search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / ipsec-tools / src / racoon / isakmp.c
blob3d719960f7757ee62ce0e019c273b5b35a14d97a
1 /* $NetBSD: isakmp.c,v 1.59 2009/09/01 09:24:21 tteras Exp $ */
2
3 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42 #include <arpa/inet.h>
43
44 #include PATH_IPSEC_H
45
46 #include <stdlib.h>
47 #include <stdio.h>
48 #include <string.h>
49 #include <errno.h>
50 #if TIME_WITH_SYS_TIME
51 # include <sys/time.h>
52 # include <time.h>
53 #else
54 # if HAVE_SYS_TIME_H
55 # include <sys/time.h>
56 # else
57 # include <time.h>
58 # endif
59 #endif
60 #include <netdb.h>
61 #ifdef HAVE_UNISTD_H
62 #include <unistd.h>
63 #endif
64 #include <ctype.h>
65 #ifdef ENABLE_HYBRID
66 #include <resolv.h>
67 #endif
68
69 #include "var.h"
70 #include "misc.h"
71 #include "vmbuf.h"
72 #include "plog.h"
73 #include "sockmisc.h"
74 #include "schedule.h"
75 #include "session.h"
76 #include "debug.h"
77
78 #include "remoteconf.h"
79 #include "localconf.h"
80 #include "grabmyaddr.h"
81 #include "admin.h"
82 #include "privsep.h"
83 #include "isakmp_var.h"
84 #include "isakmp.h"
85 #include "oakley.h"
86 #include "evt.h"
87 #include "handler.h"
88 #include "ipsec_doi.h"
89 #include "pfkey.h"
90 #include "crypto_openssl.h"
91 #include "policy.h"
92 #include "algorithm.h"
93 #include "proposal.h"
94 #include "sainfo.h"
95 #include "isakmp_ident.h"
96 #include "isakmp_agg.h"
97 #include "isakmp_base.h"
98 #include "isakmp_quick.h"
99 #include "isakmp_inf.h"
100 #include "isakmp_newg.h"
101 #ifdef ENABLE_HYBRID
102 #include "vendorid.h"
103 #include "isakmp_xauth.h"
104 #include "isakmp_unity.h"
105 #include "isakmp_cfg.h"
106 #endif
107 #ifdef ENABLE_FRAG
108 #include "isakmp_frag.h"
109 #endif
110 #include "strnames.h"
111
112 #include <fcntl.h>
113
114 #ifdef ENABLE_NATT
115 # include "nattraversal.h"
116 #endif
117 # ifdef __linux__
118 # include <linux/udp.h>
119 # include <linux/ip.h>
120 # ifndef SOL_UDP
121 # define SOL_UDP 17
122 # endif
123 # endif /* __linux__ */
124 # if defined(__NetBSD__) || defined(__FreeBSD__) || \
125 (defined(__APPLE__) && defined(__MACH__))
126 # include <netinet/in.h>
127 # include <netinet/udp.h>
128 # include <netinet/in_systm.h>
129 # include <netinet/ip.h>
130 # define SOL_UDP IPPROTO_UDP
131 # endif /* __NetBSD__ / __FreeBSD__ */
132
133 static int nostate1 __P((struct ph1handle *, vchar_t *));
134 static int nostate2 __P((struct ph2handle *, vchar_t *));
135
136 extern caddr_t val2str(const char *, size_t);
137
138 static int (*ph1exchange[][2][PHASE1ST_MAX])
139 __P((struct ph1handle *, vchar_t *)) = {
140 /* error */
141 { { 0 }, { 0 }, },
142 /* Identity Protection exchange */
143 {
144 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
145 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, nostate1,},
146 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
147 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, nostate1, },
148 },
149 /* Aggressive exchange */
150 {
151 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
152 nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
153 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
154 nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
155 },
156 /* Base exchange */
157 {
158 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
159 base_i3recv, base_i3send, nostate1, nostate1, nostate1, nostate1, },
160 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
161 nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
162 },
163 };
164
165 static int (*ph2exchange[][2][PHASE2ST_MAX])
166 __P((struct ph2handle *, vchar_t *)) = {
167 /* error */
168 { { 0 }, { 0 }, },
169 /* Quick mode for IKE */
170 {
171 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
172 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
173 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
174 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
175 },
176 };
177
178 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
179
180 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
181 static int ph1_main __P((struct ph1handle *, vchar_t *));
182 static int quick_main __P((struct ph2handle *, vchar_t *));
183 static int isakmp_ph1begin_r __P((vchar_t *,
184 struct sockaddr *, struct sockaddr *, u_int8_t));
185 static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
186 static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
187 static int etypesw1 __P((int));
188 static int etypesw2 __P((int));
189 static int isakmp_ph1resend __P((struct ph1handle *));
190 static int isakmp_ph2resend __P((struct ph2handle *));
191
192 #ifdef ENABLE_FRAG
193 static int frag_handler(struct ph1handle *,
194 vchar_t *, struct sockaddr *, struct sockaddr *);
195 #endif
196
197 /*
198 * isakmp packet handler
199 */
200 static int
201 isakmp_handler(ctx, so_isakmp)
202 void *ctx;
203 int so_isakmp;
204 {
205 struct isakmp isakmp;
206 union {
207 char buf[sizeof (isakmp) + 4];
208 u_int32_t non_esp[2];
209 struct {
210 struct udphdr udp;
211 #ifdef __linux
212 struct iphdr ip;
213 #else
214 struct ip ip;
215 #endif
216 char buf[sizeof(isakmp) + 4];
217 } lbuf;
218 } x;
219 struct sockaddr_storage remote;
220 struct sockaddr_storage local;
221 unsigned int remote_len = sizeof(remote);
222 unsigned int local_len = sizeof(local);
223 int len = 0, extralen = 0;
224 vchar_t *buf = NULL, *tmpbuf = NULL;
225 int error = -1, res;
226
227 /* read message by MSG_PEEK */
228 while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
229 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
230 (struct sockaddr *)&local, &local_len)) < 0) {
231 if (errno == EINTR)
232 continue;
233 plog(LLV_ERROR, LOCATION, NULL,
234 "failed to receive isakmp packet: %s\n",
235 strerror (errno));
236 goto end;
237 }
238
239 /* keep-alive packet - ignore */
240 if (len == 1 && (x.buf[0]&0xff) == 0xff) {
241 /* Pull the keep-alive packet */
242 if ((len = recvfrom(so_isakmp, (char *)x.buf, 1,
243 0, (struct sockaddr *)&remote, &remote_len)) != 1) {
244 plog(LLV_ERROR, LOCATION, NULL,
245 "failed to receive keep alive packet: %s\n",
246 strerror (errno));
247 }
248 goto end;
249 }
250
251 /* Lucent IKE in UDP encapsulation */
252 {
253 #ifdef __linux__
254 if (ntohs(x.lbuf.udp.dest) == 501) {
255 extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ihl;
256 }
257 #else
258 if (ntohs(x.lbuf.udp.uh_dport) == 501) {
259 extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
260 }
261 #endif
262 }
263
264 #ifdef ENABLE_NATT
265 /* we don't know about portchange yet,
266 look for non-esp marker instead */
267 if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
268 extralen = NON_ESP_MARKER_LEN;
269 #endif
270
271 /* now we know if there is an extra non-esp
272 marker at the beginning or not */
273 memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
274
275 /* check isakmp header length, as well as sanity of header length */
276 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
277 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
278 "packet shorter than isakmp header size (%u, %u, %zu)\n",
279 len, ntohl(isakmp.len), sizeof(isakmp));
280 /* dummy receive */
281 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
282 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
283 plog(LLV_ERROR, LOCATION, NULL,
284 "failed to receive isakmp packet: %s\n",
285 strerror (errno));
286 }
287 goto end;
288 }
289
290 /* reject it if the size is tooooo big. */
291 if (ntohl(isakmp.len) > 0xffff) {
292 plog(LLV_ERROR, LOCATION, NULL,
293 "the length in the isakmp header is too big.\n");
294 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
295 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
296 plog(LLV_ERROR, LOCATION, NULL,
297 "failed to receive isakmp packet: %s\n",
298 strerror (errno));
299 }
300 goto end;
301 }
302
303 /* read real message */
304 if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) {
305 plog(LLV_ERROR, LOCATION, NULL,
306 "failed to allocate reading buffer (%u Bytes)\n",
307 ntohl(isakmp.len) + extralen);
308 /* dummy receive */
309 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
310 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
311 plog(LLV_ERROR, LOCATION, NULL,
312 "failed to receive isakmp packet: %s\n",
313 strerror (errno));
314 }
315 goto end;
316 }
317
318 while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
319 0, (struct sockaddr *)&remote, &remote_len,
320 (struct sockaddr *)&local, &local_len)) < 0) {
321 if (errno == EINTR)
322 continue;
323 plog(LLV_ERROR, LOCATION, NULL,
324 "failed to receive isakmp packet: %s\n",
325 strerror (errno));
326 goto end;
327 }
328
329 if ((buf = vmalloc(len - extralen)) == NULL) {
330 plog(LLV_ERROR, LOCATION, NULL,
331 "failed to allocate reading buffer (%u Bytes)\n",
332 (len - extralen));
333 goto end;
334 }
335
336 memcpy (buf->v, tmpbuf->v + extralen, buf->l);
337
338 len -= extralen;
339
340 if (len != buf->l) {
341 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
342 "received invalid length (%d != %zu), why ?\n",
343 len, buf->l);
344 goto end;
345 }
346
347 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
348 plog(LLV_DEBUG, LOCATION, NULL,
349 "%d bytes message received %s\n",
350 len, saddr2str_fromto("from %s to %s",
351 (struct sockaddr *)&remote,
352 (struct sockaddr *)&local));
353 plogdump(LLV_DEBUG, buf->v, buf->l);
354
355 /* avoid packets with malicious port/address */
356 if (extract_port((struct sockaddr *)&remote) == 0) {
357 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
358 "src port == 0 (valid as UDP but not with IKE)\n");
359 goto end;
360 }
361
362 /* XXX: check sender whether to be allowed or not to accept */
363
364 /* XXX: I don't know how to check isakmp half connection attack. */
365
366 /* simply reply if the packet was processed. */
367 res=check_recvdpkt((struct sockaddr *)&remote,(struct sockaddr *)&local, buf);
368 if (res) {
369 plog(LLV_NOTIFY, LOCATION, NULL,
370 "the packet is retransmitted by %s (%d).\n",
371 saddr2str((struct sockaddr *)&remote), res);
372 error = 0;
373 goto end;
374 }
375
376 /* isakmp main routine */
377 if (isakmp_main(buf, (struct sockaddr *)&remote,
378 (struct sockaddr *)&local) != 0) goto end;
379
380 error = 0;
381
382 end:
383 if (tmpbuf != NULL)
384 vfree(tmpbuf);
385 if (buf != NULL)
386 vfree(buf);
387 return error;
388 }
389
390 /*
391 * main processing to handle isakmp payload
392 */
393 static int
394 isakmp_main(msg, remote, local)
395 vchar_t *msg;
396 struct sockaddr *remote, *local;
397 {
398 struct isakmp *isakmp = (struct isakmp *)msg->v;
399 isakmp_index *index = (isakmp_index *)isakmp;
400 u_int32_t msgid = isakmp->msgid;
401 struct ph1handle *iph1;
402
403 #ifdef HAVE_PRINT_ISAKMP_C
404 isakmp_printpacket(msg, remote, local, 0);
405 #endif
406
407 /* the initiator's cookie must not be zero */
408 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
409 plog(LLV_ERROR, LOCATION, remote,
410 "malformed cookie received.\n");
411 return -1;
412 }
413
414 /* Check the Major and Minor Version fields. */
415 /*
416 * XXX Is is right to check version here ?
417 * I think it may no be here because the version depends
418 * on exchange status.
