From 7ebaebe21b526e3d6ce7f5237b574332785dd198 Mon Sep 17 00:00:00 2001 
From: Apple Date: Tue, 26 Sep 2017 16:29:54 +0000 Subject: [PATCH] ipsec-317.tar.gz --- ipsec-tools/Common/config.h | 5 +- ipsec-tools/Common/pfkey.c | 6 +- ipsec-tools/racoon/cfparse.y | 3 +- ipsec-tools/racoon/crypto_cssm.c | 131 ++++---- ipsec-tools/racoon/crypto_cssm.h | 1 + ipsec-tools/racoon/dnssec.c | 4 + ipsec-tools/racoon/dnssec.h | 6 + ipsec-tools/racoon/fsm.c | 2 +- ipsec-tools/racoon/getcertsbyname.c | 13 + ipsec-tools/racoon/handler.c | 54 ++-- ipsec-tools/racoon/ike_session.c | 152 +++++----- ipsec-tools/racoon/ipsec_doi.c | 2 +- ipsec-tools/racoon/ipsec_doi.h | 2 +- ipsec-tools/racoon/isakmp.c | 157 +++++----- ipsec-tools/racoon/isakmp_agg.c | 23 +- ipsec-tools/racoon/isakmp_cfg.c | 21 +- ipsec-tools/racoon/isakmp_cfg.h | 5 +- ipsec-tools/racoon/isakmp_ident.c | 17 +- ipsec-tools/racoon/isakmp_inf.c | 83 +++--- ipsec-tools/racoon/isakmp_quick.c | 10 +- ipsec-tools/racoon/isakmp_unity.c | 1 - ipsec-tools/racoon/isakmp_xauth.c | 15 +- ipsec-tools/racoon/kmpstat.c | 3 +- ipsec-tools/racoon/localconf.h | 3 + ipsec-tools/racoon/main.c | 11 +- ipsec-tools/racoon/nattraversal.c | 2 +- ipsec-tools/racoon/netdb_dnssec.h | 6 + ipsec-tools/racoon/oakley.c | 84 ++++-- ipsec-tools/racoon/pfkey_racoon.c | 36 ++- ipsec-tools/racoon/proposal.c | 4 +- ipsec-tools/racoon/remoteconf.c | 68 ++--- ipsec-tools/racoon/sainfo.c | 5 +- ipsec-tools/racoon/session.c | 11 +- ipsec-tools/racoon/sockmisc.c | 1 + ipsec-tools/racoon/strnames.c | 3 - ipsec-tools/racoon/throttle.c | 1 - ipsec-tools/racoon/vendorid.c | 4 +- ipsec-tools/racoon/vpn.c | 5 +- ipsec-tools/racoon/vpn_control.c | 268 +++++++++-------- ipsec-tools/racoon_test/future_cert.der | Bin 0 -> 903 bytes ipsec-tools/racoon_test/past_cert.der | Bin 0 -> 901 bytes ipsec-tools/racoon_test/racoon_certs_data.h | 248 +++++++++++++++ ipsec-tools/racoon_test/racoon_test.c | 129 ++++++++ ipsec-tools/racoon_test/valid_cert.der | Bin 0 -> 902 bytes ipsec.xcodeproj/project.pbxproj | 315 +++++++++++++++++++- 45 files changed, 1359 
 insertions(+), 561 deletions(-)
 create mode 100644 ipsec-tools/racoon_test/future_cert.der
 create mode 100644 ipsec-tools/racoon_test/past_cert.der
 create mode 100644 ipsec-tools/racoon_test/racoon_certs_data.h
 create mode 100644 ipsec-tools/racoon_test/racoon_test.c
 create mode 100644 ipsec-tools/racoon_test/valid_cert.der
diff --git a/ipsec-tools/Common/config.h b/ipsec-tools/Common/config.h
index cd9cb92..5ded22d 100644
--- a/ipsec-tools/Common/config.h
+++ b/ipsec-tools/Common/config.h
@@ -80,6 +80,9 @@
 /* Define to 1 if you have the header file. */
 #define HAVE_MEMORY_H 1
+/* Define to 1 to enable DNSSEC - not currently functional */
+#define ENABLE_DNSSEC_CERTS 0
+
 /* Define to 1 if keychain is used */
 #if TARGET_OS_EMBEDDED
 #undef HAVE_KEYCHAIN
@@ -106,7 +109,7 @@
 #define HAVE_GETIFADDRS 1
-#if TARGET_OS_EMBEDDED
+#if 1
 #undef HAVE_OPENSSL
 #else
 #define HAVE_OPENSSL 1
diff --git a/ipsec-tools/Common/pfkey.c b/ipsec-tools/Common/pfkey.c
index 3330ec7..15ab0cf 100644
--- a/ipsec-tools/Common/pfkey.c
+++ b/ipsec-tools/Common/pfkey.c
@@ -2189,11 +2189,11 @@ pfkey_setsadbipsecif(caddr_t buf, caddr_t lim, char *internal_if, char *outgoing
 p->sadb_x_ipsecif_exttype = SADB_X_EXT_IPSECIF;
 if (internal_if != NULL)
- strncpy(p->sadb_x_ipsecif_internal_if, internal_if, sizeof(p->sadb_x_ipsecif_internal_if));
+ strncpy(p->sadb_x_ipsecif_internal_if, internal_if, sizeof(p->sadb_x_ipsecif_internal_if) - 1);
 if (outgoing_if != NULL)
- strncpy(p->sadb_x_ipsecif_outgoing_if, outgoing_if, sizeof(p->sadb_x_ipsecif_outgoing_if));
+ strncpy(p->sadb_x_ipsecif_outgoing_if, outgoing_if, sizeof(p->sadb_x_ipsecif_outgoing_if) - 1);
 if (ipsec_if != NULL)
- strncpy(p->sadb_x_ipsecif_ipsec_if, ipsec_if, sizeof(p->sadb_x_ipsecif_ipsec_if));
+ strncpy(p->sadb_x_ipsecif_ipsec_if, ipsec_if, sizeof(p->sadb_x_ipsecif_ipsec_if) - 1);
 p->sadb_x_ipsecif_init_disabled = init_disabled;
diff --git a/ipsec-tools/racoon/cfparse.y b/ipsec-tools/racoon/cfparse.y
index bd81184..2067d61 100644
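Review bot: `#if 1` in the second config.h hunk switches HAVE_OPENSSL off for every target but records nothing about why the `TARGET_OS_EMBEDDED` condition was dropped, so the `#else` / `#define HAVE_OPENSSL 1` branch is now dead code that still reads as a live option. Either replace the conditional with an unconditional `#undef HAVE_OPENSSL` and delete the `#else` branch, or keep `#if 1` and state the reason above it, e.g. `/* OpenSSL path disabled on all targets (was: embedded only); crypto_cssm.c keys its #ifndef HAVE_OPENSSL blocks off this */`. The value is consumed by the `#ifndef HAVE_OPENSSL` guards this same commit introduces in crypto_cssm.c, so the intent belongs where it is set.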
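Review bot: The `- 1` now passed to the three strncpy calls does not by itself guarantee a terminated field: strncpy only NUL-pads when the source is shorter than the count, so when `internal_if`, `outgoing_if` or `ipsec_if` is at least as long as the field, the last byte keeps whatever `buf` already held. Unless every caller zeroes `buf` first (the start of pfkey_setsadbipsecif, where that would be visible, is outside the hunk), terminate explicitly after each copy, e.g. `p->sadb_x_ipsecif_internal_if[sizeof(p->sadb_x_ipsecif_internal_if) - 1] = '\0';`, or use `strlcpy(p->sadb_x_ipsecif_internal_if, internal_if, sizeof(p->sadb_x_ipsecif_internal_if));`, which always terminates. Silent truncation of an interface name is also worth logging or rejecting rather than handing a shortened name on.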
--- a/ipsec-tools/racoon/cfparse.y
+++ b/ipsec-tools/racoon/cfparse.y
@@ -85,7 +85,6 @@
 #include "isakmp_frag.h"
 #include "session.h"
 #ifdef ENABLE_HYBRID
-#include "resolv.h"
 #include "isakmp_unity.h"
 #include "isakmp_xauth.h"
 #include "isakmp_cfg.h"
@@ -711,7 +710,7 @@ addrdns
 #ifdef ENABLE_HYBRID
 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
- if (icc->dns4_index > MAXNS) {
+ if (icc->dns4_index >= MAXNS) {
 racoon_yyerror("No more than %d DNS", MAXNS);
 return -1;
 }
diff --git a/ipsec-tools/racoon/crypto_cssm.c b/ipsec-tools/racoon/crypto_cssm.c
index e8fdc98..008ba51 100644
--- a/ipsec-tools/racoon/crypto_cssm.c
+++ b/ipsec-tools/racoon/crypto_cssm.c
@@ -27,25 +27,23 @@
 * Framework and CSSM */
+#include "config.h"
+
 #include
 #include
 #include
-#include
+#include
 #include
 #include
 #include
 #include
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
 #include
 #include
 #include
 #else
 #include
 #include
-#include
-#include
-#include
-#include
 #include
 #include
 #include
@@ -54,6 +52,10 @@
 #endif
 #include
 #if !TARGET_OS_EMBEDDED
+#include
+#include
+#include
+#include
 #include
 #endif
 #include "plog.h"
@@ -68,8 +70,7 @@
 static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues,
 CFTypeRef policyRef, SecKeyRef *publicKeyRef);
-#if !TARGET_OS_EMBEDDED
-#endif
+
 static SecPolicyRef
 crypto_cssm_x509cert_get_SecPolicyRef (CFStringRef hostname)
@@ -124,11 +125,11 @@ crypto_cssm_CopySubjectSequence(SecCertificateRef certRef)
 }
-static cert_status_t
+cert_status_t
 crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef)
 {
 cert_status_t certStatus = CERT_STATUS_OK;
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
 CFAbsoluteTime timeNow = 0;
 CFAbsoluteTime notvalidbeforedate = 0;
 CFAbsoluteTime notvalidafterdate = 0;
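Review bot: The `>= MAXNS` bound is the right check for `dns4_index` indexing an array of MAXNS entries, but nothing on the line says the index is the next free slot, which is exactly the detail that made the old `>` look correct; a short comment such as `/* dns4_index is the next free slot, so MAXNS itself is already out of range */` above the `if` would keep the fix from being reverted. If the grammar has a parallel rule for another address list (an IPv6 DNS or WINS counterpart, if one exists, is not shown in this hunk), it should be checked for the same off-by-one in this commit. The `addrdns` rule begins before the hunk.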
@@ -136,63 +137,57 @@ crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef)
 CFDateRef notvalidbeforedatedata = NULL;
 CFDateRef notvalidafterdatedata = NULL;
 CFArrayRef certProparray = NULL;
- CFDictionaryRef propDict = NULL;
- const void *datevalue = NULL;
- const void *labelvalue = NULL;
- CFGregorianDate gregoriandate;
- CFIndex count;
- CFIndex i;
-
- if ((certProparray = SecCertificateCopyProperties(certificateRef))){
- if ((count = CFArrayGetCount( certProparray ))){
- for( i = 0; i < count; i++) {
- if ((propDict = CFArrayGetValueAtIndex(certProparray, i))) {
- if ( CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyValue, (const void**)&datevalue)){
- /* get kSecPropertyKeyLabel */
- if ( (datevalue) && (CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyLabel, (const void**)&labelvalue))){
- if ( (labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid Before"), 0) == kCFCompareEqualTo)){
- if ( (notvalidbeforedate = CFDateGetAbsoluteTime(datevalue))) {
- if (notvalidbeforedatedata) {
- CFRelease(notvalidbeforedatedata);
- }
- notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate);
- }
- }else if ((labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid After"), 0 ) == kCFCompareEqualTo)){
- if ( (notvalidafterdate = CFDateGetAbsoluteTime(datevalue))) {
- if (notvalidafterdatedata) {
- CFRelease(notvalidafterdatedata);
- }
- notvalidafterdatedata = CFDateCreate(NULL, notvalidafterdate);
- }
- }
- }
- }
+
+ if ((timeNow = CFAbsoluteTimeGetCurrent())) {
+ if (SecCertificateIsValid(certificateRef, timeNow)) {
+ plog(ASL_LEVEL_NOTICE, "Certificate expiration date is OK\n");
+ certStatus = CERT_STATUS_OK;
+ } else {
+ nowcfdatedata = CFDateCreate( NULL, timeNow);
+
+ if ((notvalidbeforedate = SecCertificateNotValidBefore(certificateRef))) {
+ notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate);
+ }
+
+ if ((notvalidafterdate = SecCertificateNotValidAfter(certificateRef))) {
+ notvalidafterdatedata = CFDateCreate(NULL, notvalidafterdate);
+ }
+
+ int year = 0;
+ int month = 0;
+ int day = 0;
+ int hour = 0;
+ int minute = 0;
+ CFCalendarRef calendar = CFCalendarCreateWithIdentifier(kCFAllocatorDefault, kCFGregorianCalendar);
+ if (calendar)
+ {
+ if (notvalidbeforedate) {
+ CFCalendarDecomposeAbsoluteTime(calendar, notvalidbeforedate, "yMdHm", &year, &month, &day, &hour, &minute);
+ plog(ASL_LEVEL_DEBUG, "Certificate not valid before yr %d, mon %d, days %d, hours %d, min %d\n", year, month, day, hour, minute);
 }
- }
- }
- }
- if ( (timeNow = CFAbsoluteTimeGetCurrent()) && (nowcfdatedata = CFDateCreate( NULL, timeNow))){
- if ( notvalidbeforedatedata ){
- gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidbeforedate, NULL);
- plog(ASL_LEVEL_DEBUG,
- "Certificate not valid before yr %d, mon %d, days %d, hours %d, min %d\n", (int)gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute);
- gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidafterdate, NULL);
- plog(ASL_LEVEL_DEBUG,
- "Certificate not valid after yr %d, mon %d, days %d, hours %d, min %d\n", (int)gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute);
- if ( CFDateCompare( nowcfdatedata, notvalidbeforedatedata, NULL ) == kCFCompareLessThan){
- plog(ASL_LEVEL_ERR,
- "current time before valid time\n");
- certStatus = CERT_STATUS_PREMATURE;
- } else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){
- plog(ASL_LEVEL_ERR,
- "current time after valid time\n");
- certStatus = CERT_STATUS_EXPIRED;
- }else {
- plog(ASL_LEVEL_INFO, "Certificate expiration date is OK\n");
- certStatus = CERT_STATUS_OK;
+ if (notvalidafterdate) {
+ CFCalendarDecomposeAbsoluteTime(calendar, notvalidafterdate, "yMdHm", &year, &month, &day, &hour, &minute);
+ plog(ASL_LEVEL_DEBUG, "Certificate not valid after yr %d, mon %d, days %d, hours %d, min %d\n", year, month, day, hour, minute);
+ }
+ CFRelease(calendar);
+ }
+
+ if (nowcfdatedata != NULL) {
+ if (notvalidbeforedatedata && CFDateCompare(nowcfdatedata, notvalidbeforedatedata, NULL) == kCFCompareLessThan){
+ plog(ASL_LEVEL_ERR,
+ "current time before valid time\n");
+ certStatus = CERT_STATUS_PREMATURE;
+ } else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){
+ plog(ASL_LEVEL_ERR,
+ "current time after valid time\n");
+ certStatus = CERT_STATUS_EXPIRED;
+ }
 }
 }
+ } else {
+ plog(ASL_LEVEL_ERR, "CFAbsoluteTimeGetCurrent() failed");
+ certStatus = CERT_STATUS_INVALID;
 }
 if (notvalidbeforedatedata)
@@ -282,7 +277,7 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef
 if (status != noErr && status != -1) {
 plog(ASL_LEVEL_ERR,
- "error %d %s.\n", (int)status, GetSecurityErrorString(status));
+ "check_x509cert error %d %s.\n", (int)status, GetSecurityErrorString(status));
 status = -1;
 } else if (certStatus == CERT_STATUS_PREMATURE || certStatus == CERT_STATUS_EXPIRED) {
 status = -1;
@@ -365,7 +360,7 @@ end:
 if (status != noErr && status != -1) {
 plog(ASL_LEVEL_ERR,
- "error %d %s.\n", (int)status, GetSecurityErrorString(status));
+ "getsign error %d %s.\n", (int)status, GetSecurityErrorString(status));
 status = -1;
 }
 return sig;
@@ -443,7 +438,7 @@ end:
 if (status != noErr && status != -1) {
 plog(ASL_LEVEL_ERR,
- "error %d %s.\n", (int)status, GetSecurityErrorString(status));
+ "get_x509cert error %d %s.\n", (int)status, GetSecurityErrorString(status));
 status = -1;
 }
 return cert;
@@ -553,7 +548,7 @@ end:
 if (status != noErr && status != -1) {
 plog(ASL_LEVEL_ERR,
- "error %d %s.\n", (int)status, GetSecurityErrorString(status));
+ "EvaluateCert error %d %s.\n", (int)status, GetSecurityErrorString(status));
 status = -1;
 }
 return status;
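Review bot: In the `else` branch taken when `SecCertificateIsValid()` returns false, `certStatus` is never changed unless one of the two `CFDateCompare` tests fires, so a certificate the framework has just rejected is still reported as CERT_STATUS_OK whenever `nowcfdatedata` is NULL or `SecCertificateNotValidBefore()`/`SecCertificateNotValidAfter()` return 0 and the date objects are never created. Set the branch's default first, `certStatus = CERT_STATUS_INVALID;` directly after `nowcfdatedata = CFDateCreate( NULL, timeNow);`, and let the premature/expired comparisons only refine it. Two smaller points in the same hunk: `CFAbsoluteTimeGetCurrent()` does not report failure through its return value (zero is simply the reference date), so the `if ((timeNow = ...))` test and the new `CFAbsoluteTimeGetCurrent() failed` message, which also lacks the trailing `\n` every other message here carries, are misleading; and `nowcfdatedata` is created here but not released anywhere in the hunk, so confirm the cleanup that follows `if (notvalidbeforedatedata)` past the hunk covers it. crypto_cssm_check_x509cert_dates continues after the hunk.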
@@ -580,7 +575,9 @@ GetSecurityErrorString(OSStatus err)
 return "paramErr";
 case unimpErr:
 return "unimpErr";
+#endif
+#ifndef HAVE_OPENSSL
 /* SecBase.h: */
 case errSecReadOnly:
 return "errSecReadOnly";
diff --git a/ipsec-tools/racoon/crypto_cssm.h b/ipsec-tools/racoon/crypto_cssm.h
index aa17d59..2b2c5ce 100644
--- a/ipsec-tools/racoon/crypto_cssm.h
+++ b/ipsec-tools/racoon/crypto_cssm.h
@@ -34,6 +34,7 @@
 #include
+extern cert_status_t crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef);
 extern int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef);
 extern int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature, Boolean useSHA1);
 extern SecCertificateRef crypto_cssm_x509cert_CreateSecCertificateRef (vchar_t *cert);
diff --git a/ipsec-tools/racoon/dnssec.c b/ipsec-tools/racoon/dnssec.c
index d7c5148..f2b4d2c 100644
--- a/ipsec-tools/racoon/dnssec.c
+++ b/ipsec-tools/racoon/dnssec.c
@@ -33,6 +33,8 @@
 #include "config.h"
+#if ENABLE_DNSSEC_CERTS
+
 #include
 #include
 #include
@@ -151,3 +153,5 @@ err:
 goto end;
 }
+
+#endif /* ENABLE_DNSSEC_CERTS */
diff --git a/ipsec-tools/racoon/dnssec.h b/ipsec-tools/racoon/dnssec.h
index b57b4a3..25c1f16 100644
--- a/ipsec-tools/racoon/dnssec.h
+++ b/ipsec-tools/racoon/dnssec.h
@@ -32,6 +32,12 @@
 #ifndef _DNSSEC_H
 #define _DNSSEC_H
+#include "config.h"
+
+#if ENABLE_DNSSEC_CERTS
+
 extern cert_t *dnssec_getcert (vchar_t *);
+#endif /* ENABLE_DNSSEC_CERTS */
+
 #endif /* _DNSSEC_H */
diff --git a/ipsec-tools/racoon/fsm.c b/ipsec-tools/racoon/fsm.c
index 8ff862c..0dc4a98 100644
--- a/ipsec-tools/racoon/fsm.c
+++ b/ipsec-tools/racoon/fsm.c
@@ -47,7 +47,7 @@ void
 fsm_set_state(int *var, int state)
 {
 *var = state;
- plog(ASL_LEVEL_DEBUG, "****** state changed to: %s\n", s_isakmp_state(0, 0, state));
+ plog(ASL_LEVEL_NOTICE, "state changed to: %s\n", s_isakmp_state(0, 0, state));
 }
diff --git a/ipsec-tools/racoon/getcertsbyname.c b/ipsec-tools/racoon/getcertsbyname.c
index 74a8501..7546e36 100644
--- a/ipsec-tools/racoon/getcertsbyname.c
+++ b/ipsec-tools/racoon/getcertsbyname.c
@@ -31,13 +31,20 @@
 #include "config.h"
+#if ENABLE_DNSSEC_CERTS
+
 #include
 #include
 #include
 #include
 #include
+
+// Note: this is currently compiled out because ENABLE_DNSSEC_CERTS=0
+// TODO: switch to DNSServiceRef APIs before enabling
+#error "Need to switch to DNSServiceRef APIs before enabling"
 #include
+
 #ifdef HAVE_LWRES_GETRRSETBYNAME
 #include
 #include
@@ -232,6 +239,10 @@ getcertsbyname(name, res)
 }
 answer = p;
+ // Note: this is currently compiled out because ENABLE_DNSSEC_CERTS=0
+ // TODO: switch to DNSServiceRef APIs before enabling
+ #error "Need to switch to DNSServiceRef APIs before enabling"
+
 anslen = res_query(name, C_IN, T_CERT, answer, buflen);
 if (anslen == -1)
 goto end;
@@ -412,3 +423,5 @@ main(ac, av)
 exit(0);
 }
 #endif
+
+#endif /* ENABLE_DNSSEC_CERTS */
diff --git a/ipsec-tools/racoon/handler.c b/ipsec-tools/racoon/handler.c
index 6fe8e46..9bb0d19 100644
--- a/ipsec-tools/racoon/handler.c
+++ b/ipsec-tools/racoon/handler.c
@@ -51,10 +51,6 @@
 #include "debug.h"
 #include "fsm.h"
-#ifdef ENABLE_HYBRID
-#include
-#endif
-
 #include "schedule.h"
 #include "grabmyaddr.h"
 #include "algorithm.h"
@@ -319,7 +315,7 @@ ike_session_newph1(unsigned int version)
 iph1->ping_sched = NULL;
 #endif
 iph1->is_dying = 0;
- plog(ASL_LEVEL_DEBUG, "*** New Phase 1\n");
+ plog(ASL_LEVEL_NOTICE, "New Phase 1\n");
 return iph1;
 }
@@ -432,7 +428,7 @@ ike_session_flush_all_phase1_for_session(ike_session_t *session, int ignore_esta
 LIST_FOREACH_SAFE(p, &session->ph1tree, ph1ofsession_chain, next) {
 if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
 "Skipping Phase 1 %s that's asserted...\n", isakmp_pindex(&p->index, 0));
 continue;
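Review bot: The `#error` placed inside getcertsbyname() ahead of the `res_query` call duplicates the file-scope `#error` added in the first hunk; the first already fails any build with ENABLE_DNSSEC_CERTS set, so the second is only a marker that has to be removed twice when the DNSServiceRef port lands. Keep one `#error` at file scope and turn the in-function one into a comment at the call site, e.g. `/* TODO: replace res_query with the DNSServiceRef API before ENABLE_DNSSEC_CERTS is enabled */`. Both sit under `#if ENABLE_DNSSEC_CERTS`, which config.h defines as 0 in this commit, so neither is reached by the current build. getcertsbyname() begins before the hunk.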
@@ -442,13 +438,13 @@ ike_session_flush_all_phase1_for_session(ike_session_t *session, int ignore_esta if (FSM_STATE_IS_ESTABLISHED(p->status)) { if (ignore_estab_or_assert_handles && (ike_session_has_negoing_ph2(p->parent_session) || ike_session_has_established_ph2(p->parent_session))) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Skipping Phase 1 %s that's established... because it's needed by children Phase 2s\n", isakmp_pindex(&p->index, 0)); continue; } /* send delete information */ - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Got a Phase 1 %s to flush...\n", isakmp_pindex(&p->index, 0)); isakmp_info_send_d1(p); @@ -470,7 +466,7 @@ ike_session_flush_all_phase1(int ignore_estab_or_assert_handles) ike_session_t *session = NULL; ike_session_t *next_session = NULL; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Flushing Phase 1 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles); LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) { @@ -575,7 +571,7 @@ ike_session_getph2byid(struct sockaddr_storage *src, struct sockaddr_storage *ds p->retry_counter == 0 && p->sce == 0 && p->scr == 0 && p->retry_checkph1 == 0){ - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Zombie ph2 found, expiring it\n"); isakmp_ph2expire(p); }else @@ -701,7 +697,7 @@ ike_session_newph2(unsigned int version, int type) iph2->phase2_type = type; iph2->is_dying = 0; - plog(ASL_LEVEL_DEBUG, "*** New Phase 2\n"); + plog(ASL_LEVEL_NOTICE, "New Phase 2\n"); return iph2; } 
@@ -819,22 +815,22 @@ ike_session_flush_all_phase2_for_session(ike_session_t *session, int ignore_esta continue; } if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "skipping phase2 handle that's asserted...\n"); continue; } if (FSM_STATE_IS_ESTABLISHED(p->status)){ if (ignore_estab_or_assert_handles) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "skipping ph2 handler that's established...\n"); continue; } /* send delete information */ - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "got an established ph2 handler to flush...\n"); isakmp_info_send_d2(p); }else{ - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "got a ph2 handler to flush (state %d)\n", p->status); } @@ -851,7 +847,7 @@ ike_session_flush_all_phase2(int ignore_estab_or_assert_handles) ike_session_t *session = NULL; ike_session_t *next_session = NULL; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "flushing ph2 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles); LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) { @@ -900,7 +896,7 @@ ike_session_deleteallph2(struct sockaddr_storage *src, struct sockaddr_storage * } continue; zap_it: - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "deleteallph2: got a ph2 handler...\n"); if (FSM_STATE_IS_ESTABLISHED(iph2->status)) isakmp_info_send_d2(iph2); @@ -928,7 +924,7 @@ ike_session_deleteallph1(struct sockaddr_storage *src, struct sockaddr_storage * cmpsaddrwop(dst, iph1->remote) != 0) { continue; } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "deleteallph1: got a ph1 handler...\n"); if (FSM_STATE_IS_ESTABLISHED(iph1->status)) isakmp_info_send_d1(iph1); 
@@ -1116,7 +1112,7 @@ vchar_t *rbuf; if (r->retry_counter <= 0) { ike_session_rem_recvdpkt(r); ike_session_del_recvdpkt(r); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "deleted the retransmission packet to %s.\n", saddr2str((struct sockaddr *)remote)); } else { @@ -1363,7 +1359,7 @@ ike_session_purgephXbydstaddrwop(struct sockaddr_storage *remote) continue; } if (cmpsaddrwop(remote, p2->dst) == 0) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "in %s... purging Phase 2 structures\n", __FUNCTION__); if (FSM_STATE_IS_ESTABLISHED(p2->status)) isakmp_info_send_d2(p2); @@ -1377,7 +1373,7 @@ ike_session_purgephXbydstaddrwop(struct sockaddr_storage *remote) continue; } if (cmpsaddrwop(remote, p->remote) == 0) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "in %s... purging Phase 1 and related Phase 2 structures\n", __FUNCTION__); ike_session_purge_ph2s_by_ph1(p); if (FSM_STATE_IS_ESTABLISHED(p->status)) @@ -1457,13 +1453,13 @@ ike_session_ph1_force_dpd (struct sockaddr_storage *remote) isakmp_info_send_r_u(p); status = 0; } else { - plog(ASL_LEVEL_DEBUG, "Skipping forced-DPD for Phase 1 (dpd already in progress).\n"); + plog(ASL_LEVEL_NOTICE, "Skipping forced-DPD for Phase 1 (dpd already in progress).\n"); } if (p->parent_session) { p->parent_session->controller_awaiting_peer_resp = 1; } } else { - plog(ASL_LEVEL_DEBUG, "Skipping forced-DPD for Phase 1 (status %d, dying %d, dpd-support %d, dpd-interval %d).\n", + plog(ASL_LEVEL_NOTICE, "Skipping forced-DPD for Phase 1 (status %d, dying %d, dpd-support %d, dpd-interval %d).\n", p->status, p->is_dying, p->dpd_support, p->rmconf->dpd_interval); } } 
@@ -1488,12 +1484,12 @@ sweep_sleepwake(void) // do the ph1s. LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) { if (iph1->parent_session && iph1->parent_session->is_asserted) { - plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 1 %s because it's been asserted.\n", + plog(ASL_LEVEL_NOTICE, "Skipping sweep of Phase 1 %s because it's been asserted.\n", isakmp_pindex(&iph1->index, 0)); continue; } if (iph1->is_dying || FSM_STATE_IS_EXPIRED(iph1->status)) { - plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 1 %s because it's already expired.\n", + plog(ASL_LEVEL_NOTICE, "Skipping sweep of Phase 1 %s because it's already expired.\n", isakmp_pindex(&iph1->index, 0)); continue; } @@ -1507,7 +1503,7 @@ sweep_sleepwake(void) fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_EXPIRED); ike_session_update_ph1_ph2tree(iph1); // move unbind/rebind ph2s to from current ph1 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); - plog(ASL_LEVEL_DEBUG, "Phase 1 %s expired while sleeping: quick deletion.\n", + plog(ASL_LEVEL_NOTICE, "Phase 1 %s expired while sleeping: quick deletion.\n", isakmp_pindex(&iph1->index, 0)); } } @@ -1543,11 +1539,11 @@ sweep_sleepwake(void) // do ph2's next LIST_FOREACH_SAFE(iph2, &session->ph2tree, ph2ofsession_chain, next_iph2) { if (iph2->parent_session && iph2->parent_session->is_asserted) { - plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 2 because it's been asserted.\n"); + plog(ASL_LEVEL_NOTICE, "Skipping sweep of Phase 2 because it's been asserted.\n"); continue; } if (iph2->is_dying || FSM_STATE_IS_EXPIRED(iph2->status)) { - plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 2 because it's already expired.\n"); + plog(ASL_LEVEL_NOTICE, "Skipping sweep of Phase 2 because it's already expired.\n"); continue; } if (iph2->sce) { 
@@ -1559,7 +1555,7 @@ sweep_sleepwake(void) isakmp_ph2expire(iph2); // iph2 will go down 1 second later. ike_session_stopped_by_controller(iph2->parent_session, ike_session_stopped_by_sleepwake); - plog(ASL_LEVEL_DEBUG, "Phase 2 expired while sleeping: quick deletion.\n"); + plog(ASL_LEVEL_NOTICE, "Phase 2 expired while sleeping: quick deletion.\n"); } } } diff --git a/ipsec-tools/racoon/ike_session.c b/ipsec-tools/racoon/ike_session.c index 184fbc8..cf47bef 100644 --- a/ipsec-tools/racoon/ike_session.c +++ b/ipsec-tools/racoon/ike_session.c @@ -85,7 +85,7 @@ new_ike_session (ike_session_id_t *id) ike_session_t *session; if (!id) { - plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "Invalid parameters in %s.\n", __FUNCTION__); return NULL; } @@ -124,7 +124,7 @@ free_ike_session (ike_session_t *session) session->term_reason); } // do MessageTracer cleanup here - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Freeing IKE-Session to %s.\n", saddr2str((struct sockaddr *)&session->session_id.remote)); LIST_REMOVE(session, chain); @@ -169,7 +169,7 @@ ike_session_create_session (ike_session_id_t *session_id) if (!session_id) return NULL; - plog(ASL_LEVEL_DEBUG, "New IKE Session to %s.\n", saddr2str((struct sockaddr *)&session_id->remote)); + plog(ASL_LEVEL_NOTICE, "New IKE Session to %s.\n", saddr2str((struct sockaddr *)&session_id->remote)); return new_ike_session(session_id); } @@ -205,7 +205,7 @@ ike_session_get_session (struct sockaddr_storage *local, int is_isakmp_remote_port; if (!local || !remote) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return NULL; } 
@@ -322,10 +322,11 @@ ike_session_init_traffic_cop_params (phase1_handle_t *iph1) if (!iph1->parent_session->traffic_monitor.interv_idle) { iph1->parent_session->traffic_monitor.interv_idle = iph1->rmconf->idle_timeout; } + if (!iph1->parent_session->traffic_monitor.dir_idle) { iph1->parent_session->traffic_monitor.dir_idle = iph1->rmconf->idle_timeout_dir; } - + if (!iph1->parent_session->traffic_monitor.interv_mon) { int min_period, max_period, sample_period = 0; @@ -415,7 +416,7 @@ ike_session_link_phase1 (ike_session_t *session, phase1_handle_t *iph1) { if (!session || !iph1) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return -1; } @@ -450,7 +451,7 @@ int ike_session_link_phase2 (ike_session_t *session, phase2_handle_t *iph2) { if (!iph2) { - plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "Invalid parameters in %s.\n", __FUNCTION__); return -1; } if (iph2->parent_session) { @@ -485,7 +486,7 @@ ike_session_link_ph2_to_ph1 (phase1_handle_t *iph1, phase2_handle_t *iph2) int error = 0; if (!iph2) { - plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "Invalid parameters in %s.\n", __FUNCTION__); return -1; } if (iph2->ph1) { @@ -513,7 +514,7 @@ ike_session_unlink_phase1 (phase1_handle_t *iph1) ike_session_t *session; if (!iph1 || !iph1->parent_session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return -1; } @@ -543,7 +544,7 @@ ike_session_unlink_phase2 (phase2_handle_t *iph2) ike_session_t *session; if (!iph2 || !iph2->parent_session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return -1; } sched_scrub_param(iph2); 
@@ -568,7 +569,7 @@ ike_session_update_ph1_ph2tree (phase1_handle_t *iph1) phase1_handle_t *new_iph1 = NULL; if (!iph1) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return NULL; } @@ -576,16 +577,16 @@ ike_session_update_ph1_ph2tree (phase1_handle_t *iph1) new_iph1 = ike_session_get_established_ph1(iph1->parent_session); if (!new_iph1) { - plog(ASL_LEVEL_DEBUG, "no ph1bind replacement found. NULL ph1.\n"); + plog(ASL_LEVEL_NOTICE, "no ph1bind replacement found. NULL ph1.\n"); ike_session_unbind_all_ph2_from_ph1(iph1); } else if (iph1 == new_iph1) { - plog(ASL_LEVEL_DEBUG, "no ph1bind replacement found. same ph1.\n"); + plog(ASL_LEVEL_NOTICE, "no ph1bind replacement found. same ph1.\n"); ike_session_unbind_all_ph2_from_ph1(iph1); } else { ike_session_rebind_all_ph12_to_new_ph1(iph1, new_iph1); } } else { - plog(ASL_LEVEL_DEBUG, "invalid parent session in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_NOTICE, "invalid parent session in %s.\n", __FUNCTION__); } return new_iph1; } @@ -596,7 +597,7 @@ ike_session_update_ph2_ph1bind (phase2_handle_t *iph2) phase1_handle_t *iph1; if (!iph2 || iph2->phase2_type != PHASE2_TYPE_SA) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return NULL; } @@ -616,7 +617,7 @@ ike_session_get_established_or_negoing_ph1 (ike_session_t *session) phase1_handle_t *p, *iph1 = NULL; if (!session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return NULL; } @@ -640,7 +641,7 @@ ike_session_get_established_ph1 (ike_session_t *session) phase1_handle_t *p; if (!session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return NULL; } 
@@ -680,7 +681,7 @@ ike_session_has_other_negoing_ph1 (ike_session_t *session, phase1_handle_t *iph1 phase1_handle_t *p; if (!session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return 0; } @@ -701,7 +702,7 @@ ike_session_has_other_established_ph2 (ike_session_t *session, phase2_handle_t * phase2_handle_t *p; if (!session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return 0; } @@ -722,7 +723,7 @@ ike_session_has_other_negoing_ph2 (ike_session_t *session, phase2_handle_t *iph2 phase2_handle_t *p; if (!session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return 0; } @@ -762,7 +763,7 @@ ike_session_ikev1_float_ports (phase1_handle_t *iph1) set_port(remote, extract_port(iph1->remote)); } } else { - plog(ASL_LEVEL_DEBUG, "invalid parent session in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_NOTICE, "invalid parent session in %s.\n", __FUNCTION__); } } @@ -777,18 +778,18 @@ ike_session_traffic_cop (void *arg) /* get traffic query from kernel */ if (pk_sendget_inbound_sastats(session) < 0) { // log message - plog(ASL_LEVEL_DEBUG, "pk_sendget_inbound_sastats failed in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_NOTICE, "pk_sendget_inbound_sastats failed in %s.\n", __FUNCTION__); } if (pk_sendget_outbound_sastats(session) < 0) { // log message - plog(ASL_LEVEL_DEBUG, "pk_sendget_outbound_sastats failed in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_NOTICE, "pk_sendget_outbound_sastats failed in %s.\n", __FUNCTION__); } session->traffic_monitor.sc_mon = sched_new(session->traffic_monitor.interv_mon, ike_session_traffic_cop, session); } else { // log message - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); } } 
@@ -807,8 +808,8 @@ ike_session_monitor_idle (ike_session_t *session) if (session->traffic_monitor.dir_idle == IPSEC_DIR_INBOUND || session->traffic_monitor.dir_idle == IPSEC_DIR_ANY) { if (session->peer_sent_data_sc_idle) { - plog(ASL_LEVEL_DEBUG, "%s: restart idle-timeout because peer sent data. monitoring dir %d.\n", - __FUNCTION__, session->traffic_monitor.dir_idle); + plog(ASL_LEVEL_NOTICE, "%s: restart idle-timeout because peer sent data. monitoring dir %d. idle timer %d s\n", + __FUNCTION__, session->traffic_monitor.dir_idle, session->traffic_monitor.interv_idle); SCHED_KILL(session->traffic_monitor.sc_idle); if (session->traffic_monitor.interv_idle) { session->traffic_monitor.sc_idle = sched_new(session->traffic_monitor.interv_idle, @@ -823,8 +824,8 @@ ike_session_monitor_idle (ike_session_t *session) if (session->traffic_monitor.dir_idle == IPSEC_DIR_OUTBOUND || session->traffic_monitor.dir_idle == IPSEC_DIR_ANY) { if (session->i_sent_data_sc_idle) { - plog(ASL_LEVEL_DEBUG, "%s: restart idle-timeout because i sent data. monitoring dir %d.\n", - __FUNCTION__, session->traffic_monitor.dir_idle); + plog(ASL_LEVEL_NOTICE, "%s: restart idle-timeout because i sent data. monitoring dir %d. idle times %d s\n", + __FUNCTION__, session->traffic_monitor.dir_idle, session->traffic_monitor.interv_idle); SCHED_KILL(session->traffic_monitor.sc_idle); if (session->traffic_monitor.interv_idle) { session->traffic_monitor.sc_idle = sched_new(session->traffic_monitor.interv_idle, @@ -857,7 +858,7 @@ void ike_session_ph2_established (phase2_handle_t *iph2) { if (!iph2->parent_session || iph2->phase2_type != PHASE2_TYPE_SA) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return; } SCHED_KILL(iph2->parent_session->sc_xauth); 
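Review bot: The message added in the second hunk here (the outbound branch of ike_session_monitor_idle) reads `idle times %d s`, while the matching inbound message a few lines earlier says `idle timer %d s`; the two log lines are otherwise parallel and only that word differs, so change it to `"%s: restart idle-timeout because i sent data. monitoring dir %d. idle timer %d s\n"`. Both new `%d` conversions print `traffic_monitor.interv_idle`; its declaration is outside the hunk, so confirm it is an int rather than a time_t or an unsigned type before relying on the format. ike_session_monitor_idle begins before the hunk.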
@@ -880,7 +881,7 @@ ike_session_ph2_established (phase2_handle_t *iph2) #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_peer_resp_ph2(1, iph2); #endif /* ENABLE_VPNCONTROL_PORT */ - plog(ASL_LEVEL_DEBUG, "%s: ph2 established, spid %d\n", __FUNCTION__, iph2->spid); + plog(ASL_LEVEL_NOTICE, "%s: ph2 established, spid %d\n", __FUNCTION__, iph2->spid); } void @@ -918,7 +919,7 @@ ike_session_replace_other_ph1 (phase1_handle_t *new_iph1, session = new_iph1->parent_session; if (!session || !new_iph1 || !old_iph1 || session != old_iph1->parent_session || new_iph1 == old_iph1) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return; } @@ -941,7 +942,7 @@ ike_session_replace_other_ph1 (phase1_handle_t *new_iph1, STRDUP_FATAL(local); STRDUP_FATAL(remote); STRDUP_FATAL(index); - plog(ASL_LEVEL_DEBUG, "ISAKMP-SA %s-%s (spi:%s) needs to be deleted, replaced by (spi:%s)\n", local, remote, index, isakmp_pindex(&new_iph1->index, 0)); + plog(ASL_LEVEL_NOTICE, "ISAKMP-SA %s-%s (spi:%s) needs to be deleted, replaced by (spi:%s)\n", local, remote, index, isakmp_pindex(&new_iph1->index, 0)); racoon_free(local); racoon_free(remote); racoon_free(index); @@ -966,7 +967,7 @@ ike_session_cleanup_other_established_ph1s (ike_session_t *session, char *local, *remote; if (!session || !new_iph1 || session != new_iph1->parent_session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return; } @@ -993,7 +994,7 @@ ike_session_cleanup_other_established_ph1s (ike_session_t *session, remote = racoon_strdup(saddr2str((struct sockaddr *)p->remote)); STRDUP_FATAL(local); STRDUP_FATAL(remote); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "ISAKMP-SA needs to be deleted %s-%s spi:%s\n", local, remote, isakmp_pindex(&p->index, 0)); racoon_free(local); 
@@ -1065,7 +1066,7 @@ ike_session_cleanup_other_established_ph2s (ike_session_t *session, phase2_handle_t *p, *next; if (!session || !new_iph2 || session != new_iph2->parent_session || new_iph2->phase2_type != PHASE2_TYPE_SA) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return; } @@ -1086,7 +1087,7 @@ ike_session_cleanup_other_established_ph2s (ike_session_t *session, p->is_dying = 1; //log deletion - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "IPsec-SA needs to be deleted: %s\n", sadbsecas2str(p->src, p->dst, p->satype, p->spid, 0)); @@ -1107,12 +1108,12 @@ ike_session_stopped_by_controller (ike_session_t *session, const char *reason) { if (!session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return; } if (session->stop_timestamp.tv_sec || session->stop_timestamp.tv_usec) { - plog(ASL_LEVEL_DEBUG, "already stopped %s.\n", __FUNCTION__); + plog(ASL_LEVEL_NOTICE, "already stopped %s.\n", __FUNCTION__); return; } session->stopped_by_vpn_controller = 1; @@ -1131,7 +1132,7 @@ ike_sessions_stopped_by_controller (struct sockaddr_storage *remote, ike_session_t *next_session = NULL; if (!remote) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return; } @@ -1150,7 +1151,7 @@ ike_session_purge_ph1s_by_session (ike_session_t *session) phase1_handle_t *next_iph1 = NULL; LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) { - plog(ASL_LEVEL_DEBUG, "deleteallph1 of given session: got a ph1 handler...\n"); + plog(ASL_LEVEL_NOTICE, "deleteallph1 of given session: got a ph1 handler...\n"); vpncontrol_notify_ike_failed(VPNCTL_NTYPE_NO_PROPOSAL_CHOSEN, FROM_REMOTE, iph1_get_remote_v4_address(iph1), 0, NULL); 
@@ -1165,7 +1166,7 @@ ike_session_purge_ph2s_by_ph1 (phase1_handle_t *iph1) phase2_handle_t *p, *next; if (!iph1 || !iph1->parent_session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return; } @@ -1177,7 +1178,7 @@ ike_session_purge_ph2s_by_ph1 (phase1_handle_t *iph1) p->is_dying = 1; //log deletion - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "IPsec-SA needs to be purged: %s\n", sadbsecas2str(p->src, p->dst, p->satype, p->spid, 0)); @@ -1199,7 +1200,7 @@ ike_session_update_ph2_ports (phase2_handle_t *iph2) set_port(iph2->src, extract_port(local)); set_port(iph2->dst, extract_port(remote)); } else { - plog(ASL_LEVEL_DEBUG, "invalid parent session in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_NOTICE, "invalid parent session in %s.\n", __FUNCTION__); } } @@ -1214,7 +1215,7 @@ ike_session_get_sas_for_stats (ike_session_t *session, phase2_handle_t *iph2; if (!session || !seq || !stats || !max_stats || (dir != IPSEC_DIR_INBOUND && dir != IPSEC_DIR_OUTBOUND)) { - plog(ASL_LEVEL_DEBUG, "invalid args in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid args in %s.\n", __FUNCTION__); return found; } @@ -1252,12 +1253,12 @@ ike_session_update_traffic_idle_status (ike_session_t *session, int i, j, found = 0, idle = 1; if (!session || !new_stats || (dir != IPSEC_DIR_INBOUND && dir != IPSEC_DIR_OUTBOUND)) { - plog(ASL_LEVEL_DEBUG, "invalid args in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid args in %s.\n", __FUNCTION__); return; } if (!session->established || session->stopped_by_vpn_controller || session->stop_timestamp.tv_sec || session->stop_timestamp.tv_usec) { - plog(ASL_LEVEL_DEBUG, "dropping update on invalid session in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_NOTICE, "dropping update on invalid session in %s.\n", __FUNCTION__); return; } 
@@ -1286,7 +1287,7 @@ ike_session_update_traffic_idle_status (ike_session_t *session, // new SA.... check for any activity if (!found) { if (new_stats[i].lft_c.sadb_lifetime_bytes) { - plog(ASL_LEVEL_DEBUG, "new SA: dir %d....\n", dir); + plog(ASL_LEVEL_NOTICE, "new SA: dir %d....\n", dir); idle = 0; } } @@ -1326,10 +1327,12 @@ ike_session_cleanup (ike_session_t *session, phase2_handle_t *next_iph2 = NULL; phase1_handle_t *iph1 = NULL; phase1_handle_t *next_iph1 = NULL; + nw_nat64_prefix_t nat64_prefix; if (!session) return; + memset(&nat64_prefix, 0, sizeof(nat64_prefix)); session->is_dying = 1; ike_session_stopped_by_controller(session, reason); @@ -1344,6 +1347,11 @@ ike_session_cleanup (ike_session_t *session, // do the ph1s last. LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) { + + if (iph1->nat64_prefix.length > 0) { + memcpy(&nat64_prefix, &iph1->nat64_prefix, sizeof(nat64_prefix)); + } + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) { isakmp_info_send_d1(iph1); } @@ -1353,11 +1361,17 @@ ike_session_cleanup (ike_session_t *session, // send ipsecManager a notification if (session->is_cisco_ipsec && reason && reason != ike_session_stopped_by_vpn_disconnect && reason != ike_session_stopped_by_controller_comm_lost) { - u_int32_t address; + u_int32_t address = 0; if ((&session->session_id.remote)->ss_family == AF_INET) { address = ((struct sockaddr_in *)&session->session_id.remote)->sin_addr.s_addr; } else { - address = 0; + if (nat64_prefix.length > 0) { + struct in_addr inaddr; + nw_nat64_extract_v4(&nat64_prefix, + &((struct sockaddr_in6 *)&session->session_id.remote)->sin6_addr, + &inaddr); + address = inaddr.s_addr; + } } // TODO: log if (reason == ike_session_stopped_by_idle) { 
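Review bot: The new else branch in ike_session_cleanup casts session_id.remote to `struct sockaddr_in6` whenever the family is not AF_INET, and reads `inaddr` whether or not nw_nat64_extract_v4 actually wrote it, so a non-IPv6 family or a failed extraction leaves `address` derived from an unwritten stack variable. Guard on the family as well as the prefix, `} else if ((&session->session_id.remote)->ss_family == AF_INET6 && nat64_prefix.length > 0) {`, and initialize `struct in_addr inaddr = { 0 };` (or test the call's result — I read it as returning a status, confirm against the header). The loop earlier in this function copies the prefix of every ph1 it visits, so the last one wins; if per-ph1 prefixes can differ that may not be the intended source. ike_session_cleanup continues past the end of the hunk.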
@@ -1374,7 +1388,7 @@ ike_session_has_negoing_ph1 (ike_session_t *session) phase1_handle_t *p; if (!session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return 0; } @@ -1393,7 +1407,7 @@ ike_session_has_established_ph1 (ike_session_t *session) phase1_handle_t *p; if (!session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return 0; } @@ -1412,7 +1426,7 @@ ike_session_has_negoing_ph2 (ike_session_t *session) phase2_handle_t *p; if (!session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return 0; } @@ -1431,7 +1445,7 @@ ike_session_has_established_ph2 (ike_session_t *session) phase2_handle_t *p; if (!session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return 0; } @@ -1451,7 +1465,7 @@ ike_session_cleanup_ph1s_by_ph2 (phase2_handle_t *iph2) phase1_handle_t *next_iph1 = NULL; if (!iph2 || !iph2->parent_session) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return; } @@ -1832,7 +1846,7 @@ ike_session_drop_rekey (ike_session_t *session, ike_session_rekey_type_t rekey_t time_t now = time(NULL); if ((now - session->last_time_data_sc_detected) > (session->traffic_monitor.interv_mon << 1)) { - plog(ASL_LEVEL_DEBUG, "btmm session is idle: drop ph%drekey.\n", + plog(ASL_LEVEL_NOTICE, "btmm session is idle: drop ph%drekey.\n", rekey_type); return 1; } 
@@ -1840,7 +1854,7 @@ ike_session_drop_rekey (ike_session_t *session, ike_session_rekey_type_t rekey_t if (rekey_type == IKE_SESSION_REKEY_TYPE_PH1 && !ike_session_has_negoing_ph2(session) && !ike_session_has_established_ph2(session)) { // for vpn: only drop ph1 if there are no more ph2s. - plog(ASL_LEVEL_DEBUG, "vpn session is idle: drop ph1 rekey.\n"); + plog(ASL_LEVEL_NOTICE, "vpn session is idle: drop ph1 rekey.\n"); return 1; } } @@ -1862,7 +1876,7 @@ ike_session_sweep_sleepwake (void) // flag session as dying if all ph1/ph2 are dead/dying LIST_FOREACH_SAFE(p, &ike_session_tree, chain, next_session) { if (p->is_dying) { - plog(ASL_LEVEL_DEBUG, "skipping sweep of dying session.\n"); + plog(ASL_LEVEL_NOTICE, "skipping sweep of dying session.\n"); continue; } SCHED_KILL(p->sc_xauth); @@ -1870,19 +1884,19 @@ ike_session_sweep_sleepwake (void) // for asserted session, traffic monitors will be restared after phase2 becomes established. SCHED_KILL(p->traffic_monitor.sc_mon); SCHED_KILL(p->traffic_monitor.sc_idle); - plog(ASL_LEVEL_DEBUG, "skipping sweep of asserted session.\n"); + plog(ASL_LEVEL_NOTICE, "skipping sweep of asserted session.\n"); continue; } // cleanup any stopped sessions as they will go down if (p->stopped_by_vpn_controller || p->stop_timestamp.tv_sec || p->stop_timestamp.tv_usec) { - plog(ASL_LEVEL_DEBUG, "sweeping stopped session.\n"); + plog(ASL_LEVEL_NOTICE, "sweeping stopped session.\n"); ike_session_cleanup(p, ike_session_stopped_by_sleepwake); continue; } if (!ike_session_has_established_ph1(p) && !ike_session_has_established_ph2(p)) { - plog(ASL_LEVEL_DEBUG, "session died while sleeping.\n"); + plog(ASL_LEVEL_NOTICE, "session died while sleeping.\n"); ike_session_cleanup(p, ike_session_stopped_by_sleepwake); continue; } 
@@ -1929,7 +1943,7 @@ ike_session_assert_session (ike_session_t *session) phase1_handle_t *iph1_next = NULL; if (!session || session->is_dying) { - plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return -1; } @@ -1946,7 +1960,7 @@ ike_session_assert_session (ike_session_t *session) for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { if (pr->ok) { //log deletion - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Assert: Phase 2 %s deleted\n", sadbsecas2str(iph2->src, iph2->dst, iph2->satype, iph2->spid, ipsecdoi2pfkey_mode(pr->encmode))); @@ -1971,7 +1985,7 @@ ike_session_assert_session (ike_session_t *session) iph1->is_dying = 1; //log deletion - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Assert: Phase 1 %s deleted\n", isakmp_pindex(&iph1->index, 0)); @@ -1994,7 +2008,7 @@ ike_session_assert (struct sockaddr_storage *local, ike_session_t *sess; if (!local || !remote) { - plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return -1; } @@ -2032,7 +2046,7 @@ ike_session_ph2_retransmits (phase2_handle_t *iph2) * * in all these cases, one sure way to know is to trigger a phase1 rekey early. */ - plog(ASL_LEVEL_DEBUG, "Many Phase 2 retransmits: try Phase 1 rekey and this Phase 2 to quit earlier.\n"); + plog(ASL_LEVEL_NOTICE, "Many Phase 2 retransmits: try Phase 1 rekey and this Phase 2 to quit earlier.\n"); isakmp_ph1rekeyexpire(iph2->ph1, TRUE); iph2->retry_counter = 0; } @@ -2054,7 +2068,7 @@ ike_session_ph1_retransmits (phase1_handle_t *iph1) !ike_session_has_other_negoing_ph1(iph1->parent_session, iph1)) { num_retransmits = iph1->rmconf->retry_counter - iph1->retry_counter; if (num_retransmits == 3) { - plog(ASL_LEVEL_DEBUG, "Many Phase 1 retransmits: try quit earlier.\n"); + plog(ASL_LEVEL_NOTICE, "Many Phase 1 retransmits: try quit earlier.\n"); iph1->retry_counter = 0; } } 
@@ -2094,7 +2108,7 @@ ike_session_rebindph12(phase1_handle_t *new_ph1, phase2_handle_t *iph2) oakley_delivm(iph2->ivm); if (FSM_STATE_IS_ESTABLISHED(new_ph1->status)) { iph2->ivm = oakley_newiv2(new_ph1, iph2->msgid); - plog(ASL_LEVEL_DEBUG, "Phase 1-2 binding changed... recalculated ivm.\n"); + plog(ASL_LEVEL_NOTICE, "Phase 1-2 binding changed... recalculated ivm.\n"); } else { iph2->ivm = NULL; } @@ -2120,12 +2134,12 @@ ike_session_rebind_all_ph12_to_new_ph1 (phase1_handle_t *old_iph1, phase2_handle_t *next = NULL; if (old_iph1 == new_iph1 || !old_iph1 || !new_iph1) { - plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__); return; } if (old_iph1->parent_session != new_iph1->parent_session) { - plog(ASL_LEVEL_DEBUG, "Invalid parent sessions in %s.\n", __FUNCTION__); + plog(ASL_LEVEL_ERR, "Invalid parent sessions in %s.\n", __FUNCTION__); return; } diff --git a/ipsec-tools/racoon/ipsec_doi.c b/ipsec-tools/racoon/ipsec_doi.c index 0de36fd..5a30862 100644 --- a/ipsec-tools/racoon/ipsec_doi.c +++ b/ipsec-tools/racoon/ipsec_doi.c @@ -3011,7 +3011,7 @@ ipsecdoi_setph2proposal(phase2_handle_t *iph2, int return_sa) // IKEv1 sends encode mode in SA - uses diferent codes when NATT being used #ifdef ENABLE_NATT if (iph2->ph1->natt_flags & NAT_DETECTED) { - plog (ASL_LEVEL_INFO, "NAT detected -> UDP encapsulation\n"); + plog (ASL_LEVEL_NOTICE, "NAT detected -> UDP encapsulation\n"); b->udp_encap = 1; if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) { int udp_diff = iph2->ph1->natt_options->mode_udp_diff; diff --git a/ipsec-tools/racoon/ipsec_doi.h b/ipsec-tools/racoon/ipsec_doi.h index 6175286..476c369 100644 --- a/ipsec-tools/racoon/ipsec_doi.h +++ b/ipsec-tools/racoon/ipsec_doi.h 
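Review bot: The two ERR-level guard messages in ike_session_rebind_all_ph12_to_new_ph1 now differ in case: the first was normalized to `invalid parameters in %s.` while the second stays `Invalid parent sessions in %s.`, whereas the matching message in ike_session_update_ph2_ports and the other guards touched by this commit use lower case. Suggest `plog(ASL_LEVEL_ERR, "invalid parent sessions in %s.\n", __FUNCTION__);` so the file's error messages grep consistently. The function body continues outside the hunk.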
@@ -186,7 +186,7 @@ struct ipsecdoi_pl_id { #define IDTYPE_LOGIN 6 #define IDTYPE_SUBNET 7 #define IDTYPE_KEYIDUSE 8 -#define IDTYPE_MAX IDTYPE_KEYIDUSE +#define IDTYPE_MAX IDTYPE_KEYIDUSE + 1 /* shared secret type, it's internal use. */ #define SECRETTYPE_USE 0 diff --git a/ipsec-tools/racoon/isakmp.c b/ipsec-tools/racoon/isakmp.c index d7d6941..2e19673 100644 --- a/ipsec-tools/racoon/isakmp.c +++ b/ipsec-tools/racoon/isakmp.c @@ -70,9 +70,6 @@ #include #endif #include -#ifdef ENABLE_HYBRID -#include -#endif #include "var.h" #include "misc.h" @@ -170,7 +167,7 @@ isakmp_handler(int so_isakmp) int error = -1; if (slept_at || woke_at) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_DEBUG, /* this log is high volume */ "ignoring isakmp port until power-mgmt event is handled.\n"); return; } @@ -423,7 +420,7 @@ ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct socka session = ike_session_get_session(local, remote, 1, NULL); } if (!session) { - plog (ASL_LEVEL_INFO, "failed to allocate or find ike session.\n"); + plog (ASL_LEVEL_NOTICE, "failed to allocate or find ike session.\n"); fatal_error(-1); } @@ -436,7 +433,7 @@ ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct socka IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, CONSTSTR("Malformed or unexpected cookie"), CONSTSTR("Failed to process packet (malformed/unexpected cookie)")); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Malformed cookie received or " "the initiator's cookies collide.\n"); return; @@ -483,7 +480,7 @@ ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct socka iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; /* print some neat info */ - plog (ASL_LEVEL_INFO, + plog (ASL_LEVEL_NOTICE, "NAT-T: ports changed to: %s\n", saddr2str_fromto("%s<->%s", (struct sockaddr *)iph1->remote, (struct sockaddr *)iph1->local)); } 
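Review bot: `#define IDTYPE_MAX IDTYPE_KEYIDUSE + 1` expands unparenthesized, so any use of IDTYPE_MAX as an operand — `IDTYPE_MAX * n`, `x - IDTYPE_MAX`, a cast — binds the `+ 1` wrongly without a diagnostic. Write it as `#define IDTYPE_MAX (IDTYPE_KEYIDUSE + 1)`. The value also shifts in meaning from "largest valid id type" to "one past it", so any existing `<= IDTYPE_MAX` range check or `[IDTYPE_MAX + 1]` array elsewhere would need re-checking; none of those uses is visible here.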
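Review bot: Raising `Malformed cookie received or the initiator's cookies collide.` to ASL_LEVEL_NOTICE in ikev1_received_packet — and likewise `Malformed cookie received or the spi expired.` in the @@ -543 hunk and the per-payload `seen nptype=%u(%s)` line in isakmp_parsewoh (@@ -1281) — moves messages that any unauthenticated UDP sender can trigger, one or more per received packet, into the default log stream. For a daemon listening on the ISAKMP port that is a log-flooding vector, and the commit itself recognizes the pattern where it keeps the `ignoring isakmp port` line at DEBUG with `/* this log is high volume */`. Suggest keeping these three at ASL_LEVEL_DEBUG with the same comment, or rate-limiting them, and reserving NOTICE for once-per-negotiation events.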
@@ -543,7 +540,7 @@ ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct socka if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) != 0) { - plog(ASL_LEVEL_DEBUG, "Malformed cookie received " + plog(ASL_LEVEL_NOTICE, "Malformed cookie received " "or the spi expired.\n"); return; } @@ -726,7 +723,7 @@ ikev1_ph1begin_i(ike_session_t *session, struct remoteconf *rmconf, struct socka if (session == NULL) { session = ike_session_get_session(local, remote, 1, NULL); if (!session) { - plog (ASL_LEVEL_INFO, "failed to allocate or find ike session.\n"); + plog (ASL_LEVEL_NOTICE, "failed to allocate or find ike session.\n"); fatal_error(-1); } } @@ -771,7 +768,7 @@ ikev1_ph1begin_i(ike_session_t *session, struct remoteconf *rmconf, struct socka } if (ike_session_link_phase1(session, iph1) != 0) { - plog(ASL_LEVEL_DEBUG, "Failed to link ph1 to session\n"); + plog(ASL_LEVEL_NOTICE, "Failed to link ph1 to session\n"); ike_session_delph1(iph1); return -1; } @@ -799,12 +796,12 @@ ikev1_ph1begin_i(ike_session_t *session, struct remoteconf *rmconf, struct socka a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); STRDUP_FATAL(a); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "initiate new phase 1 negotiation: %s<=>%s\n", a, saddr2str((struct sockaddr *)iph1->remote)); racoon_free(a); } - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "begin %s mode.\n", s_isakmp_etype(iph1->etype)); @@ -881,12 +878,14 @@ ikev1_ph1begin_r(ike_session_t *session, vchar_t *msg, struct sockaddr_storage * iph1->version = isakmp->v; iph1->msgid = 0; - if (iph1->etype == ISAKMP_ETYPE_IDENT) + if (iph1->etype == ISAKMP_ETYPE_IDENT) { fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_START); - else if (iph1->etype == ISAKMP_ETYPE_AGG) + } else if (iph1->etype == ISAKMP_ETYPE_AGG) { fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_START); - else + } else { + ike_session_delph1(iph1); return -1; + } #ifdef ENABLE_HYBRID 
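Review bot: The new else branch in ikev1_ph1begin_r frees the handle and returns -1 without logging, while every other rejection path in this file emits a plog, so a peer proposing an unsupported exchange type leaves no trace in the log. Add, before `ike_session_delph1(iph1);`, `plog(ASL_LEVEL_ERR, "unsupported exchange type %s, rejecting Phase 1.\n", s_isakmp_etype(iph1->etype));` — s_isakmp_etype is already used later in this function. Freeing here is correct only if the handle is not yet linked into the session; in ikev1_ph1begin_i the link happens later via ike_session_link_phase1, so confirm the same order holds here, since that call is outside the hunk.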
@@ -927,12 +926,12 @@ ikev1_ph1begin_r(ike_session_t *session, vchar_t *msg, struct sockaddr_storage * a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); STRDUP_FATAL(a); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "respond new phase 1 negotiation: %s<=>%s\n", a, saddr2str((struct sockaddr *)iph1->remote)); racoon_free(a); } - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "begin %s mode.\n", s_isakmp_etype(etype)); #ifdef ENABLE_STATS @@ -970,7 +969,7 @@ ikev1_ph2begin_i(phase1_handle_t *iph1, phase2_handle_t *iph2) a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src)); STRDUP_FATAL(a); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "initiate new phase 2 negotiation: %s<=>%s\n", a, saddr2str((struct sockaddr *)iph2->dst)); racoon_free(a); @@ -1093,7 +1092,7 @@ ikev1_ph2begin_r(phase1_handle_t *iph1, vchar_t *msg) a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src)); STRDUP_FATAL(a); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "respond new phase 2 negotiation: %s<=>%s\n", a, saddr2str((struct sockaddr *)iph2->dst)); racoon_free(a); @@ -1147,7 +1146,7 @@ ikev1_phase1_established(phase1_handle_t *iph1) } else { memcpy(raddr->v, &addr->redirect_address, sizeof(u_int32_t)); (void)isakmp_info_send_n1(iph1, ISAKMP_NTYPE_LOAD_BALANCE, raddr); - plog(ASL_LEVEL_DEBUG, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address)); + plog(ASL_LEVEL_NOTICE, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address)); vfree(raddr); if (addr->force) { (void)ike_session_update_ph1_ph2tree(iph1); 
@@ -1281,19 +1280,19 @@ isakmp_parsewoh(np0, gen, len) if (tlen <= sizeof(struct isakmp_gen)) { /* don't send information, see isakmp_ident_r1() */ plog(ASL_LEVEL_ERR, - "invalid length of payload\n"); + "isakmp_parsewoh invalid length of payload (1)\n"); vfree(result); return NULL; } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np)); p->type = np; p->len = ntohs(gen->len); if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) { - plog(ASL_LEVEL_DEBUG, - "invalid length of payload\n"); + plog(ASL_LEVEL_NOTICE, + "isakmp_parsewoh invalid length of payload (2)\n"); vfree(result); return NULL; } @@ -1305,7 +1304,7 @@ isakmp_parsewoh(np0, gen, len) off = p - ALIGNED_CAST(struct isakmp_parse_t *)result->v; result = vrealloc(result, result->l * 2); if (result == NULL) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "failed to realloc buffer.\n"); vfree(result); return NULL; @@ -1461,7 +1460,7 @@ isakmp_open(void) IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *) p->addr)->sin6_addr)) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Ignoring multicast address %s\n", saddr2str((struct sockaddr *)p->addr)); racoon_free(p->addr); @@ -1633,7 +1632,7 @@ isakmp_open(void) dispatch_release(the_source); }); dispatch_resume(p->source); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "%s used as isakmp port (fd=%d)\n", saddr2str((struct sockaddr *)p->addr), p->sock); continue; @@ -1879,7 +1878,7 @@ isakmp_ph1resend(iph1) CONSTSTR(NULL)); } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Resend Phase 1 packet %s\n", isakmp_pindex(&iph1->index, iph1->msgid)); @@ -1965,7 +1964,7 @@ isakmp_ph2resend(iph2) CONSTSTR(NULL)); } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Resend Phase 2 packet %s\n", isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 
@@ -2012,7 +2011,7 @@ isakmp_ph1expire(iph1) STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "ISAKMP-SA expired %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); @@ -2071,7 +2070,7 @@ int ignore_sess_drop_policy; STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "ISAKMP-SA rekey-timer expired %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); @@ -2084,7 +2083,7 @@ int ignore_sess_drop_policy; // exit if there is another ph1 that is established (with a pending rekey timer) if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Request for ISAKMP-SA rekey was ignored " "due to another established ph1.\n"); return; @@ -2106,11 +2105,11 @@ int ignore_sess_drop_policy; if (rmconf) { /* begin quick mode */ - plog(ASL_LEVEL_DEBUG, "Begin Phase 1 rekey.\n"); + plog(ASL_LEVEL_NOTICE, "Begin Phase 1 rekey.\n"); /* start phase 1 negotiation as a initiator. */ if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0, &iph1->nat64_prefix) < 0) { - plog(ASL_LEVEL_DEBUG, "Phase 1 rekey Failed.\n"); + plog(ASL_LEVEL_NOTICE, "Phase 1 rekey Failed.\n"); } iph1->is_rekey = TRUE; } else { @@ -2143,7 +2142,7 @@ phase1_handle_t *iph1; STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "ISAKMP-SA rekey failed... retrying %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); @@ -2151,7 +2150,7 @@ phase1_handle_t *iph1; racoon_free(dst); if (ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "request for ISAKMP-SA rekey was ignored " "due to idleness.\n"); return 0; 
@@ -2159,7 +2158,7 @@ phase1_handle_t *iph1; // exit if there is another ph1 that is established (with a pending rekey timer) if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "request to retry ISAKMP-SA rekey was ignored " "due to another established ph1.\n"); return -1; @@ -2176,11 +2175,11 @@ phase1_handle_t *iph1; rmconf = getrmconf(iph1->remote); if (rmconf) { /* begin quick mode */ - plog(ASL_LEVEL_DEBUG, "begin Phase 1 rekey retry.\n"); + plog(ASL_LEVEL_NOTICE, "begin Phase 1 rekey retry.\n"); /* start phase 1 negotiation as a initiator. */ if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0, &iph1->nat64_prefix) < 0) { - plog(ASL_LEVEL_DEBUG, "Phase 1 rekey retry Failed.\n"); + plog(ASL_LEVEL_NOTICE, "Phase 1 rekey retry Failed.\n"); return -1; } iph1->is_rekey = TRUE; @@ -2228,7 +2227,10 @@ isakmp_ph1delete(iph1) STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, + "ISAKMP-SA deleted spi:%s\n", + isakmp_pindex(&iph1->index, 0)); + plog(ASL_LEVEL_DEBUG, "ISAKMP-SA deleted %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); racoon_free(src); @@ -2270,7 +2272,7 @@ isakmp_ph2expire(iph2) STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Phase 2 sa expired %s-%s\n", src, dst); racoon_free(src); racoon_free(dst); @@ -2317,7 +2319,7 @@ isakmp_ph2delete(iph2) STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Phase 2 sa deleted %s-%s\n", src, dst); racoon_free(src); racoon_free(dst); @@ -2352,7 +2354,7 @@ isakmp_post_acquire(phase2_handle_t *iph2) } /* if passive mode, ignore the acquire message */ if (rmconf->passive) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Because of passive mode, ignore the acquire message for %s.\n", saddrwop2str((struct sockaddr *)iph2->dst)); return 0; 
@@ -2362,7 +2364,7 @@ isakmp_post_acquire(phase2_handle_t *iph2) // what if there is another ph2 that is negotiating if (ike_session_has_other_negoing_ph2(iph2->parent_session, iph2)) { // TODO: postpone this rekey for a second later - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Request for establishing IPsec-SA was ignored due to another negoing ph2.\n"); return -1; } @@ -2382,19 +2384,19 @@ isakmp_post_acquire(phase2_handle_t *iph2) /* start phase 1 negotiation as a initiator. */ sched_new(1, isakmp_chkph1there_stub, iph2); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "IPsec-SA request for %s queued due to no Phase 1 found.\n", saddrwop2str((struct sockaddr *)iph2->dst)); // exit if there is another ph1 that is established (with a pending rekey timer) if (ike_session_has_negoing_ph1(iph2->parent_session)) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Request for Phase 1 was ignored due to another negotiating Phase 1.\n"); return 0; } if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0, &iph2->nat64_prefix) < 0) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Request for Phase 1 failed. Will try later.\n"); } return 0; @@ -2405,7 +2407,7 @@ isakmp_post_acquire(phase2_handle_t *iph2) if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { iph2->retry_checkph1 = lcconf->retry_checkph1; sched_new(1, isakmp_chkph1there_stub, iph2); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Request for establishing IPsec-SA was queued due to no phase1 found.\n"); return 0; /*NOTREACHED*/ @@ -2416,7 +2418,7 @@ isakmp_post_acquire(phase2_handle_t *iph2) /* found ISAKMP-SA. */ /* begin quick mode */ - plog(ASL_LEVEL_DEBUG, "Begin QUICK mode.\n"); + plog(ASL_LEVEL_NOTICE, "Begin QUICK mode.\n"); if (ikev1_ph2begin_i(iph1, iph2)) return -1; return 0; 
@@ -2484,7 +2486,7 @@ isakmp_chkph1there(iph2) if ((iph2->version == ISAKMP_VERSION_NUMBER_IKEV1 && iph2->status != IKEV1_STATE_QUICK_I_START) || iph2->is_dying) { - plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: ph2 handle has advanced too far (status %d, START %d, dying %d)... ignoring\n", iph2->status, IKEV1_STATE_QUICK_I_START, iph2->is_dying); + plog(ASL_LEVEL_NOTICE, "CHKPH1THERE: ph2 handle has advanced too far (status %d, START %d, dying %d)... ignoring\n", iph2->status, IKEV1_STATE_QUICK_I_START, iph2->is_dying); return; } @@ -2505,7 +2507,7 @@ isakmp_chkph1there(iph2) sadbsecas2str(iph2->dst, iph2->src, iph2->satype, 0, 0)); } - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "delete Phase 2 handler.\n"); /* send acquire to kernel as error */ @@ -2545,14 +2547,14 @@ isakmp_chkph1there(iph2) /* start phase 1 negotiation as a initiator. */ if (rmconf) { if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0, iph1 != NULL ? &iph1->nat64_prefix : NULL) < 0) { - plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n"); + plog(ASL_LEVEL_NOTICE, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n"); } } else if (rmconf == NULL) { - plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no remoteconf found... failed to initiate new one\n"); + plog(ASL_LEVEL_NOTICE, "CHKPH1THERE: no remoteconf found... failed to initiate new one\n"); } } - plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established ph1 handler found\n"); + plog(ASL_LEVEL_NOTICE, "CHKPH1THERE: no established ph1 handler found\n"); /* no isakmp-sa found */ sched_new(1, isakmp_chkph1there_stub, iph2); @@ -3121,7 +3123,7 @@ copy_ph1addresses(iph1, rmconf, remote, local) } #ifdef ENABLE_NATT if ( port != NULL && *port == htons(lcconf->port_isakmp_natt) ) { - plog (ASL_LEVEL_DEBUG, "Marking ports as changed\n"); + plog (ASL_LEVEL_NOTICE, "Marking ports as changed\n"); iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER; } #endif 
@@ -3140,10 +3142,13 @@ log_ph1established(iph1) STRDUP_FATAL(src); STRDUP_FATAL(dst); - plog(ASL_LEVEL_INFO, - "ISAKMP-SA established %s-%s spi:%s\n", - src, dst, + plog(ASL_LEVEL_NOTICE, + "ISAKMP-SA established spi:%s\n", isakmp_pindex(&iph1->index, 0)); + plog(ASL_LEVEL_DEBUG, + "ISAKMP-SA established %s-%s spi:%s\n", + src, dst, + isakmp_pindex(&iph1->index, 0)); racoon_free(src); racoon_free(dst); @@ -3274,7 +3279,7 @@ purge_remote(iph1) phase2_handle_t *iph2; phase1_handle_t *new_iph1; - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "purging ISAKMP-SA spi=%s.\n", isakmp_pindex(&(iph1->index), iph1->msgid)); @@ -3289,7 +3294,7 @@ purge_remote(iph1) */ buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); if (buf == NULL) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "pfkey_dump_sadb returned nothing.\n"); return; } @@ -3349,7 +3354,7 @@ purge_remote(iph1) if (iph2 == NULL) { /* No handler... still send a pfkey_delete message, but log this !*/ - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Unknown IPsec-SA spi=%u, hmmmm?\n", ntohl(sa->sadb_sa_spi)); }else{ @@ -3366,7 +3371,7 @@ purge_remote(iph1) /* If the ph2handle is established, do not purge IPsec-SA */ if (FSM_STATE_IS_ESTABLISHED_OR_EXPIRED(iph2->status)) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n", ntohl(sa->sadb_sa_spi), isakmp_pindex(&(new_iph1->index), new_iph1->msgid)); @@ -3388,7 +3393,7 @@ purge_remote(iph1) ike_session_unlink_phase2(iph2); } - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "purged IPsec-SA spi=%u.\n", ntohl(sa->sadb_sa_spi)); @@ -3399,7 +3404,7 @@ purge_remote(iph1) vfree(buf); /* Mark the phase1 handler as EXPIRED */ - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "purged ISAKMP-SA spi=%s.\n", isakmp_pindex(&(iph1->index), iph1->msgid)); 
@@ -3429,7 +3434,7 @@ delete_spd(iph2) int error; int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */ - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "generated policy, deleting it.\n"); memset(&u.spidx, 0, sizeof(u.spidx)); @@ -3482,7 +3487,7 @@ delete_spd(iph2) } else { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Get a destination address of SP index " "from Phase 1 address " "due to no ID payloads found " @@ -3546,7 +3551,7 @@ delete_spd(iph2) } } else { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Get a source address of SP index " "from Phase 1 address " "due to no ID payloads found " @@ -3573,12 +3578,16 @@ delete_spd(iph2) #undef _XIDT - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, + "get src/dst address from ID payload " + "prefixlen=%u ul_proto=%u\n", + u.spidx.prefs, u.spidx.ul_proto); + plog(ASL_LEVEL_DEBUG, "get a src address from ID payload " "%s prefixlen=%u ul_proto=%u\n", saddr2str((struct sockaddr *)&u.spidx.src), u.spidx.prefs, u.spidx.ul_proto); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_DEBUG, "get dst address from ID payload " "%s prefixlen=%u ul_proto=%u\n", saddr2str((struct sockaddr *)&u.spidx.dst), @@ -3600,7 +3609,7 @@ delete_spd(iph2) plog(ASL_LEVEL_ERR, "pfkey spddelete(inbound) failed.\n"); }else{ - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "pfkey spddelete(inbound) sent.\n"); } @@ -3612,7 +3621,7 @@ delete_spd(iph2) plog(ASL_LEVEL_ERR, "pfkey spddelete(forward) failed.\n"); }else{ - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "pfkey spddelete(forward) sent.\n"); } } @@ -3633,7 +3642,7 @@ delete_spd(iph2) plog(ASL_LEVEL_ERR, "pfkey spddelete(outbound) failed.\n"); }else{ - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "pfkey spddelete(outbound) sent.\n"); } purge: 
@@ -3696,7 +3705,7 @@ isakmp_plist_append_initial_contact (iph1, plist) cptr = notp_ini->v + sizeof(struct isakmp_pl_n) - sizeof(struct isakmp_gen); memcpy(cptr, &iph1->index, sizeof(isakmp_index)); plist = isakmp_plist_append(plist, notp_ini, ISAKMP_NPTYPE_N); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "added initial-contact payload.\n"); /* insert a node into contacted list. */ @@ -3712,7 +3721,7 @@ isakmp_plist_append_initial_contact (iph1, plist) return NULL; } } else { - plog(ASL_LEVEL_DEBUG, "failed to add initial-contact payload: rekey %d, ini-contact %d, contacted %d.\n", + plog(ASL_LEVEL_NOTICE, "failed to add initial-contact payload: rekey %d, ini-contact %d, contacted %d.\n", iph1->is_rekey? 1:0, iph1->rmconf->ini_contact, ike_session_getcontacted(iph1->remote)? 1:0); } return NULL; diff --git a/ipsec-tools/racoon/isakmp_agg.c b/ipsec-tools/racoon/isakmp_agg.c index 9a3ccfb..13bf4d3 100644 --- a/ipsec-tools/racoon/isakmp_agg.c +++ b/ipsec-tools/racoon/isakmp_agg.c @@ -61,10 +61,6 @@ #include "schedule.h" #include "debug.h" -#ifdef ENABLE_HYBRID -#include -#endif - #include "fsm.h" #include "localconf.h" #include "remoteconf.h" @@ -519,6 +515,7 @@ agg_i2recv(iph1, msg) if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) { plog(ASL_LEVEL_ERR, "failed to process NATD payload"); + racoon_free(natd); goto end; } @@ -578,7 +575,7 @@ agg_i2recv(iph1, msg) struct natd_payload *natd = NULL; int natd_verified; - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Selected NAT-T version: %s\n", vid_string_by_id(iph1->natt_options->version)); @@ -592,7 +589,7 @@ agg_i2recv(iph1, msg) natd_verified = natt_compare_addr_hash (iph1, natd->payload, natd->seq); - plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n", + plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n", natd->seq - 1, natd_verified ? "verified" : "doesn't match"); 
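Review bot: The added `racoon_free(natd);` in agg_i2recv closes the leak of the container, but if isakmp_p2ph can fail after allocating `natd->payload` (not visible here) that vchar still leaks on the `goto end` path; if it can, release it first with `vfree(natd->payload);` (assuming vfree tolerates NULL — confirm). The error message on the preceding line is also the only plog in this hunk without a trailing `\n`; make it `"failed to process NATD payload\n"` for consistency with the rest of the file. agg_i2recv continues outside the hunk.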
@@ -602,7 +599,7 @@ agg_i2recv(iph1, msg) racoon_free (natd); } - plog (ASL_LEVEL_INFO, "NAT %s %s%s\n", + plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n", iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", @@ -806,7 +803,7 @@ agg_i3send(iph1, msg) #ifdef ENABLE_NATT /* generate NAT-D payloads */ if (NATT_AVAILABLE(iph1)) { - plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n"); + plog (ASL_LEVEL_NOTICE, "Adding remote and local NAT-D payloads.\n"); if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { plog(ASL_LEVEL_ERR, "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); @@ -1048,7 +1045,7 @@ agg_r1recv(iph1, msg) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Selected NAT-T version: %s\n", vid_string_by_id(iph1->natt_options->version)); ike_session_update_natt_version(iph1); @@ -1232,7 +1229,7 @@ agg_r2send(iph1, msg) vid_natt = set_vendorid(iph1->natt_options->version); /* generate NAT-D payloads */ - plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n"); + plog (ASL_LEVEL_NOTICE, "Adding remote and local NAT-D payloads.\n"); if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { plog(ASL_LEVEL_ERR, "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); @@ -1346,7 +1343,7 @@ agg_r2send(iph1, msg) #ifdef ENABLE_HYBRID if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { - plog (ASL_LEVEL_INFO, "Adding xauth VID payload.\n"); + plog (ASL_LEVEL_NOTICE, "Adding xauth VID payload.\n"); if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) { plog(ASL_LEVEL_ERR, "Cannot create Xauth vendor ID\n"); 
@@ -1570,7 +1567,7 @@ agg_r3recv(iph1, msg0) natd_verified = natt_compare_addr_hash (iph1, natd_received, natd_seq++); - plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n", + plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n", natd_seq - 1, natd_verified ? "verified" : "doesn't match"); @@ -1594,7 +1591,7 @@ agg_r3recv(iph1, msg0) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) - plog (ASL_LEVEL_INFO, "NAT %s %s%s\n", + plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n", iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", diff --git a/ipsec-tools/racoon/isakmp_cfg.c b/ipsec-tools/racoon/isakmp_cfg.c index 3092a92..da12c1d 100644 --- a/ipsec-tools/racoon/isakmp_cfg.c +++ b/ipsec-tools/racoon/isakmp_cfg.c @@ -74,7 +74,6 @@ #include #endif #include -#include #include "var.h" #include "misc.h" @@ -187,7 +186,7 @@ isakmp_cfg_r(iph1, msg) return; } - plog(ASL_LEVEL_DEBUG, "MODE_CFG packet\n"); + plog(ASL_LEVEL_NOTICE, "MODE_CFG packet\n"); /* Now work with the decrypted packet */ packet = (struct isakmp *)dmsg->v; @@ -310,7 +309,7 @@ isakmp_cfg_attr_r(iph1, msgid, attrpl, msg) { int type = attrpl->type; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type)); switch (type) { case ISAKMP_CFG_ACK: @@ -684,7 +683,7 @@ isakmp_cfg_request(iph1, attrpl, msg) reply->type = ISAKMP_CFG_REPLY; reply->id = attrpl->id; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Sending MODE_CFG REPLY\n"); error = isakmp_cfg_send(iph1, payload, @@ -771,7 +770,7 @@ isakmp_cfg_set(iph1, attrpl, msg) reply->type = ISAKMP_CFG_ACK; reply->id = attrpl->id; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Sending MODE_CFG ACK\n"); error = isakmp_cfg_send(iph1, payload, 
@@ -1261,7 +1260,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
 isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
 #endif
-plog(ASL_LEVEL_DEBUG, "MODE_CFG packet to send\n");
+plog(ASL_LEVEL_NOTICE, "MODE_CFG packet to send\n");
 /* encoding */
 if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
@@ -1311,7 +1310,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
 } }
-plog(ASL_LEVEL_DEBUG,
+plog(ASL_LEVEL_NOTICE,
 "sendto mode config %s.\n", s_isakmp_nptype(np));
 /*
@@ -1421,7 +1420,7 @@ isakmp_cfg_getport(iph1)
 isakmp_cfg_config.port_pool[i].used = 1;
-plog(ASL_LEVEL_INFO, "Using port %d\n", i);
+plog(ASL_LEVEL_NOTICE, "Using port %d\n", i);
 iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED;
 iph1->mode_cfg->port = i;
@@ -1450,7 +1449,7 @@ isakmp_cfg_putport(iph1, index)
 isakmp_cfg_config.port_pool[index].used = 0;
 iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;
-plog(ASL_LEVEL_INFO, "Released port %d\n", index);
+plog(ASL_LEVEL_NOTICE, "Released port %d\n", index);
 return 0;
 }
@@ -1534,7 +1533,7 @@ isakmp_cfg_getconfig(iph1)
 } }
-plog(ASL_LEVEL_DEBUG,
+plog(ASL_LEVEL_NOTICE,
 "Sending MODE_CFG REQUEST\n");
 error = isakmp_cfg_send(iph1, buffer,
@@ -1657,7 +1656,7 @@ isakmp_cfg_resize_pool(size)
 if (size == isakmp_cfg_config.pool_size) return 0;
-plog(ASL_LEVEL_INFO,
+plog(ASL_LEVEL_NOTICE,
 "Resize address pool from %zu to %d\n", isakmp_cfg_config.pool_size, size);
diff --git a/ipsec-tools/racoon/isakmp_cfg.h b/ipsec-tools/racoon/isakmp_cfg.h
index 56dfe43..78622c9 100644
--- a/ipsec-tools/racoon/isakmp_cfg.h
+++ b/ipsec-tools/racoon/isakmp_cfg.h
@@ -35,7 +35,6 @@
 #include "racoon_types.h"
-#include
@@ -62,6 +61,10 @@
 /* For the wins servers -- XXX find the value somewhere ? */
 #define MAXWINS 4
+#ifndef MAXNS
+#define MAXNS 3
+#endif
+
 /*
 * Global configuration for ISAKMP mode confiration address allocation
 * Read from the mode_cfg section of racoon.conf
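Review bot: The context line beside the changed plog in isakmp_cfg_putport, `iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;`, keeps only the PORT_ALLOCATED bit and discards every other mode_cfg flag, so after "Released port" the allocation bit that the getport hunk above sets with `|=` still reads as set; the commit raises the log level on the next line but leaves this untouched. Unless keeping the bit is intentional, the release should be `iph1->mode_cfg->flags &= ~ISAKMP_CFG_PORT_ALLOCATED;`. The body of isakmp_cfg_putport starts outside the hunk, so I cannot see whether a caller compensates for this.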
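Review bot: The new `MAXNS` fallback in isakmp_cfg.h replaces the include removed in the `@@ -35,7 +35,6 @@` hunk (the header name is lost in this rendering) without saying what it stands in for, so a reader cannot tell whether 3 must track the resolver's own definition or is an independent limit of this file. A comment on the `#ifndef MAXNS` line such as `/* fallback when the resolver header is not included; keep equal to the resolver's MAXNS if the arrays it sizes are passed to resolver APIs */` would pin that down. If a later include in some translation unit defines MAXNS with a different value the compiler will report a redefinition, which is the desired outcome, but a mismatch that never surfaces because both values happen to be 3 today is what the comment should guard against.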
diff --git a/ipsec-tools/racoon/isakmp_ident.c b/ipsec-tools/racoon/isakmp_ident.c index 71fbd5a..6c1a293 100644 --- a/ipsec-tools/racoon/isakmp_ident.c +++ b/ipsec-tools/racoon/isakmp_ident.c @@ -79,7 +79,6 @@ #include "nattraversal.h" #endif #ifdef ENABLE_HYBRID -#include #include "isakmp_xauth.h" #include "isakmp_cfg.h" #endif @@ -374,7 +373,7 @@ ident_i2recv(iph1, msg) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Selected NAT-T version: %s\n", vid_string_by_id(iph1->natt_options->version)); ike_session_update_natt_version(iph1); @@ -623,7 +622,7 @@ ident_i4recv(iph1, msg) natd_verified = natt_compare_addr_hash (iph1, natd_received, natd_seq++); - plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n", + plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n", natd_seq - 1, natd_verified ? "verified" : "doesn't match"); @@ -647,7 +646,7 @@ ident_i4recv(iph1, msg) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) { - plog (ASL_LEVEL_INFO, "NAT %s %s%s\n", + plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n", iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", @@ -1146,7 +1145,7 @@ ident_r1recv(iph1, msg) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Selected NAT-T version: %s\n", vid_string_by_id(iph1->natt_options->version)); ike_session_update_natt_version(iph1); @@ -1231,7 +1230,7 @@ ident_r2send(iph1, msg) #ifdef ENABLE_HYBRID if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { - plog (ASL_LEVEL_INFO, "Adding xauth VID payload.\n"); + plog (ASL_LEVEL_NOTICE, "Adding xauth VID payload.\n"); if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) { plog(ASL_LEVEL_ERR, "Cannot create Xauth vendor ID\n"); 
@@ -1431,7 +1430,7 @@ ident_r3recv(iph1, msg) natd_verified = natt_compare_addr_hash (iph1, natd_received, natd_seq++); - plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n", + plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n", natd_seq - 1, natd_verified ? "verified" : "doesn't match"); @@ -1455,7 +1454,7 @@ ident_r3recv(iph1, msg) #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) - plog (ASL_LEVEL_INFO, "NAT %s %s%s\n", + plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n", iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", @@ -2015,7 +2014,7 @@ ident_ir2mx(iph1) goto end; } - plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n"); + plog (ASL_LEVEL_NOTICE, "Adding remote and local NAT-D payloads.\n"); /* old Apple version sends natd payloads in the wrong order */ if (iph1->natt_options->version == VENDORID_NATT_APPLE) { plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); diff --git a/ipsec-tools/racoon/isakmp_inf.c b/ipsec-tools/racoon/isakmp_inf.c index 7c10ffd..0f1ed28 100644 --- a/ipsec-tools/racoon/isakmp_inf.c +++ b/ipsec-tools/racoon/isakmp_inf.c @@ -61,9 +61,6 @@ # include # endif #endif -#ifdef ENABLE_HYBRID -#include -#endif #include "libpfkey.h" @@ -134,7 +131,7 @@ isakmp_ph1_responder_lifetime (phase1_handle_t *iph1, struct isakmp_pl_resp_life } spi = val2str((char *)(notify + 1), notify->spi_size); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "notification message ISAKMP-SA RESPONDER-LIFETIME, " "doi=%d proto_id=%d spi=%s(size=%d).\n", ntohl(notify->doi), notify->proto_id, spi, notify->spi_size); @@ -165,7 +162,7 @@ isakmp_ph2_responder_lifetime (phase2_handle_t *iph2, struct isakmp_pl_resp_life } spi = val2str((char *)(notify + 1), notify->spi_size); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "notification message IPSEC-SA RESPONDER-LIFETIME, " "doi=%d proto_id=%d spi=%s(size=%d).\n", ntohl(notify->doi), notify->proto_id, spi, notify->spi_size); 
@@ -200,7 +197,7 @@ isakmp_info_recv(phase1_handle_t *iph1, vchar_t *msg0) int flag = 0; int disconnect = 0; - plog(ASL_LEVEL_DEBUG, "receive Information.\n"); + plog(ASL_LEVEL_NOTICE, "receive Information.\n"); encrypted = ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E); msgid = ((struct isakmp *)msg0->v)->msgid; @@ -551,7 +548,7 @@ isakmp_info_recv_n(phase1_handle_t *iph1, struct isakmp_pl_n *notify, u_int32_t } spi = val2str((char *)(notify + 1), notify->spi_size); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Notification message %d:%s, " "doi=%d proto_id=%d spi=%s(size=%d).\n", type, s_isakmp_notify_msg(type), @@ -677,7 +674,7 @@ isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t return 0; } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "delete payload for protocol %s\n", s_ipsecdoi_proto(delete->proto_id)); @@ -727,7 +724,7 @@ isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t #endif if (del_ph1->rmconf->natt_multiple_user && del_ph1->parent_session->is_l2tpvpn_ipsec) { - plog(ASL_LEVEL_DEBUG, "Ignoring IKE delete from peer for L2TP server\n"); + plog(ASL_LEVEL_NOTICE, "Ignoring IKE delete from peer for L2TP server\n"); break; } isakmp_ph1expire(del_ph1); @@ -750,7 +747,7 @@ isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t if (iph2 != NULL) { iph2->is_defunct = 1; - plog(ASL_LEVEL_DEBUG, "Ignoring SA delete from peer for L2TP server\n"); + plog(ASL_LEVEL_NOTICE, "Ignoring SA delete from peer for L2TP server\n"); break; } } @@ -785,7 +782,7 @@ isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t return 0; } - plog(ASL_LEVEL_DEBUG, "purged SAs.\n"); + plog(ASL_LEVEL_NOTICE, "purged SAs.\n"); return 0; } 
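Review bot: `plog(ASL_LEVEL_NOTICE, "receive Information.\n")` in isakmp_info_recv now produces a NOTICE entry for every Informational exchange, and the `encrypted` flag computed on the following line shows this runs before the message is known to be protected, so unsolicited or replayed packets from any source generate log lines at a level that is normally retained. The `Notify Message received` and `Phase 2 Notify Message received` lines in isakmp_check_notify and isakmp_check_ph2_notify on the later hunks have the same property. Keeping the bare receipt line at DEBUG, or logging at NOTICE only once the payload has been validated (the `Notification message %d:%s` line in isakmp_info_recv_n already sits after that point), preserves the diagnosability this commit is after without letting packet arrival drive log volume.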
@@ -878,7 +875,7 @@ isakmp_info_send_d2(phase2_handle_t *iph2) IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL, CONSTSTR("Delete IPSEC-SA"), CONSTSTR("Failed to transmit Delete-IPSEC-SA message")); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "No ph1 handler found, could not send DELETE_SA\n"); return 0; } @@ -1369,7 +1366,7 @@ isakmp_info_send_common(phase1_handle_t *iph1, vchar_t *payload, u_int32_t np, i goto err; } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "sendto Information %s.\n", s_isakmp_nptype(np)); /* @@ -1468,7 +1465,7 @@ purge_ipsec_spi(struct sockaddr_storage *dst0, int proto, u_int32_t *spi /*netwo buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto)); if (buf == NULL) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "pfkey_dump_sadb returned nothing.\n"); return; } @@ -1553,7 +1550,7 @@ purge_ipsec_spi(struct sockaddr_storage *dst0, int proto, u_int32_t *spi /*netwo } } - plog(ASL_LEVEL_INFO, "Purged IPsec-SA proto_id=%s spi=%u.\n", + plog(ASL_LEVEL_NOTICE, "Purged IPsec-SA proto_id=%s spi=%u.\n", s_ipsecdoi_proto(proto), ntohl(spi[i])); } @@ -1608,7 +1605,7 @@ info_recv_initialcontact(phase1_handle_t *iph1) for (i = 0; i < pfkey_nsatypes; i++) { proto_id = pfkey2ipsecdoi_proto(pfkey_satypes[i].ps_satype); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "purging %s SAs for %s -> %s\n", pfkey_satypes[i].ps_name, loc, rem); if (pfkey_send_delete_all(lcconf->sock_pfkey, @@ -1623,7 +1620,7 @@ info_recv_initialcontact(phase1_handle_t *iph1) ike_session_deleteallph2(iph1->local, iph1->remote, proto_id); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "purging %s SAs for %s -> %s\n", pfkey_satypes[i].ps_name, rem, loc); if (pfkey_send_delete_all(lcconf->sock_pfkey, @@ -1650,7 +1647,7 @@ info_recv_initialcontact(phase1_handle_t *iph1) buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); if (buf == NULL) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "pfkey_dump_sadb returned nothing.\n"); return; } 
@@ -1747,7 +1744,7 @@ info_recv_initialcontact(phase1_handle_t *iph1) continue; } - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "purging spi=%u.\n", ntohl(sa->sadb_sa_spi)); pfkey_send_delete(lcconf->sock_pfkey, msg->sadb_msg_satype, @@ -1776,7 +1773,7 @@ isakmp_check_notify(struct isakmp_gen *gen /* points to Notify payload */, phase { struct isakmp_pl_n *notify = (struct isakmp_pl_n *)gen; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Notify Message received\n"); switch (ntohs(notify->type)) { @@ -1816,7 +1813,7 @@ isakmp_check_ph2_notify(struct isakmp_gen *gen /* points to Notify payload */, p { struct isakmp_pl_n *notify = (struct isakmp_pl_n *)gen; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Phase 2 Notify Message received\n"); switch (ntohs(notify->type)) { @@ -1861,18 +1858,18 @@ isakmp_info_recv_lb(phase1_handle_t *iph1, struct isakmp_pl_lb *n, int encrypted if (iph1->side != INITIATOR) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "LOAD-BALANCE notification ignored - we are not the initiator.\n"); return 0; } if (!encrypted) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "LOAD-BALANCE notification ignored - not protected.\n"); return 0; } if (ntohs(n->h.len) != sizeof(struct isakmp_pl_lb)) { - plog(ASL_LEVEL_DEBUG, - "Invalid length of payload\n"); + plog(ASL_LEVEL_NOTICE, + "isakmp_info_recv_lb Invalid length of payload\n"); return -1; } @@ -1883,7 +1880,7 @@ isakmp_info_recv_lb(phase1_handle_t *iph1, struct isakmp_pl_lb *n, int encrypted "Received LOAD_BALANCE notification.\n"); if (((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr != ntohl(n->address)) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "Deleting old Phase 1 because of LOAD_BALANCE notification - redirect address=%x.\n", ntohl(n->address)); 
@@ -1906,7 +1903,7 @@ isakmp_info_recv_r_u (phase1_handle_t *iph1, struct isakmp_pl_ru *ru, u_int32_t int tlen; int error = 0; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "DPD R-U-There received\n"); /* XXX should compare cookies with iph1->index? @@ -1950,7 +1947,7 @@ isakmp_info_recv_r_u (phase1_handle_t *iph1, struct isakmp_pl_ru *ru, u_int32_t CONSTSTR(NULL)); } - plog(ASL_LEVEL_DEBUG, "received a valid R-U-THERE, ACK sent\n"); + plog(ASL_LEVEL_NOTICE, "received a valid R-U-THERE, ACK sent\n"); /* Should we mark tunnel as active ? */ return error; @@ -1960,7 +1957,7 @@ static int isakmp_info_recv_r_u_ack (phase1_handle_t *iph1, struct isakmp_pl_ru *ru, u_int32_t msgid) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "DPD R-U-There-Ack received\n"); /* XXX Maintain window of acceptable sequence numbers ? @@ -2002,7 +1999,7 @@ isakmp_info_recv_r_u_ack (phase1_handle_t *iph1, struct isakmp_pl_ru *ru, u_int3 CONSTSTR("Responder DPD Response"), CONSTSTR(NULL)); } - plog(ASL_LEVEL_DEBUG, "received an R-U-THERE-ACK\n"); + plog(ASL_LEVEL_NOTICE, "received an R-U-THERE-ACK\n"); #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_peer_resp_ph1(1, iph1); @@ -2027,7 +2024,7 @@ isakmp_info_send_r_u(void *arg) int error = 0; if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { - plog(ASL_LEVEL_DEBUG, "DPD r-u send aborted, invalid Phase 1 status %d....\n", + plog(ASL_LEVEL_NOTICE, "DPD r-u send aborted, invalid Phase 1 status %d....\n", iph1->status); return; } @@ -2041,7 +2038,7 @@ isakmp_info_send_r_u(void *arg) (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PEER_DEAD, FROM_LOCAL, iph1_get_remote_v4_address(iph1), 0, NULL); purge_remote(iph1); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "DPD: remote seems to be dead\n"); /* Do not reschedule here: phase1 is deleted, 
@@ -2105,7 +2102,7 @@ isakmp_info_send_r_u(void *arg) CONSTSTR("Responder DPD Request"), CONSTSTR(NULL)); } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "DPD R-U-There sent (%d)\n", error); /* will be decreased if ACK received... */ @@ -2115,7 +2112,7 @@ isakmp_info_send_r_u(void *arg) * will be deleted/rescheduled if ACK received before */ isakmp_sched_r_u(iph1, 1); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "rescheduling send_r_u (%d).\n", iph1->rmconf->dpd_retry); } @@ -2126,12 +2123,12 @@ static void isakmp_info_monitor_r_u_algo_inbound_detect (phase1_handle_t *iph1) { if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { - plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) aborted, invalid Phase 1 status %d....\n", + plog(ASL_LEVEL_NOTICE, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) aborted, invalid Phase 1 status %d....\n", iph1->status); return; } - plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) ....\n"); + plog(ASL_LEVEL_NOTICE, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) ....\n"); // check phase1 for ike packets received from peer if (iph1->peer_sent_ike) { @@ -2141,7 +2138,7 @@ isakmp_info_monitor_r_u_algo_inbound_detect (phase1_handle_t *iph1) /* ike packets received from peer... reschedule dpd */ isakmp_sched_r_u(iph1, 0); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "ike packets received from peer... reschedule monitor.\n"); return; @@ -2153,7 +2150,7 @@ isakmp_info_monitor_r_u_algo_inbound_detect (phase1_handle_t *iph1) } else { isakmp_sched_r_u(iph1, 0); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "rescheduling DPD monitoring (for ALGORITHM_INBOUND_DETECT).\n"); } iph1->parent_session->peer_sent_data_sc_dpd = 0; 
@@ -2166,12 +2163,12 @@ static void isakmp_info_monitor_r_u_algo_blackhole_detect (phase1_handle_t *iph1) { if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { - plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) aborted, invalid Phase 1 status %d....\n", + plog(ASL_LEVEL_NOTICE, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) aborted, invalid Phase 1 status %d....\n", iph1->status); return; } - plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) ....\n"); + plog(ASL_LEVEL_NOTICE, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) ....\n"); // check if data was sent but none was received if (iph1->parent_session->i_sent_data_sc_dpd && @@ -2180,7 +2177,7 @@ isakmp_info_monitor_r_u_algo_blackhole_detect (phase1_handle_t *iph1) } else { isakmp_sched_r_u(iph1, 0); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "rescheduling DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) i = %d, peer %d.\n", iph1->parent_session->i_sent_data_sc_dpd, iph1->parent_session->peer_sent_data_sc_dpd); @@ -2203,7 +2200,7 @@ isakmp_info_monitor_r_u(void *arg) } else if (iph1->rmconf->dpd_algo == DPD_ALGO_BLACKHOLE_DETECT) { isakmp_info_monitor_r_u_algo_blackhole_detect(iph1); } else { - plog(ASL_LEVEL_DEBUG, "DPD monitoring aborted, invalid algorithm %d....\n", + plog(ASL_LEVEL_NOTICE, "DPD monitoring aborted, invalid algorithm %d....\n", iph1->rmconf->dpd_algo); } } @@ -2260,7 +2257,7 @@ isakmp_reschedule_info_monitor_if_pending (phase1_handle_t *iph1, char *reason) isakmp_sched_r_u(iph1, 0); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "%s... rescheduling send_r_u.\n", reason); } diff --git a/ipsec-tools/racoon/isakmp_quick.c b/ipsec-tools/racoon/isakmp_quick.c index 808ce2b..b31a34c 100644 --- a/ipsec-tools/racoon/isakmp_quick.c +++ b/ipsec-tools/racoon/isakmp_quick.c @@ -53,9 +53,6 @@ # include # endif #endif -#ifdef ENABLE_HYBRID -#include -#endif #ifndef HAVE_NETINET6_IPSEC #include 
@@ -1385,7 +1382,8 @@ quick_r1recv(iph2, msg0) plog(ASL_LEVEL_ERR, "failed to generate a proposal template " "from client's proposal.\n"); - return ISAKMP_INTERNAL_ERROR; + error = ISAKMP_INTERNAL_ERROR; + goto end; } /*FALLTHROUGH*/ case 0: @@ -2610,11 +2608,11 @@ get_proposal_r_remote(iph2, ignore_id) if (sp_in == NULL || sp_in->policy == IPSEC_POLICY_GENERATE) { if (iph2->ph1->rmconf->gen_policy) { if (sp_in) - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "Update the generated policy : %s\n", spidx2str(&spidx)); else - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "no policy found, " "try to generate the policy : %s\n", spidx2str(&spidx)); diff --git a/ipsec-tools/racoon/isakmp_unity.c b/ipsec-tools/racoon/isakmp_unity.c index 53943b0..75d5dd1 100644 --- a/ipsec-tools/racoon/isakmp_unity.c +++ b/ipsec-tools/racoon/isakmp_unity.c @@ -61,7 +61,6 @@ #include #endif #include -#include #include "var.h" #include "misc.h" diff --git a/ipsec-tools/racoon/isakmp_xauth.c b/ipsec-tools/racoon/isakmp_xauth.c index d2e8d02..1c005d0 100644 --- a/ipsec-tools/racoon/isakmp_xauth.c +++ b/ipsec-tools/racoon/isakmp_xauth.c @@ -61,7 +61,6 @@ #include #endif #include -#include #ifdef HAVE_SHADOW_H #include @@ -121,7 +120,7 @@ xauth_sendreq(iph1) return; } - plog(ASL_LEVEL_INFO, "Sending Xauth request\n"); + plog(ASL_LEVEL_NOTICE, "Sending Xauth request\n"); tlen = sizeof(*attr) + + sizeof(*typeattr) + @@ -344,7 +343,7 @@ xauth_reply(iph1, port, id, res) char *usr = xst->authdata.generic.usr; if (iph1->is_dying) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "dropped login for user \"%s\"\n", usr); return -1; } @@ -353,7 +352,7 @@ xauth_reply(iph1, port, id, res) if (port != -1) isakmp_cfg_putport(iph1, port); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "login failed for user \"%s\"\n", usr); xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id); 
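Review bot: The xauth_reply hunks raise `dropped login for user \"%s\"` and `login failed for user \"%s\"` to NOTICE, which places the submitted username, including whatever a peer typed into a failed attempt, into the default-retained log; the `login succeeded` and group_check lines on the next line of this diff do the same. Elsewhere in this commit (pk_recvupdate, pk_recvadd, delete_spd) the identifying detail is kept at DEBUG and only the counters and outcome go to NOTICE, so these hunks are inconsistent with that pattern. If usernames at NOTICE are wanted, a comment at the first of them, `/* usernames are intentionally logged at NOTICE for audit */`, would make the choice explicit; otherwise log the outcome at NOTICE and the name at DEBUG.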
@@ -368,7 +367,7 @@ xauth_reply(iph1, port, id, res)
 }
 xst->status = XAUTHST_OK;
-plog(ASL_LEVEL_INFO,
+plog(ASL_LEVEL_NOTICE,
 "login succeeded for user \"%s\"\n", usr);
 xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
@@ -471,7 +470,7 @@ xauth_group_system(usr, grp)
 while ((member = gr->gr_mem[index++])!=NULL) {
 if (!strcmp(member,usr)) {
-plog(ASL_LEVEL_INFO,
+plog(ASL_LEVEL_NOTICE,
 "membership validated\n");
 return 0;
 }
@@ -572,13 +571,13 @@ group_check(iph1, grp_list, grp_count)
 }
 if( !res ) {
-plog(ASL_LEVEL_INFO,
+plog(ASL_LEVEL_NOTICE,
 "user \"%s\" is a member of group \"%s\"\n", usr, grp_list[grp_index]);
 break;
 } else {
-plog(ASL_LEVEL_INFO,
+plog(ASL_LEVEL_NOTICE,
 "user \"%s\" is not a member of group \"%s\"\n", usr, grp_list[grp_index]);
diff --git a/ipsec-tools/racoon/kmpstat.c b/ipsec-tools/racoon/kmpstat.c
index 591b3a9..cc6cde5 100644
--- a/ipsec-tools/racoon/kmpstat.c
+++ b/ipsec-tools/racoon/kmpstat.c
@@ -60,8 +60,7 @@
 #include
 #endif
 #include
-#include
-#include
+#include
 #include "libpfkey.h"
diff --git a/ipsec-tools/racoon/localconf.h b/ipsec-tools/racoon/localconf.h
index e1489cc..80ede5b 100644
--- a/ipsec-tools/racoon/localconf.h
+++ b/ipsec-tools/racoon/localconf.h
@@ -78,6 +78,9 @@ struct vpnctl_socket_elem {
 LIST_ENTRY(vpnctl_socket_elem) chain;
 int sock;
 dispatch_source_t source;
+uint32_t read_bytes_len;
+uint32_t pending_bytes_len;
+uint8_t *buffer;
 LIST_HEAD(_bound_addrs, bound_addr) bound_addresses;
 };
diff --git a/ipsec-tools/racoon/main.c b/ipsec-tools/racoon/main.c
index 4d654cb..80ec2e4 100644
--- a/ipsec-tools/racoon/main.c
+++ b/ipsec-tools/racoon/main.c
@@ -67,7 +67,6 @@
 #include "cfparse_proto.h"
 #include "isakmp_var.h"
 #ifdef ENABLE_HYBRID
-#include
 #include "isakmp.h"
 #include "isakmp_xauth.h"
 #include "isakmp_cfg.h"
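Review bot: The three fields added to `struct vpnctl_socket_elem` in localconf.h (`read_bytes_len`, `pending_bytes_len`, `buffer`) carry no comment on what each length bounds or who allocates and frees `buffer`, and the code that uses them in vpn_control.c is not in this view. Because this state reassembles input read from the VPN control socket, the invariant between the two lengths is exactly what a reader needs to check the copy against; suggest a comment of the form `/* reassembly state for a partially read control message: buffer (owned by this elem) holds pending_bytes_len expected bytes, read_bytes_len of which have arrived */`, with the wording confirmed against what vpn_control.c actually does.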
@@ -198,14 +197,14 @@ main(ac, av) parse(ac, av); - plog(ASL_LEVEL_INFO, "***** racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched); - plog(ASL_LEVEL_INFO, "%s\n", version); + plog(ASL_LEVEL_NOTICE, "racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched); + plog(ASL_LEVEL_NOTICE, "%s\n", version); #ifdef HAVE_OPENSSL - plog(ASL_LEVEL_INFO, "@(#)" + plog(ASL_LEVEL_NOTICE, "@(#)" "This product linked %s (http://www.openssl.org/)" "\n", eay_version()); #endif - plog(ASL_LEVEL_INFO, "Reading configuration from \"%s\"\n", + plog(ASL_LEVEL_NOTICE, "Reading configuration from \"%s\"\n", lcconf->racoon_conf); //%%%%% this sould probably be moved to session() @@ -256,7 +255,7 @@ main(ac, av) close(0); else { if ( !exec_done && launchdlaunched ){ - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "racoon launched by launchd.\n"); exec_done = 1; if (atexit(cleanup_pidfile) < 0) { diff --git a/ipsec-tools/racoon/nattraversal.c b/ipsec-tools/racoon/nattraversal.c index 1cd7280..b04ccfb 100644 --- a/ipsec-tools/racoon/nattraversal.c +++ b/ipsec-tools/racoon/nattraversal.c @@ -123,7 +123,7 @@ natt_hash_addr (phase1_handle_t *iph1, struct sockaddr_storage *addr) size_t buf_size, addr_size; if (iph1->approval) { - plog(ASL_LEVEL_INFO, "Hashing %s with algo #%d %s\n", + plog(ASL_LEVEL_NOTICE, "Hashing %s with algo #%d %s\n", saddr2str((struct sockaddr *)addr), iph1->approval->hashtype, (iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":""); } diff --git a/ipsec-tools/racoon/netdb_dnssec.h b/ipsec-tools/racoon/netdb_dnssec.h index 8e875b1..b8c80c2 100644 --- a/ipsec-tools/racoon/netdb_dnssec.h +++ b/ipsec-tools/racoon/netdb_dnssec.h @@ -32,6 +32,10 @@ #ifndef _NETDB_DNSSEC_H #define _NETDB_DNSSEC_H +#include "config.h" + +#if ENABLE_DNSSEC_CERTS + #ifndef T_CERT #define T_CERT 37 /* defined by RFC2538 section 2 */ #endif 
@@ -69,4 +73,6 @@ struct certinfo {
 extern void freecertinfo (struct certinfo *);
 extern int getcertsbyname (char *, struct certinfo **);
+#endif /* ENABLE_DNSSEC_CERTS */
+
 #endif /* _NETDB_DNSSEC_H */
diff --git a/ipsec-tools/racoon/oakley.c b/ipsec-tools/racoon/oakley.c
index dc9f4fe..24bdba8 100644
--- a/ipsec-tools/racoon/oakley.c
+++ b/ipsec-tools/racoon/oakley.c
@@ -60,9 +60,6 @@
 # include
 # endif
 #endif
-#ifdef ENABLE_HYBRID
-#include
-#endif
 #include "var.h"
 #include "misc.h"
@@ -91,14 +88,13 @@
 #if HAVE_OPENDIR
 #include "open_dir.h"
 #endif
-#include "dnssec.h"
 #include "sockmisc.h"
 #include "strnames.h"
 #include "gcmalloc.h"
 #include
 #include "remoteconf.h"
 #include "vpn_control.h"
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
 #include
 #include
 #endif
@@ -851,7 +847,7 @@ oakley_compute_hash3(phase1_handle_t *iph1, u_int32_t msgid, vchar_t *body)
 len = 1 + sizeof(u_int32_t) + body->l;
 buf = vmalloc(len);
 if (buf == NULL) {
-plog(ASL_LEVEL_DEBUG,
+plog(ASL_LEVEL_NOTICE,
 "failed to get hash buffer\n");
 goto end;
 }
@@ -899,7 +895,7 @@ oakley_compute_hash1(phase1_handle_t *iph1, u_int32_t msgid, vchar_t *body)
 len = sizeof(u_int32_t) + body->l;
 buf = vmalloc(len);
 if (buf == NULL) {
-plog(ASL_LEVEL_DEBUG,
+plog(ASL_LEVEL_NOTICE,
 "failed to get hash buffer\n");
 goto end;
 }
@@ -1262,8 +1258,15 @@ oakley_verify_userid(phase1_handle_t *iph1)
 cert_t *p;
 vchar_t *user_id;
 int user_id_found = 0;
+#ifndef HAVE_OPENSSL
+SecCertificateRef certificate;
+CFArrayRef commonNames;
+CFIndex i, l;
+CFStringRef name;
+#endif /* HAVE_OPENSSL */
 for (p = iph1->cert_p; p; p = p->chain) {
+#ifdef HAVE_OPENSSL
 user_id = eay_get_x509_common_name(&p->cert); //%%%%%%%% fix this
 if (user_id) {
 user_id_found = 1;
@@ -1274,6 +1277,45 @@ oakley_verify_userid(phase1_handle_t *iph1)
 }
 vfree(user_id);
 }
+#else /* HAVE_OPENSSL */
+certificate = crypto_cssm_x509cert_CreateSecCertificateRef(&p->cert);
+if (certificate == NULL) {
+plog(ASL_LEVEL_ERR,
+"ovuid failed to get SecCertificateRef\n");
+continue;
+}
+
+commonNames = SecCertificateCopyCommonNames(certificate);
+if (commonNames == NULL) {
+plog(ASL_LEVEL_ERR,
+"ovuid failed to get commonNames\n");
+CFRelease(certificate);
+continue;
+}
+
+l = CFArrayGetCount(commonNames);
+for (i = 0; i < l; i++) {
+name = CFArrayGetValueAtIndex(commonNames, i);
+user_id = vmalloc(CFStringGetMaximumSizeForEncoding(CFStringGetLength(name),
+kCFStringEncodingUTF8) + 1);
+if (user_id) {
+if (CFStringGetCString(name, user_id->v, user_id->l,
+kCFStringEncodingUTF8)) {
+user_id_found = 1;
+// the following functions will check if user_id == 0
+if (open_dir_authorize_id(user_id, iph1->rmconf->open_dir_auth_group)) {
+vfree(user_id);
+CFRelease(certificate);
+CFRelease(commonNames);
+return 0;
+}
+}
+vfree(user_id);
+}
+}
+CFRelease(certificate);
+CFRelease(commonNames);
+#endif /* HAVE_OPENSSL */
 }
 if (user_id_found) {
 plog(ASL_LEVEL_ERR,
@@ -1393,7 +1435,7 @@ oakley_validate_auth(phase1_handle_t *iph1)
 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
 }
-plog(ASL_LEVEL_DEBUG, "*** SIGN passed\n");
+plog(ASL_LEVEL_DEBUG, "SIGN passed\n");
 /* get peer's cert */
 switch (iph1->rmconf->getcert_method) {
@@ -1565,7 +1607,7 @@ oakley_validate_auth(phase1_handle_t *iph1)
 return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
 break;
 }
-plog(ASL_LEVEL_INFO, "No SIG was passed, "
+plog(ASL_LEVEL_NOTICE, "No SIG was passed, "
 "but hybrid auth is enabled\n");
 return 0;
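Review bot: In the new Security.framework branch of oakley_verify_userid, `user_id` is sized from `CFStringGetMaximumSizeForEncoding(...) + 1` and `user_id->l` is never reduced after `CFStringGetCString` succeeds, so the vchar passed to open_dir_authorize_id carries the allocation size rather than the common name's length. Whether that matters depends on how open_dir_authorize_id compares the name, which is not in this view; if it consults `->l` instead of treating `->v` as a C string, the authorization compare sees a different value than the OpenSSL branch supplies via eay_get_x509_common_name. Setting `user_id->l = strlen(user_id->v);` immediately after the successful `CFStringGetCString` removes the ambiguity. A failed `vmalloc` is also skipped silently, unlike the two other error paths in this branch which plog at ERR; one line, `plog(ASL_LEVEL_ERR, "ovuid failed to allocate user_id\n");`, would keep them consistent. The function's declarations are in the preceding hunk.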
@@ -1622,7 +1664,7 @@ static int
 oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (phase1_handle_t *iph1, int notify_initiator)
 {
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
 int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE);
 int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED);
 if (premature || expired) {
@@ -1636,7 +1678,7 @@ oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (phase1_handle_t *iph1, in
 vpncontrol_notify_ike_failed(fail_reason, notify_initiator, iph1_get_remote_v4_address(iph1), 0, NULL);
 return -1;
 }
-#endif /* TARGET_OS_EMBEDDED */
+#endif /* HAVE_OPENSSL */
 return 0;
 }
@@ -1873,10 +1915,10 @@ static int
 oakley_check_certid_1(vchar_t *cert, int idtype, int idlen, void *id, cert_status_t *certStatus)
 {
-int len;
+int len = 0;
 int error = 0;
-#if !TARGET_OS_EMBEDDED
+#ifdef HAVE_OPENSSL
 int type;
 char *altname = NULL;
 #endif
@@ -1886,7 +1928,7 @@ oakley_check_certid_1(vchar_t *cert, int idtype, int idlen, void *id, cert_statu
 {
 CFDataRef subject;
 SecCertificateRef certificate;
-UInt8* namePtr;
+UInt8* namePtr = NULL;
 certificate = crypto_cssm_x509cert_CreateSecCertificateRef(cert);
 if (certificate == NULL) {
@@ -1920,8 +1962,12 @@ oakley_check_certid_1(vchar_t *cert, int idtype, int idlen, void *id, cert_statu
 if (error) {
 plog(ASL_LEVEL_ERR,
 "ID mismatched with certificate subjectName\n");
-plogdump(ASL_LEVEL_ERR, namePtr, len, "subjectName (type %s):\n",
-s_ipsecdoi_ident(idtype));
+if (namePtr != NULL) {
+plogdump(ASL_LEVEL_ERR, namePtr, len, "subjectName (type %s):\n",
+s_ipsecdoi_ident(idtype));
+} else {
+plog(ASL_LEVEL_ERR, "subjectName (type %s):\n", s_ipsecdoi_ident(idtype));
+}
 plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n");
 if (certStatus && !*certStatus) {
 *certStatus = CERT_STATUS_INVALID_SUBJNAME;
@@ -1938,7 +1984,7 @@ oakley_check_certid_1(vchar_t *cert, int idtype, int idlen, void *id, cert_statu case IPSECDOI_ID_IPV4_ADDR: case IPSECDOI_ID_IPV6_ADDR: { -#if TARGET_OS_EMBEDDED +#ifndef HAVE_OPENSSL CFIndex pos, count; SecCertificateRef certificate; CFArrayRef addresses; @@ -2100,10 +2146,10 @@ oakley_check_certid_1(vchar_t *cert, int idtype, int idlen, void *id, cert_statu *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; return ISAKMP_NTYPE_INVALID_ID_INFORMATION; -#endif /* TARGET_OS_EMBEDDED */ +#endif /* HAVE_OPENSSL */ } -#if TARGET_OS_EMBEDDED +#ifndef HAVE_OPENSSL case IPSECDOI_ID_FQDN: { CFIndex pos, count; diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index 009acf0..672a9fd 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c @@ -223,7 +223,7 @@ pfkey_process(msg) /* when SPD is empty, treat the state as no error. */ if (msg->sadb_msg_type == SADB_X_SPDDUMP && msg->sadb_msg_errno == ENOENT) - pri = ASL_LEVEL_DEBUG; + pri = ASL_LEVEL_NOTICE; else pri = ASL_LEVEL_ERR; @@ -243,7 +243,7 @@ pfkey_process(msg) } if (pkrecvf[msg->sadb_msg_type] == NULL) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "unsupported PF_KEY message %s\n", s_pfkey_type(msg->sadb_msg_type)); goto end; @@ -273,7 +273,7 @@ pfkey_handler(void *unused) ssize_t len; if (slept_at || woke_at) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_DEBUG, "ignoring pfkey port until power-mgmt event is handled.\n"); return; } @@ -290,7 +290,7 @@ pfkey_handler(void *unused) return; } else { /* short message - msg not ready */ - plog(ASL_LEVEL_DEBUG, "recv short message from pfkey\n"); + plog(ASL_LEVEL_NOTICE, "recv short message from pfkey\n"); return; } } @@ -304,7 +304,7 @@ pfkey_post_handler() struct saved_msg_elem *elem_tmp = NULL; if (slept_at || woke_at) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "ignoring (saved) pfkey messages until power-mgmt event is handled.\n"); return; } 
@@ -1327,11 +1327,14 @@ pk_recvupdate(mhp) sa->sadb_sa_spi, sa_mode)); - plog(ASL_LEVEL_INFO, - "IPsec-SA established: %s\n", - sadbsecas2str(iph2->dst, iph2->src, - msg->sadb_msg_satype, sa->sadb_sa_spi, - sa_mode)); + plog(ASL_LEVEL_NOTICE, + "IPsec-SA established (update): satype=%u spi=%#x mode=%u\n", + msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode); + plog(ASL_LEVEL_DEBUG, + "IPsec-SA established (update): %s\n", + sadbsecas2str(iph2->dst, iph2->src, + msg->sadb_msg_satype, sa->sadb_sa_spi, + sa_mode)); } if (pr->ok == 0) @@ -1609,8 +1612,11 @@ pk_recvadd(mhp) * because they must be updated by SADB_UPDATE message */ - plog(ASL_LEVEL_INFO, - "IPsec-SA established: %s\n", + plog(ASL_LEVEL_NOTICE, + "IPsec-SA established (add): satype=%u spi=%#x mode=%u\n", + msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode); + plog(ASL_LEVEL_DEBUG, + "IPsec-SA established (add): %s\n", sadbsecas2str(iph2->src, iph2->dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); @@ -1663,7 +1669,10 @@ pk_recvexpire(mhp) return -1; } - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, + "IPsec-SA expired: satype=%u spi=%#x mode=%u\n", + msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode); + plog(ASL_LEVEL_DEBUG, "IPsec-SA expired: %s\n", sadbsecas2str(src, dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); @@ -3076,6 +3085,7 @@ addnewsp(mhp) default: plog(ASL_LEVEL_ERR, "invalid policy type.\n"); + delsp(new); return -1; } diff --git a/ipsec-tools/racoon/proposal.c b/ipsec-tools/racoon/proposal.c index 62d3db6..9fed429 100644 --- a/ipsec-tools/racoon/proposal.c +++ b/ipsec-tools/racoon/proposal.c @@ -227,7 +227,7 @@ saprop_adjust_encmode (struct saproto *pr2, struct saproto *pr1) if (natt_udp_encap(pr2->encmode)) { prev = pr2->encmode; saprop_udp_encap(pr2); - plog(ASL_LEVEL_INFO, "Adjusting my encmode %s(%d)->%s(%d)\n", + plog(ASL_LEVEL_NOTICE, "Adjusting my encmode %s(%d)->%s(%d)\n", s_ipsecdoi_encmode(prev), prev, s_ipsecdoi_encmode(pr2->encmode), 
@@ -236,7 +236,7 @@ saprop_adjust_encmode (struct saproto *pr2, struct saproto *pr1) if (natt_udp_encap(pr1->encmode)) { prev = pr1->encmode; saprop_udp_encap(pr1); - plog(ASL_LEVEL_INFO, "Adjusting peer's encmode %s(%d)->%s(%d)\n", + plog(ASL_LEVEL_NOTICE, "Adjusting peer's encmode %s(%d)->%s(%d)\n", s_ipsecdoi_encmode(prev), prev, s_ipsecdoi_encmode(pr1->encmode), diff --git a/ipsec-tools/racoon/remoteconf.c b/ipsec-tools/racoon/remoteconf.c index 3fca302..59a6341 100644 --- a/ipsec-tools/racoon/remoteconf.c +++ b/ipsec-tools/racoon/remoteconf.c @@ -646,7 +646,7 @@ dump_peers_identifiers (void *entry, void *arg) s_idtype (id->idtype)); if (id->id) pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", id->id->v); - plog(ASL_LEVEL_INFO, "%s;\n", buf); + plog(ASL_LEVEL_NOTICE, "%s;\n", buf); return NULL; } @@ -666,7 +666,7 @@ dump_rmconf_single (struct remoteconf *p, void *data) if (p->inherited_from) pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s", saddr2str((struct sockaddr *)p->inherited_from->remote)); - plog(ASL_LEVEL_INFO, "%s {\n", buf); + plog(ASL_LEVEL_NOTICE, "%s {\n", buf); pbuf = buf; pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type "); while (etype) { 
@@ -674,83 +674,83 @@ dump_rmconf_single (struct remoteconf *p, void *data) etype->next != NULL ? ", " : ";\n"); etype = etype->next; } - plog(ASL_LEVEL_INFO, "%s", buf); - plog(ASL_LEVEL_INFO, "\tdoi %s;\n", s_doi(p->doitype)); + plog(ASL_LEVEL_NOTICE, "%s", buf); + plog(ASL_LEVEL_NOTICE, "\tdoi %s;\n", s_doi(p->doitype)); pbuf = buf; pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\tmy_identifier %s", s_idtype (p->idvtype)); if (p->idvtype == IDTYPE_ASN1DN) { - plog(ASL_LEVEL_INFO, "%s;\n", buf); + plog(ASL_LEVEL_NOTICE, "%s;\n", buf); switch (p->getcert_method) { case 0: break; case ISAKMP_GETCERT_PAYLOAD: - plog(ASL_LEVEL_INFO, "\t/* peers certificate from payload */\n"); + plog(ASL_LEVEL_NOTICE, "\t/* peers certificate from payload */\n"); break; default: - plog(ASL_LEVEL_INFO, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method); + plog(ASL_LEVEL_NOTICE, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method); } } else { if (p->idv) pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", p->idv->v); - plog(ASL_LEVEL_INFO, "%s;\n", buf); + plog(ASL_LEVEL_NOTICE, "%s;\n", buf); genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL); } - plog(ASL_LEVEL_INFO, "\tsend_cert %s;\n", + plog(ASL_LEVEL_NOTICE, "\tsend_cert %s;\n", s_switch (p->send_cert)); - plog(ASL_LEVEL_INFO, "\tsend_cr %s;\n", + plog(ASL_LEVEL_NOTICE, "\tsend_cr %s;\n", s_switch (p->send_cr)); - plog(ASL_LEVEL_INFO, "\tverify_cert %s;\n", + plog(ASL_LEVEL_NOTICE, "\tverify_cert %s;\n", s_switch (p->verify_cert)); - plog(ASL_LEVEL_INFO, "\tverify_identifier %s;\n", + plog(ASL_LEVEL_NOTICE, "\tverify_identifier %s;\n", s_switch (p->verify_identifier)); - plog(ASL_LEVEL_INFO, "\tnat_traversal %s;\n", + plog(ASL_LEVEL_NOTICE, "\tnat_traversal %s;\n", p->nat_traversal == NATT_FORCE ? 
"force" : s_switch (p->nat_traversal)); - plog(ASL_LEVEL_INFO, "\tnatt_multiple_user %s;\n", + plog(ASL_LEVEL_NOTICE, "\tnatt_multiple_user %s;\n", s_switch (p->natt_multiple_user)); - plog(ASL_LEVEL_INFO, "\tnonce_size %d;\n", + plog(ASL_LEVEL_NOTICE, "\tnonce_size %d;\n", p->nonce_size); - plog(ASL_LEVEL_INFO, "\tpassive %s;\n", + plog(ASL_LEVEL_NOTICE, "\tpassive %s;\n", s_switch (p->passive)); - plog(ASL_LEVEL_INFO, "\tike_frag %s;\n", + plog(ASL_LEVEL_NOTICE, "\tike_frag %s;\n", p->ike_frag == ISAKMP_FRAG_FORCE ? "force" : s_switch (p->ike_frag)); - plog(ASL_LEVEL_INFO, "\tesp_frag %d;\n", p->esp_frag); - plog(ASL_LEVEL_INFO, "\tinitial_contact %s;\n", + plog(ASL_LEVEL_NOTICE, "\tesp_frag %d;\n", p->esp_frag); + plog(ASL_LEVEL_NOTICE, "\tinitial_contact %s;\n", s_switch (p->ini_contact)); - plog(ASL_LEVEL_INFO, "\tgenerate_policy %s;\n", + plog(ASL_LEVEL_NOTICE, "\tgenerate_policy %s;\n", s_switch (p->gen_policy)); - plog(ASL_LEVEL_INFO, "\tsupport_proxy %s;\n", + plog(ASL_LEVEL_NOTICE, "\tsupport_proxy %s;\n", s_switch (p->support_proxy)); while (prop) { - plog(ASL_LEVEL_INFO, "\n"); - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "\n"); + plog(ASL_LEVEL_NOTICE, "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n", prop->prop_no, prop->trns_no, saddr2str((struct sockaddr *)prop->rmconf->remote)); - plog(ASL_LEVEL_INFO, "\tproposal {\n"); - plog(ASL_LEVEL_INFO, "\t\tlifetime time %lu sec;\n", + plog(ASL_LEVEL_NOTICE, "\tproposal {\n"); + plog(ASL_LEVEL_NOTICE, "\t\tlifetime time %lu sec;\n", (long)prop->lifetime); - plog(ASL_LEVEL_INFO, "\t\tlifetime bytes %zd;\n", + plog(ASL_LEVEL_NOTICE, "\t\tlifetime bytes %zd;\n", prop->lifebyte); - plog(ASL_LEVEL_INFO, "\t\tdh_group %s;\n", + plog(ASL_LEVEL_NOTICE, "\t\tdh_group %s;\n", alg_oakley_dhdef_name(prop->dh_group)); - plog(ASL_LEVEL_INFO, "\t\tencryption_algorithm %s;\n", + plog(ASL_LEVEL_NOTICE, "\t\tencryption_algorithm %s;\n", alg_oakley_encdef_name(prop->enctype)); - plog(ASL_LEVEL_INFO, "\t\thash_algorithm %s;\n", 
+ plog(ASL_LEVEL_NOTICE, "\t\thash_algorithm %s;\n", alg_oakley_hashdef_name(prop->hashtype)); - plog(ASL_LEVEL_INFO, "\t\tprf_algorithm %s;\n", + plog(ASL_LEVEL_NOTICE, "\t\tprf_algorithm %s;\n", alg_oakley_hashdef_name(prop->prf)); - plog(ASL_LEVEL_INFO, "\t\tauthentication_method %s;\n", + plog(ASL_LEVEL_NOTICE, "\t\tauthentication_method %s;\n", alg_oakley_authdef_name(prop->authmethod)); - plog(ASL_LEVEL_INFO, "\t}\n"); + plog(ASL_LEVEL_NOTICE, "\t}\n"); prop = prop->next; } - plog(ASL_LEVEL_INFO, "}\n"); - plog(ASL_LEVEL_INFO, "\n"); + plog(ASL_LEVEL_NOTICE, "}\n"); + plog(ASL_LEVEL_NOTICE, "\n"); return NULL; } diff --git a/ipsec-tools/racoon/sainfo.c b/ipsec-tools/racoon/sainfo.c index d11e636..2aa57b7 100644 --- a/ipsec-tools/racoon/sainfo.c +++ b/ipsec-tools/racoon/sainfo.c @@ -112,14 +112,15 @@ getsainfo(const vchar_t *src, const vchar_t *dst, const vchar_t *peer, int use_n } // TODO: handle wildcard port numbers in the id - if (memcmp(src->v, s->idsrc->v, s->idsrc->l) == 0) { + if ((src->l == s->idsrc->l) && memcmp(src->v, s->idsrc->v, s->idsrc->l) == 0) { if (use_nat_addr) { if (memcmp(lcconf->ext_nat_id->v, s->iddst->v, s->iddst->l) == 0) { plogdump(ASL_LEVEL_DEBUG, lcconf->ext_nat_id->v, lcconf->ext_nat_id->l, "matched external nat address.\n"); return s; } - } else if (memcmp(dst->v, s->iddst->v, s->iddst->l) == 0) + } else if ((dst->l == s->iddst->l) && memcmp(dst->v, s->iddst->v, s->iddst->l) == 0) { return s; + } } } diff --git a/ipsec-tools/racoon/session.c b/ipsec-tools/racoon/session.c index 1f9dee4..208ff5d 100644 --- a/ipsec-tools/racoon/session.c +++ b/ipsec-tools/racoon/session.c @@ -68,7 +68,6 @@ #include #include -#include #include #include #include @@ -350,7 +349,7 @@ close_session(int error) (void)launchd_update_racoon_keepalive(false); #endif // !TARGET_OS_EMBEDDED - plog(ASL_LEVEL_INFO, "racoon shutdown\n"); + plog(ASL_LEVEL_NOTICE, "racoon shutdown\n"); exit(0); } 
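Review bot: The `use_nat_addr` branch inside this hunk still calls `memcmp(lcconf->ext_nat_id->v, s->iddst->v, s->iddst->l)` with no length comparison, so the over-read that the new `src->l ==` / `dst->l ==` guards prevent can still occur when the external NAT id is shorter than the configured `iddst`, and a longer id still matches on prefix only. Guard it the same way as the other two branches: `if ((lcconf->ext_nat_id->l == s->iddst->l) && memcmp(lcconf->ext_nat_id->v, s->iddst->v, s->iddst->l) == 0) {`. getsainfo begins before this hunk, so whether `lcconf->ext_nat_id` is NULL-checked earlier is not visible here.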
@@ -436,7 +435,7 @@ check_flushsa() void auto_exit_do(void *p) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "performing auto exit\n"); #if ENABLE_NO_SA_FLUSH close_session(0); @@ -556,7 +555,7 @@ check_sigreq() case SIGINT: case SIGTERM: - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "caught signal %d\n", sig); #if ENABLE_NO_SA_FLUSH close_session(0); @@ -575,7 +574,7 @@ check_sigreq() break; default: - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "caught signal %d\n", sig); break; } @@ -591,7 +590,7 @@ RETSIGTYPE signal_handler(int sig, siginfo_t *sigi, void *ctx) { #if 0 - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "%s received signal %d from pid %d uid %d\n\n", __FUNCTION__, sig, sigi->si_pid, sigi->si_uid); #endif diff --git a/ipsec-tools/racoon/sockmisc.c b/ipsec-tools/racoon/sockmisc.c index 2bb1bef..ac0645f 100644 --- a/ipsec-tools/racoon/sockmisc.c +++ b/ipsec-tools/racoon/sockmisc.c @@ -455,6 +455,7 @@ recvfromto(int s, cm = (struct cmsghdr *)cmsgbuf; m.msg_control = (caddr_t)cm; m.msg_controllen = sizeof(cmsgbuf); + m.msg_flags = 0; while ((len = recvmsg(s, &m, flags)) < 0) { if (errno == EINTR) continue; diff --git a/ipsec-tools/racoon/strnames.c b/ipsec-tools/racoon/strnames.c index 1987a37..e346827 100644 --- a/ipsec-tools/racoon/strnames.c +++ b/ipsec-tools/racoon/strnames.c @@ -47,9 +47,6 @@ #include #include -#ifdef ENABLE_HYBRID -#include -#endif #include "var.h" #include "misc.h" diff --git a/ipsec-tools/racoon/throttle.c b/ipsec-tools/racoon/throttle.c index 5103204..f152695 100644 --- a/ipsec-tools/racoon/throttle.c +++ b/ipsec-tools/racoon/throttle.c @@ -51,7 +51,6 @@ #include #include -#include #include "vmbuf.h" #include "misc.h" diff --git a/ipsec-tools/racoon/vendorid.c b/ipsec-tools/racoon/vendorid.c index ca6f67b..8b1a53c 100644 --- a/ipsec-tools/racoon/vendorid.c +++ b/ipsec-tools/racoon/vendorid.c 
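Review bot: Zeroing `m.msg_flags` before `recvmsg()` only matters if something reads the field afterwards, and nothing in this hunk does; `recvmsg()` overwrites it on return, so the useful follow-up is to inspect it after the loop and refuse a datagram that was silently cut to the buffer size instead of parsing the truncated prefix as a complete IKE packet. If the rest of recvfromto (which runs past the hunk) does not already do so, add after the loop: `if (m.msg_flags & (MSG_TRUNC | MSG_CTRUNC)) { plog(ASL_LEVEL_ERR, "recvfromto: truncated datagram or control data\n"); return -1; }`, using whatever error value the failing-recvmsg path already returns. `MSG_CTRUNC` matters here too, because the destination address is recovered from the control message and a truncated cmsg buffer would leave it unset.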
@@ -216,11 +216,11 @@ check_vendorid(struct isakmp_gen *gen) goto unknown; if (current->hash->l < vidlen) - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "received broken Microsoft ID: %s\n", current->string); else - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "received Vendor ID: %s\n", current->string); diff --git a/ipsec-tools/racoon/vpn.c b/ipsec-tools/racoon/vpn.c index 393e4d3..4f6867d 100644 --- a/ipsec-tools/racoon/vpn.c +++ b/ipsec-tools/racoon/vpn.c @@ -76,9 +76,6 @@ #ifdef HAVE_UNISTD_H #include #endif -#ifdef ENABLE_HYBRID -#include -#endif #include "var.h" #include "misc.h" @@ -195,7 +192,7 @@ vpn_connect(struct bound_addr *srv, int oper) if (set_port(local, port) == NULL) goto out1; - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "accept a request to establish IKE-SA: " "%s\n", saddrwop2str((struct sockaddr *)remote)); diff --git a/ipsec-tools/racoon/vpn_control.c b/ipsec-tools/racoon/vpn_control.c index 1b70dd2..be334db 100644 --- a/ipsec-tools/racoon/vpn_control.c +++ b/ipsec-tools/racoon/vpn_control.c @@ -4,13 +4,13 @@ * Copyright (c) 2006 Apple Computer, Inc. All rights reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * The contents of this file constitute Original Code as defined in and * are subject to the Apple Public Source License Version 1.1 (the * "License"). You may not use this file except in compliance with the * License. Please obtain a copy of the License at * http://www.apple.com/publicsource and read it before using this file. - * + * * This Original Code and all software distributed under the License are * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
@@ -18,14 +18,14 @@ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the * License for the specific language governing rights and limitations * under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -37,7 +37,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -68,7 +68,7 @@ #include #ifndef HAVE_NETINET6_IPSEC #include -#else +#else #include #endif @@ -127,10 +127,10 @@ extern int vpn_get_config (phase1_handle_t *, struct vpnctl_status_phase_change extern int vpn_xauth_reply (u_int32_t, void *, size_t); -int -checklaunchd() -{ - launch_data_t checkin_response = NULL; +int +checklaunchd() +{ + launch_data_t checkin_response = NULL; #ifdef LION_TEST launch_data_t checkin_request = NULL; #endif @@ -150,7 +150,7 @@ checklaunchd() #else if ((checkin_response = launch_socket_service_check_in()) == NULL) { #endif - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "failed to launch_socket_service_check_in.\n"); goto done; } 
@@ -161,24 +161,24 @@ checklaunchd() } #endif if (LAUNCH_DATA_ERRNO == launch_data_get_type(checkin_response)) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "launch_data_get_type error %d\n", launch_data_get_errno(checkin_response)); goto done; } if ( (sockets_dict = launch_data_dict_lookup(checkin_response, LAUNCH_JOBKEY_SOCKETS)) == NULL){ - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "failed to launch_data_dict_lookup.\n"); goto done; } if ( !(socketct = launch_data_dict_get_count(sockets_dict))){ - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "launch_data_dict_get_count returns no socket defined.\n"); goto done; } if ( (listening_fd_array = launch_data_dict_lookup(sockets_dict, "Listeners")) == NULL ){ - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "failed to launch_data_dict_lookup.\n"); goto done; } @@ -190,11 +190,11 @@ checklaunchd() continue; } - /* Is this the VPN control socket? */ - if ( fdsockaddr.ss_family == AF_UNIX && + /* Is this the VPN control socket? */ + if ( fdsockaddr.ss_family == AF_UNIX && (!(strcmp(vpncontrolsock_path, ((struct sockaddr_un *)&fdsockaddr)->sun_path)))) - { - plog(ASL_LEVEL_INFO, + { + plog(ASL_LEVEL_NOTICE, "found launchd socket.\n"); returnval = fd; break; @@ -202,12 +202,12 @@ checklaunchd() } // TODO: check if we have any leaked fd if ( listenerct == i){ - plog(ASL_LEVEL_ERR, - "failed to find launchd socket\n"); + plog(ASL_LEVEL_ERR, + "failed to find launchd socket\n"); returnval = 0; } -done: +done: if (checkin_response) launch_data_free(checkin_response); return(returnval); 
@@ -224,30 +224,30 @@ vpncontrol_handler(void *unused) struct vpnctl_socket_elem *sock_elem; - sock_elem = racoon_malloc(sizeof(struct vpnctl_socket_elem)); + sock_elem = racoon_calloc(1, sizeof(struct vpnctl_socket_elem)); if (sock_elem == NULL) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "memory error: %s\n", strerror(errno)); return; //%%%%%% terminate } LIST_INIT(&sock_elem->bound_addresses); - + sock_elem->sock = accept(lcconf->sock_vpncontrol, (struct sockaddr *)&from, &fromlen); if (sock_elem->sock < 0) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "failed to accept vpn_control command: %s\n", strerror(errno)); racoon_free(sock_elem); return; //%%%%% terminate } LIST_INSERT_HEAD(&lcconf->vpnctl_comm_socks, sock_elem, chain); - + sock_elem->source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, sock_elem->sock, 0, dispatch_get_main_queue()); if (sock_elem->source == NULL) { plog(ASL_LEVEL_ERR, "could not create comm socket source."); racoon_free(sock_elem); return; //%%%%% terminate } - dispatch_source_set_event_handler(sock_elem->source, + dispatch_source_set_event_handler(sock_elem->source, ^{ vpncontrol_comm_handler(sock_elem); }); @@ -260,8 +260,8 @@ vpncontrol_handler(void *unused) dispatch_release(the_source); /* Release the source on cancel */ }); dispatch_resume(sock_elem->source); - - plog(ASL_LEVEL_NOTICE, + + plog(ASL_LEVEL_NOTICE, "accepted connection on vpn control socket.\n"); check_auto_exit(); 
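Review bot: `sock_elem` is linked into `lcconf->vpnctl_comm_socks` before `dispatch_source_create()` is called, yet the failure branch just does `racoon_free(sock_elem)` and returns, leaving a freed element on the list (the next `LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain)`, e.g. in vpncontrol_notify_peer_resp, would walk freed memory) and the accepted descriptor open. Either move the `LIST_INSERT_HEAD` below the source creation, or on failure do `LIST_REMOVE(sock_elem, chain); close(sock_elem->sock); racoon_free(sock_elem);`. The switch to `racoon_calloc` is right, since the new `buffer`/`read_bytes_len`/`pending_bytes_len` fields must start zeroed for the comm handler's `elem->buffer == NULL` test.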
@@ -272,62 +272,74 @@ void vpncontrol_comm_handler(struct vpnctl_socket_elem *elem) { struct vpnctl_hdr hdr; - char *combuf = NULL; ssize_t len; /* get buffer length */ - while ((len = recv(elem->sock, (char *)&hdr, sizeof(hdr), MSG_PEEK)) < 0) { - if (errno == EINTR) - continue; - plog(ASL_LEVEL_ERR, - "failed to recv vpn_control command: %s\n", strerror(errno)); - goto end; - } - if (len == 0) { - plog(ASL_LEVEL_DEBUG, - "vpn_control socket closed by peer.\n"); - /* kill all related connections */ - vpncontrol_disconnect_all(elem, ike_session_stopped_by_controller_comm_lost); - vpncontrol_close_comm(elem); - return; // %%%%%% terminate - } - - /* sanity check */ - if (len < sizeof(hdr)) { - plog(ASL_LEVEL_ERR, - "invalid header length of vpn_control command - len=%ld - expected %ld\n", len, sizeof(hdr)); - goto end; - } + if (elem->buffer == NULL) { + while ((len = recv(elem->sock, (char *)&hdr, sizeof(hdr), MSG_PEEK)) < 0) { + if (errno == EINTR) + continue; + plog(ASL_LEVEL_ERR, "failed to recv vpn_control command: %s\n", strerror(errno)); + return; + } + if (len == 0) { + plog(ASL_LEVEL_NOTICE, "vpn_control socket closed by peer.\n"); + /* kill all related connections */ + vpncontrol_disconnect_all(elem, ike_session_stopped_by_controller_comm_lost); + vpncontrol_close_comm(elem); + return; // %%%%%% terminate + } - /* get buffer to receive */ - if ((combuf = racoon_malloc(ntohs(hdr.len) + sizeof(hdr))) == 0) { - plog(ASL_LEVEL_ERR, - "failed to alloc buffer for vpn_control command\n"); - goto end; + /* sanity check */ + if (len < sizeof(hdr)) { + plog(ASL_LEVEL_ERR, + "invalid header length of vpn_control command - len=%ld - expected %ld\n", len, sizeof(hdr)); + return; + } + + elem->read_bytes_len = 0; // Sanity + elem->pending_bytes_len = ntohs(hdr.len) + sizeof(hdr); + + /* get buffer to receive */ + elem->buffer = racoon_malloc(elem->pending_bytes_len); + if (elem->buffer == NULL) { + plog(ASL_LEVEL_ERR, + "failed to alloc buffer for vpn_control 
command\n"); + return; + } } /* get real data */ - while ((len = recv(elem->sock, combuf, ntohs(hdr.len) + sizeof(hdr), 0)) < 0) { + while ((len = recv(elem->sock, elem->buffer + elem->read_bytes_len, elem->pending_bytes_len, 0)) < 0) { if (errno == EINTR) continue; - plog(ASL_LEVEL_ERR, - "failed to recv vpn_control command: %s\n", - strerror(errno)); - goto end; + plog(ASL_LEVEL_ERR, "failed to recv vpn_control command: %s\n", + strerror(errno)); + return; } - if (len < (sizeof(hdr) + ntohs(hdr.len))) { - plog(ASL_LEVEL_ERR, - "invalid length of vpn_control command - len=%ld - expected %ld\n", len, (sizeof(hdr) + ntohs(hdr.len))); - goto end; + if (len == 0) { + plog(ASL_LEVEL_NOTICE, "vpn_control socket closed by peer while reading packet\n"); + /* kill all related connections */ + vpncontrol_disconnect_all(elem, ike_session_stopped_by_controller_comm_lost); + vpncontrol_close_comm(elem); + return; } - (void)vpncontrol_process(elem, combuf, len); + elem->read_bytes_len += len; -end: - if (combuf) - racoon_free(combuf); - return; + if (len < elem->pending_bytes_len) { + plog(ASL_LEVEL_NOTICE, + "received partial vpn_control command - len=%ld - expected %u\n", len, elem->pending_bytes_len); + elem->pending_bytes_len -= len; + return; + } else { + (void)vpncontrol_process(elem, elem->buffer, elem->read_bytes_len); + free(elem->buffer); + elem->buffer = NULL; + elem->read_bytes_len = 0; + elem->pending_bytes_len = 0; + } } static int @@ -355,7 +367,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ break; } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "received bind command on vpn control socket.\n"); addr = racoon_calloc(1, sizeof(struct bound_addr)); if (addr == NULL) { @@ -370,6 +382,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ plog(ASL_LEVEL_ERR, "memory error: %s\n", strerror(errno)); error = -1; + racoon_free(addr); break; } memcpy(addr->version->v, pkt + 1, ntohs(pkt->vers_len)); 
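Review bot: The `if (len < sizeof(hdr)) return;` after the `MSG_PEEK` leaves a partial header sitting in the socket, and because the comm socket is driven by a `DISPATCH_SOURCE_TYPE_READ` source (see vpncontrol_handler) which, as far as I can tell, re-fires while unread bytes remain, a controller whose header write is split — or a client that deliberately sends three bytes and stops — makes this handler run in a tight loop logging `invalid header length` at ERR until the rest arrives. The new `buffer`/`read_bytes_len`/`pending_bytes_len` state handles a fragmented body but still treats the header as all-or-nothing, so the simplest fix is to stage the header through the same buffer, consume it, and grow the buffer once `hdr.len` is known. While there, release the buffer with `racoon_free` to match `racoon_malloc` (the hunk calls bare `free()`); whether `racoon_realloc` exists in this tree's gcmalloc.h I cannot confirm from here, so substitute the project's realloc wrapper or plain realloc paired consistently.
```c
void
vpncontrol_comm_handler(struct vpnctl_socket_elem *elem)
{
	struct vpnctl_hdr hdr;
	ssize_t len;

	if (elem->buffer == NULL) {
		/* Stage the header in elem->buffer and *consume* it; a MSG_PEEK that
		 * comes back short leaves the socket readable, so the read source
		 * would re-fire and this handler would spin. */
		elem->buffer = racoon_malloc(sizeof(hdr));
		if (elem->buffer == NULL) {
			plog(ASL_LEVEL_ERR, "failed to alloc buffer for vpn_control command\n");
			return;
		}
		elem->read_bytes_len = 0;
		elem->pending_bytes_len = sizeof(hdr);
	}

	while ((len = recv(elem->sock, elem->buffer + elem->read_bytes_len, elem->pending_bytes_len, 0)) < 0) {
		/* … unchanged: EINTR retry and recv error logging … */
	}
	if (len == 0) {
		/* … unchanged: peer closed -> vpncontrol_disconnect_all + vpncontrol_close_comm … */
		return;
	}
	elem->read_bytes_len += len;
	elem->pending_bytes_len -= len;
	if (elem->pending_bytes_len > 0) {
		plog(ASL_LEVEL_NOTICE, "received partial vpn_control command - len=%ld - remaining %u\n",
		     len, elem->pending_bytes_len);
		return;	/* the read source fires again when more bytes arrive */
	}

	if (elem->read_bytes_len == sizeof(hdr)) {
		/* Header complete: size the body (hdr.len is 16-bit, so at most 65535). */
		memcpy(&hdr, elem->buffer, sizeof(hdr));
		if (ntohs(hdr.len) > 0) {
			char *grown = racoon_realloc(elem->buffer, sizeof(hdr) + ntohs(hdr.len));
			if (grown == NULL) {
				plog(ASL_LEVEL_ERR, "failed to alloc buffer for vpn_control command\n");
				racoon_free(elem->buffer);
				elem->buffer = NULL;
				elem->read_bytes_len = 0;
				return;
			}
			elem->buffer = grown;
			elem->pending_bytes_len = ntohs(hdr.len);
			return;	/* body follows; wait for the next read event */
		}
	}

	(void)vpncontrol_process(elem, elem->buffer, elem->read_bytes_len);
	racoon_free(elem->buffer);
	elem->buffer = NULL;
	elem->read_bytes_len = 0;
	elem->pending_bytes_len = 0;
}
```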
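Review bot: `memcpy(addr->version->v, pkt + 1, ntohs(pkt->vers_len))` on the last line of this hunk copies a client-supplied length out of `combuf`, and the only guard visible above it is the one that ends in `break;` just before the bind log line; whether that guard bounds `vers_len` against `combuf_len` cannot be seen from here. If it does not, add before `addr = racoon_calloc(...)`: `if (sizeof(*pkt) + ntohs(pkt->vers_len) > combuf_len) { plog(ASL_LEVEL_ERR, "bind command version length exceeds message\n"); error = -1; break; }`, so an over-long `vers_len` cannot read past the received command. The added `racoon_free(addr)` on the version-allocation failure path is the right fix for that leak; vpncontrol_process continues well past this hunk.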
@@ -392,7 +405,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ struct bound_addr *addr; struct bound_addr *t_addr; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "received unbind command on vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == 0xFFFFFFFF || @@ -420,7 +433,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ struct redirect *t_raddr; int found = 0; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "received redirect command on vpn control socket - address = %x.\n", ntohl(redirect_msg->redirect_address)); LIST_FOREACH_SAFE(raddr, &lcconf->redirect_addresses, chain, t_raddr) { @@ -439,7 +452,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ if (!found) { raddr = racoon_malloc(sizeof(struct redirect)); if (raddr == NULL) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_ERR, "cannot allcoate memory for redirect address.\n"); error = -1; break; @@ -475,7 +488,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ break; } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "received xauth info command vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { @@ -500,7 +513,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ struct bound_addr *addr; struct bound_addr *t_addr; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "received set v6 prefix of len %u command on vpn control socket, adding to all addresses.\n", pkt->nat64_prefix.length); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { memcpy(&addr->nat64_prefix, &pkt->nat64_prefix, sizeof(addr->nat64_prefix)); 
@@ -529,7 +542,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ pending_signal_handle = 0; } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "received connect command on vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { @@ -553,7 +566,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ struct bound_addr *addr; struct bound_addr *t_addr; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "received disconnect command on vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { @@ -577,7 +590,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ struct bound_addr *addr; struct bound_addr *t_addr; - plog(ASL_LEVEL_DEBUG, "received start_ph2 command on vpn control socket.\n"); + plog(ASL_LEVEL_NOTICE, "received start_ph2 command on vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { /* start the connection */ @@ -600,7 +613,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ struct bound_addr *srv; struct bound_addr *t_addr; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "received start_dpd command on vpn control socket.\n"); LIST_FOREACH_SAFE(srv, &elem->bound_addresses, chain, t_addr) { if (pkt->address == srv->address) { 
@@ -637,7 +650,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ struct sockaddr_in saddr; struct sockaddr_in daddr; - plogdump(ASL_LEVEL_DEBUG, pkt, ntohs(hdr->len) + sizeof(struct vpnctl_hdr), "received assert command on vpn control socket.\n"); + plogdump(ASL_LEVEL_NOTICE, pkt, ntohs(hdr->len) + sizeof(struct vpnctl_hdr), "received assert command on vpn control socket.\n"); // LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { // if (pkt->dst_address == addr->address) { bzero(&saddr, sizeof(saddr)); @@ -670,7 +683,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ struct bound_addr *addr; struct bound_addr *t_addr; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "received reconnect command on vpn control socket.\n"); LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { @@ -683,7 +696,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_ break; default: - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "invalid command: %d\n", ntohs(hdr->msg_type)); error = -1; // for now break; @@ -705,7 +718,7 @@ vpncontrol_reply(int so, char *combuf) tlen = send(so, combuf, sizeof(struct vpnctl_hdr), 0); if (tlen < 0) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "failed to send vpn_control message: %s\n", strerror(errno)); return -1; } @@ -733,7 +746,7 @@ vpncontrol_set_nat64_prefix(nw_nat64_prefix_t *prefix) int vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t attr_len) { - struct vpnctl_status_need_authinfo *msg = NULL; + struct vpnctl_status_need_authinfo *msg = NULL; struct vpnctl_socket_elem *sock_elem; struct bound_addr *bound_addr; size_t msg_size; 
@@ -744,12 +757,12 @@ vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t a if (!iph1) goto end; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "sending vpn_control xauth need info status\n"); msg = (struct vpnctl_status_need_authinfo *)racoon_malloc(msg_size = sizeof(struct vpnctl_status_need_authinfo) + attr_len); if (msg == NULL) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "unable to allocate space for vpn control message.\n"); return -1; } @@ -778,7 +791,7 @@ vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t a plog(ASL_LEVEL_DEBUG, "vpn control writing %zu bytes\n", msg_size); tlen = send(sock_elem->sock, msg, msg_size, 0); if (tlen < 0) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "failed to send vpn_control need authinfo status: %s\n", strerror(errno)); } break; @@ -795,7 +808,7 @@ end: int vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t address, u_int16_t data_len, u_int8_t *data) { - struct vpnctl_status_failed *msg = NULL; + struct vpnctl_status_failed *msg = NULL; struct vpnctl_socket_elem *sock_elem; struct bound_addr *bound_addr; size_t len; @@ -805,7 +818,7 @@ vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t ad msg = (struct vpnctl_status_failed *)racoon_malloc(len); if (msg == NULL) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_ERR, "unable to allcate memory for vpn control status message.\n"); return -1; } @@ -818,7 +831,7 @@ vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t ad msg->from = htons(from); if (data_len > 0) memcpy(msg->data, data, data_len); - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_ERR, "sending vpn_control ike failed message - code=%d from=%s.\n", notify_code, (from == FROM_LOCAL ? "local" : "remote")); 
@@ -828,8 +841,11 @@ vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t ad bound_addr->address == address) { tlen = send(sock_elem->sock, msg, len, 0); if (tlen < 0) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "Unable to send vpn_control ike notify failed: %s\n", strerror(errno)); + } else { + plog(ASL_LEVEL_DEBUG, + "Sent %zd/%zu bytes\n", tlen, len); } break; } @@ -870,7 +886,7 @@ vpncontrol_status_2_str(u_int16_t msg_type) int vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1, phase2_handle_t *iph2) { - struct vpnctl_status_phase_change *msg; + struct vpnctl_status_phase_change *msg; struct vpnctl_socket_elem *sock_elem; struct bound_addr *bound_addr; ssize_t tlen; @@ -886,7 +902,7 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1, } if (msg == NULL) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "unable to allocate space for vpn control message.\n"); return -1; } @@ -896,8 +912,8 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1, plog(ASL_LEVEL_ERR, "bad address for ph1 status change.\n"); goto end; } - msg->hdr.msg_type = htons(start ? - (from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER) + msg->hdr.msg_type = htons(start ? + (from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER) : VPNCTL_STATUS_PH1_ESTABLISHED); // TODO: indicate version } else { @@ -923,7 +939,7 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1, plog(ASL_LEVEL_DEBUG, "vpn control writing %zu bytes\n", msg_size); tlen = send(sock_elem->sock, msg, msg_size, 0); if (tlen < 0) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "failed to send vpn_control phase change status: %s\n", strerror(errno)); } break; 
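Review bot: A short `send()` — `tlen` between 0 and `len` — is still treated as success on this path and only mentioned at DEBUG by the added log, but on a stream socket it leaves the controller with a truncated `vpnctl_status_failed` record and every later message misaligned. The listener is put in O_NONBLOCK in vpncontrol_init and, if the accepted socket inherits that (BSD-derived behaviour, not visible here), a partial write is a realistic outcome under backpressure. Report it at ERR instead, e.g. `} else if ((size_t)tlen != len) { plog(ASL_LEVEL_ERR, "short send of vpn_control ike failed message: %zd of %zu bytes\n", tlen, len); }`; the other notify_* senders in this file have the same gap. vpncontrol_notify_ike_failed begins and ends outside this hunk.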
@@ -940,7 +956,7 @@ end: static int vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address) { - struct vpnctl_status_peer_resp msg; + struct vpnctl_status_peer_resp msg; struct vpnctl_socket_elem *sock_elem; struct bound_addr *bound_addr; ssize_t tlen; @@ -952,7 +968,7 @@ vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address) msg.hdr.len = htons(sizeof(msg) - sizeof(msg.hdr)); msg.address = address; msg.ike_code = notify_code; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "sending vpn_control status (peer response) message - code=%d addr=%x.\n", notify_code, address); LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) { @@ -961,7 +977,7 @@ vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address) bound_addr->address == address) { tlen = send(sock_elem->sock, &msg, sizeof(msg), 0); if (tlen < 0) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "unable to send vpn_control status (peer response): %s\n", strerror(errno)); } else { rc = 0; @@ -1006,13 +1022,13 @@ int vpncontrol_init(void) { int sock; - + if (vpncontrolsock_path == NULL) { lcconf->sock_vpncontrol = -1; return 0; } - if ( (lcconf->sock_vpncontrol = checklaunchd()) == 0 ) { + if ( (lcconf->sock_vpncontrol = checklaunchd()) == 0 ) { memset(&sunaddr, 0, sizeof(sunaddr)); sunaddr.sun_family = AF_UNIX; snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path), @@ -1020,7 +1036,7 @@ vpncontrol_init(void) lcconf->sock_vpncontrol = socket(AF_UNIX, SOCK_STREAM, 0); if (lcconf->sock_vpncontrol == -1) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "socket: %s\n", strerror(errno)); return -1; } 
@@ -1028,11 +1044,11 @@ vpncontrol_init(void) if (fcntl(lcconf->sock_vpncontrol, F_SETFL, O_NONBLOCK) == -1) { plog(ASL_LEVEL_ERR, "failed to put VPN-Control socket in non-blocking mode\n"); } - + unlink(sunaddr.sun_path); if (bind(lcconf->sock_vpncontrol, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) != 0) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "bind(sockname:%s): %s\n", sunaddr.sun_path, strerror(errno)); (void)close(lcconf->sock_vpncontrol); @@ -1040,30 +1056,30 @@ vpncontrol_init(void) } if (chown(sunaddr.sun_path, vpncontrolsock_owner, vpncontrolsock_group) != 0) { - plog(ASL_LEVEL_ERR, - "chown(%s, %d, %d): %s\n", - sunaddr.sun_path, vpncontrolsock_owner, + plog(ASL_LEVEL_ERR, + "chown(%s, %d, %d): %s\n", + sunaddr.sun_path, vpncontrolsock_owner, vpncontrolsock_group, strerror(errno)); (void)close(lcconf->sock_vpncontrol); return -1; } if (chmod(sunaddr.sun_path, vpncontrolsock_mode) != 0) { - plog(ASL_LEVEL_ERR, - "chmod(%s, 0%03o): %s\n", + plog(ASL_LEVEL_ERR, + "chmod(%s, 0%03o): %s\n", sunaddr.sun_path, vpncontrolsock_mode, strerror(errno)); (void)close(lcconf->sock_vpncontrol); return -1; } if (listen(lcconf->sock_vpncontrol, 5) != 0) { - plog(ASL_LEVEL_ERR, + plog(ASL_LEVEL_ERR, "listen(sockname:%s): %s\n", sunaddr.sun_path, strerror(errno)); (void)close(lcconf->sock_vpncontrol); return -1; } - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "opened %s as racoon management.\n", sunaddr.sun_path); } lcconf->vpncontrol_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, lcconf->sock_vpncontrol, 0, dispatch_get_main_queue()); @@ -1073,7 +1089,7 @@ vpncontrol_init(void) } dispatch_source_set_event_handler_f(lcconf->vpncontrol_source, vpncontrol_handler); sock = lcconf->sock_vpncontrol; - dispatch_source_set_cancel_handler(lcconf->vpncontrol_source, + dispatch_source_set_cancel_handler(lcconf->vpncontrol_source, ^{ close(sock); }); 
@@ -1086,10 +1102,10 @@ vpncontrol_disconnect_all(struct vpnctl_socket_elem *elem, const char *reason) { struct bound_addr *addr; struct bound_addr *t_addr; - - plog(ASL_LEVEL_DEBUG, + + plog(ASL_LEVEL_NOTICE, "received disconnect all command.\n"); - + LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { /* stop any connections */ vpn_disconnect(addr, reason); @@ -1102,12 +1118,12 @@ vpncontrol_close() struct vpnctl_socket_elem *elem; struct vpnctl_socket_elem *t_elem; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "vpncontrol_close.\n"); dispatch_source_cancel(lcconf->vpncontrol_source); lcconf->vpncontrol_source = NULL; - + lcconf->sock_vpncontrol = -1; LIST_FOREACH_SAFE(elem, &lcconf->vpnctl_comm_socks, chain, t_elem) vpncontrol_close_comm(elem); @@ -1119,12 +1135,20 @@ vpncontrol_close_comm(struct vpnctl_socket_elem *elem) struct bound_addr *addr; struct bound_addr *t_addr; - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "vpncontrol_close_comm.\n"); LIST_REMOVE(elem, chain); - if (elem->sock != -1) + if (elem->sock != -1) { dispatch_source_cancel(elem->source); + elem->sock = -1; + } + if (elem->buffer != NULL) { + free(elem->buffer); + elem->buffer = NULL; + elem->pending_bytes_len = 0; + elem->read_bytes_len = 0; + } LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { flushsainfo_dynamic(addr->address); LIST_REMOVE(addr, chain); 
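Review bot: In the `@@ -1119` hunk of vpncontrol_close_comm, `elem->buffer` is freed and the two length fields zeroed right after `dispatch_source_cancel(elem->source)`, but cancellation is asynchronous: the source's event handler may still be queued or executing and, if it reads into `elem->buffer` using `read_bytes_len`/`pending_bytes_len`, this becomes a use-after-free on data that arrived over the control socket. libdispatch guarantees the cancel handler runs only after the event handler has finished, so the buffer release belongs in the source's cancel handler (next to the `close(sock)` the `@@ -1073` hunk shows for the listening socket) rather than here; if every access to `elem` is in fact confined to the main queue, a comment stating that invariant, e.g. `/* elem is only touched from the main queue; freeing after cancel is ordered */`, would make the reasoning explicit. The `elem->buffer != NULL` guard is also redundant for `free`, though harmless since it scopes the length resets.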
diff --git a/ipsec-tools/racoon_test/future_cert.der b/ipsec-tools/racoon_test/future_cert.der new file mode 100644 index 0000000000000000000000000000000000000000..5b6c30743fa25a55bca37171bb9a591dcd12c380 GIT binary patch literal 903 zcmXqLVs18QV#;P>WHjJqYmnHWVuxkgZ~L1QbbQ=wLH2y=m)nnq=}N*IWN-73PLR$5Y8lp3E5^f}m_ zO^iy&p~%R}z}&>h&tTBR$i>ve$jESzjp3oKt0~tl*NR_)%CRqdc3=FW{BV8jDboi| z*IF8+irF7JH^@w1)1}Eb(wTQN0kGrYK3QsJ3o_BxwiaIHggEN0BPHgx2 zx#NZcx8@fk^U1xw6`R)9?G`@$%-i(kEN-@WTjp~-a|>cjuCe>epW|fXvX|j)s=eX8 z`7VW*zHK#;5l(wru;XlA>(dnn6uHmMJF$W1(3Az6nV1quC#skan-`G?Rg72d>WlUu-eU${vNUO?>g(_zh52w zRqd1}wD3vyLy@#>r#oA1?00`S{xxFCaeKk(*YgkjyV7#}FKcYAis$NMFB4Z=GrDi) z+8V4ayv~jJY2*9_ZgNkB=E+382rW`r9rDj^$v#8J|DGJcgqy8W`_bh><>cL0S1eY1 z$YQmOL1cZoLXPF8^D);h_Em~0y^HYA_^B(;cKyZ%RnAvz?q|GLuBc^XvCcEtu=Kt3 zredZ;QHS-+oXjsg%bNIZ3a9BZzS!)O-@5DcUR*sd-jWk_Nt%Uk=i&^fH?f*qJg#&< F1OQ()QC0u| literal 0 HcmV?d00001 
diff --git a/ipsec-tools/racoon_test/past_cert.der b/ipsec-tools/racoon_test/past_cert.der new file mode 100644 index 0000000000000000000000000000000000000000..51b9503513a27442a8a56cbc7055b7d2f97b5dfc GIT binary patch literal 901 zcmXqLVs12OV#;JWu|nf&2=iXSVM)&@*A$+5qom1SN}?W zyn09MM#$50v2t-{tC|b1_idi{KoL7@;#EWYTBip@5Ixi z*WOzDG(2J9q)8pw_D7$1-sa-Jnc?`}w`Piv +#include +#include +#include + +#define racoon_test_pass 0 +#define racoon_test_failure 1 + +static struct option long_options[] = +{ + {"unit_test", no_argument, 0, 'u'}, + {"help" , no_argument, 0, 'h'} +}; + +static void +print_usage(char *name) +{ + printf("Usage: %s\n", name); + printf(" -unit_test\n"); +} + +static int +racoon_cert_validity_test(void) +{ + int result = racoon_test_pass; +#ifndef HAVE_OPENSSL + /* + * Below tests are applicable only for embedded + * because the crypto_cssm_check_x509cert_dates() + * does nothing on osx. + */ + cert_status_t cert_status; + + fprintf(stdout, "[TEST] RacoonCertValidity\n"); + + // For certificate info, look at past_cert.der + fprintf(stdout, "[BEGIN] ExpiredCertTest\n"); + CFDataRef past_cert_data = CFDataCreate(kCFAllocatorDefault, past_cert_der, sizeof(past_cert_der)); + SecCertificateRef past_cert_ref = SecCertificateCreateWithData(NULL, past_cert_data); + cert_status = crypto_cssm_check_x509cert_dates (past_cert_ref); + if (cert_status != CERT_STATUS_EXPIRED) { + fprintf(stdout, "[FAIL] ExpiredCertTest\n"); + result = racoon_test_failure; + } else { + fprintf(stdout, "[PASS] ExpiredCertTest\n"); + } + + // For certificate info, look at future_cert.der + fprintf(stdout, "[BEGIN] PrematureCertTest\n"); + CFDataRef future_cert_data = CFDataCreate(kCFAllocatorDefault, future_cert_der, sizeof(future_cert_der)); + SecCertificateRef future_cert_ref = SecCertificateCreateWithData(NULL, future_cert_data); + cert_status = crypto_cssm_check_x509cert_dates (future_cert_ref); + if (cert_status != CERT_STATUS_PREMATURE) { + fprintf(stdout, "[FAIL] PrematureCertTest\n"); 
+ result = racoon_test_failure; + } else { + fprintf(stdout, "[PASS] PrematureCertTest\n"); + } + + + // For certificate info, look at valid_cert.der + fprintf(stdout, "[BEGIN] ValidCertTest\n"); + CFDataRef valid_cert_data = CFDataCreate(kCFAllocatorDefault, valid_cert_der, sizeof(valid_cert_der)); + SecCertificateRef valid_cert_ref = SecCertificateCreateWithData(NULL, valid_cert_data); + cert_status = crypto_cssm_check_x509cert_dates (valid_cert_ref); + if (cert_status != CERT_STATUS_OK) { + fprintf(stdout, "[FAIL] ValidCertTest\n"); + result = racoon_test_failure; + } else { + fprintf(stdout, "[PASS] ValidCertTest\n"); + } +#endif // HAVE_OPENSSL + return result; +} + +static void +racoon_unit_test(void) +{ + int result = racoon_test_pass; + + if (racoon_cert_validity_test() == racoon_test_failure) { + result = racoon_test_failure; + } + + if (result == racoon_test_pass) { + fprintf(stdout, "\nAll Tests Passed\n\n"); + } +} + +int +main(int argc, char *argv[]) +{ + int opt = 0; + int opt_index = 0; + + if (argc < 2) { + print_usage(argv[0]); + return (0); + } + + while ((opt = getopt_long_only(argc, argv, "", long_options, &opt_index)) != -1) { + switch (opt) { + case 'u': + { + racoon_unit_test(); + break; + } + case 'h': + default: + { + print_usage(argv[0]); + exit(EXIT_FAILURE); + } + } + } + + return (0); +} 
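Review bot: `long_options` in the new racoon_test.c lacks the terminating all-zero element that `getopt_long_only` relies on to find the end of the table, so an unrecognised long option makes the scan read past the two-entry array; add `{0, 0, 0, 0}` as the last initializer. Separately, `racoon_unit_test` computes `result` and then discards it while `main` always returns 0, so a failing ExpiredCertTest, PrematureCertTest or ValidCertTest is invisible to any harness that runs this binary; make `racoon_unit_test` return `result` and have the `'u'` case `exit(racoon_unit_test());`. `SecCertificateCreateWithData` returns NULL for DER it cannot parse and that value is handed unchecked to `crypto_cssm_check_x509cert_dates` in each of the three tests; reporting `[FAIL]` on NULL keeps a corrupted fixture from crashing the test instead of failing it, and the CFDataRef/SecCertificateRef objects should be `CFRelease`d once the status has been read.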
diff --git a/ipsec-tools/racoon_test/valid_cert.der b/ipsec-tools/racoon_test/valid_cert.der new file mode 100644 index 0000000000000000000000000000000000000000..3a453016d8555e2ad8ed2cc0c9a0be85e1ced6c3 GIT binary patch literal 902 zcmXqLVs0{MV#;D-WHjJqIO;3qW z26`Oq%qB)9V@2S93&c^4Lb35NY@@UIE z-@A?qY6dn73PT@!{c`hol#;Lcqx-%r?q7?IOKxm?sLB;Fm7V$U6oFOd-*$_fbNN}r zJx5Pt^~7hNgbz*#^vz@5Z6PA_e%}-4%4@sNq{!x&%WF@$TYu)ox33ItvDz*F1s>;L z=-E3*!*fjy^KF-hS1)KS>wT@eZ}Ojedrn&HxAA{evCGnTp_Ze?_PWW8ob#V9_~>E5 zp%7plQ1f|l)!S=R-!{&$h-_!u<&m>XJZ|yK=^=5Kd4+{~ZgMOwtTH~kyl-NIG53X{ z@^*psJjMx~|Bk3O?tOVjuE_Xe?nzJSgUip`1awLT7aTe3SjxoA$bg>AfFZ=lz>qZ8 zmVbY#Wh~p}li5oy?%s4fbj`++#WxLFCtUmcP$N&L&1d0P!!^N2*;>^^FPNTdWO}V| za^kIHVVx1>Tqh3r6iNNscvW-y9sQRd+wV_G@AC0wS#@t`@6$Y~7n1^=^8HtD_*pKr zCr$Un(|4e^q*xUDSWM_3gRW>!hU4HLUKK$M5?@NiBMI&QGdr*CUw<8jt$Yk%4;*=?{Pw&2U+hkondKWTFIyv5=h_{Jvg zt%{oOMJu0H>)W}>i_@% literal 0 HcmV?d00001 diff --git a/ipsec.xcodeproj/project.pbxproj b/ipsec.xcodeproj/project.pbxproj index 44cb4da..140c9cf 100644 --- a/ipsec.xcodeproj/project.pbxproj +++ b/ipsec.xcodeproj/project.pbxproj @@ -29,6 +29,7 @@ 72B3C21E16850D1E004E4548 /* CopyFiles */, ); dependencies = ( + 69983DBD1E7B3D30007683BF /* PBXTargetDependency */, 72B3C2101684F5E1004E4548 /* PBXTargetDependency */, 72B3C20E1684F5DE004E4548 /* PBXTargetDependency */, ); @@ -75,6 +76,7 @@ buildPhases = ( ); dependencies = ( + 69983DBF1E7B4DE4007683BF /* PBXTargetDependency */, 812531110D3FEA28006BDF4F /* PBXTargetDependency */, 81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */, 81DDFDF10D627DE300C5CB87 /* PBXTargetDependency */, 
@@ -104,8 +106,6 @@ 25DC9ED509DB16F800C89F86 /* isakmp_unity.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E10988657000D15623 /* isakmp_unity.c */; }; 25DC9ED609DB16FA00C89F86 /* isakmp_xauth.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E40988657000D15623 /* isakmp_xauth.c */; }; 25DE2DE90A8BD40E0010A46D /* vpn_control.c in Sources */ = {isa = PBXBuildFile; fileRef = 25DE2DE60A8BD40E0010A46D /* vpn_control.c */; }; - 25EAE84809D879700042CC7F /* libssl.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84709D879700042CC7F /* libssl.dylib */; }; - 25EAE84B09D879DE0042CC7F /* libcrypto.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84A09D879DE0042CC7F /* libcrypto.dylib */; }; 25EAE87709D87A770042CC7F /* libiconv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE87609D87A770042CC7F /* libiconv.dylib */; }; 25EAE8C109D87B080042CC7F /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE8C009D87B080042CC7F /* CoreFoundation.framework */; }; 25EAE8C609D87B990042CC7F /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; }; 
@@ -149,11 +149,19 @@ 25F259610988657000D15623 /* throttle.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259210988657000D15623 /* throttle.c */; }; 25F259620988657000D15623 /* vendorid.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259240988657000D15623 /* vendorid.c */; }; 25F259630988657000D15623 /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; }; + 6912CB6E1E78D94B00631D9A /* crypto_cssm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B70988657000D15623 /* crypto_cssm.c */; }; + 6912CB701E78D96900631D9A /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6912CB6F1E78D96900631D9A /* Security.framework */; }; + 6912CB721E78D97200631D9A /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6912CB711E78D97200631D9A /* CoreFoundation.framework */; }; + 6912CB731E78D9A900631D9A /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; }; + 6912CB741E78D9D800631D9A /* plog.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FD0988657000D15623 /* plog.c */; }; + 6912CB761E78DD7100631D9A /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6912CB751E78DD7100631D9A /* SystemConfiguration.framework */; }; + 6912CB771E78DD8800631D9A /* Preferences.c in Sources */ = {isa = PBXBuildFile; fileRef = BACD8C681496A50C0042DEA1 /* Preferences.c */; }; 72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; }; 723B6A30162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; }; 723B6A31162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; }; 724ED87916851AAC008F2EBD /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; }; 
724ED87A16851AB6008F2EBD /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; }; + 7253CC651E7B3F4600B2DDF5 /* racoon_test.c in Sources */ = {isa = PBXBuildFile; fileRef = 7253CC611E7B3EAB00B2DDF5 /* racoon_test.c */; }; 72B433770E3677D800D67508 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; }; 72F5C72E1607A1AE004C192F /* api_support.c in Sources */ = {isa = PBXBuildFile; fileRef = 72F5C72D1607A1AE004C192F /* api_support.c */; }; 72F5C72F1607A1AE004C192F /* api_support.c in Sources */ = {isa = PBXBuildFile; fileRef = 72F5C72D1607A1AE004C192F /* api_support.c */; }; @@ -267,6 +275,20 @@ /* End PBXBuildFile section */ /* Begin PBXContainerItemProxy section */ + 69983DBC1E7B3D30007683BF /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 23D2D790087071FC00C51098 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 69BB7E331E777E3C009EE2BA; + remoteInfo = racoon_test; + }; + 69983DBE1E7B4DE4007683BF /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 23D2D790087071FC00C51098 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 69BB7E331E777E3C009EE2BA; + remoteInfo = racoon_test; + }; 724ED875168515A7008F2EBD /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; @@ -401,6 +423,15 @@ ); runOnlyForDeploymentPostprocessing = 1; }; + 69BB7E321E777E3C009EE2BA /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = /usr/share/man/man1/; + dstSubfolderSpec = 0; + files = ( + ); + runOnlyForDeploymentPostprocessing = 1; + }; 72265DD80F818ED700730A7D /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; 
@@ -678,10 +709,20 @@ 25F259270988657000D15623 /* vmbuf.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = vmbuf.h; sourceTree = ""; }; 25F777B909ABE3E100C99783 /* key_debug.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = key_debug.c; path = Common/key_debug.c; sourceTree = ""; }; 25F777ED09ABE58400C99783 /* pfkey_dump.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = pfkey_dump.c; path = Common/pfkey_dump.c; sourceTree = ""; }; + 6912CB6F1E78D96900631D9A /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.0.Internal.sdk/System/Library/Frameworks/Security.framework; sourceTree = DEVELOPER_DIR; }; + 6912CB711E78D97200631D9A /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.0.Internal.sdk/System/Library/Frameworks/CoreFoundation.framework; sourceTree = DEVELOPER_DIR; }; + 6912CB751E78DD7100631D9A /* SystemConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SystemConfiguration.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.0.Internal.sdk/System/Library/Frameworks/SystemConfiguration.framework; sourceTree = DEVELOPER_DIR; }; + 69BB7E341E777E3C009EE2BA /* racoon_test */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = racoon_test; sourceTree = BUILT_PRODUCTS_DIR; }; + 69BB7E351E777E3D009EE2BA /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; }; 72265DDB0F818F9300730A7D /* ipsec.plist */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist; path = ipsec.plist; sourceTree = ""; }; 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = xpc_racoon.c; sourceTree = ""; }; 723B6A33162F7C1100895EE5 /* ipsec_xpc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ipsec_xpc.h; sourceTree = ""; }; 724F99500E3672FD00C56897 /* com.apple.racoon.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.racoon.plist; sourceTree = ""; }; + 7253CC601E7B3EAB00B2DDF5 /* racoon_certs_data.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = racoon_certs_data.h; path = "ipsec-tools/racoon_test/racoon_certs_data.h"; sourceTree = SOURCE_ROOT; }; + 7253CC611E7B3EAB00B2DDF5 /* racoon_test.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = racoon_test.c; path = "ipsec-tools/racoon_test/racoon_test.c"; sourceTree = SOURCE_ROOT; }; + 7253CC621E7B3EB700B2DDF5 /* future_cert.der */ = {isa = PBXFileReference; lastKnownFileType = file; name = future_cert.der; path = "ipsec-tools/racoon_test/future_cert.der"; sourceTree = SOURCE_ROOT; }; + 7253CC631E7B3EB700B2DDF5 /* past_cert.der */ = {isa = PBXFileReference; lastKnownFileType = file; name = past_cert.der; path = "ipsec-tools/racoon_test/past_cert.der"; sourceTree = SOURCE_ROOT; }; + 7253CC641E7B3EB700B2DDF5 /* valid_cert.der */ = {isa = PBXFileReference; lastKnownFileType = file; name = valid_cert.der; path = "ipsec-tools/racoon_test/valid_cert.der"; sourceTree = SOURCE_ROOT; }; 72F5C72D1607A1AE004C192F /* api_support.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = api_support.c; sourceTree = ""; }; 72F5C7311607A1DD004C192F /* api_support.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = api_support.h; 
sourceTree = ""; }; 7822D11D188DB07300874E91 /* NetworkExtension.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = NetworkExtension.framework; path = ../../../../../System/Library/Frameworks/NetworkExtension.framework; sourceTree = ""; }; @@ -742,8 +783,6 @@ 25EAE8C109D87B080042CC7F /* CoreFoundation.framework in Frameworks */, 8D5B16750E5F7F4E00E72675 /* libresolv.dylib in Frameworks */, 2537A1C709E49D0600D0ECDA /* libipsec.A.dylib in Frameworks */, - 25EAE84809D879700042CC7F /* libssl.dylib in Frameworks */, - 25EAE84B09D879DE0042CC7F /* libcrypto.dylib in Frameworks */, 25EAE87709D87A770042CC7F /* libiconv.dylib in Frameworks */, 81C9645F0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */, BA486225109C2BF500545E19 /* IOKit.framework in Frameworks */, @@ -758,6 +797,16 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 69BB7E311E777E3C009EE2BA /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 6912CB761E78DD7100631D9A /* SystemConfiguration.framework in Frameworks */, + 6912CB721E78D97200631D9A /* CoreFoundation.framework in Frameworks */, + 6912CB701E78D96900631D9A /* Security.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 812530F40D3FE9DC006BDF4F /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; @@ -814,6 +863,7 @@ 8125310A0D3FE9DC006BDF4F /* racoon */, 81DDFDAA0D622C1700C5CB87 /* setkey */, 81DDFDCD0D622C2700C5CB87 /* libipsec.A.dylib */, + 69BB7E341E777E3C009EE2BA /* racoon_test */, ); name = Products; sourceTree = ""; 
@@ -853,6 +903,9 @@ 25D3DB4C098998230025F703 /* Frameworks */ = { isa = PBXGroup; children = ( + 6912CB751E78DD7100631D9A /* SystemConfiguration.framework */, + 6912CB711E78D97200631D9A /* CoreFoundation.framework */, + 6912CB6F1E78D96900631D9A /* Security.framework */, 7822D11F188DB07C00874E91 /* NetworkExtension.framework */, 7822D11D188DB07300874E91 /* NetworkExtension.framework */, 81C964580DA2CBEF00257BC8 /* SystemConfiguration.framework */, @@ -862,6 +915,7 @@ 25EAE83709D875BF0042CC7F /* DirectoryService.framework */, 25EAE8C009D87B080042CC7F /* CoreFoundation.framework */, BA48611B109C2BBA00545E19 /* IOKit.framework */, + 69BB7E351E777E3D009EE2BA /* Foundation.framework */, ); name = Frameworks; sourceTree = ""; @@ -886,6 +940,7 @@ 25D3DB1B098996310025F703 /* libipsec */, 25F258000987FB1600D15623 /* racoon */, 25F257FF0987FB0E00D15623 /* setkey */, + 69BB7E2F1E777DEB009EE2BA /* Tests */, ); path = "ipsec-tools"; sourceTree = ""; @@ -1042,6 +1097,43 @@ path = Sample; sourceTree = ""; }; + 69983DB81E7B1BC6007683BF /* Source */ = { + isa = PBXGroup; + children = ( + 7253CC601E7B3EAB00B2DDF5 /* racoon_certs_data.h */, + 7253CC611E7B3EAB00B2DDF5 /* racoon_test.c */, + ); + path = Source; + sourceTree = ""; + }; + 69983DB91E7B1BCE007683BF /* Support */ = { + isa = PBXGroup; + children = ( + 7253CC621E7B3EB700B2DDF5 /* future_cert.der */, + 7253CC631E7B3EB700B2DDF5 /* past_cert.der */, + 7253CC641E7B3EB700B2DDF5 /* valid_cert.der */, + ); + path = Support; + sourceTree = ""; + }; + 69BB7E2F1E777DEB009EE2BA /* Tests */ = { + isa = PBXGroup; + children = ( + 69BB7E371E777E3D009EE2BA /* racoon_test */, + ); + path = Tests; + sourceTree = ""; + }; + 69BB7E371E777E3D009EE2BA /* racoon_test */ = { + isa = PBXGroup; + children = ( + 69983DB81E7B1BC6007683BF /* Source */, + 69983DB91E7B1BCE007683BF /* Support */, + ); + name = racoon_test; + path = ../../racoon_test; + sourceTree = ""; + }; 818710380D5BE15400C7B441 /* Sample */ = { isa = PBXGroup; children = ( 
@@ -1144,6 +1236,23 @@ productReference = 25F2580A0987FC1500D15623 /* setkey */; productType = "com.apple.product-type.tool"; }; + 69BB7E331E777E3C009EE2BA /* racoon_test */ = { + isa = PBXNativeTarget; + buildConfigurationList = 69BB7E3C1E777E3D009EE2BA /* Build configuration list for PBXNativeTarget "racoon_test" */; + buildPhases = ( + 69BB7E301E777E3C009EE2BA /* Sources */, + 69BB7E311E777E3C009EE2BA /* Frameworks */, + 69BB7E321E777E3C009EE2BA /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = racoon_test; + productName = racoon_test; + productReference = 69BB7E341E777E3C009EE2BA /* racoon_test */; + productType = "com.apple.product-type.tool"; + }; 812530BA0D3FE9DC006BDF4F /* racoon Embedded */ = { isa = PBXNativeTarget; buildConfigurationList = 812531050D3FE9DC006BDF4F /* Build configuration list for PBXNativeTarget "racoon Embedded" */; @@ -1211,6 +1320,12 @@ isa = PBXProject; attributes = { LastUpgradeCheck = 0430; + TargetAttributes = { + 69BB7E331E777E3C009EE2BA = { + CreatedOnToolsVersion = 9.0; + ProvisioningStyle = Automatic; + }; + }; }; buildConfigurationList = 25D3DACC098952B20025F703 /* Build configuration list for PBXProject "ipsec" */; compatibilityVersion = "Xcode 3.2"; @@ -1239,6 +1354,7 @@ 812530BA0D3FE9DC006BDF4F /* racoon Embedded */, 81DDFD970D622C1700C5CB87 /* setkey Embedded */, 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */, + 69BB7E331E777E3C009EE2BA /* racoon_test */, ); }; /* End PBXProject section */ 
@@ -1410,6 +1526,18 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 69BB7E301E777E3C009EE2BA /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 7253CC651E7B3F4600B2DDF5 /* racoon_test.c in Sources */, + 6912CB771E78DD8800631D9A /* Preferences.c in Sources */, + 6912CB741E78D9D800631D9A /* plog.c in Sources */, + 6912CB731E78D9A900631D9A /* vmbuf.c in Sources */, + 6912CB6E1E78D94B00631D9A /* crypto_cssm.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 812530BF0D3FE9DC006BDF4F /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; @@ -1497,6 +1625,16 @@ /* End PBXSourcesBuildPhase section */ /* Begin PBXTargetDependency section */ + 69983DBD1E7B3D30007683BF /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 69BB7E331E777E3C009EE2BA /* racoon_test */; + targetProxy = 69983DBC1E7B3D30007683BF /* PBXContainerItemProxy */; + }; + 69983DBF1E7B4DE4007683BF /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 69BB7E331E777E3C009EE2BA /* racoon_test */; + targetProxy = 69983DBE1E7B4DE4007683BF /* PBXContainerItemProxy */; + }; 724ED876168515A7008F2EBD /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 72B3C21116850B87004E4548 /* ipsec_libraries */; 
@@ -2005,6 +2143,165 @@ }; name = Default; }; + 69BB7E3D1E777E3D009EE2BA /* Development */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + APPLY_RULES_IN_COPY_FILES = YES; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "c++14"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = NO; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_DOCUMENTATION_COMMENTS = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INFINITE_RECURSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_SUSPICIOUS_MOVE = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "-"; + COPY_PHASE_STRIP = NO; + DEBUG_INFORMATION_FORMAT = dwarf; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_C_LANGUAGE_STANDARD = c11; + GCC_DYNAMIC_NO_PIC = NO; + GCC_NO_COMMON_BLOCKS = YES; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + IPHONEOS_DEPLOYMENT_TARGET = 11.0; + MACOSX_DEPLOYMENT_TARGET = 10.13; + MTL_ENABLE_DEBUG_INFO = YES; + ONLY_ACTIVE_ARCH = NO; + OTHER_CFLAGS = "-DUSE_SYSTEMCONFIGURATION_PRIVATE_HEADERS"; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = iphoneos.internal; + STRIP_INSTALLED_PRODUCT = NO; + SUPPORTED_PLATFORMS = "macosx iphonesimulator iphoneos appletvos appletvsimulator"; + TVOS_DEPLOYMENT_TARGET = 11.0; + VALID_ARCHS = "arm64 arm64_32 arm64e armv4t armv5 armv6 armv6m armv7 armv7em armv7f 
armv7k armv7m armv7s xscale x86_64h x86_64 i386"; + VERSIONING_SYSTEM = "apple-generic"; + }; + name = Development; + }; + 69BB7E3E1E777E3D009EE2BA /* Deployment */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + APPLY_RULES_IN_COPY_FILES = YES; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "c++14"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = NO; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_DOCUMENTATION_COMMENTS = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INFINITE_RECURSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_SUSPICIOUS_MOVE = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "-"; + COPY_PHASE_STRIP = YES; + DEAD_CODE_STRIPPING = YES; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_C_LANGUAGE_STANDARD = c11; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + IPHONEOS_DEPLOYMENT_TARGET = 11.0; + MACOSX_DEPLOYMENT_TARGET = 10.13; + MTL_ENABLE_DEBUG_INFO = NO; + OTHER_CFLAGS = "-DUSE_SYSTEMCONFIGURATION_PRIVATE_HEADERS"; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = iphoneos.internal; + SUPPORTED_PLATFORMS = "macosx iphonesimulator iphoneos appletvos appletvsimulator"; + TVOS_DEPLOYMENT_TARGET = 11.0; + VALIDATE_PRODUCT = YES; + VALID_ARCHS = "arm64 arm64_32 arm64e armv4t armv5 armv6 armv6m armv7 armv7em armv7f armv7k armv7m armv7s xscale x86_64h x86_64 
i386"; + VERSIONING_SYSTEM = "apple-generic"; + }; + name = Deployment; + }; + 69BB7E3F1E777E3D009EE2BA /* Default */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + APPLY_RULES_IN_COPY_FILES = YES; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "c++14"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = NO; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_DOCUMENTATION_COMMENTS = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INFINITE_RECURSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_SUSPICIOUS_MOVE = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "-"; + COPY_PHASE_STRIP = YES; + DEAD_CODE_STRIPPING = YES; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_C_LANGUAGE_STANDARD = c11; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + IPHONEOS_DEPLOYMENT_TARGET = 11.0; + MACOSX_DEPLOYMENT_TARGET = 10.13; + MTL_ENABLE_DEBUG_INFO = NO; + OTHER_CFLAGS = "-DUSE_SYSTEMCONFIGURATION_PRIVATE_HEADERS"; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = iphoneos.internal; + SUPPORTED_PLATFORMS = "macosx iphonesimulator iphoneos appletvos appletvsimulator"; + TVOS_DEPLOYMENT_TARGET = 11.0; + VALIDATE_PRODUCT = YES; + VALID_ARCHS = "arm64 arm64_32 arm64e armv4t armv5 armv6 armv6m armv7 armv7em armv7f armv7k armv7m armv7s xscale x86_64h x86_64 i386"; + VERSIONING_SYSTEM = "apple-generic"; + 
}; + name = Default; + }; 72B3C2091684F5C4004E4548 /* Development */ = { isa = XCBuildConfiguration; buildSettings = { @@ -2614,6 +2911,16 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Default; }; + 69BB7E3C1E777E3D009EE2BA /* Build configuration list for PBXNativeTarget "racoon_test" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 69BB7E3D1E777E3D009EE2BA /* Development */, + 69BB7E3E1E777E3D009EE2BA /* Deployment */, + 69BB7E3F1E777E3D009EE2BA /* Default */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Default; + }; 72B3C20C1684F5C4004E4548 /* Build configuration list for PBXAggregateTarget "ipsec_executables" */ = { isa = XCConfigurationList; buildConfigurations = ( -- 2.47.2