From e8d9021d008d9729f3dfcdc16bb03a990513b007 Mon Sep 17 00:00:00 2001 
From: Apple Date: Wed, 13 Jul 2011 00:07:47 +0000 Subject: [PATCH] ipsec-146.1.tar.gz --- entitlements.plist | 5 + ipsec-tools/Common/config.h | 22 +- ipsec-tools/Common/ipsecMessageTracer.h | 17 + ipsec-tools/Common/libpfkey.h | 33 - ipsec-tools/Common/pfkey.c | 462 +-------- ipsec-tools/Common/pfkey_dump.c | 13 - ipsec-tools/libipsec/policy_token.l | 8 - ipsec-tools/libipsec/test-policy.c | 4 - ipsec-tools/racoon/admin.c | 15 +- ipsec-tools/racoon/algorithm.c | 10 + ipsec-tools/racoon/backupsa.c | 19 - ipsec-tools/racoon/cfparse.y | 109 ++- ipsec-tools/racoon/cftoken.l | 76 +- ipsec-tools/racoon/crypto_cssm.c | 355 ++++--- ipsec-tools/racoon/crypto_cssm.h | 14 +- ipsec-tools/racoon/crypto_openssl.c | 523 ++-------- ipsec-tools/racoon/crypto_openssl.h | 18 +- ipsec-tools/racoon/eaytest.c | 18 - ipsec-tools/racoon/grabmyaddr.c | 260 +---- ipsec-tools/racoon/grabmyaddr.h | 2 - ipsec-tools/racoon/handler.c | 200 +++- ipsec-tools/racoon/handler.h | 30 +- ipsec-tools/racoon/ike_session.c | 321 ++++++- ipsec-tools/racoon/ike_session.h | 22 +- ipsec-tools/racoon/ipsec_doi.c | 96 +- ipsec-tools/racoon/ipsec_doi.h | 4 - ipsec-tools/racoon/isakmp.c | 284 +++--- ipsec-tools/racoon/isakmp.h | 4 +- ipsec-tools/racoon/isakmp_agg.c | 66 +- ipsec-tools/racoon/isakmp_base.c | 76 +- ipsec-tools/racoon/isakmp_cfg.c | 34 +- ipsec-tools/racoon/isakmp_cfg.h | 1 + ipsec-tools/racoon/isakmp_frag.c | 198 +++- ipsec-tools/racoon/isakmp_frag.h | 11 +- ipsec-tools/racoon/isakmp_ident.c | 75 +- ipsec-tools/racoon/isakmp_inf.c | 125 ++- ipsec-tools/racoon/isakmp_quick.c | 66 +- ipsec-tools/racoon/isakmp_var.h | 12 +- ipsec-tools/racoon/isakmp_xauth.c | 14 + ipsec-tools/racoon/kmpstat.c | 6 +- ipsec-tools/racoon/localconf.c | 35 +- ipsec-tools/racoon/localconf.h | 4 +- ipsec-tools/racoon/logger.c | 144 ++- ipsec-tools/racoon/logger.h | 2 + ipsec-tools/racoon/main.c | 33 +- ipsec-tools/racoon/misc.h | 5 - ipsec-tools/racoon/nattraversal.c | 155 --- ipsec-tools/racoon/nattraversal.h | 21 +- 
ipsec-tools/racoon/oakley.c | 1165 ++++++++++++++++------- ipsec-tools/racoon/oakley.h | 25 +- ipsec-tools/racoon/pfkey_racoon.c | 201 +--- ipsec-tools/racoon/plog.c | 72 +- ipsec-tools/racoon/plog.h | 9 +- ipsec-tools/racoon/policy.c | 4 - ipsec-tools/racoon/power_mgmt.c | 217 +++++ ipsec-tools/racoon/power_mgmt.h | 13 + ipsec-tools/racoon/privsep.c | 19 +- ipsec-tools/racoon/proposal.c | 4 - ipsec-tools/racoon/prsa_par.y | 6 +- ipsec-tools/racoon/prsa_tok.l | 7 +- ipsec-tools/racoon/racoon.8 | 27 +- ipsec-tools/racoon/racoon.conf.5 | 11 + ipsec-tools/racoon/racoonctl.c | 11 - ipsec-tools/racoon/remoteconf.c | 24 +- ipsec-tools/racoon/remoteconf.h | 16 +- ipsec-tools/racoon/sainfo.c | 38 +- ipsec-tools/racoon/sainfo.h | 4 - ipsec-tools/racoon/schedule.c | 10 +- ipsec-tools/racoon/schedule.h | 1 + ipsec-tools/racoon/session.c | 116 ++- ipsec-tools/racoon/session.h | 2 +- ipsec-tools/racoon/sockmisc.c | 180 +--- ipsec-tools/racoon/vendorid.c | 5 +- ipsec-tools/racoon/vendorid.h | 11 - ipsec-tools/racoon/vmbuf.h | 2 - ipsec-tools/racoon/vpn.c | 33 +- ipsec-tools/racoon/vpn.h | 3 +- ipsec-tools/racoon/vpn_control.c | 132 ++- ipsec-tools/racoon/vpn_control.h | 24 +- ipsec-tools/racoon/vpn_control_var.h | 11 +- ipsec-tools/setkey/parse.y | 4 - ipsec-tools/setkey/setkey.c | 4 - ipsec-tools/setkey/test-pfkey.c | 7 - ipsec-tools/setkey/token.l | 8 - ipsec.plist | 101 +- ipsec.txt | 150 +++ ipsec.xcodeproj/project.pbxproj | 430 +++++---- racoon.sb | 103 ++ 88 files changed, 3979 insertions(+), 3258 deletions(-) create mode 100644 ipsec-tools/racoon/power_mgmt.c create mode 100644 ipsec-tools/racoon/power_mgmt.h create mode 100644 ipsec.txt create mode 100644 racoon.sb diff --git a/entitlements.plist b/entitlements.plist index 93abc34..3e9e396 100644 --- a/entitlements.plist +++ b/entitlements.plist @@ -5,6 +5,11 @@ keychain-access-groups apple + com.apple.identities + + seatbelt-profiles + + racoon 
diff --git a/ipsec-tools/Common/config.h b/ipsec-tools/Common/config.h index 05028df..c7813f6 100644 --- a/ipsec-tools/Common/config.h +++ b/ipsec-tools/Common/config.h @@ -15,7 +15,7 @@ #define ENABLE_DPD 1 /* IKE fragmentation support */ -#undef ENABLE_FRAG +#define ENABLE_FRAG 1 /* Hybrid authentication support */ #define ENABLE_HYBRID 1 @@ -23,15 +23,6 @@ /* Enable NAT-Traversal */ #define ENABLE_NATT 1 -#ifndef __APPLE__ -/* our kernel does not have support for versions 00 or 01 */ -/* Enable NAT-Traversal draft 00 */ -#undef ENABLE_NATT_00 - -/* Enable NAT-Traversal draft 01 */ -#undef ENABLE_NATT_01 -#endif /* __APPLE__ */ - /* Enable NAT-Traversal draft 02 */ #define ENABLE_NATT_02 1 @@ -135,6 +126,13 @@ #define HAVE_GETIFADDRS 1 +#if TARGET_OS_EMBEDDED +#undef HAVE_OPENSSL +#else +#define HAVE_OPENSSL 1 +#endif + +#ifdef HAVE_OPENSSL /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_AES_H 1 @@ -146,6 +144,7 @@ /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_RC5_H 1 +#endif /* Define to 1 if you have the `pam_start' function. */ #if TARGET_OS_EMBEDDED @@ -237,6 +236,7 @@ /* Use advanced IPv6 API */ #define INET6_ADVAPI 1 +#define __APPLE_USE_RFC_3542 1 /* Name of package */ #undef PACKAGE @@ -290,6 +290,4 @@ /* Define to `unsigned' if does not define. */ #undef size_t -#ifdef __APPLE__ #define USE_SYSTEMCONFIGURATION_PRIVATE_HEADERS 1 -#endif diff --git a/ipsec-tools/Common/ipsecMessageTracer.h b/ipsec-tools/Common/ipsecMessageTracer.h index 9a3f50a..126926d 100644 --- a/ipsec-tools/Common/ipsecMessageTracer.h +++ b/ipsec-tools/Common/ipsecMessageTracer.h @@ -23,6 +23,8 @@ #ifndef _IPSECMESSAGETRACER_H #define _IPSECMESSAGETRACER_H +#import + #define CONSTSTR(str) (const char *)str #define L2TPIPSECVPN_CONNECTION_ESTABLISHED_DOMAIN CONSTSTR("com.apple.Networking.ipsec.disconnect.l2tpipsec") 
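Review bot: `#if TARGET_OS_EMBEDDED` in the HAVE_OPENSSL hunk evaluates to 0 when that macro is undefined, so a translation unit that includes config.h before TargetConditionals.h would silently get `#define HAVE_OPENSSL 1` on the embedded build; the existing `#if TARGET_OS_EMBEDDED` around pam_start in the next hunk has the same dependency. Unless TargetConditionals.h is already included earlier in this header (outside the hunk), add `#include <TargetConditionals.h>` at the top of config.h, or build with `-Wundef` so the undefined-macro case is diagnosed rather than defaulting to the OpenSSL configuration. The same ordering caveat applies to the added `#define __APPLE_USE_RFC_3542 1`: it only enables the RFC 3542 API if config.h is included before `<netinet/in.h>` in every translation unit that uses it, which is worth stating in a comment on that line.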
@@ -39,6 +41,9 @@ #define PLAINIPSEC_PHASE_DOMAIN CONSTSTR("com.apple.Networking.ipsec.phasestats.plain") #define PLAINIPSECDOMAIN CONSTSTR("com.apple.Networking.ipsec.main") +#define IPSECASLDOMAIN CONSTSTR("com.apple.Networking.ipsec.asl") +#define IPSECASLKEY CONSTSTR("IPSEC") + #if TARGET_OS_EMBEDDED #define IPSECCONFIGTRACEREVENT(config, eventCode, message, failure_reason) @@ -63,6 +68,18 @@ #endif +#if 1 //TARGET_OS_EMBEDDED +#define IPSECLOGASLMSG(format, args...) syslog(LOG_NOTICE, format, ##args); +#else +#define IPSECLOGASLMSG(format, args...) do { \ + aslmsg m = asl_new(ASL_TYPE_MSG); \ + asl_set(m, ASL_KEY_FACILITY, IPSECASLDOMAIN); \ + asl_set(m, ASL_KEY_MSG, IPSECASLKEY); \ + asl_log(NULL, m, ASL_LEVEL_NOTICE, format, ##args); \ + asl_free(m); \ + } while(0) +#endif + static inline double get_percentage (double numerator, double denominator) { if (numerator >= denominator || denominator == 0) { diff --git a/ipsec-tools/Common/libpfkey.h b/ipsec-tools/Common/libpfkey.h index ef41d0b..06d5228 100644 --- a/ipsec-tools/Common/libpfkey.h +++ b/ipsec-tools/Common/libpfkey.h @@ -87,7 +87,6 @@ u_int pfkey_set_softrate __P((u_int, u_int)); u_int pfkey_get_softrate __P((u_int)); int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *, struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t)); -#ifdef __APPLE__ int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *, struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, 
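Review bot: The syslog variant of `IPSECLOGASLMSG` in the @@ -63 hunk ends its expansion with a semicolon, so `if (x) IPSECLOGASLMSG(...); else ...` will not compile and every ordinary use expands to an extra empty statement, whereas the ASL variant below it is correctly wrapped in `do { ... } while(0)`. Drop the trailing semicolon: `#define IPSECLOGASLMSG(format, args...) syslog(LOG_NOTICE, format, ##args)`. The `#if 1 //TARGET_OS_EMBEDDED` selector also makes the ASL branch dead on every platform while the comment suggests it is conditional; either use `#if TARGET_OS_EMBEDDED` or delete the unreachable branch. Since both variants are printf-style, a comment that callers must pass a literal format string (never text received from a peer) would keep `-Wformat-security` meaningful at the call sites.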
@@ -96,26 +95,6 @@ int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *, struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t, u_int16_t)); -#else -int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *, - struct sockaddr *, u_int32_t, u_int32_t, u_int, - caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, - u_int64_t, u_int64_t, u_int32_t)); -int pfkey_send_update_nat __P((int, u_int, u_int, struct sockaddr *, - struct sockaddr *, u_int32_t, u_int32_t, u_int, - caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, - u_int64_t, u_int64_t, u_int32_t, - u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t)); -int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *, - struct sockaddr *, u_int32_t, u_int32_t, u_int, - caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, - u_int64_t, u_int64_t, u_int32_t)); -int pfkey_send_add_nat __P((int, u_int, u_int, struct sockaddr *, - struct sockaddr *, u_int32_t, u_int32_t, u_int, - caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, - u_int64_t, u_int64_t, u_int32_t, - u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t)); -#endif /*__APPLE__ */ int pfkey_send_delete __P((int, u_int, u_int, struct sockaddr *, struct sockaddr *, u_int32_t)); @@ -171,19 +150,7 @@ int pfkey_send_getsastats __P((int, u_int32_t, u_int64_t [], u_int32_t, u_int8_t static __inline u_int8_t sysdep_sa_len (const struct sockaddr *sa) { -#ifdef __linux__ - switch (sa->sa_family) - { - case AF_INET: - return sizeof (struct sockaddr_in); - case AF_INET6: - return sizeof (struct sockaddr_in6); - } - // log_print ("sysdep_sa_len: unknown sa family %d", sa->sa_family); - return sizeof (struct sockaddr_in); -#else return sa->sa_len; -#endif } #endif diff --git a/ipsec-tools/Common/pfkey.c b/ipsec-tools/Common/pfkey.c index 026ccd8..62cb528 100644 --- a/ipsec-tools/Common/pfkey.c 
+++ b/ipsec-tools/Common/pfkey.c @@ -36,11 +36,7 @@ #include #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #ifdef HAVE_NETINET6_IPSEC # include @@ -62,18 +58,10 @@ static int findsupportedmap __P((int)); static int setsupportedmap __P((struct sadb_supported *)); static struct sadb_alg *findsupportedalg __P((u_int, u_int)); -#ifdef __APPLE__ static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *, struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t, u_int32_t, u_int32_t, u_int32_t, u_int16_t)); -#else -static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *, - struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, - u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t, - u_int32_t, u_int32_t, u_int32_t, - u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t)); -#endif static int pfkey_send_x2 __P((int, u_int, u_int, u_int, struct sockaddr *, struct sockaddr *, u_int32_t)); static int pfkey_send_x3 __P((int, u_int, u_int)); @@ -84,13 +72,8 @@ static int pfkey_send_x5 __P((int, u_int, u_int32_t)); static caddr_t pfkey_setsadbmsg __P((caddr_t, caddr_t, u_int, u_int, u_int, u_int32_t, pid_t)); -#ifdef __APPLE__ static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int, u_int, u_int, u_int32_t, u_int16_t)); -#else -static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int, - u_int, u_int, u_int32_t)); -#endif static caddr_t pfkey_setsadbaddr __P((caddr_t, caddr_t, u_int, struct sockaddr *, u_int, u_int)); static caddr_t pfkey_setsadbkey __P((caddr_t, caddr_t, u_int, caddr_t, u_int)); @@ -501,7 +484,6 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) } -#ifdef __APPLE__ /* * sending SADB_UPDATE message to the kernel. * The length of key material is a_keylen + e_keylen. 
@@ -570,141 +552,6 @@ pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize, } -#else /* __APPLE__ */ - -/* - * sending SADB_UPDATE message to the kernel. - * The length of key material is a_keylen + e_keylen. - * OUT: - * positive: success and return length sent. - * -1 : error occured, and set errno. - */ -int -pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, l_bytes, l_addtime, l_usetime, seq) - int so; - u_int satype, mode, wsize; - struct sockaddr *src, *dst; - u_int32_t spi, reqid; - caddr_t keymat; - u_int e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc; - u_int64_t l_bytes, l_addtime, l_usetime; - u_int32_t seq; -{ - int len; - if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi, - reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, (u_int)l_bytes, (u_int)l_addtime, - (u_int)l_usetime, seq, 0, 0, 0, NULL, 0)) < 0) - return -1; - - return len; -} - -#ifdef SADB_X_EXT_NAT_T_TYPE -int -pfkey_send_update_nat(so, satype, mode, src, dst, spi, reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, l_bytes, l_addtime, l_usetime, seq, - l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa, - l_natt_frag) - int so; - u_int satype, mode, wsize; - struct sockaddr *src, *dst; - u_int32_t spi, reqid; - caddr_t keymat; - u_int e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc; - u_int64_t l_bytes, l_addtime, l_usetime; - u_int32_t seq; - u_int8_t l_natt_type; - u_int16_t l_natt_sport, l_natt_dport; - struct sockaddr *l_natt_oa; - u_int16_t l_natt_frag; -{ - int len; - if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi, - reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, (u_int)l_bytes, (u_int)l_addtime, - (u_int)l_usetime, seq, l_natt_type, l_natt_sport, - l_natt_dport, l_natt_oa, l_natt_frag)) < 0) - return -1; - - return len; -} -#endif - -/* - * 
sending SADB_ADD message to the kernel. - * The length of key material is a_keylen + e_keylen. - * OUT: - * positive: success and return length sent. - * -1 : error occured, and set errno. - */ -int -pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, l_bytes, l_addtime, l_usetime, seq) - int so; - u_int satype, mode, wsize; - struct sockaddr *src, *dst; - u_int32_t spi, reqid; - caddr_t keymat; - u_int e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc; - u_int64_t l_bytes, l_addtime, l_usetime; - u_int32_t seq; -{ - int len; - if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi, - reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, (u_int)l_bytes, (u_int)l_addtime, - (u_int)l_usetime, seq, 0, 0, 0, NULL, 0)) < 0) - return -1; - - return len; -} - -#ifdef SADB_X_EXT_NAT_T_TYPE -int -pfkey_send_add_nat(so, satype, mode, src, dst, spi, reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, l_bytes, l_addtime, l_usetime, seq, - l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa, - l_natt_frag) - int so; - u_int satype, mode, wsize; - struct sockaddr *src, *dst; - u_int32_t spi, reqid; - caddr_t keymat; - u_int e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc; - u_int64_t l_bytes, l_addtime, l_usetime; - u_int32_t seq; - u_int8_t l_natt_type; - u_int16_t l_natt_sport, l_natt_dport; - struct sockaddr *l_natt_oa; - u_int16_t l_natt_frag; -{ - int len; - if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi, - reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, (u_int)l_bytes, (u_int)l_addtime, - (u_int)l_usetime, seq, l_natt_type, l_natt_sport, - l_natt_dport, l_natt_oa, l_natt_frag)) < 0) - return -1; - - return len; -} -#endif -#endif /* __APPLE__ */ - /* * sending SADB_DELETE message to the kernel. * OUT: 
@@ -1285,7 +1132,7 @@ pfkey_send_spddump(so) return len; } -#ifdef __APPLE__ + /* sending SADB_ADD or SADB_UPDATE message to the kernel */ static int pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, 
@@ -1470,268 +1317,6 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, return len; } -#else /* __APPLE__ */ - -/* sending SADB_ADD or SADB_UPDATE message to the kernel */ -static int -pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, l_bytes, l_addtime, l_usetime, seq, - l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa, - l_natt_frag) - int so; - u_int type, satype, mode; - struct sockaddr *src, *dst, *l_natt_oa; - u_int32_t spi, reqid; - u_int wsize; - caddr_t keymat; - u_int e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq; - u_int16_t l_natt_sport, l_natt_dport; - u_int8_t l_natt_type; - u_int16_t l_natt_frag; -{ - struct sadb_msg *newmsg; - int len; - caddr_t p; - int plen; - caddr_t ep; - - /* validity check */ - if (src == NULL || dst == NULL) { - __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; - return -1; - } - if (src->sa_family != dst->sa_family) { - __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; - return -1; - } - switch (src->sa_family) { - case AF_INET: - plen = sizeof(struct in_addr) << 3; - break; - case AF_INET6: - plen = sizeof(struct in6_addr) << 3; - break; - default: - __ipsec_errcode = EIPSEC_INVAL_FAMILY; - return -1; - } - - switch (satype) { - case SADB_SATYPE_ESP: - if (e_type == SADB_EALG_NONE) { - __ipsec_errcode = EIPSEC_NO_ALGS; - return -1; - } - break; - case SADB_SATYPE_AH: - if (e_type != SADB_EALG_NONE) { - __ipsec_errcode = EIPSEC_INVAL_ALGS; - return -1; - } - if (a_type == SADB_AALG_NONE) { - __ipsec_errcode = EIPSEC_NO_ALGS; - return -1; - } - break; - case SADB_X_SATYPE_IPCOMP: - if (e_type == SADB_X_CALG_NONE) { - __ipsec_errcode = EIPSEC_INVAL_ALGS; - return -1; - } - if (a_type != SADB_AALG_NONE) { - __ipsec_errcode = EIPSEC_NO_ALGS; - return -1; - } - break; -#ifdef SADB_X_AALG_TCP_MD5 - case SADB_X_SATYPE_TCPSIGNATURE: - if (e_type != SADB_EALG_NONE) { - __ipsec_errcode = 
EIPSEC_INVAL_ALGS; - return -1; - } - if (a_type != SADB_X_AALG_TCP_MD5) { - __ipsec_errcode = EIPSEC_INVAL_ALGS; - return -1; - } - break; -#endif - default: - __ipsec_errcode = EIPSEC_INVAL_SATYPE; - return -1; - } - - /* create new sadb_msg to reply. */ - len = sizeof(struct sadb_msg) - + sizeof(struct sadb_sa) - + sizeof(struct sadb_x_sa2) - + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(src)) - + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(dst)) - + sizeof(struct sadb_lifetime) - + sizeof(struct sadb_lifetime); - - if (e_type != SADB_EALG_NONE && satype != SADB_X_SATYPE_IPCOMP) - len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen)); - if (a_type != SADB_AALG_NONE) - len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen)); - -#ifdef SADB_X_EXT_NAT_T_TYPE - /* add nat-t packets */ - if (l_natt_type) { - switch(satype) { - case SADB_SATYPE_ESP: - case SADB_X_SATYPE_IPCOMP: - break; - default: - __ipsec_errcode = EIPSEC_NO_ALGS; - return -1; - } - - len += sizeof(struct sadb_x_nat_t_type); - len += sizeof(struct sadb_x_nat_t_port); - len += sizeof(struct sadb_x_nat_t_port); - if (l_natt_oa) - len += sizeof(struct sadb_address) + - PFKEY_ALIGN8(sysdep_sa_len(l_natt_oa)); -#ifdef SADB_X_EXT_NAT_T_FRAG - if (l_natt_frag) - len += sizeof(struct sadb_x_nat_t_frag); -#endif - } -#endif - - if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { - __ipsec_set_strerror(strerror(errno)); - return -1; - } - ep = ((caddr_t)(void *)newmsg) + len; - - p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, - satype, seq, getpid()); - if (!p) { - free(newmsg); - return -1; - } - p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags); - if (!p) { - free(newmsg); - return -1; - } - p = pfkey_setsadbxsa2(p, ep, mode, reqid); - if (!p) { - free(newmsg); - return -1; - } - p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen, - IPSEC_ULPROTO_ANY); - if (!p) { - free(newmsg); - return -1; - } - p = 
pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen, - IPSEC_ULPROTO_ANY); - if (!p) { - free(newmsg); - return -1; - } - - if (e_type != SADB_EALG_NONE && satype != SADB_X_SATYPE_IPCOMP) { - p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT, - keymat, e_keylen); - if (!p) { - free(newmsg); - return -1; - } - } - if (a_type != SADB_AALG_NONE) { - p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH, - keymat + e_keylen, a_keylen); - if (!p) { - free(newmsg); - return -1; - } - } - - /* set sadb_lifetime for destination */ - p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, - l_alloc, l_bytes, l_addtime, l_usetime); - if (!p) { - free(newmsg); - return -1; - } - p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT, - l_alloc, l_bytes, l_addtime, l_usetime); - if (!p) { - free(newmsg); - return -1; - } - -#ifdef SADB_X_EXT_NAT_T_TYPE - /* Add nat-t messages */ - if (l_natt_type) { - p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE, l_natt_type); - if (!p) { - free(newmsg); - return -1; - } - - p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT, - l_natt_sport); - if (!p) { - free(newmsg); - return -1; - } - - p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT, - l_natt_dport); - if (!p) { - free(newmsg); - return -1; - } - - if (l_natt_oa) { - p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA, - l_natt_oa, - (u_int)PFKEY_ALIGN8(sysdep_sa_len(l_natt_oa)), - IPSEC_ULPROTO_ANY); - if (!p) { - free(newmsg); - return -1; - } - } - - if (l_natt_frag) { -#ifdef SADB_X_EXT_NAT_T_FRAG - p = pfkey_set_natt_frag(p, ep, SADB_X_EXT_NAT_T_FRAG, - l_natt_frag); - if (!p) { - free(newmsg); - return -1; - } -#endif - } - } -#endif - - if (p != ep) { - free(newmsg); - return -1; - } - - /* send message */ - len = pfkey_send(so, newmsg, len); - free(newmsg); - - if (len < 0) - return -1; - - __ipsec_errcode = EIPSEC_NO_ERROR; - return len; -} -#endif /* __APPLE__ */ /* sending SADB_DELETE or SADB_GET message to the kernel */ /*ARGSUSED*/ 
@@ -1771,11 +1356,7 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi) /* create new sadb_msg to reply. */ len = sizeof(struct sadb_msg) -#ifdef __APPLE__ + sizeof(struct sadb_sa_2) -#else - + sizeof(struct sadb_sa) -#endif + sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len(src)) + sizeof(struct sadb_address) @@ -1793,11 +1374,7 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi) free(newmsg); return -1; } -#ifdef __APPLE__ p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0, 0); -#else - p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0); -#endif if (!p) { free(newmsg); return -1; @@ -2454,7 +2031,6 @@ pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid) return(buf + len); } -#ifdef __APPLE__ /* * copy secasvar data into sadb_address. * `buf' must has been allocated sufficiently. @@ -2489,42 +2065,6 @@ pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags, port) return(buf + len); } -#else - -/* - * copy secasvar data into sadb_address. - * `buf' must has been allocated sufficiently. - */ -static caddr_t -pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags) - caddr_t buf; - caddr_t lim; - u_int32_t spi, flags; - u_int wsize, auth, enc; -{ - struct sadb_sa *p; - u_int len; - - p = (void *)buf; - len = sizeof(struct sadb_sa); - - if (buf + len > lim) - return NULL; - - memset(p, 0, len); - p->sadb_sa_len = PFKEY_UNIT64(len); - p->sadb_sa_exttype = SADB_EXT_SA; - p->sadb_sa_spi = spi; - p->sadb_sa_replay = wsize; - p->sadb_sa_state = SADB_SASTATE_LARVAL; - p->sadb_sa_auth = auth; - p->sadb_sa_encrypt = enc; - p->sadb_sa_flags = flags; - p->sadb_sa_natt_port = port; - - return(buf + len); -} -#endif /* * set data into sadb_address. diff --git a/ipsec-tools/Common/pfkey_dump.c b/ipsec-tools/Common/pfkey_dump.c index 5c8cd26..cf40fe9 100644 --- a/ipsec-tools/Common/pfkey_dump.c +++ b/ipsec-tools/Common/pfkey_dump.c @@ -42,11 +42,7 @@ # include #endif -#ifdef __APPLE__ #include -#else -#include -#endif #include #include 
@@ -497,15 +493,6 @@ pfkey_spdump1(m, withports) m_lftc = (void *)mhp[SADB_EXT_LIFETIME_CURRENT]; m_lfth = (void *)mhp[SADB_EXT_LIFETIME_HARD]; -#ifdef __linux__ - /* *bsd indicates per-socket policies by omiting src and dst - * extensions. Linux always includes them, but we can catch it - * by checkin for policy id. - */ - if (m_xpl->sadb_x_policy_id % 8 >= 3) { - printf("(per-socket policy) "); - } else -#endif if (m_saddr && m_daddr) { /* source address */ sa = (void *)(m_saddr + 1); diff --git a/ipsec-tools/libipsec/policy_token.l b/ipsec-tools/libipsec/policy_token.l index 3351855..4e746a3 100644 --- a/ipsec-tools/libipsec/policy_token.l +++ b/ipsec-tools/libipsec/policy_token.l @@ -37,11 +37,7 @@ #include #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #ifdef HAVE_NETINET6_IPSEC # include @@ -57,11 +53,7 @@ #include "libpfkey.h" -#if !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__linux__) #include "y.tab.h" -#else -#include "policy_parse.h" -#endif #define yylval __libipseclval /* XXX */ int yylex __P((void)); diff --git a/ipsec-tools/libipsec/test-policy.c b/ipsec-tools/libipsec/test-policy.c index c6bf4f2..ea1b2ba 100644 --- a/ipsec-tools/libipsec/test-policy.c +++ b/ipsec-tools/libipsec/test-policy.c @@ -36,11 +36,7 @@ #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #include diff --git a/ipsec-tools/racoon/admin.c b/ipsec-tools/racoon/admin.c index d8e16b9..6cced94 100644 --- a/ipsec-tools/racoon/admin.c +++ b/ipsec-tools/racoon/admin.c @@ -40,11 +40,7 @@ #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #ifndef HAVE_NETINET6_IPSEC @@ -92,6 +88,8 @@ #endif #include "session.h" #include "gcmalloc.h" +#include "vpn.h" +#include "vpn_control_var.h" #ifdef ENABLE_ADMINPORT 
@@ -157,8 +155,13 @@ admin_handler() } if (com.ac_cmd == ADMIN_RELOAD_CONF) { + siginfo_t sigi; + bzero(&sigi, sizeof(sigi)); + sigi.si_signo = SIGUSR1; + sigi.si_pid = getpid(); + sigi.si_uid = getuid(); /* reload does not work at all! */ - signal_handler(SIGUSR1); + signal_handler(SIGUSR1, &sigi, (void *)NULL); goto end; } @@ -424,7 +427,7 @@ out2: target->user_pw = key; } #endif - vpn_connect(target); + vpn_connect(target, VPN_STARTED_BY_ADMIN); com->ac_errno = 0; outofhere: if (target->user_id != NULL) diff --git a/ipsec-tools/racoon/algorithm.c b/ipsec-tools/racoon/algorithm.c index 1fdd9e7..3440fc3 100644 --- a/ipsec-tools/racoon/algorithm.c +++ b/ipsec-tools/racoon/algorithm.c @@ -104,6 +104,7 @@ static struct enc_algorithm oakley_encdef[] = { { "des", algtype_des, OAKLEY_ATTR_ENC_ALG_DES, 8, eay_des_encrypt, eay_des_decrypt, eay_des_weakkey, eay_des_keylen, }, +#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL_IDEA_H { "idea", algtype_idea, OAKLEY_ATTR_ENC_ALG_IDEA, 8, eay_idea_encrypt, eay_idea_decrypt, @@ -117,12 +118,15 @@ static struct enc_algorithm oakley_encdef[] = { eay_rc5_encrypt, eay_rc5_decrypt, eay_rc5_weakkey, eay_rc5_keylen, }, #endif +#endif { "3des", algtype_3des, OAKLEY_ATTR_ENC_ALG_3DES, 8, eay_3des_encrypt, eay_3des_decrypt, eay_3des_weakkey, eay_3des_keylen, }, +#ifdef HAVE_OPENSSL { "cast", algtype_cast128, OAKLEY_ATTR_ENC_ALG_CAST, 8, eay_cast_encrypt, eay_cast_decrypt, eay_cast_weakkey, eay_cast_keylen, }, +#endif { "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16, eay_aes_encrypt, eay_aes_decrypt, eay_aes_weakkey, eay_aes_keylen, }, @@ -138,6 +142,7 @@ static struct enc_algorithm ipsec_encdef[] = { { "3des", algtype_3des, IPSECDOI_ESP_3DES, 8, NULL, NULL, NULL, eay_3des_keylen, }, +#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL_RC5_H { "rc5", algtype_rc5, IPSECDOI_ESP_RC5, 8, NULL, NULL, 
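Review bot: The reload path in the @@ -157 hunk fabricates a `siginfo_t` with `si_pid = getpid()` and `si_uid = getuid()` before calling `signal_handler(SIGUSR1, &sigi, ...)`, so a reload requested over the admin socket is indistinguishable from a SIGUSR1 the daemon sent to itself; if `signal_handler` (not visible here) uses si_pid/si_uid for logging or sender checks, it will attribute the request to racoon rather than to the admin client. Consider leaving the sender fields zeroed and logging the admin-socket origin at this call site, or passing the client's credentials if admin_handler has them. The retained comment `/* reload does not work at all! */` now contradicts the call beneath it; either update it to describe the current behaviour or remove the call. Style: `(void *)NULL` is just `NULL`, and `memset(&sigi, 0, sizeof sigi)` is the portable spelling of `bzero`.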
@@ -149,6 +154,7 @@ static struct enc_algorithm ipsec_encdef[] = { { "blowfish", algtype_blowfish, IPSECDOI_ESP_BLOWFISH, 8, NULL, NULL, NULL, eay_bf_keylen, }, +#endif { "des-iv32", algtype_des_iv32, IPSECDOI_ESP_DES_IV32, 8, NULL, NULL, NULL, eay_des_keylen, }, @@ -158,6 +164,7 @@ static struct enc_algorithm ipsec_encdef[] = { { "aes", algtype_aes, IPSECDOI_ESP_AES, 16, NULL, NULL, NULL, eay_aes_keylen, }, +#ifdef HAVE_OPENSSL { "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16, NULL, NULL, NULL, eay_twofish_keylen, }, @@ -172,6 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = { { "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8, NULL, NULL, NULL, NULL, }, +#endif }; static struct hmac_algorithm ipsec_hmacdef[] = { @@ -183,10 +191,12 @@ static struct hmac_algorithm ipsec_hmacdef[] = { NULL, NULL, NULL, eay_sha1_hashlen, NULL, }, +#ifdef HAVE_OPENSSL { "kpdk", algtype_kpdk, IPSECDOI_ATTR_AUTH_KPDK, NULL, NULL, NULL, eay_kpdk_hashlen, NULL, }, +#endif { "null", algtype_non_auth, IPSECDOI_ATTR_AUTH_NONE, NULL, NULL, NULL, eay_null_hashlen, diff --git a/ipsec-tools/racoon/backupsa.c b/ipsec-tools/racoon/backupsa.c index 1b9f1f8..47a3be5 100644 --- a/ipsec-tools/racoon/backupsa.c +++ b/ipsec-tools/racoon/backupsa.c @@ -319,7 +319,6 @@ do { \ continue; } l_addtime -= current - created; -#ifdef __APPLE__ if (pfkey_send_add( lcconf->sock_pfkey, satype, @@ -336,24 +335,6 @@ do { \ "restore SA filed line#%d in %s: %s\n", line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], ipsec_strerror()); } -#else - if (pfkey_send_add( - lcconf->sock_pfkey, - satype, - mode, - src, - dst, - spi, - reqid, - wsize, - keymat, - e_type, e_keylen, a_type, a_keylen, flags, - 0, l_bytes, l_addtime, 0, seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "restore SA filed line#%d in %s: %s\n", - line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], ipsec_strerror()); - } -#endif racoon_free(src); racoon_free(dst); racoon_free(keymat); 
diff --git a/ipsec-tools/racoon/cfparse.y b/ipsec-tools/racoon/cfparse.y index ce041c4..5024ad1 100644 --- a/ipsec-tools/racoon/cfparse.y +++ b/ipsec-tools/racoon/cfparse.y @@ -98,7 +98,9 @@ #include "gssapi.h" #endif #include "vendorid.h" +#ifdef HAVE_OPENSSL #include "rsalist.h" +#endif #include "ipsecConfigTracer.h" #include "ipsecMessageTracer.h" @@ -697,6 +699,13 @@ modecfg_stmt { #ifdef ENABLE_HYBRID isakmp_cfg_config.pfs_group = $2; +#ifndef HAVE_OPENSSL + if (isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024 + && isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) { + yyerror("PFS group must be 2 or 5"); + return -1; + } +#endif #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ @@ -1223,6 +1232,13 @@ sainfo_spec : PFS_GROUP dh_group_num { cur_sainfo->pfs_group = $2; +#ifndef HAVE_OPENSSL + if (cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024 + && cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) { + yyerror("PFS group must be 2 or 5"); + return -1; + } +#endif } EOS | LIFETIME LIFETYPE_TIME NUMBER unittype_time @@ -1410,9 +1426,7 @@ remote_specs_block if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { if (cur_rmconf->mycertfile -#ifdef __APPLE__ || cur_rmconf->identity_in_keychain) -#endif { if (cur_rmconf->idv) yywarn("Both CERT and ASN1 ID " @@ -1426,8 +1440,7 @@ remote_specs_block return -1; } } - -#ifdef __APPLE__ + if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) { struct genlist_entry *gpb; if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) { @@ -1436,7 +1449,6 @@ remote_specs_block return -1; } } -#endif if (cur_rmconf->prhead->spspec == NULL && cur_rmconf->inherited_from 
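Review bot: The `#ifndef HAVE_OPENSSL` group check added to `modecfg_stmt` in the @@ -697 hunk, and the copy added to `sainfo_spec` in the @@ -1223 hunk, duplicate the check this same patch adds to both `dh_group_num` alternatives (the @@ -1961 and @@ -1971 hunks); since `sainfo_spec` is `PFS_GROUP dh_group_num` and `modecfg_stmt` presumably takes the same nonterminal (its rule head is outside the hunk), the value has already been rejected before these actions run. Keep the validation in `dh_group_num` only, so the copies cannot drift; they already disagree on wording, `"PFS group must be 2 or 5"` versus `"DH group must be 2 or 5"`. A comment on the `dh_group_num` check explaining why only MODP1024 and MODP1536 are available without OpenSSL (presumably the alternative DH backend implements just those) would also stop the restriction being read as a policy choice.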
@@ -1512,6 +1524,7 @@ remote_spec | CERTIFICATE_TYPE cert_spec | PEERS_CERTFILE QUOTEDSTRING { +#ifdef HAVE_OPENSSL yywarn("This directive without certtype will be removed!\n"); yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v); cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; @@ -1521,10 +1534,15 @@ remote_spec cur_rmconf->peerscertfile = racoon_strdup($2->v); STRDUP_FATAL(cur_rmconf->peerscertfile); vfree($2); +#else + yyerror("cert files not supported.\n"); + return -1; +#endif } EOS | CA_TYPE CERT_X509 QUOTEDSTRING { +#ifdef HAVE_OPENSSL cur_rmconf->cacerttype = $2; cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE; if (cur_rmconf->cacertfile != NULL) @@ -1532,20 +1550,32 @@ remote_spec cur_rmconf->cacertfile = racoon_strdup($3->v); STRDUP_FATAL(cur_rmconf->cacertfile); vfree($3); +#else + yyerror("cert files not supported.\n"); + return -1; +#endif + } EOS | PEERS_CERTFILE CERT_X509 QUOTEDSTRING { +#ifdef HAVE_OPENSSL cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; if (cur_rmconf->peerscertfile != NULL) racoon_free(cur_rmconf->peerscertfile); cur_rmconf->peerscertfile = racoon_strdup($3->v); STRDUP_FATAL(cur_rmconf->peerscertfile); vfree($3); +#else + yyerror("cert files not supported.\n"); + return -1; +#endif + } EOS | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING { +#ifdef HAVE_OPENSSL char path[MAXPATHLEN]; int ret = 0; @@ -1565,6 +1595,10 @@ remote_spec return -1; } plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path); +#else + yyerror("plainrsa not supported.\n"); + return -1; +#endif } EOS | PEERS_CERTFILE DNSSEC 
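Review bot: The `#else` branches added in the @@ -1512, @@ -1521 and @@ -1532 hunks return -1 without releasing the QUOTEDSTRING operand that the OpenSSL path frees with `vfree($2)` or `vfree($3)`, so the buffer leaks on the error path. It is a one-line fix per branch, e.g. `vfree($2); yyerror("cert files not supported.\n"); return -1;` (with `$3` in the CA_TYPE and CERT_X509 forms). The PLAINRSA branch in the @@ -1565 hunk and the CERT_PLAINRSA branch of `cert_spec` later in the patch probably need the same treatment if their OpenSSL paths also free `$3`, which is outside the visible hunk lines.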
@@ -1582,27 +1616,17 @@ remote_spec | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS | CERTIFICATE_VERIFICATION VERIFICATION_MODULE { -#ifdef __APPLE__ cur_rmconf->cert_verification = $2; -#else - yyerror("Apple specific features not compiled in."); - return -1; -#endif } EOS | CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION - { -#ifdef __APPLE__ + { cur_rmconf->cert_verification = $2; cur_rmconf->cert_verification_option = $3; -#else - yyerror("Apple specific features not compiled in."); - return -1; -#endif } EOS | OPEN_DIR_AUTH_GROUP QUOTEDSTRING { -#if defined(__APPLE__) && HAVE_OPENDIR +#if HAVE_OPENDIR cur_rmconf->open_dir_auth_group = $2; #else yyerror("Apple specific features not compiled in."); @@ -1686,27 +1710,16 @@ remote_spec | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS | SHARED_SECRET SECRETTYPE QUOTEDSTRING { -#ifdef __APPLE__ cur_rmconf->secrettype = $2; cur_rmconf->shared_secret = $3; -#else - yyerror("Apple specific features not compiled in."); - return -1; -#endif } EOS | SHARED_SECRET SECRETTYPE { -#ifdef __APPLE__ if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) { yyerror("shared secret value missing.\n"); return -1; } cur_rmconf->secrettype = $2; -#else - yyerror("Apple specific features not compiled in."); - return -1; -#endif - } EOS | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS | DH_GROUP @@ -1769,11 +1782,7 @@ remote_spec | NAT_TRAVERSAL_MULTI_USER SWITCH { #ifdef ENABLE_NATT -#ifdef __APPLE__ cur_rmconf->natt_multiple_user = $2; -#else - yyerror("Apple specific features not compiled in."); -#endif #else yyerror("NAT-T support not compiled in."); #endif @@ -1781,11 +1790,7 @@ remote_spec | NAT_TRAVERSAL_KEEPALIVE SWITCH { #ifdef ENABLE_NATT -#ifdef __APPLE__ cur_rmconf->natt_keepalive = $2; -#else - yyerror("Apple specific features not compiled in."); -#endif #else yyerror("NAT-T support not compiled in."); #endif 
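Review bot: The `OPEN_DIR_AUTH_GROUP` action's `#else` branch still reports `"Apple specific features not compiled in."` although its guard is now just `#if HAVE_OPENDIR`, so a build that merely lacks Open Directory support will blame the wrong thing; `yyerror("Open Directory support not compiled in.");` describes the actual condition. The lexer hunk in cftoken.l (@@ -321,9 +319,15) makes the same guard change for the `open_dir_auth_group` keyword, and its `#else` message is outside that hunk, so it presumably needs the same wording fix. Note also that `#if HAVE_OPENDIR` (rather than `#ifdef`) treats an undefined macro as 0, which works but will trip `-Wundef` if the project enables it.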
@@ -1913,27 +1918,23 @@ cert_spec EOS | CERT_X509 IN_KEYCHAIN { -#ifdef __APPLE__ cur_rmconf->certtype = $1; cur_rmconf->identity_in_keychain = 1; cur_rmconf->keychainCertRef = NULL; -#endif } EOS ; | CERT_X509 IN_KEYCHAIN QUOTEDSTRING { -#ifdef __APPLE__ - cur_rmconf->certtype = $1; cur_rmconf->identity_in_keychain = 1; cur_rmconf->keychainCertRef = $3; -#endif } EOS ; | CERT_PLAINRSA QUOTEDSTRING { +#ifdef HAVE_OPENSSL char path[MAXPATHLEN]; int ret = 0; @@ -1950,6 +1951,10 @@ cert_spec return -1; } plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path); +#else + yyerror("plainrsa not supported.\n"); + return -1; +#endif } EOS ; @@ -1961,6 +1966,12 @@ dh_group_num yyerror("must be DH group"); return -1; } +#ifndef HAVE_OPENSSL + if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) { + yyerror("DH group must be 2 or 5"); + return -1; + } +#endif } | NUMBER { @@ -1971,6 +1982,12 @@ dh_group_num $$ = 0; return -1; } +#ifndef HAVE_OPENSSL + if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) { + yyerror("DH group must be 2 or 5"); + return -1; + } +#endif } ; identifierstring @@ -2093,6 +2110,7 @@ isakmpproposal_spec cur_rmconf->prhead->spspec->vendorid = VENDORID_GSSAPI; break; +#ifdef HAVE_OPENSSL case algtype_rsasig: if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) { if (rsa_list_count(cur_rmconf->rsa_private) == 0) { @@ -2107,6 +2125,7 @@ isakmpproposal_spec } } break; +#endif default: break; } @@ -2415,13 +2434,11 @@ listen_addr (struct sockaddr *addr, int udp_encap) return -1; } p->udp_encap = udp_encap; -#ifdef __APPLE__ /* These need to be initialized for Apple modifications * to open code for isakmp sockets */ p->sock = -1; p->in_use = 1; -#endif insmyaddr(p, &lcconf->myaddrs); 
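Review bot: In the `CERT_X509 IN_KEYCHAIN QUOTEDSTRING` action, `cur_rmconf->certtype = $1;` is deleted together with the `#ifdef __APPLE__` line, while the sibling `CERT_X509 IN_KEYCHAIN` action keeps it, so a `certificate_type x509 in_keychain "ref";` directive now leaves `certtype` unset. That looks like an accidental removal rather than intent; unless the enclosing `CERTIFICATE_TYPE cert_spec` rule (outside the hunk) assigns `certtype` itself, the `algtype_rsasig` check in `isakmpproposal_spec` that compares `cur_rmconf->certtype` against `ISAKMP_CERT_PLAINRSA` will see whatever the struct was initialised with. Restore the assignment: `cur_rmconf->certtype = $1;` ahead of `cur_rmconf->identity_in_keychain = 1;`.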
@@ -2508,7 +2525,7 @@ cfparse() int cfreparse(int sig) { - int ignore_established_handles = (sig == SIGUSR1); + int ignore_estab_or_assert_handles = (sig == SIGUSR1); if (sig >= 0 && sig < NSIG) { plog(LLV_DEBUG, LOCATION, NULL, "==== Got %s signal - re-parsing.\n", sys_signame[sig]); @@ -2520,8 +2537,8 @@ cfreparse(int sig) CONSTSTR("cfreparse: triggered by unknown signal")); } - flushph2(ignore_established_handles); - flushph1(ignore_established_handles); + flushph2(ignore_estab_or_assert_handles); + flushph1(ignore_estab_or_assert_handles); flushrmconf(); flushsainfo(); flushlcconf(); diff --git a/ipsec-tools/racoon/cftoken.l b/ipsec-tools/racoon/cftoken.l index 4d82599..b1b5f5c 100644 --- a/ipsec-tools/racoon/cftoken.l +++ b/ipsec-tools/racoon/cftoken.l @@ -60,9 +60,11 @@ //%%% BUG FIX - 2 missing include files when not using // the bison files +#ifdef HAVE_OPENSSL #include #include - +#endif + #include "var.h" #include "misc.h" #include "vmbuf.h" @@ -85,11 +87,7 @@ #include "gcmalloc.h" #endif -#ifdef __APPLE__ #include "y.tab.h" -#else -#include "cfparse.h" -#endif int yyerrorcount = 0; @@ -321,9 +319,15 @@ hexstring 0x{hexdigit}+ certificate_type { YYD; return(CERTIFICATE_TYPE); } ca_type { YYD; return(CA_TYPE); } x509 { YYD; yylval.num = ISAKMP_CERT_X509SIGN; return(CERT_X509); } -plain_rsa { YYD; yylval.num = ISAKMP_CERT_PLAINRSA; return(CERT_PLAINRSA); } +plain_rsa { +#ifdef HAVE_OPENSSL + YYD; yylval.num = ISAKMP_CERT_PLAINRSA; return(CERT_PLAINRSA); +#else + yyerror("plainrsa not supported."); +#endif +} open_dir_auth_group { -#if defined(__APPLE__) && HAVE_OPENDIR +#if HAVE_OPENDIR YYD; return(OPEN_DIR_AUTH_GROUP); #else 
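Review bot: The `plain_rsa` rule's `#else` branch calls `yyerror("plainrsa not supported.")` and then falls off the end of the action without returning a token, so the lexer keeps going and the following `QUOTEDSTRING` reaches the parser where a certificate type was expected, producing a second, misleading syntax error on top of the first. This mirrors the existing `open_dir_auth_group` rule, so it is the file's convention, but cfparse.y in this same commit already rejects `CERT_PLAINRSA` under `#ifndef HAVE_OPENSSL` with its own `yyerror`; returning the token unconditionally here and letting the grammar reject it would give one clear message. The parser's text ends in `\n` and this one does not — pick one form for both.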
@@ -331,28 +335,16 @@ hexstring 0x{hexdigit}+ #endif } shared_secret { -#ifdef __APPLE__ YYD; return(SHARED_SECRET); -#else - yyerror("Apple specific features not compiled in."); -#endif } in_keychain { -#ifdef __APPLE__ YYD; return(IN_KEYCHAIN); -#else - yyerror("Apple specific features not compiled in."); -#endif } certificate_verification { -#ifdef __APPLE__ YYD; return(CERTIFICATE_VERIFICATION); -#else - yyerror("Apple specific features not compiled in."); -#endif } peers_certfile { YYD; return(PEERS_CERTFILE); } dnssec { YYD; return(DNSSEC); } @@ -368,20 +360,12 @@ hexstring 0x{hexdigit}+ nat_traversal { YYD; return(NAT_TRAVERSAL); } force { YYD; yylval.num = NATT_FORCE; return(NAT_TRAVERSAL_LEVEL); } nat_traversal_multi_user { -#ifdef __APPLE__ YYD; return(NAT_TRAVERSAL_MULTI_USER); -#else - yyerror("Apple specific features not compiled in."); -#endif } nat_traversal_keepalive { -#ifdef __APPLE__ YYD; return(NAT_TRAVERSAL_KEEPALIVE); -#else - yyerror("Apple specific features not compiled in."); -#endif } proposal_check { YYD; return(PROPOSAL_CHECK); } obey { YYD; yylval.num = PROP_CHECK_OBEY; return(PROPOSAL_CHECK_LEVEL); } @@ -596,13 +580,9 @@ user_fqdn { YYD; yylval.num = IDTYPE_USERFQDN; return(IDENTIFIERTYPE); } fqdn { YYD; yylval.num = IDTYPE_FQDN; return(IDENTIFIERTYPE); } keyid { YYD; yylval.num = IDTYPE_KEYID; return(IDENTIFIERTYPE); } keyid_use { -#ifdef __APPLE__ YYD; yylval.num = IDTYPE_KEYIDUSE; return(IDENTIFIERTYPE); -#else - yyerror("Apple specific features not compiled in."); -#endif } address { YYD; yylval.num = IDTYPE_ADDRESS; return(IDENTIFIERTYPE); } subnet { YYD; yylval.num = IDTYPE_SUBNET; return(IDENTIFIERTYPE); } 
@@ -611,25 +591,17 @@ certname { YYD; yywarn("certname will be obsoleted in near future."); yylval.num /* shared secret type */ use { -#ifdef __APPLE__ YYD; yylval.num = SECRETTYPE_USE; return(SECRETTYPE); -#else - yyerror("Apple specific features not compiled in."); -#endif } key { -#ifdef __APPLE__ YYD; yylval.num = SECRETTYPE_KEY; return(SECRETTYPE); -#else - yyerror("Apple specific features not compiled in."); -#endif } keychain { -#if defined(__APPLE__) && HAVE_KEYCHAIN +#if HAVE_KEYCHAIN YYD; yylval.num = SECRETTYPE_KEYCHAIN; return(SECRETTYPE); @@ -638,51 +610,31 @@ keychain { #endif } keychain_by_id { -#ifdef __APPLE__ YYD; yylval.num = SECRETTYPE_KEYCHAIN_BY_ID; return(SECRETTYPE); -#else - yyerror("Apple specific features not compiled in."); -#endif } /* certificate verification */ openssl { -#ifdef __APPLE__ YYD; yylval.num = VERIFICATION_MODULE_OPENSSL; return(VERIFICATION_MODULE); -#else - yyerror("Apple specific features not compiled in."); -#endif } sec_framework { -#ifdef __APPLE__ YYD; yylval.num = VERIFICATION_MODULE_SEC_FRAMEWORK; return(VERIFICATION_MODULE); -#else - yyerror("Apple specific features not compiled in."); -#endif } use_open_dir { -#ifdef __APPLE__ YYD; yylval.num = VERIFICATION_OPTION_OPEN_DIR; return(VERIFICATION_OPTION); -#else - yyerror("Apple specific features not compiled in."); -#endif } use_peers_identifier { -#ifdef __APPLE__ YYD; yylval.num = VERIFICATION_OPTION_PEERS_IDENTIFIER; return(VERIFICATION_OPTION); -#else - yyerror("Apple specific features not compiled in."); -#endif } /* identifier qualifier */ 
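Review bot: The `openssl` keyword still returns `VERIFICATION_MODULE_OPENSSL` unconditionally once its `__APPLE__` guard is removed, whereas this commit puts the OpenSSL-backed code (`plain_rsa` in this file, the cert-file directives and `algtype_rsasig` in cfparse.y) behind `HAVE_OPENSSL`. Unless the parser or the verification code rejects that module on a non-OpenSSL build (not visible here), a configuration can select a certificate verification module that is compiled out, and the failure would surface at handshake time rather than at config load. Guarding it like `plain_rsa` — `#ifdef HAVE_OPENSSL` around the return, with `yyerror("openssl certificate verification not supported.");` in the `#else` — rejects it at parse time.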
@@ -774,7 +726,9 @@ no { YYD; yylval.num = FALSE; return(BOOLEAN); } yy_delete_buffer(YY_CURRENT_BUFFER); incstackp--; nextfile: - if (incstack[incstackp].matchon < + if (incstack[incstackp].matches.gl_pathc != 0 && + incstack[incstackp].matches.gl_pathv && + incstack[incstackp].matchon < incstack[incstackp].matches.gl_pathc) { char* filepath = incstack[incstackp].matches.gl_pathv[incstack[incstackp].matchon]; incstack[incstackp].matchon++; diff --git a/ipsec-tools/racoon/crypto_cssm.c b/ipsec-tools/racoon/crypto_cssm.c index e47aa6d..6e501cf 100644 --- a/ipsec-tools/racoon/crypto_cssm.c +++ b/ipsec-tools/racoon/crypto_cssm.c 
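Review bot: In the new `nextfile:` condition, `incstack[incstackp].matches.gl_pathc != 0` is implied by the pre-existing `matchon < matches.gl_pathc` comparison (a non-negative `matchon` can only be below a non-zero count, and a negative one converts to a large unsigned value and fails either way, presuming `matchon` is an integer type), so the only test that adds safety is the `gl_pathv` NULL check. `if (incstack[incstackp].matches.gl_pathv && incstack[incstackp].matchon < incstack[incstackp].matches.gl_pathc)` says the same thing more directly. The surrounding function, including the `incstackp--` just above, starts outside the hunk, so whether `incstackp` can underflow here is not visible.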
@@ -63,90 +63,255 @@ #include "crypto_cssm.h" +#if TARGET_OS_EMBEDDED +static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef); +#else +static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef); +#endif -static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef); -static const char *GetSecurityErrorString(OSStatus err); #if !TARGET_OS_EMBEDDED static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef); static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef); #endif -/* - * Verify cert using security framework - */ -int crypto_cssm_check_x509cert(vchar_t *cert, CFStringRef hostname, cert_status_t certStatus) +static SecPolicyRef +crypto_cssm_x509cert_get_SecPolicyRef (CFStringRef hostname) { OSStatus status; - SecCertificateRef certRef = NULL; SecPolicyRef policyRef = NULL; +#if !TARGET_OS_EMBEDDED + CSSM_OID ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC; + // get our policy object + status = FindPolicy(&ourPolicyOID, &policyRef); + if (status != noErr && status != -1) { + plog(LLV_ERROR, LOCATION, NULL, + "error %d %s.\n", status, GetSecurityErrorString(status)); + } +#else + if (hostname) { + policyRef = SecPolicyCreateIPSec(FALSE, hostname); + if (policyRef == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "unable to create a SSL policyRef.\n"); + } + } +#endif + return policyRef; +} + +SecCertificateRef +crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert) +{ + OSStatus status; + SecCertificateRef certRef = NULL; #if !TARGET_OS_EMBEDDED CSSM_DATA certData; - CSSM_OID ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC; // create cert ref certData.Length = cert->l; certData.Data = (uint8 *)cert->v; status = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER, - &certRef); - if (status != noErr) - goto end; - - // get our policy object - status = 
FindPolicy(&ourPolicyOID, &policyRef); - if (status != noErr) - goto end; - // no options used at present - verification of subjectAltName fields, etc. - // are done elsewhere in racoon in oakley_check_certid() - + &certRef); + if (status != noErr && status != -1) { + plog(LLV_ERROR, LOCATION, NULL, + "error %d %s.\n", status, GetSecurityErrorString(status)); + } #else CFDataRef cert_data = CFDataCreateWithBytesNoCopy(NULL, cert->v, cert->l, kCFAllocatorNull); if (cert_data) { certRef = SecCertificateCreateWithData(NULL, cert_data); CFRelease(cert_data); } - +#endif if (certRef == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "unable to create a certRef.\n"); - status = -1; - goto end; + "unable to create a certRef.\n"); } + return certRef; +} - if (hostname) { - policyRef = SecPolicyCreateIPSec(FALSE, hostname); - if (policyRef == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to create a SSL policyRef.\n"); - status = -1; - goto end; +static cert_status_t +crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef) +{ + cert_status_t certStatus = CERT_STATUS_OK; +#if TARGET_OS_EMBEDDED + CFAbsoluteTime timeNow = 0; + CFAbsoluteTime notvalidbeforedate = 0; + CFAbsoluteTime notvalidafterdate = 0; + CFDateRef nowcfdatedata = NULL; + CFDateRef notvalidbeforedatedata = NULL; + CFDateRef notvalidafterdatedata = NULL; + CFArrayRef certProparray = NULL; + CFDictionaryRef propDict = NULL; + const void *datevalue = NULL; + const void *labelvalue = NULL; + CFGregorianDate gregoriandate; + CFIndex count; + CFIndex i; + + if ((certProparray = SecCertificateCopyProperties(certificateRef))){ + if ((count = CFArrayGetCount( certProparray ))){ + for( i = 0; i < count; i++) { + if ((propDict = CFArrayGetValueAtIndex(certProparray, i))) { + if ( CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyValue, (const void**)&datevalue)){ + /* get kSecPropertyKeyLabel */ + if ( (datevalue) && (CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyLabel, (const 
void**)&labelvalue))){ + if ( (labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid Before"), 0) == kCFCompareEqualTo)){ + if ( notvalidbeforedate = CFDateGetAbsoluteTime(datevalue)) { + if (notvalidbeforedatedata) { + CFRelease(notvalidbeforedatedata); + } + notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate); + } + }else if ((labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid After"), 0 ) == kCFCompareEqualTo)){ + if ( notvalidafterdate = CFDateGetAbsoluteTime(datevalue)) { + if (notvalidafterdatedata) { + CFRelease(notvalidafterdatedata); + } + notvalidafterdatedata = CFDateCreate(NULL, notvalidafterdate); + } + } + } + } + } + } } } - + + if ( (timeNow = CFAbsoluteTimeGetCurrent()) && (nowcfdatedata = CFDateCreate( NULL, timeNow))){ + if ( notvalidbeforedatedata ){ + gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidbeforedate, NULL); + plog(LLV_DEBUG, LOCATION, NULL, + "cert not valid before yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute); + gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidafterdate, NULL); + plog(LLV_DEBUG, LOCATION, NULL, + "cert not valid after yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute); + if ( CFDateCompare( nowcfdatedata, notvalidbeforedatedata, NULL ) == kCFCompareLessThan){ + plog(LLV_ERROR, LOCATION, NULL, + "current time before valid time\n"); + certStatus = CERT_STATUS_PREMATURE; + } else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){ + plog(LLV_ERROR, LOCATION, NULL, + "current time after valid time\n"); + certStatus = CERT_STATUS_EXPIRED; + }else { + plog(LLV_INFO, LOCATION, NULL, "certificate expiration date OK\n"); + certStatus = CERT_STATUS_OK; + } + } + } + + if (notvalidbeforedatedata) + 
CFRelease(notvalidbeforedatedata); + if (notvalidafterdatedata) + CFRelease(notvalidafterdatedata); + if (certProparray) + CFRelease(certProparray); + if (nowcfdatedata) + CFRelease(nowcfdatedata); #endif + return certStatus; +} + +/* + * Verify cert using security framework + */ +#if TARGET_OS_EMBEDDED +int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef) +#else +int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname) +#endif +{ + cert_t *p; + cert_status_t certStatus = 0; + OSStatus status; + CFIndex certArrayRefNumValues = 0; + CFIndex n = 0; + int certArraySiz; + SecCertificateRef *certArrayRef = NULL; + SecPolicyRef policyRef = crypto_cssm_x509cert_get_SecPolicyRef(hostname); + + if (!hostcert || !certchain) { + return -1; + } + + // find the total number of certs + for (p = certchain; p; p = p->chain, n++); + if (n> 1) { + plog(LLV_DEBUG2, LOCATION, NULL, + "%s: checking chain of %d certificates.\n", __FUNCTION__, n); + } + + certArraySiz = n * sizeof(CFTypeRef); + certArrayRef = CFAllocatorAllocate(NULL, certArraySiz, 0); + if (!certArrayRef) { + return -1; + } + bzero(certArrayRef, certArraySiz); + if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_get_SecCertificateRef(&hostcert->cert))) { + /* don't overwrite any pending status */ + if (!hostcert->status) { + hostcert->status = crypto_cssm_check_x509cert_dates(certArrayRef[certArrayRefNumValues]); + if (hostcert->status) { + plog(LLV_ERROR, LOCATION, NULL, + "host certificate failed date verification: %d.\n", hostcert->status); + certStatus = hostcert->status; + } + } + certArrayRefNumValues++; + } + for (p = certchain; p && certArrayRefNumValues < n; p = p->chain) { + if (p != hostcert) { + if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_get_SecCertificateRef(&p->cert))) { + /* don't overwrite any pending status */ + if (!p->status) { + p->status = 
crypto_cssm_check_x509cert_dates(certArrayRef[certArrayRefNumValues]); + if (p->status) { + plog(LLV_ERROR, LOCATION, NULL, + "other certificate in chain failed date verification: %d.\n", p->status); + if (!certStatus) { + certStatus = p->status; + } + } + } + certArrayRefNumValues++; + } + } + } // evaluate cert - status = EvaluateCert(certRef, policyRef); +#if TARGET_OS_EMBEDDED + status = EvaluateCert(certArrayRef, certArrayRefNumValues, policyRef, publicKeyRef); +#else + status = EvaluateCert(certArrayRef, certArrayRefNumValues, policyRef); +#endif + + while (certArrayRefNumValues) { + CFRelease(certArrayRef[--certArrayRefNumValues]); + } + CFAllocatorDeallocate(NULL, certArrayRef); -end: - - if (certRef) - CFRelease(certRef); if (policyRef) CFRelease(policyRef); if (status != noErr && status != -1) { plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); + "error %d %s.\n", status, GetSecurityErrorString(status)); status = -1; - } else if (certStatus) { - plog(LLV_ERROR, LOCATION, NULL, - "certificate failed date verification: %d.\n", certStatus); + } else if (certStatus == CERT_STATUS_PREMATURE || certStatus == CERT_STATUS_EXPIRED) { status = -1; } return status; + +} +#if TARGET_OS_EMBEDDED +int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature) +{ + return SecKeyRawVerify(publicKeyRef, kSecPaddingPKCS1, hash->v, hash->l, signature->v, signature->l); } +#endif /* * Encrypt a hash via CSSM using the private key in the keychain @@ -155,13 +320,13 @@ end: vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash) { - OSStatus status; + OSStatus status = -1; SecIdentityRef identityRef = NULL; SecKeyRef privateKeyRef = NULL; vchar_t *sig = NULL; #if !TARGET_OS_EMBEDDED - u_int32_t bytesEncrypted = 0; + CSSM_SIZE bytesEncrypted = 0; SecCertificateRef certificateRef = NULL; SecIdentitySearchRef idSearchRef = NULL; SecKeychainRef keychainRef = NULL; 
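Review bot: In `crypto_cssm_check_x509cert`, a NULL return from `crypto_cssm_x509cert_get_SecCertificateRef(&hostcert->cert)` is not fatal: the host certificate is simply left out of `certArrayRef` and `EvaluateCert` still runs over whatever part of the chain converted (possibly nothing), so the policy is evaluated against the wrong leaf or none at all. A `hostcert->status` that is already non-zero on entry is deliberately not recomputed, but it is also never copied into `certStatus`, so a certificate an earlier pass marked `CERT_STATUS_EXPIRED` or `CERT_STATUS_PREMATURE` passes the final `certStatus == …` check (assuming that is what a pending status means here). `policyRef` is obtained before the `!hostcert || !certchain` and allocation-failure returns and leaks on both, and `"checking chain of %d certificates"` passes a `CFIndex` to `%d` (`%ld` with `(long)n`). The rewrite below fails closed on a missing leaf, honours a pending status and creates the policy only after the argument check; the chain loop, the `EvaluateCert` call and the cleanup are unchanged.
```c
	SecPolicyRef policyRef = NULL;

	if (!hostcert || !certchain) {
		return -1;
	}
	policyRef = crypto_cssm_x509cert_get_SecPolicyRef(hostname);
	/* … unchanged: chain count and certArrayRef allocation (CFRelease(policyRef) before the allocation-failure return) … */
	certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_get_SecCertificateRef(&hostcert->cert);
	if (certArrayRef[certArrayRefNumValues] == NULL) {
		/* fail closed: without the leaf there is nothing to evaluate the policy against */
		CFAllocatorDeallocate(NULL, certArrayRef);
		if (policyRef)
			CFRelease(policyRef);
		return -1;
	}
	/* don't overwrite a pending status, but do let it fail the check */
	if (!hostcert->status) {
		hostcert->status = crypto_cssm_check_x509cert_dates(certArrayRef[certArrayRefNumValues]);
	}
	if (hostcert->status) {
		plog(LLV_ERROR, LOCATION, NULL,
			"host certificate failed date verification: %d.\n", hostcert->status);
		certStatus = hostcert->status;
	}
	certArrayRefNumValues++;
	/* … unchanged: loop over the remaining chain entries, EvaluateCert, release of certs/array/policy, status mapping … */
```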
@@ -169,7 +334,6 @@ vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash) CSSM_CSP_HANDLE cspHandle = nil; CSSM_CC_HANDLE cssmContextHandle = nil; const CSSM_ACCESS_CREDENTIALS *credentials = NULL; - //CSSM_SIZE bytesEncrypted = 0; //%%%%HWR fix this - need new headers on Leopard CSSM_DATA clearData; CSSM_DATA cipherData; CSSM_DATA remData; @@ -353,7 +517,7 @@ vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, cert_status_t *certStatus) { - OSStatus status; + OSStatus status = -1; vchar_t *cert = NULL; SecIdentityRef identityRef = NULL; SecCertificateRef certificateRef = NULL; @@ -419,25 +583,10 @@ vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, const void *values_persist[] = { kCFBooleanTrue, persistentCertRef }; size_t dataLen; CFDataRef certData = NULL; - CFAbsoluteTime timeNow = 0; - CFAbsoluteTime notvalidbeforedate = 0; - CFAbsoluteTime notvalidafterdate = 0; - CFDateRef nowcfdatedata = NULL; - CFDateRef notvalidbeforedatedata = NULL; - CFDateRef notvalidafterdatedata = NULL; - CFArrayRef certProparray = NULL; - CFRange range; - CFDictionaryRef *values = NULL; - CFDictionaryRef propDict = NULL; - const void *datevalue = NULL; - const void *labelvalue = NULL; - CFGregorianDate gregoriandate; - int count; - int i; /* find identity by persistent ref */ persistFind = CFDictionaryCreate(NULL, keys_persist, values_persist, - (sizeof(keys_persist) / sizeof(*keys_persist)), NULL, NULL); + (sizeof(keys_persist) / sizeof(*keys_persist)), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (persistFind == NULL) goto end; 
@@ -465,64 +614,7 @@ vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, // verify expiry or missing fields if (certStatus) { - - *certStatus = CERT_STATUS_OK; - - if ((certProparray = SecCertificateCopyProperties(certificateRef))){ - if ((count = CFArrayGetCount( certProparray ))){ - range.location = 0; - range.length = count; - if ( (values = CFAllocatorAllocate(NULL, count * sizeof(CFDictionaryRef), 0))){ - CFArrayGetValues(certProparray, range, (const void **)values); - for( i = 0; i < count; i++) - { - if ((propDict = values[i])){ - if ( CFDictionaryContainsValue(propDict, kSecPropertyTypeDate) ){ - if ( CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyValue, (const void**)&datevalue)){ - /* get kSecPropertyKeyLabel */ - if ( (datevalue) && (CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyLabel, (const void**)&labelvalue))){ - if ( (labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid Before"), 0) == kCFCompareEqualTo)){ - if ( notvalidbeforedate = CFDateGetAbsoluteTime(datevalue)) - notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate); - }else if ((labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid After"), 0 ) == kCFCompareEqualTo)){ - if ( notvalidafterdate = CFDateGetAbsoluteTime(datevalue)) - notvalidafterdatedata = CFDateCreate(NULL, notvalidafterdate); - } - } - } - } - } - - } - } - } - } - - if ( (timeNow = CFAbsoluteTimeGetCurrent()) && (nowcfdatedata = CFDateCreate( NULL, timeNow))){ - if ( notvalidbeforedatedata ){ - gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidbeforedate, NULL); - plog(LLV_DEBUG, LOCATION, NULL, - "cert not valid before yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute); - gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidafterdate, NULL); - plog(LLV_DEBUG, LOCATION, NULL, - "cert not valid after yr %d, mon %d, days %d, hours %d, min %d\n", 
gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute); - if ( CFDateCompare( nowcfdatedata, notvalidbeforedatedata, NULL ) == kCFCompareLessThan){ - plog(LLV_ERROR, LOCATION, NULL, - "current time before valid time\n"); - *certStatus = CERT_STATUS_PREMATURE; - } - else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){ - plog(LLV_ERROR, LOCATION, NULL, - "current time after valid time\n"); - *certStatus = CERT_STATUS_EXPIRED; - }else { - plog(LLV_INFO, LOCATION, NULL, "certificate expiration date OK\n"); - *certStatus = CERT_STATUS_OK; - } - - } - - } + *certStatus = crypto_cssm_check_x509cert_dates(certificateRef); } #endif @@ -538,16 +630,6 @@ end: if (keychainRef) CFRelease(keychainRef); #else - if (notvalidbeforedatedata) - CFRelease(notvalidbeforedatedata); - if (notvalidafterdatedata) - CFRelease(notvalidafterdatedata); - if (certProparray) - CFRelease(certProparray); - if (values) - CFAllocatorDeallocate(NULL, values); - if (nowcfdatedata) - CFRelease(nowcfdatedata); if (persistFind) CFRelease(persistFind); if (certData) @@ -595,7 +677,12 @@ end: /* * Evaluate the trust of a cert using the policy provided */ -static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef) +#if TARGET_OS_EMBEDDED +static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef) +#else +static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef) + +#endif { OSStatus status; SecTrustRef trustRef = 0; 
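Review bot: The `crypto_cssm_check_x509cert_dates` call that replaces this block drops the `CFDictionaryContainsValue(propDict, kSecPropertyTypeDate)` guard the removed lines had, so the helper (defined in the earlier hunk of this file) now hands any value whose label reads "Not Valid Before"/"Not Valid After" to `CFDateGetAbsoluteTime` without confirming it is a `CFDate`. Restoring a type test inside the helper, e.g. `if (datevalue && CFGetTypeID(datevalue) == CFDateGetTypeID())` before the label comparison, keeps the refactor behaviour-preserving. The helper also returns `CERT_STATUS_OK` when no "Not Valid Before" property is found at all; the removed code did the same, so it is not a regression, but a comment such as `/* no validity dates found: treated as OK, as before */` would make that deliberate.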
@@ -608,9 +695,7 @@ static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef) CFArrayRef certChain; #endif - SecCertificateRef evalCertArray[1] = { cert }; - - CFArrayRef cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, 1, + CFArrayRef cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, evalCertArrayNumValues, &kCFTypeArrayCallBacks); if (!cfCertRef) { @@ -706,9 +791,15 @@ static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef) #endif status = -1; + goto end; } +#if TARGET_OS_EMBEDDED + /* get and return the public key */ + *publicKeyRef = SecTrustCopyPublicKey(trustRef); +#endif + end: if (cfCertRef) CFRelease(cfCertRef); diff --git a/ipsec-tools/racoon/crypto_cssm.h b/ipsec-tools/racoon/crypto_cssm.h index d0562bf..e56a5f2 100644 --- a/ipsec-tools/racoon/crypto_cssm.h +++ b/ipsec-tools/racoon/crypto_cssm.h @@ -31,12 +31,18 @@ #include "vmbuf.h" #include - - -extern int crypto_cssm_check_x509cert(vchar_t *cert, CFStringRef hostname, cert_status_t certStatus); +#include + +#if TARGET_OS_EMBEDDED +extern int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef); +extern int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature); +#else +extern int crypto_cssm_check_x509cert(cert_t *hostcert, cert_t *certchain, CFStringRef hostname); +#endif +extern SecCertificateRef crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert); extern vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash); extern vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, cert_status_t *certStatus); - +extern const char *GetSecurityErrorString(OSStatus err); #endif /* __CRYPTO_CSSM_H__ */ diff --git a/ipsec-tools/racoon/crypto_openssl.c b/ipsec-tools/racoon/crypto_openssl.c index c32f636..d93750a 100644 --- a/ipsec-tools/racoon/crypto_openssl.c +++ b/ipsec-tools/racoon/crypto_openssl.c 
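Review bot: `*publicKeyRef = SecTrustCopyPublicKey(trustRef);` dereferences `publicKeyRef` without a NULL check and does not test the result, and the copied key is neither released in `crypto_cssm_check_x509cert` nor documented as the caller's to release. `crypto_cssm_verify_x509sign` passes the value straight to `SecKeyRawVerify`, so a NULL key from a trust that evaluated without a usable leaf ends up there. `if (publicKeyRef) { *publicKeyRef = SecTrustCopyPublicKey(trustRef); if (*publicKeyRef == NULL) status = -1; }` closes both gaps, and a comment on the embedded prototype in crypto_cssm.h stating that the caller owns and must `CFRelease` `*publicKeyRef` settles the ownership question. EvaluateCert's body starts outside the hunk.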
@@ -33,9 +33,7 @@ #include "config.h" -#ifdef __APPLE__ #define COMMON_DIGEST_FOR_OPENSSL 1 -#endif #include #include @@ -45,13 +43,13 @@ #include #include +#ifdef HAVE_OPENSSL /* get openssl/ssleay version number */ #include #if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090602fL) #error OpenSSL version 0.9.6 or later required. #endif - #include #include #include @@ -59,15 +57,6 @@ #include #include #include -#ifdef __APPLE__ -#include -#include -#include -#else -#include -#include -#include -#endif #include #include #ifdef HAVE_OPENSSL_ENGINE_H @@ -86,17 +75,17 @@ #include #elif defined(HAVE_OPENSSL_RIJNDAEL_H) #include -#else -#include "crypto/rijndael/rijndael-api-fst.h" -#endif -#ifdef WITH_SHA2 -#ifndef __APPLE__ -#ifdef HAVE_OPENSSL_SHA2_H -#include -#endif -#endif #endif +#else /* HAVE_OPENSSL */ +#include +#include +#endif /* HAVE_OPENSSL */ + +#include +#include +#include +#ifdef HAVE_OPENSSL /* 0.9.7 stuff? */ #if OPENSSL_VERSION_NUMBER < 0x0090700fL typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; @@ -105,12 +94,13 @@ typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; #endif #define OpenSSL_BUG() do { plog(LLV_ERROR, LOCATION, NULL, "OpenSSL function failed\n"); } while(0) +#endif +#include "crypto_openssl.h" #include "var.h" #include "misc.h" #include "vmbuf.h" #include "plog.h" -#include "crypto_openssl.h" #include "debug.h" #include "gcmalloc.h" 
@@ -120,16 +110,15 @@ typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; * necessary for SSLeay/OpenSSL portability. It sucks. */ +#ifdef HAVE_OPENSSL static int cb_check_cert_local __P((int, X509_STORE_CTX *)); static int cb_check_cert_remote __P((int, X509_STORE_CTX *)); static X509 *mem2x509 __P((vchar_t *)); - -#ifdef __APPLE__ -static caddr_t eay_hmac_init __P((vchar_t *, CCHmacAlgorithm)); -#else -static caddr_t eay_hmac_init __P((vchar_t *, const EVP_MD *)); #endif +static caddr_t eay_hmac_init __P((vchar_t *, CCHmacAlgorithm)); + +#ifdef HAVE_OPENSSL /* X509 Certificate */ /* * convert the string of the subject name into DER @@ -643,8 +632,6 @@ error: return NULL; } -#ifdef __APPLE__ - /* * Get the common name from a cert */ 
@@ -776,115 +763,6 @@ eay_get_x509subjectaltname(cert, altname, type, pos, len) return error; } -#else /* __APPLE__ */ - -/* - * get the subjectAltName from X509 certificate. - * the name must be terminated by '\0'. - */ -int -eay_get_x509subjectaltname(cert, altname, type, pos) - vchar_t *cert; - char **altname; - int *type; - int pos; -{ - X509 *x509 = NULL; - GENERAL_NAMES *gens = NULL; - GENERAL_NAME *gen; - int len; - int error = -1; - - *altname = NULL; - *type = GENT_OTHERNAME; - - x509 = mem2x509(cert); - if (x509 == NULL) - goto end; - - gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL); - if (gens == NULL) - goto end; - - /* there is no data at "pos" */ - if (pos > sk_GENERAL_NAME_num(gens)) - goto end; - - gen = sk_GENERAL_NAME_value(gens, pos - 1); - - /* read DNSName / Email */ - if (gen->type == GEN_DNS || - gen->type == GEN_EMAIL || - gen->type == GEN_URI ) - { - /* make sure if the data is terminated by '\0'. */ - if (gen->d.ia5->data[gen->d.ia5->length] != '\0') - { - plog(LLV_ERROR, LOCATION, NULL, - "data is not terminated by NUL."); - hexdump(gen->d.ia5->data, gen->d.ia5->length + 1); - goto end; - } - - len = gen->d.ia5->length + 1; - *altname = racoon_malloc(len); - if (!*altname) - goto end; - - strlcpy(*altname, (char *) gen->d.ia5->data, len); - *type = gen->type; - error = 0; - } - /* read IP address */ - else if (gen->type == GEN_IPADD) - { - unsigned char p[5], *ip; - const int maxaltnamelen = 20; - ip = p; - - /* only support IPv4 */ - if (gen->d.ip->length != 4) - goto end; - - /* convert Octet String to String - * XXX ??????? - */ - /*i2d_ASN1_OCTET_STRING(gen->d.ip,&ip);*/ - ip = gen->d.ip->data; - - /* XXX Magic, enough for an IPv4 address - */ - *altname = racoon_malloc(maxaltnamelen); - if (!*altname) - goto end; - - snprintf(*altname, maxaltnamelen, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]); - *type = gen->type; - error = 0; - } - /* XXX other possible types ? 
- * For now, error will be -1 if unsupported type - */ - -end: - if (error) { - if (*altname) { - racoon_free(*altname); - *altname = NULL; - } - plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); - } - if (x509) - X509_free(x509); - if (gens) - /* free the whole stack. */ - sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); - - return error; -} - -#endif - /* * decode a X509 certificate and make a readable text terminated '\n'. * return the buffer allocated, so must free it later. @@ -1397,6 +1275,7 @@ evp_keylen(int len, const EVP_CIPHER *e) return EVP_CIPHER_key_length(e) << 3; } +#endif /* HAVE_OPENSSL */ vchar_t * eay_CCCrypt(CCOperation oper, @@ -1444,40 +1323,35 @@ vchar_t * eay_des_encrypt(data, key, iv) vchar_t *data, *key, *iv; { -#ifdef __APPLE__ return(eay_CCCrypt(kCCEncrypt, kCCAlgorithmDES, 0 /* CBC */, data, key, iv)); -#else - return evp_crypt(data, key, iv, EVP_des_cbc(), 1); -#endif /* __APPLE__ */ } vchar_t * eay_des_decrypt(data, key, iv) vchar_t *data, *key, *iv; { -#ifdef __APPLE__ return(eay_CCCrypt(kCCDecrypt, kCCAlgorithmDES, 0 /* CBC */, data, key, iv)); -#else - return evp_crypt(data, key, iv, EVP_des_cbc(), 0); -#endif /* __APPLE__ */ } int eay_des_weakkey(key) vchar_t *key; { +#ifdef HAVE_OPENSSL #ifdef USE_NEW_DES_API return DES_is_weak_key((void *)key->v); #else return des_is_weak_key((void *)key->v); #endif +#else + return 0; +#endif } int eay_des_keylen(len) int len; { -#ifdef __APPLE__ /* CommonCrypto return lengths in bytes, ipsec-tools * uses lengths in bits, therefore conversion is required. */ @@ -1485,9 +1359,6 @@ eay_des_keylen(len) return -1; return kCCKeySizeDES << 3; -#else - return evp_keylen(len, EVP_des_cbc()); -#endif /* __APPLE__ */ } #ifdef HAVE_OPENSSL_IDEA_H @@ -1552,6 +1423,7 @@ eay_idea_keylen(len) } #endif +#ifdef HAVE_OPENSSL /* * BLOWFISH-CBC */ @@ -1586,6 +1458,7 @@ eay_bf_keylen(len) return -1; return len; } +#endif #ifdef HAVE_OPENSSL_RC5_H /* 
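Review bot: `eay_des_weakkey` now returns 0 whenever `HAVE_OPENSSL` is undefined, i.e. the DES weak-key rejection is silently disabled on that build rather than replaced; `eay_3des_weakkey` in the next hunk (@@ -1694,13 +1560,16) does the same. The encrypt/decrypt paths in this hunk already run on CommonCrypto, so the weak-key screen is the only thing lost; the known DES weak and semi-weak keys are a small fixed set, and a `static` table compared with `memcmp` against `key->v` (and each 8-byte third for 3DES) would keep the check without OpenSSL. If the decision is to drop it, a comment on the `#else` branch, `/* no weak-key table without OpenSSL: every key is accepted */`, should make the reduced check explicit.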
@@ -1660,28 +1533,21 @@ vchar_t * eay_3des_encrypt(data, key, iv) vchar_t *data, *key, *iv; { -#ifdef __APPLE__ return(eay_CCCrypt(kCCEncrypt, kCCAlgorithm3DES, 0 /* CBC */, data, key, iv)); -#else - return evp_crypt(data, key, iv, EVP_des_ede3_cbc(), 1); -#endif /* __APPLE__ */ } vchar_t * eay_3des_decrypt(data, key, iv) vchar_t *data, *key, *iv; { -#ifdef __APPLE__ return(eay_CCCrypt(kCCDecrypt, kCCAlgorithm3DES, 0 /* CBC */, data, key, iv)); -#else - return evp_crypt(data, key, iv, EVP_des_ede3_cbc(), 0); -#endif /* __APPLE__ */ } int eay_3des_weakkey(key) vchar_t *key; { +#ifdef HAVE_OPENSSL #ifdef USE_NEW_DES_API return (DES_is_weak_key((void *)key->v) || DES_is_weak_key((void *)(key->v + 8)) || @@ -1694,13 +1560,16 @@ eay_3des_weakkey(key) des_is_weak_key((void *)(key->v + 8)) || des_is_weak_key((void *)(key->v + 16))); #endif +#else /* HAVE_OPENSSL */ + return 0; +#endif + } int eay_3des_keylen(len) int len; { -#ifdef __APPLE__ /* CommonCrypto return lengths in bytes, ipsec-tools * uses lengths in bits, therefore conversion is required. */ @@ -1708,13 +1577,9 @@ eay_3des_keylen(len) return -1; return kCCKeySize3DES << 3; -#else - if (len != 0 && len != 192) - return -1; - return 192; -#endif /* __APPLE__ */ } +#ifdef HAVE_OPENSSL /* * CAST-CBC */ @@ -1749,11 +1614,11 @@ eay_cast_keylen(len) return -1; return len; } +#endif /* * AES(RIJNDAEL)-CBC */ -#ifdef __APPLE__ vchar_t * eay_aes_encrypt(data, key, iv) vchar_t *data, *key, *iv; 
@@ -1786,113 +1651,6 @@ int len; return len; } -#else - -#ifndef HAVE_OPENSSL_AES_H -vchar_t * -eay_aes_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - keyInstance k; - cipherInstance c; - - memset(&k, 0, sizeof(k)); - if (rijndael_makeKey(&k, DIR_ENCRYPT, key->l << 3, key->v) < 0) - return NULL; - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* encryption data */ - memset(&c, 0, sizeof(c)); - if (rijndael_cipherInit(&c, MODE_CBC, iv->v) < 0){ - vfree(res); - return NULL; - } - if (rijndael_blockEncrypt(&c, &k, data->v, data->l << 3, res->v) < 0){ - vfree(res); - return NULL; - } - - return res; -} - -vchar_t * -eay_aes_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - keyInstance k; - cipherInstance c; - - memset(&k, 0, sizeof(k)); - if (rijndael_makeKey(&k, DIR_DECRYPT, key->l << 3, key->v) < 0) - return NULL; - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - memset(&c, 0, sizeof(c)); - if (rijndael_cipherInit(&c, MODE_CBC, iv->v) < 0){ - vfree(res); - return NULL; - } - if (rijndael_blockDecrypt(&c, &k, data->v, data->l << 3, res->v) < 0){ - vfree(res); - return NULL; - } - - return res; -} -#else -static inline const EVP_CIPHER * -aes_evp_by_keylen(int keylen) -{ - switch(keylen) { - case 16: - case 128: - return EVP_aes_128_cbc(); - case 24: - case 192: - return EVP_aes_192_cbc(); - case 32: - case 256: - return EVP_aes_256_cbc(); - default: - return NULL; - } -} - -vchar_t * -eay_aes_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - return evp_crypt(data, key, iv, aes_evp_by_keylen(key->l), 1); -} - -vchar_t * -eay_aes_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - return evp_crypt(data, key, iv, aes_evp_by_keylen(key->l), 0); -} -#endif /* HAVE_OPENSSL_AES_H */ - -int -eay_aes_keylen(len) - int len; -{ - if (len == 0) - return 128; - if (len != 128 && len != 192 && len != 256) - 
return -1; - return len; -} -#endif /* __APPLE__ */ int eay_aes_weakkey(key) @@ -1908,6 +1666,7 @@ eay_null_hashlen() return 0; } +#ifdef HAVE_OPENSSL int eay_kpdk_hashlen() { @@ -1922,6 +1681,7 @@ eay_twofish_keylen(len) return -1; return len; } +#endif int eay_null_keylen(len) @@ -1933,8 +1693,6 @@ eay_null_keylen(len) /* * HMAC functions */ - -#ifdef __APPLE__ static caddr_t eay_hmac_init(key, algorithm) vchar_t *key; @@ -1946,19 +1704,6 @@ eay_hmac_init(key, algorithm) return (caddr_t)c; } -#else -static caddr_t -eay_hmac_init(key, md) - vchar_t *key; - const EVP_MD *md; -{ - HMAC_CTX *c = racoon_malloc(sizeof(*c)); - - HMAC_Init(c, key->v, key->l, md); - - return (caddr_t)c; -} -#endif /* __APPLE__ */ #ifdef WITH_SHA2 /* @@ -1982,11 +1727,7 @@ caddr_t eay_hmacsha2_512_init(key) vchar_t *key; { -#ifdef __APPLE__ return eay_hmac_init(key, kCCHmacAlgSHA512); -#else - return eay_hmac_init(key, EVP_sha2_512()); -#endif } void @@ -1994,14 +1735,9 @@ eay_hmacsha2_512_update(c, data) caddr_t c; vchar_t *data; { -#ifdef __APPLE__ CCHmacUpdate((CCHmacContext *)c, data->v, data->l); -#else - HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l); -#endif } -#ifdef __APPLE__ vchar_t * eay_hmacsha2_512_final(c) caddr_t c; @@ -2017,33 +1753,6 @@ eay_hmacsha2_512_final(c) (void)racoon_free(c); return(res); } -#else -vchar_t * -eay_hmacsha2_512_final(c) - caddr_t c; -{ - vchar_t *res; - unsigned int l; - - if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0) - return NULL; - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; - HMAC_cleanup((HMAC_CTX *)c); - - (void)racoon_free(c); - - if (SHA512_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, - "hmac sha2_512 length mismatch %zd.\n", res->l); - vfree(res); - return NULL; - } - - return(res); -} -#endif /* __APPLE__ */ /* * HMAC SHA2-384 
@@ -2066,11 +1775,7 @@ caddr_t eay_hmacsha2_384_init(key) vchar_t *key; { -#ifdef __APPLE__ return eay_hmac_init(key, kCCHmacAlgSHA384); -#else - return eay_hmac_init(key, EVP_sha2_384()); -#endif } void @@ -2078,14 +1783,9 @@ eay_hmacsha2_384_update(c, data) caddr_t c; vchar_t *data; { -#ifdef __APPLE__ CCHmacUpdate((CCHmacContext *)c, data->v, data->l); -#else - HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l); -#endif } -#ifdef __APPLE__ vchar_t * eay_hmacsha2_384_final(c) caddr_t c; @@ -2101,33 +1801,6 @@ eay_hmacsha2_384_final(c) (void)racoon_free(c); return(res); } -#else -vchar_t * -eay_hmacsha2_384_final(c) - caddr_t c; -{ - vchar_t *res; - unsigned int l; - - if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0) - return NULL; - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; - HMAC_cleanup((HMAC_CTX *)c); - - (void)racoon_free(c); - - if (SHA384_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, - "hmac sha2_384 length mismatch %zd.\n", res->l); - vfree(res); - return NULL; - } - - return(res); -} -#endif /* __APPLE__ */ /* * HMAC SHA2-256 @@ -2150,11 +1823,7 @@ caddr_t eay_hmacsha2_256_init(key) vchar_t *key; { -#ifdef __APPLE__ return eay_hmac_init(key, kCCHmacAlgSHA256); -#else - return eay_hmac_init(key, EVP_sha2_256()); -#endif } void @@ -2162,14 +1831,9 @@ eay_hmacsha2_256_update(c, data) caddr_t c; vchar_t *data; { -#ifdef __APPLE__ CCHmacUpdate((CCHmacContext *)c, data->v, data->l); -#else - HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l); -#endif } -#ifdef __APPLE__ vchar_t * eay_hmacsha2_256_final(c) caddr_t c; 
@@ -2185,33 +1849,6 @@ eay_hmacsha2_256_final(c) (void)racoon_free(c); return(res); } -#else -vchar_t * -eay_hmacsha2_256_final(c) - caddr_t c; -{ - vchar_t *res; - unsigned int l; - - if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0) - return NULL; - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; - HMAC_cleanup((HMAC_CTX *)c); - - (void)racoon_free(c); - - if (SHA256_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, - "hmac sha2_256 length mismatch %zd.\n", res->l); - vfree(res); - return NULL; - } - - return(res); -} -#endif /* __APPLE__ */ #endif /* WITH_SHA2 */ /* @@ -2235,11 +1872,7 @@ caddr_t eay_hmacsha1_init(key) vchar_t *key; { -#ifdef __APPLE__ return eay_hmac_init(key, kCCHmacAlgSHA1); -#else - return eay_hmac_init(key, EVP_sha1()); -#endif } void @@ -2247,14 +1880,9 @@ eay_hmacsha1_update(c, data) caddr_t c; vchar_t *data; { -#ifdef __APPLE__ CCHmacUpdate((CCHmacContext *)c, data->v, data->l); -#else - HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l); -#endif } -#ifdef __APPLE__ vchar_t * eay_hmacsha1_final(c) caddr_t c; @@ -2270,33 +1898,6 @@ eay_hmacsha1_final(c) (void)racoon_free(c); return(res); } -#else -vchar_t * -eay_hmacsha1_final(c) - caddr_t c; -{ - vchar_t *res; - unsigned int l; - - if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0) - return NULL; - - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; - HMAC_cleanup((HMAC_CTX *)c); - - (void)racoon_free(c); - - if (SHA_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, - "hmac sha1 length mismatch %zd.\n", res->l); - vfree(res); - return NULL; - } - - return(res); -} -#endif /* __APPLE__ */ /* * HMAC MD5 @@ -2319,11 +1920,7 @@ caddr_t eay_hmacmd5_init(key) vchar_t *key; { -#ifdef __APPLE__ return eay_hmac_init(key, kCCHmacAlgMD5); -#else - return eay_hmac_init(key, EVP_md5()); -#endif } void 
@@ -2331,14 +1928,9 @@ eay_hmacmd5_update(c, data) caddr_t c; vchar_t *data; { -#ifdef __APPLE__ CCHmacUpdate((CCHmacContext *)c, data->v, data->l); -#else - HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l); -#endif } -#ifdef __APPLE__ vchar_t * eay_hmacmd5_final(c) caddr_t c; @@ -2354,33 +1946,7 @@ eay_hmacmd5_final(c) return(res); } -#else -vchar_t * -eay_hmacmd5_final(c) - caddr_t c; -{ - vchar_t *res; - unsigned int l; - - if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0) - return NULL; - HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); - res->l = l; - HMAC_cleanup((HMAC_CTX *)c); - - (void)racoon_free(c); - - if (MD5_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, - "hmac md5 length mismatch %zd.\n", res->l); - vfree(res); - return NULL; - } - - return(res); -} -#endif /* __APPLE__ */ #ifdef WITH_SHA2 /* @@ -2447,9 +2013,7 @@ eay_sha2_512_hashlen() * SHA2-384 functions */ -#ifdef __APPLE__ typedef SHA512_CTX SHA384_CTX; -#endif caddr_t eay_sha2_384_init() @@ -2683,6 +2247,8 @@ eay_md5_hashlen() return MD5_DIGEST_LENGTH << 3; } + +#ifdef HAVE_OPENSSL /* * eay_set_random * size: number of bytes. @@ -2704,7 +2270,25 @@ end: BN_free(r); return(res); } +#else +vchar_t * +eay_set_random(u_int32_t size) +{ + vchar_t *res = vmalloc(size); + + if (res == NULL) + return NULL; + + if (SecRandomCopyBytes(kSecRandomDefault, size, res->v)) { + vfree(res); + return NULL; + } + + return res; +} +#endif +#ifdef HAVE_OPENSSL /* DH */ int eay_dh_generate(prime, g, publen, pub, priv) @@ -3012,6 +2596,7 @@ out: return rsa_pub; } +#endif /* HAVE_OPENSSL */ u_int32_t eay_random() @@ -3026,8 +2611,10 @@ eay_random() return result; } +#ifdef HAVE_OPENSSL const char * eay_version() { return SSLeay_version(SSLEAY_VERSION); } +#endif \ No newline at end of file diff --git a/ipsec-tools/racoon/crypto_openssl.h b/ipsec-tools/racoon/crypto_openssl.h index 8b71a7d..0d59ec2 100644 --- a/ipsec-tools/racoon/crypto_openssl.h +++ b/ipsec-tools/racoon/crypto_openssl.h 
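Review bot: The `eay_set_random / size: number of bytes` header comment now lives inside the `#ifdef HAVE_OPENSSL` branch, so the SecRandomCopyBytes variant added under `#else` carries no documentation; moving the comment above the `#ifdef` covers both implementations. The new variant handles the failure path (SecRandomCopyBytes returns nonzero on error and the buffer is released), but a one-line comment noting that `res->l` is set by vmalloc to `size` and that a zero `size` yields whatever vmalloc does for 0 would save the next reader a trip to vmbuf.c. The file also ends without a trailing newline after the new `#endif` (`\ No newline at end of file`).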
@@ -32,8 +32,9 @@ #ifndef _CRYPTO_OPENSSL_H #define _CRYPTO_OPENSSL_H +#include "vmbuf.h" #include "crypto_openssl.h" - +#ifdef HAVE_OPENSSL #include #include @@ -52,12 +53,8 @@ extern vchar_t *eay_hex2asn1dn __P((const char *, int)); extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *)); extern int eay_check_x509cert __P((vchar_t *, char *, char *, int)); extern vchar_t *eay_get_x509asn1subjectname __P((vchar_t *)); -#ifdef __APPLE__ extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int, int*)); extern vchar_t *eay_get_x509_common_name __P((vchar_t *)); -#else -extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int)); -#endif extern char *eay_get_x509text __P((vchar_t *)); extern vchar_t *eay_get_x509cert __P((char *)); extern vchar_t *eay_get_x509sign __P((vchar_t *, vchar_t *)); @@ -85,6 +82,7 @@ extern vchar_t *evp_crypt __P((vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)); extern int evp_weakkey __P((vchar_t *key, const EVP_CIPHER *e)); extern int evp_keylen __P((int len, const EVP_CIPHER *e)); +#endif /* HAVE_OPENSSL */ /* DES */ extern vchar_t *eay_des_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); @@ -92,6 +90,7 @@ extern vchar_t *eay_des_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern int eay_des_weakkey __P((vchar_t *)); extern int eay_des_keylen __P((int)); +#ifdef HAVE_OPENSSL /* IDEA */ extern vchar_t *eay_idea_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern vchar_t *eay_idea_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); @@ -109,6 +108,7 @@ extern vchar_t *eay_rc5_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern vchar_t *eay_rc5_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern int eay_rc5_weakkey __P((vchar_t *)); extern int eay_rc5_keylen __P((int)); +#endif /* HAVE_OPENSSL */ /* 3DES */ extern vchar_t *eay_3des_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); 
@@ -116,11 +116,13 @@ extern vchar_t *eay_3des_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern int eay_3des_weakkey __P((vchar_t *)); extern int eay_3des_keylen __P((int)); +#ifdef HAVE_OPENSSL /* CAST */ extern vchar_t *eay_cast_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern vchar_t *eay_cast_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern int eay_cast_weakkey __P((vchar_t *)); extern int eay_cast_keylen __P((int)); +#endif /* AES(RIJNDAEL) */ extern vchar_t *eay_aes_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); @@ -131,8 +133,10 @@ extern int eay_aes_keylen __P((int)); /* misc */ extern int eay_null_keylen __P((int)); extern int eay_null_hashlen __P((void)); +#ifdef HAVE_OPENSSL extern int eay_kpdk_hashlen __P((void)); extern int eay_twofish_keylen __P((int)); +#endif /* hash */ #if defined(WITH_SHA2) @@ -208,20 +212,24 @@ extern u_int32_t eay_random __P((void)); extern int eay_dh_generate __P((vchar_t *, u_int32_t, u_int, vchar_t **, vchar_t **)); extern int eay_dh_compute __P((vchar_t *, u_int32_t, vchar_t *, vchar_t *, vchar_t *, vchar_t **)); +#ifdef HAVE_OPENSSL /* Base 64 */ vchar_t *base64_encode(char *in, long inlen); vchar_t *base64_decode(char *in, long inlen); RSA *base64_pubkey2rsa(char *in); RSA *bignum_pubkey2rsa(BIGNUM *in); +#endif /* misc */ +#ifdef HAVE_OPENSSL extern int eay_revbnl __P((vchar_t *)); #include extern int eay_v2bn __P((BIGNUM **, vchar_t *)); extern int eay_bn2v __P((vchar_t **, BIGNUM *)); extern const char *eay_version __P((void)); +#endif #define CBC_BLOCKLEN 8 #define IPSEC_ENCRYPTKEYLEN 8 diff --git a/ipsec-tools/racoon/eaytest.c b/ipsec-tools/racoon/eaytest.c index 3265546..df6a65a 100644 --- a/ipsec-tools/racoon/eaytest.c +++ b/ipsec-tools/racoon/eaytest.c @@ -379,7 +379,6 @@ certtest(ac, av) printf("\n"); vfree(vstr); -#ifdef __APPLE__ /* print subject alt name */ { int pos; 
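Review bot: eay_dh_generate and eay_dh_compute stay declared unconditionally in this hunk, while their definitions in crypto_openssl.c are now wrapped in `#ifdef HAVE_OPENSSL` (the `/* DH */` hunk at `@@ -2704`), so a non-OpenSSL build declares two functions this module no longer defines. If the Security-framework DH (the SecDHContext field added to ph1handle in handler.h) replaces them in another file, either move the two prototypes under `#ifdef HAVE_OPENSSL` as was done for the Base64/RSA and eay_version declarations, or add a comment above them naming where the non-OpenSSL implementation lives. As it stands the header gives no hint which build provides the DH symbols.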
@@ -396,23 +395,6 @@ certtest(ac, av) racoon_free(str); } } -#else - /* print subject alt name */ - { - int pos; - for (pos = 1; ; pos++) { - error = eay_get_x509subjectaltname(&c, &str, &type, pos); - if (error) { - printf("no subjectaltname found.\n"); - break; - } - if (!str) - break; - printf("SubjectAltName: %d: %s\n", type, str); - racoon_free(str); - } - } -#endif /* NULL => name of the certificate file */ error = eay_check_x509cert(&c, certpath, NULL, 1); diff --git a/ipsec-tools/racoon/grabmyaddr.c b/ipsec-tools/racoon/grabmyaddr.c index 6afc4ef..55b62b9 100644 --- a/ipsec-tools/racoon/grabmyaddr.c +++ b/ipsec-tools/racoon/grabmyaddr.c @@ -37,13 +37,9 @@ #include #include -#if defined(__FreeBSD__) && __FreeBSD__ >= 3 #include -#endif -#if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__APPLE__) #include #include -#endif #include #include @@ -74,15 +70,6 @@ #include "gcmalloc.h" #include "nattraversal.h" -#ifdef __linux__ -#include -#include -#ifndef HAVE_GETIFADDRS -#define HAVE_GETIFADDRS -#define NEED_LINUX_GETIFADDRS -#endif -#endif - #ifndef HAVE_GETIFADDRS static unsigned int if_maxindex __P((void)); #endif 
@@ -92,184 +79,6 @@ static int suitable_ifaddr __P((const char *, const struct sockaddr *)); static int suitable_ifaddr6 __P((const char *, const struct sockaddr *)); #endif -#ifdef NEED_LINUX_GETIFADDRS - -/* We could do this _much_ better. kame racoon in its current form - * will esentially die at frequent changes of address configuration. - */ - -struct ifaddrs -{ - struct ifaddrs *ifa_next; - char ifa_name[16]; - int ifa_ifindex; - struct sockaddr *ifa_addr; - struct sockaddr_storage ifa_addrbuf; -}; - -static int parse_rtattr(struct rtattr *tb[], int max, struct rtattr *rta, int len) -{ - while (RTA_OK(rta, len)) { - if (rta->rta_type <= max) - tb[rta->rta_type] = rta; - rta = RTA_NEXT(rta,len); - } - return 0; -} - -static void recvaddrs(int fd, struct ifaddrs **ifa, __u32 seq) -{ - char buf[8192]; - struct sockaddr_nl nladdr; - struct iovec iov = { buf, sizeof(buf) }; - struct ifaddrmsg *m; - struct rtattr * rta_tb[IFA_MAX+1]; - struct ifaddrs *I; - - while (1) { - int status; - struct nlmsghdr *h; - - struct msghdr msg = { - (void*)&nladdr, sizeof(nladdr), - &iov, 1, - NULL, 0, - 0 - }; - - status = recvmsg(fd, &msg, 0); - - if (status < 0) - continue; - - if (status == 0) - return; - - if (nladdr.nl_pid) /* Message not from kernel */ - continue; - - h = (struct nlmsghdr*)buf; - while (NLMSG_OK(h, status)) { - if (h->nlmsg_seq != seq) - goto skip_it; - - if (h->nlmsg_type == NLMSG_DONE) - return; - - if (h->nlmsg_type == NLMSG_ERROR) - return; - - if (h->nlmsg_type != RTM_NEWADDR) - goto skip_it; - - m = NLMSG_DATA(h); - - if (m->ifa_family != AF_INET && - m->ifa_family != AF_INET6) - goto skip_it; - - if (m->ifa_flags&IFA_F_TENTATIVE) - goto skip_it; - - memset(rta_tb, 0, sizeof(rta_tb)); - parse_rtattr(rta_tb, IFA_MAX, IFA_RTA(m), h->nlmsg_len - NLMSG_LENGTH(sizeof(*m))); - - if (rta_tb[IFA_LOCAL] == NULL) - rta_tb[IFA_LOCAL] = rta_tb[IFA_ADDRESS]; - if (rta_tb[IFA_LOCAL] == NULL) - goto skip_it; - - I = malloc(sizeof(struct ifaddrs)); - if (!I) - return; 
- memset(I, 0, sizeof(*I)); - - I->ifa_ifindex = m->ifa_index; - I->ifa_addr = (struct sockaddr*)&I->ifa_addrbuf; - I->ifa_addr->sa_family = m->ifa_family; - if (m->ifa_family == AF_INET) { - struct sockaddr_in *sin = (void*)I->ifa_addr; - memcpy(&sin->sin_addr, RTA_DATA(rta_tb[IFA_LOCAL]), 4); - } else { - struct sockaddr_in6 *sin = (void*)I->ifa_addr; - memcpy(&sin->sin6_addr, RTA_DATA(rta_tb[IFA_LOCAL]), 16); - if (IN6_IS_ADDR_LINKLOCAL(&sin->sin6_addr)) - sin->sin6_scope_id = I->ifa_ifindex; - } - I->ifa_next = *ifa; - *ifa = I; - -skip_it: - h = NLMSG_NEXT(h, status); - } - if (msg.msg_flags & MSG_TRUNC) - continue; - } - return; -} - -static int getifaddrs(struct ifaddrs **ifa0) -{ - struct { - struct nlmsghdr nlh; - struct rtgenmsg g; - } req; - struct sockaddr_nl nladdr; - static __u32 seq; - struct ifaddrs *i; - int fd; - - fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE); - if (fd < 0) - return -1; - - memset(&nladdr, 0, sizeof(nladdr)); - nladdr.nl_family = AF_NETLINK; - - req.nlh.nlmsg_len = sizeof(req); - req.nlh.nlmsg_type = RTM_GETADDR; - req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST; - req.nlh.nlmsg_pid = 0; - req.nlh.nlmsg_seq = ++seq; - req.g.rtgen_family = AF_UNSPEC; - - if (sendto(fd, (void*)&req, sizeof(req), 0, (struct sockaddr*)&nladdr, sizeof(nladdr)) < 0) { - close(fd); - return -1; - } - - *ifa0 = NULL; - - recvaddrs(fd, ifa0, seq); - - close(fd); - - fd = socket(AF_INET, SOCK_DGRAM, 0); - - for (i=*ifa0; i; i = i->ifa_next) { - struct ifreq ifr; - ifr.ifr_ifindex = i->ifa_ifindex; - ioctl(fd, SIOCGIFNAME, (void*)&ifr); - memcpy(i->ifa_name, ifr.ifr_name, 16); - } - close(fd); - - return 0; -} - -static void freeifaddrs(struct ifaddrs *ifa0) -{ - struct ifaddrs *i; - - while (ifa0) { - i = ifa0; - ifa0 = i->ifa_next; - free(i); - } -} - -#endif - #ifndef HAVE_GETIFADDRS static unsigned int if_maxindex() 
@@ -457,7 +266,7 @@ suitable_ifaddr(ifname, ifaddr) const char *ifname; const struct sockaddr *ifaddr; { -#ifdef ENABLE_HYBRID +#if 0 //we need to be able to do nested ipsec for BTMM... stub out ifdef ENABLE_HYBRID /* Exclude any address we got through ISAKMP mode config */ if (exclude_cfg_addr(ifaddr) == 0) return 0; @@ -481,15 +290,12 @@ suitable_ifaddr6(ifname, ifaddr) const char *ifname; const struct sockaddr *ifaddr; { -#ifndef __linux__ struct in6_ifreq ifr6; int s; -#endif if (ifaddr->sa_family != AF_INET6) return 0; -#ifndef __linux__ s = socket(PF_INET6, SOCK_DGRAM, 0); if (s == -1) { plog(LLV_ERROR, LOCATION, NULL, @@ -515,7 +321,6 @@ suitable_ifaddr6(ifname, ifaddr) || ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED || ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_ANYCAST) return 0; -#endif /* suitable */ return 1; @@ -525,23 +330,6 @@ suitable_ifaddr6(ifname, ifaddr) int update_myaddrs() { -#ifdef __linux__ - char msg[BUFSIZ]; - int len; - struct nlmsghdr *h = (void*)msg; - len = read(lcconf->rtsock, msg, sizeof(msg)); - if (len < 0) - return errno == ENOBUFS; - if (len < sizeof(*h)) - return 0; - if (h->nlmsg_pid) /* not from kernel! */ - return 0; - if (h->nlmsg_type == RTM_NEWLINK) - return 0; - plog(LLV_DEBUG, LOCATION, NULL, - "netlink signals update interface address list\n"); - return 1; -#else char msg[BUFSIZ]; int len; struct rt_msghdr *rtm; @@ -587,7 +375,6 @@ update_myaddrs() rtm->rtm_type); return 1; -#endif /* __linux__ */ } /* @@ -739,10 +526,8 @@ delmyaddr(myaddr) { if (myaddr->addr) racoon_free(myaddr->addr); -#ifdef __APPLE__ if (myaddr->ifname) racoon_free(myaddr->ifname); -#endif racoon_free(myaddr); } 
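Review bot: `#if 0` disables the exclude_cfg_addr filter for every build, not only the nested-IPsec/BTMM case named in the trailing `//` comment, so addresses assigned through ISAKMP mode config become candidate local addresses that racoon will bind; as far as this hunk shows, the daemon then also listens for ISAKMP on the tunnel-assigned address, which is reachable from the remote side of the tunnel. If nested IPsec needs that, gate it on a named macro or a runtime configuration flag rather than `#if 0`, and put the rationale in a block comment above the function instead of on the preprocessor line, e.g. `/* Mode-config addresses are deliberately not excluded: nested IPsec (BTMM) must be able to negotiate over them. */`. suitable_ifaddr's body continues outside the hunk.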
@@ -758,31 +543,6 @@ initmyaddr() return -1; } -#ifdef __linux__ - { - struct sockaddr_nl nl; - u_int addr_len; - - memset(&nl, 0, sizeof(nl)); - nl.nl_family = AF_NETLINK; - nl.nl_groups = RTMGRP_IPV4_IFADDR|RTMGRP_LINK; - - if (bind(lcconf->rtsock, (struct sockaddr*)&nl, sizeof(nl)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "bind(PF_NETLINK) failed: %s\n", - strerror(errno)); - return -1; - } - addr_len = sizeof(nl); - if (getsockname(lcconf->rtsock, (struct sockaddr*)&nl, &addr_len) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "getsockname(PF_NETLINK) failed: %s\n", - strerror(errno)); - return -1; - } - } -#endif - if (lcconf->myaddrs == NULL && lcconf->autograbaddr == 1) { grab_myaddrs(); @@ -800,11 +560,6 @@ getsockmyaddr(my) struct sockaddr *my; { struct myaddrs *p, *lastresort = NULL; -#if defined(INET6) && defined(__linux__) - struct myaddrs *match_wo_scope_id = NULL; - int check_wo_scope_id = (my->sa_family == AF_INET6) && - IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)my)->sin6_addr); -#endif for (p = lcconf->myaddrs; p; p = p->next) { if (p->addr == NULL) @@ -816,20 +571,7 @@ getsockmyaddr(my) && memcmp(my, p->addr, sysdep_sa_len(my)) == 0) { break; } -#if defined(INET6) && defined(__linux__) - if (check_wo_scope_id && IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)p->addr)->sin6_addr) && - /* XXX: this depends on sin6_scope_id to be last - * item in struct sockaddr_in6 */ - memcmp(my, p->addr, - sysdep_sa_len(my) - sizeof(uint32_t)) == 0) { - match_wo_scope_id = p; - } -#endif } -#if defined(INET6) && defined(__linux__) - if (!p) - p = match_wo_scope_id; -#endif if (!p) p = lastresort; if (!p) { diff --git a/ipsec-tools/racoon/grabmyaddr.h b/ipsec-tools/racoon/grabmyaddr.h index 22fc0a2..85a901c 100644 --- a/ipsec-tools/racoon/grabmyaddr.h +++ b/ipsec-tools/racoon/grabmyaddr.h @@ -37,10 +37,8 @@ struct myaddrs { struct sockaddr *addr; int sock; int udp_encap; -#ifdef __APPLE__ int in_use; char *ifname; -#endif }; extern void clear_myaddr __P((void)); 
diff --git a/ipsec-tools/racoon/handler.c b/ipsec-tools/racoon/handler.c index 3eb3a0b..f8bed5f 100644 --- a/ipsec-tools/racoon/handler.c +++ b/ipsec-tools/racoon/handler.c @@ -81,6 +81,7 @@ #ifdef HAVE_GSSAPI #include "gssapi.h" #endif +#include "power_mgmt.h" static LIST_HEAD(_ph1tree_, ph1handle) ph1tree; static LIST_HEAD(_ph2tree_, ph2handle) ph2tree; @@ -213,7 +214,7 @@ islast_ph1(ph1) struct ph1handle *p; LIST_FOREACH(p, &ph1tree, chain) { - if (p->status == PHASE1ST_EXPIRED) + if (p->is_dying || p->status == PHASE1ST_EXPIRED) continue; if (CMPSADDR(ph1->remote, p->remote) == 0) { if (p == ph1) @@ -309,10 +310,6 @@ delph1(iph1) EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL); #ifdef ENABLE_NATT -#ifndef __APPLE__ - if (iph1->natt_flags & NAT_KA_QUEUED) - natt_keepalive_remove (iph1->local, iph1->remote); -#endif /* __APPLE__ */ if (iph1->natt_options) { racoon_free(iph1->natt_options); iph1->natt_options = NULL; @@ -400,7 +397,6 @@ delph1(iph1) gssapi_free_state(iph1); #endif -#ifdef __APPLE__ if (iph1->parent_session) { ike_session_unlink_ph1_from_session(iph1); } @@ -408,7 +404,6 @@ delph1(iph1) unlink_rmconf_from_ph1(iph1->rmconf); iph1->rmconf = NULL; } -#endif racoon_free(iph1); } 
@@ -442,25 +437,36 @@ remph1(iph1) * flush isakmp-sa */ void -flushph1(int ignore_established_handles) +flushph1(int ignore_estab_or_assert_handles) { struct ph1handle *p, *next; + plog(LLV_DEBUG2, LOCATION, NULL, + "flushing ph1 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles); + for (p = LIST_FIRST(&ph1tree); p; p = next) { next = LIST_NEXT(p, chain); - + + if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) { + plog(LLV_DEBUG2, LOCATION, NULL, + "skipping phase1 %s that's asserted...\n", + isakmp_pindex(&p->index, 0)); + continue; + } + /* send delete information */ if (p->status == PHASE1ST_ESTABLISHED) { - if (ignore_established_handles && - (ike_session_has_negoing_ph2(p->parent_session) || - p->mode_cfg->flags)) { + if (ignore_estab_or_assert_handles && + ike_session_has_negoing_ph2(p->parent_session)) { plog(LLV_DEBUG2, LOCATION, NULL, - "skipping ph1 handler that's established... because it's needed by children phase2s\n"); + "skipping phase1 %s that's established... because it's needed by children phase2s\n", + isakmp_pindex(&p->index, 0)); continue; } /* send delete information */ plog(LLV_DEBUG2, LOCATION, NULL, - "got a ph1 handler to flush...\n"); + "got a phase1 %s to flush...\n", + isakmp_pindex(&p->index, 0)); isakmp_info_send_d1(p); } @@ -724,7 +730,6 @@ delph2(iph2) iph2->proposal = NULL; } -#ifdef __APPLE__ if (iph2->parent_session) { ike_session_unlink_ph2_from_session(iph2); } @@ -740,7 +745,6 @@ delph2(iph2) vfree(iph2->ext_nat_id_p); iph2->ext_nat_id_p = NULL; } -#endif racoon_free(iph2); } 
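Review bot: The new asserted-session check guards `p->parent_session` before dereferencing it, but a few lines later `ike_session_has_negoing_ph2(p->parent_session)` is still reached with a possibly NULL session; unless that function tolerates NULL (not visible here), the condition should read `if (ignore_estab_or_assert_handles && p->parent_session && ike_session_has_negoing_ph2(p->parent_session))`. A closely related `parent_session && !parent_session->stopped_by_vpn_controller && parent_session->is_asserted` expression is repeated in flushph2 (next hunk, `@@ -771`) and a shorter form in sweep_sleepwake, so a small static helper such as `static int ph_session_is_asserted(ike_session_t *s)` would keep the three in step. flushph1's body continues outside the hunk.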
@@ -771,20 +775,25 @@ initph2tree() } void -flushph2(int ignore_established_handles) +flushph2(int ignore_estab_or_assert_handles) { struct ph2handle *p, *next; plog(LLV_DEBUG2, LOCATION, NULL, - "flushing all ph2 handlers...\n"); + "flushing ph2 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles); for (p = LIST_FIRST(&ph2tree); p; p = next) { next = LIST_NEXT(p, chain); if (p->is_dying || p->status == PHASE2ST_EXPIRED) { continue; } + if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) { + plog(LLV_DEBUG2, LOCATION, NULL, + "skipping phase2 handle that's asserted...\n"); + continue; + } if (p->status == PHASE2ST_ESTABLISHED){ - if (ignore_established_handles) { + if (ignore_estab_or_assert_handles) { plog(LLV_DEBUG2, LOCATION, NULL, "skipping ph2 handler that's established...\n"); continue; @@ -999,6 +1008,17 @@ initctdtree() LIST_INIT(&ctdtree); } +time_t +get_exp_retx_interval (int num_retries, int fixed_retry_interval) +{ + // first 3 retries aren't exponential + if (num_retries <= 3) { + return (time_t)fixed_retry_interval; + } else { + return (time_t)(num_retries * fixed_retry_interval); + } +} + /* * check the response has been sent to the peer. when not, simply reply * the buffered packet to the peer. @@ -1015,7 +1035,7 @@ check_recvdpkt(remote, local, rbuf) { vchar_t *hash; struct recvdpkt *r; - time_t t; + time_t t, d; int len, s; /* set current time */ 
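Review bot: get_exp_retx_interval promises exponential growth in its name, but it returns `num_retries * fixed_retry_interval`, which is linear; either rename it (get_retx_interval) or document the real schedule above it, e.g. `/* Retries 0-3 use the fixed interval; later retries back off linearly (n * interval). */`. The `// first 3 retries aren't exponential` comment also mis-states the boundary, since `num_retries <= 3` covers four values. Because the function is called from both check_recvdpkt and add_recvdpkt with `lcconf->retry_counter - r->retry_counter`, it would help to say in the same comment that `num_retries` is the number of retries already consumed, not remaining.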
@@ -1064,9 +1084,33 @@ check_recvdpkt(remote, local, rbuf) if (s == -1) return -1; + // don't send if we recently sent a response. + if (r->time_send && t > r->time_send) { + d = t - r->time_send; + if (d < r->retry_interval) { + plog(LLV_ERROR, LOCATION, NULL, "already responded within the past %ld secs\n", d); + return 1; + } + } + +#ifdef ENABLE_FRAG + if (r->frag_flags && r->sendbuf->l > ISAKMP_FRAG_MAXLEN) { + /* resend the packet if needed */ + plog(LLV_ERROR, LOCATION, NULL, "!!! retransmitting frags\n"); + len = sendfragsfromto(s, r->sendbuf, + r->local, r->remote, lcconf->count_persend, + r->frag_flags); + } else { + plog(LLV_ERROR, LOCATION, NULL, "!!! skipped retransmitting frags: frag_flags %x, r->sendbuf->l %d, max %d\n", r->frag_flags, r->sendbuf->l, ISAKMP_FRAG_MAXLEN); + /* resend the packet if needed */ + len = sendfromto(s, r->sendbuf->v, r->sendbuf->l, + r->local, r->remote, lcconf->count_persend); + } +#else /* resend the packet if needed */ len = sendfromto(s, r->sendbuf->v, r->sendbuf->l, r->local, r->remote, lcconf->count_persend); +#endif if (len == -1) { plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n"); return -1; @@ -1080,8 +1124,11 @@ check_recvdpkt(remote, local, rbuf) plog(LLV_DEBUG, LOCATION, NULL, "deleted the retransmission packet to %s.\n", saddr2str(remote)); - } else + } else { r->time_send = t; + r->retry_interval = get_exp_retx_interval((lcconf->retry_counter - r->retry_counter), + lcconf->retry_interval); + } return 1; } @@ -1090,10 +1137,11 @@ check_recvdpkt(remote, local, rbuf) * adding a hash of received packet into the received list. */ int -add_recvdpkt(remote, local, sbuf, rbuf, non_esp) +add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags) struct sockaddr *remote, *local; vchar_t *sbuf, *rbuf; size_t non_esp; + u_int32_t frag_flags; { struct recvdpkt *new = NULL; 
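Review bot: In the `!!! skipped retransmitting frags` message `r->sendbuf->l` is printed with `%d` although vchar_t.l is a size_t (the HMAC code removed elsewhere in this commit formats the same field with `%zd`); use `%zu` to avoid the format mismatch. Both that message and `!!! retransmitting frags` describe ordinary retransmission decisions yet are logged at LLV_ERROR, as is `already responded within the past %ld secs`, so they will flood the error log on every duplicate; LLV_DEBUG matches the surrounding `deleted the retransmission packet` message. check_recvdpkt's body begins outside the hunk.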
@@ -1158,6 +1206,13 @@ add_recvdpkt(remote, local, sbuf, rbuf, non_esp) new->retry_counter = lcconf->retry_counter; new->time_send = 0; new->created = time(NULL); +#ifdef ENABLE_FRAG + if (frag_flags) { + new->frag_flags = frag_flags; + } +#endif + new->retry_interval = get_exp_retx_interval((lcconf->retry_counter - new->retry_counter), + lcconf->retry_interval); LIST_INSERT_HEAD(&rcptree, new, chain); @@ -1304,7 +1359,23 @@ struct sockaddr *remote; { int found = 0; struct ph1handle *p; - + struct ph2handle *p2; + + LIST_FOREACH(p2, &ph2tree, chain) { + if (cmpsaddrwop(remote, p2->dst) == 0) { + plog(LLV_WARNING, LOCATION, NULL, + "in %s... purging phase2s\n", __FUNCTION__); + if (p2->status == PHASE2ST_ESTABLISHED) + isakmp_info_send_d2(p2); + if (p2->status < PHASE2ST_EXPIRED) { + isakmp_ph2expire(p2); + } else { + isakmp_ph2delete(p2); + } + found++; + } + } + LIST_FOREACH(p, &ph1tree, chain) { if (cmpsaddrwop(remote, p->remote) == 0) { plog(LLV_WARNING, LOCATION, NULL, @@ -1381,6 +1452,9 @@ ph1_force_dpd (struct sockaddr *remote) } else { plog(LLV_DEBUG2, LOCATION, NULL, "skipping forced-DPD for phase1 (dpd already in progress).\n"); } + if (p->parent_session) { + p->parent_session->controller_awaiting_peer_resp = 1; + } } else { plog(LLV_DEBUG2, LOCATION, NULL, "skipping forced-DPD for phase1 (status %d, dying %d, dpd-support %d, dpd-interval %d).\n", p->status, p->is_dying, p->dpd_support, p->rmconf->dpd_interval); 
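Review bot: In the new ph2tree walk (`@@ -1304`), isakmp_ph2delete(p2) is called inside LIST_FOREACH; if that routine unlinks and frees the handle, as its name suggests, the macro then reads `p2->chain` from freed memory to advance. flushph2 in this same file walks ph2tree with `for (p = LIST_FIRST(&ph2tree); p; p = next) { next = LIST_NEXT(p, chain); ... }` for exactly this reason, so the new loop should declare `struct ph2handle *p2, *next2;` and use that shape. The `in %s... purging phase2s` log line also omits which peer is being purged; `saddr2str(remote)` is used for that in the neighbouring messages. The enclosing function starts outside the hunk.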
@@ -1391,3 +1465,83 @@ ph1_force_dpd (struct sockaddr *remote) return status; } #endif + +void +sweep_sleepwake(void) +{ + struct ph2handle *iph2; + struct ph1handle *iph1; + + // do the ph1s. + LIST_FOREACH(iph1, &ph1tree, chain) { + if (iph1->parent_session && iph1->parent_session->is_asserted) { + plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase1 %s because it's been asserted.\n", + isakmp_pindex(&iph1->index, 0)); + continue; + } + if (iph1->is_dying || iph1->status >= PHASE1ST_EXPIRED) { + plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase1 %s because it's already expired.\n", + isakmp_pindex(&iph1->index, 0)); + continue; + } + if (iph1->sce) { + if (iph1->sce->xtime <= swept_at) { + SCHED_KILL(iph1->sce); + SCHED_KILL(iph1->sce_rekey); + iph1->is_dying = 1; + iph1->status = PHASE1ST_EXPIRED; + ike_session_update_ph1_ph2tree(iph1); // move unbind/rebind ph2s to from current ph1 + iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); + plog(LLV_DEBUG2, LOCATION, NULL, "phase1 %s expired while sleeping: quick deletion.\n", + isakmp_pindex(&iph1->index, 0)); + } + } + if (iph1->sce_rekey) { + if (iph1->status == PHASE1ST_EXPIRED || iph1->sce_rekey->xtime <= swept_at) { + SCHED_KILL(iph1->sce_rekey); + } + } + if (iph1->scr) { + if (iph1->status == PHASE1ST_EXPIRED || iph1->scr->xtime <= swept_at) { + SCHED_KILL(iph1->scr); + } + } +#ifdef ENABLE_DPD + if (iph1->dpd_r_u) { + if (iph1->status == PHASE1ST_EXPIRED || iph1->dpd_r_u->xtime <= swept_at) { + SCHED_KILL(iph1->dpd_r_u); + } + } +#endif + } + + // do ph2's next + LIST_FOREACH(iph2, &ph2tree, chain) { + if (iph2->parent_session && iph2->parent_session->is_asserted) { + plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase2 because it's been asserted.\n"); + continue; + } + if (iph2->is_dying || iph2->status >= PHASE2ST_EXPIRED) { + plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of phase2 because it's already expired.\n"); + continue; + } + if (iph2->sce) { + if (iph2->sce->xtime <= 
swept_at) { + iph2->status = PHASE2ST_EXPIRED; + iph2->is_dying = 1; + isakmp_ph2expire(iph2); // iph2 will go down 1 second later. + ike_session_stopped_by_controller(iph2->parent_session, + ike_session_stopped_by_sleepwake); + plog(LLV_DEBUG2, LOCATION, NULL, "phase2 expired while sleeping: quick deletion.\n"); + } + } + if (iph2->scr) { + if (iph2->status == PHASE2ST_EXPIRED || iph2->scr->xtime <= swept_at) { + SCHED_KILL(iph2->scr); + } + } + } + + // do the ike_session last + ike_session_sweep_sleepwake(); +} diff --git a/ipsec-tools/racoon/handler.h b/ipsec-tools/racoon/handler.h index 9523316..8c8c43e 100644 --- a/ipsec-tools/racoon/handler.h +++ b/ipsec-tools/racoon/handler.h @@ -34,13 +34,20 @@ #ifndef _HANDLER_H #define _HANDLER_H +#include "config.h" + #include +#ifdef HAVE_OPENSSL #include +#endif #include #include "isakmp_var.h" #include "oakley.h" +#ifndef HAVE_OPENSSL +#include +#endif typedef struct ike_session ike_session_t; @@ -150,6 +157,10 @@ struct ph1handle { int retry_counter; /* for resend. */ vchar_t *sendbuf; /* buffer for re-sending */ +#ifndef HAVE_OPENSSL + SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */ + size_t publicKeySize; +#endif vchar_t *dhpriv; /* DH; private value */ vchar_t *dhpub; /* DH; public value */ vchar_t *dhpub_p; /* DH; partner's public value */ @@ -168,9 +179,11 @@ struct ph1handle { cert_t *cert_p; /* peer's CERT minus general header */ cert_t *crl_p; /* peer's CRL minus general header */ cert_t *cr_p; /* peer's CR not including general */ +#ifdef HAVE_OPENSSL RSA *rsa; /* my RSA key */ RSA *rsa_p; /* peer's RSA key */ struct genlist *rsa_candidates; /* possible candidates for peer's RSA key */ +#endif vchar_t *id; /* ID minus gen header */ vchar_t *id_p; /* partner's ID minus general header */ /* i.e. struct ipsecdoi_id_b*. */ 
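Review bot: In the ph2 loop of sweep_sleepwake, `ike_session_stopped_by_controller(iph2->parent_session, ike_session_stopped_by_sleepwake)` passes parent_session with no NULL check, while the loop's first test (`iph2->parent_session && iph2->parent_session->is_asserted`) treats it as optional; if the callee dereferences its argument, a ph2 with no session crashes the wake-up sweep. Guard it the same way: `if (iph2->parent_session) ike_session_stopped_by_controller(iph2->parent_session, ike_session_stopped_by_sleepwake);`. A short header comment stating that `swept_at` is the reference time and that any handle whose timer should have fired before it is expired rather than rescheduled would also help, since nothing in this file says where swept_at is defined.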
@@ -223,12 +236,10 @@ struct ph1handle { u_int8_t xauth_awaiting_userinput; /* indicates we are waiting for user input */ vchar_t *xauth_awaiting_userinput_msg; /* tracks the last packet that triggered XAUTH */ #endif -#ifdef __APPLE__ int is_rekey:1; int is_dying:1; ike_session_t *parent_session; LIST_ENTRY(ph1handle) ph1ofsession_chain; -#endif }; /* Phase 2 handler */ @@ -307,6 +318,10 @@ struct ph2handle { struct saprop *approval; /* SA(s) approved. */ caddr_t spidx_gen; /* policy from peer's proposal */ +#ifndef HAVE_OPENSSL + SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */ + size_t publicKeySize; +#endif struct dhgroup *pfsgrp; /* DH; prime number */ vchar_t *dhpriv; /* DH; private value */ vchar_t *dhpub; /* DH; public value */ @@ -334,14 +349,12 @@ struct ph2handle { struct timeval end; #endif struct ph1handle *ph1; /* back pointer to isakmp status */ -#ifdef __APPLE__ int is_rekey:1; int is_dying:1; ike_session_t *parent_session; LIST_ENTRY(ph2handle) ph2ofsession_chain; vchar_t *ext_nat_id; vchar_t *ext_nat_id_p; -#endif LIST_ENTRY(ph2handle) chain; LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */ @@ -366,6 +379,10 @@ struct recvdpkt { int retry_counter; /* how many times to send */ time_t time_send; /* timestamp to send a packet */ time_t created; /* timestamp to create a queue */ + time_t retry_interval; +#ifdef ENABLE_FRAG + u_int32_t frag_flags; /* IKE phase 1 fragmentation */ +#endif struct sched *scr; /* schedule for resend, may not used */ 
@@ -501,10 +518,12 @@ extern int inscontacted __P((struct sockaddr *)); extern void clear_contacted __P((void)); extern void initctdtree __P((void)); +extern time_t get_exp_retx_interval __P((int num_retries, int fixed_retry_interval)); + extern int check_recvdpkt __P((struct sockaddr *, struct sockaddr *, vchar_t *)); extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *, - vchar_t *, vchar_t *, size_t)); + vchar_t *, vchar_t *, size_t, u_int32_t)); extern void clear_recvdpkt __P((void)); extern void init_recvdpkt __P((void)); @@ -515,5 +534,6 @@ extern int exclude_cfg_addr __P((const struct sockaddr *)); #ifdef ENABLE_DPD extern int ph1_force_dpd __P((struct sockaddr *)); #endif +extern void sweep_sleepwake __P((void)); #endif /* _HANDLER_H */ diff --git a/ipsec-tools/racoon/ike_session.c b/ipsec-tools/racoon/ike_session.c index 3d4608d..489fd5c 100644 --- a/ipsec-tools/racoon/ike_session.c +++ b/ipsec-tools/racoon/ike_session.c @@ -49,11 +49,24 @@ #include "vpn_control.h" #include "proposal.h" #include "sainfo.h" +#include "power_mgmt.h" + +#define GET_SAMPLE_PERIOD(s,m) do { \ + s = m / 20; \ + if (s < 3) { \ + s = 3; \ + if (m < (s * 2)) { \ + s = 1; /* bad */\ + } \ + } \ + } while(0); const char *ike_session_stopped_by_vpn_disconnect = "Stopped by VPN disconnect"; const char *ike_session_stopped_by_flush = "Stopped by Flush"; const char *ike_session_stopped_by_idle = "Stopped by Idle"; const char *ike_session_stopped_by_xauth_timeout = "Stopped by XAUTH timeout"; +const char *ike_session_stopped_by_sleepwake = "Stopped by Sleep-Wake"; +const char *ike_session_stopped_by_assert = "Stopped by Assert"; static LIST_HEAD(_ike_session_tree_, ike_session) ike_session_tree = { NULL }; 
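Review bot: The `GET_SAMPLE_PERIOD` macro ends in `} while(0);`, so every use expands to a double semicolon and an unbraced `if (...) GET_SAMPLE_PERIOD(...); else ...` would not compile; the two callers in ike_session_init_traffic_cop_params happen to be braced today. Drop the trailing semicolon and parenthesize the arguments (`s = (m) / 20;`, `if ((m) < ((s) * 2))`), or better replace it with `static int get_sample_period(int m)` returning the value. It also changes behaviour relative to the code it replaces — the floor rises from 1 to 3 unless m < 6 — which deserves a sentence on the macro, since `/* bad */` does not say why 1 is the fallback.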
@@ -322,13 +335,9 @@ ike_session_init_traffic_cop_params (struct ph1handle *iph1) return; } if (min_period) { - sample_period = min_period / 20; - if (!sample_period) - sample_period = 1; // bad + GET_SAMPLE_PERIOD(sample_period, min_period); } else { - sample_period = max_period / 20; - if (!sample_period) - sample_period = 1; // bad + GET_SAMPLE_PERIOD(sample_period, max_period); } iph1->parent_session->traffic_monitor.interv_mon = sample_period; } @@ -520,6 +529,7 @@ ike_session_unlink_ph1_from_session (struct ph1handle *iph1) iph1->parent_session = NULL; session->ikev1_state.active_ph1cnt--; if (session->ikev1_state.active_ph1cnt == 0 && session->ikev1_state.active_ph2cnt == 0) { + session->is_dying = 1; free_ike_session(session); } @@ -541,6 +551,7 @@ ike_session_unlink_ph2_from_session (struct ph2handle *iph2) iph2->parent_session = NULL; session->ikev1_state.active_ph2cnt--; if (session->ikev1_state.active_ph1cnt == 0 && session->ikev1_state.active_ph2cnt == 0) { + session->is_dying = 1; free_ike_session(session); } @@ -771,7 +782,8 @@ ike_session_traffic_cop (void *arg) { ike_session_t *session = (__typeof__(session))arg; - if (session) { + if (session && + (session->established && !session->stopped_by_vpn_controller && !session->stop_timestamp.tv_sec && !session->stop_timestamp.tv_usec)) { SCHED_KILL(session->traffic_monitor.sc_mon); /* get traffic query from kernel */ if (pk_sendget_inbound_sastats(session) < 0) { 
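Review bot: When the new condition in ike_session_traffic_cop is false the function returns without touching `session->traffic_monitor.sc_mon`, yet the scheduler has just fired that entry; if the scheduler frees an entry after its callback runs, sc_mon is left dangling and the later `SCHED_KILL(p->traffic_monitor.sc_mon)` in ike_session_sweep_sleepwake or ike_session_cleanup would act on freed memory — confirm against sched_new/SCHED_KILL semantics. Clearing it on the skip path (`else session->traffic_monitor.sc_mon = NULL;`) or hoisting the SCHED_KILL above the condition removes the doubt. The rest of the function is outside the hunk.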
@@ -806,6 +818,8 @@ ike_session_monitor_idle (ike_session_t *session) if (session->traffic_monitor.dir_idle == IPSEC_DIR_INBOUND || session->traffic_monitor.dir_idle == IPSEC_DIR_ANY) { if (session->peer_sent_data_sc_idle) { + plog(LLV_DEBUG2, LOCATION, NULL, "%s: restart idle-timeout because peer sent data. monitoring dir %d.\n", + __FUNCTION__, session->traffic_monitor.dir_idle); SCHED_KILL(session->traffic_monitor.sc_idle); if (session->traffic_monitor.interv_idle) { session->traffic_monitor.sc_idle = sched_new(session->traffic_monitor.interv_idle, @@ -820,6 +834,8 @@ ike_session_monitor_idle (ike_session_t *session) if (session->traffic_monitor.dir_idle == IPSEC_DIR_OUTBOUND || session->traffic_monitor.dir_idle == IPSEC_DIR_ANY) { if (session->i_sent_data_sc_idle) { + plog(LLV_DEBUG2, LOCATION, NULL, "%s: restart idle-timeout because i sent data. monitoring dir %d.\n", + __FUNCTION__, session->traffic_monitor.dir_idle); SCHED_KILL(session->traffic_monitor.sc_idle); if (session->traffic_monitor.interv_idle) { session->traffic_monitor.sc_idle = sched_new(session->traffic_monitor.interv_idle, @@ -833,6 +849,21 @@ ike_session_monitor_idle (ike_session_t *session) } } +static void +ike_session_start_traffic_mon (ike_session_t *session) +{ + if (session->traffic_monitor.interv_mon) { + session->traffic_monitor.sc_mon = sched_new(session->traffic_monitor.interv_mon, + ike_session_traffic_cop, + session); + } + if (session->traffic_monitor.interv_idle) { + session->traffic_monitor.sc_idle = sched_new(session->traffic_monitor.interv_idle, + ike_session_cleanup_idle, + session); + } +} + void ike_session_ph2_established (struct ph2handle *iph2) { 
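Review bot: `ike_session_start_traffic_mon` assigns `sc_mon` and `sc_idle` from sched_new without killing timers that may already be running. On the first-establishment path they are NULL, but the `else if (iph2->parent_session->is_asserted)` caller added in ike_session_ph2_established (next hunk) can run when ike_session_sweep_sleepwake has not cleared them — the patch's own header comment on ike_session_assert_session says the assert may come before the sweep, and a non-sleep assert never goes through the sweep at all — leaving two traffic_cop and two cleanup_idle timers on one session. Prefix each branch with `SCHED_KILL(session->traffic_monitor.sc_mon);` / `SCHED_KILL(session->traffic_monitor.sc_idle);` so the helper is idempotent.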
@@ -844,23 +875,21 @@ ike_session_ph2_established (struct ph2handle *iph2) if (!iph2->parent_session->established) { gettimeofday(&iph2->parent_session->estab_timestamp, NULL); iph2->parent_session->established = 1; - IPSECSESSIONTRACERESTABLISHED(iph2->parent_session); - if (iph2->parent_session->traffic_monitor.interv_mon) { - iph2->parent_session->traffic_monitor.sc_mon = sched_new(iph2->parent_session->traffic_monitor.interv_mon, - ike_session_traffic_cop, - iph2->parent_session); - } - if (iph2->parent_session->traffic_monitor.interv_idle) { - iph2->parent_session->traffic_monitor.sc_idle = sched_new(iph2->parent_session->traffic_monitor.interv_idle, - ike_session_cleanup_idle, - iph2->parent_session); - } + IPSECSESSIONTRACERESTABLISHED(iph2->parent_session); + ike_session_start_traffic_mon(iph2->parent_session); + } else if (iph2->parent_session->is_asserted) { + ike_session_start_traffic_mon(iph2->parent_session); } + iph2->parent_session->is_asserted = 0; // nothing happening to this session iph2->parent_session->term_reason = NULL; ike_session_update_mode(iph2); - plog(LLV_DEBUG2, LOCATION, NULL, "%s phase2 established, spid %d.\n", __FUNCTION__, iph2->spid); + +#ifdef ENABLE_VPNCONTROL_PORT + vpncontrol_notify_peer_resp_ph2(1, iph2); +#endif /* ENABLE_VPNCONTROL_PORT */ + plog(LLV_DEBUG2, LOCATION, NULL, "%s: ph2 established, spid %d\n", __FUNCTION__, iph2->spid); } void 
@@ -946,36 +975,36 @@ ike_session_cleanup_other_established_ph1s (ike_session_t *session, void ike_session_cleanup_ph2 (struct ph2handle *iph2) { - if (iph2->status == PHASE2ST_EXPIRED) { - return; - } + if (iph2->status == PHASE2ST_EXPIRED) { + return; + } - SCHED_KILL(iph2->sce); + SCHED_KILL(iph2->sce); plog(LLV_ERROR, LOCATION, NULL, "about to cleanup ph2: status %d, seq %d dying %d\n", iph2->status, iph2->seq, iph2->is_dying); - + /* send delete information */ if (iph2->status == PHASE2ST_ESTABLISHED) { isakmp_info_send_d2(iph2); - } - // delete outgoing SAs - if (iph2->approval) { - struct saproto *pr; - - for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { - if (pr->ok) { - pfkey_send_delete(lcconf->sock_pfkey, + // delete outgoing SAs + if (iph2->approval) { + struct saproto *pr; + + for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { + if (pr->ok) { + pfkey_send_delete(lcconf->sock_pfkey, ipsecdoi2pfkey_proto(pr->proto_id), IPSEC_MODE_ANY, iph2->src, iph2->dst, pr->spi_p /* pr->reqid_out */); - } - } - } + } + } + } + } - delete_spd(iph2); + delete_spd(iph2); unbindph12(iph2); remph2(iph2); delph2(iph2); @@ -1175,7 +1204,7 @@ ike_session_update_traffic_idle_status (ike_session_t *session, } if (!session->established || session->stopped_by_vpn_controller || session->stop_timestamp.tv_sec || session->stop_timestamp.tv_usec) { - plog(LLV_DEBUG2, LOCATION, NULL, "dropping update on invalid session.\n", __FUNCTION__); + plog(LLV_DEBUG2, LOCATION, NULL, "dropping update on invalid session in %s.\n", __FUNCTION__); return; } @@ -1246,6 +1275,8 @@ ike_session_cleanup (ike_session_t *session, if (!session) return; + session->is_dying = 1; + SCHED_KILL(session->traffic_monitor.sc_idle); // do ph2's first... we need the ph1s for notifications for (iph2 = LIST_FIRST(&session->ikev1_state.ph2tree); iph2; iph2 = LIST_NEXT(iph2, ph2ofsession_chain)) { 
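Review bot: Besides reindentation, this hunk moves the `pfkey_send_delete` loop inside `if (iph2->status == PHASE2ST_ESTABLISHED)`, so a ph2 whose approval already has `pr->ok` set but whose status is short of ESTABLISHED no longer has its outbound SAs removed from the kernel on cleanup; if SAs are installed before the status reaches ESTABLISHED, that leaves orphaned kernel SAs behind — confirm which state first sets pr->ok. If the narrowing is intended, a one-line comment saying why unestablished SAs are left in place would save the next reader the same question. Mixing a whitespace rewrite with a logic change also hides the change in the diff; separating the two would make it reviewable.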
@@ -1263,16 +1294,21 @@ ike_session_cleanup (ike_session_t *session, } isakmp_ph1expire(iph1); } - + // send ipsecManager a notification - if (reason == ike_session_stopped_by_idle) { + if (session->is_cisco_ipsec && reason && reason != ike_session_stopped_by_vpn_disconnect) { u_int32_t address; if (((struct sockaddr *)&session->session_id.remote)->sa_family == AF_INET) { address = ((struct sockaddr_in *)&session->session_id.remote)->sin_addr.s_addr; } else { address = 0; } - (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_IDLE_TIMEOUT, FROM_LOCAL, address, 0, NULL); + // TODO: log + if (reason == ike_session_stopped_by_idle) { + (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_IDLE_TIMEOUT, FROM_LOCAL, address, 0, NULL); + } else { + (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_INTERNAL_ERROR, FROM_LOCAL, address, 0, NULL); + } } } @@ -1295,6 +1331,25 @@ ike_session_has_negoing_ph1 (ike_session_t *session) return 0; } +int +ike_session_has_established_ph1 (ike_session_t *session) +{ + struct ph1handle *p; + + if (!session) { + plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + return 0; + } + + for (p = LIST_FIRST(&session->ikev1_state.ph1tree); p; p = LIST_NEXT(p, ph1ofsession_chain)) { + if (!p->is_dying && p->status == PHASE1ST_ESTABLISHED) { + return 1; + } + } + + return 0; +} + int ike_session_has_negoing_ph2 (ike_session_t *session) { @@ -1534,7 +1589,7 @@ ike_session_cmp_ph2_ids (struct ph2handle *iph2, if ((older_ph2->ext_nat_id && ike_session_is_id_portany(older_ph2->ext_nat_id)) || (older_ph2->ext_nat_id_p && ike_session_is_id_portany(older_ph2->ext_nat_id_p))) { // try ignoring ports in iph2->id and iph2->id - if (iph2->id && (portany_id = vdup(iph2->id))) { + if (iph2->id && (portany_id = vdup(iph2->id))) { ike_session_set_id_portany(portany_id); } if (iph2->id_p && (portany_id_p = vdup(iph2->id_p))) { 
@@ -1554,7 +1609,7 @@ ike_session_cmp_ph2_ids (struct ph2handle *iph2, } return 0; } - if (iph2->id && older_ph2->ext_nat_id && + if (portany_id && iph2->id && older_ph2->ext_nat_id && iph2->id->l == older_ph2->ext_nat_id->l && memcmp(portany_id->v, older_ph2->ext_nat_id->v, portany_id->l) == 0 && iph2->id_p && older_ph2->id_p && @@ -1568,7 +1623,7 @@ ike_session_cmp_ph2_ids (struct ph2handle *iph2, } return 0; } - if (iph2->id && older_ph2->id && + if (portany_id_p && iph2->id && older_ph2->id && iph2->id->l == older_ph2->id->l && memcmp(iph2->id->v, older_ph2->id->v, iph2->id->l) == 0 && iph2->id_p && older_ph2->ext_nat_id_p && @@ -1608,7 +1663,7 @@ ike_session_get_sainfo_r (struct ph2handle *iph2) plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 found in %s.\n", __FUNCTION__); if (ipany_ids || ike_session_cmp_ph2_ids(iph2, p) == 0) { - plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 matched in %s, spid %d.\n", __FUNCTION__, p->spid); + plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 matched in %s.\n", __FUNCTION__); iph2->sainfo = p->sainfo; if (!iph2->spid) { iph2->spid = p->spid; 
@@ -1688,18 +1743,26 @@ ike_session_get_natt_version (struct ph1handle *iph1) } int -ike_session_drop_rekey (ike_session_t *session) +ike_session_drop_rekey (ike_session_t *session, ike_session_rekey_type_t rekey_type) { if (session) { - // drop if btmm session is idle) { if (session->is_btmm_ipsec && session->last_time_data_sc_detected && session->traffic_monitor.interv_mon && session->traffic_monitor.interv_idle) { + // for btmm: drop ph1/ph2 rekey if session is idle time_t now = time(NULL); if ((now - session->last_time_data_sc_detected) > (session->traffic_monitor.interv_mon << 1)) { - plog(LLV_DEBUG2, LOCATION, NULL, "session is idle: drop rekey.\n"); + plog(LLV_DEBUG2, LOCATION, NULL, "btmm session is idle: drop ph%drekey.\n", + rekey_type); + return 1; + } + } else if (!session->is_btmm_ipsec) { + if (rekey_type == IKE_SESSION_REKEY_TYPE_PH1 && + !ike_session_has_negoing_ph2(session)) { + // for vpn: only drop ph1 if there are no more ph2s. + plog(LLV_DEBUG2, LOCATION, NULL, "vpn session is idle: drop ph1 rekey.\n"); return 1; } } 
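Review bot: The log line `"btmm session is idle: drop ph%drekey.\n"` is missing the space before "rekey", and the vpn branch's comment "only drop ph1 if there are no more ph2s" does not match the test `!ike_session_has_negoing_ph2(session)`, which looks at negotiating ph2s rather than established ones — the patch adds ike_session_has_established_ph1 and the header already declares ike_session_has_established_ph2, so confirm which is meant. Either fix the comment (`// for vpn: drop the ph1 rekey if no ph2 is currently negotiating`) or change the call. The function continues into the next hunk.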
@@ -1707,6 +1770,149 @@ ike_session_drop_rekey (ike_session_t *session) return 0; } +/* + * this is called after racooon receives a 'kIOMessageSystemHasPoweredOn' + * a lot is done to make sure that we don't sweep a session that's already been asserted. + * however, it'll be too bad if the assertion comes after the session has already been swept. + */ +void +ike_session_sweep_sleepwake (void) +{ + ike_session_t *p; + + // flag session as dying if all ph1/ph2 are dead/dying + for (p = LIST_FIRST(&ike_session_tree); p; p = LIST_NEXT(p, chain)) { + if (p->is_dying) { + plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of dying session.\n"); + continue; + } + SCHED_KILL(p->sc_xauth); + if (p->is_asserted) { + // for asserted session, traffic monitors will be restared after phase2 becomes established. + SCHED_KILL(p->traffic_monitor.sc_mon); + SCHED_KILL(p->traffic_monitor.sc_idle); + plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of asserted session.\n"); + continue; + } + + if (!ike_session_has_established_ph1(p) && !ike_session_has_established_ph2(p)) { + p->is_dying = 1; + plog(LLV_DEBUG2, LOCATION, NULL, "session died while sleeping.\n"); + } + if (p->traffic_monitor.sc_mon) { + if (p->traffic_monitor.sc_mon->xtime <= swept_at) { + SCHED_KILL(p->traffic_monitor.sc_mon); + if (!p->is_dying && p->traffic_monitor.interv_mon) { + p->traffic_monitor.sc_mon = sched_new(p->traffic_monitor.interv_mon, + ike_session_traffic_cop, + p); + } + } + } + if (p->traffic_monitor.sc_idle) { + if (p->traffic_monitor.sc_idle->xtime <= swept_at) { + SCHED_KILL(p->traffic_monitor.sc_idle); + if (!p->is_dying && p->traffic_monitor.interv_idle) { + p->traffic_monitor.sc_idle = sched_new(p->traffic_monitor.interv_idle, + ike_session_cleanup_idle, + p); + } + } + } + } +} + +/* + * this is called after racooon receives an assert command from the controller/pppd. + * this is intended to make racoon prepare to rekey both SAs because a network event occurred. 
+ * in the event of a sleepwake, the assert could happen before or after 'ike_session_sweep_sleepwake'. + */ +int +ike_session_assert_session (ike_session_t *session) +{ + struct ph2handle *iph2, *iph2_next; + struct ph1handle *iph1, *iph1_next; + + if (!session || session->is_dying) { + plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + return -1; + } + + // the goal is to prepare the session for fresh rekeys by silently deleting the currently active phase2s + for (iph2 = LIST_FIRST(&session->ikev1_state.ph2tree); iph2; iph2 = iph2_next) { + // take next pointer now, since delete change the underlying ph2tree list + iph2_next = LIST_NEXT(iph2, ph2ofsession_chain); + if (!iph2->is_dying && iph2->status < PHASE2ST_EXPIRED) { + SCHED_KILL(iph2->sce); + iph2->is_dying = 1; + + // delete SAs (in the kernel) + if (iph2->status == PHASE2ST_ESTABLISHED && iph2->approval) { + struct saproto *pr; + + for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { + if (pr->ok) { + //log deletion + plog(LLV_DEBUG, LOCATION, NULL, + "assert: phase2 %s deleted\n", + sadbsecas2str(iph2->src, iph2->dst, iph2->satype, iph2->spid, ipsecdoi2pfkey_mode(pr->encmode))); + + pfkey_send_delete(lcconf->sock_pfkey, + ipsecdoi2pfkey_proto(pr->proto_id), + ipsecdoi2pfkey_mode(pr->encmode), + iph2->src, iph2->dst, pr->spi_p); + } + } + } + + iph2->status = PHASE2ST_EXPIRED; // we want to delete SAs without telling the PEER + iph2->sce = sched_new(3, ike_session_cleanup_ph2_stub, iph2); + } + } + + // the goal is to prepare the session for fresh rekeys by silently deleting the currently active phase1s + for (iph1 = LIST_FIRST(&session->ikev1_state.ph1tree); iph1; iph1 = iph1_next) { + // take next pointer now, since delete change the underlying ph1tree list + iph1_next = LIST_NEXT(iph1, ph1ofsession_chain); + if (!iph1->is_dying && iph1->status < PHASE1ST_EXPIRED) { + SCHED_KILL(iph1->sce); + SCHED_KILL(iph1->sce_rekey); + iph1->is_dying = 1; + + //log deletion + 
plog(LLV_DEBUG, LOCATION, NULL, + "assert: phase1 %s deleted\n", + isakmp_pindex(&iph1->index, 0)); + + ike_session_unbindph12_from_ph1(iph1); + + iph1->status = PHASE1ST_EXPIRED; // we want to delete SAs without telling the PEER + /* responder sets up timer to delete old inbound SAs... say 7 secs later and flags them as rekeyed */ + iph1->sce = sched_new(5, ike_session_cleanup_ph1_stub, iph1); + } + } + session->is_asserted = 1; + + return 0; +} + +int +ike_session_assert (struct sockaddr *local, + struct sockaddr *remote) +{ + ike_session_t *sess; + + if (!local || !remote) { + plog(LLV_DEBUG2, LOCATION, NULL, "invalid parameters in %s.\n", __FUNCTION__); + return -1; + } + + if ((sess = ike_session_get_session(local, remote, FALSE))) { + return(ike_session_assert_session(sess)); + } + return -1; +} + void ike_session_ph2_retransmits (struct ph2handle *iph2) { @@ -1741,3 +1947,24 @@ ike_session_ph2_retransmits (struct ph2handle *iph2) } } } + +void +ike_session_ph1_retransmits (struct ph1handle *iph1) +{ + int num_retransmits; + + if (!iph1->is_dying && + iph1->is_rekey && + !iph1->sce_rekey && + iph1->status >= PHASE1ST_START && iph1->status < PHASE1ST_ESTABLISHED && + iph1->side == INITIATOR && + iph1->parent_session && + iph1->parent_session->is_client && + !ike_session_has_other_negoing_ph1(iph1->parent_session, iph1)) { + num_retransmits = iph1->rmconf->retry_counter - iph1->retry_counter; + if (num_retransmits == 3) { + plog(LLV_DEBUG2, LOCATION, NULL, "many phase1 retransmits: try quit earlier.\n"); + iph1->retry_counter = 0; + } + } +} diff --git a/ipsec-tools/racoon/ike_session.h b/ipsec-tools/racoon/ike_session.h index bc018d6..bbee7e1 100644 --- a/ipsec-tools/racoon/ike_session.h +++ b/ipsec-tools/racoon/ike_session.h @@ -27,11 +27,7 @@ #include #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #include "handler.h" #include "ipsecSessionTracer.h" 
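Review bot: In ike_session_assert_session the comment `/* responder sets up timer to delete old inbound SAs... say 7 secs later and flags them as rekeyed */` sits above `sched_new(5, ike_session_cleanup_ph1_stub, iph1)`, so the comment and the delay disagree; state the actual value and why ph1 waits 5 s while ph2 waits 3 s, or give both delays a named constant. The header comments spell "racooon" and "restared". In ike_session_sweep_sleepwake, `SCHED_KILL(p->sc_xauth)` runs for every non-dying session, asserted ones included, before the asserted check — a one-line comment on why the XAUTH timer is dropped on wake would help.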
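Review bot: `num_retransmits == 3` in ike_session_ph1_retransmits is a magic number and an exact match: if the function is not invoked on precisely the third retransmit the early quit never fires. `enum { PH1_REKEY_RETX_QUIT_THRESHOLD = 3 };` with `>=` makes the intent explicit and robust; the sibling ike_session_ph2_retransmits, whose body is outside this hunk, likely has a similar threshold that should share the constant. `iph1->rmconf` is dereferenced without a check; if rmconf can be NULL for a ph1 in these states, add `iph1->rmconf &&` to the condition.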
@@ -97,6 +93,9 @@ struct ike_session { int i_sent_data_sc_idle:1; int is_client:1; time_t last_time_data_sc_detected; + int controller_awaiting_peer_resp:1; + int is_dying:1; + int is_asserted:1; u_int32_t natt_flags; u_int32_t natt_version; char *term_reason; @@ -115,8 +114,16 @@ struct ike_session { LIST_ENTRY(ike_session) chain; }; +typedef enum ike_session_rekey_type { + IKE_SESSION_REKEY_TYPE_NONE = 0, + IKE_SESSION_REKEY_TYPE_PH1, + IKE_SESSION_REKEY_TYPE_PH2, +} ike_session_rekey_type_t; + extern const char * ike_session_stopped_by_vpn_disconnect; extern const char * ike_session_stopped_by_flush; +extern const char * ike_session_stopped_by_sleepwake; +extern const char * ike_session_stopped_by_assert; extern void ike_session_init __P((void)); extern ike_session_t * ike_session_get_session __P((struct sockaddr *, struct sockaddr *, int)); @@ -146,6 +153,7 @@ extern u_int32_t ike_session_get_sas_for_stats __P((ike_session_t *, u_ extern void ike_session_update_traffic_idle_status __P((ike_session_t *, u_int32_t, struct sastat *, u_int32_t)); extern void ike_session_cleanup __P((ike_session_t *, const char *)); extern int ike_session_has_negoing_ph1 __P((ike_session_t *)); +extern int ike_session_has_established_ph1 __P((ike_session_t *)); extern int ike_session_has_negoing_ph2 __P((ike_session_t *)); extern int ike_session_has_established_ph2 __P((ike_session_t *)); extern void ike_session_cleanup_ph1s_by_ph2 __P((struct ph2handle *)); 
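Review bot: The new flags `controller_awaiting_peer_resp`, `is_dying` and `is_asserted` are declared as `int ...:1`; a signed 1-bit field holds only 0 and -1, so `p->is_dying = 1` stores -1 and any `== 1` comparison fails (truth tests still work). This matches the neighbouring fields, but `unsigned int ...:1` is the safe form for new ones. Each flag also lacks the trailing comment the other members carry, e.g. `int is_asserted:1; /* set by ike_session_assert_session; cleared when a ph2 is established */`.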
@@ -157,7 +165,11 @@ extern int ike_session_get_sainfo_r __P((struct ph2handle *)); extern int ike_session_get_proposal_r __P((struct ph2handle *)); extern void ike_session_update_natt_version __P((struct ph1handle *)); extern int ike_session_get_natt_version __P((struct ph1handle *)); -extern int ike_session_drop_rekey __P((ike_session_t *)); +extern int ike_session_drop_rekey __P((ike_session_t *, ike_session_rekey_type_t)); +extern void ike_session_sweep_sleepwake __P((void)); +extern int ike_session_assert __P((struct sockaddr *, struct sockaddr *)); +extern int ike_session_assert_session __P((ike_session_t *)); extern void ike_session_ph2_retransmits __P((struct ph2handle *)); +extern void ike_session_ph1_retransmits __P((struct ph1handle *)); #endif /* _IKE_SESSION_H */ diff --git a/ipsec-tools/racoon/ipsec_doi.c b/ipsec-tools/racoon/ipsec_doi.c index 56cb6b7..d413a08 100644 --- a/ipsec-tools/racoon/ipsec_doi.c +++ b/ipsec-tools/racoon/ipsec_doi.c @@ -604,6 +604,12 @@ t2isakmpsa(trns, sa) p = (u_char *)&d->lorv; } else { /*TLV*/ len = ntohs(d->lorv); + if (len > tlen) { + plog(LLV_ERROR, LOCATION, NULL, + "invalid ISAKMP-SA attr, attr-len %d, overall-len %d\n", + len, tlen); + return -1; + } p = (u_char *)(d + 1); } val = vmalloc(len); @@ -3201,7 +3207,6 @@ ipsecdoi_setph2proposal(iph2) return 0; } -#ifdef __APPLE__ /* * return 1 if all of the given protocols are tunnel mode. */ @@ -3244,7 +3249,6 @@ struct saprop *pp; return 0; } -#endif /* * return 1 if all of the given protocols are transport mode. @@ -3406,6 +3410,7 @@ ipsecdoi_subnetisaddr_v6( subnet, address ) #endif +#ifdef NOT_USED /* * Check and Compare two IDs * - specify 0 for exact if wildcards are allowed @@ -3601,6 +3606,7 @@ cmpid_invalid: return -1; } +#endif /* * check the following: 
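Review bot: The new `if (len > tlen)` check in t2isakmpsa compares the TLV value length against the remaining length while `tlen` still appears to include the attribute header `*d` itself, so an attribute with `len == tlen` passes and the copy from `p = (u_char *)(d + 1)` reads `sizeof(*d)` bytes past the end of the peer-supplied payload; the loop bookkeeping that advances `d` and decrements `tlen` is outside the hunk, so confirm. Checking against the value bytes actually left — first `tlen < sizeof(*d)`, then `len > tlen - sizeof(*d)` — makes the bound exact. Rejecting with -1 here is the right reaction; this is untrusted data from the wire.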
@@ -3731,10 +3737,15 @@ ipsecdoi_checkid1(iph1) switch (id->idtype) { case IDTYPE_ASN1DN: +#ifdef HAVE_OPENSSL ident.v = iph1->id_p->v + sizeof(*id_b); ident.l = iph1->id_p->l - sizeof(*id_b); if (eay_cmp_asn1dn(ident0, &ident) == 0) goto matched; +#else + plog(LLV_WARNING, LOCATION, NULL, "ASN1DN ID matching not implemented - passed.\n"); + goto matched; //%%%%%% hack for now until we have code to do this. +#endif break; case IDTYPE_ADDRESS: sa = (struct sockaddr *)ident0->v; @@ -3810,9 +3821,7 @@ ipsecdoi_setid1(iph1) ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv); break; case IDTYPE_KEYID: -#ifdef __APPLE__ case IDTYPE_KEYIDUSE: -#endif id_b.type = IPSECDOI_ID_KEY_ID; ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv); break; @@ -3827,7 +3836,44 @@ ipsecdoi_setid1(iph1) "failed to get own CERT.\n"); goto err; } +#if TARGET_OS_EMBEDDED + { + SecCertificateRef certificate; + CFDataRef subject; + UInt8* namePtr; + int len; + + certificate = crypto_cssm_x509cert_get_SecCertificateRef(&iph1->cert->cert); + if (certificate == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to get SecCertificateRef\n"); + break; + } + subject = SecCertificateCopySubjectSequence(certificate); + if (subject == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to get subjectName\n"); + CFRelease(certificate); + break; + } + len = CFDataGetLength(subject); + namePtr = CFDataGetBytePtr(subject); + ident = vmalloc(len); + if (ident == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to get subjectName\n"); + CFRelease(certificate); + CFRelease(subject); + break; + } + memcpy(ident->v, namePtr, len); + CFRelease(certificate); + CFRelease(subject); + break; + } +#else ident = eay_get_x509asn1subjectname(&iph1->cert->cert); +#endif } break; case IDTYPE_ADDRESS: 
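Review bot: The `#else` branch added to the IDTYPE_ASN1DN case in ipsecdoi_checkid1 does `goto matched` after a warning, so a build without HAVE_OPENSSL accepts any peer that presents an ASN1DN identity against a configured DN — the identity check is skipped rather than performed, the opposite of the fail-closed behaviour of the surrounding cases. Until DN comparison is available, fall through to the mismatch path (`break;` instead of `goto matched;`) or make the acceptance an explicit, logged configuration choice, and have the `%%%%%% hack` comment say which follow-up replaces it. The `break` after the `#endif` is unreachable on the non-OpenSSL path.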
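Review bot: In the TARGET_OS_EMBEDDED block of ipsecdoi_setid1 the `ident == NULL` branch logs "failed to get subjectName", the message of the preceding check; it should name the allocation, e.g. `"failed to allocate %d bytes for subjectName\n", len`. `len` takes a CFIndex from CFDataGetLength into an `int` and is passed to `vmalloc` unchecked, so an empty subject sequence becomes a zero-length ID; a `len <= 0` check before the allocation, with the same CFRelease cleanup, avoids that. On every `break` path ident stays NULL, so what the code after the switch (outside the hunk) does with a NULL ident decides whether this fails closed.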
@@ -3897,6 +3943,7 @@ ipsecdoi_setid1(iph1) plog(LLV_DEBUG, LOCATION, NULL, "use ID type of %s\n", s_ipsecdoi_ident(id_b.type)); + plogdump(LLV_DEBUG, iph1->id->v, iph1->id->l); if (ident) vfree(ident); return 0; @@ -3958,9 +4005,7 @@ set_identifier_qual(vpp, type, value, qual) "Empty %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn"); return -1; } -#ifdef __APPLE__ case IDTYPE_KEYIDUSE: -#endif #ifdef ENABLE_HYBRID case IDTYPE_LOGIN: #endif @@ -4043,6 +4088,7 @@ set_identifier_qual(vpp, type, value, qual) break; } case IDTYPE_ASN1DN: +#ifdef HAVE_OPENSSL if (value->v[0] == '~') /* Hex-encoded ASN1 strings */ new = eay_hex2asn1dn(value->v + 1, - 1); @@ -4072,6 +4118,10 @@ set_identifier_qual(vpp, type, value, qual) X509_NAME_free(xn); BIO_free(bio); } +#else + plog(LLV_DEBUG, LOCATION, NULL, "Setting ID type ASN1DN from string not supported\n"); + return -1; +#endif break; } @@ -4110,8 +4160,19 @@ ipsecdoi_setid2(iph2) spidx2str(&sp->spidx)); return -1; } + if ((((struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR || + ((struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR_SUBNET) && + iph2->side == RESPONDER && + iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED_ME) && + lcconf->ext_nat_id) { + vfree(iph2->id); + if (!(iph2->id = vdup(lcconf->ext_nat_id))) { + return -1; + } + } plog(LLV_DEBUG, LOCATION, NULL, "use local ID type %s\n", s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id->v)->type)); + plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); /* remote side */ iph2->id_p = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.dst, @@ -4126,6 +4187,7 @@ ipsecdoi_setid2(iph2) plog(LLV_DEBUG, LOCATION, NULL, "use remote ID type %s\n", s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id_p->v)->type)); + plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); return 0; } 
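Review bot: The `plogdump` added after the "use remote ID type" message in ipsecdoi_setid2 dumps `iph2->id` again rather than `iph2->id_p`, so the remote ID is never shown; change it to `plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);`. The ext_nat_id substitution a few lines up frees `iph2->id` before the `vdup` and returns -1 on failure without logging, unlike the other error returns in this function, so a plog on that path would keep error reporting consistent.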
@@ -4316,9 +4378,7 @@ ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto) switch (id_b->type) { case IPSECDOI_ID_IPV4_ADDR: case IPSECDOI_ID_IPV4_ADDR_SUBNET: -#ifndef __linux__ saddr->sa_len = sizeof(struct sockaddr_in); -#endif saddr->sa_family = AF_INET; ((struct sockaddr_in *)saddr)->sin_port = (id_b->port == 0 @@ -4330,9 +4390,7 @@ ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto) #ifdef INET6 case IPSECDOI_ID_IPV6_ADDR: case IPSECDOI_ID_IPV6_ADDR_SUBNET: -#ifndef __linux__ saddr->sa_len = sizeof(struct sockaddr_in6); -#endif saddr->sa_family = AF_INET6; ((struct sockaddr_in6 *)saddr)->sin6_port = (id_b->port == 0 @@ -4443,9 +4501,7 @@ ipsecdoi_id2str(id) case IPSECDOI_ID_IPV4_ADDR_SUBNET: case IPSECDOI_ID_IPV4_ADDR_RANGE: -#ifndef __linux__ ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in); -#endif ((struct sockaddr *)&saddr)->sa_family = AF_INET; ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY; memcpy(&((struct sockaddr_in *)&saddr)->sin_addr, @@ -4455,10 +4511,7 @@ ipsecdoi_id2str(id) case IPSECDOI_ID_IPV6_ADDR: case IPSECDOI_ID_IPV6_ADDR_SUBNET: case IPSECDOI_ID_IPV6_ADDR_RANGE: - -#ifndef __linux__ ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in6); -#endif ((struct sockaddr *)&saddr)->sa_family = AF_INET6; ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY; memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr, @@ -4540,9 +4593,7 @@ ipsecdoi_id2str(id) len = snprintf( buf, sizeof(buf), "%s-", saddrwop2str((struct sockaddr *)&saddr)); -#ifndef __linux__ ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in); -#endif ((struct sockaddr *)&saddr)->sa_family = AF_INET; ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY; memcpy(&((struct sockaddr_in *)&saddr)->sin_addr, 
@@ -4560,9 +4611,7 @@ ipsecdoi_id2str(id) len = snprintf( buf, sizeof(buf), "%s-", saddrwop2str((struct sockaddr *)&saddr)); -#ifndef __linux__ ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in6); -#endif ((struct sockaddr *)&saddr)->sa_family = AF_INET6; ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY; memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr, @@ -4591,11 +4640,13 @@ ipsecdoi_id2str(id) case IPSECDOI_ID_DER_ASN1_DN: case IPSECDOI_ID_DER_ASN1_GN: { +#ifdef HAVE_OPENSSL X509_NAME *xn = NULL; +#endif dat = id->v + sizeof(*id_b); len = id->l - sizeof(*id_b); - +#ifdef HAVE_OPENSSL if (d2i_X509_NAME(&xn, (void*) &dat, len) != NULL) { BIO *bio = BIO_new(BIO_s_mem()); X509_NAME_print_ex(bio, xn, 0, 0); @@ -4605,7 +4656,10 @@ ipsecdoi_id2str(id) memcpy(buf,dat,len); BIO_free(bio); X509_NAME_free(xn); - } else { + } else +#endif + { + plog(LLV_ERROR, LOCATION, NULL, "unable to extract asn1dn from id\n"); diff --git a/ipsec-tools/racoon/ipsec_doi.h b/ipsec-tools/racoon/ipsec_doi.h index ff07bd3..37f7657 100644 --- a/ipsec-tools/racoon/ipsec_doi.h +++ b/ipsec-tools/racoon/ipsec_doi.h @@ -181,7 +181,6 @@ struct ipsecdoi_pl_id { #define IDTYPE_ASN1DN 5 #define IDTYPE_LOGIN 6 #define IDTYPE_SUBNET 7 -#ifdef __APPLE__ #define IDTYPE_KEYIDUSE 8 /* shared secret type, it's internal use. */ @@ -198,7 +197,6 @@ struct ipsecdoi_pl_id { #define VERIFICATION_OPTION_NONE 0 #define VERIFICATION_OPTION_PEERS_IDENTIFIER 1 #define VERIFICATION_OPTION_OPEN_DIR 2 -#endif /* qualifiers for KEYID (and maybe others) */ #define IDQUAL_UNSPEC 0 
@@ -241,10 +239,8 @@ extern vchar_t *ipsecdoi_sockrange2id __P(( struct sockaddr *, extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *)); extern int ipsecdoi_setph2proposal __P((struct ph2handle *)); extern int ipsecdoi_transportmode __P((struct saprop *)); -#ifdef __APPLE__ extern int ipsecdoi_tunnelmode __P((struct ph2handle *)); extern int ipsecdoi_any_transportmode __P((struct saprop *)); -#endif extern int ipsecdoi_get_defaultlifetime __P((void)); extern int ipsecdoi_checkalgtypes __P((int, int, int, int)); extern int ipproto2doi __P((int)); diff --git a/ipsec-tools/racoon/isakmp.c b/ipsec-tools/racoon/isakmp.c index 0be5221..8498336 100644 --- a/ipsec-tools/racoon/isakmp.c +++ b/ipsec-tools/racoon/isakmp.c @@ -30,18 +30,19 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -#ifdef __APPLE__ #define __APPLE_API_PRIVATE -#endif #include "config.h" #include #include #include +#include #include #include +#include +#include #include #ifndef HAVE_NETINET6_IPSEC @@ -121,23 +122,14 @@ # include "nattraversal.h" #endif #include "ike_session.h" -# ifdef __linux__ -# include -# include -# ifndef SOL_UDP -# define SOL_UDP 17 -# endif -# endif /* __linux__ */ -# if defined(__NetBSD__) || defined(__FreeBSD__) || \ - (defined(__APPLE__) && defined(__MACH__)) # include # include # include # include # define SOL_UDP IPPROTO_UDP -# endif /* __NetBSD__ / __FreeBSD__ */ #include "ipsecSessionTracer.h" #include "ipsecMessageTracer.h" +#include "power_mgmt.h" static int nostate1 __P((struct ph1handle *, vchar_t *)); static int nostate2 __P((struct ph2handle *, vchar_t *)); @@ -212,11 +204,7 @@ isakmp_handler(so_isakmp) char buf[sizeof (isakmp) + 4]; u_int32_t non_esp[2]; char lbuf[sizeof(struct udphdr) + -#ifdef __linux - sizeof(struct iphdr) + -#else sizeof(struct ip) + -#endif sizeof(isakmp) + 4]; } x; struct sockaddr_storage remote; 
@@ -228,6 +216,12 @@ isakmp_handler(so_isakmp) vchar_t *buf = NULL, *tmpbuf = NULL; int error = -1; + if (slept_at || woke_at) { + plog(LLV_DEBUG, LOCATION, NULL, + "ignoring isakmp port until power-mgmt event is handled.\n"); + return 0; + } + /* read message by MSG_PEEK */ while ((len = recvfromto(so_isakmp, x.buf, sizeof(x), MSG_PEEK, (struct sockaddr *)&remote, &remote_len, @@ -255,15 +249,6 @@ isakmp_handler(so_isakmp) /* Lucent IKE in UDP encapsulation */ { struct udphdr *udp; -#ifdef __linux__ - struct iphdr *ip; - - udp = (struct udphdr *)&x.lbuf[0]; - if (ntohs(udp->dest) == 501) { - ip = (struct iphdr *)(x.lbuf + sizeof(*udp)); - extralen += sizeof(*udp) + ip->ihl; - } -#else struct ip *ip; udp = (struct udphdr *)&x.lbuf[0]; @@ -271,7 +256,6 @@ isakmp_handler(so_isakmp) ip = (struct ip *)(x.lbuf + sizeof(*udp)); extralen += sizeof(*udp) + ip->ip_hl; } -#endif } #ifdef ENABLE_NATT @@ -324,9 +308,7 @@ isakmp_handler(so_isakmp) plog(LLV_ERROR, LOCATION, NULL, "failed to receive isakmp packet: %s\n", strerror (errno)); -#ifdef __APPLE__ error = -2; /* serious problem with socket */ -#endif } goto end; } @@ -342,6 +324,13 @@ isakmp_handler(so_isakmp) goto end; } + if (len < extralen) { + plog(LLV_ERROR, LOCATION, NULL, + "invalid len (%d Bytes) & extralen (%d Bytes)\n", + len, extralen); + goto end; + } + if ((buf = vmalloc(len - extralen)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate reading buffer (%u Bytes)\n", @@ -396,6 +385,9 @@ isakmp_handler(so_isakmp) /* simply reply if the packet was processed. */ if (check_recvdpkt((struct sockaddr *)&remote, (struct sockaddr *)&local, buf)) { + IPSECLOGASLMSG("Received retransmitted packet from %s.\n", + saddr2str((struct sockaddr *)&remote)); + plog(LLV_NOTIFY, LOCATION, NULL, "the packet is retransmitted by %s.\n", saddr2str((struct sockaddr *)&remote)); 
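Review bot: The new early `return 0` when `slept_at || woke_at` leaves the datagram queued, since nothing has been read from `so_isakmp` yet (the read below is a `MSG_PEEK`), so if the caller's dispatch loop re-polls the socket it will presumably report readable again immediately and spin until the power-management event is handled; this is inferred from the visible control flow, not from the loop itself, which is outside the hunk. Either drain the packet before returning or document that the fd is expected to be removed from the poll set during that window, e.g. `/* the packet stays queued; the main loop must not poll this fd until the power event is processed */`.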
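Review bot: The surviving Lucent decapsulation line `extralen += sizeof(*udp) + ip->ip_hl;` adds the header length in 32-bit words, not bytes (`ip_hl` in `struct ip` is the word count), so the ISAKMP payload is taken from the wrong offset for every Lucent-encapsulated packet; it should be `extralen += sizeof(*udp) + (ip->ip_hl << 2);`. The new `if (len < extralen)` guard further down keeps the short `extralen` from producing an undersized `vmalloc`, but it does not fix the offset, and with a correct byte count the guard becomes more important, not less. The guard could also require room for an ISAKMP header, `if (len < extralen || len - extralen < sizeof(isakmp))`, unless a later check outside the hunk already does this.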
@@ -547,12 +539,8 @@ isakmp_main(msg, remote, local) plog (LLV_INFO, LOCATION, NULL, "NAT-T: ports changed to: %s\n", saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local)); -#ifndef __APPLE__ - natt_keepalive_add_ph1 (iph1); -#endif } #endif - /* must be same addresses in one stream of a phase at least. */ if (cmpsaddrstrict(iph1->remote, remote) != 0) { char *saddr_db, *saddr_act; @@ -819,7 +807,14 @@ isakmp_main(msg, remote, local) isakmp->etype, saddr2str(remote)); return -1; } - + if (iph1->status != PHASE1ST_ESTABLISHED) { + plog(LLV_ERROR, LOCATION, NULL, + "mode config %d from %s, " + "but ISAKMP-SA %s isn't established.\n", + isakmp->etype, saddr2str(remote), + isakmp_pindex(&iph1->index, iph1->msgid)); + return -1; + } #ifdef ENABLE_FRAG if (isakmp->np == ISAKMP_NPTYPE_FRAG) return frag_handler(iph1, msg, remote, local); @@ -1073,6 +1068,7 @@ ph1_main(iph1, msg) #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL); + vpncontrol_notify_peer_resp_ph1(1, iph1); #endif } @@ -1182,7 +1178,6 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) iph1->status = PHASE1ST_START; iph1->rmconf = rmconf; -#ifdef __APPLE__ if (link_rmconf_to_ph1(rmconf) < 0) { plog(LLV_ERROR, LOCATION, remote, "couldn't link " @@ -1192,7 +1187,6 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) delph1(iph1); return -1; } -#endif iph1->side = INITIATOR; iph1->started_by_api = started_by_api; iph1->version = ISAKMP_VERSION_NUMBER; @@ -1234,6 +1228,13 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) delph1(iph1); return -1; } + // HACK!!! to track rekeys across SIGHUPs + if (started_by_api == VPN_RESTARTED_BY_API && + !iph1->is_rekey) { + iph1->parent_session->established = 1; + iph1->parent_session->ikev1_state.ph2cnt++; + iph1->is_rekey = 1; + } /* start phase 1 exchange */ iph1->etype = rmconf->etypes->type; 
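Review bot: The `// HACK!!! to track rekeys across SIGHUPs` block in isakmp_ph1begin_i marks `parent_session->established = 1`, bumps `ikev1_state.ph2cnt` and sets `is_rekey` before a single message has been exchanged, and the comment gives no reason a reader could check. Given that `ike_session_drop_rekey` and `ike_session_has_other_established_ph1` consult this session state elsewhere in the patch, the intent looks like "make a restarted-by-API phase 1 behave as a rekey of a session that was established before the SIGHUP", but that is an inference. I would replace the comment with one that states it, e.g. `/* After a SIGHUP restart the pre-existing session state is gone; pre-mark the session as established with one phase 2 so this phase 1 is treated as a rekey (not a fresh session) by the rekey/drop logic. */`, and name the condition under which the hack can be removed. The function starts outside the hunk.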
@@ -1258,6 +1259,9 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) gettimeofday(&iph1->start, NULL); gettimeofday(&start, NULL); #endif + + IPSECLOGASLMSG("IPSec Phase1 started (Initiated by me).\n"); + /* start exchange */ if ((ph1exchange[etypesw1(iph1->etype)] [iph1->side] @@ -1280,7 +1284,6 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) #ifdef ENABLE_VPNCONTROL_PORT vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL); #endif - return 0; } @@ -1325,7 +1328,6 @@ isakmp_ph1begin_r(msg, remote, local, etype) memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck)); iph1->status = PHASE1ST_START; iph1->rmconf = rmconf; -#ifdef __APPLE__ if (link_rmconf_to_ph1(rmconf) < 0) { plog(LLV_ERROR, LOCATION, remote, "couldn't link " @@ -1335,7 +1337,6 @@ isakmp_ph1begin_r(msg, remote, local, etype) delph1(iph1); return -1; } -#endif iph1->flags = 0; iph1->side = RESPONDER; iph1->started_by_api = 0; @@ -1401,6 +1402,8 @@ isakmp_ph1begin_r(msg, remote, local, etype) gettimeofday(&start, NULL); #endif + IPSECLOGASLMSG("IPSec Phase1 started (Initiated by peer).\n"); + #ifndef ENABLE_FRAG /* start exchange */ @@ -1486,6 +1489,8 @@ isakmp_ph2begin_i(iph1, iph2) } iph2->status = PHASE2ST_STATUS2; + IPSECLOGASLMSG("IPSec Phase2 started (Initiated by me).\n"); + if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] [iph2->side] [iph2->status])(iph2, NULL) < 0) { @@ -1615,6 +1620,8 @@ isakmp_ph2begin_r(iph1, msg) gettimeofday(&start, NULL); #endif + IPSECLOGASLMSG("IPSec Phase2 started (Initiated by peer).\n"); + error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] [iph2->side] [iph2->status])(iph2, msg); 
@@ -1765,29 +1772,8 @@ isakmp_parse(buf) return result; } -/* %%% */ -#ifndef __APPLE__ -int -isakmp_init() -{ - /* initialize a isakmp status table */ - initph1tree(); - initph2tree(); - initctdtree(); - init_recvdpkt(); - - if (isakmp_open() < 0) - goto err; - - return(0); - -err: - isakmp_close(); - return(-1); -} -#else int -isakmp_init(int ignore_phX) +isakmp_init(int ignore_phX, int *tentative_failures) { /* initialize a isakmp status table */ if (!ignore_phX) { @@ -1797,7 +1783,7 @@ isakmp_init(int ignore_phX) initctdtree(); init_recvdpkt(); - if (isakmp_open() < 0) + if (isakmp_open(tentative_failures) < 0) goto err; return(0); @@ -1806,7 +1792,6 @@ err: isakmp_close(); return(-1); } -#endif /* __APPLE__ */ void isakmp_cleanup() @@ -1851,7 +1836,7 @@ isakmp_pindex(index, msgid) /* open ISAKMP sockets. */ int -isakmp_open() +isakmp_open(int *tentative_failures) { const int yes = 1; int ifnum = 0, encap_ifnum = 0; @@ -1860,18 +1845,19 @@ isakmp_open() #endif struct myaddrs *p; + if (tentative_failures) { + *tentative_failures = FALSE; + } + for (p = lcconf->myaddrs; p; p = p->next) { if (!p->addr) continue; - -#ifdef __APPLE__ if (p->sock != -1) { ifnum++; if (p->udp_encap) encap_ifnum++; continue; // socket already open } -#endif /* warn if wildcard address - should we forbid this? */ switch (p->addr->sa_family) { @@ -1924,11 +1910,7 @@ isakmp_open() switch (p->addr->sa_family) { case AF_INET: if (setsockopt(p->sock, IPPROTO_IP, -#ifdef __linux__ - IP_PKTINFO, -#else IP_RECVDSTADDR, -#endif (const void *)&yes, sizeof(yes)) < 0) { plog(LLV_ERROR, LOCATION, NULL, "setsockopt IP_RECVDSTADDR (%s)\n", @@ -1939,11 +1921,7 @@ isakmp_open() #ifdef INET6 case AF_INET6: #ifdef INET6_ADVAPI -#ifdef IPV6_RECVPKTINFO pktinfo = IPV6_RECVPKTINFO; -#else /* old adv. API */ - pktinfo = IPV6_PKTINFO; -#endif /* IPV6_RECVPKTINFO */ #else pktinfo = IPV6_RECVDSTADDR; #endif 
@@ -1973,7 +1951,6 @@ isakmp_open() if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0) goto err_and_next; -#ifdef __APPLE__ if (extract_port(p->addr) == PORT_ISAKMP) { if (setsockopt(p->sock, SOL_SOCKET, SO_NOTIFYCONFLICT, (void *)&yes, sizeof(yes)) < 0) { 
@@ -1982,59 +1959,60 @@ isakmp_open() goto err_and_next; } } -#endif if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) { + int tmp_errno = errno; plog(LLV_ERROR, LOCATION, p->addr, "failed to bind to address %s (%s).\n", - saddr2str(p->addr), strerror(errno)); + saddr2str(p->addr), strerror(tmp_errno)); +#ifdef INET6 + // if bind failed b/c of a tentative v6 address, try again later + if (tmp_errno == EADDRNOTAVAIL && p->addr->sa_family == AF_INET6) { + struct in6_ifreq ifr6; + + bzero(&ifr6, sizeof(ifr6)); + strlcpy(ifr6.ifr_name, p->ifname, sizeof(ifr6.ifr_name)); + memcpy(&ifr6.ifr_addr, p->addr, sizeof(ifr6.ifr_addr)); + if (ioctl(p->sock, SIOCGIFAFLAG_IN6, &ifr6) >= 0) { + /* + * the tentative flag may have cleared between the bind() and ioctl() calls (i.e due to timing), so + * try infering that it was tentative from ensuring the absense other cases of EADDRNOTAVAIL. + */ + if ((ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_ANYCAST | IN6_IFF_DUPLICATED | IN6_IFF_DETACHED | IN6_IFF_DEPRECATED)) == 0) { + // address may have been tentantive... 
invalidate sock but leave address around for another try later + plog(LLV_ERROR, LOCATION, p->addr, + "failed to bind to address %s: because interface address is/was not ready (flags %x).\n", + saddr2str(p->addr), ifr6.ifr_ifru.ifru_flags6); + close(p->sock); + p->sock = -1; + if (tentative_failures) { + *tentative_failures = TRUE; + } + continue; + } else { + plog(LLV_ERROR, LOCATION, p->addr, + "failed to bind to address %s: because of interface address error, flags %x.\n", + saddr2str(p->addr), ifr6.ifr_ifru.ifru_flags6); + } + } else { + plog(LLV_ERROR, LOCATION, p->addr, + "failed to bind to address %s: can't read interface address flags.\n", + saddr2str(p->addr)); + } + } +#endif close(p->sock); p->sock = -1; goto err_and_next; } ifnum++; -#ifdef __APPLE__ if (p->udp_encap) encap_ifnum++; -#endif plog(LLV_INFO, LOCATION, NULL, "%s used as isakmp port (fd=%d)\n", saddr2str(p->addr), p->sock); - -#ifndef __APPLE__ -#ifdef ENABLE_NATT - if (p->addr->sa_family == AF_INET) { - int option = -1; - - if(p->udp_encap) - option = UDP_ENCAP_ESPINUDP; -#if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01) - else - option = UDP_ENCAP_ESPINUDP_NON_IKE; -#endif - if(option != -1){ - if (setsockopt (p->sock, SOL_UDP, - UDP_ENCAP, &option, sizeof (option)) < 0) { - plog(LLV_WARNING, LOCATION, NULL, - "setsockopt(%s): UDP_ENCAP %s\n", - option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE", - strerror(errno)); - goto skip_encap; - } - else { - plog(LLV_INFO, LOCATION, NULL, - "%s used for NAT-T\n", - saddr2str(p->addr)); - encap_ifnum++; - } - } - } -skip_encap: -#endif -#endif /* __APPLE__ */ - continue; err_and_next: 
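Review bot: The tentative-address heuristic in isakmp_open never looks at `IN6_IFF_TENTATIVE` itself; it treats any `EADDRNOTAVAIL` on an AF_INET6 address whose flags lack ANYCAST/DUPLICATED/DETACHED/DEPRECATED as "was tentative", so an address that is simply not assigned to `p->ifname` anymore is kept around for retry instead of failing. Testing the positive case first and falling back to the heuristic only for the race the comment describes would be tighter: `if ((ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_TENTATIVE) || (ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_ANYCAST | IN6_IFF_DUPLICATED | IN6_IFF_DETACHED | IN6_IFF_DEPRECATED)) == 0)`. The generic "failed to bind to address" error is also logged before the three more specific messages, so every v6 bind failure is reported twice; moving the generic `plog` into the non-v6 path would avoid that. The enclosing function starts outside the hunk.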
@@ -2212,6 +2190,13 @@ int isakmp_ph1resend(iph1) struct ph1handle *iph1; { + time_t retry_interval; + + // make sure there is a buffer to send + // isakmp_plist_set_all() could have returned NULL + if (iph1->sendbuf == NULL) + return -1; + /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function */ if (iph1->retry_counter <= 0) { @@ -2231,6 +2216,8 @@ isakmp_ph1resend(iph1) return 0; } return -1; + } else { + ike_session_ph1_retransmits(iph1); } if (isakmp_send(iph1, iph1->sendbuf) < 0){ @@ -2260,8 +2247,9 @@ isakmp_ph1resend(iph1) isakmp_pindex(&iph1->index, iph1->msgid)); iph1->retry_counter--; - - iph1->scr = sched_new(iph1->rmconf->retry_interval, + retry_interval = get_exp_retx_interval((iph1->rmconf->retry_counter - iph1->retry_counter), + iph1->rmconf->retry_interval); + iph1->scr = sched_new(retry_interval, isakmp_ph1resend_stub, iph1); return 0; @@ -2287,6 +2275,8 @@ int isakmp_ph2resend(iph2) struct ph2handle *iph2; { + time_t retry_interval; + /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function */ //%%% BUG FIX - related to commit bit usage - crash happened here @@ -2347,8 +2337,9 @@ isakmp_ph2resend(iph2) isakmp_pindex(&iph2->ph1->index, iph2->msgid)); iph2->retry_counter--; - - iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval, + retry_interval = get_exp_retx_interval((iph2->ph1->rmconf->retry_counter - iph2->ph1->retry_counter), + iph2->ph1->rmconf->retry_interval); + iph2->scr = sched_new(retry_interval, isakmp_ph2resend_stub, iph2); #ifdef ENABLE_DPD @@ -2446,7 +2437,7 @@ int ignore_sess_drop_policy; racoon_free(src); racoon_free(dst); - if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session)) { + if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) { return; } 
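Review bot: In isakmp_ph2resend the backoff exponent is computed from the phase-1 handler's counter, `iph2->ph1->rmconf->retry_counter - iph2->ph1->retry_counter`, while the line just above decrements `iph2->retry_counter`; unless the phase-2 backoff is deliberately keyed to phase-1 retransmits (the hunk gives no such hint), this mirrors the phase-1 version too literally and the phase-2 interval never grows. It should read `retry_interval = get_exp_retx_interval((iph2->ph1->rmconf->retry_counter - iph2->retry_counter), iph2->ph1->rmconf->retry_interval);`. The phase-1 variant also gained a `sendbuf == NULL` guard; the phase-2 body between the two hunks is not visible, so I cannot tell whether it has an equivalent, but the same `isakmp_plist_set_all()` failure mode presumably applies.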
@@ -2515,6 +2506,13 @@ struct ph1handle *iph1; racoon_free(src); racoon_free(dst); + if (ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) { + plog(LLV_INFO, LOCATION, iph1->remote, + "request for ISAKMP-SA rekey was ignored " + "due to idleness.\n"); + return 0; + } + // exit if there is another ph1 that is established (with a pending rekey timer) if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) { plog(LLV_INFO, LOCATION, iph1->remote, @@ -2758,10 +2756,18 @@ isakmp_post_acquire(iph2) "due to no phase1 found.\n", saddrwop2str(iph2->dst)); + // exit if there is another ph1 that is established (with a pending rekey timer) + if (ike_session_has_negoing_ph1(iph2->parent_session)) { + plog(LLV_INFO, LOCATION, iph2->dst, + "request for phase1 was ignored " + "due to another negotiating ph1.\n"); + return 0; + } + /* start phase 1 negotiation as a initiator. */ if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src, 0) < 0) { - SCHED_KILL(sc); - return -1; + plog(LLV_INFO, LOCATION, iph2->dst, + "request for phase1 failed. will try later.\n"); } return 0; @@ -3128,6 +3134,13 @@ isakmp_p2ph(buf, gen) return -1; } + if (ntohs(gen->len) < sizeof(*gen)) { + plog(LLV_ERROR, LOCATION, NULL, + "ignore this payload, invalid payload len %d.\n", + ntohs(gen->len)); + return -1; + } + *buf = vmalloc(ntohs(gen->len) - sizeof(*gen)); if (*buf == NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -3285,9 +3298,7 @@ getname(ap) static char ntop_buf[NI_MAXHOST]; memset(&addr, 0, sizeof(addr)); -#ifndef __linux__ addr.sin_len = sizeof(struct sockaddr_in); -#endif addr.sin_family = AF_INET; memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr)); if (getnameinfo((struct sockaddr *)&addr, sizeof(addr), @@ -3552,6 +3563,9 @@ log_ph1established(iph1) racoon_free(src); racoon_free(dst); + IPSECLOGASLMSG("IPSec Phase1 established (Initiated by %s).\n", + (iph1->side == INITIATOR)? "me" : "peer"); + return; } 
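Review bot: The comment above the new `ike_session_has_negoing_ph1` check in isakmp_post_acquire reads "exit if there is another ph1 that is established (with a pending rekey timer)", which is copied from the established-ph1 check earlier in the file and does not describe this condition; it should say `// defer if another phase 1 for this session is still negotiating; the acquire will be retried later`. In the same hunk the failure path of `isakmp_ph1begin_i` no longer calls `SCHED_KILL(sc)` and now returns 0; if `sc` is the acquire's scheduler entry (it is declared outside the hunk), that entry is now left live after a failed start, which may be intended for the "will try later" retry but deserves a comment saying so. The function starts outside the hunk.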
@@ -3641,6 +3655,19 @@ frag_handler(iph1, msg, remote, local) "Packet reassembly failed\n"); return -1; } + + /* simply reply if the packet was processed. */ + if (check_recvdpkt((struct sockaddr *)remote, + (struct sockaddr *)local, newmsg) > 0) { + IPSECLOGASLMSG("Received (reassembled) retransmitted packet from %s.\n", + saddr2str((struct sockaddr *)remote)); + + plog(LLV_NOTIFY, LOCATION, NULL, + "the reassembled packet is retransmitted by %s.\n", + saddr2str((struct sockaddr *)remote)); + return 0; + } + return isakmp_main(newmsg, remote, local); } @@ -3707,11 +3734,18 @@ script_hook(iph1, script) } } +#ifdef HAVE_OPENSSL if (privsep_script_exec(iph1->rmconf->script[script]->v, script, envp) != 0) plog(LLV_ERROR, LOCATION, NULL, "Script %s execution failed\n", script_names[script]); - +#else + if (script_exec(iph1->rmconf->script[script]->v, + script, envp) != 0) + plog(LLV_ERROR, LOCATION, NULL, + "Script %s execution failed\n", script_names[script]); +#endif + out: for (c = envp; *c; c++) racoon_free(*c); @@ -4211,14 +4245,14 @@ setscopeid(sp_addr0, sa_addr0) vchar_t * isakmp_plist_append_initial_contact (iph1, plist) -struct ph1handle *iph1; -struct payload_list *plist; + struct ph1handle *iph1; + struct payload_list *plist; { if (!iph1->is_rekey && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) { vchar_t *notp_ini = NULL; struct isakmp_pl_n np, *nptr; char *cptr; - + np.doi = htonl(iph1->rmconf->doitype); np.proto_id = IPSECDOI_PROTO_ISAKMP; np.spi_size = sizeof(isakmp_index); diff --git a/ipsec-tools/racoon/isakmp.h b/ipsec-tools/racoon/isakmp.h index 8a3936e..628276c 100644 --- a/ipsec-tools/racoon/isakmp.h +++ b/ipsec-tools/racoon/isakmp.h 
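Review bot: The new retransmit short-circuit in frag_handler returns 0 with `newmsg` still allocated; on the other path `newmsg` is handed to `isakmp_main`, so ownership presumably sits with frag_handler here, and unless `check_recvdpkt` takes it the reassembled buffer leaks once per retransmitted fragment set, which a peer can trigger at will. Adding `vfree(newmsg);` before that `return 0;` (or documenting why it is not needed) would settle it. Note too that this call tests `check_recvdpkt(...) > 0` while the isakmp_handler call site tests the bare return value, so a negative return would be handled differently in the two places; the function's return convention is not visible here.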
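Review bot: In script_hook the `#else` branch runs the configured script through `script_exec` directly rather than `privsep_script_exec`, so in a build without `HAVE_OPENSSL` the hook executes with the daemon's own privileges and the privilege-separation boundary the OpenSSL build keeps is silently gone. Whether privsep is genuinely unavailable in that configuration is not visible from this hunk; if it is, the branch should carry a comment saying so, e.g. `/* no privsep helper in this build: the script runs with racoon's privileges */`, and if it is not, the `#ifdef` should be dropped so both builds go through privsep. The enclosing function starts outside the hunk.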
@@ -413,9 +413,9 @@ struct isakmp_pl_attr { /* IKE fragmentation payload */ struct isakmp_frag { - u_int16_t unknown0; /* always set to zero? */ + u_int16_t unknown0; /* Next Payload (1st u_int8_t) and RESERVED (2nd u_int8_t), both must set to 0 */ u_int16_t len; - u_int16_t unknown1; /* always set to 1? */ + u_int16_t unknown1; /* fragid */ u_int8_t index; u_int8_t flags; } __attribute__((__packed__)); diff --git a/ipsec-tools/racoon/isakmp_agg.c b/ipsec-tools/racoon/isakmp_agg.c index d2c59b7..2b29675 100644 --- a/ipsec-tools/racoon/isakmp_agg.c +++ b/ipsec-tools/racoon/isakmp_agg.c @@ -99,6 +99,9 @@ #include "vpn_control_var.h" #include "ipsecSessionTracer.h" #include "ipsecMessageTracer.h" +#ifndef HAVE_OPENSSL +#include +#endif /* * begin Aggressive Mode as initiator. @@ -180,8 +183,13 @@ agg_i1send(iph1, msg) } /* generate DH public value */ +#ifdef HAVE_OPENSSL + if (oakley_dh_generate(iph1->rmconf->dhgrp, + &iph1->dhpub, &iph1->dhpriv) < 0) { +#else if (oakley_dh_generate(iph1->rmconf->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) { + &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) { +#endif plog(LLV_ERROR, LOCATION, NULL, "failed to generate DH"); goto end; @@ -383,6 +391,7 @@ agg_i2recv(iph1, msg) #ifdef HAVE_GSSAPI vchar_t *gsstoken = NULL; #endif + int received_cert = 0; #ifdef ENABLE_NATT int natd_seq = 0; @@ -471,6 +480,7 @@ agg_i2recv(iph1, msg) "failed to process CERT payload"); goto end; } + received_cert = 1; break; case ISAKMP_NPTYPE_SIG: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) { @@ -507,6 +517,14 @@ agg_i2recv(iph1, msg) plog(LLV_DEBUG, LOCATION, NULL, "remote supports DPD\n"); } +#endif +#ifdef ENABLE_FRAG + if ((vid_numeric == VENDORID_FRAG) && + (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) { + plog(LLV_DEBUG, LOCATION, NULL, + "remote supports FRAGMENTATION\n"); + iph1->frag = 1; + } #endif break; case ISAKMP_NPTYPE_N: 
@@ -526,9 +544,7 @@ agg_i2recv(iph1, msg) #ifdef ENABLE_NATT case ISAKMP_NPTYPE_NATD_DRAFT: case ISAKMP_NPTYPE_NATD_RFC: -#ifdef __APPLE__ case ISAKMP_NPTYPE_NATD_BADDRAFT: -#endif if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && pa->type == iph1->natt_options->payload_nat_d) { struct natd_payload *natd; @@ -567,6 +583,10 @@ agg_i2recv(iph1, msg) } } + if (received_cert) { + oakley_verify_certid(iph1); + } + /* payload existency check */ if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { plog(LLV_ERROR, LOCATION, iph1->remote, @@ -636,8 +656,12 @@ agg_i2recv(iph1, msg) #endif /* compute sharing secret of DH */ +#ifdef HAVE_OPENSSL if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub, iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { +#else + if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) { +#endif plog(LLV_ERROR, LOCATION, NULL, "failed to compute DH"); goto end; @@ -820,6 +844,7 @@ agg_i2send(iph1, msg) need_cert = 1; /* add CERT payload if there */ + // we don't support sending of certchains if (need_cert) plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT); @@ -865,14 +890,11 @@ agg_i2send(iph1, msg) "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); goto end; } - -#ifdef __APPLE__ /* old Apple version sends natd payloads in the wrong order */ if (iph1->natt_options->version == VENDORID_NATT_APPLE) { plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); } else -#endif { plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 
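Review bot: The new `if (received_cert) { oakley_verify_certid(iph1); }` in agg_i2recv discards the result of the certificate-identity check, so a mismatch between the peer's certificate and its ID payload is noticed but the exchange continues into DH computation and authentication anyway, unless oakley_verify_certid records the failure inside `iph1` for a later check to consume (not visible here). If it follows the file's `< 0` convention the fix is `if (received_cert && oakley_verify_certid(iph1) < 0) goto end;`, and the same pattern recurs in agg_r2recv, base_i3recv and base_r2recv in this patch. The function starts outside the hunk.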
@@ -897,7 +919,7 @@ agg_i2send(iph1, msg) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) { + PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; @@ -1059,8 +1081,11 @@ agg_r1recv(iph1, msg) #endif #ifdef ENABLE_FRAG if ((vid_numeric == VENDORID_FRAG) && - (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) + (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) { + plog(LLV_DEBUG, LOCATION, NULL, + "remote supports FRAGMENTATION\n"); iph1->frag = 1; + } #endif break; @@ -1220,8 +1245,13 @@ agg_r1send(iph1, msg) } /* generate DH public value */ +#ifdef HAVE_OPENSSL if (oakley_dh_generate(iph1->rmconf->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) { + &iph1->dhpub, &iph1->dhpriv) < 0) { +#else + if (oakley_dh_generate(iph1->rmconf->dhgrp, + &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) { +#endif plog(LLV_ERROR, LOCATION, NULL, "failed to generate DH"); goto end; @@ -1236,8 +1266,12 @@ agg_r1send(iph1, msg) } /* compute sharing secret of DH */ - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { +#ifdef HAVE_OPENSSL + if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, + iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { +#else + if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) { +#endif plog(LLV_ERROR, LOCATION, NULL, "failed to compute DH"); goto end; 
@@ -1502,13 +1536,11 @@ agg_r1send(iph1, msg) /* chosen VID */ plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); /* NAT-D */ -#ifdef __APPLE__ /* old Apple version sends natd payloads in the wrong order */ if (iph1->natt_options->version == VENDORID_NATT_APPLE) { plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); } else -#endif { plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); @@ -1542,7 +1574,7 @@ agg_r1send(iph1, msg) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) { + PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; @@ -1626,6 +1658,7 @@ agg_r2recv(iph1, msg0) #ifdef ENABLE_NATT int natd_seq = 0; #endif + int received_cert = 0; /* validity check */ if (iph1->status != PHASE1ST_MSG1SENT) { @@ -1674,6 +1707,7 @@ agg_r2recv(iph1, msg0) "failed to process CERT payload"); goto end; } + received_cert = 1; break; case ISAKMP_NPTYPE_SIG: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) { @@ -1738,6 +1772,10 @@ agg_r2recv(iph1, msg0) iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); #endif + if (received_cert) { + oakley_verify_certid(iph1); + } + /* validate authentication value */ ptype = oakley_validate_auth(iph1); if (ptype != 0) { diff --git a/ipsec-tools/racoon/isakmp_base.c b/ipsec-tools/racoon/isakmp_base.c index 5a26c50..1fc93e2 100644 --- a/ipsec-tools/racoon/isakmp_base.c +++ b/ipsec-tools/racoon/isakmp_base.c @@ -90,6 +90,9 @@ #endif #include "vpn_control.h" #include "vpn_control_var.h" +#ifndef HAVE_OPENSSL +#include +#endif /* %%% * begin Identity Protection Mode as initiator. 
@@ -372,6 +375,14 @@ base_i2recv(iph1, msg) "remote supports DPD\n"); } #endif +#ifdef ENABLE_FRAG + if ((vid_numeric == VENDORID_FRAG) && + (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) { + plog(LLV_DEBUG, LOCATION, NULL, + "remote supports FRAGMENTATION\n"); + iph1->frag = 1; + } +#endif break; default: /* don't send information, see ident_r1recv() */ @@ -465,8 +476,13 @@ base_i2send(iph1, msg) sizeof(cookie_t)); /* generate DH public value */ +#ifdef HAVE_OPENSSL + if (oakley_dh_generate(iph1->approval->dhgrp, + &iph1->dhpub, &iph1->dhpriv) < 0) +#else if (oakley_dh_generate(iph1->approval->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) + &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) +#endif goto end; /* generate SKEYID to compute hash if not signature mode */ @@ -571,13 +587,11 @@ base_i2send(iph1, msg) goto end; } -#ifdef __APPLE__ /* old Apple version sends natd payloads in the wrong order */ if (iph1->natt_options->version == VENDORID_NATT_APPLE) { plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); } else -#endif { plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); @@ -598,7 +612,7 @@ base_i2send(iph1, msg) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) { + PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; @@ -634,6 +648,7 @@ base_i3recv(iph1, msg) vchar_t *natd_received; int natd_seq = 0, natd_verified; #endif + int received_cert = 0; /* validity check */ if (iph1->status != PHASE1ST_MSG2SENT) { 
@@ -662,6 +677,7 @@ base_i3recv(iph1, msg) case ISAKMP_NPTYPE_CERT: if (oakley_savecert(iph1, pa->ptr) < 0) goto end; + received_cert = 1; break; case ISAKMP_NPTYPE_SIG: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) @@ -674,9 +690,7 @@ base_i3recv(iph1, msg) #ifdef ENABLE_NATT case ISAKMP_NPTYPE_NATD_DRAFT: case ISAKMP_NPTYPE_NATD_RFC: -#ifdef __APPLE__ case ISAKMP_NPTYPE_NATD_BADDRAFT: -#endif if (NATT_AVAILABLE(iph1) && iph1->natt_options && pa->type == iph1->natt_options->payload_nat_d) { natd_received = NULL; @@ -727,6 +741,10 @@ base_i3recv(iph1, msg) } #endif + if (received_cert) { + oakley_verify_certid(iph1); + } + /* payload existency check */ /* validate authentication value */ ptype = oakley_validate_auth(iph1); @@ -742,8 +760,12 @@ base_i3recv(iph1, msg) } /* compute sharing secret of DH */ +#ifdef HAVE_OPENSSL if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) + iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) +#else + if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) +#endif goto end; /* generate SKEYID to compute hash if signature mode */ @@ -887,11 +909,6 @@ base_r1recv(iph1, msg) if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric)) natt_handle_vendorid(iph1, vid_numeric); #endif -#ifdef ENABLE_FRAG - if ((vid_numeric == VENDORID_FRAG) && - (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) - iph1->frag = 1; -#endif #ifdef ENABLE_HYBRID switch (vid_numeric) { case VENDORID_XAUTH: @@ -915,6 +932,14 @@ base_r1recv(iph1, msg) "remote supports DPD\n"); } #endif +#ifdef ENABLE_FRAG + if ((vid_numeric == VENDORID_FRAG) && + (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) { + plog(LLV_DEBUG, LOCATION, NULL, + "remote supports FRAGMENTATION\n"); + iph1->frag = 1; + } +#endif break; default: /* don't send information, see ident_r1recv() */ 
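Review bot: base_i3recv calls `oakley_verify_certid(iph1)` and ignores its return value immediately before `oakley_validate_auth`, so a certificate whose identity does not match the peer's ID payload still reaches the signature check; unless the helper stores a verdict in `iph1` that oakley_validate_auth consults, this is a check without an effect. Assuming the usual `< 0` failure convention, `if (received_cert && oakley_verify_certid(iph1) < 0) goto end;` closes the gap, and base_r2recv further down has the identical construct. The function starts outside the hunk.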
@@ -1102,7 +1127,7 @@ base_r1send(iph1, msg) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) { + PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; @@ -1161,6 +1186,7 @@ base_r2recv(iph1, msg) #ifdef ENABLE_NATT int natd_seq = 0; #endif + int received_cert = 0; /* validity check */ if (iph1->status != PHASE1ST_MSG1SENT) { @@ -1191,6 +1217,7 @@ base_r2recv(iph1, msg) case ISAKMP_NPTYPE_CERT: if (oakley_savecert(iph1, pa->ptr) < 0) goto end; + received_cert = 1; break; case ISAKMP_NPTYPE_SIG: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) @@ -1203,9 +1230,7 @@ base_r2recv(iph1, msg) #ifdef ENABLE_NATT case ISAKMP_NPTYPE_NATD_DRAFT: case ISAKMP_NPTYPE_NATD_RFC: -#ifdef __APPLE__ case ISAKMP_NPTYPE_NATD_BADDRAFT: -#endif if (pa->type == iph1->natt_options->payload_nat_d) { vchar_t *natd_received = NULL; @@ -1242,14 +1267,27 @@ base_r2recv(iph1, msg) } } + if (received_cert) { + oakley_verify_certid(iph1); + } + /* generate DH public value */ +#ifdef HAVE_OPENSSL + if (oakley_dh_generate(iph1->approval->dhgrp, + &iph1->dhpub, &iph1->dhpriv) < 0) +#else if (oakley_dh_generate(iph1->approval->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) + &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) +#endif goto end; /* compute sharing secret of DH */ +#ifdef HAVE_OPENSSL if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) + iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) +#else + if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) +#endif goto end; /* generate SKEYID */ 
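Review bot: The NAT-D case in base_r2recv, whose labels this hunk edits, dereferences `iph1->natt_options->payload_nat_d` with no NULL check, whereas base_i3recv and agg_i2recv in the same patch guard the same test with `NATT_AVAILABLE(iph1) && iph1->natt_options`; a peer that sends a NAT-D payload without having negotiated NAT-T (so `natt_options` was never set) would crash the responder, unless something outside the hunk guarantees the pointer by then. Making it consistent is one line: `if (NATT_AVAILABLE(iph1) && iph1->natt_options && pa->type == iph1->natt_options->payload_nat_d) {`. The enclosing function starts outside the hunk.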
@@ -1437,13 +1475,11 @@ base_r2send(iph1, msg) goto end; } -#ifdef __APPLE__ /* old Apple version sends natd payloads in the wrong order */ if (iph1->natt_options->version == VENDORID_NATT_APPLE) { plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); } else -#endif { plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); @@ -1463,7 +1499,7 @@ base_r2send(iph1, msg) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) { + PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; diff --git a/ipsec-tools/racoon/isakmp_cfg.c b/ipsec-tools/racoon/isakmp_cfg.c index 9672fd1..f71c012 100644 --- a/ipsec-tools/racoon/isakmp_cfg.c +++ b/ipsec-tools/racoon/isakmp_cfg.c @@ -39,9 +39,8 @@ #include #include -#if defined(__APPLE__) && defined(__MACH__) #include -#endif + #ifdef __FreeBSD__ # include @@ -236,7 +235,15 @@ isakmp_cfg_r(iph1, msg) plen = ntohs(ph->len); nph = (struct isakmp_gen *)((char *)ph + plen); plen = ntohs(nph->len); - + /* Check that the hash payload fits in the packet */ + if (tlen < (plen + ntohs(ph->len))) { + plog(LLV_WARNING, LOCATION, NULL, + "Invalid Hash payload. len %d, overall-len %d\n", + ntohs(nph->len), + plen); + goto out; + } + if ((payload = vmalloc(plen)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 
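Review bot: The new "hash payload fits in the packet" check in isakmp_cfg_r runs after `plen = ntohs(nph->len)` has already read through `nph`, and `nph` was computed as `ph + ntohs(ph->len)` from a peer-supplied length, so an oversized `ph->len` still reads outside the packet before the check fires. Guard before the dereference, e.g. `if (tlen < ntohs(ph->len) + sizeof(*nph)) goto out;` ahead of the `nph = ...` line, and keep the existing check for the payload body. The warning also prints the same value twice: `ntohs(nph->len)` and `plen` are equal at that point, and `tlen` is presumably what was meant for `overall-len`. `tlen`'s declaration is outside the hunk, so whether the comparison mixes signed and unsigned operands cannot be confirmed here.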
@@ -503,6 +510,12 @@ isakmp_cfg_reply(iph1, attrpl) /* connection was started by API - save attr list for passing to VPN controller */ if (iph1->mode_cfg->attr_list != NULL) /* shouldn't happen */ vfree(iph1->mode_cfg->attr_list); + if (ntohs(attrpl->h.len) < sizeof(*attrpl)) { + plog(LLV_ERROR, LOCATION, NULL, + "invalid cfg-attr-list, attr-len %d\n", + ntohs(attrpl->h.len)); + return -1; + } alen = ntohs(attrpl->h.len) - sizeof(*attrpl); if ((iph1->mode_cfg->attr_list = vmalloc(alen)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -545,6 +558,12 @@ isakmp_cfg_reply(iph1, attrpl) { vchar_t *buf; + if (ntohs(attrpl->h.len) < sizeof(*attrpl)) { + plog(LLV_ERROR, LOCATION, NULL, + "invalid cfg-attr-list, attr-len %d\n", + ntohs(attrpl->h.len)); + return -1; + } alen = ntohs(attrpl->h.len) - sizeof(*attrpl); if ((buf = vmalloc(alen)) == NULL) { plog(LLV_WARNING, LOCATION, NULL, @@ -601,6 +620,9 @@ isakmp_cfg_request(iph1, attrpl, msg) iph1->xauth_awaiting_userinput = 1; iph1->xauth_awaiting_userinput_msg = vdup(msg); // dup the message for later ike_session_start_xauth_timer(iph1); + + IPSECLOGASLMSG("IPSec Extended Authentication requested.\n"); + return 0; } @@ -1417,7 +1439,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) if (msg) { /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph2->sendbuf, msg, - PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) { + PH2_NON_ESP_EXTRA_LEN(iph2), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); } @@ -1604,9 +1626,11 @@ isakmp_cfg_accounting(iph1, inout) if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) return isakmp_cfg_accounting_radius(iph1, inout); #endif +#ifdef HAVE_OPENSSL if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM) return privsep_accounting_system(iph1->mode_cfg->port, iph1->remote, iph1->mode_cfg->login, inout); +#endif return 0; } 
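Review bot: isakmp_cfg_send passes `PH1_FRAG_FLAGS(iph1)` while the adjacent argument is `PH2_NON_ESP_EXTRA_LEN(iph2)` and every other phase-2 caller in this commit (quick_i2send, quick_r2send, quick_r3send) passes `PH2_FRAG_FLAGS(iph2)`; if the two macros can differ for the ph2 used here, the retransmit entry is recorded with the wrong fragmentation flags. Either use `PH2_FRAG_FLAGS(iph2)` for consistency or add a one-line comment explaining why the phase-1 flags are the correct ones for the mode-config exchange. The macro definitions are not in this diff, so this is inferred from usage alone.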
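Review bot: Gating the `ISAKMP_CFG_ACCT_SYSTEM` branch of isakmp_cfg_accounting on `HAVE_OPENSSL` means a build without OpenSSL returns 0 for a configuration that explicitly requests system accounting, so login/logout records are dropped with no indication in the logs. If system accounting is genuinely unavailable in that build, reject the setting at configuration-parse time, or at least add an `#else` branch with `plog(LLV_WARNING, LOCATION, NULL, "system accounting not supported in this build\n");`. Nothing in the hunk explains why accounting depends on the crypto library; a one-line comment on the `#ifdef` would help the next reader.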
@@ -1964,6 +1988,8 @@ isakmp_cfg_getconfig(iph1) vfree(buffer); + IPSECLOGASLMSG("IPSec Network Configuration requested.\n"); + return error; } diff --git a/ipsec-tools/racoon/isakmp_cfg.h b/ipsec-tools/racoon/isakmp_cfg.h index 1a0ce03..e206f39 100644 --- a/ipsec-tools/racoon/isakmp_cfg.h +++ b/ipsec-tools/racoon/isakmp_cfg.h @@ -34,6 +34,7 @@ #ifdef HAVE_LIBPAM #include #endif +#include /* * XXX don't forget to update diff --git a/ipsec-tools/racoon/isakmp_frag.c b/ipsec-tools/racoon/isakmp_frag.c index af19b91..de09443 100644 --- a/ipsec-tools/racoon/isakmp_frag.c +++ b/ipsec-tools/racoon/isakmp_frag.c @@ -41,7 +41,9 @@ #include #include +#ifdef HAVE_OPENSSL #include +#endif #include #include @@ -77,6 +79,9 @@ #include "handler.h" #include "isakmp_frag.h" #include "strnames.h" +#include "nattraversal.h" +#include "grabmyaddr.h" +#include "localconf.h" int isakmp_sendfrags(iph1, buf) @@ -95,6 +100,20 @@ isakmp_sendfrags(iph1, buf) unsigned int fragnum = 0; size_t len; int etype; +#ifdef ENABLE_NATT + size_t extralen = NON_ESP_MARKER_USE(iph1)? NON_ESP_MARKER_LEN : 0; +#else + size_t extralen = 0; +#endif + int s; + vchar_t *vbuf; + + + /* select the socket to be sent */ + s = getsockmyaddr(iph1->local); + if (s == -1){ + return -1; + } /* * Catch the exchange type for later: the fragments and the @@ -108,7 +127,7 @@ isakmp_sendfrags(iph1, buf) * First compute the maximum data length that will fit in it */ max_datalen = ISAKMP_FRAG_MAXLEN - - (sizeof(*hdr) + sizeof(*fraghdr) + sizeof(trailer)); + (sizeof(*hdr) + sizeof(*fraghdr)); sdata = buf->v; len = buf->l; @@ -121,9 +140,7 @@ isakmp_sendfrags(iph1, buf) else datalen = len; - fraglen = sizeof(*hdr) - + sizeof(*fraghdr) - + datalen; + fraglen = sizeof(*hdr) + sizeof(*fraghdr) + datalen; if ((frag = vmalloc(fraglen)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, 
@@ -136,7 +153,7 @@ isakmp_sendfrags(iph1, buf) hdr->etype = etype; fraghdr = (struct isakmp_frag *)(hdr + 1); - fraghdr->unknown0 = htons(0); + fraghdr->unknown0 = 0; fraghdr->len = htons(fraglen - sizeof(*hdr)); fraghdr->unknown1 = htons(1); fraghdr->index = fragnum; @@ -148,8 +165,28 @@ isakmp_sendfrags(iph1, buf) data = (caddr_t)(fraghdr + 1); memcpy(data, sdata, datalen); - if (isakmp_send(iph1, frag) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, "isakmp_send failed\n"); +#ifdef ENABLE_NATT + /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) + must added just before the packet itself. For this we must + allocate a new buffer and release it at the end. */ + if (extralen) { + if ((vbuf = vmalloc(frag->l + extralen)) == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "%s: vbuf allocation failed\n", __FUNCTION__); + vfree(frag); + return -1; + } + *(u_int32_t *)vbuf->v = 0; // non-esp marker + memcpy(vbuf->v + extralen, frag->v, frag->l); + vfree(frag); + frag = vbuf; + } +#endif + + if (sendfromto(s, frag->v, frag->l, + iph1->local, iph1->remote, lcconf->count_persend) == -1) { + plog(LLV_ERROR, LOCATION, NULL, "%s: sendfromto failed\n", __FUNCTION__); + vfree(frag); return -1; } @@ -158,7 +195,10 @@ isakmp_sendfrags(iph1, buf) len -= datalen; sdata += datalen; } - + + plog(LLV_DEBUG2, LOCATION, NULL, + "%s: processed %d fragments\n", __FUNCTION__, fragnum); + return fragnum; } @@ -167,10 +207,11 @@ vendorid_frag_cap(gen) struct isakmp_gen *gen; { int *hp; + int hashlen_bytes = eay_md5_hashlen() >> 3; hp = (int *)(gen + 1); - return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); + return ntohl(hp[hashlen_bytes / sizeof(*hp)]); } int 
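Review bot: vendorid_frag_cap indexes `hp[hashlen_bytes / sizeof(*hp)]` without checking that the vendor ID payload is long enough, so a payload shorter than `hashlen_bytes + sizeof(*hp)` beyond the generic header is read out of bounds; the commit rewrites this line but keeps the unchecked access. Unless every caller already validates `ntohs(gen->len)` (not visible here), add `if (ntohs(gen->len) < sizeof(*gen) + hashlen_bytes + sizeof(*hp)) return 0;` before the read. `hashlen_bytes` is an `int` divided by a `size_t`; declaring it `size_t` avoids the sign conversion, here and in isakmp_frag_addcap where it is compared with `len`.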
@@ -205,6 +246,13 @@ isakmp_frag_extract(iph1, msg) return -1; } + if (ntohs(frag->len) < sizeof(*frag)) { + plog(LLV_ERROR, LOCATION, NULL, + "invalid Frag, frag-len %d\n", + ntohs(frag->len)); + return -1; + } + if ((buf = vmalloc(ntohs(frag->len) - sizeof(*frag))) == NULL) { plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); return -1; @@ -223,6 +271,7 @@ isakmp_frag_extract(iph1, msg) item->frag_last = (frag->flags & ISAKMP_FRAG_LAST); item->frag_next = NULL; item->frag_packet = buf; + item->frag_id = ntohs(frag->unknown1); /* Look for the last frag while inserting the new item in the chain */ if (item->frag_last) @@ -259,7 +308,10 @@ isakmp_frag_extract(iph1, msg) if (item != NULL) /* It is complete */ return 1; } - + + plog(LLV_DEBUG2, LOCATION, NULL, + "%s: processed %d fragments\n", __FUNCTION__, last_frag); + return 0; } @@ -310,9 +362,13 @@ isakmp_frag_reassembly(iph1) data += item->frag_packet->l; } + plog(LLV_DEBUG2, LOCATION, NULL, + "%s: processed %d fragments\n", __FUNCTION__, frag_count); + out: item = iph1->frag_chain; - do { + + while (item != NULL) { struct isakmp_frag_item *next_item; next_item = item->frag_next; @@ -321,7 +377,7 @@ out: racoon_free(item); item = next_item; - } while (item != NULL); + } iph1->frag_chain = NULL; @@ -335,10 +391,11 @@ isakmp_frag_addcap(buf, cap) { int *capp; size_t len; + int hashlen_bytes = eay_md5_hashlen() >> 3; /* If the capability has not been added, add room now */ len = buf->l; - if (len == MD5_DIGEST_LENGTH) { + if (len == hashlen_bytes) { if ((buf = vrealloc(buf, len + sizeof(cap))) == NULL) { plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 
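Review bot: The new check in isakmp_frag_extract only prevents `ntohs(frag->len) - sizeof(*frag)` from underflowing; nothing in the hunk compares `ntohs(frag->len)` against the bytes actually remaining in `msg`, so an over-long fragment header still lets the copy into `buf` read past the packet unless isakmp_parse or the caller already enforces that. If it does not, extend the guard to also reject a `frag->len` larger than the remaining length of `msg`. `item->frag_id = ntohs(frag->unknown1);` stores a value that no visible code reads; a comment on the field saying what reassembly does with it would help. The function starts outside the hunk.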
@@ -348,9 +405,122 @@ isakmp_frag_addcap(buf, cap) *capp = htonl(0); } - capp = (int *)(buf->v + MD5_DIGEST_LENGTH); + capp = (int *)(buf->v + hashlen_bytes); *capp |= htonl(cap); return buf; } +int +sendfragsfromto(s, buf, local, remote, count_persend, frag_flags) + int s; + vchar_t *buf; + struct sockaddr *local; + struct sockaddr *remote; + int count_persend; + u_int32_t frag_flags; +{ + struct isakmp *main_hdr; + struct isakmp *hdr; + struct isakmp_frag *fraghdr; + caddr_t data; + caddr_t sdata; + size_t datalen; + size_t max_datalen; + size_t fraglen; + vchar_t *frag; + unsigned int trailer; + unsigned int fragnum = 0; + size_t len; +#ifdef ENABLE_NATT + size_t extralen = (frag_flags & FRAG_PUT_NON_ESP_MARKER)? NON_ESP_MARKER_LEN : 0; +#else + size_t extralen = 0; +#endif + + /* + * fragmented packet must have the same exchange type (amongst other fields in the header). + */ + main_hdr = (struct isakmp *)buf->v; + + /* + * We want to send a a packet smaller than ISAKMP_FRAG_MAXLEN + * First compute the maximum data length that will fit in it + */ + max_datalen = ISAKMP_FRAG_MAXLEN - + (sizeof(*main_hdr) + sizeof(*fraghdr)); + + sdata = buf->v; + len = buf->l; + + while (len > 0) { + fragnum++; + + if (len > max_datalen) + datalen = max_datalen; + else + datalen = len; + + fraglen = sizeof(*hdr) + sizeof(*fraghdr) + datalen; + + if ((frag = vmalloc(fraglen)) == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "Cannot allocate memory\n"); + return -1; + } + + hdr = (struct isakmp *)frag->v; + bcopy(main_hdr, hdr, sizeof(*hdr)); + hdr->len = htonl(frag->l); + hdr->np = ISAKMP_NPTYPE_FRAG; + + fraghdr = (struct isakmp_frag *)(hdr + 1); + fraghdr->unknown0 = 0; + fraghdr->len = htons(fraglen - sizeof(*hdr)); + fraghdr->unknown1 = htons(1); + fraghdr->index = fragnum; + if (len == datalen) + fraghdr->flags = ISAKMP_FRAG_LAST; + else + fraghdr->flags = 0; + + data = (caddr_t)(fraghdr + 1); + memcpy(data, sdata, datalen); + +#ifdef ENABLE_NATT + /* If NAT-T port floating 
is in use, 4 zero bytes (non-ESP marker) + must added just before the packet itself. For this we must + allocate a new buffer and release it at the end. */ + if (extralen) { + vchar_t *vbuf; + + if ((vbuf = vmalloc(frag->l + extralen)) == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "%s: vbuf allocation failed\n", __FUNCTION__); + vfree(frag); + return -1; + } + *(u_int32_t *)vbuf->v = 0; // non-esp marker + memcpy(vbuf->v + extralen, frag->v, frag->l); + vfree(frag); + frag = vbuf; + } +#endif + + if (sendfromto(s, frag->v, frag->l, local, remote, count_persend) == -1) { + plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n"); + vfree(frag); + return -1; + } + + vfree(frag); + + len -= datalen; + sdata += datalen; + } + + plog(LLV_DEBUG2, LOCATION, NULL, + "%s: processed %d fragments\n", __FUNCTION__, fragnum); + + return fragnum; +} diff --git a/ipsec-tools/racoon/isakmp_frag.h b/ipsec-tools/racoon/isakmp_frag.h index f2d4c33..9d6a208 100644 --- a/ipsec-tools/racoon/isakmp_frag.h +++ b/ipsec-tools/racoon/isakmp_frag.h @@ -31,6 +31,9 @@ * SUCH DAMAGE. */ +#ifndef _ISAKMP_FRAG_H +#define _ISAKMP_FRAG_H + /* These are the values from parsing "remote {}" block of the config file. */ #define ISAKMP_FRAG_OFF FLASE /* = 0 */ @@ -42,11 +45,14 @@ #define VENDORID_FRAG_BASE 0x40000000 #define VENDORID_FRAG_AGG 0x80000000 -#define ISAKMP_FRAG_MAXLEN 552 +#define ISAKMP_FRAG_MAXLEN 1280 // TODO: make configurable (for now, use 1280 to make enough room for typical overhead) + +#define FRAG_PUT_NON_ESP_MARKER 1 struct isakmp_frag_item { int frag_num; int frag_last; + u_int16_t frag_id; struct isakmp_frag_item *frag_next; vchar_t *frag_packet; }; 
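Review bot: `unsigned int trailer;` in sendfragsfromto is declared but never used (the `sizeof(trailer)` term was dropped from `max_datalen`), and the function duplicates the body of isakmp_sendfrags almost line for line, so the two will drift apart; consider having isakmp_sendfrags resolve the socket and flags and then call `sendfragsfromto(s, buf, iph1->local, iph1->remote, lcconf->count_persend, flags)`. Two smaller points in the same body: `*(u_int32_t *)vbuf->v = 0;` is a type-punned store through a `char *` buffer and reads cleaner as `memset(vbuf->v, 0, extralen);`, and `"%s: processed %d fragments\n"` formats the `unsigned int fragnum` with `%d` (`%u`). `fraghdr->index = fragnum;` silently wraps if `index` is a one-byte field, as the ISAKMP fragmentation layout suggests; confirm against `struct isakmp_frag`.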
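Review bot: `_ISAKMP_FRAG_H` is a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation); use `ISAKMP_FRAG_H` for the new guard. Raising `ISAKMP_FRAG_MAXLEN` to 1280 bounds the ISAKMP payload, not the datagram: with UDP and IP headers and the optional 4-byte non-ESP marker added, a full fragment would exceed a 1280-byte path MTU (the IPv6 minimum) and could itself be IP-fragmented, which is what this mechanism exists to avoid. The TODO already says the value should be configurable; until then the comment should state what overhead the 1280 budget assumes. `FRAG_PUT_NON_ESP_MARKER 1` deserves a one-line comment that it is a bit in the `frag_flags` word passed to sendfragsfromto.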
@@ -56,3 +62,6 @@ unsigned int vendorid_frag_cap(struct isakmp_gen *); int isakmp_frag_extract(struct ph1handle *, vchar_t *); vchar_t *isakmp_frag_reassembly(struct ph1handle *); vchar_t *isakmp_frag_addcap(vchar_t *, int); +int sendfragsfromto(int s, vchar_t *, struct sockaddr *, struct sockaddr *, int, u_int32_t); + +#endif /* _ISAKMP_FRAG_H */ diff --git a/ipsec-tools/racoon/isakmp_ident.c b/ipsec-tools/racoon/isakmp_ident.c index 06f41d3..09aa685 100644 --- a/ipsec-tools/racoon/isakmp_ident.c +++ b/ipsec-tools/racoon/isakmp_ident.c @@ -94,6 +94,9 @@ #include "vpn_control_var.h" #include "ipsecSessionTracer.h" #include "ipsecMessageTracer.h" +#ifndef HAVE_OPENSSL +#include +#endif static vchar_t *ident_ir2mx __P((struct ph1handle *)); static vchar_t *ident_ir3mx __P((struct ph1handle *)); @@ -351,6 +354,14 @@ ident_i2recv(iph1, msg) #ifdef ENABLE_DPD if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) iph1->dpd_support=1; +#endif +#ifdef ENABLE_FRAG + if ((vid_numeric == VENDORID_FRAG) && + (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) { + plog(LLV_DEBUG, LOCATION, NULL, + "remote supports FRAGMENTATION\n"); + iph1->frag = 1; + } #endif break; default: @@ -436,8 +447,13 @@ ident_i2send(iph1, msg) sizeof(cookie_t)); /* generate DH public value */ +#ifdef HAVE_OPENSSL if (oakley_dh_generate(iph1->approval->dhgrp, &iph1->dhpub, &iph1->dhpriv) < 0) { +#else + if (oakley_dh_generate(iph1->approval->dhgrp, + &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) { +#endif plog(LLV_ERROR, LOCATION, NULL, "failed to generate DH"); goto end; @@ -482,7 +498,7 @@ ident_i2send(iph1, msg) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) { + PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; 
@@ -611,9 +627,7 @@ ident_i3recv(iph1, msg) #ifdef ENABLE_NATT case ISAKMP_NPTYPE_NATD_DRAFT: case ISAKMP_NPTYPE_NATD_RFC: -#ifdef __APPLE__ case ISAKMP_NPTYPE_NATD_BADDRAFT: -#endif if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && pa->type == iph1->natt_options->payload_nat_d) { natd_received = NULL; @@ -739,8 +753,12 @@ ident_i3send(iph1, msg0) } /* compute sharing secret of DH */ +#ifdef HAVE_OPENSSL if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { +#else + if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) { +#endif plog(LLV_ERROR, LOCATION, NULL, "failed to compute DH"); goto end; @@ -821,7 +839,7 @@ ident_i3send(iph1, msg0) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0, - PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) { + PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; @@ -871,6 +889,7 @@ ident_i4recv(iph1, msg0) #ifdef HAVE_GSSAPI vchar_t *gsstoken = NULL; #endif + int received_cert = 0; /* validity check */ if (iph1->status != PHASE1ST_MSG3SENT) { @@ -924,6 +943,7 @@ ident_i4recv(iph1, msg0) "failed to process CERT payload"); goto end; } + received_cert = 1; break; case ISAKMP_NPTYPE_SIG: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) { @@ -962,6 +982,10 @@ ident_i4recv(iph1, msg0) } } + if (received_cert) { + oakley_verify_certid(iph1); + } + /* payload existency check */ /* verify identifier */ @@ -1149,11 +1173,6 @@ ident_r1recv(iph1, msg) if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric)) natt_handle_vendorid(iph1, vid_numeric); #endif -#ifdef ENABLE_FRAG - if ((vid_numeric == VENDORID_FRAG) && - (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) - iph1->frag = 1; -#endif #ifdef ENABLE_HYBRID switch (vid_numeric) { case VENDORID_XAUTH: 
@@ -1173,6 +1192,14 @@ ident_r1recv(iph1, msg) #ifdef ENABLE_DPD if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) iph1->dpd_support=1; +#endif +#ifdef ENABLE_FRAG + if ((vid_numeric == VENDORID_FRAG) && + (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) { + plog(LLV_DEBUG, LOCATION, NULL, + "remote supports FRAGMENTATION\n"); + iph1->frag = 1; + } #endif break; default: @@ -1356,7 +1383,7 @@ ident_r1send(iph1, msg) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) { + PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; @@ -1487,9 +1514,7 @@ ident_r2recv(iph1, msg) #ifdef ENABLE_NATT case ISAKMP_NPTYPE_NATD_DRAFT: case ISAKMP_NPTYPE_NATD_RFC: -#ifdef __APPLE__ case ISAKMP_NPTYPE_NATD_BADDRAFT: -#endif if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && pa->type == iph1->natt_options->payload_nat_d) { @@ -1601,8 +1626,13 @@ ident_r2send(iph1, msg) } /* generate DH public value */ +#ifdef HAVE_OPENSSL if (oakley_dh_generate(iph1->approval->dhgrp, &iph1->dhpub, &iph1->dhpriv) < 0) { +#else + if (oakley_dh_generate(iph1->approval->dhgrp, + &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) { +#endif plog(LLV_ERROR, LOCATION, NULL, "failed to generate DH"); goto end; 
@@ -1643,15 +1673,19 @@ ident_r2send(iph1, msg) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) { + PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; } /* compute sharing secret of DH */ - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { +#ifdef HAVE_OPENSSL + if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, + iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { +#else + if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) { +#endif plog(LLV_ERROR, LOCATION, NULL, "failed to compute DH"); goto end; @@ -1719,6 +1753,7 @@ ident_r3recv(iph1, msg0) #ifdef HAVE_GSSAPI vchar_t *gsstoken = NULL; #endif + int received_cert = 0; /* validity check */ if (iph1->status != PHASE1ST_MSG2SENT) { @@ -1779,6 +1814,7 @@ ident_r3recv(iph1, msg0) "failed to process CERT payload"); goto end; } + received_cert = 1; break; case ISAKMP_NPTYPE_SIG: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) { @@ -1813,6 +1849,10 @@ ident_r3recv(iph1, msg0) } } + if (received_cert) { + oakley_verify_certid(iph1); + } + /* payload existency check */ /* XXX same as ident_i4recv(), should be merged. */ { @@ -2033,7 +2073,7 @@ ident_r3send(iph1, msg) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, - PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) { + PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; 
@@ -2153,13 +2193,11 @@ ident_ir2mx(iph1) } plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); -#ifdef __APPLE__ /* old Apple version sends natd payloads in the wrong order */ if (iph1->natt_options->version == VENDORID_NATT_APPLE) { plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); } else -#endif { plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); @@ -2284,6 +2322,7 @@ ident_ir3mx(iph1) plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); /* add CERT payload if there */ + // we don't support sending of certchains if (need_cert) plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT); /* add SIG payload */ diff --git a/ipsec-tools/racoon/isakmp_inf.c b/ipsec-tools/racoon/isakmp_inf.c index 003e3ce..e3c9afa 100644 --- a/ipsec-tools/racoon/isakmp_inf.c +++ b/ipsec-tools/racoon/isakmp_inf.c @@ -37,11 +37,7 @@ #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #include #ifndef HAVE_NETINET6_IPSEC @@ -208,7 +204,7 @@ isakmp_info_recv(iph1, msg0) struct isakmp_gen *nd; u_int8_t np; int encrypted; - int flag; + int flag = 0; plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n"); @@ -232,7 +228,7 @@ isakmp_info_recv(iph1, msg0) ivm = oakley_newiv2(iph1, ((struct isakmp *)msg0->v)->msgid); if (ivm == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to compute IV"); + "failed to compute IV\n"); IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, CONSTSTR("Information message"), 
@@ -244,7 +240,7 @@ isakmp_info_recv(iph1, msg0) oakley_delivm(ivm); if (msg == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to decrypt packet"); + "failed to decrypt packet\n"); IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, CONSTSTR("Information message"), @@ -465,9 +461,10 @@ isakmp_info_recv_n(iph1, notify, msgid, encrypted) } break; case ISAKMP_NTYPE_INITIAL_CONTACT: - if (encrypted) + if (encrypted) { info_recv_initialcontact(iph1); return 0; + } break; #ifdef ENABLE_DPD case ISAKMP_NTYPE_R_U_THERE: 
@@ -560,6 +557,64 @@ isakmp_info_recv_n(iph1, notify, msgid, encrypted) return 0; } +#ifdef ENABLE_VPNCONTROL_PORT +static +void +isakmp_info_vpncontrol_notify_ike_failed (struct ph1handle *iph1, + int isakmp_info_initiator, + int type, + vchar_t *data) +{ + u_int32_t address; + u_int32_t fail_reason; + + /* notify the API that we have received the delete */ + if (iph1->remote->sa_family == AF_INET) + address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr; + else + address = 0; + + if (isakmp_info_initiator == FROM_REMOTE) { + int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE); + int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED); + + if (premature) { + fail_reason = VPNCTL_NTYPE_LOCAL_CERT_PREMATURE; + } else if (expired) { + fail_reason = VPNCTL_NTYPE_LOCAL_CERT_EXPIRED; + } else { + fail_reason = type; + } + vpncontrol_notify_ike_failed(fail_reason, isakmp_info_initiator, address, 0, NULL); + return; + } else { + /* FROM_LOCAL */ + if (type == ISAKMP_INTERNAL_ERROR || + type <= ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS) { + int premature = oakley_find_status_in_certchain(iph1->cert_p, CERT_STATUS_PREMATURE); + int expired = oakley_find_status_in_certchain(iph1->cert_p, CERT_STATUS_EXPIRED); + int subjname = oakley_find_status_in_certchain(iph1->cert_p, CERT_STATUS_INVALID_SUBJNAME); + int subjaltname = oakley_find_status_in_certchain(iph1->cert_p, CERT_STATUS_INVALID_SUBJALTNAME); + + if (premature) { + fail_reason = VPNCTL_NTYPE_PEER_CERT_PREMATURE; + } else if (expired) { + fail_reason = VPNCTL_NTYPE_PEER_CERT_EXPIRED; + } else if (subjname) { + fail_reason = VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJNAME; + } else if (subjaltname) { + fail_reason = VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJALTNAME; + } else { + fail_reason = type; + } + (void)vpncontrol_notify_ike_failed(fail_reason, isakmp_info_initiator, address, + (data ? data->l : 0), (u_int8_t *)(data ? 
data->v : NULL)); + return; + } + } +} +#endif /* ENABLE_VPNCONTROL_PORT */ + /* * handling of Deletion payload */ @@ -648,22 +703,11 @@ isakmp_info_recv_d(iph1, delete, msgid, encrypted) * Just delete the IKE SA. */ #ifdef ENABLE_VPNCONTROL_PORT - - if (del_ph1->started_by_api) + if (del_ph1->started_by_api || (del_ph1->is_rekey && del_ph1->parent_session && del_ph1->parent_session->is_client)) { if (islast_ph1(del_ph1)) { - u_int32_t address; - - /* notify the API that we have received the delete */ - if (iph1->remote->sa_family == AF_INET) - address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr; - else - address = 0; - if (iph1->cert && IS_CERT_STATUS_ERROR(iph1->cert->status)) { - vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PH1_DELETE_CERT_ERROR + iph1->cert->status, FROM_REMOTE, address, 0, NULL); - } else { - vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PH1_DELETE, FROM_REMOTE, address, 0, NULL); - } + isakmp_info_vpncontrol_notify_ike_failed(del_ph1, FROM_REMOTE, VPNCTL_NTYPE_PH1_DELETE, NULL); } + } #endif isakmp_ph1expire(del_ph1); } @@ -919,7 +963,6 @@ isakmp_info_send_nx(isakmp, remote, local, type, data) isakmp_newcookie((char *)&iph1->index.r_ck, remote, local); iph1->status = PHASE1ST_START; iph1->rmconf = rmconf; -#ifdef __APPLE__ if (link_rmconf_to_ph1(rmconf) < 0) { IPSECSESSIONTRACEREVENT(sess, IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, @@ -932,7 +975,6 @@ isakmp_info_send_nx(isakmp, remote, local, type, data) error = -1; goto end; } -#endif iph1->side = INITIATOR; iph1->version = isakmp->v; iph1->flags = 0; 
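Review bot: In the FROM_REMOTE branch of isakmp_info_vpncontrol_notify_ike_failed only `CERT_STATUS_PREMATURE` and `CERT_STATUS_EXPIRED` on the local chain map to a specific reason, whereas the code it replaces in the delete handler below reported any `IS_CERT_STATUS_ERROR` status as `VPNCTL_NTYPE_PH1_DELETE_CERT_ERROR + iph1->cert->status`; other local-cert error statuses now reach the VPN controller as the plain `type`. If that narrowing is intended, say so in a comment; otherwise map the remaining statuses too. The `else` after `return;` is redundant, and the two `vpncontrol_notify_ike_failed` calls are inconsistent about the `(void)` cast. The helper is also reached from isakmp_info_send_nx with a freshly built ph1, so oakley_find_status_in_certchain must tolerate a NULL `cert_p`; that is not visible here and should be confirmed.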
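Review bot: The replacement call in isakmp_info_recv_d now derives the address and certificate state from `del_ph1` rather than `iph1` (the removed lines used `iph1->remote` and `iph1->cert`), and the condition was widened to include rekeying client sessions; both look deliberate but neither is explained. A comment on the `if` saying why a client-side rekey ph1 should notify the API on delete, and confirmation that `del_ph1->remote` is always populated at this point, would make the change reviewable. The enclosing function continues outside the hunk.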
@@ -989,18 +1031,7 @@ isakmp_info_send_nx(isakmp, remote, local, type, data) memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l); #ifdef ENABLE_VPNCONTROL_PORT - { - u_int32_t address; - if (type == ISAKMP_INTERNAL_ERROR || - type <= ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS) { - if (remote->sa_family == AF_INET) - address = ((struct sockaddr_in *)remote)->sin_addr.s_addr; - else - address = 0; - (void)vpncontrol_notify_ike_failed(type, FROM_LOCAL, address, - (data ? data->l : 0), (data ? data->v : NULL)); - } - } + isakmp_info_vpncontrol_notify_ike_failed(iph1, FROM_LOCAL, type, data); #endif error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0); @@ -1082,19 +1113,7 @@ isakmp_info_send_n1(iph1, type, data) memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l); #ifdef ENABLE_VPNCONTROL_PORT - { - u_int32_t address; - - if (type == ISAKMP_INTERNAL_ERROR || - type <= ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS) { - if (iph1->remote->sa_family == AF_INET) - address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; - else - address = 0; - (void)vpncontrol_notify_ike_failed(type, FROM_LOCAL, address, - (data ? data->l : 0), (data ? data->v : NULL)); - } - } + isakmp_info_vpncontrol_notify_ike_failed(iph1, FROM_LOCAL, type, data); #endif error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags); @@ -1486,6 +1505,7 @@ purge_ipsec_spi(dst0, proto, spi, n) "purge_ipsec_spi:\n"); plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str(dst0)); plog(LLV_DEBUG2, LOCATION, NULL, "SPI: %08X\n", ntohl(spi[0])); + plog(LLV_DEBUG2, LOCATION, NULL, "num SPI: %d\n", n); buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto)); if (buf == NULL) { @@ -1543,6 +1563,7 @@ purge_ipsec_spi(dst0, proto, spi, n) /* don't delete inbound SAs at the moment */ /* XXX should we remove SAs with opposite direction as well? */ if (CMPSADDR2(dst0, dst)) { + plog(LLV_DEBUG2, LOCATION, NULL, "skipped dst: %s\n", saddr2str(dst)); msg = next; continue; } 
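Review bot: `isakmp_info_vpncontrol_notify_ike_failed(iph1, FROM_LOCAL, type, data)` in isakmp_info_send_nx reads `iph1->remote` and `iph1->cert_p`, but the removed code took the address from the `remote` parameter precisely because `iph1` is a handle still being assembled in this function; unless `iph1->remote` is assigned before this point (not visible in the hunk), the notification carries address 0 or dereferences NULL. A one-line comment at the call site confirming the handle is complete enough here, or passing `remote` explicitly, would settle it. The parallel call in isakmp_info_send_n1 operates on an established handle and is fine.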
@@ -2041,6 +2062,10 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgid) } plog(LLV_DEBUG, LOCATION, NULL, "received an R-U-THERE-ACK\n"); +#ifdef ENABLE_VPNCONTROL_PORT + vpncontrol_notify_peer_resp_ph1(1, iph1); +#endif /* ENABLE_VPNCONTROL_PORT */ + return 0; } @@ -2201,7 +2226,7 @@ isakmp_info_monitor_r_u_algo_inbound_detect (struct ph1handle *iph1) } /* - * monitor DPD (ALGORITHM_INBOUND_DETECT) Informational exchange. + * monitor DPD (ALGORITHM_BLACKHOLE_DETECT) Informational exchange. */ static void isakmp_info_monitor_r_u_algo_blackhole_detect (struct ph1handle *iph1) diff --git a/ipsec-tools/racoon/isakmp_quick.c b/ipsec-tools/racoon/isakmp_quick.c index 871072c..a734abb 100644 --- a/ipsec-tools/racoon/isakmp_quick.c +++ b/ipsec-tools/racoon/isakmp_quick.c @@ -93,6 +93,9 @@ #include "nattraversal.h" #include "ipsecSessionTracer.h" #include "ipsecMessageTracer.h" +#ifndef HAVE_OPENSSL +#include +#endif /* quick mode */ static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *)); @@ -218,8 +221,13 @@ quick_i1send(iph2, msg) "failed to set DH value.\n"); goto end; } +#ifdef HAVE_OPENSSL if (oakley_dh_generate(iph2->pfsgrp, - &iph2->dhpub, &iph2->dhpriv) < 0) { + &iph2->dhpub, &iph2->dhpriv) < 0) { +#else + if (oakley_dh_generate(iph2->pfsgrp, + &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) { +#endif plog(LLV_ERROR, LOCATION, NULL, "failed to generate DH"); goto end; @@ -468,6 +476,12 @@ quick_i2recv(iph2, msg0) /* allocate buffer for computing HASH(2) */ tlen = iph2->nonce->l + ntohl(isakmp->len) - sizeof(*isakmp); + if (tlen < 0) { + plog(LLV_ERROR, LOCATION, NULL, + "invalid length (%d,%d) while getting hash buffer.\n", + iph2->nonce->l, ntohl(isakmp->len)); + goto end; + } hbuf = vmalloc(tlen); if (hbuf == NULL) { plog(LLV_ERROR, LOCATION, NULL, 
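Review bot: `if (tlen < 0)` after `tlen = iph2->nonce->l + ntohl(isakmp->len) - sizeof(*isakmp);` in quick_i2recv only works if `tlen` is signed; the right-hand side is evaluated in `size_t` (`nonce->l` and `sizeof` are unsigned), so an undersized `isakmp->len` wraps to a large positive value, and if `tlen` is `size_t` the check is always false. Test the operand instead, `if (ntohl(isakmp->len) < sizeof(*isakmp)) { ... goto end; }`, before the subtraction. The same construct is added to quick_r1recv later in this file. `tlen`'s declaration is outside the hunk, so confirm its type; the `%d` conversions for `iph2->nonce->l` and `ntohl(isakmp->len)` are mismatched either way (`%zu` / `%u`).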
@@ -555,6 +569,10 @@ quick_i2recv(iph2, msg0) if (f_id == 0 && (iph2->ph1->natt_flags & NAT_DETECTED_ME)) { if (lcconf->ext_nat_id) vfree(lcconf->ext_nat_id); + if (idp_ptr->h.len < sizeof(struct isakmp_gen)) { + plog(LLV_ERROR, LOCATION, NULL, "invalid length (%d) while allocating external nat id.\n", idp_ptr->h.len); + goto end; + } lcconf->ext_nat_id = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen)); if (lcconf->ext_nat_id == NULL) { plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating external nat id.\n"); @@ -843,7 +861,7 @@ quick_i2send(iph2, msg0) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0, - PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) { + PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; @@ -944,7 +962,7 @@ quick_i3recv(iph2, msg0) msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); if (msg == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to decrypt packet"); + "failed to decrypt packet\n"); goto end; } @@ -952,7 +970,7 @@ quick_i3recv(iph2, msg0) pbuf = isakmp_parse(msg); if (pbuf == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to parse msg"); + "failed to parse msg\n"); goto end; } @@ -1012,7 +1030,7 @@ quick_i3recv(iph2, msg0) vfree(tmp); if (my_hash == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to compute HASH"); + "failed to compute HASH\n"); goto end; } @@ -1116,7 +1134,7 @@ quick_r1recv(iph2, msg0) msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); if (msg == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to decrypt packet"); + "failed to decrypt packet\n"); goto end; } 
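Review bot: The new guard in quick_i2recv compares `idp_ptr->h.len` in network byte order while the allocation two lines below uses `ntohs(idp_ptr->h.len)`, so on a little-endian host the check tests a byte-swapped value and does not prevent the underflow it targets (a wire length of 2 reads as 512, passes, and `2 - sizeof(struct isakmp_gen)` then wraps in the vmalloc size). Change it to `if (ntohs(idp_ptr->h.len) < sizeof(struct isakmp_gen)) {` and log `ntohs(idp_ptr->h.len)` in the message as well.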
@@ -1130,7 +1148,7 @@ quick_r1recv(iph2, msg0) pbuf = isakmp_parse(msg); if (pbuf == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to parse msg"); + "failed to parse msg\n"); goto end; } pa = (struct isakmp_parse_t *)pbuf->v; @@ -1163,6 +1181,11 @@ quick_r1recv(iph2, msg0) /* allocate buffer for computing HASH(1) */ tlen = ntohl(isakmp->len) - sizeof(*isakmp); + if (tlen < 0) { + plog(LLV_ERROR, LOCATION, NULL, "invalid length (%d) while extracting hash.\n", + ntohl(isakmp->len)); + goto end; + } hbuf = vmalloc(tlen); if (hbuf == NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -1207,7 +1230,7 @@ quick_r1recv(iph2, msg0) } if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) { plog(LLV_ERROR, LOCATION, NULL, - "failed to process SA payload"); + "failed to process SA payload\n"); goto end; } break; @@ -1215,7 +1238,7 @@ quick_r1recv(iph2, msg0) case ISAKMP_NPTYPE_NONCE: if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) { plog(LLV_ERROR, LOCATION, NULL, - "failed to process NONCE payload"); + "failed to process NONCE payload\n"); goto end; } break; @@ -1223,7 +1246,7 @@ quick_r1recv(iph2, msg0) case ISAKMP_NPTYPE_KE: if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) { plog(LLV_ERROR, LOCATION, NULL, - "failed to process KE payload"); + "failed to process KE payload\n"); goto end; } break; @@ -1235,7 +1258,7 @@ quick_r1recv(iph2, msg0) if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) { plog(LLV_ERROR, LOCATION, NULL, - "failed to process IDci2 payload"); + "failed to process IDci2 payload\n"); goto end; } @@ -1251,7 +1274,7 @@ quick_r1recv(iph2, msg0) if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) { plog(LLV_ERROR, LOCATION, NULL, - "failed to process IDcr2 payload"); + "failed to process IDcr2 payload\n"); goto end; } } else { @@ -1348,7 +1371,7 @@ quick_r1recv(iph2, msg0) my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); if (my_hash == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to compute HASH"); + "failed to compute HASH\n"); goto end; } 
@@ -1558,8 +1581,13 @@ quick_r2send(iph2, msg) goto end; } /* generate DH public value */ +#ifdef HAVE_OPENSSL if (oakley_dh_generate(iph2->pfsgrp, &iph2->dhpub, &iph2->dhpriv) < 0) { +#else + if (oakley_dh_generate(iph2->pfsgrp, + &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) { +#endif plog(LLV_ERROR, LOCATION, NULL, "failed to generate DH public"); goto end; @@ -1750,7 +1778,7 @@ quick_r2send(iph2, msg) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1, - PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) { + PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; @@ -1816,7 +1844,7 @@ quick_r3recv(iph2, msg0) msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); if (msg == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to decrypt packet"); + "failed to decrypt packet\n"); goto end; } @@ -1824,7 +1852,7 @@ quick_r3recv(iph2, msg0) pbuf = isakmp_parse(msg); if (pbuf == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to parse msg"); + "failed to parse msg\n"); goto end; } @@ -1882,7 +1910,7 @@ quick_r3recv(iph2, msg0) vfree(tmp); if (my_hash == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to compute HASH"); + "failed to compute HASH\n"); goto end; } @@ -2023,7 +2051,7 @@ quick_r3send(iph2, msg0) /* the sending message is added to the received-list. */ if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0, - PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) { + PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) { plog(LLV_ERROR , LOCATION, NULL, "failed to add a response packet to the tree.\n"); goto end; 
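Review bot: The `"failed to generate DH public"` message shared by the new `#ifdef HAVE_OPENSSL`/`#else` arms in quick_r2send still lacks the trailing newline that this same commit adds to the other plog strings in isakmp_quick.c; `"failed to generate DH public\n"` keeps the log output consistent. The non-OpenSSL arm also hands `&iph2->publicKeySize` and `&iph2->dhC` to oakley_dh_generate, so a one-line comment above the call noting that both fields are filled in by oakley.c and live with the phase-2 handle would help the next reader. quick_r2send starts and ends outside the hunk.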
@@ -2353,14 +2381,12 @@ get_sainfo_r(iph2) } iph2->sainfo = anonymous; } -#ifdef __APPLE__ if (link_sainfo_to_ph2(iph2->sainfo) != 0) { plog(LLV_ERROR, LOCATION, NULL, "failed to link sainfo\n"); iph2->sainfo = NULL; goto end; } -#endif #ifdef ENABLE_HYBRID /* xauth group inclusion check */ diff --git a/ipsec-tools/racoon/isakmp_var.h b/ipsec-tools/racoon/isakmp_var.h index 26d5716..8310fcc 100644 --- a/ipsec-tools/racoon/isakmp_var.h +++ b/ipsec-tools/racoon/isakmp_var.h @@ -66,20 +66,14 @@ extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr *, extern vchar_t *isakmp_parsewoh __P((int, struct isakmp_gen *, int)); extern vchar_t *isakmp_parse __P((vchar_t *)); -#ifndef __APPLE__ -extern int isakmp_init __P((void)); -#else -extern int isakmp_init __P((int)); -#endif /* __APPLE__ */ +extern int isakmp_init __P((int, int *)); extern void isakmp_cleanup __P((void)); extern const char *isakmp_pindex __P((const isakmp_index *, const u_int32_t)); -extern int isakmp_open __P((void)); +extern int isakmp_open __P((int *)); extern void isakmp_close __P((void)); -#ifdef __APPLE__ extern void isakmp_close_sockets __P((void)); extern void isakmp_close_unused __P((void)); -#endif extern int isakmp_send __P((struct ph1handle *, vchar_t *)); extern void isakmp_ph1resend_stub __P((void *)); @@ -122,7 +116,7 @@ extern struct payload_list *isakmp_plist_append __P((struct payload_list *plist, extern vchar_t *isakmp_plist_set_all __P((struct payload_list **plist, struct ph1handle *iph1)); extern vchar_t *isakmp_plist_append_initial_contact __P((struct ph1handle *, - struct payload_list *)); + struct payload_list *)); #ifdef HAVE_PRINT_ISAKMP_C extern void isakmp_printpacket __P((vchar_t *, struct sockaddr *, diff --git a/ipsec-tools/racoon/isakmp_xauth.c b/ipsec-tools/racoon/isakmp_xauth.c index 4cf6c49..63e9290 100644 --- a/ipsec-tools/racoon/isakmp_xauth.c +++ b/ipsec-tools/racoon/isakmp_xauth.c 
@@ -277,7 +277,11 @@ xauth_attr_reply(iph1, attr, id) switch (isakmp_cfg_config.authsource) { case ISAKMP_CFG_AUTH_SYSTEM: +#ifdef HAVE_OPENSSL res = privsep_xauth_login_system(usr, pwd); +#else + res = xauth_login_system(usr, pwd); +#endif break; #ifdef HAVE_LIBRADIUS case ISAKMP_CFG_AUTH_RADIUS: @@ -382,6 +386,12 @@ xauth_reply(iph1, port, id, res) struct xauth_state *xst = &iph1->mode_cfg->xauth; char *usr = xst->authdata.generic.usr; + if (iph1->is_dying) { + plog(LLV_INFO, LOCATION, NULL, + "dropped login for user \"%s\"\n", usr); + return -1; + } + if (res != 0) { if (port != -1) isakmp_cfg_putport(iph1, port); @@ -1651,6 +1661,8 @@ isakmp_xauth_set(iph1, attr) ((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr, 0, NULL); iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1; + + IPSECLOGASLMSG("IPSec Extended Authentication Failed.\n"); } else { IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKEV1_XAUTH_SUCC, @@ -1661,6 +1673,8 @@ isakmp_xauth_set(iph1, attr) if (iph1->is_rekey) { xst->status = XAUTHST_OK; } + + IPSECLOGASLMSG("IPSec Extended Authentication Passed.\n"); } diff --git a/ipsec-tools/racoon/kmpstat.c b/ipsec-tools/racoon/kmpstat.c index f4629ac..21497ea 100644 --- a/ipsec-tools/racoon/kmpstat.c +++ b/ipsec-tools/racoon/kmpstat.c @@ -39,11 +39,7 @@ #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #include @@ -190,7 +186,7 @@ bad1: * Dumb plog functions (used by sockmisc.c) */ void -plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...) +plog_func(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...) { va_list ap; diff --git a/ipsec-tools/racoon/localconf.c b/ipsec-tools/racoon/localconf.c index 7b2c5ba..5a1af09 100644 --- a/ipsec-tools/racoon/localconf.c +++ b/ipsec-tools/racoon/localconf.c 
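Review bot: The new `#else` arm of xauth_attr_reply calls `xauth_login_system(usr, pwd)` directly where the `HAVE_OPENSSL` arm goes through `privsep_xauth_login_system`, so a non-OpenSSL build performs the system password check inside the main daemon process instead of the privilege-separation helper. The localconf.c hunks for getpskbyname and getpskbyaddr follow the same pattern, with `getpsk(...)` replacing `privsep_getpsk(...)`. If the privsep helper is unavailable without OpenSSL, that trade-off deserves a comment at each site, e.g. `/* no privsep helper in this build: lookup runs in the daemon process */`; if it is available, routing the non-OpenSSL path through it keeps credential handling out of the network-facing process. xauth_attr_reply starts and ends outside the hunk.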
@@ -62,14 +62,12 @@ #include "gcmalloc.h" #include "session.h" -#ifdef __APPLE__ #include #if HAVE_SECURITY_FRAMEWORK #include #else typedef void * SecKeychainRef; #endif -#endif struct localconf *lcconf; @@ -152,6 +150,8 @@ getpskbyname(id0) char *id; vchar_t *key = NULL; + plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key by name.\n"); + id = racoon_calloc(1, 1 + id0->l - sizeof(struct ipsecdoi_id_b)); if (id == NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -162,7 +162,11 @@ getpskbyname(id0) id0->l - sizeof(struct ipsecdoi_id_b)); id[id0->l - sizeof(struct ipsecdoi_id_b)] = '\0'; +#ifdef HAVE_OPENSSL key = privsep_getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b)); +#else + key = getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b)); +#endif end: if (id) @@ -170,7 +174,7 @@ end: return key; } -#if defined(__APPLE__) && HAVE_KEYCHAIN +#if HAVE_KEYCHAIN /* * get PSK from keyChain. */ @@ -184,6 +188,8 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id OSStatus status; char serviceName[] = "com.apple.net.racoon"; + plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key from keychain.\n"); + status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem); if (status != noErr) { plog(LLV_ERROR, LOCATION, NULL, @@ -202,7 +208,7 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id if (secrettype == SECRETTYPE_KEYCHAIN_BY_ID && etype == ISAKMP_ETYPE_AGG) { /* try looking up based on peers id */ - char* peer_id; + char* peer_id = NULL; int idlen = id_p->l - sizeof(struct ipsecdoi_id_b); u_int8_t id_type = ((struct ipsecdoi_id_b *)(id_p->v))->type; @@ -221,7 +227,7 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id case IPSECDOI_ID_FQDN: case IPSECDOI_ID_USER_FQDN: case IPSECDOI_ID_KEY_ID: - peer_id = racoon_malloc(idlen); + peer_id = racoon_malloc(1 + idlen); if (peer_id == NULL) goto end; memcpy(peer_id, id_p->v + sizeof(struct ipsecdoi_id_b), idlen); 
@@ -254,7 +260,8 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id &cur_password_len, &cur_password, NULL); - + if (peer_id) + racoon_free(peer_id); if (status == noErr) goto end; /* otherwise fall through to use the default value */ @@ -302,14 +309,12 @@ no_id: end: if (cur_password) { - key = vmalloc(cur_password_len + 1); + key = vmalloc(cur_password_len); if (key == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate key buffer.\n"); - } else { - memcpy(key->v, cur_password, key->l); - key->v[cur_password_len] = 0; - } + } else + memcpy(key->v, cur_password, cur_password_len); free(cur_password); } @@ -330,9 +335,15 @@ getpskbyaddr(remote) vchar_t *key = NULL; char addr[NI_MAXHOST], port[NI_MAXSERV]; + plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key by addr.\n"); + GETNAMEINFO(remote, addr, port); +#ifdef HAVE_OPENSSL key = privsep_getpsk(addr, strlen(addr)); +#else + key = getpsk(addr, strlen(addr)); +#endif return key; } @@ -348,6 +359,8 @@ getpsk(str, len) char *p, *q; size_t keylen; char *k = NULL; + + plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key from file.\n"); if (safefile(lcconf->pathinfo[LC_PATHTYPE_PSK], 1) == 0) fp = fopen(lcconf->pathinfo[LC_PATHTYPE_PSK], "r"); diff --git a/ipsec-tools/racoon/localconf.h b/ipsec-tools/racoon/localconf.h index f2671be..a21f5b6 100644 --- a/ipsec-tools/racoon/localconf.h +++ b/ipsec-tools/racoon/localconf.h @@ -55,7 +55,7 @@ #define LC_DEFAULT_PAD_STRICT FALSE #define LC_DEFAULT_PAD_EXCLTAIL TRUE #define LC_DEFAULT_RETRY_COUNTER 5 -#define LC_DEFAULT_RETRY_INTERVAL 10 +#define LC_DEFAULT_RETRY_INTERVAL 2 #define LC_DEFAULT_COUNT_PERSEND 1 #define LC_DEFAULT_RETRY_CHECKPH1 30 #define LC_DEFAULT_WAIT_PH2COMPLETE 30 
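Review bot: In getpskfromkeychain the new `racoon_free(peer_id)` after SecKeychainFindGenericPassword leaves `peer_id` pointing at freed memory, and the next line jumps to `end:` on success; if the `end:` cleanup (outside the hunk) also releases peer_id, which the `char* peer_id = NULL;` initialisation added in the previous hunk suggests, that is a double free. Clearing the pointer after the free, `peer_id = NULL;`, makes any later `if (peer_id)` check safe either way. getpskfromkeychain starts and ends outside the hunk.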
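Review bot: `LC_DEFAULT_RETRY_INTERVAL` drops from 10 to 2 while `LC_DEFAULT_RETRY_COUNTER` on the line above stays at 5, so if the interval is applied uniformly the default retransmission window for an unanswered exchange shrinks from about 50 s to about 10 s and retransmits arrive five times as often. Nothing in the hunk records the rationale; a comment such as `/* 2 s: total retransmit window = LC_DEFAULT_RETRY_COUNTER * LC_DEFAULT_RETRY_INTERVAL */` would let a later reader judge the effect on slow or lossy links.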
@@ -174,7 +174,7 @@ extern void initlcconf __P((void)); extern void flushlcconf __P((void)); extern vchar_t *getpskbyname __P((vchar_t *)); extern vchar_t *getpskbyaddr __P((struct sockaddr *)); -#if defined(__APPLE__) && HAVE_KEYCHAIN +#if HAVE_KEYCHAIN extern vchar_t *getpskfromkeychain __P((const char *, u_int8_t, int, vchar_t *)); #endif extern void getpathname __P((char *, int, int, const char *)); diff --git a/ipsec-tools/racoon/logger.c b/ipsec-tools/racoon/logger.c index b9ac558..5d307b8 100644 --- a/ipsec-tools/racoon/logger.c +++ b/ipsec-tools/racoon/logger.c @@ -33,6 +33,7 @@ #include #include +#include #include #include 
@@ -58,6 +59,84 @@ #include "var.h" #include "gcmalloc.h" +#define MAX_LOG_FILESIZE_BYTES 2097152 // 2MB +#define MAX_LOG_FILESIZE_KBYTES (MAX_LOG_FILESIZE_BYTES/1024) +#define MAX_LOG_FILESIZE_MBYTES (MAX_LOG_FILESIZE_BYTES/(1024 * 1024)) +#define LOG_DISCARD_BYTES (MAX_LOG_FILESIZE_BYTES/3) + +static int log_flush (struct log *p, int newbytes) +{ + struct stat st; + int good = 0; + + if (!p || !p->fp) { + return -1; + } + + if (!p->byteswritten) { + bzero(&st, sizeof(st)); + if (fstat(fileno(p->fp), &st) < 0) { + return -1; + } + if (st.st_size < 0) { + return -1; + } + p->byteswritten = st.st_size; + } + if (newbytes > 0) { + p->byteswritten += newbytes; + } + + if (p->byteswritten > MAX_LOG_FILESIZE_BYTES) { + // hack to delete the first 1/3 of the file: won't work on some devices because malloc(MAX_LOG_FILESIZE_BYTES) fails + char *buf = NULL; + size_t discard, saved = 0; + FILE *fp; + + // calc how much to seek into the file + discard = p->byteswritten/3; + if (discard < LOG_DISCARD_BYTES) { + discard = LOG_DISCARD_BYTES; + } + fp = fopen(p->fname, "r"); + // get a temp buffer to hold the last 2/3 of the file + buf = malloc(MAX_LOG_FILESIZE_BYTES); + // seek into the file (skipping the first 1/3 of the file) + if (fp && buf) { + if (fseeko(fp, discard, SEEK_SET) == 0) { + // try reading as much as possible.. shouldn't fill up buffer + saved = fread(buf, MAX_LOG_FILESIZE_BYTES, sizeof(*buf), fp); + // p->byteswritten may be inaccurate (e.g another stream is writing to the file) + if (saved == MAX_LOG_FILESIZE_BYTES) { + saved = 0; + } + } + } + if (fp) { + fclose(fp); + } + + p->byteswritten = 0; + (void)fpurge(p->fp); + // delete file and start appending logs again + p->fp = freopen(p->fname, "wa", p->fp); + if (p->fp == NULL) + return -1; + fprintf(p->fp, "logfile turned over due to size>%d%s\n", + (MAX_LOG_FILESIZE_MBYTES > 0)? MAX_LOG_FILESIZE_MBYTES:MAX_LOG_FILESIZE_KBYTES, + (MAX_LOG_FILESIZE_MBYTES > 0)? 
"MB":"KB"); + // append some of the previous logs (if successfully we buffered 2/3 of the file) + if (buf && saved) { + (void)fwrite(buf, saved, sizeof(*buf), p->fp); + } + if (buf) { + free(buf); + } + } + (void)fflush(p->fp); + return 0; +} + struct log * log_open(siz, fname) size_t siz; @@ -121,15 +200,19 @@ log_print(p, str) struct log *p; char *str; { - FILE *fp; + int bytes; if (p->fname == NULL) return -1; /*XXX syslog?*/ - fp = fopen(p->fname, "a"); - if (fp == NULL) + if (p->fp == NULL) { + p->fp = fopen(p->fname, "a"); + } + if (p->fp == NULL) return -1; - fprintf(fp, "%s", str); - fclose(fp); + bytes = fprintf(p->fp, "%s", str); + if (log_flush(p, bytes)) { + return -1; + } return 0; } @@ -138,19 +221,21 @@ int log_vprint(struct log *p, const char *fmt, ...) { va_list ap; - - FILE *fp; + int bytes; if (p->fname == NULL) return -1; /*XXX syslog?*/ - fp = fopen(p->fname, "a"); - if (fp == NULL) + if (p->fp == NULL) { + p->fp = fopen(p->fname, "a"); + } + if (p->fp == NULL) return -1; va_start(ap, fmt); - vfprintf(fp, fmt, ap); + bytes = vfprintf(p->fp, fmt, ap); va_end(ap); - - fclose(fp); + if (log_flush(p, bytes)) { + return -1; + } return 0; } @@ -158,15 +243,19 @@ log_vprint(struct log *p, const char *fmt, ...) int log_vaprint(struct log *p, const char *fmt, va_list ap) { - FILE *fp; + int bytes; if (p->fname == NULL) return -1; /*XXX syslog?*/ - fp = fopen(p->fname, "a"); - if (fp == NULL) + if (p->fp == NULL) { + p->fp = fopen(p->fname, "a"); + } + if (p->fp == NULL) return -1; - vfprintf(fp, fmt, ap); - fclose(fp); + bytes = vfprintf(p->fp, fmt, ap); + if (log_flush(p, bytes)) { + return -1; + } return 0; } @@ -178,15 +267,17 @@ int log_close(p) struct log *p; { - FILE *fp; int i, j; char ts[256]; struct tm *tm; + int bytes; if (p->fname == NULL) goto nowrite; - fp = fopen(p->fname, "a"); - if (fp == NULL) + if (p->fp == NULL) { + p->fp = fopen(p->fname, "a"); + } + if (p->fp == NULL) goto nowrite; for (i = 0; i < p->siz; i++) { 
@@ -194,12 +285,14 @@ log_close(p) if (p->buf[j]) { tm = localtime(&p->tbuf[j]); strftime(ts, sizeof(ts), "%B %d %T", tm); - fprintf(fp, "%s: %s\n", ts, p->buf[j]); - if (*(p->buf[j] + strlen(p->buf[j]) - 1) != '\n') - fprintf(fp, "\n"); + bytes = fprintf(p->fp, "%s: %s\n", ts, p->buf[j]); + (void)log_flush(p, bytes); + if (*(p->buf[j] + strlen(p->buf[j]) - 1) != '\n') { + bytes = fprintf(p->fp, "\n"); + (void)log_flush(p, bytes); + } } } - fclose(fp); nowrite: log_free(p); @@ -218,6 +311,9 @@ log_free(p) racoon_free(p->tbuf); if (p->fname) racoon_free(p->fname); + if (p->fp) { + fclose(p->fp); + } racoon_free(p); } diff --git a/ipsec-tools/racoon/logger.h b/ipsec-tools/racoon/logger.h index a5bfb3f..521cafb 100644 --- a/ipsec-tools/racoon/logger.h +++ b/ipsec-tools/racoon/logger.h @@ -37,7 +37,9 @@ struct log { int siz; char **buf; time_t *tbuf; + FILE *fp; char *fname; + off_t byteswritten; }; extern struct log *log_open __P((size_t, char *)); diff --git a/ipsec-tools/racoon/main.c b/ipsec-tools/racoon/main.c index 0c16d83..84e1beb 100644 --- a/ipsec-tools/racoon/main.c +++ b/ipsec-tools/racoon/main.c @@ -82,10 +82,12 @@ #include "backupsa.h" #include "vendorid.h" -#ifdef __APPLE__ #include #include -#endif +#ifndef TARGET_OS_EMBEDDED +#include +#endif // !TARGET_OS_EMBEDDED +#include "power_mgmt.h" //#include "package_version.h" @@ -112,6 +114,7 @@ int launchedbylaunchd __P((void)); pid_t racoon_pid = 0; int print_pid = 1; /* for racoon only */ +char logFileStr[MAXPATHLEN+1]; void usage() 
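Review bot: In log_close the result of log_flush is discarded, but log_flush sets `p->fp = NULL` and returns -1 when its freopen fails (hunk at @@ -58 of this file), so the following `fprintf(p->fp, "\n")` and the next loop iteration write through a null FILE pointer. Checking the result and leaving the loop, `if (log_flush(p, bytes)) goto nowrite;` at both call sites, matches how log_print treats the same failure. log_close starts outside the hunk.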
@@ -156,7 +159,21 @@ main(ac, av) char **av; { int error; - char logFileStr[MAXPATHLEN+1]; +#ifndef TARGET_OS_EMBEDDED + char *sb_errorbuf = NULL; +#endif // !TARGET_OS_EMBEDDED + +#ifndef TARGET_OS_EMBEDDED + if (sandbox_init("racoon", SANDBOX_NAMED, &sb_errorbuf) == -1) { + if (sb_errorbuf) { + syslog(LOG_ERR, "sandbox_init failed: %s\n", sb_errorbuf); + sandbox_free_error(sb_errorbuf); + sb_errorbuf = NULL; + } else { + syslog(LOG_ERR, "sandbox_init failed\n"); + } + } +#endif // !TARGET_OS_EMBEDDED if (geteuid() != 0) { errx(1, "must be root to invoke this program."); @@ -181,15 +198,18 @@ main(ac, av) logFileStr[0] = 0; +#ifdef HAVE_OPENSSL eay_init(); +#endif + initlcconf(); initrmconf(); oakley_dhinit(); compute_vendorids(); parse(ac, av); - - #ifdef __APPLE__ + plogmtxinit(); + /* * Check IPSec plist */ @@ -241,7 +261,6 @@ skip: if (logFileStr[0]) plogset(logFileStr); else -#endif /* __APPLE__ */ if (lcconf->logfile_param) plogset(lcconf->logfile_param); @@ -249,9 +268,11 @@ skip: plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d\n", getpid(), getppid()); plog(LLV_INFO, LOCATION, NULL, "%s\n", version); +#ifdef HAVE_OPENSSL plog(LLV_INFO, LOCATION, NULL, "@(#)" "This product linked %s (http://www.openssl.org/)" "\n", eay_version()); +#endif plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n", lcconf->racoon_conf); diff --git a/ipsec-tools/racoon/misc.h b/ipsec-tools/racoon/misc.h index cb33533..c1a1319 100644 --- a/ipsec-tools/racoon/misc.h +++ b/ipsec-tools/racoon/misc.h 
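Review bot: The sandbox block in main is guarded by `#ifndef TARGET_OS_EMBEDDED`, whereas the oakley.c hunks in this same patch test the macro with `#if TARGET_OS_EMBEDDED`; as far as I can tell Apple's TargetConditionals.h defines the macro to 0 or 1 on every platform, so wherever that header is in scope `#ifndef` is false and `sandbox_init` is compiled out of the desktop build it is meant for. `#if !TARGET_OS_EMBEDDED` at both sites in main.c (the include hunk at @@ -82 uses the same guard) selects the intended build. Independently, a failed `sandbox_init` is only logged and the daemon continues unconfined; if that is deliberate a comment saying so belongs next to the syslog, otherwise `exit(1)` after the error log is the fail-closed choice. main starts and ends outside the hunk.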
@@ -51,13 +51,8 @@ struct timeval; extern double timedelta __P((struct timeval *, struct timeval *)); char *strdup __P((const char *)); -#if defined(__APPLE__) #define RACOON_TAILQ_FOREACH_REVERSE(var, head, headname ,field) \ TAILQ_FOREACH_REVERSE(var, head, field, headname) -#else -#define RACOON_TAILQ_FOREACH_REVERSE(var, head, headname ,field) \ - TAILQ_FOREACH_REVERSE(var, head, headname, field) -#endif #define STRDUP_FATAL(x) if (x == NULL) { \ plog(LLV_ERROR, LOCATION, NULL, "strdup failed\n"); \ diff --git a/ipsec-tools/racoon/nattraversal.c b/ipsec-tools/racoon/nattraversal.c index 4dfd089..b3290d1 100644 --- a/ipsec-tools/racoon/nattraversal.c +++ b/ipsec-tools/racoon/nattraversal.c @@ -33,12 +33,7 @@ #include #include -#ifdef __linux__ -#include -#endif -#if defined(__NetBSD__) || defined (__FreeBSD__) #include -#endif #include #include @@ -191,7 +186,6 @@ natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, if (iph1->rmconf->nat_traversal == NATT_FORCE) return verified; -#ifdef __APPLE__ /* old APPLE version sends natd payload in the wrong order */ if (iph1->natt_options->version == VENDORID_NATT_APPLE) { if (natd_seq == 0) { @@ -203,7 +197,6 @@ natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, flag = NAT_DETECTED_ME; } } else -#endif { if (natd_seq == 0) { natd_computed = natt_hash_addr (iph1, iph1->local); 
@@ -247,18 +240,6 @@ natt_fill_options (struct ph1natt_options *opts, int version) opts->version = version; switch (version) { -#ifndef __APPLE__ - case VENDORID_NATT_00: - case VENDORID_NATT_01: - opts->float_port = 0; /* No port floating for those drafts */ - opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT; - opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT; - opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT; - opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT; - opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE; - break; -#endif - case VENDORID_NATT_02: case VENDORID_NATT_02_N: case VENDORID_NATT_03: @@ -274,7 +255,6 @@ natt_fill_options (struct ph1natt_options *opts, int version) case VENDORID_NATT_06: case VENDORID_NATT_07: case VENDORID_NATT_08: -#ifdef __APPLE__ case VENDORID_NATT_APPLE: opts->float_port = lcconf->port_isakmp_natt; opts->payload_nat_d = ISAKMP_NPTYPE_NATD_BADDRAFT; @@ -283,7 +263,6 @@ natt_fill_options (struct ph1natt_options *opts, int version) opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC; opts->encaps_type = UDP_ENCAP_ESPINUDP; break; -#endif case VENDORID_NATT_RFC: opts->float_port = lcconf->port_isakmp_natt; opts->payload_nat_d = ISAKMP_NPTYPE_NATD_RFC; @@ -468,9 +447,6 @@ natt_float_ports (struct ph1handle *iph1) return; if (! iph1->natt_options->float_port){ /* Drafts 00 / 01, just schedule keepalive */ -#ifndef __APPLE__ - natt_keepalive_add_ph1 (iph1); -#endif return; } @@ -487,10 +463,6 @@ natt_float_ports (struct ph1handle *iph1) iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; ike_session_ikev1_float_ports(iph1); - -#ifndef __APPLE__ - natt_keepalive_add_ph1 (iph1); -#endif } void 
@@ -518,133 +490,6 @@ natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric) iph1->natt_flags |= NAT_ANNOUNCED; } -#ifndef __APPLE__ -/* NAT keepalive functions */ -static void -natt_keepalive_send (void *param) -{ - struct natt_ka_addrs *ka, *next = NULL; - char keepalive_packet[] = { 0xff }; - size_t len; - int s; - - for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) { - next = TAILQ_NEXT(ka, chain); - - s = getsockmyaddr(ka->src); - if (s == -1) { - TAILQ_REMOVE (&ka_tree, ka, chain); - racoon_free (ka); - continue; - } - plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n", - saddr2str_fromto("%s->%s", ka->src, ka->dst)); - len = sendfromto(s, keepalive_packet, sizeof (keepalive_packet), - ka->src, ka->dst, 1); - if (len == -1) - plog(LLV_ERROR, LOCATION, NULL, "KA: sendfromto failed: %s\n", - strerror (errno)); - } - - sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL); -} - -void -natt_keepalive_init (void) -{ - TAILQ_INIT(&ka_tree); - - /* To disable sending KAs set natt_ka_interval=0 */ - if (lcconf->natt_ka_interval > 0) - sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL); -} - -int -natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst) -{ - struct natt_ka_addrs *ka = NULL, *new_addr; - - TAILQ_FOREACH (ka, &ka_tree, chain) { - if (cmpsaddrstrict(ka->src, src) == 0 && - cmpsaddrstrict(ka->dst, dst) == 0) { - ka->in_use++; - plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n", - saddr2str_fromto("%s->%s", src, dst), ka->in_use); - return 0; - } - } - - plog (LLV_INFO, LOCATION, NULL, "KA list add: %s\n", saddr2str_fromto("%s->%s", src, dst)); - - new_addr = (struct natt_ka_addrs *)racoon_malloc(sizeof(*new_addr)); - if (! 
new_addr) { - plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n"); - return -1; - } - - if ((new_addr->src = dupsaddr(src)) == NULL) { - racoon_free(new_addr); - plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n"); - return -1; - } - if ((new_addr->dst = dupsaddr(dst)) == NULL) { - racoon_free(new_addr); - plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n"); - return -1; - } - new_addr->in_use = 1; - TAILQ_INSERT_TAIL(&ka_tree, new_addr, chain); - - return 0; -} - -int -natt_keepalive_add_ph1 (struct ph1handle *iph1) -{ - int ret = 0; - - /* Should only the NATed host send keepalives? - If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)' - to the following condition. */ - if (iph1->natt_flags & NAT_DETECTED && - ! (iph1->natt_flags & NAT_KA_QUEUED)) { - ret = natt_keepalive_add (iph1->local, iph1->remote); - if (ret == 0) - iph1->natt_flags |= NAT_KA_QUEUED; - } - - return ret; -} - -void -natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst) -{ - struct natt_ka_addrs *ka, *next = NULL; - - plog (LLV_INFO, LOCATION, NULL, "KA remove: %s\n", saddr2str_fromto("%s->%s", src, dst)); - - for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) { - next = TAILQ_NEXT(ka, chain); - - plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n", - saddr2str_fromto("%s->%s", src, dst), ka->in_use); - - if (cmpsaddrstrict(ka->src, src) == 0 && - cmpsaddrstrict(ka->dst, dst) == 0 && - -- ka->in_use <= 0) { - - plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n"); - - TAILQ_REMOVE (&ka_tree, ka, chain); - racoon_free (ka); - /* Should we break here? Every pair of addresses should - be inserted only once, but who knows :-) Lets traverse - the whole list... */ - } - } -} -#endif /* __APPLE__ */ - static struct remoteconf * natt_enabled_in_rmconf_stub (struct remoteconf *rmconf, void *data) { diff --git a/ipsec-tools/racoon/nattraversal.h b/ipsec-tools/racoon/nattraversal.h index 693fc40..a7c2148 100644 
--- a/ipsec-tools/racoon/nattraversal.h +++ b/ipsec-tools/racoon/nattraversal.h @@ -32,10 +32,13 @@ #define _NATTRAVERSAL_H #include "vendorid.h" +#ifdef ENABLE_NATT +#ifdef ENABLE_FRAG +#include "isakmp_frag.h" +#endif /* ENABLE_NATT */ +#endif /* ENABLE_FRAG */ -#ifdef __APPLE__ #define UDP_ENCAP_ESPINUDP 2 /* to make it compile - we don't use this */ -#endif #define NAT_ANNOUNCED (1L<<0) #define NAT_DETECTED_ME (1L<<1) @@ -55,13 +58,19 @@ #ifdef ENABLE_FRAG #define PH1_NON_ESP_EXTRA_LEN(iph1) ((iph1->frag && iph1->sendbuf->l > ISAKMP_FRAG_MAXLEN) ? 0: (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0)) #define PH2_NON_ESP_EXTRA_LEN(iph2) ((iph2->ph1->frag && iph2->sendbuf->l > ISAKMP_FRAG_MAXLEN) ? 0: (NON_ESP_MARKER_USE(iph2->ph1) ? NON_ESP_MARKER_LEN : 0)) +#define PH1_FRAG_FLAGS(iph1) (NON_ESP_MARKER_USE(iph1) ? FRAG_PUT_NON_ESP_MARKER : 0) +#define PH2_FRAG_FLAGS(iph2) (NON_ESP_MARKER_USE(iph2->ph1) ? FRAG_PUT_NON_ESP_MARKER : 0) #else #define PH1_NON_ESP_EXTRA_LEN(iph1) (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0) #define PH2_NON_ESP_EXTRA_LEN(iph2) (NON_ESP_MARKER_USE(iph2->ph1) ? NON_ESP_MARKER_LEN : 0) +#define PH1_FRAG_FLAGS(iph1) 0 +#define PH2_FRAG_FLAGS(iph2) 0 #endif #else #define PH1_NON_ESP_EXTRA_LEN(iph1) 0 #define PH2_NON_ESP_EXTRA_LEN(iph2) 0 +#define PH1_FRAG_FLAGS(iph1) 0 +#define PH2_FRAG_FLAGS(iph2) 0 #endif /* These are the values from parsing "remote {}" 
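Review bot: The two `#endif` trailers added to nattraversal.h are swapped: the inner `#endif` closes `#ifdef ENABLE_FRAG` but is annotated `/* ENABLE_NATT */`, and the outer one closes `#ifdef ENABLE_NATT` but is annotated `/* ENABLE_FRAG */`. Writing them as `#endif /* ENABLE_FRAG */` followed by `#endif /* ENABLE_NATT */` keeps the comments truthful. The new PH1_FRAG_FLAGS/PH2_FRAG_FLAGS macros in the second hunk follow the existing unparenthesised-argument style of PH1_NON_ESP_EXTRA_LEN, which is fine as long as callers pass plain identifiers, as the isakmp_quick.c hunks do.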
@@ -102,14 +111,6 @@ struct sockaddr * process_natoa_payload(vchar_t *buf); struct payload_list * isakmp_plist_append_natt_vids (struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]); -#ifndef __APPLE__ -/* NAT keepalive functions */ -void natt_keepalive_init (void); -int natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst); -int natt_keepalive_add_ph1 (struct ph1handle *iph1); -void natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst); -#endif - /* Walk through all rmconfigs and tell if NAT-T is enabled in at least one. */ int natt_enabled_in_rmconf (void); diff --git a/ipsec-tools/racoon/oakley.c b/ipsec-tools/racoon/oakley.c index 5e888c1..eefa0fb 100644 --- a/ipsec-tools/racoon/oakley.c +++ b/ipsec-tools/racoon/oakley.c @@ -38,8 +38,10 @@ #include /* XXX for subjectaltname */ #include /* XXX for subjectaltname */ +#ifdef HAVE_OPENSSL #include #include +#endif #include #include 
@@ -87,46 +89,61 @@ #include "sainfo.h" #include "proposal.h" #include "crypto_openssl.h" -#ifdef __APPLE__ #include "crypto_cssm.h" #if HAVE_OPENDIR #include "open_dir.h" #endif -#endif #include "dnssec.h" #include "sockmisc.h" #include "strnames.h" #include "gcmalloc.h" +#ifdef HAVE_OPENSSL #include "rsalist.h" -#ifdef __APPLE__ -#include #endif +#include #include "remoteconf.h" #include "vpn_control.h" - +#if TARGET_OS_EMBEDDED +#include +#include +#endif #ifdef HAVE_GSSAPI #include "gssapi.h" #endif +#include "vpn_control_var.h" #define OUTBOUND_SA 0 #define INBOUND_SA 1 -#ifdef __APPLE__ #define CERT_CHECKID_FROM_PEER 0 #define CERT_CHECKID_FROM_RMCONFIG 1 -#endif +#ifdef HAVE_OPENSSL #define INITDHVAL(a, s, d, t) \ do { \ - vchar_t buf; \ - buf.v = str2val((s), 16, &buf.l); \ - memset(&a, 0, sizeof(struct dhgroup)); \ - a.type = (t); \ - a.prime = vdup(&buf); \ - a.gen1 = 2; \ - a.gen2 = 0; \ - racoon_free(buf.v); \ +vchar_t buf; \ +buf.v = str2val((s), 16, &buf.l); \ +memset(&a, 0, sizeof(struct dhgroup)); \ +a.type = (t); \ +a.prime = vdup(&buf); \ +a.gen1 = 2; \ +a.gen2 = 0; \ +racoon_free(buf.v); \ } while(0); +#else /* HAVE_OPENSSL */ +#define INITDHVAL(a, s, d, t) \ +do { \ +vchar_t buf; \ +buf.v = str2val((s), 16, &buf.l); \ +memset(&a, 0, sizeof(struct dhgroup)); \ +a.desc = (d); \ +a.type = (t); \ +a.prime = vdup(&buf); \ +a.gen1 = 2; \ +a.gen2 = 0; \ +racoon_free(buf.v); \ +} while(0); +#endif /* HAVE_OPENSSL */ struct dhgroup dh_modp768; struct dhgroup dh_modp1024; 
@@ -141,21 +158,32 @@ struct dhgroup dh_modp8192; static int oakley_check_dh_pub __P((vchar_t *, vchar_t **)); static int oakley_compute_keymat_x __P((struct ph2handle *, int, int)); static int get_cert_fromlocal __P((struct ph1handle *, int)); +#ifdef HAVE_OPENSSL static int get_plainrsa_fromlocal __P((struct ph1handle *, int)); -#ifdef __APPLE__ -static int oakley_check_certid __P((struct ph1handle *iph1, int)); -static int oakley_check_certid_1 __P((struct ph1handle*, int, int, void*)); -#else -static int oakley_check_certid __P((struct ph1handle *iph1)); #endif +static int oakley_check_certid __P((struct ph1handle *iph1, int)); +static int oakley_check_certid_1 __P((vchar_t *, int, int, void*, cert_status_t *certStatus)); static int check_typeofcertname __P((int, int)); static cert_t *save_certbuf __P((struct isakmp_gen *)); +#ifdef HAVE_OPENSSL static cert_t *save_certx509 __P((X509 *)); +#endif static int oakley_padlen __P((int, int)); -#ifdef __APPLE__ static int base64toCFData(vchar_t *, CFDataRef*); +static cert_t *oakley_appendcert_to_certchain(cert_t *, cert_t *); + +static void oakley_cert_prettyprint (vchar_t *cert) +{ + char *p = NULL; +#ifdef HAVE_OPENSSL + p = eay_get_x509text(cert); +#else + /* add new cert dump code here */ #endif + plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n"); + racoon_free(p); +} int oakley_get_defaultlifetime() @@ -245,10 +273,9 @@ oakley_check_dh_pub(prime, pub0) * IN: *dh, *pub, *priv, *pub_p * OUT: **gxy */ +#ifdef HAVE_OPENSSL int -oakley_dh_compute(dh, pub, priv, pub_p, gxy) - const struct dhgroup *dh; - vchar_t *pub, *priv, *pub_p, **gxy; +oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub, vchar_t *priv, vchar_t *pub_p, vchar_t **gxy) { #ifdef ENABLE_STATS struct timeval start, end; 
@@ -293,12 +320,69 @@ oakley_dh_compute(dh, pub, priv, pub_p, gxy) return 0; } +#else +int +oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub_p, size_t publicKeySize, vchar_t **gxy, SecDHContext dhC) +{ + + vchar_t *computed_key = NULL; + size_t computed_keylen; + size_t maxKeyLen; + +#ifdef ENABLE_STATS + struct timeval start, end; + gettimeofday(&start, NULL); +#endif + + plog(LLV_DEBUG, LOCATION, NULL, "compute DH result.\n"); + + maxKeyLen = SecDHGetMaxKeyLength(dhC); + computed_key = vmalloc(maxKeyLen); + if (computed_key == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "memory error.\n"); + goto fail; + } + computed_keylen = computed_key->l; + if (SecDHComputeKey(dhC, pub_p->v + (maxKeyLen - publicKeySize), publicKeySize, + computed_key->v, &computed_keylen)) { + plog(LLV_ERROR, LOCATION, NULL, "failed to compute dh value.\n"); + goto fail; + } + +#ifdef ENABLE_STATS + gettimeofday(&end, NULL); + syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__, + s_attr_isakmp_group(dh->type), dh->prime->l << 3, + timedelta(&start, &end)); +#endif + + *gxy = vmalloc(maxKeyLen); + if (*gxy == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "memory error.\n"); + goto fail; + } + memcpy((*gxy)->v + (maxKeyLen - computed_keylen), computed_key->v, computed_keylen); + plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n"); + plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l); + SecDHDestroy(dhC); + vfree(computed_key); + return 0; + +fail: + SecDHDestroy(dhC); + vfree(*gxy); + vfree(computed_key); + return -1; +} + +#endif /* * generate values of DH * IN: *dh * OUT: **pub, **priv */ +#ifdef HAVE_OPENSSL int oakley_dh_generate(dh, pub, priv) const struct dhgroup *dh; 
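Review bot: In the non-OpenSSL oakley_dh_compute, `pub_p->v + (maxKeyLen - publicKeySize)` is read for `publicKeySize` bytes, so the peer's public value is assumed to occupy exactly `maxKeyLen` bytes and to have the same length as the local key; nothing in the hunk compares `pub_p->l` with `maxKeyLen`, and the KE payload is peer-supplied. A guard before the call, `if (pub_p->l != maxKeyLen) { plog(LLV_ERROR, LOCATION, NULL, "invalid DH public length.\n"); goto fail; }`, bounds the read; if a length check already exists at the caller (not visible here) a comment pointing to it would do instead. Ownership is also blurred on the failure path: `SecDHDestroy(dhC)` runs, but `dhC` is passed by value so the caller's `iph2->dhC` keeps the destroyed handle, and `vfree(*gxy)` leaves `*gxy` dangling; setting `*gxy = NULL` after the free and documenting that the caller must clear `iph2->dhC` after any return would prevent a second release elsewhere.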
@@ -345,6 +429,90 @@ oakley_dh_generate(dh, pub, priv) return 0; } +#else +int +oakley_dh_generate(const struct dhgroup *dh, vchar_t **pub, size_t *publicKeySize, SecDHContext *dhC) +{ + vchar_t *public = NULL; + size_t maxKeyLen; + +#ifdef ENABLE_STATS + struct timeval start, end; + gettimeofday(&start, NULL); +#endif + + plog(LLV_DEBUG, LOCATION, NULL, "generate DH key pair.\n"); + *pub = NULL; + switch (dh->type) { + case OAKLEY_ATTR_GRP_TYPE_MODP: + if (dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1024 && dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1536) { + plog(LLV_ERROR, LOCATION, NULL, "Invalid dh group.\n"); + goto fail; + } + if (SecDHCreate(dh->desc, dh->prime->v, dh->prime->l, 0, NULL, 0, dhC)) { + plog(LLV_ERROR, LOCATION, NULL, "failed to create dh context.\n"); + goto fail; + } + maxKeyLen = SecDHGetMaxKeyLength(*dhC); + public = vmalloc(maxKeyLen); + *publicKeySize = public->l; + if (public == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "memory error.\n"); + goto fail; + } + if (SecDHGenerateKeypair(*dhC, public->v, publicKeySize)) { + plog(LLV_ERROR, LOCATION, NULL, "failed to generate dh key pair.\n"); + goto fail; + } + plog(LLV_DEBUG, LOCATION, NULL, "got DH key pair.\n"); + + *pub = vmalloc(maxKeyLen); + if (*pub == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "memory error.\n"); + goto fail; + } + /* copy and fill with leading zeros */ + memcpy((*pub)->v + (maxKeyLen - *publicKeySize), public->v, *publicKeySize); + break; + + case OAKLEY_ATTR_GRP_TYPE_ECP: + case OAKLEY_ATTR_GRP_TYPE_EC2N: + plog(LLV_ERROR, LOCATION, NULL, + "dh type %d isn't supported.\n", dh->type); + goto fail; + default: + plog(LLV_ERROR, LOCATION, NULL, + "invalid dh type %d.\n", dh->type); + goto fail; + } + +#ifdef ENABLE_STATS + gettimeofday(&end, NULL); + syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__, + s_attr_isakmp_group(dh->type), dh->prime->l << 3, + timedelta(&start, &end)); +#endif + + if (oakley_check_dh_pub(dh->prime, pub) != 0) { + plog(LLV_DEBUG, LOCATION, NULL, "failed DH 
public key size check.\n"); + goto fail; + } + + plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n"); + plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n"); + plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l); + + vfree(public); + return 0; + +fail: + SecDHDestroy(*dhC); + vfree(*pub); + vfree(public); + return -1; + +} +#endif /* * copy pre-defined dhgroup values. @@ -464,8 +632,12 @@ oakley_compute_keymat(iph2, side) /* compute sharing secret of DH when PFS */ if (iph2->approval->pfs_group && iph2->dhpub_p) { +#ifdef HAVE_OPENSSL if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub, - iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0) + iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0) +#else + if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub_p, iph2->publicKeySize, &iph2->dhgxy, iph2->dhC) < 0) +#endif goto end; } 
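Review bot: `*publicKeySize = public->l;` in the MODP case of `oakley_dh_generate` dereferences `public` before the `if (public == NULL)` check that follows it, so an allocation failure is a NULL dereference rather than the intended `goto fail`; move the assignment after the check: `if (public == NULL) { plog(...); goto fail; }` then `*publicKeySize = public->l;`. The `fail:` path calls `SecDHDestroy(*dhC)` even when `SecDHCreate` failed or was never reached (the ECP/EC2N and default cases), so `*dhC` may be indeterminate there; set `*dhC = NULL` at entry if `SecDHDestroy` tolerates NULL, otherwise track creation with a flag. As in `oakley_dh_compute`, `vfree(*pub)` on failure should be followed by `*pub = NULL` so the caller's `iph2->dhpub` is not left dangling. The function begins on the preceding physical line of this hunk.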
@@ -1250,6 +1422,81 @@ end: return res; } +#if HAVE_OPENDIR +static int +oakley_verify_userid(iph1) + struct ph1handle *iph1; +{ + cert_t *p; + vchar_t *user_id; + int user_id_found = 0; + + for (p = iph1->cert_p; p; p = p->chain) { + user_id = eay_get_x509_common_name(&p->cert); + if (user_id) { + user_id_found = 1; + // the following functions will check if user_id == 0 + if (open_dir_authorize_id(user_id, iph1->rmconf->open_dir_auth_group)) { + vfree(user_id); + return 0; + } + vfree(user_id); + } + } + if (user_id_found) { + plog(LLV_ERROR, LOCATION, NULL, + "the peer is not authorized for access.\n"); + } else { + plog(LLV_ERROR, LOCATION, NULL, + "the peer is not authorized for access - user ID not found.\n"); + } + return ISAKMP_NTYPE_AUTHENTICATION_FAILED; +} +#endif /* HAVE_OPENDIR */ + +#ifdef HAVE_OPENSSL +static int +oakley_verify_x509sign(certchain, my_hash, my_sig) + cert_t *certchain; + vchar_t *my_hash; + vchar_t *my_sig; +{ + cert_t *p; + int result = -1; + + for (p = certchain; p; p = p->chain) { + if ((result = eay_check_x509sign(my_hash, + my_sig, + &p->cert)) == 0) { + break; + } + } + return result; +} +#endif +#ifdef HAVE_OPENSSL +static int +oakley_check_x509cert(certchain, capath, cafile, local) + cert_t *certchain; + char *capath; + char *cafile; + int local; +{ + cert_t *p; + int result = 0; + + for (p = certchain; p; p = p->chain) { + if ((result = eay_check_x509cert(&p->cert, + capath, + cafile, + local))) { + break; + } + } + return result; +} +#endif /* HAVE_OPENSSL */ + /* * compute each authentication method in phase 1. * OUT: @@ -1270,6 +1517,9 @@ oakley_validate_auth(iph1) #ifdef ENABLE_STATS struct timeval start, end; #endif +#if TARGET_OS_EMBEDDED + SecKeyRef publicKeyRef; +#endif #ifdef ENABLE_STATS gettimeofday(&start, NULL); @@ -1375,6 +1625,7 @@ oakley_validate_auth(iph1) return ISAKMP_INTERNAL_ERROR; } break; +#ifdef HAVE_OPENSSL case ISAKMP_GETCERT_LOCALFILE: switch (iph1->rmconf->certtype) { case ISAKMP_CERT_X509SIGN: 
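Review bot: `oakley_verify_x509sign` and `oakley_verify_userid` accept the peer as soon as any certificate in the received chain verifies the signature or carries an authorized common name, including intermediate or CA certificates the peer chose to include; neither check is tied to the end-entity certificate that matched the ID payload. Both should operate on the certificate selected by `oakley_get_peer_cert_from_certchain(iph1)` (added later in this diff) instead of walking `iph1->cert_p`, or at least skip entries whose `status` was marked as non-matching; the same applies to the `oakley_verify_x509sign` call in the `-1602,16 +1832,24` hunk and the `oakley_verify_userid` call in the `-1451,27 +1697,11` hunk. `oakley_check_x509cert` has the opposite semantics (stops at the first failure), which is right but easy to misread next to its siblings; a one-line contract comment such as `/* 0 only if every certificate in the chain validates against capath/cafile */` would make that explicit.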
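Review bot: `SecKeyRef publicKeyRef;` is declared without an initializer, and the only assignment visible is through `crypto_cssm_check_x509cert(..., &publicKeyRef)` inside the certificate-verification branch of the `-1521 +1751` hunk, while `CFRelease(publicKeyRef)` in the `-1602 +1832` hunk runs unconditionally on the TARGET_OS_EMBEDDED path; if verification is skipped or fails before the key is copied out, the release operates on an indeterminate pointer. Initialize it with `SecKeyRef publicKeyRef = NULL;` and guard the release with `if (publicKeyRef) CFRelease(publicKeyRef);`. `oakley_validate_auth` starts before this hunk.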
@@ -1400,6 +1651,7 @@ oakley_validate_auth(iph1) if (error) return ISAKMP_INTERNAL_ERROR; break; +#endif case ISAKMP_GETCERT_DNS: if (iph1->rmconf->peerscertfile != NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -1430,14 +1682,8 @@ oakley_validate_auth(iph1) /* compare ID payload and certificate name */ if (iph1->rmconf->verify_cert && -#ifdef __APPLE__ (error = oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)) != 0) -#else - (error = oakley_check_certid(iph1)) != 0) -#endif return error; - -#ifdef __APPLE__ /* check configured peers identifier against cert IDs */ /* allows checking of specified ID against multiple ids in the cert */ @@ -1451,27 +1697,11 @@ oakley_validate_auth(iph1) #if HAVE_OPENDIR /* check cert common name against Open Directory authentication group */ if (iph1->rmconf->cert_verification_option == VERIFICATION_OPTION_OPEN_DIR) { - - vchar_t *user_id = NULL; - - user_id = eay_get_x509_common_name(&iph1->cert_p->cert); - if (user_id) { - // the following functions will check if user_id == 0 - if (open_dir_authorize_id(user_id, iph1->rmconf->open_dir_auth_group) == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "the peer is not authorized for access.\n"); - vfree(user_id); - return ISAKMP_NTYPE_AUTHENTICATION_FAILED; - } - vfree(user_id); - } else { - plog(LLV_ERROR, LOCATION, NULL, - "the peer is not authorized for access - user ID not found.\n"); - return ISAKMP_NTYPE_AUTHENTICATION_FAILED; + if (oakley_verify_userid(iph1)) { + return ISAKMP_NTYPE_AUTHENTICATION_FAILED; } } #endif /* HAVE_OPENDIR */ -#endif /* __APPLE__ */ /* verify certificate */ if (iph1->rmconf->verify_cert 
@@ -1521,17 +1751,17 @@ oakley_validate_auth(iph1) } else hostname = CFStringCreateWithBytes(NULL, (u_int8_t *)id_spec->id->v, id_spec->id->l, kCFStringEncodingUTF8, FALSE); } - error = crypto_cssm_check_x509cert(&iph1->cert_p->cert, hostname, iph1->cert_p->status); + error = crypto_cssm_check_x509cert(oakley_get_peer_cert_from_certchain(iph1), iph1->cert_p, hostname, &publicKeyRef); if (hostname) CFRelease(hostname); } #else /* TARGET_OS_EMBEDDED */ -#ifdef __APPLE__ if (iph1->rmconf->cert_verification == VERIFICATION_MODULE_SEC_FRAMEWORK) - error = crypto_cssm_check_x509cert(&iph1->cert_p->cert, NULL, iph1->cert_p->status); + error = crypto_cssm_check_x509cert(oakley_get_peer_cert_from_certchain(iph1), + iph1->cert_p, + NULL); else -#endif /* __APPLE__ */ { char path[MAXPATHLEN]; char *ca; @@ -1545,9 +1775,9 @@ oakley_validate_auth(iph1) ca = NULL; } - error = eay_check_x509cert(&iph1->cert_p->cert, - lcconf->pathinfo[LC_PATHTYPE_CERT], - ca, 0); + error = oakley_check_x509cert(iph1->cert_p, + lcconf->pathinfo[LC_PATHTYPE_CERT], + ca, 0); } #endif /* TARGET_OS_EMBEDDED */ break; @@ -1602,16 +1832,24 @@ oakley_validate_auth(iph1) switch (certtype) { case ISAKMP_CERT_X509SIGN: case ISAKMP_CERT_DNS: - error = eay_check_x509sign(my_hash, - iph1->sig_p, - &iph1->cert_p->cert); +#if TARGET_OS_EMBEDDED + error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p); + if (error) + plog(LLV_ERROR, LOCATION, NULL, "error verifying signature %s\n", GetSecurityErrorString(error)); + + CFRelease(publicKeyRef); +#else + error = oakley_verify_x509sign(iph1->cert_p, my_hash, iph1->sig_p); +#endif break; +#ifdef HAVE_OPENSSL case ISAKMP_CERT_PLAINRSA: iph1->rsa_p = rsa_try_check_rsasign(my_hash, iph1->sig_p, iph1->rsa_candidates); error = iph1->rsa_p ? 0 : -1; break; +#endif default: plog(LLV_ERROR, LOCATION, NULL, "no supported certtype %d\n", 
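Review bot: `oakley_get_peer_cert_from_certchain(iph1)` returns NULL when no ID or CERT is present or when no chain entry matches the ID, and both `crypto_cssm_check_x509cert` calls in the `-1521 +1751` hunk pass its result straight through; unless that function rejects a NULL certificate itself, add `cert_t *peer_cert = oakley_get_peer_cert_from_certchain(iph1); if (peer_cert == NULL) return ISAKMP_NTYPE_INVALID_CERTIFICATE;` before the calls and pass `peer_cert`. In the `-1545 +1775` hunk `oakley_check_x509cert(iph1->cert_p, ...)` validates every chain entry against the CA store, which is stricter than the previous single-certificate check and worth a comment so the behavior change is intentional. The enclosing `oakley_validate_auth` starts and ends outside these hunks.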
@@ -1722,6 +1960,47 @@ oakley_validate_auth(iph1) return 0; } +int +oakley_find_status_in_certchain (cert_t *certchain, cert_status_t certStatus) +{ + cert_t *p; + + for (p = certchain; p; p = p->chain) { + if (p->status == certStatus) { + return 1; + } + } + return 0; +} + +static +int +oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (struct ph1handle *iph1, + int notify_initiator) +{ +#if TARGET_OS_EMBEDDED + int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE); + int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED); + if (premature || expired) { + u_int32_t address; + u_int32_t fail_reason; + + if (iph1->remote->sa_family == AF_INET) + address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr; + else + address = 0; + if (premature) { + fail_reason = VPNCTL_NTYPE_LOCAL_CERT_PREMATURE; + } else { + fail_reason = VPNCTL_NTYPE_LOCAL_CERT_EXPIRED; + } + vpncontrol_notify_ike_failed(fail_reason, notify_initiator, address, 0, NULL); + return -1; + } +#endif /* TARGET_OS_EMBEDDED */ + return 0; +} + /* get my certificate * NOTE: include certificate type. */ @@ -1736,26 +2015,18 @@ oakley_getmycert(iph1) case ISAKMP_CERT_X509SIGN: if (iph1->cert) return 0; -/* only do the local cert test on the phone */ - { if ( !(err = get_cert_fromlocal(iph1, 1))){ - if ( iph1->cert->status == CERT_STATUS_EXPIRED || iph1->cert->status == CERT_STATUS_PREMATURE){ - if (iph1->remote->sa_family == AF_INET) - address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr; - else - address = 0; - vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PH1_DELETE_CERT_ERROR + iph1->cert->status, FROM_LOCAL, address, 0, NULL); + if (oakley_vpncontrol_notify_ike_failed_if_mycert_invalid(iph1, FROM_LOCAL)) { return -1; } } - } return err; - +#ifdef HAVE_OPENSSL case ISAKMP_CERT_PLAINRSA: if (iph1->rsa) return 0; return get_plainrsa_fromlocal(iph1, 1); - +#endif default: plog(LLV_ERROR, LOCATION, NULL, "Unknown certtype #%d\n", 
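Review bot: The premature/expired check on the local certificate in `oakley_getmycert` is now inside `#if TARGET_OS_EMBEDDED` (via `oakley_vpncontrol_notify_ike_failed_if_mycert_invalid`), whereas the removed lines ran it unconditionally, so on other builds an expired or not-yet-valid local certificate is used silently unless its status is checked elsewhere; if that is intended, say so in a comment on the helper, otherwise keep the status walk unconditional and make only the `vpncontrol_notify_ike_failed` call embedded-only. In the non-embedded build the helper ignores both parameters, which `-Wunused-parameter` will flag, and the `address` local in `oakley_getmycert` (declared before the `-1736 +2015` hunk) appears to be unused now. `oakley_find_status_in_certchain` is a new non-static function and presumably needs a prototype next to the other `oakley_*` exports.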
@@ -1790,19 +2061,13 @@ get_cert_fromlocal(iph1, my) certfile = iph1->rmconf->peerscertfile; certpl = &iph1->cert_p; } - -#ifdef __APPLE__ if (!certfile && iph1->rmconf->identity_in_keychain == 0) { -#else - if (!certfile) { -#endif plog(LLV_ERROR, LOCATION, NULL, "no CERT defined.\n"); return 0; } switch (iph1->rmconf->certtype) { case ISAKMP_CERT_X509SIGN: -#if defined(__APPLE__) if (iph1->rmconf->identity_in_keychain) { CFDataRef dataRef; @@ -1813,19 +2078,16 @@ get_cert_fromlocal(iph1, my) CFRelease(dataRef); break; } // else fall thru -#endif +#ifdef HAVE_OPENSSL case ISAKMP_CERT_DNS: /* make public file name */ getpathname(path, sizeof(path), LC_PATHTYPE_CERT, certfile); cert = eay_get_x509cert(path); if (cert) { - char *p = NULL; - p = eay_get_x509text(cert); - plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n"); - racoon_free(p); + oakley_cert_prettyprint(cert); }; break; - +#endif default: plog(LLV_ERROR, LOCATION, NULL, "not supported certtype %d\n", @@ -1863,7 +2125,8 @@ get_cert_fromlocal(iph1, my) plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n"); plogdump(LLV_DEBUG, (*certpl)->pl->v, (*certpl)->pl->l); - + oakley_cert_prettyprint(cert); + error = 0; end: @@ -1873,6 +2136,7 @@ end: return error; } +#ifdef HAVE_OPENSSL static int get_plainrsa_fromlocal(iph1, my) struct ph1handle *iph1; @@ -1924,6 +2188,7 @@ get_plainrsa_fromlocal(iph1, my) end: return error; } +#endif /* get signature */ int @@ -1936,7 +2201,6 @@ oakley_getsign(iph1) switch (iph1->rmconf->certtype) { case ISAKMP_CERT_X509SIGN: -#if defined(__APPLE__) // cert in keychain - use cssm to sign if (iph1->rmconf->identity_in_keychain) { CFDataRef dataRef; @@ -1947,7 +2211,7 @@ oakley_getsign(iph1) CFRelease(dataRef); break; } // else fall thru -#endif +#ifdef HAVE_OPENSSL case ISAKMP_CERT_DNS: if (iph1->rmconf->myprivfile == NULL) { plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n"); 
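Review bot: In `get_cert_fromlocal` the `// else fall thru` comment after the keychain branch is no longer accurate when HAVE_OPENSSL is not defined: `case ISAKMP_CERT_DNS:` now sits inside the `#ifdef`, so an `ISAKMP_CERT_X509SIGN` configuration without `identity_in_keychain` falls into `default:` and is rejected as "not supported certtype"; document it, e.g. `// else fall thru to the file-based loader (OpenSSL builds only; rejected by default: otherwise)`. The `oakley_cert_prettyprint(cert);` added in the `-1863 +2125` hunk repeats the dump already done right after `eay_get_x509cert` in the `-1813 +2078` hunk, so file-based certificates are printed twice at debug level, and in the keychain path `cert` is assigned outside this hunk, so confirm it is valid there before dumping. The same stale `// else fall thru` appears in `oakley_getsign` (`-1947 +2211`). `get_cert_fromlocal` starts before these hunks.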
@@ -1972,6 +2236,7 @@ oakley_getsign(iph1) case ISAKMP_CERT_PLAINRSA: iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa); break; +#endif default: plog(LLV_ERROR, LOCATION, NULL, "Unknown certtype #%d\n", @@ -1996,7 +2261,64 @@ end: return error; } -#ifdef __APPLE__ +void +oakley_verify_certid(iph1) +struct ph1handle *iph1; +{ + if (iph1->rmconf->verify_cert && + oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)){ + plog(LLV_DEBUG, LOCATION, NULL, + "Discarding CERT: does not match ID:\n"); + oakley_delcert(iph1->cert_p); + iph1->cert_p = NULL; + } +} + +static int +oakley_check_certid_in_certchain(certchain, idtype, idlen, id) + cert_t *certchain; + int idtype; + int idlen; + void *id; +{ + cert_t *p; + + for (p = certchain; p; p = p->chain) { + if (oakley_check_certid_1(&p->cert, idtype, idlen, id, &p->status) == 0) { + return 0; + } + } + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; +} + +cert_t * +oakley_get_peer_cert_from_certchain(iph1) + struct ph1handle * iph1; +{ + cert_t *p; + struct ipsecdoi_id_b *id_b; + int idlen; + void *peers_id; + + if (!iph1->id_p || !iph1->cert_p) { + plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n"); + return NULL; + } + if (!iph1->cert_p->chain) { + // no chain: simply return the only cert + return iph1->cert_p; + } + + id_b = (struct ipsecdoi_id_b *)iph1->id_p->v; + peers_id = id_b + 1; + idlen = iph1->id_p->l - sizeof(*id_b); + for (p = iph1->cert_p; p; p = p->chain) { + if (oakley_check_certid_1(&p->cert, id_b->type, idlen, peers_id, &p->status) == 0) { + return p; + } + } + return NULL; +} /* * compare certificate name and ID value. @@ -2023,7 +2345,7 @@ oakley_check_certid(iph1, which_id) peers_id = id_b + 1; idlen = iph1->id_p->l - sizeof(*id_b); - return oakley_check_certid_1(iph1, doi_type, idlen, peers_id); + return oakley_check_certid_in_certchain(iph1->cert_p, doi_type, idlen, peers_id); } else { /* use ID from remote configuration */ 
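Review bot: `oakley_check_certid_in_certchain` and `oakley_get_peer_cert_from_certchain` pass `&p->status` into `oakley_check_certid_1` for every chain entry, and `oakley_check_certid_1` sets `CERT_STATUS_INVALID_SUBJNAME`/`_SUBJALTNAME` on any entry that merely does not carry the ID; intermediate or CA certificates in a peer-supplied chain are not expected to match, so if anything downstream consults `status` (e.g. `crypto_cssm_check_x509cert`, which now receives the chain) legitimate chains will look damaged. Pass `NULL` for the status while searching and mark only the selected end-entity certificate, or clear `p->status` on non-matching entries. `idlen = iph1->id_p->l - sizeof(*id_b);` has no lower-bound check on `id_p->l` and stores the result in an `int`, so a short ID payload underflows; `oakley_check_certid` carries the same pattern, so if the payload length is validated earlier a comment naming that check would suffice, otherwise reject `id_p->l < sizeof(*id_b)` here. `oakley_verify_certid` and `oakley_get_peer_cert_from_certchain` are new non-static definitions and presumably need prototypes.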
@@ -2058,19 +2380,20 @@ oakley_check_certid(iph1, which_id) peers_id = id_spec->id->v; idlen = id_spec->id->l; } - if (oakley_check_certid_1(iph1, doi_type, idlen, peers_id) == 0) + if (oakley_check_certid_in_certchain(iph1->cert_p, doi_type, idlen, peers_id) == 0) return 0; } - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } } static int -oakley_check_certid_1(iph1, idtype, idlen, id) - struct ph1handle *iph1; +oakley_check_certid_1(cert, idtype, idlen, id, certStatus) + vchar_t *cert; int idtype; int idlen; void *id; + cert_status_t *certStatus; { vchar_t *name = NULL; 
@@ -2080,30 +2403,167 @@ oakley_check_certid_1(iph1, idtype, idlen, id) switch (idtype) { case IPSECDOI_ID_DER_ASN1_DN: - name = eay_get_x509asn1subjectname(&iph1->cert_p->cert); +#if TARGET_OS_EMBEDDED + { + SecCertificateRef certificate; + CFDataRef subject; + UInt8* namePtr; + + certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert); + if (certificate == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "failed to get SecCertificateRef\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID; + } + return ISAKMP_NTYPE_INVALID_CERTIFICATE; + } + subject = SecCertificateCopySubjectSequence(certificate); + if (subject == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectName\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJNAME; + } + CFRelease(certificate); + return ISAKMP_NTYPE_INVALID_CERTIFICATE; + } + len = CFDataGetLength(subject); + namePtr = CFDataGetBytePtr(subject); + if (idlen != len) { + plog(LLV_ERROR, LOCATION, NULL, "Invalid ID length in phase 1.\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJNAME; + } + CFRelease(subject); + CFRelease(certificate); + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + } + error = memcmp(id, namePtr, idlen); + if (error != 0) { + plog(LLV_ERROR, LOCATION, NULL, + "ID mismatched with subjectName.\n"); + plog(LLV_ERROR, LOCATION, NULL, + "subjectName (type %s):\n", + s_ipsecdoi_ident(idtype)); + plogdump(LLV_ERROR, namePtr, len); + plog(LLV_ERROR, LOCATION, NULL, + "ID:\n"); + plogdump(LLV_ERROR, id, idlen); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJNAME; + } + CFRelease(certificate); + CFRelease(subject); + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + } + } +#else + name = eay_get_x509asn1subjectname(cert); if (!name) { plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectName\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJNAME; + } return 
ISAKMP_NTYPE_INVALID_CERTIFICATE; } if (idlen != name->l) { plog(LLV_ERROR, LOCATION, NULL, "Invalid ID length in phase 1.\n"); vfree(name); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJNAME; + } return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } error = memcmp(id, name->v, idlen); - vfree(name); if (error != 0) { plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectName.\n"); + plog(LLV_ERROR, LOCATION, NULL, + "subjectName (type %s):\n", + s_ipsecdoi_ident(idtype)); + plogdump(LLV_ERROR, name->v, name->l); + plog(LLV_ERROR, LOCATION, NULL, + "ID:\n"); + plogdump(LLV_ERROR, id, idlen); + vfree(name); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJNAME; + } return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } + vfree(name); +#endif return 0; + case IPSECDOI_ID_IPV4_ADDR: case IPSECDOI_ID_IPV6_ADDR: { - +#if TARGET_OS_EMBEDDED + CFIndex pos, count; + SecCertificateRef certificate; + CFArrayRef addresses; + + certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert); + if (certificate == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to get SecCertificateRef\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID; + } + return ISAKMP_NTYPE_INVALID_CERTIFICATE; + } + addresses = SecCertificateCopyIPAddresses(certificate); + if (addresses == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectName\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } + CFRelease(certificate); + return ISAKMP_NTYPE_INVALID_CERTIFICATE; + } + count = CFArrayGetCount(addresses); + for (pos = 0; pos < count; pos++) { + + CFStringRef address; + CFIndex addressLen; + char *addressBuf, numAddress[128]; + int result; + + address = CFArrayGetValueAtIndex(addresses, pos); + addressLen = CFStringGetLength(address); + if (addressLen == 0) + continue; + addressBuf = racoon_malloc(addressLen + 1); + if (addressBuf == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "out 
of memory\n"); + return -1; + } + if (CFStringGetCString(address, addressBuf, addressLen + 1, kCFStringEncodingUTF8) == TRUE) { + result = inet_pton(idtype == IPSECDOI_ID_IPV4_ADDR ? AF_INET : AF_INET6, addressBuf, numAddress); + racoon_free(addressBuf); + if (result == 0) + continue; // wrong type or invalid address + if (memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? 32 : 128) == 0) { // found a match ? + CFRelease(addresses); + CFRelease(certificate); + return 0; + } + } else + racoon_free(addressBuf); + } + plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n"); + plog(LLV_ERROR, LOCATION, NULL, + "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype)); + plog(LLV_ERROR, LOCATION, NULL, "ID:\n"); + plogdump(LLV_ERROR, id, idlen); + CFRelease(addresses); + CFRelease(certificate); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; +#else /* * Openssl returns the IPAddress as an ASN1 octet string (binary format) * followed by a trailing NULL. 5 bytes for IPv4 and 17 bytes for IPv6 @@ -2121,14 +2581,22 @@ oakley_check_certid_1(iph1, idtype, idlen, id) } for (pos = 1; ; pos++) { - if (eay_get_x509subjectaltname(&iph1->cert_p->cert, &altname, &type, pos, &len) !=0) { + if (eay_get_x509subjectaltname(cert, &altname, &type, pos, &len) !=0) { plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectAltName\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } return ISAKMP_NTYPE_INVALID_CERTIFICATE; } /* it's the end condition of the loop. */ if (!altname) { + plog(LLV_ERROR, LOCATION, NULL, + "invalid subjectAltName\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } 
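Review bot: In the TARGET_OS_EMBEDDED IPv4/IPv6 branch, `memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? 32 : 128)` uses bit lengths as byte counts: `inet_pton` wrote 4 or 16 bytes into `numAddress`, so the comparison covers 28/112 uninitialized bytes and reads the same amount past the `idlen`-byte `id`, and a legitimate address ID will practically never match. Compare the address size in bytes and require `idlen` to equal it first: `size_t alen = idtype == IPSECDOI_ID_IPV4_ADDR ? sizeof(struct in_addr) : sizeof(struct in6_addr);` and `if ((size_t)idlen == alen && memcmp(id, numAddress, alen) == 0) {`. The `racoon_malloc` failure path returns `-1`, which is not an `ISAKMP_NTYPE_*` code like every other return in this function, and leaks `addresses` and `certificate`. The DER_ASN1_DN branch releases `certificate` and `subject` only on its error paths; a successful match falls through to `return 0` without releasing either.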
@@ -2161,253 +2629,233 @@ oakley_check_certid_1(iph1, idtype, idlen, id) /* invalid IP address length in certificate - bad or bogus certificate */ plog(LLV_ERROR, LOCATION, NULL, "invalid IP address in certificate.\n"); + plog(LLV_ERROR, LOCATION, NULL, + "subjectAltName (expected type %s, got type %s):\n", + s_ipsecdoi_ident(idtype), + s_ipsecdoi_ident(type)); + plogdump(LLV_ERROR, altname, len); racoon_free(altname); altname = NULL; + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } return ISAKMP_NTYPE_INVALID_CERTIFICATE; } /* compare the addresses */ error = memcmp(id, altname, idlen); - racoon_free(altname); - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ID mismatched with subjectAltName.\n"); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - return 0; - } - } - case IPSECDOI_ID_FQDN: - case IPSECDOI_ID_USER_FQDN: - { - int pos; - - for (pos = 1; ; pos++) { - if (eay_get_x509subjectaltname(&iph1->cert_p->cert, &altname, &type, pos, &len) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get subjectAltName\n"); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - - /* it's the end condition of the loop. 
*/ - if (!altname) { - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - - if (check_typeofcertname(idtype, type) != 0) { - /* wrong general type - skip this one */ - racoon_free(altname); - altname = NULL; - continue; - } - - if (idlen != strlen(altname)) { - /* wrong length - skip this one */ - racoon_free(altname); - altname = NULL; + if (error) continue; - } - error = memcmp(id, altname, idlen); racoon_free(altname); - if (error) { - plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n"); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } return 0; - } - } - default: + } + /* failed to find a match */ plog(LLV_ERROR, LOCATION, NULL, - "Impropper ID type passed: %s.\n", - s_ipsecdoi_ident(idtype)); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - /*NOTREACHED*/ -} - -#else /* __APPLE__ */ - -/* - * compare certificate name and ID value. - */ -static int -oakley_check_certid(iph1) - struct ph1handle *iph1; -{ - struct ipsecdoi_id_b *id_b; - vchar_t *name = NULL; - char *altname = NULL; - int idlen, type; - int error; - - if (iph1->id_p == NULL || iph1->cert_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n"); + "ID mismatched with subjectAltName.\n"); + plog(LLV_ERROR, LOCATION, NULL, + "subjectAltName (expected type %s, got type %s):\n", + s_ipsecdoi_ident(idtype), + s_ipsecdoi_ident(type)); + plogdump(LLV_ERROR, altname, len); + plog(LLV_ERROR, LOCATION, NULL, + "ID:\n"); + plogdump(LLV_ERROR, id, idlen); + racoon_free(altname); + if (certStatus && !*certStatus) + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + +#endif /* TARGET_OS_EMBEDDED */ } - id_b = (struct ipsecdoi_id_b *)iph1->id_p->v; - idlen = iph1->id_p->l - sizeof(*id_b); - - switch (id_b->type) { - case IPSECDOI_ID_DER_ASN1_DN: - name = eay_get_x509asn1subjectname(&iph1->cert_p->cert); - if (!name) { +#if TARGET_OS_EMBEDDED + case IPSECDOI_ID_FQDN: + { + CFIndex pos, count; + SecCertificateRef certificate; + CFArrayRef names; + 
CFStringRef name, ID; + + certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert); + if (certificate == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to get subjectName\n"); + "failed to get SecCertificateRef\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID; + } return ISAKMP_NTYPE_INVALID_CERTIFICATE; } - if (idlen != name->l) { + names = SecCertificateCopyDNSNames(certificate); + if (names == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "Invalid ID length in phase 1.\n"); - vfree(name); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + "failed to get subjectName\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } + CFRelease(certificate); + return ISAKMP_NTYPE_INVALID_CERTIFICATE; } - error = memcmp(id_b + 1, name->v, idlen); - vfree(name); - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ID mismatched with ASN1 SubjectName.\n"); - plogdump(LLV_DEBUG, id_b + 1, idlen); - plogdump(LLV_DEBUG, name->v, idlen); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + count = CFArrayGetCount(names); + ID = CFStringCreateWithCString(NULL, id, kCFStringEncodingUTF8); + if (ID== NULL) { + plog(LLV_ERROR, LOCATION, NULL, "memory error\n"); + CFRelease(names); + CFRelease(certificate); + } - return 0; - case IPSECDOI_ID_IPV4_ADDR: - case IPSECDOI_ID_IPV6_ADDR: - { - /* - * converting to binary from string because openssl return - * a string even if object is a binary. - * XXX fix it ! access by ASN.1 directly without. - */ - struct addrinfo hints, *res; - caddr_t a = NULL; - int pos; - - for (pos = 1; ; pos++) { - if (eay_get_x509subjectaltname(&iph1->cert_p->cert, - &altname, &type, pos) !=0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get subjectAltName\n"); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - - /* it's the end condition of the loop. 
*/ - if (!altname) { - plog(LLV_ERROR, LOCATION, NULL, - "no proper subjectAltName.\n"); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; + for (pos = 0; pos < count; pos++) { + name = CFArrayGetValueAtIndex(names, pos); + if (CFStringCompare(name, ID, 0) == kCFCompareEqualTo) { + CFRelease(ID); + CFRelease(names); + CFRelease(certificate); + return 0; } - - if (check_typeofcertname(id_b->type, type) == 0) - break; - - /* next name */ - racoon_free(altname); - altname = NULL; } - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_RAW; - hints.ai_flags = AI_NUMERICHOST; - error = getaddrinfo(altname, NULL, &hints, &res); - if (error != 0) { + plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n"); + plog(LLV_ERROR, LOCATION, NULL, + "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype)); + plog(LLV_ERROR, LOCATION, NULL, "ID:\n"); + plogdump(LLV_ERROR, id, idlen); + CFRelease(ID); + CFRelease(names); + CFRelease(certificate); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + } + + case IPSECDOI_ID_USER_FQDN: + { + CFIndex pos, count; + + SecCertificateRef certificate; + CFArrayRef names; + CFStringRef name, ID; + + certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert); + if (certificate == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "no proper subjectAltName.\n"); - racoon_free(altname); + "failed to get SecCertificateRef\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID; + } return ISAKMP_NTYPE_INVALID_CERTIFICATE; } - switch (res->ai_family) { - case AF_INET: - a = (caddr_t)&((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr; - break; -#ifdef INET6 - case AF_INET6: - a = (caddr_t)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr; - break; -#endif - default: + names = SecCertificateCopyRFC822Names(certificate); + if (names == NULL) { plog(LLV_ERROR, LOCATION, NULL, - 
"family not supported: %d.\n", res->ai_family); - racoon_free(altname); - freeaddrinfo(res); + "failed to get subjectName\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } + CFRelease(certificate); return ISAKMP_NTYPE_INVALID_CERTIFICATE; } - error = memcmp(id_b + 1, a, idlen); - freeaddrinfo(res); - vfree(name); - if (error != 0) { + count = CFArrayGetCount(names); + ID = CFStringCreateWithCString(NULL, id, kCFStringEncodingUTF8); + if (ID == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "ID mismatched with subjectAltName.\n"); - plogdump(LLV_DEBUG, id_b + 1, idlen); - plogdump(LLV_DEBUG, a, idlen); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + "memory error\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID; + } + CFRelease(names); + CFRelease(certificate); + return ISAKMP_NTYPE_INVALID_CERTIFICATE; + } + for (pos = 0; pos < count; pos++) { + name = CFArrayGetValueAtIndex(names, pos); + if (CFStringCompare(name, ID, 0) == kCFCompareEqualTo) { + CFRelease(ID); + CFRelease(names); + CFRelease(certificate); + return 0; + } } - return 0; + plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n"); + plog(LLV_ERROR, LOCATION, NULL, + "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype)); + plog(LLV_ERROR, LOCATION, NULL, "ID:\n"); + plogdump(LLV_ERROR, id, idlen); + CFRelease(ID); + CFRelease(names); + CFRelease(certificate); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } +#else case IPSECDOI_ID_FQDN: case IPSECDOI_ID_USER_FQDN: { int pos; for (pos = 1; ; pos++) { - if (eay_get_x509subjectaltname(&iph1->cert_p->cert, - &altname, &type, pos) != 0){ + if (eay_get_x509subjectaltname(cert, &altname, &type, pos, &len) != 0) { plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectAltName\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } return 
ISAKMP_NTYPE_INVALID_CERTIFICATE; } /* it's the end condition of the loop. */ if (!altname) { plog(LLV_ERROR, LOCATION, NULL, - "no proper subjectAltName.\n"); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; + "invalid subjectAltName\n"); + if (certStatus && !*certStatus) { + *certStatus = CERT_STATUS_INVALID_SUBJALTNAME; + } + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } - if (check_typeofcertname(id_b->type, type) == 0) - break; + if (check_typeofcertname(idtype, type) != 0) { + /* wrong general type - skip this one */ + racoon_free(altname); + altname = NULL; + continue; + } - /* next name */ - racoon_free(altname); - altname = NULL; - } - if (idlen != strlen(altname)) { - plog(LLV_ERROR, LOCATION, NULL, - "Invalid ID length in phase 1.\n"); - racoon_free(altname); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - if (check_typeofcertname(id_b->type, type) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ID type mismatched. ID: %s CERT: %s.\n", - s_ipsecdoi_ident(id_b->type), - s_ipsecdoi_ident(type)); - racoon_free(altname); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - error = memcmp(id_b + 1, altname, idlen); - if (error) { - plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n"); - plogdump(LLV_DEBUG, id_b + 1, idlen); - plogdump(LLV_DEBUG, altname, idlen); + if (idlen != strlen(altname)) { + /* wrong length - skip this one */ + racoon_free(altname); + altname = NULL; + continue; + } + error = memcmp(id, altname, idlen); + if (error) + continue; racoon_free(altname); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + return 0; } + plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n"); + plog(LLV_ERROR, LOCATION, NULL, + "subjectAltName (expected type %s, got type %s):\n", + s_ipsecdoi_ident(idtype), + s_ipsecdoi_ident(type)); + plogdump(LLV_ERROR, altname, len); + plog(LLV_ERROR, LOCATION, NULL, + "ID:\n"); + plogdump(LLV_ERROR, id, idlen); racoon_free(altname); - return 0; + if (certStatus && !*certStatus) + *certStatus = 
CERT_STATUS_INVALID_SUBJALTNAME; + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } +#endif default: plog(LLV_ERROR, LOCATION, NULL, "Impropper ID type passed: %s.\n", - s_ipsecdoi_ident(id_b->type)); + s_ipsecdoi_ident(idtype)); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } + } /*NOTREACHED*/ } - -#endif /* __APPLE__ */ - +#ifdef HAVE_OPENSSL static int check_typeofcertname(doi, genid) int doi, genid; @@ -2438,6 +2886,7 @@ check_typeofcertname(doi, genid) } /*NOTREACHED*/ } +#endif /* * save certificate including certificate type. @@ -2449,9 +2898,10 @@ oakley_savecert(iph1, gen) { cert_t **c; u_int8_t type; +#ifdef HAVE_OPENSSL STACK_OF(X509) *certs=NULL; PKCS7 *p7; - +#endif type = *(u_int8_t *)(gen + 1) & 0xff; switch (type) { @@ -2482,14 +2932,11 @@ oakley_savecert(iph1, gen) return -1; } - /* XXX choice the 1th cert, ignore after the cert. */ - /* XXX should be processed. */ if (*c) { plog(LLV_WARNING, LOCATION, NULL, - "ignore 2nd CERT payload.\n"); - return 0; + "preexisting CERT payload... chaining.\n"); } - +#ifdef HAVE_OPENSSL if (type == ISAKMP_CERT_PKCS7) { u_char *bp; int i; 
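Review bot: In the TARGET_OS_EMBEDDED `IPSECDOI_ID_FQDN` case, the `if (ID== NULL)` block logs and releases `names` and `certificate` but does not return, so execution continues into `CFStringCompare(name, ID, 0)` with `ID` NULL and `names` already released; add the `if (certStatus && !*certStatus) { *certStatus = CERT_STATUS_INVALID; } return ISAKMP_NTYPE_INVALID_CERTIFICATE;` that the `IPSECDOI_ID_USER_FQDN` case already has. Both cases build `ID` with `CFStringCreateWithCString(NULL, id, kCFStringEncodingUTF8)`, but `id` points into the ID payload and is `idlen` bytes with no terminator, so the read runs past the ID; use `CFStringCreateWithBytes(NULL, id, idlen, kCFStringEncodingUTF8, false)` instead. In the OpenSSL `IPV4_ADDR/IPV6_ADDR` and `FQDN/USER_FQDN` loops the new `if (error) continue;` skips the `racoon_free(altname)` that used to run on mismatch, leaking one name per non-matching subjectAltName, and since both loops are `for (pos = 1; ; pos++)` with every exit a `return`, the "failed to find a match" blocks after them are unreachable (the `!altname` branch already reports the miss). This hunk is the body of `oakley_check_certid_1`, whose signature is in the preceding hunk.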
@@ -2536,54 +2983,38 @@ oakley_savecert(iph1, gen) for (i = 0; i < sk_X509_num(certs); i++) { int len; u_char *bp; + cert_t *new; X509 *cert = sk_X509_value(certs,i); plog(LLV_DEBUG, LOCATION, NULL, "Trying PKCS#7 cert %d.\n", i); /* We'll just try each cert in turn */ - *c = save_certx509(cert); - - if (!*c) { + new = save_certx509(cert); + if (!new) { plog(LLV_ERROR, LOCATION, NULL, "Failed to get CERT buffer.\n"); continue; } - - /* Ignore cert if it doesn't match identity - * XXX If verify cert is disabled, we still just take - * the first certificate.... - */ - if(iph1->rmconf->verify_cert && - oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)) { - plog(LLV_DEBUG, LOCATION, NULL, - "Discarding CERT: does not match ID.\n"); - oakley_delcert((*c)); - *c = NULL; - continue; - } - - { - char *p = eay_get_x509text(&(*c)->cert); - plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); - plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); - plog(LLV_DEBUG, LOCATION, NULL, "%s", - p ? p : "\n"); - racoon_free(p); - } - break; + *c = oakley_appendcert_to_certchain(*c, new); + plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); + plogdump(LLV_DEBUG, new->cert.v, new->cert.l); + oakley_cert_prettyprint(&new->cert); } PKCS7_free(p7); - } else { - *c = save_certbuf(gen); - if (!*c) { + } else +#endif + { + cert_t *new; + new = save_certbuf(gen); + if (!new) { plog(LLV_ERROR, LOCATION, NULL, "Failed to get CERT buffer.\n"); return -1; } - switch ((*c)->type) { + switch (new->type) { case ISAKMP_CERT_DNS: plog(LLV_WARNING, LOCATION, NULL, "CERT payload is unnecessary in DNSSEC. " 
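Review bot: Every CERT payload and every certificate inside a PKCS#7 payload is now appended to `*c` via `oakley_appendcert_to_certchain` with no upper bound (the old code kept only the first), and the same holds for the non-PKCS#7 path in `-2597 +3028` and for CRs in `-2674 +3095`; these payloads arrive from an unauthenticated peer, so the chain length should be capped (a small named constant checked before each append, with the extra entry logged and dropped) to keep memory and the per-entry work in `oakley_check_certid_in_certchain`/`oakley_check_x509cert` bounded. `oakley_appendcert_to_certchain` is O(n) per append, so building a chain is O(n²), which is fine once the length is bounded. The "preexisting CERT payload... chaining." message in `-2482 +2932` is logged at LLV_WARNING for what is now normal behavior; LLV_DEBUG seems more appropriate. `oakley_savecert` starts before these hunks.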
@@ -2597,34 +3028,23 @@ oakley_savecert(iph1, gen) * XXX If verify cert is disabled, we still just take * the first certificate.... */ - if(iph1->rmconf->verify_cert && - oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)){ - plog(LLV_DEBUG, LOCATION, NULL, - "Discarding CERT: does not match ID.\n"); - oakley_delcert((*c)); - *c = NULL; - return 0; - } - - { - char *p = eay_get_x509text(&(*c)->cert); - plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); - plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); - plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n"); - racoon_free(p); - } + *c = oakley_appendcert_to_certchain(*c, new); + plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); + plogdump(LLV_DEBUG, new->cert.v, new->cert.l); + oakley_cert_prettyprint(&new->cert); break; case ISAKMP_CERT_CRL: + *c = oakley_appendcert_to_certchain(*c, new); plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n"); - plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); + plogdump(LLV_DEBUG, new->cert.v, new->cert.l); + oakley_cert_prettyprint(&new->cert); break; case ISAKMP_CERT_X509KE: case ISAKMP_CERT_X509ATTR: case ISAKMP_CERT_ARL: default: /* XXX */ - oakley_delcert((*c)); - *c = NULL; + oakley_delcert(new); return 0; } } @@ -2642,6 +3062,7 @@ oakley_savecr(iph1, gen) { cert_t **c; u_int8_t type; + cert_t *new; type = *(u_int8_t *)(gen + 1) & 0xff; @@ -2674,15 +3095,15 @@ oakley_savecr(iph1, gen) return -1; } - *c = save_certbuf(gen); - if (!*c) { + new = save_certbuf(gen); + if (!new) { plog(LLV_ERROR, LOCATION, NULL, "Failed to get CR buffer.\n"); return -1; } - + *c = oakley_appendcert_to_certchain(*c, new); plog(LLV_DEBUG, LOCATION, NULL, "CR saved:\n"); - plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); + plogdump(LLV_DEBUG, new->cert.v, new->cert.l); return 0; } @@ -2722,6 +3143,7 @@ save_certbuf(gen) return new; } +#ifdef HAVE_OPENSSL static cert_t * save_certx509(cert) X509 *cert; @@ -2754,6 +3176,7 @@ save_certx509(cert) return new; } +#endif /* * get my CR. 
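Review bot: The comment kept at the top of this hunk, `* XXX If verify cert is disabled, we still just take the first certificate....`, now describes code that this commit removes; with every payload chained it is misleading and should be replaced by a one-line pointer to where ID matching now happens (apparently `oakley_verify_certid`, whose call site is not in this diff). CRL payloads are appended to the same list as certificates (`case ISAKMP_CERT_CRL: *c = oakley_appendcert_to_certchain(*c, new);`), so any consumer walking `chain` has to filter on `type`; that is worth stating in `oakley_savecert`'s header comment. The same unbounded growth applies to `oakley_savecr` in the hunk below, where CR payloads now accumulate via `oakley_appendcert_to_certchain` as well.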
@@ -2861,7 +3284,6 @@ oakley_skeyid(iph1) case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: #endif -#ifdef __APPLE__ if (iph1->rmconf->shared_secret) { switch (iph1->rmconf->secrettype) { @@ -2882,12 +3304,16 @@ oakley_skeyid(iph1) case SECRETTYPE_USE: /* in the remote configuration */ default: - iph1->authstr = vdup(iph1->rmconf->shared_secret); + /* rmconf->shared_secret is a string and contains a NULL character that must be removed */ + iph1->authstr = vmalloc(iph1->rmconf->shared_secret->l - 1); + if (iph1->authstr == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "memory error.\n"); + break; + } + memcpy(iph1->authstr->v, iph1->rmconf->shared_secret->v, iph1->authstr->l); } - } else -#endif if (iph1->etype != ISAKMP_ETYPE_IDENT) { iph1->authstr = getpskbyname(iph1->id_p); if (iph1->authstr == NULL) { @@ -3286,13 +3712,14 @@ oakley_newcert() } new->pl = NULL; + new->chain = NULL; return new; } /* delete buffer for CERT */ void -oakley_delcert(cert) +oakley_delcert_1(cert) cert_t *cert; { if (!cert) @@ -3301,7 +3728,44 @@ oakley_delcert(cert) VPTRINIT(cert->pl); racoon_free(cert); } - + +/* delete buffer for CERT */ +void +oakley_delcert(cert) + cert_t *cert; +{ + cert_t *p, *to_delete; + + if (!cert) + return; + + for (p = cert; p;) { + to_delete = p; + p = p->chain; + oakley_delcert_1(to_delete); + } +} + +/* delete buffer for CERT */ +static cert_t * +oakley_appendcert_to_certchain(certchain, new) + cert_t *certchain; + cert_t *new; +{ + cert_t *p; + + if (!certchain) + return new; + + for (p = certchain; p; p = p->chain) { + if (!p->chain) { + p->chain = new; + return certchain; + } + } + return NULL; +} + /* * compute IV and set to ph1handle * IV = hash(g^xi | g^xr) 
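Review bot: `vmalloc(iph1->rmconf->shared_secret->l - 1)` wraps to a huge size when `shared_secret->l` is 0 (the length is a `size_t`), and the comment's premise that the buffer ends in a NUL byte is never checked; guard both first, e.g. `if (iph1->rmconf->shared_secret->l < 1) { plog(LLV_ERROR, LOCATION, NULL, "empty shared secret.\n"); break; }` and verify `v[l - 1] == '\0'` before trusting `l - 1` as the key length. On allocation failure the `break` leaves `iph1->authstr` NULL and execution continues rather than failing the exchange; whether the code after the hunk tolerates that is not visible here. The `} else` that closed the `if (iph1->rmconf->shared_secret)` block is removed and no closing brace or `else` is visible before `if (iph1->etype != ISAKMP_ETYPE_IDENT)`, so if the two paths have become sequential a configured shared secret could be overwritten by `getpskbyname`; `oakley_skeyid` continues past the hunk, so please check the full function.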
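Review bot: In `oakley_appendcert_to_certchain` the trailing `return NULL;` is unreachable, since the loop always reaches a node whose `chain` is NULL, but every caller assigns the result straight into `*c`, so if it were ever reached the whole chain would be dropped and leaked; return `certchain` there instead so the function has a single safe exit. The header comment above it, `/* delete buffer for CERT */`, was copied from `oakley_delcert` and is wrong; suggest `/* append new to the tail of certchain; returns the head of the resulting chain */`. Appending walks the full chain each time, so saving n CERT payloads is O(n^2), which is another reason to cap the chain length at the call sites. `oakley_delcert` now frees the entire chain, so any caller that kept a pointer to a later element must be checked, though none is visible in this diff.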
@@ -3735,7 +4199,6 @@ oakley_padlen(len, base) return padlen; } -#ifdef __APPLE__ /* ----------------------------------------------------------------------------- The base-64 encoding packs three 8-bit bytes into four 7-bit ASCII characters. If the number of bytes in the original data isn't divisable @@ -3813,4 +4276,4 @@ static int base64toCFData(vchar_t *textin, CFDataRef *dataRef) return -1; } -#endif + diff --git a/ipsec-tools/racoon/oakley.h b/ipsec-tools/racoon/oakley.h index 7b0a601..7c7e48c 100644 --- a/ipsec-tools/racoon/oakley.h +++ b/ipsec-tools/racoon/oakley.h @@ -34,7 +34,12 @@ #ifndef _OAKLEY_H #define _OAKLEY_H +#include "config.h" + #include "vmbuf.h" +#ifndef HAVE_OPENSSL +#include +#endif /* refer to RFC 2409 */ @@ -153,6 +158,9 @@ #define MAXPADLWORD 20 struct dhgroup { +#ifndef HAVE_OPENSSL + int desc; +#endif int type; vchar_t *prime; int gen1; @@ -166,6 +174,8 @@ typedef enum cert_status { CERT_STATUS_OK = 0, CERT_STATUS_PREMATURE, CERT_STATUS_EXPIRED, + CERT_STATUS_INVALID_SUBJNAME, + CERT_STATUS_INVALID_SUBJALTNAME, CERT_STATUS_INVALID, } cert_status_t; @@ -177,6 +187,7 @@ typedef struct cert_t_tag { vchar_t cert; /* pointer to the CERT */ vchar_t *pl; /* CERT payload minus isakmp general header */ cert_status_t status; + struct cert_t_tag *chain; } cert_t; struct ph1handle; 
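Review bot: `chain` is added to `cert_t` without a comment while every neighbouring field has one; suggest `struct cert_t_tag *chain; /* next CERT/CR payload from the same peer, NULL at the tail; freed as a whole by oakley_delcert */`, which matches how oakley.c now uses it. Since CR payloads and CRLs are chained through the same field, the comment should also say that walkers must check `type`. Inserting `CERT_STATUS_INVALID_SUBJNAME` and `CERT_STATUS_INVALID_SUBJALTNAME` ahead of `CERT_STATUS_INVALID` shifts that enumerator's numeric value; harmless if it is only compared symbolically, but worth a glance if it is logged or persisted as a number anywhere.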
@@ -187,10 +198,13 @@ extern int oakley_get_defaultlifetime __P((void)); extern int oakley_dhinit __P((void)); extern void oakley_dhgrp_free __P((struct dhgroup *)); -extern int oakley_dh_compute __P((const struct dhgroup *, - vchar_t *, vchar_t *, vchar_t *, vchar_t **)); -extern int oakley_dh_generate __P((const struct dhgroup *, - vchar_t **, vchar_t **)); +#ifdef HAVE_OPENSSL +extern int oakley_dh_compute __P((const struct dhgroup *, vchar_t *, vchar_t *, vchar_t *, vchar_t **)); +extern int oakley_dh_generate __P((const struct dhgroup *, vchar_t **, vchar_t **)); +#else +extern int oakley_dh_compute __P((const struct dhgroup *, vchar_t *, size_t, vchar_t **, SecDHContext)); +extern int oakley_dh_generate __P((const struct dhgroup *, vchar_t **, size_t *, SecDHContext*)); +#endif extern int oakley_setdhgroup __P((int, struct dhgroup **)); extern vchar_t *oakley_prf __P((vchar_t *, vchar_t *, struct ph1handle *)); @@ -212,6 +226,9 @@ extern vchar_t *oakley_ph1hash_base_r __P((struct ph1handle *, int)); extern int oakley_validate_auth __P((struct ph1handle *)); extern int oakley_getmycert __P((struct ph1handle *)); extern int oakley_getsign __P((struct ph1handle *)); +extern cert_t * oakley_get_peer_cert_from_certchain __P((struct ph1handle *)); +extern int oakley_find_status_in_certchain __P((cert_t *, cert_status_t)); +extern void oakley_verify_certid __P((struct ph1handle *)); extern vchar_t *oakley_getcr __P((struct ph1handle *)); extern int oakley_checkcr __P((struct ph1handle *)); extern int oakley_needcr __P((int)); diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index ef64f60..aa10d6d 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c @@ -44,12 +44,7 @@ #include #ifdef ENABLE_NATT -# ifdef __linux__ -# include -# endif -# if defined(__NetBSD__) || defined(__FreeBSD__) -# include -# endif +#include #endif #include 
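Review bot: The three new externs (`oakley_get_peer_cert_from_certchain`, `oakley_find_status_in_certchain`, `oakley_verify_certid`) arrive without any comment, yet they replace identity checking that used to happen inside `oakley_savecert`, so the header is the natural place to say when they must be called; suggest `/* oakley_verify_certid must run after all CERT payloads are saved and before any chain entry is used for authentication */` once that ordering is confirmed against the callers, which are not in this diff. The `oakley_dh_compute`/`oakley_dh_generate` prototypes now differ in arity and types between the `HAVE_OPENSSL` and non-OpenSSL builds, so every caller needs the same `#ifdef`; a one-line comment on the `#ifdef` noting that the non-OpenSSL variant carries a `SecDHContext` would save the next reader a search.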
@@ -59,11 +54,7 @@ #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #ifndef HAVE_NETINET6_IPSEC @@ -108,6 +99,7 @@ #include "ike_session.h" #include "ipsecSessionTracer.h" #include "ipsecMessageTracer.h" +#include "power_mgmt.h" #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC) #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC @@ -277,6 +269,12 @@ pfkey_handler() struct sadb_msg *msg; int len; + if (slept_at || woke_at) { + plog(LLV_DEBUG, LOCATION, NULL, + "ignoring pfkey port until power-mgmt event is handled.\n"); + return 0; + } + /* receive pfkey message. */ len = 0; msg = (struct sadb_msg *)pk_recv(lcconf->sock_pfkey, &len); @@ -299,7 +297,13 @@ pfkey_post_handler() { struct saved_msg_elem *elem; struct saved_msg_elem *elem_tmp = NULL; - + + if (slept_at || woke_at) { + plog(LLV_DEBUG, LOCATION, NULL, + "ignoring (saved) pfkey messages until power-mgmt event is handled.\n"); + return 0; + } + TAILQ_FOREACH_SAFE(elem, &lcconf->saved_msg_queue, chain, elem_tmp) { pfkey_process((struct sadb_msg *)elem->msg); TAILQ_REMOVE(&lcconf->saved_msg_queue, elem, chain); @@ -361,9 +365,6 @@ pfkey_dump_sadb(satype) continue; } - if (msg->sadb_msg_pid != pid) - continue; - /* * for multi-processor system this had to be added because the messages can * be interleaved - they won't all be dump messages @@ -374,6 +375,10 @@ pfkey_dump_sadb(satype) continue; } + // ignore dump messages that aren't racoon's + if (msg->sadb_msg_pid != pid) + continue; + ml = msg->sadb_msg_len << 3; bl = buf ? buf->l : 0; buf = vrealloc(buf, bl + ml); @@ -1149,7 +1154,6 @@ pk_sendupdate(iph2) lifebyte = 0; #endif -#ifdef __APPLE__ #ifdef ENABLE_NATT plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n"); if (pr->udp_encap) { 
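Review bot: `slept_at` and `woke_at` are plain `time_t` globals written from the power-management thread's run loop in power_mgmt.c and read here in `pfkey_handler` (and in `pfkey_post_handler` in the next hunk) and reset in `check_power_mgmt`, presumably on the main thread, with no synchronisation, which is a data race; guard them with a mutex or read and write them through atomics, and have only one side reset them. While either flag is set this hunk returns 0 without reading `lcconf->sock_pfkey`, so the socket stays readable and, if the caller's select loop (not shown) re-polls it, racoon will spin emitting this debug message until `check_power_mgmt` clears the flags; kernel messages can also be lost if the socket buffer fills in the meantime. Worth confirming that the main loop calls `check_power_mgmt` before `pfkey_handler` on each iteration.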
@@ -1159,11 +1163,17 @@ pk_sendupdate(iph2)
 if (iph2->ph1->natt_flags & NAT_DETECTED_ME) {
 if (iph2->ph1->rmconf->natt_keepalive == TRUE)
 flags |= SADB_X_EXT_NATT_KEEPALIVE;
- }
- else if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
- mode == IPSEC_MODE_TRANSPORT &&
- src->sa_family == AF_INET)
+ } else {
+ if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
+ mode == IPSEC_MODE_TRANSPORT &&
+ src->sa_family == AF_INET) {
 flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
+ }
+ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
+ // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
+ flags |= SADB_X_EXT_NATT_DETECTED_PEER;
+ }
+ }
 } else {
 memset (&natt, 0, sizeof (natt));
 }
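Review bot: The comment `// is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE` states a rule without saying what enforces it; the exclusivity is only a consequence of this `else` branch, so `/* not combined with SADB_X_EXT_NATT_KEEPALIVE, which is set only in the NAT_DETECTED_ME branch above */` would tell the reader where the guarantee comes from. This flag computation is now duplicated line for line in `pk_sendadd` (the `@@ -1534,11 +1490,17 @@` hunk), differing only in which address's family is tested; a small static helper taking the ph1 handle, the mode and the address would keep the two from drifting apart. Note that the whole `if (pr->udp_encap)` block starts before this hunk.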
@@ -1207,62 +1217,6 @@ pk_sendupdate(iph2) return -1; } #endif /* ENABLE_NATT */ -#else -#ifdef ENABLE_NATT - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update_nat\n"); - if (pr->udp_encap) { - memset (&natt, 0, sizeof (natt)); - natt.type = iph2->ph1->natt_options->encaps_type; - natt.sport = extract_port (iph2->ph1->remote); - natt.dport = extract_port (iph2->ph1->local); - natt.oa = NULL; // FIXME: Here comes OA!!! - natt.frag = iph2->ph1->rmconf->esp_frag; - } else { - memset (&natt, 0, sizeof (natt)); - } - - if (pfkey_send_update_nat( - lcconf->sock_pfkey, - satype, - mode, - dst, - src, - pr->spi, - pr->reqid_in, - wsize, - pr->keymat->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq, - natt.type, natt.sport, natt.dport, natt.oa, - natt.frag) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send update_nat (%s)\n", - ipsec_strerror()); - return -1; - } -#else - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n"); - if (pfkey_send_update( - lcconf->sock_pfkey, - satype, - mode, - dst, - src, - pr->spi, - pr->reqid_in, - wsize, - pr->keymat->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send update (%s)\n", - ipsec_strerror()); - return -1; - } -#endif /* ENABLE_NATT */ -#endif /* __APPLE__ */ if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) continue; @@ -1420,6 +1374,9 @@ pk_recvupdate(mhp) ike_session_ph2_established(iph2); + IPSECLOGASLMSG("IPSec Phase2 established (Initiated by %s).\n", + (iph2->side == INITIATOR)? "me" : "peer"); + #ifdef ENABLE_STATS gettimeofday(&iph2->end, NULL); syslog(LOG_NOTICE, "%s(%s): %8.6f", @@ -1523,7 +1480,6 @@ pk_sendadd(iph2) lifebyte = 0; #endif -#ifdef __APPLE__ #ifdef ENABLE_NATT plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n"); 
@@ -1534,11 +1490,17 @@ pk_sendadd(iph2)
 if (iph2->ph1->natt_flags & NAT_DETECTED_ME) {
 if (iph2->ph1->rmconf->natt_keepalive == TRUE)
 flags |= SADB_X_EXT_NATT_KEEPALIVE;
- }
- else if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
- mode == IPSEC_MODE_TRANSPORT &&
- dst->sa_family == AF_INET)
+ } else {
+ if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
+ mode == IPSEC_MODE_TRANSPORT &&
+ dst->sa_family == AF_INET) {
 flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
+ }
+ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
+ // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
+ flags |= SADB_X_EXT_NATT_DETECTED_PEER;
+ }
+ }
 } else {
 memset (&natt, 0, sizeof (natt));
@@ -1591,73 +1553,6 @@ pk_sendadd(iph2) return -1; } #endif /* ENABLE_NATT */ -#else /* __APPLE__ */ -#ifdef ENABLE_NATT - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add_nat\n"); - - if (pr->udp_encap) { - memset (&natt, 0, sizeof (natt)); - natt.type = UDP_ENCAP_ESPINUDP; - natt.sport = extract_port (iph2->ph1->local); - natt.dport = extract_port (iph2->ph1->remote); - natt.oa = NULL; // FIXME: Here comes OA!!! - natt.frag = iph2->ph1->rmconf->esp_frag; - } else { - memset (&natt, 0, sizeof (natt)); - - /* Remove port information, that SA doesn't use it */ - set_port(src, 0); - set_port(dst, 0); - } - - if (pfkey_send_add_nat( - lcconf->sock_pfkey, - satype, - mode, - src, - dst, - pr->spi_p, - pr->reqid_out, - wsize, - pr->keymat_p->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq, - natt.type, natt.sport, natt.dport, natt.oa, - natt.frag) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send add_nat (%s)\n", - ipsec_strerror()); - return -1; - } -#else - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n"); - - /* Remove port information, it is not used without NAT-T */ - set_port(src, 0); - set_port(dst, 0); - - if (pfkey_send_add( - lcconf->sock_pfkey, - satype, - mode, - src, - dst, - pr->spi_p, - pr->reqid_out, - wsize, - pr->keymat_p->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send add (%s)\n", - ipsec_strerror()); - return -1; - } -#endif /* ENABLE_NATT */ -#endif /* __APPLE__ */ - if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) continue; 
@@ -1847,7 +1742,7 @@ pk_recvexpire(mhp) /* allocate buffer for status management of pfkey message */ if (iph2->side == INITIATOR && !ike_session_has_other_established_ph2(iph2->parent_session, iph2) && - !ike_session_drop_rekey(iph2->parent_session)) { + !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) { initph2(iph2); @@ -2082,7 +1977,6 @@ pk_recvacquire(mhp) return -1; /* XXX should use the algorithm list from register message */ } -#ifdef __APPLE__ if (link_sainfo_to_ph2(iph2[n]->sainfo) != 0) { plog(LLV_ERROR, LOCATION, NULL, "failed to link sainfo\n"); @@ -2090,7 +1984,6 @@ pk_recvacquire(mhp) delph2(iph2[n]); return -1; } -#endif } if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) { @@ -3080,14 +2973,6 @@ addnewsp(mhp) daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; -#ifdef __linux__ - /* bsd skips over per-socket policies because there will be no - * src and dst extensions in spddump messages. On Linux the only - * way to achieve the same is check for policy id. - */ - if (xpl->sadb_x_policy_id % 8 >= 3) return 0; -#endif - new = newsp(); if (new == NULL) { plog(LLV_ERROR, LOCATION, NULL, diff --git a/ipsec-tools/racoon/plog.c b/ipsec-tools/racoon/plog.c index 0bfae4c..d04aa3a 100644 --- a/ipsec-tools/racoon/plog.c +++ b/ipsec-tools/racoon/plog.c @@ -55,6 +55,8 @@ #endif #include #include +#include +#include #include "var.h" #include "misc.h" @@ -76,6 +78,7 @@ int f_foreground = 0; int print_location = 0; static struct log *logp = NULL; +static pthread_mutex_t logp_mtx = {0}; static char *logfile = NULL; static char *plog_common __P((int, const char *, const char *)); 
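Review bot: `static pthread_mutex_t logp_mtx = {0};` is not an initialised mutex, so any `plog` call that reaches `plogv` before `plogmtxinit` runs (the `@@ -137,12 +140,22 @@` hunk) locks an uninitialised object, which POSIX leaves undefined; the call site of `plogmtxinit` is not in this chunk, and logging during early start-up and config parsing is common in this daemon. Either initialise statically, `static pthread_mutex_t logp_mtx = PTHREAD_MUTEX_INITIALIZER;` (on Darwin `PTHREAD_RECURSIVE_MUTEX_INITIALIZER` gives the recursive variant that `plogreset` needs, which would let `plogmtxinit` go away), or run the init through `pthread_once` from every entry point. Calling `pthread_mutex_init` on a mutex that is already statically initialised is itself undefined, so pick one of the two schemes rather than combining them.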
@@ -96,27 +99,27 @@ static struct plogtags { static char * plog_common(pri, fmt, func) - int pri; - const char *fmt, *func; +int pri; +const char *fmt, *func; { static char buf[800]; /* XXX shoule be allocated every time ? */ char *p; int reslen, len; - + p = buf; reslen = sizeof(buf); - + if (logfile || f_foreground) { time_t t; struct tm *tm; - + t = time(0); tm = localtime(&t); len = strftime(p, reslen, "%Y-%m-%d %T: ", tm); p += len; reslen -= len; } - + if (pri < ARRAYLEN(ptab)) { if (print_pid) len = snprintf(p, reslen, "[%d] %s: ", getpid(), ptab[pri].name); @@ -128,7 +131,7 @@ plog_common(pri, fmt, func) } else *p = '\0'; } - + if (print_location) snprintf(p, reslen, "%s: %s", func, fmt); else @@ -137,12 +140,22 @@ plog_common(pri, fmt, func) while ((p = strstr(buf,"%z")) != NULL) p[1] = 'l'; #endif - + return buf; } void -plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...) +plogmtxinit (void) +{ + pthread_mutexattr_t attrs; + pthread_mutexattr_init(&attrs); + pthread_mutexattr_settype(&attrs, PTHREAD_MUTEX_RECURSIVE); + pthread_mutex_init(&logp_mtx, &attrs); + pthread_mutexattr_destroy(&attrs); +} + +void +plog_func(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...) { va_list ap; @@ -153,29 +166,33 @@ plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...) void plogv(int pri, const char *func, struct sockaddr *sa, - const char *fmt, va_list *ap) + const char *fmt, va_list *ap) { char *newfmt; va_list ap_bak; - + if (pri > loglevel) return; - newfmt = plog_common(pri, fmt, func); + pthread_mutex_lock(&logp_mtx); + newfmt = plog_common(pri, fmt, func); + VA_COPY(ap_bak, ap); if (f_foreground) vprintf(newfmt, *ap); - - if (logfile) + + + if (logfile) { log_vaprint(logp, newfmt, ap_bak); - else { + } else { if (pri < ARRAYLEN(ptab)) vsyslog(ptab[pri].priority, newfmt, ap_bak); else vsyslog(LOG_ALERT, newfmt, ap_bak); } + pthread_mutex_unlock(&logp_mtx); } void 
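Review bot: The lock in `plogv` protects `plog_common`'s `static char buf[800]` and the `logp` handle that `ploginit` replaces, and it has to be recursive because `plogreset` (the `@@ -223,38 +240,50 @@` hunk) calls `plogset` and `ploginit` while holding it; none of that is written down, so a comment on `logp_mtx` such as `/* guards plog_common's static buffer, logp and logfile; recursive because plogreset re-enters plogset/ploginit with it held */` would keep the next change from breaking the invariant. The `pthread_mutex_lock` return values are ignored here and in the other plog entry points; for a recursive mutex the lock can fail, and silently continuing would reintroduce the race on `buf`. The early `return` on `pri > loglevel` correctly stays ahead of the lock.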
@@ -215,7 +232,7 @@ plogdump(pri, data, len) buf[i++] = '\n'; buf[i] = '\0'; } - plog(pri, LOCATION, NULL, "%s", buf); + plog_func(pri, LOCATION, NULL, "%s", buf); racoon_free(buf); } @@ -223,38 +240,50 @@ plogdump(pri, data, len) void ploginit() { + pthread_mutex_lock(&logp_mtx); + if (logfile) { logp = log_open(250, logfile); if (logp == NULL) errx(1, "ERROR: failed to open log file %s.", logfile); + pthread_mutex_unlock(&logp_mtx); return; } openlog(pname, LOG_NDELAY, LOG_DAEMON); + + pthread_mutex_unlock(&logp_mtx); } void plogset(file) char *file; { + pthread_mutex_lock(&logp_mtx); if (logfile != NULL) racoon_free(logfile); logfile = racoon_strdup(file); STRDUP_FATAL(logfile); + pthread_mutex_unlock(&logp_mtx); } void plogreset(file) char *file; { - + pthread_mutex_lock(&logp_mtx); + /* if log paths equal - do nothing */ - if (logfile == NULL && file == NULL) + if (logfile == NULL && file == NULL) { + pthread_mutex_unlock(&logp_mtx); return; + } if (logfile != NULL && file != NULL) - if (!strcmp(logfile, file)) + if (!strcmp(logfile, file)) { + pthread_mutex_unlock(&logp_mtx); return; - + } + if (logfile == NULL) /* no logfile was specified - daemon was used */ closelog(); /* close it */ else { @@ -267,6 +296,8 @@ plogreset(file) if (file) plogset(file); ploginit(); + + pthread_mutex_unlock(&logp_mtx); } /* @@ -280,7 +311,6 @@ binsanitize(binstr, n) size_t n; { int p,q; - char* d; for (p = 0, q = 0; p < n; p++) { if (isgraph((int)binstr[p])) { binstr[q++] = binstr[p]; diff --git a/ipsec-tools/racoon/plog.h b/ipsec-tools/racoon/plog.h index 8b5a354..d0b3930 100644 --- a/ipsec-tools/racoon/plog.h +++ b/ipsec-tools/racoon/plog.h 
@@ -66,7 +66,7 @@ extern int f_foreground;
 extern int print_location;
 struct sockaddr;
-extern void plog __P((int, const char *, struct sockaddr *, const char *, ...))
+extern void plog_func __P((int, const char *, struct sockaddr *, const char *, ...))
 __attribute__ ((__format__ (__printf__, 4, 5)));
 extern void plogv __P((int, const char *, struct sockaddr *, const char *, va_list *));
@@ -76,4 +76,11 @@ extern void plogset __P((char *));
 extern char* binsanitize __P((char*, size_t));
+#define plog(pri, func, sa, fmt, args...) do { \
+ if (pri <= loglevel) { \
+ plog_func(pri, func, sa, fmt, ##args); \
+ } \
+ } while(0)
+extern void plogmtxinit __P((void));
+
 #endif /* _PLOG_H */
diff --git a/ipsec-tools/racoon/policy.c b/ipsec-tools/racoon/policy.c
index d9bb5de..f090693 100644
--- a/ipsec-tools/racoon/policy.c
+++ b/ipsec-tools/racoon/policy.c
@@ -287,7 +287,6 @@ cmpspidxwild(a, b)
 if (a->dst.ss_family != b->dst.ss_family)
 return 1;
-#ifndef __linux__
 /* compare src address */
 if (sizeof(sa1) < a->src.ss_len || sizeof(sa2) < b->src.ss_len) {
 plog(LLV_ERROR, LOCATION, NULL,
@@ -296,7 +295,6 @@ cmpspidxwild(a, b)
 a->src.ss_len, b->src.ss_len);
 return 1;
 }
-#endif
 mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->src, b->prefs);
 mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->src,
@@ -308,13 +306,11 @@ cmpspidxwild(a, b)
 if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
 return 1;
-#ifndef __linux__
 /* compare dst address */
 if (sizeof(sa1) < a->dst.ss_len || sizeof(sa2) < b->dst.ss_len) {
 plog(LLV_ERROR, LOCATION, NULL, "unexpected error\n");
 exit(1);
 }
-#endif
 mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->dst, b->prefd);
 mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->dst,
diff --git a/ipsec-tools/racoon/power_mgmt.c b/ipsec-tools/racoon/power_mgmt.c
new file mode 100644
index 0000000..e020aa6
--- /dev/null
+++ b/ipsec-tools/racoon/power_mgmt.c
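Review bot: The new `plog` macro evaluates `pri` twice and does not parenthesise it, so a caller passing a conditional expression as the level would be mis-parsed by `pri <= loglevel`; suggest `#define plog(pri, func, sa, fmt, args...) do { if ((pri) <= loglevel) { plog_func((pri), (func), (sa), (fmt), ##args); } } while (0)`. Turning `plog` into a macro also breaks any translation unit that takes its address or passes it as a callback, which would now fail to compile; `plogdump` was updated to `plog_func`, but other such uses are not visible here. The macro reads `loglevel` directly, so every file that includes plog.h must see its `extern` declaration before the first use.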
@@ -0,0 +1,217 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#if !TARGET_OS_EMBEDDED +#include +#endif /* !TARGET_OS_EMBEDDED */ +#include + +#include "var.h" +#include "misc.h" +#include "vmbuf.h" +#include "plog.h" +#include "sockmisc.h" +#include "schedule.h" +#include "debug.h" + +#include "isakmp_var.h" +#include "isakmp.h" +#include "handler.h" + +#ifndef kIOPMAcknowledgmentOptionSystemCapabilityRequirements +IONotificationPortRef notify; +io_object_t iterator; +io_connect_t gIOPort; +CFUserNotificationRef gSleepNotification = NULL; +#endif // !kIOPMAcknowledgmentOptionSystemCapabilityRequirements + +pthread_t power_mgmt_thread; +time_t slept_at = 0; +time_t woke_at = 0; +time_t swept_at = 0; + +static int sleeping = 0; + +#ifdef kIOPMAcknowledgmentOptionSystemCapabilityRequirements +#define WAKE_CAPS (kIOPMSystemPowerStateCapabilityCPU | kIOPMSystemPowerStateCapabilityNetwork) + +IOPMConnection gPMConnection = NULL; + +static void +iosleep_capabilities_notifier(void *param, IOPMConnection connection, IOPMConnectionMessageToken token, IOPMSystemPowerStateCapabilities capabilities) +{ + plog(LLV_DEBUG, LOCATION, NULL,"received power-mgmt event: capabilities %X%s%s%s%s%s", + capabilities, + capabilities & kIOPMSystemPowerStateCapabilityCPU ? " CPU" : "", + capabilities & kIOPMSystemPowerStateCapabilityVideo ? " Video" : "", + capabilities & kIOPMSystemPowerStateCapabilityAudio ? " Audio" : "", + capabilities & kIOPMSystemPowerStateCapabilityNetwork ? " Network" : "", + capabilities & kIOPMSystemPowerStateCapabilityDisk ? 
" Disk" : ""); + + if ((capabilities & WAKE_CAPS) != WAKE_CAPS) { + if (!sleeping) { + plog(LLV_DEBUG, LOCATION, NULL, + "received power-mgmt event: will sleep\n"); + sleeping = 1; + slept_at = current_time(); + } else { + plog(LLV_DEBUG, LOCATION, NULL, + "ignored power-mgmt event: sleep(%x) while asleep\n", capabilities); + } + IOPMConnectionAcknowledgeEvent(connection, token ); + } else if ((capabilities & WAKE_CAPS) == WAKE_CAPS) { + // allow processing of packets + if (sleeping) { + plog(LLV_DEBUG, LOCATION, NULL, + "received power-mgmt event: will wake(%x)\n", capabilities); + sleeping = 0; + woke_at = current_time(); + } else { + plog(LLV_DEBUG, LOCATION, NULL, + "ignored power-mgmt event: wake(%x) while not asleep\n", capabilities); + } + IOPMConnectionAcknowledgeEvent(connection, token); + } else { + plog(LLV_DEBUG, LOCATION, NULL, + "ignored power-mgmt event: capabilities(%x)\n", capabilities); + IOPMConnectionAcknowledgeEvent(connection, token); + } +} + +#else + +static +void iosleep_notifier(void * x, io_service_t y, natural_t messageType, void *messageArgument) +{ + switch ( messageType ) { + case kIOMessageSystemWillSleep: + sleeping = 1; + slept_at = current_time(); + plog(LLV_DEBUG, LOCATION, NULL, + "received power-mgmt event: will sleep\n"); + IOAllowPowerChange(gIOPort, (long)messageArgument); + break; + case kIOMessageCanSystemSleep: + IOAllowPowerChange(gIOPort, (long)messageArgument); + break; + case kIOMessageSystemWillNotSleep: + /* someone refused an idle sleep */ + plog(LLV_DEBUG, LOCATION, NULL, + "received power-mgmt event: will not sleep\n"); + sleeping = 0; + slept_at = 0; + break; + case kIOMessageSystemWillPowerOn: + if (sleeping) { + plog(LLV_DEBUG, LOCATION, NULL, + "received power-mgmt event: will wake\n"); + sleeping = 0; + } else { + plog(LLV_DEBUG, LOCATION, NULL, + "received power-mgmt event: will power-on\n"); + } + break; + case kIOMessageSystemHasPoweredOn: + woke_at = current_time(); + if (slept_at) { + plog(LLV_DEBUG, 
LOCATION, NULL, + "received power-mgmt event: has woken\n"); + } else { + plog(LLV_DEBUG, LOCATION, NULL, + "received power-mgmt event: has powered-on\n"); + } + break; + default: + plog(LLV_DEBUG, LOCATION, NULL, + "received power-mgmt event: %x\n", messageType); + break; + } +} +#endif // kIOPMAcknowledgmentOptionSystemCapabilityRequirements + +void * +power_mgmt_thread_func (void *arg) +{ +#ifdef kIOPMAcknowledgmentOptionSystemCapabilityRequirements + IOReturn ret; + + ret = IOPMConnectionCreate(CFSTR("racoon power-mgmt"), + WAKE_CAPS, + &gPMConnection); + if (ret != kIOReturnSuccess) { + plog(LLV_ERROR, LOCATION, NULL,"IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret); + return NULL; + } + + ret = IOPMConnectionSetNotification(gPMConnection, NULL, iosleep_capabilities_notifier); + if (ret != kIOReturnSuccess) { + plog(LLV_ERROR, LOCATION, NULL,"IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret); + return NULL; + } + + ret = IOPMConnectionScheduleWithRunLoop(gPMConnection, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode); + if (ret != kIOReturnSuccess) { + plog(LLV_ERROR, LOCATION, NULL,"IOPMConnectionCreate failed (%d) power-mgmt thread\n", ret); + return NULL; + } +#else + if ((gIOPort = IORegisterForSystemPower(0, ¬ify, iosleep_notifier, &iterator)) == MACH_PORT_NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "IORegisterForSystemPower failed for power-mgmt thread\n"); + return NULL; + } + + CFRunLoopAddSource(CFRunLoopGetCurrent(), + IONotificationPortGetRunLoopSource(notify), + kCFRunLoopDefaultMode); +#endif // kIOPMAcknowledgmentOptionSystemCapabilityRequirements + + CFRunLoopRun(); + return NULL; +} + +int +init_power_mgmt (void) +{ + int err; + + if ((err = pthread_create(&power_mgmt_thread, NULL, power_mgmt_thread_func, NULL))) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to create power-mgmt thread: %d\n", err); + return -1; + } + + return 0; +} + +void +check_power_mgmt (void) +{ + if (slept_at && woke_at) { + plog(LLV_DEBUG, LOCATION, 
NULL, + "handling power-mgmt event: sleep-wake\n"); + swept_at = current_time(); + sweep_sleepwake(); + slept_at = 0; + woke_at = 0; + } else if (woke_at) { + plog(LLV_DEBUG, LOCATION, NULL, + "handling power-mgmt event: power-on\n"); + woke_at = 0; + } +} diff --git a/ipsec-tools/racoon/power_mgmt.h b/ipsec-tools/racoon/power_mgmt.h new file mode 100644 index 0000000..fbe7140 --- /dev/null +++ b/ipsec-tools/racoon/power_mgmt.h @@ -0,0 +1,13 @@ +#ifndef _POWER_MGMT_H +#define _POWER_MGMT_H + +#include + +extern time_t slept_at; +extern time_t woke_at; +extern time_t swept_at; + +extern int init_power_mgmt __P((void)); +extern void check_power_mgmt __P((void)); + +#endif /* _POWER_MGMT_H */ diff --git a/ipsec-tools/racoon/privsep.c b/ipsec-tools/racoon/privsep.c index d343bbf..c9f1082 100644 --- a/ipsec-tools/racoon/privsep.c +++ b/ipsec-tools/racoon/privsep.c @@ -66,6 +66,7 @@ #include "sockmisc.h" #include "privsep.h" +#ifdef HAVE_OPENSSL static int privsep_sock[2] = { -1, -1 }; static int privsep_recv(int, struct privsep_com_msg **, size_t *); @@ -75,7 +76,9 @@ static int port_check(int); static int unsafe_env(char *const *); static int unknown_name(int); static int unsafe_path(char *, int); +#endif +#ifdef HAVE_OPENSSL static int privsep_send(sock, buf, len) int sock; @@ -160,7 +163,9 @@ privsep_recv(sock, bufp, lenp) return 0; } +#endif /* HAVE_OPENSSL */ +#ifdef HAVE_OPENSSL int privsep_init(void) { @@ -696,8 +701,9 @@ out: plog(LLV_INFO, LOCATION, NULL, "privsep exit\n"); _exit(0); } +#endif /* HAVE_OPENSSL */ - +#ifdef HAVE_OPENSSL vchar_t * privsep_eay_get_pkcs1privkey(path) char *path; @@ -743,6 +749,7 @@ out: racoon_free(msg); return NULL; } +#endif /* * No prigilege separation trick here, we just open PFKEY before @@ -775,6 +782,7 @@ privsep_pfkey_close(ps) return; } +#ifdef HAVE_OPENSSL int privsep_script_exec(script, name, envp) char *script; 
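Review bot: `init_power_mgmt` reports success as soon as `pthread_create` returns, but every failure path inside `power_mgmt_thread_func` (`IOPMConnectionCreate`, `IOPMConnectionSetNotification`, `IOPMConnectionScheduleWithRunLoop`, and `IORegisterForSystemPower` in the other branch) just returns NULL from the thread, so the daemon runs believing sleep/wake handling is active while `slept_at`/`woke_at` will never be set; recording the failure in a status the main thread can check, or at least logging it at `LLV_ERROR` as something the operator must act on, would make the degraded state visible. The second and third error messages copy `"IOPMConnectionCreate failed (%d) power-mgmt thread\n"` and should name `IOPMConnectionSetNotification` and `IOPMConnectionScheduleWithRunLoop` respectively. The first `plog` in `iosleep_capabilities_notifier` lacks the trailing `\n` every other message in the file has, and `gSleepNotification` is declared but never used. `sleeping`, `slept_at`, `woke_at` and `swept_at` are all written from this thread's run loop and read elsewhere without synchronisation, as raised on the pfkey_handler hunk.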
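Review bot: These hunks place the whole privilege-separation path (`privsep_init`, `privsep_eay_get_pkcs1privkey`, `privsep_script_exec`, `privsep_getpsk`, `privsep_xauth_login_system`) under `#ifdef HAVE_OPENSSL`, so a build without OpenSSL has no privilege separation at all rather than merely no OpenSSL-backed key loading, and nothing in the diff records whether that is intended or where those operations then execute. A file-header comment should state the decision once confirmed, e.g. `/* Privilege separation is compiled only with HAVE_OPENSSL; other builds perform these operations in the main process. */`. The bare `+#endif` after `privsep_eay_get_pkcs1privkey` (the `@@ -743,6 +749,7 @@` hunk) should be labelled `#endif /* HAVE_OPENSSL */` like the others added here, since the file now nests several conditional regions.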
@@ -884,7 +892,9 @@ privsep_script_exec(script, name, envp) racoon_free(msg); return 0; } +#endif +#ifdef HAVE_OPENSSL vchar_t * privsep_getpsk(str, keylen) const char *str; @@ -939,7 +949,9 @@ out: racoon_free(msg); return NULL; } +#endif +#ifdef HAVE_OPENSSL #ifdef ENABLE_HYBRID int privsep_xauth_login_system(usr, pwd) @@ -1051,6 +1063,7 @@ out: racoon_free(msg); return -1; } +#endif static int port_check(port) @@ -1065,8 +1078,9 @@ port_check(port) return 0; } -#endif +#endif /* HAVE_OPENSSL */ +#ifdef HAVE_OPENSSL static int safety_check(msg, index) struct privsep_com_msg *msg; @@ -1159,6 +1173,7 @@ unknown_name(name) return 0; } +#endif /* HAVE_OPENSSL */ #ifdef HAVE_LIBPAM int diff --git a/ipsec-tools/racoon/proposal.c b/ipsec-tools/racoon/proposal.c index 7a299e0..63ee764 100644 --- a/ipsec-tools/racoon/proposal.c +++ b/ipsec-tools/racoon/proposal.c @@ -1036,11 +1036,7 @@ set_proposal_from_policy(iph2, sp_main, sp_sub) * me +--- SA1 ---+ peer1 * me +--- SA2 --------------+ peer2 */ -#ifdef __linux__ - if (req->saidx.src.ss_family && req->saidx.dst.ss_family) { -#else if (req->saidx.src.ss_len && req->saidx.dst.ss_len) { -#endif /* check the end of ip addresses of SA */ if (iph2->side == INITIATOR) paddr = (caddr_t)&req->saidx.dst; diff --git a/ipsec-tools/racoon/prsa_par.y b/ipsec-tools/racoon/prsa_par.y index b8d3c20..61698dc 100644 --- a/ipsec-tools/racoon/prsa_par.y +++ b/ipsec-tools/racoon/prsa_par.y @@ -58,16 +58,18 @@ #include #include +#ifdef HAVE_OPENSSL #include #include - +#endif +#include "crypto_openssl.h" #include "misc.h" #include "vmbuf.h" #include "plog.h" #include "oakley.h" #include "isakmp_var.h" #include "handler.h" -#include "crypto_openssl.h" + #include "sockmisc.h" #include "rsalist.h" diff --git a/ipsec-tools/racoon/prsa_tok.l b/ipsec-tools/racoon/prsa_tok.l index 1c9288b..d9b4601 100644 --- a/ipsec-tools/racoon/prsa_tok.l +++ b/ipsec-tools/racoon/prsa_tok.l 
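Review bot: The `+#endif` added after `privsep_xauth_login_system` (`@@ -1051,6 +1063,7 @@`) and the relabelled `+#endif /* HAVE_OPENSSL */` after `port_check` (`@@ -1065,8 +1078,9 @@`) leave it ambiguous which one closes `#ifdef ENABLE_HYBRID` and which closes the `#ifdef HAVE_OPENSSL` opened before it. If the new one closes `ENABLE_HYBRID`, `port_check` has moved from a hybrid-only region into a `HAVE_OPENSSL` region and becomes an unused static in non-hybrid OpenSSL builds; if it closes `HAVE_OPENSSL`, the relabelled one is simply wrong. Label both explicitly, `#endif /* ENABLE_HYBRID */` and `#endif /* HAVE_OPENSSL */`, in whichever order is correct.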
@@ -35,14 +35,13 @@ /* This file contains a tokeniser for FreeS/WAN-style ipsec.secrets RSA keys. */ +#include #include +#ifdef HAVE_OPENSSL #include #include -#ifdef __APPLE__ +#endif #include "y.tab.h" -#else -#include "prsa_par.h" -#endif extern int prsalex (void); extern int prsa_cur_lineno; diff --git a/ipsec-tools/racoon/racoon.8 b/ipsec-tools/racoon/racoon.8 index b47f8f4..b328d60 100644 --- a/ipsec-tools/racoon/racoon.8 +++ b/ipsec-tools/racoon/racoon.8 @@ -46,15 +46,21 @@ .Bk -words .Op Fl l Ar logfile .Ek -.Bk -words -.Op Fl P Ar isakmp-natt-port -.Ek -.Bk -words -.Op Fl p Ar isakmp-port -.Ek .\" .Sh DESCRIPTION .Nm +is used to setup and maintain an IPSec tunnel or transport channel, +between two devices, over which network traffic is conveyed securely. +This security is made possible by cryptographic keys and operations +on both devices. +.\" +.Nm +relies on a standardized network protocol (IKE) to automatically +negotiate and manage the cryptographic keys (e.g. security +associations) that are necessary for the +IPSec tunnel or transport channel to function. +.\" +.Nm speaks the IKE .Pq ISAKMP/Oakley key management protocol, @@ -104,15 +110,6 @@ Use .Ar logfile as the logging file instead of .Xr syslogd 8 . -.It Fl P Ar isakmp-natt-port -Use -.Ar isakmp-natt-port -for NAT-Traversal port-floating. -The default is 4500. -.It Fl p Ar isakmp-port -Listen to the ISAKMP key exchange on port -.Ar isakmp-port -instead of the default port number, 500. .It Fl v This flag causes the packet dump be more verbose, with higher debugging level. diff --git a/ipsec-tools/racoon/racoon.conf.5 b/ipsec-tools/racoon/racoon.conf.5 index 3b3ff5b..ace2edf 100644 --- a/ipsec-tools/racoon/racoon.conf.5 +++ b/ipsec-tools/racoon/racoon.conf.5 
@@ -227,6 +227,17 @@ it is treated as an absolute path. Otherwise, it is treated as a relative path to the VARRUN directory specified at compilation time. Default is .Pa racoon.pid . +.It Ic path logfile Ar file ; +Specifies a file to which logs generated by +.Xr racoon 8 +are stored. +When the file's size exceeds 200KB, +.Xr racoon 8 +will trim the logfile by dropping the oldest events. +If path starts with +.Pa / +it is treated as an absolute path. Otherwise, it is treated as a relative +path to the VARRUN directory specified at compilation time. .El .\" .Ss File Inclusion diff --git a/ipsec-tools/racoon/racoonctl.c b/ipsec-tools/racoon/racoonctl.c index 9f5f77a..687075c 100644 --- a/ipsec-tools/racoon/racoonctl.c +++ b/ipsec-tools/racoon/racoonctl.c @@ -41,11 +41,7 @@ #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #include @@ -276,13 +272,6 @@ main(ac, av) (racoonctl_interface < RACOONCTL_INTERFACE)) errx(1, "Incompatible racoonctl interface"); -#ifdef __linux__ - /* - * Disable GNU extensions that will prevent racoonct vc -u login - * from working (GNU getopt(3) does not like options after vc) - */ - setenv("POSIXLY_CORRECT", "1", 0); -#endif while ((c = getopt(ac, av, "lds:")) != -1) { switch(c) { case 'l': diff --git a/ipsec-tools/racoon/remoteconf.c b/ipsec-tools/racoon/remoteconf.c index c9eb64a..3a4519e 100644 --- a/ipsec-tools/racoon/remoteconf.c +++ b/ipsec-tools/racoon/remoteconf.c @@ -80,7 +80,9 @@ #include "nattraversal.h" #include "isakmp_frag.h" #include "genlist.h" +#ifdef HAVE_OPENSSL #include "rsalist.h" +#endif static TAILQ_HEAD(_rmtree, remoteconf) rmtree; @@ -152,11 +154,9 @@ getrmconf_strict(remote, allow_anon) } TAILQ_FOREACH(p, &rmtree, chain) { -#ifdef __APPLE__ if (p->to_delete || p->to_remove) { continue; } -#endif if ((remote->sa_family == AF_UNSPEC && remote->sa_family == p->remote->sa_family) || (!withport && cmpsaddrwop(remote, p->remote) == 0) 
@@ -230,7 +230,6 @@ getrmconf(remote) return getrmconf_strict(remote, 1); } -#ifdef __APPLE__ int link_rmconf_to_ph1 (struct remoteconf *new) { @@ -265,7 +264,6 @@ unlink_rmconf_from_ph1 (struct remoteconf *old) } return(0); } -#endif struct remoteconf * newrmconf() @@ -306,18 +304,16 @@ newrmconf() new->gen_policy = FALSE; new->retry_counter = lcconf->retry_counter; new->retry_interval = lcconf->retry_interval; -#ifdef __APPLE__ new->nat_traversal = NATT_ON; new->natt_multiple_user = FALSE; new->natt_keepalive = TRUE; new->to_remove = FALSE; new->to_delete = FALSE; new->linked_to_ph1 = 0; -#else - new->nat_traversal = NATT_OFF; -#endif +#ifdef HAVE_OPENSSL new->rsa_private = genlist_init(); new->rsa_public = genlist_init(); +#endif new->idv = NULL; new->key = NULL; @@ -440,12 +436,10 @@ void delrmconf(rmconf) struct remoteconf *rmconf; { -#ifdef __APPLE__ if (rmconf->linked_to_ph1) { rmconf->to_delete = TRUE; return; } -#endif if (rmconf->remote) racoon_free(rmconf->remote); #ifdef ENABLE_HYBRID @@ -474,18 +468,18 @@ delrmconf(rmconf) racoon_free(rmconf->cacertfile); if (rmconf->prhead) proposalspec_free(rmconf->prhead); +#ifdef HAVE_OPENSSL if (rmconf->rsa_private) genlist_free(rmconf->rsa_private, rsa_key_free); if (rmconf->rsa_public) genlist_free(rmconf->rsa_public, rsa_key_free); -#ifdef __APPLE__ +#endif if (rmconf->shared_secret) vfree(rmconf->shared_secret); if (rmconf->keychainCertRef) vfree(rmconf->keychainCertRef); if (rmconf->open_dir_auth_group) vfree(rmconf->open_dir_auth_group); -#endif racoon_free(rmconf); } @@ -550,12 +544,10 @@ void remrmconf(rmconf) struct remoteconf *rmconf; { -#ifdef __APPLE__ if (rmconf->linked_to_ph1) { rmconf->to_remove = TRUE; return; } -#endif TAILQ_REMOVE(&rmtree, rmconf, chain); } 
@@ -733,10 +725,8 @@ dump_rmconf_single (struct remoteconf *p, void *data) plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n", p->nat_traversal == NATT_FORCE ? "force" : s_switch (p->nat_traversal)); -#ifdef __APPLE__ plog(LLV_INFO, LOCATION, NULL, "\tnatt_multiple_user %s;\n", s_switch (p->natt_multiple_user)); -#endif plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n", p->nonce_size); plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n", @@ -860,6 +850,7 @@ dupisakmpsa(struct isakmpsa *sa) } +#ifdef HAVE_OPENSSL void rsa_key_free(void *entry) { @@ -873,3 +864,4 @@ rsa_key_free(void *entry) RSA_free(key->rsa); free(key); } +#endif \ No newline at end of file diff --git a/ipsec-tools/racoon/remoteconf.h b/ipsec-tools/racoon/remoteconf.h index f01b227..10d97c8 100644 --- a/ipsec-tools/racoon/remoteconf.h +++ b/ipsec-tools/racoon/remoteconf.h @@ -42,9 +42,7 @@ #include "isakmp_var.h" #include "isakmp_xauth.h" #endif -#ifdef __APPLE__ #include -#endif #include "algorithm.h" @@ -110,13 +108,11 @@ struct remoteconf { vchar_t *key; /* my pre-shared key */ struct genlist *idvl_p; /* peer's identifiers list */ -#ifdef __APPLE__ int identity_in_keychain; /* cert and private key is in the keychain */ vchar_t *keychainCertRef; /* peristant keychain ref for cert */ int secrettype; /* type of secret [use, key, keychain] */ vchar_t *shared_secret; /* shared secret */ vchar_t *open_dir_auth_group; /* group to be used to authorize user */ -#endif int certtype; /* certificate type if need */ char *mycertfile; /* file name of my certificate */ 
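Review bot: The closing `#endif` added after rsa_key_free() is the last line of remoteconf.c and the diff records `\ No newline at end of file`; the file should end with a newline, and a comment on the directive would help since it closes a guard opened more than ten lines earlier, e.g. `#endif /* HAVE_OPENSSL */`. The rest of rsa_key_free() is outside this hunk.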
@@ -129,10 +125,8 @@ struct remoteconf { int send_cert; /* send to CERT or not */ int send_cr; /* send to CR or not */ int verify_cert; /* verify a CERT strictly */ -#ifdef __APPLE__ int cert_verification; /* openssl or security framework */ int cert_verification_option; /* nothing, peers identifier, or open_dir */ -#endif int verify_identifier; /* vefify the peer's identifier */ int nonce_size; /* the number of bytes of nonce */ int passive; /* never initiate */ @@ -147,10 +141,8 @@ struct remoteconf { int ini_contact; /* initial contact */ int pcheck_level; /* level of propocl checking */ int nat_traversal; /* NAT-Traversal */ -#ifdef __APPLE__ int natt_multiple_user; /* special handling of multiple users behind a nat - for VPN server */ int natt_keepalive; /* do we need to send natt keep alive */ -#endif vchar_t *script[SCRIPT_MAX + 1]; /* script hooks paths */ int dh_group; /* use it when only aggressive mode */ struct dhgroup *dhgrp; /* use it when only aggressive mode */ @@ -177,20 +169,18 @@ struct remoteconf { from which this one was inherited */ struct proposalspec *prhead; - +#ifdef HAVE_OPENSSL struct genlist *rsa_private, /* lists of PlainRSA keys to use */ *rsa_public; +#endif #ifdef ENABLE_HYBRID struct xauth_rmconf *xauth; #endif int initiate_ph1rekey; - -#ifdef __APPLE__ int to_remove; int to_delete; int linked_to_ph1; -#endif TAILQ_ENTRY(remoteconf) chain; /* next remote conf */ }; @@ -229,10 +219,8 @@ extern struct remoteconf *getrmconf __P((struct sockaddr *)); extern struct remoteconf *getrmconf_strict __P((struct sockaddr *remote, int allow_anon)); -#ifdef __APPLE__ extern int link_rmconf_to_ph1 __P((struct remoteconf *)); extern int unlink_rmconf_from_ph1 __P((struct remoteconf *)); -#endif extern int no_remote_configs __P((int)); extern struct remoteconf *copyrmconf __P((struct sockaddr *)); extern struct remoteconf *newrmconf __P((void)); diff --git a/ipsec-tools/racoon/sainfo.c b/ipsec-tools/racoon/sainfo.c index 2c3619b..02bbb28 100644 
--- a/ipsec-tools/racoon/sainfo.c +++ b/ipsec-tools/racoon/sainfo.c @@ -104,11 +104,9 @@ getsainfo(src, dst, peer, use_nat_addr) pass = 2; again: LIST_FOREACH(s, &sitree, chain) { -#ifdef __APPLE__ if (s->to_delete || s->to_remove) { continue; } -#endif /* __APPLE__ */ if (s->idsrc != NULL) { plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id - src & dst:\n"); plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l); @@ -159,21 +157,6 @@ getsainfo(src, dst, peer, use_nat_addr) return anonymous; } -#ifdef __APPLE__ -int -link_sainfo_to_ph2 (struct sainfo *new) -{ - if (!new) { - return(-1); - } - if (new->to_delete || - new->to_remove) { - return(-1); - } - new->linked_to_ph2++; - return(0); -} - /* * return matching entry. * no matching entry found and if there is anonymous entry, return it. @@ -229,6 +212,20 @@ getsainfo_by_dst_id(dst, peer) return anonymous; } +int +link_sainfo_to_ph2 (struct sainfo *new) +{ + if (!new) { + return(-1); + } + if (new->to_delete || + new->to_remove) { + return(-1); + } + new->linked_to_ph2++; + return(0); +} + int unlink_sainfo_from_ph2 (struct sainfo *old) { @@ -249,7 +246,6 @@ unlink_sainfo_from_ph2 (struct sainfo *old) } return(0); } -#endif struct sainfo * newsainfo() @@ -262,11 +258,9 @@ newsainfo() new->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT; new->lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX; -#ifdef __APPLE__ new->to_remove = FALSE; new->to_delete = FALSE; new->linked_to_ph2 = 0; -#endif return new; } @@ -277,12 +271,10 @@ delsainfo(si) { int i; -#ifdef __APPLE__ if (si->linked_to_ph2) { si->to_delete = TRUE; return; } -#endif for (i = 0; i < MAXALGCLASS; i++) delsainfoalg(si->algs[i]); @@ -311,12 +303,10 @@ void remsainfo(si) struct sainfo *si; { -#ifdef __APPLE__ if (si->linked_to_ph2) { si->to_remove = TRUE; return; } -#endif LIST_REMOVE(si, chain); } diff --git a/ipsec-tools/racoon/sainfo.h b/ipsec-tools/racoon/sainfo.h index ad18996..7b29d2d 100644 --- a/ipsec-tools/racoon/sainfo.h +++ b/ipsec-tools/racoon/sainfo.h 
@@ -56,11 +56,9 @@ struct sainfo { vchar_t *id_i; /* identifier of the authorized initiator */ struct sainfoalg *algs[MAXALGCLASS]; int dynamic; /* created through vpn control socket */ -#ifdef __APPLE__ int to_remove; int to_delete; int linked_to_ph2; -#endif LIST_ENTRY(sainfo) chain; }; @@ -73,11 +71,9 @@ struct sainfoalg { extern struct sainfo *getsainfo __P((const vchar_t *, const vchar_t *, const vchar_t *, int)); -#ifdef __APPLE__ extern struct sainfo *getsainfo_by_dst_id __P((const vchar_t *, const vchar_t *)); extern int link_sainfo_to_ph2 __P((struct sainfo *)); extern int unlink_sainfo_from_ph2 __P((struct sainfo *)); -#endif extern struct sainfo *newsainfo __P((void)); extern void delsainfo __P((struct sainfo *)); extern void inssainfo __P((struct sainfo *)); diff --git a/ipsec-tools/racoon/schedule.c b/ipsec-tools/racoon/schedule.c index fe82c30..50b1865 100644 --- a/ipsec-tools/racoon/schedule.c +++ b/ipsec-tools/racoon/schedule.c @@ -50,6 +50,7 @@ #include "schedule.h" #include "var.h" #include "gcmalloc.h" +#include "power_mgmt.h" #if !defined(__LP64__) // year 2038 problem and fix for 32-bit only @@ -73,7 +74,6 @@ static time_t deltaY2038; static TAILQ_HEAD(_schedtree, sched) sctree; static void sched_add __P((struct sched *)); -static time_t current_time __P((void)); /* * schedule handler @@ -87,6 +87,12 @@ schedular() time_t now, delta; struct sched *p, *next = NULL; + if (slept_at || woke_at) { + plog(LLV_DEBUG, LOCATION, NULL, + "ignoring schedular until power-mgmt event is handled.\n"); + return NULL; + } + now = current_time(); for (p = TAILQ_FIRST(&sctree); p; p = next) { @@ -180,7 +186,7 @@ sched_add(sc) * if defined FIXY2038PROBLEM, base time is the time when called sched_init(). * Otherwise, conform to time(3). */ -static time_t +time_t current_time() { time_t n; diff --git a/ipsec-tools/racoon/schedule.h b/ipsec-tools/racoon/schedule.h index e7e7477..72c0105 100644 --- a/ipsec-tools/racoon/schedule.h +++ b/ipsec-tools/racoon/schedule.h 
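Review bot: The early return added at the top of schedular() suspends every scheduled callback while `slept_at` or `woke_at` is set and hands the caller a NULL timeout, so if the caller then blocks in select() with no timeout the pending entries are only revisited on the next socket or signal event; that is acceptable only if check_power_mgmt() clears both flags on the same loop iteration, which is not visible here. Neither global is declared in this hunk (presumably they come from the newly included power_mgmt.h), and nothing says who resets them. A comment at the return would make the contract explicit, e.g. `/* timers stay frozen until check_power_mgmt() has cleared slept_at/woke_at */`. The rest of schedular() is outside this hunk.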
@@ -83,5 +83,6 @@ void sched_kill __P((struct sched *)); int sched_dump __P((caddr_t *, int *)); void sched_init __P((void)); void sched_scrub_param __P((void *)); +time_t current_time __P((void)); #endif /* _SCHEDULE_H */ diff --git a/ipsec-tools/racoon/session.c b/ipsec-tools/racoon/session.c index 64a4668..8f15109 100644 --- a/ipsec-tools/racoon/session.c +++ b/ipsec-tools/racoon/session.c @@ -70,9 +70,7 @@ #include #include -#if __APPLE__ #include -#endif #include "libpfkey.h" @@ -107,16 +105,18 @@ #include "algorithm.h" /* XXX ??? */ #include "sainfo.h" +#include "power_mgmt.h" extern pid_t racoon_pid; +extern char logFileStr[]; extern int launchedbylaunchd(void); static void close_session __P((void)); static void check_rtsock __P((void *)); static void initfds __P((void)); static void init_signal __P((void)); -static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int)))); +static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int, siginfo_t *, void *)))); static void check_sigreq __P((void)); static void check_flushsa_stub __P((void *)); static void check_flushsa __P((void)); 
@@ -131,25 +131,38 @@ static int dying = 0; static struct sched *check_rtsock_sched = NULL; int terminated = 0; +#define HANDLE_TENTATIVE_INTF_FAILURES() do { \ + if (tentative_failures) { \ + plog(LLV_ERROR, LOCATION, NULL, \ + "detected tentative interface/address issues: will retry later.\n"); \ + if (check_rtsock_sched == NULL) { \ + /* only schedule if not already done */ \ + check_rtsock_sched = sched_new(5, check_rtsock, NULL); \ + } \ + } \ + } while(0) + static void reinit_socks (void) { + int tentative_failures; + isakmp_close(); close(lcconf->rtsock); initmyaddr(); - if (isakmp_open() < 0) { + if (isakmp_open(&tentative_failures) < 0) { plog(LLV_ERROR2, LOCATION, NULL, "failed to reopen isakmp sockets\n"); } initfds(); + HANDLE_TENTATIVE_INTF_FAILURES(); } -#ifdef __APPLE__ static int64_t racoon_keepalive = -1; /* * This is used to (manually) update racoon's launchd keepalive, which is needed because racoon is (mostly) - * launched on demand and for requires a keepalive on dirty/failure exits. + * launched on demand and for requires a keepalive on dirty/failure exits. * The launchd plist can't be used for this because RunOnLoad is required to have keepalive on a failure exit. */ int64_t @@ -171,7 +184,6 @@ launchd_update_racoon_keepalive (Boolean enabled) } return racoon_keepalive; } -#endif // __APPLE__ int session(void) 
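Review bot: `tentative_failures` in reinit_socks() is declared without an initializer and is only ever written by isakmp_open(); if isakmp_open() returns early on its failure path (the one logged just below) without storing through its out-parameter, HANDLE_TENTATIVE_INTF_FAILURES() reads an indeterminate int, which is undefined behavior. Initialise it at the declaration, `int tentative_failures = 0;`, and do the same in session(), check_rtsock() and check_sigreq(), which repeat the pattern in the later hunks of this file. Whether isakmp_open()/isakmp_init() always store a value is outside this diff, so this is inferred from the visible call sites.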
@@ -183,22 +195,25 @@ session(void) char pid_file[MAXPATHLEN]; FILE *fp; int i, update_fds; + int tentative_failures; /* initialize schedular */ sched_init(); + /* needs to be called after schedular */ + if (init_power_mgmt() < 0) { + errx(1, "failed to initialize power-mgmt."); + } + initmyaddr(); -#ifndef __APPLE__ - if (isakmp_init() < 0) { -#else - if (isakmp_init(false) < 0) { -#endif /* __APPLE__ */ + if (isakmp_init(false, &tentative_failures) < 0) { plog(LLV_ERROR2, LOCATION, NULL, "failed to initialize isakmp"); exit(1); } - + HANDLE_TENTATIVE_INTF_FAILURES(); + #ifdef ENABLE_ADMINPORT if (admin_init() < 0) { plog(LLV_ERROR2, LOCATION, NULL, @@ -218,18 +233,14 @@ session(void) init_signal(); initfds(); -#ifndef __APPLE__ -#ifdef ENABLE_NATT - natt_keepalive_init (); -#endif -#endif - +#ifdef HAVE_OPENSSL if (privsep_init() != 0) { plog(LLV_ERROR2, LOCATION, NULL, "failed to initialize privsep"); exit(1); } - +#endif + for (i = 0; i <= NSIG; i++) sigreq[i] = 0; @@ -260,12 +271,10 @@ session(void) } } -#ifdef __APPLE__ #if !TARGET_OS_EMBEDDED // enable keepalive for recovery (from crashes and bad exits... after init) (void)launchd_update_racoon_keepalive(true); #endif // !TARGET_OS_EMBEDDED -#endif // __APPLE__ while (1) { if (!TAILQ_EMPTY(&lcconf->saved_msg_queue)) @@ -277,6 +286,8 @@ session(void) */ check_sigreq(); + check_power_mgmt(); + /* scheduling */ timeout = schedular(); // Workaround: make sure timeout is playing nice @@ -292,7 +303,7 @@ session(void) timeout->tv_sec = 1; } } - + if (dying) rfds = maskdying; else @@ -304,8 +315,8 @@ session(void) continue; default: plog(LLV_ERROR2, LOCATION, NULL, - "failed select (%s) nfds %d\n", - strerror(errno), nfds); + "failed select (%s) nfds %d\n", + strerror(errno), nfds); reinit_socks(); update_fds = 0; continue; 
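Review bot: Wrapping the privsep_init() call in `#ifdef HAVE_OPENSSL` means a build without OpenSSL never sets up privilege separation, so the daemon keeps whatever privileges it was started with; that is a security-relevant behaviour change that the code does not explain. Whether the non-OpenSSL build is expected to run without privsep by design is not visible here. Record the decision next to the directive, e.g. `/* privsep is compiled in only with OpenSSL; the non-OpenSSL build runs without privilege separation */`, and have the daemon log that fact at startup so operators can tell which mode they are running. The body of session() continues in the next hunks.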
@@ -344,13 +355,17 @@ session(void) for (p = lcconf->myaddrs; p; p = p->next) { if (!p->addr) continue; - if (FD_ISSET(p->sock, &rfds)) + if ((p->sock != -1) && + (FD_ISSET(p->sock, &rfds))) if ((error = isakmp_handler(p->sock)) == -2) break; } if (error == -2) { + plog(LLV_ERROR2, LOCATION, NULL, + "failed to process isakmp port\n"); reinit_socks(); update_fds = 0; + continue; } if (FD_ISSET(lcconf->sock_pfkey, &rfds)) @@ -359,7 +374,7 @@ session(void) if (lcconf->rtsock >= 0 && FD_ISSET(lcconf->rtsock, &rfds)) { if (update_myaddrs() && lcconf->autograbaddr) if (check_rtsock_sched == NULL) /* only schedule if not already done */ - check_rtsock_sched = sched_new(5, check_rtsock, NULL); + check_rtsock_sched = sched_new(1, check_rtsock, NULL); // initfds(); //%%% BUG FIX - not needed here } if (update_fds) { @@ -380,12 +395,10 @@ close_session() close_sockets(); backupsa_clean(); -#ifdef __APPLE__ #if !TARGET_OS_EMBEDDED // a clean exit, so disable launchd keepalive (void)launchd_update_racoon_keepalive(false); #endif // !TARGET_OS_EMBEDDED -#endif // __APPLE__ plog(LLV_INFO, LOCATION, NULL, "racoon shutdown\n"); exit(0); @@ -395,16 +408,18 @@ static void check_rtsock(p) void *p; { + int tentative_failures; check_rtsock_sched = NULL; grab_myaddrs(); isakmp_close_unused(); autoconf_myaddrsport(); - isakmp_open(); + isakmp_open(&tentative_failures); /* initialize socket list again */ initfds(); + HANDLE_TENTATIVE_INTF_FAILURES(); } static void @@ -506,9 +521,17 @@ static int signals[] = { * main loop in session(). */ RETSIGTYPE -signal_handler(sig) +signal_handler(sig, sigi, ctx) int sig; + siginfo_t *sigi; + void *ctx; { +#if 0 + plog(LLV_DEBUG, LOCATION, NULL, + "%s received signal %d from pid %d uid %d\n\n", + __FUNCTION__, sig, sigi->si_pid, sigi->si_uid); +#endif + /* Do not just set it to 1, because we may miss some signals by just setting * values to 0/1 */ 
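Review bot: The `#if 0` block added to signal_handler() is dead code and should be removed rather than left disabled; plog() is unlikely to be async-signal-safe, so enabling it later from inside a signal handler would not be correct either. If the sending pid/uid are wanted for diagnostics, the safe pattern is to stash `sigi->si_pid`/`sigi->si_uid` in a `volatile sig_atomic_t`-style variable here and log them from check_sigreq() in the main loop. The rest of signal_handler() is outside this hunk.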
@@ -522,6 +545,7 @@ static void check_sigreq() { int sig; + int tentative_failures; /* * XXX We are not able to tell if we got @@ -574,6 +598,14 @@ check_sigreq() if ( terminated ) break; + /* + * if we got a HUP... try graceful teardown of sessions before we close and reopen sockets... + * so that info-deletes notifications can make it to the peer. + */ + if (sig == SIGHUP) { + flushph2(true); + flushph1(true); + } /* Save old configuration, load new one... */ isakmp_close(); close(lcconf->rtsock); @@ -582,16 +614,13 @@ check_sigreq() "configuration read failed\n"); exit(1); } - if (lcconf->logfile_param == NULL) + if (lcconf->logfile_param == NULL && logFileStr[0] == 0) plogreset(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]); initmyaddr(); isakmp_cleanup(); -#ifdef __APPLE__ - isakmp_init(true); -#else - isakmp_init(); -#endif /* __APPLE__ */ + isakmp_init(true, &tentative_failures); + HANDLE_TENTATIVE_INTF_FAILURES(); initfds(); #if TARGET_OS_EMBEDDED if (no_remote_configs(TRUE)) { @@ -704,15 +733,6 @@ check_flushsa() return; } -#if !TARGET_OS_EMBEDDED - // abort exit if policies/config/control state is still there - if (vpn_control_connected() || - policies_installed() || - !no_remote_configs(FALSE)) { - return; - } -#endif - close_session(); #if !TARGET_OS_EMBEDDED if (lcconf->vt) @@ -770,13 +790,13 @@ init_signal() static int set_signal(sig, func) int sig; - RETSIGTYPE (*func) __P((int)); + RETSIGTYPE (*func) __P((int, siginfo_t *, void *)); { struct sigaction sa; memset((caddr_t)&sa, 0, sizeof(sa)); sa.sa_handler = func; - sa.sa_flags = SA_RESTART; + sa.sa_flags = SA_RESTART | SA_SIGINFO; if (sigemptyset(&sa.sa_mask) < 0) return -1; diff --git a/ipsec-tools/racoon/session.h b/ipsec-tools/racoon/session.h index f410be9..3ee56c2 100644 --- a/ipsec-tools/racoon/session.h +++ b/ipsec-tools/racoon/session.h 
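Review bot: set_signal() now sets SA_SIGINFO but still stores the handler in `sa.sa_handler`, whose type is `void (*)(int)`, while `func` is now a three-argument handler; with SA_SIGINFO the kernel invokes `sa_sigaction`, and the two members are a union only on some platforms. Use the member that matches the flag: `sa.sa_sigaction = func;`. That also removes the incompatible-pointer assignment the compiler will warn about.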
@@ -35,7 +35,7 @@ #include "handler.h" extern int session __P((void)); -extern RETSIGTYPE signal_handler __P((int)); +extern RETSIGTYPE signal_handler __P((int, siginfo_t *, void *)); extern void check_auto_exit __P((void)); #endif /* _SESSION_H */ diff --git a/ipsec-tools/racoon/sockmisc.c b/ipsec-tools/racoon/sockmisc.c index 98d0a69..aec6279 100644 --- a/ipsec-tools/racoon/sockmisc.c +++ b/ipsec-tools/racoon/sockmisc.c @@ -93,16 +93,9 @@ cmpsaddrwop(addr1, addr2) if (addr1 == 0 || addr2 == 0) return 1; -#ifdef __linux__ - if (addr1->sa_family != addr2->sa_family) - return 1; -#else if (addr1->sa_len != addr2->sa_len || addr1->sa_family != addr2->sa_family) return 1; - -#endif /* __linux__ */ - switch (addr1->sa_family) { case AF_INET: sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; @@ -147,16 +140,10 @@ cmpsaddrwild(addr1, addr2) if (addr1 == 0 || addr2 == 0) return 1; -#ifdef __linux__ - if (addr1->sa_family != addr2->sa_family) - return 1; -#else if (addr1->sa_len != addr2->sa_len || addr1->sa_family != addr2->sa_family) return 1; -#endif /* __linux__ */ - switch (addr1->sa_family) { case AF_INET: sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; @@ -212,16 +199,10 @@ cmpsaddrstrict(addr1, addr2) if (addr1 == 0 || addr2 == 0) return 1; -#ifdef __linux__ - if (addr1->sa_family != addr2->sa_family) - return 1; -#else if (addr1->sa_len != addr2->sa_len || addr1->sa_family != addr2->sa_family) return 1; -#endif /* __linux__ */ - switch (addr1->sa_family) { case AF_INET: sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; @@ -378,9 +359,7 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) sin6 = (struct sockaddr_in6 *)to; memset(sin6, 0, sizeof(*sin6)); sin6->sin6_family = AF_INET6; -#ifndef __linux__ sin6->sin6_len = sizeof(*sin6); -#endif memcpy(&sin6->sin6_addr, &pi->ipi6_addr, sizeof(sin6->sin6_addr)); /* XXX other cases, such as site-local? */ 
@@ -394,24 +373,6 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) continue; } #endif -#ifdef __linux__ - if (ss.ss_family == AF_INET - && cm->cmsg_level == IPPROTO_IP - && cm->cmsg_type == IP_PKTINFO - && otolen >= sizeof(sin)) { - struct in_pktinfo *pi = (struct in_pktinfo *)(CMSG_DATA(cm)); - *tolen = sizeof(*sin); - sin = (struct sockaddr_in *)to; - memset(sin, 0, sizeof(*sin)); - sin->sin_family = AF_INET; - memcpy(&sin->sin_addr, &pi->ipi_addr, - sizeof(sin->sin_addr)); - sin->sin_port = - ((struct sockaddr_in *)&ss)->sin_port; - otolen = -1; /* "to" already set */ - continue; - } -#endif #if defined(INET6) && defined(IPV6_RECVDSTADDR) if (ss.ss_family == AF_INET6 && cm->cmsg_level == IPPROTO_IPV6 @@ -430,7 +391,6 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) continue; } #endif -#ifndef __linux__ if (ss.ss_family == AF_INET && cm->cmsg_level == IPPROTO_IP && cm->cmsg_type == IP_RECVDSTADDR @@ -446,7 +406,6 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) otolen = -1; /* "to" already set */ continue; } -#endif } return len; @@ -462,7 +421,7 @@ sendfromto(s, buf, buflen, src, dst, cnt) struct sockaddr *dst; { struct sockaddr_storage ss; - u_int len; + int len; int i; if (src->sa_family != dst->sa_family) { @@ -553,7 +512,12 @@ sendfromto(s, buf, buflen, src, dst, cnt) if (len < 0) { plog(LLV_ERROR, LOCATION, NULL, "sendmsg (%s)\n", strerror(errno)); - return -1; + if (errno != EHOSTUNREACH && errno != ENETDOWN && errno != ENETUNREACH) { + return -1; + } + // treat these failures like + // packet loss, in case the network interface is flaky + len = 0; } plog(LLV_DEBUG, LOCATION, NULL, "%d times of %d bytes message will be sent " 
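Review bot: In this sendmsg error path of sendfromto() the three errno values are now downgraded to packet loss with `len = 0`, but unlike the sendto path later in the same file there is no log line saying so; the only record is the preceding "sendmsg (%s)" error, after which the debug line reports "0 bytes message will be sent". Add the same notice the sendto branch emits, `plog(LLV_ERROR, LOCATION, NULL, "treating socket error (%s) like packet loss\n", strerror(errno));`, and note at `len = 0` that the function deliberately returns 0 so callers fall back on retransmission. sendfromto() starts and ends outside this hunk.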
@@ -565,64 +529,6 @@ sendfromto(s, buf, buflen, src, dst, cnt) return len; } #endif -#ifdef __linux__ - case AF_INET: - { - struct msghdr m; - struct cmsghdr *cm; - struct iovec iov[2]; - u_char cmsgbuf[256]; - struct in_pktinfo *pi; - int ifindex = 0; - struct sockaddr_in src6, dst6; - - memcpy(&src6, src, sizeof(src6)); - memcpy(&dst6, dst, sizeof(dst6)); - - memset(&m, 0, sizeof(m)); - m.msg_name = (caddr_t)&dst6; - m.msg_namelen = sizeof(dst6); - iov[0].iov_base = (char *)buf; - iov[0].iov_len = buflen; - m.msg_iov = iov; - m.msg_iovlen = 1; - - memset(cmsgbuf, 0, sizeof(cmsgbuf)); - cm = (struct cmsghdr *)cmsgbuf; - m.msg_control = (caddr_t)cm; - m.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); - - cm->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); - cm->cmsg_level = IPPROTO_IP; - cm->cmsg_type = IP_PKTINFO; - pi = (struct in_pktinfo *)CMSG_DATA(cm); - memcpy(&pi->ipi_spec_dst, &src6.sin_addr, sizeof(src6.sin_addr)); - pi->ipi_ifindex = ifindex; - - plog(LLV_DEBUG, LOCATION, NULL, - "src4 %s\n", - saddr2str((struct sockaddr *)&src6)); - plog(LLV_DEBUG, LOCATION, NULL, - "dst4 %s\n", - saddr2str((struct sockaddr *)&dst6)); - - for (i = 0; i < cnt; i++) { - len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/); - if (len < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "sendmsg (%s)\n", strerror(errno)); - return -1; - } - plog(LLV_DEBUG, LOCATION, NULL, - "%d times of %d bytes message will be sent " - "to %s\n", - i + 1, len, saddr2str(dst)); - } - plogdump(LLV_DEBUG, (char *)buf, buflen); - - return len; - } -#endif /* __linux__ */ default: { int needclose = 0; @@ -647,11 +553,7 @@ sendfromto(s, buf, buflen, src, dst, cnt) return -1; } if (setsockopt(sendsock, SOL_SOCKET, -#ifdef __linux__ - SO_REUSEADDR, -#else SO_REUSEPORT, -#endif (void *)&yes, sizeof(yes)) < 0) { plog(LLV_ERROR, LOCATION, NULL, "setsockopt SO_REUSEPORT (%s)\n", 
@@ -689,9 +591,15 @@ sendfromto(s, buf, buflen, src, dst, cnt) if (len < 0) { plog(LLV_ERROR, LOCATION, NULL, "sendto (%s)\n", strerror(errno)); - if (needclose) - close(sendsock); - return len; + if (errno != EHOSTUNREACH && errno != ENETDOWN && errno != ENETUNREACH) { + if (needclose) + close(sendsock); + return -1; + } + plog(LLV_ERROR, LOCATION, NULL, + "treating socket error (%s) like packet loss\n", strerror(errno)); + // else treat these failures like a packet loss + len = 0; } plog(LLV_DEBUG, LOCATION, NULL, "%d times of %d bytes message will be sent " @@ -783,16 +691,8 @@ newsaddr(len) "%s\n", strerror(errno)); goto out; } - -#ifdef __linux__ - if (len == sizeof (struct sockaddr_in6)) - new->sa_family = AF_INET6; - else - new->sa_family = AF_INET; -#else /* initial */ new->sa_len = len; -#endif out: return new; } @@ -822,8 +722,10 @@ saddr2str(saddr) static char buf[NI_MAXHOST + NI_MAXSERV + 10]; char addr[NI_MAXHOST], port[NI_MAXSERV]; - if (saddr == NULL) - return NULL; + if (saddr == NULL) { + buf[0] = '\0'; + return buf; + } if (saddr->sa_family == AF_UNSPEC) snprintf (buf, sizeof(buf), "%s", "anonymous"); @@ -842,9 +744,11 @@ saddrwop2str(saddr) static char buf[NI_MAXHOST + NI_MAXSERV + 10]; char addr[NI_MAXHOST]; - if (saddr == NULL) - return NULL; - + if (saddr == NULL) { + buf[0] = '\0'; + return buf; + } + GETNAMEINFO_NULL(saddr, addr); snprintf(buf, sizeof(buf), "%s", addr); @@ -857,9 +761,11 @@ naddrwop2str(const struct netaddr *naddr) static char buf[NI_MAXHOST + 10]; static const struct sockaddr sa_any; /* this is initialized to all zeros */ - if (naddr == NULL) - return NULL; - + if (naddr == NULL) { + buf[0] = '\0'; + return buf; + } + if (memcmp(&naddr->sa, &sa_any, sizeof(sa_any)) == 0) snprintf(buf, sizeof(buf), "%s", "any"); else { 
@@ -898,15 +804,27 @@ saddr2str_fromto(format, saddr, daddr) static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100]; char *src, *dst; - src = racoon_strdup(saddr2str(saddr)); - dst = racoon_strdup(saddr2str(daddr)); - STRDUP_FATAL(src); - STRDUP_FATAL(dst); + if (saddr) { + src = racoon_strdup(saddr2str(saddr)); + STRDUP_FATAL(src); + } else { + src = NULL; + } + if (daddr) { + dst = racoon_strdup(saddr2str(daddr)); + STRDUP_FATAL(dst); + } else { + dst = NULL; + } /* WARNING: Be careful about the format string! Don't ever pass in something that a user can modify!!! */ - snprintf (buf, sizeof(buf), format, src, dst); - racoon_free (src); - racoon_free (dst); + snprintf (buf, sizeof(buf), format, src? src:"[null]", dst? dst:"[null]"); + if (src) { + racoon_free (src); + } + if (dst) { + racoon_free (dst); + } return buf; } diff --git a/ipsec-tools/racoon/vendorid.c b/ipsec-tools/racoon/vendorid.c index 7a12f5f..f2aec4a 100644 --- a/ipsec-tools/racoon/vendorid.c +++ b/ipsec-tools/racoon/vendorid.c @@ -67,9 +67,7 @@ static struct vendor_id all_vendor_ids[] = { { VENDORID_NATT_06 , "draft-ietf-ipsec-nat-t-ike-06" }, { VENDORID_NATT_07 , "draft-ietf-ipsec-nat-t-ike-07" }, { VENDORID_NATT_08 , "draft-ietf-ipsec-nat-t-ike-08" }, -#ifdef __APPLE__ { VENDORID_NATT_APPLE , "draft-ietf-ipsec-nat-t-ike" }, -#endif { VENDORID_NATT_RFC , "RFC 3947" }, { VENDORID_XAUTH , "draft-ietf-ipsra-isakmp-xauth-06.txt" }, { VENDORID_UNITY , "CISCO-UNITY" }, @@ -232,7 +230,8 @@ check_vendorid(struct isakmp_gen *gen) return current->id; unknown: - plog(LLV_DEBUG, LOCATION, NULL, "received unknown Vendor ID\n"); + plog(LLV_DEBUG, LOCATION, NULL, "received unknown Vendor ID:\n"); + plogdump(LLV_DEBUG, (char *)(gen + 1), vidlen); return (VENDORID_UNKNOWN); } diff --git a/ipsec-tools/racoon/vendorid.h b/ipsec-tools/racoon/vendorid.h index d3ecf67..d66ef73 100644 --- a/ipsec-tools/racoon/vendorid.h +++ b/ipsec-tools/racoon/vendorid.h 
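Review bot: The plogdump() added at the `unknown:` label of check_vendorid() dumps `vidlen` bytes starting at `gen + 1`, where `vidlen` is derived from the peer-supplied payload length earlier in the function, outside this hunk; if that value is not bounded against the received packet before the lookup loop, a malformed Vendor ID payload makes this debug dump read past the packet. Worth confirming that vidlen is validated before this point, or clamping the dump length here, and saying so in a comment, e.g. `/* vidlen was checked against the payload length above */`.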
@@ -61,7 +61,6 @@ #define VENDORID_NATT_07 12 #define VENDORID_NATT_08 13 -#ifdef __APPLE__ #define VENDORID_NATT_APPLE 14 #define VENDORID_NATT_RFC 15 /* Hybrid auth */ @@ -71,16 +70,6 @@ #define VENDORID_FRAG 18 /* Dead Peer Detection */ #define VENDORID_DPD 19 -#else /* __APPLE__ */ -#define VENDORID_NATT_RFC 14 -/* Hybrid auth */ -#define VENDORID_XAUTH 15 -#define VENDORID_UNITY 16 -/* IKE fragmentation */ -#define VENDORID_FRAG 17 -/* Dead Peer Detection */ -#define VENDORID_DPD 18 -#endif /* __APPLE__ */ #define VENDORID_NATT_FIRST VENDORID_NATT_00 #define VENDORID_NATT_LAST VENDORID_NATT_RFC diff --git a/ipsec-tools/racoon/vmbuf.h b/ipsec-tools/racoon/vmbuf.h index 9bc6943..0254d7c 100644 --- a/ipsec-tools/racoon/vmbuf.h +++ b/ipsec-tools/racoon/vmbuf.h @@ -60,10 +60,8 @@ do { \ } \ } while(0); -#if defined(__APPLE__) && defined(__MACH__) /* vfree is already defined in Apple's system libraries */ #define vfree vmbuf_free -#endif extern vchar_t *vmalloc __P((size_t)); extern vchar_t *vrealloc __P((vchar_t *, size_t)); diff --git a/ipsec-tools/racoon/vpn.c b/ipsec-tools/racoon/vpn.c index 4e6e8d2..34753ff 100644 --- a/ipsec-tools/racoon/vpn.c +++ b/ipsec-tools/racoon/vpn.c @@ -58,11 +58,7 @@ #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #ifndef HAVE_NETINET6_IPSEC @@ -118,12 +114,13 @@ #include "vpn_control_var.h" #include "strnames.h" #include "ike_session.h" +#include "ipsecMessageTracer.h" static int vpn_get_ph2pfs(struct ph1handle *); int -vpn_connect(struct bound_addr *srv) +vpn_connect(struct bound_addr *srv, int oper) { int error = -1; struct sockaddr *dst; @@ -192,8 +189,11 @@ vpn_connect(struct bound_addr *srv) "accept a request to establish IKE-SA: " "%s\n", saddrwop2str(remote)); + IPSECLOGASLMSG("IPSec connecting to server %s\n", + saddrwop2str(remote)); + /* begin ident mode */ - if (isakmp_ph1begin_i(rmconf, remote, local, 1) < 0) + if (isakmp_ph1begin_i(rmconf, remote, local, oper) < 0) goto out1; error = 0; 
@@ -220,7 +220,11 @@ vpn_disconnect(struct bound_addr *srv) saddr.sin_addr.s_addr = srv->address; saddr.sin_port = 0; saddr.sin_family = AF_INET; - ike_sessions_stopped_by_controller(&saddr, + + IPSECLOGASLMSG("IPSec disconnecting from server %s\n", + saddrwop2str(&saddr)); + + ike_sessions_stopped_by_controller(&saddr, 0, ike_session_stopped_by_vpn_disconnect); if (purgephXbydstaddrwop((struct sockaddr *)(&saddr)) > 0) { @@ -478,6 +482,8 @@ vpn_get_config(struct ph1handle *iph1, struct vpnctl_status_phase_change **msg, memcpy(cptr, iph1->mode_cfg->attr_list->v, iph1->mode_cfg->attr_list->l); *msg_size = msize; + IPSECLOGASLMSG("IPSec Network Configuration established.\n"); + return 0; } @@ -556,9 +562,22 @@ vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len) VPTRINIT(iph1->xauth_awaiting_userinput_msg); ike_session_stop_xauth_timer(iph1); + IPSECLOGASLMSG("IPSec Extended Authentication sent.\n"); + end: if (payload) vfree(payload); return error; } +int +vpn_assert(struct sockaddr *src_addr, struct sockaddr *dst_addr) +{ + if (ike_session_assert(src_addr, dst_addr)) { + plog(LLV_ERROR, LOCATION, NULL, + "cannot assert - no matching session.\n"); + return -1; + } + + return 0; +} diff --git a/ipsec-tools/racoon/vpn.h b/ipsec-tools/racoon/vpn.h index ff8274b..7cab472 100644 --- a/ipsec-tools/racoon/vpn.h +++ b/ipsec-tools/racoon/vpn.h @@ -49,5 +49,4 @@ * SUCH DAMAGE. */ - -int vpn_connect __P((struct bound_addr *)); +int vpn_connect __P((struct bound_addr *, int)); diff --git a/ipsec-tools/racoon/vpn_control.c b/ipsec-tools/racoon/vpn_control.c index cc81603..3a6f7fa 100644 --- a/ipsec-tools/racoon/vpn_control.c +++ b/ipsec-tools/racoon/vpn_control.c @@ -103,6 +103,7 @@ #include "isakmp_inf.h" #include "session.h" #include "gcmalloc.h" +#include "isakmp_cfg.h" #ifdef ENABLE_VPNCONTROL_PORT char *vpncontrolsock_path = VPNCONTROLSOCK_PATH; 
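Review bot: `saddrwop2str(&saddr)` in vpn_disconnect() passes a `struct sockaddr_in *` where the sibling purgephXbydstaddrwop() call two lines below casts the same variable to `struct sockaddr *`; assuming saddrwop2str() takes `struct sockaddr *` like saddr2str() does, this is an incompatible-pointer warning waiting to happen. Make it consistent: `saddrwop2str((struct sockaddr *)&saddr));`. vpn_disconnect() continues outside this hunk.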
@@ -420,7 +421,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf)
 LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
 if (pkt->address == addr->address) {
 /* start the connection */
- error = vpn_connect(addr);
+ error = vpn_connect(addr, VPN_STARTED_BY_API);
 break;
 }
 }
@@ -490,6 +491,55 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf)
 }
 break;
+ case VPNCTL_CMD_ASSERT:
+ {
+ struct vpnctl_cmd_assert *pkt = (struct vpnctl_cmd_assert *)combuf;
+// struct bound_addr *addr;
+// struct bound_addr *t_addr;
+ struct sockaddr_in saddr;
+ struct sockaddr_in daddr;
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received assert command on vpn control socket.\n");
+ plogdump(LLV_DEBUG2, pkt, ntohs(hdr->len) + sizeof(struct vpnctl_hdr));
+// LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
+// if (pkt->dst_address == addr->address) {
+ bzero(&saddr, sizeof(saddr));
+ saddr.sin_len = sizeof(saddr);
+ saddr.sin_addr.s_addr = pkt->src_address;
+ saddr.sin_port = 0;
+ saddr.sin_family = AF_INET;
+ bzero(&daddr, sizeof(daddr));
+ daddr.sin_len = sizeof(daddr);
+ daddr.sin_addr.s_addr = pkt->dst_address;
+ daddr.sin_port = 0;
+ daddr.sin_family = AF_INET;
+
+ error = vpn_assert((struct sockaddr *)&saddr, (struct sockaddr *)&daddr);
+ break;
+// }
+// }
+ }
+ break;
+
+ case VPNCTL_CMD_RECONNECT:
+ {
+ struct vpnctl_cmd_connect *pkt = (struct vpnctl_cmd_connect *)combuf;
+ struct bound_addr *addr;
+ struct bound_addr *t_addr;
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received reconnect command on vpn control socket.\n");
+ LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
+ if (pkt->address == addr->address) {
+ /* start the connection */
+ error = vpn_connect(addr, VPN_RESTARTED_BY_API);
+ break;
+ }
+ }
+ }
+ break;
+
 default:
 plog(LLV_ERROR, LOCATION, NULL,
 "invalid command: %d\n", ntohs(hdr->msg_type));
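Review bot: The VPNCTL_CMD_ASSERT handler acts on whatever `src_address`/`dst_address` the control client supplies, whereas the connect and reconnect handlers in this same function only proceed when `pkt->address` matches one of the socket's bound addresses; the equivalent `LIST_FOREACH_SAFE` / `if (pkt->dst_address == addr->address)` filter is present here but commented out, together with the `addr`/`t_addr` declarations. If dropping the filter was deliberate, the dead `//` lines should be removed and a comment should say why assert needs no bound-address match; otherwise the filter should be restored as below. Whether the dispatcher has already checked `ntohs(hdr->len)` against `sizeof(struct vpnctl_cmd_assert)` before `pkt->src_address` is read is not visible in this hunk and should be confirmed. vpncontrol_process begins and ends outside the hunk.
```c
case VPNCTL_CMD_ASSERT:
{
	struct vpnctl_cmd_assert *pkt = (struct vpnctl_cmd_assert *)combuf;
	struct bound_addr *addr;
	struct bound_addr *t_addr;
	struct sockaddr_in saddr;
	struct sockaddr_in daddr;

	/* … unchanged: plog / plogdump of the received command … */
	LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
		if (pkt->dst_address != addr->address)
			continue;	/* only addresses this client bound to */
		/* … unchanged: fill saddr from pkt->src_address, daddr from pkt->dst_address … */
		error = vpn_assert((struct sockaddr *)&saddr, (struct sockaddr *)&daddr);
		break;
	}
}
break;
```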
@@ -645,7 +695,7 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle *iph1
 plog(LLV_DEBUG, LOCATION, NULL,
 "sending vpn_control phase change status\n");
- if (iph1 && !start && iph1->mode_cfg) {
+ if (iph1 && !start && iph1->mode_cfg && iph1->mode_cfg->xauth.status != XAUTHST_OK) {
 if (vpn_get_config(iph1, &msg, &msg_size) == 1)
 return 0; /* mode config not finished yet */
 } else {
@@ -700,6 +750,84 @@ end:
 return 0;
 }
+static int
+vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address)
+{
+ struct vpnctl_status_peer_resp msg;
+ struct vpnctl_socket_elem *sock_elem;
+ struct bound_addr *bound_addr;
+ size_t tlen;
+ int rc = -1;
+
+ bzero(&msg, sizeof(msg));
+ msg.hdr.msg_type = htons(VPNCTL_STATUS_PEER_RESP);
+ msg.hdr.cookie = msg.hdr.reserved = msg.hdr.result = 0;
+ msg.hdr.len = htons(sizeof(msg) - sizeof(msg.hdr));
+ msg.address = address;
+ msg.ike_code = notify_code;
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "sending vpn_control status (peer response) message - code=%d addr=%x.\n", notify_code, address);
+
+ LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) {
+ LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) {
+ if (bound_addr->address == 0xFFFFFFFF ||
+ bound_addr->address == address) {
+ tlen = send(sock_elem->sock, &msg, sizeof(msg), 0);
+ if (tlen < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "unable to send vpn_control status (peer response): %s\n", strerror(errno));
+ } else {
+ rc = 0;
+ }
+ break;
+ }
+ }
+ }
+
+ return rc;
+}
+
+int
+vpncontrol_notify_peer_resp_ph1 (u_int16_t notify_code, struct ph1handle *iph1)
+{
+ u_int32_t address;
+ int rc;
+
+ if (iph1 && iph1->parent_session && iph1->parent_session->controller_awaiting_peer_resp) {
+ if (iph1->remote->sa_family == AF_INET)
+ address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
+ else
+ address = 0;
+ } else {
+ return 0;
+ }
+
+ if ((rc = vpncontrol_notify_peer_resp(notify_code, address)) == 0) {
+ iph1->parent_session->controller_awaiting_peer_resp = 0;
+ }
+ return rc;
+}
+
+int
+vpncontrol_notify_peer_resp_ph2 (u_int16_t notify_code, struct ph2handle *iph2)
+{
+ u_int32_t address;
+ int rc;
+
+ if (iph2 && iph2->parent_session && iph2->parent_session->controller_awaiting_peer_resp) {
+ if (iph2->dst->sa_family == AF_INET)
+ address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
+ else
+ address = 0;
+ } else {
+ return 0;
+ }
+
+ if ((rc = vpncontrol_notify_peer_resp(notify_code, address)) == 0) {
+ iph2->parent_session->controller_awaiting_peer_resp = 0;
+ }
+ return rc;
+}
 int
 vpncontrol_init()
diff --git a/ipsec-tools/racoon/vpn_control.h b/ipsec-tools/racoon/vpn_control.h
index 7f52515..5144465 100644
--- a/ipsec-tools/racoon/vpn_control.h
+++ b/ipsec-tools/racoon/vpn_control.h
@@ -81,6 +81,8 @@ extern mode_t vpncontrolsock_mode;
 #define VPNCTL_CMD_START_PH2 0x0013
 #define VPNCTL_CMD_XAUTH_INFO 0x0014
 #define VPNCTL_CMD_START_DPD 0x0015
+#define VPNCTL_CMD_ASSERT 0x0016
+#define VPNCTL_CMD_RECONNECT 0x0017
 #define VPNCTL_STATUS_IKE_FAILED 0x8001
 #define VPNCTL_STATUS_PH1_START_US 0x8011
 #define VPNCTL_STATUS_PH1_START_PEER 0x8012
@@ -89,6 +91,7 @@ extern mode_t vpncontrolsock_mode;
 #define VPNCTL_STATUS_PH2_ESTABLISHED 0x8022
 #define VPNCTL_STATUS_NEED_AUTHINFO 0x8101
 #define VPNCTL_STATUS_NEED_REAUTHINFO 0x8102
+#define VPNCTL_STATUS_PEER_RESP 0x8103
 /*
 * Flags
@@ -232,6 +235,13 @@ struct vpnctl_cmd_start_ph2 {
 /* array of struct vpnctl_algo */
 };
+/* assert connection (after network change) */
+struct vpnctl_cmd_assert {
+ struct vpnctl_hdr hdr;
+ u_int32_t src_address;
+ u_int32_t dst_address;
+};
+
 /* set xauth info */
 struct vpnctl_cmd_xauth_info {
 struct vpnctl_hdr hdr;
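Review bot: `tlen` is declared `size_t` but receives the `ssize_t` result of `send()`, so the `if (tlen < 0)` test in vpncontrol_notify_peer_resp can never be true: a failed send is neither logged nor reflected in `rc`, which is set to 0 and makes both callers clear `controller_awaiting_peer_resp` as if the status had been delivered. Change the declaration to `ssize_t tlen;`. Separately, `msg.ike_code = notify_code;` is stored in host order while `msg_type` and `len` go through htons(); whether the controller side expects host order for this field is not visible here and should be confirmed. The ph1/ph2 wrappers dereference `iph1->remote` / `iph2->dst` without a null check; if those pointers are guaranteed non-null for a handle that reaches this point, a comment saying so would help the next reader.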
@@ -290,9 +300,12 @@ struct vpnctl_cmd_start_dpd {
 #define VPNCTL_NTYPE_PEER_DEAD 50001 /* detected by DPD */
 #define VPNCTL_NTYPE_PH1_DELETE 50002 /* received a delete payload leaving no PH1 SA for the remote address */
 #define VPNCTL_NTYPE_IDLE_TIMEOUT 50003
-#define VPNCTL_NTYPE_PH1_DELETE_CERT_ERROR VPNCTL_NTYPE_IDLE_TIMEOUT /* used for offsetting cert errors */
-#define VPNCTL_NTYPE_PH1_DELETE_CERT_PREMATURE 50004 /* received a delete payload & there was a cert verification error leaving no PH1 SA for the remote address */
-#define VPNCTL_NTYPE_PH1_DELETE_CERT_EXPIRED 50005 /* received a delete payload & there was a cert verification error leaving no PH1 SA for the remote address */
+#define VPNCTL_NTYPE_LOCAL_CERT_PREMATURE 50004 /* certificate is premature */
+#define VPNCTL_NTYPE_LOCAL_CERT_EXPIRED 50005 /* certificate has expired */
+#define VPNCTL_NTYPE_PEER_CERT_PREMATURE 50006 /* peer's certificate is premature */
+#define VPNCTL_NTYPE_PEER_CERT_EXPIRED 50007 /* peer's certificate has expired */
+#define VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJNAME 50008 /* peer's certificate has an invalid subjname */
+#define VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJALTNAME 50009 /* peer's certificate has an invalid subjaltname */
 #define VPNCTL_NTYPE_INTERNAL_ERROR -1
@@ -340,5 +353,10 @@ struct vpnctl_status_failed {
 u_int8_t data[0];
 };
+struct vpnctl_status_peer_resp {
+ struct vpnctl_hdr hdr;
+ u_int32_t address;
+ u_int16_t ike_code;
+};
 #endif /* _VPN_CONTROL_H */
diff --git a/ipsec-tools/racoon/vpn_control_var.h b/ipsec-tools/racoon/vpn_control_var.h
index 79cf667..5db8ff7 100644
--- a/ipsec-tools/racoon/vpn_control_var.h
+++ b/ipsec-tools/racoon/vpn_control_var.h
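Review bot: Notification codes 50004 and 50005 change meaning in this hunk — they were VPNCTL_NTYPE_PH1_DELETE_CERT_PREMATURE/EXPIRED and now name VPNCTL_NTYPE_LOCAL_CERT_PREMATURE/EXPIRED — and the VPNCTL_NTYPE_PH1_DELETE_CERT_ERROR offset alias is removed outright. A control client built against the previous header will interpret those two codes differently, and nothing in the header records that the numbering was reassigned. I would add above the block: `/* NOTE: 50004/50005 previously meant PH1_DELETE_CERT_PREMATURE/EXPIRED; controllers must be rebuilt against this header */`.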
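Review bot: `struct vpnctl_status_peer_resp` follows a 4-byte `address` with a 2-byte `ike_code`, so unless this header packs its structs (not visible here) `sizeof` includes two bytes of trailing padding; vpncontrol_notify_peer_resp in this diff sends `sizeof(msg)` and advertises `sizeof(msg) - sizeof(msg.hdr)` in `hdr.len`, so the padding travels on the wire. The sender zeroes the struct first, so no stale bytes leak, but a receiver that validates `len` against the two real fields would reject the message. Either a comment on the struct such as `/* hdr.len covers address + ike_code plus 2 bytes of struct padding; the sender zeroes them */`, or an explicit `u_int16_t reserved;` trailing field, would make the layout unambiguous.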
@@ -56,6 +56,12 @@
 #include "vpn_control.h"
+enum {
+ VPN_STARTED_BY_API = 1,
+ VPN_STARTED_BY_ADMIN,
+ VPN_RESTARTED_BY_API,
+};
+
 extern int vpncontrol_handler __P((void));
 extern int vpncontrol_comm_handler __P((struct vpnctl_socket_elem *));
 extern int vpncontrol_notify_ike_failed __P((u_int16_t, u_int16_t, u_int32_t, u_int16_t, u_int8_t*));
@@ -63,9 +69,12 @@ extern int vpncontrol_notify_phase_change __P((int, u_int16_t, struct ph1handle*
 extern int vpncontrol_init __P((void));
 extern void vpncontrol_close __P((void));
 extern int vpn_control_connected __P((void));
-extern int vpn_connect __P((struct bound_addr *));
+extern int vpn_connect __P((struct bound_addr *, int));
 extern int vpn_disconnect __P((struct bound_addr *));
 extern int vpn_start_ph2 __P((struct bound_addr *, struct vpnctl_cmd_start_ph2 *));
 extern int vpncontrol_notify_need_authinfo __P((struct ph1handle *, void*, size_t));
+extern int vpncontrol_notify_peer_resp_ph1 __P((u_int16_t, struct ph1handle*));
+extern int vpncontrol_notify_peer_resp_ph2 __P((u_int16_t, struct ph2handle*));
+extern int vpn_assert __P((struct sockaddr *, struct sockaddr *));
 #endif /* _VPN_CONTROL_VAR_H */
diff --git a/ipsec-tools/setkey/parse.y b/ipsec-tools/setkey/parse.y
index 6b99dea..6578a54 100644
--- a/ipsec-tools/setkey/parse.y
+++ b/ipsec-tools/setkey/parse.y
@@ -40,11 +40,7 @@
 #include
 #include
-#ifdef __APPLE__
 #include
-#else
-#include
-#endif
 #ifdef HAVE_NETINET6_IPSEC
 # include
 #else
diff --git a/ipsec-tools/setkey/setkey.c b/ipsec-tools/setkey/setkey.c
index 0cb3a85..f99f03c 100644
--- a/ipsec-tools/setkey/setkey.c
+++ b/ipsec-tools/setkey/setkey.c
@@ -41,11 +41,7 @@
 #include
 #include
 #include
-#ifdef __APPLE__
 #include
-#else
-#include
-#endif
 #ifdef HAVE_NETINET6_IPSEC
 # include
 #else
diff --git a/ipsec-tools/setkey/test-pfkey.c b/ipsec-tools/setkey/test-pfkey.c
index fb80000..857cbb7 100644
--- a/ipsec-tools/setkey/test-pfkey.c
+++ b/ipsec-tools/setkey/test-pfkey.c
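Review bot: The new anonymous enum carries no comment saying what its members represent or where they are consumed; from the other hunks in this diff they are the `oper` argument of vpn_connect (VPN_STARTED_BY_API from the connect command, VPN_RESTARTED_BY_API from the reconnect command), which forwards the value to isakmp_ph1begin_i. I would put above `enum {`: `/* How a connection was initiated; passed as the oper argument of vpn_connect() and on to isakmp_ph1begin_i(). Starts at 1 because isakmp_ph1begin_i was previously always called with 1. */`. VPN_STARTED_BY_ADMIN is not referenced in any hunk visible here, so its use site should be confirmed or the comment should say it is reserved.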
@@ -34,17 +34,10 @@ #include #include #include -#ifdef __APPLE__ #include #include #include #include -#else -#include -#include -#include -#include -#endif #include #include diff --git a/ipsec-tools/setkey/token.l b/ipsec-tools/setkey/token.l index a890d95..5d76543 100644 --- a/ipsec-tools/setkey/token.l +++ b/ipsec-tools/setkey/token.l @@ -39,11 +39,7 @@ #include #include #include -#ifdef __APPLE__ #include -#else -#include -#endif #include #ifdef HAVE_NETINET6_IPSEC # include @@ -59,11 +55,7 @@ #include #include "vchar.h" -#if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) -#include "parse.h" -#else #include "y.tab.h" -#endif #include "extern.h" diff --git a/ipsec.plist b/ipsec.plist index 2b0ea9c..aa53f4e 100644 --- a/ipsec.plist +++ b/ipsec.plist 
@@ -1,29 +1,72 @@ -( - { - "OpenSourceModifications" = ( - "Several security updates, memory leak fixes from 0.7.1 (ported by Les Aug/08)", - ); - OpenSourceProject = racoon; - OpenSourceVersion = "0.6.7"; - OpenSourceWebsiteURL = "http://www.sourceforge.net/projects/ipsec-tools"; - OpenSourceURL = "http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src"; - }, - { - OpenSourceProject = libipsec; - OpenSourceVersion = "0.6.5"; - OpenSourceWebsiteURL = "http://www.sourceforge.net/projects/ipsec-tools"; - OpenSourceURL = "http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src"; - }, - { - OpenSourceProject = setkey; - OpenSourceVersion = "0.6.5"; - OpenSourceWebsiteURL = "http://www.sourceforge.net/projects/ipsec-tools"; - OpenSourceURL = "http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src"; - }, - { - OpenSourceProject = racoonctl; - OpenSourceVersion = "0.6.5"; - OpenSourceWebsiteURL = "http://www.sourceforge.net/projects/ipsec-tools"; - OpenSourceURL = "http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src"; - }, -) \ No newline at end of file + + + + OpenSourceProject + racoon + OpenSourceImportDate + 2002-04-01 + OpenSourceVersion + Original version number unavailable, but later based on 0.6.7 + OpenSourceWebsiteURL + http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src + OpenSourceSCM + cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src + OpenSourceModifications + + Several select security updates, memory leak fixes from 0.7.2 + + OpenSourceLicense + BSD + OpenSourceLicenseFile + ipsec.txt + + + OpenSourceProject + libipsec + OpenSourceImportDate + 2002-04-01 + OpenSourceVersion + Original version number unavailable, but later based on 0.6.5 + OpenSourceWebsiteURL + http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src + OpenSourceSCM + cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src + 
OpenSourceLicense + BSD + OpenSourceLicenseFile + ipsec.txt + + + OpenSourceProject + setkey + OpenSourceImportDate + 2002-04-01 + OpenSourceVersion + Original version number unavailable, but later based on 0.6.5 + OpenSourceWebsiteURL + http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src + OpenSourceSCM + cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src + OpenSourceLicense + BSD + OpenSourceLicenseFile + ipsec.txt + + + OpenSourceProject + racoonctl + OpenSourceImportDate + 2002-04-01 + OpenSourceVersion + Original version number unavailable, but later based on 0.6.5 + OpenSourceWebsiteURL + http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src + OpenSourceSCM + cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -A -P src/crypto/dist/ipsec-tools/src + OpenSourceLicense + BSD + OpenSourceLicenseFile + ipsec.txt + + + diff --git a/ipsec.txt b/ipsec.txt new file mode 100644 index 0000000..6115d16 --- /dev/null +++ b/ipsec.txt 
@@ -0,0 +1,150 @@ +1) + Majority of the code in libipsec, racoon, racoonctl, and setkey is distributed under the following WIDE license: + + Copyright (C) 1995-2003 WIDE Project. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the project nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +2) + Parts of the code in racoon is distributed under the following license (in addition to the aforementioned WIDE license): + + Copyright (C) 2004-2006 Emmanuel Dreyfus + All rights reserved. 
+ + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the project nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +3) + Parts of the code in racoon is distributed under the following license (in addition to the aforementioned WIDE license): + + Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany. + Contributed by: Michal Ludvig , SUSE Labs + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the project nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +3) + Parts of the code in racoon is distributed under the following license (in addition to the aforementioned WIDE license): + + Copyright 2000 Wasabi Systems, Inc. + All rights reserved. + + This software was written by Frank van der Linden of Wasabi Systems + for Zembu Labs, Inc. http://www.zembu.com/ + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. The name of Wasabi Systems, Inc. 
may not be used to endorse + or promote products derived from this software without specific prior + written permission. + + THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC + BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +4) + Parts of the Rijndael code in racoon was done by Vincent Rijmen, Antoon Bosselaers + and Paulo Barreto is in the public domain and distributed + with the following license: + + @version 2.4 + + Optimised ANSI C code for the Rijndael cipher (now AES) + + @author Vincent Rijmen + @author Antoon Bosselaers + @author Paulo Barreto + + This code is hereby placed in the public domain. + + THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS + OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE + LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/ipsec.xcodeproj/project.pbxproj b/ipsec.xcodeproj/project.pbxproj index 57d9478..75b86e1 100644 --- a/ipsec.xcodeproj/project.pbxproj +++ b/ipsec.xcodeproj/project.pbxproj @@ -12,6 +12,7 @@ buildConfigurationList = 25D3DAB8098952B20025F703 /* Build configuration list for PBXAggregateTarget "IPSec (Aggregate)" */; buildPhases = ( 72265DD80F818ED700730A7D /* CopyFiles */, + BAA6806112B17CF900ACF6D3 /* CopyFiles */, ); dependencies = ( 25D3DDE30989AFDE0025F703 /* PBXTargetDependency */, @@ -32,7 +33,6 @@ 812531110D3FEA28006BDF4F /* PBXTargetDependency */, 81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */, 8125312C0D3FEA44006BDF4F /* PBXTargetDependency */, - 81DDFDDB0D622C5100C5CB87 /* PBXTargetDependency */, 81DDFDF10D627DE300C5CB87 /* PBXTargetDependency */, ); name = "IPSec Embedded (Aggregate)"; 
@@ -209,7 +209,6 @@ 812530EB0D3FE9DC006BDF4F /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; }; 812530EC0D3FE9DC006BDF4F /* nattraversal.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258F00988657000D15623 /* nattraversal.c */; }; 812530ED0D3FE9DC006BDF4F /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; }; - 812530EE0D3FE9DC006BDF4F /* rsalist.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259100988657000D15623 /* rsalist.c */; }; 812530EF0D3FE9DC006BDF4F /* isakmp_cfg.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D50988657000D15623 /* isakmp_cfg.c */; }; 812530F00D3FE9DC006BDF4F /* isakmp_unity.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E10988657000D15623 /* isakmp_unity.c */; }; 812530F10D3FE9DC006BDF4F /* isakmp_xauth.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E40988657000D15623 /* isakmp_xauth.c */; }; @@ -233,7 +232,6 @@ 8167917B0D650BAA006B523F /* racoon.conf in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103A0D5BE18800C7B441 /* racoon.conf */; }; 8176A6B90D45661700BC5251 /* libldap.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8176A6B80D45661700BC5251 /* libldap.dylib */; }; 817FFC4E0D6134A7004A8DD8 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; - 817FFC4F0D6134AD004A8DD8 /* rsaparse.o in Frameworks */ = {isa = PBXBuildFile; fileRef = 25E08C9A09D9E64A001A11CF /* rsaparse.o */; }; 817FFC5A0D613729004A8DD8 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; 818710410D5BE22B00C7B441 /* psk.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103D0D5BE1CF00C7B441 /* psk.txt */; }; 818710420D5BE22F00C7B441 /* racoon.conf in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103B0D5BE1B400C7B441 /* racoon.conf */; }; 
@@ -269,21 +267,28 @@ 81DDFDC50D622C2700C5CB87 /* ipsec_strerror.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 252DF9550989B4EE00E5B678 /* ipsec_strerror.3 */; }; 81DDFDC60D622C2700C5CB87 /* ipsec_get_policylen.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 81EDB0680B5D8D8900840BC7 /* ipsec_get_policylen.3 */; }; 81DDFDC70D622C2700C5CB87 /* ipsec_dump_policy.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 81EDB0670B5D8D7000840BC7 /* ipsec_dump_policy.3 */; }; - 81DDFDD00D622C3500C5CB87 /* prsa_par.y in Sources */ = {isa = PBXBuildFile; fileRef = 2589CBA809D8B727002DC960 /* prsa_par.y */; }; - 81DDFDD10D622C3500C5CB87 /* prsa_tok.l in Sources */ = {isa = PBXBuildFile; fileRef = 2589CBAA09D8B727002DC960 /* prsa_tok.l */; }; 81EDB0690B5D8D9600840BC7 /* ipsec_get_policylen.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 81EDB0680B5D8D8900840BC7 /* ipsec_get_policylen.3 */; }; 81EDB06A0B5D8D9A00840BC7 /* ipsec_dump_policy.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 81EDB0670B5D8D7000840BC7 /* ipsec_dump_policy.3 */; }; 834072A90EDCC5AC00B6CCE8 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; }; 8D5B16750E5F7F4E00E72675 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8D5B16230E5F7E9300E72675 /* libresolv.dylib */; }; 8D5B167D0E5F7F9F00E72675 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8D5B16230E5F7E9300E72675 /* libresolv.dylib */; }; + BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; }; + BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; }; + BA48611C109C2BBA00545E19 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA48611B109C2BBA00545E19 /* IOKit.framework */; }; + BA486225109C2BF500545E19 /* IOKit.framework in Frameworks */ = {isa = 
PBXBuildFile; fileRef = BA48611B109C2BBA00545E19 /* IOKit.framework */; }; BA5B6F2A0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */; }; BA5B6F2B0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F290EC19F40003774E7 /* ipsecSessionTracer.c */; }; BA5B6F2C0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */; }; BA5B6F2D0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F290EC19F40003774E7 /* ipsecSessionTracer.c */; }; BA5B6F310EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */; }; BA5B6F320EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */; }; + BA64A934114EFE8C00F3574C /* racoon.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = BA64A933114EFE5C00F3574C /* racoon.sb */; }; + BA64A935114EFE9900F3574C /* racoon.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = BA64A933114EFE5C00F3574C /* racoon.sb */; }; BA6F109B0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; }; BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; }; + BA7777A11107EBCE00DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; }; + BA7777A21107EBF600DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; }; + BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; }; /* End PBXBuildFile section */ /* Begin PBXContainerItemProxy 
section */ @@ -399,13 +404,6 @@ remoteGlobalIDString = 81DDFDB80D622C2700C5CB87; remoteInfo = "libipsec Embedded"; }; - 81DDFDDA0D622C5100C5CB87 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 81DDFDCE0D622C3500C5CB87; - remoteInfo = "rsaparse Embedded"; - }; 81DDFDDE0D622D1700C5CB87 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; @@ -413,13 +411,6 @@ remoteGlobalIDString = 81DDFDB80D622C2700C5CB87; remoteInfo = "libipsec Embedded"; }; - 81DDFDE00D622D2A00C5CB87 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 81DDFDCE0D622C3500C5CB87; - remoteInfo = "rsaparse Embedded"; - }; 81DDFDE30D622D8C00C5CB87 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; @@ -494,7 +485,7 @@ isa = PBXCopyFilesBuildPhase; buildActionMask = 8; dstPath = usr/share/man/man5; - dstSubfolderSpec = 16; + dstSubfolderSpec = 0; files = ( 258CF2E40A191AD500166B38 /* racoon.conf.5 in CopyFiles */, ); 
@@ -624,6 +615,36 @@ ); runOnlyForDeploymentPostprocessing = 1; }; + BA64A930114EFDFD00F3574C /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /System/Library/Sandbox/Profiles; + dstSubfolderSpec = 0; + files = ( + BA64A934114EFE8C00F3574C /* racoon.sb in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + BA64A932114EFE4400F3574C /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/share/sandbox/profiles/embedded/builtin; + dstSubfolderSpec = 0; + files = ( + BA64A935114EFE9900F3574C /* racoon.sb in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + BAA6806112B17CF900ACF6D3 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/OpenSourceLicenses; + dstSubfolderSpec = 0; + files = ( + BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; /* End PBXCopyFilesBuildPhase section */ /* Begin PBXFileReference section */ 
@@ -820,10 +841,12 @@ 81CA08910CE3BC870055C0AF /* vpn.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = vpn.c; sourceTree = ""; }; 81DDFDAA0D622C1700C5CB87 /* setkey */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = setkey; sourceTree = BUILT_PRODUCTS_DIR; }; 81DDFDCD0D622C2700C5CB87 /* libipsec.A.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = libipsec.A.dylib; sourceTree = BUILT_PRODUCTS_DIR; }; - 81DDFDD70D622C3500C5CB87 /* rsaparse.o */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.objfile"; includeInIndex = 0; path = rsaparse.o; sourceTree = BUILT_PRODUCTS_DIR; }; 81EDB0670B5D8D7000840BC7 /* ipsec_dump_policy.3 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; name = ipsec_dump_policy.3; path = libipsec/ipsec_dump_policy.3; sourceTree = ""; }; 81EDB0680B5D8D8900840BC7 /* ipsec_get_policylen.3 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; name = ipsec_get_policylen.3; path = libipsec/ipsec_get_policylen.3; sourceTree = ""; }; 8D5B16230E5F7E9300E72675 /* libresolv.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libresolv.dylib; path = /usr/lib/libresolv.dylib; sourceTree = ""; }; + BA485FA1109C1ECA00545E19 /* power_mgmt.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = power_mgmt.c; sourceTree = ""; }; + BA485FA6109C243900545E19 /* power_mgmt.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = power_mgmt.h; sourceTree = ""; }; + BA48611B109C2BBA00545E19 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; }; BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */ = {isa = PBXFileReference; 
fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ipsecConfigTracer.c; sourceTree = ""; }; BA5B6F290EC19F40003774E7 /* ipsecSessionTracer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ipsecSessionTracer.c; sourceTree = ""; }; BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ipsecPolicyTracer.c; sourceTree = ""; }; @@ -832,8 +855,10 @@ BA5B6F370EC1A03C003774E7 /* ipsecSessionTracer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ipsecSessionTracer.h; sourceTree = ""; }; BA5B6F380EC1A03C003774E7 /* ipsecPolicyTracer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ipsecPolicyTracer.h; sourceTree = ""; }; BA5B6F4F0EC1A136003774E7 /* vpn.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = vpn.h; sourceTree = ""; }; + BA64A933114EFE5C00F3574C /* racoon.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = racoon.sb; sourceTree = ""; }; BA6F10940EA1D67700546773 /* ike_session.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ike_session.h; sourceTree = ""; }; BA6F109A0EA1DEC200546773 /* ike_session.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ike_session.c; sourceTree = ""; }; + BACBF18B10290AE000BBFC85 /* ipsec.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = ipsec.txt; sourceTree = ""; }; C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; name = AspenSDK.xcconfig; path = AppleInternal/XcodeConfig/AspenSDK.xcconfig; sourceTree = DEVELOPER_DIR; }; /* End PBXFileReference section */ 
@@ -905,6 +930,7 @@ 25DC9ED709DB170800C89F86 /* rsaparse.o in Frameworks */, 8176A6B90D45661700BC5251 /* libldap.dylib in Frameworks */, 81C9645F0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */, + BA486225109C2BF500545E19 /* IOKit.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -928,7 +954,6 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - 817FFC4F0D6134AD004A8DD8 /* rsaparse.o in Frameworks */, 8D5B167D0E5F7F9F00E72675 /* libresolv.dylib in Frameworks */, 817FFC4E0D6134A7004A8DD8 /* libipsec.A.dylib in Frameworks */, 812530F80D3FE9DC006BDF4F /* libiconv.dylib in Frameworks */, @@ -936,6 +961,7 @@ 812A64ED0D4AA082004CB7EB /* Security.framework in Frameworks */, 81C964590DA2CBEF00257BC8 /* SystemConfiguration.framework in Frameworks */, 81C9645E0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */, + BA48611C109C2BBA00545E19 /* IOKit.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -962,19 +988,14 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 81DDFDD20D622C3500C5CB87 /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; /* End PBXFrameworksBuildPhase section */ /* Begin PBXGroup section */ 23D2D78C087071FC00C51098 = { isa = PBXGroup; children = ( + BA64A933114EFE5C00F3574C /* racoon.sb */, + BACBF18B10290AE000BBFC85 /* ipsec.txt */, 72265DDB0F818F9300730A7D /* ipsec.plist */, C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */, 25E5E82D0981A61900F2834C /* ipsec-tools */, @@ -1000,7 +1021,6 @@ 812531290D3FEA33006BDF4F /* racoonctl */, 81DDFDAA0D622C1700C5CB87 /* setkey */, 81DDFDCD0D622C2700C5CB87 /* libipsec.A.dylib */, - 81DDFDD70D622C3500C5CB87 /* rsaparse.o */, ); name = Products; sourceTree = ""; 
@@ -1046,6 +1066,7 @@ 25EAE83109D875790042CC7F /* Security.framework */, 25EAE83709D875BF0042CC7F /* DirectoryService.framework */, 25EAE8C009D87B080042CC7F /* CoreFoundation.framework */, + BA48611B109C2BBA00545E19 /* IOKit.framework */, ); name = Frameworks; sourceTree = ""; @@ -1189,6 +1210,8 @@ 25F258FE0988657000D15623 /* plog.h */, 25F258FF0988657000D15623 /* policy.c */, 25F259000988657000D15623 /* policy.h */, + BA485FA1109C1ECA00545E19 /* power_mgmt.c */, + BA485FA6109C243900545E19 /* power_mgmt.h */, 25F259010988657000D15623 /* privsep.c */, 25F259020988657000D15623 /* privsep.h */, 25F259030988657000D15623 /* proposal.c */, @@ -1429,6 +1452,7 @@ 724A38A20E3676FB00F6B25F /* CopyFiles */, 258CF2F80A191B3900166B38 /* CopyFiles */, 258CF2FA0A191B3900166B38 /* CopyFiles */, + BA64A930114EFDFD00F3574C /* CopyFiles */, 258CF31B0A1941A200166B38 /* ShellScript */, ); buildRules = ( @@ -1491,6 +1515,7 @@ 812530FF0D3FE9DC006BDF4F /* CopyFiles */, 812531020D3FE9DC006BDF4F /* CopyFiles */, 725F453B0E36A15C005BB55C /* CopyFiles */, + BA64A932114EFE4400F3574C /* CopyFiles */, 812531040D3FE9DC006BDF4F /* ShellScript */, 834072BB0EDCC5C400B6CCE8 /* CopyFiles */, ); @@ -1498,7 +1523,6 @@ ); dependencies = ( 81DDFDDF0D622D1700C5CB87 /* PBXTargetDependency */, - 81DDFDE10D622D2A00C5CB87 /* PBXTargetDependency */, ); name = "racoon Embedded"; productName = racoon; 
@@ -1561,22 +1585,6 @@ productReference = 81DDFDCD0D622C2700C5CB87 /* libipsec.A.dylib */; productType = "com.apple.product-type.library.dynamic"; }; - 81DDFDCE0D622C3500C5CB87 /* rsaparse Embedded */ = { - isa = PBXNativeTarget; - buildConfigurationList = 81DDFDD30D622C3500C5CB87 /* Build configuration list for PBXNativeTarget "rsaparse Embedded" */; - buildPhases = ( - 81DDFDCF0D622C3500C5CB87 /* Sources */, - 81DDFDD20D622C3500C5CB87 /* Frameworks */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = "rsaparse Embedded"; - productName = rsaparse; - productReference = 81DDFDD70D622C3500C5CB87 /* rsaparse.o */; - productType = "com.apple.product-type.objfile"; - }; /* End PBXNativeTarget section */ /* Begin PBXProject section */ @@ -1584,7 +1592,14 @@ isa = PBXProject; buildConfigurationList = 25D3DACC098952B20025F703 /* Build configuration list for PBXProject "ipsec" */; compatibilityVersion = "Xcode 3.0"; + developmentRegion = English; hasScannedForEncodings = 0; + knownRegions = ( + English, + Japanese, + French, + German, + ); mainGroup = 23D2D78C087071FC00C51098; productRefGroup = 23D2D79C087074CC00C51098 /* Products */; projectDirPath = ""; @@ -1605,7 +1620,6 @@ 812531120D3FEA33006BDF4F /* racoonctl Embedded */, 81DDFD970D622C1700C5CB87 /* setkey Embedded */, 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */, - 81DDFDCE0D622C3500C5CB87 /* rsaparse Embedded */, ); }; /* End PBXProject section */ @@ -1825,6 +1839,7 @@ 25F259370988657000D15623 /* ipsec_doi.c in Sources */, 25F259380988657000D15623 /* isakmp_agg.c in Sources */, 25F259390988657000D15623 /* isakmp_base.c in Sources */, + BA7777A11107EBCE00DD87E1 /* isakmp_frag.c in Sources */, 25F2593C0988657000D15623 /* isakmp_ident.c in Sources */, 25F2593D0988657000D15623 /* isakmp_inf.c in Sources */, 25F2593E0988657000D15623 /* isakmp_newg.c in Sources */, 
@@ -1863,6 +1878,7 @@ BA6F109B0EA1DEC200546773 /* ike_session.c in Sources */, BA5B6F2A0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */, BA5B6F2B0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */, + BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -1919,6 +1935,7 @@ 812530CF0D3FE9DC006BDF4F /* ipsec_doi.c in Sources */, 812530D00D3FE9DC006BDF4F /* isakmp_agg.c in Sources */, 812530D10D3FE9DC006BDF4F /* isakmp_base.c in Sources */, + BA7777A21107EBF600DD87E1 /* isakmp_frag.c in Sources */, 812530D20D3FE9DC006BDF4F /* isakmp_ident.c in Sources */, 812530D30D3FE9DC006BDF4F /* isakmp_inf.c in Sources */, 812530D40D3FE9DC006BDF4F /* isakmp_newg.c in Sources */, @@ -1947,7 +1964,6 @@ 812530EB0D3FE9DC006BDF4F /* vmbuf.c in Sources */, 812530EC0D3FE9DC006BDF4F /* nattraversal.c in Sources */, 812530ED0D3FE9DC006BDF4F /* pfkey.c in Sources */, - 812530EE0D3FE9DC006BDF4F /* rsalist.c in Sources */, 812530EF0D3FE9DC006BDF4F /* isakmp_cfg.c in Sources */, 812530F00D3FE9DC006BDF4F /* isakmp_unity.c in Sources */, 812530F10D3FE9DC006BDF4F /* isakmp_xauth.c in Sources */, @@ -1956,6 +1972,7 @@ BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */, BA5B6F2C0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */, BA5B6F2D0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */, + BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -2001,15 +2018,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 81DDFDCF0D622C3500C5CB87 /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 81DDFDD00D622C3500C5CB87 /* prsa_par.y in Sources */, - 81DDFDD10D622C3500C5CB87 /* prsa_tok.l in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; /* End PBXSourcesBuildPhase section */ /* Begin PBXTargetDependency section */ 
@@ -2093,21 +2101,11 @@ target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */; targetProxy = 81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */; }; - 81DDFDDB0D622C5100C5CB87 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 81DDFDCE0D622C3500C5CB87 /* rsaparse Embedded */; - targetProxy = 81DDFDDA0D622C5100C5CB87 /* PBXContainerItemProxy */; - }; 81DDFDDF0D622D1700C5CB87 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */; targetProxy = 81DDFDDE0D622D1700C5CB87 /* PBXContainerItemProxy */; }; - 81DDFDE10D622D2A00C5CB87 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 81DDFDCE0D622C3500C5CB87 /* rsaparse Embedded */; - targetProxy = 81DDFDE00D622D2A00C5CB87 /* PBXContainerItemProxy */; - }; 81DDFDE40D622D8C00C5CB87 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */; @@ -2129,8 +2127,6 @@ ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( i386, - ppc, - ppc64, x86_64, ); COPY_PHASE_STRIP = NO; @@ -2158,7 +2154,7 @@ PREBINDING = NO; PRODUCT_NAME = ipsec.A; SKIP_INSTALL = YES; - VALID_ARCHS = "ppc64 i386 x86_64 ppc"; + VALID_ARCHS = "i386 x86_64"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; @@ -2172,8 +2168,6 @@ ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( i386, - ppc, - ppc64, x86_64, ); COPY_PHASE_STRIP = NO; @@ -2198,7 +2192,7 @@ LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PREBINDING = NO; PRODUCT_NAME = ipsec.A; - VALID_ARCHS = "ppc64 i386 x86_64 ppc"; + VALID_ARCHS = "i386 x86_64"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; @@ -2211,10 +2205,7 @@ ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - armv6, i386, - ppc, - ppc64, x86_64, ); COPY_PHASE_STRIP = NO; 
@@ -2238,7 +2229,7 @@ LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PREBINDING = NO; PRODUCT_NAME = ipsec.A; - VALID_ARCHS = "armv6 ppc64 i386 x86_64 ppc"; + VALID_ARCHS = "i386 x86_64"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; @@ -2248,7 +2239,7 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = NO; @@ -2268,7 +2259,7 @@ PREBINDING = NO; PRODUCT_NAME = "plainrsa-gen"; SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Development; @@ -2277,7 +2268,7 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = YES; @@ -2295,7 +2286,7 @@ PREBINDING = NO; PRODUCT_NAME = "plainrsa-gen"; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Deployment; @@ -2304,7 +2295,7 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, + x86_64, i386, ); GCC_ENABLE_FIX_AND_CONTINUE = YES; @@ -2320,7 +2311,7 @@ PREBINDING = NO; PRODUCT_NAME = "plainrsa-gen"; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Default; @@ -2329,7 +2320,7 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = NO; @@ -2350,7 +2341,7 @@ PREBINDING = NO; PRODUCT_NAME = eaytest; SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Development; @@ -2359,7 +2350,7 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = YES; @@ -2379,7 +2370,7 @@ PRODUCT_NAME = eaytest; SKIP_INSTALL = YES; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Deployment; 
@@ -2388,8 +2379,8 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, i386, + x86_64, ); COPY_PHASE_STRIP = YES; GCC_ENABLE_FIX_AND_CONTINUE = YES; @@ -2407,7 +2398,7 @@ PRODUCT_NAME = eaytest; SKIP_INSTALL = YES; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Default; @@ -2416,8 +2407,8 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, i386, + x86_64, ); COPY_PHASE_STRIP = NO; GCC_DYNAMIC_NO_PIC = NO; @@ -2434,7 +2425,7 @@ PREBINDING = NO; PRODUCT_NAME = "test-policy"; SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Development; @@ -2443,8 +2434,8 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, i386, + x86_64, ); COPY_PHASE_STRIP = YES; GCC_ENABLE_FIX_AND_CONTINUE = NO; @@ -2460,7 +2451,7 @@ PRODUCT_NAME = "test-policy"; SKIP_INSTALL = YES; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Deployment; @@ -2469,8 +2460,8 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, i386, + x86_64, ); GCC_ENABLE_FIX_AND_CONTINUE = YES; GCC_MODEL_TUNING = G5; @@ -2484,7 +2475,7 @@ PRODUCT_NAME = "test-policy"; SKIP_INSTALL = YES; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Default; @@ -2493,8 +2484,8 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, i386, + x86_64, ); COPY_PHASE_STRIP = NO; GCC_DYNAMIC_NO_PIC = NO; @@ -2508,7 +2499,7 @@ PREBINDING = NO; PRODUCT_NAME = "test-pfkey"; SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Development; @@ -2517,8 +2508,8 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, i386, + x86_64, ); COPY_PHASE_STRIP = YES; GCC_ENABLE_FIX_AND_CONTINUE = NO; 
@@ -2531,7 +2522,7 @@ PRODUCT_NAME = "test-pfkey"; SKIP_INSTALL = YES; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Deployment; @@ -2540,8 +2531,8 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, i386, + x86_64, ); GCC_ENABLE_FIX_AND_CONTINUE = YES; GCC_MODEL_TUNING = G5; @@ -2552,7 +2543,7 @@ PRODUCT_NAME = "test-pfkey"; SKIP_INSTALL = YES; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; ZERO_LINK = NO; }; name = Default; @@ -2560,6 +2551,10 @@ 25D3DAB9098952B20025F703 /* Development */ = { isa = XCBuildConfiguration; buildSettings = { + ARCHS = ( + i386, + x86_64, + ); COPY_PHASE_STRIP = NO; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; @@ -2567,7 +2562,7 @@ PRODUCT_NAME = "IPSec (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; - VALID_ARCHS = "ppc64 ppc7400 ppc970 i386 x86_64 ppc"; + VALID_ARCHS = "i386 x86_64"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2579,6 +2574,10 @@ 25D3DABA098952B20025F703 /* Deployment */ = { isa = XCBuildConfiguration; buildSettings = { + ARCHS = ( + i386, + x86_64, + ); COPY_PHASE_STRIP = NO; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; @@ -2586,6 +2585,7 @@ PRODUCT_NAME = "IPSec (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; + VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2597,6 +2597,10 @@ 25D3DABB098952B20025F703 /* Default */ = { isa = XCBuildConfiguration; buildSettings = { + ARCHS = ( + i386, + x86_64, + ); COPY_PHASE_STRIP = NO; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; @@ -2604,6 +2608,7 @@ PRODUCT_NAME = "IPSec (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; + VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2619,7 +2624,7 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = NO; 
@@ -2657,7 +2662,7 @@ PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2675,7 +2680,7 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = NO; @@ -2711,7 +2716,7 @@ PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2728,7 +2733,7 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = NO; @@ -2764,7 +2769,7 @@ PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2778,14 +2783,14 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = NO; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1", + "HAVE_CONFIG_H=1", "$(GCC_PREPROCESSOR_DEFINITIONS)", ); HEADER_SEARCH_PATHS = ( @@ -2806,7 +2811,7 @@ PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; - VALID_ARCHS = "armv6 i386 ppc x86_64"; + VALID_ARCHS = "i386 x86_64"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2820,14 +2825,14 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = YES; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1", + "HAVE_CONFIG_H=1", "$(GCC_PREPROCESSOR_DEFINITIONS)", ); HEADER_SEARCH_PATHS = ( 
@@ -2849,7 +2854,7 @@ SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "armv6 i386 ppc x86_64"; + VALID_ARCHS = "i386 x86_64"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2862,14 +2867,13 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( + x86_64, i386, - ppc, - armv6, ); GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1", + "HAVE_CONFIG_H=1", "$(GCC_PREPROCESSOR_DEFINITIONS)", ); HEADER_SEARCH_PATHS = ( @@ -2890,7 +2894,7 @@ PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "armv6 i386 ppc x86_64"; + VALID_ARCHS = "i386 x86_64"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2906,7 +2910,7 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = NO; @@ -2931,7 +2935,7 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2947,7 +2951,7 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = YES; @@ -2972,7 +2976,7 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2988,7 +2992,7 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - ppc, + x86_64, i386, ); GCC_GENERATE_DEBUGGING_SYMBOLS = YES; @@ -3012,7 +3016,7 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386 ppc"; + VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", 
@@ -3023,46 +3027,46 @@ }; 25D3DACD098952B20025F703 /* Development */ = { isa = XCBuildConfiguration; + baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ADDITIONAL_SDKS = ""; ARCHS = ( armv6, i386, - ppc64, - arm, + armv7, x86_64, - ppc, ); + VALID_ARCHS = "armv6 x86_64 i386 armv7"; }; name = Development; }; 25D3DACE098952B20025F703 /* Deployment */ = { isa = XCBuildConfiguration; + baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ADDITIONAL_SDKS = ""; ARCHS = ( armv6, i386, - ppc64, - arm, + armv7, x86_64, - ppc, ); + VALID_ARCHS = "armv6 x86_64 i386 armv7"; }; name = Deployment; }; 25D3DACF098952B20025F703 /* Default */ = { isa = XCBuildConfiguration; + baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ADDITIONAL_SDKS = ""; ARCHS = ( armv6, i386, - ppc64, - arm, + armv7, x86_64, - ppc, ); + VALID_ARCHS = "armv6 armv7 x86_64 i386"; }; name = Default; }; @@ -3070,7 +3074,7 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = NO; @@ -3083,7 +3087,7 @@ PREBINDING = NO; PRODUCT_NAME = rsaparse; SKIP_INSTALL = NO; - VALID_ARCHS = "i386 ppc x86_64 armv6"; + VALID_ARCHS = "i386 x86_64"; YACCFLAGS = "$(YACCFLAGS) -pprsa"; }; name = Development; @@ -3092,7 +3096,7 @@ isa = XCBuildConfiguration; buildSettings = { ARCHS = ( - ppc, + x86_64, i386, ); COPY_PHASE_STRIP = NO; @@ -3104,7 +3108,7 @@ PREBINDING = NO; PRODUCT_NAME = rsaparse; SKIP_INSTALL = NO; - VALID_ARCHS = "i386 ppc x86_64 armv6"; + VALID_ARCHS = "i386 x86_64"; YACCFLAGS = "$(YACCFLAGS) -pprsa"; ZERO_LINK = NO; }; @@ -3115,8 +3119,7 @@ buildSettings = { ARCHS = ( i386, - ppc, - armv6, + x86_64, ); COPY_PHASE_STRIP = NO; GCC_MODEL_TUNING = G5; 
@@ -3125,7 +3128,7 @@ PREBINDING = NO; PRODUCT_NAME = rsaparse; SKIP_INSTALL = NO; - VALID_ARCHS = "i386 ppc x86_64 armv6"; + VALID_ARCHS = "i386 x86_64"; YACCFLAGS = "$(YACCFLAGS) -pprsa"; }; name = Default; @@ -3134,6 +3137,10 @@ isa = XCBuildConfiguration; buildSettings = { ADDITIONAL_SDKS = ""; + ARCHS = ( + armv6, + armv7, + ); COPY_PHASE_STRIP = NO; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; @@ -3141,6 +3148,7 @@ PRODUCT_NAME = "IPSec Embedded (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; + VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3153,6 +3161,10 @@ isa = XCBuildConfiguration; buildSettings = { ADDITIONAL_SDKS = ""; + ARCHS = ( + armv6, + armv7, + ); COPY_PHASE_STRIP = NO; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; @@ -3172,6 +3184,10 @@ isa = XCBuildConfiguration; buildSettings = { ADDITIONAL_SDKS = ""; + ARCHS = ( + armv6, + armv7, + ); COPY_PHASE_STRIP = NO; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; @@ -3179,6 +3195,7 @@ PRODUCT_NAME = "IPSec Embedded (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; + VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3194,6 +3211,10 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; + ARCHS = ( + armv6, + armv7, + ); CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist"; CODE_SIGN_IDENTITY = "-"; COPY_PHASE_STRIP = NO; @@ -3230,12 +3251,13 @@ OTHER_CFLAGS_QUOTED_2 = "-DADMINPORTDIR=\\\"/var/run\\\""; OTHER_CFLAGS_QUOTED_3 = "-DPATHRACOON=\\\"/usr/sbin/racoon\\\""; OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)"; - OTHER_LDFLAGS = "-lcrypto"; + OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; + VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", 
@@ -3253,6 +3275,10 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; + ARCHS = ( + armv6, + armv7, + ); CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist"; CODE_SIGN_IDENTITY = "-"; COPY_PHASE_STRIP = NO; @@ -3288,11 +3314,12 @@ OTHER_CFLAGS_QUOTED_2 = "-DADMINPORTDIR=\\\"/var/run\\\""; OTHER_CFLAGS_QUOTED_3 = "-DPATHRACOON=\\\"/usr/sbin/racoon\\\""; OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)"; - OTHER_LDFLAGS = "-lcrypto"; + OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; + VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3309,6 +3336,10 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; + ARCHS = ( + armv6, + armv7, + ); CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist"; CODE_SIGN_IDENTITY = "-"; COPY_PHASE_STRIP = NO; @@ -3344,11 +3375,12 @@ OTHER_CFLAGS_QUOTED_2 = "-DADMINPORTDIR=\\\"/var/run\\\""; OTHER_CFLAGS_QUOTED_3 = "-DPATHRACOON=\\\"/usr/sbin/racoon\\\""; OTHER_CPLUSPLUSFLAGS = "$(OTHER_CFLAGS)"; - OTHER_LDFLAGS = "-lcrypto"; + OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; + VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3365,6 +3397,10 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; + ARCHS = ( + armv6, + armv7, + ); COPY_PHASE_STRIP = NO; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; @@ -3387,6 +3423,7 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; + VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", 
@@ -3402,6 +3439,10 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; + ARCHS = ( + armv6, + armv7, + ); COPY_PHASE_STRIP = YES; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; @@ -3424,6 +3465,7 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; + VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3439,6 +3481,10 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; + ARCHS = ( + armv6, + armv7, + ); GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( @@ -3460,6 +3506,7 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; + VALID_ARCHS = "armv6 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3472,6 +3519,10 @@ isa = XCBuildConfiguration; baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { + ARCHS = ( + armv6, + armv7, + ); COPY_PHASE_STRIP = NO; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; @@ -3497,6 +3548,7 @@ PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; + VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3510,11 +3562,15 @@ isa = XCBuildConfiguration; baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { + ARCHS = ( + armv6, + armv7, + ); COPY_PHASE_STRIP = YES; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1", + "HAVE_CONFIG_H=1", "$(GCC_PREPROCESSOR_DEFINITIONS)", ); HEADER_SEARCH_PATHS = ( @@ -3536,6 +3592,7 @@ SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; STRIP_INSTALLED_PRODUCT = YES; + VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", 
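Review bot: `VALID_ARCHS = "armv6 i386";` added in the `@@ -3460,6 +3506,7 @@` hunk does not match the `ARCHS = ( armv6, armv7, );` added a few lines earlier to what appears to be the same racoonctl Embedded configuration, while every other embedded configuration in this commit sets `VALID_ARCHS = "armv6 armv7"`; since Xcode filters ARCHS through VALID_ARCHS, armv7 would be silently dropped from that configuration. The `@@ -3679,62 +3755,12 @@` hunk adds the same `"armv6 i386"` value to the ipsec.A Default configuration, and the `@@ -3572,6 +3633,7 @@` hunk adds `VALID_ARCHS = "armv6 armv7 ";` with a trailing space that the sibling entries do not carry. All three should read `VALID_ARCHS = "armv6 armv7";`.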
@@ -3548,10 +3605,14 @@ isa = XCBuildConfiguration; baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { + ARCHS = ( + armv6, + armv7, + ); GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1", + "HAVE_CONFIG_H=1", "$(GCC_PREPROCESSOR_DEFINITIONS)", ); HEADER_SEARCH_PATHS = ( @@ -3572,6 +3633,7 @@ PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; + VALID_ARCHS = "armv6 armv7 "; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3587,6 +3649,10 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; + ARCHS = ( + armv6, + armv7, + ); COPY_PHASE_STRIP = NO; CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; @@ -3612,6 +3678,7 @@ PREBINDING = NO; PRODUCT_NAME = ipsec.A; SKIP_INSTALL = YES; + VALID_ARCHS = "armv6 armv7"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; @@ -3624,6 +3691,10 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; + ARCHS = ( + armv6, + armv7, + ); COPY_PHASE_STRIP = NO; CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; @@ -3646,6 +3717,7 @@ LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PREBINDING = NO; PRODUCT_NAME = ipsec.A; + VALID_ARCHS = "armv6 armv7"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; @@ -3658,6 +3730,10 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; + ARCHS = ( + armv6, + armv7, + ); COPY_PHASE_STRIP = NO; CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; 
@@ -3679,62 +3755,12 @@ LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PREBINDING = NO; PRODUCT_NAME = ipsec.A; + VALID_ARCHS = "armv6 i386"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; name = Default; }; - 81DDFDD40D622C3500C5CB87 /* Development */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; - buildSettings = { - COPY_PHASE_STRIP = NO; - GCC_DYNAMIC_NO_PIC = NO; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_OPTIMIZATION_LEVEL = 0; - INSTALL_PATH = ""; - LEXFLAGS = "$(LEXFLAGS) -Pprsa"; - PREBINDING = NO; - PRODUCT_NAME = rsaparse; - SKIP_INSTALL = NO; - YACCFLAGS = "$(YACCFLAGS) -pprsa"; - }; - name = Development; - }; - 81DDFDD50D622C3500C5CB87 /* Deployment */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; - buildSettings = { - COPY_PHASE_STRIP = NO; - GCC_ENABLE_FIX_AND_CONTINUE = NO; - GCC_GENERATE_DEBUGGING_SYMBOLS = NO; - GCC_MODEL_TUNING = G5; - INSTALL_PATH = ""; - LEXFLAGS = "$(LEXFLAGS) -Pprsa"; - PREBINDING = NO; - PRODUCT_NAME = rsaparse; - SKIP_INSTALL = NO; - YACCFLAGS = "$(YACCFLAGS) -pprsa"; - ZERO_LINK = NO; - }; - name = Deployment; - }; - 81DDFDD60D622C3500C5CB87 /* Default */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; - buildSettings = { - COPY_PHASE_STRIP = NO; - GCC_MODEL_TUNING = G5; - INSTALL_PATH = ""; - LEXFLAGS = "$(LEXFLAGS) -Pprsa"; - PREBINDING = NO; - PRODUCT_NAME = rsaparse; - SKIP_INSTALL = NO; - YACCFLAGS = "$(YACCFLAGS) -pprsa"; - }; - name = Default; - }; /* End XCBuildConfiguration section */ /* Begin XCConfigurationList section */ 
@@ -3898,16 +3924,6 @@
 defaultConfigurationIsVisible = 0;
 defaultConfigurationName = Deployment;
 };
- 81DDFDD30D622C3500C5CB87 /* Build configuration list for PBXNativeTarget "rsaparse Embedded" */ = {
- isa = XCConfigurationList;
- buildConfigurations = (
- 81DDFDD40D622C3500C5CB87 /* Development */,
- 81DDFDD50D622C3500C5CB87 /* Deployment */,
- 81DDFDD60D622C3500C5CB87 /* Default */,
- );
- defaultConfigurationIsVisible = 0;
- defaultConfigurationName = Deployment;
- };
 /* End XCConfigurationList section */
 };
 rootObject = 23D2D790087071FC00C51098 /* Project object */;
diff --git a/racoon.sb b/racoon.sb
new file mode 100644
index 0000000..88b9a92
--- /dev/null
+++ b/racoon.sb
@@ -0,0 +1,103 @@
+;; OriginatingProject: ipsec
+(version 1)
+(deny default)
+(allow system-socket sysctl-read sysctl-write)
+
+(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
+(allow ipc-posix-shm
+ (ipc-posix-name "apple.shm.notification_center")
+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
+
+(allow file-read* file-ioctl
+ (subpath "/private/etc/master.passwd")
+ (subpath "/private/var/run/racoon")
+ (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
+ (subpath "/private/etc/racoon"))
+
+(allow file-read*
+ (subpath "/Library/Managed\ Preferences")
+ (subpath "/Library/Preferences")
+ (subpath "/private/var/root")
+ (literal "/private/var/db/mds/messages/se_SecurityMessages"))
+
+(allow file-write*
+ (literal "/private/var/run/racoon.sock")
+ (literal "/private/var/run/racoon.pid"))
+
+(allow file*
+ (literal "/var/log/racoon.log")
+ (literal "/private/var/log/racoon.log"))
+
+(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
+
+(allow network-outbound (subpath "/private/var/tmp/launchd"))
+(allow network*
+ (local udp "*:500" "*:4500")
+ (remote udp "*:*")
+ (literal "/private/var/run/racoon.sock"))
+
+(allow file*
+ (literal "/Library/Keychains/System.keychain")
+ (literal "/private/var/db/mds/system/mdsObject.db")
+ (literal "/private/var/db/mds/system/mds.lock")
+ (literal "/private/var/db/mds/system/mdsDirectory.db"))
+
+(allow mach-lookup
+ (global-name "com.apple.SecurityServer")
+ (global-name "com.apple.ocspd"))
+
+;;;;;; Common system sandbox rules
+;;;;;;
+;;;;;; Copyright (c) 2008-2010 Apple Inc. All Rights reserved.
+;;;;;;
+;;;;;; WARNING: The sandbox rules in this file currently constitute
+;;;;;; Apple System Private Interface and are subject to change at any time and
+;;;;;; without notice. The contents of this file are also auto-generated and
+;;;;;; not user editable; it may be overwritten at any time.
+
+;;; Allow read access to standard system paths.
+
+(allow file-read*
+ (require-all (file-mode #o0004)
+ (require-any (subpath "/System")
+ (subpath "/usr/lib")
+ (subpath "/usr/sbin")
+ (subpath "/usr/share"))))
+
+(allow file-read-metadata
+ (literal "/etc")
+ (literal "/tmp")
+ (literal "/var"))
+
+;;; Allow access to standard special files.
+
+(allow file-read*
+ (literal "/private/var/db/timezone/localtime")
+ (literal "/dev/random")
+ (literal "/dev/urandom"))
+
+(allow file-read*
+ file-write-data
+ (literal "/dev/null")
+ (literal "/dev/zero"))
+
+(allow file-read*
+ file-write-data
+ file-ioctl
+ (literal "/dev/aes_0")
+ (literal "/dev/sha1_0")
+ (literal "/dev/dtracehelper"))
+
+(allow network-outbound
+ (literal "/private/var/run/asl_input")
+ (literal "/private/var/run/syslog"))
+
+;;; Allow IPC to standard system agents.
+
+(allow mach-lookup
+ (global-name "com.apple.securityd")
+ (global-name "com.apple.bsd.dirhelper")
+ (global-name "com.apple.system.DirectoryService.libinfo_v1")
+ (global-name "com.apple.system.DirectoryService.membership_v1")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center"))
-- 2.45.2
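Review bot: The `(allow file* (literal "/Library/Keychains/System.keychain") ...)` rule in the middle of the hunk grants racoon write and delete access to the system keychain and the mds databases, which looks wider than a daemon that consumes certificates through the Security framework needs; if keychain and mds updates are performed by securityd on racoon's behalf (the profile already allows mach-lookup of `com.apple.SecurityServer`), `(allow file-read* (literal "/Library/Keychains/System.keychain") ...)` keeps the profile at least privilege, and any file the framework genuinely writes in-process can be listed separately under `file-write*`. `(subpath "/private/var/root")` exposes root's entire home directory to read when a literal path to the specific file racoon needs would state the intent and limit exposure. `(subpath "/private/etc/master.passwd")` names a single file and should be `(literal "/private/etc/master.passwd")` for the same reason. The block after the `;;;;;; Common system sandbox rules` banner is marked as Apple boilerplate, so any narrowing belongs in the hand-written rules above it.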