419 */
420 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
421 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
422 plog(LLV_ERROR, LOCATION, remote,
423 "invalid major version %d.\n",
424 ISAKMP_GETMAJORV(isakmp->v));
425 return -1;
426 }
427 #if ISAKMP_MINOR_VERSION > 0
428 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
429 plog(LLV_ERROR, LOCATION, remote,
430 "invalid minor version %d.\n",
431 ISAKMP_GETMINORV(isakmp->v));
432 return -1;
433 }
434 #endif
435 }
436
437 /* check the Flags field. */
438 /* XXX How is the exclusive check, E and A ? */
439 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
440 plog(LLV_ERROR, LOCATION, remote,
441 "invalid flag 0x%02x.\n", isakmp->flags);
442 return -1;
443 }
444
445 /* ignore commit bit. */
446 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
447 if (isakmp->msgid == 0) {
448 isakmp_info_send_nx(isakmp, remote, local,
449 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
450 plog(LLV_ERROR, LOCATION, remote,
451 "Commit bit on phase1 forbidden.\n");
452 return -1;
453 }
454 }
455
456 iph1 = getph1byindex(index);
457 if (iph1 != NULL) {
458 /* validity check */
459 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
460 iph1->side == INITIATOR) {
461 plog(LLV_DEBUG, LOCATION, remote,
462 "malformed cookie received or "
463 "the initiator's cookies collide.\n");
464 return -1;
465 }
466
467 #ifdef ENABLE_NATT
468 /* Floating ports for NAT-T */
469 if (NATT_AVAILABLE(iph1) &&
470 ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
471 ((cmpsaddr(iph1->remote, remote) != 0) ||
472 (cmpsaddr(iph1->local, local) != 0)))
473 {
474 /* prevent memory leak */
475 racoon_free(iph1->remote);
476 racoon_free(iph1->local);
477 iph1->remote = NULL;
478 iph1->local = NULL;
479
480 /* copy-in new addresses */
481 iph1->remote = dupsaddr(remote);
482 if (iph1->remote == NULL) {
483 plog(LLV_ERROR, LOCATION, iph1->remote,
484 "phase1 failed: dupsaddr failed.\n");
485 remph1(iph1);
486 delph1(iph1);
487 return -1;
488 }
489 iph1->local = dupsaddr(local);
490 if (iph1->local == NULL) {
491 plog(LLV_ERROR, LOCATION, iph1->remote,
492 "phase1 failed: dupsaddr failed.\n");
493 remph1(iph1);
494 delph1(iph1);
495 return -1;
496 }
497
498 /* set the flag to prevent further port floating
499 (FIXME: should we allow it? E.g. when the NAT gw
500 is rebooted?) */
501 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
502
503 /* print some neat info */
504 plog (LLV_INFO, LOCATION, NULL,
505 "NAT-T: ports changed to: %s\n",
506 saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
507
508 natt_keepalive_add_ph1 (iph1);
509 }
510 #endif
511
512 /* must be same addresses in one stream of a phase at least. */
513 if (cmpsaddr(iph1->remote, remote) != 0) {
514 char *saddr_db, *saddr_act;
515
516 saddr_db = racoon_strdup(saddr2str(iph1->remote));
517 saddr_act = racoon_strdup(saddr2str(remote));
518 STRDUP_FATAL(saddr_db);
519 STRDUP_FATAL(saddr_act);
520
521 plog(LLV_WARNING, LOCATION, remote,
522 "remote address mismatched. db=%s, act=%s\n",
523 saddr_db, saddr_act);
524
525 racoon_free(saddr_db);
526 racoon_free(saddr_act);
527 }
528
529 /*
530 * don't check of exchange type here because other type will be
531 * with same index, for example, informational exchange.
532 */
533
534 /* XXX more acceptable check */
535 }
536
537 switch (isakmp->etype) {
538 case ISAKMP_ETYPE_IDENT:
539 case ISAKMP_ETYPE_AGG:
540 case ISAKMP_ETYPE_BASE:
541 /* phase 1 validity check */
542 if (isakmp->msgid != 0) {
543 plog(LLV_ERROR, LOCATION, remote,
544 "message id should be zero in phase1.\n");
545 return -1;
546 }
547
548 /* search for isakmp status record of phase 1 */
549 if (iph1 == NULL) {
550 /*
551 * the packet must be the 1st message from a initiator
552 * or the 2nd message from the responder.
553 */
554
555 /* search for phase1 handle by index without r_ck */
556 iph1 = getph1byindex0(index);
557 if (iph1 == NULL) {
558 /*it must be the 1st message from a initiator.*/
559 if (memcmp(&isakmp->r_ck, r_ck0,
560 sizeof(cookie_t)) != 0) {
561
562 plog(LLV_DEBUG, LOCATION, remote,
563 "malformed cookie received "
564 "or the spi expired.\n");
565 return -1;
566 }
567
568 /* it must be responder's 1st exchange. */
569 if (isakmp_ph1begin_r(msg, remote, local,
570 isakmp->etype) < 0)
571 return -1;
572 break;
573
574 /*NOTREACHED*/
575 }
576
577 /* it must be the 2nd message from the responder. */
578 if (iph1->side != INITIATOR) {
579 plog(LLV_DEBUG, LOCATION, remote,
580 "malformed cookie received. "
581 "it has to be as the initiator. %s\n",
582 isakmp_pindex(&iph1->index, 0));
583 return -1;
584 }
585 }
586
587 /*
588 * Don't delete phase 1 handler when the exchange type
589 * in handler is not equal to packet's one because of no
590 * authencication completed.
591 */
592 if (iph1->etype != isakmp->etype) {
593 plog(LLV_ERROR, LOCATION, iph1->remote,
594 "exchange type is mismatched: "
595 "db=%s packet=%s, ignore it.\n",
596 s_isakmp_etype(iph1->etype),
597 s_isakmp_etype(isakmp->etype));
598 return -1;
599 }
600
601 #ifdef ENABLE_FRAG
602 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
603 return frag_handler(iph1, msg, remote, local);
604 #endif
605
606 /* call main process of phase 1 */
607 if (ph1_main(iph1, msg) < 0) {
608 plog(LLV_ERROR, LOCATION, iph1->remote,
609 "phase1 negotiation failed.\n");
610 remph1(iph1);
611 delph1(iph1);
612 return -1;
613 }
614 break;
615
616 case ISAKMP_ETYPE_AUTH:
617 plog(LLV_INFO, LOCATION, remote,
618 "unsupported exchange %d received.\n",
619 isakmp->etype);
620 break;
621
622 case ISAKMP_ETYPE_INFO:
623 case ISAKMP_ETYPE_ACKINFO:
624 /*
625 * iph1 must be present for Information message.
626 * if iph1 is null then trying to get the phase1 status
627 * as the packet from responder againt initiator's 1st
628 * exchange in phase 1.
629 * NOTE: We think such informational exchange should be ignored.
630 */
631 if (iph1 == NULL) {
632 iph1 = getph1byindex0(index);
633 if (iph1 == NULL) {
634 plog(LLV_ERROR, LOCATION, remote,
635 "unknown Informational "
636 "exchange received.\n");
637 return -1;
638 }
639 if (cmpsaddr(iph1->remote, remote) != 0) {
640 plog(LLV_WARNING, LOCATION, remote,
641 "remote address mismatched. "
642 "db=%s\n",
643 saddr2str(iph1->remote));
644 }
645 }
646
647 #ifdef ENABLE_FRAG
648 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
649 return frag_handler(iph1, msg, remote, local);
650 #endif
651
652 if (isakmp_info_recv(iph1, msg) < 0)
653 return -1;
654 break;
655
656 case ISAKMP_ETYPE_QUICK:
657 {
658 struct ph2handle *iph2;
659
660 if (iph1 == NULL) {
661 isakmp_info_send_nx(isakmp, remote, local,
662 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
663 plog(LLV_ERROR, LOCATION, remote,
664 "can't start the quick mode, "
665 "there is no ISAKMP-SA, %s\n",
666 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
667 isakmp->msgid));
668 return -1;
669 }
670 #ifdef ENABLE_HYBRID
671 /* Reinit the IVM if it's still there */
672 if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
673 oakley_delivm(iph1->mode_cfg->ivm);
674 iph1->mode_cfg->ivm = NULL;
675 }
676 #endif
677 #ifdef ENABLE_FRAG
678 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
679 return frag_handler(iph1, msg, remote, local);
680 #endif
681
682 /* check status of phase 1 whether negotiated or not. */
683 if (iph1->status != PHASE1ST_ESTABLISHED &&
684 iph1->status != PHASE1ST_DYING) {
685 plog(LLV_ERROR, LOCATION, remote,
686 "can't start the quick mode, "
687 "there is no valid ISAKMP-SA, %s\n",
688 isakmp_pindex(&iph1->index, iph1->msgid));
689 return -1;
690 }
691
692 /* search isakmp phase 2 stauts record. */
693 iph2 = getph2bymsgid(iph1, msgid);
694 if (iph2 == NULL) {
695 /* it must be new negotiation as responder */
696 if (isakmp_ph2begin_r(iph1, msg) < 0)
697 return -1;
698 return 0;
699 /*NOTREACHED*/
700 }
701
702 /* commit bit. */
703 /* XXX
704 * we keep to set commit bit during negotiation.
705 * When SA is configured, bit will be reset.
706 * XXX
707 * don't initiate commit bit. should be fixed in the future.
708 */
709 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
710 iph2->flags |= ISAKMP_FLAG_C;
711
712 /* call main process of quick mode */
713 if (quick_main(iph2, msg) < 0) {
714 plog(LLV_ERROR, LOCATION, iph1->remote,
715 "phase2 negotiation failed.\n");
716 remph2(iph2);
717 delph2(iph2);
718 return -1;
719 }
720 }
721 break;
722
723 case ISAKMP_ETYPE_NEWGRP:
724 if (iph1 == NULL) {
725 plog(LLV_ERROR, LOCATION, remote,
726 "Unknown new group mode exchange, "
727 "there is no ISAKMP-SA.\n");
728 return -1;
729 }
730
731 #ifdef ENABLE_FRAG
732 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
733 return frag_handler(iph1, msg, remote, local);
734 #endif
735
736 isakmp_newgroup_r(iph1, msg);
737 break;
738
739 #ifdef ENABLE_HYBRID
740 case ISAKMP_ETYPE_CFG:
741 if (iph1 == NULL) {
742 plog(LLV_ERROR, LOCATION, NULL,
743 "mode config %d from %s, "
744 "but we have no ISAKMP-SA.\n",
745 isakmp->etype, saddr2str(remote));
746 return -1;
747 }
748
749 #ifdef ENABLE_FRAG
750 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
751 return frag_handler(iph1, msg, remote, local);
752 #endif
753
754 isakmp_cfg_r(iph1, msg);
755 break;
756 #endif
757
758 case ISAKMP_ETYPE_NONE:
759 default:
760 plog(LLV_ERROR, LOCATION, NULL,
761 "Invalid exchange type %d from %s.\n",
762 isakmp->etype, saddr2str(remote));
763 return -1;
764 }
765
766 return 0;
767 }
768
769 /*
770 * main function of phase 1.
771 */
772 static int
773 ph1_main(iph1, msg)
774 struct ph1handle *iph1;
775 vchar_t *msg;
776 {
777 int error;
778 #ifdef ENABLE_STATS
779 struct timeval start, end;
780 #endif
781
782 /* ignore a packet */
783 if (iph1->status >= PHASE1ST_ESTABLISHED)
784 return 0;
785
786 #ifdef ENABLE_STATS
787 gettimeofday(&start, NULL);
788 #endif
789 /* receive */
790 if (ph1exchange[etypesw1(iph1->etype)]
791 [iph1->side]
792 [iph1->status] == NULL) {
793 plog(LLV_ERROR, LOCATION, iph1->remote,
794 "why isn't the function defined.\n");
795 return -1;
796 }
797 error = (ph1exchange[etypesw1(iph1->etype)]
798 [iph1->side]
799 [iph1->status])(iph1, msg);
800 if (error != 0) {
801
802 /* XXX
803 * When an invalid packet is received on phase1, it should
804 * be selected to process this packet. That is to respond
805 * with a notify and delete phase 1 handler, OR not to respond
806 * and keep phase 1 handler. However, in PHASE1ST_START when
807 * acting as RESPONDER we must not keep phase 1 handler or else
808 * it will stay forever.
809 */
810
811 if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
812 plog(LLV_ERROR, LOCATION, iph1->remote,
813 "failed to pre-process packet.\n");
814 return -1;
815 } else {
816 /* ignore the error and keep phase 1 handler */
817 return 0;
818 }
819 }
820
821 #ifndef ENABLE_FRAG
822 /* free resend buffer */
823 if (iph1->sendbuf == NULL) {
824 plog(LLV_ERROR, LOCATION, NULL,
825 "no buffer found as sendbuf\n");
826 return -1;
827 }
828 #endif
829
830 VPTRINIT(iph1->sendbuf);
831
832 /* turn off schedule */
833 sched_cancel(&iph1->scr);
834
835 /* send */
836 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
837 if ((ph1exchange[etypesw1(iph1->etype)]
838 [iph1->side]
839 [iph1->status])(iph1, msg) != 0) {
840 plog(LLV_ERROR, LOCATION, iph1->remote,
841 "failed to process packet.\n");
842 return -1;
843 }
844
845 #ifdef ENABLE_STATS
846 gettimeofday(&end, NULL);
847 syslog(LOG_NOTICE, "%s(%s): %8.6f",
848 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
849 timedelta(&start, &end));
850 #endif
851 if (iph1->status == PHASE1ST_ESTABLISHED) {
852
853 #ifdef ENABLE_STATS
854 gettimeofday(&iph1->end, NULL);
855 syslog(LOG_NOTICE, "%s(%s): %8.6f",
856 "phase1", s_isakmp_etype(iph1->etype),
857 timedelta(&iph1->start, &iph1->end));
858 #endif
859
860 /* save created date. */
861 (void)time(&iph1->created);
862
863 /* migrate ph2s from dying ph1s */
864 migrate_dying_ph12(iph1);
865
866 /* add to the schedule to expire, and seve back pointer. */
867 if ((iph1->rmconf->rekey == REKEY_FORCE)
868 #ifdef ENABLE_DPD
869 ||
870 (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
871 iph1->rmconf->dpd_interval)
872 #endif
873 ) {
874 sched_schedule(&iph1->sce,
875 iph1->approval->lifetime *
876 PFKEY_SOFT_LIFETIME_RATE / 100,
877 isakmp_ph1dying_stub);
878 } else {
879 sched_schedule(&iph1->sce, iph1->approval->lifetime,
880 isakmp_ph1expire_stub);
881 }
882
883 #ifdef ENABLE_HYBRID
884 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
885 switch (iph1->approval->authmethod) {
886 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
887 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
888 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
889 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
890 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
891 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
892 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
893 xauth_sendreq(iph1);
894 /* XXX Don't process INITIAL_CONTACT */
895 iph1->rmconf->ini_contact = 0;
896 break;
897 default:
898 break;
899 }
900 }
901 #endif
902 #ifdef ENABLE_DPD
903 /* Schedule the r_u_there.... */
904 if(iph1->dpd_support && iph1->rmconf->dpd_interval)
905 isakmp_sched_r_u(iph1, 0);
906 #endif
907
908 /* INITIAL-CONTACT processing */
909 /* don't anything if local test mode. */
910 if (!f_local
911 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
912 /* send INITIAL-CONTACT */
913 isakmp_info_send_n1(iph1,
914 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
915 /* insert a node into contacted list. */
916 if (inscontacted(iph1->remote) == -1) {
917 plog(LLV_ERROR, LOCATION, iph1->remote,
918 "failed to add contacted list.\n");
919 /* ignore */
920 }
921 }
922 if (iph1->initial_contact_received)
923 isakmp_info_recv_initialcontact(iph1, NULL);
924
925 log_ph1established(iph1);
926 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
927
928 /*
929 * SA up shell script hook: do it now,except if
930 * ISAKMP mode config was requested. In the later
931 * case it is done when we receive the configuration.
