search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / ipsec-tools / src / racoon / handler.c
blobe2e42eb934b6318ef65782193f2551bfb5eb9e3c
1 /* $NetBSD: handler.c,v 1.30 2009/09/03 09:29:07 tteras Exp $ */
2
3 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39
40 #include <stdlib.h>
41 #include <stdio.h>
42 #include <string.h>
43 #include <time.h>
44 #include <errno.h>
45
46 #include "var.h"
47 #include "misc.h"
48 #include "vmbuf.h"
49 #include "plog.h"
50 #include "sockmisc.h"
51 #include "debug.h"
52
53 #ifdef ENABLE_HYBRID
54 #include <resolv.h>
55 #endif
56
57 #include "schedule.h"
58 #include "grabmyaddr.h"
59 #include "algorithm.h"
60 #include "crypto_openssl.h"
61 #include "policy.h"
62 #include "proposal.h"
63 #include "isakmp_var.h"
64 #include "evt.h"
65 #include "isakmp.h"
66 #ifdef ENABLE_HYBRID
67 #include "isakmp_xauth.h"
68 #include "isakmp_cfg.h"
69 #endif
70 #include "isakmp_inf.h"
71 #include "oakley.h"
72 #include "remoteconf.h"
73 #include "localconf.h"
74 #include "handler.h"
75 #include "gcmalloc.h"
76 #include "nattraversal.h"
77
78 #include "sainfo.h"
79
80 #ifdef HAVE_GSSAPI
81 #include "gssapi.h"
82 #endif
83
84 static LIST_HEAD(_ph1tree_, ph1handle) ph1tree;
85 static LIST_HEAD(_ph2tree_, ph2handle) ph2tree;
86 static LIST_HEAD(_ctdtree_, contacted) ctdtree;
87 static LIST_HEAD(_rcptree_, recvdpkt) rcptree;
88 static struct sched sc_sweep = SCHED_INITIALIZER();
89
90 static void del_recvdpkt __P((struct recvdpkt *));
91 static void rem_recvdpkt __P((struct recvdpkt *));
92
93 /*
94 * functions about management of the isakmp status table
95 */
96 /* %%% management phase 1 handler */
97 /*
98 * search for isakmpsa handler with isakmp index.
99 */
100
101 extern caddr_t val2str(const char *, size_t);
102
103 /*
104 * Enumerate the Phase 1 tree.
105 * If enum_func() internally return a non-zero value, this specific
106 * error value is returned. 0 is returned if everything went right.
107 *
108 * Note that it is ok for enum_func() to call insph1(). Those inserted
109 * Phase 1 will not interfere with current enumeration process.
110 */
111 int
112 enumph1(sel, enum_func, enum_arg)
113 struct ph1selector *sel;
114 int (* enum_func)(struct ph1handle *iph1, void *arg);
115 void *enum_arg;
116 {
117 struct ph1handle *p;
118 int ret;
119
120 LIST_FOREACH(p, &ph1tree, chain) {
121 if (sel != NULL) {
122 if (sel->local != NULL &&
123 cmpsaddr(sel->local, p->local) != 0)
124 continue;
125
126 if (sel->remote != NULL &&
127 cmpsaddr(sel->remote, p->remote) != 0)
128 continue;
129 }
130
131 if ((ret = enum_func(p, enum_arg)) != 0)
132 return ret;
133 }
134
135 return 0;
136 }
137
138 struct ph1handle *
139 getph1byindex(index)
140 isakmp_index *index;
141 {
142 struct ph1handle *p;
143
144 LIST_FOREACH(p, &ph1tree, chain) {
145 if (p->status >= PHASE1ST_EXPIRED)
146 continue;
147 if (memcmp(&p->index, index, sizeof(*index)) == 0)
148 return p;
149 }
150
151 return NULL;
152 }
153
154
155 /*
156 * search for isakmp handler by i_ck in index.
157 */
158 struct ph1handle *
159 getph1byindex0(index)
160 isakmp_index *index;
161 {
162 struct ph1handle *p;
163
164 LIST_FOREACH(p, &ph1tree, chain) {
165 if (p->status >= PHASE1ST_EXPIRED)
166 continue;
167 if (memcmp(&p->index, index, sizeof(cookie_t)) == 0)
168 return p;
169 }
170
171 return NULL;
172 }
173
174 /*
175 * search for isakmpsa handler by source and remote address.
176 * don't use port number to search because this function search
177 * with phase 2's destinaion.
