int, char **)); -static vchar_t *f_deletesa __P((int, char **)); -static vchar_t *f_exchangesa __P((int, char **)); -static vchar_t *f_vpnc __P((int, char **)); -static vchar_t *f_exchangesatest __P((int, char **)); -static vchar_t *f_vpntest __P((int, char **)); -static vchar_t *f_vpnd __P((int, char **)); -static vchar_t *f_getevt __P((int, char **)); -#ifdef ENABLE_HYBRID -static vchar_t *f_logoutusr __P((int, char **)); -#endif - -struct cmd_tag { - vchar_t *(*func) __P((int, char **)); - int cmd; - char *str; -} cmdtab[] = { - { f_reload, ADMIN_RELOAD_CONF, "reload-config" }, - { f_reload, ADMIN_RELOAD_CONF, "rc" }, - { f_getsched, ADMIN_SHOW_SCHED, "show-schedule" }, - { f_getsched, ADMIN_SHOW_SCHED, "sc" }, - { f_getsa, ADMIN_SHOW_SA, "show-sa" }, - { f_getsa, ADMIN_SHOW_SA, "ss" }, - { f_flushsa, ADMIN_FLUSH_SA, "flush-sa" }, - { f_flushsa, ADMIN_FLUSH_SA, "fs" }, - { f_deletesa, 
ADMIN_DELETE_SA, "delete-sa" }, - { f_deletesa, ADMIN_DELETE_SA, "ds" }, - { f_exchangesa, ADMIN_ESTABLISH_SA, "establish-sa" }, - { f_exchangesa, ADMIN_ESTABLISH_SA, "es" }, - { f_vpnc, ADMIN_ESTABLISH_SA, "vpn-connect" }, - { f_vpnc, ADMIN_ESTABLISH_SA, "vc" }, - { f_vpntest, ADMIN_ESTABLISH_SA_VPNCONTROL, "vpntest" }, - { f_vpnd, ADMIN_DELETE_ALL_SA_DST,"vpn-disconnect" }, - { f_vpnd, ADMIN_DELETE_ALL_SA_DST,"vd" }, - { f_getevt, ADMIN_SHOW_EVT, "show-event" }, - { f_getevt, ADMIN_SHOW_EVT, "se" }, -#ifdef ENABLE_HYBRID - { f_logoutusr, ADMIN_LOGOUT_USER, "logout-user" }, - { f_logoutusr, ADMIN_LOGOUT_USER, "lu" }, -#endif - { NULL, 0, NULL }, -}; - -struct evtmsg { - int type; - char *msg; - enum { UNSPEC, ERROR, INFO } level; -} evtmsg[] = { - { EVTT_PHASE1_UP, "Phase 1 established", INFO }, - { EVTT_PHASE1_DOWN, "Phase 1 deleted", INFO }, - { EVTT_XAUTH_SUCCESS, "Xauth exchange passed", INFO }, - { EVTT_ISAKMP_CFG_DONE, "ISAKMP mode config done", INFO }, - { EVTT_PHASE2_UP, "Phase 2 established", INFO }, - { EVTT_PHASE2_DOWN, "Phase 2 deleted", INFO }, - { EVTT_DPD_TIMEOUT, "Peer not reachable anymore", ERROR }, - { EVTT_PEER_NO_RESPONSE, "Peer not responding", ERROR }, - { EVTT_PEER_DELETE, "Peer terminated security association", ERROR }, - { EVTT_RACOON_QUIT, "Raccon terminated", ERROR }, - { EVTT_OVERFLOW, "Event queue overflow", ERROR }, - { EVTT_XAUTH_FAILED, "Xauth exchange failed", ERROR }, - { EVTT_PEERPH1AUTH_FAILED, "Peer failed phase 1 authentication " - "(certificate problem?)", ERROR }, - { EVTT_PEERPH1_NOPROP, "Peer failed phase 1 initiation " - "(proposal problem?)", ERROR }, - { 0, NULL, UNSPEC }, - { EVTT_NO_ISAKMP_CFG, "No need for ISAKMP mode config ", INFO }, -}; - -static int get_proto __P((char *)); -static vchar_t *get_index __P((int, char **)); -static int get_family __P((char *)); -static vchar_t *get_comindexes __P((int, int, char **)); -static int get_comindex __P((char *, char **, char **, char **)); -static int get_ulproto 
__P((char *)); - -struct proto_tag { - int proto; - char *str; -} prototab[] = { - { ADMIN_PROTO_ISAKMP, "isakmp" }, - { ADMIN_PROTO_IPSEC, "ipsec" }, - { ADMIN_PROTO_AH, "ah" }, - { ADMIN_PROTO_ESP, "esp" }, - { ADMIN_PROTO_INTERNAL, "internal" }, - { 0, NULL }, -}; - -struct ulproto_tag { - int ul_proto; - char *str; -} ulprototab[] = { - { 0, "any" }, - { IPPROTO_ICMP, "icmp" }, - { IPPROTO_TCP, "tcp" }, - { IPPROTO_UDP, "udp" }, - { 0, NULL }, -}; - -int so; - -static char _addr1_[NI_MAXHOST], _addr2_[NI_MAXHOST]; - -char *pname; -int long_format = 0; - -#define EVTF_NONE 0x0000 /* Ignore any events */ -#define EVTF_LOOP 0x0001 /* Loop awaiting for new events */ -#define EVTF_CFG_STOP 0x0002 /* Stop after ISAKMP mode config */ -#define EVTF_CFG 0x0004 /* Print ISAKMP mode config info */ -#define EVTF_ALL 0x0008 /* Print any events */ -#define EVTF_PURGE 0x0010 /* Print all available events */ -#define EVTF_PH1DOWN_STOP 0x0020 /* Stop when phase 1 SA gets down */ -#define EVTF_PH1DOWN 0x0040 /* Print that phase 1 SA got down */ -#define EVTF_ERR 0x0080 /* Print any error */ -#define EVTF_ERR_STOP 0x0100 /* Stop on any error */ - -int evt_filter = EVTF_NONE; -time_t evt_start; - -void dump_isakmp_sa __P((char *, int)); -void dump_internal __P((char *, int)); -char *pindex_isakmp __P((isakmp_index *)); -void print_schedule __P((caddr_t, int)); -void print_evt __P((caddr_t, int)); -void print_cfg __P((caddr_t, int)); -void print_err __P((caddr_t, int)); -void print_ph1down __P((caddr_t, int)); -void print_ph1up __P((caddr_t, int)); -int evt_poll __P((void)); -char * fixed_addr __P((char *, char *, int)); - -static void -usage() -{ - printf( -"Usage:\n" -" %s reload-config\n" -" %s [-l [-l]] show-sa [protocol]\n" -" %s flush-sa [protocol]\n" -" %s delete-sa \n" -" %s establish-sa [-u identity] \n" -" %s vpn-connect [-u identity] vpn_gateway\n" -" %s vpn-disconnect vpn_gateway\n" -"\n" -" : \"isakmp\", \"esp\" or \"ah\".\n" -" In the case of \"show-sa\" or 
\"flush-sa\", you can use \"ipsec\".\n" -"\n" -" : \"isakmp\" \n" -" : {\"esp\",\"ah\"} \n" -" \n" -" : \"inet\" or \"inet6\"\n" -" : \"icmp\", \"tcp\", \"udp\" or \"any\"\n", - pname, pname, pname, pname, pname, pname, pname); -} - -/* - * Check for proper racoonctl interface - */ -#if ((RACOONCTL_INTERFACE_MAJOR != 1) || (RACOONCTL_INTERFACE < 20041230)) -#error "Incompatible racoonctl interface" -#endif - -int -main(ac, av) - int ac; - char **av; -{ - vchar_t *combuf; - int c; - - pname = *av; - - /* - * Check for proper racoonctl interface - */ - if ((racoonctl_interface_major != RACOONCTL_INTERFACE_MAJOR) || - (racoonctl_interface < RACOONCTL_INTERFACE)) - errx(1, "Incompatible racoonctl interface"); - - while ((c = getopt(ac, av, "lds:")) != -1) { - switch(c) { - case 'l': - long_format++; - break; - - case 'd': - loglevel++; - break; - - case 's': - adminsock_path = optarg; - break; - - default: - usage(); - exit(0); - } - } - - ac -= optind; - av += optind; - - combuf = get_combuf(ac, av); - if (!combuf) - err(1, "kmpstat"); - - if (loglevel) - hexdump(combuf, ((struct admin_com *)combuf)->ac_len); - - com_init(); - - if (com_send(combuf) != 0) - goto bad; - - vfree(combuf); - - if (com_recv(&combuf) != 0) - goto bad; - if (handle_recv(combuf) != 0) - goto bad; - - vfree(combuf); - - if (evt_filter != EVTF_NONE) - if (evt_poll() != 0) - goto bad; - - exit(0); - - bad: - exit(1); -} - -int -evt_poll(void) { - struct timeval tv; - vchar_t *recvbuf; - vchar_t *sendbuf; - - if ((sendbuf = f_getevt(0, NULL)) == NULL) - errx(1, "Cannot make combuf"); - - while (evt_filter & (EVTF_LOOP|EVTF_PURGE)) { - /* handle_recv closes the socket time, so open it each time */ - com_init(); - if (com_send(sendbuf) != 0) - errx(1, "Cannot send combuf"); - - if (com_recv(&recvbuf) == 0) { - handle_recv(recvbuf); - vfree(recvbuf); - } - - tv.tv_sec = 0; - tv.tv_usec = 10; - (void)select(0, NULL, NULL, NULL, &tv); - } - - vfree(sendbuf); - return 0; -} - -/* %%% */ -/* - * return 
command buffer. - */ -static vchar_t * -get_combuf(ac, av) - int ac; - char **av; -{ - struct cmd_tag *cp; - - if (ac == 0) { - usage(); - exit(0); - } - - /* checking the string of command. */ - for (cp = &cmdtab[0]; cp->str; cp++) { - if (strcmp(*av, cp->str) == 0) { - break; - } - } - if (!cp->str) { - printf("Invalid command [%s]\n", *av); - errno = EINVAL; - return NULL; - } - - ac--; - av++; - return (cp->func)(ac, av); -} - -static vchar_t * -f_reload(ac, av) - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com *head; - - buf = vmalloc(sizeof(*head)); - if (buf == NULL) - errx(1, "not enough core"); - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_RELOAD_CONF; - head->ac_errno = 0; - head->ac_proto = 0; - - return buf; -} - -static vchar_t * -f_getevt(ac, av) - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com *head; - - /* - * There are 3 ways of getting here - * 1) racoonctl vc => evt_filter = (EVTF_LOOP|EVTF_CFG| ... ) - * 2) racoonctl es => evt_filter = EVTF_NONE - * 3) racoonctl es -l => evt_filter = EVTF_LOOP - * Catch the second case: show-event is here to purge all - */ - if (evt_filter == EVTF_NONE) - evt_filter = (EVTF_ALL|EVTF_PURGE); - - if ((ac >= 1) && (strcmp(av[0], "-l") == 0)) - evt_filter |= EVTF_LOOP; - - if (ac >= 2) - errx(1, "too many arguments"); - - buf = vmalloc(sizeof(*head)); - if (buf == NULL) - errx(1, "not enough core"); - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_SHOW_EVT; - head->ac_errno = 0; - head->ac_proto = 0; - - return buf; -} - -static vchar_t * -f_getsched(ac, av) - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com *head; - - buf = vmalloc(sizeof(*head)); - if (buf == NULL) - errx(1, "not enough core"); - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_SHOW_SCHED; - head->ac_errno = 0; - head->ac_proto = 0; - - return buf; -} - -static vchar_t * -f_getsa(ac, av) - int ac; - 
char **av; -{ - vchar_t *buf; - struct admin_com *head; - int proto; - - /* need protocol */ - if (ac != 1) - errx(1, "insufficient arguments"); - proto = get_proto(*av); - if (proto == -1) - errx(1, "unknown protocol %s", *av); - - buf = vmalloc(sizeof(*head)); - if (buf == NULL) - errx(1, "not enough core"); - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_SHOW_SA; - head->ac_errno = 0; - head->ac_proto = proto; - - return buf; -} - -static vchar_t * -f_flushsa(ac, av) - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com *head; - int proto; - - /* need protocol */ - if (ac != 1) - errx(1, "insufficient arguments"); - proto = get_proto(*av); - if (proto == -1) - errx(1, "unknown protocol %s", *av); - - buf = vmalloc(sizeof(*head)); - if (buf == NULL) - errx(1, "not enough core"); - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_FLUSH_SA; - head->ac_errno = 0; - head->ac_proto = proto; - - return buf; -} - -static vchar_t * -f_deletesa(ac, av) - int ac; - char **av; -{ - vchar_t *buf, *index; - struct admin_com *head; - int proto; - - /* need protocol */ - if (ac < 1) - errx(1, "insufficient arguments"); - proto = get_proto(*av); - if (proto == -1) - errx(1, "unknown protocol %s", *av); - - /* get index(es) */ - av++; - ac--; - switch (proto) { - case ADMIN_PROTO_ISAKMP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - break; - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - break; - default: - errno = EPROTONOSUPPORT; - return NULL; - } - - buf = vmalloc(sizeof(*head) + index->l); - if (buf == NULL) - goto out; - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l + index->l; - head->ac_cmd = ADMIN_DELETE_SA; - head->ac_errno = 0; - head->ac_proto = proto; - - memcpy(buf->v+sizeof(*head), index->v, index->l); - -out: - if (index != NULL) - vfree(index); - - return buf; -} - -static vchar_t * 
-f_deleteallsadst(ac, av) - int ac; - char **av; -{ - vchar_t *buf, *index; - struct admin_com *head; - int proto; - - /* need protocol */ - if (ac < 1) - errx(1, "insufficient arguments"); - proto = get_proto(*av); - if (proto == -1) - errx(1, "unknown protocol %s", *av); - - /* get index(es) */ - av++; - ac--; - switch (proto) { - case ADMIN_PROTO_ISAKMP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - break; - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - break; - default: - errno = EPROTONOSUPPORT; - return NULL; - } - - buf = vmalloc(sizeof(*head) + index->l); - if (buf == NULL) - goto out; - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l + index->l; - head->ac_cmd = ADMIN_DELETE_ALL_SA_DST; - head->ac_errno = 0; - head->ac_proto = proto; - - memcpy(buf->v+sizeof(*head), index->v, index->l); - -out: - if (index != NULL) - vfree(index); - - return buf; -} - -static vchar_t * -f_exchangesa(ac, av) - int ac; - char **av; -{ - vchar_t *buf, *index; - struct admin_com *head; - int proto; - int cmd = ADMIN_ESTABLISH_SA; - size_t com_len = 0; - char *id = NULL; - char *key = NULL; - struct admin_com_psk *acp; - - if (ac < 1) - errx(1, "insufficient arguments"); - - /* Optional -u identity */ - if (strcmp(av[0], "-u") == 0) { - if (ac < 2) - errx(1, "-u require an argument"); - - id = av[1]; - if ((key = getpass("Password: ")) == NULL) - errx(1, "getpass() failed: %s", strerror(errno)); - - com_len += sizeof(*acp) + strlen(id) + 1 + strlen(key) + 1; - cmd = ADMIN_ESTABLISH_SA_PSK; - - av += 2; - ac -= 2; - } - - /* need protocol */ - if (ac < 1) - errx(1, "insufficient arguments"); - if ((proto = get_proto(*av)) == -1) - errx(1, "unknown protocol %s", *av); - - /* get index(es) */ - av++; - ac--; - switch (proto) { - case ADMIN_PROTO_ISAKMP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - break; - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - index = 
get_index(ac, av); - if (index == NULL) - return NULL; - break; - default: - errno = EPROTONOSUPPORT; - return NULL; - } - - com_len += sizeof(*head) + index->l; - if ((buf = vmalloc(com_len)) == NULL) - errx(1, "Cannot allocate buffer"); - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = cmd; - head->ac_errno = 0; - head->ac_proto = proto; - - memcpy(buf->v+sizeof(*head), index->v, index->l); - - if (id && key) { - // overload com_len to track the number of unused bytes in buf->v - char *data; - acp = (struct admin_com_psk *) - (buf->v + sizeof(*head) + index->l); - com_len -= sizeof(*head) + index->l; - - acp->id_type = IDTYPE_USERFQDN; - acp->id_len = strlen(id) + 1; - acp->key_len = strlen(key) + 1; - - data = (char *)(acp + 1); - com_len -= sizeof(*acp); - strlcpy(data, id, com_len); - - data = (char *)(data + acp->id_len); - com_len -= acp->id_len; - strlcpy(data, key, com_len); - } - - vfree(index); - - return buf; -} - -// %%%%% testing -static vchar_t * -f_exchangesatest(ac, av) - int ac; - char **av; -{ - vchar_t *buf, *index; - struct admin_com *head; - int proto; - int cmd = ADMIN_ESTABLISH_SA_VPNCONTROL; - size_t com_len = 0; - char *id = NULL; - char *key = NULL; - struct admin_com_psk *acp; - - if (ac < 1) - errx(1, "insufficient arguments"); - - /* Optional -u identity */ - if (strcmp(av[0], "-u") == 0) { - if (ac < 2) - errx(1, "-u require an argument"); - - id = av[1]; - if ((key = getpass("Password: ")) == NULL) - errx(1, "getpass() failed: %s", strerror(errno)); - - com_len += sizeof(*acp) + strlen(id) + 1 + strlen(key) + 1; - cmd = ADMIN_ESTABLISH_SA_VPNCONTROL; - - av += 2; - ac -= 2; - } - - /* need protocol */ - if (ac < 1) - errx(1, "insufficient arguments"); - if ((proto = get_proto(*av)) == -1) - errx(1, "unknown protocol %s", *av); - - /* get index(es) */ - av++; - ac--; - switch (proto) { - case ADMIN_PROTO_ISAKMP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - break; - case 
ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - break; - default: - errno = EPROTONOSUPPORT; - return NULL; - } - - com_len += sizeof(*head) + index->l; - if ((buf = vmalloc(com_len)) == NULL) - errx(1, "Cannot allocate buffer"); - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = cmd; - head->ac_errno = 0; - head->ac_proto = proto; - - memcpy(buf->v+sizeof(*head), index->v, index->l); - - if (id && key) { - // overload com_len to track the number of unused bytes in buf->v - char *data; - acp = (struct admin_com_psk *) - (buf->v + sizeof(*head) + index->l); - com_len -= sizeof(*head) + index->l; - - acp->id_type = IDTYPE_USERFQDN; - acp->id_len = strlen(id) + 1; - acp->key_len = strlen(key) + 1; - - data = (char *)(acp + 1); - strlcpy(data, id, com_len); - - data = (char *)(data + acp->id_len); - com_len -= acp->id_len; - strlcpy(data, key, com_len); - } - - vfree(index); - - return buf; -} - -static vchar_t * -f_vpnc(ac, av) - int ac; - char **av; -{ - char *nav[] = {NULL, NULL, NULL, NULL, NULL, NULL}; - int nac = 0; - char *isakmp = "isakmp"; - char *inet = "inet"; - char *srcaddr; - struct addrinfo hints, *res; - struct sockaddr_storage *src; - char *idx; - - if (ac < 1) - errx(1, "insufficient arguments"); - - evt_filter = (EVTF_LOOP|EVTF_CFG|EVTF_CFG_STOP|EVTF_ERR|EVTF_ERR_STOP); - time(&evt_start); - - /* Optional -u identity */ - if (strcmp(av[0], "-u") == 0) { - if (ac < 2) - errx(1, "-u require an argument"); - - nav[nac++] = av[0]; - nav[nac++] = av[1]; - - ac -= 2; - av += 2; - } - - if (ac < 1) - errx(1, "VPN gateway required"); - if (ac > 1) - warnx("Extra arguments"); - - /* - * Find the source address - */ - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_DGRAM; - if (getaddrinfo(av[0], "4500", &hints, &res) != 0) - errx(1, "Cannot resolve destination address"); - - if ((src = getlocaladdr(res->ai_addr)) == NULL) - 
errx(1, "cannot find source address"); - - if ((srcaddr = saddr2str(src)) == NULL) - errx(1, "cannot read source address"); - - /* We get "ip[port]" strip the port */ - if ((idx = index(srcaddr, '[')) == NULL) - errx(1, "unexpected source address format"); - *idx = '\0'; - - nav[nac++] = isakmp; - nav[nac++] = inet; - nav[nac++] = srcaddr; - nav[nac++] = av[0]; - - return f_exchangesa(nac, nav); -} - -// %%% testing -static vchar_t * -f_vpntest(ac, av) - int ac; - char **av; -{ - char *nav[] = {NULL, NULL, NULL, NULL, NULL, NULL}; - int nac = 0; - char *isakmp = "isakmp"; - char *inet = "inet"; - char *srcaddr; - struct addrinfo hints, *res; - struct sockaddr_storage *src; - char *idx; - - if (ac < 1) - errx(1, "insufficient arguments"); - - evt_filter = (EVTF_LOOP|EVTF_CFG|EVTF_CFG_STOP|EVTF_ERR|EVTF_ERR_STOP); - time(&evt_start); - - /* Optional -u identity */ - if (strcmp(av[0], "-u") == 0) { - if (ac < 2) - errx(1, "-u require an argument"); - - nav[nac++] = av[0]; - nav[nac++] = av[1]; - - ac -= 2; - av += 2; - } - - if (ac < 1) - errx(1, "VPN gateway required"); - if (ac > 1) - warnx("Extra arguments"); - - /* - * Find the source address - */ - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_DGRAM; - if (getaddrinfo(av[0], "4500", &hints, &res) != 0) - errx(1, "Cannot resolve destination address"); - - if ((src = getlocaladdr(res->ai_addr)) == NULL) - errx(1, "cannot find source address"); - - if ((srcaddr = saddr2str(src)) == NULL) - errx(1, "cannot read source address"); - - /* We get "ip[port]" strip the port */ - if ((idx = index(srcaddr, '[')) == NULL) - errx(1, "unexpected source address format"); - *idx = '\0'; - - nav[nac++] = isakmp; - nav[nac++] = inet; - nav[nac++] = srcaddr; - nav[nac++] = av[0]; - - return f_exchangesa(nac, nav); -} - -static vchar_t * -f_vpnd(ac, av) - int ac; - char **av; -{ - char *nav[] = {NULL, NULL, NULL, NULL}; - int nac = 0; - char *isakmp = "isakmp"; - char *inet = "inet"; - 
char *anyaddr = "0.0.0.0"; - char *idx; - - if (ac < 1) - errx(1, "VPN gateway required"); - if (ac > 1) - warnx("Extra arguments"); - - evt_filter = - (EVTF_PH1DOWN|EVTF_PH1DOWN_STOP|EVTF_LOOP|EVTF_ERR|EVTF_ERR_STOP); - - nav[nac++] = isakmp; - nav[nac++] = inet; - nav[nac++] = anyaddr; - nav[nac++] = av[0]; - - return f_deleteallsadst(nac, nav); -} - -#ifdef ENABLE_HYBRID -static vchar_t * -f_logoutusr(ac, av) - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com *head; - char *user; - - /* need username */ - if (ac < 1) - errx(1, "insufficient arguments"); - user = av[0]; - if ((user == NULL) || ((strlen(user) + 1) > LOGINLEN)) - errx(1, "bad login (too long?)"); - - buf = vmalloc(sizeof(*head) + LOGINLEN); - if (buf == NULL) - return NULL; - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_LOGOUT_USER; - head->ac_errno = 0; - head->ac_proto = 0; - - strlcpy((char *)(head + 1), user, LOGINLEN); - - return buf; -} -#endif /* ENABLE_HYBRID */ - - -static int -get_proto(str) - char *str; -{ - struct proto_tag *cp; - - if (str == NULL) { - errno = EINVAL; - return -1; - } - - /* checking the string of command. 
*/ - for (cp = &prototab[0]; cp->str; cp++) { - if (strcmp(str, cp->str) == 0) - return cp->proto; - } - - errno = EINVAL; - return -1; -} - -static vchar_t * -get_index(ac, av) - int ac; - char **av; -{ - int family; - - if (ac != 3 && ac != 4) { - errno = EINVAL; - return NULL; - } - - /* checking the string of family */ - family = get_family(*av); - if (family == -1) - return NULL; - av++; - ac--; - - return get_comindexes(family, ac, av); -} - -static int -get_family(str) - char *str; -{ - if (strcmp("inet", str) == 0) - return AF_INET; -#ifdef INET6 - else if (strcmp("inet6", str) == 0) - return AF_INET6; -#endif - errno = EAFNOSUPPORT; - return -1; -} - -static vchar_t * -get_comindexes(family, ac, av) - int family; - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com_indexes *ci; - char *p_name = NULL, *p_port = NULL; - char *p_prefs = NULL, *p_prefd = NULL; - struct sockaddr_storage *src = NULL, *dst = NULL; - int ulproto; - - if (ac != 2 && ac != 3) { - errno = EINVAL; - return NULL; - } - - if (get_comindex(*av, &p_name, &p_port, &p_prefs) == -1) - goto bad; - src = get_sockaddr(family, p_name, p_port); - if (p_name) { - racoon_free(p_name); - p_name = NULL; - } - if (p_port) { - racoon_free(p_port); - p_port = NULL; - } - if (src == NULL) - goto bad; - av++; - ac--; - if (get_comindex(*av, &p_name, &p_port, &p_prefd) == -1) - goto bad; - dst = get_sockaddr(family, p_name, p_port); - if (p_name) { - racoon_free(p_name); - p_name = NULL; - } - if (p_port) { - racoon_free(p_port); - p_port = NULL; - } - if (dst == NULL) - goto bad; - - buf = vmalloc(sizeof(*ci)); - if (buf == NULL) - goto bad; - - av++; - ac--; - if(ac){ - ulproto = get_ulproto(*av); - if (ulproto == -1) - goto bad; - }else - ulproto=0; - - ci = (struct admin_com_indexes *)buf->v; - if(p_prefs) - ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */ - else - ci->prefs = 32; - if(p_prefd) - ci->prefd = (u_int8_t)atoi(p_prefd); /* XXX should be handled error. 
*/ - else - ci->prefd = 32; - ci->ul_proto = ulproto; - memcpy(&ci->src, src, sysdep_sa_len(src)); - memcpy(&ci->dst, dst, sysdep_sa_len(dst)); - - if (p_name) - racoon_free(p_name); - - return buf; - - bad: - if (p_name) - racoon_free(p_name); - if (p_port) - racoon_free(p_port); - if (p_prefs) - racoon_free(p_prefs); - if (p_prefd) - racoon_free(p_prefd); - return NULL; -} - -static int -get_comindex(str, name, port, pref) - char *str, **name, **port, **pref; -{ - char *p; - - *name = *port = *pref = NULL; - - *name = racoon_strdup(str); - STRDUP_FATAL(*name); - p = strpbrk(*name, "/["); - if (p != NULL) { - if (*(p + 1) == '\0') - goto bad; - if (*p == '/') { - *p = '\0'; - *pref = racoon_strdup(p + 1); - STRDUP_FATAL(*pref); - p = strchr(*pref, '['); - if (p != NULL) { - if (*(p + 1) == '\0') - goto bad; - *p = '\0'; - *port = racoon_strdup(p + 1); - STRDUP_FATAL(*port); - p = strchr(*pref, ']'); - if (p == NULL) - goto bad; - *p = '\0'; - } - } else if (*p == '[') { - if (*pref == NULL) - goto bad; - *p = '\0'; - *port = racoon_strdup(p + 1); - STRDUP_FATAL(*port); - p = strchr(*pref, ']'); - if (p == NULL) - goto bad; - *p = '\0'; - } else { - /* XXX */ - } - } - - return 0; - - bad: - - if (*name) - racoon_free(*name); - if (*port) - racoon_free(*port); - if (*pref) - racoon_free(*pref); - *name = *port = *pref = NULL; - return -1; -} - -static int -get_ulproto(str) - char *str; -{ - struct ulproto_tag *cp; - - if(str == NULL){ - errno = EINVAL; - return -1; - } - - /* checking the string of upper layer protocol. 
*/ - for (cp = &ulprototab[0]; cp->str; cp++) { - if (strcmp(str, cp->str) == 0) - return cp->ul_proto; - } - - errno = EINVAL; - return -1; -} - -/* %%% */ -void -dump_isakmp_sa(buf, len) - char *buf; - int len; -{ - struct ph1dump *pd; - struct tm *tm; - char tbuf[56]; - caddr_t p = NULL; - -/* isakmp status header */ -/* short header; - 1234567890123456789012 0000000000000000:0000000000000000 000000000000 -*/ -char *header1 = -"Destination Cookies Created"; - -/* semi long header; - 1234567890123456789012 0000000000000000:0000000000000000 00 X 00 X 0000-00-00 00:00:00 000000 -*/ -char *header2 = -"Destination Cookies ST S V E Created Phase2"; - -/* long header; - 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000000000000000:0000000000000000 00 X 00 X 0000-00-00 00:00:00 000000 -*/ -char *header3 = -"Source Destination Cookies ST S V E Created Phase2"; - -/* phase status header */ -/* short format; - side stats source address destination address - xxx xxxxx 1234567890123456789012 1234567890123456789012 -*/ - - static char *estr[] = { "", "B", "M", "U", "A", "I", }; - - switch (long_format) { - case 0: - printf("%s\n", header1); - break; - case 1: - printf("%s\n", header2); - break; - case 2: - default: - printf("%s\n", header3); - break; - } - - if (len % sizeof(*pd)) - printf("invalid length %d\n", len); - len /= sizeof(*pd); - - pd = (struct ph1dump *)buf; - - while (len-- > 0) { - /* source address */ - if (long_format >= 2) { - GETNAMEINFO((struct sockaddr_storage *)&pd->local, _addr1_, _addr2_); - switch (long_format) { - case 0: - break; - case 1: - p = fixed_addr(_addr1_, _addr2_, 22); - break; - case 2: - default: - p = fixed_addr(_addr1_, _addr2_, 45); - break; - } - printf("%s ", p); - } - - /* destination address */ - GETNAMEINFO((struct sockaddr_storage *)&pd->remote, _addr1_, _addr2_); - switch (long_format) { - case 0: - case 1: - p = fixed_addr(_addr1_, _addr2_, 22); - break; - case 2: - default: - p = 
fixed_addr(_addr1_, _addr2_, 45); - break; - } - printf("%s ", p); - - printf("%s ", pindex_isakmp(&pd->index)); - - /* statuc, side and version */ - if (long_format >= 1) { - printf("%2d %c %2x ", - pd->status, - pd->side == INITIATOR ? 'I' : 'R', - pd->version); - if (ARRAYLEN(estr) > pd->etype) - printf("%s ", estr[pd->etype]); - } - - /* created date */ - if (pd->created) { - tm = localtime(&pd->created); - strftime(tbuf, sizeof(tbuf), "%Y-%m-%d %T", tm); - } else - snprintf(tbuf, sizeof(tbuf), " "); - printf("%s ", tbuf); - - /* counter of phase 2 */ - if (long_format >= 1) - printf("%6d ", pd->ph2cnt); - - printf("\n"); - - pd++; - } - - return; -} - -/* %%% */ -void -dump_internal(buf, tlen) - char *buf; - int tlen; -{ - struct ph2handle *iph2; - struct sockaddr_storage *addr; - -/* -short header; - source address destination address - 1234567890123456789012 1234567890123456789012 -*/ -char *short_h1 = -"Source Destination "; - -/* -long header; - source address destination address - 123456789012345678901234567890123456789012345 123456789012345678901234567890123456789012345 - 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000 -*/ -char *long_h1 = -"Source Destination "; - - printf("%s\n", long_format ? long_h1 : short_h1); - - while (tlen > 0) { - iph2 = (struct ph2handle *)buf; - addr = (struct sockaddr_storage *)(++iph2); - - GETNAMEINFO(addr, _addr1_, _addr2_); - printf("%s ", long_format ? - fixed_addr(_addr1_, _addr2_, 45) - : fixed_addr(_addr1_, _addr2_, 22)); - addr++; - tlen -= sysdep_sa_len(addr); - - GETNAMEINFO(addr, _addr1_, _addr2_); - printf("%s ", long_format ? 
- fixed_addr(_addr1_, _addr2_, 45) - : fixed_addr(_addr1_, _addr2_, 22)); - addr++; - tlen -= sysdep_sa_len(addr); - - printf("\n"); - } - - return; -} - -/* %%% */ -char * -pindex_isakmp(index) - isakmp_index *index; -{ - static char buf[64]; - u_char *p; - int i, j; - - memset(buf, 0, sizeof(buf)); - - /* copy index */ - p = (u_char *)index; - for (j = 0, i = 0; i < sizeof(isakmp_index); i++) { - snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]); - j += 2; - switch (i) { - case 7: -#if 0 - case 15: -#endif - buf[j++] = ':'; - } - } - - return buf; -} - -/* print schedule */ -char *str_sched_stat[] = { -"off", -"on", -"dead", -}; - -char *str_sched_id[] = { -"PH1resend", -"PH1lifetime", -"PH2resend", -"PSTacquire", -"PSTlifetime", -}; - -void -print_schedule(buf, len) - caddr_t buf; - int len; -{ - struct scheddump *sc = (struct scheddump *)buf; - struct tm *tm; - char tbuf[56]; - - if (len % sizeof(*sc)) - printf("invalid length %d\n", len); - len /= sizeof(*sc); - - /* 00000000 00000000 00000000 xxx........*/ - printf("index tick xtime created\n"); - - while (len-- > 0) { - tm = localtime(&sc->created); - strftime(tbuf, sizeof(tbuf), "%Y-%m-%d %T", tm); - - printf("%-8ld %-8ld %-8ld %s\n", - sc->id, - (long)sc->tick, - (long)sc->xtime, - tbuf); - sc++; - } - - return; -} - - -void -print_evt(buf, len) - caddr_t buf; - int len; -{ - struct evtdump *evtdump = (struct evtdump *)buf; - int i; - char *srcstr; - char *dststr; - - for (i = 0; evtmsg[i].msg; i++) - if (evtmsg[i].type == evtdump->type) - break; - - if (evtmsg[i].msg == NULL) - printf("Event %d: ", evtdump->type); - else - printf("%s : ", evtmsg[i].msg); - - if ((srcstr = saddr2str((struct sockaddr_storage *)&evtdump->src)) == NULL) - printf("unknown"); - else - printf("%s", srcstr); - printf(" -> "); - if ((dststr = saddr2str((struct sockaddr_storage *)&evtdump->dst)) == NULL) - printf("unknown"); - else - printf("%s", dststr); - printf("\n"); - - return; -} - -void -print_err(buf, len) - caddr_t 
buf; - int len; -{ - struct evtdump *evtdump = (struct evtdump *)buf; - int i; - - - for (i = 0; evtmsg[i].msg; i++) - if (evtmsg[i].type == evtdump->type) - break; - - if (evtmsg[i].level != ERROR) - return; - - if (evtmsg[i].msg == NULL) - printf("Error: Event %d\n", evtdump->type); - else - printf("Error: %s\n", evtmsg[i].msg); - - if (evt_filter & EVTF_ERR_STOP) - evt_filter &= ~EVTF_LOOP; - - return; -} - -/* - * Print a message when phase 1 SA goes down - */ -void -print_ph1down(buf, len) - caddr_t buf; - int len; -{ - struct evtdump *evtdump = (struct evtdump *)buf; - - if (evtdump->type != EVTT_PHASE1_DOWN) - return; - - printf("VPN connexion terminated\n"); - - if (evt_filter & EVTF_PH1DOWN_STOP) - evt_filter &= ~EVTF_LOOP; - - return; -} - -/* - * Print ISAKMP mode config info (IP and banner) - */ -void -print_cfg(buf, len) - caddr_t buf; - int len; -{ - struct evtdump *evtdump = (struct evtdump *)buf; - struct isakmp_data *attr; - char *banner = NULL; - struct in_addr addr4; - - memset(&addr4, 0, sizeof(addr4)); - - if (evtdump->type != EVTT_ISAKMP_CFG_DONE && - evtdump->type != EVTT_NO_ISAKMP_CFG) - return; - - len -= sizeof(*evtdump); - attr = (struct isakmp_data *)(evtdump + 1); - - while (len > 0) { - if (len < sizeof(*attr)) { - printf("short attribute too short\n"); - break; - } - - if ((ntohs(attr->type) & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { - /* Short attribute, skip */ - len -= sizeof(*attr); - attr++; - } else { /* Long attribute */ - char *n; - - if (len < (sizeof(*attr) + ntohs(attr->lorv))) { - printf("long attribute too long\n"); - break; - } - - switch (ntohs(attr->type) & ~ISAKMP_GEN_MASK) { - case INTERNAL_IP4_ADDRESS: - if (ntohs(attr->lorv) < sizeof(addr4)) { - printf("addr4 attribute too short\n"); - break; - } - memcpy(&addr4, attr + 1, sizeof(addr4)); - break; - - case UNITY_BANNER: - banner = racoon_malloc(ntohs(attr->lorv) + 1); - if (banner == NULL) { - printf("malloc failed\n"); - break; - } - memcpy(banner, attr + 1, 
ntohs(attr->lorv)); - banner[ntohs(attr->lorv)] = '\0'; - break; - - default: - break; - } - - len -= (sizeof(*attr) + ntohs(attr->lorv)); - n = (char *)attr; - attr = (struct isakmp_data *) - (n + sizeof(*attr) + ntohs(attr->lorv)); - } - } - - if (evtdump->type == EVTT_ISAKMP_CFG_DONE) - printf("Bound to address %s\n", inet_ntoa(addr4)); - else - printf("VPN connexion established\n"); - - if (banner) { - struct winsize win; - int col = 0; - int i; - - if (ioctl(1, TIOCGWINSZ, &win) != 1) - col = win.ws_col; - - for (i = 0; i < col; i++) - printf("%c", '='); - printf("\n%s\n", banner); - for (i = 0; i < col; i++) - printf("%c", '='); - printf("\n"); - racoon_free(banner); - } - - if (evt_filter & EVTF_CFG_STOP) - evt_filter &= ~EVTF_LOOP; - - return; -} - - -char * -fixed_addr(addr, port, len) - char *addr, *port; - int len; -{ - static char _addr_buf_[BUFSIZ]; - char *p; - int plen, i; - - /* initialize */ - memset(_addr_buf_, ' ', sizeof(_addr_buf_)); - - plen = strlen(port); - if (len < plen + 1) - return NULL; - - p = _addr_buf_; - for (i = 0; i < len - plen - 1 && addr[i] != '\0'; /*noting*/) - *p++ = addr[i++]; - *p++ = '.'; - - for (i = 0; i < plen && port[i] != '\0'; /*noting*/) - *p++ = port[i++]; - - _addr_buf_[len] = '\0'; - - return _addr_buf_; -} - -static int -handle_recv(combuf) - vchar_t *combuf; -{ - struct admin_com h, *com; - caddr_t buf; - int len; - - com = (struct admin_com *)combuf->v; - len = com->ac_len - sizeof(*com); - buf = combuf->v + sizeof(*com); - - switch (com->ac_cmd) { - case ADMIN_SHOW_SCHED: - print_schedule(buf, len); - break; - - case ADMIN_SHOW_EVT: { - struct evtdump *evtdump; - - /* We got no event */ - if (len == 0) { - /* If we were purging the queue, it is now done */ - if (evt_filter & EVTF_PURGE) - evt_filter &= ~EVTF_PURGE; - break; - } - - if (len < sizeof(struct evtdump)) - errx(1, "Short buffer\n"); - - /* Toss outdated events */ - evtdump = (struct evtdump *)buf; - if (evtdump->timestamp < evt_start) - break; - - 
if (evt_filter & EVTF_ALL) - print_evt(buf, len); - if (evt_filter & EVTF_ERR) - print_err(buf, len); - if (evt_filter & EVTF_CFG) - print_cfg(buf, len); - if (evt_filter & EVTF_PH1DOWN) - print_ph1down(buf, len); - break; - } - - case ADMIN_SHOW_SA: - { - switch (com->ac_proto) { - case ADMIN_PROTO_ISAKMP: - dump_isakmp_sa(buf, len); - break; - case ADMIN_PROTO_IPSEC: - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - { - struct sadb_msg *msg = (struct sadb_msg *)buf; - - switch (msg->sadb_msg_errno) { - case ENOENT: - switch (msg->sadb_msg_type) { - case SADB_DELETE: - case SADB_GET: - printf("No entry.\n"); - break; - case SADB_DUMP: - printf("No SAD entries.\n"); - break; - } - break; - case 0: - while (1) { - pfkey_sadump(msg); - if (msg->sadb_msg_seq == 0) - break; - msg = (struct sadb_msg *)((caddr_t)msg + - PFKEY_UNUNIT64(msg->sadb_msg_len)); - } - break; - default: - printf("%s.\n", strerror(msg->sadb_msg_errno)); - } - } - break; - case ADMIN_PROTO_INTERNAL: - dump_internal(buf, len); - break; - default: - printf("Invalid proto [%d]\n", com->ac_proto); - } - - } - break; - - default: - /* IGNORE */ - break; - } - - close(so); - return 0; - - bad: - close(so); - return -1; -} diff --git a/ipsec-tools/racoon/racoonctl.h b/ipsec-tools/racoon/racoonctl.h deleted file mode 100644 index d507213..0000000 --- a/ipsec-tools/racoon/racoonctl.h +++ /dev/null 
@@ -1,53 +0,0 @@ -/* $NetBSD: racoonctl.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */ - -/* Id: racoonctl.h,v 1.3 2005/06/19 22:37:47 manubsd Exp */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifndef _RACOONCTL_H -#define _RACOONCTL_H - -/* bumped on any change to the interface */ -#define RACOONCTL_INTERFACE 20050619 -extern u_int32_t racoonctl_interface; - -/* bumped when introducing changes that break backward compatibility */ -#define RACOONCTL_INTERFACE_MAJOR 1 -extern u_int32_t racoonctl_interface_major; - -extern u_int32_t loglevel; - -int com_init(void); -int com_send(vchar_t *); -int com_recv(vchar_t **); -struct sockaddr *get_sockaddr(int, char *, char *); - -#endif /* _RACOONCTL_H */ - diff --git a/ipsec-tools/racoon/remoteconf.c b/ipsec-tools/racoon/remoteconf.c index 7e97356..09139c6 100644 --- a/ipsec-tools/racoon/remoteconf.c +++ b/ipsec-tools/racoon/remoteconf.c @@ -83,10 +83,6 @@ static TAILQ_HEAD(_rmtree, remoteconf) rmtree; -/* - * Script hook names and script hook paths - */ -char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" }; /*%%%*/ /* @@ -139,7 +135,7 @@ getrmconf_strict(remote, allow_anon) break; default: - plog(LLV_ERROR2, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid ip address family: %d\n", remote->ss_family); return NULL; } @@ -155,21 +151,15 @@ getrmconf_strict(remote, allow_anon) } TAILQ_FOREACH(p, &rmtree, chain) { - if (p->to_delete || p->to_remove) { - continue; - } - if (remote->ss_family == AF_UNSPEC && remote->ss_family == p->remote->ss_family) { - plog(LLV_DEBUG, LOCATION, NULL, - "configuration found for %s.\n", buf); + plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf); return p; } if (p->remote_prefix == 0) { if ((!withport && cmpsaddrwop(remote, p->remote) == 0) || (withport && cmpsaddrstrict(remote, p->remote) == 0)) { - plog(LLV_DEBUG, LOCATION, NULL, - "configuration found for %s.\n", buf); + plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf); return p; } else if (withport && cmpsaddrwop(remote, p->remote) == 0) { // for withport: save the pointer for the best-effort search 
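Review bot: With the `if (p->to_delete || p->to_remove) continue;` skip gone, getrmconf_strict hands back the list's own pointer without taking a reference, so a caller that keeps the result across a later release_rmconf() or flushrmconf() by another holder is left with a freed entry; the old flags deferred deletion while a phase 1 was linked, the new refcount scheme only protects holders that call retain_rmconf() themselves. I would state that contract at the TAILQ_FOREACH, e.g. `/* Returns a borrowed pointer; callers that store it must retain_rmconf() it. */`, or have the function retain before every `return p;` if all callers are being changed to release. The function's signature and the prefix/anonymous fallbacks lie outside this hunk, so the same applies to those returns.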
@@ -196,27 +186,24 @@ getrmconf_strict(remote, allow_anon) } if (p_withport_besteffort) { - plog(LLV_DEBUG, LOCATION, NULL, - "configuration found for %s.\n", buf); + plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf); return p_withport_besteffort; } if (p_with_prefix) { - plog(LLV_DEBUG, LOCATION, NULL, - "configuration found for %s.\n", buf); + plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf); return p_with_prefix; } if (p_with_prefix_besteffort) { - plog(LLV_DEBUG, LOCATION, NULL, - "configuration found for %s.\n", buf); + plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf); return p_with_prefix_besteffort; } if (allow_anon && anon != NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "anonymous configuration selected for %s.\n", buf); return anon; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "no remote configuration found.\n"); return NULL; @@ -260,56 +247,23 @@ getrmconf(remote) return getrmconf_strict(remote, 1); } -int -link_rmconf_to_ph1 (struct remoteconf *new) -{ - if (!new) { - return(-1); - } - if (new->to_delete || - new->to_remove) { - return(-1); - } - new->linked_to_ph1++; - return(0); -} - -int -unlink_rmconf_from_ph1 (struct remoteconf *old) -{ - if (!old) { - return(-1); - } - if (old->linked_to_ph1 <= 0) { - return(-1); - } - old->linked_to_ph1--; - if (old->linked_to_ph1 == 0) { - if (old->to_remove) { - remrmconf(old); - } - if (old->to_delete) { - delrmconf(old); - } - } - return(0); -} - struct remoteconf * -newrmconf() +create_rmconf() { struct remoteconf *new; - int i; new = racoon_calloc(1, sizeof(*new)); if (new == NULL) return NULL; + new->refcount = 1; + new->in_list = 0; new->proposal = NULL; /* set default */ new->doitype = IPSEC_DOI; new->sittype = IPSECDOI_SIT_IDENTITY_ONLY; + new->ike_version = ISAKMP_VERSION_NUMBER_IKEV1; new->idvtype = IDTYPE_UNDEFINED; new->idvl_p = genlist_init(); new->nonce_size = DEFAULT_NONCE_SIZE; 
@@ -322,24 +276,17 @@ newrmconf() new->verify_identifier = FALSE; new->verify_cert = TRUE; new->getcert_method = ISAKMP_GETCERT_PAYLOAD; - new->getcacert_method = ISAKMP_GETCERT_LOCALFILE; new->cacerttype = ISAKMP_CERT_X509SIGN; new->certtype = ISAKMP_CERT_NONE; - new->cacertfile = NULL; new->send_cert = TRUE; new->send_cr = TRUE; new->support_proxy = FALSE; - for (i = 0; i <= SCRIPT_MAX; i++) - new->script[i] = NULL; new->gen_policy = FALSE; new->retry_counter = lcconf->retry_counter; new->retry_interval = lcconf->retry_interval; new->nat_traversal = NATT_ON; new->natt_multiple_user = FALSE; new->natt_keepalive = TRUE; - new->to_remove = FALSE; - new->to_delete = FALSE; - new->linked_to_ph1 = 0; new->idv = NULL; new->key = NULL; @@ -360,14 +307,13 @@ newrmconf() } struct remoteconf * -copyrmconf(remote) - struct sockaddr_storage *remote; +copyrmconf(struct sockaddr_storage *remote) { struct remoteconf *new, *old; old = getrmconf_strict (remote, 0); if (old == NULL) { - plog (LLV_ERROR, LOCATION, NULL, + plog (ASL_LEVEL_ERR, "Remote configuration for '%s' not found!\n", saddr2str((struct sockaddr *)remote)); return NULL; @@ -379,9 +325,7 @@ copyrmconf(remote) } void * -dupidvl(entry, arg) - void *entry; - void *arg; +dupidvl(void *entry, void *arg) { struct idspec *id; struct idspec *old = (struct idspec *) entry; 
@@ -400,38 +344,32 @@ dupidvl(entry, arg) } struct remoteconf * -duprmconf (rmconf) - struct remoteconf *rmconf; +duprmconf (struct remoteconf *rmconf) { - struct remoteconf *new; - int i; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - memcpy (new, rmconf, sizeof (*new)); - // FIXME: We should duplicate remote, proposal, etc. - // This is now handled in the cfparse.y - // new->proposal = ...; - - // zero-out pointers - new->remote = NULL; - new->keychainCertRef = NULL; /* peristant keychain ref for cert */ - new->shared_secret = NULL; /* shared secret */ - new->open_dir_auth_group = NULL; /* group to be used to authorize user */ - new->proposal = NULL; - new->cacertfile = NULL; - for (i = 0; i <= SCRIPT_MAX; i++) - new->script[i] = NULL; - new->to_remove = FALSE; - new->to_delete = FALSE; - new->linked_to_ph1 = 0; - new->idv = NULL; - new->key = NULL; + struct remoteconf *new; + + new = racoon_calloc(1, sizeof(*new)); + if (new == NULL) + return NULL; + memcpy (new, rmconf, sizeof (*new)); + // FIXME: We should duplicate remote, proposal, etc. + // This is now handled in the cfparse.y + // new->proposal = ...; + + // zero-out pointers + new->remote = NULL; + new->keychainCertRef = NULL; /* peristant keychain ref for cert */ + new->shared_secret = NULL; /* shared secret */ + new->open_dir_auth_group = NULL; /* group to be used to authorize user */ + new->proposal = NULL; + new->in_list = 0; + new->refcount = 1; + new->idv = NULL; + new->key = NULL; #ifdef ENABLE_HYBRID - new->xauth = NULL; + new->xauth = NULL; #endif - + /* duplicate dynamic structures */ if (new->etypes) new->etypes=dupetypes(new->etypes); @@ -478,13 +416,8 @@ proposalspec_free(struct proposalspec *head) } void -delrmconf(rmconf) - struct remoteconf *rmconf; +delrmconf(struct remoteconf *rmconf) { - if (rmconf->linked_to_ph1) { - rmconf->to_delete = TRUE; - return; - } if (rmconf->remote) racoon_free(rmconf->remote); #ifdef ENABLE_HYBRID 
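Review bot: After `memcpy (new, rmconf, sizeof (*new));` the copy still carries the original's `eap_types`, `eap_options` and `ikev2_cfg_request` pointers, yet the rewritten "zero-out pointers" list only resets `in_list` and `refcount`; the delrmconf hunk in this same file now CFRelease()s both dictionaries and calls deletypes() on the list, so deleting the original and the duplicate releases each of them twice. Unless the tail of duprmconf, which continues past this hunk, already handles them, they should be treated like the other pointer fields here: `new->eap_types = NULL;`, `new->eap_options = NULL;`, `new->ikev2_cfg_request = NULL;` (or CFRetain()/dupetypes() if the copy is meant to own its own references).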
@@ -503,14 +436,6 @@ delrmconf(rmconf) oakley_dhgrp_free(rmconf->dhgrp); if (rmconf->proposal) delisakmpsa(rmconf->proposal); - if (rmconf->mycertfile) - racoon_free(rmconf->mycertfile); - if (rmconf->myprivfile) - racoon_free(rmconf->myprivfile); - if (rmconf->peerscertfile) - racoon_free(rmconf->peerscertfile); - if (rmconf->cacertfile) - racoon_free(rmconf->cacertfile); if (rmconf->prhead) proposalspec_free(rmconf->prhead); if (rmconf->shared_secret) @@ -519,28 +444,29 @@ delrmconf(rmconf) vfree(rmconf->keychainCertRef); if (rmconf->open_dir_auth_group) vfree(rmconf->open_dir_auth_group); + + if (rmconf->eap_options) + CFRelease(rmconf->eap_options); + if (rmconf->eap_types) + deletypes(rmconf->eap_types); + if (rmconf->ikev2_cfg_request) + CFRelease(rmconf->ikev2_cfg_request); racoon_free(rmconf); } void -delisakmpsa(sa) - struct isakmpsa *sa; +delisakmpsa(struct isakmpsa *sa) { if (sa->dhgrp) oakley_dhgrp_free(sa->dhgrp); if (sa->next) delisakmpsa(sa->next); -#ifdef HAVE_GSSAPI - if (sa->gssid) - vfree(sa->gssid); -#endif racoon_free(sa); } struct etypes * -dupetypes(orig) - struct etypes *orig; +dupetypes(struct etypes *orig) { struct etypes *new; @@ -561,8 +487,7 @@ dupetypes(orig) } void -deletypes(e) - struct etypes *e; +deletypes(struct etypes *e) { if (e->next) deletypes(e->next); 
@@ -573,21 +498,33 @@ deletypes(e) * insert into head of list. */ void -insrmconf(new) - struct remoteconf *new; +insrmconf(struct remoteconf *new) { TAILQ_INSERT_HEAD(&rmtree, new, chain); + new->in_list = 1; } void -remrmconf(rmconf) - struct remoteconf *rmconf; +remrmconf(struct remoteconf *rmconf) { - if (rmconf->linked_to_ph1) { - rmconf->to_remove = TRUE; - return; - } - TAILQ_REMOVE(&rmtree, rmconf, chain); + if (rmconf->in_list) + TAILQ_REMOVE(&rmtree, rmconf, chain); + rmconf->in_list = 0; +} + +void +retain_rmconf(struct remoteconf *rmconf) +{ + (rmconf->refcount)++; +} + +void +release_rmconf(struct remoteconf *rmconf) +{ + if (--(rmconf->refcount) <= 0) { + remrmconf(rmconf); + delrmconf(rmconf); + } } void @@ -598,7 +535,8 @@ flushrmconf() for (p = TAILQ_FIRST(&rmtree); p; p = next) { next = TAILQ_NEXT(p, chain); remrmconf(p); - delrmconf(p); + if (--(p->refcount) <= 0) + delrmconf(p); } } @@ -610,9 +548,7 @@ initrmconf() /* check exchange type to be acceptable */ struct etypes * -check_etypeok(rmconf, etype) - struct remoteconf *rmconf; - u_int8_t etype; +check_etypeok(struct remoteconf *rmconf, u_int8_t etype) { struct etypes *e; @@ -642,9 +578,6 @@ newisakmpsa() new->next = NULL; new->rmconf = NULL; -#ifdef HAVE_GSSAPI - new->gssid = NULL; -#endif return new; } @@ -653,9 +586,7 @@ newisakmpsa() * insert into tail of list. */ void -insisakmpsa(new, rmconf) - struct isakmpsa *new; - struct remoteconf *rmconf; +insisakmpsa(struct isakmpsa *new, struct remoteconf *rmconf) { struct isakmpsa *p; @@ -697,7 +628,7 @@ dump_peers_identifiers (void *entry, void *arg) s_idtype (id->idtype)); if (id->id) pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", id->id->v); - plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf); + plog(ASL_LEVEL_INFO, "%s;\n", buf); return NULL; } 
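Review bot: The ownership rule behind the new `refcount` is never written down, and it is easy to get wrong: create_rmconf starts at 1, insrmconf sets `in_list` but does not retain, flushrmconf drops that initial reference with an inline `if (--(p->refcount) <= 0) delrmconf(p);`, while release_rmconf additionally unlinks on reaching zero. A holder that got the entry from getrmconf and calls release_rmconf without a prior retain_rmconf therefore frees the list's entry, and a refcount that is already 0 or negative is silently accepted. I would add above retain_rmconf `/* create_rmconf returns a +1 reference that the list takes over on insrmconf; every other holder pairs retain_rmconf/release_rmconf. */` and annotate the flushrmconf decrement as dropping the list's reference; the replaced link_rmconf_to_ph1/unlink_rmconf_from_ph1 also rejected NULL and an underflowed count, which retain_rmconf/release_rmconf do not.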
@@ -717,7 +648,7 @@ dump_rmconf_single (struct remoteconf *p, void *data) if (p->inherited_from) pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s", saddr2str((struct sockaddr *)p->inherited_from->remote)); - plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf); + plog(ASL_LEVEL_INFO, "%s {\n", buf); pbuf = buf; pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type "); while (etype) { 
@@ -725,90 +656,83 @@ dump_rmconf_single (struct remoteconf *p, void *data) etype->next != NULL ? ", " : ";\n"); etype = etype->next; } - plog(LLV_INFO, LOCATION, NULL, "%s", buf); - plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype)); + plog(ASL_LEVEL_INFO, "%s", buf); + plog(ASL_LEVEL_INFO, "\tdoi %s;\n", s_doi(p->doitype)); pbuf = buf; pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\tmy_identifier %s", s_idtype (p->idvtype)); if (p->idvtype == IDTYPE_ASN1DN) { - plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf); - plog(LLV_INFO, LOCATION, NULL, "\tcertificate_type %s \"%s\" \"%s\";\n", - p->certtype == ISAKMP_CERT_X509SIGN ? "x509" : "*UNKNOWN*", - p->mycertfile, p->myprivfile); + plog(ASL_LEVEL_INFO, "%s;\n", buf); switch (p->getcert_method) { case 0: break; case ISAKMP_GETCERT_PAYLOAD: - plog(LLV_INFO, LOCATION, NULL, "\t/* peers certificate from payload */\n"); - break; - case ISAKMP_GETCERT_LOCALFILE: - plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile \"%s\";\n", p->peerscertfile); - break; - case ISAKMP_GETCERT_DNS: - plog(LLV_INFO, LOCATION, NULL, "\tpeer_certfile dnssec;\n"); + plog(ASL_LEVEL_INFO, "\t/* peers certificate from payload */\n"); break; default: - plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method); + plog(ASL_LEVEL_INFO, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method); } } else { if (p->idv) pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", p->idv->v); - plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf); + plog(ASL_LEVEL_INFO, "%s;\n", buf); genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL); } - plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n", + plog(ASL_LEVEL_INFO, "\tsend_cert %s;\n", s_switch (p->send_cert)); - plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n", + plog(ASL_LEVEL_INFO, "\tsend_cr %s;\n", s_switch (p->send_cr)); - plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n", + plog(ASL_LEVEL_INFO, "\tverify_cert %s;\n", s_switch (p->verify_cert)); - 
plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n", + plog(ASL_LEVEL_INFO, "\tverify_identifier %s;\n", s_switch (p->verify_identifier)); - plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n", + plog(ASL_LEVEL_INFO, "\tnat_traversal %s;\n", p->nat_traversal == NATT_FORCE ? "force" : s_switch (p->nat_traversal)); - plog(LLV_INFO, LOCATION, NULL, "\tnatt_multiple_user %s;\n", + plog(ASL_LEVEL_INFO, "\tnatt_multiple_user %s;\n", s_switch (p->natt_multiple_user)); - plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n", + plog(ASL_LEVEL_INFO, "\tnonce_size %d;\n", p->nonce_size); - plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n", + plog(ASL_LEVEL_INFO, "\tpassive %s;\n", s_switch (p->passive)); - plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n", + plog(ASL_LEVEL_INFO, "\tike_frag %s;\n", p->ike_frag == ISAKMP_FRAG_FORCE ? "force" : s_switch (p->ike_frag)); - plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag); - plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n", + plog(ASL_LEVEL_INFO, "\tesp_frag %d;\n", p->esp_frag); + plog(ASL_LEVEL_INFO, "\tinitial_contact %s;\n", s_switch (p->ini_contact)); - plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n", + plog(ASL_LEVEL_INFO, "\tgenerate_policy %s;\n", s_switch (p->gen_policy)); - plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n", + plog(ASL_LEVEL_INFO, "\tsupport_proxy %s;\n", s_switch (p->support_proxy)); while (prop) { - plog(LLV_INFO, LOCATION, NULL, "\n"); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "\n"); + plog(ASL_LEVEL_INFO, "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n", prop->prop_no, prop->trns_no, saddr2str((struct sockaddr *)prop->rmconf->remote)); - plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n"); - plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n", + plog(ASL_LEVEL_INFO, "\tproposal {\n"); + plog(ASL_LEVEL_INFO, "\t\tlifetime time %lu sec;\n", (long)prop->lifetime); - plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n", + 
plog(ASL_LEVEL_INFO, "\t\tlifetime bytes %zd;\n", prop->lifebyte); - plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n", + plog(ASL_LEVEL_INFO, "\t\tdh_group %s;\n", alg_oakley_dhdef_name(prop->dh_group)); - plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n", + plog(ASL_LEVEL_INFO, "\t\tencryption_algorithm %s;\n", alg_oakley_encdef_name(prop->enctype)); - plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n", + plog(ASL_LEVEL_INFO, "\t\thash_algorithm %s;\n", alg_oakley_hashdef_name(prop->hashtype)); - plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n", + plog(ASL_LEVEL_INFO, "\t\tprf_algorithm %s;\n", + alg_oakley_hashdef_name(prop->prf)); + plog(ASL_LEVEL_INFO, "\t\tauthentication_method %s;\n", alg_oakley_authdef_name(prop->authmethod)); - plog(LLV_INFO, LOCATION, NULL, "\t}\n"); + plog(ASL_LEVEL_INFO, "\t}\n"); prop = prop->next; } - plog(LLV_INFO, LOCATION, NULL, "}\n"); - plog(LLV_INFO, LOCATION, NULL, "\n"); + plog(ASL_LEVEL_INFO, "}\n"); + plog(ASL_LEVEL_INFO, "\n"); return NULL; } @@ -832,38 +756,6 @@ newidspec() return new; } -vchar_t * -script_path_add(path) - vchar_t *path; -{ - char *script_dir; - vchar_t *new_path; - size_t len; - - script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT]; - - /* Try to find the script in the script directory */ - if ((path->v[0] != '/') && (script_dir != NULL)) { - len = strlen(script_dir) + sizeof("/") + path->l + 1; - - if ((new_path = vmalloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return NULL; - } - - new_path->v[0] = '\0'; - (void)strlcat(new_path->v, script_dir, new_path->l); - (void)strlcat(new_path->v, "/", new_path->l); - (void)strlcat(new_path->v, path->v, new_path->l); - - vfree(path); - path = new_path; - } - - return path; -} - struct isakmpsa * dupisakmpsa(struct isakmpsa *sa) 
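Review bot: Of the fields this commit adds to struct isakmpsa (`version`, `lifetimegap`, `prf`, `prfklen`) only `prf` is dumped, through `alg_oakley_hashdef_name(prop->prf)`, and the remoteconf's new `ike_version` is not printed either, so the configuration dump no longer reflects the IKEv2 settings it is meant to help debug; if `prf` is an Oakley hash id as the call implies, a `prf_key_length %d` line for `prfklen` would at least complete the pair. Two context lines on the new side also have format mismatches worth fixing while here: `"\t\tlifetime time %lu sec;\n", (long)prop->lifetime` passes a signed long to `%lu`, and `"\t\tlifetime bytes %zd;\n", prop->lifebyte` prints a `size_t` with `%zd` rather than `%zu`.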
@@ -878,9 +770,6 @@ dupisakmpsa(struct isakmpsa *sa) return NULL; *res = *sa; -#ifdef HAVE_GSSAPI - res->gssid=vdup(sa->gssid); -#endif res->next=NULL; if (sa->dhgrp != NULL) diff --git a/ipsec-tools/racoon/remoteconf.h b/ipsec-tools/racoon/remoteconf.h index f1b556a..aef7e76 100644 --- a/ipsec-tools/racoon/remoteconf.h +++ b/ipsec-tools/racoon/remoteconf.h @@ -46,6 +46,7 @@ #include "algorithm.h" + struct proposalspec { time_t lifetime; /* for isakmp/ipsec */ int lifebyte; /* for isakmp/ipsec */ @@ -87,11 +88,6 @@ enum { DPD_ALGO_MAX, }; -/* Script hooks */ -#define SCRIPT_PHASE1_UP 0 -#define SCRIPT_PHASE1_DOWN 1 -#define SCRIPT_MAX 1 -extern char *script_names[SCRIPT_MAX + 1]; struct remoteconf { struct sockaddr_storage *remote; /* remote IP address */ @@ -116,13 +112,8 @@ struct remoteconf { vchar_t *open_dir_auth_group; /* group to be used to authorize user */ int certtype; /* certificate type if need */ - char *mycertfile; /* file name of my certificate */ - char *myprivfile; /* file name of my private key file */ - char *peerscertfile; /* file name of peer's certifcate */ int getcert_method; /* the way to get peer's certificate */ int cacerttype; /* CA type is needed */ - char *cacertfile; /* file name of CA */ - int getcacert_method; /* the way to get the CA */ int send_cert; /* send to CERT or not */ int send_cr; /* send to CR or not */ int verify_cert; /* verify a CERT strictly */ @@ -144,7 +135,6 @@ struct remoteconf { int nat_traversal; /* NAT-Traversal */ int natt_multiple_user; /* special handling of multiple users behind a nat - for VPN server */ int natt_keepalive; /* do we need to send natt keep alive */ - vchar_t *script[SCRIPT_MAX + 1]; /* script hooks paths */ int dh_group; /* use it when only aggressive mode */ struct dhgroup *dhgrp; /* use it when only aggressive mode */ /* above two can't be defined by user*/ 
@@ -174,10 +164,15 @@ struct remoteconf { #ifdef ENABLE_HYBRID struct xauth_rmconf *xauth; #endif - int initiate_ph1rekey; - int to_remove; - int to_delete; - int linked_to_ph1; + int initiate_ph1rekey; + int in_list; // in the linked list + int refcount; // ref count - in use + int ike_version; + + // IKEV2 configs + struct etypes *eap_types; + CFDictionaryRef eap_options; + CFDictionaryRef ikev2_cfg_request; TAILQ_ENTRY(remoteconf) chain; /* next remote conf */ }; @@ -186,20 +181,21 @@ struct dhgroup; /* ISAKMP SA specification */ struct isakmpsa { + int version; int prop_no; int trns_no; time_t lifetime; + time_t lifetimegap; size_t lifebyte; int enctype; int encklen; int authmethod; int hashtype; int vendorid; -#ifdef HAVE_GSSAPI - vchar_t *gssid; -#endif - int dh_group; /* don't use it if aggressive mode */ + int dh_group; /* don't use it if aggressive mode */ struct dhgroup *dhgrp; /* don't use it if aggressive mode */ + int prf; + int prfklen; struct isakmpsa *next; /* next transform */ struct remoteconf *rmconf; /* backpointer to remoteconf */ 
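Review bot: The comment on `refcount` (`// ref count - in use`) does not say who owns the initial reference or that reaching zero both unlinks and frees the entry, and `eap_types`, `eap_options` and `ikev2_cfg_request` carry no comment at all although delrmconf now deletypes()/CFRelease()s them, i.e. the struct owns them. Since the surrounding fields all document ownership in trailing comments, I would match that: `int refcount; /* +1 from create_rmconf (owned by the list after insrmconf); retain_rmconf/release_rmconf */`, `struct etypes *eap_types; /* owned; freed by delrmconf */`, `CFDictionaryRef eap_options; /* owned (+1); released by delrmconf */`. The CFDictionaryRef type presumably comes from a CoreFoundation include outside this hunk; worth confirming the header still compiles standalone.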
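Review bot: In the struct isakmpsa hunk the new members `version`, `lifetimegap`, `prf` and `prfklen` are the only ones without a trailing comment, and their units and meaning are not obvious (is `lifetimegap` seconds, and is `prf` an Oakley hash id as the dump code's use of alg_oakley_hashdef_name suggests?). I would document them inline in the existing style, e.g. `time_t lifetimegap; /* seconds; TODO confirm relation to lifetime */`, `int prf; /* PRF algorithm id (IKEv2) */`, `int prfklen; /* PRF key length (IKEv2) */`, and note on `version` which ISAKMP_VERSION_NUMBER_* value it holds.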
@@ -210,42 +206,38 @@ struct idspec { vchar_t *id; /* identifier */ }; -typedef struct remoteconf * (rmconf_func_t)(struct remoteconf *rmconf, void *data); +typedef struct remoteconf *(rmconf_func_t) (struct remoteconf *rmconf, void *data); -extern struct remoteconf *getrmconf __P((struct sockaddr_storage *)); +extern struct remoteconf *getrmconf (struct sockaddr_storage *); extern struct remoteconf *getrmconf_strict - __P((struct sockaddr_storage *remote, int allow_anon)); - -extern int link_rmconf_to_ph1 __P((struct remoteconf *)); -extern int unlink_rmconf_from_ph1 __P((struct remoteconf *)); -extern int no_remote_configs __P((int)); -extern struct remoteconf *copyrmconf __P((struct sockaddr_storage *)); -extern struct remoteconf *newrmconf __P((void)); -extern struct remoteconf *duprmconf __P((struct remoteconf *)); -extern void delrmconf __P((struct remoteconf *)); -extern void delisakmpsa __P((struct isakmpsa *)); -extern void deletypes __P((struct etypes *)); -extern struct etypes * dupetypes __P((struct etypes *)); -extern void insrmconf __P((struct remoteconf *)); -extern void remrmconf __P((struct remoteconf *)); -extern void flushrmconf __P((void)); -extern void initrmconf __P((void)); + (struct sockaddr_storage *remote, int allow_anon); + +extern int no_remote_configs (int); +extern struct remoteconf *copyrmconf (struct sockaddr_storage *); +extern struct remoteconf *create_rmconf (void); +extern void retain_rmconf(struct remoteconf *); +extern void release_rmconf(struct remoteconf *); +extern struct remoteconf *duprmconf (struct remoteconf *); +extern void delrmconf (struct remoteconf *); +extern void delisakmpsa (struct isakmpsa *); +extern void deletypes (struct etypes *); +extern struct etypes * dupetypes (struct etypes *); +extern void insrmconf (struct remoteconf *); +extern void remrmconf (struct remoteconf *); +extern void flushrmconf (void); +extern void initrmconf (void); extern struct etypes *check_etypeok - __P((struct remoteconf *, 
u_int8_t)); -extern struct remoteconf *foreachrmconf __P((rmconf_func_t rmconf_func, - void *data)); - -extern struct isakmpsa *newisakmpsa __P((void)); -extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *)); - -extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *)); + (struct remoteconf *, u_int8_t); +extern struct remoteconf *foreachrmconf (rmconf_func_t rmconf_func, + void *data); -extern void dumprmconf __P((void)); +extern struct isakmpsa *newisakmpsa (void); +extern struct isakmpsa *dupisakmpsa (struct isakmpsa *); -extern struct idspec *newidspec __P((void)); +extern void insisakmpsa (struct isakmpsa *, struct remoteconf *); -extern vchar_t *script_path_add __P((vchar_t *)); +extern void dumprmconf (void); -extern void rsa_key_free __P((void *entry)); +extern struct idspec *newidspec (void); #endif /* _REMOTECONF_H */ diff --git a/ipsec-tools/racoon/rsalist.c b/ipsec-tools/racoon/rsalist.c deleted file mode 100644 index 850aa4c..0000000 --- a/ipsec-tools/racoon/rsalist.c +++ /dev/null 
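Review bot: The new `retain_rmconf`/`release_rmconf` declarations are written `name(args)` while every other prototype in this block was just rewritten as `name (args)`, so one commit leaves the header with two spacings; `extern void retain_rmconf (struct remoteconf *);` and `extern void release_rmconf (struct remoteconf *);` match their neighbours. Since `delrmconf` stays exported next to them, a short comment on the pair stating the contract — which calls hand out a count (`create_rmconf`, `retain_rmconf`) and that `release_rmconf` frees at zero — would save callers a trip into remoteconf.c and make it clear when direct `delrmconf` is still legitimate.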
@@ -1,216 +0,0 @@ -/* $NetBSD: rsalist.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */ - -/* Id: rsalist.c,v 1.3 2004/11/08 12:04:23 ludvigm Exp */ - -/* - * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany. - * Contributed by: Michal Ludvig , SUSE Labs - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "config.h" - -#include -#include - -#include -#include -#include -#include - -#include -#include - -#include "misc.h" -#include "plog.h" -#include "sockmisc.h" -#include "rsalist.h" -#include "genlist.h" -#include "remoteconf.h" -#include "crypto_openssl.h" - -#ifndef LIST_FIRST -#define LIST_FIRST(head) ((head)->lh_first) -#endif - -#ifndef LIST_NEXT -#define LIST_NEXT(elm, field) ((elm)->field.le_next) -#endif - -/* from prsa_tok.l */ -int prsa_parse_file(struct genlist *list, const char *fname, enum rsa_key_type type); - -int -rsa_key_insert(struct genlist *list, struct netaddr *src, - struct netaddr *dst, RSA *rsa) -{ - struct rsa_key *rsa_key; - - rsa_key = calloc(sizeof(struct rsa_key), 1); - rsa_key->rsa = rsa; - - if (src) - rsa_key->src = src; - else - rsa_key->src = calloc(sizeof(*rsa_key->src), 1); - - if (dst) - rsa_key->dst = dst; - else - rsa_key->dst = calloc(sizeof(*rsa_key->dst), 1); - - genlist_append(list, rsa_key); - - return 0; -} - -static void * -rsa_key_dump_one(void *entry, void *arg) -{ - struct rsa_key *key = entry; - - plog(LLV_DEBUG, LOCATION, NULL, "Entry %s\n", - naddrwop2str_fromto("%s -> %s", key->src, - key->dst)); - if (loglevel > LLV_DEBUG) - RSA_print_fp(stdout, key->rsa, 4); - - return NULL; -} - -void -rsa_key_dump(struct genlist *list) -{ - genlist_foreach(list, rsa_key_dump_one, NULL); -} - -static void * -rsa_list_count_one(void *entry, void *arg) -{ - if (arg) - (*(unsigned long *)arg)++; - return NULL; -} - -unsigned long -rsa_list_count(struct genlist *list) -{ - unsigned long count = 0; - genlist_foreach(list, rsa_list_count_one, &count); - return count; -} - -struct lookup_result { - struct ph1handle *iph1; - int max_score; - struct genlist *winners; -}; - -static void * -rsa_lookup_key_one(void *entry, void *data) -{ - int local_score, remote_score; - struct lookup_result *req = data; - struct rsa_key *key = entry; - - local_score = naddr_score(key->src, req->iph1->local); - remote_score = 
naddr_score(key->dst, req->iph1->remote); - - plog(LLV_DEBUG, LOCATION, NULL, "Entry %s scored %d/%d\n", - naddrwop2str_fromto("%s -> %s", key->src, key->dst), - local_score, remote_score); - - if (local_score >= 0 && remote_score >= 0) { - if (local_score + remote_score > req->max_score) { - req->max_score = local_score + remote_score; -// genlist_free(req->winners, NULL); - } - - if (local_score + remote_score >= req->max_score) { - genlist_append(req->winners, key); - } - } - - /* Always traverse the whole list */ - return NULL; -} - -struct genlist * -rsa_lookup_keys(struct ph1handle *iph1, int my) -{ - struct genlist *list; - struct lookup_result r; - - plog(LLV_DEBUG, LOCATION, NULL, "Looking up RSA key for %s\n", - saddr2str_fromto("%s <-> %s", iph1->local, iph1->remote)); - - r.iph1 = iph1; - r.max_score = -1; - r.winners = genlist_init(); - - if (my) - list = iph1->rmconf->rsa_private; - else - list = iph1->rmconf->rsa_public; - - genlist_foreach(list, rsa_lookup_key_one, &r); - - if (loglevel >= LLV_DEBUG) - rsa_key_dump(r.winners); - - return r.winners; -} - -int -rsa_parse_file(struct genlist *list, const char *fname, enum rsa_key_type type) -{ - int ret; - - plog(LLV_DEBUG, LOCATION, NULL, "Parsing %s\n", fname); - ret = prsa_parse_file(list, fname, type); - if (loglevel >= LLV_DEBUG) - rsa_key_dump(list); - return ret; -} - -RSA * -rsa_try_check_rsasign(vchar_t *source, vchar_t *sig, struct genlist *list) -{ - struct rsa_key *key; - struct genlist_entry *gp; - - for(key = genlist_next(list, &gp); key; key = genlist_next(NULL, &gp)) { - plog(LLV_DEBUG, LOCATION, NULL, "Checking key %s...\n", - naddrwop2str_fromto("%s -> %s", key->src, key->dst)); - if (eay_check_rsasign(source, sig, key->rsa) == 0) { - plog(LLV_DEBUG, LOCATION, NULL, " ... YEAH!\n"); - return key->rsa; - } - plog(LLV_DEBUG, LOCATION, NULL, " ... nope.\n"); - } - return NULL; -} 
diff --git a/ipsec-tools/racoon/rsalist.h b/ipsec-tools/racoon/rsalist.h
deleted file mode 100644
index 911670f..0000000
--- a/ipsec-tools/racoon/rsalist.h
+++ /dev/null

@@ -1,65 +0,0 @@ -/* $NetBSD: rsalist.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */ - -/* Id: rsalist.h,v 1.2 2004/07/12 20:43:51 ludvigm Exp */ -/* - * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany. - * Contributed by: Michal Ludvig , SUSE Labs - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifndef _RSALIST_H -#define _RSALIST_H - -#include -#include - -#include "handler.h" -#include "genlist.h" - -enum rsa_key_type { - RSA_TYPE_ANY = 0, - RSA_TYPE_PUBLIC, - RSA_TYPE_PRIVATE -}; - -struct rsa_key { - struct netaddr *src; - struct netaddr *dst; - RSA *rsa; -}; - -int rsa_key_insert(struct genlist *list, struct netaddr *src, struct netaddr *dst, RSA *rsa); -void rsa_key_dump(struct genlist *list); - -struct genlist *rsa_lookup_keys(struct ph1handle *iph1, int my); -RSA *rsa_try_check_rsasign(vchar_t *source, vchar_t *sig, struct genlist *list); - -unsigned long rsa_list_count(struct genlist *list); - -int rsa_parse_file(struct genlist *list, const char *fname, enum rsa_key_type type); - -#endif /* _RSALIST_H */ diff --git a/ipsec-tools/racoon/safefile.c b/ipsec-tools/racoon/safefile.c index 5241092..fdeb26c 100644 --- a/ipsec-tools/racoon/safefile.c +++ b/ipsec-tools/racoon/safefile.c @@ -54,7 +54,7 @@ safefile(path, secret) /* no setuid */ if (getuid() != geteuid()) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "setuid'ed execution not allowed\n"); return -1; } @@ -65,7 +65,7 @@ safefile(path, secret) /* the file must be owned by the running uid */ me = getuid(); if (s.st_uid != me) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s has invalid owner uid\n", path); return -1; } @@ -74,7 +74,7 @@ safefile(path, secret) case S_IFREG: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s is an invalid file type 0x%x\n", path, (s.st_mode & S_IFMT)); return -1; @@ -83,7 +83,7 @@ safefile(path, secret) /* secret file should not be read by others */ if (secret) { if ((s.st_mode & S_IRWXG) != 0 || (s.st_mode & S_IRWXO) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s has weak file permission\n", path); return -1; } diff --git a/ipsec-tools/racoon/safefile.h b/ipsec-tools/racoon/safefile.h index c8d6a6c..8f5694a 100644 --- a/ipsec-tools/racoon/safefile.h +++ b/ipsec-tools/racoon/safefile.h 
@@ -34,6 +34,6 @@ #ifndef _SAFEFILE_H #define _SAFEFILE_H -extern int safefile __P((const char *, int)); +extern int safefile (const char *, int); #endif /* _SAFEFILE_H */ diff --git a/ipsec-tools/racoon/sainfo.c b/ipsec-tools/racoon/sainfo.c index 0f8c888..d11e636 100644 --- a/ipsec-tools/racoon/sainfo.c +++ b/ipsec-tools/racoon/sainfo.c @@ -79,9 +79,7 @@ static LIST_HEAD(_sitree, sainfo) sitree; * First pass is for sainfo from a specified peer, second for others. */ struct sainfo * -getsainfo(src, dst, peer, use_nat_addr) - const vchar_t *src, *dst, *peer; - int use_nat_addr; +getsainfo(const vchar_t *src, const vchar_t *dst, const vchar_t *peer, int use_nat_addr) { struct sainfo *s = NULL; struct sainfo *anonymous = NULL; @@ -90,30 +88,10 @@ getsainfo(src, dst, peer, use_nat_addr) if (use_nat_addr && lcconf->ext_nat_id == NULL) return NULL; - //plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - src id:\n"); - //if (src != NULL) - // plogdump(LLV_DEBUG2, src->v, src->l); - //else - // plog(LLV_DEBUG2, LOCATION, NULL, " anonymous\n"); - //plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - dst id:\n"); - //if (dst != NULL) - // plogdump(LLV_DEBUG2, dst->v, dst->l); - //else - // plog(LLV_DEBUG2, LOCATION, NULL, " anonymous\n"); if (peer == NULL) pass = 2; again: LIST_FOREACH(s, &sitree, chain) { - if (s->to_delete || s->to_remove) { - continue; - } - //if (s->idsrc != NULL) { - // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id - src & dst:\n"); - // plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l); - // plogdump(LLV_DEBUG2, s->iddst->v, s->iddst->l); - //} else { - // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id = anonymous\n"); - //} if (s->id_i != NULL) { if (pass == 2) continue; 
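Review bot: With the `s->to_delete || s->to_remove` skip removed, `getsainfo` returns a pointer straight out of `sitree`, and the `retain_sainfo`/`release_sainfo` pair introduced elsewhere in this commit is now what keeps an entry alive; nothing in the visible part of the function takes a count on the caller's behalf. Unless every caller retains immediately, a later `flushsainfo`/`flushsainfo_dynamic` can free the entry underneath it, so the contract belongs on the function: `/* Returns a borrowed pointer into sitree; a caller that keeps it must retain_sainfo() it. */`. The function body continues past the hunk.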
@@ -133,12 +111,11 @@ getsainfo(src, dst, peer, use_nat_addr) continue; } - if (memcmp(src->v, s->idsrc->v, s->idsrc->l) == 0) { + // TODO: handle wildcard port numbers in the id + if (memcmp(src->v, s->idsrc->v, s->idsrc->l) == 0) { if (use_nat_addr) { if (memcmp(lcconf->ext_nat_id->v, s->iddst->v, s->iddst->l) == 0) { - plog(LLV_DEBUG, LOCATION, NULL, - "matched external nat address.\n"); - plogdump(LLV_DEBUG2, lcconf->ext_nat_id->v, lcconf->ext_nat_id->l); + plogdump(ASL_LEVEL_DEBUG, lcconf->ext_nat_id->v, lcconf->ext_nat_id->l, "matched external nat address.\n"); return s; } } else if (memcmp(dst->v, s->iddst->v, s->iddst->l) == 0) @@ -147,7 +124,7 @@ getsainfo(src, dst, peer, use_nat_addr) } if (anonymous) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "anonymous sainfo selected.\n"); } else if (pass == 1) { pass = 2; 
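Review bot: The re-indented `memcmp(src->v, s->idsrc->v, s->idsrc->l)` compares using only the stored id's length, so unless the lines above the hunk already require `src->l == s->idsrc->l`, a shorter `src` is read past its end and a longer one matches on a prefix; the `dst`/`iddst` and `ext_nat_id`/`iddst` compares beside it have the same shape. A length check before each compare, `if (src->l != s->idsrc->l) continue;`, makes the match both exact and bounded. The added `// TODO: handle wildcard port numbers in the id` comment would be more useful if it also stated today's behaviour (ids differing only in port presumably fail the byte compare and are treated as distinct). The function continues past the hunk.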
@@ -164,32 +141,26 @@ getsainfo(src, dst, peer, use_nat_addr) * XXX by each data type, should be changed to compare the buffer. */ struct sainfo * -getsainfo_by_dst_id(dst, peer) - const vchar_t *dst, *peer; +getsainfo_by_dst_id(const vchar_t *dst, const vchar_t *peer) { struct sainfo *s = NULL; struct sainfo *anonymous = NULL; - plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - dst id:\n"); + plog(ASL_LEVEL_DEBUG, "getsainfo_by_dst_id - dst id:\n"); if (dst != NULL) - plogdump(LLV_DEBUG2, dst->v, dst->l); + plogdump(ASL_LEVEL_DEBUG, dst->v, dst->l, "getsainfo_by_dst_id - dst id:\n"); else return NULL; LIST_FOREACH(s, &sitree, chain) { - if (s->to_delete || s->to_remove) { - continue; + if (s->idsrc != NULL) { + plogdump(ASL_LEVEL_DEBUG, s->idsrc->v, s->idsrc->l, "getsainfo_by_dst_id - sainfo id - src:\n"); + plogdump(ASL_LEVEL_DEBUG, s->iddst->v, s->iddst->l, "getsainfo_by_dst_id - sainfo id - dst:\n"); + } else { + plog(ASL_LEVEL_DEBUG, "getsainfo_by_dst_id - sainfo id = anonymous\n"); } - //if (s->idsrc != NULL) { - // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id - src & dst:\n"); - // plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l); - // plogdump(LLV_DEBUG2, s->iddst->v, s->iddst->l); - //} else { - // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id = anonymous\n"); - //} if (s->id_i != NULL) { - plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id_i:\n"); - plogdump(LLV_DEBUG2, s->id_i->v, s->id_i->l); + plogdump(ASL_LEVEL_DEBUG, s->id_i->v, s->id_i->l, "getsainfo_by_dst_id - sainfo id_i:\n"); if (peer == NULL) continue; if (memcmp(peer->v, s->id_i->v, s->id_i->l) != 0) 
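Review bot: The dst id is logged twice in a row: `plog(ASL_LEVEL_DEBUG, "getsainfo_by_dst_id - dst id:\n");` is kept, and the new `plogdump(ASL_LEVEL_DEBUG, dst->v, dst->l, "getsainfo_by_dst_id - dst id:\n");` on the next line repeats the same header before dumping the bytes, so the first `plog` can be dropped. Inside the loop the added dump of `s->iddst` runs whenever `s->idsrc != NULL`, which assumes `iddst` is always populated together with `idsrc`; if the parser does not guarantee that, guard it with `&& s->iddst != NULL`. The function continues past the hunk.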
@@ -205,50 +176,16 @@ getsainfo_by_dst_id(dst, peer) } if (anonymous) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "anonymous sainfo selected.\n"); } return anonymous; } -int -link_sainfo_to_ph2 (struct sainfo *new) -{ - if (!new) { - return(-1); - } - if (new->to_delete || - new->to_remove) { - return(-1); - } - new->linked_to_ph2++; - return(0); -} - -int -unlink_sainfo_from_ph2 (struct sainfo *old) -{ - if (!old) { - return(-1); - } - if (old->linked_to_ph2 <= 0) { - return(-1); - } - old->linked_to_ph2--; - if (old->linked_to_ph2 == 0) { - if (old->to_remove) { - remsainfo(old); - } - if (old->to_delete) { - delsainfo(old); - } - } - return(0); -} struct sainfo * -newsainfo() +create_sainfo() { struct sainfo *new; @@ -258,23 +195,17 @@ newsainfo() new->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT; new->lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX; - new->to_remove = FALSE; - new->to_delete = FALSE; - new->linked_to_ph2 = 0; + new->refcount = 1; + new->in_list = 0; return new; } + void -delsainfo(si) - struct sainfo *si; +delsainfo(struct sainfo *si) { int i; - - if (si->linked_to_ph2) { - si->to_delete = TRUE; - return; - } for (i = 0; i < MAXALGCLASS; i++) delsainfoalg(si->algs[i]); 
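Review bot: `delsainfo` no longer defers when the entry is still referenced, and it also does not look at `in_list`, so a direct call on an entry still linked into `sitree` frees memory that the `LIST_FOREACH` loops in the flush routines will later walk. Since `remsainfo` is now idempotent on `in_list`, `delsainfo` can protect itself with `if (si->in_list) remsainfo(si);` as its first statement, and `create_sainfo` deserves a comment saying that the initial `refcount = 1` is the creator's reference, dropped by `flushsainfo`/`flushsainfo_dynamic` or `release_sainfo`. The deferred-delete logic this replaces lived in the `link_sainfo_to_ph2`/`unlink_sainfo_from_ph2` pair removed above; `delsainfo`'s body continues past the hunk.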
@@ -293,51 +224,68 @@ delsainfo(si) } void -inssainfo(new) - struct sainfo *new; +inssainfo(struct sainfo *new) { LIST_INSERT_HEAD(&sitree, new, chain); + new->in_list = 1; } void -remsainfo(si) - struct sainfo *si; +remsainfo(struct sainfo *si) { - if (si->linked_to_ph2) { - si->to_remove = TRUE; - return; - } - LIST_REMOVE(si, chain); + if (si->in_list) { + LIST_REMOVE(si, chain); + si->in_list = 0; + } } +// remove sainfos from linked list +// if not used - delete it void flushsainfo() { struct sainfo *s, *next; - for (s = LIST_FIRST(&sitree); s; s = next) { - next = LIST_NEXT(s, chain); + LIST_FOREACH_SAFE(s, &sitree, chain, next) { if (s->dynamic == 0) { - remsainfo(s); - delsainfo(s); + remsainfo(s); + if (--(s->refcount) <= 0) + delsainfo(s); } } } +// remove sainfos from linked list +// if not used - delete it void flushsainfo_dynamic(u_int32_t addr) { struct sainfo *s, *next; - for (s = LIST_FIRST(&sitree); s; s = next) { - next = LIST_NEXT(s, chain); + LIST_FOREACH_SAFE(s, &sitree, chain, next) { if (s->dynamic == addr) { - remsainfo(s); - delsainfo(s); + remsainfo(s); + if (--(s->refcount) <= 0) + delsainfo(s); } } } +void +retain_sainfo(struct sainfo *si) +{ + (si->refcount)++; +} + +void +release_sainfo(struct sainfo *si) +{ + if (--(si->refcount) <= 0) { + remsainfo(si); + delsainfo(si); + } +} + void initsainfo() { @@ -357,8 +305,7 @@ newsainfoalg() } void -delsainfoalg(alg) - struct sainfoalg *alg; +delsainfoalg(struct sainfoalg *alg) { struct sainfoalg *a, *next; @@ -369,9 +316,7 @@ delsainfoalg(alg) } void -inssainfoalg(head, new) - struct sainfoalg **head; - struct sainfoalg *new; +inssainfoalg(struct sainfoalg **head, struct sainfoalg *new) { struct sainfoalg *a; @@ -383,9 +328,10 @@ inssainfoalg(head, new) *head = new; } + + const char * -sainfo2str(si) - const struct sainfo *si; +sainfo2str(const struct sainfo *si) { char *idsrc_str; char *iddst_str; 
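Review bot: `flushsainfo` and `flushsainfo_dynamic` each open-code `remsainfo(s); if (--(s->refcount) <= 0) delsainfo(s);`, which is `release_sainfo` with the list removal hoisted; because `remsainfo` is a no-op once `in_list` is clear, both loops can simply call `remsainfo(s); release_sainfo(s);` and keep the refcount arithmetic in one place. The comment `// remove sainfos from linked list // if not used - delete it` is pasted verbatim over both functions and does not mention that the `_dynamic` variant only touches entries whose `dynamic` field equals `addr`; say so on the second copy. `retain_sainfo`/`release_sainfo` use plain `int` arithmetic, so a one-line comment stating that they assume a single-threaded caller (the daemon's dispatch queue, if that is the intended model) would document the concurrency contract they rely on.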
diff --git a/ipsec-tools/racoon/sainfo.h b/ipsec-tools/racoon/sainfo.h index 7b29d2d..004f4e5 100644 --- a/ipsec-tools/racoon/sainfo.h +++ b/ipsec-tools/racoon/sainfo.h @@ -50,16 +50,15 @@ struct sainfo { vchar_t *group; #endif - time_t lifetime; - int lifebyte; - int pfs_group; /* only use when pfs is required. */ - vchar_t *id_i; /* identifier of the authorized initiator */ - struct sainfoalg *algs[MAXALGCLASS]; - int dynamic; /* created through vpn control socket */ - int to_remove; - int to_delete; - int linked_to_ph2; - LIST_ENTRY(sainfo) chain; + time_t lifetime; + int lifebyte; + int pfs_group; /* only use when pfs is required. */ + vchar_t *id_i; /* identifier of the authorized initiator */ + struct sainfoalg *algs[MAXALGCLASS]; + int dynamic; /* created through vpn control socket */ + int in_list; + int refcount; + LIST_ENTRY(sainfo) chain; }; /* algorithm type */ 
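Review bot: `in_list` and `refcount` are the only fields in the re-indented block without a trailing comment, so the new lifetime contract that sainfo.c now depends on is not visible from the header. `int in_list; /* linked into sitree; set by inssainfo, cleared by remsainfo */` and `int refcount; /* references held; retain_sainfo/release_sainfo, freed at 0 */` would match the surrounding style. The struct's opening line is outside the hunk.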
@@ -69,21 +68,21 @@ struct sainfoalg { struct sainfoalg *next; }; -extern struct sainfo *getsainfo __P((const vchar_t *, - const vchar_t *, const vchar_t *, int)); -extern struct sainfo *getsainfo_by_dst_id __P((const vchar_t *, const vchar_t *)); -extern int link_sainfo_to_ph2 __P((struct sainfo *)); -extern int unlink_sainfo_from_ph2 __P((struct sainfo *)); -extern struct sainfo *newsainfo __P((void)); -extern void delsainfo __P((struct sainfo *)); -extern void inssainfo __P((struct sainfo *)); -extern void remsainfo __P((struct sainfo *)); -extern void flushsainfo __P((void)); -extern void flushsainfo_dynamic __P((u_int32_t)); -extern void initsainfo __P((void)); -extern struct sainfoalg *newsainfoalg __P((void)); -extern void delsainfoalg __P((struct sainfoalg *)); -extern void inssainfoalg __P((struct sainfoalg **, struct sainfoalg *)); -extern const char * sainfo2str __P((const struct sainfo *)); +extern struct sainfo *getsainfo (const vchar_t *, + const vchar_t *, const vchar_t *, int); +extern struct sainfo *getsainfo_by_dst_id (const vchar_t *, const vchar_t *); +extern struct sainfo *create_sainfo (void); +extern void delsainfo (struct sainfo *); +extern void inssainfo (struct sainfo *); +extern void remsainfo (struct sainfo *); +void retain_sainfo(struct sainfo *si); +void release_sainfo(struct sainfo *si); +extern void flushsainfo (void); +extern void flushsainfo_dynamic (u_int32_t); +extern void initsainfo (void); +extern struct sainfoalg *newsainfoalg (void); +extern void delsainfoalg (struct sainfoalg *); +extern void inssainfoalg (struct sainfoalg **, struct sainfoalg *); +extern const char * sainfo2str (const struct sainfo *); #endif /* _SAINFO_H */ diff --git a/ipsec-tools/racoon/schedule.c b/ipsec-tools/racoon/schedule.c index f2e4c37..9907c35 100644 --- a/ipsec-tools/racoon/schedule.c +++ b/ipsec-tools/racoon/schedule.c @@ -44,6 +44,7 @@ #include #include #include +#include #include "misc.h" #include "plog.h" 
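Review bot: `void retain_sainfo(struct sainfo *si);` and `void release_sainfo(struct sainfo *si);` are the only declarations in the block without the `extern` prefix and the `name (args)` spacing the rest were just rewritten to, so the block reads as two hands; `extern void retain_sainfo (struct sainfo *);` and `extern void release_sainfo (struct sainfo *);` match. A one-line comment above the pair saying that `release_sainfo` unlinks and frees the entry when the count reaches zero is the piece of the contract a caller needs from the header, since `delsainfo` and `remsainfo` remain exported beside them.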
@@ -51,19 +52,15 @@ #include "var.h" #include "gcmalloc.h" #include "power_mgmt.h" +#include "localconf.h" #if !defined(__LP64__) // year 2038 problem and fix for 32-bit only #define FIXY2038PROBLEM #endif -#ifndef TAILQ_FOREACH -#define TAILQ_FOREACH(elm, head, field) \ - for (elm = TAILQ_FIRST(head); elm; elm = TAILQ_NEXT(elm, field)) -#endif extern int terminated; -static struct timeval timeout; #ifdef FIXY2038PROBLEM #define Y2038TIME_T 0x7fffffff 
@@ -73,113 +70,53 @@ static time_t deltaY2038; static TAILQ_HEAD(_schedtree, sched) sctree; -static void sched_add __P((struct sched *)); -/* - * schedule handler - * OUT: - * time to block until next event. - * if no entry, NULL returned. - */ -struct timeval * -schedular() +void +timer_handler(struct sched *sched) { - time_t now, delta; - struct sched *p, *next = NULL; - - if (slept_at || woke_at) { - plog(LLV_DEBUG, LOCATION, NULL, - "ignoring schedular until power-mgmt event is handled.\n"); - return NULL; - } - - now = current_time(); - - for (p = TAILQ_FIRST(&sctree); p; p = next) { - /* if the entry has been dead, remove it */ - if (p->dead) - goto next_schedule; - - /* if the time hasn't come, proceed to the next entry */ - if (now < p->xtime) { - next = TAILQ_NEXT(p, chain); - continue; - } - - /* mark it with dead. and call the function. */ - p->dead = 1; - if (p->func != NULL && !terminated) - (p->func)(p->param); - - next_schedule: - next = TAILQ_NEXT(p, chain); - TAILQ_REMOVE(&sctree, p, chain); - racoon_free(p); - } - - p = TAILQ_FIRST(&sctree); - if (p == NULL) - return NULL; - - now = current_time(); - - delta = p->xtime - now; - timeout.tv_sec = delta < 0 ? 0 : delta; - timeout.tv_usec = 0; - - return &timeout; + if (slept_at || woke_at) + sched->dead = 1; + + TAILQ_REMOVE(&sctree, sched, chain); + + if (!sched->dead) { + if (sched->func != NULL && !terminated) { + (sched->func)(sched->param); + } + } + racoon_free(sched); } /* * add new schedule to schedule table. 
*/ -struct sched * -sched_new(tick, func, param) - time_t tick; - void (*func) __P((void *)); - void *param; +schedule_ref +sched_new(time_t tick, void (*func) (void *), void *param) { - static long id = 1; - struct sched *new; - - new = (struct sched *)racoon_malloc(sizeof(*new)); - if (new == NULL) - return NULL; - - memset(new, 0, sizeof(*new)); - new->func = func; - new->param = param; - - new->id = id++; - time(&new->created); - new->tick = tick; - - new->xtime = current_time() + tick; - new->dead = 0; - + static schedule_ref next_ref = 1; + struct sched *new_sched; + + if (next_ref == 0) + next_ref++; + + new_sched = (struct sched *)racoon_malloc(sizeof(*new_sched)); + if (new_sched == NULL) + return 0; + + new_sched->ref = next_ref++; + new_sched->dead = 0; + new_sched->func = func; + new_sched->param = param; + new_sched->xtime = current_time() + tick; + /* add to schedule table */ - sched_add(new); - - return(new); -} - -/* add new schedule to schedule table */ -static void -sched_add(sc) - struct sched *sc; -{ - struct sched *p; - - TAILQ_FOREACH(p, &sctree, chain) { - if (sc->xtime < p->xtime) { - TAILQ_INSERT_BEFORE(p, sc, chain); - return; - } - } - if (p == NULL) - TAILQ_INSERT_TAIL(&sctree, sc, chain); - - return; + TAILQ_INSERT_TAIL(&sctree, new_sched, chain); + dispatch_after(dispatch_time(DISPATCH_TIME_NOW, tick * NSEC_PER_SEC), dispatch_get_main_queue(), + ^{ + timer_handler(new_sched); + }); + + return new_sched->ref; } /* get current time. 
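Review bot: `timer_handler` turns a firing during a power event into a permanent cancel: `if (slept_at || woke_at) sched->dead = 1;` is followed unconditionally by `TAILQ_REMOVE` and `racoon_free`, whereas the removed `schedular()` returned early and kept every entry until the event was handled. Unless the sleep/wake handlers re-arm every schedule, a retransmit or rekey timer that expires while `woke_at` is set is simply lost; either defer (re-`dispatch_after` the same entry) or state the drop in a comment at the top of `timer_handler`. In `sched_new`, `next_ref` has type `schedule_ref`, which schedule.h in this commit defines as `int`, so `next_ref++` can only reach the `if (next_ref == 0)` guard through signed overflow, which is undefined; making the typedef `unsigned int` (schedule.h hunk) gives the wrap and the zero-is-invalid sentinel defined meaning. The dispatch block is armed on `DISPATCH_TIME_NOW`-relative time while `xtime` is wall-clock `current_time()`, so what `sched_get_time` reports and when the block actually runs diverge across a sleep; `dispatch_walltime` would keep them consistent if wall-clock semantics are intended.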
@@ -192,92 +129,90 @@ current_time() time_t n; #ifdef FIXY2038PROBLEM time_t t; - + time(&n); t = n - launched; if (t < 0) t += deltaY2038; - + return t; #else return time(&n); #endif } -void -sched_kill(sc) - struct sched *sc; +int +sched_is_dead(schedule_ref ref) { - sc->dead = 1; + struct sched *sc; + + if (ref == 0) + return 1; + TAILQ_FOREACH(sc, &sctree, chain) { + if (sc->ref == ref) { + if (sc->dead) + return 1; + return 0; + } + } + return 1; +} - return; + +int +sched_get_time(schedule_ref ref, time_t *time) +{ + struct sched *sc; + + if (ref != 0) { + TAILQ_FOREACH(sc, &sctree, chain) { + if (sc->ref == ref) { + if (sc->dead) + return 0; + *time = sc->xtime; + return 1; + } + } + } + return 0; } -/* XXX this function is probably unnecessary. */ void -sched_scrub_param(param) - void *param; +sched_kill(schedule_ref ref) { - struct sched *sc; - - TAILQ_FOREACH(sc, &sctree, chain) { - if (sc->param == param) { - if (!sc->dead) { - plog(LLV_DEBUG, LOCATION, NULL, - "an undead schedule has been deleted.\n"); - } - sched_kill(sc); - } + struct sched *sc; + + if (ref != 0) { + TAILQ_FOREACH(sc, &sctree, chain) { + if (sc->ref == ref) { + sc->dead = 1; + return; + } + } } } -/* - * for debug - */ -int -sched_dump(buf, len) - caddr_t *buf; - int *len; +void +sched_killall(void) { - struct scheddump *new; - struct sched *p; - struct scheddump *dst; - int cnt = 0; - - /* initialize */ - *len = 0; - *buf = NULL; - - TAILQ_FOREACH(p, &sctree, chain) - cnt++; - - /* no entry */ - if (cnt == 0) - return -1; - - *len = cnt * sizeof(*dst); - - new = (struct scheddump *)racoon_malloc(*len); - if (new == NULL) - return -1; - dst = new; + struct sched *sc; + + TAILQ_FOREACH(sc, &sctree, chain) + sc->dead = 1; +} - p = TAILQ_FIRST(&sctree); - while (p) { - dst->xtime = p->xtime; - dst->id = p->id; - dst->created = p->created; - dst->tick = p->tick; - p = TAILQ_NEXT(p, chain); - if (p == NULL) - break; - dst++; +/* XXX this function is probably unnecessary. 
*/ +void +sched_scrub_param(void *param) +{ + struct sched *sc; + + TAILQ_FOREACH(sc, &sctree, chain) { + if (sc->param == param) { + sc->dead = 1; + } } - - *buf = (caddr_t)new; - - return 0; } /* initialize schedule table */ @@ -286,89 +221,11 @@ sched_init() { #ifdef FIXY2038PROBLEM time(&launched); - + deltaY2038 = Y2038TIME_T - launched; #endif - + TAILQ_INIT(&sctree); - return; } -#ifdef STEST -#include -#include -#include -#include - -void -test(tick) - int *tick; -{ - printf("execute %d\n", *tick); - racoon_free(tick); -} - -void -getstdin() -{ - int *tick; - char buf[16]; - - read(0, buf, sizeof(buf)); - if (buf[0] == 'd') { - struct scheddump *scbuf, *p; - int len; - sched_dump((caddr_t *)&scbuf, &len); - if (scbuf == NULL) - return; - for (p = scbuf; len; p++) { - printf("xtime=%ld\n", p->xtime); - len -= sizeof(*p); - } - racoon_free(scbuf); - return; - } - - tick = (int *)racoon_malloc(sizeof(*tick)); - *tick = atoi(buf); - printf("new queue tick = %d\n", *tick); - sched_new(*tick, test, tick); -} - -int -main() -{ - static fd_set mask0; - int nfds = 0; - fd_set rfds; - struct timeval *timeout; - int error; - - FD_ZERO(&mask0); - FD_SET(0, &mask0); - nfds = 1; - - /* initialize */ - sched_init(); - - while (1) { - rfds = mask0; - - timeout = schedular(); - - error = select(nfds, &rfds, (fd_set *)0, (fd_set *)0, timeout); - if (error < 0) { - switch (errno) { - case EINTR: continue; - default: - err(1, "select"); - } - /*NOTREACHED*/ - } - - if (FD_ISSET(0, &rfds)) - getstdin(); - } -} -#endif diff --git a/ipsec-tools/racoon/schedule.h b/ipsec-tools/racoon/schedule.h index 72c0105..79fb504 100644 --- a/ipsec-tools/racoon/schedule.h +++ b/ipsec-tools/racoon/schedule.h 
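Review bot: `sched_is_dead`, `sched_get_time` and `sched_kill` each repeat the same `if (ref != 0) TAILQ_FOREACH(... if (sc->ref == ref) ...)` walk over `sctree` with slightly different early-return shapes, which is three places to keep in step when the lookup changes. `sched_get_time` also names its out-parameter `time`, shadowing the libc `time()` that `current_time` calls a few lines above (`-Wshadow` flags it); renaming it to `xtime` in both the definition and the schedule.h prototype costs nothing. A small `static struct sched *sched_find(schedule_ref)` helper collapses the three callers to one line of logic each, as below.

```c
/* Find the table entry for ref; NULL when ref is 0 or no longer in the table. */
static struct sched *
sched_find(schedule_ref ref)
{
	struct sched *sc;

	if (ref == 0)
		return NULL;
	TAILQ_FOREACH(sc, &sctree, chain) {
		if (sc->ref == ref)
			return sc;
	}
	return NULL;
}

int
sched_is_dead(schedule_ref ref)
{
	struct sched *sc = sched_find(ref);

	return sc == NULL || sc->dead;
}

int
sched_get_time(schedule_ref ref, time_t *xtime)
{
	struct sched *sc = sched_find(ref);

	if (sc == NULL || sc->dead)
		return 0;
	*xtime = sc->xtime;
	return 1;
}

void
sched_kill(schedule_ref ref)
{
	struct sched *sc = sched_find(ref);

	if (sc != NULL)
		sc->dead = 1;
}
/* … unchanged: sched_killall, sched_scrub_param … */
```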
@@ -35,54 +35,38 @@ #define _SCHEDULE_H #include -#include "gnuc.h" +#include + +typedef int schedule_ref; /* scheduling table */ /* the head is the nearest event. */ struct sched { - time_t xtime; /* event time which is as time(3). */ - /* - * if defined FIXY2038PROBLEM, this time - * is from the time when called sched_init(). - */ - void (*func) __P((void *)); /* call this function when timeout. */ - void *param; /* pointer to parameter */ - - int dead; /* dead or alive */ - long id; /* for debug */ - time_t created; /* for debug */ - time_t tick; /* for debug */ - + schedule_ref ref; + time_t xtime; /* event time which is as time(3). */ + void (*func) (void *); /* call this function when timeout. */ + void *param; /* pointer to parameter */ + int dead; /* dead or alive */ TAILQ_ENTRY(sched) chain; }; /* cancel schedule */ -#define SCHED_KILL(s) \ -do { \ - if(s != NULL){ \ - sched_kill(s); \ - s = NULL; \ - }\ +#define SCHED_KILL(s) \ +do { \ + if(s != 0){ \ + sched_kill(s); \ + s = 0; \ + } \ } while(0) -/* must be called after it's called from scheduler. 
*/ -#define SCHED_INIT(s) (s) = NULL -#define SELECT_SEC_MAX 86400 /* kernel's upper limit is actually 100000000 */ -#define SELECT_USEC_MAX 1000000 /* kernel's upper limit */ - -struct scheddump { - time_t xtime; - long id; - time_t created; - time_t tick; -}; - -struct timeval *schedular __P((void)); -struct sched *sched_new __P((time_t, void (*func) __P((void *)), void *)); -void sched_kill __P((struct sched *)); -int sched_dump __P((caddr_t *, int *)); -void sched_init __P((void)); -void sched_scrub_param __P((void *)); -time_t current_time __P((void)); +void timer_handler (struct sched *); +schedule_ref sched_new (time_t, void (*func) (void *), void *); +int sched_is_dead(schedule_ref ref); +int sched_get_time(schedule_ref ref, time_t *time); +void sched_kill (schedule_ref); +void sched_killall(void); +void sched_init (void); +void sched_scrub_param (void *); +time_t current_time (void); #endif /* _SCHEDULE_H */ diff --git a/ipsec-tools/racoon/session.c b/ipsec-tools/racoon/session.c index f2a1bc6..f561076 100644 --- a/ipsec-tools/racoon/session.c +++ b/ipsec-tools/racoon/session.c @@ -71,6 +71,7 @@ #include #include #include +#include #include "libpfkey.h" @@ -79,24 +80,20 @@ #include "vmbuf.h" #include "plog.h" #include "debug.h" +#include "plog.h" #include "schedule.h" #include "session.h" #include "grabmyaddr.h" -#include "evt.h" #include "cfparse_proto.h" #include "isakmp_var.h" #include "isakmp_xauth.h" #include "isakmp_cfg.h" -#include "admin_var.h" -#include "admin.h" -#include "privsep.h" #include "oakley.h" #include "pfkey.h" #include "handler.h" #include "localconf.h" #include "remoteconf.h" -#include "backupsa.h" #ifdef ENABLE_NATT #include "nattraversal.h" #endif 
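Review bot: `SCHED_KILL(s)` uses its argument unparenthesized in `if(s != 0)` and `s = 0`, so an argument that is an expression rather than a plain lvalue name misparses; `if ((s) != 0) { sched_kill(s); (s) = 0; }` is the safe macro form. With refs now plain integers, a comment above the macro saying that `sched_kill` only marks the entry dead and that the memory is reclaimed when its dispatch block runs would explain why an entry can still be found in the table after `SCHED_KILL`. `SCHED_INIT` is deleted here, so every holder must now be zero-initialised by hand; worth a note in the header if that is the expectation.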
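Review bot: The added `#include "plog.h"` duplicates the `#include "plog.h"` two lines above it in the same hunk; drop the new line. The header presumably guards itself so the build is unaffected, but it reads as a merge leftover.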
@@ -110,56 +107,23 @@ extern pid_t racoon_pid; -extern char logFileStr[]; extern int launchdlaunched; -static void close_session __P((void)); -static void check_rtsock __P((void *)); -static void initfds __P((void)); -static void init_signal __P((void)); -static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int, siginfo_t *, void *)))); -static void check_sigreq __P((void)); -static void check_flushsa_stub __P((void *)); -static void check_flushsa __P((void)); -static void auto_exit_do __P((void *)); -static int close_sockets __P((void)); - -static fd_set mask0; -static fd_set maskdying; -static int nfds = 0; +static void close_session (int); +static int init_signal (void); +static int set_signal (int sig, RETSIGTYPE (*func) (int, siginfo_t *, void *)); +static void check_sigreq (void); +static void check_flushsa_stub (void *); +static void check_flushsa (void); +static void auto_exit_do (void *); +static int close_sockets (void); + static volatile sig_atomic_t sigreq[NSIG + 1]; -static int dying = 0; -static struct sched *check_rtsock_sched = NULL; int terminated = 0; -#define HANDLE_TENTATIVE_INTF_FAILURES() do { \ - if (tentative_failures) { \ - plog(LLV_ERROR, LOCATION, NULL, \ - "detected tentative interface/address issues: will retry later.\n"); \ - if (check_rtsock_sched == NULL) { \ - /* only schedule if not already done */ \ - check_rtsock_sched = sched_new(5, check_rtsock, NULL); \ - } \ - } \ - } while(0) - -static void -reinit_socks (void) -{ - int tentative_failures; - - isakmp_close(); - close(lcconf->rtsock); - initmyaddr(); - if (isakmp_open(&tentative_failures) < 0) { - plog(LLV_ERROR2, LOCATION, NULL, - "failed to reopen isakmp sockets\n"); - } - initfds(); - HANDLE_TENTATIVE_INTF_FAILURES(); -} - static int64_t racoon_keepalive = -1; +dispatch_queue_t main_queue; + /* * This is used to (manually) update racoon's launchd keepalive, which is needed because racoon is (mostly) * launched on demand and for requires a keepalive on dirty/failure 
exits. 
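Review bot: `extern char logFileStr[];` is removed here, but the rewritten check_sigreq later in this file still reads `logFileStr[0]` on the SIGHUP/SIGUSR1 path, so this will not compile unless the declaration now comes from a header included above. `dispatch_queue_t main_queue;` is a non-static file-scope global that only session() and signal_handler in this file appear to use; unless another translation unit references it, `static dispatch_queue_t main_queue;` keeps it out of the link namespace, and a comment such as `/* set once in session(); signal_handler enqueues onto it */` records the only-after-session() ordering it relies on.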
@@ -168,79 +132,70 @@ static int64_t racoon_keepalive = -1; int64_t launchd_update_racoon_keepalive (Boolean enabled) { - if (launchdlaunched) { - vproc_t vp = vprocmgr_lookup_vproc("com.apple.racoon"); - if (vp) { - int64_t val = (__typeof__(val))enabled; - if (vproc_swap_integer(vp, - VPROC_GSK_BASIC_KEEPALIVE, - &val, - &racoon_keepalive)) { - plog(LLV_ERROR2, LOCATION, NULL, - "failed to swap launchd keepalive integer %d\n", enabled); - } - vproc_release(vp); + if (launchdlaunched) { + int64_t val = (__typeof__(val))enabled; + /* Set our own KEEPALIVE value */ + if (vproc_swap_integer(NULL, + VPROC_GSK_BASIC_KEEPALIVE, + &val, + &racoon_keepalive)) { + plog(ASL_LEVEL_ERR, + "failed to swap launchd keepalive integer %d\n", enabled); } } return racoon_keepalive; } -int +// +// Session +// +// Initialize listening sockets, timers, vpn control etc., +// write the PID file and call dispatch_main. +// +void session(void) { - fd_set rfds; - struct timeval *timeout; - int error; - struct myaddrs *p; char pid_file[MAXPATHLEN]; FILE *fp; - int i, update_fds; - int tentative_failures; + int i; + + main_queue = dispatch_get_main_queue(); /* initialize schedular */ sched_init(); /* needs to be called after schedular */ if (init_power_mgmt() < 0) { - errx(1, "failed to initialize power-mgmt."); - } - - initmyaddr(); - - if (isakmp_init(false, &tentative_failures) < 0) { - plog(LLV_ERROR2, LOCATION, NULL, - "failed to initialize isakmp"); + plog(ASL_LEVEL_ERR, + "failed to initialize power-mgmt."); exit(1); } - HANDLE_TENTATIVE_INTF_FAILURES(); - -#ifdef ENABLE_ADMINPORT - if (admin_init() < 0) { - plog(LLV_ERROR2, LOCATION, NULL, - "failed to initialize admin port"); + + if (lcconf->autograbaddr == 1) + if (pfroute_init()) { + plog(ASL_LEVEL_ERR, "failed to initialize route socket.\n"); + exit(1); + } + if (initmyaddr()) { + plog(ASL_LEVEL_ERR, "failed to initialize listening addresses.\n"); + exit(1); + } + if (isakmp_init()) { + plog(ASL_LEVEL_ERR, "failed to initialize 
isakmp"); exit(1); - } -#endif + } #ifdef ENABLE_VPNCONTROL_PORT - if (vpncontrol_init() < 0) { - plog(LLV_ERROR2, LOCATION, NULL, - "failed to initialize vpn control port"); - exit(1); + if (vpncontrol_init()) { + plog(ASL_LEVEL_ERR, "failed to initialize vpn control port"); + //exit(1); } - #endif - init_signal(); - initfds(); - -#ifdef HAVE_OPENSSL - if (privsep_init() != 0) { - plog(LLV_ERROR2, LOCATION, NULL, - "failed to initialize privsep"); - exit(1); - } -#endif - + if (init_signal()) { + plog(ASL_LEVEL_ERR, "failed to initialize signals.\n"); + exit(1); + } + for (i = 0; i <= NSIG; i++) sigreq[i] = 0; 
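Review bot: In session(), a failed `vpncontrol_init()` now only logs and continues because the `exit(1)` is commented out, so the daemon keeps running without its control port and nothing records that this is intentional; either restore the exit or replace the dead line with a comment such as `/* non-fatal: keep serving existing configs without the vpn control port */`. The route-socket check `if (lcconf->autograbaddr == 1) if (pfroute_init()) {` nests two ifs without braces on the outer one, which is the classic dangling-else trap; brace the outer if. session()'s body continues into the next hunk.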
@@ -259,418 +214,51 @@ session(void) if (fp) { if (fchmod(fileno(fp), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) { - syslog(LOG_ERR, "%s", strerror(errno)); + plog(ASL_LEVEL_ERR, "%s", strerror(errno)); fclose(fp); exit(1); } fprintf(fp, "%ld\n", (long)racoon_pid); fclose(fp); } else { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot open %s", pid_file); } } - #if !TARGET_OS_EMBEDDED // enable keepalive for recovery (from crashes and bad exits... after init) (void)launchd_update_racoon_keepalive(true); #endif // !TARGET_OS_EMBEDDED - while (1) { - if (!TAILQ_EMPTY(&lcconf->saved_msg_queue)) - pfkey_post_handler(); - update_fds = 0; - /* - * asynchronous requests via signal. - * make sure to reset sigreq to 0. - */ - check_sigreq(); - - check_power_mgmt(); - - /* scheduling */ - timeout = schedular(); - // Workaround: make sure timeout is playing nice - if (timeout) { - if (timeout->tv_usec < 0 || timeout->tv_usec > SELECT_USEC_MAX ) { - timeout->tv_sec += ((__typeof__(timeout->tv_sec))timeout->tv_usec)/SELECT_USEC_MAX; - timeout->tv_usec %= SELECT_USEC_MAX; - } - if (timeout->tv_sec > SELECT_SEC_MAX /* tv_sec is unsigned */) { - timeout->tv_sec = SELECT_SEC_MAX; - } - if (!timeout->tv_sec && !timeout->tv_usec) { - timeout->tv_sec = 1; - } - } - - if (dying) - rfds = maskdying; - else - rfds = mask0; - error = select(nfds, &rfds, (fd_set *)0, (fd_set *)0, timeout); - if (error < 0) { - switch (errno) { - case EINTR: - continue; - default: - plog(LLV_ERROR2, LOCATION, NULL, - "failed select (%s) nfds %d\n", - strerror(errno), nfds); - reinit_socks(); - update_fds = 0; - continue; - } - /*NOTREACHED*/ - } - -#ifdef ENABLE_ADMINPORT - if ((lcconf->sock_admin != -1) && - (FD_ISSET(lcconf->sock_admin, &rfds))) - admin_handler(); -#endif -#ifdef ENABLE_VPNCONTROL_PORT - { - struct vpnctl_socket_elem *elem; - struct vpnctl_socket_elem *t_elem; - - if ((lcconf->sock_vpncontrol != -1) && - (FD_ISSET(lcconf->sock_vpncontrol, &rfds))) { - 
vpncontrol_handler(); - update_fds = 1; // in case new socket created - update mask - } - /* The handler may close and remove the list element - * so we can't rely on it being valid after calling - * the handler. - */ - LIST_FOREACH_SAFE(elem, &lcconf->vpnctl_comm_socks, chain, t_elem) { - if ((elem->sock != -1) && - (FD_ISSET(elem->sock, &rfds))) - if (vpncontrol_comm_handler(elem)) - update_fds = 1; // socket closed by peer - update mask - } - } -#endif - - for (p = lcconf->myaddrs; p; p = p->next) { - if (!p->addr) - continue; - if ((p->sock != -1) && - (FD_ISSET(p->sock, &rfds))) - if ((error = isakmp_handler(p->sock)) == -2) - break; - } - if (error == -2) { - plog(LLV_ERROR2, LOCATION, NULL, - "failed to process isakmp port\n"); - reinit_socks(); - update_fds = 0; - continue; - } - - if (FD_ISSET(lcconf->sock_pfkey, &rfds)) - pfkey_handler(); - - if (lcconf->rtsock >= 0 && FD_ISSET(lcconf->rtsock, &rfds)) { - if (update_myaddrs() && lcconf->autograbaddr) - if (check_rtsock_sched == NULL) /* only schedule if not already done */ - check_rtsock_sched = sched_new(1, check_rtsock, NULL); - else { - // force reinit if schedule is too far off (3 seconds or more) - time_t too_far = current_time() + 3; - if (check_rtsock_sched->dead || - check_rtsock_sched->xtime >= too_far) { - plog(LLV_DEBUG, LOCATION, NULL, - "forced reinit of addrs\n"); - update_fds = 0; - check_rtsock(NULL); - } - } - // initfds(); //%%% BUG FIX - not needed here - } - if (update_fds) { - initfds(); - update_fds = 0; - } - } + // Off to the races! + if (!terminated) { + dispatch_main(); + } + + exit(1); // should not be reached!!! } /* clear all status and exit program. 
*/ static void -close_session() +close_session(int error) { + sched_killall(); + cleanup_power_mgmt(); if ( terminated ) - flushph2(false); - flushph1(false); + ike_session_flush_all_phase2(false); + ike_session_flush_all_phase1(false); close_sockets(); - backupsa_clean(); #if !TARGET_OS_EMBEDDED // a clean exit, so disable launchd keepalive (void)launchd_update_racoon_keepalive(false); #endif // !TARGET_OS_EMBEDDED - plog(LLV_INFO, LOCATION, NULL, "racoon shutdown\n"); + plog(ASL_LEVEL_INFO, "racoon shutdown\n"); exit(0); } -static void -check_rtsock(p) - void *p; -{ - int tentative_failures; - - check_rtsock_sched = NULL; - grab_myaddrs(); - isakmp_close_unused(); - - autoconf_myaddrsport(); - isakmp_open(&tentative_failures); - - /* initialize socket list again */ - initfds(); - HANDLE_TENTATIVE_INTF_FAILURES(); -} - -static void -initfds() -{ - struct myaddrs *p; - - nfds = 0; - - FD_ZERO(&mask0); - FD_ZERO(&maskdying); - -#ifdef ENABLE_ADMINPORT - if (lcconf->sock_admin != -1) { - if (lcconf->sock_admin >= FD_SETSIZE) { - plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun - admin socket\n"); - exit(1); - } - FD_SET(lcconf->sock_admin, &mask0); - /* XXX should we listen on admin socket when dying ? - */ -#if 0 - FD_SET(lcconf->sock_admin, &maskdying); -#endif - nfds = (nfds > lcconf->sock_admin ? nfds : lcconf->sock_admin); - } -#endif -#ifdef ENABLE_VPNCONTROL_PORT - { - struct vpnctl_socket_elem *elem; - - if (lcconf->sock_vpncontrol != -1) { - if (lcconf->sock_vpncontrol >= FD_SETSIZE) { - plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun - vpncontrol socket\n"); - exit(1); - } - FD_SET(lcconf->sock_vpncontrol, &mask0); - nfds = (nfds > lcconf->sock_vpncontrol ? 
nfds : lcconf->sock_vpncontrol); - } - - LIST_FOREACH(elem, &lcconf->vpnctl_comm_socks, chain) { - if (elem->sock != -1) { - if (elem->sock >= FD_SETSIZE) { - plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun vpnctl_comm socket\n"); - exit(1); - } - FD_SET(elem->sock, &mask0); - nfds = (nfds > elem->sock ? nfds : elem->sock); - } - } - } -#endif - - if (lcconf->sock_pfkey >= FD_SETSIZE) { - plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun - pfkey socket\n"); - exit(1); - } - FD_SET(lcconf->sock_pfkey, &mask0); - FD_SET(lcconf->sock_pfkey, &maskdying); - nfds = (nfds > lcconf->sock_pfkey ? nfds : lcconf->sock_pfkey); - if (lcconf->rtsock >= 0) { - if (lcconf->rtsock >= FD_SETSIZE) { - plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun - rt socket\n"); - exit(1); - } - FD_SET(lcconf->rtsock, &mask0); - nfds = (nfds > lcconf->rtsock ? nfds : lcconf->rtsock); - } - - for (p = lcconf->myaddrs; p; p = p->next) { - if (!p->addr) - continue; - if (p->sock < 0) - continue; - if (p->sock >= FD_SETSIZE) { - plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun - isakmp socket\n"); - exit(1); - } - FD_SET(p->sock, &mask0); - nfds = (nfds > p->sock ? nfds : p->sock); - } - nfds++; -} - - -static int signals[] = { - SIGHUP, - SIGINT, - SIGTERM, - SIGUSR1, - SIGUSR2, - SIGCHLD, - SIGPIPE, - 0 -}; - -/* - * asynchronous requests will actually dispatched in the - * main loop in session(). - */ -RETSIGTYPE -signal_handler(sig, sigi, ctx) - int sig; - siginfo_t *sigi; - void *ctx; -{ -#if 0 - plog(LLV_DEBUG, LOCATION, NULL, - "%s received signal %d from pid %d uid %d\n\n", - __FUNCTION__, sig, sigi->si_pid, sigi->si_uid); -#endif - - /* Do not just set it to 1, because we may miss some signals by just setting - * values to 0/1 - */ - sigreq[sig]++; - if ( sig == SIGTERM ){ - terminated = 1; - } -} - -static void -check_sigreq() -{ - int sig; - int tentative_failures; - - /* - * XXX We are not able to tell if we got - * several time the same signal. 
This is - * not a problem for the current code, - * but we shall remember this limitation. - */ - for (sig = 0; sig <= NSIG; sig++) { - if (sigreq[sig] == 0) - continue; - - sigreq[sig]--; - switch(sig) { - case 0: - return; - - /* Catch up childs, mainly scripts. - */ - case SIGCHLD: - { - pid_t pid; - int s; - - pid = wait(&s); - } - break; - -#ifdef DEBUG_RECORD_MALLOCATION - /* - * XXX This operation is signal handler unsafe and may lead to - * crashes and security breaches: See Henning Brauer talk at - * EuroBSDCon 2005. Do not run in production with this option - * enabled. - */ - case SIGUSR2: - DRM_dump(); - break; -#endif - - case SIGUSR1: - case SIGHUP: -#ifdef ENABLE_HYBRID - if ((isakmp_cfg_init(ISAKMP_CFG_INIT_WARM)) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ISAKMP mode config structure reset failed, " - "not reloading\n"); - return; - } -#endif - if ( terminated ) - break; - - /* - * if we got a HUP... try graceful teardown of sessions before we close and reopen sockets... - * so that info-deletes notifications can make it to the peer. - */ - if (sig == SIGHUP) { - flushph2(true); - flushph1(true); - } - /* Save old configuration, load new one... 
*/ - isakmp_close(); - close(lcconf->rtsock); - if (cfreparse(sig)) { - plog(LLV_ERROR2, LOCATION, NULL, - "configuration read failed\n"); - exit(1); - } - if (lcconf->logfile_param == NULL && logFileStr[0] == 0) - plogreset(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]); - - initmyaddr(); - isakmp_cleanup(); - isakmp_init(true, &tentative_failures); - HANDLE_TENTATIVE_INTF_FAILURES(); - initfds(); -#if TARGET_OS_EMBEDDED - if (no_remote_configs(TRUE)) { - EVT_PUSH(NULL, NULL, EVTT_RACOON_QUIT, NULL); - pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC); -#ifdef ENABLE_FASTQUIT - close_session(); -#else - sched_new(1, check_flushsa_stub, NULL); -#endif - dying = 1; - } -#endif - break; - - case SIGINT: - case SIGTERM: - plog(LLV_INFO, LOCATION, NULL, - "caught signal %d\n", sig); - EVT_PUSH(NULL, NULL, EVTT_RACOON_QUIT, NULL); - pfkey_send_flush(lcconf->sock_pfkey, - SADB_SATYPE_UNSPEC); - if ( sig == SIGTERM ){ - terminated = 1; /* in case if it hasn't been set yet */ - close_session(); - } - else - sched_new(1, check_flushsa_stub, NULL); - - dying = 1; - break; - - default: - plog(LLV_INFO, LOCATION, NULL, - "caught signal %d\n", sig); - break; - } - } -} /* * waiting the termination of processing until sending DELETE message @@ -680,7 +268,6 @@ static void check_flushsa_stub(p) void *p; { - check_flushsa(); } @@ -695,7 +282,7 @@ check_flushsa() buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); if (buf == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey_dump_sadb: returned nothing.\n"); return; } @@ -715,7 +302,7 @@ check_flushsa() } if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey_check (%s)\n", ipsec_strerror()); msg = next; continue; 
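Review bot: close_session(int error) never reads `error`: every path disables the launchd keepalive and ends in `exit(0)`, so the fatal_error(error) wrapper added in the later hunk at set_signal also produces a clean exit status, and launchd will not relaunch racoon after what the caller considered a fatal error. If relaunch after a fatal error is wanted, `(void)launchd_update_racoon_keepalive(error == 0);` and `exit(error == 0 ? 0 : 1);` express the intent; otherwise the parameter should be dropped. The `if ( terminated )` guard covers only the phase-2 flush and the phase-1 flush is unconditional, as before; if that is intentional, a brace or a one-line comment will stop the next reader from "fixing" it.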
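Review bot: Removing `check_flushsa();` leaves check_flushsa_stub as an empty callback, yet the SIGINT, auto_exit_do and embedded SIGHUP paths in this file still schedule it with `sched_new(1, check_flushsa_stub, NULL)` expecting it to poll the SADB and eventually call close_session(0). Unless check_flushsa is now driven from somewhere outside this diff, those shutdown paths call dying() and then never exit. Restoring the call, or scheduling check_flushsa directly, is the fix; the rest of check_flushsa_stub's body is outside the hunk.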
@@ -744,69 +331,201 @@ check_flushsa() return; } - close_session(); #if !TARGET_OS_EMBEDDED if (lcconf->vt) vproc_transaction_end(NULL, lcconf->vt); #endif + close_session(0); } void auto_exit_do(void *p) { - EVT_PUSH(NULL, NULL, EVTT_RACOON_QUIT, NULL); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "performing auto exit\n"); pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC); sched_new(1, check_flushsa_stub, NULL); - dying = 1; + dying(); } void check_auto_exit(void) { - if (lcconf->auto_exit_sched != NULL) { /* exit scheduled? */ + if (lcconf->auto_exit_sched) { /* exit scheduled? */ if (lcconf->auto_exit_state != LC_AUTOEXITSTATE_ENABLED - || vpn_control_connected() /* vpn control connected */ - || policies_installed() /* policies installed in kernel */ - || !no_remote_configs(FALSE)) /* remote or anonymous configs */ + || vpn_control_connected() /* vpn control connected */ + || policies_installed() /* policies installed in kernel */ + || !no_remote_configs(FALSE)) { /* remote or anonymous configs */ SCHED_KILL(lcconf->auto_exit_sched); + } } else { /* exit not scheduled */ if (lcconf->auto_exit_state == LC_AUTOEXITSTATE_ENABLED - && !vpn_control_connected() + && !vpn_control_connected() && !policies_installed() - && no_remote_configs(FALSE)) - if (lcconf->auto_exit_delay == 0) - auto_exit_do(NULL); /* immediate exit */ - else - lcconf->auto_exit_sched = sched_new(lcconf->auto_exit_delay, auto_exit_do, NULL); + && no_remote_configs(FALSE)) { + if (lcconf->auto_exit_delay == 0) { + auto_exit_do(NULL); /* immediate exit */ + } else { + lcconf->auto_exit_sched = sched_new(lcconf->auto_exit_delay, auto_exit_do, NULL); + } + } } } +static int signals[] = { + SIGHUP, + SIGINT, + SIGTERM, + SIGUSR1, + SIGUSR2, + SIGPIPE, + 0 +}; + static void +check_sigreq() +{ + int sig; + + /* + * XXX We are not able to tell if we got + * several time the same signal. This is + * not a problem for the current code, + * but we shall remember this limitation. 
+ */ + for (sig = 0; sig <= NSIG; sig++) { + if (sigreq[sig] == 0) + continue; + + sigreq[sig]--; + switch(sig) { + case 0: + return; + + /* Catch up childs, mainly scripts. + */ + + case SIGUSR1: + case SIGHUP: +#ifdef ENABLE_HYBRID + if ((isakmp_cfg_init(ISAKMP_CFG_INIT_WARM)) != 0) { + plog(ASL_LEVEL_ERR, + "ISAKMP mode config structure reset failed, " + "not reloading\n"); + return; + } +#endif + if ( terminated ) + break; + + /* + * if we got a HUP... try graceful teardown of sessions before we close and reopen sockets... + * so that info-deletes notifications can make it to the peer. + */ + if (sig == SIGHUP) { + ike_session_flush_all_phase2(true); + ike_session_flush_all_phase1(true); + } + + /* Save old configuration, load new one... */ + if (cfreparse(sig)) { + plog(ASL_LEVEL_ERR, + "configuration read failed\n"); + exit(1); + } + if (lcconf->logfile_param == NULL && logFileStr[0] == 0) + plogresetfile(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]); + +#if TARGET_OS_EMBEDDED + if (no_remote_configs(TRUE)) { + pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC); +#ifdef ENABLE_FASTQUIT + close_session(0); +#else + sched_new(1, check_flushsa_stub, NULL); +#endif + dying(); + } +#endif + + break; + + case SIGINT: + case SIGTERM: + plog(ASL_LEVEL_INFO, + "caught signal %d\n", sig); + pfkey_send_flush(lcconf->sock_pfkey, + SADB_SATYPE_UNSPEC); + if ( sig == SIGTERM ){ + terminated = 1; /* in case if it hasn't been set yet */ + close_session(0); + } + else + sched_new(1, check_flushsa_stub, NULL); + + dying(); + break; + + default: + plog(ASL_LEVEL_INFO, + "caught signal %d\n", sig); + break; + } + } +} + + +/* + * asynchronous requests will actually dispatched in the + * main loop in session(). 
+ */ +RETSIGTYPE +signal_handler(int sig, siginfo_t *sigi, void *ctx) +{ +#if 0 + plog(ASL_LEVEL_DEBUG, + "%s received signal %d from pid %d uid %d\n\n", + __FUNCTION__, sig, sigi->si_pid, sigi->si_uid); +#endif + + /* Do not just set it to 1, because we may miss some signals by just setting + * values to 0/1 + */ + sigreq[sig]++; + if ( sig == SIGTERM ){ + terminated = 1; + } + dispatch_async(main_queue, + ^{ + check_sigreq(); + }); +} + + +static int init_signal() { int i; - for (i = 0; signals[i] != 0; i++) + for (i = 0; signals[i] != 0; i++) { if (set_signal(signals[i], signal_handler) < 0) { - plog(LLV_ERROR2, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set_signal (%s)\n", strerror(errno)); - exit(1); + return (1); } + } + return 0; } static int -set_signal(sig, func) - int sig; - RETSIGTYPE (*func) __P((int, siginfo_t *, void *)); +set_signal(int sig, RETSIGTYPE (*func) (int, siginfo_t *, void *)) { struct sigaction sa; memset((caddr_t)&sa, 0, sizeof(sa)); - sa.sa_handler = func; + sa.sa_sigaction = func; sa.sa_flags = SA_RESTART | SA_SIGINFO; if (sigemptyset(&sa.sa_mask) < 0) @@ -818,17 +537,33 @@ set_signal(sig, func) return 0; } +void +fatal_error(int error) +{ + close_session(error == 0 ? -1 : error); +} + +/* suspend all socket sources except pf_key */ +void +dying(void) +{ + if (lcconf->rt_source) + dispatch_suspend(lcconf->rt_source); + if (lcconf->vpncontrol_source) + dispatch_suspend(lcconf->vpncontrol_source); + isakmp_suspend_sockets(); +} + static int close_sockets() { + pfroute_close(); isakmp_close(); - pfkey_close(lcconf->sock_pfkey); -#ifdef ENABLE_ADMINPORT - (void)admin_close(); -#endif + pfkey_close(); #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_close(); #endif + return 0; } diff --git a/ipsec-tools/racoon/session.h b/ipsec-tools/racoon/session.h index 3ee56c2..b17ca70 100644 --- a/ipsec-tools/racoon/session.h +++ b/ipsec-tools/racoon/session.h 
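Review bot: signal_handler now calls `dispatch_async(main_queue, ^{ check_sigreq(); })` from inside a C signal handler; dispatch_async is not documented as async-signal-safe and may allocate, so a signal that lands while the main thread is inside libdispatch or malloc can deadlock or corrupt state. The file already uses dispatch sources for the route and vpncontrol sockets, so a `DISPATCH_SOURCE_TYPE_SIGNAL` source per entry of `signals[]` (with the signal's disposition set to SIG_IGN, as those sources require) would deliver the same check_sigreq() call on main_queue with no handler at all. Separately, SIGCHLD was dropped from `signals[]` and the `wait()` case removed, but the `/* Catch up childs, mainly scripts. */` comment still sits above `case SIGUSR1:` and should go with it; if child scripts are still spawned, reaping them now needs another owner.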
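Review bot: dying() calls dispatch_suspend on `lcconf->rt_source` and `lcconf->vpncontrol_source` unconditionally, and it is reachable more than once in this file (auto_exit_do, then a later SIGINT/SIGTERM or the embedded SIGHUP path), so the suspend count can grow past one; suspend/resume are counted in libdispatch, and releasing a source that is still suspended is a programming error there. A guard at the top of dying(), `static int suspended; if (suspended) return; suspended = 1;`, keeps the count balanced. close_sockets() now returns 0 unconditionally without inspecting any result from pfroute_close/isakmp_close/pfkey_close; either propagate a failure or make the function void so the return value is not misread as a status.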
@@ -34,8 +34,10 @@ #include "handler.h" -extern int session __P((void)); -extern RETSIGTYPE signal_handler __P((int, siginfo_t *, void *)); -extern void check_auto_exit __P((void)); +extern void session (void); +extern RETSIGTYPE signal_handler (int, siginfo_t *, void *); +extern void check_auto_exit (void); +extern void dying (void); +extern void fatal_error (int); #endif /* _SESSION_H */ diff --git a/ipsec-tools/racoon/sockmisc.c b/ipsec-tools/racoon/sockmisc.c index 9deb6ab..33222c5 100644 --- a/ipsec-tools/racoon/sockmisc.c +++ b/ipsec-tools/racoon/sockmisc.c @@ -63,7 +63,6 @@ #include "sockmisc.h" #include "debug.h" #include "gcmalloc.h" -#include "debugrm.h" #include "libpfkey.h" #ifndef IP_IPSEC_POLICY @@ -245,9 +244,7 @@ cmpsaddrwild(addr1, addr2) * 1: not equal. */ int -cmpsaddrstrict(addr1, addr2) - const struct sockaddr_storage *addr1; - const struct sockaddr_storage *addr2; +cmpsaddrstrict(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2) { caddr_t sa1, sa2; u_short port1, port2; @@ -363,8 +360,7 @@ cmpsaddrstrict_withprefix(const struct sockaddr_storage *addr1, const struct soc /* get local address against the destination. */ struct sockaddr_storage * -getlocaladdr(remote) - struct sockaddr *remote; +getlocaladdr(struct sockaddr *remote) { struct sockaddr_storage *local; u_int local_len = sizeof(struct sockaddr); 
@@ -372,34 +368,33 @@ getlocaladdr(remote) /* allocate buffer */ if ((local = racoon_calloc(1, local_len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get address buffer.\n"); goto err; } /* get real interface received packet */ if ((s = socket(remote->sa_family, SOCK_DGRAM, 0)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "socket (%s)\n", strerror(errno)); goto err; } if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to put localaddr socket in non-blocking mode\n"); + plog(ASL_LEVEL_ERR, "failed to put localaddr socket in non-blocking mode\n"); } - + setsockopt_bypass(s, remote->sa_family); if (connect(s, remote, sysdep_sa_len(remote)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "connect (%s)\n", strerror(errno)); close(s); goto err; } if (getsockname(s, (struct sockaddr *)local, &local_len) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getsockname (%s)\n", strerror(errno)); close(s); return NULL; @@ -419,15 +414,14 @@ getlocaladdr(remote) * setsockopt() have already performed on socket. */ int -recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) - int s; - void *buf; - size_t buflen; - int flags; - struct sockaddr_storage *from; - socklen_t *fromlen; - struct sockaddr_storage *to; - u_int *tolen; +recvfromto(int s, + void *buf, + size_t buflen, + int flags, + struct sockaddr_storage *from, + socklen_t *fromlen, + struct sockaddr_storage *to, + u_int *tolen) { int otolen; ssize_t len; @@ -445,8 +439,8 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) #endif len = sizeof(ss); - if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if (getsockname(s, (struct sockaddr *)&ss, (socklen_t*)&len) < 0) { + plog(ASL_LEVEL_ERR, "getsockname (%s)\n", strerror(errno)); return -1; } 
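Review bot: The new `setsockopt_bypass(s, remote->sa_family);` call in getlocaladdr discards its return value, so when the bypass policy cannot be applied the lookup socket silently falls under whatever IPsec policy is installed and the connect()/getsockname() pair may yield a different address or none; the function already has an `err:` label, so `if (setsockopt_bypass(s, remote->sa_family) < 0) { close(s); goto err; }` is the consistent handling. The getsockname failure branch below still does `close(s); return NULL;` rather than `goto err`, which leaks the `local` buffer allocated at the top of the hunk (presumably `err:` frees it); that branch is context here, so the leak is pre-existing, but it is two lines from the new call.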
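Review bot: `getsockname(s, (struct sockaddr *)&ss, (socklen_t*)&len)` in recvfromto hides a width mismatch behind a cast: `len` is declared `ssize_t` in the context above, so getsockname reads and writes only the low 32 bits of an 8-byte object; the result is right only on little-endian targets and it is an aliasing violation on all of them. Declare a proper length, `socklen_t sslen = sizeof(ss);`, pass `&sslen`, and keep `len` for the recvmsg result. The same cast is added in sendfromto in the hunk at old line 558.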
@@ -464,8 +458,7 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) while ((len = recvmsg(s, &m, flags)) < 0) { if (errno == EINTR) continue; - plog(LLV_ERROR, LOCATION, NULL, - "recvmsg (%s)\n", strerror(errno)); + plog(ASL_LEVEL_ERR, "recvmsg (%s)\n", strerror(errno)); return -1; } if (len == 0) { @@ -479,7 +472,7 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) m.msg_controllen != 0 && cm && cm != cm_prev; cm_prev = cm, cm = (struct cmsghdr *)CMSG_NXTHDR(&m, cm)) { #if 0 - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cmsg %d %d\n", cm->cmsg_level, cm->cmsg_type);) #endif #if defined(INET6) && defined(INET6_ADVAPI) @@ -540,7 +533,7 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) continue; } } - + plogdump(ASL_LEVEL_DEBUG, buf, buflen, "@@@@@@ data from readmsg:\n"); return len; } @@ -558,27 +551,27 @@ sendfromto(s, buf, buflen, src, dst, cnt) int i; if (src->ss_family != dst->ss_family) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "address family mismatch\n"); return -1; } len = sizeof(ss); - if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if (getsockname(s, (struct sockaddr *)&ss, (socklen_t*)&len) < 0) { + plog(ASL_LEVEL_ERR, "getsockname (%s)\n", strerror(errno)); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "sockname %s\n", saddr2str((struct sockaddr *)&ss)); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "send packet from %s\n", saddr2str((struct sockaddr *)src)); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "send packet to %s\n", saddr2str((struct sockaddr *)dst)); if (src->ss_family != ss.ss_family) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "address family mismatch\n"); return -1; } 
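Review bot: `plogdump(ASL_LEVEL_DEBUG, buf, buflen, "@@@@@@ data from readmsg:\n");` added before `return len;` in recvfromto dumps the caller's whole buffer, but recvmsg only filled `len` bytes, so at debug level the log receives whatever stale or uninitialized bytes follow the datagram. Use `(size_t)len` instead of `buflen`; the `len == 0` case is handled a few lines above, so `len` is positive at this point. The corresponding dump in sendfromto is right to use `buflen`, because there it is the message length.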
@@ -630,19 +623,19 @@ sendfromto(s, buf, buflen, src, dst, cnt) memcpy(&pi->ipi6_addr, &src6.sin6_addr, sizeof(src6.sin6_addr)); pi->ipi6_ifindex = ifindex; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "src6 %s %d\n", saddr2str((struct sockaddr *)&src6), src6.sin6_scope_id); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "dst6 %s %d\n", saddr2str((struct sockaddr *)&dst6), dst6.sin6_scope_id); - + for (i = 0; i < cnt; i++) { len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/); if (len < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "sendmsg (%s)\n", strerror(errno)); if (errno != EHOSTUNREACH && errno != ENETDOWN && errno != ENETUNREACH) { return -1; @@ -651,12 +644,11 @@ sendfromto(s, buf, buflen, src, dst, cnt) // packet loss, in case the network interface is flaky len = 0; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%d times of %d bytes message will be sent " "to %s\n", i + 1, len, saddr2str((struct sockaddr *)dst)); } - plogdump(LLV_DEBUG, (char *)buf, buflen); return len; } @@ -680,18 +672,17 @@ sendfromto(s, buf, buflen, src, dst, cnt) */ sendsock = socket(src->ss_family, SOCK_DGRAM, 0); if (sendsock < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "socket (%s)\n", strerror(errno)); return -1; } if (fcntl(sendsock, F_SETFL, O_NONBLOCK) == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to put sendsock socket in non-blocking mode\n"); + plog(ASL_LEVEL_ERR, "failed to put sendsock socket in non-blocking mode\n"); } if (setsockopt(sendsock, SOL_SOCKET, SO_REUSEPORT, (void *)&yes, sizeof(yes)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "setsockopt SO_REUSEPORT (%s)\n", strerror(errno)); close(sendsock); 
@@ -701,7 +692,7 @@ sendfromto(s, buf, buflen, src, dst, cnt) if (src->ss_family == AF_INET6 && setsockopt(sendsock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, (void *)&yes, sizeof(yes)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "setsockopt IPV6_USE_MIN_MTU (%s)\n", strerror(errno)); close(sendsock); @@ -714,35 +705,37 @@ sendfromto(s, buf, buflen, src, dst, cnt) } if (bind(sendsock, (struct sockaddr *)src, sysdep_sa_len((struct sockaddr *)src)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "bind 1 (%s)\n", strerror(errno)); close(sendsock); return -1; } needclose = 1; } - - for (i = 0; i < cnt; i++) { + + plogdump(ASL_LEVEL_DEBUG, (void*)buf, buflen, "@@@@@@ data being sent:\n"); + + for (i = 0; i < cnt; i++) { len = sendto(sendsock, buf, buflen, 0, (struct sockaddr *)dst, sysdep_sa_len((struct sockaddr *)dst)); if (len < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "sendto (%s)\n", strerror(errno)); if (errno != EHOSTUNREACH && errno != ENETDOWN && errno != ENETUNREACH) { if (needclose) close(sendsock); return -1; } - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "treating socket error (%s) like packet loss\n", strerror(errno)); // else treat these failures like a packet loss len = 0; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%d times of %d bytes message will be sent " "to %s\n", i + 1, len, saddr2str((struct sockaddr *)dst)); } - plogdump(LLV_DEBUG, (char *)buf, buflen); + //plog(ASL_LEVEL_DEBUG, "sent %d bytes", buflen); if (needclose) close(sendsock); @@ -753,8 +746,7 @@ sendfromto(s, buf, buflen, src, dst, cnt) } int -setsockopt_bypass(so, family) - int so, family; +setsockopt_bypass(int so, int family) { int level; char *buf; @@ -770,7 +762,7 @@ setsockopt_bypass(so, family) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unsupported address family %d\n", family); return -1; } 
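Review bot: The sendto loop hunk replaces the old `plogdump` with a commented-out `//plog(ASL_LEVEL_DEBUG, "sent %d bytes", buflen);`; commented-out code should be deleted rather than kept, and the new plogdump before the loop already covers the data. The `"%d times of %d bytes"` format receives `len` from sendto; if `len` is declared `ssize_t` here as it is in recvfromto, `%zd` is the matching specifier. sendfromto's body continues outside the hunk.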
@@ -778,7 +770,7 @@ setsockopt_bypass(so, family) policy = "in bypass"; buf = ipsec_set_policy(policy, strlen(policy)); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ipsec_set_policy (%s)\n", ipsec_strerror()); return -1; @@ -787,7 +779,7 @@ setsockopt_bypass(so, family) (level == IPPROTO_IP ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY), buf, ipsec_get_policylen(buf)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "setsockopt IP_IPSEC_POLICY (%s)\n", strerror(errno)); return -1; @@ -797,7 +789,7 @@ setsockopt_bypass(so, family) policy = "out bypass"; buf = ipsec_set_policy(policy, strlen(policy)); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ipsec_set_policy (%s)\n", ipsec_strerror()); return -1; @@ -806,7 +798,7 @@ setsockopt_bypass(so, family) (level == IPPROTO_IP ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY), buf, ipsec_get_policylen(buf)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "setsockopt IP_IPSEC_POLICY (%s)\n", strerror(errno)); return -1; @@ -817,13 +809,12 @@ setsockopt_bypass(so, family) } struct sockaddr_storage * -newsaddr(len) - int len; +newsaddr(int len) { struct sockaddr_storage *new; - if ((new = racoon_calloc(1, len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + if ((new = racoon_calloc(1, sizeof(*new))) == NULL) { + plog(ASL_LEVEL_ERR, "%s\n", strerror(errno)); goto out; } 
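Review bot: newsaddr(int len) now allocates `sizeof(*new)` and never reads `len`, so the parameter is dead while callers such as str2saddr in this file still pass `sizeof(*saddr)`; either drop the parameter and its prototype, or keep honouring it as a bound, `if (len <= 0 || (size_t)len > sizeof(*new)) return NULL;`. At minimum a comment at the signature, `/* len is ignored; a full sockaddr_storage is always allocated */`, stops a future caller from relying on it. The remainder of newsaddr is outside the hunk.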
@@ -834,26 +825,23 @@ out: } struct sockaddr_storage * -dupsaddr(src) - struct sockaddr *src; +dupsaddr(struct sockaddr_storage *addr) { - struct sockaddr_storage *dst; + struct sockaddr_storage *new; - dst = racoon_calloc(1, sysdep_sa_len(src)); - if (dst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "%s\n", strerror(errno)); + new = racoon_calloc(1, sizeof(*new)); + if (new == NULL) { + plog(ASL_LEVEL_ERR, "%s\n", strerror(errno)); return NULL; } - memcpy(dst, src, sysdep_sa_len(src)); - - return dst; + memcpy(new, addr, addr->ss_len); + + return new; } char * -saddr2str(saddr) - const struct sockaddr *saddr; +saddr2str(const struct sockaddr *saddr) { static char buf[NI_MAXHOST + NI_MAXSERV + 10]; char addr[NI_MAXHOST], port[NI_MAXSERV]; @@ -874,9 +862,7 @@ saddr2str(saddr) } char * -saddr2str_with_prefix(saddr, prefix) -const struct sockaddr *saddr; -int prefix; +saddr2str_with_prefix(const struct sockaddr *saddr, int prefix) { static char buf[NI_MAXHOST + NI_MAXSERV + 10]; char addr[NI_MAXHOST], port[NI_MAXSERV]; @@ -898,8 +884,7 @@ int prefix; char * -saddrwop2str(saddr) - const struct sockaddr *saddr; +saddrwop2str(const struct sockaddr *saddr) { static char buf[NI_MAXHOST + NI_MAXSERV + 10]; char addr[NI_MAXHOST]; @@ -990,9 +975,7 @@ saddr2str_fromto(format, saddr, daddr) } struct sockaddr_storage * -str2saddr(host, port) - char *host; - char *port; +str2saddr(char *host, char *port) { struct addrinfo hints, *res; struct sockaddr_storage *saddr; @@ -1004,14 +987,14 @@ str2saddr(host, port) hints.ai_flags = AI_NUMERICHOST; error = getaddrinfo(host, port, &hints, &res); if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getaddrinfo(%s%s%s): %s\n", host, port ? "," : "", port ? port : "", gai_strerror(error)); return NULL; } if (res->ai_next != NULL) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "getaddrinfo(%s%s%s): " "resolved to multiple address, " "taking the first one\n", 
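Review bot: dupsaddr now copies `addr->ss_len` bytes into an allocation of `sizeof(*new)` bytes; ss_len is an 8-bit field that can hold up to 255 while sockaddr_storage is 128 bytes, so a malformed or partially filled sockaddr whose length was never validated (one handed over from the kernel or parsed from a peer message) overflows the heap allocation. Bound the copy, `if (addr->ss_len > sizeof(*new)) { /* release new */ return NULL; }` before the memcpy, or copy at most `sizeof(*new)`. The old code sized both the allocation and the copy from sysdep_sa_len(src), which kept the two consistent.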
@@ -1019,7 +1002,7 @@ str2saddr(host, port) } saddr = newsaddr(sizeof(*saddr)); if (saddr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate buffer.\n"); freeaddrinfo(res); return NULL; @@ -1051,13 +1034,13 @@ mask_sockaddr(a, b, l) break; #endif default: - plog(LLV_ERROR2, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid address family: %d\n", b->ss_family); exit(1); } if ((alen << 3) < l) { - plog(LLV_ERROR2, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unexpected inconsistency: %d %zu\n", b->ss_family, l); exit(1); } @@ -1088,7 +1071,7 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr) int port_score; if (!naddr || !saddr) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Call with null args: naddr=%p, saddr=%p\n", naddr, saddr); return -1; @@ -1114,7 +1097,7 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr) /* Here it comes - compare network addresses. */ mask_sockaddr(&sa, saddr, naddr->prefix); - if (loglevel >= LLV_DEBUG) { /* debug only */ + if (loglevel >= ASL_LEVEL_DEBUG) { /* debug only */ char *a1, *a2, *a3; a1 = racoon_strdup(naddrwop2str(naddr)); a2 = racoon_strdup(saddrwop2str((struct sockaddr *)saddr)); @@ -1122,7 +1105,7 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr) STRDUP_FATAL(a1); STRDUP_FATAL(a2); STRDUP_FATAL(a3); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "naddr=%s, saddr=%s (masked=%s)\n", a1, a2, a3); free(a1); @@ -1135,7 +1118,7 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr) return -1; } -/* Some usefull functions for sockaddr_storage port manipulations. */ +/* Some useful functions for sockaddr_storage port manipulations. */ u_int16_t extract_port (const struct sockaddr_storage *addr) { 
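Review bot: The naddr_score hunk changes the debug gate to `if (loglevel >= ASL_LEVEL_DEBUG)`, which only works if the global `loglevel` is now stored in ASL units; if it still holds the old LLV scale, the comparison is never true and the masked-address dump silently disappears. Nothing on this page shows how `loglevel` is set, so this is worth confirming at the definition. A comment at the gate, `/* loglevel is in ASL units; ASL_LEVEL_DEBUG is the most verbose */`, would make the intended ordering explicit for the next reader. naddr_score begins before this hunk and continues past it.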
@@ -1152,7 +1135,7 @@ extract_port (const struct sockaddr_storage *addr) port = ((struct sockaddr_in6 *)addr)->sin6_port; break; default: - plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->ss_family); + plog(ASL_LEVEL_ERR, "unknown AF: %u\n", addr->ss_family); break; } @@ -1175,7 +1158,7 @@ get_port_ptr (struct sockaddr_storage *addr) port_ptr = &(((struct sockaddr_in6 *)addr)->sin6_port); break; default: - plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->ss_family); + plog(ASL_LEVEL_ERR, "unknown AF: %u\n", addr->ss_family); return NULL; break; } diff --git a/ipsec-tools/racoon/sockmisc.h b/ipsec-tools/racoon/sockmisc.h index 557d345..d4e935d 100644 --- a/ipsec-tools/racoon/sockmisc.h +++ b/ipsec-tools/racoon/sockmisc.h @@ -43,11 +43,10 @@ struct netaddr { extern const int niflags; -extern int cmpsaddrwop __P((const struct sockaddr_storage *, const struct sockaddr_storage *)); +extern int cmpsaddrwop (const struct sockaddr_storage *, const struct sockaddr_storage *); extern int cmpsaddrwop_withprefix(const struct sockaddr_storage *, const struct sockaddr_storage *, int); - -extern int cmpsaddrwild __P((const struct sockaddr_storage *, const struct sockaddr_storage *)); -extern int cmpsaddrstrict __P((const struct sockaddr_storage *, const struct sockaddr_storage *)); +extern int cmpsaddrwild (const struct sockaddr_storage *, const struct sockaddr_storage *); +extern int cmpsaddrstrict (const struct sockaddr_storage *, const struct sockaddr_storage *); extern int cmpsaddrstrict_withprefix(const struct sockaddr_storage *, const struct sockaddr_storage *, int); #ifdef ENABLE_NATT 
@@ -58,36 +57,36 @@ extern int cmpsaddrstrict_withprefix(const struct sockaddr_storage *, const stru #define CMPSADDR2(saddr1, saddr2) cmpsaddrwop((saddr1), (saddr2)) #endif -extern struct sockaddr_storage *getlocaladdr __P((struct sockaddr *)); +extern struct sockaddr_storage *getlocaladdr (struct sockaddr *); -extern int recvfromto __P((int, void *, size_t, int, - struct sockaddr_storage *, socklen_t *, struct sockaddr_storage *, unsigned int *)); -extern int sendfromto __P((int, const void *, size_t, - struct sockaddr_storage *, struct sockaddr_storage *, int)); +extern int recvfromto (int, void *, size_t, int, + struct sockaddr_storage *, socklen_t *, struct sockaddr_storage *, unsigned int *); +extern int sendfromto (int, const void *, size_t, + struct sockaddr_storage *, struct sockaddr_storage *, int); -extern int setsockopt_bypass __P((int, int)); +extern int setsockopt_bypass (int, int); -extern struct sockaddr_storage *newsaddr __P((int)); -extern struct sockaddr_storage *dupsaddr __P((struct sockaddr *)); -extern char *saddr2str __P((const struct sockaddr *)); +extern struct sockaddr_storage *newsaddr (int); +extern struct sockaddr_storage *dupsaddr (struct sockaddr_storage *); +extern char *saddr2str (const struct sockaddr *); extern char *saddr2str_with_prefix __P((const struct sockaddr *, int)); -extern char *saddrwop2str __P((const struct sockaddr *)); -extern char *saddr2str_fromto __P((const char *format, +extern char *saddrwop2str (const struct sockaddr *); +extern char *saddr2str_fromto (const char *format, const struct sockaddr *saddr, - const struct sockaddr *daddr)); -extern struct sockaddr_storage *str2saddr __P((char *, char *)); -extern void mask_sockaddr __P((struct sockaddr_storage *, const struct sockaddr_storage *, - size_t)); + const struct sockaddr *daddr); +extern struct sockaddr_storage *str2saddr (char *, char *); +extern void mask_sockaddr (struct sockaddr_storage *, const struct sockaddr_storage *, + size_t); /* struct netaddr 
functions */ -extern char *naddrwop2str __P((const struct netaddr *naddr)); -extern char *naddrwop2str_fromto __P((const char *format, const struct netaddr *saddr, - const struct netaddr *daddr)); +extern char *naddrwop2str (const struct netaddr *naddr); +extern char *naddrwop2str_fromto (const char *format, const struct netaddr *saddr, + const struct netaddr *daddr); extern int naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr); /* Some usefull functions for sockaddr port manipulations. */ -extern u_int16_t extract_port __P((const struct sockaddr_storage *addr)); -extern u_int16_t *set_port __P((struct sockaddr_storage *addr, u_int16_t new_port)); -extern u_int16_t *get_port_ptr __P((struct sockaddr_storage *addr)); +extern u_int16_t extract_port (const struct sockaddr_storage *addr); +extern u_int16_t *set_port (struct sockaddr_storage *addr, u_int16_t new_port); +extern u_int16_t *get_port_ptr (struct sockaddr_storage *addr); #endif /* _SOCKMISC_H */ diff --git a/ipsec-tools/racoon/str2val.h b/ipsec-tools/racoon/str2val.h index 4c286cc..fa63801 100644 --- a/ipsec-tools/racoon/str2val.h +++ b/ipsec-tools/racoon/str2val.h @@ -32,7 +32,7 @@ #ifndef _STR2VAL_H #define _STR2VAL_H -extern caddr_t val2str __P((const char *, size_t)); -extern char *str2val __P((const char *, int, size_t *)); +extern caddr_t val2str (const char *, size_t); +extern char *str2val (const char *, int, size_t *); #endif /* _STR2VAL_H */ diff --git a/ipsec-tools/racoon/strnames.c b/ipsec-tools/racoon/strnames.c index ad6fea3..7f6733f 100644 --- a/ipsec-tools/racoon/strnames.c +++ b/ipsec-tools/racoon/strnames.c @@ -55,6 +55,7 @@ #include "misc.h" #include "vmbuf.h" #include "plog.h" +#include "fsm.h" #include "isakmp_var.h" #include "isakmp.h" @@ -69,11 +70,12 @@ #include "pfkey.h" #include "strnames.h" #include "algorithm.h" +#include "ikev2_rfc.h" struct ksmap { int key; char *str; - char *(*f) __P((int)); + char *(*f) (int); }; char * 
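Review bot: One prototype in the sockmisc.h hunk was missed by the `__P` removal: `extern char *saddr2str_with_prefix __P((const struct sockaddr *, int));` sits between converted declarations and should become `extern char *saddr2str_with_prefix (const struct sockaddr *, int);`. As written the header still depends on the `__P` macro; if its definition is dropped as part of the same cleanup, this line stops compiling. The newsaddr declaration also keeps an `int` length that the new definition on this page ignores; either document in the header that the length is unused or remove it.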
@@ -92,107 +94,94 @@ char * s_isakmp_state(t, d, s) int t, d, s; { - switch (t) { - case ISAKMP_ETYPE_AGG: - switch (d) { - case INITIATOR: - switch (s) { - case PHASE1ST_MSG1SENT: - return "agg I msg1"; - case PHASE1ST_ESTABLISHED: - return "agg I msg2"; - default: - break; - } - case RESPONDER: - switch (s) { - case PHASE1ST_MSG1SENT: - return "agg R msg1"; - default: - break; - } - } - break; - case ISAKMP_ETYPE_BASE: - switch (d) { - case INITIATOR: - switch (s) { - case PHASE1ST_MSG1SENT: - return "base I msg1"; - case PHASE1ST_MSG2SENT: - return "base I msg2"; - default: - break; - } - case RESPONDER: - switch (s) { - case PHASE1ST_MSG1SENT: - return "base R msg1"; - case PHASE1ST_ESTABLISHED: - return "base R msg2"; - default: - break; - } - } - break; - case ISAKMP_ETYPE_IDENT: - switch (d) { - case INITIATOR: - switch (s) { - case PHASE1ST_MSG1SENT: - return "ident I msg1"; - case PHASE1ST_MSG2SENT: - return "ident I msg2"; - case PHASE1ST_MSG3SENT: - return "ident I msg3"; - default: - break; - } - case RESPONDER: - switch (s) { - case PHASE1ST_MSG1SENT: - return "ident R msg1"; - case PHASE1ST_MSG2SENT: - return "ident R msg2"; - case PHASE1ST_ESTABLISHED: - return "ident R msg3"; - default: - break; - } - } - break; - case ISAKMP_ETYPE_QUICK: - switch (d) { - case INITIATOR: - switch (s) { - case PHASE2ST_MSG1SENT: - return "quick I msg1"; - case PHASE2ST_ADDSA: - return "quick I msg2"; - default: - break; - } - case RESPONDER: - switch (s) { - case PHASE2ST_MSG1SENT: - return "quick R msg1"; - case PHASE2ST_COMMIT: - return "quick R msg2"; - default: - break; - } - } - break; - default: - case ISAKMP_ETYPE_NONE: - case ISAKMP_ETYPE_AUTH: - case ISAKMP_ETYPE_INFO: - case ISAKMP_ETYPE_NEWGRP: - case ISAKMP_ETYPE_ACKINFO: - break; - } - /*NOTREACHED*/ - + switch (s) { + case IKEV1_STATE_PHASE1_ESTABLISHED: + return "Phase 1 Established"; + case IKEV1_STATE_PHASE2_ESTABLISHED: + return "Phase 2 established"; + case IKEV1_STATE_PHASE1_EXPIRED: + return 
"Phase 1 expired"; + case IKEV1_STATE_PHASE2_EXPIRED: + return "Phase 2 expired"; + case IKEV1_STATE_INFO: + return "IKEv1 info"; + case IKEV1_STATE_IDENT_I_START: + return "IKEv1 ident I start"; + case IKEV1_STATE_IDENT_I_MSG1SENT: + return "IKEv1 ident I msg1 sent"; + case IKEV1_STATE_IDENT_I_MSG2RCVD: + return "IKEv1 ident I msg2 rcvd"; + case IKEV1_STATE_IDENT_I_MSG3SENT: + return "IKEv1 ident I msg3 sent"; + case IKEV1_STATE_IDENT_I_MSG4RCVD: + return "IKEv1 ident I msg4 rcvd"; + case IKEV1_STATE_IDENT_I_MSG5SENT: + return "IKEv1 ident I msg5 sent"; + case IKEV1_STATE_IDENT_I_MSG6RCVD: + return "IKEv1 ident I msg6 rcvd"; + + case IKEV1_STATE_IDENT_R_START: + return "IKEv1 ident R start"; + case IKEV1_STATE_IDENT_R_MSG1RCVD: + return "IKEv1 ident R msg1 rcvd"; + case IKEV1_STATE_IDENT_R_MSG2SENT: + return "IKEv1 ident R msg2 sent"; + case IKEV1_STATE_IDENT_R_MSG3RCVD: + return "IKEv1 ident R msg3 rcvd"; + case IKEV1_STATE_IDENT_R_MSG4SENT: + return "IKEv1 ident R msg4 sent"; + case IKEV1_STATE_IDENT_R_MSG5RCVD: + return "IKEv1 ident R msg5 rcvd"; + + case IKEV1_STATE_AGG_I_START: + return "IKEv1 agg I start"; + case IKEV1_STATE_AGG_I_MSG1SENT: + return "IKEv1 agg I msg1 sent"; + case IKEV1_STATE_AGG_I_MSG2RCVD: + return "IKEv1 agg I msg2 rcvd"; + case IKEV1_STATE_AGG_I_MSG3SENT: + return "IKEv1 agg I msg3 sent"; + case IKEV1_STATE_AGG_R_START: + return "IKEv1 agg R start"; + case IKEV1_STATE_AGG_R_MSG1RCVD: + return "IKEv1 agg R msg1 rcvd"; + case IKEV1_STATE_AGG_R_MSG2SENT: + return "IKEv1 agg R msg2 sent"; + case IKEV1_STATE_AGG_R_MSG3RCVD: + return "IKEv1 agg R msg3 rcvd"; + + case IKEV1_STATE_QUICK_I_START: + return "IKEv1 quick I start"; + case IKEV1_STATE_QUICK_I_GETSPISENT: + return "IKEv1 quick I getspi sent"; + case IKEV1_STATE_QUICK_I_GETSPIDONE: + return "IKEv1 quick I getspi done"; + case IKEV1_STATE_QUICK_I_MSG1SENT: + return "IKEv1 quick I msg1 sent"; + case IKEV1_STATE_QUICK_I_MSG2RCVD: + return "IKEv1 quick I msg2 rcvd"; + case 
IKEV1_STATE_QUICK_I_MSG3SENT: + return "IKEv1 quick I msg3 sent"; + case IKEV1_STATE_QUICK_I_ADDSA: + return "IKEv1 quick I addsa"; + case IKEV1_STATE_QUICK_R_START: + return "IKEv1 quick R start"; + case IKEV1_STATE_QUICK_R_MSG1RCVD: + return "IKEv1 quick R msg1 rcvd"; + case IKEV1_STATE_QUICK_R_GETSPISENT: + return "IKEv1 quick R getspi sent"; + case IKEV1_STATE_QUICK_R_GETSPIDONE: + return "IKEv1 quick R getspi done"; + case IKEV1_STATE_QUICK_R_MSG2SENT: + return "IKEv1 quick R msg2 sent"; + case IKEV1_STATE_QUICK_R_MSG3RCVD: + return "IKEv1 quick R msg3 rcvd"; + case IKEV1_STATE_QUICK_R_COMMIT: + return "IKEv1 quick R commit"; + case IKEV1_STATE_QUICK_R_ADDSA: + return "IKEv1 quick R addsa"; + + } return "???"; } @@ -716,9 +705,6 @@ static struct ksmap name_attr_isakmp_method[] = { { OAKLEY_ATTR_AUTH_METHOD_RSAREV, "Revised encryption with RSA", NULL }, { OAKLEY_ATTR_AUTH_METHOD_EGENC, "Encryption with El-Gamal", NULL }, { OAKLEY_ATTR_AUTH_METHOD_EGREV, "Revised encryption with El-Gamal", NULL }, -#ifdef HAVE_GSSAPI -{ OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB, "GSS-API on Kerberos 5", NULL }, -#endif #ifdef ENABLE_HYBRID { OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R, "Hybrid DSS server", NULL }, { OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R, "Hybrid RSA server", NULL }, diff --git a/ipsec-tools/racoon/strnames.h b/ipsec-tools/racoon/strnames.h index 02ebbb5..9693dff 100644 --- a/ipsec-tools/racoon/strnames.h +++ b/ipsec-tools/racoon/strnames.h 
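Review bot: The rewritten s_isakmp_state switches only on `s`, so the `t` (exchange type) and `d` (direction) parameters are now dead but remain in the signature and in the K&R definition `s_isakmp_state(t, d, s) int t, d, s;`, in a commit that converts the rest of the tree to prototypes. Add `(void)t; (void)d;` with a comment that the IKEV1_STATE_* values already encode exchange and direction, or narrow the function to `char *s_isakmp_state(int s)` and update strnames.h and the callers. The switch has no `default:`; falling out to `return "???"` works, but an explicit `default: break;` makes the intent clear. The first two strings are also inconsistently capitalised (`Phase 1 Established` vs `Phase 2 established`).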
@@ -34,47 +34,47 @@ #ifndef _STRNAMES_H #define _STRNAMES_H -extern char *num2str __P((int n)); +extern char *num2str (int n); -extern char *s_isakmp_state __P((int, int, int)); -extern char *s_isakmp_certtype __P((int)); -extern char *s_isakmp_etype __P((int)); -extern char *s_isakmp_notify_msg __P((int)); -extern char *s_isakmp_nptype __P((int)); -extern char *s_ipsecdoi_proto __P((int)); -extern char *s_ipsecdoi_trns_isakmp __P((int)); -extern char *s_ipsecdoi_trns_ah __P((int)); -extern char *s_ipsecdoi_trns_esp __P((int)); -extern char *s_ipsecdoi_trns_ipcomp __P((int)); -extern char *s_ipsecdoi_trns __P((int, int)); -extern char *s_ipsecdoi_attr __P((int)); -extern char *s_ipsecdoi_ltype __P((int)); -extern char *s_ipsecdoi_encmode __P((int)); -extern char *s_ipsecdoi_auth __P((int)); -extern char *s_ipsecdoi_attr_v __P((int, int)); -extern char *s_ipsecdoi_ident __P((int)); -extern char *s_oakley_attr __P((int)); -extern char *s_attr_isakmp_enc __P((int)); -extern char *s_attr_isakmp_hash __P((int)); -extern char *s_oakley_attr_method __P((int)); -extern char *s_attr_isakmp_desc __P((int)); -extern char *s_attr_isakmp_group __P((int)); -extern char *s_attr_isakmp_ltype __P((int)); -extern char *s_oakley_attr_v __P((int, int)); -extern char *s_ipsec_level __P((int)); -extern char *s_algclass __P((int)); -extern char *s_algtype __P((int, int)); -extern char *s_pfkey_type __P((int)); -extern char *s_pfkey_satype __P((int)); -extern char *s_direction __P((int)); -extern char *s_proto __P((int)); -extern char *s_doi __P((int)); -extern char *s_etype __P((int)); -extern char *s_idtype __P((int)); -extern char *s_switch __P((int)); +extern char *s_isakmp_state (int, int, int); +extern char *s_isakmp_certtype (int); +extern char *s_isakmp_etype (int); +extern char *s_isakmp_notify_msg (int); +extern char *s_isakmp_nptype (int); +extern char *s_ipsecdoi_proto (int); +extern char *s_ipsecdoi_trns_isakmp (int); +extern char *s_ipsecdoi_trns_ah (int); +extern char 
*s_ipsecdoi_trns_esp (int); +extern char *s_ipsecdoi_trns_ipcomp (int); +extern char *s_ipsecdoi_trns (int, int); +extern char *s_ipsecdoi_attr (int); +extern char *s_ipsecdoi_ltype (int); +extern char *s_ipsecdoi_encmode (int); +extern char *s_ipsecdoi_auth (int); +extern char *s_ipsecdoi_attr_v (int, int); +extern char *s_ipsecdoi_ident (int); +extern char *s_oakley_attr (int); +extern char *s_attr_isakmp_enc (int); +extern char *s_attr_isakmp_hash (int); +extern char *s_oakley_attr_method (int); +extern char *s_attr_isakmp_desc (int); +extern char *s_attr_isakmp_group (int); +extern char *s_attr_isakmp_ltype (int); +extern char *s_oakley_attr_v (int, int); +extern char *s_ipsec_level (int); +extern char *s_algclass (int); +extern char *s_algtype (int, int); +extern char *s_pfkey_type (int); +extern char *s_pfkey_satype (int); +extern char *s_direction (int); +extern char *s_proto (int); +extern char *s_doi (int); +extern char *s_etype (int); +extern char *s_idtype (int); +extern char *s_switch (int); #ifdef ENABLE_HYBRID -extern char *s_isakmp_cfg_type __P((int)); -extern char *s_isakmp_cfg_ptype __P((int)); +extern char *s_isakmp_cfg_type (int); +extern char *s_isakmp_cfg_ptype (int); #endif #endif /* _STRNAMES_H */ diff --git a/ipsec-tools/racoon/throttle.c b/ipsec-tools/racoon/throttle.c index 753470f..5103204 100644 --- a/ipsec-tools/racoon/throttle.c +++ b/ipsec-tools/racoon/throttle.c @@ -128,7 +128,7 @@ restart: if (!found) { if (authfail) { if ((te = throttle_add(addr)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Throttle insertion failed\n"); return (time(NULL) + isakmp_cfg_config.auth_throttle); diff --git a/ipsec-tools/racoon/throttle.h b/ipsec-tools/racoon/throttle.h index 1dda58a..6390f6f 100644 --- a/ipsec-tools/racoon/throttle.h +++ b/ipsec-tools/racoon/throttle.h 
@@ -43,7 +43,7 @@ TAILQ_HEAD(throttle_list, throttle_entry); #define THROTTLE_PENALTY 1 #define THROTTLE_PENALTY_MAX 10 -struct throttle_entry *throttle_add(struct sockaddr_storage *); -int throttle_host(struct sockaddr_storage *, int); +struct throttle_entry *throttle_add (struct sockaddr_storage *); +int throttle_host (struct sockaddr_storage *, int); #endif /* _THROTTLE_H */ diff --git a/ipsec-tools/racoon/vendorid.c b/ipsec-tools/racoon/vendorid.c index 8e3f43a..ca6f67b 100644 --- a/ipsec-tools/racoon/vendorid.c +++ b/ipsec-tools/racoon/vendorid.c @@ -140,7 +140,7 @@ compute_vendorids (void) if(i == VENDORID_DPD){ all_vendor_ids[i].hash = vmalloc(sizeof(vendorid_dpd_hash)); if (all_vendor_ids[i].hash == NULL) { - plog(LLV_ERROR2, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to get memory for VID hash\n"); exit(1); /* this really shouldn't happen */ } @@ -154,7 +154,7 @@ compute_vendorids (void) all_vendor_ids[i].hash = eay_md5_one(&vid); if (all_vendor_ids[i].hash == NULL) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to hash vendor ID string\n"); /* Special cases */ @@ -183,7 +183,7 @@ set_vendorid(int vendorid) current = lookup_vendor_id_by_id(vendorid); if (current == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid vendor ID index: %d\n", vendorid); return (NULL); } @@ -216,19 +216,18 @@ check_vendorid(struct isakmp_gen *gen) goto unknown; if (current->hash->l < vidlen) - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "received broken Microsoft ID: %s\n", current->string); else - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "received Vendor ID: %s\n", current->string); return current->id; unknown: - plog(LLV_DEBUG, LOCATION, NULL, "received unknown Vendor ID:\n"); - plogdump(LLV_DEBUG, (char *)(gen + 1), vidlen); + plogdump(ASL_LEVEL_DEBUG, (char *)(gen + 1), vidlen, "received unknown Vendor ID:\n"); return (VENDORID_UNKNOWN); } 
@@ -242,7 +241,7 @@ vendorid_fixup(vendorid, vidhash) vchar_t *tmp; if ((tmp = vmalloc(8)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to hash vendor ID string\n"); return NULL; } diff --git a/ipsec-tools/racoon/vendorid.h b/ipsec-tools/racoon/vendorid.h index d66ef73..464584d 100644 --- a/ipsec-tools/racoon/vendorid.h +++ b/ipsec-tools/racoon/vendorid.h @@ -84,10 +84,10 @@ struct vendor_id { vchar_t *hash; }; -vchar_t *set_vendorid __P((int)); -int check_vendorid __P((struct isakmp_gen *)); +vchar_t *set_vendorid (int); +int check_vendorid (struct isakmp_gen *); -void compute_vendorids __P((void)); -const char *vid_string_by_id __P((int id)); +void compute_vendorids (void); +const char *vid_string_by_id (int id); #endif /* _VENDORID_H */ diff --git a/ipsec-tools/racoon/vmbuf.c b/ipsec-tools/racoon/vmbuf.c index 6c1aed1..17929ee 100644 --- a/ipsec-tools/racoon/vmbuf.c +++ b/ipsec-tools/racoon/vmbuf.c @@ -124,7 +124,7 @@ vdup(src) vchar_t *new; if (src == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "vdup(NULL) called\n"); + plog(ASL_LEVEL_ERR, "vdup(NULL) called\n"); return NULL; } @@ -135,3 +135,22 @@ vdup(src) return new; } + +vchar_t * +vnew(in, in_len) + u_int8_t *in; + size_t in_len; +{ + vchar_t *new; + + if (in == NULL) { + return NULL; + } + + if ((new = vmalloc(in_len)) == NULL) + return NULL; + + memcpy(new->v, in, in_len); + + return new; +} diff --git a/ipsec-tools/racoon/vmbuf.h b/ipsec-tools/racoon/vmbuf.h index 0254d7c..5986223 100644 --- a/ipsec-tools/racoon/vmbuf.h +++ b/ipsec-tools/racoon/vmbuf.h 
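Review bot: The new vnew() in the vmbuf.c hunk is written as a K&R definition, `vnew(in, in_len) u_int8_t *in; size_t in_len;`, while this commit converts the rest of the tree to prototypes; the input is only read, so it should be `vchar_t *vnew(const u_int8_t *in, size_t in_len)` with the matching `const` in vmbuf.h. The function has no header comment; one stating that it returns a freshly allocated copy the caller must vfree(), and returns NULL both for a NULL input and for allocation failure, would make the two indistinguishable failure modes explicit. What vmalloc() does for in_len == 0 is not visible here, so callers cannot tell from this function whether a zero-length copy yields an empty buffer or NULL.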
@@ -63,9 +63,10 @@ do { \ /* vfree is already defined in Apple's system libraries */ #define vfree vmbuf_free -extern vchar_t *vmalloc __P((size_t)); -extern vchar_t *vrealloc __P((vchar_t *, size_t)); -extern void vfree __P((vchar_t *)); -extern vchar_t *vdup __P((vchar_t *)); +extern vchar_t *vmalloc (size_t); +extern vchar_t *vrealloc (vchar_t *, size_t); +extern void vfree (vchar_t *); +extern vchar_t *vdup (vchar_t *); +extern vchar_t *vnew (u_int8_t *, size_t); #endif /* _VMBUF_H */ diff --git a/ipsec-tools/racoon/vpn.c b/ipsec-tools/racoon/vpn.c index df085de..11adf7c 100644 --- a/ipsec-tools/racoon/vpn.c +++ b/ipsec-tools/racoon/vpn.c @@ -58,7 +58,7 @@ #include #include -#include +#include #include #ifndef HAVE_NETINET6_IPSEC @@ -94,11 +94,8 @@ #include "isakmp_var.h" #include "isakmp.h" #include "oakley.h" -#include "evt.h" #include "pfkey.h" #include "ipsec_doi.h" -#include "admin.h" -#include "admin_var.h" #include "isakmp_inf.h" #ifdef ENABLE_HYBRID #include "isakmp_cfg.h" @@ -109,6 +106,7 @@ #include "sainfo.h" #include "ipsec_doi.h" #include "nattraversal.h" +#include "fsm.h" #include "vpn_control.h" #include "vpn_control_var.h" @@ -117,7 +115,7 @@ #include "ipsecMessageTracer.h" -static int vpn_get_ph2pfs(struct ph1handle *); +static int vpn_get_ph2pfs (phase1_handle_t *); int vpn_connect(struct bound_addr *srv, int oper) @@ -141,7 +139,7 @@ vpn_connect(struct bound_addr *srv, int oper) * Find the source address */ if ((local = getlocaladdr((struct sockaddr *)dst)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot get local address\n"); goto out1; } 
@@ -149,15 +147,15 @@ vpn_connect(struct bound_addr *srv, int oper) /* find appropreate configuration */ rmconf = getrmconf(dst); if (rmconf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no configuration found " "for %s\n", saddrwop2str((struct sockaddr *)dst)); goto out1; } /* get remote IP address and port number. */ - if ((remote = dupsaddr((struct sockaddr *)dst)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + if ((remote = dupsaddr(dst)) == NULL) { + plog(ASL_LEVEL_ERR, "failed to duplicate address\n"); goto out1; } @@ -174,7 +172,7 @@ vpn_connect(struct bound_addr *srv, int oper) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid family: %d\n", remote->ss_family); goto out1; @@ -185,17 +183,16 @@ vpn_connect(struct bound_addr *srv, int oper) if (set_port(local, port) == NULL) goto out1; - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "accept a request to establish IKE-SA: " "%s\n", saddrwop2str((struct sockaddr *)remote)); IPSECLOGASLMSG("IPSec connecting to server %s\n", saddrwop2str((struct sockaddr *)remote)); - - /* begin ident mode */ - if (isakmp_ph1begin_i(rmconf, remote, local, oper) < 0) - goto out1; - + { + if (ikev1_ph1begin_i(NULL, rmconf, remote, local, oper) < 0) + goto out1; + } error = 0; out1: @@ -230,7 +227,7 @@ vpn_disconnect(struct bound_addr *srv, const char *reason) ike_sessions_stopped_by_controller(&u.ss, 0, reason); - if (purgephXbydstaddrwop(&u.ss) > 0) { + if (ike_session_purgephXbydstaddrwop(&u.ss) > 0) { return 0; } else { return -1; @@ -246,7 +243,7 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) struct sainfoalg *new_algo; struct sainfo *new_sainfo = NULL, *check; u_int16_t class, algorithm, keylen; - struct ph1handle *ph1; + phase1_handle_t *ph1; struct sockaddr_in saddr; struct id { 
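Review bot: The call that replaces the ident-mode block in the vpn_connect hunk is wrapped in a bare compound statement, `{ if (ikev1_ph1begin_i(NULL, rmconf, remote, local, oper) < 0) goto out1; }`, which reads as scaffolding left over from the removed comment and should be a plain if at function scope. The literal NULL first argument is unexplained; a short comment saying what a NULL session means here (presumably that no session exists yet for this peer) would help, since the same NULL is passed to ike_session_getph1bydstaddrwop elsewhere on this page. vpn_connect begins before this hunk.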
@@ -263,15 +260,15 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) saddr.sin_addr.s_addr = addr->address; saddr.sin_port = 0; saddr.sin_family = AF_INET; - ph1 = getph1bydstaddrwop((struct sockaddr_storage *)(&saddr)); + ph1 = ike_session_getph1bydstaddrwop(NULL, (struct sockaddr_storage *)(&saddr)); if (ph1 == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot start phase2 - no phase1 found.\n"); + plog(ASL_LEVEL_ERR, + "Cannot start Phase 2 - no Phase 1 found.\n"); return -1; } - if (ph1->status != PHASE1ST_ESTABLISHED) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot start phase2 - phase1 not established.\n"); + if (!FSM_STATE_IS_ESTABLISHED(ph1->status)) { + plog(ASL_LEVEL_ERR, + "Cannot start Phase 2 - Phase 1 not established.\n"); return -1; } @@ -279,10 +276,10 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) algo_ptr = (struct vpnctl_algo *)(selector_ptr + ntohs(pkt->selector_count)); for (i = 0; i < ntohs(pkt->selector_count); i++, selector_ptr++) { - new_sainfo = newsainfo(); + new_sainfo = create_sainfo(); if (new_sainfo == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to allocate sainfo struct.\n"); + plog(ASL_LEVEL_ERR, + "Unable to allocate sainfo struct.\n"); goto fail; } @@ -291,8 +288,8 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) else new_sainfo->idsrc = vmalloc(sizeof(struct id)); if (new_sainfo->idsrc == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to allocate id struct.\n"); + plog(ASL_LEVEL_ERR, + "Unable to allocate id struct.\n"); goto fail; } if (selector_ptr->dst_tunnel_mask == 0xFFFFFFFF) @@ -300,8 +297,8 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) else new_sainfo->iddst = vmalloc(sizeof(struct id)); if (new_sainfo->iddst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to allocate id struct.\n"); + plog(ASL_LEVEL_ERR, + "Unable to allocate id struct.\n"); goto fail; } 
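Review bot: In the second vpn_start_ph2 hunk the loop bound and the algorithm pointer come straight from the control message, `algo_ptr = (struct vpnctl_algo *)(selector_ptr + ntohs(pkt->selector_count))` and `for (i = 0; i < ntohs(pkt->selector_count); ...)`, with no check visible in the hunk that the received message is long enough to hold that many selectors and the algorithms that follow them. If vpn_control.c validates the message length before dispatching here, a one-line comment at the top of the loop saying so would save the next reader the search; otherwise both counts need to be bounded against the received length before the loop. The control socket is local and created with mode 0600 (visible in the vpn_control.c hunk on this page), which limits who can reach this code but does not remove the out-of-bounds read. vpn_start_ph2 starts before this hunk and continues past it.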
@@ -333,7 +330,7 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) if (ntohs(pkt->pfs_group) != 0) { new_sainfo->pfs_group = algtype2doi(algclass_isakmp_dh, ntohs(pkt->pfs_group)); if (new_sainfo->pfs_group == -1) { - plog(LLV_ERROR, LOCATION, NULL, "invalid dh group specified\n"); + plog(ASL_LEVEL_ERR, "Invalid dh group specified\n"); goto fail; } } @@ -341,8 +338,8 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) new_algo = newsainfoalg(); if (new_algo == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate algorithm structure\n"); + plog(ASL_LEVEL_ERR, + "Failed to allocate algorithm structure\n"); goto fail; } @@ -352,7 +349,7 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) new_algo->alg = algtype2doi(class, algorithm); if (new_algo->alg == -1) { - plog(LLV_ERROR, LOCATION, NULL, "algorithm mismatched\n"); + plog(ASL_LEVEL_ERR, "Algorithm mismatched\n"); racoon_free(new_algo); goto fail; } @@ -360,13 +357,13 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) defklen = default_keylen(class, algorithm); if (defklen == 0) { if (keylen) { - plog(LLV_ERROR, LOCATION, NULL, "keylen not allowed\n"); + plog(ASL_LEVEL_ERR, "keylen not allowed\n"); racoon_free(new_algo); goto fail; } } else { if (keylen && check_keylen(class, algorithm, keylen) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "invalid keylen %d\n", keylen); + plog(ASL_LEVEL_ERR, "invalid keylen %d\n", keylen); racoon_free(new_algo); goto fail; } @@ -384,8 +381,8 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) int b = new_algo->alg; if (a == IPSECDOI_ATTR_AUTH) a = IPSECDOI_PROTO_IPSEC_AH; - plog(LLV_ERROR, LOCATION, NULL, - "algorithm %s not supported by the kernel (missing module?)\n", s_ipsecdoi_trns(a, b)); + plog(ASL_LEVEL_ERR, + "Algorithm %s not supported by the kernel (missing module?)\n", s_ipsecdoi_trns(a, b)); racoon_free(new_algo); goto fail; } 
@@ -393,28 +390,28 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) } if (new_sainfo->algs[algclass_ipsec_enc] == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "no encryption algorithm at %s\n", sainfo2str(new_sainfo)); + plog(ASL_LEVEL_ERR, + "No encryption algorithm at %s\n", sainfo2str(new_sainfo)); goto fail; } if (new_sainfo->algs[algclass_ipsec_auth] == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "no authentication algorithm at %s\n", sainfo2str(new_sainfo)); + plog(ASL_LEVEL_ERR, + "No authentication algorithm at %s\n", sainfo2str(new_sainfo)); goto fail; } if (new_sainfo->algs[algclass_ipsec_comp] == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "no compression algorithm at %s\n", sainfo2str(new_sainfo)); + plog(ASL_LEVEL_ERR, + "No compression algorithm at %s\n", sainfo2str(new_sainfo)); goto fail; } /* duplicate check */ check = getsainfo(new_sainfo->idsrc, new_sainfo->iddst, new_sainfo->id_i, 0); if (check && (!check->idsrc && !new_sainfo->idsrc)) { - plog(LLV_ERROR, LOCATION, NULL,"duplicated sainfo: %s\n", sainfo2str(new_sainfo)); + plog(ASL_LEVEL_ERR, "Duplicated sainfo: %s\n", sainfo2str(new_sainfo)); goto fail; } - //plog(LLV_DEBUG2, LOCATION, NULL, "create sainfo: %s\n", sainfo2str(new_sainfo)); + //plog(ASL_LEVEL_DEBUG, "create sainfo: %s\n", sainfo2str(new_sainfo)); inssainfo(new_sainfo); new_sainfo = NULL; } @@ -423,19 +420,19 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) fail: if (new_sainfo) - delsainfo(new_sainfo); + release_sainfo(new_sainfo); flushsainfo_dynamic((u_int32_t)addr->address); return -1; } static int -vpn_get_ph2pfs(struct ph1handle *ph1) +vpn_get_ph2pfs(phase1_handle_t *ph1) { } int -vpn_get_config(struct ph1handle *iph1, struct vpnctl_status_phase_change **msg, size_t *msg_size) +vpn_get_config(phase1_handle_t *iph1, struct vpnctl_status_phase_change **msg, size_t *msg_size) { struct vpnctl_modecfg_params *params; 
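Review bot: `static int vpn_get_ph2pfs(phase1_handle_t *ph1) { }` in the last vpn.c hunk on this line is a non-void function with an empty body, so any call would read an indeterminate return value; the commit changes the parameter type but leaves the body empty. If the function is unused, delete it together with the forward declaration updated earlier in this file, otherwise give it a body that returns a value, at minimum `return 0; /* PFS lookup not implemented */`. Nothing on this page calls it, so it may simply be dead code.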
@@ -447,7 +444,7 @@ vpn_get_config(struct ph1handle *iph1, struct vpnctl_status_phase_change **msg, msize = 0; if (((struct sockaddr_in *)iph1->local)->sin_family != AF_INET) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "IPv6 not supported for mode config.\n"); return -1; } @@ -457,8 +454,8 @@ vpn_get_config(struct ph1handle *iph1, struct vpnctl_status_phase_change **msg, myaddr = find_myaddr((struct sockaddr *)iph1->local, 0); if (myaddr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to find address structure.\n"); + plog(ASL_LEVEL_ERR, + "Unable to find address structure.\n"); return -1; } @@ -468,8 +465,8 @@ vpn_get_config(struct ph1handle *iph1, struct vpnctl_status_phase_change **msg, *msg = racoon_calloc(1, msize); if (*msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "faled to allocate space for message.\n"); + plog(ASL_LEVEL_ERR, + "Failed to allocate space for message.\n"); return -1; } @@ -498,7 +495,7 @@ vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len) struct isakmp_pl_attr *reply; void* attr_ptr; vchar_t *payload = NULL; - struct ph1handle *iph1; + phase1_handle_t *iph1; struct sockaddr_in saddr; int error = -1; int tlen = attr_len; @@ -511,15 +508,15 @@ vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len) saddr.sin_addr.s_addr = address; saddr.sin_port = 0; saddr.sin_family = AF_INET; - iph1 = getph1bydstaddrwop((struct sockaddr_storage *)(&saddr)); + iph1 = ike_session_getph1bydstaddrwop(NULL, (struct sockaddr_storage *)(&saddr)); if (iph1 == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot reply to xauth request - no ph1 found.\n"); + plog(ASL_LEVEL_ERR, + "Cannot reply to xauth request - no ph1 found.\n"); goto end; } if (iph1->xauth_awaiting_userinput == 0) { - plog(LLV_ERROR, LOCATION, NULL, "Huh? recvd xauth reply data with no xauth reply pending \n"); + plog(ASL_LEVEL_ERR, "Received xauth reply data with no xauth reply pending \n"); goto end; } 
@@ -539,13 +536,13 @@ vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len) dataptr += sizeof(u_int32_t); } if (tlen != 0) { - plog(LLV_ERROR, LOCATION, NULL, "invalid auth info received from VPN Control socket.\n"); + plog(ASL_LEVEL_ERR, "Invalid auth info received from VPN Control socket.\n"); goto end; } payload = vmalloc(sizeof(struct isakmp_pl_attr) + attr_len); if (payload == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory for xauth reply\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory for xauth reply\n"); goto end; } memset(payload->v, 0, sizeof(reply)); @@ -558,7 +555,7 @@ vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len) attr_ptr = reply + 1; memcpy(attr_ptr, attr_list, attr_len); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Sending MODE_CFG REPLY\n"); error = isakmp_cfg_send(iph1, payload, ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, iph1->xauth_awaiting_userinput_msg); @@ -577,10 +574,11 @@ int vpn_assert(struct sockaddr_storage *src_addr, struct sockaddr_storage *dst_addr) { if (ike_session_assert(src_addr, dst_addr)) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot assert - no matching session.\n"); + plog(ASL_LEVEL_ERR, + "Cannot assert - no matching session.\n"); return -1; } return 0; } + diff --git a/ipsec-tools/racoon/vpn.h b/ipsec-tools/racoon/vpn.h index 7cab472..3e793af 100644 --- a/ipsec-tools/racoon/vpn.h +++ b/ipsec-tools/racoon/vpn.h @@ -49,4 +49,4 @@ * SUCH DAMAGE. */ -int vpn_connect __P((struct bound_addr *, int)); +int vpn_connect (struct bound_addr *, int); diff --git a/ipsec-tools/racoon/vpn_control.c b/ipsec-tools/racoon/vpn_control.c index da31d76..39c20a9 100644 --- a/ipsec-tools/racoon/vpn_control.c +++ b/ipsec-tools/racoon/vpn_control.c @@ -51,6 +51,9 @@ * SUCH DAMAGE. */ +//#define LION_TEST 1 + + #include "config.h" #include @@ -60,7 +63,7 @@ #include #include -#include +#include #include #ifndef HAVE_NETINET6_IPSEC 
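Review bot: `memset(payload->v, 0, sizeof(reply));` in the first vpn_xauth_reply hunk zeroes sizeof a pointer, not the attribute header; `reply` is declared `struct isakmp_pl_attr *reply` in the earlier hunk, so `sizeof(*reply)` was meant. The two sizes may coincide on 64-bit builds, which would be why this has gone unnoticed, but on a 32-bit build the header would be only partially cleared unless vmalloc() already zero-fills, which is not visible here. The trailing attr_len bytes are overwritten by the memcpy in the next hunk, so `memset(payload->v, 0, sizeof(*reply));` is sufficient. vpn_xauth_reply begins before this hunk.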
@@ -79,7 +82,9 @@ #include #endif #include +#ifndef LION_TEST #include +#endif #include #include "var.h" @@ -97,7 +102,6 @@ #include "isakmp.h" #include "oakley.h" #include "handler.h" -#include "evt.h" #include "pfkey.h" #include "ipsec_doi.h" #include "vpn_control.h" @@ -115,18 +119,21 @@ gid_t vpncontrolsock_group = 0; mode_t vpncontrolsock_mode = 0600; static struct sockaddr_un sunaddr; -static int vpncontrol_process(struct vpnctl_socket_elem *, char *); -static int vpncontrol_reply(int, char *); -static void vpncontrol_close_comm(struct vpnctl_socket_elem *); -static int checklaunchd(); -extern int vpn_get_config __P((struct ph1handle *, struct vpnctl_status_phase_change **, size_t *)); -extern int vpn_xauth_reply __P((u_int32_t, void *, size_t)); +static int vpncontrol_process (struct vpnctl_socket_elem *, char *); +static int vpncontrol_reply (int, char *); +static void vpncontrol_close_comm (struct vpnctl_socket_elem *); +static int checklaunchd (void); +extern int vpn_get_config (phase1_handle_t *, struct vpnctl_status_phase_change **, size_t *); +extern int vpn_xauth_reply (u_int32_t, void *, size_t); int checklaunchd() { launch_data_t checkin_response = NULL; +#ifdef LION_TEST + launch_data_t checkin_request = NULL; +#endif launch_data_t sockets_dict, listening_fd_array; launch_data_t listening_fd; struct sockaddr_storage fdsockaddr; 
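Review bot: The `#ifdef LION_TEST` branches (the guarded `#include`, the extra `checkin_request` local, and the `launch_data_new_string(LAUNCH_KEY_CHECKIN)`/`launch_msg` check-in path that follows) together with the commented-out `//#define LION_TEST 1` leave test-only scaffolding in production source that is switched by editing the file. If the alternate check-in path is still needed, gate it on a build setting from the project; otherwise remove it so checklaunchd has a single code path. On the LION_TEST path `checkin_request` does not appear to be freed anywhere in the visible lines, though the `done:` cleanup is outside this hunk. checklaunchd continues past the end of the hunk.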
@@ -138,30 +145,40 @@ checklaunchd() int fd; /* check in with launchd */ +#ifdef LION_TEST + if ((checkin_request = launch_data_new_string(LAUNCH_KEY_CHECKIN)) == NULL) { +#else if ((checkin_response = launch_socket_service_check_in()) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, +#endif + plog(ASL_LEVEL_ERR, "failed to launch_socket_service_check_in.\n"); goto done; } +#ifdef LION_TEST + if ((checkin_response = launch_msg(checkin_request)) == NULL) { + plog(ASL_LEVEL_ERR, "failed to launch_msg.\n"); + goto done; + } +#endif if (LAUNCH_DATA_ERRNO == launch_data_get_type(checkin_response)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "launch_data_get_type error %d\n", launch_data_get_errno(checkin_response)); goto done; } if ( (sockets_dict = launch_data_dict_lookup(checkin_response, LAUNCH_JOBKEY_SOCKETS)) == NULL){ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to launch_data_dict_lookup.\n"); goto done; } if ( !(socketct = launch_data_dict_get_count(sockets_dict))){ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "launch_data_dict_get_count returns no socket defined.\n"); goto done; } if ( (listening_fd_array = launch_data_dict_lookup(sockets_dict, "Listeners")) == NULL ){ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to launch_data_dict_lookup.\n"); goto done; } @@ -177,7 +194,7 @@ checklaunchd() if ( fdsockaddr.ss_family == AF_UNIX && (!(strcmp(vpncontrolsock_path, ((struct sockaddr_un *)&fdsockaddr)->sun_path)))) { - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "found launchd socket.\n"); returnval = fd; break; @@ -185,7 +202,7 @@ checklaunchd() } // TODO: check if we have any leaked fd if ( listenerct == i){ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to find launchd socket\n"); returnval = 0; } 
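Review bot: `returnval = 0;` on the not-found path makes checklaunchd return 0 both for "no launchd socket" and for a genuine descriptor 0, and vpncontrol_init now tests `== 0`, so a listener that happened to be handed to the daemon on fd 0 would be ignored and the daemon would fall back to creating its own socket. Returning a negative sentinel, `returnval = -1;`, and testing `< 0` in the caller removes the ambiguity (the initial value of `returnval` is outside this hunk and should be set the same way). The `// TODO: check if we have any leaked fd` comment is still accurate as far as the visible lines show: listener descriptors whose `sun_path` does not match `vpncontrolsock_path` are neither closed nor recorded. The loop head and the `done:` label are outside this hunk.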
@@ -197,39 +214,60 @@ done: } -int -vpncontrol_handler() +void +vpncontrol_handler(void *unused) { struct sockaddr_storage from; socklen_t fromlen = sizeof(from); + int sock; struct vpnctl_socket_elem *sock_elem; - sock_elem = racoon_malloc(sizeof(struct vpnctl_socket_elem)); + sock_elem = racoon_malloc(sizeof(struct vpnctl_socket_elem)); if (sock_elem == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "memory error: %s\n", strerror(errno)); - return -1; + return; //%%%%%% terminate } LIST_INIT(&sock_elem->bound_addresses); - + sock_elem->sock = accept(lcconf->sock_vpncontrol, (struct sockaddr *)&from, &fromlen); if (sock_elem->sock < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to accept vpn_control command: %s\n", strerror(errno)); racoon_free(sock_elem); - return -1; + return; //%%%%% terminate } LIST_INSERT_HEAD(&lcconf->vpnctl_comm_socks, sock_elem, chain); - plog(LLV_NOTIFY, LOCATION, NULL, - "accepted connection on vpn control socket.\n"); - + + sock_elem->source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, sock_elem->sock, 0, dispatch_get_main_queue()); + if (sock_elem->source == NULL) { + plog(ASL_LEVEL_ERR, "could not create comm socket source."); + racoon_free(sock_elem); + return; //%%%%% terminate + } + dispatch_source_set_event_handler(sock_elem->source, + ^{ + vpncontrol_comm_handler(sock_elem); + }); + sock = sock_elem->sock; + + dispatch_source_t the_source = sock_elem->source; + dispatch_source_set_cancel_handler(sock_elem->source, + ^{ + close(sock); + dispatch_release(the_source); /* Release the source on cancel */ + }); + dispatch_resume(sock_elem->source); + + plog(ASL_LEVEL_NOTICE, + "accepted connection on vpn control socket.\n"); check_auto_exit(); - return 0; + return; } -int +void vpncontrol_comm_handler(struct vpnctl_socket_elem *elem) { struct vpnctl_hdr hdr; 
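Review bot: In vpncontrol_handler the `dispatch_source_create` failure path frees `sock_elem` after it has already been linked into `lcconf->vpnctl_comm_socks` by `LIST_INSERT_HEAD`, leaving a dangling pointer in the list that the next LIST_FOREACH over the comm sockets (for example in vpncontrol_close or the notify functions) will dereference; the accepted descriptor is also never closed on that path. Either create the source before inserting into the list, or unwind fully: `LIST_REMOVE(sock_elem, chain); close(sock_elem->sock); racoon_free(sock_elem);`. Separately, the accepted socket is not put into non-blocking mode, so the `recv` calls in vpncontrol_comm_handler run blocking on the main dispatch queue; worth confirming that a control client which stalls mid-message cannot hold up the whole daemon.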
@@ -240,29 +278,29 @@ vpncontrol_comm_handler(struct vpnctl_socket_elem *elem) while ((len = recv(elem->sock, (char *)&hdr, sizeof(hdr), MSG_PEEK)) < 0) { if (errno == EINTR) continue; - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to recv vpn_control command: %s\n", strerror(errno)); goto end; } if (len == 0) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "vpn_control socket closed by peer.\n"); /* kill all related connections */ vpncontrol_disconnect_all(elem, ike_session_stopped_by_controller_comm_lost); vpncontrol_close_comm(elem); - return -1; + return; // %%%%%% terminate } /* sanity check */ if (len < sizeof(hdr)) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid header length of vpn_control command - len=%d - expected %d\n", len, sizeof(hdr)); + plog(ASL_LEVEL_ERR, + "invalid header length of vpn_control command - len=%ld - expected %ld\n", len, sizeof(hdr)); goto end; } /* get buffer to receive */ if ((combuf = racoon_malloc(ntohs(hdr.len) + sizeof(hdr))) == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to alloc buffer for vpn_control command\n"); goto end; } @@ -271,7 +309,7 @@ vpncontrol_comm_handler(struct vpnctl_socket_elem *elem) while ((len = recv(elem->sock, combuf, ntohs(hdr.len) + sizeof(hdr), 0)) < 0) { if (errno == EINTR) continue; - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to recv vpn_control command: %s\n", strerror(errno)); goto end; @@ -282,7 +320,7 @@ vpncontrol_comm_handler(struct vpnctl_socket_elem *elem) end: if (combuf) racoon_free(combuf); - return 0; // return -1 only if a socket is closed + return; } static int 
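Review bot: The second `recv` in vpncontrol_comm_handler asks for `ntohs(hdr.len) + sizeof(hdr)` bytes but, unlike the header peek, its return value is only checked for `< 0` within this hunk; on a stream socket a short read would hand a partially filled `combuf` to the command parser unless the lines following the loop (outside this hunk) compare `len` with the requested size. If they do not, add `if ((size_t)len < ntohs(hdr.len) + sizeof(hdr)) goto end;` before the buffer is processed. Minor: `sizeof(hdr)` is a `size_t`, so the reworked format string should use `%zu` for it (and `%zd` for `len` if it is `ssize_t`) rather than `%ld`.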
@@ -298,11 +336,11 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) struct vpnctl_cmd_bind *pkt = ALIGNED_CAST(struct vpnctl_cmd_bind *)combuf; struct bound_addr *addr; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received bind command on vpn control socket.\n"); addr = racoon_calloc(1, sizeof(struct bound_addr)); if (addr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "memory error: %s\n", strerror(errno)); error = -1; break; @@ -310,7 +348,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) if (ntohs(pkt->vers_len)) { addr->version = vmalloc(ntohs(pkt->vers_len)); if (addr->version == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "memory error: %s\n", strerror(errno)); error = -1; break; @@ -329,7 +367,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) struct bound_addr *addr; struct bound_addr *t_addr; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received unbind command on vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == 0xFFFFFFFF || @@ -351,7 +389,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) struct redirect *t_raddr; int found = 0; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received redirect command on vpn control socket - address = %x.\n", ntohl(redirect_msg->redirect_address)); LIST_FOREACH_SAFE(raddr, &lcconf->redirect_addresses, chain, t_raddr) { @@ -370,7 +408,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) if (!found) { raddr = racoon_malloc(sizeof(struct redirect)); if (raddr == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "cannot allcoate memory for redirect address.\n"); error = -1; break; 
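Review bot: In the bind command case, when `vmalloc(ntohs(pkt->vers_len))` fails the code sets `error = -1` and breaks, but `addr`, allocated by `racoon_calloc` a few lines earlier, is never freed. Add `racoon_free(addr);` before `error = -1; break;` in that branch. It is not visible here whether `vers_len` is checked against the received `hdr->len` before the version bytes are copied out of the packet; if it is not, a client can make that copy read past the buffer, so please confirm in the lines that follow the hunk.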
@@ -394,7 +432,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) struct bound_addr *t_addr; void *attr_list; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received xauth info command vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { @@ -413,7 +451,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) struct bound_addr *addr; struct bound_addr *t_addr; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received connect command on vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { @@ -431,7 +469,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) struct bound_addr *addr; struct bound_addr *t_addr; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received disconnect command on vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { @@ -449,9 +487,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) struct bound_addr *addr; struct bound_addr *t_addr; - plog(LLV_DEBUG, LOCATION, NULL, - "received start_ph2 command on vpn control socket.\n"); - plogdump(LLV_DEBUG2, pkt, ntohs(hdr->len) + sizeof(struct vpnctl_hdr)); + plog(ASL_LEVEL_DEBUG, "received start_ph2 command on vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { /* start the connection */ @@ -468,7 +504,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) struct bound_addr *srv; struct bound_addr *t_addr; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received start_dpd command on vpn control socket.\n"); LIST_FOREACH_SAFE(srv, &elem->bound_addresses, chain, t_addr) { if (pkt->address == srv->address) { 
@@ -484,7 +520,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) daddr.addr_in.sin_family = AF_INET; /* start the dpd */ - error = ph1_force_dpd(&daddr.ss); + error = ike_session_ph1_force_dpd(&daddr.ss); break; } } @@ -499,9 +535,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) struct sockaddr_in saddr; struct sockaddr_in daddr; - plog(LLV_DEBUG, LOCATION, NULL, - "received assert command on vpn control socket.\n"); - plogdump(LLV_DEBUG2, pkt, ntohs(hdr->len) + sizeof(struct vpnctl_hdr)); + plogdump(ASL_LEVEL_DEBUG, pkt, ntohs(hdr->len) + sizeof(struct vpnctl_hdr), "received assert command on vpn control socket.\n"); // LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { // if (pkt->dst_address == addr->address) { bzero(&saddr, sizeof(saddr)); @@ -528,7 +562,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) struct bound_addr *addr; struct bound_addr *t_addr; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received reconnect command on vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { @@ -541,7 +575,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid command: %d\n", ntohs(hdr->msg_type)); error = -1; // for now break; @@ -563,7 +597,7 @@ vpncontrol_reply(int so, char *combuf) tlen = send(so, combuf, sizeof(struct vpnctl_hdr), 0); if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send vpn_control message: %s\n", strerror(errno)); return -1; } @@ -572,7 +606,7 @@ vpncontrol_reply(int so, char *combuf) } int -vpncontrol_notify_need_authinfo(struct ph1handle *iph1, void* attr_list, size_t attr_len) +vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t attr_len) { struct vpnctl_status_need_authinfo *msg = NULL; struct vpnctl_socket_elem *sock_elem; 
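Review bot: The assert command case still has its `bound_addresses` check commented out (`// LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {`), so unlike connect, disconnect, start_ph2 and start_dpd it acts on whatever session matches the addresses in the packet, regardless of what the calling client has bound. If that exemption is deliberate it deserves a comment explaining why; otherwise restore the lookup so the command is gated like its siblings. The replacement `plogdump` now writes the whole control packet at ASL_LEVEL_DEBUG, where the old dump was at LLV_DEBUG2; presumably ASL has no second debug level, but it means the packet dump now appears under ordinary debug logging.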
@@ -585,12 +619,12 @@ vpncontrol_notify_need_authinfo(struct ph1handle *iph1, void* attr_list, size_t if (!iph1) goto end; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "sending vpn_control xauth need info status\n"); msg = (struct vpnctl_status_need_authinfo *)racoon_malloc(msg_size = sizeof(struct vpnctl_status_need_authinfo) + attr_len); if (msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to allocate space for vpn control message.\n"); return -1; } @@ -616,12 +650,10 @@ vpncontrol_notify_need_authinfo(struct ph1handle *iph1, void* attr_list, size_t LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) { if (bound_addr->address == 0xFFFFFFFF || bound_addr->address == address) { - plog(LLV_DEBUG, LOCATION, NULL, - "vpn control writing %d bytes\n", msg_size); - plogdump(LLV_DEBUG, msg, msg_size); + plog(ASL_LEVEL_DEBUG, "vpn control writing %zu bytes\n", msg_size); tlen = send(sock_elem->sock, msg, msg_size, 0); if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send vpn_control need authinfo status: %s\n", strerror(errno)); } break; @@ -648,7 +680,7 @@ vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t ad msg = (struct vpnctl_status_failed *)racoon_malloc(len); if (msg == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "unable to allcate memory for vpn control status message.\n"); return -1; } @@ -661,7 +693,7 @@ vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t ad msg->from = htons(from); if (data_len > 0) memcpy(msg->data, data, data_len); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "sending vpn_control ike failed message - code=%d from=%s.\n", notify_code, (from == FROM_LOCAL ? "local" : "remote")); 
@@ -671,8 +703,8 @@ vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t ad bound_addr->address == address) { tlen = send(sock_elem->sock, msg, len, 0); if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to send vpn_control ike notify failed: %s\n", strerror(errno)); + plog(ASL_LEVEL_ERR, + "Unable to send vpn_control ike notify failed: %s\n", strerror(errno)); } break; } @@ -684,9 +716,34 @@ vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t ad return 0; } +char * +vpncontrol_status_2_str(u_int16_t msg_type) +{ + switch (msg_type) { + case VPNCTL_STATUS_IKE_FAILED: + return "IKE failed"; + case VPNCTL_STATUS_PH1_START_US: + return "Phase 1 started by us"; + case VPNCTL_STATUS_PH1_START_PEER: + return "Phase 1 started by peer"; + case VPNCTL_STATUS_PH1_ESTABLISHED: + return "Phase 1 established"; + case VPNCTL_STATUS_PH2_START: + return "Phase 2 started"; + case VPNCTL_STATUS_PH2_ESTABLISHED: + return "Phase 2 established"; + case VPNCTL_STATUS_NEED_AUTHINFO: + return "Need authentication info"; + case VPNCTL_STATUS_NEED_REAUTHINFO: + return "Need re-authentication info"; + default: + return ""; + } +} + int -vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle *iph1, struct ph2handle *iph2) +vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1, phase2_handle_t *iph2) { struct vpnctl_status_phase_change *msg; struct vpnctl_socket_elem *sock_elem; @@ -695,10 +752,7 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle *iph1 size_t msg_size; u_int32_t address; - plog(LLV_DEBUG, LOCATION, NULL, - "sending vpn_control phase change status\n"); - - if (iph1 && !start && iph1->mode_cfg && iph1->mode_cfg->xauth.status != XAUTHST_OK) { + if (iph1 && !start && iph1->mode_cfg && iph1->mode_cfg->xauth.status != XAUTHST_OK) { if (vpn_get_config(iph1, &msg, &msg_size) == 1) return 0; /* mode config not finished yet */ } else { 
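Review bot: The new vpncontrol_status_2_str returns string literals through a plain `char *`, so a caller could write into read-only memory without a compiler warning; declare it `const char *vpncontrol_status_2_str(u_int16_t msg_type)` (and match the extern declaration in the header, which is not shown here). The `default` branch returns an empty string, so the NOTICE line it feeds will print `phase change status = ` followed by nothing for any message type not listed in the switch; returning `"unknown"` or logging the numeric type alongside the text keeps those lines useful.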
@@ -707,7 +761,7 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle *iph1 } if (msg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to allocate space for vpn control message.\n"); return -1; } @@ -719,13 +773,18 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle *iph1 msg->hdr.msg_type = htons(start ? (from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER) : VPNCTL_STATUS_PH1_ESTABLISHED); + // TODO: indicate version } else { if (iph2->dst->ss_family == AF_INET) address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr; else goto end; // for now msg->hdr.msg_type = htons(start ? VPNCTL_STATUS_PH2_START : VPNCTL_STATUS_PH2_ESTABLISHED); + // TODO: indicate version } + plog(ASL_LEVEL_NOTICE, + ">>>>> phase change status = %s\n", vpncontrol_status_2_str(ntohs(msg->hdr.msg_type))); + msg->hdr.cookie = msg->hdr.reserved = msg->hdr.result = 0; msg->hdr.len = htons((msg_size) - sizeof(struct vpnctl_hdr)); msg->address = address; @@ -734,12 +793,10 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle *iph1 LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) { if (bound_addr->address == 0xFFFFFFFF || bound_addr->address == address) { - plog(LLV_DEBUG, LOCATION, NULL, - "vpn control writing %d bytes\n", msg_size); - plogdump(LLV_DEBUG, msg, msg_size); + plog(ASL_LEVEL_DEBUG, "vpn control writing %zu bytes\n", msg_size); tlen = send(sock_elem->sock, msg, msg_size, 0); if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send vpn_control phase change status: %s\n", strerror(errno)); } break; 
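Review bot: The new `plog(ASL_LEVEL_NOTICE, ">>>>> phase change status = %s\n", ...)` logs at notice level with arrow decoration that reads like temporary debugging output, and it fires on every phase-1 and phase-2 transition; if the line is meant to stay, drop the `>>>>> ` prefix and consider ASL_LEVEL_INFO or DEBUG. The two `// TODO: indicate version` markers land in the same commit that adds `VPNCTL_FLAG_IKE_VERSION`/`VPNCTL_FLAG_IKEV2` to vpn_control.h, so either set the flag here or say in the comment which change will. The function continues past the end of the hunk.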
@@ -768,7 +825,7 @@ vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address) msg.hdr.len = htons(sizeof(msg) - sizeof(msg.hdr)); msg.address = address; msg.ike_code = notify_code; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "sending vpn_control status (peer response) message - code=%d addr=%x.\n", notify_code, address); LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) { @@ -777,7 +834,7 @@ vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address) bound_addr->address == address) { tlen = send(sock_elem->sock, &msg, sizeof(msg), 0); if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to send vpn_control status (peer response): %s\n", strerror(errno)); } else { rc = 0; @@ -791,7 +848,7 @@ vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address) } int -vpncontrol_notify_peer_resp_ph1 (u_int16_t notify_code, struct ph1handle *iph1) +vpncontrol_notify_peer_resp_ph1 (u_int16_t notify_code, phase1_handle_t *iph1) { u_int32_t address; int rc; @@ -812,7 +869,7 @@ vpncontrol_notify_peer_resp_ph1 (u_int16_t notify_code, struct ph1handle *iph1) } int -vpncontrol_notify_peer_resp_ph2 (u_int16_t notify_code, struct ph2handle *iph2) +vpncontrol_notify_peer_resp_ph2 (u_int16_t notify_code, phase2_handle_t *iph2) { u_int32_t address; int rc; @@ -833,18 +890,16 @@ vpncontrol_notify_peer_resp_ph2 (u_int16_t notify_code, struct ph2handle *iph2) } int -vpncontrol_init() +vpncontrol_init(void) { + int sock; + if (vpncontrolsock_path == NULL) { lcconf->sock_vpncontrol = -1; return 0; } - if ( (lcconf->sock_vpncontrol = checklaunchd()) ){ - return 0; - } - else { - + if ( (lcconf->sock_vpncontrol = checklaunchd()) == 0 ) { memset(&sunaddr, 0, sizeof(sunaddr)); sunaddr.sun_family = AF_UNIX; snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path), 
@@ -852,20 +907,19 @@ vpncontrol_init() lcconf->sock_vpncontrol = socket(AF_UNIX, SOCK_STREAM, 0); if (lcconf->sock_vpncontrol == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "socket: %s\n", strerror(errno)); return -1; } if (fcntl(lcconf->sock_vpncontrol, F_SETFL, O_NONBLOCK) == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to put VPN-Control socket in non-blocking mode\n"); + plog(ASL_LEVEL_ERR, "failed to put VPN-Control socket in non-blocking mode\n"); } - + unlink(sunaddr.sun_path); if (bind(lcconf->sock_vpncontrol, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "bind(sockname:%s): %s\n", sunaddr.sun_path, strerror(errno)); (void)close(lcconf->sock_vpncontrol); @@ -873,7 +927,7 @@ vpncontrol_init() } if (chown(sunaddr.sun_path, vpncontrolsock_owner, vpncontrolsock_group) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "chown(%s, %d, %d): %s\n", sunaddr.sun_path, vpncontrolsock_owner, vpncontrolsock_group, strerror(errno)); @@ -882,7 +936,7 @@ vpncontrol_init() } if (chmod(sunaddr.sun_path, vpncontrolsock_mode) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "chmod(%s, 0%03o): %s\n", sunaddr.sun_path, vpncontrolsock_mode, strerror(errno)); (void)close(lcconf->sock_vpncontrol); 
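Review bot: The socket path is created by `bind` with permissions derived from the process umask and only tightened afterwards by `chown`/`chmod` to `vpncontrolsock_mode` (0600), so between those calls the control socket is reachable by whatever the umask allows; wrapping the bind in `mode_t old = umask(077);` ... `umask(old);` closes that window. `fcntl(lcconf->sock_vpncontrol, F_SETFL, O_NONBLOCK)` also overwrites every other status flag instead of OR-ing `O_NONBLOCK` into the result of `fcntl(fd, F_GETFL)`; harmless on a fresh socket, but worth writing the idiomatic way. The `unlink` before bind follows the usual pattern, but it only helps if the directory holding the socket is not writable by untrusted users, which this hunk cannot show.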
@@ -890,17 +944,28 @@ vpncontrol_init() } if (listen(lcconf->sock_vpncontrol, 5) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "listen(sockname:%s): %s\n", sunaddr.sun_path, strerror(errno)); (void)close(lcconf->sock_vpncontrol); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "opened %s as racoon management.\n", sunaddr.sun_path); - - return 0; } + lcconf->vpncontrol_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, lcconf->sock_vpncontrol, 0, dispatch_get_main_queue()); + if (lcconf->vpncontrol_source == NULL) { + plog(ASL_LEVEL_ERR, "could not create vpncontrol socket source."); + return -1; + } + dispatch_source_set_event_handler_f(lcconf->vpncontrol_source, vpncontrol_handler); + sock = lcconf->sock_vpncontrol; + dispatch_source_set_cancel_handler(lcconf->vpncontrol_source, + ^{ + close(sock); + }); + dispatch_resume(lcconf->vpncontrol_source); + return 0; } void @@ -909,7 +974,7 @@ vpncontrol_disconnect_all(struct vpnctl_socket_elem *elem, const char *reason) struct bound_addr *addr; struct bound_addr *t_addr; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "received disconnect all command.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { 
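Review bot: When `dispatch_source_create` fails in vpncontrol_init, the function returns -1 while `lcconf->sock_vpncontrol` still holds the open listening (or launchd-provided) descriptor, so it leaks, and a later vpncontrol_close, which now only cancels the source, will not close it either. Mirror the other error paths: `(void)close(lcconf->sock_vpncontrol); lcconf->sock_vpncontrol = -1; return -1;`. The cancel handler closes the socket but nothing in this hunk releases the source object itself; unless vpncontrol_close does so, the cancel should be paired with a `dispatch_release` to avoid leaking it.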
@@ -918,23 +983,21 @@ vpncontrol_disconnect_all(struct vpnctl_socket_elem *elem, const char *reason) } } - void vpncontrol_close() { - struct vpnctl_socket_elem *elem; + struct vpnctl_socket_elem *elem; struct vpnctl_socket_elem *t_elem; - plog(LLV_DEBUG, LOCATION, NULL, - "vpncontrol_close.\n"); + plog(ASL_LEVEL_DEBUG, + "vpncontrol_close.\n"); - if (lcconf->sock_vpncontrol != -1) { - close(lcconf->sock_vpncontrol); - lcconf->sock_vpncontrol = -1; - } - LIST_FOREACH_SAFE(elem, &lcconf->vpnctl_comm_socks, chain, t_elem) - vpncontrol_close_comm(elem); - + dispatch_source_cancel(lcconf->vpncontrol_source); + lcconf->vpncontrol_source = NULL; + + lcconf->sock_vpncontrol = -1; + LIST_FOREACH_SAFE(elem, &lcconf->vpnctl_comm_socks, chain, t_elem) + vpncontrol_close_comm(elem); } static void @@ -943,12 +1006,12 @@ vpncontrol_close_comm(struct vpnctl_socket_elem *elem) struct bound_addr *addr; struct bound_addr *t_addr; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "vpncontrol_close_comm.\n"); LIST_REMOVE(elem, chain); - if (elem->sock != -1) - close(elem->sock); + if (elem->sock != -1) + dispatch_source_cancel(elem->source); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { flushsainfo_dynamic(addr->address); LIST_REMOVE(addr, chain); diff --git a/ipsec-tools/racoon/vpn_control.h b/ipsec-tools/racoon/vpn_control.h index 5144465..54144e5 100644 --- a/ipsec-tools/racoon/vpn_control.h +++ b/ipsec-tools/racoon/vpn_control.h @@ -97,6 +97,8 @@ extern mode_t vpncontrolsock_mode; * Flags */ #define VPNCTL_FLAG_MODECFG_USED 0x0001 +#define VPNCTL_FLAG_IKE_VERSION 0x0002 +#define VPNCTL_FLAG_IKEV2 VPNCTL_FLAG_IKE_VERSION /* * XAUTH Attribute Types diff --git a/ipsec-tools/racoon/vpn_control_var.h b/ipsec-tools/racoon/vpn_control_var.h index 3935810..e5b681c 100644 --- a/ipsec-tools/racoon/vpn_control_var.h +++ b/ipsec-tools/racoon/vpn_control_var.h 
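Review bot: vpncontrol_close now calls `dispatch_source_cancel(lcconf->vpncontrol_source)` unconditionally, whereas the removed code only acted when `sock_vpncontrol != -1`; vpncontrol_init returns early without creating a source when `vpncontrolsock_path == NULL` and on its own error paths, and cancelling a NULL source will crash (assuming lcconf starts zeroed), so the guard should come back as `if (lcconf->vpncontrol_source != NULL) {` around the cancel, ideally with a `dispatch_release` of the source since its cancel handler only closes the socket. In vpncontrol_close_comm, `elem->source` is cancelled but `elem->sock` still holds the descriptor the cancel handler is about to close and `elem->source` is not cleared; setting `elem->sock = -1; elem->source = NULL;` after the cancel prevents a second cancel/close if the element is visited again before it is freed (the free is outside this hunk).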
@@ -55,6 +55,8 @@ #define _VPN_CONTROL_VAR_H #include "vpn_control.h" +#include +#include "localconf.h" enum { VPN_STARTED_BY_API = 1, 
@@ -62,20 +64,20 @@ enum { VPN_RESTARTED_BY_API, }; -extern int vpncontrol_handler __P((void)); -extern int vpncontrol_comm_handler __P((struct vpnctl_socket_elem *)); -extern int vpncontrol_notify_ike_failed __P((u_int16_t, u_int16_t, u_int32_t, u_int16_t, u_int8_t*)); -extern int vpncontrol_notify_phase_change __P((int, u_int16_t, struct ph1handle*, struct ph2handle*)); -extern int vpncontrol_init __P((void)); -extern void vpncontrol_close __P((void)); -extern int vpn_control_connected __P((void)); -extern int vpn_connect __P((struct bound_addr *, int)); -extern int vpn_disconnect __P((struct bound_addr *, const char *)); -extern void vpncontrol_disconnect_all __P((struct vpnctl_socket_elem *, const char *)); -extern int vpn_start_ph2 __P((struct bound_addr *, struct vpnctl_cmd_start_ph2 *)); -extern int vpncontrol_notify_need_authinfo __P((struct ph1handle *, void*, size_t)); -extern int vpncontrol_notify_peer_resp_ph1 __P((u_int16_t, struct ph1handle*)); -extern int vpncontrol_notify_peer_resp_ph2 __P((u_int16_t, struct ph2handle*)); -extern int vpn_assert __P((struct sockaddr_storage *, struct sockaddr_storage *)); +extern void vpncontrol_handler (void *); +extern void vpncontrol_comm_handler (struct vpnctl_socket_elem *); +extern int vpncontrol_notify_ike_failed (u_int16_t, u_int16_t, u_int32_t, u_int16_t, u_int8_t*); +extern int vpncontrol_notify_phase_change (int, u_int16_t, phase1_handle_t*, phase2_handle_t*); +extern int vpncontrol_init (void); +extern void vpncontrol_close (void); +extern int vpn_control_connected (void); +extern int vpn_connect (struct bound_addr *, int); +extern int vpn_disconnect (struct bound_addr *, const char *); +extern void vpncontrol_disconnect_all (struct vpnctl_socket_elem *, const char *); +extern int vpn_start_ph2 (struct bound_addr *, struct vpnctl_cmd_start_ph2 *); +extern int vpncontrol_notify_need_authinfo (phase1_handle_t *, void*, size_t); +extern int vpncontrol_notify_peer_resp_ph1 (u_int16_t, phase1_handle_t*); 
+extern int vpncontrol_notify_peer_resp_ph2 (u_int16_t, phase2_handle_t*); +extern int vpn_assert (struct sockaddr_storage *, struct sockaddr_storage *); #endif /* _VPN_CONTROL_VAR_H */ diff --git a/ipsec-tools/racoon/xpc_racoon.c b/ipsec-tools/racoon/xpc_racoon.c new file mode 100644 index 0000000..a58aed9 --- /dev/null +++ b/ipsec-tools/racoon/xpc_racoon.c @@ -0,0 +1,24 @@ +/* + * Copyright (c) 2012 Apple Computer, Inc. All rights reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include "config.h" diff --git a/ipsec-tools/setkey/extern.h b/ipsec-tools/setkey/extern.h index 3a8a751..7365640 100644 --- a/ipsec-tools/setkey/extern.h +++ b/ipsec-tools/setkey/extern.h 
@@ -1,16 +1,16 @@ -void parse_init __P((void)); -int parse __P((FILE **)); -int parse_string __P((char *)); +void parse_init(void); +int parse(FILE **); +int parse_string(char *); -int setkeymsg __P((char *, size_t *)); -int sendkeymsg __P((char *, size_t)); +int setkeymsg(char *, size_t *); +int sendkeymsg(char *, size_t); -int yylex __P((void)); -int yyparse __P((void)); -void yyfatal __P((const char *)); -void yyerror __P((const char *)); +int yylex(void); +int yyparse(void); +void yyfatal(const char *); +void yyerror(const char *); extern int f_rfcmode; extern int lineno; diff --git a/ipsec-tools/setkey/parse.y b/ipsec-tools/setkey/parse.y index cfc4171..42762a0 100644 --- a/ipsec-tools/setkey/parse.y +++ b/ipsec-tools/setkey/parse.y @@ -40,7 +40,7 @@ #include #include -#include +#include #ifdef HAVE_NETINET6_IPSEC # include #else 
@@ -85,21 +85,20 @@ static struct addrinfo * p_natt_oa = NULL; static int p_aiflags = 0, p_aifamily = PF_UNSPEC; -static struct addrinfo *parse_addr __P((char *, char *)); -static int fix_portstr __P((vchar_t *, vchar_t *, vchar_t *)); -static int setvarbuf __P((char *, int *, struct sadb_ext *, int, - const void *, int)); -void parse_init __P((void)); -void free_buffer __P((void)); - -int setkeymsg0 __P((struct sadb_msg *, unsigned int, unsigned int, size_t)); -static int setkeymsg_spdaddr __P((unsigned int, unsigned int, vchar_t *, - struct addrinfo *, int, struct addrinfo *, int)); -static int setkeymsg_spdaddr_tag __P((unsigned int, char *, vchar_t *)); -static int setkeymsg_addr __P((unsigned int, unsigned int, - struct addrinfo *, struct addrinfo *, int)); -static int setkeymsg_add __P((unsigned int, unsigned int, - struct addrinfo *, struct addrinfo *)); +static struct addrinfo *parse_addr(char *, char *); +static int fix_portstr(vchar_t *, vchar_t *, vchar_t *); +static int setvarbuf(char *, int *, struct sadb_ext *, int, const void *, int); +void parse_init(void); +void free_buffer(void); + +int setkeymsg0(struct sadb_msg *, unsigned int, unsigned int, size_t); +static int setkeymsg_spdaddr(unsigned int, unsigned int, vchar_t *, + struct addrinfo *, int, struct addrinfo *, int); +static int setkeymsg_spdaddr_tag(unsigned int, char *, vchar_t *); +static int setkeymsg_addr(unsigned int, unsigned int, + struct addrinfo *, struct addrinfo *, int); +static int setkeymsg_add(unsigned int, unsigned int, + struct addrinfo *, struct addrinfo *); %} %union { diff --git a/ipsec-tools/setkey/setkey.c b/ipsec-tools/setkey/setkey.c index a301b69..972416d 100644 --- a/ipsec-tools/setkey/setkey.c +++ b/ipsec-tools/setkey/setkey.c @@ -41,7 +41,7 @@ #include #include #include -#include +#include #ifdef HAVE_NETINET6_IPSEC # include #else 
@@ -75,20 +75,20 @@ #include "ipsecMessageTracer.h" -void usage __P((/*int*/)); -int main __P((int, char **)); -int get_supported __P((void)); -void sendkeyshort __P((u_int)); -void promisc __P((void)); -int postproc __P((struct sadb_msg *, int)); -int verifypriority __P((struct sadb_msg *m)); -int fileproc __P((const char *)); -const char *numstr __P((int)); -void shortdump_hdr __P((void)); -void shortdump __P((struct sadb_msg *)); -static void printdate __P((void)); -static int32_t gmt2local __P((time_t)); -void stdin_loop __P((void)); +void usage (/*int*/); +int main (int, char **); +int get_supported (void); +void sendkeyshort (u_int); +void promisc (void); +int postproc (struct sadb_msg *, int); +int verifypriority (struct sadb_msg *m); +int fileproc (const char *); +const char *numstr (int); +void shortdump_hdr (void); +void shortdump (struct sadb_msg *); +static void printdate (void); +static int32_t gmt2local (time_t); +void stdin_loop (void); #define MODE_SCRIPT 1 #define MODE_CMDDUMP 2 @@ -152,7 +152,7 @@ main(argc, argv) int c; if (argc == 1) { - usage(0); + usage(); /* NOTREACHED */ } @@ -227,7 +227,7 @@ main(argc, argv) #endif break; case 'V': - usage(1); + usage(); break; /*NOTREACHED*/ #ifndef __NetBSD__ @@ -235,7 +235,7 @@ main(argc, argv) #endif case '?': default: - usage(0); + usage(); /*NOTREACHED*/ } } @@ -296,7 +296,7 @@ main(argc, argv) promisc(); /*NOTREACHED*/ default: - usage(0); + usage(); /*NOTREACHED*/ } diff --git a/ipsec-tools/setkey/test-pfkey.c b/ipsec-tools/setkey/test-pfkey.c index 857cbb7..c1eee73 100644 --- a/ipsec-tools/setkey/test-pfkey.c +++ b/ipsec-tools/setkey/test-pfkey.c @@ -34,7 +34,7 @@ #include #include #include -#include +#include #include #include #include 
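Review bot: `void usage (/*int*/);` is still a non-prototype declaration (empty parentheses rather than `void`), so the compiler cannot check the calls this hunk rewrites from `usage(0)`/`usage(1)` to `usage()`; since the point of the commit is to replace `__P` with real prototypes, make it `void usage(void);` and adjust the definition to match. Note also that the `-V` case previously passed `1` where every other call passed `0`; if usage() used that argument to select version output, collapsing both to `usage()` changes what `-V` prints, and the definition is not visible here to confirm. main continues outside the hunk.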
@@ -52,18 +52,18 @@ u_char m_buf[BUFSIZ];
 u_int m_len;
 char *pname;
-void Usage __P((void));
-int sendkeymsg __P((void));
-void key_setsadbmsg __P((u_int));
-void key_setsadbsens __P((void));
-void key_setsadbprop __P((void));
-void key_setsadbid __P((u_int, caddr_t));
-void key_setsadblft __P((u_int, u_int));
-void key_setspirange __P((void));
-void key_setsadbkey __P((u_int, caddr_t));
-void key_setsadbsa __P((void));
-void key_setsadbaddr __P((u_int, u_int, caddr_t));
-void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
+void Usage (void);
+int sendkeymsg (void);
+void key_setsadbmsg (u_int);
+void key_setsadbsens (void);
+void key_setsadbprop (void);
+void key_setsadbid (u_int, caddr_t);
+void key_setsadblft (u_int, u_int);
+void key_setspirange (void);
+void key_setsadbkey (u_int, caddr_t);
+void key_setsadbsa (void);
+void key_setsadbaddr (u_int, u_int, caddr_t);
+void key_setsadbextbuf (caddr_t, int, caddr_t, int, caddr_t, int);
 void Usage()
diff --git a/ipsec-tools/setkey/token.l b/ipsec-tools/setkey/token.l
index 5d76543..9b6687a 100644
--- a/ipsec-tools/setkey/token.l
+++ b/ipsec-tools/setkey/token.l
@@ -39,7 +39,7 @@
 #include
 #include
 #include
-#include
+#include
 #include
 #ifdef HAVE_NETINET6_IPSEC
 # include
diff --git a/ipsec.plist b/ipsec.plist
index aa53f4e..d8506fd 100644
--- a/ipsec.plist
+++ b/ipsec.plist
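Review bot: The new declaration `void Usage (void);` is followed two lines later by the still old-style definition `void Usage()`; the pair is compatible, but the purpose of dropping `__P` is to rely on real prototypes, so the definition should become `void Usage(void)`, and the other definitions (outside this hunk) should be checked for the same mismatch. `key_setsadbextbuf (caddr_t, int, caddr_t, int, caddr_t, int)` carries over `caddr_t` buffers with `int` lengths unchanged; if the definitions are being touched anyway, `void *` and `size_t` would let the compiler flag sign and width mismatches on those lengths. Style: the space before `(` in these prototypes differs from the parse.y hunk in the same commit.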
@@ -1,72 +1,58 @@ + + - - OpenSourceProject - racoon - OpenSourceImportDate - 2002-04-01 - OpenSourceVersion - Original version number unavailable, but later based on 0.6.7 - OpenSourceWebsiteURL - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src - OpenSourceSCM - cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src - OpenSourceModifications - - Several select security updates, memory leak fixes from 0.7.2 - - OpenSourceLicense - BSD - OpenSourceLicenseFile - ipsec.txt - - - OpenSourceProject - libipsec - OpenSourceImportDate - 2002-04-01 - OpenSourceVersion - Original version number unavailable, but later based on 0.6.5 - OpenSourceWebsiteURL - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src - OpenSourceSCM - cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src - OpenSourceLicense - BSD - OpenSourceLicenseFile - ipsec.txt - - - OpenSourceProject - setkey - OpenSourceImportDate - 2002-04-01 - OpenSourceVersion - Original version number unavailable, but later based on 0.6.5 - OpenSourceWebsiteURL - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src - OpenSourceSCM - cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src - OpenSourceLicense - BSD - OpenSourceLicenseFile - ipsec.txt - - - OpenSourceProject - racoonctl - OpenSourceImportDate - 2002-04-01 - OpenSourceVersion - Original version number unavailable, but later based on 0.6.5 - OpenSourceWebsiteURL - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src - OpenSourceSCM - cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src - OpenSourceLicense - BSD - OpenSourceLicenseFile - ipsec.txt - + + OpenSourceProject + racoon + OpenSourceImportDate + 2002-04-01 + OpenSourceVersion + Original version number unavailable, but later based on 0.6.7 + OpenSourceWebsiteURL + 
http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src + OpenSourceSCM + cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src + OpenSourceModifications + + Several select security updates, memory leak fixes from 0.7.2 + + OpenSourceLicense + BSD + OpenSourceLicenseFile + ipsec.txt + + + OpenSourceProject + libipsec + OpenSourceImportDate + 2002-04-01 + OpenSourceVersion + Original version number unavailable, but later based on 0.6.5 + OpenSourceWebsiteURL + http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src + OpenSourceSCM + cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src + OpenSourceLicense + BSD + OpenSourceLicenseFile + ipsec.txt + + + OpenSourceProject + setkey + OpenSourceImportDate + 2002-04-01 + OpenSourceVersion + Original version number unavailable, but later based on 0.6.5 + OpenSourceWebsiteURL + http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src + OpenSourceSCM + cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src + OpenSourceLicense + BSD + OpenSourceLicenseFile + ipsec.txt + diff --git a/ipsec.xcodeproj/project.pbxproj b/ipsec.xcodeproj/project.pbxproj index 3243a0c..64d7e29 100644 --- a/ipsec.xcodeproj/project.pbxproj +++ b/ipsec.xcodeproj/project.pbxproj @@ -3,7 +3,7 @@ archiveVersion = 1; classes = { }; - objectVersion = 45; + objectVersion = 46; objects = { /* Begin PBXAggregateTarget section */ 
@@ -11,53 +11,53 @@ isa = PBXAggregateTarget; buildConfigurationList = 25D3DAB8098952B20025F703 /* Build configuration list for PBXAggregateTarget "IPSec (Aggregate)" */; buildPhases = ( + BAA6806112B17CF900ACF6D3 /* CopyFiles */, + 72265DD80F818ED700730A7D /* CopyFiles */, ); dependencies = ( - 815C35FB152520C000502220 /* PBXTargetDependency */, - 815C35F9152520BC00502220 /* PBXTargetDependency */, + 724ED876168515A7008F2EBD /* PBXTargetDependency */, + 72B3C21916850CC5004E4548 /* PBXTargetDependency */, ); name = "IPSec (Aggregate)"; productName = "IPSec (Aggregate)"; }; - 812530AA0D3FE994006BDF4F /* IPSec Embedded (Aggregate) */ = { + 72B3C2081684F5C4004E4548 /* ipsec_executables */ = { isa = PBXAggregateTarget; - buildConfigurationList = 812530B50D3FE994006BDF4F /* Build configuration list for PBXAggregateTarget "IPSec Embedded (Aggregate)" */; + buildConfigurationList = 72B3C20C1684F5C4004E4548 /* Build configuration list for PBXAggregateTarget "ipsec_executables" */; buildPhases = ( + 72B3C21C16850D02004E4548 /* CopyFiles */, + 72B3C21E16850D1E004E4548 /* CopyFiles */, ); dependencies = ( - 812531110D3FEA28006BDF4F /* PBXTargetDependency */, - 81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */, - 8125312C0D3FEA44006BDF4F /* PBXTargetDependency */, - 81DDFDF10D627DE300C5CB87 /* PBXTargetDependency */, + 72B3C2101684F5E1004E4548 /* PBXTargetDependency */, + 72B3C20E1684F5DE004E4548 /* PBXTargetDependency */, ); - name = "IPSec Embedded (Aggregate)"; - productName = "IPSec (Aggregate) Embedded"; + name = ipsec_executables; + productName = ipsec_executables; }; - 815C35E61525201900502220 /* Project_base */ = { + 72B3C21116850B87004E4548 /* ipsec_libraries */ = { isa = PBXAggregateTarget; - buildConfigurationList = 815C35E71525201900502220 /* Build configuration list for PBXAggregateTarget "Project_base" */; + buildConfigurationList = 72B3C21216850B87004E4548 /* Build configuration list for PBXAggregateTarget "ipsec_libraries" */; buildPhases = ( - 
815C35FC152522A900502220 /* CopyFiles */, - 815C35FD152522AC00502220 /* CopyFiles */, ); dependencies = ( - 815C35F11525208900502220 /* PBXTargetDependency */, + 72B3C21716850BA0004E4548 /* PBXTargetDependency */, ); - name = Project_base; - productName = Project_base; + name = ipsec_libraries; + productName = ipsec_libraries; }; - 815C35EB1525203F00502220 /* Project_executables */ = { + 812530AA0D3FE994006BDF4F /* IPSec Embedded (Aggregate) */ = { isa = PBXAggregateTarget; - buildConfigurationList = 815C35EC1525203F00502220 /* Build configuration list for PBXAggregateTarget "Project_executables" */; + buildConfigurationList = 812530B50D3FE994006BDF4F /* Build configuration list for PBXAggregateTarget "IPSec Embedded (Aggregate)" */; buildPhases = ( ); dependencies = ( - 815C35F71525209800502220 /* PBXTargetDependency */, - 815C35F51525209400502220 /* PBXTargetDependency */, - 815C35F31525209000502220 /* PBXTargetDependency */, + 812531110D3FEA28006BDF4F /* PBXTargetDependency */, + 81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */, + 81DDFDF10D627DE300C5CB87 /* PBXTargetDependency */, ); - name = Project_executables; - productName = Project_executables; + name = "IPSec Embedded (Aggregate)"; + productName = "IPSec (Aggregate) Embedded"; }; /* End PBXAggregateTarget section */ 
@@ -72,20 +72,9 @@ 2537A1BA09E4867A00D0ECDA /* policy_token.l in Sources */ = {isa = PBXBuildFile; fileRef = 252DF9600989B4EE00E5B678 /* policy_token.l */; }; 2537A1C109E494B300D0ECDA /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; 2537A1C709E49D0600D0ECDA /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; - 2537A1CB09E49D5600D0ECDA /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; - 2543473209DCAE27007943DE /* racoonctl.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2590C0988657000D15623 /* racoonctl.c */; }; - 2543474E09DCAEF8007943DE /* str2val.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2591D0988657000D15623 /* str2val.c */; }; - 2543475109DCB063007943DE /* kmpstat.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E80988657000D15623 /* kmpstat.c */; }; - 2543475509DCB0D9007943DE /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; }; - 2543475609DCB0DB007943DE /* sockmisc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2591A0988657000D15623 /* sockmisc.c */; }; - 2543475709DCB0E6007943DE /* misc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EE0988657000D15623 /* misc.c */; }; - 2543476409DCB396007943DE /* pfkey_dump.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777ED09ABE58400C99783 /* pfkey_dump.c */; }; - 2543476709DCB400007943DE /* key_debug.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777B909ABE3E100C99783 /* key_debug.c */; }; - 2543476909DCB420007943DE /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; }; 258CF2CB0A19197400166B38 /* setkey.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F258890988648C00D15623 /* setkey.8 */; }; 258CF2CD0A1919A800166B38 /* ipsec_set_policy.3 in CopyFiles */ = {isa = 
PBXBuildFile; fileRef = 252DF9540989B4EE00E5B678 /* ipsec_set_policy.3 */; }; 258CF2CE0A1919AF00166B38 /* ipsec_strerror.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 252DF9550989B4EE00E5B678 /* ipsec_strerror.3 */; }; - 258CF2D20A191A0600166B38 /* racoonctl.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F2590B0988657000D15623 /* racoonctl.8 */; }; 258CF2E10A191A9200166B38 /* racoon.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F259090988657000D15623 /* racoon.8 */; }; 258CF2E40A191AD500166B38 /* racoon.conf.5 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F2590A0988657000D15623 /* racoon.conf.5 */; }; 25DC9ED409DB16F300C89F86 /* isakmp_cfg.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D50988657000D15623 /* isakmp_cfg.c */; }; 
@@ -103,36 +92,28 @@ 25F258900988648C00D15623 /* parse.y in Sources */ = {isa = PBXBuildFile; fileRef = 25F258870988648C00D15623 /* parse.y */; }; 25F258910988648C00D15623 /* setkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2588A0988648C00D15623 /* setkey.c */; }; 25F258940988648C00D15623 /* token.l in Sources */ = {isa = PBXBuildFile; fileRef = 25F2588D0988648C00D15623 /* token.l */; }; - 25F259280988657000D15623 /* admin.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AC0988657000D15623 /* admin.c */; }; 25F259290988657000D15623 /* algorithm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AE0988657000D15623 /* algorithm.c */; }; - 25F2592A0988657000D15623 /* backupsa.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B10988657000D15623 /* backupsa.c */; }; 25F2592B0988657000D15623 /* cfparse.y in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B40988657000D15623 /* cfparse.y */; }; 25F2592C0988657000D15623 /* cftoken.l in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B60988657000D15623 /* cftoken.l */; }; 25F2592E0988657000D15623 /* crypto_openssl.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B90988657000D15623 /* crypto_openssl.c */; }; 25F2592F0988657000D15623 /* dnssec.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258BE0988657000D15623 /* dnssec.c */; }; - 25F259310988657000D15623 /* evt.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258C20988657000D15623 /* evt.c */; }; 25F259320988657000D15623 /* genlist.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258C50988657000D15623 /* genlist.c */; }; 25F259330988657000D15623 /* getcertsbyname.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258C70988657000D15623 /* getcertsbyname.c */; }; 25F259340988657000D15623 /* grabmyaddr.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258C90988657000D15623 /* grabmyaddr.c */; }; - 25F259350988657000D15623 /* gssapi.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258CB0988657000D15623 /* gssapi.c */; }; 
25F259360988657000D15623 /* handler.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258CD0988657000D15623 /* handler.c */; }; 25F259370988657000D15623 /* ipsec_doi.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258CF0988657000D15623 /* ipsec_doi.c */; }; 25F259380988657000D15623 /* isakmp_agg.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D10988657000D15623 /* isakmp_agg.c */; }; - 25F259390988657000D15623 /* isakmp_base.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D30988657000D15623 /* isakmp_base.c */; }; 25F2593C0988657000D15623 /* isakmp_ident.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D90988657000D15623 /* isakmp_ident.c */; }; 25F2593D0988657000D15623 /* isakmp_inf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258DB0988657000D15623 /* isakmp_inf.c */; }; - 25F2593E0988657000D15623 /* isakmp_newg.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258DD0988657000D15623 /* isakmp_newg.c */; }; 25F2593F0988657000D15623 /* isakmp_quick.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258DF0988657000D15623 /* isakmp_quick.c */; }; 25F259420988657000D15623 /* isakmp.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E60988657000D15623 /* isakmp.c */; }; 25F259440988657000D15623 /* localconf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E90988657000D15623 /* localconf.c */; }; - 25F259450988657000D15623 /* logger.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EB0988657000D15623 /* logger.c */; }; 25F259460988657000D15623 /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258ED0988657000D15623 /* main.c */; }; 25F259470988657000D15623 /* misc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EE0988657000D15623 /* misc.c */; }; 25F259490988657000D15623 /* oakley.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258F30988657000D15623 /* oakley.c */; }; 25F2594C0988657000D15623 /* pfkey_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258F80988657000D15623 /* pfkey_racoon.c 
*/; }; 25F2594F0988657000D15623 /* plog.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FD0988657000D15623 /* plog.c */; }; 25F259500988657000D15623 /* policy.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FF0988657000D15623 /* policy.c */; }; - 25F259510988657000D15623 /* privsep.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259010988657000D15623 /* privsep.c */; }; 25F259520988657000D15623 /* proposal.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259030988657000D15623 /* proposal.c */; }; 25F259580988657000D15623 /* remoteconf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2590E0988657000D15623 /* remoteconf.c */; }; 25F2595A0988657000D15623 /* safefile.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259120988657000D15623 /* safefile.c */; }; 
@@ -145,37 +126,39 @@ 25F259610988657000D15623 /* throttle.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259210988657000D15623 /* throttle.c */; }; 25F259620988657000D15623 /* vendorid.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259240988657000D15623 /* vendorid.c */; }; 25F259630988657000D15623 /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; }; + 72171DAF166443AB0050B3B9 /* eap_aka.c in Sources */ = {isa = PBXBuildFile; fileRef = 72171DAE166443AB0050B3B9 /* eap_aka.c */; }; + 72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; }; + 723B6A30162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; }; + 723B6A31162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; }; + 724ED87916851AAC008F2EBD /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; }; + 724ED87A16851AB6008F2EBD /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; }; + 727FA360163A1A25000A3986 /* ipsec_interface.c in Sources */ = {isa = PBXBuildFile; fileRef = 727FA35F163A1A24000A3986 /* ipsec_interface.c */; }; + 727FA361163A1A25000A3986 /* ipsec_interface.c in Sources */ = {isa = PBXBuildFile; fileRef = 727FA35F163A1A24000A3986 /* ipsec_interface.c */; }; 72B433770E3677D800D67508 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; }; - 812530C20D3FE9DC006BDF4F /* admin.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AC0988657000D15623 /* admin.c */; }; + 72F5C72E1607A1AE004C192F /* api_support.c in Sources */ = {isa = PBXBuildFile; fileRef = 72F5C72D1607A1AE004C192F /* api_support.c */; }; + 72F5C72F1607A1AE004C192F /* api_support.c in 
Sources */ = {isa = PBXBuildFile; fileRef = 72F5C72D1607A1AE004C192F /* api_support.c */; }; 812530C30D3FE9DC006BDF4F /* algorithm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AE0988657000D15623 /* algorithm.c */; }; - 812530C40D3FE9DC006BDF4F /* backupsa.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B10988657000D15623 /* backupsa.c */; }; 812530C50D3FE9DC006BDF4F /* cfparse.y in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B40988657000D15623 /* cfparse.y */; }; 812530C60D3FE9DC006BDF4F /* cftoken.l in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B60988657000D15623 /* cftoken.l */; }; 812530C70D3FE9DC006BDF4F /* crypto_openssl.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B90988657000D15623 /* crypto_openssl.c */; }; 812530C80D3FE9DC006BDF4F /* dnssec.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258BE0988657000D15623 /* dnssec.c */; }; - 812530C90D3FE9DC006BDF4F /* evt.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258C20988657000D15623 /* evt.c */; }; 812530CA0D3FE9DC006BDF4F /* genlist.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258C50988657000D15623 /* genlist.c */; }; 812530CB0D3FE9DC006BDF4F /* getcertsbyname.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258C70988657000D15623 /* getcertsbyname.c */; }; 812530CC0D3FE9DC006BDF4F /* grabmyaddr.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258C90988657000D15623 /* grabmyaddr.c */; }; - 812530CD0D3FE9DC006BDF4F /* gssapi.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258CB0988657000D15623 /* gssapi.c */; }; 812530CE0D3FE9DC006BDF4F /* handler.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258CD0988657000D15623 /* handler.c */; }; 812530CF0D3FE9DC006BDF4F /* ipsec_doi.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258CF0988657000D15623 /* ipsec_doi.c */; }; 812530D00D3FE9DC006BDF4F /* isakmp_agg.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D10988657000D15623 /* isakmp_agg.c */; }; - 812530D10D3FE9DC006BDF4F /* 
isakmp_base.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D30988657000D15623 /* isakmp_base.c */; }; 812530D20D3FE9DC006BDF4F /* isakmp_ident.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D90988657000D15623 /* isakmp_ident.c */; }; 812530D30D3FE9DC006BDF4F /* isakmp_inf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258DB0988657000D15623 /* isakmp_inf.c */; }; - 812530D40D3FE9DC006BDF4F /* isakmp_newg.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258DD0988657000D15623 /* isakmp_newg.c */; }; 812530D50D3FE9DC006BDF4F /* isakmp_quick.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258DF0988657000D15623 /* isakmp_quick.c */; }; 812530D60D3FE9DC006BDF4F /* isakmp.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E60988657000D15623 /* isakmp.c */; }; 812530D70D3FE9DC006BDF4F /* localconf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E90988657000D15623 /* localconf.c */; }; - 812530D80D3FE9DC006BDF4F /* logger.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EB0988657000D15623 /* logger.c */; }; 812530D90D3FE9DC006BDF4F /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258ED0988657000D15623 /* main.c */; }; 812530DA0D3FE9DC006BDF4F /* misc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EE0988657000D15623 /* misc.c */; }; 812530DB0D3FE9DC006BDF4F /* oakley.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258F30988657000D15623 /* oakley.c */; }; 812530DC0D3FE9DC006BDF4F /* pfkey_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258F80988657000D15623 /* pfkey_racoon.c */; }; 812530DD0D3FE9DC006BDF4F /* plog.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FD0988657000D15623 /* plog.c */; }; 812530DE0D3FE9DC006BDF4F /* policy.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FF0988657000D15623 /* policy.c */; }; - 812530DF0D3FE9DC006BDF4F /* privsep.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259010988657000D15623 /* privsep.c */; }; 812530E00D3FE9DC006BDF4F /* proposal.c in 
Sources */ = {isa = PBXBuildFile; fileRef = 25F259030988657000D15623 /* proposal.c */; }; 812530E10D3FE9DC006BDF4F /* remoteconf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2590E0988657000D15623 /* remoteconf.c */; }; 812530E20D3FE9DC006BDF4F /* safefile.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259120988657000D15623 /* safefile.c */; }; 
@@ -199,23 +182,10 @@ 812530F90D3FE9DC006BDF4F /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE8C009D87B080042CC7F /* CoreFoundation.framework */; }; 812530FC0D3FE9DC006BDF4F /* racoon.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F259090988657000D15623 /* racoon.8 */; }; 812530FE0D3FE9DC006BDF4F /* racoon.conf.5 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F2590A0988657000D15623 /* racoon.conf.5 */; }; - 812531160D3FEA33006BDF4F /* racoonctl.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2590C0988657000D15623 /* racoonctl.c */; }; - 812531170D3FEA33006BDF4F /* str2val.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2591D0988657000D15623 /* str2val.c */; }; - 812531180D3FEA33006BDF4F /* kmpstat.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E80988657000D15623 /* kmpstat.c */; }; - 812531190D3FEA33006BDF4F /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; }; - 8125311A0D3FEA33006BDF4F /* sockmisc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2591A0988657000D15623 /* sockmisc.c */; }; - 8125311B0D3FEA33006BDF4F /* misc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EE0988657000D15623 /* misc.c */; }; - 8125311C0D3FEA33006BDF4F /* pfkey_dump.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777ED09ABE58400C99783 /* pfkey_dump.c */; }; - 8125311D0D3FEA33006BDF4F /* key_debug.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777B909ABE3E100C99783 /* key_debug.c */; }; - 8125311E0D3FEA33006BDF4F /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; }; - 812531220D3FEA33006BDF4F /* racoonctl.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F2590B0988657000D15623 /* racoonctl.8 */; }; 812A64ED0D4AA082004CB7EB /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 812A64EC0D4AA082004CB7EB /* Security.framework */; }; - 815C35FE152522CE00502220 /* ipsec.plist in CopyFiles */ = {isa 
= PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; }; - 815C35FF152522EB00502220 /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; }; + 8141336B149015E900028D76 /* fsm.c in Sources */ = {isa = PBXBuildFile; fileRef = 81CBCFE81447A1C20000D6E6 /* fsm.c */; }; 8167917B0D650BAA006B523F /* racoon.conf in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103A0D5BE18800C7B441 /* racoon.conf */; }; - 8176A6B90D45661700BC5251 /* libldap.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8176A6B80D45661700BC5251 /* libldap.dylib */; }; 817FFC4E0D6134A7004A8DD8 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; - 817FFC5A0D613729004A8DD8 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; 818710410D5BE22B00C7B441 /* psk.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103D0D5BE1CF00C7B441 /* psk.txt */; }; 818710420D5BE22F00C7B441 /* racoon.conf in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103B0D5BE1B400C7B441 /* racoon.conf */; }; 818710510D5BE29300C7B441 /* psk.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103D0D5BE1CF00C7B441 /* psk.txt */; }; 
@@ -224,13 +194,12 @@ 81C386AA0D451EC300975D5E /* crypto_cssm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B70988657000D15623 /* crypto_cssm.c */; }; 81C387560D45208700975D5E /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE83109D875790042CC7F /* Security.framework */; }; 81C387570D45208700975D5E /* DirectoryService.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE83709D875BF0042CC7F /* DirectoryService.framework */; }; - 81C3877A0D4524E700975D5E /* libpam.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE87309D87A390042CC7F /* libpam.dylib */; }; - 81C387890D4524F600975D5E /* libgssapi_krb5.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE87109D87A160042CC7F /* libgssapi_krb5.dylib */; }; 81C387EC0D45268300975D5E /* open_dir.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258F50988657000D15623 /* open_dir.c */; }; 81C964590DA2CBEF00257BC8 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 81C964580DA2CBEF00257BC8 /* SystemConfiguration.framework */; }; 81C9645E0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 81C9645D0DA2CC2D00257BC8 /* SystemConfiguration.framework */; }; 81C9645F0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 81C9645D0DA2CC2D00257BC8 /* SystemConfiguration.framework */; }; 81CA08920CE3BC870055C0AF /* vpn.c in Sources */ = {isa = PBXBuildFile; fileRef = 81CA08910CE3BC870055C0AF /* vpn.c */; }; + 81CBCFE91447A1C20000D6E6 /* fsm.c in Sources */ = {isa = PBXBuildFile; fileRef = 81CBCFE81447A1C20000D6E6 /* fsm.c */; }; 81DDFD9B0D622C1700C5CB87 /* parse.y in Sources */ = {isa = PBXBuildFile; fileRef = 25F258870988648C00D15623 /* parse.y */; }; 81DDFD9C0D622C1700C5CB87 /* pfkey_dump.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777ED09ABE58400C99783 /* pfkey_dump.c */; }; 81DDFD9D0D622C1700C5CB87 /* key_debug.c in Sources */ = {isa = 
PBXBuildFile; fileRef = 25F777B909ABE3E100C99783 /* key_debug.c */; }; @@ -255,6 +224,7 @@ 834072A90EDCC5AC00B6CCE8 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; }; 8D5B16750E5F7F4E00E72675 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8D5B16230E5F7E9300E72675 /* libresolv.dylib */; }; 8D5B167D0E5F7F9F00E72675 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8D5B16230E5F7E9300E72675 /* libresolv.dylib */; }; + BA04622B1562E6E400EF348A /* EAP8021X.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA04622A1562E6E400EF348A /* EAP8021X.framework */; }; BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; }; BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; }; BA48611C109C2BBA00545E19 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA48611B109C2BBA00545E19 /* IOKit.framework */; }; 
@@ -271,85 +241,65 @@ BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; }; BA7777A11107EBCE00DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; }; BA7777A21107EBF600DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; }; + BA8BE71815655D360068DEB9 /* eap_sim.c in Sources */ = {isa = PBXBuildFile; fileRef = BA8BE71615655D360068DEB9 /* eap_sim.c */; }; + BA952E79156704DF00B07934 /* eap.c in Sources */ = {isa = PBXBuildFile; fileRef = BA952E77156704DF00B07934 /* eap.c */; }; + BAC2E175146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */; }; + BAC2E176146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */; }; + BAC2E177146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */; }; + BAC2E178146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */; }; + BAC2E179146DFD06009D4506 /* ikev2_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E172146DFD05009D4506 /* ikev2_rfc.c */; }; + BAC2E17A146DFD06009D4506 /* ikev2_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E172146DFD05009D4506 /* ikev2_rfc.c */; }; + BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; }; + BACD8C6A1496A50C0042DEA1 /* Preferences.c in Sources */ = {isa = PBXBuildFile; fileRef = BACD8C681496A50C0042DEA1 /* Preferences.c */; }; + BACD8C6B1496A50C0042DEA1 /* Preferences.c in Sources */ = {isa = PBXBuildFile; fileRef = BACD8C681496A50C0042DEA1 /* Preferences.c */; }; + 
BACF4E5F146F909E008F04FC /* ikev2_info_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */; }; + BACF4E60146F909E008F04FC /* ikev2_info_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */; }; + BACF4E631470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */; }; + BACF4E641470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */; }; /* End PBXBuildFile section */ /* Begin PBXContainerItemProxy section */ - 2537A1C209E494D300D0ECDA /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 2537A1A709E4864800D0ECDA; - remoteInfo = libipsec; - }; - 2537A1C809E49D1400D0ECDA /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 2537A1A709E4864800D0ECDA; - remoteInfo = libipsec; - }; - 2537A1CC09E49D5C00D0ECDA /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 2537A1A709E4864800D0ECDA; - remoteInfo = libipsec; - }; - 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 812530BA0D3FE9DC006BDF4F; - remoteInfo = "racoon arm"; - }; - 8125312B0D3FEA44006BDF4F /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 812531120D3FEA33006BDF4F; - remoteInfo = "racoonctl arm"; - }; - 815C35F01525208900502220 /* 
PBXContainerItemProxy */ = { + 724ED875168515A7008F2EBD /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 2537A1A709E4864800D0ECDA; - remoteInfo = libipsec; + remoteGlobalIDString = 72B3C21116850B87004E4548; + remoteInfo = ipsec_libraries; }; - 815C35F21525209000502220 /* PBXContainerItemProxy */ = { + 72B3C20D1684F5DE004E4548 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; remoteGlobalIDString = 25F258040987FBFA00D15623; remoteInfo = racoon; }; - 815C35F41525209400502220 /* PBXContainerItemProxy */ = { + 72B3C20F1684F5E1004E4548 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 25F2580E0987FC3400D15623; - remoteInfo = racoonctl; + remoteGlobalIDString = 25F258090987FC1500D15623; + remoteInfo = setkey; }; - 815C35F61525209800502220 /* PBXContainerItemProxy */ = { + 72B3C21616850BA0004E4548 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 25F258090987FC1500D15623; - remoteInfo = setkey; + remoteGlobalIDString = 2537A1A709E4864800D0ECDA; + remoteInfo = libipsec; }; - 815C35F8152520BC00502220 /* PBXContainerItemProxy */ = { + 72B3C21816850CC5004E4548 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 815C35E61525201900502220; - remoteInfo = Project_base; + remoteGlobalIDString = 72B3C2081684F5C4004E4548; + remoteInfo = ipsec_executables; }; - 815C35FA152520C000502220 /* PBXContainerItemProxy */ = { + 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 
23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 815C35EB1525203F00502220; - remoteInfo = Project_executables; + remoteGlobalIDString = 812530BA0D3FE9DC006BDF4F; + remoteInfo = "racoon arm"; }; 81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; @@ -405,16 +355,6 @@ ); runOnlyForDeploymentPostprocessing = 1; }; - 258CF2D50A191A6E00166B38 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = /usr/share/man/man8; - dstSubfolderSpec = 0; - files = ( - 258CF2D20A191A0600166B38 /* racoonctl.8 in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; - }; 258CF2E20A191AB000166B38 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; 
@@ -446,94 +386,94 @@ ); runOnlyForDeploymentPostprocessing = 1; }; - 724A38A20E3676FB00F6B25F /* CopyFiles */ = { + 72265DD80F818ED700730A7D /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; - dstPath = /System/Library/LaunchDaemons; + dstPath = /usr/local/OpenSourceVersions/; dstSubfolderSpec = 0; files = ( - 72B433770E3677D800D67508 /* com.apple.racoon.plist in CopyFiles */, + 72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 1; }; - 725F453B0E36A15C005BB55C /* CopyFiles */ = { + 724A38A20E3676FB00F6B25F /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; dstPath = /System/Library/LaunchDaemons; dstSubfolderSpec = 0; files = ( - 834072A90EDCC5AC00B6CCE8 /* com.apple.racoon.plist in CopyFiles */, + 72B433770E3677D800D67508 /* com.apple.racoon.plist in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 1; }; - 812530FB0D3FE9DC006BDF4F /* CopyFiles */ = { + 725F453B0E36A15C005BB55C /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; - dstPath = /usr/share/man/man8; + dstPath = /System/Library/LaunchDaemons; dstSubfolderSpec = 0; files = ( - 812530FC0D3FE9DC006BDF4F /* racoon.8 in CopyFiles */, + 834072A90EDCC5AC00B6CCE8 /* com.apple.racoon.plist in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 1; }; - 812530FD0D3FE9DC006BDF4F /* CopyFiles */ = { + 72B3C21C16850D02004E4548 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; - dstPath = /usr/share/man/man5; + dstPath = /usr/local/OpenSourceLicenses; dstSubfolderSpec = 0; files = ( - 812530FE0D3FE9DC006BDF4F /* racoon.conf.5 in CopyFiles */, + 724ED87916851AAC008F2EBD /* ipsec.txt in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 1; }; - 812530FF0D3FE9DC006BDF4F /* CopyFiles */ = { + 72B3C21E16850D1E004E4548 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; - dstPath = /private/etc/racoon/remote; + dstPath = /usr/local/OpenSourceVersions/; dstSubfolderSpec 
= 0; files = ( - 818710530D5BE2B500C7B441 /* anonymous.conf in CopyFiles */, + 724ED87A16851AB6008F2EBD /* ipsec.plist in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 1; }; - 812531020D3FE9DC006BDF4F /* CopyFiles */ = { + 812530FB0D3FE9DC006BDF4F /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; - dstPath = /private/etc/racoon; + dstPath = /usr/share/man/man8; dstSubfolderSpec = 0; files = ( - 818710510D5BE29300C7B441 /* psk.txt in CopyFiles */, - 8167917B0D650BAA006B523F /* racoon.conf in CopyFiles */, + 812530FC0D3FE9DC006BDF4F /* racoon.8 in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 1; }; - 812531210D3FEA33006BDF4F /* CopyFiles */ = { + 812530FD0D3FE9DC006BDF4F /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; - dstPath = /usr/share/man/man8; + dstPath = /usr/share/man/man5; dstSubfolderSpec = 0; files = ( - 812531220D3FEA33006BDF4F /* racoonctl.8 in CopyFiles */, + 812530FE0D3FE9DC006BDF4F /* racoon.conf.5 in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 1; }; - 815C35FC152522A900502220 /* CopyFiles */ = { + 812530FF0D3FE9DC006BDF4F /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; - dstPath = /usr/local/OpenSourceVersions/; + dstPath = /private/etc/racoon/remote; dstSubfolderSpec = 0; files = ( - 815C35FE152522CE00502220 /* ipsec.plist in CopyFiles */, + 818710530D5BE2B500C7B441 /* anonymous.conf in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 1; }; - 815C35FD152522AC00502220 /* CopyFiles */ = { + 812531020D3FE9DC006BDF4F /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; - dstPath = /usr/local/OpenSourceLicenses; + dstPath = /private/etc/racoon; dstSubfolderSpec = 0; files = ( - 815C35FF152522EB00502220 /* ipsec.txt in CopyFiles */, + 818710510D5BE29300C7B441 /* psk.txt in CopyFiles */, + 8167917B0D650BAA006B523F /* racoon.conf in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 1; }; 
@@ -589,6 +529,16 @@ ); runOnlyForDeploymentPostprocessing = 1; }; + BAA6806112B17CF900ACF6D3 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/OpenSourceLicenses; + dstSubfolderSpec = 0; + files = ( + BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; /* End PBXCopyFilesBuildPhase section */ /* Begin PBXFileReference section */ @@ -619,7 +569,6 @@ 25EAE8C009D87B080042CC7F /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = /System/Library/Frameworks/CoreFoundation.framework; sourceTree = ""; }; 25F258050987FBFA00D15623 /* racoon */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = racoon; sourceTree = BUILT_PRODUCTS_DIR; }; 25F2580A0987FC1500D15623 /* setkey */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = setkey; sourceTree = BUILT_PRODUCTS_DIR; }; - 25F2580F0987FC3400D15623 /* racoonctl */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = racoonctl; sourceTree = BUILT_PRODUCTS_DIR; }; 25F258840988648C00D15623 /* extern.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = extern.h; sourceTree = ""; }; 25F258870988648C00D15623 /* parse.y */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.yacc; path = parse.y; sourceTree = ""; }; 25F258880988648C00D15623 /* scriptdump.pl */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text.script.perl; path = scriptdump.pl; sourceTree = ""; }; 
@@ -630,25 +579,9 @@ 25F25895098864AB00D15623 /* sample-policy01.cf */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = "sample-policy01.cf"; sourceTree = ""; }; 25F25896098864AB00D15623 /* sample-policy02.cf */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = "sample-policy02.cf"; sourceTree = ""; }; 25F25897098864AB00D15623 /* sample.cf */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = sample.cf; sourceTree = ""; }; - 25F2589B098864F500D15623 /* FAQ */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = FAQ; sourceTree = ""; }; - 25F2589C098864F500D15623 /* README.certificate */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = README.certificate; sourceTree = ""; }; - 25F2589D098864F500D15623 /* README.gssapi */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = README.gssapi; sourceTree = ""; }; - 25F2589E098864F500D15623 /* TODO */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = TODO; sourceTree = ""; }; - 25F2589F0988651000D15623 /* boxes-fst.dat */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = "boxes-fst.dat"; sourceTree = ""; }; - 25F258A00988651000D15623 /* rijndael_local.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = rijndael_local.h; sourceTree = ""; }; - 25F258A10988651000D15623 /* rijndael-alg-fst.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = "rijndael-alg-fst.c"; sourceTree = ""; }; - 25F258A20988651000D15623 /* rijndael-alg-fst.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "rijndael-alg-fst.h"; sourceTree = ""; }; - 25F258A30988651000D15623 /* rijndael-api-fst.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = "rijndael-api-fst.c"; 
sourceTree = ""; }; - 25F258A40988651000D15623 /* rijndael-api-fst.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "rijndael-api-fst.h"; sourceTree = ""; }; - 25F258A50988651000D15623 /* rijndael.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = rijndael.h; sourceTree = ""; }; - 25F258AB0988657000D15623 /* admin_var.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = admin_var.h; sourceTree = ""; }; - 25F258AC0988657000D15623 /* admin.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = admin.c; sourceTree = ""; }; - 25F258AD0988657000D15623 /* admin.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = admin.h; sourceTree = ""; }; 25F258AE0988657000D15623 /* algorithm.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = algorithm.c; sourceTree = ""; }; 25F258AF0988657000D15623 /* algorithm.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = algorithm.h; sourceTree = ""; }; 25F258B00988657000D15623 /* arc4random.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = arc4random.h; sourceTree = ""; }; - 25F258B10988657000D15623 /* backupsa.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = backupsa.c; sourceTree = ""; }; - 25F258B20988657000D15623 /* backupsa.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = backupsa.h; sourceTree = ""; }; 25F258B30988657000D15623 /* cfparse_proto.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cfparse_proto.h; sourceTree = ""; }; 25F258B40988657000D15623 /* cfparse.y */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.yacc; path = cfparse.y; 
sourceTree = ""; }; 25F258B50988657000D15623 /* cftoken_proto.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cftoken_proto.h; sourceTree = ""; }; 
@@ -658,30 +591,22 @@ 25F258B90988657000D15623 /* crypto_openssl.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = crypto_openssl.c; sourceTree = ""; }; 25F258BA0988657000D15623 /* crypto_openssl.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = crypto_openssl.h; sourceTree = ""; }; 25F258BB0988657000D15623 /* debug.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = debug.h; sourceTree = ""; }; - 25F258BC0988657000D15623 /* debugrm.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = debugrm.h; sourceTree = ""; }; 25F258BD0988657000D15623 /* dhgroup.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = dhgroup.h; sourceTree = ""; }; 25F258BE0988657000D15623 /* dnssec.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = dnssec.c; sourceTree = ""; }; 25F258BF0988657000D15623 /* dnssec.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = dnssec.h; sourceTree = ""; }; 25F258C00988657000D15623 /* dump.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = dump.h; sourceTree = ""; }; - 25F258C20988657000D15623 /* evt.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = evt.c; sourceTree = ""; }; - 25F258C30988657000D15623 /* evt.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = evt.h; sourceTree = ""; }; 25F258C40988657000D15623 /* gcmalloc.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = gcmalloc.h; sourceTree = ""; }; 25F258C50988657000D15623 /* genlist.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = genlist.c; sourceTree = ""; }; 25F258C60988657000D15623 /* genlist.h 
*/ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = genlist.h; sourceTree = ""; }; 25F258C70988657000D15623 /* getcertsbyname.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = getcertsbyname.c; sourceTree = ""; }; - 25F258C80988657000D15623 /* gnuc.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = gnuc.h; sourceTree = ""; }; 25F258C90988657000D15623 /* grabmyaddr.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = grabmyaddr.c; sourceTree = ""; }; 25F258CA0988657000D15623 /* grabmyaddr.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = grabmyaddr.h; sourceTree = ""; }; - 25F258CB0988657000D15623 /* gssapi.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = gssapi.c; sourceTree = ""; }; - 25F258CC0988657000D15623 /* gssapi.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = gssapi.h; sourceTree = ""; }; 25F258CD0988657000D15623 /* handler.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = handler.c; sourceTree = ""; }; 25F258CE0988657000D15623 /* handler.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = handler.h; sourceTree = ""; }; 25F258CF0988657000D15623 /* ipsec_doi.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = ipsec_doi.c; sourceTree = ""; }; 25F258D00988657000D15623 /* ipsec_doi.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = ipsec_doi.h; sourceTree = ""; }; 25F258D10988657000D15623 /* isakmp_agg.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = isakmp_agg.c; sourceTree = ""; }; 25F258D20988657000D15623 /* isakmp_agg.h */ = {isa = 
PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = isakmp_agg.h; sourceTree = ""; }; - 25F258D30988657000D15623 /* isakmp_base.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = isakmp_base.c; sourceTree = ""; }; - 25F258D40988657000D15623 /* isakmp_base.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = isakmp_base.h; sourceTree = ""; }; 25F258D50988657000D15623 /* isakmp_cfg.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = isakmp_cfg.c; sourceTree = ""; }; 25F258D60988657000D15623 /* isakmp_cfg.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = isakmp_cfg.h; sourceTree = ""; }; 25F258D70988657000D15623 /* isakmp_frag.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = isakmp_frag.c; sourceTree = ""; }; 
@@ -690,8 +615,6 @@ 25F258DA0988657000D15623 /* isakmp_ident.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = isakmp_ident.h; sourceTree = ""; }; 25F258DB0988657000D15623 /* isakmp_inf.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = isakmp_inf.c; sourceTree = ""; }; 25F258DC0988657000D15623 /* isakmp_inf.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = isakmp_inf.h; sourceTree = ""; }; - 25F258DD0988657000D15623 /* isakmp_newg.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = isakmp_newg.c; sourceTree = ""; }; - 25F258DE0988657000D15623 /* isakmp_newg.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = isakmp_newg.h; sourceTree = ""; }; 25F258DF0988657000D15623 /* isakmp_quick.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = isakmp_quick.c; sourceTree = ""; }; 25F258E00988657000D15623 /* isakmp_quick.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = isakmp_quick.h; sourceTree = ""; }; 25F258E10988657000D15623 /* isakmp_unity.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = isakmp_unity.c; sourceTree = ""; }; 
@@ -704,8 +627,6 @@ 25F258E80988657000D15623 /* kmpstat.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = kmpstat.c; sourceTree = ""; }; 25F258E90988657000D15623 /* localconf.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = localconf.c; sourceTree = ""; }; 25F258EA0988657000D15623 /* localconf.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = localconf.h; sourceTree = ""; }; - 25F258EB0988657000D15623 /* logger.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = logger.c; sourceTree = ""; }; - 25F258EC0988657000D15623 /* logger.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = logger.h; sourceTree = ""; }; 25F258ED0988657000D15623 /* main.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = ""; }; 25F258EE0988657000D15623 /* misc.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = misc.c; sourceTree = ""; }; 25F258EF0988657000D15623 /* misc.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = misc.h; sourceTree = ""; }; 
@@ -722,15 +643,10 @@ 25F258FE0988657000D15623 /* plog.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = plog.h; sourceTree = ""; }; 25F258FF0988657000D15623 /* policy.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = policy.c; sourceTree = ""; }; 25F259000988657000D15623 /* policy.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = policy.h; sourceTree = ""; }; - 25F259010988657000D15623 /* privsep.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = privsep.c; sourceTree = ""; }; - 25F259020988657000D15623 /* privsep.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = privsep.h; sourceTree = ""; }; 25F259030988657000D15623 /* proposal.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = proposal.c; sourceTree = ""; }; 25F259040988657000D15623 /* proposal.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = proposal.h; sourceTree = ""; }; 25F259090988657000D15623 /* racoon.8 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = racoon.8; sourceTree = ""; }; 25F2590A0988657000D15623 /* racoon.conf.5 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = racoon.conf.5; sourceTree = ""; }; - 25F2590B0988657000D15623 /* racoonctl.8 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = racoonctl.8; sourceTree = ""; }; - 25F2590C0988657000D15623 /* racoonctl.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = racoonctl.c; sourceTree = ""; }; - 25F2590D0988657000D15623 /* racoonctl.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = racoonctl.h; sourceTree = ""; }; 25F2590E0988657000D15623 /* remoteconf.c */ = {isa = 
PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = remoteconf.c; sourceTree = ""; }; 25F2590F0988657000D15623 /* remoteconf.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = remoteconf.h; sourceTree = ""; }; 25F259120988657000D15623 /* safefile.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = safefile.c; sourceTree = ""; }; 
@@ -757,11 +673,18 @@ 25F259270988657000D15623 /* vmbuf.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = vmbuf.h; sourceTree = ""; }; 25F777B909ABE3E100C99783 /* key_debug.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = key_debug.c; path = Common/key_debug.c; sourceTree = ""; }; 25F777ED09ABE58400C99783 /* pfkey_dump.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = pfkey_dump.c; path = Common/pfkey_dump.c; sourceTree = ""; }; + 72171DAE166443AB0050B3B9 /* eap_aka.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = eap_aka.c; sourceTree = ""; }; 72265DDB0F818F9300730A7D /* ipsec.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist; path = ipsec.plist; sourceTree = ""; }; + 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = xpc_racoon.c; sourceTree = ""; }; + 723B6A33162F7C1100895EE5 /* ipsec_xpc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ipsec_xpc.h; sourceTree = ""; }; 724F99500E3672FD00C56897 /* com.apple.racoon.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.racoon.plist; sourceTree = ""; }; + 727FA35F163A1A24000A3986 /* ipsec_interface.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ipsec_interface.c; sourceTree = ""; }; + 727FA362163A1A43000A3986 /* ipsec_interface.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ipsec_interface.h; sourceTree = ""; }; + 72F5C72D1607A1AE004C192F /* api_support.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = api_support.c; sourceTree = ""; }; + 72F5C7311607A1DD004C192F /* api_support.h */ = {isa = PBXFileReference; 
lastKnownFileType = sourcecode.c.h; path = api_support.h; sourceTree = ""; }; 8125310A0D3FE9DC006BDF4F /* racoon */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = racoon; sourceTree = BUILT_PRODUCTS_DIR; }; - 812531290D3FEA33006BDF4F /* racoonctl */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = racoonctl; sourceTree = BUILT_PRODUCTS_DIR; }; 812A64EC0D4AA082004CB7EB /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = SDKs/Purple/System/Library/Frameworks/Security.framework; sourceTree = DEVELOPER_DIR; }; + 81657D551457582300B8A054 /* racoon_types.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = racoon_types.h; sourceTree = ""; }; 8176A6B80D45661700BC5251 /* libldap.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libldap.dylib; path = /usr/lib/libldap.dylib; sourceTree = ""; }; 81856B700D6B8BC5001DAE21 /* algorithm_types.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = algorithm_types.h; sourceTree = ""; }; 8187103A0D5BE18800C7B441 /* racoon.conf */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = racoon.conf; path = Sample/Embedded/racoon.conf; sourceTree = ""; }; 
@@ -771,11 +694,14 @@ 81C964580DA2CBEF00257BC8 /* SystemConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SystemConfiguration.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.0.Internal.sdk/System/Library/Frameworks/SystemConfiguration.framework; sourceTree = DEVELOPER_DIR; }; 81C9645D0DA2CC2D00257BC8 /* SystemConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SystemConfiguration.framework; path = /System/Library/Frameworks/SystemConfiguration.framework; sourceTree = ""; }; 81CA08910CE3BC870055C0AF /* vpn.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = vpn.c; sourceTree = ""; }; + 81CBCFE71447A1680000D6E6 /* fsm.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = fsm.h; sourceTree = ""; }; + 81CBCFE81447A1C20000D6E6 /* fsm.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = fsm.c; sourceTree = ""; }; 81DDFDAA0D622C1700C5CB87 /* setkey */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = setkey; sourceTree = BUILT_PRODUCTS_DIR; }; 81DDFDCD0D622C2700C5CB87 /* libipsec.A.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = libipsec.A.dylib; sourceTree = BUILT_PRODUCTS_DIR; }; 81EDB0670B5D8D7000840BC7 /* ipsec_dump_policy.3 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; name = ipsec_dump_policy.3; path = libipsec/ipsec_dump_policy.3; sourceTree = ""; }; 81EDB0680B5D8D8900840BC7 /* ipsec_get_policylen.3 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; name = ipsec_get_policylen.3; path = libipsec/ipsec_get_policylen.3; sourceTree = ""; }; 8D5B16230E5F7E9300E72675 /* libresolv.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = 
libresolv.dylib; path = /usr/lib/libresolv.dylib; sourceTree = ""; }; + BA04622A1562E6E400EF348A /* EAP8021X.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = EAP8021X.framework; path = System/Library/PrivateFrameworks/EAP8021X.framework; sourceTree = SDKROOT; }; BA485FA1109C1ECA00545E19 /* power_mgmt.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = power_mgmt.c; sourceTree = ""; }; BA485FA6109C243900545E19 /* power_mgmt.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = power_mgmt.h; sourceTree = ""; }; BA48611B109C2BBA00545E19 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; }; 
@@ -790,7 +716,23 @@ BA64A933114EFE5C00F3574C /* racoon.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = racoon.sb; sourceTree = ""; }; BA6F10940EA1D67700546773 /* ike_session.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ike_session.h; sourceTree = ""; }; BA6F109A0EA1DEC200546773 /* ike_session.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ike_session.c; sourceTree = ""; }; + BA8BE71615655D360068DEB9 /* eap_sim.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = eap_sim.c; sourceTree = ""; }; + BA8BE71715655D360068DEB9 /* eap_sim.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = eap_sim.h; sourceTree = ""; }; + BA952E77156704DF00B07934 /* eap.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = eap.c; sourceTree = ""; }; + BA952E78156704DF00B07934 /* eap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = eap.h; sourceTree = ""; }; + BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_ike_sa_rfc.c; sourceTree = ""; }; + BAC2E16D146DFD05009D4506 /* ikev2_ike_sa_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_ike_sa_rfc.h; sourceTree = ""; }; + BAC2E16E146DFD05009D4506 /* ikev2_info_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_info_rfc.h; sourceTree = ""; }; + BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_ipsec_sa_rfc.c; sourceTree = ""; }; + BAC2E170146DFD05009D4506 /* ikev2_ipsec_sa_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path 
= ikev2_ipsec_sa_rfc.h; sourceTree = ""; }; + BAC2E172146DFD05009D4506 /* ikev2_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_rfc.c; sourceTree = ""; }; + BAC2E173146DFD06009D4506 /* ikev2_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_rfc.h; sourceTree = ""; }; + BAC2E174146DFD06009D4506 /* ikev2_sessresume_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_sessresume_rfc.h; sourceTree = ""; }; BACBF18B10290AE000BBFC85 /* ipsec.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = ipsec.txt; sourceTree = ""; }; + BACD8C681496A50C0042DEA1 /* Preferences.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = Preferences.c; sourceTree = ""; }; + BACD8C691496A50C0042DEA1 /* Preferences.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Preferences.h; sourceTree = ""; }; + BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_info_rfc.c; sourceTree = ""; }; + BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_sessresume_rfc.c; sourceTree = ""; }; C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; name = AspenSDK.xcconfig; path = AppleInternal/XcodeConfig/AspenSDK.xcconfig; sourceTree = DEVELOPER_DIR; }; /* End PBXFileReference section */ 
@@ -813,10 +755,7 @@ 2537A1C709E49D0600D0ECDA /* libipsec.A.dylib in Frameworks */, 25EAE84809D879700042CC7F /* libssl.dylib in Frameworks */, 25EAE84B09D879DE0042CC7F /* libcrypto.dylib in Frameworks */, - 81C387890D4524F600975D5E /* libgssapi_krb5.dylib in Frameworks */, - 81C3877A0D4524E700975D5E /* libpam.dylib in Frameworks */, 25EAE87709D87A770042CC7F /* libiconv.dylib in Frameworks */, - 8176A6B90D45661700BC5251 /* libldap.dylib in Frameworks */, 81C9645F0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */, BA486225109C2BF500545E19 /* IOKit.framework in Frameworks */, ); @@ -830,18 +769,11 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 25F2580D0987FC3400D15623 /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 2537A1CB09E49D5600D0ECDA /* libipsec.A.dylib in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; 812530F40D3FE9DC006BDF4F /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + BA04622B1562E6E400EF348A /* EAP8021X.framework in Frameworks */, 8D5B167D0E5F7F9F00E72675 /* libresolv.dylib in Frameworks */, 817FFC4E0D6134A7004A8DD8 /* libipsec.A.dylib in Frameworks */, 812530F80D3FE9DC006BDF4F /* libiconv.dylib in Frameworks */, @@ -853,14 +785,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 8125311F0D3FEA33006BDF4F /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 817FFC5A0D613729004A8DD8 /* libipsec.A.dylib in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; 81DDFDA10D622C1700C5CB87 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; @@ -882,6 +806,7 @@ 23D2D78C087071FC00C51098 = { isa = PBXGroup; children = ( + BA04622A1562E6E400EF348A /* EAP8021X.framework */, BA64A933114EFE5C00F3574C /* racoon.sb */, BACBF18B10290AE000BBFC85 /* ipsec.txt */, 72265DDB0F818F9300730A7D /* ipsec.plist */, 
@@ -898,10 +823,8 @@ children = ( 25F258050987FBFA00D15623 /* racoon */, 25F2580A0987FC1500D15623 /* setkey */, - 25F2580F0987FC3400D15623 /* racoonctl */, 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */, 8125310A0D3FE9DC006BDF4F /* racoon */, - 812531290D3FEA33006BDF4F /* racoonctl */, 81DDFDAA0D622C1700C5CB87 /* setkey */, 81DDFDCD0D622C2700C5CB87 /* libipsec.A.dylib */, ); @@ -999,21 +922,10 @@ 25F258000987FB1600D15623 /* racoon */ = { isa = PBXGroup; children = ( - BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */, - BA5B6F360EC1A03C003774E7 /* ipsecConfigTracer.h */, - BA5B6F290EC19F40003774E7 /* ipsecSessionTracer.c */, - BA5B6F370EC1A03C003774E7 /* ipsecSessionTracer.h */, - BA6F109A0EA1DEC200546773 /* ike_session.c */, - BA6F10940EA1D67700546773 /* ike_session.h */, - 25F258AB0988657000D15623 /* admin_var.h */, - 25F258AC0988657000D15623 /* admin.c */, - 25F258AD0988657000D15623 /* admin.h */, 25F258AE0988657000D15623 /* algorithm.c */, 81856B700D6B8BC5001DAE21 /* algorithm_types.h */, 25F258AF0988657000D15623 /* algorithm.h */, 25F258B00988657000D15623 /* arc4random.h */, - 25F258B10988657000D15623 /* backupsa.c */, - 25F258B20988657000D15623 /* backupsa.h */, 25F258B30988657000D15623 /* cfparse_proto.h */, 25F258B40988657000D15623 /* cfparse.y */, 25F258B50988657000D15623 /* cftoken_proto.h */, 
@@ -1024,30 +936,40 @@ 25F258B90988657000D15623 /* crypto_openssl.c */, 25F258BA0988657000D15623 /* crypto_openssl.h */, 25F258BB0988657000D15623 /* debug.h */, - 25F258BC0988657000D15623 /* debugrm.h */, 25F258BD0988657000D15623 /* dhgroup.h */, 25F258BE0988657000D15623 /* dnssec.c */, 25F258BF0988657000D15623 /* dnssec.h */, 25F258C00988657000D15623 /* dump.h */, - 25F258C20988657000D15623 /* evt.c */, - 25F258C30988657000D15623 /* evt.h */, + 81CBCFE81447A1C20000D6E6 /* fsm.c */, + 81CBCFE71447A1680000D6E6 /* fsm.h */, 25F258C40988657000D15623 /* gcmalloc.h */, 25F258C50988657000D15623 /* genlist.c */, 25F258C60988657000D15623 /* genlist.h */, 25F258C70988657000D15623 /* getcertsbyname.c */, - 25F258C80988657000D15623 /* gnuc.h */, 25F258C90988657000D15623 /* grabmyaddr.c */, 25F258CA0988657000D15623 /* grabmyaddr.h */, - 25F258CB0988657000D15623 /* gssapi.c */, - 25F258CC0988657000D15623 /* gssapi.h */, 25F258CD0988657000D15623 /* handler.c */, 25F258CE0988657000D15623 /* handler.h */, + BA6F109A0EA1DEC200546773 /* ike_session.c */, + BA6F10940EA1D67700546773 /* ike_session.h */, + BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */, + BAC2E16D146DFD05009D4506 /* ikev2_ike_sa_rfc.h */, + BAC2E16E146DFD05009D4506 /* ikev2_info_rfc.h */, + BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */, + BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */, + BAC2E170146DFD05009D4506 /* ikev2_ipsec_sa_rfc.h */, + BAC2E172146DFD05009D4506 /* ikev2_rfc.c */, + BAC2E173146DFD06009D4506 /* ikev2_rfc.h */, + BAC2E174146DFD06009D4506 /* ikev2_sessresume_rfc.h */, + BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */, 25F258CF0988657000D15623 /* ipsec_doi.c */, 25F258D00988657000D15623 /* ipsec_doi.h */, + BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */, + BA5B6F360EC1A03C003774E7 /* ipsecConfigTracer.h */, + BA5B6F290EC19F40003774E7 /* ipsecSessionTracer.c */, + BA5B6F370EC1A03C003774E7 /* ipsecSessionTracer.h */, 25F258D10988657000D15623 /* isakmp_agg.c */, 
25F258D20988657000D15623 /* isakmp_agg.h */, - 25F258D30988657000D15623 /* isakmp_base.c */, - 25F258D40988657000D15623 /* isakmp_base.h */, 25F258D50988657000D15623 /* isakmp_cfg.c */, 25F258D60988657000D15623 /* isakmp_cfg.h */, 25F258D70988657000D15623 /* isakmp_frag.c */, @@ -1056,8 +978,6 @@ 25F258DA0988657000D15623 /* isakmp_ident.h */, 25F258DB0988657000D15623 /* isakmp_inf.c */, 25F258DC0988657000D15623 /* isakmp_inf.h */, - 25F258DD0988657000D15623 /* isakmp_newg.c */, - 25F258DE0988657000D15623 /* isakmp_newg.h */, 25F258DF0988657000D15623 /* isakmp_quick.c */, 25F258E00988657000D15623 /* isakmp_quick.h */, 25F258E10988657000D15623 /* isakmp_unity.c */, @@ -1070,8 +990,6 @@ 25F258E80988657000D15623 /* kmpstat.c */, 25F258E90988657000D15623 /* localconf.c */, 25F258EA0988657000D15623 /* localconf.h */, - 25F258EB0988657000D15623 /* logger.c */, - 25F258EC0988657000D15623 /* logger.h */, 25F258ED0988657000D15623 /* main.c */, 25F258EE0988657000D15623 /* misc.c */, 25F258EF0988657000D15623 /* misc.h */, @@ -1090,15 +1008,13 @@ 25F259000988657000D15623 /* policy.h */, BA485FA1109C1ECA00545E19 /* power_mgmt.c */, BA485FA6109C243900545E19 /* power_mgmt.h */, - 25F259010988657000D15623 /* privsep.c */, - 25F259020988657000D15623 /* privsep.h */, + BACD8C681496A50C0042DEA1 /* Preferences.c */, + BACD8C691496A50C0042DEA1 /* Preferences.h */, 25F259030988657000D15623 /* proposal.c */, 25F259040988657000D15623 /* proposal.h */, 25F259090988657000D15623 /* racoon.8 */, 25F2590A0988657000D15623 /* racoon.conf.5 */, - 25F2590B0988657000D15623 /* racoonctl.8 */, - 25F2590C0988657000D15623 /* racoonctl.c */, - 25F2590D0988657000D15623 /* racoonctl.h */, + 81657D551457582300B8A054 /* racoon_types.h */, 25F2590E0988657000D15623 /* remoteconf.c */, 25F2590F0988657000D15623 /* remoteconf.h */, 25F259120988657000D15623 /* safefile.c */, 
@@ -1127,10 +1043,19 @@ 25DE2DE60A8BD40E0010A46D /* vpn_control.c */, 25DE2DE70A8BD40E0010A46D /* vpn_control.h */, 81CA08910CE3BC870055C0AF /* vpn.c */, + BA8BE71615655D360068DEB9 /* eap_sim.c */, + 72171DAE166443AB0050B3B9 /* eap_aka.c */, + BA8BE71715655D360068DEB9 /* eap_sim.h */, + BA952E77156704DF00B07934 /* eap.c */, + BA952E78156704DF00B07934 /* eap.h */, BA5B6F4F0EC1A136003774E7 /* vpn.h */, + 727FA35F163A1A24000A3986 /* ipsec_interface.c */, + 727FA362163A1A43000A3986 /* ipsec_interface.h */, + 72F5C72D1607A1AE004C192F /* api_support.c */, + 72F5C7311607A1DD004C192F /* api_support.h */, + 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */, + 723B6A33162F7C1100895EE5 /* ipsec_xpc.h */, 818710380D5BE15400C7B441 /* Sample */, - 25F2584D098861F500D15623 /* Documents */, - 25F2584C098861ED00D15623 /* Crypto */, ); path = racoon; sourceTree = ""; @@ -1145,31 +1070,6 @@ path = Sample; sourceTree = ""; }; - 25F2584C098861ED00D15623 /* Crypto */ = { - isa = PBXGroup; - children = ( - 25F2589F0988651000D15623 /* boxes-fst.dat */, - 25F258A00988651000D15623 /* rijndael_local.h */, - 25F258A10988651000D15623 /* rijndael-alg-fst.c */, - 25F258A20988651000D15623 /* rijndael-alg-fst.h */, - 25F258A30988651000D15623 /* rijndael-api-fst.c */, - 25F258A40988651000D15623 /* rijndael-api-fst.h */, - 25F258A50988651000D15623 /* rijndael.h */, - ); - path = Crypto; - sourceTree = ""; - }; - 25F2584D098861F500D15623 /* Documents */ = { - isa = PBXGroup; - children = ( - 25F2589B098864F500D15623 /* FAQ */, - 25F2589C098864F500D15623 /* README.certificate */, - 25F2589D098864F500D15623 /* README.gssapi */, - 25F2589E098864F500D15623 /* TODO */, - ); - path = Documents; - sourceTree = ""; - }; 818710380D5BE15400C7B441 /* Sample */ = { isa = PBXGroup; children = ( @@ -1248,7 +1148,6 @@ buildRules = ( ); dependencies = ( - 2537A1C909E49D1400D0ECDA /* PBXTargetDependency */, ); name = racoon; productName = racoon; 
@@ -1267,32 +1166,12 @@ buildRules = ( ); dependencies = ( - 2537A1C309E494D300D0ECDA /* PBXTargetDependency */, ); name = setkey; productName = setkey; productReference = 25F2580A0987FC1500D15623 /* setkey */; productType = "com.apple.product-type.tool"; }; - 25F2580E0987FC3400D15623 /* racoonctl */ = { - isa = PBXNativeTarget; - buildConfigurationList = 25D3DAC4098952B20025F703 /* Build configuration list for PBXNativeTarget "racoonctl" */; - buildPhases = ( - 25F2580C0987FC3400D15623 /* Sources */, - 25F2580D0987FC3400D15623 /* Frameworks */, - 258CF2D50A191A6E00166B38 /* CopyFiles */, - 258CF31E0A19432A00166B38 /* ShellScript */, - ); - buildRules = ( - ); - dependencies = ( - 2537A1CD09E49D5C00D0ECDA /* PBXTargetDependency */, - ); - name = racoonctl; - productName = racoonctl; - productReference = 25F2580F0987FC3400D15623 /* racoonctl */; - productType = "com.apple.product-type.tool"; - }; 812530BA0D3FE9DC006BDF4F /* racoon Embedded */ = { isa = PBXNativeTarget; buildConfigurationList = 812531050D3FE9DC006BDF4F /* Build configuration list for PBXNativeTarget "racoon Embedded" */; 
@@ -1318,24 +1197,6 @@ productReference = 8125310A0D3FE9DC006BDF4F /* racoon */; productType = "com.apple.product-type.tool"; }; - 812531120D3FEA33006BDF4F /* racoonctl Embedded */ = { - isa = PBXNativeTarget; - buildConfigurationList = 812531240D3FEA33006BDF4F /* Build configuration list for PBXNativeTarget "racoonctl Embedded" */; - buildPhases = ( - 812531150D3FEA33006BDF4F /* Sources */, - 8125311F0D3FEA33006BDF4F /* Frameworks */, - 812531210D3FEA33006BDF4F /* CopyFiles */, - 812531230D3FEA33006BDF4F /* ShellScript */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = "racoonctl Embedded"; - productName = racoonctl; - productReference = 812531290D3FEA33006BDF4F /* racoonctl */; - productType = "com.apple.product-type.tool"; - }; 81DDFD970D622C1700C5CB87 /* setkey Embedded */ = { isa = PBXNativeTarget; buildConfigurationList = 81DDFDA60D622C1700C5CB87 /* Build configuration list for PBXNativeTarget "setkey Embedded" */; @@ -1379,8 +1240,11 @@ /* Begin PBXProject section */ 23D2D790087071FC00C51098 /* Project object */ = { isa = PBXProject; + attributes = { + LastUpgradeCheck = 0430; + }; buildConfigurationList = 25D3DACC098952B20025F703 /* Build configuration list for PBXProject "ipsec" */; - compatibilityVersion = "Xcode 3.0"; + compatibilityVersion = "Xcode 3.2"; developmentRegion = English; hasScannedForEncodings = 0; knownRegions = ( 
@@ -1395,15 +1259,13 @@ projectRoot = ""; targets = ( 23B20D2F0871D62A00A3B0FC /* IPSec (Aggregate) */, - 815C35E61525201900502220 /* Project_base */, - 815C35EB1525203F00502220 /* Project_executables */, + 72B3C2081684F5C4004E4548 /* ipsec_executables */, + 72B3C21116850B87004E4548 /* ipsec_libraries */, 25F258040987FBFA00D15623 /* racoon */, - 25F2580E0987FC3400D15623 /* racoonctl */, 25F258090987FC1500D15623 /* setkey */, 2537A1A709E4864800D0ECDA /* libipsec */, 812530AA0D3FE994006BDF4F /* IPSec Embedded (Aggregate) */, 812530BA0D3FE9DC006BDF4F /* racoon Embedded */, - 812531120D3FEA33006BDF4F /* racoonctl Embedded */, 81DDFD970D622C1700C5CB87 /* setkey Embedded */, 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */, ); @@ -1424,19 +1286,6 @@ shellPath = /bin/sh; shellScript = "/bin/chmod 600 $DSTROOT/private/etc/racoon/psk.txt\n/bin/chmod 644 $DSTROOT/private/etc/racoon/racoon.conf\n/bin/chmod 600 $DSTROOT/private/etc/racoon/remote/anonymous.conf\n/bin/chmod 444 $DSTROOT/usr/share/man/man5/racoon.conf.5\n/bin/chmod 444 $DSTROOT/usr/share/man/man8/racoon.8\n"; }; - 258CF31E0A19432A00166B38 /* ShellScript */ = { - isa = PBXShellScriptBuildPhase; - buildActionMask = 8; - files = ( - ); - inputPaths = ( - ); - outputPaths = ( - ); - runOnlyForDeploymentPostprocessing = 1; - shellPath = /bin/sh; - shellScript = "/bin/chmod 444 $DSTROOT/usr/share/man/man8/racoonctl.8"; - }; 258CF3200A19435B00166B38 /* ShellScript */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 8; 
@@ -1476,19 +1325,6 @@ shellPath = /bin/sh; shellScript = "/bin/chmod 600 $DSTROOT/private/etc/racoon/psk.txt\n/bin/chmod 644 $DSTROOT/private/etc/racoon/racoon.conf\n/bin/chmod 600 $DSTROOT/private/etc/racoon/remote/anonymous.conf\n/bin/chmod 444 $DSTROOT/usr/share/man/man5/racoon.conf.5\n/bin/chmod 444 $DSTROOT/usr/share/man/man8/racoon.8\n"; }; - 812531230D3FEA33006BDF4F /* ShellScript */ = { - isa = PBXShellScriptBuildPhase; - buildActionMask = 8; - files = ( - ); - inputPaths = ( - ); - outputPaths = ( - ); - runOnlyForDeploymentPostprocessing = 1; - shellPath = /bin/sh; - shellScript = "/bin/chmod 444 $DSTROOT/usr/share/man/man8/racoonctl.8"; - }; 81DDFDA50D622C1700C5CB87 /* ShellScript */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 8; 
@@ -1534,31 +1370,24 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - 25F259280988657000D15623 /* admin.c in Sources */, 25F259290988657000D15623 /* algorithm.c in Sources */, - 25F2592A0988657000D15623 /* backupsa.c in Sources */, 25F2592B0988657000D15623 /* cfparse.y in Sources */, 25F2592C0988657000D15623 /* cftoken.l in Sources */, 81C386AA0D451EC300975D5E /* crypto_cssm.c in Sources */, 25F2592E0988657000D15623 /* crypto_openssl.c in Sources */, 25F2592F0988657000D15623 /* dnssec.c in Sources */, - 25F259310988657000D15623 /* evt.c in Sources */, 25F259320988657000D15623 /* genlist.c in Sources */, 25F259330988657000D15623 /* getcertsbyname.c in Sources */, 25F259340988657000D15623 /* grabmyaddr.c in Sources */, - 25F259350988657000D15623 /* gssapi.c in Sources */, 25F259360988657000D15623 /* handler.c in Sources */, 25F259370988657000D15623 /* ipsec_doi.c in Sources */, 25F259380988657000D15623 /* isakmp_agg.c in Sources */, - 25F259390988657000D15623 /* isakmp_base.c in Sources */, BA7777A11107EBCE00DD87E1 /* isakmp_frag.c in Sources */, 25F2593C0988657000D15623 /* isakmp_ident.c in Sources */, 25F2593D0988657000D15623 /* isakmp_inf.c in Sources */, - 25F2593E0988657000D15623 /* isakmp_newg.c in Sources */, 25F2593F0988657000D15623 /* isakmp_quick.c in Sources */, 25F259420988657000D15623 /* isakmp.c in Sources */, 25F259440988657000D15623 /* localconf.c in Sources */, - 25F259450988657000D15623 /* logger.c in Sources */, 25F259460988657000D15623 /* main.c in Sources */, 25F259470988657000D15623 /* misc.c in Sources */, 25F259490988657000D15623 /* oakley.c in Sources */, 
@@ -1566,7 +1395,6 @@ 25F2594C0988657000D15623 /* pfkey_racoon.c in Sources */, 25F2594F0988657000D15623 /* plog.c in Sources */, 25F259500988657000D15623 /* policy.c in Sources */, - 25F259510988657000D15623 /* privsep.c in Sources */, 25F259520988657000D15623 /* proposal.c in Sources */, 25F259580988657000D15623 /* remoteconf.c in Sources */, 25F2595A0988657000D15623 /* safefile.c in Sources */, @@ -1590,6 +1418,16 @@ BA5B6F2A0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */, BA5B6F2B0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */, BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */, + 81CBCFE91447A1C20000D6E6 /* fsm.c in Sources */, + BAC2E175146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */, + BAC2E177146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */, + BAC2E179146DFD06009D4506 /* ikev2_rfc.c in Sources */, + BACF4E5F146F909E008F04FC /* ikev2_info_rfc.c in Sources */, + BACF4E631470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */, + BACD8C6A1496A50C0042DEA1 /* Preferences.c in Sources */, + 72F5C72E1607A1AE004C192F /* api_support.c in Sources */, + 723B6A30162F7BE300895EE5 /* xpc_racoon.c in Sources */, + 727FA360163A1A25000A3986 /* ipsec_interface.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
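Review bot: The `-1566` hunk drops `privsep.c in Sources` from the racoon target while the `-1590` hunk on the same line adds `xpc_racoon.c` and `api_support.c`, so the daemon loses its in-tree privilege-separation unit and gains a new local IPC entry point in the same commit, with nothing in these hunks showing a replacement. racoon parses untrusted IKE traffic, so whether it still drops privileges after startup or now relies solely on the `racoon.sb` profile that this project still references should be confirmed against the main.c and xpc_racoon.c changes, which are outside this hunk. If the sandbox profile is intended to be the only boundary, a one-line note at the top of xpc_racoon.c such as `/* privsep.c removed: racoon runs under racoon.sb; XPC peers are authorized here */` would answer the question for the next reviewer. The enclosing PBXSourcesBuildPhase files list starts outside the hunk.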
@@ -1607,58 +1445,35 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 25F2580C0987FC3400D15623 /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 2543473209DCAE27007943DE /* racoonctl.c in Sources */, - 2543474E09DCAEF8007943DE /* str2val.c in Sources */, - 2543475109DCB063007943DE /* kmpstat.c in Sources */, - 2543475509DCB0D9007943DE /* vmbuf.c in Sources */, - 2543475609DCB0DB007943DE /* sockmisc.c in Sources */, - 2543475709DCB0E6007943DE /* misc.c in Sources */, - 2543476409DCB396007943DE /* pfkey_dump.c in Sources */, - 2543476709DCB400007943DE /* key_debug.c in Sources */, - 2543476909DCB420007943DE /* pfkey.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; 812530BF0D3FE9DC006BDF4F /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - 812530C20D3FE9DC006BDF4F /* admin.c in Sources */, + 8141336B149015E900028D76 /* fsm.c in Sources */, 812530C30D3FE9DC006BDF4F /* algorithm.c in Sources */, - 812530C40D3FE9DC006BDF4F /* backupsa.c in Sources */, 812530C50D3FE9DC006BDF4F /* cfparse.y in Sources */, 812530C60D3FE9DC006BDF4F /* cftoken.l in Sources */, 81C325A80D46A36900E65EB7 /* crypto_cssm.c in Sources */, 812530C70D3FE9DC006BDF4F /* crypto_openssl.c in Sources */, 812530C80D3FE9DC006BDF4F /* dnssec.c in Sources */, - 812530C90D3FE9DC006BDF4F /* evt.c in Sources */, 812530CA0D3FE9DC006BDF4F /* genlist.c in Sources */, 812530CB0D3FE9DC006BDF4F /* getcertsbyname.c in Sources */, 812530CC0D3FE9DC006BDF4F /* grabmyaddr.c in Sources */, - 812530CD0D3FE9DC006BDF4F /* gssapi.c in Sources */, 812530CE0D3FE9DC006BDF4F /* handler.c in Sources */, 812530CF0D3FE9DC006BDF4F /* ipsec_doi.c in Sources */, 812530D00D3FE9DC006BDF4F /* isakmp_agg.c in Sources */, - 812530D10D3FE9DC006BDF4F /* isakmp_base.c in Sources */, BA7777A21107EBF600DD87E1 /* isakmp_frag.c in Sources */, 812530D20D3FE9DC006BDF4F /* isakmp_ident.c in Sources */, 812530D30D3FE9DC006BDF4F /* isakmp_inf.c in 
Sources */, - 812530D40D3FE9DC006BDF4F /* isakmp_newg.c in Sources */, 812530D50D3FE9DC006BDF4F /* isakmp_quick.c in Sources */, 812530D60D3FE9DC006BDF4F /* isakmp.c in Sources */, 812530D70D3FE9DC006BDF4F /* localconf.c in Sources */, - 812530D80D3FE9DC006BDF4F /* logger.c in Sources */, 812530D90D3FE9DC006BDF4F /* main.c in Sources */, 812530DA0D3FE9DC006BDF4F /* misc.c in Sources */, 812530DB0D3FE9DC006BDF4F /* oakley.c in Sources */, 812530DC0D3FE9DC006BDF4F /* pfkey_racoon.c in Sources */, 812530DD0D3FE9DC006BDF4F /* plog.c in Sources */, 812530DE0D3FE9DC006BDF4F /* policy.c in Sources */, - 812530DF0D3FE9DC006BDF4F /* privsep.c in Sources */, 812530E00D3FE9DC006BDF4F /* proposal.c in Sources */, 812530E10D3FE9DC006BDF4F /* remoteconf.c in Sources */, 812530E20D3FE9DC006BDF4F /* safefile.c in Sources */, 
@@ -1682,22 +1497,18 @@ BA5B6F2C0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */, BA5B6F2D0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */, BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 812531150D3FEA33006BDF4F /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 812531160D3FEA33006BDF4F /* racoonctl.c in Sources */, - 812531170D3FEA33006BDF4F /* str2val.c in Sources */, - 812531180D3FEA33006BDF4F /* kmpstat.c in Sources */, - 812531190D3FEA33006BDF4F /* vmbuf.c in Sources */, - 8125311A0D3FEA33006BDF4F /* sockmisc.c in Sources */, - 8125311B0D3FEA33006BDF4F /* misc.c in Sources */, - 8125311C0D3FEA33006BDF4F /* pfkey_dump.c in Sources */, - 8125311D0D3FEA33006BDF4F /* key_debug.c in Sources */, - 8125311E0D3FEA33006BDF4F /* pfkey.c in Sources */, + BAC2E176146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */, + BAC2E178146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */, + BAC2E17A146DFD06009D4506 /* ikev2_rfc.c in Sources */, + BACF4E60146F909E008F04FC /* ikev2_info_rfc.c in Sources */, + BACF4E641470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */, + BACD8C6B1496A50C0042DEA1 /* Preferences.c in Sources */, + BA8BE71815655D360068DEB9 /* eap_sim.c in Sources */, + BA952E79156704DF00B07934 /* eap.c in Sources */, + 72F5C72F1607A1AE004C192F /* api_support.c in Sources */, + 723B6A31162F7BE300895EE5 /* xpc_racoon.c in Sources */, + 727FA361163A1A25000A3986 /* ipsec_interface.c in Sources */, + 72171DAF166443AB0050B3B9 /* eap_aka.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -1730,60 +1541,35 @@ /* End PBXSourcesBuildPhase section */ /* Begin PBXTargetDependency section */ - 2537A1C309E494D300D0ECDA /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 2537A1A709E4864800D0ECDA /* libipsec */; - targetProxy = 2537A1C209E494D300D0ECDA /* PBXContainerItemProxy */; - }; - 2537A1C909E49D1400D0ECDA /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 2537A1A709E4864800D0ECDA /* libipsec */; - targetProxy = 2537A1C809E49D1400D0ECDA /* PBXContainerItemProxy */; - }; - 2537A1CD09E49D5C00D0ECDA /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 2537A1A709E4864800D0ECDA /* libipsec */; - targetProxy = 2537A1CC09E49D5C00D0ECDA /* PBXContainerItemProxy */; - }; - 812531110D3FEA28006BDF4F /* PBXTargetDependency */ = { + 724ED876168515A7008F2EBD /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 812530BA0D3FE9DC006BDF4F /* racoon Embedded */; - targetProxy = 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */; - }; - 8125312C0D3FEA44006BDF4F /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 812531120D3FEA33006BDF4F /* racoonctl Embedded */; - targetProxy = 8125312B0D3FEA44006BDF4F /* PBXContainerItemProxy */; + target = 72B3C21116850B87004E4548 /* ipsec_libraries */; + targetProxy = 724ED875168515A7008F2EBD /* PBXContainerItemProxy */; }; - 815C35F11525208900502220 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 2537A1A709E4864800D0ECDA /* libipsec */; - targetProxy = 815C35F01525208900502220 /* PBXContainerItemProxy */; - }; - 815C35F31525209000502220 /* PBXTargetDependency */ = { + 72B3C20E1684F5DE004E4548 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 25F258040987FBFA00D15623 /* racoon */; - targetProxy = 815C35F21525209000502220 /* PBXContainerItemProxy */; + targetProxy = 72B3C20D1684F5DE004E4548 /* PBXContainerItemProxy */; }; - 815C35F51525209400502220 /* PBXTargetDependency */ = { + 72B3C2101684F5E1004E4548 /* 
PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 25F2580E0987FC3400D15623 /* racoonctl */; - targetProxy = 815C35F41525209400502220 /* PBXContainerItemProxy */; + target = 25F258090987FC1500D15623 /* setkey */; + targetProxy = 72B3C20F1684F5E1004E4548 /* PBXContainerItemProxy */; }; - 815C35F71525209800502220 /* PBXTargetDependency */ = { + 72B3C21716850BA0004E4548 /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 25F258090987FC1500D15623 /* setkey */; - targetProxy = 815C35F61525209800502220 /* PBXContainerItemProxy */; + target = 2537A1A709E4864800D0ECDA /* libipsec */; + targetProxy = 72B3C21616850BA0004E4548 /* PBXContainerItemProxy */; }; - 815C35F9152520BC00502220 /* PBXTargetDependency */ = { + 72B3C21916850CC5004E4548 /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 815C35E61525201900502220 /* Project_base */; - targetProxy = 815C35F8152520BC00502220 /* PBXContainerItemProxy */; + target = 72B3C2081684F5C4004E4548 /* ipsec_executables */; + targetProxy = 72B3C21816850CC5004E4548 /* PBXContainerItemProxy */; }; - 815C35FB152520C000502220 /* PBXTargetDependency */ = { + 812531110D3FEA28006BDF4F /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 815C35EB1525203F00502220 /* Project_executables */; - targetProxy = 815C35FA152520C000502220 /* PBXContainerItemProxy */; + target = 812530BA0D3FE9DC006BDF4F /* racoon Embedded */; + targetProxy = 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */; }; 81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */ = { isa = PBXTargetDependency; @@ -1820,7 +1606,6 @@ DYLIB_CURRENT_VERSION = 300; EXECUTABLE_PREFIX = lib; GCC_DYNAMIC_NO_PIC = NO; - GCC_ENABLE_FIX_AND_CONTINUE = YES; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_OPTIMIZATION_LEVEL = 0; 
@@ -1837,7 +1622,6 @@ INSTALL_OWNER = root; INSTALL_PATH = /usr/lib; LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; - PREBINDING = NO; PRODUCT_NAME = ipsec.A; SKIP_INSTALL = YES; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; @@ -1856,7 +1640,6 @@ CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; EXECUTABLE_PREFIX = lib; - GCC_ENABLE_FIX_AND_CONTINUE = NO; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( @@ -1872,7 +1655,6 @@ INSTALL_OWNER = root; INSTALL_PATH = /usr/lib; LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; - PREBINDING = NO; PRODUCT_NAME = ipsec.A; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; @@ -1890,7 +1672,6 @@ CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; EXECUTABLE_PREFIX = lib; - GCC_ENABLE_FIX_AND_CONTINUE = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( "HAVE_CONFIG_H=1", @@ -1905,7 +1686,6 @@ INSTALL_OWNER = root; INSTALL_PATH = /usr/lib; LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; - PREBINDING = NO; PRODUCT_NAME = ipsec.A; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; 
@@ -1915,58 +1695,48 @@ 25D3DAB9098952B20025F703 /* Development */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = ""; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; + HEADER_SEARCH_PATHS = "$(HEADER_SEARCH_PATHS)"; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; PRODUCT_NAME = "IPSec (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; - WARNING_CFLAGS = ( - "-Wmost", - "-Wno-four-char-constants", - "-Wno-unknown-pragmas", - ); + WARNING_CFLAGS = ""; }; name = Development; }; 25D3DABA098952B20025F703 /* Deployment */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = ""; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; + HEADER_SEARCH_PATHS = "$(HEADER_SEARCH_PATHS)"; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; PRODUCT_NAME = "IPSec (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; - WARNING_CFLAGS = ( - "-Wmost", - "-Wno-four-char-constants", - "-Wno-unknown-pragmas", - ); + WARNING_CFLAGS = ""; }; name = Deployment; }; 25D3DABB098952B20025F703 /* Default */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = ""; - "ARCHS[arch=*]" = ""; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; + HEADER_SEARCH_PATHS = "$(HEADER_SEARCH_PATHS)"; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; PRODUCT_NAME = "IPSec (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; - WARNING_CFLAGS = ( - "-Wmost", - "-Wno-four-char-constants", - "-Wno-unknown-pragmas", - ); + WARNING_CFLAGS = ""; }; name = Default; }; @@ -1978,6 +1748,7 @@ ALTERNATE_OWNER = "$(inherited)"; ARCHS = "$(ARCHS_STANDARD_64_BIT)"; COPY_PHASE_STRIP = NO; + FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_OPTIMIZATION_LEVEL = 0; @@ -1991,6 +1762,7 @@ ../Common, Crypto, /tmp/ipsec.dst/usr/include, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; 
@@ -2008,7 +1780,6 @@ OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)"; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; @@ -2016,6 +1787,8 @@ "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", + "-Wimplicit-function-declaration", ); YACCFLAGS = "$(YACCFLAGS) -d"; YACC_GENERATE_DEBUGGING_DIRECTIVES = NO; @@ -2031,6 +1804,7 @@ ARCHS = "$(ARCHS_STANDARD_64_BIT)"; COPY_PHASE_STRIP = NO; DSTROOT = "/tmp/$(PROJECT_NAME).dst"; + FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PRECOMPILE_PREFIX_HEADER = YES; @@ -2043,6 +1817,7 @@ ../Common, Crypto, /tmp/ipsec.dst/usr/include, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2059,13 +1834,14 @@ OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)"; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", + "-Wimplicit-function-declaration", ); YACCFLAGS = "$(YACCFLAGS) -d"; }; @@ -2080,6 +1856,7 @@ ARCHS = "$(ARCHS_STANDARD_64_BIT)"; COPY_PHASE_STRIP = NO; DSTROOT = "/tmp/$(PROJECT_NAME).dst"; + FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PRECOMPILE_PREFIX_HEADER = YES; @@ -2092,6 +1869,7 @@ ../Common, Crypto, /tmp/ipsec.dst/usr/include, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2108,13 +1886,14 @@ OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)"; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", + "-Wimplicit-function-declaration", ); YACCFLAGS = "$(YACCFLAGS) -d"; }; 
@@ -2123,7 +1902,6 @@ 25D3DAC1098952B20025F703 /* Development */ = { isa = XCBuildConfiguration; buildSettings = { - ALTERNATE_PERMISSIONS_FILES = ""; ARCHS = "$(ARCHS_STANDARD_64_BIT)"; COPY_PHASE_STRIP = NO; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; @@ -2135,6 +1913,7 @@ HEADER_SEARCH_PATHS = ( "$(DSTROOT)/usr/include", ../Common, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2145,7 +1924,6 @@ OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRELINK_LIBS = ""; PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; @@ -2162,7 +1940,6 @@ 25D3DAC2098952B20025F703 /* Deployment */ = { isa = XCBuildConfiguration; buildSettings = { - ALTERNATE_PERMISSIONS_FILES = ""; ARCHS = "$(ARCHS_STANDARD_64_BIT)"; COPY_PHASE_STRIP = YES; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; @@ -2174,6 +1951,7 @@ HEADER_SEARCH_PATHS = ( "$(DSTROOT)/usr/include", ../Common, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2184,7 +1962,6 @@ OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRELINK_LIBS = ""; PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; @@ -2201,7 +1978,6 @@ 25D3DAC3098952B20025F703 /* Default */ = { isa = XCBuildConfiguration; buildSettings = { - ALTERNATE_PERMISSIONS_FILES = ""; ARCHS = "$(ARCHS_STANDARD_64_BIT)"; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; @@ -2212,6 +1988,7 @@ HEADER_SEARCH_PATHS = ( "$(DSTROOT)/usr/include", ../Common, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2222,7 +1999,6 @@ OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRELINK_LIBS = ""; PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; 
@@ -2235,152 +2011,102 @@ }; name = Default; }; - 25D3DAC5098952B20025F703 /* Development */ = { + 25D3DACD098952B20025F703 /* Development */ = { isa = XCBuildConfiguration; buildSettings = { - ALTERNATE_GROUP = "$(inherited)"; - ALTERNATE_MODE = "$(inherited)"; - ALTERNATE_OWNER = "$(inherited)"; - ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; - COPY_PHASE_STRIP = NO; - GCC_GENERATE_DEBUGGING_SYMBOLS = NO; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(GCC_PREPROCESSOR_DEFINITIONS)", - ); HEADER_SEARCH_PATHS = ( - "$(DSTROOT)/usr/include", - "$(inherited)", - ); - INSTALL_GROUP = wheel; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = root; - INSTALL_PATH = /usr/sbin; - OTHER_CFLAGS = "-DADMINPORTDIR=\\\"/var/run\\\""; - OTHER_LDFLAGS = ""; - OTHER_REZFLAGS = ""; - PREBINDING = NO; - PRODUCT_NAME = racoonctl; - SECTORDER_FLAGS = ""; - SKIP_INSTALL = YES; - WARNING_CFLAGS = ( - "-Wmost", - "-Wno-four-char-constants", - "-Wno-unknown-pragmas", + /System/Library/Frameworks/System.framework/PrivateHeaders, + /System/Library/PrivateFrameworks, + /System/Library/PrivateFrameworks/SecureNetworking.framework/Headers, ); + PRODUCT_NAME = "$(TARGET_NAME)"; }; name = Development; }; - 25D3DAC6098952B20025F703 /* Deployment */ = { + 25D3DACE098952B20025F703 /* Deployment */ = { isa = XCBuildConfiguration; buildSettings = { - ALTERNATE_GROUP = "$(inherited)"; - ALTERNATE_MODE = "$(inherited)"; - ALTERNATE_OWNER = "$(inherited)"; - ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; - COPY_PHASE_STRIP = YES; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(GCC_PREPROCESSOR_DEFINITIONS)", - ); HEADER_SEARCH_PATHS = ( - "$(DSTROOT)/usr/include", - "$(inherited)", - ); - INSTALL_GROUP = wheel; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = root; - INSTALL_PATH = /usr/sbin; - OTHER_CFLAGS = "-DADMINPORTDIR=\\\"/var/run\\\""; - OTHER_LDFLAGS = ""; - OTHER_REZFLAGS = ""; - PREBINDING = NO; - 
PRODUCT_NAME = racoonctl; - SECTORDER_FLAGS = ""; - STRIP_INSTALLED_PRODUCT = YES; - WARNING_CFLAGS = ( - "-Wmost", - "-Wno-four-char-constants", - "-Wno-unknown-pragmas", + /System/Library/Frameworks/System.framework/PrivateHeaders, + /System/Library/PrivateFrameworks, + /System/Library/PrivateFrameworks/SecureNetworking.framework/Headers, ); + PRODUCT_NAME = "$(TARGET_NAME)"; }; name = Deployment; }; - 25D3DAC7098952B20025F703 /* Default */ = { + 25D3DACF098952B20025F703 /* Default */ = { isa = XCBuildConfiguration; buildSettings = { - ALTERNATE_GROUP = "$(inherited)"; - ALTERNATE_MODE = "$(inherited)"; - ALTERNATE_OWNER = "$(inherited)"; - ARCHS = "$(ARCHS_STANDARD_64_BIT)"; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(GCC_PREPROCESSOR_DEFINITIONS)", - ); HEADER_SEARCH_PATHS = ( - "$(DSTROOT)/usr/include", - "$(inherited)", - ); - INSTALL_GROUP = wheel; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = root; - INSTALL_PATH = /usr/sbin; - OTHER_CFLAGS = "-DADMINPORTDIR=\\\"/var/run\\\""; - OTHER_LDFLAGS = ""; - OTHER_REZFLAGS = ""; - PREBINDING = NO; - PRODUCT_NAME = racoonctl; - SECTORDER_FLAGS = ""; - STRIP_INSTALLED_PRODUCT = YES; - WARNING_CFLAGS = ( - "-Wmost", - "-Wno-four-char-constants", - "-Wno-unknown-pragmas", + /System/Library/Frameworks/System.framework/PrivateHeaders, + /System/Library/PrivateFrameworks, + /System/Library/PrivateFrameworks/SecureNetworking.framework/Headers, ); + PRODUCT_NAME = "$(TARGET_NAME)"; }; name = Default; }; - 25D3DACD098952B20025F703 /* Development */ = { + 72B3C2091684F5C4004E4548 /* Development */ = { isa = XCBuildConfiguration; - baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { - ADDITIONAL_SDKS = ""; - ARCHS = "$(ARCHS_STANDARD_32_BIT)"; + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; + PRODUCT_NAME = "$(TARGET_NAME)"; }; name = Development; }; - 25D3DACE098952B20025F703 /* Deployment */ = { + 
72B3C20A1684F5C4004E4548 /* Deployment */ = { isa = XCBuildConfiguration; - baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { - ADDITIONAL_SDKS = ""; - ARCHS = "$(ARCHS_STANDARD_32_BIT)"; + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; + PRODUCT_NAME = "$(TARGET_NAME)"; }; name = Deployment; }; - 25D3DACF098952B20025F703 /* Default */ = { + 72B3C20B1684F5C4004E4548 /* Default */ = { isa = XCBuildConfiguration; - baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { - ADDITIONAL_SDKS = ""; - ARCHS = "$(ARCHS_STANDARD_32_BIT)"; + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Default; + }; + 72B3C21316850B87004E4548 /* Development */ = { + isa = XCBuildConfiguration; + buildSettings = { + ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Development; + }; + 72B3C21416850B87004E4548 /* Deployment */ = { + isa = XCBuildConfiguration; + buildSettings = { + ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Deployment; + }; + 72B3C21516850B87004E4548 /* Default */ = { + isa = XCBuildConfiguration; + buildSettings = { + ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; + PRODUCT_NAME = "$(TARGET_NAME)"; }; name = Default; }; 812530B60D3FE994006BDF4F /* Development */ = { isa = XCBuildConfiguration; + baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ADDITIONAL_SDKS = ""; ARCHS = ( + armv6, armv7, - armv7s, ); COPY_PHASE_STRIP = NO; + FRAMEWORK_SEARCH_PATHS = ""; + HEADER_SEARCH_PATHS = "$(HEADER_SEARCH_PATHS)"; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; 
@@ -2397,13 +2123,16 @@ }; 812530B70D3FE994006BDF4F /* Deployment */ = { isa = XCBuildConfiguration; + baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ADDITIONAL_SDKS = ""; ARCHS = ( + armv6, armv7, - armv7s, ); COPY_PHASE_STRIP = NO; + FRAMEWORK_SEARCH_PATHS = ""; + HEADER_SEARCH_PATHS = "$(HEADER_SEARCH_PATHS)"; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; @@ -2420,14 +2149,16 @@ }; 812530B90D3FE994006BDF4F /* Default */ = { isa = XCBuildConfiguration; + baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ADDITIONAL_SDKS = ""; - ARCHS = ""; - "ARCHS[arch=*]" = ( + ARCHS = ( + armv6, armv7, - armv7s, ); COPY_PHASE_STRIP = NO; + FRAMEWORK_SEARCH_PATHS = ""; + HEADER_SEARCH_PATHS = "$(HEADER_SEARCH_PATHS)"; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; @@ -2449,18 +2180,11 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - armv7, - armv7s, - ); + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist"; - CODE_SIGN_IDENTITY = "-"; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; - FRAMEWORK_SEARCH_PATHS = ( - "$(inherited)", - "\\\"$(SDKROOT)/System/Library/Frameworks\\\"", - "\\\"$(DEVELOPER_DIR)/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.0.Internal.sdk/System/Library/Frameworks\\\"", - ); + FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_OPTIMIZATION_LEVEL = 0; @@ -2474,6 +2198,7 @@ ../Common, Crypto, /tmp/ipsec.dst/usr/include, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2484,6 +2209,7 @@ "$(OTHER_CFLAGS_QUOTED_1)", "$(OTHER_CFLAGS_QUOTED_2)", "$(OTHER_CFLAGS_QUOTED_3)", + "-DUSE_SYSTEMCONFIGURATION_PRIVATE_HEADERS", ); OTHER_CFLAGS_QUOTED_1 = "-DSYSCONFDIR=\\\"/etc/racoon\\\""; OTHER_CFLAGS_QUOTED_2 = "-DADMINPORTDIR=\\\"/var/run\\\""; 
@@ -2491,7 +2217,6 @@ OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)"; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; @@ -2513,19 +2238,12 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - armv7, - armv7s, - ); + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist"; - CODE_SIGN_IDENTITY = "-"; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; DSTROOT = "/tmp/$(PROJECT_NAME).dst"; - FRAMEWORK_SEARCH_PATHS = ( - "$(inherited)", - "\\\"$(SDKROOT)/System/Library/Frameworks\\\"", - "\\\"$(DEVELOPER_DIR)/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.0.Internal.sdk/System/Library/Frameworks\\\"", - ); + FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PRECOMPILE_PREFIX_HEADER = YES; @@ -2538,6 +2256,7 @@ ../Common, Crypto, /tmp/ipsec.dst/usr/include, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2547,6 +2266,7 @@ "$(OTHER_CFLAGS_QUOTED_1)", "$(OTHER_CFLAGS_QUOTED_2)", "$(OTHER_CFLAGS_QUOTED_3)", + "-DUSE_SYSTEMCONFIGURATION_PRIVATE_HEADERS", ); OTHER_CFLAGS_QUOTED_1 = "-DSYSCONFDIR=\\\"/etc/racoon\\\""; OTHER_CFLAGS_QUOTED_2 = "-DADMINPORTDIR=\\\"/var/run\\\""; @@ -2554,7 +2274,6 @@ OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)"; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; WARNING_CFLAGS = ( 
@@ -2574,19 +2293,12 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - armv7, - armv7s, - ); + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist"; - CODE_SIGN_IDENTITY = "-"; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; DSTROOT = "/tmp/$(PROJECT_NAME).dst"; - FRAMEWORK_SEARCH_PATHS = ( - "$(inherited)", - "\\\"$(SDKROOT)/System/Library/Frameworks\\\"", - "\\\"$(DEVELOPER_DIR)/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.0.Internal.sdk/System/Library/Frameworks\\\"", - ); + FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PRECOMPILE_PREFIX_HEADER = YES; @@ -2599,6 +2311,7 @@ ../Common, Crypto, /tmp/ipsec.dst/usr/include, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2608,6 +2321,7 @@ "$(OTHER_CFLAGS_QUOTED_1)", "$(OTHER_CFLAGS_QUOTED_2)", "$(OTHER_CFLAGS_QUOTED_3)", + "-DUSE_SYSTEMCONFIGURATION_PRIVATE_HEADERS", ); OTHER_CFLAGS_QUOTED_1 = "-DSYSCONFDIR=\\\"/etc/racoon\\\""; OTHER_CFLAGS_QUOTED_2 = "-DADMINPORTDIR=\\\"/var/run\\\""; @@ -2615,7 +2329,6 @@ OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)"; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; WARNING_CFLAGS = ( 
@@ -2628,185 +2341,14 @@ }; name = Default; }; - 812531250D3FEA33006BDF4F /* Development */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; - buildSettings = { - ALTERNATE_GROUP = "$(inherited)"; - ALTERNATE_MODE = "$(inherited)"; - ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - armv7, - armv7s, - ); - COPY_PHASE_STRIP = NO; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(GCC_PREPROCESSOR_DEFINITIONS)", - ); - HEADER_SEARCH_PATHS = ( - "$(DSTROOT)/usr/include", - "$(inherited)", - ); - INSTALL_GROUP = wheel; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = root; - INSTALL_PATH = /usr/sbin; - OTHER_CFLAGS = "-DADMINPORTDIR=\\\"/tmp/racoon\\\""; - OTHER_LDFLAGS = ""; - OTHER_REZFLAGS = ""; - PREBINDING = NO; - PRODUCT_NAME = racoonctl; - SECTORDER_FLAGS = ""; - SKIP_INSTALL = YES; - WARNING_CFLAGS = ( - "-Wmost", - "-Wno-four-char-constants", - "-Wno-unknown-pragmas", - "-Wcast-align", - ); - }; - name = Development; - }; - 812531260D3FEA33006BDF4F /* Deployment */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; - buildSettings = { - ALTERNATE_GROUP = "$(inherited)"; - ALTERNATE_MODE = "$(inherited)"; - ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - armv7, - armv7s, - ); - COPY_PHASE_STRIP = YES; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(GCC_PREPROCESSOR_DEFINITIONS)", - ); - HEADER_SEARCH_PATHS = ( - "$(DSTROOT)/usr/include", - "$(inherited)", - ); - INSTALL_GROUP = wheel; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = root; - INSTALL_PATH = /usr/sbin; - OTHER_CFLAGS = "-DADMINPORTDIR=\\\"/tmp/racoon\\\""; - OTHER_LDFLAGS = ""; - OTHER_REZFLAGS = ""; - PREBINDING = NO; - PRODUCT_NAME = racoonctl; - SECTORDER_FLAGS = ""; - STRIP_INSTALLED_PRODUCT = YES; - WARNING_CFLAGS = ( - 
"-Wmost", - "-Wno-four-char-constants", - "-Wno-unknown-pragmas", - "-Wcast-align", - ); - }; - name = Deployment; - }; - 812531280D3FEA33006BDF4F /* Default */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; - buildSettings = { - ALTERNATE_GROUP = "$(inherited)"; - ALTERNATE_MODE = "$(inherited)"; - ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - armv7, - armv7s, - ); - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(GCC_PREPROCESSOR_DEFINITIONS)", - ); - HEADER_SEARCH_PATHS = ( - "$(DSTROOT)/usr/include", - "$(inherited)", - ); - INSTALL_GROUP = wheel; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = root; - INSTALL_PATH = /usr/sbin; - OTHER_CFLAGS = "-DADMINPORTDIR=\\\"/tmp/racoon\\\""; - OTHER_LDFLAGS = ""; - OTHER_REZFLAGS = ""; - PREBINDING = NO; - PRODUCT_NAME = racoonctl; - SECTORDER_FLAGS = ""; - STRIP_INSTALLED_PRODUCT = YES; - WARNING_CFLAGS = ( - "-Wmost", - "-Wno-four-char-constants", - "-Wno-unknown-pragmas", - "-Wcast-align", - ); - }; - name = Default; - }; - 815C35E81525201900502220 /* Development */ = { - isa = XCBuildConfiguration; - buildSettings = { - PRODUCT_NAME = "$(TARGET_NAME)"; - TARGETED_DEVICE_FAMILY = ""; - }; - name = Development; - }; - 815C35E91525201900502220 /* Deployment */ = { - isa = XCBuildConfiguration; - buildSettings = { - PRODUCT_NAME = "$(TARGET_NAME)"; - TARGETED_DEVICE_FAMILY = ""; - }; - name = Deployment; - }; - 815C35EA1525201900502220 /* Default */ = { - isa = XCBuildConfiguration; - buildSettings = { - PRODUCT_NAME = "$(TARGET_NAME)"; - TARGETED_DEVICE_FAMILY = ""; - }; - name = Default; - }; - 815C35ED1525203F00502220 /* Development */ = { - isa = XCBuildConfiguration; - buildSettings = { - PRODUCT_NAME = "$(TARGET_NAME)"; - }; - name = Development; - }; - 815C35EE1525203F00502220 /* Deployment */ = { - isa = XCBuildConfiguration; - buildSettings = { - PRODUCT_NAME = 
"$(TARGET_NAME)"; - }; - name = Deployment; - }; - 815C35EF1525203F00502220 /* Default */ = { - isa = XCBuildConfiguration; - buildSettings = { - PRODUCT_NAME = "$(TARGET_NAME)"; - }; - name = Default; - }; 81DDFDA70D622C1700C5CB87 /* Development */ = { isa = XCBuildConfiguration; baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { - ARCHS = ( - armv7, - armv7s, - ); + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; + FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( @@ -2817,6 +2359,7 @@ HEADER_SEARCH_PATHS = ( "$(DSTROOT)/usr/include", ../Common, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2827,7 +2370,6 @@ OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRELINK_LIBS = ""; PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; @@ -2846,11 +2388,10 @@ isa = XCBuildConfiguration; baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { - ARCHS = ( - armv7, - armv7s, - ); + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = YES; + FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( @@ -2860,6 +2401,7 @@ HEADER_SEARCH_PATHS = ( "$(DSTROOT)/usr/include", ../Common, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2870,7 +2412,6 @@ OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRELINK_LIBS = ""; PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; 
@@ -2889,10 +2430,9 @@ isa = XCBuildConfiguration; baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { - ARCHS = ( - armv7, - armv7s, - ); + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; + CODE_SIGN_IDENTITY = ""; + FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( @@ -2902,6 +2442,7 @@ HEADER_SEARCH_PATHS = ( "$(DSTROOT)/usr/include", ../Common, + "$(HEADER_SEARCH_PATHS)", ); INSTALL_GROUP = wheel; INSTALL_MODE_FLAG = 555; @@ -2912,7 +2453,6 @@ OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; - PREBINDING = NO; PRELINK_LIBS = ""; PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; @@ -2933,16 +2473,14 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - armv7, - armv7s, - ); + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; EXECUTABLE_PREFIX = lib; + FRAMEWORK_SEARCH_PATHS = ""; GCC_DYNAMIC_NO_PIC = NO; - GCC_ENABLE_FIX_AND_CONTINUE = YES; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_OPTIMIZATION_LEVEL = 0; @@ -2959,7 +2497,6 @@ INSTALL_OWNER = root; INSTALL_PATH = /usr/lib; LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; - PREBINDING = NO; PRODUCT_NAME = ipsec.A; SKIP_INSTALL = YES; WARNING_CFLAGS = "-Wcast-align"; @@ -2975,15 +2512,13 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - armv7, - armv7s, - ); + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; EXECUTABLE_PREFIX = lib; - GCC_ENABLE_FIX_AND_CONTINUE = NO; + FRAMEWORK_SEARCH_PATHS = ""; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( 
@@ -2999,7 +2534,6 @@ INSTALL_OWNER = root; INSTALL_PATH = /usr/lib; LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; - PREBINDING = NO; PRODUCT_NAME = ipsec.A; WARNING_CFLAGS = "-Wcast-align"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; @@ -3014,15 +2548,13 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - armv7, - armv7s, - ); + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; EXECUTABLE_PREFIX = lib; - GCC_ENABLE_FIX_AND_CONTINUE = YES; + FRAMEWORK_SEARCH_PATHS = ""; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( "HAVE_CONFIG_H=1", @@ -3037,7 +2569,6 @@ INSTALL_OWNER = root; INSTALL_PATH = /usr/lib; LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; - PREBINDING = NO; PRODUCT_NAME = ipsec.A; WARNING_CFLAGS = "-Wcast-align"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; @@ -3056,7 +2587,7 @@ 2537A1AC09E4866800D0ECDA /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; 25D3DAB8098952B20025F703 /* Build configuration list for PBXAggregateTarget "IPSec (Aggregate)" */ = { isa = XCConfigurationList; @@ -3066,7 +2597,7 @@ 25D3DABB098952B20025F703 /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; 25D3DABC098952B20025F703 /* Build configuration list for PBXNativeTarget "racoon" */ = { isa = XCConfigurationList; @@ -3076,7 +2607,7 @@ 25D3DABF098952B20025F703 /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; 25D3DAC0098952B20025F703 /* Build configuration list for PBXNativeTarget "setkey" */ = { isa = XCConfigurationList; 
@@ -3086,17 +2617,7 @@ 25D3DAC3098952B20025F703 /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; - }; - 25D3DAC4098952B20025F703 /* Build configuration list for PBXNativeTarget "racoonctl" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 25D3DAC5098952B20025F703 /* Development */, - 25D3DAC6098952B20025F703 /* Deployment */, - 25D3DAC7098952B20025F703 /* Default */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; 25D3DACC098952B20025F703 /* Build configuration list for PBXProject "ipsec" */ = { isa = XCConfigurationList; 
@@ -3106,57 +2627,47 @@ 25D3DACF098952B20025F703 /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; - }; - 812530B50D3FE994006BDF4F /* Build configuration list for PBXAggregateTarget "IPSec Embedded (Aggregate)" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 812530B60D3FE994006BDF4F /* Development */, - 812530B70D3FE994006BDF4F /* Deployment */, - 812530B90D3FE994006BDF4F /* Default */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; - 812531050D3FE9DC006BDF4F /* Build configuration list for PBXNativeTarget "racoon Embedded" */ = { + 72B3C20C1684F5C4004E4548 /* Build configuration list for PBXAggregateTarget "ipsec_executables" */ = { isa = XCConfigurationList; buildConfigurations = ( - 812531060D3FE9DC006BDF4F /* Development */, - 812531070D3FE9DC006BDF4F /* Deployment */, - 812531090D3FE9DC006BDF4F /* Default */, + 72B3C2091684F5C4004E4548 /* Development */, + 72B3C20A1684F5C4004E4548 /* Deployment */, + 72B3C20B1684F5C4004E4548 /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; - 812531240D3FEA33006BDF4F /* Build configuration list for PBXNativeTarget "racoonctl Embedded" */ = { + 72B3C21216850B87004E4548 /* Build configuration list for PBXAggregateTarget "ipsec_libraries" */ = { isa = XCConfigurationList; buildConfigurations = ( - 812531250D3FEA33006BDF4F /* Development */, - 812531260D3FEA33006BDF4F /* Deployment */, - 812531280D3FEA33006BDF4F /* Default */, + 72B3C21316850B87004E4548 /* Development */, + 72B3C21416850B87004E4548 /* Deployment */, + 72B3C21516850B87004E4548 /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; - 815C35E71525201900502220 /* Build configuration list for PBXAggregateTarget "Project_base" */ = { + 812530B50D3FE994006BDF4F /* Build 
configuration list for PBXAggregateTarget "IPSec Embedded (Aggregate)" */ = { isa = XCConfigurationList; buildConfigurations = ( - 815C35E81525201900502220 /* Development */, - 815C35E91525201900502220 /* Deployment */, - 815C35EA1525201900502220 /* Default */, + 812530B60D3FE994006BDF4F /* Development */, + 812530B70D3FE994006BDF4F /* Deployment */, + 812530B90D3FE994006BDF4F /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; - 815C35EC1525203F00502220 /* Build configuration list for PBXAggregateTarget "Project_executables" */ = { + 812531050D3FE9DC006BDF4F /* Build configuration list for PBXNativeTarget "racoon Embedded" */ = { isa = XCConfigurationList; buildConfigurations = ( - 815C35ED1525203F00502220 /* Development */, - 815C35EE1525203F00502220 /* Deployment */, - 815C35EF1525203F00502220 /* Default */, + 812531060D3FE9DC006BDF4F /* Development */, + 812531070D3FE9DC006BDF4F /* Deployment */, + 812531090D3FE9DC006BDF4F /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; 81DDFDA60D622C1700C5CB87 /* Build configuration list for PBXNativeTarget "setkey Embedded" */ = { isa = XCConfigurationList; @@ -3166,7 +2677,7 @@ 81DDFDA90D622C1700C5CB87 /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; 81DDFDC90D622C2700C5CB87 /* Build configuration list for PBXNativeTarget "libipsec Embedded" */ = { isa = XCConfigurationList; @@ -3176,7 +2687,7 @@ 81DDFDCC0D622C2700C5CB87 /* Default */, ); defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; + defaultConfigurationName = Default; }; /* End XCConfigurationList section */ }; diff --git a/racoon.sb b/racoon.sb index 1d1e972..8aefd9c 100644 --- a/racoon.sb +++ b/racoon.sb 
@@ -6,6 +6,8 @@ (allow system-socket sysctl-read sysctl-write) +(allow system-info (info-type "net.link.addr")) + (allow ipc-posix* (ipc-posix-name "com.apple.securityd")) (allow ipc-posix-shm (ipc-posix-name "apple.shm.notification_center") @@ -47,6 +49,7 @@ (allow mach-lookup (global-name "com.apple.SecurityServer") + (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.ocspd")) ;;;;;; Common system sandbox rules @@ -75,7 +78,8 @@ ;;; Allow access to standard special files. (allow file-read* - (literal "/private/var/db/timezone/localtime") + (subpath "/usr/share") + (subpath "/private/var/db/timezone") (literal "/dev/random") (literal "/dev/urandom")) @@ -102,3 +106,11 @@ (global-name "com.apple.bsd.dirhelper") (global-name "com.apple.system.logger") (global-name "com.apple.system.notification_center")) + +;;; Allow creating an ipsec interface + (allow network-outbound + (control-name "com.apple.net.ipsec_control")) + +;;; Allow racoon to check entitlements + (allow iokit-open + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) -- 2.45.2
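Review bot: The `file-read*` rule in the third hunk replaces the single-file allowance `(literal "/private/var/db/timezone/localtime")` with `(subpath "/usr/share")`, which lets the daemon read the entire `/usr/share` tree rather than the one path it needed before, and the commit does not say what under `/usr/share` is actually required. If the purpose is only to follow the timezone symlink into the zoneinfo directory, `(subpath "/usr/share/zoneinfo")` keeps the grant close to the previous scope, and whichever path is chosen deserves a comment naming the consumer, as the last hunk already does for its `network-outbound` and `iokit-open` rules. The `system-info` and `configd` `mach-lookup` additions in the first two hunks also carry no such comment; a line like `;;; Allow link-layer address lookup (used by <caller>)` with the placeholder filled in would make later audits of the profile straightforward.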