932 */
933 if ((iph1->status == PHASE1ST_ESTABLISHED) &&
934 !iph1->rmconf->mode_cfg) {
935 switch (iph1->approval->authmethod) {
936 #ifdef ENABLE_HYBRID
937 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
938 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
939 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
940 /* Unimplemeted... */
941 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
942 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
943 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
944 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
945 break;
946 #endif
947 default:
948 script_hook(iph1, SCRIPT_PHASE1_UP);
949 break;
950 }
951 }
952 }
953
954 return 0;
955 }
956
957 /*
958 * main function of quick mode.
959 */
960 static int
961 quick_main(iph2, msg)
962 struct ph2handle *iph2;
963 vchar_t *msg;
964 {
965 struct isakmp *isakmp = (struct isakmp *)msg->v;
966 int error;
967 #ifdef ENABLE_STATS
968 struct timeval start, end;
969 #endif
970
971 /* ignore a packet */
972 if (iph2->status == PHASE2ST_ESTABLISHED
973 || iph2->status == PHASE2ST_GETSPISENT)
974 return 0;
975
976 #ifdef ENABLE_STATS
977 gettimeofday(&start, NULL);
978 #endif
979
980 /* receive */
981 if (ph2exchange[etypesw2(isakmp->etype)]
982 [iph2->side]
983 [iph2->status] == NULL) {
984 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
985 "why isn't the function defined.\n");
986 return -1;
987 }
988 error = (ph2exchange[etypesw2(isakmp->etype)]
989 [iph2->side]
990 [iph2->status])(iph2, msg);
991 if (error != 0) {
992 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
993 "failed to pre-process packet.\n");
994 if (error == ISAKMP_INTERNAL_ERROR)
995 return 0;
996 isakmp_info_send_n1(iph2->ph1, error, NULL);
997 return -1;
998 }
999
1000 /* when using commit bit, status will be reached here. */
1001 if (iph2->status == PHASE2ST_ADDSA)
1002 return 0;
1003
1004 /* free resend buffer */
1005 if (iph2->sendbuf == NULL) {
1006 plog(LLV_ERROR, LOCATION, NULL,
1007 "no buffer found as sendbuf\n");
1008 return -1;
1009 }
1010 VPTRINIT(iph2->sendbuf);
1011
1012 /* turn off schedule */
1013 sched_cancel(&iph2->scr);
1014
1015 /* send */
1016 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1017 if ((ph2exchange[etypesw2(isakmp->etype)]
1018 [iph2->side]
1019 [iph2->status])(iph2, msg) != 0) {
1020 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1021 "failed to process packet.\n");
1022 return -1;
1023 }
1024
1025 #ifdef ENABLE_STATS
1026 gettimeofday(&end, NULL);
1027 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1028 "phase2",
1029 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1030 timedelta(&start, &end));
1031 #endif
1032
1033 return 0;
1034 }
1035
1036 /* new negotiation of phase 1 for initiator */
1037 struct ph1handle *
1038 isakmp_ph1begin_i(rmconf, remote, local)
1039 struct remoteconf *rmconf;
1040 struct sockaddr *remote, *local;
1041 {
1042 struct ph1handle *iph1;
1043 #ifdef ENABLE_STATS
1044 struct timeval start, end;
1045 #endif
1046
1047 /* get new entry to isakmp status table. */
1048 iph1 = newph1();
1049 if (iph1 == NULL)
1050 return NULL;
1051
1052 iph1->status = PHASE1ST_START;
1053 iph1->rmconf = rmconf;
1054 iph1->side = INITIATOR;
1055 iph1->version = ISAKMP_VERSION_NUMBER;
1056 iph1->msgid = 0;
1057 iph1->flags = 0;
1058 iph1->ph2cnt = 0;
1059 #ifdef HAVE_GSSAPI
1060 iph1->gssapi_state = NULL;
1061 #endif
1062 #ifdef ENABLE_HYBRID
1063 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1064 delph1(iph1);
1065 return NULL;
1066 }
1067 #endif
1068 #ifdef ENABLE_FRAG
1069
1070 if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
1071 iph1->frag = 1;
1072 else
1073 iph1->frag = 0;
1074 iph1->frag_chain = NULL;
1075 #endif
1076 iph1->approval = NULL;
1077
1078 /* XXX copy remote address */
1079 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
1080 delph1(iph1);
1081 return NULL;
1082 }
1083
1084 (void)insph1(iph1);
1085
1086 /* start phase 1 exchange */
1087 iph1->etype = rmconf->etypes->type;
1088
1089 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1090 {
1091 char *a;
1092
1093 a = racoon_strdup(saddr2str(iph1->local));
1094 STRDUP_FATAL(a);
1095
1096 plog(LLV_INFO, LOCATION, NULL,
1097 "initiate new phase 1 negotiation: %s<=>%s\n",
1098 a, saddr2str(iph1->remote));
1099 racoon_free(a);
1100 }
1101 plog(LLV_INFO, LOCATION, NULL,
1102 "begin %s mode.\n",
1103 s_isakmp_etype(iph1->etype));
1104
1105 #ifdef ENABLE_STATS
1106 gettimeofday(&iph1->start, NULL);
1107 gettimeofday(&start, NULL);
1108 #endif
1109 /* start exchange */
1110 if ((ph1exchange[etypesw1(iph1->etype)]
1111 [iph1->side]
1112 [iph1->status])(iph1, NULL) != 0) {
1113 /* failed to start phase 1 negotiation */
1114 remph1(iph1);
1115 delph1(iph1);
1116
1117 return NULL;
1118 }
1119
1120 #ifdef ENABLE_STATS
1121 gettimeofday(&end, NULL);
1122 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1123 "phase1",
1124 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1125 timedelta(&start, &end));
1126 #endif
1127
1128 return iph1;
1129 }
1130
1131 /* new negotiation of phase 1 for responder */
1132 static int
1133 isakmp_ph1begin_r(msg, remote, local, etype)
1134 vchar_t *msg;
1135 struct sockaddr *remote, *local;
1136 u_int8_t etype;
1137 {
1138 struct isakmp *isakmp = (struct isakmp *)msg->v;
1139 struct ph1handle *iph1;
1140 struct rmconfselector rmsel;
1141 #ifdef ENABLE_STATS
1142 struct timeval start, end;
1143 #endif
1144
1145 /* check if this etype is allowed */
1146 memset(&rmsel, 0, sizeof(rmsel));
1147 rmsel.remote = remote;
1148 if (enumrmconf(&rmsel, check_etypeok, (void *) (intptr_t) etype) == 0) {
1149 plog(LLV_ERROR, LOCATION, remote,
1150 "exchange %s not allowed in any applicable rmconf.\n",
1151 s_isakmp_etype(etype));
1152 return -1;
1153 }
1154
1155 /* get new entry to isakmp status table. */
1156 iph1 = newph1();
1157 if (iph1 == NULL)
1158 return -1;
1159
1160 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1161 iph1->status = PHASE1ST_START;
1162 iph1->flags = 0;
1163 iph1->side = RESPONDER;
1164 iph1->etype = etype;
1165 iph1->version = isakmp->v;
1166 iph1->msgid = 0;
1167 #ifdef HAVE_GSSAPI
1168 iph1->gssapi_state = NULL;
1169 #endif
1170 #ifdef ENABLE_HYBRID
1171 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1172 delph1(iph1);
1173 return -1;
1174 }
1175 #endif
1176 #ifdef ENABLE_FRAG
1177 iph1->frag = 0;
1178 iph1->frag_chain = NULL;
1179 #endif
1180 iph1->approval = NULL;
1181
1182 #ifdef ENABLE_NATT
1183 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
1184 * We have to setup this flag now to correctly generate the first reply.
1185 * Don't know if a better check could be done for that ?
1186 */
1187 if(extract_port(local) == lcconf->port_isakmp_natt)
1188 iph1->natt_flags |= (NAT_PORTS_CHANGED);
1189 #endif
1190
1191 /* copy remote address; remote and local always contain
1192 * port numbers so rmconf is not needed */
1193 if (copy_ph1addresses(iph1, NULL, remote, local) < 0) {
1194 delph1(iph1);
1195 return -1;
1196 }
1197 (void)insph1(iph1);
1198
1199 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1200 {
1201 char *a;
1202
1203 a = racoon_strdup(saddr2str(iph1->local));
1204 STRDUP_FATAL(a);
1205
1206 plog(LLV_INFO, LOCATION, NULL,
1207 "respond new phase 1 negotiation: %s<=>%s\n",
1208 a, saddr2str(iph1->remote));
1209 racoon_free(a);
1210 }
1211 plog(LLV_INFO, LOCATION, NULL,
1212 "begin %s mode.\n", s_isakmp_etype(etype));
1213
1214 #ifdef ENABLE_STATS
1215 gettimeofday(&iph1->start, NULL);
1216 gettimeofday(&start, NULL);
1217 #endif
1218
1219 #ifndef ENABLE_FRAG
1220
1221 /* start exchange */
1222 if ((ph1exchange[etypesw1(iph1->etype)]
1223 [iph1->side]
1224 [iph1->status])(iph1, msg) < 0
1225 || (ph1exchange[etypesw1(iph1->etype)]
1226 [iph1->side]
1227 [iph1->status])(iph1, msg) < 0) {
1228 plog(LLV_ERROR, LOCATION, remote,
1229 "failed to process packet.\n");
1230 remph1(iph1);
1231 delph1(iph1);
1232 return -1;
1233 }
1234
1235 #ifdef ENABLE_STATS
1236 gettimeofday(&end, NULL);
1237 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1238 "phase1",
1239 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1240 timedelta(&start, &end));
1241 #endif
1242
1243 return 0;
1244
1245 #else /* ENABLE_FRAG */
1246
1247 /* now that we have a phase1 handle, feed back into our
1248 * main receive function to catch fragmented packets
1249 */
1250
1251 return isakmp_main(msg, remote, local);
1252
1253 #endif /* ENABLE_FRAG */
1254
1255 }
1256
1257 /* new negotiation of phase 2 for initiator */
1258 static int
1259 isakmp_ph2begin_i(iph1, iph2)
1260 struct ph1handle *iph1;
1261 struct ph2handle *iph2;
1262 {
1263 #ifdef ENABLE_HYBRID
1264 if (xauth_check(iph1) != 0) {
1265 plog(LLV_ERROR, LOCATION, NULL,
1266 "Attempt to start phase 2 whereas Xauth failed\n");
1267 return -1;
1268 }
1269 #endif
1270
1271 /* fixup ph2 ports for this ph1 */
1272 if (extract_port(iph2->src) == 0)
1273 set_port(iph2->src, extract_port(iph1->local));
1274 if (extract_port(iph2->dst) == 0)
1275 set_port(iph2->dst, extract_port(iph1->remote));
1276
1277 /* found ISAKMP-SA. */
1278 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1279 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1280 {
1281 char *a;
1282 a = racoon_strdup(saddr2str(iph2->src));
1283 STRDUP_FATAL(a);
1284
1285 plog(LLV_INFO, LOCATION, NULL,
1286 "initiate new phase 2 negotiation: %s<=>%s\n",
1287 a, saddr2str(iph2->dst));
1288 racoon_free(a);
1289 }
1290
1291 #ifdef ENABLE_STATS
1292 gettimeofday(&iph2->start, NULL);
1293 #endif
1294 if (iph2->status != PHASE2ST_EXPIRED) /* Phase 1 is already bound (ongoing rekeying) */
1295 bindph12(iph1, iph2);
1296 iph2->status = PHASE2ST_STATUS2;
1297
1298 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1299 [iph2->side]
1300 [iph2->status])(iph2, NULL) < 0) {
1301 /* release ipsecsa handler due to internal error. */
1302 remph2(iph2);
1303 return -1;
1304 }
1305 return 0;
1306 }
1307
1308 /* new negotiation of phase 2 for responder */
1309 static int
1310 isakmp_ph2begin_r(iph1, msg)
1311 struct ph1handle *iph1;
1312 vchar_t *msg;
1313 {
1314 struct isakmp *isakmp = (struct isakmp *)msg->v;
1315 struct ph2handle *iph2 = 0;
1316 int error;
1317 #ifdef ENABLE_STATS
1318 struct timeval start, end;
1319 #endif
1320 #ifdef ENABLE_HYBRID
1321 if (xauth_check(iph1) != 0) {
1322 plog(LLV_ERROR, LOCATION, NULL,
1323 "Attempt to start phase 2 whereas Xauth failed\n");
1324 return -1;
1325 }
1326 #endif
1327
1328 iph2 = newph2();
1329 if (iph2 == NULL) {
1330 plog(LLV_ERROR, LOCATION, NULL,
1331 "failed to allocate phase2 entry.\n");
1332 return -1;
1333 }
1334
1335 iph2->side = RESPONDER;
1336 iph2->status = PHASE2ST_START;
1337 iph2->flags = isakmp->flags;
1338 iph2->msgid = isakmp->msgid;
1339 iph2->seq = pk_getseq();
1340 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1341 if (iph2->ivm == NULL) {
1342 delph2(iph2);
1343 return -1;
1344 }
1345 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1346 if (iph2->dst == NULL) {
1347 delph2(iph2);
1348 return -1;
1349 }
1350 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1351 if (iph2->src == NULL) {
1352 delph2(iph2);
1353 return -1;
1354 }
1355
1356 /* add new entry to isakmp status table */
1357 insph2(iph2);
1358 bindph12(iph1, iph2);
1359
1360 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1361 {
1362 char *a;
1363
1364 a = racoon_strdup(saddr2str(iph2->src));
1365 STRDUP_FATAL(a);
1366
1367 plog(LLV_INFO, LOCATION, NULL,
1368 "respond new phase 2 negotiation: %s<=>%s\n",
1369 a, saddr2str(iph2->dst));
1370 racoon_free(a);
1371 }
1372
1373 #ifdef ENABLE_STATS
1374 gettimeofday(&start, NULL);
1375 #endif
1376
1377 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1378 [iph2->side]
1379 [iph2->status])(iph2, msg);
1380 if (error != 0) {
1381 plog(LLV_ERROR, LOCATION, iph1->remote,
1382 "failed to pre-process packet.\n");
1383 if (error != ISAKMP_INTERNAL_ERROR)
1384 isakmp_info_send_n1(iph2->ph1, error, NULL);
1385 /*
1386 * release handler because it's wrong that ph2handle is kept
1387 * after failed to check message for responder's.