178 */
179 struct ph1handle *
180 getph1(ph1hint, local, remote, flags)
181 struct ph1handle *ph1hint;
182 struct sockaddr *local, *remote;
183 int flags;
184 {
185 struct ph1handle *p;
186
187 plog(LLV_DEBUG2, LOCATION, NULL, "getph1: start\n");
188 plog(LLV_DEBUG2, LOCATION, NULL, "local: %s\n", saddr2str(local));
189 plog(LLV_DEBUG2, LOCATION, NULL, "remote: %s\n", saddr2str(remote));
190
191 LIST_FOREACH(p, &ph1tree, chain) {
192 if (p->status >= PHASE1ST_DYING)
193 continue;
194
195 plog(LLV_DEBUG2, LOCATION, NULL, "p->local: %s\n", saddr2str(p->local));
196 plog(LLV_DEBUG2, LOCATION, NULL, "p->remote: %s\n", saddr2str(p->remote));
197
198 if ((flags & GETPH1_F_ESTABLISHED) &&
199 (p->status != PHASE1ST_ESTABLISHED)) {
200 plog(LLV_DEBUG2, LOCATION, NULL,
201 "status %d, skipping\n", p->status);
202 continue;
203 }
204
205 if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH)
206 continue;
207
208 if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH)
209 continue;
210
211 if (ph1hint != NULL) {
212 if (ph1hint->id && ph1hint->id->l && p->id && p->id->l &&
213 (ph1hint->id->l != p->id->l ||
214 memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
215 plog(LLV_DEBUG2, LOCATION, NULL,
216 "local identity does match hint\n");
217 continue;
218 }
219 if (ph1hint->id_p && ph1hint->id_p->l &&
220 p->id_p && p->id_p->l &&
221 (ph1hint->id_p->l != p->id_p->l ||
222 memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
223 plog(LLV_DEBUG2, LOCATION, NULL,
224 "remote identity does match hint\n");
225 continue;
226 }
227 }
228
229 plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
230 return p;
231 }
232
233 plog(LLV_DEBUG2, LOCATION, NULL, "no match\n");
234
235 return NULL;
236 }
237
238 int
239 resolveph1rmconf(iph1)
240 struct ph1handle *iph1;
241 {
242 struct remoteconf *rmconf;
243
244 /* INITIATOR is always expected to know the exact rmconf. */
245 if (iph1->side == INITIATOR)
246 return 0;
247
248 rmconf = getrmconf_by_ph1(iph1);
249 if (rmconf == NULL)
250 return -1;
251 if (rmconf == RMCONF_ERR_MULTIPLE)
252 return 1;
253
254 if (iph1->rmconf != NULL) {
255 if (rmconf != iph1->rmconf) {
256 plog(LLV_ERROR, LOCATION, NULL,
257 "unexpected rmconf switch; killing ph1\n");
258 return -1;
259 }
260 } else {
261 iph1->rmconf = rmconf;
262 }
263
264 return 0;
265 }
266
267
268 /*
269 * move phase2s from old_iph1 to new_iph1
270 */
271 void
272 migrate_ph12(old_iph1, new_iph1)
273 struct ph1handle *old_iph1, *new_iph1;
274 {
275 struct ph2handle *p, *next;
276
277 /* Relocate phase2s to better phase1s or request a new phase1. */
278 for (p = LIST_FIRST(&old_iph1->ph2tree); p; p = next) {
279 next = LIST_NEXT(p, ph1bind);
280
281 if (p->status != PHASE2ST_ESTABLISHED)
282 continue;
283
284 unbindph12(p);
285 bindph12(new_iph1, p);
286 }
287 }
288
289 /*
290 * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1
291 */
292 void migrate_dying_ph12(iph1)
293 struct ph1handle *iph1;
294 {
295 struct ph1handle *p;
296
297 LIST_FOREACH(p, &ph1tree, chain) {
298 if (p == iph1)
299 continue;
300 if (p->status < PHASE1ST_DYING)
301 continue;
302
303 if (cmpsaddr(iph1->local, p->local) == 0
304 && cmpsaddr(iph1->remote, p->remote) == 0)
305 migrate_ph12(p, iph1);
306 }
307 }
308
309
310 /*
311 * dump isakmp-sa
312 */
313 vchar_t *
314 dumpph1()
315 {
316 struct ph1handle *iph1;
317 struct ph1dump *pd;
318 int cnt = 0;
319 vchar_t *buf;
320
321 /* get length of buffer */
322 LIST_FOREACH(iph1, &ph1tree, chain)
323 cnt++;
324
325 buf = vmalloc(cnt * sizeof(struct ph1dump));
326 if (buf == NULL) {
327 plog(LLV_ERROR, LOCATION, NULL,
328 "failed to get buffer\n");
329 return NULL;
330 }
331 pd = (struct ph1dump *)buf->v;
332
333 LIST_FOREACH(iph1, &ph1tree, chain) {
334 memcpy(&pd->index, &iph1->index, sizeof(iph1->index));
335 pd->status = iph1->status;
336 pd->side = iph1->side;
337 memcpy(&pd->remote, iph1->remote, sysdep_sa_len(iph1->remote));
338 memcpy(&pd->local, iph1->local, sysdep_sa_len(iph1->local));
339 pd->version = iph1->version;
340 pd->etype = iph1->etype;
341 pd->created = iph1->created;
342 pd->ph2cnt = iph1->ph2cnt;
343 pd++;
344 }
345
346 return buf;
347 }
348
349 /*
350 * create new isakmp Phase 1 status record to handle isakmp in Phase1
351 */
352 struct ph1handle *
353 newph1()
354 {
355 struct ph1handle *iph1;
356
357 /* create new iph1 */
358 iph1 = racoon_calloc(1, sizeof(*iph1));
359 if (iph1 == NULL)
360 return NULL;
361
362 iph1->status = PHASE1ST_SPAWN;
363
364 #ifdef ENABLE_DPD
365 iph1->dpd_support = 0;
366 iph1->dpd_seq = 0;
367 iph1->dpd_fails = 0;
368 #endif
369 evt_list_init(&iph1->evt_listeners);
370
371 return iph1;
372 }
373
374 /*
375 * delete new isakmp Phase 1 status record to handle isakmp in Phase1
376 */
377 void
378 delph1(iph1)
379 struct ph1handle *iph1;
380 {
381 if (iph1 == NULL)
382 return;
383
384 /* SA down shell script hook */
