From 85f41bec1acc617e559a0eb4ae1c926b61c3169f Mon Sep 17 00:00:00 2001 
From: Apple Date: Fri, 27 Jul 2012 18:01:22 +0000 Subject: [PATCH] ipsec-164.9.tar.gz --- entitlements.plist | 1 + ipsec-tools/Common/config.h | 7 - ipsec-tools/Common/key_debug.c | 17 +- ipsec-tools/Common/libpfkey.h | 44 +- ipsec-tools/Common/pfkey.c | 364 ++---- ipsec-tools/Common/pfkey_dump.c | 4 +- ipsec-tools/libipsec/ipsec_get_policylen.c | 12 +- ipsec-tools/libipsec/policy_parse.y | 36 +- ipsec-tools/libipsec/test-policy.c | 24 +- ipsec-tools/racoon/Sample/racoon.conf | 4 +- ipsec-tools/racoon/admin.c | 42 +- ipsec-tools/racoon/algorithm.c | 55 - ipsec-tools/racoon/backupsa.c | 2 +- ipsec-tools/racoon/cfparse.y | 509 ++++---- ipsec-tools/racoon/cftoken.l | 107 +- ipsec-tools/racoon/cftoken_proto.h | 6 +- ipsec-tools/racoon/com.apple.racoon.plist | Bin 698 -> 307 bytes .../racoon/com.apple.racoonembedded.plist | 28 - ipsec-tools/racoon/crypto_cssm.c | 210 +-- ipsec-tools/racoon/crypto_cssm.h | 5 +- ipsec-tools/racoon/crypto_openssl.c | 286 +--- ipsec-tools/racoon/crypto_openssl.h | 28 - ipsec-tools/racoon/dnssec.c | 2 +- ipsec-tools/racoon/dump.h | 2 +- ipsec-tools/racoon/evt.c | 8 +- ipsec-tools/racoon/evt.h | 2 +- ipsec-tools/racoon/getcertsbyname.c | 3 +- ipsec-tools/racoon/grabmyaddr.c | 65 +- ipsec-tools/racoon/grabmyaddr.h | 4 +- ipsec-tools/racoon/gssapi.c | 4 +- ipsec-tools/racoon/handler.c | 74 +- ipsec-tools/racoon/handler.h | 69 +- ipsec-tools/racoon/ike_session.c | 82 +- ipsec-tools/racoon/ike_session.h | 7 +- ipsec-tools/racoon/ipsec_doi.c | 126 +- ipsec-tools/racoon/ipsec_doi.h | 8 +- ipsec-tools/racoon/isakmp.c | 346 ++--- ipsec-tools/racoon/isakmp_agg.c | 18 +- ipsec-tools/racoon/isakmp_base.c | 20 +- ipsec-tools/racoon/isakmp_cfg.c | 24 +- ipsec-tools/racoon/isakmp_cfg.h | 2 +- ipsec-tools/racoon/isakmp_frag.c | 33 +- ipsec-tools/racoon/isakmp_frag.h | 2 +- ipsec-tools/racoon/isakmp_ident.c | 16 +- ipsec-tools/racoon/isakmp_inf.c | 75 +- ipsec-tools/racoon/isakmp_inf.h | 4 +- ipsec-tools/racoon/isakmp_quick.c | 71 +- 
ipsec-tools/racoon/isakmp_var.h | 16 +- ipsec-tools/racoon/isakmp_xauth.c | 5 +- ipsec-tools/racoon/isakmp_xauth.h | 2 +- ipsec-tools/racoon/kmpstat.c | 20 +- ipsec-tools/racoon/localconf.c | 4 +- ipsec-tools/racoon/localconf.h | 2 +- ipsec-tools/racoon/logger.c | 1 - ipsec-tools/racoon/main.c | 45 +- ipsec-tools/racoon/nattraversal.c | 46 +- ipsec-tools/racoon/nattraversal.h | 6 +- ipsec-tools/racoon/oakley.c | 316 ++--- ipsec-tools/racoon/oakley.h | 1 + ipsec-tools/racoon/pfkey.h | 2 +- ipsec-tools/racoon/pfkey_racoon.c | 230 ++-- ipsec-tools/racoon/plog.c | 4 +- ipsec-tools/racoon/plog.h | 6 +- ipsec-tools/racoon/policy.c | 50 +- ipsec-tools/racoon/privsep.c | 12 +- ipsec-tools/racoon/privsep.h | 4 +- ipsec-tools/racoon/racoon.conf.5 | 65 +- ipsec-tools/racoon/racoonctl.c | 18 +- ipsec-tools/racoon/remoteconf.c | 143 +- ipsec-tools/racoon/remoteconf.h | 15 +- ipsec-tools/racoon/sainfo.c | 48 +- ipsec-tools/racoon/schedule.c | 8 +- ipsec-tools/racoon/session.c | 12 +- ipsec-tools/racoon/sockmisc.c | 306 +++-- ipsec-tools/racoon/sockmisc.h | 34 +- ipsec-tools/racoon/throttle.c | 10 +- ipsec-tools/racoon/throttle.h | 4 +- ipsec-tools/racoon/var.h | 7 +- ipsec-tools/racoon/vendorid.c | 5 +- ipsec-tools/racoon/vpn.c | 63 +- ipsec-tools/racoon/vpn_control.c | 109 +- ipsec-tools/racoon/vpn_control_var.h | 5 +- ipsec-tools/setkey/parse.y | 73 +- ipsec-tools/setkey/setkey.c | 55 +- ipsec.xcodeproj/project.pbxproj | 1151 +++-------------- racoon.sb | 5 +- 86 files changed, 2174 insertions(+), 3592 deletions(-) delete mode 100644 ipsec-tools/racoon/com.apple.racoonembedded.plist diff --git a/entitlements.plist b/entitlements.plist index 3e9e396..f05fcbf 100644 --- a/entitlements.plist +++ b/entitlements.plist @@ -5,6 +5,7 @@ keychain-access-groups apple + com.apple.certificates com.apple.identities seatbelt-profiles diff --git a/ipsec-tools/Common/config.h b/ipsec-tools/Common/config.h index c7813f6..ce2538f 100644 --- a/ipsec-tools/Common/config.h 
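Review bot: The added keychain-access-group `com.apple.certificates` widens the set of keychain items the daemon may read, and neither the commit subject nor the hunk records which component needs it. Because an entitlement is a standing grant rather than a per-call check, a short comment beside the entry naming the consumer would let a later least-privilege audit confirm or trim it, e.g. `<!-- required for certificate lookup by [component placeholder] -->` with the real caller filled in. The diffstat's crypto_cssm.c changes are a plausible consumer, but that is inferred from the file list only.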
+++ b/ipsec-tools/Common/config.h @@ -133,17 +133,10 @@ #endif #ifdef HAVE_OPENSSL -/* Define to 1 if you have the header file. */ -#define HAVE_OPENSSL_AES_H 1 /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_ENGINE_H 1 -/* Define to 1 if you have the header file. */ -#undef HAVE_OPENSSL_IDEA_H - -/* Define to 1 if you have the header file. */ -#define HAVE_OPENSSL_RC5_H 1 #endif /* Define to 1 if you have the `pam_start' function. */ diff --git a/ipsec-tools/Common/key_debug.c b/ipsec-tools/Common/key_debug.c index dca4d89..e7822a1 100644 --- a/ipsec-tools/Common/key_debug.c +++ b/ipsec-tools/Common/key_debug.c @@ -67,6 +67,7 @@ #endif /* !_KERNEL */ #include "config.h" +#include "var.h" #include "libpfkey.h" static void kdebug_sadb_prop __P((struct sadb_ext *)); @@ -80,7 +81,7 @@ static void kdebug_sadb_x_sa2 __P((struct sadb_ext *)); static void kdebug_sadb_session_id __P((struct sadb_ext *)); static void kdebug_sadb_sastat __P((struct sadb_ext *)); static void kdebug_sadb_x_policy __P((struct sadb_ext *ext)); -static void kdebug_sockaddr __P((struct sockaddr *addr)); +static void kdebug_sockaddr __P((struct sockaddr_storage *addr)); #ifdef SADB_X_EXT_NAT_T_TYPE static void kdebug_sadb_x_nat_t_type __P((struct sadb_ext *ext)); @@ -435,7 +436,7 @@ static void kdebug_sadb_session_id(ext) struct sadb_ext *ext; { - struct sadb_session_id *p = (__typeof__(p))ext; + struct sadb_session_id *p = ALIGNED_CAST(__typeof__(p))ext; // Wcast-align fix (void*) - sadb structs come from and aligned buffer /* sanity check */ if (ext == NULL) { @@ -452,7 +453,7 @@ static void kdebug_sadb_sastat(ext) struct sadb_ext *ext; { - struct sadb_sastat *p = (__typeof__(p))ext; + struct sadb_sastat *p = ALIGNED_CAST(__typeof__(p))ext; // Wcast-align fix (void*) - sadb structs come from and aligned buffer struct sastat *stats; int i; 
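Review bot: The justification comment on the ALIGNED_CAST line in kdebug_sadb_session_id has a typo (`and aligned buffer`), and the identical text is repeated in the kdebug_sadb_sastat hunk below it. More importantly, the comment describes an alignment precondition on `ext` that the cast through `void *` stops the compiler from checking, so I would phrase it as a requirement rather than a fact: `// ext must be suitably aligned for sadb_session_id: the void* cast only silences -Wcast-align, it does not fix misalignment`. A reader should not take the cast itself as making the access safe.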
@@ -477,7 +478,7 @@ kdebug_sadb_x_policy(ext) struct sadb_ext *ext; { struct sadb_x_policy *xpl = (void *)ext; - struct sockaddr *addr; + struct sockaddr_storage *addr; /* sanity check */ if (ext == NULL) @@ -514,7 +515,7 @@ kdebug_sadb_x_policy(ext) addr = (void *)(xisr + 1); kdebug_sockaddr(addr); addr = (void *)((caddr_t)(void *)addr - + sysdep_sa_len(addr)); + + sysdep_sa_len((struct sockaddr *)addr)); kdebug_sockaddr(addr); } @@ -798,7 +799,7 @@ kdebug_mbuf(m0) static void kdebug_sockaddr(addr) - struct sockaddr *addr; + struct sockaddr_storage *addr; { struct sockaddr_in *sin4; #ifdef INET6 @@ -810,9 +811,9 @@ kdebug_sockaddr(addr) panic("kdebug_sockaddr: NULL pointer was passed.\n"); /* NOTE: We deal with port number as host byte order. */ - printf("sockaddr{ len=%u family=%u", sysdep_sa_len(addr), addr->sa_family); + printf("sockaddr_storage{ len=%u family=%u", sysdep_sa_len((struct sockaddr *)addr), addr->ss_family); - switch (addr->sa_family) { + switch (addr->ss_family) { case AF_INET: sin4 = (void *)addr; printf(" port=%u\n", ntohs(sin4->sin_port)); diff --git a/ipsec-tools/Common/libpfkey.h b/ipsec-tools/Common/libpfkey.h index 06d5228..1bb0f27 100644 --- a/ipsec-tools/Common/libpfkey.h +++ b/ipsec-tools/Common/libpfkey.h @@ -50,7 +50,7 @@ extern void pfkey_sadump_withports __P((struct sadb_msg *)); extern void pfkey_spdump __P((struct sadb_msg *)); extern void pfkey_spdump_withports __P((struct sadb_msg *)); -struct sockaddr; +struct sockaddr_storage; struct sadb_alg; /* Accomodate different prototypes in */ 
@@ -85,45 +85,45 @@ char *ipsec_dump_policy __P((ipsec_policy_t, __ipsec_const char *)); u_int pfkey_set_softrate __P((u_int, u_int)); u_int pfkey_get_softrate __P((u_int)); -int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *, - struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t)); -int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *, - struct sockaddr *, u_int32_t, u_int32_t, u_int, +int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr_storage *, + struct sockaddr_storage *, u_int32_t, u_int32_t, u_int32_t, u_int32_t)); +int pfkey_send_update __P((int, u_int, u_int, struct sockaddr_storage *, + struct sockaddr_storage *, u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t, u_int16_t)); -int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *, - struct sockaddr *, u_int32_t, u_int32_t, u_int, +int pfkey_send_add __P((int, u_int, u_int, struct sockaddr_storage *, + struct sockaddr_storage *, u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t, u_int16_t)); int pfkey_send_delete __P((int, u_int, u_int, - struct sockaddr *, struct sockaddr *, u_int32_t)); + struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t)); int pfkey_send_delete_all __P((int, u_int, u_int, - struct sockaddr *, struct sockaddr *)); + struct sockaddr_storage *, struct sockaddr_storage *)); int pfkey_send_get __P((int, u_int, u_int, - struct sockaddr *, struct sockaddr *, u_int32_t)); + struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t)); int pfkey_send_register __P((int, u_int)); int pfkey_recv_register __P((int)); int pfkey_set_supported __P((struct sadb_msg *, int)); int pfkey_send_flush __P((int, u_int)); int pfkey_send_dump __P((int, u_int)); int pfkey_send_promisc_toggle __P((int, int)); -int pfkey_send_spdadd __P((int, struct sockaddr *, u_int, - struct sockaddr *, u_int, 
u_int, caddr_t, int, u_int32_t)); -int pfkey_send_spdadd2 __P((int, struct sockaddr *, u_int, - struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t, +int pfkey_send_spdadd __P((int, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t)); +int pfkey_send_spdadd2 __P((int, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t, caddr_t, int, u_int32_t)); -int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int, - struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t)); -int pfkey_send_spdupdate2 __P((int, struct sockaddr *, u_int, - struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t, +int pfkey_send_spdupdate __P((int, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t)); +int pfkey_send_spdupdate2 __P((int, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t, caddr_t, int, u_int32_t)); -int pfkey_send_spddelete __P((int, struct sockaddr *, u_int, - struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t)); +int pfkey_send_spddelete __P((int, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t)); int pfkey_send_spddelete2 __P((int, u_int32_t)); int pfkey_send_spdget __P((int, u_int32_t)); -int pfkey_send_spdsetidx __P((int, struct sockaddr *, u_int, - struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t)); +int pfkey_send_spdsetidx __P((int, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t)); int pfkey_send_spdflush __P((int)); int pfkey_send_spddump __P((int)); diff --git a/ipsec-tools/Common/pfkey.c b/ipsec-tools/Common/pfkey.c index 62cb528..fe1edb7 100644 --- a/ipsec-tools/Common/pfkey.c +++ b/ipsec-tools/Common/pfkey.c @@ -37,6 +37,7 @@ #include #include #include +#include #include #ifdef HAVE_NETINET6_IPSEC # include 
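Review bot: Changing every address parameter in the public prototypes from `struct sockaddr *` to `struct sockaddr_storage *` is a source-incompatible change for any libpfkey caller outside this tree, and the header does not say what the pointee is required to be. The pfkey.c hunks show the implementations still take the length from the address itself via `sysdep_sa_len((struct sockaddr *)src)`, so the wider type does not imply a full `sockaddr_storage` is read; if that is the intended contract, a one-line comment above the block such as `/* Address arguments are read through sysdep_sa_len(); the pointee need only be as long as its own sa_len says. */` would make it explicit for callers that pass a cast `sockaddr_in`/`sockaddr_in6`.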
@@ -49,7 +50,9 @@ #include #include #include +#include +#include "var.h" #include "ipsec_strerror.h" #include "libpfkey.h" @@ -58,15 +61,15 @@ static int findsupportedmap __P((int)); static int setsupportedmap __P((struct sadb_supported *)); static struct sadb_alg *findsupportedalg __P((u_int, u_int)); -static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *, - struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, +static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr_storage *, + struct sockaddr_storage *, u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t, u_int32_t, u_int32_t, u_int32_t, u_int16_t)); static int pfkey_send_x2 __P((int, u_int, u_int, u_int, - struct sockaddr *, struct sockaddr *, u_int32_t)); + struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t)); static int pfkey_send_x3 __P((int, u_int, u_int)); -static int pfkey_send_x4 __P((int, u_int, struct sockaddr *, u_int, - struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t, +static int pfkey_send_x4 __P((int, u_int, struct sockaddr_storage *, u_int, + struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t, char *, int, u_int32_t)); static int pfkey_send_x5 __P((int, u_int, u_int32_t)); @@ -75,7 +78,7 @@ static caddr_t pfkey_setsadbmsg __P((caddr_t, caddr_t, u_int, u_int, static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int, u_int, u_int, u_int32_t, u_int16_t)); static caddr_t pfkey_setsadbaddr __P((caddr_t, caddr_t, u_int, - struct sockaddr *, u_int, u_int)); + struct sockaddr_storage *, u_int, u_int)); static caddr_t pfkey_setsadbkey __P((caddr_t, caddr_t, u_int, caddr_t, u_int)); static caddr_t pfkey_setsadblifetime __P((caddr_t, caddr_t, u_int, u_int32_t, u_int32_t, u_int32_t, u_int32_t)); @@ -108,8 +111,7 @@ static int supported_map[] = { }; static int -findsupportedmap(satype) - int satype; +findsupportedmap(int satype) { int i; 
@@ -120,8 +122,7 @@ findsupportedmap(satype) } static struct sadb_alg * -findsupportedalg(satype, alg_id) - u_int satype, alg_id; +findsupportedalg(u_int satype, u_int alg_id) { int algno; int tlen; @@ -158,8 +159,7 @@ findsupportedalg(satype, alg_id) } static int -setsupportedmap(sup) - struct sadb_supported *sup; +setsupportedmap(struct sadb_supported *sup) { struct sadb_supported **ipsup; @@ -198,10 +198,7 @@ setsupportedmap(sup) * 0: valid. */ int -ipsec_check_keylen(supported, alg_id, keylen) - u_int supported; - u_int alg_id; - u_int keylen; +ipsec_check_keylen(u_int supported, u_int alg_id, u_int keylen) { u_int satype; @@ -230,10 +227,7 @@ ipsec_check_keylen(supported, alg_id, keylen) * 0: valid. */ int -ipsec_check_keylen2(satype, alg_id, keylen) - u_int satype; - u_int alg_id; - u_int keylen; +ipsec_check_keylen2(u_int satype, u_int alg_id, u_int keylen) { struct sadb_alg *alg; @@ -261,9 +255,7 @@ ipsec_check_keylen2(satype, alg_id, keylen) * 0: valid. */ int -ipsec_get_keylen(supported, alg_id, alg0) - u_int supported, alg_id; - struct sadb_alg *alg0; +ipsec_get_keylen(u_int supported, u_int alg_id, struct sadb_alg *alg0) { struct sadb_alg *alg; u_int satype; @@ -306,8 +298,7 @@ static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE; static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE; u_int -pfkey_set_softrate(type, rate) - u_int type, rate; +pfkey_set_softrate(u_int type, u_int rate) { __ipsec_errcode = EIPSEC_NO_ERROR; @@ -338,8 +329,7 @@ pfkey_set_softrate(type, rate) * ATTENTION: ~0 is returned if invalid type was passed. */ u_int -pfkey_get_softrate(type) - u_int type; +pfkey_get_softrate(u_int type) { switch (type) { case SADB_X_LIFETIME_ALLOCATIONS: 
@@ -362,11 +352,8 @@ pfkey_get_softrate(type) * -1 : error occured, and set errno. */ int -pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) - int so; - u_int satype, mode; - struct sockaddr *src, *dst; - u_int32_t min, max, reqid, seq; +pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, + u_int32_t min, u_int32_t max, u_int32_t reqid, u_int32_t seq) { struct sadb_msg *newmsg; caddr_t ep; @@ -380,7 +367,7 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } - if (src->sa_family != dst->sa_family) { + if (src->ss_family != dst->ss_family) { __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; return -1; } @@ -388,7 +375,7 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) __ipsec_errcode = EIPSEC_INVAL_SPI; return -1; } - switch (src->sa_family) { + switch (src->ss_family) { case AF_INET: plen = sizeof(struct in_addr) << 3; break; @@ -404,9 +391,9 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) len = sizeof(struct sadb_msg) + sizeof(struct sadb_x_sa2) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(src)) + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(dst)); + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst)); if (min > 255 && max < (u_int)~0) { need_spirange++; 
@@ -492,19 +479,10 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) * -1 : error occured, and set errno. */ int -pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, l_bytes, l_addtime, l_usetime, seq, port) - int so; - u_int satype, mode, wsize; - struct sockaddr *src, *dst; - u_int32_t spi, reqid; - caddr_t keymat; - u_int e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc; - u_int64_t l_bytes, l_addtime, l_usetime; - u_int32_t seq; - u_int16_t port; +pfkey_send_update(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, + u_int32_t spi, u_int32_t reqid, u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen, + u_int a_type, u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, + u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port) { int len; if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi, 
@@ -526,19 +504,10 @@ pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize, * -1 : error occured, and set errno. */ int -pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, l_bytes, l_addtime, l_usetime, seq, port) - int so; - u_int satype, mode, wsize; - struct sockaddr *src, *dst; - u_int32_t spi, reqid; - caddr_t keymat; - u_int e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc; - u_int64_t l_bytes, l_addtime, l_usetime; - u_int32_t seq; - u_int16_t port; +pfkey_send_add(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, + u_int32_t spi, u_int32_t reqid, u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen, + u_int a_type, u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, + u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port) { int len; if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi, @@ -562,7 +531,7 @@ int pfkey_send_delete(so, satype, mode, src, dst, spi) int so; u_int satype, mode; - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; u_int32_t spi; { int len; @@ -583,10 +552,7 @@ pfkey_send_delete(so, satype, mode, src, dst, spi) */ /*ARGSUSED*/ int -pfkey_send_delete_all(so, satype, mode, src, dst) - int so; - u_int satype, mode; - struct sockaddr *src, *dst; +pfkey_send_delete_all(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst) { struct sadb_msg *newmsg; int len; @@ -599,11 +565,11 @@ pfkey_send_delete_all(so, satype, mode, src, dst) __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } - if (src->sa_family != dst->sa_family) { + if (src->ss_family != dst->ss_family) { __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; return -1; } - switch (src->sa_family) { + switch (src->ss_family) { case AF_INET: plen = sizeof(struct in_addr) << 3; break; 
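Review bot: `pfkey_send_delete` keeps its K&R definition (`pfkey_send_delete(so, satype, mode, src, dst, spi)` followed by a declaration list) while every neighbouring function, including `pfkey_send_delete_all` and `pfkey_send_get` in the following hunks, is converted to a prototype by this same commit. For consistency I would convert it as well: `pfkey_send_delete(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spi)`. The function body continues outside the hunk.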
@@ -618,9 +584,9 @@ pfkey_send_delete_all(so, satype, mode, src, dst) /* create new sadb_msg to reply. */ len = sizeof(struct sadb_msg) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(src)) + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(dst)); + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst)); if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { __ipsec_set_strerror(strerror(errno)); @@ -665,11 +631,7 @@ pfkey_send_delete_all(so, satype, mode, src, dst) * -1 : error occured, and set errno. */ int -pfkey_send_get(so, satype, mode, src, dst, spi) - int so; - u_int satype, mode; - struct sockaddr *src, *dst; - u_int32_t spi; +pfkey_send_get(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spi) { int len; if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0) @@ -685,9 +647,7 @@ pfkey_send_get(so, satype, mode, src, dst, spi) * -1 : error occured, and set errno. */ int -pfkey_send_register(so, satype) - int so; - u_int satype; +pfkey_send_register(int so, u_int satype) { int len, algno; @@ -727,8 +687,7 @@ pfkey_send_register(so, satype) * -1: error occured, and set errno. */ int -pfkey_recv_register(so) - int so; +pfkey_recv_register(int so) { pid_t pid = getpid(); struct sadb_msg *newmsg; @@ -767,9 +726,7 @@ pfkey_recv_register(so) * -1: error occured, and set errno. */ int -pfkey_set_supported(msg, tlen) - struct sadb_msg *msg; - int tlen; +pfkey_set_supported(struct sadb_msg *msg, int tlen) { struct sadb_supported *sup; caddr_t p; @@ -831,9 +788,7 @@ pfkey_set_supported(msg, tlen) * -1 : error occured, and set errno. */ int -pfkey_send_flush(so, satype) - int so; - u_int satype; +pfkey_send_flush(int so, u_int satype) { int len; 
@@ -850,9 +805,7 @@ pfkey_send_flush(so, satype) * -1 : error occured, and set errno. */ int -pfkey_send_dump(so, satype) - int so; - u_int satype; +pfkey_send_dump(int so, u_int satype) { int len; @@ -875,9 +828,7 @@ pfkey_send_dump(so, satype) * algorithms is. */ int -pfkey_send_promisc_toggle(so, flag) - int so; - int flag; +pfkey_send_promisc_toggle(int so, int flag) { int len; @@ -895,13 +846,8 @@ pfkey_send_promisc_toggle(so, flag) * -1 : error occured, and set errno. */ int -pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq) - int so; - struct sockaddr *src, *dst; - u_int prefs, prefd, proto; - caddr_t policy; - int policylen; - u_int32_t seq; +pfkey_send_spdadd(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, + u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq) { int len; @@ -921,15 +867,8 @@ pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq) * -1 : error occured, and set errno. */ int -pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime, - policy, policylen, seq) - int so; - struct sockaddr *src, *dst; - u_int prefs, prefd, proto; - u_int64_t ltime, vtime; - caddr_t policy; - int policylen; - u_int32_t seq; +pfkey_send_spdadd2(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, u_int prefd, u_int proto, u_int64_t ltime, u_int64_t vtime, + caddr_t policy, int policylen, u_int32_t seq) { int len; @@ -949,13 +888,8 @@ pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime, * -1 : error occured, and set errno. */ int -pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq) - int so; - struct sockaddr *src, *dst; - u_int prefs, prefd, proto; - caddr_t policy; - int policylen; - u_int32_t seq; +pfkey_send_spdupdate(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, + u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq) { int len; 
@@ -975,15 +909,9 @@ pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq) * -1 : error occured, and set errno. */ int -pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime, - policy, policylen, seq) - int so; - struct sockaddr *src, *dst; - u_int prefs, prefd, proto; - u_int64_t ltime, vtime; - caddr_t policy; - int policylen; - u_int32_t seq; +pfkey_send_spdupdate2(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, + u_int prefd, u_int proto, u_int64_t ltime, u_int64_t vtime, + caddr_t policy, int policylen, u_int32_t seq) { int len; @@ -1003,13 +931,8 @@ pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime, * -1 : error occured, and set errno. */ int -pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq) - int so; - struct sockaddr *src, *dst; - u_int prefs, prefd, proto; - caddr_t policy; - int policylen; - u_int32_t seq; +pfkey_send_spddelete(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, + u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq) { int len; @@ -1034,9 +957,7 @@ pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq) * -1 : error occured, and set errno. */ int -pfkey_send_spddelete2(so, spid) - int so; - u_int32_t spid; +pfkey_send_spddelete2(int so, u_int32_t spid) { int len; @@ -1053,9 +974,7 @@ pfkey_send_spddelete2(so, spid) * -1 : error occured, and set errno. */ int -pfkey_send_spdget(so, spid) - int so; - u_int32_t spid; +pfkey_send_spdget(int so, u_int32_t spid) { int len; 
@@ -1072,13 +991,8 @@ pfkey_send_spdget(so, spid) * -1 : error occured, and set errno. */ int -pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq) - int so; - struct sockaddr *src, *dst; - u_int prefs, prefd, proto; - caddr_t policy; - int policylen; - u_int32_t seq; +pfkey_send_spdsetidx(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, + u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq) { int len; @@ -1103,8 +1017,7 @@ pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq) * -1 : error occured, and set errno. */ int -pfkey_send_spdflush(so) - int so; +pfkey_send_spdflush(int so) { int len; @@ -1121,8 +1034,7 @@ pfkey_send_spdflush(so) * -1 : error occured, and set errno. */ int -pfkey_send_spddump(so) - int so; +pfkey_send_spddump(int so) { int len; @@ -1135,18 +1047,10 @@ pfkey_send_spddump(so) /* sending SADB_ADD or SADB_UPDATE message to the kernel */ static int -pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, l_bytes, l_addtime, l_usetime, seq, port) - int so; - u_int type, satype, mode; - struct sockaddr *src, *dst; - u_int32_t spi, reqid; - u_int wsize; - caddr_t keymat; - u_int e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq; - u_int16_t port; +pfkey_send_x1(int so, u_int type, u_int satype, u_int mode, struct sockaddr_storage *src, + struct sockaddr_storage *dst, u_int32_t spi, u_int32_t reqid, u_int wsize, + caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen, u_int flags, + u_int32_t l_alloc, u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq, u_int16_t port) { struct sadb_msg *newmsg; int len; 
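Review bot: The new prototype for `pfkey_send_x1` declares `l_bytes`, `l_addtime` and `l_usetime` as `u_int32_t`, while its callers `pfkey_send_update` and `pfkey_send_add` (earlier hunks) declare the same parameters as `u_int64_t`, so the lifetimes are silently narrowed at the call; `pfkey_setsadblifetime` further down has the same `u_int32_t` parameters. The removed K&R declaration list carried the same types, so this is inherited rather than introduced, but the ANSI conversion is where the mismatch becomes visible and the compiler will stay quiet without -Wconversion. A byte lifetime of 4 GiB or more wraps to a small value, and if the kernel treats 0 as "no limit" an exact multiple of 2^32 would disable the limit entirely, so the types should either be widened to `u_int64_t` end to end or the cap documented as deliberate at the public entry points. The body of `pfkey_send_x1` continues outside the hunk.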
@@ -1159,11 +1063,11 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } - if (src->sa_family != dst->sa_family) { + if (src->ss_family != dst->ss_family) { __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; return -1; } - switch (src->sa_family) { + switch (src->ss_family) { case AF_INET: plen = sizeof(struct in_addr) << 3; break; @@ -1224,9 +1128,9 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, + sizeof(struct sadb_sa_2) + sizeof(struct sadb_x_sa2) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(src)) + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(dst)) + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst)) + sizeof(struct sadb_lifetime) + sizeof(struct sadb_lifetime); @@ -1321,11 +1225,7 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, /* sending SADB_DELETE or SADB_GET message to the kernel */ /*ARGSUSED*/ static int -pfkey_send_x2(so, type, satype, mode, src, dst, spi) - int so; - u_int type, satype, mode; - struct sockaddr *src, *dst; - u_int32_t spi; +pfkey_send_x2(int so, u_int type, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spi) { struct sadb_msg *newmsg; int len; @@ -1338,11 +1238,11 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi) __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } - if (src->sa_family != dst->sa_family) { + if (src->ss_family != dst->ss_family) { __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; return -1; } - switch (src->sa_family) { + switch (src->ss_family) { case AF_INET: plen = sizeof(struct in_addr) << 3; break; 
@@ -1358,9 +1258,9 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi) len = sizeof(struct sadb_msg) + sizeof(struct sadb_sa_2) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(src)) + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(dst)); + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst)); if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { __ipsec_set_strerror(strerror(errno)); @@ -1408,9 +1308,7 @@ pfkey_send_x2(so, type, satype, mode, src, dst, spi) * to the kernel */ static int -pfkey_send_x3(so, type, satype) - int so; - u_int type, satype; +pfkey_send_x3(int so, u_int type, u_int satype) { struct sadb_msg *newmsg; int len; @@ -1470,15 +1368,8 @@ pfkey_send_x3(so, type, satype) /* sending SADB_X_SPDADD message to the kernel */ static int -pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, - ltime, vtime, policy, policylen, seq) - int so; - struct sockaddr *src, *dst; - u_int type, prefs, prefd, proto; - u_int64_t ltime, vtime; - char *policy; - int policylen; - u_int32_t seq; +pfkey_send_x4(int so, u_int type, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, u_int prefd, u_int proto, + u_int64_t ltime, u_int64_t vtime, char *policy, int policylen, u_int32_t seq) { struct sadb_msg *newmsg; int len; @@ -1491,12 +1382,12 @@ pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; return -1; } - if (src->sa_family != dst->sa_family) { + if (src->ss_family != dst->ss_family) { __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; return -1; } - switch (src->sa_family) { + switch (src->ss_family) { case AF_INET: plen = sizeof(struct in_addr) << 3; break; 
@@ -1515,9 +1406,9 @@ pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, /* create new sadb_msg to reply. */ len = sizeof(struct sadb_msg) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(src)) + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) + sizeof(struct sadb_address) - + PFKEY_ALIGN8(sysdep_sa_len(src)) + + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src)) + sizeof(struct sadb_lifetime) + policylen; @@ -1564,10 +1455,7 @@ pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */ static int -pfkey_send_x5(so, type, spid) - int so; - u_int type; - u_int32_t spid; +pfkey_send_x5(int so, u_int type, u_int32_t spid) { struct sadb_msg *newmsg; struct sadb_x_policy xpl; @@ -1660,8 +1548,7 @@ pfkey_open() * -1: fail. */ void -pfkey_close(so) - int so; +pfkey_close(int so) { (void)close(so); @@ -1679,11 +1566,11 @@ pfkey_close(so) * XXX should be rewritten to pass length explicitly */ struct sadb_msg * -pfkey_recv(so) - int so; +pfkey_recv(int so) { struct sadb_msg buf, *newmsg; - int len, reallen; + ssize_t len; + int reallen; while ((len = recv(so, (void *)&buf, sizeof(buf), MSG_PEEK)) < 0) { if (errno == EINTR) @@ -1737,10 +1624,7 @@ pfkey_recv(so) * -1 : fail. */ int -pfkey_send(so, msg, len) - int so; - struct sadb_msg *msg; - int len; +pfkey_send(int so, struct sadb_msg *msg, int len) { if ((len = send(so, (void *)msg, (socklen_t)len, 0)) < 0) { __ipsec_set_strerror(strerror(errno)); @@ -1766,9 +1650,7 @@ pfkey_send(so, msg, len) * XXX should be rewritten to obtain length explicitly */ int -pfkey_align(msg, mhp) - struct sadb_msg *msg; - caddr_t *mhp; +pfkey_align(struct sadb_msg *msg, caddr_t *mhp) { struct sadb_ext *ext; int i; @@ -1877,8 +1759,7 @@ pfkey_align(msg, mhp) * 0: valid. */ int -pfkey_check(mhp) - caddr_t *mhp; +pfkey_check(caddr_t * mhp) { struct sadb_msg *msg; 
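Review bot: In the buffer-length computation of `pfkey_send_x4` both `PFKEY_ALIGN8(sysdep_sa_len(...))` terms use `src`; the second should be `dst`, the address the second sadb_address actually carries. The repetition predates the commit (the removed lines have it too), but this hunk rewrites both lines, so it is the natural place to fix it: `+ PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst))`. The `ss_family` equality check earlier in the function keeps the two lengths equal in practice for AF_INET/AF_INET6, and pfkey_setsadbaddr's `buf + len > lim` check (its own hunk) returns NULL if they ever differ, so the consequence is a wrongly sized message rather than an overflow. `pfkey_send_x4` continues outside the hunk.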
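Review bot: `pfkey_check(caddr_t * mhp)` spaces the `*` on both sides, unlike `pfkey_align(struct sadb_msg *msg, caddr_t *mhp)` in the preceding hunk and the rest of the prototypes this commit introduces; `pfkey_check(caddr_t *mhp)` keeps the file's style. The function body continues outside the hunk.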
@@ -2001,13 +1882,7 @@ pfkey_check(mhp) * `buf' must has been allocated sufficiently. */ static caddr_t -pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid) - caddr_t buf; - caddr_t lim; - u_int type, satype; - u_int tlen; - u_int32_t seq; - pid_t pid; +pfkey_setsadbmsg(caddr_t buf, caddr_t lim, u_int type, u_int tlen, u_int satype, u_int32_t seq, pid_t pid) { struct sadb_msg *p; u_int len; @@ -2036,12 +1911,7 @@ pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid) * `buf' must has been allocated sufficiently. */ static caddr_t -pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags, port) - caddr_t buf; - caddr_t lim; - u_int32_t spi, flags; - u_int wsize, auth, enc; - u_int16_t port; +pfkey_setsadbsa(caddr_t buf, caddr_t lim, u_int32_t spi, u_int wsize, u_int auth, u_int enc, u_int32_t flags, u_int16_t port) { struct sadb_sa_2 *p; u_int len; @@ -2072,19 +1942,13 @@ pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags, port) * prefixlen is in bits. */ static caddr_t -pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto) - caddr_t buf; - caddr_t lim; - u_int exttype; - struct sockaddr *saddr; - u_int prefixlen; - u_int ul_proto; +pfkey_setsadbaddr(caddr_t buf, caddr_t lim, u_int exttype, struct sockaddr_storage *saddr, u_int prefixlen, u_int ul_proto) { struct sadb_address *p; u_int len; p = (void *)buf; - len = sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len(saddr)); + len = sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)saddr)); if (buf + len > lim) return NULL; @@ -2096,7 +1960,7 @@ pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto) p->sadb_address_prefixlen = prefixlen; p->sadb_address_reserved = 0; - memcpy(p + 1, saddr, (size_t)sysdep_sa_len(saddr)); + memcpy(p + 1, saddr, (size_t)sysdep_sa_len((struct sockaddr *)saddr)); return(buf + len); } 
@@ -2106,11 +1970,7 @@ pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto) * OUT: the pointer of buf + len. */ static caddr_t -pfkey_setsadbkey(buf, lim, type, key, keylen) - caddr_t buf; - caddr_t lim; - caddr_t key; - u_int type, keylen; +pfkey_setsadbkey(caddr_t buf, caddr_t lim, u_int type, caddr_t key, u_int keylen) { struct sadb_key *p; u_int len; @@ -2137,11 +1997,8 @@ pfkey_setsadbkey(buf, lim, type, key, keylen) * OUT: the pointer of buf + len. */ static caddr_t -pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime) - caddr_t buf; - caddr_t lim; - u_int type; - u_int32_t l_alloc, l_bytes, l_addtime, l_usetime; +pfkey_setsadblifetime(caddr_t buf, caddr_t lim, u_int type, u_int32_t l_alloc, + u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime) { struct sadb_lifetime *p; u_int len; @@ -2183,11 +2040,7 @@ pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime) * `buf' must has been allocated sufficiently. */ static caddr_t -pfkey_setsadbxsa2(buf, lim, mode0, reqid) - caddr_t buf; - caddr_t lim; - u_int32_t mode0; - u_int32_t reqid; +pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid) { struct sadb_x_sa2 *p; u_int8_t mode = mode0 & 0xff; @@ -2210,11 +2063,7 @@ pfkey_setsadbxsa2(buf, lim, mode0, reqid) #ifdef SADB_X_EXT_NAT_T_TYPE static caddr_t -pfkey_set_natt_type(buf, lim, type, l_natt_type) - caddr_t buf; - caddr_t lim; - u_int type; - u_int8_t l_natt_type; +pfkey_set_natt_type(caddr_t buf, caddr_t lim, u_int type, u_int8_t l_natt_type) { struct sadb_x_nat_t_type *p; u_int len; @@ -2234,11 +2083,7 @@ pfkey_set_natt_type(buf, lim, type, l_natt_type) } static caddr_t -pfkey_set_natt_port(buf, lim, type, l_natt_port) - caddr_t buf; - caddr_t lim; - u_int type; - u_int16_t l_natt_port; +pfkey_set_natt_port(caddr_t buf, caddr_t lim, u_int type, u_int16_t l_natt_port) { struct sadb_x_nat_t_port *p; u_int len; 
@@ -2260,11 +2105,7 @@ pfkey_set_natt_port(buf, lim, type, l_natt_port) #ifdef SADB_X_EXT_NAT_T_FRAG static caddr_t -pfkey_set_natt_frag(buf, lim, type, l_natt_frag) - caddr_t buf; - caddr_t lim; - u_int type; - u_int16_t l_natt_frag; +pfkey_set_natt_frag(caddr_t buf, caddr_t lim, u_int type, u_int16_t l_natt_frag) { struct sadb_x_nat_t_frag *p; u_int len; @@ -2284,6 +2125,7 @@ pfkey_set_natt_frag(buf, lim, type, l_natt_frag) } #endif + static caddr_t pfkey_setsadbsession_id (caddr_t buf, caddr_t lim, @@ -2325,7 +2167,7 @@ pfkey_setsadbsastats (caddr_t buf, if (!stats || !max_stats) return NULL; - p = (__typeof__(p))buf; + p = ALIGNED_CAST(__typeof__(p))buf; // Wcast-align fix - buffer passed to here is malloc'd message buffer list_len = sizeof(*stats) * max_stats; len = sizeof(*p) + PFKEY_ALIGN8(list_len); diff --git a/ipsec-tools/Common/pfkey_dump.c b/ipsec-tools/Common/pfkey_dump.c index cf40fe9..6ee8a4b 100644 --- a/ipsec-tools/Common/pfkey_dump.c +++ b/ipsec-tools/Common/pfkey_dump.c @@ -499,7 +499,7 @@ pfkey_spdump1(m, withports) switch (sa->sa_family) { case AF_INET: case AF_INET6: - if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL, + if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL, 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) sport = 0; /*XXX*/ else @@ -520,7 +520,7 @@ pfkey_spdump1(m, withports) switch (sa->sa_family) { case AF_INET: case AF_INET6: - if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL, + if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL, 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) dport = 0; /*XXX*/ else diff --git a/ipsec-tools/libipsec/ipsec_get_policylen.c b/ipsec-tools/libipsec/ipsec_get_policylen.c index 1dca6d2..7de42e7 100644 --- a/ipsec-tools/libipsec/ipsec_get_policylen.c +++ b/ipsec-tools/libipsec/ipsec_get_policylen.c @@ -36,6 +36,7 @@ #include #include #include +#include #ifdef HAVE_NETINET6_IPSEC # include 
@@ -53,8 +54,13 @@ #include "ipsec_strerror.h" int -ipsec_get_policylen(policy) - ipsec_policy_t policy; +ipsec_get_policylen(ipsec_policy_t policy) { - return policy ? PFKEY_EXTLEN(policy) : -1; + u_int16_t aligned_len; + + if (policy) { + memcpy(&aligned_len, policy, sizeof(u_int16_t)); + return PFKEY_UNUNIT64(aligned_len); + } else + return -1; } diff --git a/ipsec-tools/libipsec/policy_parse.y b/ipsec-tools/libipsec/policy_parse.y index 74d1e35..7e84cc3 100644 --- a/ipsec-tools/libipsec/policy_parse.y +++ b/ipsec-tools/libipsec/policy_parse.y @@ -84,7 +84,7 @@ #include #include "config.h" - +#include "var.h" #include "ipsec_strerror.h" #include "libpfkey.h" @@ -105,17 +105,17 @@ static int offset = 0; /* offset of pbuf */ static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid; static u_int32_t p_priority = 0; static long p_priority_offset = 0; -static struct sockaddr *p_src = NULL; -static struct sockaddr *p_dst = NULL; +static struct sockaddr_storage *p_src = NULL; +static struct sockaddr_storage *p_dst = NULL; struct _val; extern void yyerror __P((char *msg)); -static struct sockaddr *parse_sockaddr __P((struct _val *addrbuf, +static struct sockaddr_storage *parse_sockaddr __P((struct _val *addrbuf, struct _val *portbuf)); static int rule_check __P((void)); static int init_x_policy __P((void)); -static int set_x_request __P((struct sockaddr *, struct sockaddr *)); -static int set_sockaddr __P((struct sockaddr *)); +static int set_x_request __P((struct sockaddr_storage *, struct sockaddr_storage *)); +static int set_sockaddr __P((struct sockaddr_storage *)); static void policy_parse_request_init __P((void)); static void *policy_parse __P((const char *, int)); @@ -390,7 +390,7 @@ yyerror(msg) return; } -static struct sockaddr * +static struct sockaddr_storage * parse_sockaddr(addrbuf, portbuf) struct _val *addrbuf; struct _val *portbuf; 
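Review bot: The rewritten ipsec_get_policylen depends on `sadb_ext_len` being the first u_int16_t of the extension header, and nothing in the code says why the `PFKEY_EXTLEN` macro was replaced by a two-byte memcpy. A comment on the memcpy would stop the next maintainer from "simplifying" it back into a struct cast: `/* sadb_x_policy_len is the first u_int16_t of the extension; copied with memcpy because the caller's buffer need not be 8-byte aligned */`. Note the function still only guards against NULL — a buffer shorter than two bytes is not detected, which matches the old macro's behaviour but is worth stating in the header comment.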
@@ -399,7 +399,7 @@ parse_sockaddr(addrbuf, portbuf) char *addr; char *serv = NULL; int error; - struct sockaddr *newaddr = NULL; + struct sockaddr_storage *newaddr = NULL; int addr_len; int serv_len; @@ -481,7 +481,7 @@ rule_check() return -1; } } - else if (p_src->sa_family != p_dst->sa_family) { + else if (p_src->ss_family != p_dst->ss_family) { __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; return -1; } @@ -508,7 +508,7 @@ init_x_policy() tlen = sizeof(struct sadb_x_policy); memset(pbuf, 0, tlen); - p = (struct sadb_x_policy *)pbuf; + p = ALIGNED_CAST(struct sadb_x_policy *)pbuf; p->sadb_x_policy_len = 0; /* must update later */ p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; p->sadb_x_policy_type = p_type; @@ -534,15 +534,15 @@ init_x_policy() static int set_x_request(src, dst) - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; { struct sadb_x_ipsecrequest *p; int reqlen; u_int8_t *n; reqlen = sizeof(*p) - + (src ? sysdep_sa_len(src) : 0) - + (dst ? sysdep_sa_len(dst) : 0); + + (src ? sysdep_sa_len((struct sockaddr *)src) : 0) + + (dst ? sysdep_sa_len((struct sockaddr *)dst) : 0); tlen += reqlen; /* increment to total length */ n = realloc(pbuf, tlen); @@ -552,7 +552,7 @@ set_x_request(src, dst) } pbuf = n; - p = (struct sadb_x_ipsecrequest *)&pbuf[offset]; + p = ALIGNED_CAST(struct sadb_x_ipsecrequest *)&pbuf[offset]; // Wcast-align fix - malloc'd buffer/offset 64 bit multiple p->sadb_x_ipsecrequest_len = reqlen; p->sadb_x_ipsecrequest_proto = p_protocol; p->sadb_x_ipsecrequest_mode = p_mode; @@ -569,7 +569,7 @@ set_x_request(src, dst) static int set_sockaddr(addr) - struct sockaddr *addr; + struct sockaddr_storage *addr; { if (addr == NULL) { __ipsec_errcode = EIPSEC_NO_ERROR; 
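Review bot: The comment added to the ALIGNED_CAST in set_x_request, `// Wcast-align fix - malloc'd buffer/offset 64 bit multiple`, overstates what the code guarantees: `offset` is advanced by `sysdep_sa_len()` in set_sockaddr, and a sockaddr_in6 is 28 bytes, so after a single IPv6 endpoint the next request header lands on a 4-byte boundary rather than an 8-byte one. As far as I can see the access is still safe because struct sadb_x_ipsecrequest holds nothing wider than u_int16_t, but the comment should say that instead, e.g. `// Wcast-align fix: offset is only guaranteed even (sysdep_sa_len is not padded); sadb_x_ipsecrequest has no field wider than u_int16_t, so that suffices`. set_x_request continues outside the hunk.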
@@ -578,9 +578,9 @@ set_sockaddr(addr) /* tlen has already incremented */ - memcpy(&pbuf[offset], addr, sysdep_sa_len(addr)); + memcpy(&pbuf[offset], addr, sysdep_sa_len((struct sockaddr *)addr)); - offset += sysdep_sa_len(addr); + offset += sysdep_sa_len((struct sockaddr *)addr); __ipsec_errcode = EIPSEC_NO_ERROR; return 0; @@ -631,7 +631,7 @@ policy_parse(msg, msglen) } /* update total length */ - ((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen); + (ALIGNED_CAST(struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen); __ipsec_errcode = EIPSEC_NO_ERROR; diff --git a/ipsec-tools/libipsec/test-policy.c b/ipsec-tools/libipsec/test-policy.c index ea1b2ba..d6eb599 100644 --- a/ipsec-tools/libipsec/test-policy.c +++ b/ipsec-tools/libipsec/test-policy.c @@ -247,16 +247,16 @@ test2() free(m); printf("spdsetidx()\n"); - if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128, - (struct sockaddr *)addr, 128, + if (pfkey_send_spdsetidx(so, (struct sockaddr_storage *)addr, 128, + (struct sockaddr_storage *)addr, 128, 255, sp1, splen1, 0) < 0) errx(1, "ERROR: %s", ipsec_strerror()); m = pfkey_recv(so); free(m); printf("spdupdate()\n"); - if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128, - (struct sockaddr *)addr, 128, + if (pfkey_send_spdupdate(so, (struct sockaddr_storage *)addr, 128, + (struct sockaddr_storage *)addr, 128, 255, sp2, splen2, 0) < 0) errx(1, "ERROR: %s", ipsec_strerror()); m = pfkey_recv(so); 
@@ -266,16 +266,16 @@ test2() sleep(4); printf("spddelete()\n"); - if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128, - (struct sockaddr *)addr, 128, + if (pfkey_send_spddelete(so, (struct sockaddr_storage *)addr, 128, + (struct sockaddr_storage *)addr, 128, 255, sp1, splen1, 0) < 0) errx(1, "ERROR: %s", ipsec_strerror()); m = pfkey_recv(so); free(m); printf("spdadd()\n"); - if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128, - (struct sockaddr *)addr, 128, + if (pfkey_send_spdadd(so, (struct sockaddr_storage *)addr, 128, + (struct sockaddr_storage *)addr, 128, 255, sp2, splen2, 0) < 0) errx(1, "ERROR: %s", ipsec_strerror()); spid = test2sub(so); @@ -296,16 +296,16 @@ test2() free(m); printf("spdadd() with lifetime's 10(s)\n"); - if (pfkey_send_spdadd2(so, (struct sockaddr *)addr, 128, - (struct sockaddr *)addr, 128, + if (pfkey_send_spdadd2(so, (struct sockaddr_storage *)addr, 128, + (struct sockaddr_storage *)addr, 128, 255, 0, 10, sp2, splen2, 0) < 0) errx(1, "ERROR: %s", ipsec_strerror()); spid = test2sub(so); /* expecting failure */ printf("spdupdate()\n"); - if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128, - (struct sockaddr *)addr, 128, + if (pfkey_send_spdupdate(so, (struct sockaddr_storage *)addr, 128, + (struct sockaddr_storage *)addr, 128, 255, sp2, splen2, 0) == 0) { warnx("ERROR: expecting failure."); } diff --git a/ipsec-tools/racoon/Sample/racoon.conf b/ipsec-tools/racoon/Sample/racoon.conf index 8b01645..c484cd4 100644 --- a/ipsec-tools/racoon/Sample/racoon.conf +++ b/ipsec-tools/racoon/Sample/racoon.conf @@ -94,7 +94,7 @@ remote ::1 [8000] lifetime time 1 min; # sec,min,hour proposal { - encryption_algorithm 3des; + encryption_algorithm aes; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; 
@@ -126,7 +126,7 @@ sainfo address ::1 icmp6 address ::1 icmp6 { pfs_group 1; lifetime time 60 sec; - encryption_algorithm 3des, cast128, blowfish 448, des ; + encryption_algorithm 3des, aes ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; } diff --git a/ipsec-tools/racoon/admin.c b/ipsec-tools/racoon/admin.c index 6cced94..03d095c 100644 --- a/ipsec-tools/racoon/admin.c +++ b/ipsec-tools/racoon/admin.c @@ -61,6 +61,7 @@ #ifdef ENABLE_HYBRID #include #endif +#include #include "var.h" #include "misc.h" @@ -112,7 +113,7 @@ admin_handler() char *combuf = NULL; int len, error = -1; - so2 = accept(lcconf->sock_admin, (struct sockaddr *)&from, &fromlen); + so2 = accept(lcconf->sock_admin, (struct sockaddr_storage *)&from, &fromlen); if (so2 < 0) { plog(LLV_ERROR, LOCATION, NULL, "failed to accept admin command: %s\n", @@ -285,14 +286,14 @@ out2: case ADMIN_DELETE_SA: { struct ph1handle *iph1; - struct sockaddr *dst; - struct sockaddr *src; + struct sockaddr_storage *dst; + struct sockaddr_storage *src; char *loc, *rem; - src = (struct sockaddr *) + src = (struct sockaddr_storage *) &((struct admin_com_indexes *) ((caddr_t)com + sizeof(*com)))->src; - dst = (struct sockaddr *) + dst = (struct sockaddr_storage *) &((struct admin_com_indexes *) ((caddr_t)com + sizeof(*com)))->dst; @@ -341,10 +342,10 @@ out2: case ADMIN_DELETE_ALL_SA_DST: { struct ph1handle *iph1; - struct sockaddr *dst; + struct sockaddr_storage *dst; char *loc, *rem; - dst = (struct sockaddr *) + dst = (struct sockaddr_storage *) &((struct admin_com_indexes *) ((caddr_t)com + sizeof(*com)))->dst; @@ -375,7 +376,7 @@ out2: { struct admin_com_psk *acp; char *data; - struct sockaddr *dst; + struct sockaddr_storage *dst; struct bound_addr *target; com->ac_errno = -1; 
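Review bot: The sainfo sample now lists `encryption_algorithm 3des, aes ;`, which keeps 3DES as the first, i.e. preferred, transform even though the phase-1 sample in this same patch moved to AES. If 3DES is retained only for interoperability, list it last: `encryption_algorithm aes, 3des ;`. While touching this block, `pfs_group 1` and `hmac_md5` on the surrounding lines are weak choices for a sample that users copy into real deployments; this file is a sample, so the impact is on copied configurations rather than the daemon itself.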
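Review bot: `accept()` takes a `struct sockaddr *`, so the cast in admin_handler, `(struct sockaddr_storage *)&from`, has the wrong type for that parameter and will at best compile with an incompatible-pointer warning; the same mechanical replacement is applied to `bind()` later in this file. Unless Apple's headers redeclare these calls, keep `(struct sockaddr *)&from` here and reserve the sockaddr_storage cast for racoon's own APIs. admin_handler continues outside the hunk.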
@@ -412,7 +413,7 @@ out2: data = (char *)(data + acp->id_len); memcpy(key->v, data, key->l); - dst = (struct sockaddr *) + dst = (struct sockaddr_storage *) &((struct admin_com_indexes *) ((caddr_t)com + sizeof(*com)))->dst; @@ -474,20 +475,20 @@ outofhere: /* FALLTHROUGH */ case ADMIN_ESTABLISH_SA: { - struct sockaddr *dst; - struct sockaddr *src; - src = (struct sockaddr *) + struct sockaddr_storage *dst; + struct sockaddr_storage *src; + src = (struct sockaddr_storage *) &((struct admin_com_indexes *) ((caddr_t)com + sizeof(*com)))->src; - dst = (struct sockaddr *) + dst = (struct sockaddr_storage *) &((struct admin_com_indexes *) ((caddr_t)com + sizeof(*com)))->dst; switch (com->ac_proto) { case ADMIN_PROTO_ISAKMP: { struct remoteconf *rmconf; - struct sockaddr *remote = NULL; - struct sockaddr *local = NULL; + struct sockaddr_storage *remote = NULL; + struct sockaddr_storage *local = NULL; u_int16_t port; com->ac_errno = -1; @@ -505,7 +506,7 @@ outofhere: if ((remote = dupsaddr(dst)) == NULL) goto out1; - switch (remote->sa_family) { + switch (remote->ss_family) { case AF_INET: ((struct sockaddr_in *)remote)->sin_port = ((struct sockaddr_in *)rmconf->remote)->sin_port; @@ -519,7 +520,7 @@ outofhere: default: plog(LLV_ERROR, LOCATION, NULL, "invalid family: %d\n", - remote->sa_family); + remote->ss_family); com->ac_errno = -1; break; } @@ -678,8 +679,13 @@ admin_init() return -1; } + if (fcntl(lcconf->sock_admin, F_SETFL, O_NONBLOCK) == -1) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to put admin socket in non-blocking mode\n"); + } + unlink(sunaddr.sun_path); - if (bind(lcconf->sock_admin, (struct sockaddr *)&sunaddr, + if (bind(lcconf->sock_admin, (struct sockaddr_storage *)&sunaddr, sizeof(sunaddr)) != 0) { plog(LLV_ERROR, LOCATION, NULL, "bind(sockname:%s): %s\n", diff --git a/ipsec-tools/racoon/algorithm.c b/ipsec-tools/racoon/algorithm.c index 3440fc3..9ed1ef9 100644 --- a/ipsec-tools/racoon/algorithm.c +++ b/ipsec-tools/racoon/algorithm.c 
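Review bot: The new `fcntl(lcconf->sock_admin, F_SETFL, O_NONBLOCK)` in admin_init is applied to the listening socket, and on Darwin/BSD an accepted socket inherits the non-blocking flag, so the recv/send on `so2` in admin_handler can now return EAGAIN where it previously blocked; I cannot see from this patch whether admin_handler copes with that. Either clear O_NONBLOCK on `so2` after accept, or handle EAGAIN/EWOULDBLOCK in the read loop there. The fcntl failure is also only logged — if non-blocking mode matters for correctness, `return -1;` after the plog, otherwise add a comment saying why best-effort is acceptable. Separately, `bind()` expects a `struct sockaddr *`, so `(struct sockaddr_storage *)&sunaddr` should remain `(struct sockaddr *)&sunaddr`.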
@@ -104,29 +104,9 @@ static struct enc_algorithm oakley_encdef[] = { { "des", algtype_des, OAKLEY_ATTR_ENC_ALG_DES, 8, eay_des_encrypt, eay_des_decrypt, eay_des_weakkey, eay_des_keylen, }, -#ifdef HAVE_OPENSSL -#ifdef HAVE_OPENSSL_IDEA_H -{ "idea", algtype_idea, OAKLEY_ATTR_ENC_ALG_IDEA, 8, - eay_idea_encrypt, eay_idea_decrypt, - eay_idea_weakkey, eay_idea_keylen, }, -#endif -{ "blowfish", algtype_blowfish, OAKLEY_ATTR_ENC_ALG_BLOWFISH, 8, - eay_bf_encrypt, eay_bf_decrypt, - eay_bf_weakkey, eay_bf_keylen, }, -#ifdef HAVE_OPENSSL_RC5_H -{ "rc5", algtype_rc5, OAKLEY_ATTR_ENC_ALG_RC5, 8, - eay_rc5_encrypt, eay_rc5_decrypt, - eay_rc5_weakkey, eay_rc5_keylen, }, -#endif -#endif { "3des", algtype_3des, OAKLEY_ATTR_ENC_ALG_3DES, 8, eay_3des_encrypt, eay_3des_decrypt, eay_3des_weakkey, eay_3des_keylen, }, -#ifdef HAVE_OPENSSL -{ "cast", algtype_cast128, OAKLEY_ATTR_ENC_ALG_CAST, 8, - eay_cast_encrypt, eay_cast_decrypt, - eay_cast_weakkey, eay_cast_keylen, }, -#endif { "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16, eay_aes_encrypt, eay_aes_decrypt, eay_aes_weakkey, eay_aes_keylen, }, @@ -142,19 +122,6 @@ static struct enc_algorithm ipsec_encdef[] = { { "3des", algtype_3des, IPSECDOI_ESP_3DES, 8, NULL, NULL, NULL, eay_3des_keylen, }, -#ifdef HAVE_OPENSSL -#ifdef HAVE_OPENSSL_RC5_H -{ "rc5", algtype_rc5, IPSECDOI_ESP_RC5, 8, - NULL, NULL, - NULL, eay_rc5_keylen, }, -#endif -{ "cast", algtype_cast128, IPSECDOI_ESP_CAST, 8, - NULL, NULL, - NULL, eay_cast_keylen, }, -{ "blowfish", algtype_blowfish, IPSECDOI_ESP_BLOWFISH, 8, - NULL, NULL, - NULL, eay_bf_keylen, }, -#endif { "des-iv32", algtype_des_iv32, IPSECDOI_ESP_DES_IV32, 8, NULL, NULL, NULL, eay_des_keylen, }, 
@@ -164,22 +131,6 @@ static struct enc_algorithm ipsec_encdef[] = { { "aes", algtype_aes, IPSECDOI_ESP_AES, 16, NULL, NULL, NULL, eay_aes_keylen, }, -#ifdef HAVE_OPENSSL -{ "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16, - NULL, NULL, - NULL, eay_twofish_keylen, }, -#ifdef HAVE_OPENSSL_IDEA_H -{ "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8, - NULL, NULL, - NULL, NULL, }, -{ "idea", algtype_idea, IPSECDOI_ESP_IDEA, 8, - NULL, NULL, - NULL, NULL, }, -#endif -{ "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8, - NULL, NULL, - NULL, NULL, }, -#endif }; static struct hmac_algorithm ipsec_hmacdef[] = { @@ -191,12 +142,6 @@ static struct hmac_algorithm ipsec_hmacdef[] = { NULL, NULL, NULL, eay_sha1_hashlen, NULL, }, -#ifdef HAVE_OPENSSL -{ "kpdk", algtype_kpdk, IPSECDOI_ATTR_AUTH_KPDK, - NULL, NULL, - NULL, eay_kpdk_hashlen, - NULL, }, -#endif { "null", algtype_non_auth, IPSECDOI_ATTR_AUTH_NONE, NULL, NULL, NULL, eay_null_hashlen, diff --git a/ipsec-tools/racoon/backupsa.c b/ipsec-tools/racoon/backupsa.c index 47a3be5..180a09a 100644 --- a/ipsec-tools/racoon/backupsa.c +++ b/ipsec-tools/racoon/backupsa.c @@ -210,7 +210,7 @@ backupsa_from_file() time_t created, current; char *p, *q; u_int satype, mode; - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; u_int32_t spi, reqid; caddr_t keymat; size_t keymatlen; diff --git a/ipsec-tools/racoon/cfparse.y b/ipsec-tools/racoon/cfparse.y index 5024ad1..9089a3e 100644 --- a/ipsec-tools/racoon/cfparse.y +++ b/ipsec-tools/racoon/cfparse.y @@ -85,6 +85,7 @@ #include "isakmp.h" #include "nattraversal.h" #include "isakmp_frag.h" +#include "session.h" #ifdef ENABLE_HYBRID #include "resolv.h" #include "isakmp_unity.h" @@ -98,9 +99,6 @@ #include "gssapi.h" #endif #include "vendorid.h" -#ifdef HAVE_OPENSSL -#include "rsalist.h" -#endif #include "ipsecConfigTracer.h" #include "ipsecMessageTracer.h" 
@@ -127,6 +125,11 @@ static int num2dhgroup[] = { OAKLEY_ATTR_GRP_DESC_MODP8192 }; +struct remote_index_val { + int prefix; + struct sockaddr_storage *addr; +}; + static struct remoteconf *cur_rmconf; static int tmpalgtype[MAXALGCLASS]; static struct sainfo *cur_sainfo; @@ -144,7 +147,7 @@ static int set_isakmp_proposal static void clean_tmpalgtype __P((void)); static int expand_isakmpspec __P((int, int, int *, int, int, time_t, int, int, int, char *, struct remoteconf *)); -static int listen_addr __P((struct sockaddr *addr, int udp_encap)); +static int listen_addr __P((struct sockaddr_storage *addr, int udp_encap)); void freeetypes (struct etypes **etypes); @@ -157,8 +160,9 @@ static int fix_lifebyte __P((u_long)); unsigned long num; vchar_t *val; struct remoteconf *rmconf; - struct sockaddr *saddr; + struct sockaddr_storage *saddr; struct sainfoalg *alg; + struct remote_index_val *rmidx; } /* privsep */ @@ -237,10 +241,11 @@ static int fix_lifebyte __P((u_long)); %type unittype_time unittype_byte %type QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id %type identifierstring -%type remote_index ike_addrinfo_port +%type ike_addrinfo_port %type algorithm %type dpd_algo_type %type idle_dir_type +%type remote_index ike_addrinfo_prefix_port %% @@ -278,7 +283,7 @@ privsep_stmt struct passwd *pw; if ((pw = getpwnam($2->v)) == NULL) { - yyerror("unknown user \"%s\"", $2->v); + racoon_yyerror("unknown user \"%s\"", $2->v); return -1; } lcconf->uid = pw->pw_uid; @@ -290,7 +295,7 @@ privsep_stmt struct group *gr; if ((gr = getgrnam($2->v)) == NULL) { - yyerror("unknown group \"%s\"", $2->v); + racoon_yyerror("unknown group \"%s\"", $2->v); return -1; } lcconf->gid = gr->gr_gid; @@ -305,7 +310,7 @@ path_statement : PATH PATHTYPE QUOTEDSTRING { if ($2 >= LC_PATHTYPE_MAX) { - yyerror("invalid path type %d", $2); + racoon_yyerror("invalid path type %d", $2); return -1; } 
@@ -345,7 +350,7 @@ gssenc_statement : GSS_ID_ENC GSS_ID_ENCTYPE EOS { if ($2 >= LC_GSSENC_MAX) { - yyerror("invalid GSS ID encoding %d", $2); + racoon_yyerror("invalid GSS ID encoding %d", $2); return -1; } lcconf->gss_id_enc = $2; @@ -368,7 +373,7 @@ identifier_stmt $2->l--; /* nuke '\0' */ lcconf->ident[$1] = $2; if (lcconf->ident[$1] == NULL) { - yyerror("failed to set my ident: %s", + racoon_yyerror("failed to set my ident: %s", strerror(errno)); return -1; } @@ -387,7 +392,7 @@ log_level * XXX ignore it because this specification * will be obsoleted. */ - yywarn("see racoon.conf(5), such a log specification will be obsoleted."); + racoon_yywarn("see racoon.conf(5), such a log specification will be obsoleted."); vfree($1); } | LOGLEV @@ -437,13 +442,13 @@ listen_stmt #ifdef ENABLE_NATT listen_addr ($2, 1); #else - yyerror("NAT-T support not compiled in."); + racoon_yyerror("NAT-T support not compiled in."); #endif } EOS | X_ADMIN { - yyerror("admin directive is obsoleted."); + racoon_yyerror("admin directive is obsoleted."); } PORT EOS | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER @@ -451,7 +456,7 @@ listen_stmt #ifdef ENABLE_ADMINPORT adminsock_conf($2, $3, $4, $5); #else - yywarn("admin port support not compiled in"); + racoon_yywarn("admin port support not compiled in"); #endif } EOS @@ -460,7 +465,7 @@ listen_stmt #ifdef ENABLE_ADMINPORT adminsock_conf($2, NULL, NULL, -1); #else - yywarn("admin port support not compiled in"); + racoon_yywarn("admin port support not compiled in"); #endif } EOS @@ -469,7 +474,7 @@ listen_stmt #ifdef ENABLE_ADMINPORT adminsock_path = NULL; #else - yywarn("admin port support not compiled in"); + racoon_yywarn("admin port support not compiled in"); #endif } EOS 
@@ -487,6 +492,29 @@ ike_addrinfo_port return -1; } ; +ike_addrinfo_prefix_port + : ADDRSTRING prefix ike_port + { + char portbuf[10]; + struct remote_index_val *new; + + new = racoon_calloc(1, sizeof(*new)); + if (new == NULL) { + racoon_yyerror("failed to allocate remote index struct"); + vfree($1); + return -1; + } + snprintf(portbuf, sizeof(portbuf), "%ld", $3); + new->addr = str2saddr($1->v, portbuf); + vfree($1); + if (!new->addr) { + racoon_yyerror("failed to allocate sockaddr storage"); + return -1; + } + new->prefix = $2; + $$ = new; + } + ; ike_port : /* nothing */ { $$ = PORT_ISAKMP; } | PORT { $$ = $1; } @@ -505,10 +533,10 @@ modecfg_stmt #ifdef ENABLE_HYBRID if (inet_pton(AF_INET, $2->v, &isakmp_cfg_config.network4) != 1) - yyerror("bad IPv4 network address."); + racoon_yyerror("bad IPv4 network address."); vfree($2); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS @@ -517,10 +545,10 @@ modecfg_stmt #ifdef ENABLE_HYBRID if (inet_pton(AF_INET, $2->v, &isakmp_cfg_config.netmask4) != 1) - yyerror("bad IPv4 netmask address."); + racoon_yyerror("bad IPv4 netmask address."); vfree($2); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS @@ -533,7 +561,7 @@ modecfg_stmt #ifdef ENABLE_HYBRID isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN; #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS 
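Review bot: The new ike_addrinfo_prefix_port action leaks `new` on its failure path: when `str2saddr()` returns NULL the code reports the error and returns -1 without releasing the struct that `racoon_calloc` just allocated. Add the matching free, presumably `racoon_free(new);`, before that `return -1;`. Nothing in this rule bounds `$2` against the address family, so if the `prefix` production does not range-check it, a prefix larger than 32 for an IPv4 address is accepted here — worth confirming. The error text `failed to allocate sockaddr storage` is also misleading, since str2saddr can presumably fail on a malformed address string, not just on allocation.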
@@ -542,14 +570,14 @@ modecfg_stmt #ifdef ENABLE_HYBRID isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE; #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_SPLIT_DNS splitdnslist { #ifndef ENABLE_HYBRID - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS @@ -560,7 +588,7 @@ modecfg_stmt $2->v, sizeof(isakmp_cfg_config.default_domain)); vfree($2); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS @@ -569,7 +597,7 @@ modecfg_stmt #ifdef ENABLE_HYBRID isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS @@ -579,10 +607,10 @@ modecfg_stmt #ifdef HAVE_LIBRADIUS isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS; #else /* HAVE_LIBRADIUS */ - yyerror("racoon not configured with --with-libradius"); + racoon_yyerror("racoon not configured with --with-libradius"); #endif /* HAVE_LIBRADIUS */ #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS @@ -592,10 +620,10 @@ modecfg_stmt #ifdef HAVE_LIBPAM isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM; #else /* HAVE_LIBPAM */ - yyerror("racoon not configured with --with-libpam"); + racoon_yyerror("racoon not configured with --with-libpam"); #endif /* HAVE_LIBPAM */ #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS 
@@ -605,17 +633,17 @@ modecfg_stmt #ifdef HAVE_LIBLDAP isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP; #else /* HAVE_LIBLDAP */ - yyerror("racoon not configured with --with-libldap"); + racoon_yyerror("racoon not configured with --with-libldap"); #endif /* HAVE_LIBLDAP */ #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_AUTH_GROUPS authgrouplist { #ifndef ENABLE_HYBRID - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS @@ -624,7 +652,7 @@ modecfg_stmt #ifdef ENABLE_HYBRID isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS @@ -634,10 +662,10 @@ modecfg_stmt #ifdef HAVE_LIBLDAP isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP; #else /* HAVE_LIBLDAP */ - yyerror("racoon not configured with --with-libldap"); + racoon_yyerror("racoon not configured with --with-libldap"); #endif /* HAVE_LIBLDAP */ #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS @@ -646,7 +674,7 @@ modecfg_stmt #ifdef ENABLE_HYBRID isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS @@ -655,7 +683,7 @@ modecfg_stmt #ifdef ENABLE_HYBRID isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM; #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS 
@@ -665,10 +693,10 @@ modecfg_stmt #ifdef HAVE_LIBRADIUS isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS; #else /* HAVE_LIBRADIUS */ - yyerror("racoon not configured with --with-libradius"); + racoon_yyerror("racoon not configured with --with-libradius"); #endif /* HAVE_LIBRADIUS */ #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS @@ -678,10 +706,10 @@ modecfg_stmt #ifdef HAVE_LIBPAM isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM; #else /* HAVE_LIBPAM */ - yyerror("racoon not configured with --with-libpam"); + racoon_yyerror("racoon not configured with --with-libpam"); #endif /* HAVE_LIBPAM */ #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS @@ -689,9 +717,9 @@ modecfg_stmt { #ifdef ENABLE_HYBRID if (isakmp_cfg_resize_pool($2) != 0) - yyerror("cannot allocate memory for pool"); + racoon_yyerror("cannot allocate memory for pool"); #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS @@ -702,12 +730,12 @@ modecfg_stmt #ifndef HAVE_OPENSSL if (isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024 && isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) { - yyerror("PFS group must be 2 or 5"); + racoon_yyerror("PFS group must be 2 or 5"); return -1; } #endif #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS 
@@ -716,7 +744,7 @@ modecfg_stmt #ifdef ENABLE_HYBRID isakmp_cfg_config.save_passwd = $2; #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS @@ -725,7 +753,7 @@ modecfg_stmt #ifdef ENABLE_HYBRID isakmp_cfg_config.auth_throttle = $2; #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS @@ -734,7 +762,7 @@ modecfg_stmt #ifdef ENABLE_HYBRID isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS @@ -744,10 +772,10 @@ modecfg_stmt #ifdef HAVE_LIBRADIUS isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS; #else /* HAVE_LIBRADIUS */ - yyerror("racoon not configured with --with-libradius"); + racoon_yyerror("racoon not configured with --with-libradius"); #endif /* HAVE_LIBRADIUS */ #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS @@ -757,10 +785,10 @@ modecfg_stmt #ifdef HAVE_LIBLDAP isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP; #else /* HAVE_LIBLDAP */ - yyerror("racoon not configured with --with-libldap"); + racoon_yyerror("racoon not configured with --with-libldap"); #endif /* HAVE_LIBLDAP */ #else /* ENABLE_HYBRID */ - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS 
@@ -770,7 +798,7 @@ modecfg_stmt strlcpy(&isakmp_cfg_config.motd[0], $2->v, sizeof(isakmp_cfg_config.motd)); vfree($2); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS @@ -787,14 +815,14 @@ addrdns struct isakmp_cfg_config *icc = &isakmp_cfg_config; if (icc->dns4_index > MAXNS) - yyerror("No more than %d DNS", MAXNS); + racoon_yyerror("No more than %d DNS", MAXNS); if (inet_pton(AF_INET, $1->v, &icc->dns4[icc->dns4_index++]) != 1) - yyerror("bad IPv4 DNS address."); + racoon_yyerror("bad IPv4 DNS address."); vfree($1); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } ; @@ -810,14 +838,14 @@ addrwins struct isakmp_cfg_config *icc = &isakmp_cfg_config; if (icc->nbns4_index > MAXWINS) - yyerror("No more than %d WINS", MAXWINS); + racoon_yyerror("No more than %d WINS", MAXWINS); if (inet_pton(AF_INET, $1->v, &icc->nbns4[icc->nbns4_index++]) != 1) - yyerror("bad IPv4 WINS address."); + racoon_yyerror("bad IPv4 WINS address."); vfree($1); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } ; @@ -834,18 +862,18 @@ splitnet struct unity_network network; if (inet_pton(AF_INET, $1->v, &network.addr4) != 1) - yyerror("bad IPv4 SPLIT address."); + racoon_yyerror("bad IPv4 SPLIT address."); /* Turn $2 (the prefix) into a subnet mask */ network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0; /* add the network to our list */ if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count)) - yyerror("Unable to allocate split network"); + racoon_yyerror("Unable to allocate split network"); vfree($1); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } ; 
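Review bot: The bound check in the addrdns action is off by one and does not stop the write: `icc->dns4_index > MAXNS` still lets `dns4_index == MAXNS` through, and because the action continues after `racoon_yyerror`, the next line stores into `dns4[MAXNS]`, one past the end if dns4 is declared with MAXNS entries (I cannot see the struct here). The index is also bumped even when inet_pton rejects the string, so a typo consumes a slot. I would make the check terminal: `if (icc->dns4_index >= MAXNS) { racoon_yyerror("No more than %d DNS", MAXNS); return -1; }`, and likewise `>= MAXWINS` with a `return -1` in addrwins. The same pattern of reporting without returning is in the splitnet action, where a bad prefix still reaches `splitnet_list_add`.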
@@ -865,11 +893,11 @@ authgroup grouplist = racoon_realloc(icc->grouplist, sizeof(char**)*(icc->groupcount+1)); if (grouplist == NULL) - yyerror("unable to allocate auth group list"); + racoon_yyerror("unable to allocate auth group list"); groupname = racoon_malloc($1->l+1); if (groupname == NULL) - yyerror("unable to allocate auth group name"); + racoon_yyerror("unable to allocate auth group name"); memcpy(groupname,$1->v,$1->l); groupname[$1->l]=0; @@ -879,7 +907,7 @@ authgroup vfree($1); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } ; @@ -898,7 +926,7 @@ splitdns { icc->splitdns_list = racoon_malloc($1->l); if(icc->splitdns_list == NULL) - yyerror("error allocating splitdns list buffer"); + racoon_yyerror("error allocating splitdns list buffer"); memcpy(icc->splitdns_list,$1->v,$1->l); icc->splitdns_len = $1->l; } @@ -907,14 +935,14 @@ splitdns int len = icc->splitdns_len + $1->l + 1; icc->splitdns_list = racoon_realloc(icc->splitdns_list,len); if(icc->splitdns_list == NULL) - yyerror("error allocating splitdns list buffer"); + racoon_yyerror("error allocating splitdns list buffer"); icc->splitdns_list[icc->splitdns_len] = ','; memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l); icc->splitdns_len = len; } vfree($1); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } ; @@ -966,7 +994,7 @@ timer_stmt #ifdef ENABLE_NATT lcconf->natt_ka_interval = $2 * $3; #else - yyerror("NAT-T support not compiled in."); + racoon_yyerror("NAT-T support not compiled in."); #endif } EOS @@ -978,7 +1006,7 @@ sainfo_statement { cur_sainfo = newsainfo(); if (cur_sainfo == NULL) { - yyerror("failed to allocate sainfo"); + racoon_yyerror("failed to allocate sainfo"); return -1; } } 
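Review bot: The allocation failures in the authgroup action are reported but not acted on: after `racoon_yyerror("unable to allocate auth group name")` the code falls straight into `memcpy(groupname,$1->v,$1->l)` with a NULL `groupname`, and the realloc failure for `grouplist` is handled the same way. The sainfo_statement hunk on this same line shows the intended convention, `racoon_yyerror(...); return -1;`, so racoon_yyerror itself evidently does not abort the action. I would add `return -1;` after each of the two error calls here, and do the same in the splitdns action, where `icc->splitdns_list` is overwritten by the `racoon_realloc` result and then written through without a return. The enclosing actions run past the ends of these hunks.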
@@ -988,17 +1016,17 @@ sainfo_statement /* default */ if (cur_sainfo->algs[algclass_ipsec_enc] == 0) { - yyerror("no encryption algorithm at %s", + racoon_yyerror("no encryption algorithm at %s", sainfo2str(cur_sainfo)); return -1; } if (cur_sainfo->algs[algclass_ipsec_auth] == 0) { - yyerror("no authentication algorithm at %s", + racoon_yyerror("no authentication algorithm at %s", sainfo2str(cur_sainfo)); return -1; } if (cur_sainfo->algs[algclass_ipsec_comp] == 0) { - yyerror("no compression algorithm at %s", + racoon_yyerror("no compression algorithm at %s", sainfo2str(cur_sainfo)); return -1; } @@ -1008,7 +1036,7 @@ sainfo_statement cur_sainfo->iddst, cur_sainfo->id_i, 0); if (check && (!check->idsrc && !cur_sainfo->idsrc)) { - yyerror("duplicated sainfo: %s", + racoon_yyerror("duplicated sainfo: %s", sainfo2str(cur_sainfo)); return -1; } @@ -1042,11 +1070,11 @@ sainfo_id : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto { char portbuf[10]; - struct sockaddr *saddr; + struct sockaddr_storage *saddr; if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6) && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) { - yyerror("port number must be \"any\"."); + racoon_yyerror("port number must be \"any\"."); return -1; } @@ -1056,10 +1084,10 @@ sainfo_id if (saddr == NULL) return -1; - switch (saddr->sa_family) { + switch (saddr->ss_family) { case AF_INET: if ($5 == IPPROTO_ICMPV6) { - yyerror("upper layer protocol mismatched.\n"); + racoon_yyerror("upper layer protocol mismatched.\n"); racoon_free(saddr); return -1; } @@ -1070,7 +1098,7 @@ sainfo_id #ifdef INET6 case AF_INET6: if ($5 == IPPROTO_ICMP) { - yyerror("upper layer protocol mismatched.\n"); + racoon_yyerror("upper layer protocol mismatched.\n"); racoon_free(saddr); return -1; } @@ -1080,7 +1108,7 @@ sainfo_id break; #endif default: - yyerror("invalid family: %d", saddr->sa_family); + racoon_yyerror("invalid family: %d", saddr->ss_family); $$ = NULL; break; } 
@@ -1091,12 +1119,11 @@ sainfo_id | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto { char portbuf[10]; - struct sockaddr *laddr = NULL, *haddr = NULL; - char *cur = NULL; + struct sockaddr_storage *laddr = NULL, *haddr = NULL; if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6) && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) { - yyerror("port number must be \"any\"."); + racoon_yyerror("port number must be \"any\"."); return -1; } @@ -1114,10 +1141,10 @@ sainfo_id } vfree($3); - switch (laddr->sa_family) { + switch (laddr->ss_family) { case AF_INET: if ($6 == IPPROTO_ICMPV6) { - yyerror("upper layer protocol mismatched.\n"); + racoon_yyerror("upper layer protocol mismatched.\n"); if (laddr) racoon_free(laddr); if (haddr) @@ -1130,7 +1157,7 @@ sainfo_id #ifdef INET6 case AF_INET6: if ($6 == IPPROTO_ICMP) { - yyerror("upper layer protocol mismatched.\n"); + racoon_yyerror("upper layer protocol mismatched.\n"); if (laddr) racoon_free(laddr); if (haddr) @@ -1142,7 +1169,7 @@ sainfo_id break; #endif default: - yyerror("invalid family: %d", laddr->sa_family); + racoon_yyerror("invalid family: %d", laddr->ss_family); $$ = NULL; break; } @@ -1158,7 +1185,7 @@ sainfo_id struct ipsecdoi_id_b *id_b; if ($1 == IDTYPE_ASN1DN) { - yyerror("id type forbidden: %d", $1); + racoon_yyerror("id type forbidden: %d", $1); $$ = NULL; return -1; } @@ -1167,11 +1194,11 @@ sainfo_id $$ = vmalloc(sizeof(*id_b) + $2->l); if ($$ == NULL) { - yyerror("failed to allocate identifier"); + racoon_yyerror("failed to allocate identifier"); return -1; } - id_b = (struct ipsecdoi_id_b *)$$->v; + id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)$$->v; id_b->type = idtype2doi($1); id_b->proto_id = 0; 
@@ -1192,16 +1219,16 @@ sainfo_param vchar_t *idv; if (set_identifier(&idv, $2, $3) != 0) { - yyerror("failed to set identifer.\n"); + racoon_yyerror("failed to set identifer.\n"); return -1; } cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l); if (cur_sainfo->id_i == NULL) { - yyerror("failed to allocate identifier"); + racoon_yyerror("failed to allocate identifier"); return -1; } - id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v; + id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)cur_sainfo->id_i->v; id_b->type = idtype2doi($2); id_b->proto_id = 0; @@ -1215,11 +1242,11 @@ sainfo_param { #ifdef ENABLE_HYBRID if ((cur_sainfo->group = vdup($2)) == NULL) { - yyerror("failed to set sainfo xauth group.\n"); + racoon_yyerror("failed to set sainfo xauth group.\n"); return -1; } #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); return -1; #endif } @@ -1235,7 +1262,7 @@ sainfo_spec #ifndef HAVE_OPENSSL if (cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024 && cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) { - yyerror("PFS group must be 2 or 5"); + racoon_yyerror("PFS group must be 2 or 5"); return -1; } #endif @@ -1249,7 +1276,7 @@ sainfo_spec | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte { #if 1 - yyerror("byte lifetime support is deprecated"); + racoon_yyerror("byte lifetime support is deprecated"); return -1; #else cur_sainfo->lifebyte = fix_lifebyte($3 * $4); @@ -1264,12 +1291,12 @@ sainfo_spec algorithms EOS | IDENTIFIER IDENTIFIERTYPE { - yyerror("it's deprecated to specify a identifier in phase 2"); + racoon_yyerror("it's deprecated to specify a identifier in phase 2"); } EOS | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING { - yyerror("it's deprecated to specify a identifier in phase 2"); + racoon_yyerror("it's deprecated to specify a identifier in phase 2"); } EOS ; 
@@ -1292,13 +1319,13 @@ algorithm $$ = newsainfoalg(); if ($$ == NULL) { - yyerror("failed to get algorithm allocation"); + racoon_yyerror("failed to get algorithm allocation"); return -1; } $$->alg = algtype2doi(cur_algclass, $1); if ($$->alg == -1) { - yyerror("algorithm mismatched"); + racoon_yyerror("algorithm mismatched"); racoon_free($$); $$ = NULL; return -1; @@ -1307,14 +1334,14 @@ algorithm defklen = default_keylen(cur_algclass, $1); if (defklen == 0) { if ($2) { - yyerror("keylen not allowed"); + racoon_yyerror("keylen not allowed"); racoon_free($$); $$ = NULL; return -1; } } else { if ($2 && check_keylen(cur_algclass, $1, $2) < 0) { - yyerror("invalid keylen %d", $2); + racoon_yyerror("invalid keylen %d", $2); racoon_free($$); $$ = NULL; return -1; @@ -1333,7 +1360,7 @@ algorithm int b = algtype2doi(cur_algclass, $1); if (a == IPSECDOI_ATTR_AUTH) a = IPSECDOI_PROTO_IPSEC_AH; - yyerror("algorithm %s not supported by the kernel (missing module?)", + racoon_yyerror("algorithm %s not supported by the kernel (missing module?)", s_ipsecdoi_trns(a, b)); racoon_free($$); $$ = NULL; @@ -1367,17 +1394,25 @@ remote_statement struct remoteconf *new; struct proposalspec *prspec; - new = copyrmconf($4); + new = copyrmconf($4->addr); if (new == NULL) { - yyerror("failed to get remoteconf for %s.", saddr2str ($4)); + racoon_yyerror("failed to get remoteconf for %s.", saddr2str((struct sockaddr *)$4)); + racoon_free($2->addr); + racoon_free($2); + racoon_free($4->addr); + racoon_free($4); return -1; } - new->remote = $2; - new->inherited_from = getrmconf_strict($4, 1); + new->remote = $2->addr; + new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix); + new->inherited_from = getrmconf_strict($4->addr, 1); new->proposal = NULL; new->prhead = NULL; cur_rmconf = new; + racoon_free($2); + racoon_free($4->addr); + racoon_free($4); prspec = newprspec(); if (prspec == NULL || !cur_rmconf->inherited_from 
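Review bot: The error message in the inheriting remote_statement branch casts the wrong object: `saddr2str((struct sockaddr *)$4)` passes the `remote_index_val` wrapper, whereas the two real uses on the neighbouring lines, `copyrmconf($4->addr)` and `getrmconf_strict($4->addr, 1)`, correctly go through `->addr`. With the wrapper's first member being the `addr` pointer, saddr2str will read pointer bytes as sa_family and print garbage (or worse) exactly when the operator needs a readable address. It should be `saddr2str((struct sockaddr *)$4->addr)`, and the four `racoon_free` calls in that branch should come after the message is formatted, as they do now. The rule's action continues past the end of this hunk.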
@@ -1395,12 +1430,15 @@ remote_statement new = newrmconf(); if (new == NULL) { - yyerror("failed to get new remoteconf."); + racoon_yyerror("failed to get new remoteconf."); + racoon_free($2->addr); + racoon_free($2); return -1; } - - new->remote = $2; + new->remote = $2->addr; + new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix); cur_rmconf = new; + racoon_free($2); prspec = newprspec(); if (prspec == NULL) @@ -1416,7 +1454,7 @@ remote_specs_block { /* check a exchange mode */ if (cur_rmconf->etypes == NULL) { - yyerror("no exchange mode specified.\n"); + racoon_yyerror("no exchange mode specified.\n"); return -1; } @@ -1429,13 +1467,13 @@ remote_specs_block || cur_rmconf->identity_in_keychain) { if (cur_rmconf->idv) - yywarn("Both CERT and ASN1 ID " + racoon_yywarn("Both CERT and ASN1 ID " "are set. Hope this is OK.\n"); /* TODO: Preparse the DN here */ } else if (cur_rmconf->idv) { /* OK, using asn1dn without X.509. */ } else { - yyerror("ASN1 ID not specified " + racoon_yyerror("ASN1 ID not specified " "and no CERT defined!\n"); return -1; } @@ -1444,7 +1482,7 @@ remote_specs_block if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) { struct genlist_entry *gpb; if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) { - yyerror("peers_identifier required for specified certificate " + racoon_yyerror("peers_identifier required for specified certificate " "verification option.\n"); return -1; } @@ -1469,7 +1507,7 @@ remote_specs_block b = p->dh_group; continue; } - yyerror("DH group must be equal " + racoon_yyerror("DH group must be equal " "in all proposals " "when aggressive mode is " "used.\n"); 
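Review bot: The prefix sentinel is spelled out as a bare `~0` in both remote_statement branches (`new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix);`) and again where remote_index sets `new->prefix = ~0`; a named constant such as `#define REMOTE_PREFIX_UNSET (~0)` would tie the three sites together and make the "no prefix given means 0" rule visible. Note that the comparison only works if `prefix` has a signed type at least as wide as int — if it is an unsigned char or short, `~0` never matches and the sentinel leaks through as the prefix length; I cannot see the struct definition from this hunk, so please confirm. The action continues past the end of the hunk.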
@@ -1478,14 +1516,14 @@ remote_specs_block cur_rmconf->dh_group = b; if (cur_rmconf->dh_group == 0) { - yyerror("DH group must be set in the proposal.\n"); + racoon_yyerror("DH group must be set in the proposal.\n"); return -1; } /* DH group settting if PFS is required. */ if (oakley_setdhgroup(cur_rmconf->dh_group, &cur_rmconf->dhgrp) < 0) { - yyerror("failed to set DH value.\n"); + racoon_yyerror("failed to set DH value.\n"); return -1; } } @@ -1496,15 +1534,30 @@ remote_specs_block remote_index : ANONYMOUS ike_port { - $$ = newsaddr(sizeof(struct sockaddr)); - $$->sa_family = AF_UNSPEC; - ((struct sockaddr_in *)$$)->sin_port = htons($2); - } - | ike_addrinfo_port + + struct remote_index_val *new; + + new = racoon_calloc(1, sizeof(*new)); + if (new == NULL) { + racoon_yyerror("failed to allocate remote index struct"); + return -1; + } + new->addr = newsaddr(sizeof(struct sockaddr_storage)); + if (new->addr == NULL) { + racoon_yyerror("failed to allocate sockaddr storage"); + racoon_free(new); + return -1; + } + new->addr->ss_family = AF_UNSPEC; + (ALIGNED_CAST(struct sockaddr_in *)new->addr)->sin_port = htons($2); + new->prefix = ~0; + $$ = new; + } + | ike_addrinfo_prefix_port { $$ = $1; if ($$ == NULL) { - yyerror("failed to allocate sockaddr"); + racoon_yyerror("failed to allocate sockaddr_storage"); return -1; } } @@ -1525,8 +1578,8 @@ remote_spec | PEERS_CERTFILE QUOTEDSTRING { #ifdef HAVE_OPENSSL - yywarn("This directive without certtype will be removed!\n"); - yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v); + racoon_yywarn("This directive without certtype will be removed!\n"); + racoon_yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v); cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; if (cur_rmconf->peerscertfile != NULL) 
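Review bot: The ANONYMOUS branch of remote_index writes a port into a `sockaddr_storage` whose family is `AF_UNSPEC` through a `sockaddr_in` cast, and nothing says why that is safe; it works only because the consumers treat AF_UNSPEC as a wildcard and `sin_port`/`sin6_port` share an offset, which is not obvious to the next reader. I would put that in a comment above the cast, e.g. `/* wildcard entry: family AF_UNSPEC, only the port is meaningful; sin_port and sin6_port share an offset so a sockaddr_in view is enough */`. It is also worth stating next to `new->prefix = ~0;` that the value is a "not specified" marker that remote_statement later maps to 0. Whether newsaddr zero-fills the storage is not visible here, so please confirm the remaining bytes are not read by the family-AF_UNSPEC consumers.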
@@ -1535,7 +1588,7 @@ remote_spec STRDUP_FATAL(cur_rmconf->peerscertfile); vfree($2); #else - yyerror("cert files not supported.\n"); + racoon_yyerror("cert files not supported.\n"); return -1; #endif } @@ -1551,7 +1604,7 @@ remote_spec STRDUP_FATAL(cur_rmconf->cacertfile); vfree($3); #else - yyerror("cert files not supported.\n"); + racoon_yyerror("cert files not supported.\n"); return -1; #endif @@ -1567,7 +1620,7 @@ remote_spec STRDUP_FATAL(cur_rmconf->peerscertfile); vfree($3); #else - yyerror("cert files not supported.\n"); + racoon_yyerror("cert files not supported.\n"); return -1; #endif @@ -1575,36 +1628,14 @@ remote_spec EOS | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING { -#ifdef HAVE_OPENSSL - char path[MAXPATHLEN]; - int ret = 0; - - getpathname(path, sizeof(path), - LC_PATHTYPE_CERT, $3->v); - vfree($3); - - if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) { - yyerror("Different peers_certfile method " - "already defined: %d!\n", - cur_rmconf->getcert_method); - return -1; - } - cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; - if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) { - yyerror("Couldn't parse keyfile.\n", path); - return -1; - } - plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path); -#else - yyerror("plainrsa not supported.\n"); + racoon_yyerror("plainrsa not supported.\n"); return -1; -#endif } EOS | PEERS_CERTFILE DNSSEC { if (cur_rmconf->getcert_method) { - yyerror("Different peers_certfile method already defined!\n"); + racoon_yyerror("Different peers_certfile method already defined!\n"); return -1; } cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS; 
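Review bot: The `PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING` production now returns -1 without releasing `$3`, whereas the code it replaces did `vfree($3)` before using the path; on a fatal parse error this is a small leak, but the file marks exactly these cases with `vfree(...); //%%% BUG FIX - memory leak` elsewhere, so be consistent: `vfree($3); racoon_yyerror("plainrsa not supported.\n"); return -1;`. Separately, the cftoken.l hunk later in this patch makes `plain_rsa` report an error instead of returning CERT_PLAINRSA, so as far as I can see this production can no longer be reached at all; either drop it or leave a comment saying it is kept only for the token's sake.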
@@ -1629,14 +1660,14 @@ remote_spec #if HAVE_OPENDIR cur_rmconf->open_dir_auth_group = $2; #else - yyerror("Apple specific features not compiled in."); + racoon_yyerror("Apple specific features not compiled in."); return -1; #endif } EOS | MY_IDENTIFIER IDENTIFIERTYPE identifierstring { if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) { - yyerror("failed to set identifer.\n"); + racoon_yyerror("failed to set identifer.\n"); vfree($3); //%%% BUG FIX - memory leak return -1; } @@ -1647,7 +1678,7 @@ remote_spec | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring { if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) { - yyerror("failed to set identifer.\n"); + racoon_yyerror("failed to set identifer.\n"); return -1; } cur_rmconf->idvtype = $2; @@ -1658,16 +1689,16 @@ remote_spec #ifdef ENABLE_HYBRID /* formerly identifier type login */ if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) { - yyerror("failed to allocate xauth state\n"); + racoon_yyerror("failed to allocate xauth state\n"); return -1; } if ((cur_rmconf->xauth->login = vdup($2)) == NULL) { - yyerror("failed to set identifer.\n"); + racoon_yyerror("failed to set identifer.\n"); return -1; } vfree($2); //%%% BUG FIX - memory leak #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } EOS @@ -1676,11 +1707,11 @@ remote_spec struct idspec *id; id = newidspec(); if (id == NULL) { - yyerror("failed to allocate idspec"); + racoon_yyerror("failed to allocate idspec"); return -1; } if (set_identifier(&id->id, $2, $3) != 0) { - yyerror("failed to set identifer.\n"); + racoon_yyerror("failed to set identifer.\n"); racoon_free(id); vfree($3); //%%% BUG FIX - memory leak return -1; 
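Review bot: The qualified `MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring` rule returns -1 on `set_identifier_qual` failure without freeing `$4`, while the unqualified sibling immediately above it frees `$3` on the same path and even carries the `//%%% BUG FIX - memory leak` marker. Unless set_identifier_qual consumes its argument on failure (not visible here), the two should match: `vfree($4); return -1;`. The surrounding remote_spec rule extends beyond this hunk.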
@@ -1695,11 +1726,11 @@ remote_spec struct idspec *id; id = newidspec(); if (id == NULL) { - yyerror("failed to allocate idspec"); + racoon_yyerror("failed to allocate idspec"); return -1; } if (set_identifier_qual(&id->id, $2, $4, $3) != 0) { - yyerror("failed to set identifer.\n"); + racoon_yyerror("failed to set identifer.\n"); racoon_free(id); return -1; } @@ -1716,7 +1747,7 @@ remote_spec | SHARED_SECRET SECRETTYPE { if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) { - yyerror("shared secret value missing.\n"); + racoon_yyerror("shared secret value missing.\n"); return -1; } cur_rmconf->secrettype = $2; @@ -1724,7 +1755,7 @@ remote_spec | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS | DH_GROUP { - yyerror("dh_group cannot be defined here."); + racoon_yyerror("dh_group cannot be defined here."); return -1; } dh_group_num EOS @@ -1736,9 +1767,9 @@ remote_spec if (libipsec_opt & LIBIPSEC_OPT_FRAG) cur_rmconf->esp_frag = $2; else - yywarn("libipsec lacks IKE frag support"); + racoon_yywarn("libipsec lacks IKE frag support"); #else - yywarn("Your kernel does not support esp_frag"); + racoon_yywarn("Your kernel does not support esp_frag"); #endif } EOS | SCRIPT QUOTEDSTRING PHASE1_UP { @@ -1768,7 +1799,7 @@ remote_spec #ifdef ENABLE_NATT cur_rmconf->nat_traversal = $2; #else - yyerror("NAT-T support not compiled in."); + racoon_yyerror("NAT-T support not compiled in."); #endif } EOS | NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL @@ -1776,7 +1807,7 @@ remote_spec #ifdef ENABLE_NATT cur_rmconf->nat_traversal = $2; #else - yyerror("NAT-T support not compiled in."); + racoon_yyerror("NAT-T support not compiled in."); #endif } EOS | NAT_TRAVERSAL_MULTI_USER SWITCH @@ -1784,7 +1815,7 @@ remote_spec #ifdef ENABLE_NATT cur_rmconf->natt_multiple_user = $2; #else - yyerror("NAT-T support not compiled in."); + racoon_yyerror("NAT-T support not compiled in."); #endif } EOS | NAT_TRAVERSAL_KEEPALIVE SWITCH 
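Review bot: The qualified `PEERS_IDENTIFIER` rule frees `id` but not `$4` when `set_identifier_qual` fails, whereas the unqualified form a few lines earlier does `racoon_free(id); vfree($3);` on the equivalent path. Assuming set_identifier_qual does not take ownership of `$4` on failure — its definition is not in this hunk — the error path should read `racoon_free(id); vfree($4); return -1;`. The remote_spec rule continues past the hunk.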
@@ -1792,7 +1823,7 @@ remote_spec #ifdef ENABLE_NATT cur_rmconf->natt_keepalive = $2; #else - yyerror("NAT-T support not compiled in."); + racoon_yyerror("NAT-T support not compiled in."); #endif } EOS | DPD SWITCH @@ -1800,7 +1831,7 @@ remote_spec #ifdef ENABLE_DPD cur_rmconf->dpd = $2; #else - yyerror("DPD support not compiled in."); + racoon_yyerror("DPD support not compiled in."); #endif } EOS | DPD_DELAY NUMBER @@ -1808,7 +1839,7 @@ remote_spec #ifdef ENABLE_DPD cur_rmconf->dpd_interval = $2; #else - yyerror("DPD support not compiled in."); + racoon_yyerror("DPD support not compiled in."); #endif } EOS @@ -1817,7 +1848,7 @@ remote_spec #ifdef ENABLE_DPD cur_rmconf->dpd_retry = $2; #else - yyerror("DPD support not compiled in."); + racoon_yyerror("DPD support not compiled in."); #endif } EOS @@ -1826,7 +1857,7 @@ remote_spec #ifdef ENABLE_DPD cur_rmconf->dpd_maxfails = $2; #else - yyerror("DPD support not compiled in."); + racoon_yyerror("DPD support not compiled in."); #endif } EOS @@ -1835,7 +1866,7 @@ remote_spec #ifdef ENABLE_DPD cur_rmconf->dpd_algo = $2; #else - yyerror("DPD support not compiled in."); + racoon_yyerror("DPD support not compiled in."); #endif } EOS @@ -1854,10 +1885,10 @@ remote_spec | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte { #if 1 - yyerror("byte lifetime support is deprecated in Phase1"); + racoon_yyerror("byte lifetime support is deprecated in Phase1"); return -1; #else - yywarn("the lifetime of bytes in phase 1 " + racoon_yywarn("the lifetime of bytes in phase 1 " "will be ignored at the moment."); cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4); if (cur_rmconf->prhead->lifebyte == 0) @@ -1883,7 +1914,7 @@ exchange_types struct etypes *new; new = racoon_malloc(sizeof(struct etypes)); if (new == NULL) { - yyerror("failed to allocate etypes"); + racoon_yyerror("failed to allocate etypes"); return -1; } new->type = $2; 
@@ -1934,27 +1965,8 @@ cert_spec ; | CERT_PLAINRSA QUOTEDSTRING { -#ifdef HAVE_OPENSSL - char path[MAXPATHLEN]; - int ret = 0; - - getpathname(path, sizeof(path), - LC_PATHTYPE_CERT, $2->v); - vfree($2); - - cur_rmconf->certtype = $1; - cur_rmconf->send_cr = FALSE; - cur_rmconf->send_cert = FALSE; - cur_rmconf->verify_cert = FALSE; - if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) { - yyerror("Couldn't parse keyfile.\n", path); - return -1; - } - plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path); -#else - yyerror("plainrsa not supported.\n"); - return -1; -#endif + racoon_yyerror("plainrsa not supported.\n"); + return -1; } EOS ; @@ -1963,12 +1975,12 @@ dh_group_num { $$ = algtype2doi(algclass_isakmp_dh, $1); if ($$ == -1) { - yyerror("must be DH group"); + racoon_yyerror("must be DH group"); return -1; } #ifndef HAVE_OPENSSL if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) { - yyerror("DH group must be 2 or 5"); + racoon_yyerror("DH group must be 2 or 5"); return -1; } #endif @@ -1978,13 +1990,13 @@ dh_group_num if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) { $$ = num2dhgroup[$1]; } else { - yyerror("must be DH group"); + racoon_yyerror("must be DH group"); $$ = 0; return -1; } #ifndef HAVE_OPENSSL if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) { - yyerror("DH group must be 2 or 5"); + racoon_yyerror("DH group must be 2 or 5"); return -1; } #endif @@ -2002,7 +2014,7 @@ isakmpproposal_specs isakmpproposal_spec : STRENGTH { - yyerror("strength directive is obsoleted."); + racoon_yyerror("strength directive is obsoleted."); } STRENGTHTYPE EOS | LIFETIME LIFETYPE_TIME NUMBER unittype_time { 
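Review bot: The stub left for `CERT_PLAINRSA QUOTEDSTRING` in cert_spec returns -1 without `vfree($2)`, which the deleted body used to do right after getpathname; if the production is kept, `vfree($2); racoon_yyerror("plainrsa not supported.\n"); return -1;` keeps it leak-free and consistent with the other error paths in this file. Since the lexer hunk in this same patch no longer returns CERT_PLAINRSA for `plain_rsa`, I believe this production is now dead; a one-line comment saying so, or removing it together with the peers_certfile variant, would stop the next reader from looking for a way to enable it.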
@@ -2012,7 +2024,7 @@ isakmpproposal_spec | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte { #if 1 - yyerror("byte lifetime support is deprecated"); + racoon_yyerror("byte lifetime support is deprecated"); return -1; #else cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4); @@ -2029,7 +2041,7 @@ isakmpproposal_spec | GSS_ID QUOTEDSTRING { if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) { - yyerror("wrong Vendor ID for gssapi_id"); + racoon_yyerror("wrong Vendor ID for gssapi_id"); return -1; } if (cur_rmconf->prhead->spspec->gssid != NULL) @@ -2046,38 +2058,23 @@ isakmpproposal_spec doi = algtype2doi($1, $2); if (doi == -1) { - yyerror("algorithm mismatched 1"); + racoon_yyerror("algorithm mismatched 1"); return -1; } switch ($1) { case algclass_isakmp_enc: /* reject suppressed algorithms */ -#ifndef HAVE_OPENSSL_RC5_H - if ($2 == algtype_rc5) { - yyerror("algorithm %s not supported", - s_attr_isakmp_enc(doi)); - return -1; - } -#endif -#ifndef HAVE_OPENSSL_IDEA_H - if ($2 == algtype_idea) { - yyerror("algorithm %s not supported", - s_attr_isakmp_enc(doi)); - return -1; - } -#endif - cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi; defklen = default_keylen($1, $2); if (defklen == 0) { if ($3) { - yyerror("keylen not allowed"); + racoon_yyerror("keylen not allowed"); return -1; } } else { if ($3 && check_keylen($1, $2, $3) < 0) { - yyerror("invalid keylen %d", $3); + racoon_yyerror("invalid keylen %d", $3); return -1; } } @@ -2099,7 +2096,7 @@ isakmpproposal_spec case algtype_gssapikrb: if (cur_rmconf->prhead->spspec->vendorid != VENDORID_UNKNOWN) { - yyerror("Vendor ID mismatch " + racoon_yyerror("Vendor ID mismatch " "for auth method"); return -1; } 
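Review bot: The comment `/* reject suppressed algorithms */` in the `algclass_isakmp_enc` case is now orphaned: the RC5 and IDEA checks under it were removed and the next statement is the ordinary `algclass[...] = doi;` assignment, so the comment describes code that no longer exists. Either delete it, or if those algorithms are now refused by `algtype2doi` or the algorithm tables (I cannot tell from this hunk), say so: `/* unsupported ciphers are rejected by algtype2doi above, not here */`. The enclosing action continues past the hunk.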
@@ -2110,28 +2107,12 @@ isakmpproposal_spec cur_rmconf->prhead->spspec->vendorid = VENDORID_GSSAPI; break; -#ifdef HAVE_OPENSSL - case algtype_rsasig: - if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) { - if (rsa_list_count(cur_rmconf->rsa_private) == 0) { - yyerror ("Private PlainRSA key not set. " - "Use directive 'certificate_type plainrsa ...'\n"); - return -1; - } - if (rsa_list_count(cur_rmconf->rsa_public) == 0) { - yyerror ("Public PlainRSA keys not set. " - "Use directive 'peers_certfile plainrsa ...'\n"); - return -1; - } - } - break; -#endif default: break; } break; default: - yyerror("algorithm mismatched 2"); + racoon_yyerror("algorithm mismatched 2"); return -1; } } @@ -2168,7 +2149,7 @@ newprspec() new = racoon_calloc(1, sizeof(*new)); if (new == NULL) - yyerror("failed to allocate proposal"); + racoon_yyerror("failed to allocate proposal"); return new; } @@ -2194,7 +2175,7 @@ newspspec() new = racoon_calloc(1, sizeof(*new)); if (new == NULL) { - yyerror("failed to allocate spproto"); + racoon_yyerror("failed to allocate spproto"); return NULL; } 
@@ -2247,26 +2228,26 @@ set_isakmp_proposal(rmconf, prspec) /* mandatory check */ if (p->spspec == NULL) { - yyerror("no remote specification found: %s.\n", - saddr2str(rmconf->remote)); + racoon_yyerror("no remote specification found: %s.\n", + saddr2str((struct sockaddr *)rmconf->remote)); return -1; } for (s = p->spspec; s != NULL; s = s->next) { /* XXX need more to check */ if (s->algclass[algclass_isakmp_enc] == 0) { - yyerror("encryption algorithm required."); + racoon_yyerror("encryption algorithm required."); return -1; } if (s->algclass[algclass_isakmp_hash] == 0) { - yyerror("hash algorithm required."); + racoon_yyerror("hash algorithm required."); return -1; } if (s->algclass[algclass_isakmp_dh] == 0) { - yyerror("DH group required."); + racoon_yyerror("DH group required."); return -1; } if (s->algclass[algclass_isakmp_ameth] == 0) { - yyerror("authentication method required."); + racoon_yyerror("authentication method required."); return -1; } } @@ -2366,7 +2347,7 @@ expand_isakmpspec(prop_no, trns_no, types, || types[algclass_isakmp_ameth] == 0 || types[algclass_isakmp_hash] == 0 || types[algclass_isakmp_dh] == 0) { - yyerror("few definition of algorithm " + racoon_yyerror("few definition of algorithm " "enc=%s ameth=%s hash=%s dhgroup=%s.\n", TMPALGTYPE2STR(enc), TMPALGTYPE2STR(ameth), @@ -2379,7 +2360,7 @@ expand_isakmpspec(prop_no, trns_no, types, /* set new sa */ new = newisakmpsa(); if (new == NULL) { - yyerror("failed to allocate isakmp sa"); + racoon_yyerror("failed to allocate isakmp sa"); return -1; } new->prop_no = prop_no; @@ -2397,7 +2378,7 @@ expand_isakmpspec(prop_no, trns_no, types, if (gssid != NULL) { if ((new->gssid = vmalloc(strlen(gssid))) == NULL) { racoon_free(new); - yyerror("failed to allocate gssid"); + racoon_yyerror("failed to allocate gssid"); return -1; } memcpy(new->gssid->v, gssid, new->gssid->l); 
@@ -2418,18 +2399,18 @@ expand_isakmpspec(prop_no, trns_no, types, } static int -listen_addr (struct sockaddr *addr, int udp_encap) +listen_addr (struct sockaddr_storage *addr, int udp_encap) { struct myaddrs *p; p = newmyaddr(); if (p == NULL) { - yyerror("failed to allocate myaddrs"); + racoon_yyerror("failed to allocate myaddrs"); return -1; } p->addr = addr; if (p->addr == NULL) { - yyerror("failed to copy sockaddr "); + racoon_yyerror("failed to copy sockaddr_storage "); delmyaddr(p); return -1; } @@ -2457,7 +2438,7 @@ fix_lifebyte(t) unsigned long t; { if (t < 1024) { - yyerror("byte size should be more than 1024B."); + racoon_yyerror("byte size should be more than 1024B."); return 0; } @@ -2576,7 +2557,7 @@ adminsock_conf(path, owner, group, mode_dec) uid = atoi(owner->v); isnum = !errno; if (((pw = getpwnam(owner->v)) == NULL) && !isnum) - yyerror("User \"%s\" does not exist", owner->v); + racoon_yyerror("User \"%s\" does not exist", owner->v); if (pw) adminsock_owner = pw->pw_uid; @@ -2590,7 +2571,7 @@ adminsock_conf(path, owner, group, mode_dec) gid = atoi(group->v); isnum = !errno; if (((gr = getgrnam(group->v)) == NULL) && !isnum) - yyerror("Group \"%s\" does not exist", group->v); + racoon_yyerror("Group \"%s\" does not exist", group->v); if (gr) adminsock_group = gr->gr_gid; 
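Review bot: The renamed message in listen_addr, `failed to copy sockaddr_storage`, describes something the function does not do: `p->addr = addr;` stores the caller's pointer, so the following `if (p->addr == NULL)` merely tests the argument after a myaddrs node has already been allocated. I would check the argument first and say what actually happened: `if (addr == NULL) { racoon_yyerror("listen_addr: no address"); return -1; }` placed before `p = newmyaddr();`, and drop the post-assignment check. A header comment noting that listen_addr takes ownership of `addr` (it is kept in the myaddrs entry; who frees it is not visible here) would help callers. The function's tail, including the udp_encap handling, lies outside this hunk.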
@@ -2601,19 +2582,19 @@ adminsock_conf(path, owner, group, mode_dec) return; if (mode_dec > 777) - yyerror("Mode 0%03o is invalid", mode_dec); + racoon_yyerror("Mode 0%03o is invalid", mode_dec); if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; } if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; } if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; } if (mode_dec > 77) - yyerror("Mode 0%03o is invalid", mode_dec); + racoon_yyerror("Mode 0%03o is invalid", mode_dec); if (mode_dec >= 40) { mode += 040; mode_dec -= 40; } if (mode_dec >= 20) { mode += 020; mode_dec -= 20; } if (mode_dec >= 10) { mode += 020; mode_dec -= 10; } if (mode_dec > 7) - yyerror("Mode 0%03o is invalid", mode_dec); + racoon_yyerror("Mode 0%03o is invalid", mode_dec); if (mode_dec >= 4) { mode += 04; mode_dec -= 4; } if (mode_dec >= 2) { mode += 02; mode_dec -= 2; } if (mode_dec >= 1) { mode += 02; mode_dec -= 1; } diff --git a/ipsec-tools/racoon/cftoken.l b/ipsec-tools/racoon/cftoken.l index b1b5f5c..f103c3f 100644 --- a/ipsec-tools/racoon/cftoken.l +++ b/ipsec-tools/racoon/cftoken.l @@ -189,7 +189,7 @@ hexstring 0x{hexdigit}+ include { YYDB; return(INCLUDE); } /* self information */ -identifier { BEGIN S_INF; YYDB; yywarn("it is obsoleted. use \"my_identifier\" in each remote directives."); return(IDENTIFIER); } +identifier { BEGIN S_INF; YYDB; racoon_yywarn("it is obsoleted. use \"my_identifier\" in each remote directives."); return(IDENTIFIER); } {semi} { BEGIN S_INI; return(EOS); } /* special */ 
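Review bot: The decimal-to-octal ladder in adminsock_conf adds the wrong bit for every execute digit: `if (mode_dec >= 100) { mode += 0200; ...}` should add `0100`, `if (mode_dec >= 10) { mode += 020; ...}` should add `010`, and `if (mode_dec >= 1) { mode += 02; ...}` should add `01`. As written a configured `mode 755` becomes 0400+0200+0200 | 040+020+020 | 04+02+02, i.e. a sticky, group- and world-writable admin socket instead of 0755, which is a real privilege problem for the racoon control socket. The three renamed `racoon_yyerror("Mode 0%03o is invalid", mode_dec)` calls also print the decimal-digit value with `%o` and, since the action keeps running after the error, an invalid mode is still applied; `%d` and a `return` after each would fix both. The function continues past the hunk.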
@@ -203,8 +203,8 @@ hexstring 0x{hexdigit}+ info { YYD; yylval.num = LLV_INFO; return(LOGLEV); } debug { YYD; yylval.num = LLV_DEBUG; return(LOGLEV); } debug2 { YYD; yylval.num = LLV_DEBUG2; return(LOGLEV); } -debug3 { YYD; yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); } -debug4 { YYD; yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); } +debug3 { YYD; racoon_yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); } +debug4 { YYD; racoon_yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); } {semi} { BEGIN S_INI; return(EOS); } /* padding */ @@ -283,7 +283,7 @@ hexstring 0x{hexdigit}+ {ecl} { BEGIN S_INI; return(EOC); } pfs_group { YYD; return(PFS_GROUP); } remoteid { YYD; return(REMOTEID); } -identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); } +identifier { YYD; racoon_yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); } my_identifier { YYD; return(MY_IDENTIFIER); } lifetime { YYD; return(LIFETIME); } time { YYD; return(LIFETYPE_TIME); } @@ -311,7 +311,7 @@ hexstring 0x{hexdigit}+ identity_only { YYD; yylval.num = IPSECDOI_SIT_IDENTITY_ONLY; return(SITUATIONTYPE); } secrecy { YYD; yylval.num = IPSECDOI_SIT_SECRECY; return(SITUATIONTYPE); } integrity { YYD; yylval.num = IPSECDOI_SIT_INTEGRITY; return(SITUATIONTYPE); } -identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); } +identifier { YYD; racoon_yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); } my_identifier { YYD; return(MY_IDENTIFIER); } xauth_login { YYD; return(XAUTH_LOGIN); /* formerly identifier type login */ } peers_identifier { YYD; return(PEERS_IDENTIFIER); } 
@@ -320,18 +320,14 @@ hexstring 0x{hexdigit}+ ca_type { YYD; return(CA_TYPE); } x509 { YYD; yylval.num = ISAKMP_CERT_X509SIGN; return(CERT_X509); } plain_rsa { -#ifdef HAVE_OPENSSL - YYD; yylval.num = ISAKMP_CERT_PLAINRSA; return(CERT_PLAINRSA); -#else - yyerror("plainrsa not supported."); -#endif + racoon_yyerror("plainrsa not supported."); } open_dir_auth_group { #if HAVE_OPENDIR YYD; return(OPEN_DIR_AUTH_GROUP); #else - yyerror("Apple specific features not compiled in."); + racoon_yyerror("Apple specific features not compiled in."); #endif } shared_secret { @@ -354,7 +350,7 @@ hexstring 0x{hexdigit}+ dh_group { YYD; return(DH_GROUP); } nonce_size { YYD; return(NONCE_SIZE); } generate_policy { YYD; return(GENERATE_POLICY); } -support_mip6 { YYD; yywarn("it is obsoleted. use \"support_proxy\"."); return(SUPPORT_PROXY); } +support_mip6 { YYD; racoon_yywarn("it is obsoleted. use \"support_proxy\"."); return(SUPPORT_PROXY); } support_proxy { YYD; return(SUPPORT_PROXY); } initial_contact { YYD; return(INITIAL_CONTACT); } nat_traversal { YYD; return(NAT_TRAVERSAL); } @@ -443,7 +439,7 @@ off { YYD; yylval.num = FALSE; return(SWITCH); } yytext++; yylval.val = vmalloc(yyleng + 1); if (yylval.val == NULL) { - yyerror("vmalloc failed"); + racoon_yyerror("vmalloc failed"); return -1; } memcpy(yylval.val->v, yytext, yylval.val->l); 
@@ -518,28 +514,28 @@ hybrid_rsa_server { #ifdef ENABLE_HYBRID YYD; yylval.num = algtype_hybrid_rsa_s; return(ALGORITHMTYPE); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } hybrid_dss_server { #ifdef ENABLE_HYBRID YYD; yylval.num = algtype_hybrid_dss_s; return(ALGORITHMTYPE); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } hybrid_rsa_client { #ifdef ENABLE_HYBRID YYD; yylval.num = algtype_hybrid_rsa_c; return(ALGORITHMTYPE); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } hybrid_dss_client { #ifdef ENABLE_HYBRID YYD; yylval.num = algtype_hybrid_dss_c; return(ALGORITHMTYPE); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } 
@@ -547,35 +543,35 @@ xauth_psk_server { #ifdef ENABLE_HYBRID YYD; yylval.num = algtype_xauth_psk_s; return(ALGORITHMTYPE); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } xauth_psk_client { #ifdef ENABLE_HYBRID YYD; yylval.num = algtype_xauth_psk_c; return(ALGORITHMTYPE); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } xauth_rsa_server { #ifdef ENABLE_HYBRID YYD; yylval.num = algtype_xauth_rsa_s; return(ALGORITHMTYPE); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } xauth_rsa_client { #ifdef ENABLE_HYBRID YYD; yylval.num = algtype_xauth_rsa_c; return(ALGORITHMTYPE); #else - yyerror("racoon not configured with --enable-hybrid"); + racoon_yyerror("racoon not configured with --enable-hybrid"); #endif } /* identifier type */ -vendor_id { YYD; yywarn("it is obsoleted."); return(VENDORID); } +vendor_id { YYD; racoon_yywarn("it is obsoleted."); return(VENDORID); } user_fqdn { YYD; yylval.num = IDTYPE_USERFQDN; return(IDENTIFIERTYPE); } fqdn { YYD; yylval.num = IDTYPE_FQDN; return(IDENTIFIERTYPE); } keyid { YYD; yylval.num = IDTYPE_KEYID; return(IDENTIFIERTYPE); } @@ -587,7 +583,7 @@ keyid_use { address { YYD; yylval.num = IDTYPE_ADDRESS; return(IDENTIFIERTYPE); } subnet { YYD; yylval.num = IDTYPE_SUBNET; return(IDENTIFIERTYPE); } asn1dn { YYD; yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); } -certname { YYD; yywarn("certname will be obsoleted in near future."); yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); } +certname { YYD; racoon_yywarn("certname will be obsoleted in near future."); yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); } /* shared secret type */ use { 
@@ -606,7 +602,7 @@ keychain { yylval.num = SECRETTYPE_KEYCHAIN; return(SECRETTYPE); #else - yyerror("Apple specific features not compiled in."); + racoon_yyerror("Apple specific features not compiled in."); #endif } keychain_by_id { @@ -676,7 +672,7 @@ no { YYD; yylval.num = FALSE; return(BOOLEAN); } YYD; yylval.val = vmalloc(yyleng + (yyleng & 1) + 1); if (yylval.val == NULL) { - yyerror("vmalloc failed"); + racoon_yyerror("vmalloc failed"); return -1; } @@ -701,7 +697,7 @@ no { YYD; yylval.num = FALSE; return(BOOLEAN); } yylval.val = vmalloc(yyleng - 1); if (yylval.val == NULL) { - yyerror("vmalloc failed"); + racoon_yyerror("vmalloc failed"); return -1; } memcpy(yylval.val->v, &yytext[1], yylval.val->l); @@ -714,7 +710,7 @@ no { YYD; yylval.num = FALSE; return(BOOLEAN); } yylval.val = vmalloc(yyleng + 1); if (yylval.val == NULL) { - yyerror("vmalloc failed"); + racoon_yyerror("vmalloc failed"); return -1; } memcpy(yylval.val->v, yytext, yylval.val->l); 
@@ -758,41 +754,42 @@ no { YYD; yylval.num = FALSE; return(BOOLEAN); } %% void -yyerror(char *s, ...) +yyerror(const char *msg) { - char fmt[512]; - - va_list ap; -#ifdef HAVE_STDARG_H - va_start(ap, s); -#else - va_start(ap); -#endif - snprintf(fmt, sizeof(fmt), "%s:%d: \"%s\" %s\n", - incstack[incstackp].path, incstack[incstackp].lineno, - yytext, s); - plogv(LLV_ERROR, LOCATION, NULL, fmt, &ap); - va_end(ap); - + plog(LLV_ERROR, LOCATION, NULL, "%s:%d: %s\n", incstack[incstackp].path, incstack[incstackp].lineno, msg); yyerrorcount++; } void -yywarn(char *s, ...) +yywarn(const char *msg) { - char fmt[512]; + plog(LLV_ERROR, LOCATION, NULL, "%s:%d: %s\n", incstack[incstackp].path, incstack[incstackp].lineno, msg); +} - va_list ap; -#ifdef HAVE_STDARG_H - va_start(ap, s); -#else - va_start(ap); -#endif - snprintf(fmt, sizeof(fmt), "%s:%d: \"%s\" %s\n", - incstack[incstackp].path, incstack[incstackp].lineno, - yytext, s); - plogv(LLV_WARNING, LOCATION, NULL, fmt, &ap); - va_end(ap); +void +racoon_yyerror(const char *fmt, ...) +{ + va_list ap; + char msg[512]; + + va_start(ap, fmt); + vsnprintf(msg, sizeof(msg), fmt, ap); + va_end(ap); + + yyerror(msg); +} + +void +racoon_yywarn(const char *fmt, ...) +{ + va_list ap; + char msg[512]; + + va_start(ap, fmt); + vsnprintf(msg, sizeof(msg), fmt, ap); + va_end(ap); + + yywarn(msg); } int diff --git a/ipsec-tools/racoon/cftoken_proto.h b/ipsec-tools/racoon/cftoken_proto.h index 41cb939..a0d5d99 100644 --- a/ipsec-tools/racoon/cftoken_proto.h +++ b/ipsec-tools/racoon/cftoken_proto.h @@ -37,8 +37,10 @@ extern int yyerrorcount; extern int yylex __P((void)); -extern void yyerror __P((char *, ...)); -extern void yywarn __P((char *, ...)); +extern void yyerror __P((const char *)); +extern void yywarn __P((const char *)); +extern void racoon_yyerror __P((const char *, ...)); +extern void racoon_yywarn __P((const char *, ...)); extern int yycf_switch_buffer __P((char *)); extern int yycf_set_buffer __P((char *)); 
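Review bot: yywarn now logs at LLV_ERROR, whereas the body it replaces called plogv(LLV_WARNING, ...), so every obsoleted-directive notice emitted through racoon_yywarn in the lexer rules is reported as a configuration error; the new body should read `plog(LLV_WARNING, LOCATION, NULL, "%s:%d: %s\n", incstack[incstackp].path, incstack[incstackp].lineno, msg);`. Both rewritten functions also drop the quoted `yytext` from the message, so a diagnostic no longer names the offending token; keeping the old `"%s:%d: \"%s\" %s\n"` shape with yytext would preserve that context. The racoon_yyerror/racoon_yywarn wrappers themselves are sound: the formatted text is passed to a fixed `%s` rather than used as a format string, and vsnprintf truncates rather than overruns the 512-byte buffer.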
diff --git a/ipsec-tools/racoon/com.apple.racoon.plist b/ipsec-tools/racoon/com.apple.racoon.plist index 69412ba3f13c307c76d93c0fa15095e12d47195b..67e2353219d4cb6e5335962a82f6179fec97c278 100644 GIT binary patch literal 307 zcmYc)$jK}&F)+B!$i&RT%Er#Y$t5f%CJ_-@oLc0Un420eAmo~tn3R(mQk0lioS0ma znV(l29-NfNrrEJN-CTK za!5#MUS@?LV?(@vgnn6Kk$zEWo_<+DUUGh3Nl|`|UNKPLA`wxbi}Xv2i}Z_=GV}C{ z5|i`u^MZ6;I5>df$@#f@i3J5Ysd^A`4siuj+kmK)to(xF+Lrz~E7xs2bN1! literal 698 zcmZ`%%TB{E5IiSeVSH~E1cwT_sY)MGMSzGV2aaxHTC0v7*-qO2Jq}GmsNlBt?Ci`w z$n;bQR5NY3k`sIv++xIJrgAQK6PzZi(HKudpWH0o=E+CAM5W-yqBwnu)^mhM0JE|b z3}BHgP#mo{334?6maiD$y|v{d!0~ttXpcBwhEeNN=X7O(2|_oPSfI=29?oZwp_yBwD(HR zY@}%36F;di3_35*jFmINYxWPG8m3=q@dLN6v{Lrk;znf$W=&tI?YV8*jfqLOqz?AF znRu6khP|Q%7w0~sA5JRyX`nV>#MJIzRNnh@5SNzim=5p94+Of0?_H6GO*yD-3u>xC yR}$*dU68a|iNH8xLvaG#GW(!e^mh^SIxvbB7yH43H>iZ2;Q^+ diff --git a/ipsec-tools/racoon/com.apple.racoonembedded.plist b/ipsec-tools/racoon/com.apple.racoonembedded.plist deleted file mode 100644 index bf9ad81..0000000 --- a/ipsec-tools/racoon/com.apple.racoonembedded.plist +++ /dev/null @@ -1,28 +0,0 @@ - - - - - Label - com.apple.racoon - Program - /usr/sbin/racoon - RunAtLoad - - KeepAlive - - UserName - root - Sockets - - Listeners - - SockFamily - Unix - SockPathMode - 384 - SockPathName - /tmp/racoon/vpncontrol.sock - - - - diff --git a/ipsec-tools/racoon/crypto_cssm.c b/ipsec-tools/racoon/crypto_cssm.c index 6e501cf..3f0bbfa 100644 --- a/ipsec-tools/racoon/crypto_cssm.c +++ b/ipsec-tools/racoon/crypto_cssm.c @@ -32,10 +32,9 @@ #include #include #include - +#include #include #if TARGET_OS_EMBEDDED -#include #include #include #include 
@@ -63,11 +62,8 @@ #include "crypto_cssm.h" -#if TARGET_OS_EMBEDDED + static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef); -#else -static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef); -#endif #if !TARGET_OS_EMBEDDED static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef); @@ -77,9 +73,9 @@ static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef); static SecPolicyRef crypto_cssm_x509cert_get_SecPolicyRef (CFStringRef hostname) { - OSStatus status; SecPolicyRef policyRef = NULL; #if !TARGET_OS_EMBEDDED + OSStatus status; CSSM_OID ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC; // get our policy object @@ -103,27 +99,14 @@ crypto_cssm_x509cert_get_SecPolicyRef (CFStringRef hostname) SecCertificateRef crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert) { - OSStatus status; SecCertificateRef certRef = NULL; -#if !TARGET_OS_EMBEDDED - CSSM_DATA certData; - // create cert ref - certData.Length = cert->l; - certData.Data = (uint8 *)cert->v; - status = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER, - &certRef); - if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); - } -#else CFDataRef cert_data = CFDataCreateWithBytesNoCopy(NULL, cert->v, cert->l, kCFAllocatorNull); if (cert_data) { certRef = SecCertificateCreateWithData(NULL, cert_data); CFRelease(cert_data); } -#endif + if (certRef == NULL) { plog(LLV_ERROR, LOCATION, NULL, "unable to create a certRef.\n"); 
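Review bot: The certRef returned by crypto_cssm_x509cert_get_SecCertificateRef is only safe to keep if SecCertificateCreateWithData copies the DER bytes, because cert_data is a no-copy wrapper (kCFAllocatorNull) over cert->v that is released immediately after the call; the hunk cannot show which of the two the framework does. Presumably it copies, but the assumption should be recorded on the CFDataCreateWithBytesNoCopy line, e.g. `/* cert_data does not own cert->v; relies on SecCertificateCreateWithData copying the DER — confirm */`. Since the CSSM branch is gone this is now the only code path, so the assumption has to hold on both platforms.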
@@ -217,11 +200,7 @@ crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef) /* * Verify cert using security framework */ -#if TARGET_OS_EMBEDDED int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef) -#else -int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname) -#endif { cert_t *p; cert_status_t certStatus = 0; @@ -281,11 +260,7 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef } // evaluate cert -#if TARGET_OS_EMBEDDED status = EvaluateCert(certArrayRef, certArrayRefNumValues, policyRef, publicKeyRef); -#else - status = EvaluateCert(certArrayRef, certArrayRefNumValues, policyRef); -#endif while (certArrayRefNumValues) { CFRelease(certArrayRef[--certArrayRefNumValues]); @@ -306,12 +281,11 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef } -#if TARGET_OS_EMBEDDED + int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature) { return SecKeyRawVerify(publicKeyRef, kSecPaddingPKCS1, hash->v, hash->l, signature->v, signature->l); } -#endif /* * Encrypt a hash via CSSM using the private key in the keychain 
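Review bot: crypto_cssm_verify_x509sign hands publicKeyRef to SecKeyRawVerify without a NULL check, and the key it receives is produced by SecTrustCopyPublicKey in EvaluateCert, which may return NULL; a guard such as `if (publicKeyRef == NULL || hash == NULL || signature == NULL) return errSecParam;` fails closed instead of relying on the framework's handling of a NULL key. The function also returns the raw OSStatus as an int, so a header comment like `/* returns 0 (errSecSuccess) only when the PKCS#1 signature over hash verifies */` would keep callers from treating non-zero as success.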
@@ -325,132 +299,16 @@ vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash) SecKeyRef privateKeyRef = NULL; vchar_t *sig = NULL; -#if !TARGET_OS_EMBEDDED - CSSM_SIZE bytesEncrypted = 0; - SecCertificateRef certificateRef = NULL; - SecIdentitySearchRef idSearchRef = NULL; - SecKeychainRef keychainRef = NULL; - const CSSM_KEY *cssmKey = NULL; - CSSM_CSP_HANDLE cspHandle = nil; - CSSM_CC_HANDLE cssmContextHandle = nil; - const CSSM_ACCESS_CREDENTIALS *credentials = NULL; - CSSM_DATA clearData; - CSSM_DATA cipherData; - CSSM_DATA remData; - CSSM_CONTEXT_ATTRIBUTE newAttr; - - remData.Length = 0; - remData.Data = 0; - - if (persistentCertRef) { - // get cert from keychain - status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef); - if (status != noErr) - goto end; - - // get keychain ref where cert is contained - status = SecKeychainItemCopyKeychain((SecKeychainItemRef)certificateRef, &keychainRef); - if (status != noErr) - goto end; - - // get identity from the certificate - status = SecIdentityCreateWithCertificate(keychainRef, certificateRef, &identityRef); - if (status != noErr) - goto end; - - } else { - - // copy system keychain - status = CopySystemKeychain(&keychainRef); - if (status != noErr) - goto end; - - // serach for first identity in system keychain - status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef); - if (status != noErr) - goto end; - - status = SecIdentitySearchCopyNext(idSearchRef, &identityRef); - if (status != noErr) - goto end; - - // get certificate from identity - status = SecIdentityCopyCertificate(identityRef, &certificateRef); - if (status != noErr) - goto end; - } - - // get private key from identity - status = SecIdentityCopyPrivateKey(identityRef, &privateKeyRef); - if (status != noErr) - goto end; - - // get CSSM_KEY pointer from key ref - status = SecKeyGetCSSMKey(privateKeyRef, &cssmKey); - if (status != noErr) - goto end; - - // get 
CSSM CSP handle - status = SecKeychainGetCSPHandle(keychainRef, &cspHandle); - if (status != noErr) - goto end; - - // create CSSM credentials to unlock private key for encryption - no UI to be used - status = SecKeyGetCredentials(privateKeyRef, CSSM_ACL_AUTHORIZATION_ENCRYPT, - kSecCredentialTypeNoUI, &credentials); - if (status != noErr) - goto end; - - // create asymmetric context for encryption - status = CSSM_CSP_CreateAsymmetricContext(cspHandle, CSSM_ALGID_RSA, credentials, cssmKey, - CSSM_PADDING_PKCS1, &cssmContextHandle); - if (status != noErr) - goto end; - - // add mode attribute to use private key for encryption - newAttr.AttributeType = CSSM_ATTRIBUTE_MODE; - newAttr.AttributeLength = sizeof(uint32); - newAttr.Attribute.Data = (CSSM_DATA_PTR)CSSM_ALGMODE_PRIVATE_KEY; - status = CSSM_UpdateContextAttributes(cssmContextHandle, 1, &newAttr); - if(status != noErr) - goto end; - - // and finally - encrypt data - clearData.Length = hash->l; - clearData.Data = (uint8 *)hash->v; - cipherData.Length = 0; - cipherData.Data = NULL; - status = CSSM_EncryptData(cssmContextHandle, &clearData, 1, &cipherData, 1, &bytesEncrypted, - &remData); - if (status != noErr) - goto end; - - if (remData.Length != 0) { // something didn't go right - should be zero - status = -1; - plog(LLV_ERROR, LOCATION, NULL, - "unencrypted data remaining after encrypting hash.\n"); - goto end; - } - - // alloc buffer for result - sig = vmalloc(0); - if (sig == NULL) - goto end; - - sig->l = cipherData.Length; - sig->v = (caddr_t)cipherData.Data; - -#else CFDictionaryRef persistFind = NULL; - const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef }; - const void *values_persist[] = { kCFBooleanTrue, persistentCertRef }; - - #define SIG_BUF_SIZE 1024 + const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef, kSecClass}; + const void *values_persist[] = { kCFBooleanTrue, persistentCertRef, kSecClassIdentity}; + +#define SIG_BUF_SIZE 1024 /* find identity by persistent 
ref */ persistFind = CFDictionaryCreate(NULL, keys_persist, values_persist, - (sizeof(keys_persist) / sizeof(*keys_persist)), NULL, NULL); + (sizeof(keys_persist) / sizeof(*keys_persist)), NULL, NULL); if (persistFind == NULL) goto end; @@ -468,9 +326,7 @@ vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash) goto end; status = SecKeyRawSign(privateKeyRef, kSecPaddingPKCS1, hash->v, - hash->l, sig->v, &sig->l); - -#endif + hash->l, sig->v, &sig->l); end: @@ -479,19 +335,8 @@ end: if (privateKeyRef) CFRelease(privateKeyRef); -#if !TARGET_OS_EMBEDDED - if (certificateRef) - CFRelease(certificateRef); - if (keychainRef) - CFRelease(keychainRef); - if (idSearchRef) - CFRelease(idSearchRef); - if (cssmContextHandle) - CSSM_DeleteContext(cssmContextHandle); -#else if (persistFind) CFRelease(persistFind); -#endif if (status != noErr) { if (sig) { @@ -677,23 +522,13 @@ end: /* * Evaluate the trust of a cert using the policy provided */ -#if TARGET_OS_EMBEDDED static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef) -#else -static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef) - -#endif { OSStatus status; SecTrustRef trustRef = 0; SecTrustResultType evalResult; -#if TARGET_OS_EMBEDDED CFArrayRef errorStrings; -#else - CSSM_TP_APPLE_EVIDENCE_INFO *statusChain; - CFArrayRef certChain; -#endif CFArrayRef cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, evalCertArrayNumValues, &kCFTypeArrayCallBacks); 
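Review bot: crypto_cssm_getsign no longer handles a NULL persistentCertRef: the removed `#if !TARGET_OS_EMBEDDED` branch fell back to searching the system keychain in that case, while the new code places the NULL straight into `values_persist` and hands the dictionary to the identity lookup. Guard before building persistFind, e.g. `if (persistentCertRef == NULL) { status = errSecParam; goto end; }`, assuming `status` is the OSStatus tested at `end:` as the `@@ -479` hunk shows. The `#define SIG_BUF_SIZE 1024` now sits inside the function body without an `#undef`; moving it to file scope with a comment stating what it bounds (the largest signature the buffer can hold) would be clearer. crypto_cssm_getsign starts before this hunk.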
@@ -722,9 +557,6 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCert case kSecTrustResultProceed: plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultProceed.\n"); break; - case kSecTrustResultConfirm: - plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultConfirm.\n"); - break; case kSecTrustResultDeny: plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultDeny.\n"); break; @@ -745,8 +577,6 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCert break; } - -#if TARGET_OS_EMBEDDED errorStrings = SecTrustCopyProperties(trustRef); if (errorStrings) { @@ -776,29 +606,13 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCert plog(LLV_ERROR, LOCATION, NULL, "-----------------------------------------------------.\n"); CFRelease(errorStrings); } - -#else - SecTrustGetResult(trustRef, &evalResult, &certChain, &statusChain); - plog(LLV_ERROR, LOCATION, NULL, "Cert status bits = 0x%x.\n", statusChain->StatusBits); - plog(LLV_ERROR, LOCATION, NULL, "Cert status NumStatusCodes = 0x%x.\n", statusChain->NumStatusCodes); - { - int i; - for (i = 0; i < statusChain->NumStatusCodes; i++) - plog(LLV_ERROR, LOCATION, NULL, "Cert status code i = 0x%x %d.\n", *(statusChain->StatusCodes + i), *(statusChain->StatusCodes + i)); - } - plog(LLV_ERROR, LOCATION, NULL, "Cert status Index = %d.\n", statusChain->Index); - CFRelease(certChain); -#endif - + status = -1; goto end; } - -#if TARGET_OS_EMBEDDED /* get and return the public key */ *publicKeyRef = SecTrustCopyPublicKey(trustRef); -#endif end: if (cfCertRef) diff --git a/ipsec-tools/racoon/crypto_cssm.h b/ipsec-tools/racoon/crypto_cssm.h index e56a5f2..be59c91 100644 --- a/ipsec-tools/racoon/crypto_cssm.h +++ b/ipsec-tools/racoon/crypto_cssm.h 
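Review bot: On the success path of the `@@ -776` hunk, `*publicKeyRef = SecTrustCopyPublicKey(trustRef);` is not checked, and neither is the `publicKeyRef` out-parameter itself, so EvaluateCert can report success while leaving the caller with a NULL key that later reaches SecKeyRawVerify. Replace it with `*publicKeyRef = SecTrustCopyPublicKey(trustRef); if (*publicKeyRef == NULL) { status = -1; goto end; }` so a certificate without an extractable key is treated as a trust failure rather than a verified one. EvaluateCert starts in the `@@ -677` hunk and the evalResult switch that decides success is only partly visible, so whether this line is reachable on a failed evaluation depends on code outside the hunk.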
@@ -33,12 +33,9 @@ #include #include -#if TARGET_OS_EMBEDDED + extern int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef); extern int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature); -#else -extern int crypto_cssm_check_x509cert(cert_t *hostcert, cert_t *certchain, CFStringRef hostname); -#endif extern SecCertificateRef crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert); extern vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash); extern vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, cert_status_t *certStatus); diff --git a/ipsec-tools/racoon/crypto_openssl.c b/ipsec-tools/racoon/crypto_openssl.c index d93750a..e930edf 100644 --- a/ipsec-tools/racoon/crypto_openssl.c +++ b/ipsec-tools/racoon/crypto_openssl.c @@ -65,17 +65,6 @@ #include #include #include -#ifdef HAVE_OPENSSL_RC5_H -#include -#endif -#ifdef HAVE_OPENSSL_IDEA_H -#include -#endif -#if defined(HAVE_OPENSSL_AES_H) -#include -#elif defined(HAVE_OPENSSL_RIJNDAEL_H) -#include -#endif #else /* HAVE_OPENSSL */ #include #include 
@@ -1361,171 +1350,6 @@ eay_des_keylen(len) return kCCKeySizeDES << 3; } -#ifdef HAVE_OPENSSL_IDEA_H -/* - * IDEA-CBC - */ -vchar_t * -eay_idea_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - IDEA_KEY_SCHEDULE ks; - - idea_set_encrypt_key(key->v, &ks); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - idea_cbc_encrypt(data->v, res->v, data->l, - &ks, iv->v, IDEA_ENCRYPT); - - return res; -} - -vchar_t * -eay_idea_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - IDEA_KEY_SCHEDULE ks, dks; - - idea_set_encrypt_key(key->v, &ks); - idea_set_decrypt_key(&ks, &dks); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - idea_cbc_encrypt(data->v, res->v, data->l, - &dks, iv->v, IDEA_DECRYPT); - - return res; -} - -int -eay_idea_weakkey(key) - vchar_t *key; -{ - return 0; /* XXX */ -} - -int -eay_idea_keylen(len) - int len; -{ - if (len != 0 && len != 128) - return -1; - return 128; -} -#endif - -#ifdef HAVE_OPENSSL -/* - * BLOWFISH-CBC - */ -vchar_t * -eay_bf_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - return evp_crypt(data, key, iv, EVP_bf_cbc(), 1); -} - -vchar_t * -eay_bf_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - return evp_crypt(data, key, iv, EVP_bf_cbc(), 0); -} - -int -eay_bf_weakkey(key) - vchar_t *key; -{ - return 0; /* XXX to be done. refer to RFC 2451 */ -} - -int -eay_bf_keylen(len) - int len; -{ - if (len == 0) - return 448; - if (len < 40 || len > 448) - return -1; - return len; -} -#endif - -#ifdef HAVE_OPENSSL_RC5_H -/* - * RC5-CBC - */ -vchar_t * -eay_rc5_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - RC5_32_KEY ks; - - /* in RFC 2451, there is information about the number of round. 
*/ - RC5_32_set_key(&ks, key->l, key->v, 16); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - RC5_32_cbc_encrypt(data->v, res->v, data->l, - &ks, iv->v, RC5_ENCRYPT); - - return res; -} - -vchar_t * -eay_rc5_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - RC5_32_KEY ks; - - /* in RFC 2451, there is information about the number of round. */ - RC5_32_set_key(&ks, key->l, key->v, 16); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - RC5_32_cbc_encrypt(data->v, res->v, data->l, - &ks, iv->v, RC5_DECRYPT); - - return res; -} - -int -eay_rc5_weakkey(key) - vchar_t *key; -{ - return 0; /* No known weak keys when used with 16 rounds. */ - -} - -int -eay_rc5_keylen(len) - int len; -{ - if (len == 0) - return 128; - if (len < 40 || len > 2040) - return -1; - return len; -} -#endif - /* * 3DES-CBC */ @@ -1547,23 +1371,7 @@ int eay_3des_weakkey(key) vchar_t *key; { -#ifdef HAVE_OPENSSL -#ifdef USE_NEW_DES_API - return (DES_is_weak_key((void *)key->v) || - DES_is_weak_key((void *)(key->v + 8)) || - DES_is_weak_key((void *)(key->v + 16))); -#else - if (key->l < 24) - return 0; - - return (des_is_weak_key((void *)key->v) || - des_is_weak_key((void *)(key->v + 8)) || - des_is_weak_key((void *)(key->v + 16))); -#endif -#else /* HAVE_OPENSSL */ return 0; -#endif - } int 
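Review bot: eay_3des_weakkey now returns 0 unconditionally, so the weak/semi-weak subkey rejection the removed OpenSSL branch performed with DES_is_weak_key on each 8-byte third of the key is gone, and a negotiated 3DES key made of weak halves is accepted silently. If that is intended because CommonCrypto offers no equivalent, say so in the body, e.g. `return 0; /* XXX no weak-key check: CommonCrypto has no DES_is_weak_key equivalent */`; otherwise the check can be restored with a static table of the DES weak and semi-weak keys (RFC 2451 lists them) compared against each subkey. The same question applies to eay_des_weakkey if it changed the same way, which this chunk does not show.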
@@ -1579,43 +1387,6 @@ eay_3des_keylen(len) return kCCKeySize3DES << 3; } -#ifdef HAVE_OPENSSL -/* - * CAST-CBC - */ -vchar_t * -eay_cast_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - return evp_crypt(data, key, iv, EVP_cast5_cbc(), 1); -} - -vchar_t * -eay_cast_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - return evp_crypt(data, key, iv, EVP_cast5_cbc(), 0); -} - -int -eay_cast_weakkey(key) - vchar_t *key; -{ - return 0; /* No known weak keys. */ -} - -int -eay_cast_keylen(len) - int len; -{ - if (len == 0) - return 128; - if (len < 40 || len > 128) - return -1; - return len; -} -#endif - /* * AES(RIJNDAEL)-CBC */ @@ -1666,23 +1437,6 @@ eay_null_hashlen() return 0; } -#ifdef HAVE_OPENSSL -int -eay_kpdk_hashlen() -{ - return 0; -} - -int -eay_twofish_keylen(len) - int len; -{ - if (len < 0 || len > 256) - return -1; - return len; -} -#endif - int eay_null_keylen(len) int len; @@ -1735,7 +1489,7 @@ eay_hmacsha2_512_update(c, data) caddr_t c; vchar_t *data; { - CCHmacUpdate((CCHmacContext *)c, data->v, data->l); + CCHmacUpdate(ALIGNED_CAST(CCHmacContext *)c, data->v, data->l); } vchar_t * @@ -1747,7 +1501,7 @@ eay_hmacsha2_512_final(c) if ((res = vmalloc(CC_SHA512_DIGEST_LENGTH)) == 0) return NULL; - CCHmacFinal((CCHmacContext *)c, res->v); + CCHmacFinal(ALIGNED_CAST(CCHmacContext *)c, res->v); res->l = CC_SHA512_DIGEST_LENGTH; (void)racoon_free(c); @@ -1783,7 +1537,7 @@ eay_hmacsha2_384_update(c, data) caddr_t c; vchar_t *data; { - CCHmacUpdate((CCHmacContext *)c, data->v, data->l); + CCHmacUpdate(ALIGNED_CAST(CCHmacContext *)c, data->v, data->l); } vchar_t * @@ -1795,7 +1549,7 @@ eay_hmacsha2_384_final(c) if ((res = vmalloc(CC_SHA384_DIGEST_LENGTH)) == 0) return NULL; - CCHmacFinal((CCHmacContext *)c, res->v); + CCHmacFinal(ALIGNED_CAST(CCHmacContext *)c, res->v); res->l = CC_SHA384_DIGEST_LENGTH; (void)racoon_free(c); 
@@ -1831,7 +1585,7 @@ eay_hmacsha2_256_update(c, data) caddr_t c; vchar_t *data; { - CCHmacUpdate((CCHmacContext *)c, data->v, data->l); + CCHmacUpdate(ALIGNED_CAST(CCHmacContext *)c, data->v, data->l); } vchar_t * @@ -1843,7 +1597,7 @@ eay_hmacsha2_256_final(c) if ((res = vmalloc(CC_SHA256_DIGEST_LENGTH)) == 0) return NULL; - CCHmacFinal((CCHmacContext *)c, res->v); + CCHmacFinal(ALIGNED_CAST(CCHmacContext *)c, res->v); res->l = CC_SHA256_DIGEST_LENGTH; (void)racoon_free(c); @@ -1880,7 +1634,7 @@ eay_hmacsha1_update(c, data) caddr_t c; vchar_t *data; { - CCHmacUpdate((CCHmacContext *)c, data->v, data->l); + CCHmacUpdate(ALIGNED_CAST(CCHmacContext *)c, data->v, data->l); } vchar_t * @@ -1892,7 +1646,7 @@ eay_hmacsha1_final(c) if ((res = vmalloc(CC_SHA1_DIGEST_LENGTH)) == 0) return NULL; - CCHmacFinal((CCHmacContext *)c, res->v); + CCHmacFinal(ALIGNED_CAST(CCHmacContext *)c, res->v); res->l = CC_SHA1_DIGEST_LENGTH; (void)racoon_free(c); @@ -1928,7 +1682,7 @@ eay_hmacmd5_update(c, data) caddr_t c; vchar_t *data; { - CCHmacUpdate((CCHmacContext *)c, data->v, data->l); + CCHmacUpdate(ALIGNED_CAST(CCHmacContext *)c, data->v, data->l); } vchar_t * @@ -1940,7 +1694,7 @@ eay_hmacmd5_final(c) if ((res = vmalloc(CC_MD5_DIGEST_LENGTH)) == 0) return NULL; - CCHmacFinal((CCHmacContext *)c, res->v); + CCHmacFinal(ALIGNED_CAST(CCHmacContext *)c, res->v); res->l = CC_MD5_DIGEST_LENGTH; (void)racoon_free(c); @@ -1967,7 +1721,7 @@ eay_sha2_512_update(c, data) caddr_t c; vchar_t *data; { - SHA512_Update((SHA512_CTX *)c, (unsigned char *) data->v, data->l); + SHA512_Update(ALIGNED_CAST(SHA512_CTX *)c, (unsigned char *) data->v, data->l); return; } @@ -1981,7 +1735,7 @@ eay_sha2_512_final(c) if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0) return(0); - SHA512_Final((unsigned char *) res->v, (SHA512_CTX *)c); + SHA512_Final((unsigned char *) res->v, ALIGNED_CAST(SHA512_CTX *)c); (void)racoon_free(c); return(res); 
@@ -2030,7 +1784,7 @@ eay_sha2_384_update(c, data) caddr_t c; vchar_t *data; { - SHA384_Update((SHA384_CTX *)c, (unsigned char *) data->v, data->l); + SHA384_Update(ALIGNED_CAST(SHA384_CTX *)c, (unsigned char *) data->v, data->l); return; } @@ -2044,7 +1798,7 @@ eay_sha2_384_final(c) if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0) return(0); - SHA384_Final((unsigned char *) res->v, (SHA384_CTX *)c); + SHA384_Final((unsigned char *) res->v, ALIGNED_CAST(SHA384_CTX *)c); (void)racoon_free(c); return(res); @@ -2090,7 +1844,7 @@ eay_sha2_256_update(c, data) caddr_t c; vchar_t *data; { - SHA256_Update((SHA256_CTX *)c, (unsigned char *) data->v, data->l); + SHA256_Update(ALIGNED_CAST(SHA256_CTX *)c, (unsigned char *) data->v, data->l); return; } @@ -2104,7 +1858,7 @@ eay_sha2_256_final(c) if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0) return(0); - SHA256_Final((unsigned char *) res->v, (SHA256_CTX *)c); + SHA256_Final((unsigned char *) res->v, ALIGNED_CAST(SHA256_CTX *)c); (void)racoon_free(c); return(res); @@ -2149,7 +1903,7 @@ eay_sha1_update(c, data) caddr_t c; vchar_t *data; { - SHA1_Update((SHA_CTX *)c, data->v, data->l); + SHA1_Update(ALIGNED_CAST(SHA_CTX *)c, data->v, data->l); return; } @@ -2163,7 +1917,7 @@ eay_sha1_final(c) if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0) return(0); - SHA1_Final((unsigned char *) res->v, (SHA_CTX *)c); + SHA1_Final((unsigned char *) res->v, ALIGNED_CAST(SHA_CTX *)c); (void)racoon_free(c); return(res); @@ -2207,7 +1961,7 @@ eay_md5_update(c, data) caddr_t c; vchar_t *data; { - MD5_Update((MD5_CTX *)c, data->v, data->l); + MD5_Update(ALIGNED_CAST(MD5_CTX *)c, data->v, data->l); return; } @@ -2221,7 +1975,7 @@ eay_md5_final(c) if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0) return(0); - MD5_Final((unsigned char *) res->v, (MD5_CTX *)c); + MD5_Final((unsigned char *) res->v, ALIGNED_CAST(MD5_CTX *)c); (void)racoon_free(c); return(res); 
diff --git a/ipsec-tools/racoon/crypto_openssl.h b/ipsec-tools/racoon/crypto_openssl.h index 0d59ec2..1bf364f 100644 --- a/ipsec-tools/racoon/crypto_openssl.h +++ b/ipsec-tools/racoon/crypto_openssl.h @@ -90,40 +90,12 @@ extern vchar_t *eay_des_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern int eay_des_weakkey __P((vchar_t *)); extern int eay_des_keylen __P((int)); -#ifdef HAVE_OPENSSL -/* IDEA */ -extern vchar_t *eay_idea_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern vchar_t *eay_idea_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern int eay_idea_weakkey __P((vchar_t *)); -extern int eay_idea_keylen __P((int)); - -/* blowfish */ -extern vchar_t *eay_bf_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern vchar_t *eay_bf_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern int eay_bf_weakkey __P((vchar_t *)); -extern int eay_bf_keylen __P((int)); - -/* RC5 */ -extern vchar_t *eay_rc5_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern vchar_t *eay_rc5_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern int eay_rc5_weakkey __P((vchar_t *)); -extern int eay_rc5_keylen __P((int)); -#endif /* HAVE_OPENSSL */ - /* 3DES */ extern vchar_t *eay_3des_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern vchar_t *eay_3des_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern int eay_3des_weakkey __P((vchar_t *)); extern int eay_3des_keylen __P((int)); -#ifdef HAVE_OPENSSL -/* CAST */ -extern vchar_t *eay_cast_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern vchar_t *eay_cast_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); -extern int eay_cast_weakkey __P((vchar_t *)); -extern int eay_cast_keylen __P((int)); -#endif - /* AES(RIJNDAEL) */ extern vchar_t *eay_aes_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); diff --git a/ipsec-tools/racoon/dnssec.c b/ipsec-tools/racoon/dnssec.c index bd4cd00..cb0cb02 100644 --- a/ipsec-tools/racoon/dnssec.c 
+++ b/ipsec-tools/racoon/dnssec.c @@ -67,7 +67,7 @@ dnssec_getcert(id) int namelen; int error; - id_b = (struct ipsecdoi_id_b *)id->v; + id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)id->v; namelen = id->l - sizeof(*id_b); name = racoon_malloc(namelen + 1); diff --git a/ipsec-tools/racoon/dump.h b/ipsec-tools/racoon/dump.h index 7473bbc..22b0645 100644 --- a/ipsec-tools/racoon/dump.h +++ b/ipsec-tools/racoon/dump.h @@ -34,6 +34,6 @@ extern int isakmp_dump_open __P((char *)); extern int isakmp_dump_close __P((void)); -extern int isakmp_dump __P((vchar_t *, struct sockaddr *, struct sockaddr *)); +extern int isakmp_dump __P((vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *)); #endif /* _DUMP_H */ diff --git a/ipsec-tools/racoon/evt.c b/ipsec-tools/racoon/evt.c index fc65b20..790d021 100644 --- a/ipsec-tools/racoon/evt.c +++ b/ipsec-tools/racoon/evt.c @@ -55,8 +55,8 @@ int evtlist_len = 0; void evt_push(src, dst, type, optdata) - struct sockaddr *src; - struct sockaddr *dst; + struct sockaddr_storage *src; + struct sockaddr_storage *dst; int type; vchar_t *optdata; { @@ -103,9 +103,9 @@ evt_push(src, dst, type, optdata) } if (src) - memcpy(&evtdump->src, src, sysdep_sa_len(src)); + memcpy(&evtdump->src, src, sysdep_sa_len((struct sockaddr *)src)); if (dst) - memcpy(&evtdump->dst, dst, sysdep_sa_len(dst)); + memcpy(&evtdump->dst, dst, sysdep_sa_len((struct sockaddr *)dst)); evtdump->len = len; evtdump->type = type; time(&evtdump->timestamp); diff --git a/ipsec-tools/racoon/evt.h b/ipsec-tools/racoon/evt.h index 88ee366..9707da1 100644 --- a/ipsec-tools/racoon/evt.h +++ b/ipsec-tools/racoon/evt.h @@ -76,7 +76,7 @@ TAILQ_HEAD(evtlist, evt); #ifdef ENABLE_ADMINPORT struct evtdump *evt_pop(void); vchar_t *evt_dump(void); -void evt_push(struct sockaddr *, struct sockaddr *, int, vchar_t *); +void evt_push(struct sockaddr_storage *, struct sockaddr_storage *, int, vchar_t *); #endif #ifdef ENABLE_ADMINPORT 
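Review bot: `namelen = id->l - sizeof(*id_b)` is evaluated without first checking that `id->l` is at least `sizeof(*id_b)`; if `l` is vchar_t's unsigned length field, a short identifier payload wraps the subtraction and the int conversion leaves `namelen` negative before `racoon_malloc(namelen + 1)`. Add `if (id->l < sizeof(*id_b)) return NULL;` ahead of the cast, assuming NULL is dnssec_getcert's failure return (the hunk does not show it). ALIGNED_CAST only changes how the cast is spelled and adds no such bounds check. dnssec_getcert starts before this hunk.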
diff --git a/ipsec-tools/racoon/getcertsbyname.c b/ipsec-tools/racoon/getcertsbyname.c index 6ce6be1..d88ece9 100644 --- a/ipsec-tools/racoon/getcertsbyname.c +++ b/ipsec-tools/racoon/getcertsbyname.c @@ -53,6 +53,7 @@ #include #endif +#include "var.h" #include "netdb_dnssec.h" /* XXX should it use ci_errno to hold errno instead of h_errno ? */ @@ -244,7 +245,7 @@ getcertsbyname(name, res) /* parse CERT RR */ eom = answer + anslen; - hp = (HEADER *)answer; + hp = ALIGNED_CAST(HEADER *)answer; qdcount = ntohs(hp->qdcount); ancount = ntohs(hp->ancount); diff --git a/ipsec-tools/racoon/grabmyaddr.c b/ipsec-tools/racoon/grabmyaddr.c index 55b62b9..66f2457 100644 --- a/ipsec-tools/racoon/grabmyaddr.c +++ b/ipsec-tools/racoon/grabmyaddr.c @@ -54,6 +54,7 @@ #include #include #endif +#include #include "var.h" #include "misc.h" @@ -131,9 +132,9 @@ find_myaddr(addr, udp_encap) if (q->udp_encap && !udp_encap || !q->udp_encap && udp_encap) continue; - if (addr->sa_family != q->addr->sa_family) + if (addr->sa_family != q->addr->ss_family) continue; - if (getnameinfo(q->addr, sysdep_sa_len(q->addr), h2, sizeof(h2), + if (getnameinfo((struct sockaddr *)q->addr, sysdep_sa_len((struct sockaddr *)q->addr), h2, sizeof(h2), NULL, 0, NI_NUMERICHOST | niflags) != 0) return NULL; if (strcmp(h1, h2) == 0) @@ -154,9 +155,6 @@ grab_myaddrs() #ifdef HAVE_GETIFADDRS struct myaddrs *p, *q; struct ifaddrs *ifa0, *ifap; -#ifdef INET6 - struct sockaddr_in6 *sin6; -#endif char addr1[NI_MAXHOST]; @@ -222,7 +220,7 @@ grab_myaddrs() p->sock = -1; p->in_use = 1; - if (getnameinfo(p->addr, p->addr->sa_len, + if (getnameinfo((struct sockaddr *)p->addr, p->addr->ss_len, addr1, sizeof(addr1), NULL, 0, NI_NUMERICHOST | niflags)) 
@@ -303,10 +301,15 @@ suitable_ifaddr6(ifname, ifaddr) return 0; } + if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to put IPv6 socket in non-blocking mode\n"); + } + memset(&ifr6, 0, sizeof(ifr6)); strlcpy(ifr6.ifr_name, ifname, sizeof(ifr6.ifr_name)); - ifr6.ifr_addr = *(const struct sockaddr_in6 *)ifaddr; + memcpy(&ifr6.ifr_addr, ifaddr, sizeof(struct sockaddr_in6)); // Wcast-align fix - copy instread of assign with cast if (ioctl(s, SIOCGIFAFLAG_IN6, &ifr6) < 0) { plog(LLV_ERROR, LOCATION, NULL, @@ -329,32 +332,35 @@ suitable_ifaddr6(ifname, ifaddr) int update_myaddrs() -{ - char msg[BUFSIZ]; +{ + struct rtmessage { // Wcast-align fix - force alignment + struct rt_msghdr rtm; + char discard[BUFSIZ]; + } msg; + int len; - struct rt_msghdr *rtm; - len = read(lcconf->rtsock, msg, sizeof(msg)); - if (len < 0) { + while((len = read(lcconf->rtsock, &msg, sizeof(msg))) < 0) { + if (errno == EINTR) + continue; plog(LLV_ERROR, LOCATION, NULL, "read(PF_ROUTE) failed: %s\n", strerror(errno)); return 0; } - rtm = (struct rt_msghdr *)msg; - if (len < rtm->rtm_msglen) { + if (len < msg.rtm.rtm_msglen) { plog(LLV_ERROR, LOCATION, NULL, "read(PF_ROUTE) short read\n"); return 0; } - if (rtm->rtm_version != RTM_VERSION) { + if (msg.rtm.rtm_version != RTM_VERSION) { plog(LLV_ERROR, LOCATION, NULL, "routing socket version mismatch\n"); close(lcconf->rtsock); lcconf->rtsock = -1; return 0; } - switch (rtm->rtm_type) { + switch (msg.rtm.rtm_type) { case RTM_NEWADDR: case RTM_DELADDR: case RTM_DELETE: 
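Review bot: the new fcntl() failure log omits the reason, whereas the neighbouring error paths in this file append `strerror(errno)` (the PF_ROUTE messages in update_myaddrs and initmyaddr); `"failed to put IPv6 socket in non-blocking mode: %s\n", strerror(errno)` would match them, and it is worth a comment on why a socket used only for an ioctl needs O_NONBLOCK at all. The replacement `memcpy(&ifr6.ifr_addr, ifaddr, sizeof(struct sockaddr_in6))` reads a full sockaddr_in6 from `ifaddr` whatever was passed; if the caller does not already guarantee `ifaddr->sa_family == AF_INET6` (not visible here), a check before the copy keeps the Wcast-align fix from becoming an over-read. suitable_ifaddr6 begins before this hunk and continues after it.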
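Review bot: `msg.rtm.rtm_msglen` and `rtm_version` are consulted before the code knows that read() returned at least `sizeof(msg.rtm)` bytes; `msg` is an uninitialized stack object, so a short datagram leaves those fields as stack garbage and the `len < msg.rtm.rtm_msglen` comparison is made against it. Guard the header length first, `if (len < (int)sizeof(msg.rtm) || len < msg.rtm.rtm_msglen) {`, or zero `msg` before the read. The retry loop also only forgives `EINTR`; with `lcconf->rtsock` now non-blocking (see the initmyaddr change in this commit) an `EAGAIN` read will be logged as `read(PF_ROUTE) failed` even though nothing is wrong. update_myaddrs continues past the end of this hunk.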
@@ -364,15 +370,15 @@ update_myaddrs() /* ignore this message silently */ return 0; default: - plog(LLV_DEBUG, LOCATION, NULL, - "msg %d not interesting\n", rtm->rtm_type); + //plog(LLV_DEBUG, LOCATION, NULL, + // "msg %d not interesting\n", msg.rtm.rtm_type); return 0; } /* XXX more filters here? */ - plog(LLV_DEBUG, LOCATION, NULL, - "caught rtm:%d, need update interface address list\n", - rtm->rtm_type); + //plog(LLV_DEBUG, LOCATION, NULL, + // "caught rtm:%d, need update interface address list\n", + // msg.rtm.rtm_type); return 1; } @@ -409,7 +415,7 @@ autoconf_myaddrsport() */ u_short getmyaddrsport(local) - struct sockaddr *local; + struct sockaddr_storage *local; { struct myaddrs *p, *bestmatch = NULL; u_short bestmatch_port = PORT_ISAKMP; @@ -424,7 +430,7 @@ getmyaddrsport(local) continue; } - switch (p->addr->sa_family) { + switch (p->addr->ss_family) { case AF_INET: if (((struct sockaddr_in *)p->addr)->sin_port == PORT_ISAKMP) { bestmatch = p; @@ -443,7 +449,7 @@ getmyaddrsport(local) #endif default: plog(LLV_ERROR, LOCATION, NULL, - "unsupported AF %d\n", p->addr->sa_family); + "unsupported AF %d\n", p->addr->ss_family); continue; } } @@ -487,7 +493,7 @@ dupmyaddr(struct myaddrs *old) /* Copy the whole structure and set the differences. */ memcpy (new, old, sizeof (*new)); - new->addr = dupsaddr (old->addr); + new->addr = dupsaddr ((struct sockaddr *)old->addr); if (new->addr == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate buffer for duplicate addr.\n"); @@ -542,6 +548,11 @@ initmyaddr() strerror(errno)); return -1; } + + if (fcntl(lcconf->rtsock, F_SETFL, O_NONBLOCK) == -1) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to put PF_ROUTE socket in non-blocking mode\n"); + } if (lcconf->myaddrs == NULL && lcconf->autograbaddr == 1) { grab_myaddrs(); 
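Review bot: the two debug plog() calls are commented out rather than removed, leaving four lines of dead code in update_myaddrs. If the messages are too chatty at LLV_DEBUG, delete them outright; if they are still useful when chasing address-list problems, keep them at the LLV_DEBUG2 level this commit already uses for per-entry tracing in handler.c rather than parking them in comments. update_myaddrs begins before this hunk.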
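Review bot: switching `lcconf->rtsock` to non-blocking changes the contract of its reader, and update_myaddrs() in this file has not been told: it retries only on `EINTR` and treats any other negative read() as a logged failure, so a wakeup with no routing message pending now yields a spurious `read(PF_ROUTE) failed` error. Either handle `EAGAIN`/`EWOULDBLOCK` there, or add a comment here stating that the socket is only ever read after select() reported it readable. The failure log also drops the errno text that the `strerror(errno)` message a few lines above includes; `"failed to put PF_ROUTE socket in non-blocking mode: %s\n", strerror(errno)` would match it.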
@@ -564,10 +575,10 @@ getsockmyaddr(my) for (p = lcconf->myaddrs; p; p = p->next) { if (p->addr == NULL) continue; - if (my->sa_family == p->addr->sa_family) { + if (my->sa_family == p->addr->ss_family) { lastresort = p; } else continue; - if (sysdep_sa_len(my) == sysdep_sa_len(p->addr) + if (sysdep_sa_len(my) == sysdep_sa_len((struct sockaddr *)p->addr) && memcmp(my, p->addr, sysdep_sa_len(my)) == 0) { break; } diff --git a/ipsec-tools/racoon/grabmyaddr.h b/ipsec-tools/racoon/grabmyaddr.h index 85a901c..4c74029 100644 --- a/ipsec-tools/racoon/grabmyaddr.h +++ b/ipsec-tools/racoon/grabmyaddr.h @@ -34,7 +34,7 @@ struct myaddrs { struct myaddrs *next; - struct sockaddr *addr; + struct sockaddr_storage *addr; int sock; int udp_encap; int in_use; @@ -45,7 +45,7 @@ extern void clear_myaddr __P((void)); extern void grab_myaddrs __P((void)); extern int update_myaddrs __P((void)); extern int autoconf_myaddrsport __P((void)); -extern u_short getmyaddrsport __P((struct sockaddr *)); +extern u_short getmyaddrsport __P((struct sockaddr_storage *)); extern struct myaddrs *newmyaddr __P((void)); extern struct myaddrs *dupmyaddr __P((struct myaddrs *)); extern void insmyaddr __P((struct myaddrs *, struct myaddrs **)); diff --git a/ipsec-tools/racoon/gssapi.c b/ipsec-tools/racoon/gssapi.c index a2cce3c..bc401cd 100644 --- a/ipsec-tools/racoon/gssapi.c +++ b/ipsec-tools/racoon/gssapi.c @@ -152,14 +152,14 @@ static int gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service) { char name[NI_MAXHOST]; - struct sockaddr *sa; + struct sockaddr_storage *sa; char* buf = NULL; gss_buffer_desc name_token; OM_uint32 min_stat, maj_stat; sa = remote ? iph1->remote : iph1->local; - if (getnameinfo(sa, sysdep_sa_len(sa), name, NI_MAXHOST, NULL, 0, 0) != 0) + if (getnameinfo(sa, sysdep_sa_len((struct sockaddr *)sa), name, NI_MAXHOST, NULL, 0, 0) != 0) return -1; name_token.length = asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name); 
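Review bot: `sa` is now a `struct sockaddr_storage *` but is still passed uncast as getnameinfo()'s first argument, which takes `const struct sockaddr *`; the cast was added only to the `sysdep_sa_len` argument, so this line draws an incompatible-pointer-type diagnostic while the equivalent calls in grabmyaddr.c in this same commit cast both. Use `if (getnameinfo((struct sockaddr *)sa, sysdep_sa_len((struct sockaddr *)sa), name, NI_MAXHOST, NULL, 0, 0) != 0)`. gssapi_get_default_name continues beyond the hunk.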
diff --git a/ipsec-tools/racoon/handler.c b/ipsec-tools/racoon/handler.c index f8bed5f..018087b 100644 --- a/ipsec-tools/racoon/handler.c +++ b/ipsec-tools/racoon/handler.c @@ -144,19 +144,19 @@ getph1byindex0(index) */ struct ph1handle * getph1byaddr(local, remote) - struct sockaddr *local, *remote; + struct sockaddr_storage *local, *remote; { struct ph1handle *p; plog(LLV_DEBUG2, LOCATION, NULL, "getph1byaddr: start\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "local: %s\n", saddr2str(local)); - plog(LLV_DEBUG2, LOCATION, NULL, "remote: %s\n", saddr2str(remote)); + plog(LLV_DEBUG2, LOCATION, NULL, "local: %s\n", saddr2str((struct sockaddr *)local)); + plog(LLV_DEBUG2, LOCATION, NULL, "remote: %s\n", saddr2str((struct sockaddr *)remote)); LIST_FOREACH(p, &ph1tree, chain) { if (p->status == PHASE1ST_EXPIRED) continue; - plog(LLV_DEBUG2, LOCATION, NULL, "p->local: %s\n", saddr2str(p->local)); - plog(LLV_DEBUG2, LOCATION, NULL, "p->remote: %s\n", saddr2str(p->remote)); + plog(LLV_DEBUG2, LOCATION, NULL, "p->local: %s\n", saddr2str((struct sockaddr *)p->local)); + plog(LLV_DEBUG2, LOCATION, NULL, "p->remote: %s\n", saddr2str((struct sockaddr *)p->remote)); if (CMPSADDR(local, p->local) == 0 && CMPSADDR(remote, p->remote) == 0){ plog(LLV_DEBUG2, LOCATION, NULL, "matched\n"); @@ -171,7 +171,7 @@ getph1byaddr(local, remote) struct ph1handle * getph1byaddrwop(local, remote) - struct sockaddr *local, *remote; + struct sockaddr_storage *local, *remote; { struct ph1handle *p; @@ -193,7 +193,7 @@ getph1byaddrwop(local, remote) */ struct ph1handle * getph1bydstaddrwop(remote) - struct sockaddr *remote; + struct sockaddr_storage *remote; { struct ph1handle *p; 
@@ -246,14 +246,14 @@ dumpph1() "failed to get buffer\n"); return NULL; } - pd = (struct ph1dump *)buf->v; + pd = ALIGNED_CAST(struct ph1dump *)buf->v; LIST_FOREACH(iph1, &ph1tree, chain) { memcpy(&pd->index, &iph1->index, sizeof(iph1->index)); pd->status = iph1->status; pd->side = iph1->side; - memcpy(&pd->remote, iph1->remote, sysdep_sa_len(iph1->remote)); - memcpy(&pd->local, iph1->local, sysdep_sa_len(iph1->local)); + memcpy(&pd->remote, iph1->remote, sysdep_sa_len((struct sockaddr *)iph1->remote)); + memcpy(&pd->local, iph1->local, sysdep_sa_len((struct sockaddr *)iph1->local)); pd->version = iph1->version; pd->etype = iph1->etype; pd->created = iph1->created; @@ -542,7 +542,7 @@ getph2bymsgid(iph1, msgid) struct ph2handle * getph2byid(src, dst, spid) - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; u_int32_t spid; { struct ph2handle *p; @@ -572,7 +572,7 @@ getph2byid(src, dst, spid) struct ph2handle * getph2bysaddr(src, dst) - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; { struct ph2handle *p; @@ -590,7 +590,7 @@ getph2bysaddr(src, dst) */ struct ph2handle * getph2bysaidx(src, dst, proto_id, spi) - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; u_int proto_id; u_int32_t spi; { @@ -672,7 +672,7 @@ initph2(iph2) /* clear the generated policy */ if (iph2->spidx_gen) { - delsp_bothdir((struct policyindex *)iph2->spidx_gen); + delsp_bothdir(iph2->spidx_gen); racoon_free(iph2->spidx_gen); iph2->spidx_gen = NULL; } @@ -823,7 +823,7 @@ flushph2(int ignore_estab_or_assert_handles) */ void deleteallph2(src, dst, proto_id) - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; u_int proto_id; { struct ph2handle *iph2, *next; @@ -872,7 +872,7 @@ deleteallph2(src, dst, proto_id) */ void deleteallph1(src, dst) -struct sockaddr *src, *dst; +struct sockaddr_storage *src, *dst; { struct ph1handle *iph1, *next; 
@@ -949,7 +949,7 @@ struct ph2handle *iph2; */ struct contacted * getcontacted(remote) - struct sockaddr *remote; + struct sockaddr_storage *remote; { struct contacted *p; @@ -966,7 +966,7 @@ getcontacted(remote) */ int inscontacted(remote) - struct sockaddr *remote; + struct sockaddr_storage *remote; { struct contacted *new; @@ -975,7 +975,7 @@ inscontacted(remote) if (new == NULL) return -1; - new->remote = dupsaddr(remote); + new->remote = dupsaddr((struct sockaddr *)remote); if (new->remote == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate buffer.\n"); @@ -1030,7 +1030,7 @@ get_exp_retx_interval (int num_retries, int fixed_retry_interval) */ int check_recvdpkt(remote, local, rbuf) - struct sockaddr *remote, *local; + struct sockaddr_storage *remote, *local; vchar_t *rbuf; { vchar_t *hash; @@ -1075,12 +1075,12 @@ check_recvdpkt(remote, local, rbuf) if (t - r->time_send < 1) { plog(LLV_WARNING, LOCATION, NULL, "the packet retransmitted in a short time from %s\n", - saddr2str(remote)); + saddr2str((struct sockaddr *)remote)); /*XXX should it be error ? */ } /* select the socket to be sent */ - s = getsockmyaddr(r->local); + s = getsockmyaddr((struct sockaddr *)r->local); if (s == -1) return -1; @@ -1123,7 +1123,7 @@ check_recvdpkt(remote, local, rbuf) del_recvdpkt(r); plog(LLV_DEBUG, LOCATION, NULL, "deleted the retransmission packet to %s.\n", - saddr2str(remote)); + saddr2str((struct sockaddr *)remote)); } else { r->time_send = t; r->retry_interval = get_exp_retx_interval((lcconf->retry_counter - r->retry_counter), @@ -1138,7 +1138,7 @@ check_recvdpkt(remote, local, rbuf) */ int add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags) - struct sockaddr *remote, *local; + struct sockaddr_storage *remote, *local; vchar_t *sbuf, *rbuf; size_t non_esp; u_int32_t frag_flags; 
@@ -1164,14 +1164,14 @@ add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags) del_recvdpkt(new); return -1; } - new->remote = dupsaddr(remote); + new->remote = dupsaddr((struct sockaddr *)remote); if (new->remote == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate buffer.\n"); del_recvdpkt(new); return -1; } - new->local = dupsaddr(local); + new->local = dupsaddr((struct sockaddr *)local); if (new->local == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate buffer.\n"); @@ -1191,7 +1191,7 @@ add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags) del_recvdpkt(new); return -1; } - *(u_int32_t *)new->sendbuf->v = 0; + *ALIGNED_CAST(u_int32_t *)new->sendbuf->v = 0; memcpy(new->sendbuf->v + non_esp, sbuf->v, sbuf->l); } else { new->sendbuf = vdup(sbuf); @@ -1296,7 +1296,7 @@ init_recvdpkt() */ int exclude_cfg_addr(addr) - const struct sockaddr *addr; + const struct sockaddr_storage *addr; { struct ph1handle *p; struct sockaddr_in *sin; @@ -1304,7 +1304,7 @@ exclude_cfg_addr(addr) LIST_FOREACH(p, &ph1tree, chain) { if ((p->mode_cfg != NULL) && (p->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) && - (addr->sa_family == AF_INET)) { + (addr->ss_family == AF_INET)) { sin = (struct sockaddr_in *)addr; if (sin->sin_addr.s_addr == p->mode_cfg->addr4.s_addr) return 0; 
@@ -1355,28 +1355,30 @@ purgeph1bylogin(login) int purgephXbydstaddrwop(remote) -struct sockaddr *remote; +struct sockaddr_storage *remote; { int found = 0; struct ph1handle *p; struct ph2handle *p2; LIST_FOREACH(p2, &ph2tree, chain) { + if (p2->is_dying || p2->status == PHASE2ST_EXPIRED) { + continue; + } if (cmpsaddrwop(remote, p2->dst) == 0) { plog(LLV_WARNING, LOCATION, NULL, "in %s... purging phase2s\n", __FUNCTION__); if (p2->status == PHASE2ST_ESTABLISHED) isakmp_info_send_d2(p2); - if (p2->status < PHASE2ST_EXPIRED) { - isakmp_ph2expire(p2); - } else { - isakmp_ph2delete(p2); - } + isakmp_ph2expire(p2); found++; } } LIST_FOREACH(p, &ph1tree, chain) { + if (p->is_dying || p->status == PHASE1ST_EXPIRED) { + continue; + } if (cmpsaddrwop(remote, p->remote) == 0) { plog(LLV_WARNING, LOCATION, NULL, "in %s... purging phase1 and related phase2s\n", __FUNCTION__); @@ -1435,7 +1437,7 @@ purgephXbyspid(u_int32_t spid, #ifdef ENABLE_DPD int -ph1_force_dpd (struct sockaddr *remote) +ph1_force_dpd (struct sockaddr_storage *remote) { int status = -1; struct ph1handle *p; diff --git a/ipsec-tools/racoon/handler.h b/ipsec-tools/racoon/handler.h index 8c8c43e..50cebd0 100644 --- a/ipsec-tools/racoon/handler.h +++ b/ipsec-tools/racoon/handler.h @@ -125,8 +125,8 @@ struct ph1handle { int side; /* INITIATOR or RESPONDER */ int started_by_api; /* connection started by VPNControl API */ - struct sockaddr *remote; /* remote address to negosiate ph1 */ - struct sockaddr *local; /* local address to negosiate ph1 */ + struct sockaddr_storage *remote; /* remote address to negosiate ph1 */ + struct sockaddr_storage *local; /* local address to negosiate ph1 */ /* XXX copy from rmconf due to anonymous configuration. * If anonymous will be forbidden, we do delete them. */ 
@@ -179,11 +179,6 @@ struct ph1handle { cert_t *cert_p; /* peer's CERT minus general header */ cert_t *crl_p; /* peer's CRL minus general header */ cert_t *cr_p; /* peer's CR not including general */ -#ifdef HAVE_OPENSSL - RSA *rsa; /* my RSA key */ - RSA *rsa_p; /* peer's RSA key */ - struct genlist *rsa_candidates; /* possible candidates for peer's RSA key */ -#endif vchar_t *id; /* ID minus gen header */ vchar_t *id_p; /* partner's ID minus general header */ /* i.e. struct ipsecdoi_id_b*. */ @@ -272,15 +267,15 @@ struct ph1handle { #define PHASE2ST_MAX 11 struct ph2handle { - struct sockaddr *src; /* my address of SA. */ - struct sockaddr *dst; /* peer's address of SA. */ + struct sockaddr_storage *src; /* my address of SA. */ + struct sockaddr_storage *dst; /* peer's address of SA. */ /* * copy ip address from ID payloads when ID type is ip address. * In other case, they must be null. */ - struct sockaddr *src_id; - struct sockaddr *dst_id; + struct sockaddr_storage *src_id; + struct sockaddr_storage *dst_id; u_int32_t spid; /* policy id by kernel */ @@ -316,7 +311,7 @@ struct ph2handle { struct sainfo *sainfo; /* place holder of sainfo */ struct saprop *proposal; /* SA(s) proposal. */ struct saprop *approval; /* SA(s) approved. */ - caddr_t spidx_gen; /* policy from peer's proposal */ + struct policyindex * spidx_gen; /* policy from peer's proposal */ #ifndef HAVE_OPENSSL SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */ @@ -364,7 +359,7 @@ struct ph2handle { * for handling initial contact. */ struct contacted { - struct sockaddr *remote; /* remote address to negotiate ph1 */ + struct sockaddr_storage *remote; /* remote address to negotiate ph1 */ LIST_ENTRY(contacted) chain; }; 
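Review bot: `struct policyindex * spidx_gen;` spaces the `*` away from the member name, unlike every other pointer member in these structs (`struct sockaddr_storage *src;`, `struct saprop *proposal;`); write `struct policyindex *spidx_gen; /* policy from peer's proposal */`. Retyping the member is the right fix for the cast that initph2 in handler.c drops in this commit, so only the formatting needs attention.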
@@ -372,8 +367,8 @@ struct contacted { * for checking if a packet is retransmited. */ struct recvdpkt { - struct sockaddr *remote; /* the remote address */ - struct sockaddr *local; /* the local address */ + struct sockaddr_storage *remote; /* the remote address */ + struct sockaddr_storage *local; /* the local address */ vchar_t *hash; /* hash of the received packet */ vchar_t *sendbuf; /* buffer for the response */ int retry_counter; /* how many times to send */ @@ -460,25 +455,25 @@ struct ph1dump { int ph2cnt; }; -struct sockaddr; +struct sockaddr_storage; struct ph1handle; struct ph2handle; struct policyindex; extern struct ph1handle *getph1byindex __P((isakmp_index *)); extern struct ph1handle *getph1byindex0 __P((isakmp_index *)); -extern struct ph1handle *getph1byaddr __P((struct sockaddr *, - struct sockaddr *)); -extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *, - struct sockaddr *)); -extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *)); +extern struct ph1handle *getph1byaddr __P((struct sockaddr_storage *, + struct sockaddr_storage *)); +extern struct ph1handle *getph1byaddrwop __P((struct sockaddr_storage *, + struct sockaddr_storage *)); +extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr_storage *)); extern int islast_ph1 __P((struct ph1handle *)); struct ph1handle *ph1; #ifdef ENABLE_HYBRID struct ph1handle *getph1bylogin __P((char *)); int purgeph1bylogin __P((char *)); #endif -extern int purgephXbydstaddrwop __P((struct sockaddr *)); +extern int purgephXbydstaddrwop __P((struct sockaddr_storage *)); extern void purgephXbyspid __P((u_int32_t, int)); extern vchar_t *dumpph1 __P((void)); 
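Review bot: `struct ph1handle *ph1;`, sitting between the prototypes this hunk retypes, is a tentative definition rather than a declaration, so every translation unit that includes handler.h defines a global named `ph1` (they only link because the compiler merges them as common symbols). If something really does rely on a global `ph1`, make this `extern struct ph1handle *ph1;` and define it once in a .c file; if nothing does — it looks like a leftover, but the users are not visible here — delete the line. The hunk's own `struct sockaddr_storage;` forward declaration is fine as long as callers still get the complete type from `<sys/socket.h>`.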
@@ -492,47 +487,47 @@ extern void initph1tree __P((void)); extern struct ph2handle *getph2byspidx __P((struct policyindex *)); extern struct ph2handle *getph2byspid __P((u_int32_t)); extern struct ph2handle *getph2byseq __P((u_int32_t)); -extern struct ph2handle *getph2bysaddr __P((struct sockaddr *, - struct sockaddr *)); +extern struct ph2handle *getph2bysaddr __P((struct sockaddr_storage *, + struct sockaddr_storage *)); extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t)); -extern struct ph2handle *getph2byid __P((struct sockaddr *, - struct sockaddr *, u_int32_t)); -extern struct ph2handle *getph2bysaidx __P((struct sockaddr *, - struct sockaddr *, u_int, u_int32_t)); +extern struct ph2handle *getph2byid __P((struct sockaddr_storage *, + struct sockaddr_storage *, u_int32_t)); +extern struct ph2handle *getph2bysaidx __P((struct sockaddr_storage *, + struct sockaddr_storage *, u_int, u_int32_t)); extern struct ph2handle *newph2 __P((void)); extern void initph2 __P((struct ph2handle *)); extern void delph2 __P((struct ph2handle *)); extern int insph2 __P((struct ph2handle *)); extern void remph2 __P((struct ph2handle *)); extern void flushph2 __P((int)); -extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int)); -extern void deleteallph1 __P((struct sockaddr *, struct sockaddr *)); +extern void deleteallph2 __P((struct sockaddr_storage *, struct sockaddr_storage *, u_int)); +extern void deleteallph1 __P((struct sockaddr_storage *, struct sockaddr_storage *)); extern void initph2tree __P((void)); extern void bindph12 __P((struct ph1handle *, struct ph2handle *)); extern void unbindph12 __P((struct ph2handle *)); extern void rebindph12 __P((struct ph1handle *, struct ph2handle *)); -extern struct contacted *getcontacted __P((struct sockaddr *)); -extern int inscontacted __P((struct sockaddr *)); +extern struct contacted *getcontacted __P((struct sockaddr_storage *)); +extern int inscontacted __P((struct sockaddr_storage 
*)); extern void clear_contacted __P((void)); extern void initctdtree __P((void)); extern time_t get_exp_retx_interval __P((int num_retries, int fixed_retry_interval)); -extern int check_recvdpkt __P((struct sockaddr *, - struct sockaddr *, vchar_t *)); -extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *, +extern int check_recvdpkt __P((struct sockaddr_storage *, + struct sockaddr_storage *, vchar_t *)); +extern int add_recvdpkt __P((struct sockaddr_storage *, struct sockaddr_storage *, vchar_t *, vchar_t *, size_t, u_int32_t)); extern void clear_recvdpkt __P((void)); extern void init_recvdpkt __P((void)); #ifdef ENABLE_HYBRID -extern int exclude_cfg_addr __P((const struct sockaddr *)); +extern int exclude_cfg_addr __P((const struct sockaddr_storage *)); #endif #ifdef ENABLE_DPD -extern int ph1_force_dpd __P((struct sockaddr *)); +extern int ph1_force_dpd __P((struct sockaddr_storage *)); #endif extern void sweep_sleepwake __P((void)); diff --git a/ipsec-tools/racoon/ike_session.c b/ipsec-tools/racoon/ike_session.c index e122adb..85ac941 100644 --- a/ipsec-tools/racoon/ike_session.c +++ b/ipsec-tools/racoon/ike_session.c @@ -47,6 +47,7 @@ #include "localconf.h" #include "remoteconf.h" #include "vpn_control.h" +#include "vpn_control_var.h" #include "proposal.h" #include "sainfo.h" #include "power_mgmt.h" @@ -62,6 +63,7 @@ } while(0); const char *ike_session_stopped_by_vpn_disconnect = "Stopped by VPN disconnect"; +const char *ike_session_stopped_by_controller_comm_lost = "Stopped by loss of controller communication"; const char *ike_session_stopped_by_flush = "Stopped by Flush"; const char *ike_session_stopped_by_idle = "Stopped by Idle"; const char *ike_session_stopped_by_xauth_timeout = "Stopped by XAUTH timeout"; 
@@ -107,6 +109,7 @@ free_ike_session (ike_session_t *session) gettimeofday(&session->stop_timestamp, NULL); } if (session->term_reason != ike_session_stopped_by_vpn_disconnect || + session->term_reason != ike_session_stopped_by_controller_comm_lost || session->term_reason != ike_session_stopped_by_flush || session->term_reason != ike_session_stopped_by_idle) { is_failure = FALSE; @@ -199,8 +202,8 @@ ike_session_get_rekey_lifetime (int local_spi_is_higher, u_int expiry_lifetime) // TODO: optimize this mess later ike_session_t * -ike_session_get_session (struct sockaddr *local, - struct sockaddr *remote, +ike_session_get_session (struct sockaddr_storage *local, + struct sockaddr_storage *remote, int alloc_if_absent) { ike_session_t *p; 
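Review bot: the `term_reason` condition is a tautology — the `!=` comparisons are joined by `||`, and a pointer can equal at most one of the distinct reason strings, so at least three of the four tests always hold and `is_failure = FALSE` runs unconditionally; the new `ike_session_stopped_by_controller_comm_lost` term inherits that. Given the body sets `is_failure = FALSE`, the likely intent is "the reason is one of the benign stops", i.e. `==` joined by `||`: `if (session->term_reason == ike_session_stopped_by_vpn_disconnect || session->term_reason == ike_session_stopped_by_controller_comm_lost || ...`; alternatively keep `!=` but join with `&&` and flip the body's polarity, depending on what the else branch (outside the hunk) does. free_ike_session begins before this hunk and continues after it.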
@@ -229,38 +232,38 @@ ike_session_get_session (struct sockaddr *local, bzero(&id_default, sizeof(id_default)); bzero(&id_floated_default, sizeof(id_floated_default)); bzero(&id_wop, sizeof(id_wop)); - if (local->sa_family == AF_INET) { + if (local->ss_family == AF_INET) { memcpy(&id.local, local, sizeof(struct sockaddr_in)); memcpy(&id_default.local, local, sizeof(struct sockaddr_in)); memcpy(&id_floated_default.local, local, sizeof(struct sockaddr_in)); memcpy(&id_wop.local, local, sizeof(struct sockaddr_in)); - } else if (local->sa_family == AF_INET6) { + } else if (local->ss_family == AF_INET6) { memcpy(&id.local, local, sizeof(struct sockaddr_in6)); memcpy(&id_default.local, local, sizeof(struct sockaddr_in6)); memcpy(&id_floated_default.local, local, sizeof(struct sockaddr_in6)); memcpy(&id_wop.local, local, sizeof(struct sockaddr_in6)); } - set_port((struct sockaddr *)&id_default.local, PORT_ISAKMP); - set_port((struct sockaddr *)&id_floated_default.local, PORT_ISAKMP_NATT); - set_port((struct sockaddr *)&id_wop.local, 0); - if (remote->sa_family == AF_INET) { + set_port(&id_default.local, PORT_ISAKMP); + set_port(&id_floated_default.local, PORT_ISAKMP_NATT); + set_port(&id_wop.local, 0); + if (remote->ss_family == AF_INET) { memcpy(&id.remote, remote, sizeof(struct sockaddr_in)); memcpy(&id_default.remote, remote, sizeof(struct sockaddr_in)); memcpy(&id_floated_default.remote, remote, sizeof(struct sockaddr_in)); memcpy(&id_wop.remote, remote, sizeof(struct sockaddr_in)); - } else if (remote->sa_family == AF_INET6) { + } else if (remote->ss_family == AF_INET6) { memcpy(&id.remote, remote, sizeof(struct sockaddr_in6)); memcpy(&id_default.remote, remote, sizeof(struct sockaddr_in6)); memcpy(&id_floated_default.remote, remote, sizeof(struct sockaddr_in6)); memcpy(&id_wop.remote, remote, sizeof(struct sockaddr_in6)); } - set_port((struct sockaddr *)&id_default.remote, PORT_ISAKMP); - set_port((struct sockaddr *)&id_floated_default.remote, PORT_ISAKMP_NATT); - 
set_port((struct sockaddr *)&id_wop.remote, 0); + set_port(&id_default.remote, PORT_ISAKMP); + set_port(&id_floated_default.remote, PORT_ISAKMP_NATT); + set_port(&id_wop.remote, 0); plog(LLV_DEBUG, LOCATION, local, "start search for IKE-Session. target %s.\n", - saddr2str(remote)); + saddr2str((struct sockaddr *)remote)); for (p = LIST_FIRST(&ike_session_tree); p; p = LIST_NEXT(p, chain)) { plog(LLV_DEBUG, LOCATION, local, @@ -279,17 +282,17 @@ ike_session_get_session (struct sockaddr *local, if (memcmp(&p->session_id, &id, sizeof(id)) == 0) { plog(LLV_DEBUG, LOCATION, local, "Pre-existing IKE-Session to %s. case 1.\n", - saddr2str(remote)); + saddr2str((struct sockaddr *)remote)); return p; } else if (is_isakmp_remote_port && memcmp(&p->session_id, &id_default, sizeof(id_default)) == 0) { plog(LLV_DEBUG, LOCATION, local, "Pre-existing IKE-Session to %s. case 2.\n", - saddr2str(remote)); + saddr2str((struct sockaddr *)remote)); return p; } else if (is_isakmp_remote_port && p->ports_floated && memcmp(&p->session_id, &id_floated_default, sizeof(id_floated_default)) == 0) { plog(LLV_DEBUG, LOCATION, local, "Pre-existing IKE-Session to %s. case 3.\n", - saddr2str(remote)); + saddr2str((struct sockaddr *)remote)); return p; } else if (is_isakmp_remote_port && memcmp(&p->session_id, &id_wop, sizeof(id_wop)) == 0) { best_match = p; @@ -468,8 +471,8 @@ ike_session_cleanup_xauth_timeout (void *arg) int ike_session_link_ph2_to_session (struct ph2handle *iph2) { - struct sockaddr *local; - struct sockaddr *remote; + struct sockaddr_storage *local; + struct sockaddr_storage *remote; ike_session_t *session; if (!iph2) { 
@@ -762,12 +765,12 @@ ike_session_update_ph2_ph1bind (struct ph2handle *iph2) void ike_session_ikev1_float_ports (struct ph1handle *iph1) { - struct sockaddr *local, *remote; + struct sockaddr_storage *local, *remote; struct ph2handle *p; if (iph1->parent_session) { - local = (struct sockaddr *)&iph1->parent_session->session_id.local; - remote = (struct sockaddr *)&iph1->parent_session->session_id.remote; + local = &iph1->parent_session->session_id.local; + remote = &iph1->parent_session->session_id.remote; set_port(local, extract_port(iph1->local)); set_port(remote, extract_port(iph1->remote)); @@ -957,8 +960,8 @@ ike_session_cleanup_other_established_ph1s (ike_session_t *session, p->is_dying = 1; //log deletion - local = racoon_strdup(saddr2str(p->local)); - remote = racoon_strdup(saddr2str(p->remote)); + local = racoon_strdup(saddr2str((struct sockaddr *)p->local)); + remote = racoon_strdup(saddr2str((struct sockaddr *)p->remote)); STRDUP_FATAL(local); STRDUP_FATAL(remote); plog(LLV_DEBUG, LOCATION, NULL, @@ -1093,7 +1096,7 @@ ike_session_stopped_by_controller (ike_session_t *session, } void -ike_sessions_stopped_by_controller (struct sockaddr *remote, +ike_sessions_stopped_by_controller (struct sockaddr_storage *remote, int withport, const char *reason) { @@ -1144,12 +1147,12 @@ ike_session_purge_ph2s_by_ph1 (struct ph1handle *iph1) void ike_session_update_ph2_ports (struct ph2handle *iph2) { - struct sockaddr *local; - struct sockaddr *remote; + struct sockaddr_storage *local; + struct sockaddr_storage *remote; if (iph2->parent_session) { - local = (struct sockaddr *)&iph2->parent_session->session_id.local; - remote = (struct sockaddr *)&iph2->parent_session->session_id.remote; + local = &iph2->parent_session->session_id.local; + remote = &iph2->parent_session->session_id.remote; set_port(iph2->src, extract_port(local)); set_port(iph2->dst, extract_port(remote)); 
@@ -1305,9 +1308,10 @@ ike_session_cleanup (ike_session_t *session, } // send ipsecManager a notification - if (session->is_cisco_ipsec && reason && reason != ike_session_stopped_by_vpn_disconnect) { + if (session->is_cisco_ipsec && reason && reason != ike_session_stopped_by_vpn_disconnect + && reason != ike_session_stopped_by_controller_comm_lost) { u_int32_t address; - if (((struct sockaddr *)&session->session_id.remote)->sa_family == AF_INET) { + if ((&session->session_id.remote)->ss_family == AF_INET) { address = ((struct sockaddr_in *)&session->session_id.remote)->sin_addr.s_addr; } else { address = 0; @@ -1474,7 +1478,7 @@ ike_session_is_id_ipany (vchar_t *ext_id) } *id_ptr; /* ignore protocol and port */ - id_ptr = (struct id *)ext_id->v; + id_ptr = ALIGNED_CAST(struct id *)ext_id->v; if (id_ptr->type == IPSECDOI_ID_IPV4_ADDR && id_ptr->addr == 0) { return 1; @@ -1500,7 +1504,7 @@ ike_session_is_id_portany (vchar_t *ext_id) } *id_ptr; /* ignore addr */ - id_ptr = (struct id *)ext_id->v; + id_ptr = ALIGNED_CAST(struct id *)ext_id->v; if (id_ptr->type == IPSECDOI_ID_IPV4_ADDR && id_ptr->port == 0) { return 1; @@ -1522,7 +1526,7 @@ ike_session_set_id_portany (vchar_t *ext_id) } *id_ptr; /* ignore addr */ - id_ptr = (struct id *)ext_id->v; + id_ptr = ALIGNED_CAST(struct id *)ext_id->v; if (id_ptr->type == IPSECDOI_ID_IPV4_ADDR) { id_ptr->port = 0; return; @@ -1674,6 +1678,14 @@ ike_session_get_sainfo_r (struct ph2handle *iph2) ike_session_cmp_ph2_ids(iph2, p) == 0) { plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 matched in %s.\n", __FUNCTION__); iph2->sainfo = p->sainfo; + if (iph2->sainfo) { + if (link_sainfo_to_ph2(iph2->sainfo) != 0) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to link sainfo\n"); + iph2->sainfo = NULL; + return -1; + } + } if (!iph2->spid) { iph2->spid = p->spid; } else { 
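Review bot: `(&session->session_id.remote)->ss_family` takes the member's address only to dereference it again; now that `session_id.remote` is read as a sockaddr_storage in its own right, `if (session->session_id.remote.ss_family == AF_INET) {` says the same thing without the detour. The `((struct sockaddr_in *)&session->session_id.remote)->sin_addr.s_addr` on the following line is the one cast that is genuinely still needed. ike_session_cleanup begins before this hunk and continues after it.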
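Review bot: `id_ptr->addr` is read through the local `struct id` overlay with no check that `ext_id->l` covers the whole struct, and swapping the plain cast for `ALIGNED_CAST` does not change that; if `ext_id` can arrive here straight from a peer's ID payload (the callers are not visible in this hunk), a short payload makes the read run past the vchar buffer. A guard such as `if (ext_id == NULL || ext_id->l < sizeof(*id_ptr)) return 0;` ahead of the cast is cheap, and the same applies to ike_session_is_id_portany and ike_session_set_id_portany in the two hunks below. ike_session_is_id_ipany begins before this hunk and continues after it.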
@@ -1913,8 +1925,8 @@ ike_session_assert_session (ike_session_t *session) } int -ike_session_assert (struct sockaddr *local, - struct sockaddr *remote) +ike_session_assert (struct sockaddr_storage *local, + struct sockaddr_storage *remote) { ike_session_t *sess; diff --git a/ipsec-tools/racoon/ike_session.h b/ipsec-tools/racoon/ike_session.h index bbee7e1..87a8252 100644 --- a/ipsec-tools/racoon/ike_session.h +++ b/ipsec-tools/racoon/ike_session.h @@ -121,12 +121,13 @@ typedef enum ike_session_rekey_type { } ike_session_rekey_type_t; extern const char * ike_session_stopped_by_vpn_disconnect; +extern const char * ike_session_stopped_by_controller_comm_lost; extern const char * ike_session_stopped_by_flush; extern const char * ike_session_stopped_by_sleepwake; extern const char * ike_session_stopped_by_assert; extern void ike_session_init __P((void)); -extern ike_session_t * ike_session_get_session __P((struct sockaddr *, struct sockaddr *, int)); +extern ike_session_t * ike_session_get_session __P((struct sockaddr_storage *, struct sockaddr_storage *, int)); extern u_int ike_session_get_rekey_lifetime __P((int, u_int)); extern void ike_session_update_mode __P((struct ph2handle *iph2)); extern int ike_session_link_ph1_to_session __P((struct ph1handle *)); 
@@ -145,7 +146,7 @@ extern void ike_session_ph2_established __P((struct ph2handle *)); extern void ike_session_cleanup_other_established_ph1s __P((ike_session_t *, struct ph1handle *)); extern void ike_session_cleanup_other_established_ph2s __P((ike_session_t *, struct ph2handle *)); extern void ike_session_stopped_by_controller __P((ike_session_t *, const char *)); -extern void ike_sessions_stopped_by_controller __P((struct sockaddr *, int, const char *)); +extern void ike_sessions_stopped_by_controller __P((struct sockaddr_storage *, int, const char *)); extern void ike_session_purge_ph2s_by_ph1 __P((struct ph1handle *)); extern struct ph1handle * ike_session_get_established_ph1 __P((ike_session_t *)); extern void ike_session_update_ph2_ports __P((struct ph2handle *)); @@ -167,7 +168,7 @@ extern void ike_session_update_natt_version __P((struct ph1handle extern int ike_session_get_natt_version __P((struct ph1handle *)); extern int ike_session_drop_rekey __P((ike_session_t *, ike_session_rekey_type_t)); extern void ike_session_sweep_sleepwake __P((void)); -extern int ike_session_assert __P((struct sockaddr *, struct sockaddr *)); +extern int ike_session_assert __P((struct sockaddr_storage *, struct sockaddr_storage *)); extern int ike_session_assert_session __P((ike_session_t *)); extern void ike_session_ph2_retransmits __P((struct ph2handle *)); extern void ike_session_ph1_retransmits __P((struct ph1handle *)); diff --git a/ipsec-tools/racoon/ipsec_doi.c b/ipsec-tools/racoon/ipsec_doi.c index d413a08..877c446 100644 --- a/ipsec-tools/racoon/ipsec_doi.c +++ b/ipsec-tools/racoon/ipsec_doi.c @@ -79,6 +79,7 @@ #include "sainfo.h" #include "proposal.h" #include "crypto_openssl.h" +#include "crypto_cssm.h" #include "strnames.h" #include "gcmalloc.h" 
@@ -874,9 +875,6 @@ out: /* key length must not be specified on some algorithms */ if (keylen) { if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES -#ifdef HAVE_OPENSSL_IDEA_H - || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA -#endif || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) { plog(LLV_ERROR, LOCATION, NULL, "keylen must not be specified " @@ -1307,7 +1305,7 @@ get_proppair(sa, mode) int tlen; caddr_t bp; int i; - struct ipsecdoi_sa_b *sab = (struct ipsecdoi_sa_b *)sa->v; + struct ipsecdoi_sa_b *sab = ALIGNED_CAST(struct ipsecdoi_sa_b *)sa->v; plog(LLV_DEBUG, LOCATION, NULL, "total SA len=%zu\n", sa->l); plogdump(LLV_DEBUG, sa->v, sa->l); @@ -1348,7 +1346,7 @@ get_proppair(sa, mode) if (pbuf == NULL) goto bad; - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { /* check the value of next payload */ @@ -1491,7 +1489,7 @@ get_transform(prop, pair, num_p) /* check and get transform for use */ num_t = 0; - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { @@ -1603,8 +1601,8 @@ get_sabyproppair(pair, iph1) ((struct isakmp_gen *)bp)->len = htons(newtlen); /* update some of values in SA header */ - ((struct ipsecdoi_sa_b *)bp)->doi = htonl(iph1->rmconf->doitype); - ((struct ipsecdoi_sa_b *)bp)->sit = htonl(iph1->rmconf->sittype); + (ALIGNED_CAST(struct ipsecdoi_sa_b *)bp)->doi = htonl(iph1->rmconf->doitype); + (ALIGNED_CAST(struct ipsecdoi_sa_b *)bp)->sit = htonl(iph1->rmconf->sittype); bp += sizeof(struct ipsecdoi_sa_b); /* create proposal payloads */ @@ -1824,10 +1822,10 @@ ipsecdoi_set_ld(buf) switch (buf->l) { case 2: - ld = ntohs(*(u_int16_t *)buf->v); + ld = ntohs(*ALIGNED_CAST(u_int16_t *)buf->v); break; case 4: - ld = ntohl(*(u_int32_t *)buf->v); + ld = ntohl(*ALIGNED_CAST(u_int32_t *)buf->v); break; default: plog(LLV_ERROR, LOCATION, NULL, 
@@ -2662,8 +2660,8 @@ ipsecdoi_setph1proposal(props) /* create SA payload */ /* not including isakmp general header */ - ((struct ipsecdoi_sa_b *)mysa->v)->doi = htonl(props->rmconf->doitype); - ((struct ipsecdoi_sa_b *)mysa->v)->sit = htonl(props->rmconf->sittype); + (ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v)->doi = htonl(props->rmconf->doitype); + (ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v)->sit = htonl(props->rmconf->sittype); (void)setph1prop(props, mysa->v + sizeof(struct ipsecdoi_sa_b)); @@ -3156,7 +3154,7 @@ ipsecdoi_setph2proposal(iph2) } /* create SA payload */ - sab = (struct ipsecdoi_sa_b *)iph2->sa->v; + sab = ALIGNED_CAST(struct ipsecdoi_sa_b *)iph2->sa->v; sab->doi = htonl(IPSEC_DOI); sab->sit = htonl(IPSECDOI_SIT_IDENTITY_ONLY); /* XXX configurable ? */ @@ -3375,7 +3373,7 @@ ipsecdoi_subnetisaddr_v4( subnet, address ) if (subnet->l != (sizeof(struct in_addr)*2)) return 1; - mask = (struct in_addr*)(subnet->v + sizeof(struct in_addr)); + mask = ALIGNED_CAST(struct in_addr*)(subnet->v + sizeof(struct in_addr)); if (mask->s_addr!=0xffffffff) return 1; @@ -3399,7 +3397,7 @@ ipsecdoi_subnetisaddr_v6( subnet, address ) if (subnet->l != (sizeof(struct in6_addr)*2)) return 1; - mask = (struct in6_addr*)(subnet->v + sizeof(struct in6_addr)); + mask = ALIGNED_CAST(struct in6_addr*)(subnet->v + sizeof(struct in6_addr)); for (i=0; i<16; i++) if(mask->s6_addr[i]!=0xff) @@ -3623,7 +3621,7 @@ ipsecdoi_checkid1(iph1) struct ph1handle *iph1; { struct ipsecdoi_id_b *id_b; - struct sockaddr *sa; + struct sockaddr_storage *sa; caddr_t sa1, sa2; if (iph1->id_p == NULL) { @@ -3638,7 +3636,7 @@ ipsecdoi_checkid1(iph1) return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } - id_b = (struct ipsecdoi_id_b *)iph1->id_p->v; + id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v; /* In main mode with pre-shared key, only address type can be used. * If NAT Traversal being used and peer is behind nat and 
@@ -3691,7 +3689,7 @@ ipsecdoi_checkid1(iph1) u_int16_t port; - switch (iph1->remote->sa_family) { + switch (iph1->remote->ss_family) { case AF_INET: port = ((struct sockaddr_in *)iph1->remote)->sin_port; break; @@ -3703,7 +3701,7 @@ ipsecdoi_checkid1(iph1) default: plog(LLV_ERROR, LOCATION, NULL, "invalid family: %d\n", - iph1->remote->sa_family); + iph1->remote->ss_family); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } if (ntohs(id_b->port) != port) { @@ -3719,7 +3717,9 @@ ipsecdoi_checkid1(iph1) /* compare with the ID if specified. */ if (genlist_next(iph1->rmconf->idvl_p, 0)) { vchar_t *ident0 = NULL; +#ifdef HAVE_OPENSSL vchar_t ident; +#endif struct idspec *id; struct genlist_entry *gpb; @@ -3748,9 +3748,9 @@ ipsecdoi_checkid1(iph1) #endif break; case IDTYPE_ADDRESS: - sa = (struct sockaddr *)ident0->v; + sa = ALIGNED_CAST(struct sockaddr_storage *)ident0->v; sa2 = (caddr_t)(id_b + 1); - switch (sa->sa_family) { + switch (sa->ss_family) { case AF_INET: if (iph1->id_p->l - sizeof(*id_b) != sizeof(struct in_addr)) continue; /* ID value mismatch */ @@ -3804,7 +3804,7 @@ ipsecdoi_setid1(iph1) vchar_t *ret = NULL; struct ipsecdoi_id_b id_b; vchar_t *ident = NULL; - struct sockaddr *ipid = NULL; + struct sockaddr_storage *ipid = NULL; /* init */ id_b.proto_id = 0; @@ -3883,7 +3883,7 @@ ipsecdoi_setid1(iph1) * ip address by using ike negotiation. */ if (iph1->rmconf->idv) - ipid = (struct sockaddr *)iph1->rmconf->idv->v; + ipid = ALIGNED_CAST(struct sockaddr_storage *)iph1->rmconf->idv->v; /*FALLTHROUGH*/ default: { @@ -3894,7 +3894,7 @@ ipsecdoi_setid1(iph1) ipid = iph1->local; /* use IP address */ - switch (ipid->sa_family) { + switch (ipid->ss_family) { case AF_INET: id_b.type = IPSECDOI_ID_IPV4_ADDR; l = sizeof(struct in_addr); @@ -4065,7 +4065,7 @@ set_identifier_qual(vpp, type, value, qual) break; case IDTYPE_ADDRESS: { - struct sockaddr *sa; + struct sockaddr_storage *sa; /* length is adjusted since QUOTEDSTRING teminates NULL. */ if (value->l == 0) 
@@ -4078,7 +4078,7 @@ set_identifier_qual(vpp, type, value, qual) return -1; } - new = vmalloc(sysdep_sa_len(sa)); + new = vmalloc(sysdep_sa_len((struct sockaddr *)sa)); if (new == NULL) { racoon_free(sa); return -1; @@ -4152,7 +4152,7 @@ ipsecdoi_setid2(iph2) return -1; } - iph2->id = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.src, + iph2->id = ipsecdoi_sockaddr2id(&sp->spidx.src, sp->spidx.prefs, sp->spidx.ul_proto); if (iph2->id == NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -4160,8 +4160,8 @@ ipsecdoi_setid2(iph2) spidx2str(&sp->spidx)); return -1; } - if ((((struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR || - ((struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR_SUBNET) && + if (((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR || + (ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR_SUBNET) && iph2->side == RESPONDER && iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id) { @@ -4171,11 +4171,11 @@ ipsecdoi_setid2(iph2) } } plog(LLV_DEBUG, LOCATION, NULL, "use local ID type %s\n", - s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id->v)->type)); + s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type)); plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); /* remote side */ - iph2->id_p = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.dst, + iph2->id_p = ipsecdoi_sockaddr2id(&sp->spidx.dst, sp->spidx.prefd, sp->spidx.ul_proto); if (iph2->id_p == NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -4186,7 +4186,7 @@ ipsecdoi_setid2(iph2) } plog(LLV_DEBUG, LOCATION, NULL, "use remote ID type %s\n", - s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id_p->v)->type)); + s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v)->type)); plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); return 0; 
@@ -4198,7 +4198,7 @@ ipsecdoi_setid2(iph2) */ vchar_t * ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto) - struct sockaddr *saddr; + struct sockaddr_storage *saddr; u_int prefixlen; u_int ul_proto; { @@ -4211,7 +4211,7 @@ ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto) * Q. When type is SUBNET, is it allowed to be ::1/128. * A. Yes. (consensus at bake-off) */ - switch (saddr->sa_family) { + switch (saddr->ss_family) { case AF_INET: len1 = sizeof(struct in_addr); if (prefixlen == (sizeof(struct in_addr) << 3)) { @@ -4240,7 +4240,7 @@ ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto) #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d.\n", saddr->sa_family); + "invalid family: %d.\n", saddr->ss_family); return NULL; } @@ -4255,16 +4255,16 @@ ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto) memset(new->v, 0, new->l); /* set the part of header. */ - ((struct ipsecdoi_id_b *)new->v)->type = type; + (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->type = type; /* set ul_proto and port */ /* * NOTE: we use both IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY as wild card * because 0 means port number of 0. Instead of 0, we use IPSEC_*_ANY. */ - ((struct ipsecdoi_id_b *)new->v)->proto_id = + (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->proto_id = ul_proto == IPSEC_ULPROTO_ANY ? 0 : ul_proto; - ((struct ipsecdoi_id_b *)new->v)->port = + (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->port = port == IPSEC_PORT_ANY ? 0 : port; memcpy(new->v + sizeof(struct ipsecdoi_id_b), sa, len1); 
@@ -4290,19 +4290,19 @@ ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto) vchar_t * ipsecdoi_sockrange2id(laddr, haddr, ul_proto) - struct sockaddr *laddr, *haddr; + struct sockaddr_storage *laddr, *haddr; u_int ul_proto; { vchar_t *new; int type, len1, len2; u_short port; - if (laddr->sa_family != haddr->sa_family) { + if (laddr->ss_family != haddr->ss_family) { plog(LLV_ERROR, LOCATION, NULL, "Address family mismatch\n"); return NULL; } - switch (laddr->sa_family) { + switch (laddr->ss_family) { case AF_INET: type = IPSECDOI_ID_IPV4_ADDR_RANGE; len1 = sizeof(struct in_addr); @@ -4317,7 +4317,7 @@ ipsecdoi_sockrange2id(laddr, haddr, ul_proto) #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d.\n", laddr->sa_family); + "invalid family: %d.\n", laddr->ss_family); return NULL; } @@ -4331,17 +4331,17 @@ ipsecdoi_sockrange2id(laddr, haddr, ul_proto) memset(new->v, 0, new->l); /* set the part of header. */ - ((struct ipsecdoi_id_b *)new->v)->type = type; + (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->type = type; /* set ul_proto and port */ /* * NOTE: we use both IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY as wild card * because 0 means port number of 0. Instead of 0, we use IPSEC_*_ANY. */ - ((struct ipsecdoi_id_b *)new->v)->proto_id = + (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->proto_id = ul_proto == IPSEC_ULPROTO_ANY ? 0 : ul_proto; port = ((struct sockaddr_in *)(laddr))->sin_port; - ((struct ipsecdoi_id_b *)new->v)->port = + (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->port = port == IPSEC_PORT_ANY ? 0 : port; memcpy(new->v + sizeof(struct ipsecdoi_id_b), (caddr_t)&((struct sockaddr_in *)(laddr))->sin_addr, 
@@ -4354,18 +4354,18 @@ ipsecdoi_sockrange2id(laddr, haddr, ul_proto) /* - * create sockaddr structure from ID payload (buf). + * create sockaddr_storage structure from ID payload (buf). * buffers (saddr, prefixlen, ul_proto) must be allocated. * see, RFC2407 4.6.2.1 */ int ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto) vchar_t *buf; - struct sockaddr *saddr; + struct sockaddr_storage *saddr; u_int8_t *prefixlen; u_int16_t *ul_proto; { - struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)buf->v; + struct ipsecdoi_id_b *id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)buf->v; u_int plen = 0; /* @@ -4378,8 +4378,8 @@ ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto) switch (id_b->type) { case IPSECDOI_ID_IPV4_ADDR: case IPSECDOI_ID_IPV4_ADDR_SUBNET: - saddr->sa_len = sizeof(struct sockaddr_in); - saddr->sa_family = AF_INET; + saddr->ss_len = sizeof(struct sockaddr_in); + saddr->ss_family = AF_INET; ((struct sockaddr_in *)saddr)->sin_port = (id_b->port == 0 ? IPSEC_PORT_ANY @@ -4390,8 +4390,8 @@ ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto) #ifdef INET6 case IPSECDOI_ID_IPV6_ADDR: case IPSECDOI_ID_IPV6_ADDR_SUBNET: - saddr->sa_len = sizeof(struct sockaddr_in6); - saddr->sa_family = AF_INET6; + saddr->ss_len = sizeof(struct sockaddr_in6); + saddr->ss_family = AF_INET6; ((struct sockaddr_in6 *)saddr)->sin6_port = (id_b->port == 0 ? IPSEC_PORT_ANY @@ -4490,7 +4490,7 @@ ipsecdoi_id2str(id) int len = 0; char *dat; static char buf[BUFLEN]; - struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)id->v; + struct ipsecdoi_id_b *id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)id->v; struct sockaddr_storage saddr; u_int plen = 0; 
@@ -4501,8 +4501,8 @@ ipsecdoi_id2str(id)
 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
 case IPSECDOI_ID_IPV4_ADDR_RANGE:
- ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in);
- ((struct sockaddr *)&saddr)->sa_family = AF_INET;
+ saddr.ss_len = sizeof(struct sockaddr_in);
+ saddr.ss_family = AF_INET;
 ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
 memcpy(&((struct sockaddr_in *)&saddr)->sin_addr, id->v + sizeof(*id_b), sizeof(struct in_addr));
@@ -4511,14 +4511,14 @@ ipsecdoi_id2str(id)
 case IPSECDOI_ID_IPV6_ADDR:
 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
 case IPSECDOI_ID_IPV6_ADDR_RANGE:
- ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in6);
- ((struct sockaddr *)&saddr)->sa_family = AF_INET6;
+ saddr.ss_len = sizeof(struct sockaddr_in6);
+ saddr.ss_family = AF_INET6;
 ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
 memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr, id->v + sizeof(*id_b), sizeof(struct in6_addr));
 ((struct sockaddr_in6 *)&saddr)->sin6_scope_id = (IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)&saddr)->sin6_addr)
- ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ ? (ALIGNED_CAST(struct sockaddr_in6 *)id_b)->sin6_scope_id
 : 0);
 break;
 #endif
@@ -4593,8 +4593,8 @@ ipsecdoi_id2str(id)
 len = snprintf( buf, sizeof(buf), "%s-", saddrwop2str((struct sockaddr *)&saddr));
- ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in);
- ((struct sockaddr *)&saddr)->sa_family = AF_INET;
+ saddr.ss_len = sizeof(struct sockaddr_in);
+ saddr.ss_family = AF_INET;
 ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
 memcpy(&((struct sockaddr_in *)&saddr)->sin_addr, id->v + sizeof(*id_b) + sizeof(struct in_addr),
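Review bot: The new `? (ALIGNED_CAST(struct sockaddr_in6 *)id_b)->sin6_scope_id` in the @@ -4511 hunk only silences the alignment warning; the cast itself is the defect. `id_b` points at the 4-byte ID header followed by the raw in6_addr, not at a sockaddr_in6, so with the BSD sockaddr_in6 layout `sin6_scope_id` is read at offset 24 of the ID payload, which is past the end of a 20-byte IPSECDOI_ID_IPV6_ADDR payload and inside the mask or upper-address bytes for the SUBNET and RANGE forms. The ID wire format carries no scope id, so I would make this `: 0` unconditionally (or take the scope from the receiving socket) and drop the cast; the same expression is repeated in the @@ -4611 hunk of this file.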
@@ -4611,15 +4611,15 @@ ipsecdoi_id2str(id)
 len = snprintf( buf, sizeof(buf), "%s-", saddrwop2str((struct sockaddr *)&saddr));
- ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in6);
- ((struct sockaddr *)&saddr)->sa_family = AF_INET6;
+ saddr.ss_len = sizeof(struct sockaddr_in6);
+ saddr.ss_family = AF_INET6;
 ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
 memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr, id->v + sizeof(*id_b) + sizeof(struct in6_addr), sizeof(struct in6_addr));
 ((struct sockaddr_in6 *)&saddr)->sin6_scope_id = (IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)&saddr)->sin6_addr)
- ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ ? (ALIGNED_CAST(struct sockaddr_in6 *)id_b)->sin6_scope_id
 : 0);
 if (len >= 0) {
diff --git a/ipsec-tools/racoon/ipsec_doi.h b/ipsec-tools/racoon/ipsec_doi.h
index 37f7657..e795a6a 100644
--- a/ipsec-tools/racoon/ipsec_doi.h
+++ b/ipsec-tools/racoon/ipsec_doi.h
@@ -229,12 +229,12 @@ extern int ipsecdoi_setid1 __P((struct ph1handle *));
 extern int set_identifier __P((vchar_t **, int, vchar_t *));
 extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
 extern int ipsecdoi_setid2 __P((struct ph2handle *));
-extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
-extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
+extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr_storage *, u_int, u_int));
+extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr_storage *,
 u_int8_t *, u_int16_t *));
 extern char *ipsecdoi_id2str __P((const vchar_t *));
-extern vchar_t *ipsecdoi_sockrange2id __P(( struct sockaddr *,
- struct sockaddr *, u_int));
+extern vchar_t *ipsecdoi_sockrange2id __P(( struct sockaddr_storage *,
+ struct sockaddr_storage *, u_int));
 extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *));
 extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
diff --git a/ipsec-tools/racoon/isakmp.c b/ipsec-tools/racoon/isakmp.c
index 36bd7d0..16eabb3 100644
--- a/ipsec-tools/racoon/isakmp.c
+++ b/ipsec-tools/racoon/isakmp.c
@@ -178,18 +178,18 @@ static int (*ph2exchange[][2][PHASE2ST_MAX])
 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
-static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
+static int isakmp_main __P((vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *));
 static int ph1_main __P((struct ph1handle *, vchar_t *));
 static int quick_main __P((struct ph2handle *, vchar_t *));
 static int isakmp_ph1begin_r __P((vchar_t *,
- struct sockaddr *, struct sockaddr *, u_int8_t));
+ struct sockaddr_storage *, struct sockaddr_storage *, u_int8_t));
 static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
 static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
 static int etypesw1 __P((int));
 static int etypesw2 __P((int));
 #ifdef ENABLE_FRAG
 static int frag_handler(struct ph1handle *,
- vchar_t *, struct sockaddr *, struct sockaddr *);
+ vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *);
 #endif
 /*
@@ -201,6 +201,7 @@ isakmp_handler(so_isakmp)
 {
 struct isakmp isakmp;
 union {
+ u_int64_t force_align; // Wcast-align fix - force alignment
 char buf[sizeof (isakmp) + 4];
 u_int32_t non_esp[2];
 char lbuf[sizeof(struct udphdr) +
@@ -211,7 +212,8 @@ isakmp_handler(so_isakmp)
 struct sockaddr_storage local;
 unsigned int remote_len = sizeof(remote);
 unsigned int local_len = sizeof(local);
- int len = 0, extralen = 0;
+ ssize_t len = 0;
+ int extralen = 0;
 u_short port;
 vchar_t *buf = NULL, *tmpbuf = NULL;
 int error = -1;
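Review bot: `len` becomes `ssize_t` in the @@ -211 hunk, but the two plog calls that print it, in the @@ -271 hunk (`"packet shorter than isakmp header size (%u, %u, %zu)\n"`) and the @@ -343 hunk (`"received invalid length (%d != %zu), why ?\n"`), still format it with `%u` and `%d`, which is a format/argument type mismatch once the argument is 64-bit on LP64 and is exactly what -Wformat reports; use `%zd` for `len` in both strings. The `len < sizeof(isakmp)` and `len != buf->l` comparisons in those hunks are now signed/unsigned; they are safe only because the recvfromto loops already reject negative values, so a `(size_t)len` cast would document that and keep -Wsign-compare quiet. isakmp_handler's body continues outside this hunk.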
@@ -224,8 +226,7 @@ isakmp_handler(so_isakmp)
 /* read message by MSG_PEEK */
 while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
- MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
- (struct sockaddr *)&local, &local_len)) < 0) {
+ MSG_PEEK, &remote, &remote_len, &local, &local_len)) < 0) {
 if (errno == EINTR) continue;
 plog(LLV_ERROR, LOCATION, NULL,
@@ -251,9 +252,9 @@ isakmp_handler(so_isakmp)
 struct udphdr *udp;
 struct ip *ip;
- udp = (struct udphdr *)&x.lbuf[0];
+ udp = ALIGNED_CAST(struct udphdr *)&x.lbuf[0];
 if (ntohs(udp->uh_dport) == 501) {
- ip = (struct ip *)(x.lbuf + sizeof(*udp));
+ ip = ALIGNED_CAST(struct ip *)(x.lbuf + sizeof(*udp));
 extralen += sizeof(*udp) + ip->ip_hl;
 }
 }
@@ -271,7 +272,7 @@ isakmp_handler(so_isakmp)
 /* check isakmp header length, as well as sanity of header length */
 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
- plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
+ plog(LLV_ERROR, LOCATION, &remote,
 "packet shorter than isakmp header size (%u, %u, %zu)\n", len, ntohl(isakmp.len), sizeof(isakmp));
 /* dummy receive */
@@ -314,8 +315,7 @@ isakmp_handler(so_isakmp)
 }
 while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
- 0, (struct sockaddr *)&remote, &remote_len,
- (struct sockaddr *)&local, &local_len)) < 0) {
+ 0, &remote, &remote_len, &local, &local_len)) < 0) {
 if (errno == EINTR) continue;
 plog(LLV_ERROR, LOCATION, NULL,
@@ -343,8 +343,7 @@ isakmp_handler(so_isakmp)
 len -= extralen;
 if (len != buf->l) {
- plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
- "received invalid length (%d != %zu), why ?\n",
+ plog(LLV_ERROR, LOCATION, &remote, "received invalid length (%d != %zu), why ?\n",
 len, buf->l);
 goto end;
 }
@@ -373,7 +372,7 @@ isakmp_handler(so_isakmp)
 goto end;
 }
 if (port == 0) {
- plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
+ plog(LLV_ERROR, LOCATION, &remote,
 "src port == 0 (valid as UDP but not with IKE)\n");
 goto end;
 }
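Review bot: The `extralen += sizeof(*udp) + ip->ip_hl;` line right after the new `ip = ALIGNED_CAST(struct ip *)(x.lbuf + sizeof(*udp));` in the @@ -251 hunk adds the IP header length in 32-bit words, not bytes; if `lbuf` really carries a UDP header followed by an IP header here, the skip should be `extralen += sizeof(*udp) + (ip->ip_hl << 2);`. Nothing in this hunk shows that the peeked `len` was checked against `sizeof(*udp) + sizeof(*ip)` before `udp->uh_dport` and `ip->ip_hl` are read, so a short datagram would read leftover bytes of `x`; if that guard sits above the hunk this is fine, otherwise add it before the dereference. isakmp_handler's body starts and continues outside this hunk.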
@@ -383,8 +382,7 @@ isakmp_handler(so_isakmp) /* XXX: I don't know how to check isakmp half connection attack. */ /* simply reply if the packet was processed. */ - if (check_recvdpkt((struct sockaddr *)&remote, - (struct sockaddr *)&local, buf)) { + if (check_recvdpkt(&remote, &local, buf)) { IPSECLOGASLMSG("Received retransmitted packet from %s.\n", saddr2str((struct sockaddr *)&remote)); @@ -396,8 +394,7 @@ isakmp_handler(so_isakmp) } /* isakmp main routine */ - if (isakmp_main(buf, (struct sockaddr *)&remote, - (struct sockaddr *)&local) != 0) goto end; + if (isakmp_main(buf, &remote, &local) != 0) goto end; error = 0; @@ -416,7 +413,7 @@ end: static int isakmp_main(msg, remote, local) vchar_t *msg; - struct sockaddr *remote, *local; + struct sockaddr_storage *remote, *local; { struct isakmp *isakmp = (struct isakmp *)msg->v; isakmp_index *index = (isakmp_index *)isakmp; @@ -505,7 +502,7 @@ isakmp_main(msg, remote, local) iph1->local = NULL; /* copy-in new addresses */ - iph1->remote = dupsaddr(remote); + iph1->remote = dupsaddr((struct sockaddr *)remote); if (iph1->remote == NULL) { IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, @@ -517,7 +514,7 @@ isakmp_main(msg, remote, local) delph1(iph1); return -1; } - iph1->local = dupsaddr(local); + iph1->local = dupsaddr((struct sockaddr *)local); if (iph1->local == NULL) { IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 
@@ -538,15 +535,15 @@ isakmp_main(msg, remote, local) /* print some neat info */ plog (LLV_INFO, LOCATION, NULL, "NAT-T: ports changed to: %s\n", - saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local)); + saddr2str_fromto("%s<->%s", (struct sockaddr *)iph1->remote, (struct sockaddr *)iph1->local)); } #endif /* must be same addresses in one stream of a phase at least. */ if (cmpsaddrstrict(iph1->remote, remote) != 0) { char *saddr_db, *saddr_act; - saddr_db = racoon_strdup(saddr2str(iph1->remote)); - saddr_act = racoon_strdup(saddr2str(remote)); + saddr_db = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); + saddr_act = racoon_strdup(saddr2str((struct sockaddr *)remote)); STRDUP_FATAL(saddr_db); STRDUP_FATAL(saddr_act); @@ -686,7 +683,7 @@ isakmp_main(msg, remote, local) plog(LLV_WARNING, LOCATION, remote, "remote address mismatched. " "db=%s\n", - saddr2str(iph1->remote)); + saddr2str((struct sockaddr *)iph1->remote)); } } @@ -804,14 +801,14 @@ isakmp_main(msg, remote, local) plog(LLV_ERROR, LOCATION, NULL, "mode config %d from %s, " "but we have no ISAKMP-SA.\n", - isakmp->etype, saddr2str(remote)); + isakmp->etype, saddr2str((struct sockaddr *)remote)); return -1; } if (iph1->status != PHASE1ST_ESTABLISHED) { plog(LLV_ERROR, LOCATION, NULL, "mode config %d from %s, " "but ISAKMP-SA %s isn't established.\n", - isakmp->etype, saddr2str(remote), + isakmp->etype, saddr2str((struct sockaddr *)remote), isakmp_pindex(&iph1->index, iph1->msgid)); return -1; } @@ -828,7 +825,7 @@ isakmp_main(msg, remote, local) default: plog(LLV_ERROR, LOCATION, NULL, "Invalid exchange type %d from %s.\n", - isakmp->etype, saddr2str(remote)); + isakmp->etype, saddr2str((struct sockaddr *)remote)); return -1; } @@ -936,7 +933,7 @@ ph1_main(iph1, msg) #ifdef ENABLE_VPNCONTROL_PORT if (iph1->side == RESPONDER && - iph1->local->sa_family == AF_INET) { + iph1->local->ss_family == AF_INET) { struct redirect *addr; 
@@ -1163,7 +1160,7 @@ quick_main(iph2, msg) int isakmp_ph1begin_i(rmconf, remote, local, started_by_api) struct remoteconf *rmconf; - struct sockaddr *remote, *local; + struct sockaddr_storage *remote, *local; int started_by_api; { struct ph1handle *iph1; @@ -1243,12 +1240,12 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) { char *a; - a = racoon_strdup(saddr2str(iph1->local)); + a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); STRDUP_FATAL(a); plog(LLV_INFO, LOCATION, NULL, "initiate new phase 1 negotiation: %s<=>%s\n", - a, saddr2str(iph1->remote)); + a, saddr2str((struct sockaddr *)iph1->remote)); racoon_free(a); } plog(LLV_INFO, LOCATION, NULL, @@ -1292,7 +1289,7 @@ isakmp_ph1begin_i(rmconf, remote, local, started_by_api) static int isakmp_ph1begin_r(msg, remote, local, etype) vchar_t *msg; - struct sockaddr *remote, *local; + struct sockaddr_storage *remote, *local; u_int8_t etype; { struct isakmp *isakmp = (struct isakmp *)msg->v; @@ -1386,12 +1383,12 @@ isakmp_ph1begin_r(msg, remote, local, etype) { char *a; - a = racoon_strdup(saddr2str(iph1->local)); + a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); STRDUP_FATAL(a); plog(LLV_INFO, LOCATION, NULL, "respond new phase 1 negotiation: %s<=>%s\n", - a, saddr2str(iph1->remote)); + a, saddr2str((struct sockaddr *)iph1->remote)); racoon_free(a); } plog(LLV_INFO, LOCATION, NULL, @@ -1464,12 +1461,12 @@ isakmp_ph2begin_i(iph1, iph2) plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); { char *a; - a = racoon_strdup(saddr2str(iph2->src)); + a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src)); STRDUP_FATAL(a); plog(LLV_INFO, LOCATION, NULL, "initiate new phase 2 negotiation: %s<=>%s\n", - a, saddr2str(iph2->dst)); + a, saddr2str((struct sockaddr *)iph2->dst)); racoon_free(a); } 
@@ -1542,12 +1539,12 @@ isakmp_ph2begin_r(iph1, msg) delph2(iph2); return -1; } - iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */ + iph2->dst = dupsaddr((struct sockaddr *)iph1->remote); /* XXX should be considered */ if (iph2->dst == NULL) { delph2(iph2); return -1; } - switch (iph2->dst->sa_family) { + switch (iph2->dst->ss_family) { case AF_INET: #ifndef ENABLE_NATT ((struct sockaddr_in *)iph2->dst)->sin_port = 0; @@ -1562,17 +1559,17 @@ isakmp_ph2begin_r(iph1, msg) #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph2->dst->sa_family); + "invalid family: %d\n", iph2->dst->ss_family); delph2(iph2); return -1; } - iph2->src = dupsaddr(iph1->local); /* XXX should be considered */ + iph2->src = dupsaddr((struct sockaddr *)iph1->local); /* XXX should be considered */ if (iph2->src == NULL) { delph2(iph2); return -1; } - switch (iph2->src->sa_family) { + switch (iph2->src->ss_family) { case AF_INET: #ifndef ENABLE_NATT ((struct sockaddr_in *)iph2->src)->sin_port = 0; @@ -1587,7 +1584,7 @@ isakmp_ph2begin_r(iph1, msg) #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph2->src->sa_family); + "invalid family: %d\n", iph2->src->ss_family); delph2(iph2); return -1; } @@ -1607,12 +1604,12 @@ isakmp_ph2begin_r(iph1, msg) { char *a; - a = racoon_strdup(saddr2str(iph2->src)); + a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src)); STRDUP_FATAL(a); plog(LLV_INFO, LOCATION, NULL, "respond new phase 2 negotiation: %s<=>%s\n", - a, saddr2str(iph2->dst)); + a, saddr2str((struct sockaddr *)iph2->dst)); racoon_free(a); } 
@@ -1691,9 +1688,10 @@ isakmp_parsewoh(np0, gen, len) plog(LLV_ERROR, LOCATION, NULL, "failed to get buffer.\n"); return NULL; - } - p = (struct isakmp_parse_t *)result->v; - ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep)); + } + // Wcast-align fix (void*) - result = aligned buffer of struct isakmp_parse_t + p = ALIGNED_CAST(struct isakmp_parse_t *)result->v; + ep = ALIGNED_CAST(struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep)); tlen = len; @@ -1723,7 +1721,7 @@ isakmp_parsewoh(np0, gen, len) if (ep <= p) { int off; - off = p - (struct isakmp_parse_t *)result->v; + off = p - ALIGNED_CAST(struct isakmp_parse_t *)result->v; result = vrealloc(result, result->l * 2); if (result == NULL) { plog(LLV_DEBUG, LOCATION, NULL, @@ -1731,9 +1729,9 @@ isakmp_parsewoh(np0, gen, len) vfree(result); return NULL; } - ep = (struct isakmp_parse_t *) + ep = ALIGNED_CAST(struct isakmp_parse_t *) (result->v + result->l - sizeof(*ep)); - p = (struct isakmp_parse_t *)result->v; + p = ALIGNED_CAST(struct isakmp_parse_t *)result->v; p += off; } @@ -1860,7 +1858,7 @@ isakmp_open(int *tentative_failures) } /* warn if wildcard address - should we forbid this? */ - switch (p->addr->sa_family) { + switch (p->addr->ss_family) { case AF_INET: if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0) plog(LLV_WARNING, LOCATION, NULL, 
@@ -1883,31 +1881,31 @@ isakmp_open(int *tentative_failures)
 }
 #ifdef INET6
- if (p->addr->sa_family == AF_INET6 &&
+ if (p->addr->ss_family == AF_INET6 &&
 IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *) p->addr)->sin6_addr)) {
 plog(LLV_DEBUG, LOCATION, NULL, "Ignoring multicast address %s\n",
- saddr2str(p->addr));
+ saddr2str((struct sockaddr *)p->addr));
 racoon_free(p->addr);
 p->addr = NULL;
 continue;
 }
 #endif
- if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) {
+ if ((p->sock = socket(p->addr->ss_family, SOCK_DGRAM, 0)) < 0) {
 plog(LLV_ERROR, LOCATION, NULL, "socket (%s)\n", strerror(errno));
 goto err_and_next;
 }
 if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
- plog(LLV_WARNING, LOCATION, NULL,
+ plog(LLV_ERROR, LOCATION, NULL,
 "failed to put socket in non-blocking mode\n");
 /* receive my interface address on inbound packets. */
- switch (p->addr->sa_family) {
+ switch (p->addr->ss_family) {
 case AF_INET:
 if (setsockopt(p->sock, IPPROTO_IP, IP_RECVDSTADDR,
@@ -1938,7 +1936,7 @@ isakmp_open(int *tentative_failures)
 }
 #ifdef IPV6_USE_MIN_MTU
- if (p->addr->ss_family == AF_INET6 &&
+ if (p->addr->ss_family == AF_INET6 &&
 setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, (void *)&yes, sizeof(yes)) < 0) {
 plog(LLV_ERROR, LOCATION, NULL,
@@ -1948,7 +1946,7 @@ isakmp_open(int *tentative_failures)
 }
 #endif
- if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
+ if (setsockopt_bypass(p->sock, p->addr->ss_family) < 0)
 goto err_and_next;
 if (extract_port(p->addr) == PORT_ISAKMP) {
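Review bot: The fcntl failure in the @@ -1883 hunk is promoted from LLV_WARNING to LLV_ERROR but the code still falls through and keeps the socket, so the listener is left in blocking mode and a stalled recv on it can block the whole daemon loop; if this is now an error, add `goto err_and_next;` after the plog so the socket is closed and skipped like the socket() and setsockopt_bypass failures below it, otherwise keep the warning level. The rest of isakmp_open continues outside this hunk.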
@@ -1960,14 +1958,14 @@ isakmp_open(int *tentative_failures) } } - if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) { + if (bind(p->sock, (struct sockaddr *)p->addr, sysdep_sa_len((struct sockaddr *)p->addr)) < 0) { int tmp_errno = errno; plog(LLV_ERROR, LOCATION, p->addr, "failed to bind to address %s (%s).\n", - saddr2str(p->addr), strerror(tmp_errno)); + saddr2str((struct sockaddr *)p->addr), strerror(tmp_errno)); #ifdef INET6 // if bind failed b/c of a tentative v6 address, try again later - if (tmp_errno == EADDRNOTAVAIL && p->addr->sa_family == AF_INET6) { + if (tmp_errno == EADDRNOTAVAIL && p->addr->ss_family == AF_INET6) { struct in6_ifreq ifr6; bzero(&ifr6, sizeof(ifr6)); @@ -1982,7 +1980,7 @@ isakmp_open(int *tentative_failures) // address may have been tentantive... invalidate sock but leave address around for another try later plog(LLV_ERROR, LOCATION, p->addr, "failed to bind to address %s: because interface address is/was not ready (flags %x).\n", - saddr2str(p->addr), ifr6.ifr_ifru.ifru_flags6); + saddr2str((struct sockaddr *)p->addr), ifr6.ifr_ifru.ifru_flags6); close(p->sock); p->sock = -1; if (tentative_failures) { @@ -1992,12 +1990,12 @@ isakmp_open(int *tentative_failures) } else { plog(LLV_ERROR, LOCATION, p->addr, "failed to bind to address %s: because of interface address error, flags %x.\n", - saddr2str(p->addr), ifr6.ifr_ifru.ifru_flags6); + saddr2str((struct sockaddr *)p->addr), ifr6.ifr_ifru.ifru_flags6); } } else { plog(LLV_ERROR, LOCATION, p->addr, "failed to bind to address %s: can't read interface address flags.\n", - saddr2str(p->addr)); + saddr2str((struct sockaddr *)p->addr)); } } #endif @@ -2012,7 +2010,7 @@ isakmp_open(int *tentative_failures) plog(LLV_INFO, LOCATION, NULL, "%s used as isakmp port (fd=%d)\n", - saddr2str(p->addr), p->sock); + saddr2str((struct sockaddr *)p->addr), p->sock); continue; err_and_next: 
@@ -2120,14 +2118,14 @@ isakmp_send(iph1, sbuf) "vbuf allocation failed\n"); return -1; } - *(u_int32_t *)vbuf->v = 0; + *ALIGNED_CAST(u_int32_t *)vbuf->v = 0; memcpy (vbuf->v + extralen, sbuf->v, sbuf->l); sbuf = vbuf; } #endif /* select the socket to be sent */ - s = getsockmyaddr(iph1->local); + s = getsockmyaddr((struct sockaddr *)iph1->local); if (s == -1){ if ( vbuf != NULL ) vfree(vbuf); @@ -2135,7 +2133,7 @@ isakmp_send(iph1, sbuf) } plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, - saddr2str_fromto("from %s to %s", iph1->local, iph1->remote)); + saddr2str_fromto("from %s to %s", (struct sockaddr *)iph1->local, (struct sockaddr *)iph1->remote)); #ifdef ENABLE_FRAG if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) { @@ -2373,8 +2371,8 @@ isakmp_ph1expire(iph1) #endif if(iph1->status != PHASE1ST_EXPIRED){ - src = racoon_strdup(saddr2str(iph1->local)); - dst = racoon_strdup(saddr2str(iph1->remote)); + src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); + dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); STRDUP_FATAL(src); STRDUP_FATAL(dst); @@ -2425,8 +2423,8 @@ int ignore_sess_drop_policy; return; } - src = racoon_strdup(saddr2str(iph1->local)); - dst = racoon_strdup(saddr2str(iph1->remote)); + src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); + dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); STRDUP_FATAL(src); STRDUP_FATAL(dst); @@ -2474,7 +2472,7 @@ int ignore_sess_drop_policy; } else { plog(LLV_ERROR, LOCATION, NULL, "Phase1 rekey failed: no configuration found for %s.\n", - saddrwop2str(iph1->remote)); + saddrwop2str((struct sockaddr *)iph1->remote)); } } 
@@ -2488,14 +2486,14 @@ struct ph1handle *iph1; // this code path is meant for floated ph1 rekeys that are failing on the first message if (iph1->sce != NULL || iph1->sce_rekey != NULL || - (iph1->status != PHASE1ST_MSG1SENT || (iph1->natt_flags & NAT_PORTS_CHANGED == 0)) || + (iph1->status != PHASE1ST_MSG1SENT || ((iph1->natt_flags & NAT_PORTS_CHANGED) == 0)) || (extract_port(iph1->local) != PORT_ISAKMP_NATT && extract_port(iph1->remote) != PORT_ISAKMP_NATT) || iph1->is_dying) { return -1; } - src = racoon_strdup(saddr2str(iph1->local)); - dst = racoon_strdup(saddr2str(iph1->remote)); + src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); + dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); STRDUP_FATAL(src); STRDUP_FATAL(dst); @@ -2542,7 +2540,7 @@ struct ph1handle *iph1; } else { plog(LLV_ERROR, LOCATION, NULL, "Phase1 rekey retry failed: no configuration found for %s.\n", - saddrwop2str(iph1->remote)); + saddrwop2str((struct sockaddr *)iph1->remote)); return -1; } return 0; @@ -2578,8 +2576,8 @@ isakmp_ph1delete(iph1) /* don't re-negosiation when the phase 1 SA expires. */ - src = racoon_strdup(saddr2str(iph1->local)); - dst = racoon_strdup(saddr2str(iph1->remote)); + src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); + dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); STRDUP_FATAL(src); STRDUP_FATAL(dst); @@ -2622,8 +2620,8 @@ isakmp_ph2expire(iph2) SCHED_KILL(iph2->sce); - src = racoon_strdup(saddrwop2str(iph2->src)); - dst = racoon_strdup(saddrwop2str(iph2->dst)); + src = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->src)); + dst = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->dst)); STRDUP_FATAL(src); STRDUP_FATAL(dst); 
@@ -2670,8 +2668,8 @@ isakmp_ph2delete(iph2) SCHED_KILL(iph2->sce); - src = racoon_strdup(saddrwop2str(iph2->src)); - dst = racoon_strdup(saddrwop2str(iph2->dst)); + src = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->src)); + dst = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->dst)); STRDUP_FATAL(src); STRDUP_FATAL(dst); @@ -2708,7 +2706,7 @@ isakmp_post_acquire(iph2) if (rmconf == NULL) { plog(LLV_ERROR, LOCATION, NULL, "no configuration found for %s.\n", - saddrwop2str(iph2->dst)); + saddrwop2str((struct sockaddr *)iph2->dst)); return -1; } @@ -2717,7 +2715,7 @@ isakmp_post_acquire(iph2) plog(LLV_DEBUG, LOCATION, NULL, "because of passive mode, " "ignore the acquire message for %s.\n", - saddrwop2str(iph2->dst)); + saddrwop2str((struct sockaddr *)iph2->dst)); return 0; } @@ -2754,7 +2752,7 @@ isakmp_post_acquire(iph2) plog(LLV_INFO, LOCATION, NULL, "IPsec-SA request for %s queued " "due to no phase1 found.\n", - saddrwop2str(iph2->dst)); + saddrwop2str((struct sockaddr *)iph2->dst)); // exit if there is another ph1 that is established (with a pending rekey timer) if (ike_session_has_negoing_ph1(iph2->parent_session)) { 
@@ -2893,16 +2891,16 @@ isakmp_chkph1there(iph2) /* found isakmp-sa */ plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local)); - plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote)); + plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str((struct sockaddr *)iph1->local)); + plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str((struct sockaddr *)iph1->remote)); plog(LLV_DEBUG2, LOCATION, NULL, "before:\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src)); - plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst)); + plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)iph2->src)); + plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst)); set_port(iph2->src, extract_port(iph1->local)); set_port(iph2->dst, extract_port(iph1->remote)); plog(LLV_DEBUG2, LOCATION, NULL, "After:\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src)); - plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst)); + plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)iph2->src)); + plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst)); /* begin quick mode */ if (isakmp_ph2begin_i(iph1, iph2)) { @@ -3035,8 +3033,8 @@ isakmp_add_attr_l(buf0, type, val) int isakmp_newcookie(place, remote, local) caddr_t place; - struct sockaddr *remote; - struct sockaddr *local; + struct sockaddr_storage *remote; + struct sockaddr_storage *local; { vchar_t *buf = NULL, *buf2 = NULL; char *p; 
@@ -3048,13 +3046,13 @@ isakmp_newcookie(place, remote, local) u_short port; - if (remote->sa_family != local->sa_family) { + if (remote->ss_family != local->ss_family) { plog(LLV_ERROR, LOCATION, NULL, "address family mismatch, remote:%d local:%d\n", - remote->sa_family, local->sa_family); + remote->ss_family, local->ss_family); goto end; } - switch (remote->sa_family) { + switch (remote->ss_family) { case AF_INET: alen = sizeof(struct in_addr); sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr; @@ -3069,7 +3067,7 @@ isakmp_newcookie(place, remote, local) #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", remote->sa_family); + "invalid family: %d\n", remote->ss_family); goto end; } blen = (alen + sizeof(u_short)) * 2 @@ -3307,7 +3305,7 @@ getname(ap) addr.sin_len = sizeof(struct sockaddr_in); addr.sin_family = AF_INET; memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr)); - if (getnameinfo((struct sockaddr *)&addr, sizeof(addr), + if (getnameinfo(&addr, sizeof(addr), ntop_buf, sizeof(ntop_buf), NULL, 0, NI_NUMERICHOST | niflags)) strlcpy(ntop_buf, "?", sizeof(ntop_buf)); @@ -3331,7 +3329,7 @@ getname6(ap) addr.sin6_len = sizeof(struct sockaddr_in6); addr.sin6_family = AF_INET6; memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr)); - if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len, + if (getnameinfo(&addr, addr.sin6_len, ntop_buf, sizeof(ntop_buf), NULL, 0, NI_NUMERICHOST | niflags)) strlcpy(ntop_buf, "?", sizeof(ntop_buf)); @@ -3356,8 +3354,8 @@ safeputchar(c) void isakmp_printpacket(msg, from, my, decoded) vchar_t *msg; - struct sockaddr *from; - struct sockaddr *my; + struct sockaddr_storage *from; + struct sockaddr_storage *my; int decoded; { #ifdef YIPS_DEBUG 
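Review bot: Dropping the `(struct sockaddr *)` cast in the getnameinfo calls of getname and getname6 passes a `struct sockaddr_in *` / `struct sockaddr_in6 *` where the POSIX prototype takes `const struct sockaddr *`; unless the platform's netdb.h declares that parameter as a transparent union, this trades a -Wcast-align warning for an incompatible-pointer-type diagnostic. The same applies to the two isakmp_printpacket calls on the next line, where `from` and `my` are now `struct sockaddr_storage *`. Keeping `getnameinfo((struct sockaddr *)&addr, sizeof(addr), …` is the portable form, and since `struct sockaddr` has no stricter alignment than the specific address structs that cast should not be what -Wcast-align was flagging.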
@@ -3380,7 +3378,7 @@ isakmp_printpacket(msg, from, my, decoded) printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec); if (from) { - if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf), + if (getnameinfo(from, sysdep_sa_len((struct sockaddr *)from), hostbuf, sizeof(hostbuf), portbuf, sizeof(portbuf), NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { strlcpy(hostbuf, "?", sizeof(hostbuf)); @@ -3391,7 +3389,7 @@ isakmp_printpacket(msg, from, my, decoded) printf("?"); printf(" -> "); if (my) { - if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf), + if (getnameinfo(my, sysdep_sa_len((struct sockaddr *)my), hostbuf, sizeof(hostbuf), portbuf, sizeof(portbuf), NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { strlcpy(hostbuf, "?", sizeof(hostbuf)); @@ -3435,12 +3433,12 @@ int copy_ph1addresses(iph1, rmconf, remote, local) struct ph1handle *iph1; struct remoteconf *rmconf; - struct sockaddr *remote, *local; + struct sockaddr_storage *remote, *local; { u_short *port = NULL; /* address portion must be grabbed from real remote address "remote" */ - iph1->remote = dupsaddr(remote); + iph1->remote = dupsaddr((struct sockaddr *)remote); if (iph1->remote == NULL) { delph1(iph1); return -1; @@ -3453,7 +3451,7 @@ copy_ph1addresses(iph1, rmconf, remote, local) * if remote has port # (in case of responder - from recvfrom(2)) * respect content of "remote". */ - switch (iph1->remote->sa_family) { + switch (iph1->remote->ss_family) { case AF_INET: port = &((struct sockaddr_in *)iph1->remote)->sin_port; if (*port) 
@@ -3476,21 +3474,21 @@ copy_ph1addresses(iph1, rmconf, remote, local) #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph1->remote->sa_family); + "invalid family: %d\n", iph1->remote->ss_family); delph1(iph1); return -1; } if (local == NULL) - iph1->local = getlocaladdr(iph1->remote); + iph1->local = getlocaladdr((struct sockaddr *)iph1->remote); else - iph1->local = dupsaddr(local); + iph1->local = dupsaddr((struct sockaddr *)local); if (iph1->local == NULL) { delph1(iph1); return -1; } port = NULL; - switch (iph1->local->sa_family) { + switch (iph1->local->ss_family) { case AF_INET: port = &((struct sockaddr_in *)iph1->local)->sin_port; if (*port) @@ -3513,7 +3511,7 @@ copy_ph1addresses(iph1, rmconf, remote, local) #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph1->local->sa_family); + "invalid family: %d\n", iph1->local->ss_family); delph1(iph1); return -1; } @@ -3553,8 +3551,8 @@ log_ph1established(iph1) { char *src, *dst; - src = racoon_strdup(saddr2str(iph1->local)); - dst = racoon_strdup(saddr2str(iph1->remote)); + src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); + dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); STRDUP_FATAL(src); STRDUP_FATAL(dst); @@ -3650,10 +3648,11 @@ int frag_handler(iph1, msg, remote, local) struct ph1handle *iph1; vchar_t *msg; - struct sockaddr *remote; - struct sockaddr *local; + struct sockaddr_storage *remote; + struct sockaddr_storage *local; { vchar_t *newmsg; + int result; if (isakmp_frag_extract(iph1, msg) == 1) { if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) { 
@@ -3663,18 +3662,20 @@ frag_handler(iph1, msg, remote, local) } /* simply reply if the packet was processed. */ - if (check_recvdpkt((struct sockaddr *)remote, - (struct sockaddr *)local, newmsg) > 0) { + if (check_recvdpkt(remote, local, newmsg) > 0) { IPSECLOGASLMSG("Received (reassembled) retransmitted packet from %s.\n", saddr2str((struct sockaddr *)remote)); plog(LLV_NOTIFY, LOCATION, NULL, "the reassembled packet is retransmitted by %s.\n", saddr2str((struct sockaddr *)remote)); + vfree(newmsg); return 0; } - return isakmp_main(newmsg, remote, local); + result = isakmp_main(newmsg, remote, local); + vfree(newmsg); + return result; } return 0; @@ -3838,7 +3839,7 @@ purge_remote(iph1) vchar_t *buf = NULL; struct sadb_msg *msg, *next, *end; struct sadb_sa *sa; - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; caddr_t mhp[SADB_EXT_MAX + 1]; u_int proto_id; struct ph2handle *iph2; @@ -3864,13 +3865,13 @@ purge_remote(iph1) return; } - msg = (struct sadb_msg *)buf->v; - end = (struct sadb_msg *)(buf->v + buf->l); + msg = ALIGNED_CAST(struct sadb_msg *)buf->v; + end = ALIGNED_CAST(struct sadb_msg *)(buf->v + buf->l); while (msg < end) { if ((msg->sadb_msg_len << 3) < sizeof(*msg)) break; - next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); + next = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); if (msg->sadb_msg_type != SADB_DUMP) { msg = next; continue; 
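Review bot: The added `vfree(newmsg)` after `isakmp_main(newmsg, remote, local)` is correct only if isakmp_main and the handlers it dispatches to copy what they keep rather than retaining the `newmsg` pointer; the previous code returned without freeing, so this hunk alone does not show whether that was a leak or a deliberate ownership transfer. A one-line comment at the call site would pin it down, e.g. `/* isakmp_main does not take ownership of newmsg; free it here */`, and if any handler does stash the buffer the free has to move. The retransmit branch above now frees `newmsg` as well, which is consistent with the non-owning reading. frag_handler's signature is in the previous hunk.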
@@ -3883,15 +3884,15 @@ purge_remote(iph1) continue; } - sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]); + sa = ALIGNED_CAST(struct sadb_sa *)(mhp[SADB_EXT_SA]); if (!sa || !mhp[SADB_EXT_ADDRESS_SRC] || !mhp[SADB_EXT_ADDRESS_DST]) { msg = next; continue; } - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); + src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); + dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); if (sa->sadb_sa_state != SADB_SASTATE_LARVAL && sa->sadb_sa_state != SADB_SASTATE_MATURE && @@ -3991,31 +3992,34 @@ delete_spd(iph2) /* Delete the SPD entry if we generated it */ if (iph2->generated_spidx) { - struct policyindex spidx; + union { + u_int64_t force_align; // Wcast-align fix - force alignment + struct policyindex spidx; + } u; struct sockaddr_storage addr; u_int8_t pref; - struct sockaddr *src = iph2->src; - struct sockaddr *dst = iph2->dst; + struct sockaddr_storage *src = iph2->src; + struct sockaddr_storage *dst = iph2->dst; int error; int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */ plog(LLV_INFO, LOCATION, NULL, "generated policy, deleting it.\n"); - memset(&spidx, 0, sizeof(spidx)); - iph2->spidx_gen = (caddr_t )&spidx; + memset(&u.spidx, 0, sizeof(u.spidx)); + iph2->spidx_gen = &u.spidx; /* make inbound policy */ iph2->src = dst; iph2->dst = src; - spidx.dir = IPSEC_DIR_INBOUND; - spidx.ul_proto = 0; + u.spidx.dir = IPSEC_DIR_INBOUND; + u.spidx.ul_proto = 0; /* * Note: code from get_proposal_r */ -#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type +#define _XIDT(d) (ALIGNED_CAST(struct ipsecdoi_id_b *)((d)->v))->type /* * make destination address in spidx from either ID payload 
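Review bot: The inbound-policy setup in the delete_spd hunk swaps `iph2->src`/`iph2->dst` and stores the address of the stack local `u.spidx` in `iph2->spidx_gen`, but the swap-back (`iph2->src = src; iph2->dst = dst;`) only happens at the outbound-policy step in a later hunk, so every `if (error) goto purge;` in the following hunks leaves iph2 with swapped addresses and a `spidx_gen` pointing at a frame about to die, unless the code after the `purge:` label (outside these hunks) restores both. Restoring under `purge:` — `iph2->src = src; iph2->dst = dst; iph2->spidx_gen = NULL;` — would make the early exits safe regardless of where they originate. The union wrapper is a reasonable way to force alignment here; a comment saying why `u_int64_t` is the chosen alignment would help the next reader. delete_spd's head is outside the hunk.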
@@ -4027,9 +4031,8 @@ delete_spd(iph2) || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { /* get a destination address of a policy */ - error = ipsecdoi_id2sockaddr(iph2->id, - (struct sockaddr *)&spidx.dst, - &spidx.prefd, &spidx.ul_proto); + error = ipsecdoi_id2sockaddr(iph2->id, &u.spidx.dst, + &u.spidx.prefd, &u.spidx.ul_proto); if (error) goto purge; @@ -4042,8 +4045,7 @@ delete_spd(iph2) */ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { if ((error = - setscopeid((struct sockaddr *)&spidx.dst, - iph2->src)) != 0) + setscopeid(&u.spidx.dst, iph2->src)) != 0) goto purge; } #endif @@ -4065,20 +4067,20 @@ delete_spd(iph2) * DESTINATION address of the key to search the * SPD because the direction of policy is inbound. */ - memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); - switch (spidx.dst.ss_family) { + memcpy(&u.spidx.dst, iph2->src, sysdep_sa_len((struct sockaddr *)iph2->src)); + switch (u.spidx.dst.ss_family) { case AF_INET: - spidx.prefd = + u.spidx.prefd = sizeof(struct in_addr) << 3; break; #ifdef INET6 case AF_INET6: - spidx.prefd = + u.spidx.prefd = sizeof(struct in6_addr) << 3; break; #endif default: - spidx.prefd = 0; + u.spidx.prefd = 0; break; } } @@ -4090,9 +4092,8 @@ delete_spd(iph2) || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { /* get a source address of inbound SA */ - error = ipsecdoi_id2sockaddr(iph2->id_p, - (struct sockaddr *)&spidx.src, - &spidx.prefs, &spidx.ul_proto); + error = ipsecdoi_id2sockaddr(iph2->id_p, &u.spidx.src, + &u.spidx.prefs, &u.spidx.ul_proto); if (error) goto purge; @@ -4103,8 +4104,7 @@ delete_spd(iph2) */ if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { error = - setscopeid((struct sockaddr *)&spidx.src, - iph2->dst); + setscopeid(&u.spidx.src, iph2->dst); if (error) goto purge; } 
@@ -4112,11 +4112,11 @@ delete_spd(iph2) /* make id[src,dst] if both ID types are IP address and same */ if (_XIDT(iph2->id_p) == idi2type - && spidx.dst.ss_family == spidx.src.ss_family) { + && u.spidx.dst.ss_family == u.spidx.src.ss_family) { iph2->src_id = - dupsaddr((struct sockaddr *)&spidx.dst); + dupsaddr((struct sockaddr *)&u.spidx.dst); iph2->dst_id = - dupsaddr((struct sockaddr *)&spidx.src); + dupsaddr((struct sockaddr *)&u.spidx.src); } } else { @@ -4127,20 +4127,20 @@ delete_spd(iph2) "OR because ID type is not address.\n"); /* see above comment. */ - memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); - switch (spidx.src.ss_family) { + memcpy(&u.spidx.src, iph2->dst, sysdep_sa_len((struct sockaddr *)iph2->dst)); + switch (u.spidx.src.ss_family) { case AF_INET: - spidx.prefs = + u.spidx.prefs = sizeof(struct in_addr) << 3; break; #ifdef INET6 case AF_INET6: - spidx.prefs = + u.spidx.prefs = sizeof(struct in6_addr) << 3; break; #endif default: - spidx.prefs = 0; + u.spidx.prefs = 0; break; } } @@ -4150,20 +4150,20 @@ delete_spd(iph2) plog(LLV_DEBUG, LOCATION, NULL, "get a src address from ID payload " "%s prefixlen=%u ul_proto=%u\n", - saddr2str((struct sockaddr *)&spidx.src), - spidx.prefs, spidx.ul_proto); + saddr2str((struct sockaddr *)&u.spidx.src), + u.spidx.prefs, u.spidx.ul_proto); plog(LLV_DEBUG, LOCATION, NULL, "get dst address from ID payload " "%s prefixlen=%u ul_proto=%u\n", - saddr2str((struct sockaddr *)&spidx.dst), - spidx.prefd, spidx.ul_proto); + saddr2str((struct sockaddr *)&u.spidx.dst), + u.spidx.prefd, u.spidx.ul_proto); /* * convert the ul_proto if it is 0 * because 0 in ID payload means a wild card. */ - if (spidx.ul_proto == 0) - spidx.ul_proto = IPSEC_ULPROTO_ANY; + if (u.spidx.ul_proto == 0) + u.spidx.ul_proto = IPSEC_ULPROTO_ANY; #undef _XIDT 
@@ -4181,7 +4181,7 @@ delete_spd(iph2) #ifdef HAVE_POLICY_FWD /* make forward policy if required */ if (tunnel_mode_prop(iph2->approval)) { - spidx.dir = IPSEC_DIR_FWD; + u.spidx.dir = IPSEC_DIR_FWD; if (pk_sendspddelete(iph2) < 0) { plog(LLV_ERROR, LOCATION, NULL, "pfkey spddelete(forward) failed.\n"); @@ -4195,13 +4195,13 @@ delete_spd(iph2) /* make outbound policy */ iph2->src = src; iph2->dst = dst; - spidx.dir = IPSEC_DIR_OUTBOUND; - addr = spidx.src; - spidx.src = spidx.dst; - spidx.dst = addr; - pref = spidx.prefs; - spidx.prefs = spidx.prefd; - spidx.prefd = pref; + u.spidx.dir = IPSEC_DIR_OUTBOUND; + addr = u.spidx.src; + u.spidx.src = u.spidx.dst; + u.spidx.dst = addr; + pref = u.spidx.prefs; + u.spidx.prefs = u.spidx.prefd; + u.spidx.prefd = pref; if (pk_sendspddelete(iph2) < 0) { plog(LLV_ERROR, LOCATION, NULL, @@ -4218,7 +4218,7 @@ purge: #ifdef INET6 u_int32_t setscopeid(sp_addr0, sa_addr0) - struct sockaddr *sp_addr0, *sa_addr0; + struct sockaddr_storage *sp_addr0, *sa_addr0; { struct sockaddr_in6 *sp_addr, *sa_addr; diff --git a/ipsec-tools/racoon/isakmp_agg.c b/ipsec-tools/racoon/isakmp_agg.c index 2b29675..993ac28 100644 --- a/ipsec-tools/racoon/isakmp_agg.c +++ b/ipsec-tools/racoon/isakmp_agg.c @@ -384,10 +384,6 @@ agg_i2recv(iph1, msg) int error = -1; int vid_numeric; int ptype; -#ifdef ENABLE_HYBRID - vchar_t *unity_vid; - vchar_t *xauth_vid; -#endif #ifdef HAVE_GSSAPI vchar_t *gsstoken = NULL; #endif @@ -418,7 +414,7 @@ agg_i2recv(iph1, msg) "failed to parse msg"); goto end; } - pa = (struct isakmp_parse_t *)pbuf->v; + pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; iph1->pl_hash = NULL; 
@@ -881,13 +877,13 @@ agg_i2send(iph1, msg) plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); + "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); goto end; } if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); + "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); goto end; } /* old Apple version sends natd payloads in the wrong order */ @@ -1000,7 +996,7 @@ agg_r1recv(iph1, msg) "failed to parse msg"); goto end; } - pa = (struct isakmp_parse_t *)pbuf->v; + pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; /* SA payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_SA) { @@ -1341,13 +1337,13 @@ agg_r1send(iph1, msg) plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); + "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); goto end; } if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); + "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); goto end; } } @@ -1690,7 +1686,7 @@ agg_r2recv(iph1, msg0) iph1->pl_hash = NULL; - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { diff --git a/ipsec-tools/racoon/isakmp_base.c b/ipsec-tools/racoon/isakmp_base.c index 1fc93e2..45e42ee 100644 --- a/ipsec-tools/racoon/isakmp_base.c +++ b/ipsec-tools/racoon/isakmp_base.c 
@@ -303,10 +303,6 @@ base_i2recv(iph1, msg) vchar_t *satmp = NULL; int error = -1; int vid_numeric; -#ifdef ENABLE_HYBRID - vchar_t *unity_vid; - vchar_t *xauth_vid; -#endif /* validity check */ if (iph1->status != PHASE1ST_MSG1SENT) { @@ -319,7 +315,7 @@ base_i2recv(iph1, msg) pbuf = isakmp_parse(msg); if (pbuf == NULL) goto end; - pa = (struct isakmp_parse_t *)pbuf->v; + pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; /* SA payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_SA) { @@ -577,13 +573,13 @@ base_i2send(iph1, msg) plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); + "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); goto end; } if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); + "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); goto end; } @@ -662,7 +658,7 @@ base_i3recv(iph1, msg) if (pbuf == NULL) goto end; - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { @@ -876,7 +872,7 @@ base_r1recv(iph1, msg) pbuf = isakmp_parse(msg); if (pbuf == NULL) goto end; - pa = (struct isakmp_parse_t *)pbuf->v; + pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; /* check the position of SA payload */ if (pa->type != ISAKMP_NPTYPE_SA) { @@ -1202,7 +1198,7 @@ base_r2recv(iph1, msg) iph1->pl_hash = NULL; - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { 
@@ -1465,13 +1461,13 @@ base_r2send(iph1, msg) plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); + "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); goto end; } if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); + "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); goto end; } diff --git a/ipsec-tools/racoon/isakmp_cfg.c b/ipsec-tools/racoon/isakmp_cfg.c index f71c012..81c03d8 100644 --- a/ipsec-tools/racoon/isakmp_cfg.c +++ b/ipsec-tools/racoon/isakmp_cfg.c @@ -904,7 +904,6 @@ isakmp_cfg_net(iph1, attr) { int type; int confsource; - in_addr_t addr4; type = ntohs(attr->type); @@ -1271,14 +1270,14 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) goto end; } - iph2->dst = dupsaddr(iph1->remote); + iph2->dst = dupsaddr((struct sockaddr *)iph1->remote); if (iph2->dst == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to duplicate remote address"); delph2(iph2); goto end; } - iph2->src = dupsaddr(iph1->local); + iph2->src = dupsaddr((struct sockaddr *)iph1->local); if (iph2->src == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to duplicate local address"); @@ -1286,7 +1285,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) goto end; } - switch (iph1->remote->sa_family) { + switch (iph1->remote->ss_family) { case AF_INET: #if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT)) ((struct sockaddr_in *)iph2->dst)->sin_port = 0; 
@@ -1303,7 +1302,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph1->remote->sa_family); + "invalid family: %d\n", iph1->remote->ss_family); delph2(iph2); goto end; } @@ -1840,11 +1839,10 @@ isakmp_cfg_radius_common(radius_state, port) int isakmp_cfg_accounting_system(port, raddr, usr, inout) int port; - struct sockaddr *raddr; + struct sockaddr_storage *raddr; char *usr; int inout; { - int error = 0; struct utmpx ut; char term[_UTX_LINESIZE]; char addr[NI_MAXHOST]; @@ -1863,7 +1861,7 @@ isakmp_cfg_accounting_system(port, raddr, usr, inout) strlcpy(ut.ut_line, term, sizeof(ut.ut_line)); - GETNAMEINFO_NULL(raddr, addr); + GETNAMEINFO_NULL((struct sockaddr *)raddr, addr); strlcpy(ut.ut_host, addr, sizeof(ut.ut_host)); ut.ut_pid = getpid(); @@ -1932,7 +1930,7 @@ isakmp_cfg_getconfig(iph1) len = sizeof(*attrpl) + sizeof(*attr) * attrcount; if (iph1->started_by_api) { - if (iph1->remote->sa_family == AF_INET) { + if (iph1->remote->ss_family == AF_INET) { struct vpnctl_socket_elem *sock_elem; struct bound_addr *bound_addr; u_int32_t address; @@ -2006,7 +2004,7 @@ isakmp_cfg_getaddr4(attr, ip) return; } - addr = (in_addr_t *)(attr + 1); + addr = ALIGNED_CAST(in_addr_t *)(attr + 1); // Wcast-align fix (void*) - attr comes from packet data in a vchar_t ip->s_addr = *addr; return; @@ -2031,7 +2029,7 @@ isakmp_cfg_appendaddr4(attr, ip, num, max) return; } - addr = (in_addr_t *)(attr + 1); + addr = ALIGNED_CAST(in_addr_t *)(attr + 1); // Wcast-align fix (void*) - attr comes from packet data in a vchar_t ip->s_addr = *addr; (*num)++; @@ -2104,8 +2102,6 @@ isakmp_cfg_setenv(iph1, envp, envc) char defdom[MAXPATHLEN + 1]; int cidr, tmp; char cidrstr[4]; - int i, p; - int test; plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n"); 
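Review bot: In isakmp_cfg_getaddr4 and isakmp_cfg_appendaddr4, `addr = ALIGNED_CAST(in_addr_t *)(attr + 1)` followed by `ip->s_addr = *addr` only silences -Wcast-align; the comment itself says `attr` comes from packet data, and attribute TLVs have arbitrary lengths, so `attr + 1` is not guaranteed to be 4-byte aligned and the dereference is a misaligned read on strict-alignment targets. The same commit already uses the right pattern in isakmp_inf.c (`memcpy(n + 1, &pr->spi, …)`); here it would be `memcpy(&ip->s_addr, attr + 1, sizeof(ip->s_addr));` with no cast at all. The same applies to `hp = ALIGNED_CAST(int *)(gen + 1)` in vendorid_frag_cap on the next line and to `ALIGNED_CAST(u_int32_t *)(delete + 1)` in isakmp_info_recv_d further down, whose comment asserts the delete payload is aligned although the parser is not shown enforcing that.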
@@ -2334,7 +2330,9 @@ isakmp_cfg_init(cold) int cold; { int i; +#if 0 int error; +#endif isakmp_cfg_config.network4 = (in_addr_t)0x00000000; isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000; diff --git a/ipsec-tools/racoon/isakmp_cfg.h b/ipsec-tools/racoon/isakmp_cfg.h index e206f39..7890665 100644 --- a/ipsec-tools/racoon/isakmp_cfg.h +++ b/ipsec-tools/racoon/isakmp_cfg.h @@ -222,4 +222,4 @@ int isakmp_cfg_accounting_pam(int, int); void cleanup_pam(int); #endif -int isakmp_cfg_accounting_system(int, struct sockaddr *, char *, int); +int isakmp_cfg_accounting_system(int, struct sockaddr_storage *, char *, int); diff --git a/ipsec-tools/racoon/isakmp_frag.c b/ipsec-tools/racoon/isakmp_frag.c index 304e825..a42ab4e 100644 --- a/ipsec-tools/racoon/isakmp_frag.c +++ b/ipsec-tools/racoon/isakmp_frag.c @@ -82,6 +82,7 @@ #include "nattraversal.h" #include "grabmyaddr.h" #include "localconf.h" +#include "crypto_openssl.h" int isakmp_sendfrags(iph1, buf) @@ -96,7 +97,6 @@ isakmp_sendfrags(iph1, buf) size_t max_datalen; size_t fraglen; vchar_t *frag; - unsigned int trailer; unsigned int fragnum = 0; size_t len; int etype; @@ -110,7 +110,7 @@ isakmp_sendfrags(iph1, buf) /* select the socket to be sent */ - s = getsockmyaddr(iph1->local); + s = getsockmyaddr((struct sockaddr *)iph1->local); if (s == -1){ return -1; } @@ -176,7 +176,7 @@ isakmp_sendfrags(iph1, buf) vfree(frag); return -1; } - *(u_int32_t *)vbuf->v = 0; // non-esp marker + *ALIGNED_CAST(u_int32_t *)vbuf->v = 0; // non-esp marker memcpy(vbuf->v + extralen, frag->v, frag->l); vfree(frag); frag = vbuf; @@ -209,7 +209,7 @@ vendorid_frag_cap(gen) int *hp; int hashlen_bytes = eay_md5_hashlen() >> 3; - hp = (int *)(gen + 1); + hp = ALIGNED_CAST(int *)(gen + 1); return ntohl(hp[hashlen_bytes / sizeof(*hp)]); } @@ -223,7 +223,6 @@ isakmp_frag_extract(iph1, msg) struct isakmp_frag *frag; struct isakmp_frag_item *item; vchar_t *buf; - size_t len; int last_frag = 0; char *data; int i; 
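Review bot: In isakmp_cfg_init the unused `int error;` is kept inside `#if 0`/`#endif` rather than deleted, and the isakmp_inf.c hunks further down do the same for purge_isakmp_spi (a `//`-commented prototype plus an `#if 0` body), while this same commit deletes other unused locals (`addr4`, `trailer`, `len`) outright. Code under `#if 0` never compiles again and rots silently, and version control already keeps the history, so removing the declaration and the function is the cleaner choice. If purge_isakmp_spi is being kept for a planned re-enable, a comment saying so, e.g. `/* disabled pending <reason placeholder>; re-enable together with its prototype */`, would tell the next reader why it survived.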
@@ -408,7 +407,7 @@ isakmp_frag_addcap(buf, cap) vchar_t *buf; int cap; { - int *capp; + int val, *capp; size_t len; int hashlen_bytes = eay_md5_hashlen() >> 3; @@ -420,13 +419,14 @@ isakmp_frag_addcap(buf, cap) "Cannot allocate memory\n"); return NULL; } - capp = (int *)(buf->v + len); - *capp = htonl(0); - } - - capp = (int *)(buf->v + hashlen_bytes); - *capp |= htonl(cap); - + val = 0; + memcpy(buf->v + len, &val, sizeof(val)); // Wcast_lign fix - copy instead of assign for unaligned move + } + capp = (int *)(void*)(buf->v + hashlen_bytes); // Wcast_lign fix - copy instead of assign for unaligned move + memcpy(&val, capp, sizeof(val)); + val |= htonl(cap); + memcpy(capp, &val, sizeof(val)); + return buf; } @@ -434,8 +434,8 @@ int sendfragsfromto(s, buf, local, remote, count_persend, frag_flags) int s; vchar_t *buf; - struct sockaddr *local; - struct sockaddr *remote; + struct sockaddr_storage *local; + struct sockaddr_storage *remote; int count_persend; u_int32_t frag_flags; { @@ -448,7 +448,6 @@ sendfragsfromto(s, buf, local, remote, count_persend, frag_flags) size_t max_datalen; size_t fraglen; vchar_t *frag; - unsigned int trailer; unsigned int fragnum = 0; size_t len; #ifdef ENABLE_NATT @@ -519,7 +518,7 @@ sendfragsfromto(s, buf, local, remote, count_persend, frag_flags) vfree(frag); return -1; } - *(u_int32_t *)vbuf->v = 0; // non-esp marker + *ALIGNED_CAST(u_int32_t *)vbuf->v = 0; // non-esp marker memcpy(vbuf->v + extralen, frag->v, frag->l); vfree(frag); frag = vbuf; diff --git a/ipsec-tools/racoon/isakmp_frag.h b/ipsec-tools/racoon/isakmp_frag.h index 9d6a208..f6c920a 100644 --- a/ipsec-tools/racoon/isakmp_frag.h +++ b/ipsec-tools/racoon/isakmp_frag.h 
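Review bot: In isakmp_frag_addcap the read-modify-write no longer needs the `capp` pointer at all: once the value is copied in and out with memcpy, `capp = (int *)(void*)(buf->v + hashlen_bytes)` keeps a cast whose only purpose was the direct store that was just removed, and the "copy instead of assign" comment now sits on the pointer assignment rather than on the copy. Using a plain `char *` offset removes the cast, lets the declaration shrink to `int val;`, and gives a place to fix the `Wcast_lign` typo in both comments. The function's head is in the previous hunk on this line.
```c
	char *cap_at = buf->v + hashlen_bytes;	// Wcast-align fix: memcpy instead of an aligned store
	memcpy(&val, cap_at, sizeof(val));
	val |= htonl(cap);
	memcpy(cap_at, &val, sizeof(val));
```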
@@ -62,6 +62,6 @@ unsigned int vendorid_frag_cap(struct isakmp_gen *); int isakmp_frag_extract(struct ph1handle *, vchar_t *); vchar_t *isakmp_frag_reassembly(struct ph1handle *); vchar_t *isakmp_frag_addcap(vchar_t *, int); -int sendfragsfromto(int s, vchar_t *, struct sockaddr *, struct sockaddr *, int, u_int32_t); +int sendfragsfromto(int s, vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *, int, u_int32_t); #endif /* _ISAKMP_FRAG_H */ diff --git a/ipsec-tools/racoon/isakmp_ident.c b/ipsec-tools/racoon/isakmp_ident.c index 09aa685..53dfc01 100644 --- a/ipsec-tools/racoon/isakmp_ident.c +++ b/ipsec-tools/racoon/isakmp_ident.c @@ -307,7 +307,7 @@ ident_i2recv(iph1, msg) "failed to parse msg"); goto end; } - pa = (struct isakmp_parse_t *)pbuf->v; + pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; /* SA payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_SA) { @@ -563,7 +563,7 @@ ident_i3recv(iph1, msg) goto end; } - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { @@ -922,7 +922,7 @@ ident_i4recv(iph1, msg0) iph1->pl_hash = NULL; - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { @@ -1145,7 +1145,7 @@ ident_r1recv(iph1, msg) "failed to parse msg"); goto end; } - pa = (struct isakmp_parse_t *)pbuf->v; + pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; /* check the position of SA payload */ if (pa->type != ISAKMP_NPTYPE_SA) { @@ -1474,7 +1474,7 @@ ident_r2recv(iph1, msg) goto end; } - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { switch (pa->type) { @@ -1786,7 +1786,7 @@ ident_r3recv(iph1, msg0) iph1->pl_hash = NULL; - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { 
@@ -2182,13 +2182,13 @@ ident_ir2mx(iph1) { if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); + "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); goto end; } if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); + "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); goto end; } diff --git a/ipsec-tools/racoon/isakmp_inf.c b/ipsec-tools/racoon/isakmp_inf.c index e3c9afa..e1f078a 100644 --- a/ipsec-tools/racoon/isakmp_inf.c +++ b/ipsec-tools/racoon/isakmp_inf.c @@ -122,7 +122,7 @@ static int isakmp_info_recv_r_u_ack __P((struct ph1handle *, static int isakmp_info_recv_lb __P((struct ph1handle *, struct isakmp_pl_lb *lb, int)); #endif -static void purge_isakmp_spi __P((int, isakmp_index *, size_t)); +//static void purge_isakmp_spi __P((int, isakmp_index *, size_t)); static void info_recv_initialcontact __P((struct ph1handle *)); static int @@ -198,7 +198,7 @@ isakmp_info_recv(iph1, msg0) int error = -1; struct isakmp *isakmp; struct isakmp_gen *gen; - struct isakmp_parse_t *pa, *pap; + struct isakmp_parse_t *pa; void *p; vchar_t *hash, *payload; struct isakmp_gen *nd; @@ -373,7 +373,7 @@ isakmp_info_recv(iph1, msg0) } error = 0; - for (pa = (struct isakmp_parse_t *)pbuf->v; pa->type; pa++) { + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type; pa++) { // Wcast-align fix (void*) - aligned buffer of aligned (unpacked) structs switch (pa->type) { case ISAKMP_NPTYPE_HASH: /* Handled above */ @@ -438,7 +438,6 @@ isakmp_info_recv_n(iph1, notify, msgid, encrypted) int encrypted; { u_int type; - vchar_t *pbuf; vchar_t *ndata; char *nraw; size_t l; 
@@ -569,7 +568,7 @@ isakmp_info_vpncontrol_notify_ike_failed (struct ph1handle *iph1, u_int32_t fail_reason; /* notify the API that we have received the delete */ - if (iph1->remote->sa_family == AF_INET) + if (iph1->remote->ss_family == AF_INET) address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr; else address = 0; @@ -626,10 +625,7 @@ isakmp_info_recv_d(iph1, delete, msgid, encrypted) int encrypted; { int tlen, num_spi; - vchar_t *pbuf; - int protected = 0; struct ph1handle *del_ph1; - struct ph2handle *iph2; union { u_int32_t spi32; u_int16_t spi16[2]; @@ -725,7 +721,7 @@ isakmp_info_recv_d(iph1, delete, msgid, encrypted) EVT_PUSH(iph1->local, iph1->remote, EVTT_PEER_DELETE, NULL); purge_ipsec_spi(iph1->remote, delete->proto_id, - (u_int32_t *)(delete + 1), num_spi); + ALIGNED_CAST(u_int32_t *)(delete + 1), num_spi); // Wcast-align fix (void*) - delete payload is aligned break; case IPSECDOI_PROTO_IPCOMP: @@ -922,7 +918,7 @@ isakmp_info_send_d2(iph2) int isakmp_info_send_nx(isakmp, remote, local, type, data) struct isakmp *isakmp; - struct sockaddr *remote, *local; + struct sockaddr_storage *remote, *local; int type; vchar_t *data; { @@ -1176,7 +1172,7 @@ isakmp_info_send_n2(iph2, type, data) n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/ n->spi_size = pr->spisize; n->type = htons(type); - *(u_int32_t *)(n + 1) = pr->spi; + memcpy(n + 1, &pr->spi, sizeof(u_int32_t)); // Wcast-align fix - copy instead of assign if (data) memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l); 
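Review bot: The `// Wcast-align fix (void*) - delete payload is aligned` comment on the `purge_ipsec_spi` call asserts an alignment the wire format does not guarantee: `delete` points into the received ISAKMP message, and a payload's offset is only as aligned as the variable-length payloads before it happen to leave it, so the `spi[i]` reads inside purge_ipsec_spi (`ntohl(spi[0])` at its top, later in this file) can be misaligned on strict-alignment targets; ALIGNED_CAST only silences the warning. A safer form is to have purge_ipsec_spi fetch each SPI with `u_int32_t spi_nbo; memcpy(&spi_nbo, (const u_int8_t *)spi + i * sizeof(spi_nbo), sizeof(spi_nbo));`, or for this caller to copy the SPIs into a properly aligned local array before the call. isakmp_info_recv_d starts and ends outside this hunk, so whether `num_spi` has already been bounded against the payload length cannot be seen here.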
@@ -1225,21 +1221,21 @@ isakmp_info_send_common(iph1, payload, np, flags) goto end; } - iph2->dst = dupsaddr(iph1->remote); + iph2->dst = dupsaddr((struct sockaddr *)iph1->remote); if (iph2->dst == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to duplicate remote address"); delph2(iph2); goto end; } - iph2->src = dupsaddr(iph1->local); + iph2->src = dupsaddr((struct sockaddr *)iph1->local); if (iph2->src == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to duplicate local address"); delph2(iph2); goto end; } - switch (iph1->remote->sa_family) { + switch (iph1->remote->ss_family) { case AF_INET: #if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT)) ((struct sockaddr_in *)iph2->dst)->sin_port = 0; @@ -1256,7 +1252,7 @@ isakmp_info_send_common(iph1, payload, np, flags) #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph1->remote->sa_family); + "invalid family: %d\n", iph1->remote->ss_family); delph2(iph2); goto end; } @@ -1445,7 +1441,7 @@ isakmp_add_pl_n(buf0, np_p, type, pr, data) n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/ n->spi_size = pr->spisize; n->type = htons(type); - *(u_int32_t *)(n + 1) = pr->spi; /* XXX */ + memcpy(n + 1, &pr->spi, sizeof(u_int32_t)); // Wcast-align fix - copy instead of assign with cast if (data) memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l); @@ -1455,6 +1451,7 @@ isakmp_add_pl_n(buf0, np_p, type, pr, data) return buf; } +#if 0 static void purge_isakmp_spi(proto, spi, n) int proto; @@ -1481,12 +1478,12 @@ purge_isakmp_spi(proto, spi, n) iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); } } - +#endif void purge_ipsec_spi(dst0, proto, spi, n) - struct sockaddr *dst0; + struct sockaddr_storage *dst0; int proto; u_int32_t *spi; /*network byteorder*/ size_t n; 
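Review bot: The `#if 0` around purge_isakmp_spi (together with the `//`-commented prototype earlier in this file) keeps dead code in the tree; since nothing references the function any more, delete it outright rather than fencing it off. Revision control keeps the history, and an `#if 0` block is no longer compiled, so it will not be kept in step with the sockaddr_storage conversion this patch performs and will silently rot. The same applies to the commented-out prototype: drop the line instead of prefixing it with `//`.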
@@ -1495,7 +1492,7 @@ purge_ipsec_spi(dst0, proto, spi, n) struct sadb_msg *msg, *next, *end; struct sadb_sa *sa; struct sadb_lifetime *lt; - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; struct ph2handle *iph2; u_int64_t created; size_t i; @@ -1503,7 +1500,7 @@ purge_ipsec_spi(dst0, proto, spi, n) plog(LLV_DEBUG2, LOCATION, NULL, "purge_ipsec_spi:\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str(dst0)); + plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str((struct sockaddr *)dst0)); plog(LLV_DEBUG2, LOCATION, NULL, "SPI: %08X\n", ntohl(spi[0])); plog(LLV_DEBUG2, LOCATION, NULL, "num SPI: %d\n", n); @@ -1514,13 +1511,13 @@ purge_ipsec_spi(dst0, proto, spi, n) return; } - msg = (struct sadb_msg *)buf->v; - end = (struct sadb_msg *)(buf->v + buf->l); + msg = ALIGNED_CAST(struct sadb_msg *)buf->v; + end = ALIGNED_CAST(struct sadb_msg *)(buf->v + buf->l); while (msg < end) { if ((msg->sadb_msg_len << 3) < sizeof(*msg)) break; - next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); + next = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); if (msg->sadb_msg_type != SADB_DUMP) { msg = next; continue; 
@@ -1533,16 +1530,16 @@ purge_ipsec_spi(dst0, proto, spi, n) continue; } - sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]); + sa = ALIGNED_CAST(struct sadb_sa *)(mhp[SADB_EXT_SA]); // Wcast-align fix (void*) - buffer of pointers to aligned structs if (!sa || !mhp[SADB_EXT_ADDRESS_SRC] || !mhp[SADB_EXT_ADDRESS_DST]) { msg = next; continue; } - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; + src = ALIGNED_CAST(struct sockaddr_storage*)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); // Wcast-align fix (void*) - buffer of pointers to aligned structs + dst = ALIGNED_CAST(struct sockaddr_storage*)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); + lt = ALIGNED_CAST(struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; if(lt != NULL) created = lt->sadb_lifetime_addtime; else @@ -1553,8 +1550,8 @@ purge_ipsec_spi(dst0, proto, spi, n) msg = next; continue; } - plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src)); - plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst)); + plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)src)); + plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)dst)); @@ -1563,7 +1560,7 @@ purge_ipsec_spi(dst0, proto, spi, n) /* don't delete inbound SAs at the moment */ /* XXX should we remove SAs with opposite direction as well? */ if (CMPSADDR2(dst0, dst)) { - plog(LLV_DEBUG2, LOCATION, NULL, "skipped dst: %s\n", saddr2str(dst)); + plog(LLV_DEBUG2, LOCATION, NULL, "skipped dst: %s\n", saddr2str((struct sockaddr *)dst)); msg = next; continue; } @@ -1620,7 +1617,7 @@ info_recv_initialcontact(iph1) vchar_t *buf = NULL; struct sadb_msg *msg, *next, *end; struct sadb_sa *sa; - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; caddr_t mhp[SADB_EXT_MAX + 1]; int proto_id, i; struct ph2handle *iph2; 
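Review bot: Casting the PF_KEY address extensions to `struct sockaddr_storage *` (`src`/`dst` in purge_ipsec_spi) changes the apparent size of the object: the sockaddr inside a SADB_EXT_ADDRESS extension occupies only `sa_len` bytes (padded to 8) of the dump buffer, not a full `sizeof(struct sockaddr_storage)`, so any helper that copies or compares `sizeof(*dst)` instead of `ss_len`/`sysdep_sa_len()` would read past the extension. CMPSADDR2 and saddr2str are not visible here, so this is a caveat rather than a found bug; I would pin it at the cast with `/* points into the PF_KEY dump: only ss_len bytes are valid, never sizeof(*dst) */`. purge_ipsec_spi starts in the previous hunk and continues after this one.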
@@ -1693,13 +1690,13 @@ info_recv_initialcontact(iph1) return; } - msg = (struct sadb_msg *)buf->v; - end = (struct sadb_msg *)(buf->v + buf->l); + msg = ALIGNED_CAST(struct sadb_msg *)buf->v; + end = ALIGNED_CAST(struct sadb_msg *)(buf->v + buf->l); while (msg < end) { if ((msg->sadb_msg_len << 3) < sizeof(*msg)) break; - next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); + next = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); if (msg->sadb_msg_type != SADB_DUMP) { msg = next; continue; @@ -1718,9 +1715,9 @@ info_recv_initialcontact(iph1) msg = next; continue; } - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); + sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]; // Wcast-align fix (void*) - buffer of pointers to aligned structs + src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); + dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); if (sa->sadb_sa_state != SADB_SASTATE_MATURE && sa->sadb_sa_state != SADB_SASTATE_DYING) { @@ -1912,7 +1909,7 @@ isakmp_info_recv_lb(iph1, n, encrypted) "LOAD-BALANCE notification ignored - we are not the initiator.\n"); return 0; } - if (iph1->remote->sa_family != AF_INET) { + if (iph1->remote->ss_family != AF_INET) { plog(LLV_DEBUG, LOCATION, NULL, "LOAD-BALANCE notification ignored - only supported for IPv4.\n"); return 0; @@ -2100,7 +2097,7 @@ isakmp_info_send_r_u(arg) CONSTSTR("maxed-out of DPD requests without receiving an ack")); EVT_PUSH(iph1->local, iph1->remote, EVTT_DPD_TIMEOUT, NULL); - if (iph1->remote->sa_family == AF_INET) + if (iph1->remote->ss_family == AF_INET) address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; else address = 0; diff --git a/ipsec-tools/racoon/isakmp_inf.h b/ipsec-tools/racoon/isakmp_inf.h index 50cd2f9..32f85cf 100644 --- a/ipsec-tools/racoon/isakmp_inf.h 
+++ b/ipsec-tools/racoon/isakmp_inf.h @@ -41,7 +41,7 @@ extern int isakmp_info_recv __P((struct ph1handle *, vchar_t *)); extern int isakmp_info_send_d1 __P((struct ph1handle *)); extern int isakmp_info_send_d2 __P((struct ph2handle *)); extern int isakmp_info_send_nx __P((struct isakmp *, - struct sockaddr *, struct sockaddr *, int, vchar_t *)); + struct sockaddr_storage *, struct sockaddr_storage *, int, vchar_t *)); extern int isakmp_info_send_n1 __P((struct ph1handle *, int, vchar_t *)); extern int isakmp_info_send_n2 __P((struct ph2handle *, int, vchar_t *)); extern int isakmp_info_send_common __P((struct ph1handle *, @@ -60,7 +60,7 @@ extern void isakmp_reschedule_info_monitor_if_pending __P((struct ph1handle *, c extern void isakmp_info_send_r_u __P((void *)); #endif -extern void purge_ipsec_spi __P((struct sockaddr *, int, u_int32_t *, size_t)); +extern void purge_ipsec_spi __P((struct sockaddr_storage *, int, u_int32_t *, size_t)); extern int tunnel_mode_prop __P((struct saprop *)); #endif /* _ISAKMP_INF_H */ diff --git a/ipsec-tools/racoon/isakmp_quick.c b/ipsec-tools/racoon/isakmp_quick.c index a734abb..e0cba14 100644 --- a/ipsec-tools/racoon/isakmp_quick.c +++ b/ipsec-tools/racoon/isakmp_quick.c @@ -252,8 +252,8 @@ quick_i1send(iph2, msg) * - id payload suggests to encrypt all the traffic (no specific * protocol type) */ - id = (struct ipsecdoi_id_b *)iph2->id->v; - id_p = (struct ipsecdoi_id_b *)iph2->id_p->v; + id = ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v; + id_p = ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v; if (id->proto_id == 0 && id_p->proto_id == 0 && iph2->ph1->rmconf->support_proxy == 0 @@ -411,8 +411,8 @@ quick_i2recv(iph2, msg0) char *p; int tlen; int error = ISAKMP_INTERNAL_ERROR; - struct sockaddr *natoa_i = NULL; - struct sockaddr *natoa_r = NULL; + struct sockaddr_storage *natoa_i = NULL; + struct sockaddr_storage *natoa_r = NULL; /* validity check */ if (iph2->status != PHASE2ST_MSG1SENT) { 
@@ -447,7 +447,7 @@ quick_i2recv(iph2, msg0) "failed to parse msg"); goto end; } - pa = (struct isakmp_parse_t *)pbuf->v; + pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; /* HASH payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_HASH) { @@ -551,7 +551,7 @@ quick_i2recv(iph2, msg0) * RFC 2407 says that the protocol and port fields should be ignored * if they are zero, therefore they need to be checked individually. */ - struct ipsecdoi_id_b *id_ptr = (struct ipsecdoi_id_b *)vp->v; + struct ipsecdoi_id_b *id_ptr = ALIGNED_CAST(struct ipsecdoi_id_b *)vp->v; struct ipsecdoi_pl_id *idp_ptr = (struct ipsecdoi_pl_id *)pa->ptr; if (id_ptr->type != idp_ptr->b.type @@ -621,7 +621,7 @@ quick_i2recv(iph2, msg0) case ISAKMP_NPTYPE_NATOA_RFC: { vchar_t *vp = NULL; - struct sockaddr *daddr; + struct sockaddr_storage *daddr; isakmp_p2ph(&vp, pa->ptr); @@ -631,11 +631,11 @@ quick_i2recv(iph2, msg0) if (natoa_i == NULL) { natoa_i = daddr; plog(LLV_DEBUG, LOCATION, NULL, "initiaor rcvd NAT-OA i: %s\n", - saddr2str(natoa_i)); + saddr2str((struct sockaddr *)natoa_i)); } else if (natoa_r == NULL) { natoa_r = daddr; plog(LLV_DEBUG, LOCATION, NULL, "initiator rcvd NAT-OA r: %s\n", - saddr2str(natoa_r)); + saddr2str((struct sockaddr *)natoa_r)); } else { racoon_free(daddr); } @@ -974,7 +974,7 @@ quick_i3recv(iph2, msg0) goto end; } - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { @@ -1113,8 +1113,8 @@ quick_r1recv(iph2, msg0) int tlen; int f_id_order; /* for ID payload detection */ int error = ISAKMP_INTERNAL_ERROR; - struct sockaddr *natoa_i = NULL; - struct sockaddr *natoa_r = NULL; + struct sockaddr_storage *natoa_i = NULL; + struct sockaddr_storage *natoa_r = NULL; /* validity check */ if (iph2->status != PHASE2ST_START) { 
@@ -1151,7 +1151,7 @@ quick_r1recv(iph2, msg0) "failed to parse msg\n"); goto end; } - pa = (struct isakmp_parse_t *)pbuf->v; + pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; /* HASH payload is fixed postion */ if (pa->type != ISAKMP_NPTYPE_HASH) { @@ -1296,7 +1296,7 @@ quick_r1recv(iph2, msg0) case ISAKMP_NPTYPE_NATOA_RFC: { vchar_t *vp = NULL; - struct sockaddr *daddr; + struct sockaddr_storage *daddr; isakmp_p2ph(&vp, pa->ptr); @@ -1306,11 +1306,11 @@ quick_r1recv(iph2, msg0) if (natoa_i == NULL) { natoa_i = daddr; plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA i: %s\n", - saddr2str(natoa_i)); + saddr2str((struct sockaddr *)natoa_i)); } else if (natoa_r == NULL) { natoa_r = daddr; plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA r: %s\n", - saddr2str(natoa_r)); + saddr2str((struct sockaddr *)natoa_r)); } else { racoon_free(daddr); } @@ -1856,7 +1856,7 @@ quick_r3recv(iph2, msg0) goto end; } - for (pa = (struct isakmp_parse_t *)pbuf->v; + for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; pa++) { @@ -2142,8 +2142,8 @@ quick_r3prep(iph2, msg0) struct policyindex *spidx; struct sockaddr_storage addr; u_int8_t pref; - struct sockaddr *src = iph2->src; - struct sockaddr *dst = iph2->dst; + struct sockaddr_storage *src = iph2->src; + struct sockaddr_storage *dst = iph2->dst; /* make inbound policy */ iph2->src = dst; @@ -2156,7 +2156,7 @@ quick_r3prep(iph2, msg0) plog(LLV_DEBUG, LOCATION, NULL, "pfkey spdupdate2(inbound) sent.\n"); - spidx = (struct policyindex *)iph2->spidx_gen; + spidx = iph2->spidx_gen; #ifdef HAVE_POLICY_FWD /* make forward policy if required */ if (tunnel_mode_prop(iph2->approval)) { @@ -2191,7 +2191,7 @@ quick_r3prep(iph2, msg0) "pfkey spdupdate2(outbound) sent.\n"); /* spidx_gen is unnecessary any more */ - delsp_bothdir((struct policyindex *)iph2->spidx_gen); + delsp_bothdir(iph2->spidx_gen); racoon_free(iph2->spidx_gen); iph2->spidx_gen = NULL; iph2->generated_spidx=1; 
@@ -2291,7 +2291,7 @@ get_sainfo_r(iph2) struct sainfo *anonymous = NULL; if (iph2->id == NULL) { - switch (iph2->src->sa_family) { + switch (iph2->src->ss_family) { case AF_INET: prefixlen = sizeof(struct in_addr) << 3; break; @@ -2300,7 +2300,7 @@ get_sainfo_r(iph2) break; default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph2->src->sa_family); + "invalid family: %d\n", iph2->src->ss_family); goto end; } idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen, @@ -2315,7 +2315,7 @@ get_sainfo_r(iph2) } if (iph2->id_p == NULL) { - switch (iph2->dst->sa_family) { + switch (iph2->dst->ss_family) { case AF_INET: prefixlen = sizeof(struct in_addr) << 3; break; @@ -2324,7 +2324,7 @@ get_sainfo_r(iph2) break; default: plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph2->dst->sa_family); + "invalid family: %d\n", iph2->dst->ss_family); goto end; } iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen, @@ -2468,8 +2468,7 @@ get_proposal_r_remote(iph2, ignore_id) memset(&spidx, 0, sizeof(spidx)); -#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type - +#define _XIDT(d) (ALIGNED_CAST(struct ipsecdoi_id_b *)((d)->v))->type /* make a spidx; a key to search SPD */ spidx.dir = IPSEC_DIR_INBOUND; spidx.ul_proto = 0; @@ -2487,8 +2486,7 @@ get_proposal_r_remote(iph2, ignore_id) || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { /* get a destination address of a policy */ - error = ipsecdoi_id2sockaddr(iph2->id, - (struct sockaddr *)&spidx.dst, + error = ipsecdoi_id2sockaddr(iph2->id, &spidx.dst, &spidx.prefd, &spidx.ul_proto); if (error) return error; @@ -2501,8 +2499,7 @@ get_proposal_r_remote(iph2, ignore_id) * because rcoon is responder. */ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { - error = setscopeid((struct sockaddr *)&spidx.dst, - iph2->src); + error = setscopeid(&spidx.dst, iph2->src); if (error) return error; } 
@@ -2525,7 +2522,7 @@ get_proposal_r_remote(iph2, ignore_id) * of the key to search the SPD because the direction of policy * is inbound. */ - memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); + memcpy(&spidx.dst, iph2->src, sysdep_sa_len((struct sockaddr *)iph2->src)); switch (spidx.dst.ss_family) { case AF_INET: { @@ -2553,8 +2550,7 @@ get_proposal_r_remote(iph2, ignore_id) || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { /* get a source address of inbound SA */ - error = ipsecdoi_id2sockaddr(iph2->id_p, - (struct sockaddr *)&spidx.src, + error = ipsecdoi_id2sockaddr(iph2->id_p, &spidx.src, &spidx.prefs, &spidx.ul_proto); if (error) return error; @@ -2565,8 +2561,7 @@ get_proposal_r_remote(iph2, ignore_id) * for more detail, see above of this function. */ if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { - error = setscopeid((struct sockaddr *)&spidx.src, - iph2->dst); + error = setscopeid(&spidx.src, iph2->dst); if (error) return error; } @@ -2597,7 +2592,7 @@ get_proposal_r_remote(iph2, ignore_id) "OR because ID type is not address.\n"); /* see above comment. */ - memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); + memcpy(&spidx.src, iph2->dst, sysdep_sa_len((struct sockaddr *)iph2->dst)); switch (spidx.src.ss_family) { case AF_INET: { @@ -2650,7 +2645,7 @@ get_proposal_r_remote(iph2, ignore_id) "no policy found, " "try to generate the policy : %s\n", spidx2str(&spidx)); - iph2->spidx_gen = racoon_malloc(sizeof(spidx)); + iph2->spidx_gen = (struct policyindex *)racoon_malloc(sizeof(spidx)); if (!iph2->spidx_gen) { plog(LLV_ERROR, LOCATION, NULL, "buffer allocation failed.\n"); diff --git a/ipsec-tools/racoon/isakmp_var.h b/ipsec-tools/racoon/isakmp_var.h index 8310fcc..6e75240 100644 --- a/ipsec-tools/racoon/isakmp_var.h +++ b/ipsec-tools/racoon/isakmp_var.h 
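Review bot: `iph2->spidx_gen = (struct policyindex *)racoon_malloc(sizeof(spidx));` casts the allocator's return value, which is unnecessary in C if racoon_malloc returns `void *` and can mask a missing prototype; since `spidx_gen` is now typed `struct policyindex *` (the casts on it were dropped in quick_r3prep), plain `iph2->spidx_gen = racoon_malloc(sizeof(*iph2->spidx_gen));` is enough and ties the size to the pointee rather than to the local `spidx`. get_proposal_r_remote starts and ends outside this hunk.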
@@ -50,7 +50,7 @@ typedef struct { /* i_cookie + r_cookie */ struct isakmp_gen; struct sched; -struct sockaddr; +struct sockaddr_storage; struct ph1handle; struct ph2handle; struct remoteconf; @@ -60,8 +60,8 @@ struct isakmp_pl_ke; /* XXX */ struct isakmp_pl_nonce; /* XXX */ extern int isakmp_handler __P((int)); -extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr *, - struct sockaddr *, int)); +extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr_storage *, + struct sockaddr_storage *, int)); extern vchar_t *isakmp_parsewoh __P((int, struct isakmp_gen *, int)); extern vchar_t *isakmp_parse __P((vchar_t *)); @@ -102,7 +102,7 @@ extern caddr_t isakmp_set_attr_l __P((caddr_t, int, u_int32_t)); extern vchar_t *isakmp_add_attr_v __P((vchar_t *, int, caddr_t, int)); extern vchar_t *isakmp_add_attr_l __P((vchar_t *, int, u_int32_t)); -extern int isakmp_newcookie __P((caddr_t, struct sockaddr *, struct sockaddr *)); +extern int isakmp_newcookie __P((caddr_t, struct sockaddr_storage *, struct sockaddr_storage *)); extern int isakmp_p2ph __P((vchar_t **, struct isakmp_gen *)); @@ -119,12 +119,12 @@ extern vchar_t *isakmp_plist_append_initial_contact __P((struct ph1handle *, struct payload_list *)); #ifdef HAVE_PRINT_ISAKMP_C -extern void isakmp_printpacket __P((vchar_t *, struct sockaddr *, - struct sockaddr *, int)); +extern void isakmp_printpacket __P((vchar_t *, struct sockaddr_storage *, + struct sockaddr_storage *, int)); #endif extern int copy_ph1addresses __P(( struct ph1handle *, - struct remoteconf *, struct sockaddr *, struct sockaddr *)); + struct remoteconf *, struct sockaddr_storage *, struct sockaddr_storage *)); extern void log_ph1established __P((const struct ph1handle *)); extern void script_hook __P((struct ph1handle *, int)); 
@@ -134,6 +134,6 @@ extern int script_exec __P((char *, int, char * const *)); void purge_remote __P((struct ph1handle *)); void delete_spd __P((struct ph2handle *)); #ifdef INET6 -u_int32_t setscopeid __P((struct sockaddr *, struct sockaddr *)); +u_int32_t setscopeid __P((struct sockaddr_storage *, struct sockaddr_storage *)); #endif #endif /* _ISAKMP_VAR_H */ diff --git a/ipsec-tools/racoon/isakmp_xauth.c b/ipsec-tools/racoon/isakmp_xauth.c index 63e9290..955a062 100644 --- a/ipsec-tools/racoon/isakmp_xauth.c +++ b/ipsec-tools/racoon/isakmp_xauth.c @@ -322,7 +322,7 @@ xauth_attr_reply(iph1, attr, id) if (throttle_delay > 0) { char *str; - str = saddrwop2str(iph1->remote); + str = saddrwop2str((struct sockaddr *)iph1->remote); plog(LLV_ERROR, LOCATION, NULL, "Throttling in action for %s: delay %lds\n", @@ -644,7 +644,7 @@ PAM_conv(msg_count, msg, rsp, dontcare) int xauth_login_pam(port, raddr, usr, pwd) int port; - struct sockaddr *raddr; + struct sockaddr_storage *raddr; char *usr; char *pwd; { @@ -1588,7 +1588,6 @@ isakmp_xauth_set(iph1, attr) { int type; vchar_t *buffer = NULL; - char *data; struct xauth_state *xst; size_t dlen = 0; char* mraw = NULL; diff --git a/ipsec-tools/racoon/isakmp_xauth.h b/ipsec-tools/racoon/isakmp_xauth.h index 5898062..f12dbb7 100644 --- a/ipsec-tools/racoon/isakmp_xauth.h +++ b/ipsec-tools/racoon/isakmp_xauth.h @@ -118,7 +118,7 @@ int xauth_radius_init(void); #endif #ifdef HAVE_LIBPAM -int xauth_login_pam(int, struct sockaddr *, char *, char *); +int xauth_login_pam(int, struct sockaddr_storage *, char *, char *); #endif #ifdef HAVE_LIBLDAP diff --git a/ipsec-tools/racoon/kmpstat.c b/ipsec-tools/racoon/kmpstat.c index 21497ea..65ca9e3 100644 --- a/ipsec-tools/racoon/kmpstat.c +++ b/ipsec-tools/racoon/kmpstat.c 
@@ -98,18 +98,21 @@ u_int32_t loglevel = 0; int com_init() { - struct sockaddr_un name; - - memset(&name, 0, sizeof(name)); - name.sun_family = AF_UNIX; - snprintf(name.sun_path, sizeof(name.sun_path), + union { // Wcast-align fix - force alignment of sockaddr_un + struct sockaddr_storage ss; + struct sockaddr_un name; + } u; + + memset(&u, 0, sizeof(struct sockaddr_un)); + u.name.sun_family = AF_UNIX; + snprintf(u.name.sun_path, sizeof(u.name.sun_path), "%s", adminsock_path); so = socket(AF_UNIX, SOCK_STREAM, 0); if (so < 0) return -1; - if (connect(so, (struct sockaddr *)&name, sizeof(name)) < 0) { + if (connect(so, (struct sockaddr *)&u.ss, sizeof(struct sockaddr_un)) < 0) { (void)close(so); return -1; } @@ -136,8 +139,7 @@ int com_recv(combufp) vchar_t **combufp; { - struct admin_com h, *com; - caddr_t buf; + struct admin_com h; int len; int l = 0; caddr_t p; @@ -186,7 +188,7 @@ bad1: * Dumb plog functions (used by sockmisc.c) */ void -plog_func(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...) +plog_func(int pri, const char *func, struct sockaddr_storage *sa, const char *fmt, ...) { va_list ap; diff --git a/ipsec-tools/racoon/localconf.c b/ipsec-tools/racoon/localconf.c index 5a1af09..8552ffd 100644 --- a/ipsec-tools/racoon/localconf.c +++ b/ipsec-tools/racoon/localconf.c @@ -330,14 +330,14 @@ end: */ vchar_t * getpskbyaddr(remote) - struct sockaddr *remote; + struct sockaddr_storage *remote; { vchar_t *key = NULL; char addr[NI_MAXHOST], port[NI_MAXSERV]; plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key by addr.\n"); - GETNAMEINFO(remote, addr, port); + GETNAMEINFO((struct sockaddr *)remote, addr, port); #ifdef HAVE_OPENSSL key = privsep_getpsk(addr, strlen(addr)); diff --git a/ipsec-tools/racoon/localconf.h b/ipsec-tools/racoon/localconf.h index a21f5b6..4313515 100644 --- a/ipsec-tools/racoon/localconf.h +++ b/ipsec-tools/racoon/localconf.h 
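Review bot: The `snprintf(u.name.sun_path, ...)` in com_init still ignores truncation: an `adminsock_path` longer than `sun_path` is silently cut and the client then connects to a different socket path than the one configured; the patch rewrites this line but keeps the unchecked form. Check the result before calling socket(): `int n = snprintf(u.name.sun_path, sizeof(u.name.sun_path), "%s", adminsock_path);` followed by `if (n < 0 || (size_t)n >= sizeof(u.name.sun_path)) return -1;`. The union trick for alignment is fine; `memset(&u, 0, sizeof(struct sockaddr_un))` could simply be `memset(&u, 0, sizeof u)` so the whole union is cleared.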
@@ -173,7 +173,7 @@ extern struct localconf *lcconf; extern void initlcconf __P((void)); extern void flushlcconf __P((void)); extern vchar_t *getpskbyname __P((vchar_t *)); -extern vchar_t *getpskbyaddr __P((struct sockaddr *)); +extern vchar_t *getpskbyaddr __P((struct sockaddr_storage *)); #if HAVE_KEYCHAIN extern vchar_t *getpskfromkeychain __P((const char *, u_int8_t, int, vchar_t *)); #endif diff --git a/ipsec-tools/racoon/logger.c b/ipsec-tools/racoon/logger.c index 5d307b8..054871e 100644 --- a/ipsec-tools/racoon/logger.c +++ b/ipsec-tools/racoon/logger.c @@ -67,7 +67,6 @@ static int log_flush (struct log *p, int newbytes) { struct stat st; - int good = 0; if (!p || !p->fp) { return -1; diff --git a/ipsec-tools/racoon/main.c b/ipsec-tools/racoon/main.c index 84e1beb..7b4f049 100644 --- a/ipsec-tools/racoon/main.c +++ b/ipsec-tools/racoon/main.c @@ -110,16 +110,19 @@ static void restore_params __P((void)); static void save_params __P((void)); static void saverestore_params __P((int)); static void cleanup_pidfile __P((void)); +#if 0 // int launchedbylaunchd __P((void)); +#endif pid_t racoon_pid = 0; +int launchdlaunched = 0; int print_pid = 1; /* for racoon only */ char logFileStr[MAXPATHLEN+1]; void usage() { - printf("usage: racoon [-BdFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n", + printf("usage: racoon [-BdDFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n", #ifdef INET6 "46", #else @@ -134,6 +137,7 @@ usage() printf(" -B: install SA to the kernel from the file " "specified by the configuration file.\n"); printf(" -d: debug level, more -d will generate more debug message.\n"); + printf(" -D: started by LaunchD (implies daemon mode).\n"); printf(" -C: dump parsed config file.\n"); printf(" -L: include location in debug messages\n"); printf(" -F: run in foreground, do not become daemon.\n"); 
@@ -266,7 +270,7 @@ skip: ploginit(); - plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d\n", getpid(), getppid()); + plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched); plog(LLV_INFO, LOCATION, NULL, "%s\n", version); #ifdef HAVE_OPENSSL plog(LLV_INFO, LOCATION, NULL, "@(#)" @@ -344,7 +348,7 @@ skip: if (f_foreground) close(0); else { - if ( !exec_done && launchedbylaunchd() ){ + if ( !exec_done && launchdlaunched ){ plog(LLV_INFO, LOCATION, NULL, "racoon launched by launchd.\n"); exec_done = 1; @@ -411,23 +415,14 @@ skip: exit(0); } - +#if 0 // int launchedbylaunchd(){ - int launchdlaunched = 1; launch_data_t checkin_response = NULL; - launch_data_t checkin_request = NULL; - - /* check in with launchd */ - if ((checkin_request = launch_data_new_string(LAUNCH_KEY_CHECKIN)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "launch_data_new_string fails.\n"); - launchdlaunched = 0; - goto done; - } - if ((checkin_response = launch_msg(checkin_request)) == NULL) { + + if ((checkin_response = launch_socket_service_check_in()) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "launch_msg fails.\n"); + "launch_socket_service_check_in fails.\n"); launchdlaunched = 0; goto done; } @@ -437,15 +432,14 @@ launchedbylaunchd(){ launchdlaunched = 0; goto done; } - + launchdlaunched = 1; done: /* clean up before we leave */ - if ( checkin_request ) - launch_data_free(checkin_request); if ( checkin_response ) launch_data_free(checkin_response); return launchdlaunched; } +#endif static void cleanup_pidfile() @@ -491,7 +485,7 @@ parse(ac, av) plogset("/tmp/racoon.log"); #endif - while ((c = getopt(ac, av, "dLFp:P:a:f:l:vsZBCx" + while ((c = getopt(ac, av, "dDLFp:P:a:f:l:vsZBCx" #ifdef YYDEBUG "y" #endif 
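Review bot: Disabling launchedbylaunchd() under `#if 0` replaces an actual launchd check-in with the operator-supplied `-D` flag, so the `"racoon launched by launchd.\n"` log line and the `launchdlaunched` value in the startup banner now record an assertion rather than a verified fact; if anything downstream of the `exec_done` branch relied on the check-in (sockets handed over by launchd, for instance), that path should be re-examined, since it is outside this hunk. The `#if 0` block should be deleted rather than kept as dead code, and `int launchdlaunched = 0;` should be `static` unless another file references it (none is visible in this patch). I would also reword the log line to `"racoon started with -D (launchd mode).\n"` so it does not imply verification.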
@@ -503,10 +497,21 @@ parse(ac, av) case 'd': loglevel++; break; + case 'D': + if (f_foreground) { + fprintf(stderr, "-D and -F are mutually exclusive\n"); + exit(1); + } + launchdlaunched = 1; + break; case 'L': print_location = 1; break; case 'F': + if (launchdlaunched) { + fprintf(stderr, "-D and -F are mutually exclusive\n"); + exit(1); + } printf("Foreground mode.\n"); f_foreground = 1; break; diff --git a/ipsec-tools/racoon/nattraversal.c b/ipsec-tools/racoon/nattraversal.c index b3290d1..1f08eb9 100644 --- a/ipsec-tools/racoon/nattraversal.c +++ b/ipsec-tools/racoon/nattraversal.c @@ -63,15 +63,13 @@ #include "ike_session.h" struct natt_ka_addrs { - struct sockaddr *src; - struct sockaddr *dst; + struct sockaddr_storage *src; + struct sockaddr_storage *dst; unsigned in_use; TAILQ_ENTRY(natt_ka_addrs) chain; }; -static TAILQ_HEAD(_natt_ka_addrs, natt_ka_addrs) ka_tree; - /* * check if the given vid is NAT-T. */ @@ -116,7 +114,7 @@ natt_vendorid (int vid) } vchar_t * -natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr) +natt_hash_addr (struct ph1handle *iph1, struct sockaddr_storage *addr) { vchar_t *natd; vchar_t *buf; 
@@ -125,21 +123,21 @@ natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr) size_t buf_size, addr_size; plog (LLV_INFO, LOCATION, addr, "Hashing %s with algo #%d %s\n", - saddr2str(addr), iph1->approval->hashtype, + saddr2str((struct sockaddr *)addr), iph1->approval->hashtype, (iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":""); - if (addr->sa_family == AF_INET) { + if (addr->ss_family == AF_INET) { addr_size = sizeof (struct in_addr); /* IPv4 address */ addr_ptr = &((struct sockaddr_in *)addr)->sin_addr; addr_port = &((struct sockaddr_in *)addr)->sin_port; } - else if (addr->sa_family == AF_INET6) { + else if (addr->ss_family == AF_INET6) { addr_size = sizeof (struct in6_addr); /* IPv6 address */ addr_ptr = &((struct sockaddr_in6 *)addr)->sin6_addr; addr_port = &((struct sockaddr_in6 *)addr)->sin6_port; } else { - plog (LLV_ERROR, LOCATION, addr, "Unsupported address family #0x%x\n", addr->sa_family); + plog (LLV_ERROR, LOCATION, addr, "Unsupported address family #0x%x\n", addr->ss_family); return NULL; } @@ -290,8 +288,8 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa vchar_t *i; vchar_t *r; u_int8_t *p; - struct sockaddr *i_addr; - struct sockaddr *r_addr; + struct sockaddr_storage *i_addr; + struct sockaddr_storage *r_addr; size_t i_size; size_t r_size; @@ -315,7 +313,7 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa r_addr = iph2->src; } - switch (i_addr->sa_family) { + switch (i_addr->ss_family) { case AF_INET: i_size = sizeof(in_addr_t); break; @@ -326,11 +324,11 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid address family: %d\n", i_addr->sa_family); + "invalid address family: %d\n", i_addr->ss_family); return -1; } - switch (r_addr->sa_family) { + switch (r_addr->ss_family) { case AF_INET: r_size = sizeof(in_addr_t); break; 
@@ -341,7 +339,7 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa #endif default: plog(LLV_ERROR, LOCATION, NULL, - "invalid address family: %d\n", r_addr->sa_family); + "invalid address family: %d\n", r_addr->ss_family); return -1; } @@ -362,7 +360,7 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa /* copy src address */ p = (__typeof__(p))i->v; - switch (i_addr->sa_family) { + switch (i_addr->ss_family) { case AF_INET: *p = IPSECDOI_ID_IPV4_ADDR; bcopy(&(((struct sockaddr_in *)i_addr)->sin_addr.s_addr), p + sizeof(u_int32_t), i_size); @@ -378,7 +376,7 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa /* copy dst address */ p = (__typeof__(p))r->v; - switch (r_addr->sa_family) { + switch (r_addr->ss_family) { case AF_INET: *p = IPSECDOI_ID_IPV4_ADDR; bcopy(&(((struct sockaddr_in *)r_addr)->sin_addr.s_addr), p + sizeof(u_int32_t), r_size); @@ -396,11 +394,11 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa return natoa_type; } -struct sockaddr * +struct sockaddr_storage * process_natoa_payload(vchar_t *buf) { - struct sockaddr *saddr = NULL; - struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)buf->v; + struct sockaddr_storage *saddr = NULL; + struct ipsecdoi_id_b *id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)buf->v; switch (id_b->type) { case IPSECDOI_ID_IPV4_ADDR: @@ -410,8 +408,8 @@ process_natoa_payload(vchar_t *buf) "error allocating addr for NAT-OA payload\n"); return NULL; } - saddr->sa_len = sizeof(struct sockaddr_in); - saddr->sa_family = AF_INET; + saddr->ss_len = sizeof(struct sockaddr_in); + saddr->ss_family = AF_INET; ((struct sockaddr_in *)saddr)->sin_port = IPSEC_PORT_ANY; memcpy(&((struct sockaddr_in *)saddr)->sin_addr, buf->v + sizeof(*id_b), sizeof(struct in_addr)); 
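Review bot: The `memcpy(&((struct sockaddr_in *)saddr)->sin_addr, buf->v + sizeof(*id_b), sizeof(struct in_addr))` in process_natoa_payload copies from a peer-supplied NAT-OA payload, and no check that `buf->l >= sizeof(*id_b) + sizeof(struct in_addr)` is visible in this hunk or its neighbours; if it is also absent from the parts of the function outside the hunk, a short NAT-OA payload turns this into an out-of-bounds read of the message buffer (the IPv6 case in the next hunk has the same shape). `id_b->type` itself should only be read once `buf->l >= sizeof(*id_b)` is established, and each case should guard its copy with `if (buf->l < sizeof(*id_b) + sizeof(struct in_addr)) { plog(LLV_ERROR, LOCATION, NULL, "short NAT-OA payload\n"); return NULL; }` (with `in6_addr` for the IPv6 case). The function's body continues past this hunk.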
@@ -424,8 +422,8 @@ process_natoa_payload(vchar_t *buf) "error allocating addr for NAT-OA payload\n"); return NULL; } - saddr->sa_len = sizeof(struct sockaddr_in6); - saddr->sa_family = AF_INET6; + saddr->ss_len = sizeof(struct sockaddr_in6); + saddr->ss_family = AF_INET6; ((struct sockaddr_in6 *)saddr)->sin6_port = IPSEC_PORT_ANY; memcpy(&((struct sockaddr_in6 *)saddr)->sin6_addr, buf->v + sizeof(*id_b), sizeof(struct in6_addr)); diff --git a/ipsec-tools/racoon/nattraversal.h b/ipsec-tools/racoon/nattraversal.h index a7c2148..986ca47 100644 --- a/ipsec-tools/racoon/nattraversal.h +++ b/ipsec-tools/racoon/nattraversal.h @@ -94,19 +94,19 @@ struct ph2natt { u_int8_t type; u_int16_t sport; u_int16_t dport; - struct sockaddr *oa; + struct sockaddr_storage *oa; u_int16_t frag; }; int natt_vendorid (int vid); -vchar_t *natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr); +vchar_t *natt_hash_addr (struct ph1handle *iph1, struct sockaddr_storage *addr); int natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, int natd_seq); int natt_udp_encap (int encmode); int natt_fill_options (struct ph1natt_options *opts, int version); void natt_float_ports (struct ph1handle *iph1); void natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric); int create_natoa_payloads(struct ph2handle *iph2, vchar_t **, vchar_t **); -struct sockaddr * process_natoa_payload(vchar_t *buf); +struct sockaddr_storage * process_natoa_payload(vchar_t *buf); struct payload_list * isakmp_plist_append_natt_vids (struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]); diff --git a/ipsec-tools/racoon/oakley.c b/ipsec-tools/racoon/oakley.c index eefa0fb..0bd8958 100644 --- a/ipsec-tools/racoon/oakley.c +++ b/ipsec-tools/racoon/oakley.c @@ -97,9 +97,6 @@ #include "sockmisc.h" #include "strnames.h" #include "gcmalloc.h" -#ifdef HAVE_OPENSSL -#include "rsalist.h" -#endif #include #include "remoteconf.h" #include "vpn_control.h" 
@@ -158,9 +155,6 @@ struct dhgroup dh_modp8192; static int oakley_check_dh_pub __P((vchar_t *, vchar_t **)); static int oakley_compute_keymat_x __P((struct ph2handle *, int, int)); static int get_cert_fromlocal __P((struct ph1handle *, int)); -#ifdef HAVE_OPENSSL -static int get_plainrsa_fromlocal __P((struct ph1handle *, int)); -#endif static int oakley_check_certid __P((struct ph1handle *iph1, int)); static int oakley_check_certid_1 __P((vchar_t *, int, int, void*, cert_status_t *certStatus)); static int check_typeofcertname __P((int, int)); @@ -445,11 +439,12 @@ oakley_dh_generate(const struct dhgroup *dh, vchar_t **pub, size_t *publicKeySiz *pub = NULL; switch (dh->type) { case OAKLEY_ATTR_GRP_TYPE_MODP: +#define SECDH_MODP_GENERATOR OAKLEY_ATTR_GRP_DESC_MODP1024 if (dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1024 && dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1536) { plog(LLV_ERROR, LOCATION, NULL, "Invalid dh group.\n"); goto fail; } - if (SecDHCreate(dh->desc, dh->prime->v, dh->prime->l, 0, NULL, 0, dhC)) { + if (SecDHCreate(SECDH_MODP_GENERATOR, dh->prime->v, dh->prime->l, 0, NULL, 0, dhC)) { plog(LLV_ERROR, LOCATION, NULL, "failed to create dh context.\n"); goto fail; } 
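Review bot: `SECDH_MODP_GENERATOR` is defined as `OAKLEY_ATTR_GRP_DESC_MODP1024`, a group-descriptor enumerator, yet it is passed where SecDHCreate takes the generator; this only works because that descriptor's value (2 in RFC 2409 Appendix A) happens to equal the MODP generator g = 2. The old code passed `dh->desc`, which is 5 for MODP1536, so if the first argument really is g the change fixes a wrong generator for that group but hides the reason behind a misleading name. Spell the constant out, say why, and move the `#define` out of the switch body to file scope: `#define SECDH_MODP_GENERATOR 2 /* g = 2 for every RFC 2409 MODP group; SecDHCreate takes the generator, not the group descriptor */`. oakley_dh_generate starts before the hunk and continues after it.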
@@ -870,59 +865,6 @@ end: return error; } -#if notyet -/* - * NOTE: Must terminate by NULL. - */ -vchar_t * -oakley_compute_hashx(struct ph1handle *iph1, ...) -{ - vchar_t *buf, *res; - vchar_t *s; - caddr_t p; - int len; - - va_list ap; - - /* get buffer length */ - va_start(ap, iph1); - len = 0; - while ((s = va_arg(ap, vchar_t *)) != NULL) { - len += s->l - } - va_end(ap); - - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get hash buffer\n"); - return NULL; - } - - /* set buffer */ - va_start(ap, iph1); - p = buf->v; - while ((s = va_arg(ap, char *)) != NULL) { - memcpy(p, s->v, s->l); - p += s->l; - } - va_end(ap); - - plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - - /* compute HASH */ - res = oakley_prf(iph1->skeyid_a, buf, iph1); - vfree(buf); - if (res == NULL) - return NULL; - - plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); - plogdump(LLV_DEBUG, res->v, res->l); - - return res; -} -#endif /* * compute HASH(3) prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) @@ -1454,26 +1396,6 @@ oakley_verify_userid(iph1) } #endif /* HAVE_OPENDIR */ -#ifdef HAVE_OPENSSL -static int -oakley_verify_x509sign(certchain, my_hash, my_sig) - cert_t *certchain; - vchar_t *my_hash; - vchar_t *my_sig; -{ - cert_t *p; - int result = -1; - - for (p = certchain; p; p = p->chain) { - if ((result = eay_check_x509sign(my_hash, - my_sig, - &p->cert)) == 0) { - break; - } - } - return result; -} -#endif #ifdef HAVE_OPENSSL static int oakley_check_x509cert(certchain, capath, cafile, local) @@ -1517,9 +1439,7 @@ oakley_validate_auth(iph1) #ifdef ENABLE_STATS struct timeval start, end; #endif -#if TARGET_OS_EMBEDDED SecKeyRef publicKeyRef; -#endif #ifdef ENABLE_STATS gettimeofday(&start, NULL); @@ -1644,9 +1564,6 @@ oakley_validate_auth(iph1) error = get_cert_fromlocal(iph1, 0); break; - case ISAKMP_CERT_PLAINRSA: - error = get_plainrsa_fromlocal(iph1, 0); - break; } if (error) return ISAKMP_INTERNAL_ERROR; 
@@ -1719,8 +1636,6 @@ oakley_validate_auth(iph1) #endif switch (certtype) { case ISAKMP_CERT_X509SIGN: - -#if TARGET_OS_EMBEDDED { /* use ID from remote configuration */ /* check each ID in list */ @@ -1732,9 +1647,9 @@ oakley_validate_auth(iph1) if (iph1->rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) { id_spec = genlist_next(iph1->rmconf->idvl_p, &gpb); /* expect only one id */ if (id_spec->idtype == IDTYPE_ADDRESS) { - switch (((struct sockaddr *)(id_spec->id->v))->sa_family) { + switch ((ALIGNED_CAST(struct sockaddr_storage *)(id_spec->id->v))->ss_family) { case AF_INET: - peers_id = inet_ntoa(((struct sockaddr_in *)(id_spec->id->v))->sin_addr); + peers_id = inet_ntoa((ALIGNED_CAST(struct sockaddr_in *)(id_spec->id->v))->sin_addr); hostname = CFStringCreateWithCString(NULL, peers_id, kCFStringEncodingUTF8); break; #ifdef INET6 @@ -1755,32 +1670,7 @@ oakley_validate_auth(iph1) if (hostname) CFRelease(hostname); } - -#else /* TARGET_OS_EMBEDDED */ - if (iph1->rmconf->cert_verification == VERIFICATION_MODULE_SEC_FRAMEWORK) - error = crypto_cssm_check_x509cert(oakley_get_peer_cert_from_certchain(iph1), - iph1->cert_p, - NULL); - else - { - char path[MAXPATHLEN]; - char *ca; - - if (iph1->rmconf->cacertfile != NULL) { - getpathname(path, sizeof(path), - LC_PATHTYPE_CERT, - iph1->rmconf->cacertfile); - ca = path; - } else { - ca = NULL; - } - - error = oakley_check_x509cert(iph1->cert_p, - lcconf->pathinfo[LC_PATHTYPE_CERT], - ca, 0); - } -#endif /* TARGET_OS_EMBEDDED */ - break; + break; default: plog(LLV_ERROR, LOCATION, NULL, 
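Review bot: In the `@@ -1732,9 +1647,9 @@` hunk `id_spec = genlist_next(iph1->rmconf->idvl_p, &gpb)` is dereferenced as `id_spec->idtype` with no NULL check, and with the `#if TARGET_OS_EMBEDDED` guard removed this path now runs on every platform. If the configuration parser (not visible here) allows VERIFICATION_OPTION_PEERS_IDENTIFIER with an empty identifier list, an empty list crashes racoon in the middle of peer authentication instead of failing it. A guard such as `if (id_spec == NULL) { plog(LLV_ERROR, LOCATION, NULL, "no peer identifier configured for certificate verification\n"); error = -1; break; }` before the `idtype` test keeps it a verification failure, using the same non-zero `error` convention the removed PLAINRSA branch used. oakley_validate_auth starts and ends outside the hunk.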
@@ -1832,24 +1722,15 @@ oakley_validate_auth(iph1) switch (certtype) { case ISAKMP_CERT_X509SIGN: case ISAKMP_CERT_DNS: -#if TARGET_OS_EMBEDDED + if (publicKeyRef == NULL) + plog(LLV_ERROR, LOCATION, NULL, "@@@@@@ publicKeyRef is NULL\n"); error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p); if (error) plog(LLV_ERROR, LOCATION, NULL, "error verifying signature %s\n", GetSecurityErrorString(error)); CFRelease(publicKeyRef); -#else - error = oakley_verify_x509sign(iph1->cert_p, my_hash, iph1->sig_p); -#endif break; -#ifdef HAVE_OPENSSL - case ISAKMP_CERT_PLAINRSA: - iph1->rsa_p = rsa_try_check_rsasign(my_hash, - iph1->sig_p, iph1->rsa_candidates); - error = iph1->rsa_p ? 0 : -1; - break; -#endif default: plog(LLV_ERROR, LOCATION, NULL, "no supported certtype %d\n", @@ -1985,7 +1866,7 @@ oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (struct ph1handle *iph1, u_int32_t address; u_int32_t fail_reason; - if (iph1->remote->sa_family == AF_INET) + if (iph1->remote->ss_family == AF_INET) address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr; else address = 0; @@ -2009,7 +1890,6 @@ oakley_getmycert(iph1) struct ph1handle *iph1; { int err; - u_int32_t address; switch (iph1->rmconf->certtype) { case ISAKMP_CERT_X509SIGN: @@ -2021,12 +1901,7 @@ oakley_getmycert(iph1) } } return err; -#ifdef HAVE_OPENSSL - case ISAKMP_CERT_PLAINRSA: - if (iph1->rsa) - return 0; - return get_plainrsa_fromlocal(iph1, 1); -#endif + default: plog(LLV_ERROR, LOCATION, NULL, "Unknown certtype #%d\n", @@ -2047,7 +1922,9 @@ get_cert_fromlocal(iph1, my) struct ph1handle *iph1; int my; { +#ifdef HAVE_OPENSSL char path[MAXPATHLEN]; +#endif vchar_t *cert = NULL; cert_t **certpl; char *certfile; 
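Review bot: When `publicKeyRef` is NULL the new code only logs it (with a `@@@@@@` debug marker that should not ship) and then still calls `crypto_cssm_verify_x509sign(NULL, …)` and `CFRelease(publicKeyRef)`; CFRelease on NULL aborts the process, so a peer whose certificate yields no usable public key becomes a crash rather than an authentication failure. The NULL case should set `error` to a failure value and `break` before the verify call — the removed PLAINRSA branch used `-1` for exactly this — and the log line should be a plain message. Whether `crypto_cssm_verify_x509sign` itself tolerates a NULL key cannot be seen from here, so the guard should not depend on it. oakley_validate_auth starts and ends outside the hunk.
```c
case ISAKMP_CERT_X509SIGN:
case ISAKMP_CERT_DNS:
    if (publicKeyRef == NULL) {
        plog(LLV_ERROR, LOCATION, NULL,
             "no public key available to verify the peer's signature\n");
        error = -1;	/* non-zero, like the old PLAINRSA failure path */
        break;
    }
    /* … unchanged: crypto_cssm_verify_x509sign, error log, CFRelease, break … */
```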
@@ -2136,66 +2013,15 @@ end: return error; } -#ifdef HAVE_OPENSSL -static int -get_plainrsa_fromlocal(iph1, my) - struct ph1handle *iph1; - int my; -{ - char path[MAXPATHLEN]; - vchar_t *cert = NULL; - char *certfile; - int error = -1; - - iph1->rsa_candidates = rsa_lookup_keys(iph1, my); - if (!iph1->rsa_candidates || - rsa_list_count(iph1->rsa_candidates) == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "%s RSA key not found for %s\n", - my ? "Private" : "Public", - saddr2str_fromto("%s <-> %s", - iph1->local, iph1->remote)); - goto end; - } - - if (my && rsa_list_count(iph1->rsa_candidates) > 1) { - plog(LLV_WARNING, LOCATION, NULL, - "More than one (=%lu) private " - "PlainRSA key found for %s\n", - rsa_list_count(iph1->rsa_candidates), - saddr2str_fromto("%s <-> %s", - iph1->local, iph1->remote)); - plog(LLV_WARNING, LOCATION, NULL, - "This may have unpredictable results, " - "i.e. wrong key could be used!\n"); - plog(LLV_WARNING, LOCATION, NULL, - "Consider using only one single private " - "key for all peers...\n"); - } - if (my) { - iph1->rsa = ((struct rsa_key *) - genlist_next(iph1->rsa_candidates, NULL))->rsa; - - genlist_free(iph1->rsa_candidates, NULL); - iph1->rsa_candidates = NULL; - - if (iph1->rsa == NULL) - goto end; - } - - error = 0; - -end: - return error; -} -#endif /* get signature */ int oakley_getsign(iph1) struct ph1handle *iph1; { +#ifdef HAVE_OPENSSL char path[MAXPATHLEN]; +#endif vchar_t *privkey = NULL; int error = -1; 
@@ -2211,32 +2037,6 @@ oakley_getsign(iph1) CFRelease(dataRef); break; } // else fall thru -#ifdef HAVE_OPENSSL - case ISAKMP_CERT_DNS: - if (iph1->rmconf->myprivfile == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n"); - goto end; - } - - /* make private file name */ - getpathname(path, sizeof(path), - LC_PATHTYPE_CERT, - iph1->rmconf->myprivfile); - privkey = privsep_eay_get_pkcs1privkey(path); - if (privkey == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get private key.\n"); - goto end; - } - plog(LLV_DEBUG2, LOCATION, NULL, "private key:\n"); - plogdump(LLV_DEBUG2, privkey->v, privkey->l); - - iph1->sig = eay_get_x509sign(iph1->hash, privkey); - break; - case ISAKMP_CERT_PLAINRSA: - iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa); - break; -#endif default: plog(LLV_ERROR, LOCATION, NULL, "Unknown certtype #%d\n", @@ -2309,7 +2109,7 @@ oakley_get_peer_cert_from_certchain(iph1) return iph1->cert_p; } - id_b = (struct ipsecdoi_id_b *)iph1->id_p->v; + id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v; peers_id = id_b + 1; idlen = iph1->id_p->l - sizeof(*id_b); for (p = iph1->cert_p; p; p = p->chain) { @@ -2340,7 +2140,7 @@ oakley_check_certid(iph1, which_id) plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n"); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } - id_b = (struct ipsecdoi_id_b *)iph1->id_p->v; + id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v; doi_type = id_b->type; peers_id = id_b + 1; idlen = iph1->id_p->l - sizeof(*id_b); 
@@ -2355,17 +2155,17 @@ oakley_check_certid(iph1, which_id) for (id_spec = genlist_next (iph1->rmconf->idvl_p, &gpb); id_spec; id_spec = genlist_next (0, &gpb)) { if (id_spec->idtype == IDTYPE_ADDRESS) { - switch (((struct sockaddr *)(id_spec->id->v))->sa_family) { + switch ((ALIGNED_CAST(struct sockaddr_storage *)(id_spec->id->v))->ss_family) { case AF_INET: doi_type = IPSECDOI_ID_IPV4_ADDR; idlen = sizeof(struct in_addr); - peers_id = &(((struct sockaddr_in *)(id_spec->id->v))->sin_addr.s_addr); + peers_id = &((ALIGNED_CAST(struct sockaddr_in *)(id_spec->id->v))->sin_addr.s_addr); break; #ifdef INET6 case AF_INET6: doi_type = IPSECDOI_ID_IPV6_ADDR; idlen = sizeof(struct in6_addr); - peers_id = &(((struct sockaddr_in6 *)(id_spec->id->v))->sin6_addr.s6_addr); + peers_id = &((ALIGNED_CAST(struct sockaddr_in6 *)(id_spec->id->v))->sin6_addr.s6_addr); break; #endif default: @@ -2396,11 +2196,15 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) cert_status_t *certStatus; { - vchar_t *name = NULL; - char *altname = NULL; - int type, len; + int len; int error; +#if !TARGET_OS_EMBEDDED + int type; + vchar_t *name = NULL; + char *altname = NULL; +#endif + switch (idtype) { case IPSECDOI_ID_DER_ASN1_DN: #if TARGET_OS_EMBEDDED @@ -2455,6 +2259,8 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) CFRelease(subject); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } + CFRelease(certificate); + CFRelease(subject); } #else name = eay_get_x509asn1subjectname(cert); @@ -2503,6 +2309,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) CFIndex pos, count; SecCertificateRef certificate; CFArrayRef addresses; +#define ADDRESS_BUF_SIZE 64 certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert); if (certificate == NULL) { 
@@ -2534,17 +2341,19 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus) addressLen = CFStringGetLength(address); if (addressLen == 0) continue; - addressBuf = racoon_malloc(addressLen + 1); + addressBuf = racoon_malloc(ADDRESS_BUF_SIZE); if (addressBuf == NULL) { plog(LLV_ERROR, LOCATION, NULL, "out of memory\n"); + CFRelease(addresses); + CFRelease(certificate); return -1; } - if (CFStringGetCString(address, addressBuf, addressLen + 1, kCFStringEncodingUTF8) == TRUE) { + if (CFStringGetCString(address, addressBuf, ADDRESS_BUF_SIZE, kCFStringEncodingUTF8) == TRUE) { result = inet_pton(idtype == IPSECDOI_ID_IPV4_ADDR ? AF_INET : AF_INET6, addressBuf, numAddress); racoon_free(addressBuf); if (result == 0) continue; // wrong type or invalid address - if (memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? 32 : 128) == 0) { // found a match ? + if (!memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? 32 : 128) == 0) { // found a match ? CFRelease(addresses); CFRelease(certificate); return 0; 
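Review bot: `if (!memcmp(id, numAddress, …) == 0)` parses as `(!memcmp(...)) == 0`, which is true exactly when the bytes differ, so the address check now accepts every certificate address that does NOT equal the peer ID and rejects the one that does — the opposite of the intent, and a bypass of the ID-to-certificate binding that oakley_check_certid_1 exists to enforce. The lengths are also wrong: 32 and 128 read like bit counts, but memcmp takes bytes, so the compare reads 32/128 bytes out of a `numAddress` that presumably holds 4 or 16 (pre-existing, but this line is being rewritten anyway). Use `if (memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? sizeof(struct in_addr) : sizeof(struct in6_addr)) == 0) {`. The function starts and ends outside the hunk.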
@@ -3261,6 +3070,61 @@ oakley_needcr(type) /*NOTREACHED*/ } +vchar_t * +oakley_getpskall(iph1) +struct ph1handle *iph1; +{ + vchar_t *secret = NULL; + + if (iph1->rmconf->shared_secret) { + + switch (iph1->rmconf->secrettype) { + case SECRETTYPE_KEY: + /* in psk file - use KEY from remote configuration to locate it */ + secret = getpsk(iph1->rmconf->shared_secret->v, iph1->rmconf->shared_secret->l-1); + break; +#if HAVE_KEYCHAIN + case SECRETTYPE_KEYCHAIN: + /* in the system keychain */ + secret = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, NULL); + break; + case SECRETTYPE_KEYCHAIN_BY_ID: + /* in the system keychain - use peer id */ + secret = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, iph1->id_p); + break; +#endif // HAVE_KEYCHAIN + case SECRETTYPE_USE: + /* in the remote configuration */ + default: + /* rmconf->shared_secret is a string and contains a NULL character that must be removed */ + secret = vmalloc(iph1->rmconf->shared_secret->l - 1); + if (secret == NULL) { + plog(LLV_ERROR, LOCATION, iph1->remote, "memory error.\n"); + goto end; + } + memcpy(secret->v, iph1->rmconf->shared_secret->v, secret->l); + } + } else { + secret = getpskbyname(iph1->id_p); + if (!secret) { + if (iph1->rmconf->verify_identifier) { + plog(LLV_ERROR, LOCATION, iph1->remote, + "couldn't find the Hybrid pskey.\n"); + goto end; + } + } + } + if (!secret) { + plog(LLV_NOTIFY, LOCATION, iph1->remote, + "couldn't find the Hybrid pskey, " + "try to get one by the peer's address.\n"); + secret = getpskbyaddr(iph1->remote); + } + +end: + return secret; +} + /* * compute SKEYID * see seciton 5. Exchanges in RFC 2409 
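Review bot: oakley_getpskall falls back to `getpskbyaddr(iph1->remote)` whenever the configured source yields nothing — including when `secrettype` names a psk-file key or keychain item that is simply missing — and logs that at LLV_NOTIFY with a "Hybrid pskey" message that only fits the `getpskbyname` branch. Whether a peer configured for a specific key should be authenticated with whatever key is stored under its address is a policy choice the commit does not state; at minimum the message should name the lookup that failed, e.g. `"no pre-shared key from configured source, trying peer address.\n"`. Separately, `shared_secret->l - 1` (passed to getpsk and to vmalloc) wraps to SIZE_MAX when `l` is 0; if an empty vchar can reach here (the parser is not visible), add `if (iph1->rmconf->shared_secret->l == 0) goto end;` before the switch.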
@@ -3300,7 +3164,7 @@ oakley_skeyid(iph1) /* in the system keychain - use peer id */ iph1->authstr = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, iph1->id_p); break; -#endif HAVE_KEYCHAIN +#endif // HAVE_KEYCHAIN case SECRETTYPE_USE: /* in the remote configuration */ default: @@ -3338,7 +3202,7 @@ oakley_skeyid(iph1) if (iph1->authstr == NULL) { plog(LLV_ERROR, LOCATION, iph1->remote, "couldn't find the pskey for %s.\n", - saddrwop2str(iph1->remote)); + saddrwop2str((struct sockaddr *)iph1->remote)); goto end; } } diff --git a/ipsec-tools/racoon/oakley.h b/ipsec-tools/racoon/oakley.h index 7c7e48c..c900382 100644 --- a/ipsec-tools/racoon/oakley.h +++ b/ipsec-tools/racoon/oakley.h @@ -236,6 +236,7 @@ struct isakmp_gen; extern int oakley_savecert __P((struct ph1handle *, struct isakmp_gen *)); extern int oakley_savecr __P((struct ph1handle *, struct isakmp_gen *)); +extern vchar_t * oakley_getpskall __P((struct ph1handle *)); extern int oakley_skeyid __P((struct ph1handle *)); extern int oakley_skeyid_dae __P((struct ph1handle *)); diff --git a/ipsec-tools/racoon/pfkey.h b/ipsec-tools/racoon/pfkey.h index f434b80..f4b5419 100644 --- a/ipsec-tools/racoon/pfkey.h +++ b/ipsec-tools/racoon/pfkey.h @@ -75,6 +75,6 @@ extern int pfkey_convertfromipsecdoi __P(( u_int, u_int, u_int, u_int *, u_int *, u_int *, u_int *, u_int *)); extern u_int32_t pk_getseq __P((void)); extern const char *sadbsecas2str - __P((struct sockaddr *, struct sockaddr *, int, u_int32_t, int)); + __P((struct sockaddr_storage *, struct sockaddr_storage *, int, u_int32_t, int)); #endif /* _PFKEY_H */ diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index aa10d6d..88ec5f7 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c 
@@ -129,7 +129,7 @@ static int pk_recvspdget __P((caddr_t *)); static int pk_recvspddump __P((caddr_t *)); static int pk_recvspdflush __P((caddr_t *)); static int pk_recvgetsastat __P((caddr_t *)); -static struct sadb_msg *pk_recv __P((int, int *)); +static struct sadb_msg *pk_recv __P((int, ssize_t *)); static int (*pkrecvf[]) __P((caddr_t *)) = { NULL, @@ -195,9 +195,9 @@ pfkey_process(msg) caddr_t mhp[SADB_EXT_MAX + 1]; int error = -1; - plog(LLV_DEBUG, LOCATION, NULL, "get pfkey %s message\n", - s_pfkey_type(msg->sadb_msg_type)); - plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3); + //plog(LLV_DEBUG, LOCATION, NULL, "get pfkey %s message\n", + // s_pfkey_type(msg->sadb_msg_type)); + //plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3); /* validity check */ if (msg->sadb_msg_errno) { @@ -231,7 +231,7 @@ pfkey_process(msg) ipsec_strerror()); goto end; } - msg = (struct sadb_msg *)mhp[0]; + msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer /* safety check */ if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) { @@ -267,7 +267,7 @@ int pfkey_handler() { struct sadb_msg *msg; - int len; + ssize_t len; if (slept_at || woke_at) { plog(LLV_DEBUG, LOCATION, NULL, @@ -286,6 +286,8 @@ pfkey_handler() return -1; } else { /* short message - msg not ready */ + plog(LLV_ERROR, LOCATION, NULL, + "recv short message from pfkey\n"); return 0; } } @@ -301,7 +303,7 @@ pfkey_post_handler() if (slept_at || woke_at) { plog(LLV_DEBUG, LOCATION, NULL, "ignoring (saved) pfkey messages until power-mgmt event is handled.\n"); - return 0; + return; } TAILQ_FOREACH_SAFE(elem, &lcconf->saved_msg_queue, chain, elem_tmp) { @@ -338,7 +340,7 @@ pfkey_dump_sadb(satype) pid_t pid = getpid(); struct sadb_msg *msg = NULL; size_t bl, ml; - int len; + ssize_t len; if ((s = privsep_pfkey_open()) < 0) { plog(LLV_ERROR, LOCATION, NULL, 
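Review bot: In the `@@ -195,9 +195,9 @@` hunk the three `plog`/`plogdump` lines in pfkey_process are commented out rather than removed or gated, which leaves dead text that drifts from the code it once described. If the goal is to cut log volume, delete the lines or keep them behind the more verbose level the dump already used, e.g. `plog(LLV_DEBUG2, LOCATION, NULL, "get pfkey %s message\n", s_pfkey_type(msg->sadb_msg_type));`. pfkey_process starts before the hunk and continues after it.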
@@ -858,7 +860,7 @@ pfkey_timeover(iph2) { plog(LLV_ERROR, LOCATION, NULL, "%s give up to get IPsec-SA due to time up to wait.\n", - saddrwop2str(iph2->dst)); + saddrwop2str((struct sockaddr *)iph2->dst)); SCHED_KILL(iph2->sce); /* If initiator side, send error to kernel by SADB_ACQUIRE. */ @@ -883,7 +885,7 @@ int pk_sendgetspi(iph2) struct ph2handle *iph2; { - struct sockaddr *src = NULL, *dst = NULL; + struct sockaddr_storage *src = NULL, *dst = NULL; u_int satype, mode; struct saprop *pp; struct saproto *pr; @@ -967,7 +969,7 @@ pk_recvgetspi(mhp) struct sadb_msg *msg; struct sadb_sa *sa; struct ph2handle *iph2; - struct sockaddr *dst; + struct sockaddr_storage *dst; int proto_id; int allspiok, notfound; struct saprop *pp; @@ -980,9 +982,9 @@ pk_recvgetspi(mhp) "inappropriate sadb getspi message passed.\n"); return -1; } - msg = (struct sadb_msg *)mhp[0]; - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */ + msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer + sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]; + dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */ /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { @@ -1022,7 +1024,7 @@ pk_recvgetspi(mhp) if (!ike_session_update_ph2_ph1bind(iph2)) { plog(LLV_ERROR, LOCATION, NULL, "can't proceed with getspi for %s. no suitable ISAKMP-SA found \n", - saddrwop2str(iph2->dst)); + saddrwop2str((struct sockaddr *)iph2->dst)); unbindph12(iph2); remph2(iph2); delph2(iph2); @@ -1054,7 +1056,7 @@ pk_recvgetspi(mhp) if (notfound) { plog(LLV_ERROR, LOCATION, NULL, "get spi for unknown address %s\n", - saddrwop2str(iph2->dst)); + saddrwop2str((struct sockaddr *)iph2->dst)); unbindph12(iph2); remph2(iph2); delph2(iph2); 
@@ -1086,7 +1088,7 @@ pk_sendupdate(iph2) struct ph2handle *iph2; { struct saproto *pr; - struct sockaddr *src = NULL, *dst = NULL; + struct sockaddr_storage *src = NULL, *dst = NULL; u_int e_type, e_keylen, a_type, a_keylen, flags; u_int satype, mode; u_int64_t lifebyte = 0; @@ -1166,7 +1168,7 @@ pk_sendupdate(iph2) } else { if (iph2->ph1->rmconf->natt_multiple_user == TRUE && mode == IPSEC_MODE_TRANSPORT && - src->sa_family == AF_INET) { + src->ss_family == AF_INET) { flags |= SADB_X_EXT_NATT_MULTIPLEUSERS; } if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { @@ -1227,7 +1229,7 @@ pk_sendupdate(iph2) * But it is impossible because there is not key in the * information from the kernel. */ - if (backupsa_to_file(satype, mode, dst, src, + if (backupsa_to_file(satype, mode, (struct sockaddr *)dst, (struct sockaddr *)src, pr->spi, pr->reqid_in, 4, pr->keymat->v, e_type, e_keylen, a_type, a_keylen, flags, @@ -1254,7 +1256,7 @@ pk_recvupdate(mhp) { struct sadb_msg *msg; struct sadb_sa *sa; - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; struct ph2handle *iph2; u_int proto_id, encmode, sa_mode; int incomplete = 0; 
@@ -1273,14 +1275,14 @@ pk_recvupdate(mhp) "inappropriate sadb update message passed.\n"); return -1; } - msg = (struct sadb_msg *)mhp[0]; - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; + msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer + src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); + dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); + sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]; sa_mode = mhp[SADB_X_EXT_SA2] == NULL ? IPSEC_MODE_ANY - : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; + : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { @@ -1412,7 +1414,7 @@ pk_sendadd(iph2) struct ph2handle *iph2; { struct saproto *pr; - struct sockaddr *src = NULL, *dst = NULL; + struct sockaddr_storage *src = NULL, *dst = NULL; u_int e_type, e_keylen, a_type, a_keylen, flags; u_int satype, mode; u_int64_t lifebyte = 0; @@ -1493,7 +1495,7 @@ pk_sendadd(iph2) } else { if (iph2->ph1->rmconf->natt_multiple_user == TRUE && mode == IPSEC_MODE_TRANSPORT && - dst->sa_family == AF_INET) { + dst->ss_family == AF_INET) { flags |= SADB_X_EXT_NATT_MULTIPLEUSERS; } if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { @@ -1562,7 +1564,7 @@ pk_sendadd(iph2) * But it is impossible because there is not key in the * information from the kernel. */ - if (backupsa_to_file(satype, mode, src, dst, + if (backupsa_to_file(satype, mode, (struct sockaddr *)src, (struct sockaddr *)dst, pr->spi_p, pr->reqid_out, 4, pr->keymat_p->v, e_type, e_keylen, a_type, a_keylen, flags, 
@@ -1589,7 +1591,7 @@ pk_recvadd(mhp) { struct sadb_msg *msg; struct sadb_sa *sa; - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; struct ph2handle *iph2; u_int sa_mode; @@ -1606,14 +1608,14 @@ pk_recvadd(mhp) "inappropriate sadb add message passed.\n"); return -1; } - msg = (struct sadb_msg *)mhp[0]; - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; + msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer + src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); + dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); + sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]; sa_mode = mhp[SADB_X_EXT_SA2] == NULL ? IPSEC_MODE_ANY - : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; + : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { @@ -1650,7 +1652,7 @@ pk_recvadd(mhp) { u_int32_t address; - if (iph2->dst->sa_family == AF_INET) + if (iph2->dst->ss_family == AF_INET) address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr; else address = 0; @@ -1668,7 +1670,7 @@ pk_recvexpire(mhp) { struct sadb_msg *msg; struct sadb_sa *sa; - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; struct ph2handle *iph2; u_int proto_id, sa_mode; 
@@ -1683,14 +1685,14 @@ pk_recvexpire(mhp) "inappropriate sadb expire message passed.\n"); return -1; } - msg = (struct sadb_msg *)mhp[0]; - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); + msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer + sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]; + src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); + dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); sa_mode = mhp[SADB_X_EXT_SA2] == NULL ? IPSEC_MODE_ANY - : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; + : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); if (proto_id == ~0) { @@ -1783,7 +1785,7 @@ pk_recvacquire(mhp) struct secpolicy *sp_out = NULL, *sp_in = NULL; #define MAXNESTEDSA 5 /* XXX */ struct ph2handle *iph2[MAXNESTEDSA]; - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; int n; /* # of phase 2 handler */ /* ignore this message because of local test mode. */ 
@@ -1799,10 +1801,10 @@ pk_recvacquire(mhp) "inappropriate sadb acquire message passed.\n"); return -1; } - msg = (struct sadb_msg *)mhp[0]; - xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); + msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer + xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; + src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); + dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); /* ignore if type is not IPSEC_POLICY_IPSEC */ if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { @@ -1813,18 +1815,18 @@ pk_recvacquire(mhp) /* ignore it if src is multicast address */ { - struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); + struct sockaddr_storage *sa = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - if ((sa->sa_family == AF_INET + if ((sa->ss_family == AF_INET && IN_MULTICAST(ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr))) #ifdef INET6 - || (sa->sa_family == AF_INET6 + || (sa->ss_family == AF_INET6 && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sa)->sin6_addr)) #endif ) { plog(LLV_DEBUG, LOCATION, NULL, "ignore due to multicast address: %s.\n", - saddrwop2str(sa)); + saddrwop2str((struct sockaddr *)sa)); return 0; } } 
@@ -1839,7 +1841,8 @@ pk_recvacquire(mhp) * than one in the policy, so kernel will drop them; * => therefore this acquire is not for us! --Aidas */ - struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); + // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer + struct sockaddr_storage *sa = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); struct myaddrs *p; int do_listen = 0; for (p = lcconf->myaddrs; p; p = p->next) { @@ -1852,7 +1855,7 @@ pk_recvacquire(mhp) if (!do_listen) { plog(LLV_DEBUG, LOCATION, NULL, "ignore because do not listen on source address : %s.\n", - saddrwop2str(sa)); + saddrwop2str((struct sockaddr *)sa)); return 0; } } @@ -1930,12 +1933,13 @@ pk_recvacquire(mhp) iph2[n]->status = PHASE2ST_STATUS2; /* set end addresses of SA */ - iph2[n]->dst = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST])); + // Wcast_align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer + iph2[n]->dst = dupsaddr(ALIGNED_CAST(struct sockaddr *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST])); if (iph2[n]->dst == NULL) { delph2(iph2[n]); return -1; } - iph2[n]->src = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC])); + iph2[n]->src = dupsaddr(ALIGNED_CAST(struct sockaddr *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC])); if (iph2[n]->src == NULL) { delph2(iph2[n]); return -1; @@ -1948,7 +1952,7 @@ pk_recvacquire(mhp) { vchar_t *idsrc, *iddst; - idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src, + idsrc = ipsecdoi_sockaddr2id(&sp_out->spidx.src, sp_out->spidx.prefs, sp_out->spidx.ul_proto); if (idsrc == NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -1957,7 +1961,7 @@ pk_recvacquire(mhp) delph2(iph2[n]); return -1; } - iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst, + iddst = ipsecdoi_sockaddr2id(&sp_out->spidx.dst, sp_out->spidx.prefd, sp_out->spidx.ul_proto); if (iddst == NULL) { plog(LLV_ERROR, LOCATION, NULL, 
@@ -2030,7 +2034,7 @@ pk_recvdelete(mhp) { struct sadb_msg *msg; struct sadb_sa *sa; - struct sockaddr *src, *dst; + struct sockaddr_storage *src, *dst; struct ph2handle *iph2 = NULL; u_int proto_id; @@ -2046,10 +2050,10 @@ pk_recvdelete(mhp) "inappropriate sadb delete message passed.\n"); return -1; } - msg = (struct sadb_msg *)mhp[0]; - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); + msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer + sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]; + src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); + dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); /* the message has to be processed or not ? */ if (msg->sadb_msg_pid == getpid()) { @@ -2068,8 +2072,8 @@ pk_recvdelete(mhp) } plog(LLV_DEBUG2, LOCATION, NULL, "SADB delete message: proto-id %d\n", proto_id); - plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src)); - plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst)); + plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)src)); + plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)dst)); if (!sa) { deleteallph2(src, dst, proto_id); @@ -2131,7 +2135,7 @@ getsadbpolicy(policy0, policylen0, type, iph2) int *policylen0, type; struct ph2handle *iph2; { - struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen; + struct policyindex *spidx = iph2->spidx_gen; struct sadb_x_policy *xpl; struct sadb_x_ipsecrequest *xisr; struct saproto *pr; 
@@ -2146,8 +2150,8 @@ getsadbpolicy(policy0, policylen0, type, iph2)
 for (pr = iph2->approval->head; pr; pr = pr->next) {
 xisrlen = sizeof(*xisr);
 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
- xisrlen += (sysdep_sa_len(iph2->src)
- + sysdep_sa_len(iph2->dst));
+ xisrlen += (sysdep_sa_len((struct sockaddr *)iph2->src)
+ + sysdep_sa_len((struct sockaddr *)iph2->dst));
 }
 policylen += PFKEY_ALIGN8(xisrlen);
@@ -2162,7 +2166,7 @@ getsadbpolicy(policy0, policylen0, type, iph2)
 return -1;
 }
- xpl = (struct sadb_x_policy *)policy;
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)policy;
 xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen);
 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
@@ -2208,8 +2212,8 @@ getsadbpolicy(policy0, policylen0, type, iph2)
 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
 int src_len, dst_len;
- src_len = sysdep_sa_len(iph2->src);
- dst_len = sysdep_sa_len(iph2->dst);
+ src_len = sysdep_sa_len((struct sockaddr *)iph2->src);
+ dst_len = sysdep_sa_len((struct sockaddr *)iph2->dst);
 xisrlen += src_len + dst_len;
 memcpy(p, iph2->src, src_len);
@@ -2239,7 +2243,7 @@ int
 pk_sendspdupdate2(iph2)
 struct ph2handle *iph2;
 {
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
+ struct policyindex *spidx = iph2->spidx_gen;
 caddr_t policy = NULL;
 int policylen = 0;
 u_int64_t ltime, vtime;
@@ -2255,9 +2259,9 @@ pk_sendspdupdate2(iph2)
 if (pfkey_send_spdupdate2(
 lcconf->sock_pfkey,
- (struct sockaddr *)&spidx->src,
+ &spidx->src,
 spidx->prefs,
- (struct sockaddr *)&spidx->dst,
+ &spidx->dst,
 spidx->prefd,
 spidx->ul_proto,
 ltime, vtime,
@@ -2294,9 +2298,9 @@ pk_recvspdupdate(mhp)
 "inappropriate sadb spdupdate message passed.\n");
 return -1;
 }
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
 #ifdef HAVE_PFKEY_POLICY_PRIORITY
 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
@@ -2340,7 +2344,7 @@ int
 pk_sendspdadd2(iph2)
 struct ph2handle *iph2;
 {
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
+ struct policyindex *spidx = iph2->spidx_gen;
 caddr_t policy = NULL;
 int policylen = 0;
 u_int64_t ltime, vtime;
@@ -2356,9 +2360,9 @@ pk_sendspdadd2(iph2)
 if (pfkey_send_spdadd2(
 lcconf->sock_pfkey,
- (struct sockaddr *)&spidx->src,
+ &spidx->src,
 spidx->prefs,
- (struct sockaddr *)&spidx->dst,
+ &spidx->dst,
 spidx->prefd,
 spidx->ul_proto,
 ltime, vtime,
@@ -2395,9 +2399,9 @@ pk_recvspdadd(mhp)
 "inappropriate sadb spdadd message passed.\n");
 return -1;
 }
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
 #ifdef HAVE_PFKEY_POLICY_PRIORITY
 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
@@ -2441,7 +2445,7 @@ int
 pk_sendspddelete(iph2)
 struct ph2handle *iph2;
 {
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
+ struct policyindex *spidx = iph2->spidx_gen;
 caddr_t policy = NULL;
 int policylen;
@@ -2453,9 +2457,9 @@ pk_sendspddelete(iph2)
 if (pfkey_send_spddelete(
 lcconf->sock_pfkey,
- (struct sockaddr *)&spidx->src,
+ &spidx->src,
 spidx->prefs,
- (struct sockaddr *)&spidx->dst,
+ &spidx->dst,
 spidx->prefd,
 spidx->ul_proto,
 policy, policylen, 0) < 0) {
@@ -2491,9 +2495,9 @@ pk_recvspddelete(mhp)
 "inappropriate sadb spddelete message passed.\n");
 return -1;
 }
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
 #ifdef HAVE_PFKEY_POLICY_PRIORITY
 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
@@ -2548,9 +2552,9 @@ pk_recvspdexpire(mhp)
 "inappropriate sadb spdexpire message passed.\n");
 return -1;
 }
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
 #ifdef HAVE_PFKEY_POLICY_PRIORITY
 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
@@ -2617,11 +2621,11 @@ pk_recvspddump(mhp)
 "inappropriate sadb spddump message passed.\n");
 return -1;
 }
- msg = (struct sadb_msg *)mhp[0];
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
 if (saddr == NULL || daddr == NULL || xpl == NULL) {
 plog(LLV_ERROR, LOCATION, NULL,
@@ -2820,9 +2824,9 @@ caddr_t *mhp;
 "inappropriate sadb getsastat response.\n");
 return -1;
 }
- msg = (struct sadb_msg *)mhp[0];
- session_id = (ike_session_t *)mhp[SADB_EXT_SESSION_ID];
- stat_resp = (struct sadb_sastat *)mhp[SADB_EXT_SASTAT];
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to structs in an aligned buffer
+ session_id = ALIGNED_CAST(struct sadb_session_id *)mhp[SADB_EXT_SESSION_ID];
+ stat_resp = ALIGNED_CAST(struct sadb_sastat *)mhp[SADB_EXT_SASTAT];
 /* the message has to be processed or not ? */
 if (msg->sadb_msg_pid != getpid()) {
@@ -2840,7 +2844,7 @@ caddr_t *mhp;
 s_pfkey_type(msg->sadb_msg_type));
 return -1;
 }
- session = (__typeof__(session))session_id->sadb_session_id_v[0];
+ session = ALIGNED_CAST(__typeof__(session))session_id->sadb_session_id_v[0];
 if (!stat_resp->sadb_sastat_list_len) {
 plog(LLV_DEBUG, LOCATION, NULL,
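Review bot: `session` is rebuilt from `sadb_session_id_v[0]`, a 64-bit value that travelled out through the getsastat request and back in the PF_KEY reply, and the only filter before it is dereferenced is the `sadb_msg_pid` comparison; nothing in the hunk checks that the value still names a live session. If ike_session objects can be released between the request and its reply, looking the value up in the session list before use (and logging and returning when it is not found) is safer than trusting the round-tripped pointer. The function's body starts and ends outside the hunk, so a validation further down would not be visible here.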
@@ -2878,9 +2882,9 @@ pk_checkalg(class, calg, keylen)
 sup = SADB_EXT_SUPPORTED_AUTH;
 break;
 case IPSECDOI_PROTO_IPCOMP:
- plog(LLV_DEBUG, LOCATION, NULL,
- "compression algorithm can not be checked "
- "because sadb message doesn't support it.\n");
+ //plog(LLV_DEBUG, LOCATION, NULL,
+ // "compression algorithm can not be checked "
+ // "because sadb message doesn't support it.\n");
 return 0;
 default:
 plog(LLV_ERROR, LOCATION, NULL,
@@ -2918,7 +2922,7 @@ pk_checkalg(class, calg, keylen)
 static struct sadb_msg *
 pk_recv(so, lenp)
 int so;
- int *lenp;
+ ssize_t *lenp;
 {
 struct sadb_msg *newmsg;
 int reallen = 0;
@@ -2933,7 +2937,13 @@ pk_recv(so, lenp)
 if ((newmsg = racoon_calloc(1, reallen)) == NULL)
 return NULL;
- *lenp = recv(so, (caddr_t)newmsg, reallen, 0);
+ while ((*lenp = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
+ if (errno == EINTR)
+ continue;
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to recv pfkey message: %s\n", strerror(errno));
+ break;
+ }
 if (*lenp < 0) {
 racoon_free(newmsg);
 return NULL; /*fatal*/
@@ -2969,9 +2979,9 @@ addnewsp(mhp)
 return -1;
 }
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
 new = newsp();
 if (new == NULL) {
@@ -3100,7 +3110,7 @@ addnewsp(mhp)
 "becoming tlen < 0\n");
 }
- xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr = ALIGNED_CAST(struct sadb_x_ipsecrequest *)((caddr_t)xisr
 + xisr->sadb_x_ipsecrequest_len);
 }
 }
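Review bot: The IPCOMP branch of pk_checkalg now carries three commented-out `plog` lines instead of the call, and the same pattern appears in cmpspidxstrict and cmpspidxwild in policy.c and twice in getsainfo in sainfo.c; commented-out code rots and hides why the early `return 0` is taken. Either delete the lines, or keep the message at a level that is off by default, `plog(LLV_DEBUG2, LOCATION, NULL, "compression algorithm can not be checked because sadb message doesn't support it.\n");`, or replace them with a one-line explanation such as `/* IPCOMP: the SADB supported-algorithm extensions do not cover compression, nothing to check */`.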
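Review bot: The retry loop in pk_recv only covers a negative return from `recv`; a zero-length read (`*lenp == 0`) passes the `*lenp < 0` test and hands the caller a `newmsg` that is still all zeros from racoon_calloc. Unless the lines after the hunk compare `*lenp` with `sizeof(struct sadb_msg)` before the header is read, the check below the loop should treat a short read as fatal too, e.g. `if (*lenp < (ssize_t)sizeof(struct sadb_msg)) { racoon_free(newmsg); return NULL; }`. The function continues outside the hunk.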
@@ -3138,7 +3148,7 @@ addnewsp(mhp)
 /* proto/mode/src->dst spi */
 const char *
 sadbsecas2str(src, dst, proto, spi, mode)
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
 int proto;
 u_int32_t spi;
 int mode;
@@ -3169,13 +3179,13 @@ sadbsecas2str(src, dst, proto, spi, mode)
 p += i;
 blen -= i;
- i = snprintf(p, blen, "%s->", saddr2str(src));
+ i = snprintf(p, blen, "%s->", saddr2str((struct sockaddr *)src));
 if (i < 0 || i >= blen)
 return NULL;
 p += i;
 blen -= i;
- i = snprintf(p, blen, "%s ", saddr2str(dst));
+ i = snprintf(p, blen, "%s ", saddr2str((struct sockaddr *)dst));
 if (i < 0 || i >= blen)
 return NULL;
 p += i;
diff --git a/ipsec-tools/racoon/plog.c b/ipsec-tools/racoon/plog.c
index d04aa3a..7e1bae8 100644
--- a/ipsec-tools/racoon/plog.c
+++ b/ipsec-tools/racoon/plog.c
@@ -155,7 +155,7 @@ plogmtxinit (void)
 }
 void
-plog_func(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
+plog_func(int pri, const char *func, struct sockaddr_storage *sa, const char *fmt, ...)
 {
 va_list ap;
@@ -165,7 +165,7 @@ plog_func(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
 }
 void
-plogv(int pri, const char *func, struct sockaddr *sa,
+plogv(int pri, const char *func, struct sockaddr_storage *sa,
 const char *fmt, va_list *ap)
 {
 char *newfmt;
diff --git a/ipsec-tools/racoon/plog.h b/ipsec-tools/racoon/plog.h
index d0b3930..49e1154 100644
--- a/ipsec-tools/racoon/plog.h
+++ b/ipsec-tools/racoon/plog.h
@@ -65,10 +65,10 @@ extern u_int32_t loglevel;
 extern int f_foreground;
 extern int print_location;
-struct sockaddr;
-extern void plog_func __P((int, const char *, struct sockaddr *, const char *, ...))
+struct sockaddr_storage;
+extern void plog_func __P((int, const char *, struct sockaddr_storage *, const char *, ...))
 __attribute__ ((__format__ (__printf__, 4, 5)));
-extern void plogv __P((int, const char *, struct sockaddr *,
+extern void plogv __P((int, const char *, struct sockaddr_storage *,
 const char *, va_list *));
 extern void plogdump __P((int, void *, size_t));
 extern void ploginit __P((void));
diff --git a/ipsec-tools/racoon/policy.c b/ipsec-tools/racoon/policy.c
index f090693..e27a817 100644
--- a/ipsec-tools/racoon/policy.c
+++ b/ipsec-tools/racoon/policy.c
@@ -111,8 +111,8 @@ getsp_r(spidx, iph2)
 // for tunnel mode: verify the outer ip addresses match the phase2's addresses
 if (spidx->dir == IPSEC_DIR_INBOUND) {
 // TODO: look out for wildcards
- if (!cmpsaddrwop(iph2->dst, (struct sockaddr *)&isr->saidx.src) &&
- !cmpsaddrwop(iph2->src, (struct sockaddr *)&isr->saidx.dst)) {
+ if (!cmpsaddrwop(iph2->dst, &isr->saidx.src) &&
+ !cmpsaddrwop(iph2->src, &isr->saidx.dst)) {
 plog(LLV_DEBUG2, LOCATION, NULL, "%s, inbound policy outer addresses matched phase2's addresses\n", __FUNCTION__);
 return p;
@@ -121,8 +121,8 @@ getsp_r(spidx, iph2)
 }
 } else if (spidx->dir == IPSEC_DIR_OUTBOUND) {
 // TODO: look out for wildcards
- if (!cmpsaddrwop(iph2->src, (struct sockaddr *)&isr->saidx.src) &&
- !cmpsaddrwop(iph2->dst, (struct sockaddr *)&isr->saidx.dst)) {
+ if (!cmpsaddrwop(iph2->src, &isr->saidx.src) &&
+ !cmpsaddrwop(iph2->dst, &isr->saidx.dst)) {
 plog(LLV_DEBUG2, LOCATION, NULL, "%s, outbound policy outer addresses matched phase2's addresses\n", __FUNCTION__);
 return p;
@@ -136,11 +136,11 @@ getsp_r(spidx, iph2)
 plog(LLV_DEBUG2, LOCATION, NULL, "%s, policy outer addresses matched phase2's addresses: dir %d\n", __FUNCTION__, spidx->dir);
 plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n",
- saddr2str(iph2->src));
+ saddr2str((struct sockaddr *)iph2->src));
 plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
 saddr2str((struct sockaddr *)&isr->saidx.src));
 plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
- saddr2str(iph2->dst));
+ saddr2str((struct sockaddr *)iph2->dst));
 plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
 saddr2str((struct sockaddr *)&isr->saidx.dst));
 }
@@ -191,16 +191,16 @@ getsp_r(spidx, iph2)
 plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n",
 saddr2str(iph2->src));
 plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
- saddr2str((struct sockaddr *)&spidx->src));
- if (cmpsaddrwop(iph2->src, (struct sockaddr *)&spidx->src)
+ saddr2str(&spidx->src));
+ if (cmpsaddrwop(iph2->src, &spidx->src)
 || spidx->prefs != prefixlen)
 return NULL;
 plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
 saddr2str(iph2->dst));
 plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
- saddr2str((struct sockaddr *)&spidx->dst));
- if (cmpsaddrwop(iph2->dst, (struct sockaddr *)&spidx->dst)
+ saddr2str(&spidx->dst));
+ if (cmpsaddrwop(iph2->dst, &spidx->dst)
 || spidx->prefd != prefixlen)
 return NULL;
@@ -239,8 +239,8 @@ int
 cmpspidxstrict(a, b)
 struct policyindex *a, *b;
 {
- plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
- plog(LLV_DEBUG, LOCATION, NULL, "db :%p: %s\n", b, spidx2str(b));
+ //plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
+ //plog(LLV_DEBUG, LOCATION, NULL, "db :%p: %s\n", b, spidx2str(b));
 /* XXX don't check direction now, but it's to be checked carefully. */
 if (a->dir != b->dir
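Review bot: In the @@ -191 hunk the context calls `saddr2str(iph2->src)` and `saddr2str(iph2->dst)` are left untouched, while the @@ -136 hunk of the same function casts exactly these expressions to `(struct sockaddr *)`; with `iph2->src`/`dst` now `struct sockaddr_storage *`, the two uncast calls pass a different pointer type than every other saddr2str call in this commit. Either cast them the same way, `saddr2str((struct sockaddr *)iph2->src)` and `saddr2str((struct sockaddr *)iph2->dst)`, or, if saddr2str has been changed to accept `struct sockaddr_storage *`, drop the casts added in @@ -136 so the file follows one convention. getsp_r's body starts and ends outside these hunks.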
@@ -249,11 +249,9 @@ cmpspidxstrict(a, b)
 || a->ul_proto != b->ul_proto)
 return 1;
- if (cmpsaddrstrict((struct sockaddr *)&a->src,
- (struct sockaddr *)&b->src))
+ if (cmpsaddrstrict(&a->src, &b->src))
 return 1;
- if (cmpsaddrstrict((struct sockaddr *)&a->dst,
- (struct sockaddr *)&b->dst))
+ if (cmpsaddrstrict(&a->dst, &b->dst))
 return 1;
 return 0;
@@ -271,8 +269,8 @@ cmpspidxwild(a, b)
 {
 struct sockaddr_storage sa1, sa2;
- plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
- plog(LLV_DEBUG, LOCATION, NULL, "db: %p: %s\n", b, spidx2str(b));
+ //plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
+ //plog(LLV_DEBUG, LOCATION, NULL, "db: %p: %s\n", b, spidx2str(b));
 if (!(b->dir == IPSEC_DIR_ANY || a->dir == b->dir))
 return 1;
@@ -295,15 +293,13 @@ cmpspidxwild(a, b)
 a->src.ss_len, b->src.ss_len);
 return 1;
 }
- mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->src,
- b->prefs);
- mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->src,
- b->prefs);
+ mask_sockaddr(&sa1, &a->src, b->prefs);
+ mask_sockaddr(&sa2, &b->src, b->prefs);
 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
 a, b->prefs, saddr2str((struct sockaddr *)&sa1));
 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
 b, b->prefs, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
+ if (cmpsaddrwild(&sa1, &sa2))
 return 1;
 /* compare dst address */
@@ -311,15 +307,13 @@ cmpspidxwild(a, b)
 plog(LLV_ERROR, LOCATION, NULL, "unexpected error\n");
 exit(1);
 }
- mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->dst,
- b->prefd);
- mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->dst,
- b->prefd);
+ mask_sockaddr(&sa1, &a->dst, b->prefd);
+ mask_sockaddr(&sa2, &b->dst, b->prefd);
 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
 a, b->prefd, saddr2str((struct sockaddr *)&sa1));
 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
 b, b->prefd, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
+ if (cmpsaddrwild(&sa1, &sa2))
 return 1;
 return 0;
diff --git a/ipsec-tools/racoon/privsep.c b/ipsec-tools/racoon/privsep.c
index c9f1082..81ec7b8 100644
--- a/ipsec-tools/racoon/privsep.c
+++ b/ipsec-tools/racoon/privsep.c
@@ -512,7 +512,7 @@ privsep_init(void)
 int pool_size;
 int port;
 int inout;
- struct sockaddr *raddr;
+ struct sockaddr_storage *raddr;
 if (safety_check(combuf, 0) != 0)
 break;
@@ -524,7 +524,7 @@ privsep_init(void)
 break;
 memcpy(&port, bufs[0], sizeof(port));
- raddr = (struct sockaddr *)bufs[1];
+ raddr = (struct sockaddr_storage *)bufs[1];
 bufs[2][combuf->bufs.buflen[2] - 1] = '\0';
 memcpy(&inout, bufs[3], sizeof(port));
@@ -609,7 +609,7 @@ privsep_init(void)
 case PRIVSEP_XAUTH_LOGIN_PAM: {
 int port;
 int pool_size;
- struct sockaddr *raddr;
+ struct sockaddr_storage *raddr;
 if (safety_check(combuf, 0) != 0)
 break;
@@ -624,7 +624,7 @@ privsep_init(void)
 memcpy(&port, bufs[0], sizeof(port));
 memcpy(&pool_size, bufs[1], sizeof(pool_size));
- raddr = (struct sockaddr *)bufs[2];
+ raddr = (struct sockaddr_storage *)bufs[2];
 bufs[3][combuf->bufs.buflen[3] - 1] = '\0';
 bufs[4][combuf->bufs.buflen[4] - 1] = '\0';
@@ -1001,7 +1001,7 @@ privsep_xauth_login_system(usr, pwd)
 int
 privsep_accounting_system(port, raddr, usr, inout)
 int port;
- struct sockaddr *raddr;
+ struct sockaddr_storage *raddr;
 char *usr;
 int inout;
 {
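Review bot: `raddr = (struct sockaddr_storage *)bufs[1];` in the @@ -524 hunk now presents a buffer received from the unprivileged side as a full sockaddr_storage, but nothing visible checks `combuf->bufs.buflen[1]` against the size the callee will read before the pointer goes to privsep_accounting_system; the @@ -624 hunk does the same with `bufs[2]`. Unless `safety_check` already enforces the address length, add a guard beside the existing ones, e.g. `if (combuf->bufs.buflen[1] < sizeof(struct sockaddr) || combuf->bufs.buflen[1] < sysdep_sa_len((struct sockaddr *)bufs[1])) break;`, so the callee cannot read past the copied message. privsep_init starts and ends outside these hunks.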
@@ -1238,7 +1238,7 @@ out:
 int
 privsep_xauth_login_pam(port, raddr, usr, pwd)
 int port;
- struct sockaddr *raddr;
+ struct sockaddr_storage *raddr;
 char *usr;
 char *pwd;
 {
diff --git a/ipsec-tools/racoon/privsep.h b/ipsec-tools/racoon/privsep.h
index 0fa4363..05c9279 100644
--- a/ipsec-tools/racoon/privsep.h
+++ b/ipsec-tools/racoon/privsep.h
@@ -65,8 +65,8 @@ vchar_t *privsep_getpsk __P((const char *, const int));
 int privsep_xauth_login_system __P((char *, char *));
 #ifdef HAVE_LIBPAM
 int privsep_accounting_pam __P((int, int));
-int privsep_xauth_login_pam __P((int, struct sockaddr *, char *, char *));
+int privsep_xauth_login_pam __P((int, struct sockaddr_storage *, char *, char *));
 void privsep_cleanup_pam __P((int));
 #endif
-int privsep_accounting_system __P((int, struct sockaddr *, char *, int));
+int privsep_accounting_system __P((int, struct sockaddr_storage *, char *, int));
 #endif /* _PRIVSEP_H */
diff --git a/ipsec-tools/racoon/racoon.conf.5 b/ipsec-tools/racoon/racoon.conf.5
index ace2edf..a9172e3 100644
--- a/ipsec-tools/racoon/racoon.conf.5
+++ b/ipsec-tools/racoon/racoon.conf.5
@@ -341,36 +341,6 @@ This directive tells racoon to not listen on the admin socket.
 .El
 .El
 .\"
-.Ss Miscellaneous Global Parameters
-.Bl -tag -width Ds -compact
-.It Ic gss_id_enc Ar enctype ;
-Older versions of
-.Xr racoon 8
-used ISO-Latin-1 as the encoding of the GSS-API identifier attribute.
-For interoperability with Microsoft Windows' GSS-API authentication
-scheme, the default encoding has been changed to UTF-16LE.
-The
-.Ic gss_id_enc
-parameter allows
-.Xr racoon 8
-to be configured to use the old encoding for compatibility with existing
-.Xr racoon 8
-installations.
-The following are valid values for
-.Ar enctype :
-.Pp
-.Bl -tag -width Ds -compact
-.It Ic utf-16le
-Use UTF-16LE to encode the GSS-API identifier attribute.
-This is the default encoding.
-This encoding is compatible with Microsoft Windows.
-.It Ic latin1
-Use ISO-Latin-1 to encode the GSS-API identifier attribute.
-This is the encoding used by older versions of
-.Xr racoon 8 .
-.El
-.El
-.\"
 .Ss Remote Nodes Specifications
 .Bl -tag -width Ds -compact
 .It Xo
@@ -844,8 +814,7 @@ Specifies the encryption algorithm used for the phase 1 negotiation.
 This directive must be defined.
 .Ar algorithm
 is one of following:
-.Ic des, 3des, blowfish, cast128, aes, camellia
-.\".Ic rc5 , idea
+.Ic des, 3des, aes
 for Oakley.
 For other transforms, this statement should not be used.
 .\"
@@ -862,9 +831,8 @@ Defines the authentication method used for the phase 1 negotiation.
 This directive must be defined.
 .Ar type
 is one of:
-.Ic pre_shared_key , rsasig
-(for plain RSA authentication),
-.Ic gssapi_krb , hybrid_rsa_server ,
+.Ic pre_shared_key,
+.Ic hybrid_rsa_server ,
 .Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server or
 .Ic xauth_psk_client .
@@ -874,10 +842,8 @@ Defines the group used for the Diffie-Hellman exponentiations.
 This directive must be defined.
 .Ar group
 is one of following:
-.Ic modp768 , modp1024 , modp1536 ,
-.Ic modp2048 , modp3072 , modp4096 ,
-.Ic modp6144 , modp8192 .
-Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
+.Ic modp1024 , modp1536 .
+Or you can define 2 or 5 as the DH group number.
 When you want to use aggressive mode,
 you must define the same DH group in each proposal.
 .It Ic lifetime time Ar number Ar timeunit ;
@@ -887,17 +853,6 @@ Refer to the description of the
 directive defined in the
 .Ic remote
 directive.
-.It Ic gss_id Ar string ;
-Defines the GSS-API endpoint name, to be included as an attribute in the SA,
-if the
-.Ic gssapi_krb
-authentication method is used.
-If this is not defined, the default value of
-.Ql host/hostname
-is used, where hostname is the value returned by the
-.Xr hostname 1
-command.
-.El
 .El
 .El
 .\"
@@ -971,10 +926,8 @@ If you do not require PFS then you can omit this directive.
 Any proposal will be accepted if you do not specify one.
 .Ar group
 is one of following:
-.Ic modp768 , modp1024 , modp1536 ,
-.Ic modp2048 , modp3072 , modp4096 ,
-.Ic modp6144 , modp8192 .
-Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
+.Ic modp1024 , modp1536 .
+Or you can define 2 or 5 as the DH group number.
 .\"
 .It Ic lifetime time Ar number Ar timeunit ;
 define how long an IPsec-SA will be used, in timeunits.
@@ -1025,9 +978,7 @@ Note that the kernel may not support the algorithm you have specified.
 .Bl -tag -width Ds -compact
 .It Ic encryption_algorithm Ar algorithms ;
 .Ic des , 3des , des_iv64 , des_iv32 ,
-.Ic rc5 , rc4 , idea , 3idea ,
-.Ic cast128 , blowfish , null_enc ,
-.Ic twofish , rijndael , aes , camellia
+.Ic null_enc ,rijndael , aes
 .Pq used with ESP
 .\"
 .It Ic authentication_algorithm Ar algorithms ;
diff --git a/ipsec-tools/racoon/racoonctl.c b/ipsec-tools/racoon/racoonctl.c
index 687075c..661f85e 100644
--- a/ipsec-tools/racoon/racoonctl.c
+++ b/ipsec-tools/racoon/racoonctl.c
@@ -838,7 +838,7 @@ f_vpnc(ac, av)
 char *inet = "inet";
 char *srcaddr;
 struct addrinfo hints, *res;
- struct sockaddr *src;
+ struct sockaddr_storage *src;
 char *idx;
 if (ac < 1)
@@ -904,7 +904,7 @@ f_vpntest(ac, av)
 char *inet = "inet";
 char *srcaddr;
 struct addrinfo hints, *res;
- struct sockaddr *src;
+ struct sockaddr_storage *src;
 char *idx;
 if (ac < 1)
@@ -1087,7 +1087,7 @@ get_comindexes(family, ac, av)
 struct admin_com_indexes *ci;
 char *p_name = NULL, *p_port = NULL;
 char *p_prefs = NULL, *p_prefd = NULL;
- struct sockaddr *src = NULL, *dst = NULL;
+ struct sockaddr_storage *src = NULL, *dst = NULL;
 int ulproto;
 if (ac != 2 && ac != 3) {
@@ -1307,7 +1307,7 @@ char *header3 =
 while (len-- > 0) {
 /* source address */
 if (long_format >= 2) {
- GETNAMEINFO((struct sockaddr *)&pd->local, _addr1_, _addr2_);
+ GETNAMEINFO((struct sockaddr_storage *)&pd->local, _addr1_, _addr2_);
 switch (long_format) {
 case 0:
 break;
@@ -1323,7 +1323,7 @@ char *header3 =
 }
 /* destination address */
- GETNAMEINFO((struct sockaddr *)&pd->remote, _addr1_, _addr2_);
+ GETNAMEINFO((struct sockaddr_storage *)&pd->remote, _addr1_, _addr2_);
 switch (long_format) {
 case 0:
 case 1:
@@ -1375,7 +1375,7 @@ dump_internal(buf, tlen)
 int tlen;
 {
 struct ph2handle *iph2;
- struct sockaddr *addr;
+ struct sockaddr_storage *addr;
 /*
 short header;
@@ -1398,7 +1398,7 @@ char *long_h1 =
 while (tlen > 0) {
 iph2 = (struct ph2handle *)buf;
- addr = (struct sockaddr *)(++iph2);
+ addr = (struct sockaddr_storage *)(++iph2);
 GETNAMEINFO(addr, _addr1_, _addr2_);
 printf("%s ", long_format ?
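Review bot: GETNAMEINFO is handed `(struct sockaddr_storage *)&pd->local` here and `(struct sockaddr_storage *)&pd->remote` in the @@ -1323 hunk, while remoteconf.c in the same commit calls `GETNAMEINFO((struct sockaddr *)remote, addr, port)`; likewise print_evt casts `&evtdump->src`/`dst` to `struct sockaddr_storage *` for saddr2str, whereas pfkey.c, policy.c and remoteconf.c cast to `struct sockaddr *` for the same function. Unless racoonctl builds against its own definitions of these two, one of the two conventions must be producing incompatible-pointer warnings; the `(struct sockaddr *)` form used by the rest of the commit is the consistent choice, `GETNAMEINFO((struct sockaddr *)&pd->local, _addr1_, _addr2_);`.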
@@ -1514,12 +1514,12 @@ print_evt(buf, len)
 else
 printf("%s : ", evtmsg[i].msg);
- if ((srcstr = saddr2str((struct sockaddr *)&evtdump->src)) == NULL)
+ if ((srcstr = saddr2str((struct sockaddr_storage *)&evtdump->src)) == NULL)
 printf("unknown");
 else
 printf("%s", srcstr);
 printf(" -> ");
- if ((dststr = saddr2str((struct sockaddr *)&evtdump->dst)) == NULL)
+ if ((dststr = saddr2str((struct sockaddr_storage *)&evtdump->dst)) == NULL)
 printf("unknown");
 else
 printf("%s", dststr);
diff --git a/ipsec-tools/racoon/remoteconf.c b/ipsec-tools/racoon/remoteconf.c
index 3a4519e..0a0d277 100644
--- a/ipsec-tools/racoon/remoteconf.c
+++ b/ipsec-tools/racoon/remoteconf.c
@@ -80,9 +80,6 @@
 #include "nattraversal.h"
 #include "isakmp_frag.h"
 #include "genlist.h"
-#ifdef HAVE_OPENSSL
-#include "rsalist.h"
-#endif
 static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
@@ -102,12 +99,16 @@ char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
 */
 struct remoteconf *
 getrmconf_strict(remote, allow_anon)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
 int allow_anon;
 {
 struct remoteconf *p;
 struct remoteconf *p_withport_besteffort = NULL;
+ struct remoteconf *p_with_prefix = NULL;
+ struct remoteconf *p_with_prefix_besteffort = NULL;
+ int last_prefix = 0;
 struct remoteconf *anon = NULL;
+ int withport;
 char buf[NI_MAXHOST + NI_MAXSERV + 10];
 char addr[NI_MAXHOST], port[NI_MAXSERV];
@@ -123,7 +124,7 @@ getrmconf_strict(remote, allow_anon)
 * In an ideal world, we would be able to have remote conf with
 * port, and the port could be a wildcard. That test could be used.
 */
- switch (remote->sa_family) {
+ switch (remote->ss_family) {
 case AF_INET:
 if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY)
 withport = 1;
@@ -139,14 +140,14 @@ getrmconf_strict(remote, allow_anon)
 default:
 plog(LLV_ERROR2, LOCATION, NULL,
- "invalid ip address family: %d\n", remote->sa_family);
+ "invalid ip address family: %d\n", remote->ss_family);
 return NULL;
 }
- if (remote->sa_family == AF_UNSPEC)
+ if (remote->ss_family == AF_UNSPEC)
 snprintf (buf, sizeof(buf), "%s", "anonymous");
 else {
- GETNAMEINFO(remote, addr, port);
+ GETNAMEINFO((struct sockaddr *)remote, addr, port);
 snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
 withport ? "[" : "",
 withport ? port : "",
@@ -157,20 +158,40 @@ getrmconf_strict(remote, allow_anon)
 if (p->to_delete || p->to_remove) {
 continue;
 }
- if ((remote->sa_family == AF_UNSPEC
- && remote->sa_family == p->remote->sa_family)
- || (!withport && cmpsaddrwop(remote, p->remote) == 0)
- || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "configuration found for %s.\n", buf);
+
+ if (remote->ss_family == AF_UNSPEC
+ && remote->ss_family == p->remote->ss_family) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "configuration found for %s.\n", buf);
 return p;
- } else if (withport && cmpsaddrwop(remote, p->remote) == 0) {
- // for withport: save the pointer for the best-effort search
- p_withport_besteffort = p;
- }
+ }
+ if (p->remote_prefix == 0) {
+ if ((!withport && cmpsaddrwop(remote, p->remote) == 0)
+ || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "configuration found for %s.\n", buf);
+ return p;
+ } else if (withport && cmpsaddrwop(remote, p->remote) == 0) {
+ // for withport: save the pointer for the best-effort search
+ p_withport_besteffort = p;
+ }
+ } else {
+ if ((!withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0)
+ || (withport && cmpsaddrstrict_withprefix(remote, p->remote, p->remote_prefix) == 0)) {
+ if (p->remote_prefix >= last_prefix) {
+ p_with_prefix = p;
+ last_prefix = p->remote_prefix;
+ }
+ } else if (withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0) {
+ if (p->remote_prefix >= last_prefix) {
+ p_with_prefix_besteffort = p;
+ last_prefix = p->remote_prefix;
+ }
+ }
+ }
 /* save the pointer to the anonymous configuration */
- if (p->remote->sa_family == AF_UNSPEC)
+ if (p->remote->ss_family == AF_UNSPEC)
 anon = p;
 }
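Review bot: Both prefix candidates are gated on the single `last_prefix`, so a best-effort (port-mismatched) entry with a long prefix raises `last_prefix` and a later exact match with a shorter prefix is never recorded in `p_with_prefix`; the function then returns the best-effort entry although an entry whose port matched exists. Track the two independently: declare `int last_prefix_besteffort = 0;` next to `last_prefix` in the hunk above, and in the `else if` arm use `if (p->remote_prefix >= last_prefix_besteffort) {` with `last_prefix_besteffort = p->remote_prefix;`. Note also that `>=` lets a later entry with the same prefix length replace an earlier one, so the result depends on the order of `remote` blocks in the configuration; if that is intended, a comment saying so at the comparison would help. getrmconf_strict starts and ends outside this hunk.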
@@ -179,7 +200,16 @@ getrmconf_strict(remote, allow_anon)
 "configuration found for %s.\n", buf);
 return p_withport_besteffort;
 }
-
+ if (p_with_prefix) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "configuration found for %s.\n", buf);
+ return p_with_prefix;
+ }
+ if (p_with_prefix_besteffort) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "configuration found for %s.\n", buf);
+ return p_with_prefix_besteffort;
+ }
 if (allow_anon && anon != NULL) {
 plog(LLV_DEBUG, LOCATION, NULL,
 "anonymous configuration selected for %s.\n", buf);
@@ -205,12 +235,12 @@ no_remote_configs(ignore_anonymous)
 TAILQ_FOREACH(p, &rmtree, chain) {
 if (ignore_anonymous) {
- if (p->remote->sa_family == AF_UNSPEC) /* anonymous */
+ if (p->remote->ss_family == AF_UNSPEC) /* anonymous */
 continue;
 }
 #if !TARGET_OS_EMBEDDED
 // ignore the default btmm ipv6 config thats always present in racoon.conf
- if (p->remote->sa_family == AF_INET6 &&
+ if (p->remote->ss_family == AF_INET6 &&
 p->idvtype == IDTYPE_USERFQDN &&
 p->idv != NULL &&
 p->idv->l == default_idv_len &&
@@ -225,7 +255,7 @@ no_remote_configs(ignore_anonymous)
 struct remoteconf *
 getrmconf(remote)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
 {
 return getrmconf_strict(remote, 1);
 }
@@ -284,7 +314,7 @@ newrmconf()
 new->idvl_p = genlist_init();
 new->nonce_size = DEFAULT_NONCE_SIZE;
 new->passive = FALSE;
- new->ike_frag = FALSE;
+ new->ike_frag = ISAKMP_FRAG_FORCE;
 new->esp_frag = IP_MAXPACKET;
 new->ini_contact = TRUE;
 new->mode_cfg = FALSE;
@@ -310,10 +340,6 @@ newrmconf()
 new->to_remove = FALSE;
 new->to_delete = FALSE;
 new->linked_to_ph1 = 0;
-#ifdef HAVE_OPENSSL
- new->rsa_private = genlist_init();
- new->rsa_public = genlist_init();
-#endif
 new->idv = NULL;
 new->key = NULL;
@@ -335,7 +361,7 @@ newrmconf()
 struct remoteconf *
 copyrmconf(remote)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
 {
 struct remoteconf *new, *old;
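Review bot: The default `new->ike_frag` in newrmconf flips from FALSE to ISAKMP_FRAG_FORCE, which changes behaviour for every `remote` block that does not set `ike_frag` explicitly, yet neither the assignment nor the racoon.conf.5 hunks in this commit record the new default. A comment at the assignment, e.g. `/* default changed: IKE fragmentation is forced unless the remote block sets ike_frag */`, plus a matching sentence in the man page, would make the change discoverable to anyone reading a configuration that omits the directive.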
@@ -343,7 +369,7 @@ copyrmconf(remote)
 if (old == NULL) {
 plog (LLV_ERROR, LOCATION, NULL,
 "Remote configuration for '%s' not found!\n",
- saddr2str (remote));
+ saddr2str((struct sockaddr *)remote));
 return NULL;
 }
@@ -378,15 +404,34 @@ duprmconf (rmconf)
 struct remoteconf *rmconf;
 {
 struct remoteconf *new;
+ int i;
 new = racoon_calloc(1, sizeof(*new));
 if (new == NULL)
 return NULL;
 memcpy (new, rmconf, sizeof (*new));
- // FIXME: We should duplicate the proposal as well.
+ // FIXME: We should duplicate remote, proposal, etc.
 // This is now handled in the cfparse.y
 // new->proposal = ...;
-
+
+ // zero-out pointers
+ new->remote = NULL;
+ new->keychainCertRef = NULL; /* peristant keychain ref for cert */
+ new->shared_secret = NULL; /* shared secret */
+ new->open_dir_auth_group = NULL; /* group to be used to authorize user */
+ new->proposal = NULL;
+ new->cacertfile = NULL;
+ for (i = 0; i <= SCRIPT_MAX; i++)
+ new->script[i] = NULL;
+ new->to_remove = FALSE;
+ new->to_delete = FALSE;
+ new->linked_to_ph1 = 0;
+ new->idv = NULL;
+ new->key = NULL;
+#ifdef ENABLE_HYBRID
+ new->xauth = NULL;
+#endif
+
 /* duplicate dynamic structures */
 if (new->etypes)
 new->etypes=dupetypes(new->etypes);
@@ -468,12 +513,6 @@ delrmconf(rmconf)
 racoon_free(rmconf->cacertfile);
 if (rmconf->prhead)
 proposalspec_free(rmconf->prhead);
-#ifdef HAVE_OPENSSL
- if (rmconf->rsa_private)
- genlist_free(rmconf->rsa_private, rsa_key_free);
- if (rmconf->rsa_public)
- genlist_free(rmconf->rsa_public, rsa_key_free);
-#endif
 if (rmconf->shared_secret)
 vfree(rmconf->shared_secret);
 if (rmconf->keychainCertRef)
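Review bot: After `memcpy (new, rmconf, sizeof (*new))` the zero-out list covers remote, proposal, cacertfile, the scripts, idv, key and xauth, but not every pointer that delrmconf releases: `prhead` (freed through `proposalspec_free` in the hunk below) and `idvl_p` (allocated with `genlist_init` in newrmconf) still alias the source's allocations when this hunk ends, so freeing both copies would release them twice unless the "duplicate dynamic structures" section that follows outside the hunk takes care of them. If it does not, add `new->prhead = NULL;` and `new->idvl_p = NULL;` (or duplicate them) to the list, and let the FIXME name what is still shared rather than "etc.". The new comment `peristant` should read `persistent`.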
@@ -670,10 +709,14 @@ dump_rmconf_single (struct remoteconf *p, void *data)
 char buf[1024], *pbuf;
 pbuf = buf;
- pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str(p->remote));
+ if (p->remote_prefix)
+ pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s",
+ saddr2str_with_prefix((struct sockaddr *)p->remote, p->remote_prefix));
+ else
+ pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str((struct sockaddr *)p->remote));
 if (p->inherited_from)
 pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s",
- saddr2str(p->inherited_from->remote));
+ saddr2str((struct sockaddr *)p->inherited_from->remote));
 plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf);
 pbuf = buf;
 pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type ");
@@ -747,7 +790,7 @@ dump_rmconf_single (struct remoteconf *p, void *data)
 plog(LLV_INFO, LOCATION, NULL, "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
 prop->prop_no, prop->trns_no,
- saddr2str(prop->rmconf->remote));
+ saddr2str((struct sockaddr *)prop->rmconf->remote));
 plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n");
 plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n", (long)prop->lifetime);
@@ -795,10 +838,7 @@ script_path_add(path)
 {
 char *script_dir;
 vchar_t *new_path;
- vchar_t *new_storage;
- vchar_t **sp;
 size_t len;
- size_t size;
 script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT];
@@ -850,18 +890,3 @@ dupisakmpsa(struct isakmpsa *sa)
 }
-#ifdef HAVE_OPENSSL
-void
-rsa_key_free(void *entry)
-{
- struct rsa_key *key = (struct rsa_key *)entry;
- if (key->src)
- free(key->src);
- if (key->dst)
- free(key->dst);
- if (key->rsa)
- RSA_free(key->rsa);
- free(key);
-}
-#endif
\ No newline at end of file
diff --git a/ipsec-tools/racoon/remoteconf.h b/ipsec-tools/racoon/remoteconf.h
index 10d97c8..f1b556a 100644
--- a/ipsec-tools/racoon/remoteconf.h
+++ b/ipsec-tools/racoon/remoteconf.h
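Review bot: The new `pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), ...)` lines keep the existing pattern of adding snprintf's would-be length to `pbuf`; once the text exceeds the 1024-byte `buf`, `pbuf` points past the array and `sizeof(buf) - (pbuf - buf)` wraps to a huge size_t, so the next snprintf can write outside `buf`. Whether 1024 bytes can actually be exceeded depends on the address strings and on the appends later in the function (outside the hunk), but the arithmetic should be clamped where the value is produced, as below, and the " inherit %s" append needs the same treatment. dump_rmconf_single starts and ends outside the hunk.
```c
	size_t left = sizeof(buf) - (pbuf - buf);
	int n;
	if (p->remote_prefix)
		n = snprintf(pbuf, left, "remote %s",
		    saddr2str_with_prefix((struct sockaddr *)p->remote, p->remote_prefix));
	else
		n = snprintf(pbuf, left, "remote %s", saddr2str((struct sockaddr *)p->remote));
	if (n < 0 || (size_t)n >= left)
		n = left ? (int)left - 1 : 0;	/* truncated: keep pbuf inside buf */
	pbuf += n;
	/* … unchanged: " inherit %s" append, to be clamped the same way … */
```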
@@ -66,7 +66,7 @@ struct secprotospec { int encmode; /* for ipsec */ int vendorid; /* for isakmp */ char *gssid; - struct sockaddr *remote; + struct sockaddr_storage *remote; int algclass[MAXALGCLASS]; struct secprotospec *next; /* the tail is the most prefiered. */ @@ -94,7 +94,8 @@ enum { extern char *script_names[SCRIPT_MAX + 1]; struct remoteconf { - struct sockaddr *remote; /* remote IP address */ + struct sockaddr_storage *remote; /* remote IP address */ + int remote_prefix; /* allows subnet for remote address */ /* if family is AF_UNSPEC, that is * for anonymous configuration. */ @@ -169,10 +170,6 @@ struct remoteconf { from which this one was inherited */ struct proposalspec *prhead; -#ifdef HAVE_OPENSSL - struct genlist *rsa_private, /* lists of PlainRSA keys to use */ - *rsa_public; -#endif #ifdef ENABLE_HYBRID struct xauth_rmconf *xauth; @@ -215,14 +212,14 @@ struct idspec { typedef struct remoteconf * (rmconf_func_t)(struct remoteconf *rmconf, void *data); -extern struct remoteconf *getrmconf __P((struct sockaddr *)); +extern struct remoteconf *getrmconf __P((struct sockaddr_storage *)); extern struct remoteconf *getrmconf_strict - __P((struct sockaddr *remote, int allow_anon)); + __P((struct sockaddr_storage *remote, int allow_anon)); extern int link_rmconf_to_ph1 __P((struct remoteconf *)); extern int unlink_rmconf_from_ph1 __P((struct remoteconf *)); extern int no_remote_configs __P((int)); -extern struct remoteconf *copyrmconf __P((struct sockaddr *)); +extern struct remoteconf *copyrmconf __P((struct sockaddr_storage *)); extern struct remoteconf *newrmconf __P((void)); extern struct remoteconf *duprmconf __P((struct remoteconf *)); extern void delrmconf __P((struct remoteconf *)); diff --git a/ipsec-tools/racoon/sainfo.c b/ipsec-tools/racoon/sainfo.c index 02bbb28..0f8c888 100644 --- a/ipsec-tools/racoon/sainfo.c +++ b/ipsec-tools/racoon/sainfo.c 
@@ -90,16 +90,16 @@ getsainfo(src, dst, peer, use_nat_addr) if (use_nat_addr && lcconf->ext_nat_id == NULL) return NULL; - plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - src id:\n"); - if (src != NULL) - plogdump(LLV_DEBUG2, src->v, src->l); - else - plog(LLV_DEBUG2, LOCATION, NULL, " anonymous\n"); - plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - dst id:\n"); - if (dst != NULL) - plogdump(LLV_DEBUG2, dst->v, dst->l); - else - plog(LLV_DEBUG2, LOCATION, NULL, " anonymous\n"); + //plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - src id:\n"); + //if (src != NULL) + // plogdump(LLV_DEBUG2, src->v, src->l); + //else + // plog(LLV_DEBUG2, LOCATION, NULL, " anonymous\n"); + //plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - dst id:\n"); + //if (dst != NULL) + // plogdump(LLV_DEBUG2, dst->v, dst->l); + //else + // plog(LLV_DEBUG2, LOCATION, NULL, " anonymous\n"); if (peer == NULL) pass = 2; again: @@ -107,13 +107,13 @@ getsainfo(src, dst, peer, use_nat_addr) if (s->to_delete || s->to_remove) { continue; } - if (s->idsrc != NULL) { - plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id - src & dst:\n"); - plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l); - plogdump(LLV_DEBUG2, s->iddst->v, s->iddst->l); - } else { - plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id = anonymous\n"); - } + //if (s->idsrc != NULL) { + // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id - src & dst:\n"); + // plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l); + // plogdump(LLV_DEBUG2, s->iddst->v, s->iddst->l); + //} else { + // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id = anonymous\n"); + //} if (s->id_i != NULL) { if (pass == 2) continue; 
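Review bot: The getsainfo debug traces are commented out rather than removed, leaving ten dead `//plog`/`//plogdump` lines inside the lookup loop where they will rot as the surrounding code changes. Version control already preserves them, so either delete the lines or, if they are expected to return, put them behind an explicit compile-time switch such as `#ifdef SAINFO_LOOKUP_DEBUG` so the intent is visible and the code keeps compiling. The same commented-out pattern recurs in the second getsainfo hunk and in getsainfo_by_dst_id.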
@@ -180,13 +180,13 @@ getsainfo_by_dst_id(dst, peer) if (s->to_delete || s->to_remove) { continue; } - if (s->idsrc != NULL) { - plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id - src & dst:\n"); - plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l); - plogdump(LLV_DEBUG2, s->iddst->v, s->iddst->l); - } else { - plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id = anonymous\n"); - } + //if (s->idsrc != NULL) { + // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id - src & dst:\n"); + // plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l); + // plogdump(LLV_DEBUG2, s->iddst->v, s->iddst->l); + //} else { + // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id = anonymous\n"); + //} if (s->id_i != NULL) { plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id_i:\n"); plogdump(LLV_DEBUG2, s->id_i->v, s->id_i->l); diff --git a/ipsec-tools/racoon/schedule.c b/ipsec-tools/racoon/schedule.c index 50b1865..f2e4c37 100644 --- a/ipsec-tools/racoon/schedule.c +++ b/ipsec-tools/racoon/schedule.c @@ -239,7 +239,7 @@ sched_dump(buf, len) caddr_t *buf; int *len; { - caddr_t new; + struct scheddump *new; struct sched *p; struct scheddump *dst; int cnt = 0; @@ -257,10 +257,10 @@ sched_dump(buf, len) *len = cnt * sizeof(*dst); - new = racoon_malloc(*len); + new = (struct scheddump *)racoon_malloc(*len); if (new == NULL) return -1; - dst = (struct scheddump *)new; + dst = new; p = TAILQ_FIRST(&sctree); while (p) { @@ -275,7 +275,7 @@ sched_dump(buf, len) dst++; } - *buf = new; + *buf = (caddr_t)new; return 0; } diff --git a/ipsec-tools/racoon/session.c b/ipsec-tools/racoon/session.c index 5bfbaba..f2a1bc6 100644 --- a/ipsec-tools/racoon/session.c +++ b/ipsec-tools/racoon/session.c 
@@ -111,7 +111,7 @@ extern pid_t racoon_pid; extern char logFileStr[]; -extern int launchedbylaunchd(void); +extern int launchdlaunched; static void close_session __P((void)); static void check_rtsock __P((void *)); static void initfds __P((void)); @@ -168,7 +168,7 @@ static int64_t racoon_keepalive = -1; int64_t launchd_update_racoon_keepalive (Boolean enabled) { - if (launchedbylaunchd()) { + if (launchdlaunched) { vproc_t vp = vprocmgr_lookup_vproc("com.apple.racoon"); if (vp) { int64_t val = (__typeof__(val))enabled; @@ -700,15 +700,15 @@ check_flushsa() return; } - msg = (struct sadb_msg *)buf->v; - end = (struct sadb_msg *)(buf->v + buf->l); + msg = ALIGNED_CAST(struct sadb_msg *)buf->v; + end = ALIGNED_CAST(struct sadb_msg *)(buf->v + buf->l); /* counting SA except of dead one. */ n = 0; while (msg < end) { if (PFKEY_UNUNIT64(msg->sadb_msg_len) < sizeof(*msg)) break; - next = (struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len)); + next = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len)); // Wcast-align fix (void*) - aligned buffer + multiple of 64 if (msg->sadb_msg_type != SADB_DUMP) { msg = next; continue; @@ -721,7 +721,7 @@ check_flushsa() continue; } - sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]); + sa = ALIGNED_CAST(struct sadb_sa *)(mhp[SADB_EXT_SA]); // Wcast-align fix (void*) - mhp contains pointers to aligned structs if (!sa) { msg = next; continue; diff --git a/ipsec-tools/racoon/sockmisc.c b/ipsec-tools/racoon/sockmisc.c index aec6279..9deb6ab 100644 --- a/ipsec-tools/racoon/sockmisc.c +++ b/ipsec-tools/racoon/sockmisc.c @@ -55,6 +55,7 @@ #ifdef HAVE_UNISTD_H #include #endif +#include #include "var.h" #include "misc.h" @@ -83,8 +84,8 @@ const int niflags = 0; */ int cmpsaddrwop(addr1, addr2) - const struct sockaddr *addr1; - const struct sockaddr *addr2; + const struct sockaddr_storage *addr1; + const struct sockaddr_storage *addr2; { caddr_t sa1, sa2; 
@@ -93,10 +94,10 @@ cmpsaddrwop(addr1, addr2) if (addr1 == 0 || addr2 == 0) return 1; - if (addr1->sa_len != addr2->sa_len - || addr1->sa_family != addr2->sa_family) + if (addr1->ss_len != addr2->ss_len + || addr1->ss_family != addr2->ss_family) return 1; - switch (addr1->sa_family) { + switch (addr1->ss_family) { case AF_INET: sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr; @@ -121,6 +122,63 @@ cmpsaddrwop(addr1, addr2) return 0; } +/* + * compare two sockaddr without port number using prefix. + * OUT: 0: equal. + * 1: not equal. + */ +int +cmpsaddrwop_withprefix(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2, int prefix) +{ + u_int32_t mask; + int i; + + if (addr1 == 0 && addr2 == 0) + return 0; + if (addr1 == 0 || addr2 == 0) + return 1; + + if (addr1->ss_len != addr2->ss_len + || addr1->ss_family != addr2->ss_family) + return 1; + switch (addr1->ss_family) { + case AF_INET: + mask = ~0; + mask <<= 32-prefix; + if ((((struct sockaddr_in *)addr1)->sin_addr.s_addr & htonl(mask)) != + (((struct sockaddr_in *)addr2)->sin_addr.s_addr & htonl(mask))) + return 1; + break; +#ifdef INET6 + case AF_INET6: + for (i = 0; i < 4; i++) { + if (prefix >= 32) { + mask = ~0; + prefix -= 32; + } else if (prefix == 0) + mask = 0; + else { + mask = ~0; + mask <<= 32-prefix; + prefix = 0; + } + if ((((struct sockaddr_in6 *)addr1)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)) != + (((struct sockaddr_in6 *)addr2)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask))) + return 1; + } + if (((struct sockaddr_in6 *)addr1)->sin6_scope_id != + ((struct sockaddr_in6 *)addr2)->sin6_scope_id) + return 1; + break; +#endif + default: + return 1; + } + + return 0; +} + + /* * compare two sockaddr with port, taking care wildcard. * addr1 is a subject address, addr2 is in a database entry. 
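Review bot: In the AF_INET branch of cmpsaddrwop_withprefix, `mask <<= 32-prefix` is undefined behaviour when `prefix` is 0 (shift by the full width of u_int32_t) and when `prefix` exceeds 32 (negative shift count), and nothing in the function bounds `prefix`; it comes from the configured `remote_prefix`, and whether the config parser rejects 0 and >32 cannot be seen from here. The IPv6 loop already special-cases `prefix == 0`, so mirror that: `if (prefix <= 0) mask = 0; else if (prefix >= 32) mask = ~0; else { mask = ~0; mask <<= 32 - prefix; }`. Note that a zero prefix makes this routine match any peer address, which for remote-configuration lookup is a deliberately broad match and deserves a comment if intended.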
@@ -129,8 +187,8 @@ cmpsaddrwop(addr1, addr2) */ int cmpsaddrwild(addr1, addr2) - const struct sockaddr *addr1; - const struct sockaddr *addr2; + const struct sockaddr_storage *addr1; + const struct sockaddr_storage *addr2; { caddr_t sa1, sa2; u_short port1, port2; @@ -140,11 +198,11 @@ cmpsaddrwild(addr1, addr2) if (addr1 == 0 || addr2 == 0) return 1; - if (addr1->sa_len != addr2->sa_len - || addr1->sa_family != addr2->sa_family) + if (addr1->ss_len != addr2->ss_len + || addr1->ss_family != addr2->ss_family) return 1; - switch (addr1->sa_family) { + switch (addr1->ss_family) { case AF_INET: sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr; @@ -188,8 +246,8 @@ cmpsaddrwild(addr1, addr2) */ int cmpsaddrstrict(addr1, addr2) - const struct sockaddr *addr1; - const struct sockaddr *addr2; + const struct sockaddr_storage *addr1; + const struct sockaddr_storage *addr2; { caddr_t sa1, sa2; u_short port1, port2; @@ -199,11 +257,11 @@ cmpsaddrstrict(addr1, addr2) if (addr1 == 0 || addr2 == 0) return 1; - if (addr1->sa_len != addr2->sa_len - || addr1->sa_family != addr2->sa_family) + if (addr1->ss_len != addr2->ss_len + || addr1->ss_family != addr2->ss_family) return 1; - switch (addr1->sa_family) { + switch (addr1->ss_family) { case AF_INET: sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr; 
@@ -236,13 +294,80 @@ cmpsaddrstrict(addr1, addr2) return 0; } +/* + * compare two sockaddr with strict match on port using prefix. + * OUT: 0: equal. + * 1: not equal. + */ +int +cmpsaddrstrict_withprefix(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2, int prefix) +{ + u_short port1, port2; + u_int32_t mask; + int i; + + if (addr1 == 0 && addr2 == 0) + return 0; + if (addr1 == 0 || addr2 == 0) + return 1; + + if (addr1->ss_len != addr2->ss_len + || addr1->ss_family != addr2->ss_family) + return 1; + + switch (addr1->ss_family) { + case AF_INET: + port1 = ((struct sockaddr_in *)addr1)->sin_port; + port2 = ((struct sockaddr_in *)addr2)->sin_port; + if (port1 != port2) + return 1; + mask = ~0; + mask <<= 32-prefix; + if ((((struct sockaddr_in *)addr1)->sin_addr.s_addr & htonl(mask)) != + (((struct sockaddr_in *)addr2)->sin_addr.s_addr & htonl(mask))) + return 1; + break; +#ifdef INET6 + case AF_INET6: + port1 = ((struct sockaddr_in6 *)addr1)->sin6_port; + port2 = ((struct sockaddr_in6 *)addr2)->sin6_port; + if (port1 != port2) + return 1; + for (i = 0; i < 4; i++) { + if (prefix >= 32) { + mask = ~0; + prefix -= 32; + } else if (prefix == 0) + mask = 0; + else { + mask = ~0; + mask <<= 32-prefix; + prefix = 0; + } + if ((((struct sockaddr_in6 *)addr1)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)) != + (((struct sockaddr_in6 *)addr2)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask))) + return 1; + } + if (((struct sockaddr_in6 *)addr1)->sin6_scope_id != + ((struct sockaddr_in6 *)addr2)->sin6_scope_id) + return 1; + break; +#endif + default: + return 1; + } + + return 0; +} + + /* get local address against the destination. */ -struct sockaddr * +struct sockaddr_storage * getlocaladdr(remote) struct sockaddr *remote; { - struct sockaddr *local; - u_int local_len = sizeof(struct sockaddr_storage); + struct sockaddr_storage *local; + u_int local_len = sizeof(struct sockaddr); int s; /* for dummy connection */ /* allocate buffer */ 
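Review bot: `local_len` in getlocaladdr changes from `sizeof(struct sockaddr_storage)` to `sizeof(struct sockaddr)`, i.e. 16 bytes, which is smaller than a sockaddr_in6 (28 bytes); if, as in the original code, the buffer is allocated with `newsaddr(local_len)` and that length is passed to getsockname(), an IPv6 local address is silently truncated and the returned `struct sockaddr_storage *` points at a 16-byte object. Restore `u_int local_len = sizeof(struct sockaddr_storage);`, which also matches the new return type. Separately, cmpsaddrstrict_withprefix's AF_INET `mask <<= 32-prefix` is undefined for `prefix` 0 or greater than 32 and should clamp the way its IPv6 loop does. The allocation and the getsockname() call are outside the hunk.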
@@ -259,6 +384,11 @@ getlocaladdr(remote) goto err; } + if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to put localaddr socket in non-blocking mode\n"); + } + setsockopt_bypass(s, remote->sa_family); if (connect(s, remote, sysdep_sa_len(remote)) < 0) { @@ -268,7 +398,7 @@ getlocaladdr(remote) goto err; } - if (getsockname(s, local, &local_len) < 0) { + if (getsockname(s, (struct sockaddr *)local, &local_len) < 0) { plog(LLV_ERROR, LOCATION, NULL, "getsockname (%s)\n", strerror(errno)); close(s); @@ -294,18 +424,18 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) void *buf; size_t buflen; int flags; - struct sockaddr *from; + struct sockaddr_storage *from; socklen_t *fromlen; - struct sockaddr *to; + struct sockaddr_storage *to; u_int *tolen; { int otolen; - u_int len; + ssize_t len; struct sockaddr_storage ss; struct msghdr m; struct cmsghdr *cm, *cm_prev; struct iovec iov[2]; - u_char cmsgbuf[256]; + u_int32_t cmsgbuf[256/sizeof(u_int32_t)]; // Wcast-align fix - force 32 bit alignment #if defined(INET6) && defined(INET6_ADVAPI) struct in6_pktinfo *pi; #endif /*INET6_ADVAPI*/ @@ -331,12 +461,15 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) cm = (struct cmsghdr *)cmsgbuf; m.msg_control = (caddr_t)cm; m.msg_controllen = sizeof(cmsgbuf); - if ((len = recvmsg(s, &m, flags)) < 0) { + while ((len = recvmsg(s, &m, flags)) < 0) { + if (errno == EINTR) + continue; plog(LLV_ERROR, LOCATION, NULL, "recvmsg (%s)\n", strerror(errno)); return -1; - } else if (len == 0) { - return 0; + } + if (len == 0) { + return 0; } *fromlen = m.msg_namelen; @@ -354,7 +487,7 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) && cm->cmsg_level == IPPROTO_IPV6 && cm->cmsg_type == IPV6_PKTINFO && otolen >= sizeof(*sin6)) { - pi = (struct in6_pktinfo *)(CMSG_DATA(cm)); + pi = ALIGNED_CAST(struct in6_pktinfo *)(CMSG_DATA(cm)); *tolen = sizeof(*sin6); sin6 = (struct sockaddr_in6 *)to; memset(sin6, 0, sizeof(*sin6)); 
@@ -417,14 +550,14 @@ sendfromto(s, buf, buflen, src, dst, cnt) int s, cnt; const void *buf; size_t buflen; - struct sockaddr *src; - struct sockaddr *dst; + struct sockaddr_storage *src; + struct sockaddr_storage *dst; { struct sockaddr_storage ss; int len; int i; - if (src->sa_family != dst->sa_family) { + if (src->ss_family != dst->ss_family) { plog(LLV_ERROR, LOCATION, NULL, "address family mismatch\n"); return -1; @@ -440,25 +573,24 @@ sendfromto(s, buf, buflen, src, dst, cnt) plog(LLV_DEBUG, LOCATION, NULL, "sockname %s\n", saddr2str((struct sockaddr *)&ss)); plog(LLV_DEBUG, LOCATION, NULL, - "send packet from %s\n", saddr2str(src)); + "send packet from %s\n", saddr2str((struct sockaddr *)src)); plog(LLV_DEBUG, LOCATION, NULL, - "send packet to %s\n", saddr2str(dst)); + "send packet to %s\n", saddr2str((struct sockaddr *)dst)); - if (src->sa_family != ss.ss_family) { + if (src->ss_family != ss.ss_family) { plog(LLV_ERROR, LOCATION, NULL, "address family mismatch\n"); return -1; } - switch (src->sa_family) { + switch (src->ss_family) { #if defined(INET6) && defined(INET6_ADVAPI) -// XXX: This block wasn't compiled on Linux - does it work? case AF_INET6: { struct msghdr m; struct cmsghdr *cm; struct iovec iov[2]; - u_char cmsgbuf[256]; + u_int32_t cmsgbuf[256/sizeof(u_int32_t)]; // Wcast-align fix - force 32 bit alignment struct in6_pktinfo *pi; int ifindex; struct sockaddr_in6 src6, dst6; @@ -494,7 +626,7 @@ sendfromto(s, buf, buflen, src, dst, cnt) cm->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); cm->cmsg_level = IPPROTO_IPV6; cm->cmsg_type = IPV6_PKTINFO; - pi = (struct in6_pktinfo *)CMSG_DATA(cm); + pi = ALIGNED_CAST(struct in6_pktinfo *)CMSG_DATA(cm); memcpy(&pi->ipi6_addr, &src6.sin6_addr, sizeof(src6.sin6_addr)); pi->ipi6_ifindex = ifindex; 
@@ -522,7 +654,7 @@ sendfromto(s, buf, buflen, src, dst, cnt) plog(LLV_DEBUG, LOCATION, NULL, "%d times of %d bytes message will be sent " "to %s\n", - i + 1, len, saddr2str(dst)); + i + 1, len, saddr2str((struct sockaddr *)dst)); } plogdump(LLV_DEBUG, (char *)buf, buflen); @@ -534,7 +666,7 @@ sendfromto(s, buf, buflen, src, dst, cnt) int needclose = 0; int sendsock; - if (ss.ss_family == src->sa_family && memcmp(&ss, src, sysdep_sa_len(src)) == 0) { + if (ss.ss_family == src->ss_family && memcmp(&ss, src, sysdep_sa_len((struct sockaddr *)src)) == 0) { sendsock = s; needclose = 0; } else { @@ -546,12 +678,16 @@ sendfromto(s, buf, buflen, src, dst, cnt) * Better approach is to prepare bind'ed udp sockets for * each of the interface addresses. */ - sendsock = socket(src->sa_family, SOCK_DGRAM, 0); + sendsock = socket(src->ss_family, SOCK_DGRAM, 0); if (sendsock < 0) { plog(LLV_ERROR, LOCATION, NULL, "socket (%s)\n", strerror(errno)); return -1; } + if (fcntl(sendsock, F_SETFL, O_NONBLOCK) == -1) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to put sendsock socket in non-blocking mode\n"); + } if (setsockopt(sendsock, SOL_SOCKET, SO_REUSEPORT, (void *)&yes, sizeof(yes)) < 0) { @@ -562,7 +698,7 @@ sendfromto(s, buf, buflen, src, dst, cnt) return -1; } #ifdef IPV6_USE_MIN_MTU - if (src->sa_family == AF_INET6 && + if (src->ss_family == AF_INET6 && setsockopt(sendsock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, (void *)&yes, sizeof(yes)) < 0) { plog(LLV_ERROR, LOCATION, NULL, @@ -572,12 +708,12 @@ sendfromto(s, buf, buflen, src, dst, cnt) return -1; } #endif - if (setsockopt_bypass(sendsock, src->sa_family) < 0) { + if (setsockopt_bypass(sendsock, src->ss_family) < 0) { close(sendsock); return -1; } - if (bind(sendsock, (struct sockaddr *)src, sysdep_sa_len(src)) < 0) { + if (bind(sendsock, (struct sockaddr *)src, sysdep_sa_len((struct sockaddr *)src)) < 0) { plog(LLV_ERROR, LOCATION, NULL, "bind 1 (%s)\n", strerror(errno)); close(sendsock); 
@@ -587,7 +723,7 @@ sendfromto(s, buf, buflen, src, dst, cnt) } for (i = 0; i < cnt; i++) { - len = sendto(sendsock, buf, buflen, 0, dst, sysdep_sa_len(dst)); + len = sendto(sendsock, buf, buflen, 0, (struct sockaddr *)dst, sysdep_sa_len((struct sockaddr *)dst)); if (len < 0) { plog(LLV_ERROR, LOCATION, NULL, "sendto (%s)\n", strerror(errno)); @@ -604,7 +740,7 @@ sendfromto(s, buf, buflen, src, dst, cnt) plog(LLV_DEBUG, LOCATION, NULL, "%d times of %d bytes message will be sent " "to %s\n", - i + 1, len, saddr2str(dst)); + i + 1, len, saddr2str((struct sockaddr *)dst)); } plogdump(LLV_DEBUG, (char *)buf, buflen); @@ -680,11 +816,11 @@ setsockopt_bypass(so, family) return 0; } -struct sockaddr * +struct sockaddr_storage * newsaddr(len) int len; { - struct sockaddr *new; + struct sockaddr_storage *new; if ((new = racoon_calloc(1, len)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -692,16 +828,16 @@ newsaddr(len) goto out; } /* initial */ - new->sa_len = len; + new->ss_len = len; out: return new; } -struct sockaddr * +struct sockaddr_storage * dupsaddr(src) struct sockaddr *src; { - struct sockaddr *dst; + struct sockaddr_storage *dst; dst = racoon_calloc(1, sysdep_sa_len(src)); if (dst == NULL) { @@ -737,6 +873,30 @@ saddr2str(saddr) return buf; } +char * +saddr2str_with_prefix(saddr, prefix) +const struct sockaddr *saddr; +int prefix; +{ + static char buf[NI_MAXHOST + NI_MAXSERV + 10]; + char addr[NI_MAXHOST], port[NI_MAXSERV]; + + if (saddr == NULL) { + buf[0] = '\0'; + return buf; + } + + if (saddr->sa_family == AF_UNSPEC) + snprintf (buf, sizeof(buf), "%s", "anonymous"); + else { + GETNAMEINFO(saddr, addr, port); + snprintf(buf, sizeof(buf), "%s/%d[%s]", addr, prefix, port); + } + + return buf; +} + + char * saddrwop2str(saddr) const struct sockaddr *saddr; 
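Review bot: dupsaddr now returns a `struct sockaddr_storage *` but still allocates only `sysdep_sa_len(src)` bytes (16 for AF_INET, 28 for AF_INET6), so the pointer type promises a 128-byte object that is not there; any caller that does `sizeof(*p)`, copies `sizeof(struct sockaddr_storage)` bytes, or memcmp's two whole storages reads past the allocation, and the `newsaddr(sizeof(*saddr))` path visible in str2saddr in this same diff means the two allocators now disagree on object size. Either allocate the full type here, `dst = racoon_calloc(1, sizeof(*dst));` before the memcpy, or document on both functions that only the first `ss_len` bytes are valid. The memcpy into `dst` is outside the hunk.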
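Review bot: saddr2str_with_prefix returns a pointer into a function-static `buf`, like saddr2str, so two calls within one expression (for example both arguments of a single plog) clobber each other and the function is not reentrant; add a header comment stating this, e.g. `/* Returns a static buffer overwritten by the next call; not reentrant. */`. The `prefix` argument is formatted unchecked, so an out-of-range value is printed rather than rejected here; if the config parser is the place that validates it, say so in the same comment.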
@@ -769,7 +929,7 @@ naddrwop2str(const struct netaddr *naddr) if (memcmp(&naddr->sa, &sa_any, sizeof(sa_any)) == 0) snprintf(buf, sizeof(buf), "%s", "any"); else { - snprintf(buf, sizeof(buf), "%s", saddrwop2str(&naddr->sa.sa)); + snprintf(buf, sizeof(buf), "%s", saddrwop2str((struct sockaddr *)&naddr->sa.sa)); snprintf(&buf[strlen(buf)], sizeof(buf) - strlen(buf), "/%ld", naddr->prefix); } return buf; @@ -829,13 +989,13 @@ saddr2str_fromto(format, saddr, daddr) return buf; } -struct sockaddr * +struct sockaddr_storage * str2saddr(host, port) char *host; char *port; { struct addrinfo hints, *res; - struct sockaddr *saddr; + struct sockaddr_storage *saddr; int error; memset(&hints, 0, sizeof(hints)); @@ -857,7 +1017,7 @@ str2saddr(host, port) "taking the first one\n", host, port ? "," : "", port ? port : ""); } - saddr = racoon_malloc(res->ai_addrlen); + saddr = newsaddr(sizeof(*saddr)); if (saddr == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate buffer.\n"); @@ -872,14 +1032,14 @@ str2saddr(host, port) void mask_sockaddr(a, b, l) - struct sockaddr *a; - const struct sockaddr *b; + struct sockaddr_storage *a; + const struct sockaddr_storage *b; size_t l; { size_t i; u_int8_t *p, alen; - switch (b->sa_family) { + switch (b->ss_family) { case AF_INET: alen = sizeof(struct in_addr); p = (u_int8_t *)&((struct sockaddr_in *)a)->sin_addr; @@ -892,17 +1052,17 @@ mask_sockaddr(a, b, l) #endif default: plog(LLV_ERROR2, LOCATION, NULL, - "invalid address family: %d\n", b->sa_family); + "invalid address family: %d\n", b->ss_family); exit(1); } if ((alen << 3) < l) { plog(LLV_ERROR2, LOCATION, NULL, - "unexpected inconsistency: %d %zu\n", b->sa_family, l); + "unexpected inconsistency: %d %zu\n", b->ss_family, l); exit(1); } - memcpy(a, b, sysdep_sa_len(b)); + memcpy(a, b, sysdep_sa_len((struct sockaddr *)b)); p[l / 8] &= (0xff00 >> (l % 8)) & 0xff; for (i = l / 8 + 1; i < alen; i++) p[i] = 0x00; 
@@ -920,10 +1080,10 @@ mask_sockaddr(a, b, l) * 10.20.30.40:501 => -1 ... port doesn't match and isn't 0 (=any) */ int -naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr) +naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr) { static const struct netaddr naddr_any; /* initialized to all-zeros */ - struct sockaddr sa; + struct sockaddr_storage sa; u_int16_t naddr_port, saddr_port; int port_score; @@ -939,7 +1099,7 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr) return 0; /* If families don't match we really can't do much... */ - if (naddr->sa.sa.sa_family != saddr->sa_family) + if (naddr->sa.sa.ss_family != saddr->ss_family) return -1; /* If port check fail don't bother to check addresses. */ @@ -957,8 +1117,8 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr) if (loglevel >= LLV_DEBUG) { /* debug only */ char *a1, *a2, *a3; a1 = racoon_strdup(naddrwop2str(naddr)); - a2 = racoon_strdup(saddrwop2str(saddr)); - a3 = racoon_strdup(saddrwop2str(&sa)); + a2 = racoon_strdup(saddrwop2str((struct sockaddr *)saddr)); + a3 = racoon_strdup(saddrwop2str((struct sockaddr *)&sa)); STRDUP_FATAL(a1); STRDUP_FATAL(a2); STRDUP_FATAL(a3); @@ -975,16 +1135,16 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr) return -1; } -/* Some usefull functions for sockaddr port manipulations. */ +/* Some usefull functions for sockaddr_storage port manipulations. */ u_int16_t -extract_port (const struct sockaddr *addr) +extract_port (const struct sockaddr_storage *addr) { u_int16_t port = -1; if (!addr) return port; - switch (addr->sa_family) { + switch (addr->ss_family) { case AF_INET: port = ((struct sockaddr_in *)addr)->sin_port; break; 
@@ -992,7 +1152,7 @@ extract_port (const struct sockaddr *addr) port = ((struct sockaddr_in6 *)addr)->sin6_port; break; default: - plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family); + plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->ss_family); break; } @@ -1000,14 +1160,14 @@ extract_port (const struct sockaddr *addr) } u_int16_t * -get_port_ptr (struct sockaddr *addr) +get_port_ptr (struct sockaddr_storage *addr) { u_int16_t *port_ptr; if (!addr) return NULL; - switch (addr->sa_family) { + switch (addr->ss_family) { case AF_INET: port_ptr = &(((struct sockaddr_in *)addr)->sin_port); break; @@ -1015,7 +1175,7 @@ get_port_ptr (struct sockaddr *addr) port_ptr = &(((struct sockaddr_in6 *)addr)->sin6_port); break; default: - plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family); + plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->ss_family); return NULL; break; } @@ -1024,7 +1184,7 @@ get_port_ptr (struct sockaddr *addr) } u_int16_t * -set_port (struct sockaddr *addr, u_int16_t new_port) +set_port (struct sockaddr_storage *addr, u_int16_t new_port) { u_int16_t *port_ptr; diff --git a/ipsec-tools/racoon/sockmisc.h b/ipsec-tools/racoon/sockmisc.h index 5c940d6..557d345 100644 --- a/ipsec-tools/racoon/sockmisc.h +++ b/ipsec-tools/racoon/sockmisc.h @@ -34,7 +34,7 @@ struct netaddr { union { - struct sockaddr sa; + struct sockaddr_storage sa; struct sockaddr_in sin; struct sockaddr_in6 sin6; } sa; 
@@ -43,9 +43,12 @@ struct netaddr { extern const int niflags; -extern int cmpsaddrwop __P((const struct sockaddr *, const struct sockaddr *)); -extern int cmpsaddrwild __P((const struct sockaddr *, const struct sockaddr *)); -extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *)); +extern int cmpsaddrwop __P((const struct sockaddr_storage *, const struct sockaddr_storage *)); +extern int cmpsaddrwop_withprefix(const struct sockaddr_storage *, const struct sockaddr_storage *, int); + +extern int cmpsaddrwild __P((const struct sockaddr_storage *, const struct sockaddr_storage *)); +extern int cmpsaddrstrict __P((const struct sockaddr_storage *, const struct sockaddr_storage *)); +extern int cmpsaddrstrict_withprefix(const struct sockaddr_storage *, const struct sockaddr_storage *, int); #ifdef ENABLE_NATT #define CMPSADDR(saddr1, saddr2) cmpsaddrstrict((saddr1), (saddr2)) 
@@ -55,35 +58,36 @@ extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *) #define CMPSADDR2(saddr1, saddr2) cmpsaddrwop((saddr1), (saddr2)) #endif -extern struct sockaddr *getlocaladdr __P((struct sockaddr *)); +extern struct sockaddr_storage *getlocaladdr __P((struct sockaddr *)); extern int recvfromto __P((int, void *, size_t, int, - struct sockaddr *, socklen_t *, struct sockaddr *, unsigned int *)); + struct sockaddr_storage *, socklen_t *, struct sockaddr_storage *, unsigned int *)); extern int sendfromto __P((int, const void *, size_t, - struct sockaddr *, struct sockaddr *, int)); + struct sockaddr_storage *, struct sockaddr_storage *, int)); extern int setsockopt_bypass __P((int, int)); -extern struct sockaddr *newsaddr __P((int)); -extern struct sockaddr *dupsaddr __P((struct sockaddr *)); +extern struct sockaddr_storage *newsaddr __P((int)); +extern struct sockaddr_storage *dupsaddr __P((struct sockaddr *)); extern char *saddr2str __P((const struct sockaddr *)); +extern char *saddr2str_with_prefix __P((const struct sockaddr *, int)); extern char *saddrwop2str __P((const struct sockaddr *)); extern char *saddr2str_fromto __P((const char *format, const struct sockaddr *saddr, const struct sockaddr *daddr)); -extern struct sockaddr *str2saddr __P((char *, char *)); -extern void mask_sockaddr __P((struct sockaddr *, const struct sockaddr *, +extern struct sockaddr_storage *str2saddr __P((char *, char *)); +extern void mask_sockaddr __P((struct sockaddr_storage *, const struct sockaddr_storage *, size_t)); /* struct netaddr functions */ extern char *naddrwop2str __P((const struct netaddr *naddr)); extern char *naddrwop2str_fromto __P((const char *format, const struct netaddr *saddr, const struct netaddr *daddr)); -extern int naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr); +extern int naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr); /* Some usefull functions for sockaddr port 
manipulations. */ -extern u_int16_t extract_port __P((const struct sockaddr *addr)); -extern u_int16_t *set_port __P((struct sockaddr *addr, u_int16_t new_port)); -extern u_int16_t *get_port_ptr __P((struct sockaddr *addr)); +extern u_int16_t extract_port __P((const struct sockaddr_storage *addr)); +extern u_int16_t *set_port __P((struct sockaddr_storage *addr, u_int16_t new_port)); +extern u_int16_t *get_port_ptr __P((struct sockaddr_storage *addr)); #endif /* _SOCKMISC_H */ diff --git a/ipsec-tools/racoon/throttle.c b/ipsec-tools/racoon/throttle.c index 3a5dcb4..753470f 100644 --- a/ipsec-tools/racoon/throttle.c +++ b/ipsec-tools/racoon/throttle.c @@ -70,20 +70,20 @@ struct throttle_list throttle_list = TAILQ_HEAD_INITIALIZER(throttle_list); struct throttle_entry * throttle_add(addr) - struct sockaddr *addr; + struct sockaddr_storage *addr; { struct throttle_entry *te; size_t len; len = sizeof(*te) - sizeof(struct sockaddr_storage) - + sysdep_sa_len(addr); + + sysdep_sa_len((struct sockaddr *)addr); if ((te = racoon_malloc(len)) == NULL) return NULL; te->penalty = time(NULL) + isakmp_cfg_config.auth_throttle; - memcpy(&te->host, addr, sysdep_sa_len(addr)); + memcpy(&te->host, addr, sysdep_sa_len((struct sockaddr *)addr)); TAILQ_INSERT_HEAD(&throttle_list, te, next); return te; @@ -91,7 +91,7 @@ throttle_add(addr) int throttle_host(addr, authfail) - struct sockaddr *addr; + struct sockaddr_storage *addr; int authfail; { struct throttle_entry *te; @@ -114,7 +114,7 @@ restart: goto restart; } - if (cmpsaddrwop(addr, (struct sockaddr *)&te->host) == 0) { + if (cmpsaddrwop(addr, (struct sockaddr_storage *)&te->host) == 0) { found = 1; break; } diff --git a/ipsec-tools/racoon/throttle.h b/ipsec-tools/racoon/throttle.h index 4de4970..1dda58a 100644 --- a/ipsec-tools/racoon/throttle.h +++ b/ipsec-tools/racoon/throttle.h 
@@ -43,7 +43,7 @@ TAILQ_HEAD(throttle_list, throttle_entry); #define THROTTLE_PENALTY 1 #define THROTTLE_PENALTY_MAX 10 -struct throttle_entry *throttle_add(struct sockaddr *); -int throttle_host(struct sockaddr *, int); +struct throttle_entry *throttle_add(struct sockaddr_storage *); +int throttle_host(struct sockaddr_storage *, int); #endif /* _THROTTLE_H */ diff --git a/ipsec-tools/racoon/var.h b/ipsec-tools/racoon/var.h index b9418a1..8437413 100644 --- a/ipsec-tools/racoon/var.h +++ b/ipsec-tools/racoon/var.h @@ -76,7 +76,7 @@ #define GETNAMEINFO(x, y, z) \ do { \ - if (getnameinfo((x), sysdep_sa_len(x), (y), sizeof(y), (z), sizeof(z), \ + if (getnameinfo((x), sysdep_sa_len((struct sockaddr *)x), (y), sizeof(y), (z), sizeof(z), \ NIFLAGS) != 0) { \ if (y != NULL) \ strlcpy((y), "(invalid)", sizeof(y)); \ @@ -87,7 +87,7 @@ do { \ #define GETNAMEINFO_NULL(x, y) \ do { \ - if (getnameinfo((x), sysdep_sa_len(x), (y), sizeof(y), NULL, 0, \ + if (getnameinfo((x), sysdep_sa_len((struct sockaddr *)x), (y), sizeof(y), NULL, 0, \ NIFLAGS) != 0) { \ if (y != NULL) \ strlcpy((y), "(invalid)", sizeof(y)); \ @@ -102,6 +102,9 @@ do { \ #include "gcmalloc.h" +/* For casting away alignment warnings when casting a ptr to a known aligned buffer */ +#define ALIGNED_CAST(type) (type)(void *) + #endif /*!defined(_VAR_H_)*/ #endif /* _VAR_H */ diff --git a/ipsec-tools/racoon/vendorid.c b/ipsec-tools/racoon/vendorid.c index f2aec4a..8e3f43a 100644 --- a/ipsec-tools/racoon/vendorid.c +++ b/ipsec-tools/racoon/vendorid.c @@ -120,7 +120,6 @@ static struct vendor_id * lookup_vendor_id_by_hash (const char *hash) { int i; - unsigned char *h = (unsigned char *)hash; for (i = 0; i < NUMVENDORIDS; i++) if (strncmp(all_vendor_ids[i].hash->v, hash, @@ -173,7 +172,6 @@ vchar_t * set_vendorid(int vendorid) { struct vendor_id *current; - vchar_t vid, *new; if (vendorid == VENDORID_UNKNOWN) { /* 
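Review bot: In the GETNAMEINFO and GETNAMEINFO_NULL macros the new cast `(struct sockaddr *)x` uses the macro argument unparenthesized, so an argument that is itself an expression (e.g. `cond ? a : b`) binds differently under the cast than in the adjacent parenthesized `(x)` handed to getnameinfo(), and the two expansions could refer to different objects. Write `sysdep_sa_len((struct sockaddr *)(x))` in both macros.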
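Review bot: `ALIGNED_CAST(type)` expands to `(type)(void *)`, which only defeats -Wcast-align; it does not make the access aligned, so every use is an unchecked assertion about the pointee that the comment should state as an obligation on the caller, e.g. `/* Silences -Wcast-align only: the caller must guarantee the pointer is suitably aligned for type (malloc'd buffer, or an offset into one that preserves alignment). */`. Uses where the pointer is an offset computed from a message length deserve a justification at the call site, as the check_flushsa one in this commit already does.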
@@ -205,8 +203,7 @@ set_vendorid(int vendorid) int check_vendorid(struct isakmp_gen *gen) { - vchar_t vid, *vidhash; - int i, vidlen; + int vidlen; struct vendor_id *current; if (gen == NULL) diff --git a/ipsec-tools/racoon/vpn.c b/ipsec-tools/racoon/vpn.c index 34753ff..df085de 100644 --- a/ipsec-tools/racoon/vpn.c +++ b/ipsec-tools/racoon/vpn.c @@ -123,13 +123,13 @@ int vpn_connect(struct bound_addr *srv, int oper) { int error = -1; - struct sockaddr *dst; + struct sockaddr_storage *dst; struct remoteconf *rmconf; - struct sockaddr *remote = NULL; - struct sockaddr *local = NULL; + struct sockaddr_storage *remote = NULL; + struct sockaddr_storage *local = NULL; u_int16_t port; - dst = racoon_calloc(1, sizeof(struct sockaddr)); // this should come from the bound_addr parameter + dst = racoon_calloc(1, sizeof(struct sockaddr_storage)); // this should come from the bound_addr parameter if (dst == NULL) goto out; ((struct sockaddr_in *)(dst))->sin_len = sizeof(struct sockaddr_in); @@ -140,7 +140,7 @@ vpn_connect(struct bound_addr *srv, int oper) /* * Find the source address */ - if ((local = getlocaladdr(dst)) == NULL) { + if ((local = getlocaladdr((struct sockaddr *)dst)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, "cannot get local address\n"); goto out1; @@ -151,18 +151,18 @@ vpn_connect(struct bound_addr *srv, int oper) if (rmconf == NULL) { plog(LLV_ERROR, LOCATION, NULL, "no configuration found " - "for %s\n", saddrwop2str(dst)); + "for %s\n", saddrwop2str((struct sockaddr *)dst)); goto out1; } /* get remote IP address and port number. */ - if ((remote = dupsaddr(dst)) == NULL) { + if ((remote = dupsaddr((struct sockaddr *)dst)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to duplicate address\n"); goto out1; } - switch (remote->sa_family) { + switch (remote->ss_family) { case AF_INET: ((struct sockaddr_in *)remote)->sin_port = ((struct sockaddr_in *)rmconf->remote)->sin_port; 
@@ -176,7 +176,7 @@ vpn_connect(struct bound_addr *srv, int oper) default: plog(LLV_ERROR, LOCATION, NULL, "invalid family: %d\n", - remote->sa_family); + remote->ss_family); goto out1; break; } @@ -187,10 +187,10 @@ vpn_connect(struct bound_addr *srv, int oper) plog(LLV_INFO, LOCATION, NULL, "accept a request to establish IKE-SA: " - "%s\n", saddrwop2str(remote)); + "%s\n", saddrwop2str((struct sockaddr *)remote)); IPSECLOGASLMSG("IPSec connecting to server %s\n", - saddrwop2str(remote)); + saddrwop2str((struct sockaddr *)remote)); /* begin ident mode */ if (isakmp_ph1begin_i(rmconf, remote, local, oper) < 0) @@ -211,23 +211,26 @@ out: } int -vpn_disconnect(struct bound_addr *srv) +vpn_disconnect(struct bound_addr *srv, const char *reason) { - struct sockaddr_in saddr; + union { // Wcast-align fix - force alignment + struct sockaddr_storage ss; + struct sockaddr_in saddr; + } u; - bzero(&saddr, sizeof(saddr)); - saddr.sin_len = sizeof(saddr); - saddr.sin_addr.s_addr = srv->address; - saddr.sin_port = 0; - saddr.sin_family = AF_INET; + bzero(&u.saddr, sizeof(u.saddr)); + u.saddr.sin_len = sizeof(u.saddr); + u.saddr.sin_addr.s_addr = srv->address; + u.saddr.sin_port = 0; + u.saddr.sin_family = AF_INET; IPSECLOGASLMSG("IPSec disconnecting from server %s\n", - saddrwop2str(&saddr)); + saddrwop2str((struct sockaddr *)&u.ss)); - ike_sessions_stopped_by_controller(&saddr, + ike_sessions_stopped_by_controller(&u.ss, 0, - ike_session_stopped_by_vpn_disconnect); - if (purgephXbydstaddrwop((struct sockaddr *)(&saddr)) > 0) { + reason); + if (purgephXbydstaddrwop(&u.ss) > 0) { return 0; } else { return -1; 
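Review bot: In vpn_disconnect the union is only cleared as far as `sizeof(u.saddr)` (`bzero(&u.saddr, sizeof(u.saddr))`), yet `&u.ss` is what is handed to `ike_sessions_stopped_by_controller` and `purgephXbydstaddrwop` as a full `struct sockaddr_storage *`; if either callee copies or compares the whole storage object, the bytes past the `sockaddr_in` are indeterminate. Clear the whole union instead: `bzero(&u, sizeof(u));`. The VPNCTL_CMD_START_DPD case in vpncontrol_process has the same pattern (`bzero(&daddr, sizeof(struct sockaddr_in))` followed by `ph1_force_dpd(&daddr.ss)`) and wants `bzero(&daddr, sizeof(daddr));`.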
@@ -260,7 +263,7 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) saddr.sin_addr.s_addr = addr->address; saddr.sin_port = 0; saddr.sin_family = AF_INET; - ph1 = getph1bydstaddrwop((struct sockaddr *)(&saddr)); + ph1 = getph1bydstaddrwop((struct sockaddr_storage *)(&saddr)); if (ph1 == NULL) { plog(LLV_ERROR, LOCATION, NULL, "cannot start phase2 - no phase1 found.\n"); @@ -302,7 +305,7 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) goto fail; } - id_ptr = (struct id *)new_sainfo->idsrc->v; + id_ptr = ALIGNED_CAST(struct id *)new_sainfo->idsrc->v; if (ntohl(selector_ptr->src_tunnel_mask) == 0xFFFFFFFF) id_ptr->type = IPSECDOI_ID_IPV4_ADDR; else { @@ -313,7 +316,7 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) id_ptr->port = selector_ptr->src_tunnel_port; id_ptr->proto_id = selector_ptr->ul_protocol; - id_ptr = (struct id *)new_sainfo->iddst->v; + id_ptr = ALIGNED_CAST(struct id *)new_sainfo->iddst->v; if (selector_ptr->dst_tunnel_mask == 0xFFFFFFFF) id_ptr->type = IPSECDOI_ID_IPV4_ADDR; else { @@ -411,7 +414,7 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) plog(LLV_ERROR, LOCATION, NULL,"duplicated sainfo: %s\n", sainfo2str(new_sainfo)); goto fail; } - plog(LLV_DEBUG2, LOCATION, NULL, "create sainfo: %s\n", sainfo2str(new_sainfo)); + //plog(LLV_DEBUG2, LOCATION, NULL, "create sainfo: %s\n", sainfo2str(new_sainfo)); inssainfo(new_sainfo); new_sainfo = NULL; } @@ -421,7 +424,7 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) fail: if (new_sainfo) delsainfo(new_sainfo); - flushsainfo_dynamic(addr); + flushsainfo_dynamic((u_int32_t)addr->address); return -1; } 
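Review bot: `getph1bydstaddrwop((struct sockaddr_storage *)(&saddr))` passes a pointer to a 16-byte `struct sockaddr_in` typed as a 128-byte `struct sockaddr_storage`, so any callee access beyond the `sockaddr_in` fields (a whole-object copy or compare) runs off the end of the stack object; the earlier vpn_disconnect hunk already solves this with a union that contains both types. Use that union here and in the two other places that keep the bare cast: vpn_xauth_reply (`iph1 = getph1bydstaddrwop((struct sockaddr_storage *)(&saddr))`) and the VPNCTL_CMD_ASSERT case in vpncontrol_process (`vpn_assert((struct sockaddr_storage *)&saddr, (struct sockaddr_storage *)&daddr)`). vpn_start_ph2 begins outside this hunk.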
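Review bot: Commenting out the `create sainfo` trace (`//plog(LLV_DEBUG2, ...)`) leaves dead code behind; if the message is too noisy, delete the line, and if it is occasionally useful keep it at LLV_DEBUG2 where it is already filtered at the default level. Commented-out code is the only remaining reference to that log text and tends to bit-rot as `sainfo2str` changes.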
@@ -452,7 +455,7 @@ vpn_get_config(struct ph1handle *iph1, struct vpnctl_status_phase_change **msg, if (iph1->mode_cfg->attr_list == NULL) return 1; /* haven't received configuration yet */ - myaddr = find_myaddr(iph1->local, 0); + myaddr = find_myaddr((struct sockaddr *)iph1->local, 0); if (myaddr == NULL) { plog(LLV_ERROR, LOCATION, NULL, "unable to find address structure.\n"); @@ -508,7 +511,7 @@ vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len) saddr.sin_addr.s_addr = address; saddr.sin_port = 0; saddr.sin_family = AF_INET; - iph1 = getph1bydstaddrwop((struct sockaddr *)(&saddr)); + iph1 = getph1bydstaddrwop((struct sockaddr_storage *)(&saddr)); if (iph1 == NULL) { plog(LLV_ERROR, LOCATION, NULL, "cannot reply to xauth request - no ph1 found.\n"); @@ -571,7 +574,7 @@ end: } int -vpn_assert(struct sockaddr *src_addr, struct sockaddr *dst_addr) +vpn_assert(struct sockaddr_storage *src_addr, struct sockaddr_storage *dst_addr) { if (ike_session_assert(src_addr, dst_addr)) { plog(LLV_ERROR, LOCATION, NULL, diff --git a/ipsec-tools/racoon/vpn_control.c b/ipsec-tools/racoon/vpn_control.c index 3a6f7fa..da31d76 100644 --- a/ipsec-tools/racoon/vpn_control.c +++ b/ipsec-tools/racoon/vpn_control.c @@ -79,6 +79,8 @@ #include #endif #include +#include +#include #include "var.h" #include "misc.h" @@ -104,6 +106,7 @@ #include "session.h" #include "gcmalloc.h" #include "isakmp_cfg.h" +#include "sainfo.h" #ifdef ENABLE_VPNCONTROL_PORT char *vpncontrolsock_path = VPNCONTROLSOCK_PATH; @@ -124,7 +127,6 @@ int checklaunchd() { launch_data_t checkin_response = NULL; - launch_data_t checkin_request = NULL; launch_data_t sockets_dict, listening_fd_array; launch_data_t listening_fd; struct sockaddr_storage fdsockaddr; 
@@ -136,14 +138,9 @@ checklaunchd() int fd; /* check in with launchd */ - if ((checkin_request = launch_data_new_string(LAUNCH_KEY_CHECKIN)) == NULL) { + if ((checkin_response = launch_socket_service_check_in()) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to launch_data_new_string.\n"); - goto done; - } - if ((checkin_response = launch_msg(checkin_request)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to launch_msg.\n"); + "failed to launch_socket_service_check_in.\n"); goto done; } if (LAUNCH_DATA_ERRNO == launch_data_get_type(checkin_response)) { @@ -172,12 +169,12 @@ checklaunchd() for (i = 0; i < listenerct; i++) { listening_fd = launch_data_array_get_index(listening_fd_array, i); fd = launch_data_get_fd( listening_fd ); - if ( getsockname( fd , (struct sockaddr*)&fdsockaddr, &fdsockaddrlen)){ + if ( getsockname( fd , (struct sockaddr *)&fdsockaddr, &fdsockaddrlen)){ continue; } /* Is this the VPN control socket? */ - if ( (((struct sockaddr*)&fdsockaddr)->sa_family) == AF_UNIX && + if ( fdsockaddr.ss_family == AF_UNIX && (!(strcmp(vpncontrolsock_path, ((struct sockaddr_un *)&fdsockaddr)->sun_path)))) { plog(LLV_INFO, LOCATION, NULL, @@ -194,8 +191,6 @@ checklaunchd() } done: - if (checkin_request) - launch_data_free(checkin_request); if (checkin_response) launch_data_free(checkin_response); return(returnval); @@ -239,7 +234,7 @@ vpncontrol_comm_handler(struct vpnctl_socket_elem *elem) { struct vpnctl_hdr hdr; char *combuf = NULL; - int len; + ssize_t len; /* get buffer length */ while ((len = recv(elem->sock, (char *)&hdr, sizeof(hdr), MSG_PEEK)) < 0) { @@ -252,6 +247,8 @@ vpncontrol_comm_handler(struct vpnctl_socket_elem *elem) if (len == 0) { plog(LLV_DEBUG, LOCATION, NULL, "vpn_control socket closed by peer.\n"); + /* kill all related connections */ + vpncontrol_disconnect_all(elem, ike_session_stopped_by_controller_comm_lost); vpncontrol_close_comm(elem); return -1; } 
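Review bot: `fdsockaddrlen` is never reset between iterations of the listener loop: the statements between `for (...)` and `getsockname(fd, (struct sockaddr *)&fdsockaddr, &fdsockaddrlen)` only fetch the fd, and `getsockname` shrinks `*addrlen` to the actual address size, so from the second socket on the kernel may truncate the returned address and the `ss_family`/`sun_path` comparison that follows then operates on a partial copy. Add `fdsockaddrlen = sizeof(fdsockaddr);` as the first statement of the loop body. If the reset happens to live in an unchanged line that the hunk does not show, disregard this; checklaunchd starts outside the hunk.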
@@ -292,13 +289,13 @@ static int vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) { u_int16_t error = 0; - struct vpnctl_hdr *hdr = (struct vpnctl_hdr *)combuf; + struct vpnctl_hdr *hdr = ALIGNED_CAST(struct vpnctl_hdr *)combuf; switch (ntohs(hdr->msg_type)) { case VPNCTL_CMD_BIND: { - struct vpnctl_cmd_bind *pkt = (struct vpnctl_cmd_bind *)combuf; + struct vpnctl_cmd_bind *pkt = ALIGNED_CAST(struct vpnctl_cmd_bind *)combuf; struct bound_addr *addr; plog(LLV_DEBUG, LOCATION, NULL, @@ -328,7 +325,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) case VPNCTL_CMD_UNBIND: { - struct vpnctl_cmd_unbind *pkt = (struct vpnctl_cmd_unbind *)combuf; + struct vpnctl_cmd_unbind *pkt = ALIGNED_CAST(struct vpnctl_cmd_unbind *)combuf; struct bound_addr *addr; struct bound_addr *t_addr; @@ -349,7 +346,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) case VPNCTL_CMD_REDIRECT: { - struct vpnctl_cmd_redirect *redirect_msg = (struct vpnctl_cmd_redirect *)combuf; + struct vpnctl_cmd_redirect *redirect_msg = ALIGNED_CAST(struct vpnctl_cmd_redirect *)combuf; struct redirect *raddr; struct redirect *t_raddr; int found = 0; @@ -392,7 +389,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) case VPNCTL_CMD_XAUTH_INFO: { - struct vpnctl_cmd_xauth_info *pkt = (struct vpnctl_cmd_xauth_info *)combuf; + struct vpnctl_cmd_xauth_info *pkt = ALIGNED_CAST(struct vpnctl_cmd_xauth_info *)combuf; struct bound_addr *addr; struct bound_addr *t_addr; void *attr_list; @@ -412,7 +409,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) case VPNCTL_CMD_CONNECT: { - struct vpnctl_cmd_connect *pkt = (struct vpnctl_cmd_connect *)combuf; + struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf; struct bound_addr *addr; struct bound_addr *t_addr; 
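Review bot: Each case of vpncontrol_process reinterprets `combuf` as a fixed-size command (`ALIGNED_CAST(struct vpnctl_cmd_bind *)combuf` here, and the unbind, redirect, xauth_info, connect, disconnect, start_ph2, start_dpd, assert and reconnect casts in the following hunks) and reads fields such as `pkt->address`, but the function receives no byte count and nothing in these hunks checks that the received message is at least `sizeof(*pkt)`. If `vpncontrol_comm_handler` validates the header length against the per-command size before calling in, a one-line comment at the top of the switch saying so would help; otherwise the length should travel with `combuf` and each case should reject short messages. `ALIGNED_CAST` only silences the warning, so this also relies on `combuf` being allocated with at least 4-byte alignment, which the allocation (outside these hunks) should guarantee.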
@@ -430,7 +427,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) case VPNCTL_CMD_DISCONNECT: { - struct vpnctl_cmd_connect *pkt = (struct vpnctl_cmd_connect *)combuf; + struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf; struct bound_addr *addr; struct bound_addr *t_addr; @@ -439,7 +436,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { if (pkt->address == addr->address) { /* stop the connection */ - error = vpn_disconnect(addr); + error = vpn_disconnect(addr, ike_session_stopped_by_vpn_disconnect); break; } } @@ -448,7 +445,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) case VPNCTL_CMD_START_PH2: { - struct vpnctl_cmd_start_ph2 *pkt = (struct vpnctl_cmd_start_ph2 *)combuf; + struct vpnctl_cmd_start_ph2 *pkt = ALIGNED_CAST(struct vpnctl_cmd_start_ph2 *)combuf; struct bound_addr *addr; struct bound_addr *t_addr; @@ -467,7 +464,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) case VPNCTL_CMD_START_DPD: { - struct vpnctl_cmd_start_dpd *pkt = (struct vpnctl_cmd_start_dpd *)combuf; + struct vpnctl_cmd_start_dpd *pkt = ALIGNED_CAST(struct vpnctl_cmd_start_dpd *)combuf; struct bound_addr *srv; struct bound_addr *t_addr; 
@@ -475,16 +472,19 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) "received start_dpd command on vpn control socket.\n"); LIST_FOREACH_SAFE(srv, &elem->bound_addresses, chain, t_addr) { if (pkt->address == srv->address) { - struct sockaddr_in daddr; + union { // Wcast-align fix - force alignment + struct sockaddr_storage ss; + struct sockaddr_in addr_in; + } daddr; - bzero(&daddr, sizeof(daddr)); - daddr.sin_len = sizeof(daddr); - daddr.sin_addr.s_addr = srv->address; - daddr.sin_port = 0; - daddr.sin_family = AF_INET; + bzero(&daddr, sizeof(struct sockaddr_in)); + daddr.addr_in.sin_len = sizeof(struct sockaddr_in); + daddr.addr_in.sin_addr.s_addr = srv->address; + daddr.addr_in.sin_port = 0; + daddr.addr_in.sin_family = AF_INET; /* start the dpd */ - error = ph1_force_dpd(&daddr); + error = ph1_force_dpd(&daddr.ss); break; } } @@ -493,7 +493,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) case VPNCTL_CMD_ASSERT: { - struct vpnctl_cmd_assert *pkt = (struct vpnctl_cmd_assert *)combuf; + struct vpnctl_cmd_assert *pkt = ALIGNED_CAST(struct vpnctl_cmd_assert *)combuf; // struct bound_addr *addr; // struct bound_addr *t_addr; struct sockaddr_in saddr; @@ -515,7 +515,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) daddr.sin_port = 0; daddr.sin_family = AF_INET; - error = vpn_assert((struct sockaddr *)&saddr, (struct sockaddr *)&daddr); + error = vpn_assert((struct sockaddr_storage *)&saddr, (struct sockaddr_storage *)&daddr); break; // } // } @@ -524,7 +524,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) case VPNCTL_CMD_RECONNECT: { - struct vpnctl_cmd_connect *pkt = (struct vpnctl_cmd_connect *)combuf; + struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf; struct bound_addr *addr; struct bound_addr *t_addr; 
@@ -559,7 +559,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) static int vpncontrol_reply(int so, char *combuf) { - size_t tlen; + ssize_t tlen; tlen = send(so, combuf, sizeof(struct vpnctl_hdr), 0); if (tlen < 0) { @@ -577,7 +577,8 @@ vpncontrol_notify_need_authinfo(struct ph1handle *iph1, void* attr_list, size_t struct vpnctl_status_need_authinfo *msg = NULL; struct vpnctl_socket_elem *sock_elem; struct bound_addr *bound_addr; - size_t tlen, msg_size; + size_t msg_size; + ssize_t tlen; u_int32_t address; void *ptr; @@ -595,7 +596,7 @@ vpncontrol_notify_need_authinfo(struct ph1handle *iph1, void* attr_list, size_t } msg->hdr.flags = 0; - if (iph1->remote->sa_family == AF_INET) + if (iph1->remote->ss_family == AF_INET) address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; else goto end; // for now @@ -640,7 +641,8 @@ vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t ad struct vpnctl_status_failed *msg = NULL; struct vpnctl_socket_elem *sock_elem; struct bound_addr *bound_addr; - size_t tlen, len; + size_t len; + ssize_t tlen; len = sizeof(struct vpnctl_status_failed) + data_len; @@ -689,7 +691,8 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle *iph1 struct vpnctl_status_phase_change *msg; struct vpnctl_socket_elem *sock_elem; struct bound_addr *bound_addr; - size_t tlen, msg_size; + ssize_t tlen; + size_t msg_size; u_int32_t address; plog(LLV_DEBUG, LOCATION, NULL, @@ -709,7 +712,7 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle *iph1 return -1; } if (iph1) { - if (iph1->remote->sa_family == AF_INET) + if (iph1->remote->ss_family == AF_INET) address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; else goto end; // for now 
@@ -717,7 +720,7 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle *iph1 (from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER) : VPNCTL_STATUS_PH1_ESTABLISHED); } else { - if (iph2->dst->sa_family == AF_INET) + if (iph2->dst->ss_family == AF_INET) address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr; else goto end; // for now @@ -756,7 +759,7 @@ vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address) struct vpnctl_status_peer_resp msg; struct vpnctl_socket_elem *sock_elem; struct bound_addr *bound_addr; - size_t tlen; + ssize_t tlen; int rc = -1; bzero(&msg, sizeof(msg)); @@ -794,7 +797,7 @@ vpncontrol_notify_peer_resp_ph1 (u_int16_t notify_code, struct ph1handle *iph1) int rc; if (iph1 && iph1->parent_session && iph1->parent_session->controller_awaiting_peer_resp) { - if (iph1->remote->sa_family == AF_INET) + if (iph1->remote->ss_family == AF_INET) address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; else address = 0; @@ -815,7 +818,7 @@ vpncontrol_notify_peer_resp_ph2 (u_int16_t notify_code, struct ph2handle *iph2) int rc; if (iph2 && iph2->parent_session && iph2->parent_session->controller_awaiting_peer_resp) { - if (iph2->dst->sa_family == AF_INET) + if (iph2->dst->ss_family == AF_INET) address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr; else address = 0; @@ -854,6 +857,11 @@ vpncontrol_init() return -1; } + if (fcntl(lcconf->sock_vpncontrol, F_SETFL, O_NONBLOCK) == -1) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to put VPN-Control socket in non-blocking mode\n"); + } + unlink(sunaddr.sun_path); if (bind(lcconf->sock_vpncontrol, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) != 0) { 
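Review bot: `fcntl(lcconf->sock_vpncontrol, F_SETFL, O_NONBLOCK)` replaces the descriptor's status flags wholesale rather than adding `O_NONBLOCK` to them, and when it fails the error is logged but vpncontrol_init carries on as though the socket were non-blocking. Read-modify-write the flags: `int fl = fcntl(lcconf->sock_vpncontrol, F_GETFL, 0);` followed by `if (fl == -1 || fcntl(lcconf->sock_vpncontrol, F_SETFL, fl | O_NONBLOCK) == -1)`, and decide whether the failure should `return -1` like the socket-setup failure visible just above it.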
@@ -895,6 +903,21 @@ vpncontrol_init() } } +void +vpncontrol_disconnect_all(struct vpnctl_socket_elem *elem, const char *reason) +{ + struct bound_addr *addr; + struct bound_addr *t_addr; + + plog(LLV_DEBUG, LOCATION, NULL, + "received disconnect all command.\n"); + + LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { + /* stop any connections */ + vpn_disconnect(addr, reason); + } +} + void vpncontrol_close() diff --git a/ipsec-tools/racoon/vpn_control_var.h b/ipsec-tools/racoon/vpn_control_var.h index 5db8ff7..3935810 100644 --- a/ipsec-tools/racoon/vpn_control_var.h +++ b/ipsec-tools/racoon/vpn_control_var.h @@ -70,11 +70,12 @@ extern int vpncontrol_init __P((void)); extern void vpncontrol_close __P((void)); extern int vpn_control_connected __P((void)); extern int vpn_connect __P((struct bound_addr *, int)); -extern int vpn_disconnect __P((struct bound_addr *)); +extern int vpn_disconnect __P((struct bound_addr *, const char *)); +extern void vpncontrol_disconnect_all __P((struct vpnctl_socket_elem *, const char *)); extern int vpn_start_ph2 __P((struct bound_addr *, struct vpnctl_cmd_start_ph2 *)); extern int vpncontrol_notify_need_authinfo __P((struct ph1handle *, void*, size_t)); extern int vpncontrol_notify_peer_resp_ph1 __P((u_int16_t, struct ph1handle*)); extern int vpncontrol_notify_peer_resp_ph2 __P((u_int16_t, struct ph2handle*)); -extern int vpn_assert __P((struct sockaddr *, struct sockaddr *)); +extern int vpn_assert __P((struct sockaddr_storage *, struct sockaddr_storage *)); #endif /* _VPN_CONTROL_VAR_H */ diff --git a/ipsec-tools/setkey/parse.y b/ipsec-tools/setkey/parse.y index 6578a54..cfc4171 100644 --- a/ipsec-tools/setkey/parse.y +++ b/ipsec-tools/setkey/parse.y @@ -56,6 +56,7 @@ #include #include +#include "var.h" #include "libpfkey.h" #include "vchar.h" #include "extern.h" 
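Review bot: The debug message in vpncontrol_disconnect_all, `"received disconnect all command.\n"`, is misleading because the function is also invoked from vpncontrol_comm_handler when the controller socket is closed by the peer, with `ike_session_stopped_by_controller_comm_lost` as `reason`; logging the reason makes the two paths distinguishable, e.g. `"disconnecting all bound connections: %s\n", reason`. The result of `vpn_disconnect(addr, reason)` is dropped for every address; that is reasonable for best-effort teardown but deserves a short comment such as `/* best effort: keep tearing down the remaining addresses on failure */`.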
@@ -862,7 +863,10 @@ setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen) int dplen; { struct sadb_msg *msg; - char buf[BUFSIZ]; + union { // Wcast-align fix - force alignment + u_int64_t force_align; + char buf[BUFSIZ]; + } u_buf; int l, l0; struct sadb_address m_addr; struct addrinfo *s, *d; @@ -876,7 +880,7 @@ setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen) int saved_level, saved_id = 0; #endif - msg = (struct sadb_msg *)buf; + msg = (struct sadb_msg *)&u_buf; if (!srcs || !dsts) return -1; @@ -885,8 +889,8 @@ setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen) setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0); l = sizeof(struct sadb_msg); - sp = (struct sadb_x_policy*) (buf + l); - memcpy(buf + l, policy->buf, policy->len); + sp = ALIGNED_CAST(struct sadb_x_policy*)(u_buf.buf + l); + memcpy(u_buf.buf + l, policy->buf, policy->len); l += policy->len; l0 = l; @@ -924,7 +928,7 @@ setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen) (splen >= 0 ? splen : plen); m_addr.sadb_address_reserved = 0; - setvarbuf(buf, &l, (struct sadb_ext *)&m_addr, + setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr, sizeof(m_addr), (caddr_t)sa, salen); /* set dst */ @@ -938,12 +942,12 @@ setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen) (dplen >= 0 ? dplen : plen); m_addr.sadb_address_reserved = 0; - setvarbuf(buf, &l, (struct sadb_ext *)&m_addr, + setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr, sizeof(m_addr), sa, salen); msg->sadb_msg_len = PFKEY_UNIT64(l); - sendkeymsg(buf, l); + sendkeymsg(u_buf.buf, l); #ifdef HAVE_POLICY_FWD /* create extra call for FWD policy */ 
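Review bot: `memcpy(u_buf.buf + l, policy->buf, policy->len)` copies the parsed policy into the BUFSIZ-sized `u_buf.buf` with no check that `l + policy->len` fits, and the `setvarbuf` calls later in the function keep appending without one either; unless the parser bounds `policy->len` earlier (not visible here), an oversized policy overruns the stack buffer. Add `if (l + policy->len > sizeof(u_buf.buf)) return -1;` before the copy. setkeymsg_spdaddr_tag in the next hunk has the same copy and wants the same guard.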
@@ -989,20 +993,23 @@ setkeymsg_spdaddr_tag(type, tag, policy) vchar_t *policy; { struct sadb_msg *msg; - char buf[BUFSIZ]; + union { // Wcast-align fix - force alignment + u_int64_t force_align; + char buf[BUFSIZ]; + } u_buf; int l, l0; #ifdef SADB_X_EXT_TAG struct sadb_x_tag m_tag; #endif int n; - msg = (struct sadb_msg *)buf; + msg = (struct sadb_msg *)&u_buf; /* fix up length afterwards */ setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0); l = sizeof(struct sadb_msg); - memcpy(buf + l, policy->buf, policy->len); + memcpy(u_buf.buf + l, policy->buf, policy->len); l += policy->len; l0 = l; @@ -1021,7 +1028,7 @@ setkeymsg_spdaddr_tag(type, tag, policy) msg->sadb_msg_len = PFKEY_UNIT64(l); - sendkeymsg(buf, l); + sendkeymsg(u_buf.buf, l); return 0; } @@ -1036,7 +1043,10 @@ setkeymsg_addr(type, satype, srcs, dsts, no_spi) int no_spi; { struct sadb_msg *msg; - char buf[BUFSIZ]; + union { // Wcast-align fix - force alignment + u_int64_t force_align; + char buf[BUFSIZ]; + } u_buf; int l, l0, len; struct sadb_sa m_sa; struct sadb_x_sa2 m_sa2; @@ -1047,7 +1057,7 @@ setkeymsg_addr(type, satype, srcs, dsts, no_spi) struct sockaddr *sa; int salen; - msg = (struct sadb_msg *)buf; + msg = (struct sadb_msg *)&u_buf; if (!srcs || !dsts) return -1; @@ -1067,7 +1077,7 @@ setkeymsg_addr(type, satype, srcs, dsts, no_spi) m_sa.sadb_sa_encrypt = p_alg_enc; m_sa.sadb_sa_flags = p_ext; - memcpy(buf + l, &m_sa, len); + memcpy(u_buf.buf + l, &m_sa, len); l += len; len = sizeof(struct sadb_x_sa2); @@ -1076,7 +1086,7 @@ setkeymsg_addr(type, satype, srcs, dsts, no_spi) m_sa2.sadb_x_sa2_mode = p_mode; m_sa2.sadb_x_sa2_reqid = p_reqid; - memcpy(buf + l, &m_sa2, len); + memcpy(u_buf.buf + l, &m_sa2, len); l += len; } 
@@ -1114,7 +1124,7 @@ setkeymsg_addr(type, satype, srcs, dsts, no_spi) m_addr.sadb_address_prefixlen = plen; m_addr.sadb_address_reserved = 0; - setvarbuf(buf, &l, (struct sadb_ext *)&m_addr, + setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr, sizeof(m_addr), sa, salen); /* set dst */ @@ -1127,12 +1137,12 @@ setkeymsg_addr(type, satype, srcs, dsts, no_spi) m_addr.sadb_address_prefixlen = plen; m_addr.sadb_address_reserved = 0; - setvarbuf(buf, &l, (struct sadb_ext *)&m_addr, + setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr, sizeof(m_addr), sa, salen); msg->sadb_msg_len = PFKEY_UNIT64(l); - sendkeymsg(buf, l); + sendkeymsg(u_buf.buf, l); n++; } @@ -1147,7 +1157,7 @@ setkeymsg_addr(type, satype, srcs, dsts, no_spi) #ifdef SADB_X_EXT_NAT_T_TYPE static u_int16_t get_port (struct addrinfo *addr) { - struct sockaddr *s = addr->ai_addr; + struct sockaddr_storage *s = addr->ai_addr; u_int16_t port = 0; switch (s->sa_family) { @@ -1181,7 +1191,10 @@ setkeymsg_add(type, satype, srcs, dsts) struct addrinfo *dsts; { struct sadb_msg *msg; - char buf[BUFSIZ]; + union { // Wcast-align fix - force alignment + u_int64_t force_align; + char buf[BUFSIZ]; + } u_buf; int l, l0, len; struct sadb_sa m_sa; struct sadb_x_sa2 m_sa2; @@ -1192,7 +1205,7 @@ setkeymsg_add(type, satype, srcs, dsts) struct sockaddr *sa; int salen; - msg = (struct sadb_msg *)buf; + msg = (struct sadb_msg *)&u_buf; if (!srcs || !dsts) return -1; @@ -1215,7 +1228,7 @@ setkeymsg_add(type, satype, srcs, dsts) m.key.sadb_key_bits = p_key_enc_len * 8; m.key.sadb_key_reserved = 0; - setvarbuf(buf, &l, &m.ext, sizeof(m.key), + setvarbuf(u_buf.buf, &l, &m.ext, sizeof(m.key), p_key_enc, p_key_enc_len); } @@ -1233,7 +1246,7 @@ setkeymsg_add(type, satype, srcs, dsts) m.key.sadb_key_bits = p_key_auth_len * 8; m.key.sadb_key_reserved = 0; - setvarbuf(buf, &l, &m.ext, sizeof(m.key), + setvarbuf(u_buf.buf, &l, &m.ext, sizeof(m.key), p_key_auth, p_key_auth_len); } 
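Review bot: `struct sockaddr_storage *s = addr->ai_addr;` in get_port assigns a `struct sockaddr *` (the type of `addrinfo.ai_addr`) to a `sockaddr_storage *` without a cast, and the unchanged `switch (s->sa_family)` right after it reads a member that `struct sockaddr_storage` does not have (its field is `ss_family`), so this function no longer compiles whenever `SADB_X_EXT_NAT_T_TYPE` is defined; it presumably went unnoticed because that block is compiled out in this build. Either keep `struct sockaddr *s = addr->ai_addr;` or cast explicitly and switch on `s->ss_family`. get_port's body continues outside the hunk.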
@@ -1249,7 +1262,7 @@ setkeymsg_add(type, satype, srcs, dsts) m_lt.sadb_lifetime_addtime = p_lt_hard; m_lt.sadb_lifetime_usetime = 0; - memcpy(buf + l, &m_lt, slen); + memcpy(u_buf.buf + l, &m_lt, slen); l += slen; } @@ -1265,7 +1278,7 @@ setkeymsg_add(type, satype, srcs, dsts) m_lt.sadb_lifetime_addtime = p_lt_soft; m_lt.sadb_lifetime_usetime = 0; - memcpy(buf + l, &m_lt, slen); + memcpy(u_buf.buf + l, &m_lt, slen); l += slen; } @@ -1279,7 +1292,7 @@ setkeymsg_add(type, satype, srcs, dsts) m_sa.sadb_sa_encrypt = p_alg_enc; m_sa.sadb_sa_flags = p_ext; - memcpy(buf + l, &m_sa, len); + memcpy(u_buf.buf + l, &m_sa, len); l += len; len = sizeof(struct sadb_x_sa2); @@ -1288,7 +1301,7 @@ setkeymsg_add(type, satype, srcs, dsts) m_sa2.sadb_x_sa2_mode = p_mode; m_sa2.sadb_x_sa2_reqid = p_reqid; - memcpy(buf + l, &m_sa2, len); + memcpy(u_buf.buf + l, &m_sa2, len); l += len; #ifdef SADB_X_EXT_NAT_T_TYPE @@ -1366,7 +1379,7 @@ setkeymsg_add(type, satype, srcs, dsts) m_addr.sadb_address_prefixlen = plen; m_addr.sadb_address_reserved = 0; - setvarbuf(buf, &l, (struct sadb_ext *)&m_addr, + setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr, sizeof(m_addr), sa, salen); /* set dst */ @@ -1379,7 +1392,7 @@ setkeymsg_add(type, satype, srcs, dsts) m_addr.sadb_address_prefixlen = plen; m_addr.sadb_address_reserved = 0; - setvarbuf(buf, &l, (struct sadb_ext *)&m_addr, + setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr, sizeof(m_addr), sa, salen); #ifdef SADB_X_EXT_NAT_T_TYPE @@ -1408,7 +1421,7 @@ setkeymsg_add(type, satype, srcs, dsts) #endif msg->sadb_msg_len = PFKEY_UNIT64(l); - sendkeymsg(buf, l); + sendkeymsg(u_buf.buf, l); n++; } diff --git a/ipsec-tools/setkey/setkey.c b/ipsec-tools/setkey/setkey.c index f99f03c..a301b69 100644 --- a/ipsec-tools/setkey/setkey.c +++ b/ipsec-tools/setkey/setkey.c @@ -66,6 +66,7 @@ #endif #include "config.h" +#include "var.h" #include "libpfkey.h" //#include "package_version.h" #define extern /* so that variables in extern.h are not extern... */ 
@@ -401,7 +402,10 @@ void promisc() { struct sadb_msg msg; - u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */ + union { // Wcast-align fix - force alignment + u_int64_t force_align; + u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */ + } u_buf; ssize_t l; msg.sadb_msg_version = PF_KEY_V2; @@ -421,7 +425,7 @@ promisc() while (1) { struct sadb_msg *base; - if ((l = recv(so, rbuf, sizeof(*base), MSG_PEEK)) < 0) { + if ((l = recv(so, u_buf.rbuf, sizeof(*base), MSG_PEEK)) < 0) { err(1, "recv"); /*NOTREACHED*/ } @@ -429,8 +433,8 @@ promisc() if (l != sizeof(*base)) continue; - base = (struct sadb_msg *)rbuf; - if ((l = recv(so, rbuf, PFKEY_UNUNIT64(base->sadb_msg_len), + base = (struct sadb_msg *)&u_buf; + if ((l = recv(so, u_buf.rbuf, PFKEY_UNUNIT64(base->sadb_msg_len), 0)) < 0) { err(1, "recv"); /*NOTREACHED*/ @@ -441,7 +445,7 @@ promisc() for (i = 0; i < l; i++) { if (i % 16 == 0) printf("%08x: ", i); - printf("%02x ", rbuf[i] & 0xff); + printf("%02x ", u_buf.rbuf[i] & 0xff); if (i % 16 == 15) printf("\n"); } @@ -468,7 +472,10 @@ sendkeymsg(buf, len) char *buf; size_t len; { - u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */ + union { // Wcast-align fix - force alignment + u_int64_t force_align; + u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */ + } u_buf; ssize_t l; struct sadb_msg *msg; @@ -490,7 +497,7 @@ sendkeymsg(buf, len) shortdump_hdr(); again: if (f_verbose) { - kdebug_sadb((struct sadb_msg *)buf); + kdebug_sadb(ALIGNED_CAST(struct sadb_msg *)buf); // Wcast-align fix - aligned message buffer printf("\n"); } if (f_hexdump) { @@ -511,9 +518,9 @@ again: goto end; } - msg = (struct sadb_msg *)rbuf; + msg = (struct sadb_msg *)&u_buf; do { - if ((l = recv(so, rbuf, sizeof(rbuf), 0)) < 0) { + if ((l = recv(so, u_buf.rbuf, sizeof(u_buf.rbuf), 0)) < 0) { perror("recv"); goto end; } 
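Review bot: In promisc the second `recv` uses `PFKEY_UNUNIT64(base->sadb_msg_len)` as its length with no clamp to `sizeof(u_buf.rbuf)`; `sadb_msg_len` is a 16-bit count of 8-byte units, so a message longer than the 32 KiB buffer would be written past it. Add `if (PFKEY_UNUNIT64(base->sadb_msg_len) > sizeof(u_buf.rbuf)) errx(1, "message too large");` between the peek and the full read. The source is the kernel's PF_KEY socket, so the exposure is limited, but the bound costs nothing and matches the `sizeof(u_buf.rbuf)` already used by the `recv` in sendkeymsg.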
@@ -524,7 +531,7 @@ again: } if (f_verbose) { - kdebug_sadb((struct sadb_msg *)rbuf); + kdebug_sadb((struct sadb_msg *)&u_buf); printf("\n"); } if (postproc(msg, l) < 0) @@ -597,7 +604,7 @@ postproc(msg, len) struct sadb_sa *sa; pfkey_align(msg, mhp); pfkey_check(mhp); - if ((sa = (struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) { + if ((sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) { // Wcast-align (void*) - buffer of pointers to aligned structs in malloc'd buffer if (sa->sadb_sa_state == SADB_SASTATE_DEAD) break; } @@ -611,8 +618,8 @@ postproc(msg, len) else pfkey_sadump(msg); } - msg = (struct sadb_msg *)((caddr_t)msg + - PFKEY_UNUNIT64(msg->sadb_msg_len)); + msg = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + + PFKEY_UNUNIT64(msg->sadb_msg_len)); // Wcast-align fix (void*) - aligned msg buffer passed into function if (f_verbose) { kdebug_sadb((struct sadb_msg *)msg); printf("\n"); @@ -632,7 +639,7 @@ postproc(msg, len) else pfkey_spdump(msg); if (msg->sadb_msg_seq == 0) break; - msg = (struct sadb_msg *)((caddr_t)msg + + msg = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + // Wcast-align fix (void*) - aligned msg buffer passed into function PFKEY_UNUNIT64(msg->sadb_msg_len)); if (f_verbose) { kdebug_sadb((struct sadb_msg *)msg); @@ -723,12 +730,12 @@ fileproc(filename) ep = rbuf + l; while (p < ep) { - msg = (struct sadb_msg *)p; + msg = ALIGNED_CAST(struct sadb_msg *)p; len = PFKEY_UNUNIT64(msg->sadb_msg_len); postproc(msg, len); p += len; } - + return (0); } 
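Review bot: In fileproc, `len = PFKEY_UNUNIT64(msg->sadb_msg_len)` is taken straight from the replayed file and drives both `postproc(msg, len)` and `p += len` with no check against the bytes remaining before `ep`: a zero `sadb_msg_len` loops forever on the same message, and a length past `ep` makes postproc read beyond the buffer. Guard the header and the length, e.g. `if ((size_t)(ep - p) < sizeof(*msg)) break;` before the cast and `if (len < sizeof(*msg) || len > (size_t)(ep - p)) break;` after computing `len` (adjust casts to the declared types of `p` and `len`, which are outside the hunk). `ALIGNED_CAST` on `p` is fine here only because `len` is a multiple of 8 and `rbuf` is assumed aligned; fileproc starts outside the hunk.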
@@ -795,15 +802,15 @@ shortdump(msg) printf(" %-3s", STR_OR_ID(msg->sadb_msg_satype, satype)); - if ((sa = (struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) { + if ((sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) { printf(" %-1s", STR_OR_ID(sa->sadb_sa_state, sastate)); printf(" %08x", (u_int32_t)ntohl(sa->sadb_sa_spi)); } else printf("%-1s %-8s", "?", "?"); - lts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT]; - lth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD]; - ltc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT]; + lts = ALIGNED_CAST(struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT]; + lth = ALIGNED_CAST(struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD]; + ltc = ALIGNED_CAST(struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT]; if (lts && lth && ltc) { if (ltc->sadb_lifetime_addtime == 0) t = (u_long)0; @@ -826,11 +833,11 @@ shortdump(msg) printf(" "); - if ((saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]) != NULL) { + if ((saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]) != NULL) { if (saddr->sadb_address_proto) printf("%s ", STR_OR_ID(saddr->sadb_address_proto, ipproto)); - s = (struct sockaddr *)(saddr + 1); - getnameinfo(s, sysdep_sa_len(s), buf, sizeof(buf), + s = (struct sockaddr *)(saddr + 1); + getnameinfo(s, sysdep_sa_len((struct sockaddr *)s), buf, sizeof(buf), pbuf, sizeof(pbuf), NI_NUMERICHOST|NI_NUMERICSERV); if (strcmp(pbuf, "0") != 0) printf("%s[%s]", buf, pbuf); @@ -841,7 +848,7 @@ shortdump(msg) printf(" -> "); - if ((saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]) != NULL) { + if ((saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]) != NULL) { if (saddr->sadb_address_proto) printf("%s ", STR_OR_ID(saddr->sadb_address_proto, ipproto)); diff --git a/ipsec.xcodeproj/project.pbxproj b/ipsec.xcodeproj/project.pbxproj index 75b86e1..9f7530d 100644 --- a/ipsec.xcodeproj/project.pbxproj +++ b/ipsec.xcodeproj/project.pbxproj 
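Review bot: In shortdump the changed line `getnameinfo(s, sysdep_sa_len((struct sockaddr *)s), ...)` casts `s` to the type it already has — the line above assigns `s = (struct sockaddr *)(saddr + 1);` — so the cast is noise and should be dropped: `getnameinfo(s, sysdep_sa_len(s), buf, sizeof(buf),`. The preceding `s = (struct sockaddr *)(saddr + 1);` line appears to differ only in whitespace and could be left untouched to keep the diff minimal.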
@@ -11,15 +11,10 @@ isa = PBXAggregateTarget; buildConfigurationList = 25D3DAB8098952B20025F703 /* Build configuration list for PBXAggregateTarget "IPSec (Aggregate)" */; buildPhases = ( - 72265DD80F818ED700730A7D /* CopyFiles */, - BAA6806112B17CF900ACF6D3 /* CopyFiles */, ); dependencies = ( - 25D3DDE30989AFDE0025F703 /* PBXTargetDependency */, - 25D3DDE50989AFE50025F703 /* PBXTargetDependency */, - 25D3DDE70989AFE90025F703 /* PBXTargetDependency */, - 254347D109DCBAF8007943DE /* PBXTargetDependency */, - 25DE3DB609EC27B900147420 /* PBXTargetDependency */, + 815C35FB152520C000502220 /* PBXTargetDependency */, + 815C35F9152520BC00502220 /* PBXTargetDependency */, ); name = "IPSec (Aggregate)"; productName = "IPSec (Aggregate)"; @@ -38,6 +33,32 @@ name = "IPSec Embedded (Aggregate)"; productName = "IPSec (Aggregate) Embedded"; }; + 815C35E61525201900502220 /* Project_base */ = { + isa = PBXAggregateTarget; + buildConfigurationList = 815C35E71525201900502220 /* Build configuration list for PBXAggregateTarget "Project_base" */; + buildPhases = ( + 815C35FC152522A900502220 /* CopyFiles */, + 815C35FD152522AC00502220 /* CopyFiles */, + ); + dependencies = ( + 815C35F11525208900502220 /* PBXTargetDependency */, + ); + name = Project_base; + productName = Project_base; + }; + 815C35EB1525203F00502220 /* Project_executables */ = { + isa = PBXAggregateTarget; + buildConfigurationList = 815C35EC1525203F00502220 /* Build configuration list for PBXAggregateTarget "Project_executables" */; + buildPhases = ( + ); + dependencies = ( + 815C35F71525209800502220 /* PBXTargetDependency */, + 815C35F51525209400502220 /* PBXTargetDependency */, + 815C35F31525209000502220 /* PBXTargetDependency */, + ); + name = Project_executables; + productName = Project_executables; + }; /* End PBXAggregateTarget section */ /* Begin PBXBuildFile section */ 
@@ -61,51 +82,16 @@ 2543476409DCB396007943DE /* pfkey_dump.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777ED09ABE58400C99783 /* pfkey_dump.c */; }; 2543476709DCB400007943DE /* key_debug.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777B909ABE3E100C99783 /* key_debug.c */; }; 2543476909DCB420007943DE /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; }; - 2543477109DCB492007943DE /* plainrsa-gen.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FC0988657000D15623 /* plainrsa-gen.c */; }; - 2543478A09DCB49C007943DE /* plog.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FD0988657000D15623 /* plog.c */; }; - 2543478C09DCB4A6007943DE /* logger.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EB0988657000D15623 /* logger.c */; }; - 254347A909DCB6C8007943DE /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; }; - 254347AB09DCB6D6007943DE /* str2val.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2591D0988657000D15623 /* str2val.c */; }; - 254347B809DCB84D007943DE /* test-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = 252DF9610989B4EE00E5B678 /* test-policy.c */; }; - 254347C809DCBA1B007943DE /* test-pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 254347C709DCBA1B007943DE /* test-pfkey.c */; }; 258CF2CB0A19197400166B38 /* setkey.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F258890988648C00D15623 /* setkey.8 */; }; 258CF2CD0A1919A800166B38 /* ipsec_set_policy.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 252DF9540989B4EE00E5B678 /* ipsec_set_policy.3 */; }; 258CF2CE0A1919AF00166B38 /* ipsec_strerror.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 252DF9550989B4EE00E5B678 /* ipsec_strerror.3 */; }; 258CF2D20A191A0600166B38 /* racoonctl.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F2590B0988657000D15623 /* racoonctl.8 */; }; - 258CF2D40A191A5000166B38 /* plainrsa-gen.8 in CopyFiles */ = {isa = PBXBuildFile; 
fileRef = 25F258FB0988657000D15623 /* plainrsa-gen.8 */; }; 258CF2E10A191A9200166B38 /* racoon.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F259090988657000D15623 /* racoon.8 */; }; 258CF2E40A191AD500166B38 /* racoon.conf.5 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F2590A0988657000D15623 /* racoon.conf.5 */; }; - 25BC48740A0BC7B000A181A0 /* eaytest.c in Sources */ = {isa = PBXBuildFile; fileRef = 25BC48730A0BC7B000A181A0 /* eaytest.c */; }; - 25BE7E0109E5D3F4009B6B84 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; - 25BE7E1209E5D550009B6B84 /* libssl.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84709D879700042CC7F /* libssl.dylib */; }; - 25BE7E1309E5D555009B6B84 /* libcrypto.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84A09D879DE0042CC7F /* libcrypto.dylib */; }; - 25BE7E1B09E5D5D9009B6B84 /* plog.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FD0988657000D15623 /* plog.c */; }; - 25BE7E2E09E5D709009B6B84 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; - 25BE7E3809E5D80E009B6B84 /* crypto_openssl.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B90988657000D15623 /* crypto_openssl.c */; }; - 25BE7E3E09E5D906009B6B84 /* misc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EE0988657000D15623 /* misc.c */; }; - 25BE7E4009E5D92C009B6B84 /* logger.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EB0988657000D15623 /* logger.c */; }; - 25BE7E5709E5DC4D009B6B84 /* pfkey_dump.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777ED09ABE58400C99783 /* pfkey_dump.c */; }; - 25BE7E5A09E5DCBD009B6B84 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; - 25BE7E5E09E5DCF5009B6B84 /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; }; - 
25BE7E6009E5DD04009B6B84 /* key_debug.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777B909ABE3E100C99783 /* key_debug.c */; }; - 25BE7E6309E5DD38009B6B84 /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; }; - 25BE7E7609E5DDBA009B6B84 /* libssl.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84709D879700042CC7F /* libssl.dylib */; }; - 25BE7E7709E5DDBE009B6B84 /* libcrypto.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84A09D879DE0042CC7F /* libcrypto.dylib */; }; - 25BE7E7F09E5DE4C009B6B84 /* pfkey_dump.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777ED09ABE58400C99783 /* pfkey_dump.c */; }; - 25BE7E8209E5DE8D009B6B84 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; - 25BE7E8809E5E499009B6B84 /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; }; - 25BE7E8A09E5E4A6009B6B84 /* key_debug.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777B909ABE3E100C99783 /* key_debug.c */; }; - 25BE7E8E09E5E5BE009B6B84 /* crypto_openssl.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B90988657000D15623 /* crypto_openssl.c */; }; - 25BE7E9009E5E61F009B6B84 /* misc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EE0988657000D15623 /* misc.c */; }; - 25BE7E9209E5E635009B6B84 /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; }; - 25DC9EC909DB0FBB00C89F86 /* rsalist.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259100988657000D15623 /* rsalist.c */; }; 25DC9ED409DB16F300C89F86 /* isakmp_cfg.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D50988657000D15623 /* isakmp_cfg.c */; }; 25DC9ED509DB16F800C89F86 /* isakmp_unity.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E10988657000D15623 /* isakmp_unity.c */; }; 25DC9ED609DB16FA00C89F86 /* isakmp_xauth.c in Sources */ = {isa = PBXBuildFile; fileRef = 
25F258E40988657000D15623 /* isakmp_xauth.c */; }; - 25DC9ED709DB170800C89F86 /* rsaparse.o in Frameworks */ = {isa = PBXBuildFile; fileRef = 25E08C9A09D9E64A001A11CF /* rsaparse.o */; }; 25DE2DE90A8BD40E0010A46D /* vpn_control.c in Sources */ = {isa = PBXBuildFile; fileRef = 25DE2DE60A8BD40E0010A46D /* vpn_control.c */; }; - 25E08C9E09D9E681001A11CF /* prsa_par.y in Sources */ = {isa = PBXBuildFile; fileRef = 2589CBA809D8B727002DC960 /* prsa_par.y */; }; - 25E08C9F09D9E682001A11CF /* prsa_tok.l in Sources */ = {isa = PBXBuildFile; fileRef = 2589CBAA09D8B727002DC960 /* prsa_tok.l */; }; 25EAE84809D879700042CC7F /* libssl.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84709D879700042CC7F /* libssl.dylib */; }; 25EAE84B09D879DE0042CC7F /* libcrypto.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84A09D879DE0042CC7F /* libcrypto.dylib */; }; 25EAE87709D87A770042CC7F /* libiconv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE87609D87A770042CC7F /* libiconv.dylib */; }; 
@@ -117,8 +103,6 @@ 25F258900988648C00D15623 /* parse.y in Sources */ = {isa = PBXBuildFile; fileRef = 25F258870988648C00D15623 /* parse.y */; }; 25F258910988648C00D15623 /* setkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2588A0988648C00D15623 /* setkey.c */; }; 25F258940988648C00D15623 /* token.l in Sources */ = {isa = PBXBuildFile; fileRef = 25F2588D0988648C00D15623 /* token.l */; }; - 25F258A80988651000D15623 /* rijndael-alg-fst.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258A10988651000D15623 /* rijndael-alg-fst.c */; }; - 25F258A90988651000D15623 /* rijndael-api-fst.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258A30988651000D15623 /* rijndael-api-fst.c */; }; 25F259280988657000D15623 /* admin.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AC0988657000D15623 /* admin.c */; }; 25F259290988657000D15623 /* algorithm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AE0988657000D15623 /* algorithm.c */; }; 25F2592A0988657000D15623 /* backupsa.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B10988657000D15623 /* backupsa.c */; }; 
@@ -161,10 +145,7 @@ 25F259610988657000D15623 /* throttle.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259210988657000D15623 /* throttle.c */; }; 25F259620988657000D15623 /* vendorid.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259240988657000D15623 /* vendorid.c */; }; 25F259630988657000D15623 /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; }; - 72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; }; 72B433770E3677D800D67508 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; }; - 812530C00D3FE9DC006BDF4F /* rijndael-alg-fst.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258A10988651000D15623 /* rijndael-alg-fst.c */; }; - 812530C10D3FE9DC006BDF4F /* rijndael-api-fst.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258A30988651000D15623 /* rijndael-api-fst.c */; }; 812530C20D3FE9DC006BDF4F /* admin.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AC0988657000D15623 /* admin.c */; }; 812530C30D3FE9DC006BDF4F /* algorithm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AE0988657000D15623 /* algorithm.c */; }; 812530C40D3FE9DC006BDF4F /* backupsa.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B10988657000D15623 /* backupsa.c */; }; 
@@ -229,6 +210,8 @@ 8125311E0D3FEA33006BDF4F /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; }; 812531220D3FEA33006BDF4F /* racoonctl.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F2590B0988657000D15623 /* racoonctl.8 */; }; 812A64ED0D4AA082004CB7EB /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 812A64EC0D4AA082004CB7EB /* Security.framework */; }; + 815C35FE152522CE00502220 /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; }; + 815C35FF152522EB00502220 /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; }; 8167917B0D650BAA006B523F /* racoon.conf in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103A0D5BE18800C7B441 /* racoon.conf */; }; 8176A6B90D45661700BC5251 /* libldap.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8176A6B80D45661700BC5251 /* libldap.dylib */; }; 817FFC4E0D6134A7004A8DD8 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; }; @@ -288,7 +271,6 @@ BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; }; BA7777A11107EBCE00DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; }; BA7777A21107EBF600DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; }; - BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; }; /* End PBXBuildFile section */ /* Begin PBXContainerItemProxy section */ 
@@ -313,89 +295,61 @@ remoteGlobalIDString = 2537A1A709E4864800D0ECDA; remoteInfo = libipsec; }; - 254347D009DCBAF8007943DE /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 2543476E09DCB477007943DE; - remoteInfo = "plainrsa-gen"; - }; - 25BE7E0309E5D3FE009B6B84 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 2537A1A709E4864800D0ECDA; - remoteInfo = libipsec; - }; - 25BE7E2F09E5D710009B6B84 /* PBXContainerItemProxy */ = { + 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 2537A1A709E4864800D0ECDA; - remoteInfo = libipsec; + remoteGlobalIDString = 812530BA0D3FE9DC006BDF4F; + remoteInfo = "racoon arm"; }; - 25BE7E5B09E5DCC5009B6B84 /* PBXContainerItemProxy */ = { + 8125312B0D3FEA44006BDF4F /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 2537A1A709E4864800D0ECDA; - remoteInfo = libipsec; + remoteGlobalIDString = 812531120D3FEA33006BDF4F; + remoteInfo = "racoonctl arm"; }; - 25BE7E7B09E5DE28009B6B84 /* PBXContainerItemProxy */ = { + 815C35F01525208900502220 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; remoteGlobalIDString = 2537A1A709E4864800D0ECDA; remoteInfo = libipsec; }; - 25D3DDE20989AFDE0025F703 /* PBXContainerItemProxy */ = { + 815C35F21525209000502220 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; remoteGlobalIDString = 25F258040987FBFA00D15623; remoteInfo = racoon; }; - 
25D3DDE40989AFE50025F703 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 25F258090987FC1500D15623; - remoteInfo = setkey; - }; - 25D3DDE60989AFE90025F703 /* PBXContainerItemProxy */ = { + 815C35F41525209400502220 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; remoteGlobalIDString = 25F2580E0987FC3400D15623; remoteInfo = racoonctl; }; - 25DE3DB509EC27B900147420 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 23D2D790087071FC00C51098 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 2537A1A709E4864800D0ECDA; - remoteInfo = libipsec; - }; - 25E08CE909D9F0A2001A11CF /* PBXContainerItemProxy */ = { + 815C35F61525209800502220 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 25E08C9909D9E64A001A11CF; - remoteInfo = rsaparse; + remoteGlobalIDString = 25F258090987FC1500D15623; + remoteInfo = setkey; }; - 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */ = { + 815C35F8152520BC00502220 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 812530BA0D3FE9DC006BDF4F; - remoteInfo = "racoon arm"; + remoteGlobalIDString = 815C35E61525201900502220; + remoteInfo = Project_base; }; - 8125312B0D3FEA44006BDF4F /* PBXContainerItemProxy */ = { + 815C35FA152520C000502220 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 23D2D790087071FC00C51098 /* Project object */; proxyType = 1; - remoteGlobalIDString = 812531120D3FEA33006BDF4F; - remoteInfo = "racoonctl arm"; + remoteGlobalIDString = 815C35EB1525203F00502220; + remoteInfo = Project_executables; }; 
81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; @@ -461,16 +415,6 @@ ); runOnlyForDeploymentPostprocessing = 1; }; - 258CF2D60A191A6E00166B38 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = /usr/share/man/man8; - dstSubfolderSpec = 0; - files = ( - 258CF2D40A191A5000166B38 /* plainrsa-gen.8 in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; - }; 258CF2E20A191AB000166B38 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; @@ -502,16 +446,6 @@ ); runOnlyForDeploymentPostprocessing = 1; }; - 72265DD80F818ED700730A7D /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = /usr/local/OpenSourceVersions/; - dstSubfolderSpec = 0; - files = ( - 72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; - }; 724A38A20E3676FB00F6B25F /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; @@ -583,6 +517,26 @@ ); runOnlyForDeploymentPostprocessing = 1; }; + 815C35FC152522A900502220 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/OpenSourceVersions/; + dstSubfolderSpec = 0; + files = ( + 815C35FE152522CE00502220 /* ipsec.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 815C35FD152522AC00502220 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/OpenSourceLicenses; + dstSubfolderSpec = 0; + files = ( + 815C35FF152522EB00502220 /* ipsec.txt in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; 81DDFDA30D622C1700C5CB87 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; 
@@ -635,16 +589,6 @@ ); runOnlyForDeploymentPostprocessing = 1; }; - BAA6806112B17CF900ACF6D3 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = /usr/local/OpenSourceLicenses; - dstSubfolderSpec = 0; - files = ( - BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; - }; /* End PBXCopyFilesBuildPhase section */ /* Begin PBXFileReference section */ 
@@ -658,21 +602,13 @@ 252DF9600989B4EE00E5B678 /* policy_token.l */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.lex; name = policy_token.l; path = libipsec/policy_token.l; sourceTree = ""; }; 252DF9610989B4EE00E5B678 /* test-policy.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = "test-policy.c"; path = "libipsec/test-policy.c"; sourceTree = ""; }; 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = libipsec.A.dylib; sourceTree = BUILT_PRODUCTS_DIR; }; - 2543476F09DCB477007943DE /* plainrsa-gen */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = "plainrsa-gen"; sourceTree = BUILT_PRODUCTS_DIR; }; - 2543479309DCB57E007943DE /* eaytest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = eaytest; sourceTree = BUILT_PRODUCTS_DIR; }; - 254347B609DCB839007943DE /* test-policy */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = "test-policy"; sourceTree = BUILT_PRODUCTS_DIR; }; - 254347C509DCBA07007943DE /* test-pfkey */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = "test-pfkey"; sourceTree = BUILT_PRODUCTS_DIR; }; 254347C709DCBA1B007943DE /* test-pfkey.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = "test-pfkey.c"; sourceTree = ""; }; - 2589CBA809D8B727002DC960 /* prsa_par.y */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.yacc; path = prsa_par.y; sourceTree = ""; }; - 2589CBAA09D8B727002DC960 /* prsa_tok.l */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.lex; path = prsa_tok.l; sourceTree = ""; }; - 25BC48730A0BC7B000A181A0 /* eaytest.c */ = {isa = PBXFileReference; fileEncoding = 
30; lastKnownFileType = sourcecode.c.c; path = eaytest.c; sourceTree = ""; }; 25D9499F09A6AAD700CA0F24 /* config.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = config.h; path = Common/config.h; sourceTree = ""; }; 25D949A109A6AAD700CA0F24 /* libpfkey.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = libpfkey.h; path = Common/libpfkey.h; sourceTree = ""; }; 25D949A209A6AAD700CA0F24 /* pfkey.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = pfkey.c; path = Common/pfkey.c; sourceTree = ""; }; 25DE2DE50A8BD40E0010A46D /* vpn_control_var.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = vpn_control_var.h; sourceTree = ""; }; 25DE2DE60A8BD40E0010A46D /* vpn_control.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = vpn_control.c; sourceTree = ""; }; 25DE2DE70A8BD40E0010A46D /* vpn_control.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = vpn_control.h; sourceTree = ""; }; - 25E08C9A09D9E64A001A11CF /* rsaparse.o */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.objfile"; includeInIndex = 0; path = rsaparse.o; sourceTree = BUILT_PRODUCTS_DIR; }; 25EAE83109D875790042CC7F /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = /System/Library/Frameworks/Security.framework; sourceTree = ""; }; 25EAE83709D875BF0042CC7F /* DirectoryService.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = DirectoryService.framework; path = /System/Library/Frameworks/DirectoryService.framework; sourceTree = ""; }; 25EAE84709D879700042CC7F /* libssl.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libssl.dylib; path = /usr/lib/libssl.dylib; sourceTree = ""; }; 
@@ -782,8 +718,6 @@ 25F258F60988657000D15623 /* open_dir.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = open_dir.h; sourceTree = ""; }; 25F258F80988657000D15623 /* pfkey_racoon.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = pfkey_racoon.c; sourceTree = ""; }; 25F258F90988657000D15623 /* pfkey.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = pfkey.h; sourceTree = ""; }; - 25F258FB0988657000D15623 /* plainrsa-gen.8 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = "plainrsa-gen.8"; sourceTree = ""; }; - 25F258FC0988657000D15623 /* plainrsa-gen.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = "plainrsa-gen.c"; sourceTree = ""; }; 25F258FD0988657000D15623 /* plog.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = plog.c; sourceTree = ""; }; 25F258FE0988657000D15623 /* plog.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = plog.h; sourceTree = ""; }; 25F258FF0988657000D15623 /* policy.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = policy.c; sourceTree = ""; }; 
@@ -799,8 +733,6 @@ 25F2590D0988657000D15623 /* racoonctl.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = racoonctl.h; sourceTree = ""; }; 25F2590E0988657000D15623 /* remoteconf.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = remoteconf.c; sourceTree = ""; }; 25F2590F0988657000D15623 /* remoteconf.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = remoteconf.h; sourceTree = ""; }; - 25F259100988657000D15623 /* rsalist.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = rsalist.c; sourceTree = ""; }; - 25F259110988657000D15623 /* rsalist.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = rsalist.h; sourceTree = ""; }; 25F259120988657000D15623 /* safefile.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = safefile.c; sourceTree = ""; }; 25F259130988657000D15623 /* safefile.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = safefile.h; sourceTree = ""; }; 25F259140988657000D15623 /* sainfo.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = sainfo.c; sourceTree = ""; }; 
@@ -870,49 +802,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 2543476D09DCB477007943DE /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 25BE7E8209E5DE8D009B6B84 /* libipsec.A.dylib in Frameworks */, - 25BE7E7609E5DDBA009B6B84 /* libssl.dylib in Frameworks */, - 25BE7E7709E5DDBE009B6B84 /* libcrypto.dylib in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 2543479109DCB57E007943DE /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 25BE7E2E09E5D709009B6B84 /* libipsec.A.dylib in Frameworks */, - 25BE7E1209E5D550009B6B84 /* libssl.dylib in Frameworks */, - 25BE7E1309E5D555009B6B84 /* libcrypto.dylib in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 254347B409DCB839007943DE /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 25BE7E0109E5D3F4009B6B84 /* libipsec.A.dylib in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 254347C309DCBA07007943DE /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 25BE7E5A09E5DCBD009B6B84 /* libipsec.A.dylib in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 25E08C9809D9E64A001A11CF /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; 25F258030987FBFA00D15623 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; 
@@ -927,7 +816,6 @@ 81C387890D4524F600975D5E /* libgssapi_krb5.dylib in Frameworks */, 81C3877A0D4524E700975D5E /* libpam.dylib in Frameworks */, 25EAE87709D87A770042CC7F /* libiconv.dylib in Frameworks */, - 25DC9ED709DB170800C89F86 /* rsaparse.o in Frameworks */, 8176A6B90D45661700BC5251 /* libldap.dylib in Frameworks */, 81C9645F0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */, BA486225109C2BF500545E19 /* IOKit.framework in Frameworks */, @@ -1011,11 +899,6 @@ 25F258050987FBFA00D15623 /* racoon */, 25F2580A0987FC1500D15623 /* setkey */, 25F2580F0987FC3400D15623 /* racoonctl */, - 25E08C9A09D9E64A001A11CF /* rsaparse.o */, - 2543476F09DCB477007943DE /* plainrsa-gen */, - 2543479309DCB57E007943DE /* eaytest */, - 254347B609DCB839007943DE /* test-policy */, - 254347C509DCBA07007943DE /* test-pfkey */, 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */, 8125310A0D3FE9DC006BDF4F /* racoon */, 812531290D3FEA33006BDF4F /* racoonctl */, @@ -1122,8 +1005,6 @@ BA5B6F370EC1A03C003774E7 /* ipsecSessionTracer.h */, BA6F109A0EA1DEC200546773 /* ike_session.c */, BA6F10940EA1D67700546773 /* ike_session.h */, - 2589CBA809D8B727002DC960 /* prsa_par.y */, - 2589CBAA09D8B727002DC960 /* prsa_tok.l */, 25F258AB0988657000D15623 /* admin_var.h */, 25F258AC0988657000D15623 /* admin.c */, 25F258AD0988657000D15623 /* admin.h */, @@ -1148,7 +1029,6 @@ 25F258BE0988657000D15623 /* dnssec.c */, 25F258BF0988657000D15623 /* dnssec.h */, 25F258C00988657000D15623 /* dump.h */, - 25BC48730A0BC7B000A181A0 /* eaytest.c */, 25F258C20988657000D15623 /* evt.c */, 25F258C30988657000D15623 /* evt.h */, 25F258C40988657000D15623 /* gcmalloc.h */, 
@@ -1204,8 +1084,6 @@ 25F258F60988657000D15623 /* open_dir.h */, 25F258F80988657000D15623 /* pfkey_racoon.c */, 25F258F90988657000D15623 /* pfkey.h */, - 25F258FB0988657000D15623 /* plainrsa-gen.8 */, - 25F258FC0988657000D15623 /* plainrsa-gen.c */, 25F258FD0988657000D15623 /* plog.c */, 25F258FE0988657000D15623 /* plog.h */, 25F258FF0988657000D15623 /* policy.c */, @@ -1223,8 +1101,6 @@ 25F2590D0988657000D15623 /* racoonctl.h */, 25F2590E0988657000D15623 /* remoteconf.c */, 25F2590F0988657000D15623 /* remoteconf.h */, - 25F259100988657000D15623 /* rsalist.c */, - 25F259110988657000D15623 /* rsalist.h */, 25F259120988657000D15623 /* safefile.c */, 25F259130988657000D15623 /* safefile.h */, 25F259140988657000D15623 /* sainfo.c */, 
@@ -1356,92 +1232,6 @@ productReference = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; productType = "com.apple.product-type.library.dynamic"; }; - 2543476E09DCB477007943DE /* plainrsa-gen */ = { - isa = PBXNativeTarget; - buildConfigurationList = 2543478609DCB494007943DE /* Build configuration list for PBXNativeTarget "plainrsa-gen" */; - buildPhases = ( - 2543476C09DCB477007943DE /* Sources */, - 2543476D09DCB477007943DE /* Frameworks */, - 258CF2D60A191A6E00166B38 /* CopyFiles */, - 258CF3220A19439000166B38 /* ShellScript */, - ); - buildRules = ( - ); - dependencies = ( - 25BE7E7C09E5DE28009B6B84 /* PBXTargetDependency */, - ); - name = "plainrsa-gen"; - productName = "plainrsa-gen"; - productReference = 2543476F09DCB477007943DE /* plainrsa-gen */; - productType = "com.apple.product-type.tool"; - }; - 2543479209DCB57E007943DE /* eaytest */ = { - isa = PBXNativeTarget; - buildConfigurationList = 2543479909DCB596007943DE /* Build configuration list for PBXNativeTarget "eaytest" */; - buildPhases = ( - 2543479009DCB57E007943DE /* Sources */, - 2543479109DCB57E007943DE /* Frameworks */, - ); - buildRules = ( - ); - dependencies = ( - 25BE7E3009E5D710009B6B84 /* PBXTargetDependency */, - ); - name = eaytest; - productName = eaytest; - productReference = 2543479309DCB57E007943DE /* eaytest */; - productType = "com.apple.product-type.tool"; - }; - 254347B509DCB839007943DE /* test-policy */ = { - isa = PBXNativeTarget; - buildConfigurationList = 254347BD09DCB851007943DE /* Build configuration list for PBXNativeTarget "test-policy" */; - buildPhases = ( - 254347B309DCB839007943DE /* Sources */, - 254347B409DCB839007943DE /* Frameworks */, - ); - buildRules = ( - ); - dependencies = ( - 25BE7E0409E5D3FE009B6B84 /* PBXTargetDependency */, - ); - name = "test-policy"; - productName = "test-policy"; - productReference = 254347B609DCB839007943DE /* test-policy */; - productType = "com.apple.product-type.tool"; - }; - 254347C409DCBA07007943DE /* test-pfkey */ = { - isa = 
PBXNativeTarget; - buildConfigurationList = 254347C909DCBA1B007943DE /* Build configuration list for PBXNativeTarget "test-pfkey" */; - buildPhases = ( - 254347C209DCBA07007943DE /* Sources */, - 254347C309DCBA07007943DE /* Frameworks */, - ); - buildRules = ( - ); - dependencies = ( - 25BE7E5C09E5DCC5009B6B84 /* PBXTargetDependency */, - ); - name = "test-pfkey"; - productName = "test-pfkey"; - productReference = 254347C509DCBA07007943DE /* test-pfkey */; - productType = "com.apple.product-type.tool"; - }; - 25E08C9909D9E64A001A11CF /* rsaparse */ = { - isa = PBXNativeTarget; - buildConfigurationList = 25E08CA209D9E6A4001A11CF /* Build configuration list for PBXNativeTarget "rsaparse" */; - buildPhases = ( - 25E08C9709D9E64A001A11CF /* Sources */, - 25E08C9809D9E64A001A11CF /* Frameworks */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = rsaparse; - productName = rsaparse; - productReference = 25E08C9A09D9E64A001A11CF /* rsaparse.o */; - productType = "com.apple.product-type.objfile"; - }; 25F258040987FBFA00D15623 /* racoon */ = { isa = PBXNativeTarget; buildConfigurationList = 25D3DABC098952B20025F703 /* Build configuration list for PBXNativeTarget "racoon" */; @@ -1458,7 +1248,6 @@ buildRules = ( ); dependencies = ( - 25E08CEA09D9F0A2001A11CF /* PBXTargetDependency */, 2537A1C909E49D1400D0ECDA /* PBXTargetDependency */, ); name = racoon; 
@@ -1606,14 +1395,11 @@ projectRoot = ""; targets = ( 23B20D2F0871D62A00A3B0FC /* IPSec (Aggregate) */, + 815C35E61525201900502220 /* Project_base */, + 815C35EB1525203F00502220 /* Project_executables */, 25F258040987FBFA00D15623 /* racoon */, 25F2580E0987FC3400D15623 /* racoonctl */, 25F258090987FC1500D15623 /* setkey */, - 25E08C9909D9E64A001A11CF /* rsaparse */, - 2543476E09DCB477007943DE /* plainrsa-gen */, - 2543479209DCB57E007943DE /* eaytest */, - 254347B509DCB839007943DE /* test-policy */, - 254347C409DCBA07007943DE /* test-pfkey */, 2537A1A709E4864800D0ECDA /* libipsec */, 812530AA0D3FE994006BDF4F /* IPSec Embedded (Aggregate) */, 812530BA0D3FE9DC006BDF4F /* racoon Embedded */, @@ -1664,19 +1450,6 @@ shellPath = /bin/sh; shellScript = "/bin/chmod 444 $DSTROOT/usr/share/man/man8/setkey.8"; }; - 258CF3220A19439000166B38 /* ShellScript */ = { - isa = PBXShellScriptBuildPhase; - buildActionMask = 8; - files = ( - ); - inputPaths = ( - ); - outputPaths = ( - ); - runOnlyForDeploymentPostprocessing = 1; - shellPath = /bin/sh; - shellScript = "/bin/chmod 444 $DSTROOT/usr/share/man/man8/plainrsa-gen.8"; - }; 258CF3240A1943DE00166B38 /* ShellScript */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 8; 
@@ -1757,71 +1530,10 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 2543476C09DCB477007943DE /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 2543477109DCB492007943DE /* plainrsa-gen.c in Sources */, - 2543478A09DCB49C007943DE /* plog.c in Sources */, - 2543478C09DCB4A6007943DE /* logger.c in Sources */, - 25BE7E7F09E5DE4C009B6B84 /* pfkey_dump.c in Sources */, - 25BE7E8809E5E499009B6B84 /* pfkey.c in Sources */, - 25BE7E8A09E5E4A6009B6B84 /* key_debug.c in Sources */, - 25BE7E8E09E5E5BE009B6B84 /* crypto_openssl.c in Sources */, - 25BE7E9009E5E61F009B6B84 /* misc.c in Sources */, - 25BE7E9209E5E635009B6B84 /* vmbuf.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 2543479009DCB57E007943DE /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 254347A909DCB6C8007943DE /* vmbuf.c in Sources */, - 254347AB09DCB6D6007943DE /* str2val.c in Sources */, - 25BE7E1B09E5D5D9009B6B84 /* plog.c in Sources */, - 25BE7E3809E5D80E009B6B84 /* crypto_openssl.c in Sources */, - 25BE7E3E09E5D906009B6B84 /* misc.c in Sources */, - 25BE7E4009E5D92C009B6B84 /* logger.c in Sources */, - 25BC48740A0BC7B000A181A0 /* eaytest.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 254347B309DCB839007943DE /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 254347B809DCB84D007943DE /* test-policy.c in Sources */, - 25BE7E6309E5DD38009B6B84 /* pfkey.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 254347C209DCBA07007943DE /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 254347C809DCBA1B007943DE /* test-pfkey.c in Sources */, - 25BE7E5709E5DC4D009B6B84 /* pfkey_dump.c in Sources */, - 25BE7E5E09E5DCF5009B6B84 /* pfkey.c in Sources */, - 25BE7E6009E5DD04009B6B84 /* key_debug.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 
25E08C9709D9E64A001A11CF /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 25E08C9E09D9E681001A11CF /* prsa_par.y in Sources */, - 25E08C9F09D9E682001A11CF /* prsa_tok.l in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; 25F258020987FBFA00D15623 /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - 25F258A80988651000D15623 /* rijndael-alg-fst.c in Sources */, - 25F258A90988651000D15623 /* rijndael-api-fst.c in Sources */, 25F259280988657000D15623 /* admin.c in Sources */, 25F259290988657000D15623 /* algorithm.c in Sources */, 25F2592A0988657000D15623 /* backupsa.c in Sources */, @@ -1869,7 +1581,6 @@ 25F259630988657000D15623 /* vmbuf.c in Sources */, 25078AE509D37570005F3F63 /* nattraversal.c in Sources */, 25EAE8C609D87B990042CC7F /* pfkey.c in Sources */, - 25DC9EC909DB0FBB00C89F86 /* rsalist.c in Sources */, 25DC9ED409DB16F300C89F86 /* isakmp_cfg.c in Sources */, 25DC9ED509DB16F800C89F86 /* isakmp_unity.c in Sources */, 25DC9ED609DB16FA00C89F86 /* isakmp_xauth.c in Sources */, @@ -1916,8 +1627,6 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - 812530C00D3FE9DC006BDF4F /* rijndael-alg-fst.c in Sources */, - 812530C10D3FE9DC006BDF4F /* rijndael-api-fst.c in Sources */, 812530C20D3FE9DC006BDF4F /* admin.c in Sources */, 812530C30D3FE9DC006BDF4F /* algorithm.c in Sources */, 812530C40D3FE9DC006BDF4F /* backupsa.c in Sources */, 
@@ -2036,65 +1745,45 @@ target = 2537A1A709E4864800D0ECDA /* libipsec */; targetProxy = 2537A1CC09E49D5C00D0ECDA /* PBXContainerItemProxy */; }; - 254347D109DCBAF8007943DE /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 2543476E09DCB477007943DE /* plainrsa-gen */; - targetProxy = 254347D009DCBAF8007943DE /* PBXContainerItemProxy */; - }; - 25BE7E0409E5D3FE009B6B84 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 2537A1A709E4864800D0ECDA /* libipsec */; - targetProxy = 25BE7E0309E5D3FE009B6B84 /* PBXContainerItemProxy */; - }; - 25BE7E3009E5D710009B6B84 /* PBXTargetDependency */ = { + 812531110D3FEA28006BDF4F /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 2537A1A709E4864800D0ECDA /* libipsec */; - targetProxy = 25BE7E2F09E5D710009B6B84 /* PBXContainerItemProxy */; + target = 812530BA0D3FE9DC006BDF4F /* racoon Embedded */; + targetProxy = 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */; }; - 25BE7E5C09E5DCC5009B6B84 /* PBXTargetDependency */ = { + 8125312C0D3FEA44006BDF4F /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 2537A1A709E4864800D0ECDA /* libipsec */; - targetProxy = 25BE7E5B09E5DCC5009B6B84 /* PBXContainerItemProxy */; + target = 812531120D3FEA33006BDF4F /* racoonctl Embedded */; + targetProxy = 8125312B0D3FEA44006BDF4F /* PBXContainerItemProxy */; }; - 25BE7E7C09E5DE28009B6B84 /* PBXTargetDependency */ = { + 815C35F11525208900502220 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 2537A1A709E4864800D0ECDA /* libipsec */; - targetProxy = 25BE7E7B09E5DE28009B6B84 /* PBXContainerItemProxy */; + targetProxy = 815C35F01525208900502220 /* PBXContainerItemProxy */; }; - 25D3DDE30989AFDE0025F703 /* PBXTargetDependency */ = { + 815C35F31525209000502220 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 25F258040987FBFA00D15623 /* racoon */; - targetProxy = 25D3DDE20989AFDE0025F703 /* PBXContainerItemProxy */; + targetProxy = 
815C35F21525209000502220 /* PBXContainerItemProxy */; }; - 25D3DDE50989AFE50025F703 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 25F258090987FC1500D15623 /* setkey */; - targetProxy = 25D3DDE40989AFE50025F703 /* PBXContainerItemProxy */; - }; - 25D3DDE70989AFE90025F703 /* PBXTargetDependency */ = { + 815C35F51525209400502220 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 25F2580E0987FC3400D15623 /* racoonctl */; - targetProxy = 25D3DDE60989AFE90025F703 /* PBXContainerItemProxy */; - }; - 25DE3DB609EC27B900147420 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 2537A1A709E4864800D0ECDA /* libipsec */; - targetProxy = 25DE3DB509EC27B900147420 /* PBXContainerItemProxy */; + targetProxy = 815C35F41525209400502220 /* PBXContainerItemProxy */; }; - 25E08CEA09D9F0A2001A11CF /* PBXTargetDependency */ = { + 815C35F71525209800502220 /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 25E08C9909D9E64A001A11CF /* rsaparse */; - targetProxy = 25E08CE909D9F0A2001A11CF /* PBXContainerItemProxy */; + target = 25F258090987FC1500D15623 /* setkey */; + targetProxy = 815C35F61525209800502220 /* PBXContainerItemProxy */; }; - 812531110D3FEA28006BDF4F /* PBXTargetDependency */ = { + 815C35F9152520BC00502220 /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 812530BA0D3FE9DC006BDF4F /* racoon Embedded */; - targetProxy = 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */; + target = 815C35E61525201900502220 /* Project_base */; + targetProxy = 815C35F8152520BC00502220 /* PBXContainerItemProxy */; }; - 8125312C0D3FEA44006BDF4F /* PBXTargetDependency */ = { + 815C35FB152520C000502220 /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = 812531120D3FEA33006BDF4F /* racoonctl Embedded */; - targetProxy = 8125312B0D3FEA44006BDF4F /* PBXContainerItemProxy */; + target = 815C35EB1525203F00502220 /* Project_executables */; + targetProxy = 815C35FA152520C000502220 /* 
PBXContainerItemProxy */; }; 81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */ = { isa = PBXTargetDependency; @@ -2125,10 +1814,7 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - i386, - x86_64, - ); + ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; COPY_PHASE_STRIP = NO; CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; @@ -2154,7 +1840,6 @@ PREBINDING = NO; PRODUCT_NAME = ipsec.A; SKIP_INSTALL = YES; - VALID_ARCHS = "i386 x86_64"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; @@ -2166,10 +1851,7 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - i386, - x86_64, - ); + ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; COPY_PHASE_STRIP = NO; CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; @@ -2192,7 +1874,6 @@ LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PREBINDING = NO; PRODUCT_NAME = ipsec.A; - VALID_ARCHS = "i386 x86_64"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; @@ -2204,10 +1885,7 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - i386, - x86_64, - ); + ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; COPY_PHASE_STRIP = NO; CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)"; DYLIB_CURRENT_VERSION = 300; 
@@ -2229,332 +1907,15 @@ LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PREBINDING = NO; PRODUCT_NAME = ipsec.A; - VALID_ARCHS = "i386 x86_64"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; name = Default; }; - 2543478709DCB494007943DE /* Development */ = { + 25D3DAB9098952B20025F703 /* Development */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = ( - x86_64, - i386, - ); - COPY_PHASE_STRIP = NO; - GCC_DYNAMIC_NO_PIC = YES; - GCC_ENABLE_FIX_AND_CONTINUE = YES; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_OPTIMIZATION_LEVEL = 0; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(inherited)", - ); - INSTALL_GROUP = wheel; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = root; - INSTALL_PATH = /usr/sbin; - PREBINDING = NO; - PRODUCT_NAME = "plainrsa-gen"; - SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Development; - }; - 2543478809DCB494007943DE /* Deployment */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - x86_64, - i386, - ); - COPY_PHASE_STRIP = YES; - GCC_ENABLE_FIX_AND_CONTINUE = NO; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(inherited)", - ); - INSTALL_GROUP = wheel; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = root; - INSTALL_PATH = /usr/sbin; - PREBINDING = NO; - PRODUCT_NAME = "plainrsa-gen"; - STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Deployment; - }; - 2543478909DCB494007943DE /* Default */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - x86_64, - i386, - ); - GCC_ENABLE_FIX_AND_CONTINUE = YES; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(inherited)", - ); - INSTALL_GROUP = wheel; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = root; - INSTALL_PATH = /usr/sbin; - PREBINDING = NO; - PRODUCT_NAME = "plainrsa-gen"; - STRIP_INSTALLED_PRODUCT = YES; - 
VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Default; - }; - 2543479A09DCB596007943DE /* Development */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - x86_64, - i386, - ); - COPY_PHASE_STRIP = NO; - GCC_DYNAMIC_NO_PIC = NO; - GCC_ENABLE_FIX_AND_CONTINUE = YES; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_OPTIMIZATION_LEVEL = 0; - INSTALL_GROUP = "$(inherited)"; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = "$(inherited)"; - INSTALL_PATH = ""; - OTHER_CFLAGS = ( - "$(OTHER_CFLAGS)", - "-DEAYDEBUG", - "-DNOUSE_PLOG", - ); - PREBINDING = NO; - PRODUCT_NAME = eaytest; - SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Development; - }; - 2543479B09DCB596007943DE /* Deployment */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - x86_64, - i386, - ); - COPY_PHASE_STRIP = YES; - GCC_ENABLE_FIX_AND_CONTINUE = NO; - GCC_GENERATE_DEBUGGING_SYMBOLS = NO; - GCC_MODEL_TUNING = G5; - INSTALL_GROUP = "$(inherited)"; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = "$(inherited)"; - INSTALL_PATH = ""; - OTHER_CFLAGS = ( - "$(OTHER_CFLAGS)", - "-DEAYDEBUG", - "-DNOUSE_PLOG", - ); - PREBINDING = NO; - PRODUCT_NAME = eaytest; - SKIP_INSTALL = YES; - STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Deployment; - }; - 2543479C09DCB596007943DE /* Default */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - i386, - x86_64, - ); - COPY_PHASE_STRIP = YES; - GCC_ENABLE_FIX_AND_CONTINUE = YES; - GCC_MODEL_TUNING = G5; - INSTALL_GROUP = "$(inherited)"; - INSTALL_MODE_FLAG = 555; - INSTALL_OWNER = "$(inherited)"; - INSTALL_PATH = ""; - OTHER_CFLAGS = ( - "$(OTHER_CFLAGS)", - "-DEAYDEBUG", - "-DNOUSE_PLOG", - ); - PREBINDING = NO; - PRODUCT_NAME = eaytest; - SKIP_INSTALL = YES; - STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Default; - }; - 254347BE09DCB851007943DE /* 
Development */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - i386, - x86_64, - ); - COPY_PHASE_STRIP = NO; - GCC_DYNAMIC_NO_PIC = NO; - GCC_ENABLE_FIX_AND_CONTINUE = YES; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_OPTIMIZATION_LEVEL = 0; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(inherited)", - ); - INSTALL_MODE_FLAG = 555; - INSTALL_PATH = "$(HOME)/bin"; - PREBINDING = NO; - PRODUCT_NAME = "test-policy"; - SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Development; - }; - 254347BF09DCB851007943DE /* Deployment */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - i386, - x86_64, - ); - COPY_PHASE_STRIP = YES; - GCC_ENABLE_FIX_AND_CONTINUE = NO; - GCC_GENERATE_DEBUGGING_SYMBOLS = NO; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(inherited)", - ); - INSTALL_MODE_FLAG = 555; - INSTALL_PATH = "$(HOME)/bin"; - PREBINDING = NO; - PRODUCT_NAME = "test-policy"; - SKIP_INSTALL = YES; - STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Deployment; - }; - 254347C009DCB851007943DE /* Default */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - i386, - x86_64, - ); - GCC_ENABLE_FIX_AND_CONTINUE = YES; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1", - "$(inherited)", - ); - INSTALL_MODE_FLAG = 555; - INSTALL_PATH = "$(HOME)/bin"; - PREBINDING = NO; - PRODUCT_NAME = "test-policy"; - SKIP_INSTALL = YES; - STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Default; - }; - 254347CA09DCBA1B007943DE /* Development */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - i386, - x86_64, - ); - COPY_PHASE_STRIP = NO; - GCC_DYNAMIC_NO_PIC = NO; - GCC_ENABLE_FIX_AND_CONTINUE = YES; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_OPTIMIZATION_LEVEL = 0; - 
GCC_PREPROCESSOR_DEFINITIONS = "HAVE_CONFIG_H=1"; - INSTALL_MODE_FLAG = 555; - INSTALL_PATH = "$(HOME)/bin"; - PREBINDING = NO; - PRODUCT_NAME = "test-pfkey"; - SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Development; - }; - 254347CB09DCBA1B007943DE /* Deployment */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - i386, - x86_64, - ); - COPY_PHASE_STRIP = YES; - GCC_ENABLE_FIX_AND_CONTINUE = NO; - GCC_GENERATE_DEBUGGING_SYMBOLS = NO; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = "HAVE_CONFIG_H=1"; - INSTALL_MODE_FLAG = 555; - INSTALL_PATH = "$(HOME)/bin"; - PREBINDING = NO; - PRODUCT_NAME = "test-pfkey"; - SKIP_INSTALL = YES; - STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Deployment; - }; - 254347CC09DCBA1B007943DE /* Default */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - i386, - x86_64, - ); - GCC_ENABLE_FIX_AND_CONTINUE = YES; - GCC_MODEL_TUNING = G5; - GCC_PREPROCESSOR_DEFINITIONS = "HAVE_CONFIG_H=1"; - INSTALL_MODE_FLAG = 555; - INSTALL_PATH = "$(HOME)/bin"; - PREBINDING = NO; - PRODUCT_NAME = "test-pfkey"; - SKIP_INSTALL = YES; - STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386"; - ZERO_LINK = NO; - }; - name = Default; - }; - 25D3DAB9098952B20025F703 /* Development */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - i386, - x86_64, - ); + ARCHS = ""; COPY_PHASE_STRIP = NO; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; @@ -2562,7 +1923,6 @@ PRODUCT_NAME = "IPSec (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; - VALID_ARCHS = "i386 x86_64"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2574,10 +1934,7 @@ 25D3DABA098952B20025F703 /* Deployment */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = ( - i386, - x86_64, - ); + ARCHS = ""; COPY_PHASE_STRIP = NO; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; 
@@ -2585,7 +1942,6 @@ PRODUCT_NAME = "IPSec (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; - VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2597,10 +1953,8 @@ 25D3DABB098952B20025F703 /* Default */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = ( - i386, - x86_64, - ); + ARCHS = ""; + "ARCHS[arch=*]" = ""; COPY_PHASE_STRIP = NO; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; @@ -2608,7 +1962,6 @@ PRODUCT_NAME = "IPSec (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; - VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2623,10 +1976,7 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - x86_64, - i386, - ); + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; COPY_PHASE_STRIP = NO; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; @@ -2662,7 +2012,6 @@ PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2679,10 +2028,7 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - x86_64, - i386, - ); + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; COPY_PHASE_STRIP = NO; DSTROOT = "/tmp/$(PROJECT_NAME).dst"; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; @@ -2716,7 +2062,6 @@ PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; - VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2732,10 +2077,7 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - x86_64, - i386, - ); + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; COPY_PHASE_STRIP = NO; DSTROOT = "/tmp/$(PROJECT_NAME).dst"; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; 
@@ -2769,7 +2111,6 @@ PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; - VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2782,10 +2123,8 @@ 25D3DAC1098952B20025F703 /* Development */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = ( - x86_64, - i386, - ); + ALTERNATE_PERMISSIONS_FILES = ""; + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; COPY_PHASE_STRIP = NO; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; @@ -2811,7 +2150,6 @@ PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; - VALID_ARCHS = "i386 x86_64"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2824,10 +2162,8 @@ 25D3DAC2098952B20025F703 /* Deployment */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = ( - x86_64, - i386, - ); + ALTERNATE_PERMISSIONS_FILES = ""; + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; COPY_PHASE_STRIP = YES; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; @@ -2854,7 +2190,6 @@ SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "i386 x86_64"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2866,10 +2201,8 @@ 25D3DAC3098952B20025F703 /* Default */ = { isa = XCBuildConfiguration; buildSettings = { - ARCHS = ( - x86_64, - i386, - ); + ALTERNATE_PERMISSIONS_FILES = ""; + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( @@ -2894,7 +2227,6 @@ PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "i386 x86_64"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2909,10 +2241,7 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - x86_64, - i386, - ); + ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; COPY_PHASE_STRIP = NO; GCC_GENERATE_DEBUGGING_SYMBOLS = NO; GCC_MODEL_TUNING = G5; 
@@ -2935,7 +2264,6 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; - VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2950,10 +2278,7 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - x86_64, - i386, - ); + ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; COPY_PHASE_STRIP = YES; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; @@ -2976,7 +2301,6 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -2991,10 +2315,7 @@ ALTERNATE_GROUP = "$(inherited)"; ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; - ARCHS = ( - x86_64, - i386, - ); + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( @@ -3016,7 +2337,6 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "x86_64 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3030,13 +2350,7 @@ baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ADDITIONAL_SDKS = ""; - ARCHS = ( - armv6, - i386, - armv7, - x86_64, - ); - VALID_ARCHS = "armv6 x86_64 i386 armv7"; + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; }; name = Development; }; @@ -3045,13 +2359,7 @@ baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ADDITIONAL_SDKS = ""; - ARCHS = ( - armv6, - i386, - armv7, - x86_64, - ); - VALID_ARCHS = "armv6 x86_64 i386 armv7"; + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; }; name = Deployment; }; 
@@ -3060,76 +2368,7 @@ baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ADDITIONAL_SDKS = ""; - ARCHS = ( - armv6, - i386, - armv7, - x86_64, - ); - VALID_ARCHS = "armv6 armv7 x86_64 i386"; - }; - name = Default; - }; - 25E08CA309D9E6A4001A11CF /* Development */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - x86_64, - i386, - ); - COPY_PHASE_STRIP = NO; - GCC_DYNAMIC_NO_PIC = NO; - GCC_GENERATE_DEBUGGING_SYMBOLS = YES; - GCC_MODEL_TUNING = G5; - GCC_OPTIMIZATION_LEVEL = 0; - INSTALL_PATH = ""; - LEXFLAGS = "$(LEXFLAGS) -Pprsa"; - PREBINDING = NO; - PRODUCT_NAME = rsaparse; - SKIP_INSTALL = NO; - VALID_ARCHS = "i386 x86_64"; - YACCFLAGS = "$(YACCFLAGS) -pprsa"; - }; - name = Development; - }; - 25E08CA409D9E6A4001A11CF /* Deployment */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - x86_64, - i386, - ); - COPY_PHASE_STRIP = NO; - GCC_ENABLE_FIX_AND_CONTINUE = NO; - GCC_GENERATE_DEBUGGING_SYMBOLS = NO; - GCC_MODEL_TUNING = G5; - INSTALL_PATH = ""; - LEXFLAGS = "$(LEXFLAGS) -Pprsa"; - PREBINDING = NO; - PRODUCT_NAME = rsaparse; - SKIP_INSTALL = NO; - VALID_ARCHS = "i386 x86_64"; - YACCFLAGS = "$(YACCFLAGS) -pprsa"; - ZERO_LINK = NO; - }; - name = Deployment; - }; - 25E08CA509D9E6A4001A11CF /* Default */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = ( - i386, - x86_64, - ); - COPY_PHASE_STRIP = NO; - GCC_MODEL_TUNING = G5; - INSTALL_PATH = ""; - LEXFLAGS = "$(LEXFLAGS) -Pprsa"; - PREBINDING = NO; - PRODUCT_NAME = rsaparse; - SKIP_INSTALL = NO; - VALID_ARCHS = "i386 x86_64"; - YACCFLAGS = "$(YACCFLAGS) -pprsa"; + ARCHS = "$(ARCHS_STANDARD_32_BIT)"; }; name = Default; }; @@ -3138,7 +2377,6 @@ buildSettings = { ADDITIONAL_SDKS = ""; ARCHS = ( - armv6, armv7, ); COPY_PHASE_STRIP = NO; 
@@ -3148,7 +2386,6 @@ PRODUCT_NAME = "IPSec Embedded (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; - VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3162,7 +2399,6 @@ buildSettings = { ADDITIONAL_SDKS = ""; ARCHS = ( - armv6, armv7, ); COPY_PHASE_STRIP = NO; @@ -3184,8 +2420,8 @@ isa = XCBuildConfiguration; buildSettings = { ADDITIONAL_SDKS = ""; - ARCHS = ( - armv6, + ARCHS = ""; + "ARCHS[arch=*]" = ( armv7, ); COPY_PHASE_STRIP = NO; @@ -3195,7 +2431,6 @@ PRODUCT_NAME = "IPSec Embedded (Aggregate)"; SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; - VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", @@ -3212,7 +2447,6 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - armv6, armv7, ); CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist"; @@ -3257,11 +2491,11 @@ PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; - VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", ); YACCFLAGS = "$(YACCFLAGS) -d"; YACC_GENERATE_DEBUGGING_DIRECTIVES = NO; @@ -3276,7 +2510,6 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - armv6, armv7, ); CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist"; @@ -3319,11 +2552,11 @@ PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; - VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", ); YACCFLAGS = "$(YACCFLAGS) -d"; }; @@ -3337,7 +2570,6 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - armv6, armv7, ); CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist"; 
@@ -3380,11 +2612,11 @@ PREBINDING = NO; PRODUCT_NAME = racoon; SECTORDER_FLAGS = ""; - VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", ); YACCFLAGS = "$(YACCFLAGS) -d"; }; @@ -3398,7 +2630,6 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - armv6, armv7, ); COPY_PHASE_STRIP = NO; @@ -3423,11 +2654,11 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; - VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", ); }; name = Development; @@ -3440,7 +2671,6 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - armv6, armv7, ); COPY_PHASE_STRIP = YES; @@ -3465,11 +2695,11 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", ); }; name = Deployment; @@ -3482,7 +2712,6 @@ ALTERNATE_MODE = "$(inherited)"; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - armv6, armv7, ); GCC_GENERATE_DEBUGGING_SYMBOLS = YES; 
@@ -3506,28 +2735,73 @@ PRODUCT_NAME = racoonctl; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "armv6 i386"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", ); }; name = Default; }; + 815C35E81525201900502220 /* Development */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + TARGETED_DEVICE_FAMILY = ""; + }; + name = Development; + }; + 815C35E91525201900502220 /* Deployment */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + TARGETED_DEVICE_FAMILY = ""; + }; + name = Deployment; + }; + 815C35EA1525201900502220 /* Default */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + TARGETED_DEVICE_FAMILY = ""; + }; + name = Default; + }; + 815C35ED1525203F00502220 /* Development */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Development; + }; + 815C35EE1525203F00502220 /* Deployment */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Deployment; + }; + 815C35EF1525203F00502220 /* Default */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Default; + }; 81DDFDA70D622C1700C5CB87 /* Development */ = { isa = XCBuildConfiguration; baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ARCHS = ( - armv6, armv7, ); COPY_PHASE_STRIP = NO; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; GCC_PREPROCESSOR_DEFINITIONS = ( - "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1", + "HAVE_CONFIG_H=1", + "HAVE_CONFIG_H=1", "$(GCC_PREPROCESSOR_DEFINITIONS)", ); HEADER_SEARCH_PATHS = ( 
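Review bot: The rewritten GCC_PREPROCESSOR_DEFINITIONS list in the 81DDFDA7 Development configuration (apparently the setkey Embedded target, given the AspenSDK.xcconfig base and the setkey PRODUCT_NAME in the following hunk) now carries `"HAVE_CONFIG_H=1"` twice. The old single entry with an embedded `\n` was already a paste error, and splitting it just preserves the duplicate; collapse it to one entry: `"HAVE_CONFIG_H=1", "$(GCC_PREPROCESSOR_DEFINITIONS)",`. It is harmless to the compiler (redefining a macro to the same token sequence is permitted), but it will keep being copied into new configurations until it is removed. The other configurations in this hunk list the define once, so this one is also inconsistent with them.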
@@ -3548,11 +2822,11 @@ PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; SKIP_INSTALL = YES; - VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", ); YACCFLAGS = ""; }; @@ -3563,7 +2837,6 @@ baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ARCHS = ( - armv6, armv7, ); COPY_PHASE_STRIP = YES; @@ -3592,11 +2865,11 @@ SECTORDER_FLAGS = ""; SKIP_INSTALL = NO; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "armv6 armv7"; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", ); }; name = Deployment; @@ -3606,7 +2879,6 @@ baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */; buildSettings = { ARCHS = ( - armv6, armv7, ); GCC_GENERATE_DEBUGGING_SYMBOLS = YES; @@ -3633,11 +2905,11 @@ PRODUCT_NAME = setkey; SECTORDER_FLAGS = ""; STRIP_INSTALLED_PRODUCT = YES; - VALID_ARCHS = "armv6 armv7 "; WARNING_CFLAGS = ( "-Wmost", "-Wno-four-char-constants", "-Wno-unknown-pragmas", + "-Wcast-align", ); }; name = Default; @@ -3650,7 +2922,6 @@ ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - armv6, armv7, ); COPY_PHASE_STRIP = NO; @@ -3678,7 +2949,7 @@ PREBINDING = NO; PRODUCT_NAME = ipsec.A; SKIP_INSTALL = YES; - VALID_ARCHS = "armv6 armv7"; + WARNING_CFLAGS = "-Wcast-align"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; @@ -3692,7 +2963,6 @@ ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - armv6, armv7, ); COPY_PHASE_STRIP = NO; @@ -3717,7 +2987,7 @@ LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PREBINDING = NO; PRODUCT_NAME = ipsec.A; - VALID_ARCHS = "armv6 armv7"; + WARNING_CFLAGS = "-Wcast-align"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; @@ -3731,7 +3001,6 @@ ALTERNATE_MODE = ""; ALTERNATE_OWNER = "$(inherited)"; ARCHS = ( - armv6, armv7, ); COPY_PHASE_STRIP = NO; 
@@ -3755,7 +3024,7 @@ LEXFLAGS = "$(LEXFLAGS) -P__libipsec"; PREBINDING = NO; PRODUCT_NAME = ipsec.A; - VALID_ARCHS = "armv6 i386"; + WARNING_CFLAGS = "-Wcast-align"; YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec"; ZERO_LINK = YES; }; @@ -3774,46 +3043,6 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Deployment; }; - 2543478609DCB494007943DE /* Build configuration list for PBXNativeTarget "plainrsa-gen" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 2543478709DCB494007943DE /* Development */, - 2543478809DCB494007943DE /* Deployment */, - 2543478909DCB494007943DE /* Default */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; - }; - 2543479909DCB596007943DE /* Build configuration list for PBXNativeTarget "eaytest" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 2543479A09DCB596007943DE /* Development */, - 2543479B09DCB596007943DE /* Deployment */, - 2543479C09DCB596007943DE /* Default */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; - }; - 254347BD09DCB851007943DE /* Build configuration list for PBXNativeTarget "test-policy" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 254347BE09DCB851007943DE /* Development */, - 254347BF09DCB851007943DE /* Deployment */, - 254347C009DCB851007943DE /* Default */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; - }; - 254347C909DCBA1B007943DE /* Build configuration list for PBXNativeTarget "test-pfkey" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 254347CA09DCBA1B007943DE /* Development */, - 254347CB09DCBA1B007943DE /* Deployment */, - 254347CC09DCBA1B007943DE /* Default */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; - }; 25D3DAB8098952B20025F703 /* Build configuration list for PBXAggregateTarget "IPSec (Aggregate)" */ = { isa = XCConfigurationList; buildConfigurations = ( 
@@ -3864,16 +3093,6 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Deployment; }; - 25E08CA209D9E6A4001A11CF /* Build configuration list for PBXNativeTarget "rsaparse" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 25E08CA309D9E6A4001A11CF /* Development */, - 25E08CA409D9E6A4001A11CF /* Deployment */, - 25E08CA509D9E6A4001A11CF /* Default */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Deployment; - }; 812530B50D3FE994006BDF4F /* Build configuration list for PBXAggregateTarget "IPSec Embedded (Aggregate)" */ = { isa = XCConfigurationList; buildConfigurations = ( @@ -3904,6 +3123,26 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Deployment; }; + 815C35E71525201900502220 /* Build configuration list for PBXAggregateTarget "Project_base" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 815C35E81525201900502220 /* Development */, + 815C35E91525201900502220 /* Deployment */, + 815C35EA1525201900502220 /* Default */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Deployment; + }; + 815C35EC1525203F00502220 /* Build configuration list for PBXAggregateTarget "Project_executables" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 815C35ED1525203F00502220 /* Development */, + 815C35EE1525203F00502220 /* Deployment */, + 815C35EF1525203F00502220 /* Default */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Deployment; + }; 81DDFDA60D622C1700C5CB87 /* Build configuration list for PBXNativeTarget "setkey Embedded" */ = { isa = XCConfigurationList; buildConfigurations = ( diff --git a/racoon.sb b/racoon.sb index 88b9a92..1d1e972 100644 --- a/racoon.sb +++ b/racoon.sb @@ -1,6 +1,9 @@ ;; OriginatingProject: ipsec (version 1) (deny default) + +(import "system.sb") + (allow system-socket sysctl-read sysctl-write) (allow ipc-posix* (ipc-posix-name "com.apple.securityd")) 
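Review bot: The new `(import "system.sb")` is placed directly after `(deny default)` with no comment recording which of the imported allow rules racoon actually depends on, so a reader of this profile cannot tell whether the whole system baseline is required or whether a few explicit allows would do. Because the profile denies by default, every operation system.sb permits (presumably the common file-read and device rules — that file is not visible from here) becomes reachable to a daemon that parses IKE traffic from the network, which is a real widening of its sandbox. I would add above the import `;; system.sb supplies the platform baseline allows; racoon needs it for <reason> — keep the explicit allows below minimal` with the concrete reason filled in. It is also worth confirming the intended precedence: in this profile language the later rule generally wins, so the imported allows override the preceding `(deny default)`, while any deny inside system.sb is overridden only by allows written after the import.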
@@ -97,7 +100,5 @@
 (allow mach-lookup
 (global-name "com.apple.securityd")
 (global-name "com.apple.bsd.dirhelper")
- (global-name "com.apple.system.DirectoryService.libinfo_v1")
- (global-name "com.apple.system.DirectoryService.membership_v1")
 (global-name "com.apple.system.logger")
 (global-name "com.apple.system.notification_center"))
-- 2.45.2