1388 */
1389 remph2(iph2);
1390 delph2(iph2);
1391 return -1;
1392 }
1393
1394 /* send */
1395 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1396 if ((ph2exchange[etypesw2(isakmp->etype)]
1397 [iph2->side]
1398 [iph2->status])(iph2, msg) < 0) {
1399 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1400 "failed to process packet.\n");
1401 /* don't release handler */
1402 return -1;
1403 }
1404 #ifdef ENABLE_STATS
1405 gettimeofday(&end, NULL);
1406 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1407 "phase2",
1408 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1409 timedelta(&start, &end));
1410 #endif
1411
1412 return 0;
1413 }
1414
1415 /*
1416 * parse ISAKMP payloads, without ISAKMP base header.
1417 */
1418 vchar_t *
1419 isakmp_parsewoh(np0, gen, len)
1420 int np0;
1421 struct isakmp_gen *gen;
1422 int len;
1423 {
1424 u_char np = np0 & 0xff;
1425 int tlen, plen;
1426 vchar_t *result;
1427 struct isakmp_parse_t *p, *ep;
1428
1429 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1430
1431 /*
1432 * 5 is a magic number, but any value larger than 2 should be fine
1433 * as we do vrealloc() in the following loop.
1434 */
1435 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1436 if (result == NULL) {
1437 plog(LLV_ERROR, LOCATION, NULL,
1438 "failed to get buffer.\n");
1439 return NULL;
1440 }
1441 p = (struct isakmp_parse_t *)result->v;
1442 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1443
1444 tlen = len;
1445
1446 /* parse through general headers */
1447 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1448 if (tlen <= sizeof(struct isakmp_gen)) {
1449 /* don't send information, see isakmp_ident_r1() */
1450 plog(LLV_ERROR, LOCATION, NULL,
1451 "invalid length of payload\n");
1452 vfree(result);
1453 return NULL;
1454 }
1455
1456 plog(LLV_DEBUG, LOCATION, NULL,
1457 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1458
1459 p->type = np;
1460 p->len = ntohs(gen->len);
1461 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
1462 plog(LLV_DEBUG, LOCATION, NULL,
1463 "invalid length of payload\n");
1464 vfree(result);
1465 return NULL;
1466 }
1467 p->ptr = gen;
1468 p++;
1469 if (ep <= p) {
1470 int off;
1471
1472 off = p - (struct isakmp_parse_t *)result->v;
1473 result = vrealloc(result, result->l * 2);
1474 if (result == NULL) {
1475 plog(LLV_DEBUG, LOCATION, NULL,
1476 "failed to realloc buffer.\n");
1477 vfree(result);
1478 return NULL;
1479 }
1480 ep = (struct isakmp_parse_t *)
1481 (result->v + result->l - sizeof(*ep));
1482 p = (struct isakmp_parse_t *)result->v;
1483 p += off;
1484 }
1485
1486 np = gen->np;
1487 plen = ntohs(gen->len);
1488 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1489 tlen -= plen;
1490 }
1491 p->type = ISAKMP_NPTYPE_NONE;
1492 p->len = 0;
1493 p->ptr = NULL;
1494
1495 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1496
1497 return result;
1498 }
1499
1500 /*
1501 * parse ISAKMP payloads, including ISAKMP base header.
1502 */
1503 vchar_t *
1504 isakmp_parse(buf)
1505 vchar_t *buf;
1506 {
1507 struct isakmp *isakmp = (struct isakmp *)buf->v;
1508 struct isakmp_gen *gen;
1509 int tlen;
1510 vchar_t *result;
1511 u_char np;
1512
1513 np = isakmp->np;
1514 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1515 tlen = buf->l - sizeof(struct isakmp);
1516 result = isakmp_parsewoh(np, gen, tlen);
1517
1518 return result;
1519 }
1520
1521 /* %%% */
1522 int
1523 isakmp_init()
1524 {
1525 /* initialize a isakmp status table */
1526 initph1tree();
1527 initph2tree();
1528 initctdtree();
1529 init_recvdpkt();
1530
1531 return 0;
1532 }
1533
1534 /*
1535 * make strings containing i_cookie + r_cookie + msgid
1536 */
1537 const char *
1538 isakmp_pindex(index, msgid)
1539 const isakmp_index *index;
1540 const u_int32_t msgid;
1541 {
1542 static char buf[64];
1543 const u_char *p;
1544 int i, j;
1545
1546 memset(buf, 0, sizeof(buf));
1547
1548 /* copy index */
1549 p = (const u_char *)index;
1550 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1551 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1552 j += 2;
1553 switch (i) {
1554 case 7:
1555 buf[j++] = ':';
1556 }
1557 }
1558
1559 if (msgid == 0)
1560 return buf;
1561
1562 /* copy msgid */
1563 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1564
1565 return buf;
1566 }
1567
1568 /* open ISAKMP sockets. */
1569 int
1570 isakmp_open(struct sockaddr *addr, int udp_encap)
1571 {
1572 const int yes = 1;
1573 int ifnum = 0, encap_ifnum = 0, fd;
1574 struct sockaddr_in *sin = (struct sockaddr_in *) addr;
1575 #ifdef INET6
1576 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) addr;
1577 int pktinfo;
1578 #endif
1579 #ifdef ENABLE_NATT
1580 int option = -1;
1581 #endif
1582
1583 /* warn if wildcard address - should we forbid this? */
1584 switch (addr->sa_family) {
1585 case AF_INET:
1586 if (sin->sin_addr.s_addr == 0)
1587 plog(LLV_WARNING, LOCATION, NULL,
1588 "listening to wildcard address,"
1589 "broadcast IKE packet may kill you\n");
1590 break;
1591 #ifdef INET6
1592 case AF_INET6:
1593 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) {
1594 plog(LLV_DEBUG, LOCATION, NULL,
1595 "ignoring multicast address %s\n",
1596 saddr2str(addr));
1597 return -1;
1598 }
1599
1600 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
1601 plog(LLV_WARNING, LOCATION, NULL,
1602 "listening to wildcard address, "
1603 "broadcast IKE packet may kill you\n");
1604 break;
1605 #endif
1606 default:
1607 plog(LLV_ERROR, LOCATION, NULL,
1608 "unsupported address family %d\n",
1609 addr->sa_family);
1610 return -1;
1611 }
1612
1613 if ((fd = privsep_socket(addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1614 plog(LLV_ERROR, LOCATION, NULL,
1615 "socket(%s)\n", strerror(errno));
1616 return -1;
1617 }
1618 close_on_exec(fd);
1619 if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1)
1620 plog(LLV_WARNING, LOCATION, NULL,
1621 "failed to put socket in non-blocking mode\n");
1622
1623 /* receive my interface address on inbound packets. */
1624 switch (addr->sa_family) {
1625 case AF_INET:
1626 if (setsockopt(fd, IPPROTO_IP,
1627 #ifdef __linux__
1628 IP_PKTINFO,
1629 #else
1630 IP_RECVDSTADDR,
1631 #endif
1632 (const void *) &yes, sizeof(yes)) < 0) {
1633 plog(LLV_ERROR, LOCATION, NULL,
1634 "setsockopt IP_RECVDSTADDR (%s)\n",
1635 strerror(errno));
1636 goto err;
1637 }
1638
1639 #ifdef ENABLE_NATT
1640 if (udp_encap)
1641 option = UDP_ENCAP_ESPINUDP;
1642 #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01)
1643 else
1644 option = UDP_ENCAP_ESPINUDP_NON_IKE;
1645 #endif
1646 if (option == -1)
1647 break;
1648
1649 if (setsockopt(fd, SOL_UDP,
1650 UDP_ENCAP, &option,
1651 sizeof(option)) < 0) {
1652 plog(LLV_WARNING, LOCATION, NULL,
1653 "setsockopt(%s): UDP_ENCAP %s\n",
1654 option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
1655 strerror(errno));
1656 } else {
1657 plog(LLV_INFO, LOCATION, NULL,
1658 "%s used for NAT-T\n",
1659 saddr2str(addr));
1660 }
1661 #endif
1662 break;
1663
1664 #ifdef INET6
1665 case AF_INET6:
1666 #if defined(INET6_ADVAPI)
1667 #ifdef IPV6_RECVPKTINFO
1668 pktinfo = IPV6_RECVPKTINFO;
1669 #else /* old adv. API */
1670 pktinfo = IPV6_PKTINFO;
1671 #endif /* IPV6_RECVPKTINFO */
1672 #else
1673 pktinfo = IPV6_RECVDSTADDR;
1674 #endif
1675 if (setsockopt(fd, IPPROTO_IPV6, pktinfo,
1676 (const void *) &yes, sizeof(yes)) < 0) {
1677 plog(LLV_ERROR, LOCATION, NULL,
1678 "setsockopt IPV6_RECVDSTADDR (%d):%s\n",
1679 pktinfo, strerror(errno));
1680 goto err;
1681 }
1682
1683 #ifdef IPV6_USE_MIN_MTU
1684 if (setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1685 (void *) &yes, sizeof(yes)) < 0) {
1686 plog(LLV_ERROR, LOCATION, NULL,
1687 "setsockopt IPV6_USE_MIN_MTU (%s)\n",
1688 strerror(errno));
1689 goto err;
1690 }
1691 #endif
1692 break;
1693 #endif
1694 }
1695
1696 if (setsockopt(fd, SOL_SOCKET,
1697 #ifdef __linux__
1698 SO_REUSEADDR,
1699 #else
1700 SO_REUSEPORT,
1701 #endif
1702 (void *) &yes, sizeof(yes)) < 0) {
1703 plog(LLV_ERROR, LOCATION, NULL,
1704 "failed to set REUSE flag on %s (%s).\n",
1705 saddr2str(addr), strerror(errno));
1706 goto err;
1707 }
1708
1709 if (setsockopt_bypass(fd, addr->sa_family) < 0)
1710 goto err;
1711
1712 if (privsep_bind(fd, addr, sysdep_sa_len(addr)) < 0) {
1713 plog(LLV_ERROR, LOCATION, addr,
1714 "failed to bind to address %s (%s).\n",
1715 saddr2str(addr), strerror(errno));
1716 goto err;
1717 }
1718
1719 plog(LLV_INFO, LOCATION, NULL,
1720 "%s used as isakmp port (fd=%d)\n",
1721 saddr2str(addr), fd);
1722
1723 monitor_fd(fd, isakmp_handler, NULL);
1724 return fd;
1725
1726 err:
1727 close(fd);
1728 return -1;
1729 }
1730
1731 void
1732 isakmp_close(int fd)
1733 {
1734 unmonitor_fd(fd);
1735 close(fd);
1736 }
1737
1738 int
1739 isakmp_send(iph1, sbuf)
1740 struct ph1handle *iph1;
1741 vchar_t *sbuf;
1742 {
1743 int len = 0;
1744 int s;
1745 vchar_t *vbuf = NULL, swap;
1746
1747 #ifdef ENABLE_NATT
1748 size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
1749
1750 /* Check if NON_ESP_MARKER_LEN is already there (happens when resending packets)
1751 */
1752 if(extralen == NON_ESP_MARKER_LEN &&
1753 *(u_int32_t *)sbuf->v == 0)
1754 extralen = 0;
1755
1756 #ifdef ENABLE_FRAG
1757 /*
1758 * Do not add the non ESP marker for a packet that will
1759 * be fragmented. The non ESP marker should appear in
1760 * all fragment's packets, but not in the fragmented packet
1761 */
1762 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
1763 extralen = 0;
1764 #endif
1765 if (extralen)
1766 plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
1767
1768 /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
1769 must added just before the packet itself. For this we must
1770 allocate a new buffer and release it at the end. */
1771 if (extralen) {
1772 if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