385 script_hook(iph1, SCRIPT_PHASE1_DOWN);
386 evt_list_cleanup(&iph1->evt_listeners);
387
388 #ifdef ENABLE_NATT
389 if (iph1->natt_flags & NAT_KA_QUEUED)
390 natt_keepalive_remove (iph1->local, iph1->remote);
391
392 if (iph1->natt_options) {
393 racoon_free(iph1->natt_options);
394 iph1->natt_options = NULL;
395 }
396 #endif
397
398 #ifdef ENABLE_HYBRID
399 if (iph1->mode_cfg)
400 isakmp_cfg_rmstate(iph1);
401 #endif
402
403 #ifdef ENABLE_DPD
404 sched_cancel(&iph1->dpd_r_u);
405 #endif
406 sched_cancel(&iph1->sce);
407 sched_cancel(&iph1->scr);
408
409 if (iph1->remote) {
410 racoon_free(iph1->remote);
411 iph1->remote = NULL;
412 }
413 if (iph1->local) {
414 racoon_free(iph1->local);
415 iph1->local = NULL;
416 }
417 if (iph1->approval) {
418 delisakmpsa(iph1->approval);
419 iph1->approval = NULL;
420 }
421
422 VPTRINIT(iph1->authstr);
423 VPTRINIT(iph1->sendbuf);
424 VPTRINIT(iph1->dhpriv);
425 VPTRINIT(iph1->dhpub);
426 VPTRINIT(iph1->dhpub_p);
427 VPTRINIT(iph1->dhgxy);
428 VPTRINIT(iph1->nonce);
429 VPTRINIT(iph1->nonce_p);
430 VPTRINIT(iph1->skeyid);
431 VPTRINIT(iph1->skeyid_d);
432 VPTRINIT(iph1->skeyid_a);
433 VPTRINIT(iph1->skeyid_e);
434 VPTRINIT(iph1->key);
435 VPTRINIT(iph1->hash);
436 VPTRINIT(iph1->sig);
437 VPTRINIT(iph1->sig_p);
438 VPTRINIT(iph1->cert);
439 VPTRINIT(iph1->cert_p);
440 VPTRINIT(iph1->crl_p);
441 VPTRINIT(iph1->cr_p);
442 VPTRINIT(iph1->id);
443 VPTRINIT(iph1->id_p);
444
445 if(iph1->approval != NULL)
446 delisakmpsa(iph1->approval);
447
448 if (iph1->ivm) {
449 oakley_delivm(iph1->ivm);
450 iph1->ivm = NULL;
451 }
452
453 VPTRINIT(iph1->sa);
454 VPTRINIT(iph1->sa_ret);
455
456 #ifdef HAVE_GSSAPI
457 VPTRINIT(iph1->gi_i);
458 VPTRINIT(iph1->gi_r);
459
460 gssapi_free_state(iph1);
461 #endif
462
463 racoon_free(iph1);
464 }
465
466 /*
467 * create new isakmp Phase 1 status record to handle isakmp in Phase1
468 */
469 int
470 insph1(iph1)
471 struct ph1handle *iph1;
472 {
473 /* validity check */
474 if (iph1->remote == NULL) {
475 plog(LLV_ERROR, LOCATION, NULL,
476 "invalid isakmp SA handler. no remote address.\n");
477 return -1;
478 }
479 LIST_INSERT_HEAD(&ph1tree, iph1, chain);
480
481 return 0;
482 }
483
484 void
485 remph1(iph1)
486 struct ph1handle *iph1;
487 {
488 LIST_REMOVE(iph1, chain);
489 }
490
491 /*
492 * flush isakmp-sa
493 */
494 void
495 flushph1()
496 {
497 struct ph1handle *p, *next;
498
499 for (p = LIST_FIRST(&ph1tree); p; p = next) {
500 next = LIST_NEXT(p, chain);
501
502 /* send delete information */
503 if (p->status >= PHASE1ST_ESTABLISHED)
504 isakmp_info_send_d1(p);
505
506 remph1(p);
507 delph1(p);
508 }
509 }
510
511 void
512 initph1tree()
513 {
514 LIST_INIT(&ph1tree);
515 }
516
517 /* %%% management phase 2 handler */
518
519 int
520 enumph2(sel, enum_func, enum_arg)
521 struct ph2selector *sel;
522 int (*enum_func)(struct ph2handle *ph2, void *arg);
523 void *enum_arg;
524 {
525 struct ph2handle *p;
526 int ret;
527
528 LIST_FOREACH(p, &ph2tree, chain) {
529 if (sel != NULL) {
530 if (sel->spid != 0 && sel->spid != p->spid)
531 continue;
532
533 if (sel->src != NULL &&
534 cmpsaddr(sel->src, p->src) != 0)
535 continue;
536
537 if (sel->dst != NULL &&
538 cmpsaddr(sel->dst, p->dst) != 0)
539 continue;
540 }
541
542 if ((ret = enum_func(p, enum_arg)) != 0)
543 return ret;
544 }
545
546 return 0;
547 }
548
549 /*
550 * search ph2handle with sequence number.
551 */
552 struct ph2handle *
553 getph2byseq(seq)
554 u_int32_t seq;
555 {
556 struct ph2handle *p;
557
558 LIST_FOREACH(p, &ph2tree, chain) {
559 if (p->seq == seq)
560 return p;
561 }
562
563 return NULL;
564 }
565
566 /*
567 * search ph2handle with message id.
568 */
569 struct ph2handle *
570 getph2bymsgid(iph1, msgid)
571 struct ph1handle *iph1;
572 u_int32_t msgid;
573 {
574 struct ph2handle *p;
575
576 LIST_FOREACH(p, &iph1->ph2tree, chain) {
577 if (p->msgid == msgid && p->ph1 == iph1)
578 return p;
579 }
580
581 return NULL;
582 }
583
584 /* Note that src and dst are not the selectors of the SP
585 * but the source and destination addresses used for
586 * for SA negotiation (best example is tunnel mode SA
587 * where src and dst are the endpoints). There is at most
588 * a unique match because racoon does not support bundles
589 * which makes that there is at most a single established
590 * SA for a given spid. One could say that src and dst
591 * are in fact useless ...
592 */
593 struct ph2handle *
594 getph2byid(src, dst, spid)
595 struct sockaddr *src, *dst;
596 u_int32_t spid;
597 {
598 struct ph2handle *p;
599
600 LIST_FOREACH(p, &ph2tree, chain) {
601 if (spid == p->spid &&
602 cmpsaddr(src, p->src) == 0 &&
603 cmpsaddr(dst, p->dst) == 0){
604 /* Sanity check to detect zombie handlers
605 * XXX Sould be done "somewhere" more interesting,
606 * because we have lots of getph2byxxxx(), but this one
607 * is called by pk_recvacquire(), so is the most important.
