From d06a7ccbc5c7dbb1b65b08cfdbb7c4ec0824c666 Mon Sep 17 00:00:00 2001 From: Apple Date: Wed, 13 Jul 2016 22:45:27 +0000 Subject: [PATCH] ipsec-292.40.4.tar.gz --- ipsec-tools/Common/pfkey.c | 2 +- ipsec-tools/racoon/fsm.c | 8 +-- ipsec-tools/racoon/handler.c | 51 +++++++++++++- ipsec-tools/racoon/handler.h | 15 +++-- ipsec-tools/racoon/ike_session.c | 16 +++++ ipsec-tools/racoon/ike_session.h | 1 + ipsec-tools/racoon/ipsec_doi.c | 52 +++++++++++++-- ipsec-tools/racoon/isakmp.c | 39 +++++++++-- ipsec-tools/racoon/isakmp_inf.c | 60 ++++++++++------- ipsec-tools/racoon/isakmp_var.h | 3 +- ipsec-tools/racoon/isakmp_xauth.c | 4 +- ipsec-tools/racoon/localconf.h | 2 + ipsec-tools/racoon/oakley.c | 7 +- ipsec-tools/racoon/pfkey_racoon.c | 7 +- ipsec-tools/racoon/remoteconf.c | 24 ++++++- ipsec-tools/racoon/sockmisc.c | 2 +- ipsec-tools/racoon/vpn.c | 26 +++++--- ipsec-tools/racoon/vpn_control.c | 99 +++++++++++++++++----------- ipsec-tools/racoon/vpn_control.h | 9 ++- ipsec-tools/racoon/vpn_control_var.h | 1 + ipsec.xcodeproj/project.pbxproj | 48 +++++--------- 21 files changed, 332 insertions(+), 144 deletions(-) diff --git a/ipsec-tools/Common/pfkey.c b/ipsec-tools/Common/pfkey.c index 409333d..2a8a765 100644 --- a/ipsec-tools/Common/pfkey.c +++ b/ipsec-tools/Common/pfkey.c @@ -1612,7 +1612,7 @@ pfkey_open() { int so; int bufsiz = 0; /* Max allowed by default */ - const unsigned long newbufk = 1536; + const unsigned long newbufk = 2176; unsigned long oldmax; size_t oldmaxsize = sizeof(oldmax); unsigned long newmax = newbufk * (1024 + 128); diff --git a/ipsec-tools/racoon/fsm.c b/ipsec-tools/racoon/fsm.c index ea5802b..8ff862c 100644 --- a/ipsec-tools/racoon/fsm.c +++ b/ipsec-tools/racoon/fsm.c 
@@ -247,13 +247,7 @@ fsm_ikev1_phase1_send_response(phase1_handle_t *iph1, vchar_t *msg) } if (error) { - u_int32_t address; - if (iph1->remote->ss_family == AF_INET) - address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; - else { - address = 0; - } - vpncontrol_notify_ike_failed(error, FROM_LOCAL, address, 0, NULL); + vpncontrol_notify_ike_failed(error, FROM_LOCAL, iph1_get_remote_v4_address(iph1), 0, NULL); } return error; diff --git a/ipsec-tools/racoon/handler.c b/ipsec-tools/racoon/handler.c index df3380d..6fe8e46 100644 --- a/ipsec-tools/racoon/handler.c +++ b/ipsec-tools/racoon/handler.c @@ -241,10 +241,19 @@ sike_session_getph1bydstaddrwop(ike_session_t *session, struct sockaddr_storage phase1_handle_t *p = NULL; LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) { - if (FSM_STATE_IS_EXPIRED(p->status)) + if (FSM_STATE_IS_EXPIRED(p->status)) { continue; - if (cmpsaddrwop(remote, p->remote) == 0) + } + if (remote->ss_family == AF_INET && + p->nat64_prefix.length) { + struct in_addr address; + nw_nat64_extract_v4(&p->nat64_prefix, &((struct sockaddr_in6 *)p->remote)->sin6_addr, &address); + if (((struct sockaddr_in *)remote)->sin_addr.s_addr == address.s_addr) { + return p; + } + } else if (cmpsaddrwop(remote, p->remote) == 0) { return p; + } } return NULL; 
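Review bot: In ike_session_getph1bydstaddrwop the new NAT64 branch casts `p->remote` to `struct sockaddr_in6` as soon as `p->nat64_prefix.length` is non-zero, without confirming `p->remote->ss_family == AF_INET6`, and it discards the return value of nw_nat64_extract_v4, so a failed extraction compares the caller's address against the uninitialized local `address`. The helper iph1_get_remote_v4_address added in the same file checks both conditions; this lookup should too: `if (remote->ss_family == AF_INET && p->remote->ss_family == AF_INET6 && p->nat64_prefix.length) {` and `if (nw_nat64_extract_v4(&p->nat64_prefix, &((struct sockaddr_in6 *)p->remote)->sin6_addr, &address) && ((struct sockaddr_in *)remote)->sin_addr.s_addr == address.s_addr) {`. A Phase 1 whose remote is plain IPv4 but carries a stale prefix would otherwise be matched or skipped on garbage. The function's signature lies outside the hunk.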
@@ -1568,3 +1577,41 @@ sweep_sleepwake(void) // do the ike_session last ike_session_sweep_sleepwake(); } + +uint32_t +iph1_get_remote_v4_address(phase1_handle_t *iph1) +{ + uint32_t address = 0; + if (iph1->remote->ss_family == AF_INET) { + address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; + } else if (iph1->remote->ss_family == AF_INET6 && + iph1->nat64_prefix.length) { + if (!nw_nat64_extract_v4(&iph1->nat64_prefix, &((struct sockaddr_in6 *)iph1->remote)->sin6_addr, (struct in_addr *)&address)) { + plog(ASL_LEVEL_ERR, "Failed to extract IPv4 from Phase 1 IPv6 address.\n"); + } + } else { + plog(ASL_LEVEL_ERR, "Failed to get IPv4 address for Phase 1 (family=%u, NAT64Prefix=%u)\n", + iph1->remote->ss_family, + iph1->nat64_prefix.length); + } + return address; +} + +uint32_t +iph2_get_remote_v4_address(phase2_handle_t *iph2) +{ + uint32_t address = 0; + if (iph2->dst->ss_family == AF_INET) { + address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr; + } else if (iph2->dst->ss_family == AF_INET6 && + iph2->nat64_prefix.length) { + if (!nw_nat64_extract_v4(&iph2->nat64_prefix, &((struct sockaddr_in6 *)iph2->dst)->sin6_addr, (struct in_addr *)&address)) { + plog(ASL_LEVEL_ERR, "Failed to extract IPv4 from Phase 2 IPv6 address.\n"); + } + } else { + plog(ASL_LEVEL_ERR, "Failed to get IPv4 address for Phase 2 (family=%u, NAT64Prefix=%u)\n", + iph2->dst->ss_family, + iph2->nat64_prefix.length); + } + return address; +} diff --git a/ipsec-tools/racoon/handler.h b/ipsec-tools/racoon/handler.h index 2b8f056..172b72a 100644 --- a/ipsec-tools/racoon/handler.h +++ b/ipsec-tools/racoon/handler.h @@ -52,6 +52,7 @@ #include #include +#include /* About address semantics in each case. * initiator(addr=I) responder(addr=R) 
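Review bot: iph1_get_remote_v4_address and iph2_get_remote_v4_address are the same body twice, differing only in which handle field is read and the "Phase 1"/"Phase 2" text in the log lines, and both pass `(struct in_addr *)&address` to nw_nat64_extract_v4, which is a type-punning cast that a `struct in_addr` local avoids. The callers added in vpn_control.c treat a return of 0 as "no address", so if the extractor writes anything on failure (its contract is not visible here) the sentinel would be lost; resetting to 0 in the failure arm keeps that contract explicit. The shared helper below keeps both public entry points and their messages byte-for-byte.
```c
/* Shared body of iph1_/iph2_get_remote_v4_address: returns the peer's IPv4
 * address in network byte order, or 0 when none can be derived (callers
 * test for 0). 'phase' is only used in the log lines. */
static uint32_t
remote_v4_address(struct sockaddr_storage *sa, nw_nat64_prefix_t *prefix, const char *phase)
{
	struct in_addr v4 = { 0 };
	if (sa->ss_family == AF_INET) {
		v4 = ((struct sockaddr_in *)sa)->sin_addr;
	} else if (sa->ss_family == AF_INET6 && prefix->length) {
		if (!nw_nat64_extract_v4(prefix, &((struct sockaddr_in6 *)sa)->sin6_addr, &v4)) {
			plog(ASL_LEVEL_ERR, "Failed to extract IPv4 from %s IPv6 address.\n", phase);
			v4.s_addr = 0; /* keep the 0 sentinel even if the extractor wrote a partial result */
		}
	} else {
		plog(ASL_LEVEL_ERR, "Failed to get IPv4 address for %s (family=%u, NAT64Prefix=%u)\n",
		     phase, sa->ss_family, prefix->length);
	}
	return v4.s_addr;
}

uint32_t
iph1_get_remote_v4_address(phase1_handle_t *iph1)
{
	return remote_v4_address(iph1->remote, &iph1->nat64_prefix, "Phase 1");
}

uint32_t
iph2_get_remote_v4_address(phase2_handle_t *iph2)
{
	return remote_v4_address(iph2->dst, &iph2->nat64_prefix, "Phase 2");
}
```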
@@ -79,9 +80,10 @@ struct phase1handle { int status; /* status of this SA */ int side; /* INITIATOR or RESPONDER */ int started_by_api; /* connection started by VPNControl API */ - - struct sockaddr_storage *remote; /* remote address to negosiate ph1 */ - struct sockaddr_storage *local; /* local address to negosiate ph1 */ + + nw_nat64_prefix_t nat64_prefix; /* nat64 prefix to apply to addresses. */ + struct sockaddr_storage *remote; /* remote address to negotiate ph1 */ + struct sockaddr_storage *local; /* local address to negotiate ph1 */ /* XXX copy from rmconf due to anonymous configuration. * If anonymous will be forbidden, we do delete them. */ @@ -195,7 +197,8 @@ struct phase1handle { struct phase2handle { struct sockaddr_storage *src; /* my address of SA. */ struct sockaddr_storage *dst; /* peer's address of SA. */ - + nw_nat64_prefix_t nat64_prefix; /* nat64 prefix to apply to addresses. */ + /* * copy ip address from ID payloads when ID type is ip address. * In other case, they must be null. @@ -446,4 +449,8 @@ extern void ike_session_init_recvdpkt (void); extern void sweep_sleepwake (void); +extern uint32_t iph1_get_remote_v4_address(phase1_handle_t *iph1); + +extern uint32_t iph2_get_remote_v4_address(phase2_handle_t *iph2); + #endif /* _HANDLER_H */ diff --git a/ipsec-tools/racoon/ike_session.c b/ipsec-tools/racoon/ike_session.c index e40f898..184fbc8 100644 --- a/ipsec-tools/racoon/ike_session.c +++ b/ipsec-tools/racoon/ike_session.c 
@@ -1143,6 +1143,22 @@ ike_sessions_stopped_by_controller (struct sockaddr_storage *remote, } } +void +ike_session_purge_ph1s_by_session (ike_session_t *session) +{ + phase1_handle_t *iph1; + phase1_handle_t *next_iph1 = NULL; + + LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) { + plog(ASL_LEVEL_DEBUG, "deleteallph1 of given session: got a ph1 handler...\n"); + + vpncontrol_notify_ike_failed(VPNCTL_NTYPE_NO_PROPOSAL_CHOSEN, FROM_REMOTE, + iph1_get_remote_v4_address(iph1), 0, NULL); + + ike_session_unlink_phase1(iph1); + } +} + void ike_session_purge_ph2s_by_ph1 (phase1_handle_t *iph1) { diff --git a/ipsec-tools/racoon/ike_session.h b/ipsec-tools/racoon/ike_session.h index 9fe7510..2aa1076 100644 --- a/ipsec-tools/racoon/ike_session.h +++ b/ipsec-tools/racoon/ike_session.h @@ -149,6 +149,7 @@ extern void ike_session_cleanup_other_established_ph2s (ike_sessio extern void ike_session_stopped_by_controller (ike_session_t *, const char *); extern void ike_sessions_stopped_by_controller (struct sockaddr_storage *, int, const char *); extern void ike_session_purge_ph2s_by_ph1 (phase1_handle_t *); +extern void ike_session_purge_ph1s_by_session (ike_session_t *session); extern phase1_handle_t * ike_session_get_established_ph1 (ike_session_t *); extern phase1_handle_t * ike_session_get_established_or_negoing_ph1 (ike_session_t *); extern void ike_session_update_ph2_ports (phase2_handle_t *); diff --git a/ipsec-tools/racoon/ipsec_doi.c b/ipsec-tools/racoon/ipsec_doi.c index 2fc1c22..0de36fd 100644 --- a/ipsec-tools/racoon/ipsec_doi.c +++ b/ipsec-tools/racoon/ipsec_doi.c @@ -3667,6 +3667,7 @@ ipsecdoi_setid1(iph1) vchar_t *ret = NULL; struct ipsecdoi_id_b id_b; vchar_t *ident = NULL; + struct sockaddr_in v4_address; struct sockaddr_storage *ipid = NULL; /* init */ 
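Review bot: ike_session_purge_ph1s_by_session has a generic name but hard-codes `VPNCTL_NTYPE_NO_PROPOSAL_CHOSEN` / `FROM_REMOTE` for every Phase 1 it unlinks, and its debug line still says "deleteallph1 of given session", so a future caller with a different reason would silently misreport to the controller. Either take the notify type as a parameter or document the intent on the definition: `/* Tear down every Phase 1 of 'session' after the peer rejected our proposal; each handle is reported to the controller as NO_PROPOSAL_CHOSEN before ike_session_unlink_phase1 drops it. */`. Whether ike_session_unlink_phase1 frees the handle is not visible here, but LIST_FOREACH_SAFE is the right traversal if it does.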
@@ -3748,6 +3749,19 @@ ipsecdoi_setid1(iph1) if (ipid == NULL) ipid = iph1->local; + { + if (ipid->ss_family == AF_INET6 && + iph1->nat64_prefix.length) { + memset(&v4_address, 0, sizeof(v4_address)); + v4_address.sin_len = sizeof(struct sockaddr_in); + v4_address.sin_family = AF_INET; + v4_address.sin_port = ((struct sockaddr_in6 *)ipid)->sin6_port; + v4_address.sin_addr.s_addr = 0; + + ipid = ALIGNED_CAST(struct sockaddr_storage *)&v4_address; + } + } + /* use IP address */ switch (ipid->ss_family) { case AF_INET: @@ -3976,8 +3990,22 @@ ipsecdoi_setid2(iph2) return -1; } - iph2->id = ipsecdoi_sockaddr2id(&sp->spidx.src, - sp->spidx.prefs, sp->spidx.ul_proto); + struct sockaddr_in local_v4_address; + struct sockaddr_storage *srcaddr = &sp->spidx.src; + u_int8_t prefs = sp->spidx.prefs; + if (sp->spidx.dst.ss_family == AF_INET6 && + iph2->nat64_prefix.length) { + memset(&local_v4_address, 0, sizeof(local_v4_address)); + local_v4_address.sin_len = sizeof(struct sockaddr_in); + local_v4_address.sin_family = AF_INET; + local_v4_address.sin_port = ((struct sockaddr_in6 *)&sp->spidx.src)->sin6_port; + local_v4_address.sin_addr.s_addr = 0; + + srcaddr = ALIGNED_CAST(struct sockaddr_storage *)&local_v4_address; + prefs = 32; + } + iph2->id = ipsecdoi_sockaddr2id(srcaddr, + prefs, sp->spidx.ul_proto); if (iph2->id == NULL) { plog(ASL_LEVEL_ERR, "failed to get ID for %s\n", 
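Review bot: In ipsecdoi_setid2 the local-side NAT64 branch tests `sp->spidx.dst.ss_family == AF_INET6` but then reads `sp->spidx.src` through a `struct sockaddr_in6` cast to fetch `sin6_port`; the two selector endpoints are not shown to share a family here, so the condition should cover the object it reads: `if (sp->spidx.dst.ss_family == AF_INET6 && sp->spidx.src.ss_family == AF_INET6 && iph2->nat64_prefix.length) {`. The setid1 hunk above is consistent in this respect because it tests `ipid->ss_family` on the same pointer it casts. Both hunks substitute a zero `sin_addr` for the local identity, which looks deliberate for a host that only has a synthesized IPv6 address, but a one-line comment saying so (`/* no native IPv4 behind NAT64: advertise 0.0.0.0 as our ID */`) would save the next reader the guess. ipsecdoi_setid2 continues in the following hunk.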
@@ -4000,8 +4028,22 @@ ipsecdoi_setid2(iph2) s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type)); /* remote side */ - iph2->id_p = ipsecdoi_sockaddr2id(&sp->spidx.dst, - sp->spidx.prefd, sp->spidx.ul_proto); + struct sockaddr_in v4_address; + struct sockaddr_storage *dstaddr = &sp->spidx.dst; + u_int8_t prefd = sp->spidx.prefd; + if (sp->spidx.dst.ss_family == AF_INET6 && + iph2->nat64_prefix.length) { + memset(&v4_address, 0, sizeof(v4_address)); + v4_address.sin_len = sizeof(struct sockaddr_in); + v4_address.sin_family = AF_INET; + v4_address.sin_port = ((struct sockaddr_in6 *)&sp->spidx.dst)->sin6_port; + nw_nat64_extract_v4(&iph2->nat64_prefix, &((struct sockaddr_in6 *)&sp->spidx.dst)->sin6_addr, &v4_address.sin_addr); + + dstaddr = ALIGNED_CAST(struct sockaddr_storage *)&v4_address; + prefd = 32; + } + iph2->id_p = ipsecdoi_sockaddr2id(dstaddr, + prefd, sp->spidx.ul_proto); if (iph2->id_p == NULL) { plog(ASL_LEVEL_ERR, "failed to get ID for %s\n", @@ -4009,7 +4051,7 @@ ipsecdoi_setid2(iph2) VPTRINIT(iph2->id); return -1; } - plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "use remote ID type %s\n", + plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "use remote ID type %s\n", s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v)->type)); return 0; diff --git a/ipsec-tools/racoon/isakmp.c b/ipsec-tools/racoon/isakmp.c index 8a40905..d7d6941 100644 --- a/ipsec-tools/racoon/isakmp.c +++ b/ipsec-tools/racoon/isakmp.c @@ -715,7 +715,7 @@ ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct socka /* new negotiation of phase 1 for initiator */ int ikev1_ph1begin_i(ike_session_t *session, struct remoteconf *rmconf, struct sockaddr_storage *remote, - struct sockaddr_storage *local, int started_by_api) + struct sockaddr_storage *local, int started_by_api, nw_nat64_prefix_t *nat64_prefix) { phase1_handle_t *iph1; 
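Review bot: The remote-side branch of ipsecdoi_setid2 ignores the return value of nw_nat64_extract_v4, so when extraction fails `v4_address.sin_addr` keeps the zero from the memset and the peer ID is silently built as 0.0.0.0/32 instead of the negotiation being aborted; elsewhere in this commit (handler.c) the same call is checked. Fold the check into the existing error path: `if (!nw_nat64_extract_v4(&iph2->nat64_prefix, &((struct sockaddr_in6 *)&sp->spidx.dst)->sin6_addr, &v4_address.sin_addr)) { plog(ASL_LEVEL_ERR, "failed to extract IPv4 peer address for ID\n"); VPTRINIT(iph2->id); return -1; }`. The `plogdump` fix from `iph2->id` to `iph2->id_p` in the last hunk is a genuine pre-existing bug fix and is fine. ipsecdoi_setid2 starts before this hunk.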
@@ -740,6 +740,9 @@ ikev1_ph1begin_i(ike_session_t *session, struct remoteconf *rmconf, struct socka retain_rmconf(iph1->rmconf); iph1->side = INITIATOR; iph1->started_by_api = started_by_api; + if (nat64_prefix != NULL) { + memcpy(&iph1->nat64_prefix, nat64_prefix, sizeof(*nat64_prefix)); + } iph1->version = ISAKMP_VERSION_NUMBER_IKEV1; iph1->msgid = 0; iph1->flags = 0; @@ -978,6 +981,7 @@ ikev1_ph2begin_i(phase1_handle_t *iph1, phase2_handle_t *iph2) #endif iph2->is_dying = 0; + memcpy(&iph2->nat64_prefix, &iph1->nat64_prefix, sizeof(iph2->nat64_prefix)); fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_START); IPSECLOGASLMSG("IPSec Phase 2 started (Initiated by me).\n"); @@ -1080,6 +1084,7 @@ ikev1_ph2begin_r(phase1_handle_t *iph1, vchar_t *msg) if (ike_session_link_ph2_to_ph1(iph1, iph2)) return -1; iph2->is_dying = 0; + memcpy(&iph2->nat64_prefix, &iph1->nat64_prefix, sizeof(iph2->nat64_prefix)); plog(ASL_LEVEL_DEBUG, "===\n"); { @@ -1476,7 +1481,16 @@ isakmp_open(void) /* receive my interface address on inbound packets. */ switch (p->addr->ss_family) { - case AF_INET: + case AF_INET: { + int ifindex = if_nametoindex(p->ifname); + if (ifindex != 0 && + setsockopt(p->sock, IPPROTO_IP, + IP_BOUND_IF, &ifindex, sizeof(ifindex)) < 0) { + plog(ASL_LEVEL_ERR, + "setsockopt IP_BOUND_IF (%s)\n", + strerror(errno)); + goto err_and_next; + } if (setsockopt(p->sock, IPPROTO_IP, IP_RECVDSTADDR, (const void *)&yes, sizeof(yes)) < 0) { 
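Review bot: In isakmp_open the new IP_BOUND_IF block (and its IPV6_BOUND_IF twin on the next hunk) treats `if_nametoindex(p->ifname) == 0` as "skip binding" with no log, so a listener whose configured interface name no longer resolves quietly stays bound to all interfaces, which is the opposite of what the option is there for and hard to spot later. A debug line in the zero case makes the fallback visible: `if (ifindex == 0) plog(ASL_LEVEL_DEBUG, "no ifindex for %s, not binding socket to interface\n", p->ifname);`. Whether `p->ifname` can be empty for listeners that never had an interface is not visible here; if it can, the silent skip is intended for that case and the log should say so. The enclosing switch continues into the next hunk.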
@@ -1486,13 +1500,23 @@ isakmp_open(void) goto err_and_next; } break; + } #ifdef INET6 - case AF_INET6: + case AF_INET6: { #ifdef INET6_ADVAPI pktinfo = IPV6_RECVPKTINFO; #else pktinfo = IPV6_RECVDSTADDR; #endif + int ifindex = if_nametoindex(p->ifname); + if (ifindex != 0 && + setsockopt(p->sock, IPPROTO_IPV6, + IPV6_BOUND_IF, &ifindex, sizeof(ifindex)) < 0) { + plog(ASL_LEVEL_ERR, + "setsockopt IPV6_BOUND_IF (%s)\n", + strerror(errno)); + goto err_and_next; + } if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo, (const void *)&yes, sizeof(yes)) < 0) { @@ -1502,6 +1526,7 @@ isakmp_open(void) goto err_and_next; } break; + } #endif } @@ -2084,7 +2109,7 @@ int ignore_sess_drop_policy; plog(ASL_LEVEL_DEBUG, "Begin Phase 1 rekey.\n"); /* start phase 1 negotiation as a initiator. */ - if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) { + if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0, &iph1->nat64_prefix) < 0) { plog(ASL_LEVEL_DEBUG, "Phase 1 rekey Failed.\n"); } iph1->is_rekey = TRUE; @@ -2154,7 +2179,7 @@ phase1_handle_t *iph1; plog(ASL_LEVEL_DEBUG, "begin Phase 1 rekey retry.\n"); /* start phase 1 negotiation as a initiator. */ - if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) { + if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0, &iph1->nat64_prefix) < 0) { plog(ASL_LEVEL_DEBUG, "Phase 1 rekey retry Failed.\n"); return -1; } @@ -2368,7 +2393,7 @@ isakmp_post_acquire(phase2_handle_t *iph2) return 0; } - if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { + if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0, &iph2->nat64_prefix) < 0) { plog(ASL_LEVEL_INFO, "Request for Phase 1 failed. Will try later.\n"); } 
@@ -2519,7 +2544,7 @@ isakmp_chkph1there(iph2) struct remoteconf *rmconf = getrmconf(iph2->dst); /* start phase 1 negotiation as a initiator. */ if (rmconf) { - if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { + if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0, iph1 != NULL ? &iph1->nat64_prefix : NULL) < 0) { plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n"); } } else if (rmconf == NULL) { diff --git a/ipsec-tools/racoon/isakmp_inf.c b/ipsec-tools/racoon/isakmp_inf.c index f90ac07..ea0e34b 100644 --- a/ipsec-tools/racoon/isakmp_inf.c +++ b/ipsec-tools/racoon/isakmp_inf.c @@ -198,6 +198,7 @@ isakmp_info_recv(phase1_handle_t *iph1, vchar_t *msg0) u_int8_t np; int encrypted; int flag = 0; + int disconnect = 0; plog(ASL_LEVEL_DEBUG, "receive Information.\n"); @@ -348,6 +349,7 @@ isakmp_info_recv(phase1_handle_t *iph1, vchar_t *msg0) (iph1->side == RESPONDER && iph1->status == IKEV1_STATE_AGG_R_MSG3RCVD))) { break; } + /*FALLTHRU*/ case ISAKMP_ETYPE_IDENT: if (!FSM_STATE_IS_ESTABLISHED(iph1->status) && ((iph1->side == INITIATOR && (iph1->status == IKEV1_STATE_IDENT_I_MSG5SENT @@ -357,9 +359,16 @@ isakmp_info_recv(phase1_handle_t *iph1, vchar_t *msg0) } /*FALLTHRU*/ default: + if ((np == ISAKMP_NPTYPE_NONE) && + !FSM_STATE_IS_ESTABLISHED(iph1->status) && + (iph1->side == INITIATOR && (iph1->status == IKEV1_STATE_AGG_I_MSG1SENT))) { + // proposal rejected by peer, terminate now. + disconnect = 1; + } + plog(ASL_LEVEL_ERR, - "%s message must be encrypted\n", - s_isakmp_nptype(np)); + "%s message must be encrypted, status 0x%x, side %d\n", + s_isakmp_nptype(np), iph1->status, iph1->side); error = 0; goto end; } 
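Review bot: In the `default:` arm of isakmp_info_recv the new `disconnect = 1` decision is taken on a message that reached this branch precisely because it is not encrypted, at a point (AGG_I_MSG1SENT) where no keying material exists, so the only thing tying the packet to this `iph1` is whatever cookie matching happens before isakmp_info_recv is called (outside the hunk). That is an inherent IKEv1 limitation rather than a bug, but the trade-off of aborting the negotiation on one unauthenticated empty informational, instead of letting retransmission run, deserves a comment next to the assignment: `/* Unencrypted, payload-less informational while waiting for AGG msg 2: treat as the peer rejecting our proposal. Only the initiator cookie binds this packet to the SA, so this is a best-effort fast-fail, not an authenticated signal. */`. The enclosing switch and function begin before this hunk.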
@@ -379,6 +388,16 @@ isakmp_info_recv(phase1_handle_t *iph1, vchar_t *msg0) /* Handled above */ break; case ISAKMP_NPTYPE_N: + if ((ntohs(((struct isakmp_pl_n *)pa->ptr)->type) == ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN) && + !FSM_STATE_IS_ESTABLISHED(iph1->status) && + (iph1->side == INITIATOR && (iph1->status == IKEV1_STATE_AGG_I_MSG1SENT))) { + // proposal rejected by peer, terminate now. + disconnect = 1; + plog(ASL_LEVEL_ERR, + "%s message with %s notification receveid, status 0x%x, side %d\n", + s_isakmp_nptype(np), s_isakmp_notify_msg(ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN), iph1->status, iph1->side); + break; + } error = isakmp_info_recv_n(iph1, (struct isakmp_pl_n *)pa->ptr, msgid, encrypted); @@ -424,6 +443,17 @@ end: vfree(msg); if (pbuf != NULL) vfree(pbuf); + if (disconnect) { + ike_session_t *session = NULL; + + if (session = iph1->parent_session) { + gettimeofday(&session->stop_timestamp, NULL); + if (!session->term_reason) { + session->term_reason = ike_session_stopped_by_peer; + } + ike_session_purge_ph1s_by_session(session); + } + } return error; } @@ -556,15 +586,11 @@ isakmp_info_recv_n(phase1_handle_t *iph1, struct isakmp_pl_n *notify, u_int32_t static void isakmp_info_vpncontrol_notify_ike_failed (phase1_handle_t *iph1, int isakmp_info_initiator, int type, vchar_t *data) { - u_int32_t address; + u_int32_t address = iph1_get_remote_v4_address(iph1); u_int32_t fail_reason; /* notify the API that we have received the delete */ - if (iph1->remote->ss_family == AF_INET) - address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr; - else - address = 0; - + if (isakmp_info_initiator == FROM_REMOTE) { int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE); int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED); 
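Review bot: In the `ISAKMP_NPTYPE_N` arm the new code dereferences `((struct isakmp_pl_n *)pa->ptr)->type` before isakmp_info_recv_n gets a chance to validate the payload length, which it previously did for every notify reaching this case; unless the parser that filled `pa` already guarantees `pa->len >= sizeof(struct isakmp_pl_n)` (not visible here), the length test should precede the read: `if (pa->len >= sizeof(struct isakmp_pl_n) && ntohs(((struct isakmp_pl_n *)pa->ptr)->type) == ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN && ...`. The log message also misspells "received" as "receveid". As with the matching check in the `default:` arm, this acts on a notify that cannot yet be authenticated; the `break` skipping isakmp_info_recv_n is fine because the session is purged at `end:` anyway.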
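Review bot: The purge block added after `end:` uses an assignment as the condition, `if (session = iph1->parent_session)`, which compilers flag as a probable `==` typo and which the rest of this hunk's style (explicit comparisons) does not do; write it as `session = iph1->parent_session;` followed by `if (session != NULL) {`. Since ike_session_purge_ph1s_by_session unlinks (and presumably frees) `iph1` itself, nothing after the block may touch `iph1`; the `return error;` that follows is fine, but the caller's handling of the handle after a return from isakmp_info_recv is outside this hunk and worth confirming.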
@@ -1839,11 +1865,6 @@ isakmp_info_recv_lb(phase1_handle_t *iph1, struct isakmp_pl_lb *n, int encrypted "LOAD-BALANCE notification ignored - we are not the initiator.\n"); return 0; } - if (iph1->remote->ss_family != AF_INET) { - plog(ASL_LEVEL_DEBUG, - "LOAD-BALANCE notification ignored - only supported for IPv4.\n"); - return 0; - } if (!encrypted) { plog(ASL_LEVEL_DEBUG, "LOAD-BALANCE notification ignored - not protected.\n"); @@ -1853,9 +1874,10 @@ isakmp_info_recv_lb(phase1_handle_t *iph1, struct isakmp_pl_lb *n, int encrypted plog(ASL_LEVEL_DEBUG, "Invalid length of payload\n"); return -1; - } + } + vpncontrol_notify_ike_failed(ISAKMP_NTYPE_LOAD_BALANCE, FROM_REMOTE, - ((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr, 4, (u_int8_t*)(&(n->address))); + iph1_get_remote_v4_address(iph1), 4, (u_int8_t*)(&(n->address))); plog(ASL_LEVEL_NOTICE, "Received LOAD_BALANCE notification.\n"); @@ -2011,18 +2033,12 @@ isakmp_info_send_r_u(void *arg) } if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) { - u_int32_t address; - IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT, CONSTSTR("DPD maximum retransmits"), CONSTSTR("maxed-out of DPD requests without receiving an ack")); - if (iph1->remote->ss_family == AF_INET) - address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; - else - address = 0; - (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PEER_DEAD, FROM_LOCAL, address, 0, NULL); + (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PEER_DEAD, FROM_LOCAL, iph1_get_remote_v4_address(iph1), 0, NULL); purge_remote(iph1); plog(ASL_LEVEL_DEBUG, diff --git a/ipsec-tools/racoon/isakmp_var.h b/ipsec-tools/racoon/isakmp_var.h index d3d60a5..8a4993d 100644 --- a/ipsec-tools/racoon/isakmp_var.h +++ b/ipsec-tools/racoon/isakmp_var.h @@ -35,6 +35,7 @@ #include "vmbuf.h" #include "racoon_types.h" #include +#include #define PORT_ISAKMP 500 #define PORT_ISAKMP_NATT 4500 
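Review bot: Dropping the IPv4-only guard in isakmp_info_recv_lb changes behaviour for a native IPv6 peer without a NAT64 prefix: iph1_get_remote_v4_address logs an error and returns 0 for that case, and the next hunk then still sends the LOAD_BALANCE notification to the controller with address 0 where before it was ignored. Keep the early return on the helper's sentinel instead: `u_int32_t address = iph1_get_remote_v4_address(iph1);` then `if (address == 0) { plog(ASL_LEVEL_DEBUG, "LOAD-BALANCE notification ignored - no IPv4 peer address.\n"); return 0; }` and pass `address` to vpncontrol_notify_ike_failed. The same pattern applies to the DPD hunk below, where a 0 address is reported as PEER_DEAD, though there the notification is at least still meaningful. isakmp_info_recv_lb's signature is above the hunk.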
@@ -62,7 +63,7 @@ struct isakmp_pl_nonce; /* XXX */ extern void isakmp_handler (int); extern int ikev1_ph1begin_i (ike_session_t *session, struct remoteconf *, struct sockaddr_storage *, - struct sockaddr_storage *, int); + struct sockaddr_storage *, int, nw_nat64_prefix_t *); extern int get_sainfo_r (phase2_handle_t *); extern int get_proposal_r (phase2_handle_t *); diff --git a/ipsec-tools/racoon/isakmp_xauth.c b/ipsec-tools/racoon/isakmp_xauth.c index ab4855f..d2e8d02 100644 --- a/ipsec-tools/racoon/isakmp_xauth.c +++ b/ipsec-tools/racoon/isakmp_xauth.c @@ -816,9 +816,9 @@ isakmp_xauth_set(iph1, attr) CONSTSTR("Xauth Failed (status not ok)")); plog(ASL_LEVEL_ERR, "Xauth authentication failed\n"); - + vpncontrol_notify_ike_failed(VPNCTL_NTYPE_AUTHENTICATION_FAILED, FROM_LOCAL, - ((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr, 0, NULL); + iph1_get_remote_v4_address(iph1), 0, NULL); iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1; diff --git a/ipsec-tools/racoon/localconf.h b/ipsec-tools/racoon/localconf.h index c2284da..e1489cc 100644 --- a/ipsec-tools/racoon/localconf.h +++ b/ipsec-tools/racoon/localconf.h @@ -36,6 +36,7 @@ #include #endif #include +#include #include "vmbuf.h" #include "ipsec_doi.h" @@ -83,6 +84,7 @@ struct vpnctl_socket_elem { struct bound_addr { LIST_ENTRY(bound_addr) chain; u_int32_t address; + nw_nat64_prefix_t nat64_prefix; vchar_t *user_id; vchar_t *user_pw; vchar_t *version; /* our version string - if present */ diff --git a/ipsec-tools/racoon/oakley.c b/ipsec-tools/racoon/oakley.c index 6fbd832..dc9f4fe 100644 --- a/ipsec-tools/racoon/oakley.c +++ b/ipsec-tools/racoon/oakley.c 
@@ -1626,19 +1626,14 @@ oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (phase1_handle_t *iph1, in int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE); int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED); if (premature || expired) { - u_int32_t address; u_int32_t fail_reason; - if (iph1->remote->ss_family == AF_INET) - address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr; - else - address = 0; if (premature) { fail_reason = VPNCTL_NTYPE_LOCAL_CERT_PREMATURE; } else { fail_reason = VPNCTL_NTYPE_LOCAL_CERT_EXPIRED; } - vpncontrol_notify_ike_failed(fail_reason, notify_initiator, address, 0, NULL); + vpncontrol_notify_ike_failed(fail_reason, notify_initiator, iph1_get_remote_v4_address(iph1), 0, NULL); return -1; } #endif /* TARGET_OS_EMBEDDED */ diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index 63c61dd..009acf0 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c @@ -1618,12 +1618,6 @@ pk_recvadd(mhp) #ifdef ENABLE_VPNCONTROL_PORT { - u_int32_t address; - - if (iph2->dst->ss_family == AF_INET) - address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr; - else - address = 0; vpncontrol_notify_phase_change(0, FROM_LOCAL, NULL, iph2); } #endif @@ -1904,6 +1898,7 @@ pk_recvacquire(mhp) iph2->satype = msg->sadb_msg_satype; iph2->seq = msg->sadb_msg_seq; + vpncontrol_set_nat64_prefix(&iph2->nat64_prefix); /* set end addresses of SA */ // Wcast_align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer iph2->src = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC])); diff --git a/ipsec-tools/racoon/remoteconf.c b/ipsec-tools/racoon/remoteconf.c index aea9b0b..3fca302 100644 --- a/ipsec-tools/racoon/remoteconf.c +++ b/ipsec-tools/racoon/remoteconf.c 
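Review bot: In pk_recvacquire the return value of `vpncontrol_set_nat64_prefix(&iph2->nat64_prefix)` is ignored; the function (vpn_control.c in this commit) only writes `*prefix` when it finds a non-empty prefix, so on a false return the field keeps whatever the allocator left, which is only safe if `iph2` comes from a zeroing allocation, and that allocation is not visible in this hunk. Making the "no prefix" outcome explicit removes the dependency: `if (!vpncontrol_set_nat64_prefix(&iph2->nat64_prefix)) { memset(&iph2->nat64_prefix, 0, sizeof(iph2->nat64_prefix)); }`. The removal of the dead `address` computation in pk_recvadd above is correct.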
@@ -80,6 +80,7 @@ #include "nattraversal.h" #include "isakmp_frag.h" #include "genlist.h" +#include "vpn_control_var.h" static TAILQ_HEAD(_rmtree, remoteconf) rmtree; @@ -244,7 +245,28 @@ struct remoteconf * getrmconf(remote) struct sockaddr_storage *remote; { - return getrmconf_strict(remote, 1); + struct remoteconf *rmconf = getrmconf_strict(remote, 1); + if (rmconf != NULL) { + return rmconf; + } + if (remote->ss_family == AF_INET6) { + struct sockaddr_in v4dst; + v4dst.sin_family = AF_INET; + v4dst.sin_len = sizeof(struct sockaddr_in); + v4dst.sin_port = 0; + + nw_nat64_prefix_t nat64_prefix; + if (vpncontrol_set_nat64_prefix(&nat64_prefix)) { + nw_nat64_extract_v4(&nat64_prefix, &((struct sockaddr_in6 *)remote)->sin6_addr, &v4dst.sin_addr); + + rmconf = getrmconf(ALIGNED_CAST(struct sockaddr_storage *)&v4dst); + if (rmconf != NULL) { + return rmconf; + } + } + } + + return NULL; } struct remoteconf * diff --git a/ipsec-tools/racoon/sockmisc.c b/ipsec-tools/racoon/sockmisc.c index 33222c5..2bb1bef 100644 --- a/ipsec-tools/racoon/sockmisc.c +++ b/ipsec-tools/racoon/sockmisc.c @@ -363,7 +363,7 @@ struct sockaddr_storage * getlocaladdr(struct sockaddr *remote) { struct sockaddr_storage *local; - u_int local_len = sizeof(struct sockaddr); + u_int local_len = sizeof(struct sockaddr_storage); int s; /* for dummy connection */ /* allocate buffer */ diff --git a/ipsec-tools/racoon/vpn.c b/ipsec-tools/racoon/vpn.c index 29f6aef..0548429 100644 --- a/ipsec-tools/racoon/vpn.c +++ b/ipsec-tools/racoon/vpn.c @@ -132,7 +132,7 @@ vpn_connect(struct bound_addr *srv, int oper) goto out; ((struct sockaddr_in *)(dst))->sin_len = sizeof(struct sockaddr_in); ((struct sockaddr_in *)(dst))->sin_family = AF_INET; - ((struct sockaddr_in *)(dst))->sin_port = 500; + ((struct sockaddr_in *)(dst))->sin_port = PORT_ISAKMP; ((struct sockaddr_in *)(dst))->sin_addr.s_addr = srv->address; /* find appropreate configuration */ 
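Review bot: In the NAT64 fallback of getrmconf, `v4dst` is only partly filled (`sin_zero` is never set) and the return value of nw_nat64_extract_v4 is discarded, so on an extraction failure the recursive `getrmconf` call is made with an indeterminate `sin_addr`, which may still match an anonymous remote config. Zero-initialize and gate on the result: `struct sockaddr_in v4dst = { .sin_len = sizeof(v4dst), .sin_family = AF_INET };` and `if (vpncontrol_set_nat64_prefix(&nat64_prefix) && nw_nat64_extract_v4(&nat64_prefix, &((struct sockaddr_in6 *)remote)->sin6_addr, &v4dst.sin_addr)) {`. Note also that vpncontrol_set_nat64_prefix returns the first prefix found on any bound address of any control socket, so with several controllers the mapping is not tied to the client being looked up; that should be documented on this call. The recursion terminates because the synthesized address is AF_INET.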
@@ -156,7 +156,15 @@ vpn_connect(struct bound_addr *srv, int oper) plog(ASL_LEVEL_ERR, "cannot get local address\n"); goto out1; } - + + if (srv->nat64_prefix.length > 0) { + memset(dst, 0, sizeof(*dst)); + ((struct sockaddr_in6 *)(dst))->sin6_len = sizeof(struct sockaddr_in6); + ((struct sockaddr_in6 *)(dst))->sin6_family = AF_INET6; + ((struct sockaddr_in6 *)(dst))->sin6_port = PORT_ISAKMP; + nw_nat64_synthesize_v6(&srv->nat64_prefix, (struct in_addr *)&srv->address, &((struct sockaddr_in6 *)(dst))->sin6_addr); + } + /* get remote IP address and port number. */ if ((remote = dupsaddr(dst)) == NULL) { plog(ASL_LEVEL_ERR, @@ -193,7 +201,7 @@ vpn_connect(struct bound_addr *srv, int oper) IPSECLOGASLMSG("IPSec connecting to server %s\n", saddrwop2str((struct sockaddr *)remote)); - if (ikev1_ph1begin_i(NULL, rmconf, remote, local, oper) < 0) + if (ikev1_ph1begin_i(NULL, rmconf, remote, local, oper, &srv->nat64_prefix) < 0) goto out1; error = 0; @@ -262,7 +270,7 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt) saddr.sin_addr.s_addr = addr->address; saddr.sin_port = 0; saddr.sin_family = AF_INET; - ph1 = ike_session_getph1bydstaddrwop(NULL, (struct sockaddr_storage *)(&saddr)); + ph1 = ike_session_getph1bydstaddrwop(NULL, ALIGNED_CAST(struct sockaddr_storage *)(&saddr)); if (ph1 == NULL) { plog(ASL_LEVEL_ERR, "Cannot start Phase 2 - no Phase 1 found.\n"); @@ -445,11 +453,11 @@ vpn_get_config(phase1_handle_t *iph1, struct vpnctl_status_phase_change **msg, s *msg = NULL; msize = 0; - if (((struct sockaddr_in *)iph1->local)->sin_family != AF_INET) { + /*if (((struct sockaddr_in *)iph1->local)->sin_family != AF_INET) { plog(ASL_LEVEL_ERR, "IPv6 not supported for mode config.\n"); return -1; - } + }*/ if (iph1->mode_cfg->attr_list == NULL) return 1; /* haven't received configuration yet */ 
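Review bot: In vpn_connect the NAT64 block calls nw_nat64_synthesize_v6 without checking its result; if it can fail the way its nw_nat64_extract_v4 counterpart does, `dst` is then an AF_INET6 address of all zeros (from the preceding memset) and the connection attempt proceeds to `::`. Guard it like the other failures in this function: `if (!nw_nat64_synthesize_v6(&srv->nat64_prefix, (struct in_addr *)&srv->address, &((struct sockaddr_in6 *)(dst))->sin6_addr)) { plog(ASL_LEVEL_ERR, "cannot synthesize NAT64 peer address\n"); goto out1; }`. Two things to confirm outside the hunk: `memset(dst, 0, sizeof(*dst))` only fits a `sockaddr_in6` if `dst` is declared as a full `struct sockaddr_storage`, and `sin6_port = PORT_ISAKMP` is stored without htons exactly as the existing v4 line does, so either both rely on a later conversion or both carry the same byte-order issue. The `rmconf` looked up earlier against the IPv4 `dst` is kept for the IPv6 `remote`, which appears intended.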
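Review bot: In vpn_get_config the IPv6 rejection is disabled by wrapping it in `/* ... */` rather than deleting it, and the next hunk then only fills `params->outer_local_addr` when the local address is AF_INET, so for an IPv6 Phase 1 the controller receives whatever the allocation of `*msg` left in that field unless it is zeroed (the allocation is outside this hunk). Delete the commented-out block and replace it with the reason: `/* IPv6 outer addresses are allowed here since NAT64 support; outer_local_addr is only meaningful for AF_INET and stays 0 otherwise. */`, and make the "stays 0" part true with an explicit `else params->outer_local_addr = 0;` in the following hunk if the buffer is not calloc'd.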
@@ -474,7 +482,9 @@ vpn_get_config(phase1_handle_t *iph1, struct vpnctl_status_phase_change **msg, s (*msg)->hdr.flags = htons(VPNCTL_FLAG_MODECFG_USED); params = (struct vpnctl_modecfg_params *)(*msg + 1); - params->outer_local_addr = ((struct sockaddr_in *)iph1->local)->sin_addr.s_addr; + if (((struct sockaddr_in *)iph1->local)->sin_family == AF_INET) { + params->outer_local_addr = ((struct sockaddr_in *)iph1->local)->sin_addr.s_addr; + } params->outer_remote_port = htons(0); params->outer_local_port = htons(0); ifname_len = strlen(myaddr->ifname); @@ -509,7 +519,7 @@ vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len) saddr.sin_addr.s_addr = address; saddr.sin_port = 0; saddr.sin_family = AF_INET; - iph1 = ike_session_getph1bydstaddrwop(NULL, (struct sockaddr_storage *)(&saddr)); + iph1 = ike_session_getph1bydstaddrwop(NULL, ALIGNED_CAST(struct sockaddr_storage *)(&saddr)); if (iph1 == NULL) { plog(ASL_LEVEL_ERR, "Cannot reply to xauth request - no ph1 found.\n"); diff --git a/ipsec-tools/racoon/vpn_control.c b/ipsec-tools/racoon/vpn_control.c index c26b310..35be491 100644 --- a/ipsec-tools/racoon/vpn_control.c +++ b/ipsec-tools/racoon/vpn_control.c @@ -445,7 +445,21 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) } } break; - + + case VPNCTL_CMD_SET_NAT64_PREFIX: + { + struct vpnctl_cmd_set_nat64_prefix *pkt = ALIGNED_CAST(struct vpnctl_cmd_set_nat64_prefix *)combuf; + struct bound_addr *addr; + struct bound_addr *t_addr; + + plog(ASL_LEVEL_DEBUG, + "received set v6 prefix of len %u command on vpn control socket, adding to all addresses.\n", pkt->nat64_prefix.length); + LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) { + memcpy(&addr->nat64_prefix, &pkt->nat64_prefix, sizeof(addr->nat64_prefix)); + } + } + break; + case VPNCTL_CMD_CONNECT: { struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf; 
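Review bot: The VPNCTL_CMD_SET_NAT64_PREFIX arm of vpncontrol_process reads `pkt->nat64_prefix` straight out of `combuf` without a visible check that the command body is at least `sizeof(struct vpnctl_cmd_set_nat64_prefix)`, and it copies `nat64_prefix.length` into every bound address without checking it against the prefix lengths the nw_nat64 helpers accept; the neighbouring VPNCTL_CMD_CONNECT arm does the same cast, so a shared length check in the dispatcher (outside this hunk) may already cover it, but that should be confirmed since this is the parsing boundary for the control socket. If it is not, add before the loop: `if (ntohs(pkt->hdr.len) < sizeof(*pkt) - sizeof(struct vpnctl_hdr)) { plog(ASL_LEVEL_ERR, "short set_nat64_prefix command\n"); break; }`. LIST_FOREACH_SAFE is not needed here because the loop does not remove entries; plain LIST_FOREACH reads more honestly.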
@@ -550,7 +564,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf) daddr.sin_port = 0; daddr.sin_family = AF_INET; - error = vpn_assert((struct sockaddr_storage *)&saddr, (struct sockaddr_storage *)&daddr); + error = vpn_assert(ALIGNED_CAST(struct sockaddr_storage *)&saddr, ALIGNED_CAST(struct sockaddr_storage *)&daddr); break; // } // } @@ -606,6 +620,23 @@ vpncontrol_reply(int so, char *combuf) return 0; } +bool +vpncontrol_set_nat64_prefix(nw_nat64_prefix_t *prefix) +{ + struct vpnctl_socket_elem *sock_elem; + struct bound_addr *bound_addr; + + LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) { + LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) { + if (bound_addr->nat64_prefix.length != 0) { + memcpy(prefix, &bound_addr->nat64_prefix, sizeof(*prefix)); + return true; + } + } + } + return false; +} + int vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t attr_len) { @@ -630,11 +661,11 @@ vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t a return -1; } msg->hdr.flags = 0; - - if (iph1->remote->ss_family == AF_INET) - address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; - else - goto end; // for now + + address = iph1_get_remote_v4_address(iph1); + if (address == 0) { + goto end; + } msg->hdr.cookie = msg->hdr.reserved = msg->hdr.result = 0; msg->hdr.len = htons((msg_size) - sizeof(struct vpnctl_hdr)); @@ -643,7 +674,7 @@ vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t a } else { msg->hdr.msg_type = htons(VPNCTL_STATUS_NEED_REAUTHINFO); } - msg->address = address; + msg->address = iph1_get_remote_v4_address(iph1); ptr = msg + 1; memcpy(ptr, attr_list, attr_len); 
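Review bot: vpncontrol_set_nat64_prefix is named as a setter but copies a prefix out into the caller's buffer, which already confuses the call sites in this commit (pk_recvacquire passes `&iph2->nat64_prefix` as if assigning it). Since the prototype is new in vpn_control_var.h, renaming to `vpncontrol_get_nat64_prefix` is cheap now; failing that, document the contract on the definition: `/* Copies the first non-empty NAT64 prefix found on any bound address of any control socket into *prefix and returns true; leaves *prefix untouched and returns false when none is set. */`. The "first found across all sockets" semantics also means the result is not tied to a particular client or session, which callers should be aware of.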
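Review bot: In vpncontrol_notify_need_authinfo the last hunk assigns `msg->address = iph1_get_remote_v4_address(iph1);` although the hunk just above stores that same result in `address` and already bails out via `goto end` when it is 0, so the second call is redundant work (and a second chance for the helper's error logging). Use the local: `msg->address = address;`. The function's body extends beyond both hunks.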
@@ -767,19 +798,21 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1, return -1; } if (iph1) { - if (iph1->remote->ss_family == AF_INET) - address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr; - else - goto end; // for now + address = iph1_get_remote_v4_address(iph1); + if (address == 0) { + plog(ASL_LEVEL_ERR, "bad address for ph1 status change.\n"); + goto end; + } msg->hdr.msg_type = htons(start ? (from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER) : VPNCTL_STATUS_PH1_ESTABLISHED); // TODO: indicate version } else { - if (iph2->dst->ss_family == AF_INET) - address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr; - else - goto end; // for now + address = iph2_get_remote_v4_address(iph2); + if (address == 0) { + plog(ASL_LEVEL_ERR, "bad address for ph2 status change.\n"); + goto end; + } msg->hdr.msg_type = htons(start ? VPNCTL_STATUS_PH2_START : VPNCTL_STATUS_PH2_ESTABLISHED); // TODO: indicate version } 
@@ -851,43 +884,29 @@ vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address)
 int
 vpncontrol_notify_peer_resp_ph1 (u_int16_t notify_code, phase1_handle_t *iph1)
 {
- u_int32_t address;
- int rc;
-
 if (iph1 && iph1->parent_session && iph1->parent_session->controller_awaiting_peer_resp) {
- if (iph1->remote->ss_family == AF_INET)
- address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
- else
- address = 0;
+ int rc;
+ if ((rc = vpncontrol_notify_peer_resp(notify_code, iph1_get_remote_v4_address(iph1))) == 0) {
+ iph1->parent_session->controller_awaiting_peer_resp = 0;
+ }
+ return rc;
 } else {
 return 0;
 }
-
- if ((rc = vpncontrol_notify_peer_resp(notify_code, address)) == 0) {
- iph1->parent_session->controller_awaiting_peer_resp = 0;
- }
- return rc;
 }
 int
 vpncontrol_notify_peer_resp_ph2 (u_int16_t notify_code, phase2_handle_t *iph2)
 {
- u_int32_t address;
- int rc;
-
 if (iph2 && iph2->parent_session && iph2->parent_session->controller_awaiting_peer_resp) {
- if (iph2->dst->ss_family == AF_INET)
- address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
- else
- address = 0;
+ int rc;
+ if ((rc = vpncontrol_notify_peer_resp(notify_code, iph2_get_remote_v4_address(iph2))) == 0) {
+ iph2->parent_session->controller_awaiting_peer_resp = 0;
+ }
+ return rc;
 } else {
 return 0;
 }
-
- if ((rc = vpncontrol_notify_peer_resp(notify_code, address)) == 0) {
- iph2->parent_session->controller_awaiting_peer_resp = 0;
- }
- return rc;
 }
 int
diff --git a/ipsec-tools/racoon/vpn_control.h b/ipsec-tools/racoon/vpn_control.h
index 54144e5..33c18a2 100644
--- a/ipsec-tools/racoon/vpn_control.h
+++ b/ipsec-tools/racoon/vpn_control.h
@@ -56,6 +56,7 @@
 #include "algorithm_types.h"
 #include
+#include
 #define VPNCONTROLSOCK_PATH ADMINPORTDIR "/vpncontrol.sock"
@@ -83,6 +84,7 @@ extern mode_t vpncontrolsock_mode;
 #define VPNCTL_CMD_START_DPD 0x0015
 #define VPNCTL_CMD_ASSERT 0x0016
 #define VPNCTL_CMD_RECONNECT 0x0017
+#define VPNCTL_CMD_SET_NAT64_PREFIX 0x0018
 #define VPNCTL_STATUS_IKE_FAILED 0x8001
 #define VPNCTL_STATUS_PH1_START_US 0x8011
 #define VPNCTL_STATUS_PH1_START_PEER 0x8012
@@ -201,11 +203,16 @@ struct vpnctl_cmd_unbind {
 /* connect to specified address */
-struct vpnctl_cmd_connect{
+struct vpnctl_cmd_connect {
 struct vpnctl_hdr hdr;
 u_int32_t address;
 };
+struct vpnctl_cmd_set_nat64_prefix {
+ struct vpnctl_hdr hdr;
+ nw_nat64_prefix_t nat64_prefix;
+};
+
 struct vpnctl_sa_selector {
 u_int32_t src_tunnel_address;
 u_int32_t src_tunnel_mask;
diff --git a/ipsec-tools/racoon/vpn_control_var.h b/ipsec-tools/racoon/vpn_control_var.h
index e5b681c..ee9b47f 100644
--- a/ipsec-tools/racoon/vpn_control_var.h
+++ b/ipsec-tools/racoon/vpn_control_var.h
@@ -79,5 +79,6 @@ extern int vpncontrol_notify_need_authinfo (phase1_handle_t *, void*, size_t);
 extern int vpncontrol_notify_peer_resp_ph1 (u_int16_t, phase1_handle_t*);
 extern int vpncontrol_notify_peer_resp_ph2 (u_int16_t, phase2_handle_t*);
 extern int vpn_assert (struct sockaddr_storage *, struct sockaddr_storage *);
+extern bool vpncontrol_set_nat64_prefix(nw_nat64_prefix_t *prefix);
 #endif /* _VPN_CONTROL_VAR_H */
diff --git a/ipsec.xcodeproj/project.pbxproj b/ipsec.xcodeproj/project.pbxproj
index 1aa91c1..44cb4da 100644
--- a/ipsec.xcodeproj/project.pbxproj
+++ b/ipsec.xcodeproj/project.pbxproj
@@ -1560,7 +1560,6 @@
 buildSettings = {
 ALTERNATE_GROUP = "$(inherited)";
 ALTERNATE_MODE = "";
- ALTERNATE_OWNER = "$(inherited)";
 ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
 COPY_PHASE_STRIP = NO;
 CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
@@ -1580,7 +1579,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/lib;
 LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
 PRODUCT_NAME = ipsec.A;
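Review bot: `struct vpnctl_cmd_set_nat64_prefix` embeds `nw_nat64_prefix_t` verbatim, so the control-socket wire format now depends on the size, alignment and padding of a type owned by an external header, unlike the other vpnctl_cmd_* structs which are built from fixed-width fields. The handler for VPNCTL_CMD_SET_NAT64_PREFIX is not in this diff; it needs to check the received length against `sizeof(struct vpnctl_cmd_set_nat64_prefix)` before reading `nat64_prefix`, and to reject a prefix whose length is not one of the RFC 6052 values before storing it, because vpn_control.c later treats any non-zero length as a usable prefix. A comment on the struct saying that the field is copied as-is and which prefix lengths are accepted would document that contract for the client side.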
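Review bot: the new prototype in vpn_control_var.h uses `bool`, but this diff adds no `<stdbool.h>` include to that header (the include added to vpn_control.h has its target lost in this rendering, so I cannot tell what it pulls in). If vpn_control_var.h is included on its own before vpn_control.h, `bool` is undeclared; adding `#include <stdbool.h>` at the top of vpn_control_var.h keeps it self-contained.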
@@ -1595,7 +1593,6 @@
 buildSettings = {
 ALTERNATE_GROUP = "$(inherited)";
 ALTERNATE_MODE = "";
- ALTERNATE_OWNER = "$(inherited)";
 ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
 COPY_PHASE_STRIP = NO;
 CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
@@ -1613,7 +1610,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/lib;
 LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
 PRODUCT_NAME = ipsec.A;
@@ -1627,7 +1623,6 @@
 buildSettings = {
 ALTERNATE_GROUP = "$(inherited)";
 ALTERNATE_MODE = "";
- ALTERNATE_OWNER = "$(inherited)";
 ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
 COPY_PHASE_STRIP = NO;
 CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
@@ -1644,7 +1639,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/lib;
 LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
 PRODUCT_NAME = ipsec.A;
@@ -1729,7 +1723,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 LEXFLAGS = "";
 OTHER_CFLAGS = (
@@ -1744,6 +1737,7 @@
 OTHER_LDFLAGS = "";
 OTHER_REZFLAGS = "";
 PRODUCT_NAME = racoon;
+ SDKROOT = macosx.internal;
 SECTORDER_FLAGS = "";
 SKIP_INSTALL = YES;
 WARNING_CFLAGS = (
@@ -1786,7 +1780,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 OTHER_CFLAGS = (
 "$(OTHER_CFLAGS_QUOTED_1)",
@@ -1800,6 +1793,7 @@
 OTHER_LDFLAGS = "";
 OTHER_REZFLAGS = "";
 PRODUCT_NAME = racoon;
+ SDKROOT = macosx.internal;
 SECTORDER_FLAGS = "";
 WARNING_CFLAGS = (
 "-Wmost",
@@ -1840,7 +1834,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 OTHER_CFLAGS = (
 "$(OTHER_CFLAGS_QUOTED_1)",
@@ -1854,6 +1847,7 @@
 OTHER_LDFLAGS = "";
 OTHER_REZFLAGS = "";
 PRODUCT_NAME = racoon;
+ SDKROOT = macosx.internal;
 SECTORDER_FLAGS = "";
 WARNING_CFLAGS = (
 "-Wmost",
@@ -1884,7 +1878,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 LIBRARY_SEARCH_PATHS = "";
 MACH_O_TYPE = mh_execute;
@@ -1922,7 +1915,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 LIBRARY_SEARCH_PATHS = "";
 MACH_O_TYPE = mh_execute;
@@ -1959,7 +1951,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 LIBRARY_SEARCH_PATHS = "";
 MACH_O_TYPE = mh_execute;
@@ -2019,6 +2010,7 @@
 buildSettings = {
 ARCHS = "$(ARCHS_STANDARD_64_BIT)";
 PRODUCT_NAME = "$(TARGET_NAME)";
+ SDKROOT = macosx.internal;
 };
 name = Development;
 };
@@ -2027,6 +2019,7 @@
 buildSettings = {
 ARCHS = "$(ARCHS_STANDARD_64_BIT)";
 PRODUCT_NAME = "$(TARGET_NAME)";
+ SDKROOT = macosx.internal;
 };
 name = Deployment;
 };
@@ -2035,6 +2028,7 @@
 buildSettings = {
 ARCHS = "$(ARCHS_STANDARD_64_BIT)";
 PRODUCT_NAME = "$(TARGET_NAME)";
+ SDKROOT = macosx.internal;
 };
 name = Default;
 };
@@ -2087,6 +2081,7 @@
 isa = XCBuildConfiguration;
 buildSettings = {
 PRODUCT_NAME = "$(TARGET_NAME)";
+ SDKROOT = iphoneos.internal;
 };
 name = Development;
 };
@@ -2094,6 +2089,7 @@
 isa = XCBuildConfiguration;
 buildSettings = {
 PRODUCT_NAME = "$(TARGET_NAME)";
+ SDKROOT = iphoneos.internal;
 };
 name = Deployment;
 };
@@ -2101,6 +2097,7 @@
 isa = XCBuildConfiguration;
 buildSettings = {
 PRODUCT_NAME = "$(TARGET_NAME)";
+ SDKROOT = iphoneos.internal;
 };
 name = Default;
 };
@@ -2121,6 +2118,7 @@
 PRODUCT_NAME = "IPSec Embedded (Aggregate)";
 SECTORDER_FLAGS = "";
 SKIP_INSTALL = NO;
+ SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
 WARNING_CFLAGS = (
 "-Wmost",
 "-Wno-four-char-constants",
@@ -2146,6 +2144,7 @@
 PRODUCT_NAME = "IPSec Embedded (Aggregate)";
 SECTORDER_FLAGS = "";
 SKIP_INSTALL = NO;
+ SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
 WARNING_CFLAGS = (
 "-Wmost",
 "-Wno-four-char-constants",
@@ -2171,6 +2170,7 @@
 PRODUCT_NAME = "IPSec Embedded (Aggregate)";
 SECTORDER_FLAGS = "";
 SKIP_INSTALL = NO;
+ SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
 WARNING_CFLAGS = (
 "-Wmost",
 "-Wno-four-char-constants",
@@ -2184,8 +2184,6 @@
 buildSettings = {
 ALTERNATE_GROUP = "$(inherited)";
 ALTERNATE_MODE = "$(inherited)";
- ALTERNATE_OWNER = "$(inherited)";
- ARCHS = "$(ARCHS_STANDARD_32_BIT)";
 CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
 CODE_SIGN_IDENTITY = "";
 COPY_PHASE_STRIP = NO;
@@ -2207,7 +2205,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 LEXFLAGS = "";
 OTHER_CFLAGS = (
@@ -2223,8 +2220,10 @@
 OTHER_LDFLAGS = "";
 OTHER_REZFLAGS = "";
 PRODUCT_NAME = racoon;
+ SDKROOT = iphoneos.internal;
 SECTORDER_FLAGS = "";
 SKIP_INSTALL = YES;
+ SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
 WARNING_CFLAGS = (
 "-Wmost",
 "-Wno-four-char-constants",
@@ -2241,8 +2240,6 @@
 buildSettings = {
 ALTERNATE_GROUP = "$(inherited)";
 ALTERNATE_MODE = "$(inherited)";
- ALTERNATE_OWNER = "$(inherited)";
- ARCHS = "$(ARCHS_STANDARD_32_BIT)";
 CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
 CODE_SIGN_IDENTITY = "";
 COPY_PHASE_STRIP = NO;
@@ -2264,7 +2261,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 OTHER_CFLAGS = (
 "$(OTHER_CFLAGS_QUOTED_1)",
@@ -2279,7 +2275,9 @@
 OTHER_LDFLAGS = "";
 OTHER_REZFLAGS = "";
 PRODUCT_NAME = racoon;
+ SDKROOT = iphoneos.internal;
 SECTORDER_FLAGS = "";
+ SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
 WARNING_CFLAGS = (
 "-Wmost",
 "-Wno-four-char-constants",
@@ -2295,8 +2293,6 @@
 buildSettings = {
 ALTERNATE_GROUP = "$(inherited)";
 ALTERNATE_MODE = "$(inherited)";
- ALTERNATE_OWNER = "$(inherited)";
- ARCHS = "$(ARCHS_STANDARD_32_BIT)";
 CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
 CODE_SIGN_IDENTITY = "";
 COPY_PHASE_STRIP = NO;
@@ -2318,7 +2314,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 OTHER_CFLAGS = (
 "$(OTHER_CFLAGS_QUOTED_1)",
@@ -2333,7 +2328,9 @@
 OTHER_LDFLAGS = "";
 OTHER_REZFLAGS = "";
 PRODUCT_NAME = racoon;
+ SDKROOT = iphoneos.internal;
 SECTORDER_FLAGS = "";
+ SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
 WARNING_CFLAGS = (
 "-Wmost",
 "-Wno-four-char-constants",
@@ -2365,7 +2362,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 LIBRARY_SEARCH_PATHS = "";
 MACH_O_TYPE = mh_execute;
@@ -2406,7 +2402,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 LIBRARY_SEARCH_PATHS = "";
 MACH_O_TYPE = mh_execute;
@@ -2446,7 +2441,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/sbin;
 LIBRARY_SEARCH_PATHS = "";
 MACH_O_TYPE = mh_execute;
@@ -2471,7 +2465,6 @@
 buildSettings = {
 ALTERNATE_GROUP = "$(inherited)";
 ALTERNATE_MODE = "";
- ALTERNATE_OWNER = "$(inherited)";
 ARCHS = "$(ARCHS_STANDARD_32_BIT)";
 CODE_SIGN_IDENTITY = "";
 COPY_PHASE_STRIP = NO;
@@ -2493,7 +2486,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/lib;
 LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
 PRODUCT_NAME = ipsec.A;
@@ -2509,7 +2501,6 @@
 buildSettings = {
 ALTERNATE_GROUP = "$(inherited)";
 ALTERNATE_MODE = "";
- ALTERNATE_OWNER = "$(inherited)";
 ARCHS = "$(ARCHS_STANDARD_32_BIT)";
 CODE_SIGN_IDENTITY = "";
 COPY_PHASE_STRIP = NO;
@@ -2529,7 +2520,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/lib;
 LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
 PRODUCT_NAME = ipsec.A;
@@ -2544,7 +2534,6 @@
 buildSettings = {
 ALTERNATE_GROUP = "$(inherited)";
 ALTERNATE_MODE = "";
- ALTERNATE_OWNER = "$(inherited)";
 ARCHS = "$(ARCHS_STANDARD_32_BIT)";
 CODE_SIGN_IDENTITY = "";
 COPY_PHASE_STRIP = NO;
@@ -2563,7 +2552,6 @@
 );
 INSTALL_GROUP = wheel;
 INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
 INSTALL_PATH = /usr/lib;
 LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
 PRODUCT_NAME = ipsec.A;
-- 
2.47.2