1773 plog(LLV_ERROR, LOCATION, NULL,
1774 "vbuf allocation failed\n");
1775 return -1;
1776 }
1777 *(u_int32_t *)vbuf->v = 0;
1778 memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
1779 /* ensures that the modified buffer will be sent back to the caller, so
1780 * add_recvdpkt() will add the correct buffer
1781 */
1782 swap = *sbuf;
1783 *sbuf = *vbuf;
1784 *vbuf = swap;
1785 vfree(vbuf);
1786 }
1787 #endif
1788
1789 /* select the socket to be sent */
1790 s = myaddr_getfd(iph1->local);
1791 if (s == -1)
1792 return -1;
1793
1794 plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
1795 saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
1796
1797 #ifdef ENABLE_FRAG
1798 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
1799 if (isakmp_sendfrags(iph1, sbuf) == -1) {
1800 plog(LLV_ERROR, LOCATION, NULL,
1801 "isakmp_sendfrags failed\n");
1802 return -1;
1803 }
1804 } else
1805 #endif
1806 {
1807 len = sendfromto(s, sbuf->v, sbuf->l,
1808 iph1->local, iph1->remote, lcconf->count_persend);
1809
1810 if (len == -1) {
1811 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1812 return -1;
1813 }
1814 }
1815
1816 return 0;
1817 }
1818
1819 /* called from scheduler */
1820 static void
1821 isakmp_ph1resend_stub(p)
1822 struct sched *p;
1823 {
1824 struct ph1handle *iph1 = container_of(p, struct ph1handle, scr);
1825
1826 if (isakmp_ph1resend(iph1) < 0) {
1827 remph1(iph1);
1828 delph1(iph1);
1829 }
1830 }
1831
1832 static int
1833 isakmp_ph1resend(iph1)
1834 struct ph1handle *iph1;
1835 {
1836 /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
1837 */
1838 if (iph1->retry_counter <= 0) {
1839 plog(LLV_ERROR, LOCATION, NULL,
1840 "phase1 negotiation failed due to time up. %s\n",
1841 isakmp_pindex(&iph1->index, iph1->msgid));
1842 evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL);
1843
1844 return -1;
1845 }
1846
1847 if (isakmp_send(iph1, iph1->sendbuf) < 0){
1848 plog(LLV_ERROR, LOCATION, NULL,
1849 "phase1 negotiation failed due to send error. %s\n",
1850 isakmp_pindex(&iph1->index, iph1->msgid));
1851 evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL);
1852 return -1;
1853 }
1854
1855 plog(LLV_DEBUG, LOCATION, NULL,
1856 "resend phase1 packet %s\n",
1857 isakmp_pindex(&iph1->index, iph1->msgid));
1858
1859 iph1->retry_counter--;
1860
1861 sched_schedule(&iph1->scr, lcconf->retry_interval,
1862 isakmp_ph1resend_stub);
1863
1864 return 0;
1865 }
1866
1867 int
1868 isakmp_ph1send(iph1)
1869 struct ph1handle *iph1;
1870 {
1871 iph1->retry_counter = lcconf->retry_counter;
1872 return isakmp_ph1resend(iph1);
1873 }
1874
1875 /* called from scheduler */
1876 static void
1877 isakmp_ph2resend_stub(p)
1878 struct sched *p;
1879 {
1880 struct ph2handle *iph2 = container_of(p, struct ph2handle, scr);
1881
1882 if (isakmp_ph2resend(iph2) < 0) {
1883 remph2(iph2);
1884 delph2(iph2);
1885 }
1886 }
1887
1888 static int
1889 isakmp_ph2resend(iph2)
1890 struct ph2handle *iph2;
1891 {
1892 /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
1893 */
1894 if (iph2->ph1->status >= PHASE1ST_EXPIRED) {
1895 plog(LLV_ERROR, LOCATION, NULL,
1896 "phase2 negotiation failed due to phase1 expired. %s\n",
1897 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1898 return -1;
1899 }
1900
1901 if (iph2->retry_counter <= 0) {
1902 plog(LLV_ERROR, LOCATION, NULL,
1903 "phase2 negotiation failed due to time up. %s\n",
1904 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1905 evt_phase2(iph2, EVT_PHASE2_NO_RESPONSE, NULL);
1906 unbindph12(iph2);
1907 return -1;
1908 }
1909
1910 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){
1911 plog(LLV_ERROR, LOCATION, NULL,
1912 "phase2 negotiation failed due to send error. %s\n",
1913 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1914 evt_phase2(iph2, EVT_PHASE2_NO_RESPONSE, NULL);
1915 return -1;
1916 }
1917
1918 plog(LLV_DEBUG, LOCATION, NULL,
1919 "resend phase2 packet %s\n",
1920 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1921
1922 iph2->retry_counter--;
1923
1924 sched_schedule(&iph2->scr, lcconf->retry_interval,
1925 isakmp_ph2resend_stub);
1926
1927 return 0;
1928 }
1929
1930 int
1931 isakmp_ph2send(iph2)
1932 struct ph2handle *iph2;
1933 {
1934 iph2->retry_counter = lcconf->retry_counter;
1935 return isakmp_ph2resend(iph2);
1936 }
1937
1938 /* called from scheduler */
1939 void
1940 isakmp_ph1dying_stub(p)
1941 struct sched *p;
1942 {
1943
1944 isakmp_ph1dying(container_of(p, struct ph1handle, sce));
1945 }
1946
1947 void
1948 isakmp_ph1dying(iph1)
1949 struct ph1handle *iph1;
1950 {
1951 struct ph1handle *new_iph1;
1952 struct ph2handle *p;
1953 struct remoteconf *rmconf;
1954
1955 if (iph1->status >= PHASE1ST_DYING)
1956 return;
1957
1958 /* Going away in after a while... */
1959 iph1->status = PHASE1ST_DYING;
1960
1961 /* Any fresh phase1s? */
1962 new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
1963 if (new_iph1 == NULL) {
1964 LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
1965 if (p->status != PHASE2ST_ESTABLISHED)
1966 continue;
1967
1968 plog(LLV_INFO, LOCATION, NULL,
1969 "renegotiating phase1 to %s due to "
1970 "active phase2\n",
1971 saddrwop2str(iph1->remote));
1972
1973 if (iph1->side == INITIATOR)
1974 isakmp_ph1begin_i(iph1->rmconf, iph1->remote,
1975 iph1->local);
1976
1977 break;
1978 }
1979 } else {
1980 migrate_ph12(iph1, new_iph1);
1981 }
1982
1983 /* Schedule for expiration */
1984 sched_schedule(&iph1->sce, iph1->approval->lifetime *
1985 (100 - PFKEY_SOFT_LIFETIME_RATE) / 100,
1986 isakmp_ph1expire_stub);
1987 }
1988
1989 /* called from scheduler */
1990 void
1991 isakmp_ph1expire_stub(p)
1992 struct sched *p;
1993 {
1994 isakmp_ph1expire(container_of(p, struct ph1handle, sce));
1995 }
1996
1997 void
1998 isakmp_ph1expire(iph1)
1999 struct ph1handle *iph1;
2000 {
2001 char *src, *dst;
2002
2003 if (iph1->status < PHASE1ST_EXPIRED) {
2004 src = racoon_strdup(saddr2str(iph1->local));
2005 dst = racoon_strdup(saddr2str(iph1->remote));
2006 STRDUP_FATAL(src);
2007 STRDUP_FATAL(dst);
2008
2009 plog(LLV_INFO, LOCATION, NULL,
2010 "ISAKMP-SA expired %s-%s spi:%s\n",
2011 src, dst,
2012 isakmp_pindex(&iph1->index, 0));
2013 racoon_free(src);
2014 racoon_free(dst);
2015 iph1->status = PHASE1ST_EXPIRED;
2016 }
2017
2018 sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
2019 }
2020
2021 /* called from scheduler */
2022 void
2023 isakmp_ph1delete_stub(p)
2024 struct sched *p;
2025 {
2026
2027 isakmp_ph1delete(container_of(p, struct ph1handle, sce));
2028 }
2029
2030 void
2031 isakmp_ph1delete(iph1)
2032 struct ph1handle *iph1;
2033 {
2034 struct ph2handle *p, *next;
2035 struct ph1handle *new_iph1;
2036 char *src, *dst;
2037
2038 /* Migrate established phase2s. Any fresh phase1s? */
2039 new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
2040 if (new_iph1 != NULL)
2041 migrate_ph12(iph1, new_iph1);
2042
2043 /* Discard any left phase2s */
2044 for (p = LIST_FIRST(&iph1->ph2tree); p; p = next) {
2045 next = LIST_NEXT(p, ph1bind);
2046 if (p->status >= PHASE2ST_ESTABLISHED)
2047 unbindph12(p);
2048 }
2049
2050 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2051 sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
2052 return;
2053 }
2054
2055 /* don't re-negosiation when the phase 1 SA expires. */
2056
2057 src = racoon_strdup(saddr2str(iph1->local));
2058 dst = racoon_strdup(saddr2str(iph1->remote));
2059 STRDUP_FATAL(src);
2060 STRDUP_FATAL(dst);
2061
2062 plog(LLV_INFO, LOCATION, NULL,
2063 "ISAKMP-SA deleted %s-%s spi:%s\n",
2064 src, dst, isakmp_pindex(&iph1->index, 0));
2065 evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
2066 racoon_free(src);
2067 racoon_free(dst);
2068
2069 remph1(iph1);
2070 delph1(iph1);
2071 }
2072
2073 /* called from scheduler.
2074 * this function will call only isakmp_ph2delete().
2075 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
2076 * by something cause. That's why this function is called after phase 2 SA
2077 * expires in the userland.
2078 */
2079 void
2080 isakmp_ph2expire_stub(p)
2081 struct sched *p;
2082 {
2083
2084 isakmp_ph2expire(container_of(p, struct ph2handle, sce));
2085 }
2086
2087 void
2088 isakmp_ph2expire(iph2)
2089 struct ph2handle *iph2;
2090 {
2091 char *src, *dst;
2092
2093 src = racoon_strdup(saddrwop2str(iph2->src));
2094 dst = racoon_strdup(saddrwop2str(iph2->dst));
2095 STRDUP_FATAL(src);
2096 STRDUP_FATAL(dst);
2097
2098 plog(LLV_INFO, LOCATION, NULL,
2099 "phase2 sa expired %s-%s\n", src, dst);
2100 racoon_free(src);
2101 racoon_free(dst);
2102
2103 iph2->status = PHASE2ST_EXPIRED;
2104 sched_schedule(&iph2->sce, 1, isakmp_ph2delete_stub);
2105 }
2106
2107 /* called from scheduler */
2108 void
2109 isakmp_ph2delete_stub(p)
2110 struct sched *p;
2111 {
2112
2113 isakmp_ph2delete(container_of(p, struct ph2handle, sce));
2114 }
2115
2116 void
2117 isakmp_ph2delete(iph2)
2118 struct ph2handle *iph2;
2119 {
2120 char *src, *dst;
2121
2122 src = racoon_strdup(saddrwop2str(iph2->src));
2123 dst = racoon_strdup(saddrwop2str(iph2->dst));
2124 STRDUP_FATAL(src);
2125 STRDUP_FATAL(dst);
2126
2127 plog(LLV_INFO, LOCATION, NULL,
2128 "phase2 sa deleted %s-%s\n", src, dst);
2129 racoon_free(src);
2130 racoon_free(dst);
2131
2132 remph2(iph2);
2133 delph2(iph2);
2134
2135 return;
2136 }
2137
2138 /* \f%%%
2139 * Interface between PF_KEYv2 and ISAKMP
2140 */
2141 /*
2142 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
2143 * if phase1 has been finished, begin phase2.
2144 */
2145 int
2146 isakmp_post_acquire(iph2, iph1hint)
2147 struct ph2handle *iph2;
2148 struct ph1handle *iph1hint;
2149 {
2150 struct remoteconf *rmconf;
2151 struct ph1handle *iph1 = NULL;
2152
2153 plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
2154
2155 /* Search appropriate configuration with masking port. Note that
2156 * we always use iph2->dst, and not iph2->sa_dst.