608 */
609 if(p->status < PHASE2ST_ESTABLISHED &&
610 p->retry_counter == 0
611 && p->sce.func == NULL && p->scr.func == NULL) {
612 plog(LLV_DEBUG, LOCATION, NULL,
613 "Zombie ph2 found, expiring it\n");
614 isakmp_ph2expire(p);
615 }else
616 return p;
617 }
618 }
619
620 return NULL;
621 }
622
623 struct ph2handle *
624 getph2bysaddr(src, dst)
625 struct sockaddr *src, *dst;
626 {
627 struct ph2handle *p;
628
629 LIST_FOREACH(p, &ph2tree, chain) {
630 if (cmpsaddr(src, p->src) == 0 &&
631 cmpsaddr(dst, p->dst) == 0)
632 return p;
633 }
634
635 return NULL;
636 }
637
638 /*
639 * call by pk_recvexpire().
640 */
641 struct ph2handle *
642 getph2bysaidx(src, dst, proto_id, spi)
643 struct sockaddr *src, *dst;
644 u_int proto_id;
645 u_int32_t spi;
646 {
647 struct ph2handle *iph2;
648 struct saproto *pr;
649
650 LIST_FOREACH(iph2, &ph2tree, chain) {
651 if (iph2->proposal == NULL && iph2->approval == NULL)
652 continue;
653 if (iph2->approval != NULL) {
654 for (pr = iph2->approval->head; pr != NULL;
655 pr = pr->next) {
656 if (proto_id != pr->proto_id)
657 break;
658 if (spi == pr->spi || spi == pr->spi_p)
659 return iph2;
660 }
661 } else if (iph2->proposal != NULL) {
662 for (pr = iph2->proposal->head; pr != NULL;
663 pr = pr->next) {
664 if (proto_id != pr->proto_id)
665 break;
666 if (spi == pr->spi)
667 return iph2;
668 }
669 }
670 }
671
672 return NULL;
673 }
674
675 /*
676 * create new isakmp Phase 2 status record to handle isakmp in Phase2
677 */
678 struct ph2handle *
679 newph2()
680 {
681 struct ph2handle *iph2 = NULL;
682
683 /* create new iph2 */
684 iph2 = racoon_calloc(1, sizeof(*iph2));
685 if (iph2 == NULL)
686 return NULL;
687
688 iph2->status = PHASE1ST_SPAWN;
689 evt_list_init(&iph2->evt_listeners);
690
691 return iph2;
692 }
693
694 /*
695 * initialize ph2handle
696 * NOTE: don't initialize src/dst.
697 * SPI in the proposal is cleared.
698 */
699 void
700 initph2(iph2)
701 struct ph2handle *iph2;
702 {
703 evt_list_cleanup(&iph2->evt_listeners);
704 unbindph12(iph2);
705
706 sched_cancel(&iph2->sce);
707 sched_cancel(&iph2->scr);
708
709 VPTRINIT(iph2->sendbuf);
710 VPTRINIT(iph2->msg1);
711
712 /* clear spi, keep variables in the proposal */
713 if (iph2->proposal) {
714 struct saproto *pr;
715 for (pr = iph2->proposal->head; pr != NULL; pr = pr->next)
716 pr->spi = 0;
717 }
718
719 /* clear approval */
720 if (iph2->approval) {
721 flushsaprop(iph2->approval);
722 iph2->approval = NULL;
723 }
724
725 /* clear the generated policy */
726 if (iph2->spidx_gen) {
727 delsp_bothdir((struct policyindex *)iph2->spidx_gen);
728 racoon_free(iph2->spidx_gen);
729 iph2->spidx_gen = NULL;
730 }
731
732 if (iph2->pfsgrp) {
733 oakley_dhgrp_free(iph2->pfsgrp);
734 iph2->pfsgrp = NULL;
735 }
736
737 VPTRINIT(iph2->dhpriv);
738 VPTRINIT(iph2->dhpub);
739 VPTRINIT(iph2->dhpub_p);
740 VPTRINIT(iph2->dhgxy);
741 VPTRINIT(iph2->id);
742 VPTRINIT(iph2->id_p);
743 VPTRINIT(iph2->nonce);
744 VPTRINIT(iph2->nonce_p);
745 VPTRINIT(iph2->sa);
746 VPTRINIT(iph2->sa_ret);
747
748 if (iph2->ivm) {
749 oakley_delivm(iph2->ivm);
750 iph2->ivm = NULL;
751 }
752
753 #ifdef ENABLE_NATT
754 if (iph2->natoa_src) {
755 racoon_free(iph2->natoa_src);
756 iph2->natoa_src = NULL;
757 }
758 if (iph2->natoa_dst) {
759 racoon_free(iph2->natoa_dst);
760 iph2->natoa_dst = NULL;
761 }
762 #endif
763 }
764
765 /*
766 * delete new isakmp Phase 2 status record to handle isakmp in Phase2
767 */
768 void
769 delph2(iph2)
770 struct ph2handle *iph2;
771 {
772 initph2(iph2);
773
774 if (iph2->src) {
775 racoon_free(iph2->src);
776 iph2->src = NULL;
777 }
778 if (iph2->dst) {
779 racoon_free(iph2->dst);
780 iph2->dst = NULL;
781 }
782 if (iph2->sa_src) {
783 racoon_free(iph2->sa_src);
784 iph2->sa_src = NULL;
785 }
786 if (iph2->sa_dst) {
787 racoon_free(iph2->sa_dst);
788 iph2->sa_dst = NULL;
789 }
790 #ifdef ENABLE_NATT
791 if (iph2->natoa_src) {
792 racoon_free(iph2->natoa_src);
793 iph2->natoa_src = NULL;
794 }
795 if (iph2->natoa_dst) {
796 racoon_free(iph2->natoa_dst);
797 iph2->natoa_dst = NULL;
798 }
799 #endif
800
801 if (iph2->proposal) {
802 flushsaprop(iph2->proposal);
803 iph2->proposal = NULL;
804 }
805
806 racoon_free(iph2);
807 }
808
809 /*
810 * create new isakmp Phase 2 status record to handle isakmp in Phase2