2157 *
2158 * XXX One possible need for using iph2->sa_dst if not NULL would
2159 * be for selecting a remote configuration based on a stable
2160 * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
2161 * as iph2->dst hint). This scenario would require additional changes,
2162 * so no need to bother yet. --arno */
2163
2164 if (iph1hint == NULL || iph1hint->rmconf == NULL) {
2165 rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
2166 if (rmconf == NULL) {
2167 plog(LLV_ERROR, LOCATION, NULL,
2168 "no configuration found for %s.\n",
2169 saddrwop2str(iph2->dst));
2170 return -1;
2171 }
2172 } else {
2173 rmconf = iph1hint->rmconf;
2174 }
2175
2176 /* if passive mode, ignore the acquire message */
2177 if (rmconf->passive) {
2178 plog(LLV_DEBUG, LOCATION, NULL,
2179 "because of passive mode, "
2180 "ignore the acquire message for %s.\n",
2181 saddrwop2str(iph2->dst));
2182 return 0;
2183 }
2184
2185 /*
2186 * XXX Searching by IP addresses + ports might fail on
2187 * some cases, we should use the ISAKMP identity to search
2188 * matching ISAKMP.
2189 */
2190 iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
2191
2192 /* no ISAKMP-SA found. */
2193 if (iph1 == NULL) {
2194 iph2->retry_checkph1 = lcconf->retry_checkph1;
2195 sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
2196 plog(LLV_INFO, LOCATION, NULL,
2197 "IPsec-SA request for %s queued "
2198 "due to no phase1 found.\n",
2199 saddrwop2str(iph2->dst));
2200
2201 /* start phase 1 negotiation as a initiator. */
2202 if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) == NULL) {
2203 sched_cancel(&iph2->sce);
2204 return -1;
2205 }
2206
2207 return 0;
2208 /*NOTREACHED*/
2209 }
2210
2211 /* found ISAKMP-SA, but on negotiation. */
2212 if (iph1->status < PHASE1ST_ESTABLISHED) {
2213 iph2->retry_checkph1 = lcconf->retry_checkph1;
2214 sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
2215 plog(LLV_INFO, LOCATION, iph2->dst,
2216 "request for establishing IPsec-SA was queued "
2217 "due to no phase1 found.\n");
2218 return 0;
2219 /*NOTREACHED*/
2220 }
2221
2222 /* found established ISAKMP-SA */
2223 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
2224
2225 /* found ISAKMP-SA. */
2226 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
2227
2228 /* begin quick mode */
2229 if (isakmp_ph2begin_i(iph1, iph2))
2230 return -1;
2231
2232 return 0;
2233 }
2234
2235 int
2236 isakmp_get_sainfo(iph2, sp_out, sp_in)
2237 struct ph2handle *iph2;
2238 struct secpolicy *sp_out, *sp_in;
2239 {
2240 struct remoteconf *conf;
2241 int remoteid = 0;
2242
2243 plog(LLV_DEBUG, LOCATION, NULL,
2244 "new acquire %s\n", spidx2str(&sp_out->spidx));
2245
2246 /* get sainfo */
2247 {
2248 vchar_t *idsrc, *iddst;
2249
2250 idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src,
2251 sp_out->spidx.prefs, sp_out->spidx.ul_proto);
2252 if (idsrc == NULL) {
2253 plog(LLV_ERROR, LOCATION, NULL,
2254 "failed to get ID for %s\n",
2255 spidx2str(&sp_out->spidx));
2256 return -1;
2257 }
2258 iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst,
2259 sp_out->spidx.prefd, sp_out->spidx.ul_proto);
2260 if (iddst == NULL) {
2261 plog(LLV_ERROR, LOCATION, NULL,
2262 "failed to get ID for %s\n",
2263 spidx2str(&sp_out->spidx));
2264 vfree(idsrc);
2265 return -1;
2266 }
2267
2268 conf = getrmconf(iph2->dst, 0);
2269 if (conf != NULL)
2270 remoteid = conf->ph1id;
2271 else
2272 plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
2273
2274 iph2->sainfo = getsainfo(idsrc, iddst, NULL, NULL, remoteid);
2275 vfree(idsrc);
2276 vfree(iddst);
2277 if (iph2->sainfo == NULL) {
2278 plog(LLV_ERROR, LOCATION, NULL,
2279 "failed to get sainfo.\n");
2280 return -1;
2281 /* XXX should use the algorithm list from register message */
2282 }
2283
2284 plog(LLV_DEBUG, LOCATION, NULL,
2285 "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2286 }
2287
2288 if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) {
2289 plog(LLV_ERROR, LOCATION, NULL,
2290 "failed to create saprop.\n");
2291 return -1;
2292 }
2293
2294 return 0;
2295 }
2296
2297
2298 /*
2299 * receive GETSPI from kernel.
2300 */
2301 int
2302 isakmp_post_getspi(iph2)
2303 struct ph2handle *iph2;
2304 {
2305 #ifdef ENABLE_STATS
2306 struct timeval start, end;
2307 #endif
2308
2309 /* don't process it because there is no suitable phase1-sa. */
2310 if (iph2->ph1->status >= PHASE1ST_EXPIRED) {
2311 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2312 "the negotiation is stopped, "
2313 "because there is no suitable ISAKMP-SA.\n");
2314 return -1;
2315 }
2316
2317 #ifdef ENABLE_STATS
2318 gettimeofday(&start, NULL);
2319 #endif
2320 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2321 [iph2->side]
2322 [iph2->status])(iph2, NULL) != 0)
2323 return -1;
2324 #ifdef ENABLE_STATS
2325 gettimeofday(&end, NULL);
2326 syslog(LOG_NOTICE, "%s(%s): %8.6f",
2327 "phase2",
2328 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2329 timedelta(&start, &end));
2330 #endif
2331
2332 return 0;
2333 }
2334
2335 /* called by scheduler */
2336 void
2337 isakmp_chkph1there_stub(p)
2338 struct sched *p;
2339 {
2340 isakmp_chkph1there(container_of(p, struct ph2handle, sce));
2341 }
2342
2343 void
2344 isakmp_chkph1there(iph2)
2345 struct ph2handle *iph2;
2346 {
2347 struct ph1handle *iph1;
2348
2349 iph2->retry_checkph1--;
2350 if (iph2->retry_checkph1 < 0) {
2351 plog(LLV_ERROR, LOCATION, iph2->dst,
2352 "phase2 negotiation failed "
2353 "due to time up waiting for phase1. %s\n",
2354 sadbsecas2str(iph2->dst, iph2->src,
2355 iph2->satype, 0, 0));
2356 plog(LLV_INFO, LOCATION, NULL,
2357 "delete phase 2 handler.\n");
2358
2359 /* send acquire to kernel as error */
2360 pk_sendeacquire(iph2);
2361
2362 remph2(iph2);
2363 delph2(iph2);
2364
2365 return;
2366 }
2367
2368 /* Search isakmp status table by address and port */
2369 iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2370
2371 /* XXX Even if ph1 as responder is there, should we not start
2372 * phase 2 negotiation ? */
2373 if (iph1 != NULL
2374 && iph1->status == PHASE1ST_ESTABLISHED) {
2375 /* found isakmp-sa */
2376
2377 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n");
2378 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local));
2379 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote));
2380 plog(LLV_DEBUG2, LOCATION, NULL, "before:\n");
2381 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
2382 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
2383 set_port(iph2->src, extract_port(iph1->local));
2384 set_port(iph2->dst, extract_port(iph1->remote));
2385 plog(LLV_DEBUG2, LOCATION, NULL, "After:\n");
2386 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
2387 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
2388
2389 /* begin quick mode */
2390 (void)isakmp_ph2begin_i(iph1, iph2);
2391 return;
2392 }
2393
2394 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n");
2395
2396 /* no isakmp-sa found */
2397 sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
2398
2399 return;
2400 }
2401
2402 /* copy variable data into ALLOCATED buffer. */
2403 caddr_t
2404 isakmp_set_attr_v(buf, type, val, len)
2405 caddr_t buf;
2406 int type;
2407 caddr_t val;
2408 int len;
2409 {
2410 struct isakmp_data *data;
2411
2412 data = (struct isakmp_data *)buf;
2413 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2414 data->lorv = htons((u_int16_t)len);
2415 memcpy(data + 1, val, len);
2416
2417 return buf + sizeof(*data) + len;
2418 }
2419
2420 /* copy fixed length data into ALLOCATED buffer. */
2421 caddr_t
2422 isakmp_set_attr_l(buf, type, val)
2423 caddr_t buf;
2424 int type;
2425 u_int32_t val;
2426 {
2427 struct isakmp_data *data;
2428
2429 data = (struct isakmp_data *)buf;
2430 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2431 data->lorv = htons((u_int16_t)val);
2432
2433 return buf + sizeof(*data);
2434 }
2435
2436 /* add a variable data attribute to the buffer by reallocating it. */
2437 vchar_t *
2438 isakmp_add_attr_v(buf0, type, val, len)
2439 vchar_t *buf0;
2440 int type;
2441 caddr_t val;
2442 int len;
2443 {
2444 vchar_t *buf = NULL;
2445 struct isakmp_data *data;
2446 int tlen;
2447 int oldlen = 0;
2448
2449 tlen = sizeof(*data) + len;
2450
2451 if (buf0) {
2452 oldlen = buf0->l;
2453 buf = vrealloc(buf0, oldlen + tlen);
2454 } else
2455 buf = vmalloc(tlen);
2456 if (!buf) {
2457 plog(LLV_ERROR, LOCATION, NULL,
2458 "failed to get a attribute buffer.\n");
2459 return NULL;
2460 }
2461
2462 data = (struct isakmp_data *)(buf->v + oldlen);
2463 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2464 data->lorv = htons((u_int16_t)len);
2465 memcpy(data + 1, val, len);
2466
2467 return buf;
2468 }
2469
2470 /* add a fixed data attribute to the buffer by reallocating it. */
2471 vchar_t *
2472 isakmp_add_attr_l(buf0, type, val)
2473 vchar_t *buf0;
2474 int type;
2475 u_int32_t val;
2476 {
2477 vchar_t *buf = NULL;
2478 struct isakmp_data *data;
2479 int tlen;
2480 int oldlen = 0;
2481
2482 tlen = sizeof(*data);
2483
2484 if (buf0) {
2485 oldlen = buf0->l;
2486 buf = vrealloc(buf0, oldlen + tlen);
2487 } else
2488 buf = vmalloc(tlen);
2489 if (!buf) {
2490 plog(LLV_ERROR, LOCATION, NULL,
2491 "failed to get a attribute buffer.\n");
2492 return NULL;
2493 }
2494
2495 data = (struct isakmp_data *)(buf->v + oldlen);
2496 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2497 data->lorv = htons((u_int16_t)val);
2498
2499 return buf;
2500 }
2501
2502 /*
2503 * calculate cookie and set.
2504 */
2505 int
2506 isakmp_newcookie(place, remote, local)
2507 caddr_t place;
2508 struct sockaddr *remote;
2509 struct sockaddr *local;
2510 {
2511 vchar_t *buf = NULL, *buf2 = NULL;
2512 char *p;
2513 int blen;
2514 int alen;
2515 caddr_t sa1, sa2;
2516 time_t t;
2517 int error = -1;
2518 u_short port;
2519
2520
2521 if (remote->sa_family != local->sa_family) {
2522 plog(LLV_ERROR, LOCATION, NULL,
2523 "address family mismatch, remote:%d local:%d\n",
2524 remote->sa_family, local->sa_family);
2525 goto end;
2526 }
2527 switch (remote->sa_family) {
2528 case AF_INET:
2529 alen = sizeof(struct in_addr);
2530 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2531 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2532 break;
2533 #ifdef INET6
2534 case AF_INET6:
2535 alen = sizeof(struct in6_addr);
2536 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2537 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2538 break;
2539 #endif
2540 default:
2541 plog(LLV_ERROR, LOCATION, NULL,
2542 "invalid family: %d\n", remote->sa_family);
2543 goto end;
2544 }
2545 blen = (alen + sizeof(u_short)) * 2
2546 + sizeof(time_t) + lcconf->secret_size;
2547 buf = vmalloc(blen);
2548 if (buf == NULL) {
2549 plog(LLV_ERROR, LOCATION, NULL,
2550 "failed to get a cookie.\n");
2551 goto end;
2552 }
2553 p = buf->v;
2554
2555 /* copy my address */
2556 memcpy(p, sa1, alen);
2557 p += alen;
2558 port = ((struct sockaddr_in *)remote)->sin_port;
2559 memcpy(p, &port, sizeof(u_short));
2560 p += sizeof(u_short);
2561
2562 /* copy target address */
2563 memcpy(p, sa2, alen);
2564 p += alen;
2565 port = ((struct sockaddr_in *)local)->sin_port;
2566 memcpy(p, &port, sizeof(u_short));
2567 p += sizeof(u_short);
2568
2569 /* copy time */
2570 t = time(0);
2571 memcpy(p, (caddr_t)&t, sizeof(t));
2572 p += sizeof(t);
2573
2574 /* copy random value */
2575 buf2 = eay_set_random(lcconf->secret_size);
2576 if (buf2 == NULL)
2577 goto end;
2578 memcpy(p, buf2->v, lcconf->secret_size);
2579 p += lcconf->secret_size;
2580 vfree(buf2);
2581
2582 buf2 = eay_sha1_one(buf);
2583 memcpy(place, buf2->v, sizeof(cookie_t));
2584
2585 sa1 = val2str(place, sizeof (cookie_t));
2586 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2587 racoon_free(sa1);
2588
2589 error = 0;
2590 end:
2591 if (buf != NULL)
2592 vfree(buf);
2593 if (buf2 != NULL)
2594 vfree(buf2);
2595 return error;
2596 }
2597
2598 /*
2599 * save partner's(payload) data into phhandle.
2600 */
2601 int
2602 isakmp_p2ph(buf, gen)
2603 vchar_t **buf;
2604 struct isakmp_gen *gen;
2605 {
2606 /* XXX to be checked in each functions for logging. */
2607 if (*buf) {
2608 plog(LLV_WARNING, LOCATION, NULL,
2609 "ignore this payload, same payload type exist.\n");
2610 return -1;
2611 }
2612
2613 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
2614 if (*buf == NULL) {
2615 plog(LLV_ERROR, LOCATION, NULL,
2616 "failed to get buffer.\n");
2617 return -1;
2618 }
2619 memcpy((*buf)->v, gen + 1, (*buf)->l);
2620
2621 return 0;
2622 }
2623
2624 u_int32_t
2625 isakmp_newmsgid2(iph1)
2626 struct ph1handle *iph1;
2627 {
2628 u_int32_t msgid2;
2629
2630 do {
2631 msgid2 = eay_random();
2632 } while (getph2bymsgid(iph1, msgid2));
2633
2634 return msgid2;
2635 }
2636
2637 /*
2638 * set values into allocated buffer of isakmp header for phase 1
2639 */
2640 static caddr_t
2641 set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid)
2642 vchar_t *vbuf;
2643 struct ph1handle *iph1;
2644 int nptype;
2645 u_int8_t etype;
2646 u_int8_t flags;
2647 u_int32_t msgid;
2648 {
2649 struct isakmp *isakmp;
2650
2651 if (vbuf->l < sizeof(*isakmp))
2652 return NULL;
2653
2654 isakmp = (struct isakmp *)vbuf->v;
2655
2656 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2657 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2658 isakmp->np = nptype;
2659 isakmp->v = iph1->version;
2660 isakmp->etype = etype;
2661 isakmp->flags = flags;
2662 isakmp->msgid = msgid;
2663 isakmp->len = htonl(vbuf->l);
2664
2665 return vbuf->v + sizeof(*isakmp);
2666 }
2667
2668 /*
2669 * set values into allocated buffer of isakmp header for phase 1
2670 */
2671 caddr_t
2672 set_isakmp_header1(vbuf, iph1, nptype)
2673 vchar_t *vbuf;
2674 struct ph1handle *iph1;
2675 int nptype;
2676 {
2677 return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
2678 }
2679
2680 /*
2681 * set values into allocated buffer of isakmp header for phase 2
2682 */
2683 caddr_t
2684 set_isakmp_header2(vbuf, iph2, nptype)
2685 vchar_t *vbuf;
2686 struct ph2handle *iph2;
2687 int nptype;
2688 {
2689 return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
2690 }
2691
2692 /*
2693 * set values into allocated buffer of isakmp payload.
2694 */
2695 caddr_t
2696 set_isakmp_payload(buf, src, nptype)
2697 caddr_t buf;
2698 vchar_t *src;
2699 int nptype;
2700 {
2701 struct isakmp_gen *gen;
2702 caddr_t p = buf;
2703
2704 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n",
2705 src->l, nptype);
2706
2707 gen = (struct isakmp_gen *)p;
2708 gen->np = nptype;
2709 gen->len = htons(sizeof(*gen) + src->l);
2710 p += sizeof(*gen);
2711 memcpy(p, src->v, src->l);
2712 p += src->l;
2713
2714 return p;
2715 }
2716
2717 static int
2718 etypesw1(etype)
2719 int etype;
2720 {
2721 switch (etype) {
2722 case ISAKMP_ETYPE_IDENT:
2723 return 1;
2724 case ISAKMP_ETYPE_AGG:
2725 return 2;
2726 case ISAKMP_ETYPE_BASE:
2727 return 3;
2728 default:
2729 return 0;
2730 }
2731 /*NOTREACHED*/
2732 }
2733
2734 static int
2735 etypesw2(etype)
2736 int etype;
2737 {
2738 switch (etype) {
2739 case ISAKMP_ETYPE_QUICK:
2740 return 1;
2741 default:
2742 return 0;
2743 }
2744 /*NOTREACHED*/
2745 }
2746
2747 #ifdef HAVE_PRINT_ISAKMP_C
2748 /* for print-isakmp.c */
2749 char *snapend;
2750 extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2751
2752 char *getname __P((const u_char *));
2753 #ifdef INET6
2754 char *getname6 __P((const u_char *));
2755 #endif
2756 int safeputchar __P((int));
2757
2758 /*
2759 * Return a name for the IP address pointed to by ap. This address
2760 * is assumed to be in network byte order.
2761 */
2762 char *
2763 getname(ap)
2764 const u_char *ap;
2765 {
2766 struct sockaddr_in addr;
2767 static char ntop_buf[NI_MAXHOST];
2768
2769 memset(&addr, 0, sizeof(addr));
2770 #ifndef __linux__
2771 addr.sin_len = sizeof(struct sockaddr_in);
2772 #endif
2773 addr.sin_family = AF_INET;
2774 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2775 if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
2776 ntop_buf, sizeof(ntop_buf), NULL, 0,
2777 NI_NUMERICHOST | niflags))
2778 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2779
2780 return ntop_buf;
2781 }
2782
2783 #ifdef INET6
2784 /*
2785 * Return a name for the IP6 address pointed to by ap. This address
2786 * is assumed to be in network byte order.
2787 */
2788 char *
2789 getname6(ap)
2790 const u_char *ap;
2791 {
2792 struct sockaddr_in6 addr;
2793 static char ntop_buf[NI_MAXHOST];
2794
2795 memset(&addr, 0, sizeof(addr));
2796 addr.sin6_len = sizeof(struct sockaddr_in6);
2797 addr.sin6_family = AF_INET6;
2798 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2799 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2800 ntop_buf, sizeof(ntop_buf), NULL, 0,
2801 NI_NUMERICHOST | niflags))
2802 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2803
2804 return ntop_buf;
2805 }
2806 #endif /* INET6 */
2807
2808 int
2809 safeputchar(c)
2810 int c;
2811 {
2812 unsigned char ch;
2813
2814 ch = (unsigned char)(c & 0xff);
2815 if (c < 0x80 && isprint(c))
2816 return printf("%c", c & 0xff);
2817 else
2818 return printf("\\%03o", c & 0xff);
2819 }
2820
2821 void
2822 isakmp_printpacket(msg, from, my, decoded)
2823 vchar_t *msg;
2824 struct sockaddr *from;
2825 struct sockaddr *my;
2826 int decoded;
2827 {
2828 #ifdef YIPS_DEBUG
2829 struct timeval tv;
2830 int s;
2831 char hostbuf[NI_MAXHOST];
2832 char portbuf[NI_MAXSERV];
2833 struct isakmp *isakmp;
2834 vchar_t *buf;
2835 #endif
2836
2837 if (loglevel < LLV_DEBUG)
2838 return;
2839
2840 #ifdef YIPS_DEBUG
2841 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2842
2843 gettimeofday(&tv, NULL);
2844 s = tv.tv_sec % 3600;
2845 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2846
2847 if (from) {
2848 if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
2849 portbuf, sizeof(portbuf),
2850 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2851 strlcpy(hostbuf, "?", sizeof(hostbuf));
2852 strlcpy(portbuf, "?", sizeof(portbuf));
2853 }
2854 printf("%s:%s", hostbuf, portbuf);
2855 } else
2856 printf("?");
2857 printf(" -> ");
2858 if (my) {
2859 if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
2860 portbuf, sizeof(portbuf),
2861 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2862 strlcpy(hostbuf, "?", sizeof(hostbuf));
2863 strlcpy(portbuf, "?", sizeof(portbuf));
2864 }
2865 printf("%s:%s", hostbuf, portbuf);
2866 } else
2867 printf("?");
2868 printf(": ");
2869
2870 buf = vdup(msg);
2871 if (!buf) {
2872 printf("(malloc fail)\n");
2873 return;
2874 }
2875 if (decoded) {
2876 isakmp = (struct isakmp *)buf->v;
2877 if (isakmp->flags & ISAKMP_FLAG_E) {
2878 #if 0
2879 int pad;
2880 pad = *(u_char *)(buf->v + buf->l - 1);
2881 if (buf->l < pad && 2 < vflag)
2882 printf("(wrong padding)");
2883 #endif
2884 isakmp->flags &= ~ISAKMP_FLAG_E;
2885 }
2886 }
2887
2888 snapend = buf->v + buf->l;
2889 isakmp_print(buf->v, buf->l, NULL);
2890 vfree(buf);
2891 printf("\n");
2892 fflush(stdout);
2893
2894 return;
2895 #endif
2896 }
2897 #endif /*HAVE_PRINT_ISAKMP_C*/
2898
2899 int
2900 copy_ph1addresses(iph1, rmconf, remote, local)
2901 struct ph1handle *iph1;
2902 struct remoteconf *rmconf;
2903 struct sockaddr *remote, *local;
2904 {
2905 u_int16_t port;
2906
2907 /* address portion must be grabbed from real remote address "remote" */
2908 iph1->remote = dupsaddr(remote);
2909 if (iph1->remote == NULL)
2910 return -1;
2911
2912 /*
2913 * if remote has no port # (in case of initiator - from ACQUIRE msg)
2914 * - if remote.conf specifies port #, use that
2915 * - if remote.conf does not, use 500
2916 * if remote has port # (in case of responder - from recvfrom(2))
2917 * respect content of "remote".