811 */
812 int
813 insph2(iph2)
814 struct ph2handle *iph2;
815 {
816 LIST_INSERT_HEAD(&ph2tree, iph2, chain);
817
818 return 0;
819 }
820
821 void
822 remph2(iph2)
823 struct ph2handle *iph2;
824 {
825 unbindph12(iph2);
826 LIST_REMOVE(iph2, chain);
827 }
828
829 void
830 initph2tree()
831 {
832 LIST_INIT(&ph2tree);
833 }
834
835 void
836 flushph2()
837 {
838 struct ph2handle *p, *next;
839
840 plog(LLV_DEBUG2, LOCATION, NULL,
841 "flushing all ph2 handlers...\n");
842
843 for (p = LIST_FIRST(&ph2tree); p; p = next) {
844 next = LIST_NEXT(p, chain);
845
846 /* send delete information */
847 if (p->status == PHASE2ST_ESTABLISHED){
848 plog(LLV_DEBUG2, LOCATION, NULL,
849 "got a ph2 handler to flush...\n");
850 isakmp_info_send_d2(p);
851 }else{
852 plog(LLV_DEBUG2, LOCATION, NULL,
853 "skipping ph2 handler (state %d)\n", p->status);
854 }
855
856 delete_spd(p, 0);
857 remph2(p);
858 delph2(p);
859 }
860 }
861
862 /*
863 * Delete all Phase 2 handlers for this src/dst/proto. This
864 * is used during INITIAL-CONTACT processing (so no need to
865 * send a message to the peer).
866 */
867 void
868 deleteallph2(src, dst, proto_id)
869 struct sockaddr *src, *dst;
870 u_int proto_id;
871 {
872 struct ph2handle *iph2, *next;
873 struct saproto *pr;
874
875 for (iph2 = LIST_FIRST(&ph2tree); iph2 != NULL; iph2 = next) {
876 next = LIST_NEXT(iph2, chain);
877 if (iph2->proposal == NULL && iph2->approval == NULL)
878 continue;
879 if (iph2->approval != NULL) {
880 for (pr = iph2->approval->head; pr != NULL;
881 pr = pr->next) {
882 if (proto_id == pr->proto_id)
883 goto zap_it;
884 }
885 } else if (iph2->proposal != NULL) {
886 for (pr = iph2->proposal->head; pr != NULL;
887 pr = pr->next) {
888 if (proto_id == pr->proto_id)
889 goto zap_it;
890 }
891 }
892 continue;
893 zap_it:
894 remph2(iph2);
895 delph2(iph2);
896 }
897 }
898
899 /* %%% */
900 void
901 bindph12(iph1, iph2)
902 struct ph1handle *iph1;
903 struct ph2handle *iph2;
904 {
905 unbindph12(iph2);
906
907 iph2->ph1 = iph1;
908 iph1->ph2cnt++;
909 LIST_INSERT_HEAD(&iph1->ph2tree, iph2, ph1bind);
910 }
911
912 void
913 unbindph12(iph2)
914 struct ph2handle *iph2;
915 {
916 if (iph2->ph1 != NULL) {
917 LIST_REMOVE(iph2, ph1bind);
918 iph2->ph1->ph2cnt--;
919 iph2->ph1 = NULL;
920 }
921 }
922
923 /* %%% management contacted list */
924 /*
925 * search contacted list.
926 */
927 struct contacted *
928 getcontacted(remote)
929 struct sockaddr *remote;
930 {
931 struct contacted *p;
932
933 LIST_FOREACH(p, &ctdtree, chain) {
934 if (cmpsaddr(remote, p->remote) == 0)
935 return p;
936 }
937
938 return NULL;
939 }
940
941 /*
942 * create new isakmp Phase 2 status record to handle isakmp in Phase2
943 */
944 int
945 inscontacted(remote)
946 struct sockaddr *remote;
947 {
948 struct contacted *new;
949
950 /* create new iph2 */
951 new = racoon_calloc(1, sizeof(*new));
952 if (new == NULL)
953 return -1;
954
955 new->remote = dupsaddr(remote);
956 if (new->remote == NULL) {
957 plog(LLV_ERROR, LOCATION, NULL,
958 "failed to allocate buffer.\n");
959 racoon_free(new);
960 return -1;
961 }
962
963 LIST_INSERT_HEAD(&ctdtree, new, chain);
964
965 return 0;
966 }
967
968 void
969 initctdtree()
970 {
971 LIST_INIT(&ctdtree);
972 }
973
974 /*
975 * check the response has been sent to the peer. when not, simply reply
976 * the buffered packet to the peer.
977 * OUT:
978 * 0: the packet is received at the first time.
979 * 1: the packet was processed before.
980 * 2: the packet was processed before, but the address mismatches.
981 * -1: error happened.
982 */
983 int
984 check_recvdpkt(remote, local, rbuf)
985 struct sockaddr *remote, *local;
986 vchar_t *rbuf;
987 {
988 vchar_t *hash;
989 struct recvdpkt *r;
990 struct timeval now, diff;
991 int len, s;
992
993 hash = eay_md5_one(rbuf);
994 if (!hash) {
995 plog(LLV_ERROR, LOCATION, NULL,
996 "failed to allocate buffer.\n");
997 return -1;
998 }
999
1000 LIST_FOREACH(r, &rcptree, chain) {
1001 if (memcmp(hash->v, r->hash->v, r->hash->l) == 0)
1002 break;
1003 }
1004 vfree(hash);
1005
1006 /* this is the first time to receive the packet */
1007 if (r == NULL)
1008 return 0;
1009
1010 /*
1011 * the packet was processed before, but the remote address mismatches.
1012 */
1013 if (cmpsaddr(remote, r->remote) != 0)
1014 return 2;
1015
1016 /*
1017 * it should not check the local address because the packet
1018 * may arrive at other interface.
1019 */
1020
1021 /* check the previous time to send */
1022 sched_get_monotonic_time(&now);
1023 timersub(&now, &r->time_send, &diff);
1024 if (diff.tv_sec == 0) {
1025 plog(LLV_WARNING, LOCATION, NULL,
1026 "the packet retransmitted in a short time from %s\n",
1027 saddr2str(remote));
1028 /*XXX should it be error ? */
1029 }
1030
1031 /* select the socket to be sent */
1032 s = myaddr_getfd(r->local);
1033 if (s == -1)
1034 return -1;
1035
1036 /* resend the packet if needed */
1037 len = sendfromto(s, r->sendbuf->v, r->sendbuf->l,
1038 r->local, r->remote, lcconf->count_persend);
1039 if (len == -1) {
1040 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1041 return -1;
1042 }
1043
1044 /* check the retry counter */
1045 r->retry_counter--;
1046 if (r->retry_counter <= 0) {
1047 rem_recvdpkt(r);
1048 del_recvdpkt(r);
1049 plog(LLV_DEBUG, LOCATION, NULL,
1050 "deleted the retransmission packet to %s.\n",
1051 saddr2str(remote));
1052 } else
1053 r->time_send = now;
1054
1055 return 1;
1056 }
1057
1058 /*
1059 * adding a hash of received packet into the received list.
1060 */
1061 int
1062 add_recvdpkt(remote, local, sbuf, rbuf)
1063 struct sockaddr *remote, *local;
1064 vchar_t *sbuf, *rbuf;
1065 {
1066 struct recvdpkt *new = NULL;
1067
1068 if (lcconf->retry_counter == 0) {
1069 /* no need to add it */
1070 return 0;
1071 }
1072
1073 new = racoon_calloc(1, sizeof(*new));
1074 if (!new) {
1075 plog(LLV_ERROR, LOCATION, NULL,
1076 "failed to allocate buffer.\n");
1077 return -1;
1078 }
1079
1080 new->hash = eay_md5_one(rbuf);
1081 if (!new->hash) {
1082 plog(LLV_ERROR, LOCATION, NULL,
1083 "failed to allocate buffer.\n");
1084 del_recvdpkt(new);
1085 return -1;
1086 }
1087 new->remote = dupsaddr(remote);
1088 if (new->remote == NULL) {
1089 plog(LLV_ERROR, LOCATION, NULL,
1090 "failed to allocate buffer.\n");
1091 del_recvdpkt(new);
1092 return -1;
1093 }
1094 new->local = dupsaddr(local);
1095 if (new->local == NULL) {
1096 plog(LLV_ERROR, LOCATION, NULL,
1097 "failed to allocate buffer.\n");
1098 del_recvdpkt(new);
1099 return -1;
1100 }
1101 new->sendbuf = vdup(sbuf);
1102 if (new->sendbuf == NULL) {
1103 plog(LLV_ERROR, LOCATION, NULL,
1104 "failed to allocate buffer.\n");
1105 del_recvdpkt(new);
1106 return -1;
1107 }
1108
1109 new->retry_counter = lcconf->retry_counter;
1110 sched_get_monotonic_time(&new->time_send);
1111
1112 LIST_INSERT_HEAD(&rcptree, new, chain);
1113
1114 return 0;
1115 }
1116
1117 void
1118 del_recvdpkt(r)
1119 struct recvdpkt *r;
1120 {
1121 if (r->remote)
1122 racoon_free(r->remote);
1123 if (r->local)
1124 racoon_free(r->local);
1125 if (r->hash)
1126 vfree(r->hash);
1127 if (r->sendbuf)
1128 vfree(r->sendbuf);
1129 racoon_free(r);
1130 }
1131
1132 void
1133 rem_recvdpkt(r)
1134 struct recvdpkt *r;
1135 {
1136 LIST_REMOVE(r, chain);
1137 }
1138
1139 static void
1140 sweep_recvdpkt(dummy)
1141 struct sched *dummy;
1142 {
1143 struct recvdpkt *r, *next;
1144 struct timeval now, diff, sweep;
1145
1146 sched_get_monotonic_time(&now);
1147
1148 /* calculate sweep time; delete entries older than this */
1149 diff.tv_sec = lcconf->retry_counter * lcconf->retry_interval;
1150 diff.tv_usec = 0;
1151 timersub(&now, &diff, &sweep);
1152
1153 for (r = LIST_FIRST(&rcptree); r; r = next) {
1154 next = LIST_NEXT(r, chain);
1155
1156 if (timercmp(&r->time_send, &sweep, <)) {
1157 rem_recvdpkt(r);
1158 del_recvdpkt(r);
1159 }
1160 }
1161
1162 sched_schedule(&sc_sweep, diff.tv_sec, sweep_recvdpkt);
1163 }
1164
1165 void
1166 init_recvdpkt()
1167 {
1168 time_t lt = lcconf->retry_counter * lcconf->retry_interval;
1169
1170 LIST_INIT(&rcptree);
1171
1172 sched_schedule(&sc_sweep, lt, sweep_recvdpkt);
1173 }
1174
1175 #ifdef ENABLE_HYBRID
1176 /*
1177 * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
1178 * This should be in isakmp_cfg.c but ph1tree being private, it must be there
1179 */
1180 int
1181 exclude_cfg_addr(addr)
1182 const struct sockaddr *addr;
1183 {
1184 struct ph1handle *p;
1185 struct sockaddr_in *sin;
1186
1187 LIST_FOREACH(p, &ph1tree, chain) {
1188 if ((p->mode_cfg != NULL) &&
1189 (p->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) &&
1190 (addr->sa_family == AF_INET)) {
1191 sin = (struct sockaddr_in *)addr;
1192 if (sin->sin_addr.s_addr == p->mode_cfg->addr4.s_addr)
1193 return 0;
1194 }
1195 }
1196
1197 return 1;
1198 }
1199 #endif
1200
1201
1202
1203 /*
1204 * Reload conf code
1205 */
1206 static int revalidate_ph2(struct ph2handle *iph2){
1207 struct sainfoalg *alg;
1208 int found, check_level;
1209 struct sainfo *sainfo;
1210 struct saprop *approval;
1211 struct ph1handle *iph1;
1212
1213 /*
1214 * Get the new sainfo using values of the old one
1215 */
1216 if (iph2->sainfo != NULL) {
1217 iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
1218 iph2->sainfo->iddst, iph2->sainfo->id_i,
1219 NULL, iph2->sainfo->remoteid);
1220 }
1221 approval = iph2->approval;
1222 sainfo = iph2->sainfo;
1223
1224 if (sainfo == NULL) {
1225 /*
1226 * Sainfo has been removed
1227 */
1228 plog(LLV_DEBUG, LOCATION, NULL,
1229 "Reload: No sainfo for ph2\n");
1230 return 0;
1231 }
1232
1233 if (approval == NULL) {
1234 /*
1235 * XXX why do we have a NULL approval sometimes ???
1236 */
1237 plog(LLV_DEBUG, LOCATION, NULL,
1238 "No approval found !\n");
1239 return 0;
1240 }
1241
1242 /*
1243 * Don't care about proposals, should we do something ?
1244 * We have to keep iph2->proposal valid at least for initiator,
1245 * for pk_sendgetspi()
1246 */
1247
1248 plog(LLV_DEBUG, LOCATION, NULL, "active single bundle:\n");
1249 printsaprop0(LLV_DEBUG, approval);
1250
1251 /*
1252 * Validate approval against sainfo
1253 * Note: we must have an updated ph1->rmconf before doing that,
1254 * we'll set check_level to EXACT if we don't have a ph1
1255 * XXX try tu find the new remote section to get the new check level ?
1256 * XXX lifebyte
1257 */
1258 if (iph2->ph1 != NULL)
1259 iph1=iph2->ph1;
1260 else
1261 iph1=getph1byaddr(iph2->src, iph2->dst, 0);
1262
1263 if(iph1 != NULL && iph1->rmconf != NULL) {
1264 check_level = iph1->rmconf->pcheck_level;
1265 } else {
1266 if(iph1 != NULL)
1267 plog(LLV_DEBUG, LOCATION, NULL, "No phase1 rmconf found !\n");
1268 else
1269 plog(LLV_DEBUG, LOCATION, NULL, "No phase1 found !\n");
1270 check_level = PROP_CHECK_EXACT;
1271 }
1272
1273 switch (check_level) {
1274 case PROP_CHECK_OBEY:
1275 plog(LLV_DEBUG, LOCATION, NULL,
1276 "Reload: OBEY for ph2, ok\n");
1277 return 1;
1278 break;
1279
1280 case PROP_CHECK_STRICT:
1281 /* FALLTHROUGH */
1282 case PROP_CHECK_CLAIM:
1283 if (sainfo->lifetime < approval->lifetime) {
1284 plog(LLV_DEBUG, LOCATION, NULL,
1285 "Reload: lifetime mismatch\n");
1286 return 0;
1287 }
1288
1289 #if 0
1290 /* Lifebyte is deprecated, just ignore it
1291 */
1292 if (sainfo->lifebyte < approval->lifebyte) {
1293 plog(LLV_DEBUG, LOCATION, NULL,
1294 "Reload: lifebyte mismatch\n");
1295 return 0;
1296 }
1297 #endif
1298
1299 if (sainfo->pfs_group &&
1300 sainfo->pfs_group != approval->pfs_group) {
1301 plog(LLV_DEBUG, LOCATION, NULL,
1302 "Reload: PFS group mismatch\n");
1303 return 0;
1304 }
1305 break;
1306
1307 case PROP_CHECK_EXACT:
1308 if (sainfo->lifetime != approval->lifetime ||
1309 #if 0
1310 /* Lifebyte is deprecated, just ignore it
1311 */
1312 sainfo->lifebyte != approval->lifebyte ||
1313 #endif
1314 sainfo->pfs_group != iph2->approval->pfs_group) {
1315 plog(LLV_DEBUG, LOCATION, NULL,
1316 "Reload: lifetime | pfs mismatch\n");
1317 return 0;
1318 }
1319 break;
1320
1321 default:
1322 plog(LLV_DEBUG, LOCATION, NULL,
1323 "Reload: Shouldn't be here !\n");
1324 return 0;
1325 break;
1326 }
1327
1328 for (alg = sainfo->algs[algclass_ipsec_auth]; alg; alg = alg->next) {
1329 if (alg->alg == approval->head->head->authtype)
1330 break;
1331 }
1332 if (alg == NULL) {
1333 plog(LLV_DEBUG, LOCATION, NULL,
1334 "Reload: alg == NULL (auth)\n");
1335 return 0;
1336 }
1337
1338 found = 0;
1339 for (alg = sainfo->algs[algclass_ipsec_enc];
1340 (found == 0 && alg != NULL); alg = alg->next) {
1341 plog(LLV_DEBUG, LOCATION, NULL,
1342 "Reload: next ph2 enc alg...\n");
1343
1344 if (alg->alg != approval->head->head->trns_id){
1345 plog(LLV_DEBUG, LOCATION, NULL,
1346 "Reload: encmode mismatch (%d / %d)\n",
1347 alg->alg, approval->head->head->trns_id);
1348 continue;
1349 }
1350
1351 switch (check_level){
1352 /* PROP_CHECK_STRICT cannot happen here */
1353 case PROP_CHECK_EXACT:
1354 if (alg->encklen != approval->head->head->encklen) {
1355 plog(LLV_DEBUG, LOCATION, NULL,
1356 "Reload: enclen mismatch\n");
1357 continue;
1358 }
1359 break;
1360
1361 case PROP_CHECK_CLAIM:
1362 /* FALLTHROUGH */
1363 case PROP_CHECK_STRICT:
1364 if (alg->encklen > approval->head->head->encklen) {
1365 plog(LLV_DEBUG, LOCATION, NULL,
1366 "Reload: enclen mismatch\n");
1367 continue;
1368 }
1369 break;
1370
1371 default:
1372 plog(LLV_ERROR, LOCATION, NULL,
1373 "unexpected check_level\n");
1374 continue;
1375 break;
1376 }
1377 found = 1;
1378 }
1379
1380 if (!found){
1381 plog(LLV_DEBUG, LOCATION, NULL,
1382 "Reload: No valid enc\n");
1383 return 0;
1384 }
1385
1386 /*
1387 * XXX comp
1388 */
1389 plog(LLV_DEBUG, LOCATION, NULL,
1390 "Reload: ph2 check ok\n");
1391
1392 return 1;
1393 }
1394
1395
1396 static void
1397 remove_ph2(struct ph2handle *iph2)
1398 {
1399 u_int32_t spis[2];
1400
1401 if(iph2 == NULL)
1402 return;
1403
1404 plog(LLV_DEBUG, LOCATION, NULL,
1405 "Deleting a Ph2...\n");
1406
1407 if (iph2->status == PHASE2ST_ESTABLISHED)
1408 isakmp_info_send_d2(iph2);
1409
1410 if(iph2->approval != NULL && iph2->approval->head != NULL){
1411 spis[0]=iph2->approval->head->spi;
1412 spis[1]=iph2->approval->head->spi_p;
1413
1414 /* purge_ipsec_spi() will do all the work:
1415 * - delete SPIs in kernel
1416 * - delete generated SPD
1417 * - unbind / rem / del ph2
1418 */
1419 purge_ipsec_spi(iph2->dst, iph2->approval->head->proto_id,
1420 spis, 2);
1421 }else{
1422 remph2(iph2);
1423 delph2(iph2);
1424 }
1425 }
1426
1427 static void remove_ph1(struct ph1handle *iph1){
1428 struct ph2handle *iph2, *iph2_next;
1429
1430 if(iph1 == NULL)
1431 return;
1432
1433 plog(LLV_DEBUG, LOCATION, NULL,
1434 "Removing PH1...\n");
1435
1436 if (iph1->status == PHASE1ST_ESTABLISHED ||
1437 iph1->status == PHASE1ST_DYING) {
1438 for (iph2 = LIST_FIRST(&iph1->ph2tree); iph2; iph2 = iph2_next) {
1439 iph2_next = LIST_NEXT(iph2, chain);
1440 remove_ph2(iph2);
1441 }
1442 isakmp_info_send_d1(iph1);
1443 }
1444 iph1->status = PHASE1ST_EXPIRED;
1445 sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
1446 }
1447
1448
1449 static int revalidate_ph1tree_rmconf(void)
1450 {
1451 struct ph1handle *p, *next;
1452
1453 for (p = LIST_FIRST(&ph1tree); p; p = next) {
1454 next = LIST_NEXT(p, chain);
1455
1456 if (p->status >= PHASE1ST_EXPIRED)
1457 continue;
1458 if (p->rmconf == NULL)
1459 continue;
1460
1461 p->rmconf = getrmconf_by_ph1(p);
1462 if (p->rmconf == NULL || p->rmconf == RMCONF_ERR_MULTIPLE)
1463 remove_ph1(p);
1464 }
1465
1466 return 1;
1467 }
1468
1469 static int revalidate_ph2tree(void){
1470 struct ph2handle *p, *next;
1471
1472 for (p = LIST_FIRST(&ph2tree); p; p = next) {
1473 next = LIST_NEXT(p, chain);
1474
1475 if (p->status == PHASE2ST_EXPIRED)
1476 continue;
1477
1478 if(!revalidate_ph2(p)){
1479 plog(LLV_DEBUG, LOCATION, NULL,
1480 "PH2 not validated, removing it\n");
1481 remove_ph2(p);
1482 }
1483 }
1484
1485 return 1;
1486 }
1487
1488 int
1489 revalidate_ph12(void)
1490 {
1491
1492 revalidate_ph1tree_rmconf();
1493 revalidate_ph2tree();
1494
1495 return 1;
1496 }
1497
1498 #ifdef ENABLE_HYBRID
1499 struct ph1handle *
1500 getph1bylogin(login)
1501 char *login;
1502 {
1503 struct ph1handle *p;
1504
1505 LIST_FOREACH(p, &ph1tree, chain) {
1506 if (p->mode_cfg == NULL)
1507 continue;
1508 if (strncmp(p->mode_cfg->login, login, LOGINLEN) == 0)
1509 return p;
1510 }
1511
1512 return NULL;
1513 }
1514
1515 int
1516 purgeph1bylogin(login)
1517 char *login;
1518 {
1519 struct ph1handle *p;
1520 int found = 0;
1521
1522 LIST_FOREACH(p, &ph1tree, chain) {
1523 if (p->mode_cfg == NULL)
1524 continue;
1525 if (strncmp(p->mode_cfg->login, login, LOGINLEN) == 0) {
1526 if (p->status >= PHASE1ST_EXPIRED)
1527 continue;
1528
1529 if (p->status >= PHASE1ST_ESTABLISHED)
1530 isakmp_info_send_d1(p);
1531 purge_remote(p);
1532 found++;
1533 }
1534 }
1535
1536 return found;
1537 }
1538 #endif
NetBSD on the FriendlyARM MINI2440