2918 */
2919 if (extract_port(iph1->remote) == 0) {
2920 port = 0;
2921 if (rmconf != NULL)
2922 port = extract_port(rmconf->remote);
2923 if (port == 0)
2924 port = PORT_ISAKMP;
2925 set_port(iph1->remote, port);
2926 }
2927
2928 if (local == NULL)
2929 iph1->local = getlocaladdr(iph1->remote);
2930 else
2931 iph1->local = dupsaddr(local);
2932 if (iph1->local == NULL)
2933 return -1;
2934
2935 if (extract_port(iph1->local) == 0) {
2936 port = myaddr_getsport(iph1->local);
2937 if (port == 0)
2938 port = PORT_ISAKMP;
2939 set_port(iph1->local, PORT_ISAKMP);
2940 }
2941
2942 #ifdef ENABLE_NATT
2943 if (extract_port(iph1->local) == lcconf->port_isakmp_natt) {
2944 plog(LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n");
2945 iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
2946 }
2947 #endif
2948
2949 return 0;
2950 }
2951
2952 static int
2953 nostate1(iph1, msg)
2954 struct ph1handle *iph1;
2955 vchar_t *msg;
2956 {
2957 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2958 iph1->status);
2959 return -1;
2960 }
2961
2962 static int
2963 nostate2(iph2, msg)
2964 struct ph2handle *iph2;
2965 vchar_t *msg;
2966 {
2967 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2968 iph2->status);
2969 return -1;
2970 }
2971
2972 void
2973 log_ph1established(iph1)
2974 const struct ph1handle *iph1;
2975 {
2976 char *src, *dst;
2977
2978 src = racoon_strdup(saddr2str(iph1->local));
2979 dst = racoon_strdup(saddr2str(iph1->remote));
2980 STRDUP_FATAL(src);
2981 STRDUP_FATAL(dst);
2982
2983 plog(LLV_INFO, LOCATION, NULL,
2984 "ISAKMP-SA established %s-%s spi:%s\n",
2985 src, dst,
2986 isakmp_pindex(&iph1->index, 0));
2987
2988 evt_phase1(iph1, EVT_PHASE1_UP, NULL);
2989 if(!iph1->rmconf->mode_cfg)
2990 evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
2991
2992 racoon_free(src);
2993 racoon_free(dst);
2994
2995 return;
2996 }
2997
2998 struct payload_list *
2999 isakmp_plist_append_full (struct payload_list *plist, vchar_t *payload,
3000 u_int8_t payload_type, u_int8_t free_payload)
3001 {
3002 if (! plist) {
3003 plist = racoon_malloc (sizeof (struct payload_list));
3004 plist->prev = NULL;
3005 }
3006 else {
3007 plist->next = racoon_malloc (sizeof (struct payload_list));
3008 plist->next->prev = plist;
3009 plist = plist->next;
3010 }
3011
3012 plist->next = NULL;
3013 plist->payload = payload;
3014 plist->payload_type = payload_type;
3015 plist->free_payload = free_payload;
3016
3017 return plist;
3018 }
3019
3020 vchar_t *
3021 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
3022 {
3023 struct payload_list *ptr = *plist, *first;
3024 size_t tlen = sizeof (struct isakmp), n = 0;
3025 vchar_t *buf = NULL;
3026 char *p;
3027
3028 /* Seek to the first item. */
3029 while (ptr->prev) ptr = ptr->prev;
3030 first = ptr;
3031
3032 /* Compute the whole length. */
3033 while (ptr) {
3034 tlen += ptr->payload->l + sizeof (struct isakmp_gen);
3035 ptr = ptr->next;
3036 }
3037
3038 buf = vmalloc(tlen);
3039 if (buf == NULL) {
3040 plog(LLV_ERROR, LOCATION, NULL,
3041 "failed to get buffer to send.\n");
3042 goto end;
3043 }
3044
3045 ptr = first;
3046
3047 p = set_isakmp_header1(buf, iph1, ptr->payload_type);
3048 if (p == NULL)
3049 goto end;
3050
3051 while (ptr)
3052 {
3053 p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
3054 first = ptr;
3055 ptr = ptr->next;
3056 if (first->free_payload)
3057 vfree(first->payload);
3058 racoon_free (first);
3059 /* ptr->prev = NULL; first = NULL; ... omitted. */
3060 n++;
3061 }
3062
3063 *plist = NULL;
3064
3065 return buf;
3066 end:
3067 if (buf != NULL)
3068 vfree(buf);
3069 return NULL;
3070 }
3071
3072 #ifdef ENABLE_FRAG
3073 int
3074 frag_handler(iph1, msg, remote, local)
3075 struct ph1handle *iph1;
3076 vchar_t *msg;
3077 struct sockaddr *remote;
3078 struct sockaddr *local;
3079 {
3080 vchar_t *newmsg;
3081
3082 if (isakmp_frag_extract(iph1, msg) == 1) {
3083 if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
3084 plog(LLV_ERROR, LOCATION, remote,
3085 "Packet reassembly failed\n");
3086 return -1;
3087 }
3088 return isakmp_main(newmsg, remote, local);
3089 }
3090
3091 return 0;
3092 }
3093 #endif
3094
3095 void
3096 script_hook(iph1, script)
3097 struct ph1handle *iph1;
3098 int script;
3099 {
3100 #define IP_MAX 40
3101 #define PORT_MAX 6
3102 char addrstr[IP_MAX];
3103 char portstr[PORT_MAX];
3104 char **envp = NULL;
3105 int envc = 1;
3106 char **c;
3107
3108 if (iph1 == NULL ||
3109 iph1->rmconf == NULL ||
3110 iph1->rmconf->script[script] == NULL)
3111 return;
3112
3113 #ifdef ENABLE_HYBRID
3114 (void)isakmp_cfg_setenv(iph1, &envp, &envc);
3115 #endif
3116
3117 /* local address */
3118 GETNAMEINFO(iph1->local, addrstr, portstr);
3119
3120 if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
3121 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
3122 goto out;
3123 }
3124
3125 if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) {
3126 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n");
3127 goto out;
3128 }
3129
3130 /* Peer address */
3131 if (iph1->remote != NULL) {
3132 GETNAMEINFO(iph1->remote, addrstr, portstr);
3133
3134 if (script_env_append(&envp, &envc,
3135 "REMOTE_ADDR", addrstr) != 0) {
3136 plog(LLV_ERROR, LOCATION, NULL,
3137 "Cannot set REMOTE_ADDR\n");
3138 goto out;
3139 }
3140
3141 if (script_env_append(&envp, &envc,
3142 "REMOTE_PORT", portstr) != 0) {
3143 plog(LLV_ERROR, LOCATION, NULL,
3144 "Cannot set REMOTEL_PORT\n");
3145 goto out;
3146 }
3147 }
3148
3149 /* Peer identity. */
3150 if (iph1->id_p != NULL) {
3151 if (script_env_append(&envp, &envc, "REMOTE_ID",
3152 ipsecdoi_id2str(iph1->id_p)) != 0) {
3153 plog(LLV_ERROR, LOCATION, NULL,
3154 "Cannot set REMOTE_ID\n");
3155 goto out;
3156 }
3157 }
3158
3159 if (privsep_script_exec(iph1->rmconf->script[script]->v,
3160 script, envp) != 0)
3161 plog(LLV_ERROR, LOCATION, NULL,
3162 "Script %s execution failed\n", script_names[script]);
3163
3164 out:
3165 for (c = envp; *c; c++)
3166 racoon_free(*c);
3167
3168 racoon_free(envp);
3169
3170 return;
3171 }
3172
3173 int
3174 script_env_append(envp, envc, name, value)
3175 char ***envp;
3176 int *envc;
3177 char *name;
3178 char *value;
3179 {
3180 char *envitem;
3181 char **newenvp;
3182 int newenvc;
3183
3184 envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
3185 if (envitem == NULL) {
3186 plog(LLV_ERROR, LOCATION, NULL,
3187 "Cannot allocate memory: %s\n", strerror(errno));
3188 return -1;
3189 }
3190 sprintf(envitem, "%s=%s", name, value);
3191
3192 newenvc = (*envc) + 1;
3193 newenvp = racoon_realloc(*envp, newenvc * sizeof(char *));
3194 if (newenvp == NULL) {
3195 plog(LLV_ERROR, LOCATION, NULL,
3196 "Cannot allocate memory: %s\n", strerror(errno));
3197 racoon_free(envitem);
3198 return -1;
3199 }
3200
3201 newenvp[newenvc - 2] = envitem;
3202 newenvp[newenvc - 1] = NULL;
3203
3204 *envp = newenvp;
3205 *envc = newenvc;
3206 return 0;
3207 }
3208
3209 int
3210 script_exec(script, name, envp)
3211 char *script;
3212 int name;
3213 char *const envp[];
3214 {
3215 char *argv[] = { NULL, NULL, NULL };
3216
3217 argv[0] = script;
3218 argv[1] = script_names[name];
3219 argv[2] = NULL;
3220
3221 switch (fork()) {
3222 case 0:
3223 execve(argv[0], argv, envp);
3224 plog(LLV_ERROR, LOCATION, NULL,
3225 "execve(\"%s\") failed: %s\n",
3226 argv[0], strerror(errno));
3227 _exit(1);
3228 break;
3229 case -1:
3230 plog(LLV_ERROR, LOCATION, NULL,
3231 "Cannot fork: %s\n", strerror(errno));
3232 return -1;
3233 break;
3234 default:
3235 break;
3236 }
3237 return 0;
3238
3239 }
3240
3241 void
3242 purge_remote(iph1)
3243 struct ph1handle *iph1;
3244 {
3245 vchar_t *buf = NULL;
3246 struct sadb_msg *msg, *next, *end;
3247 struct sadb_sa *sa;
3248 struct sockaddr *src, *dst;
3249 caddr_t mhp[SADB_EXT_MAX + 1];
3250 u_int proto_id;
3251 struct ph2handle *iph2;
3252 struct ph1handle *new_iph1;
3253
3254 plog(LLV_INFO, LOCATION, NULL,
3255 "purging ISAKMP-SA spi=%s.\n",
3256 isakmp_pindex(&(iph1->index), iph1->msgid));
3257
3258 /* Mark as expired. */
3259 iph1->status = PHASE1ST_EXPIRED;
3260
3261 /* Check if we have another, still valid, phase1 SA. */
3262 new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
3263
3264 /*
3265 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
3266 * Keep all others phase2 SAs.
3267 */
3268 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
3269 if (buf == NULL) {
3270 plog(LLV_DEBUG, LOCATION, NULL,
3271 "pfkey_dump_sadb returned nothing.\n");
3272 return;
3273 }
3274
3275 msg = (struct sadb_msg *)buf->v;
3276 end = (struct sadb_msg *)(buf->v + buf->l);
3277
3278 while (msg < end) {
3279 if ((msg->sadb_msg_len << 3) < sizeof(*msg))
3280 break;
3281 next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
3282 if (msg->sadb_msg_type != SADB_DUMP) {
3283 msg = next;
3284 continue;
3285 }
3286
3287 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
3288 plog(LLV_ERROR, LOCATION, NULL,
3289 "pfkey_check (%s)\n", ipsec_strerror());
3290 msg = next;
3291 continue;
3292 }
3293
3294 sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
3295 if (!sa ||
3296 !mhp[SADB_EXT_ADDRESS_SRC] ||
3297 !mhp[SADB_EXT_ADDRESS_DST]) {
3298 msg = next;
3299 continue;
3300 }
3301 pk_fixup_sa_addresses(mhp);
3302 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
3303 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
3304
3305 if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
3306 sa->sadb_sa_state != SADB_SASTATE_MATURE &&
3307 sa->sadb_sa_state != SADB_SASTATE_DYING) {
3308 msg = next;
3309 continue;
3310 }
3311
3312 /*
3313 * check in/outbound SAs.
3314 * Select only SAs where src == local and dst == remote (outgoing)
3315 * or src == remote and dst == local (incoming).
3316 */
3317 if ((cmpsaddr(iph1->local, src) ||
3318 cmpsaddr(iph1->remote, dst)) &&
3319 (cmpsaddr(iph1->local, dst) ||
3320 cmpsaddr(iph1->remote, src))) {
3321 msg = next;
3322 continue;
3323 }
3324
3325 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
3326 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
3327
3328 /* Check if there is another valid ISAKMP-SA */
3329 if (new_iph1 != NULL) {
3330
3331 if (iph2 == NULL) {
3332 /* No handler... still send a pfkey_delete message, but log this !*/
3333 plog(LLV_INFO, LOCATION, NULL,
3334 "Unknown IPsec-SA spi=%u, hmmmm?\n",
3335 ntohl(sa->sadb_sa_spi));
3336 }else{
3337
3338 /*
3339 * If we have a new ph1, do not purge IPsec-SAs binded
3340 * to a different ISAKMP-SA
3341 */
3342 if (iph2->ph1 != NULL && iph2->ph1 != iph1){
3343 msg = next;
3344 continue;
3345 }
3346
3347 /* If the ph2handle is established, do not purge IPsec-SA */
3348 if (iph2->status == PHASE2ST_ESTABLISHED ||
3349 iph2->status == PHASE2ST_EXPIRED) {
3350
3351 plog(LLV_INFO, LOCATION, NULL,
3352 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
3353 ntohl(sa->sadb_sa_spi),
3354 isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
3355 msg = next;
3356 continue;
3357 }
3358 }
3359 }
3360
3361
3362 pfkey_send_delete(lcconf->sock_pfkey,
3363 msg->sadb_msg_satype,
3364 IPSEC_MODE_ANY,
3365 src, dst, sa->sadb_sa_spi);
3366
3367 /* delete a relative phase 2 handle. */
3368 if (iph2 != NULL) {
3369 delete_spd(iph2, 0);
3370 remph2(iph2);
3371 delph2(iph2);
3372 }
3373
3374 plog(LLV_INFO, LOCATION, NULL,
3375 "purged IPsec-SA spi=%u.\n",
3376 ntohl(sa->sadb_sa_spi));
3377
3378 msg = next;
3379 }
3380
3381 if (buf)
3382 vfree(buf);
3383
3384 /* Mark the phase1 handler as EXPIRED */
3385 plog(LLV_INFO, LOCATION, NULL,
3386 "purged ISAKMP-SA spi=%s.\n",
3387 isakmp_pindex(&(iph1->index), iph1->msgid));
3388
3389 sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
3390 }
3391
3392 void
3393 delete_spd(iph2, created)
3394 struct ph2handle *iph2;
3395 u_int64_t created;
3396 {
3397 struct policyindex spidx;
3398 struct sockaddr_storage addr;
3399 u_int8_t pref;
3400 struct sockaddr *src;
3401 struct sockaddr *dst;
3402 int error;
3403 int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
3404
3405 if (iph2 == NULL)
3406 return;
3407
3408 /* Delete the SPD entry if we generated it
3409 */
3410 if (! iph2->generated_spidx )
3411 return;
3412
3413 src = iph2->src;
3414 dst = iph2->dst;
3415
3416 plog(LLV_INFO, LOCATION, NULL,
3417 "generated policy, deleting it.\n");
3418
3419 memset(&spidx, 0, sizeof(spidx));
3420 iph2->spidx_gen = (caddr_t )&spidx;
3421
3422 /* make inbound policy */
3423 iph2->src = dst;
3424 iph2->dst = src;
3425 spidx.dir = IPSEC_DIR_INBOUND;
3426 spidx.ul_proto = 0;
3427
3428 /*
3429 * Note: code from get_proposal_r
3430 */
3431
3432 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
3433
3434 /*
3435 * make destination address in spidx from either ID payload
3436 * or phase 1 address into a address in spidx.
3437 */
3438 if (iph2->id != NULL
3439 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3440 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
3441 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3442 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3443 /* get a destination address of a policy */
3444 error = ipsecdoi_id2sockaddr(iph2->id,
3445 (struct sockaddr *)&spidx.dst,
3446 &spidx.prefd, &spidx.ul_proto);
3447 if (error)
3448 goto purge;
3449
3450 #ifdef INET6
3451 /*
3452 * get scopeid from the SA address.
3453 * note that the phase 1 source address is used as
3454 * a destination address to search for a inbound
3455 * policy entry because rcoon is responder.
3456 */
3457 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
3458 if ((error =
3459 setscopeid((struct sockaddr *)&spidx.dst,
3460 iph2->src)) != 0)
3461 goto purge;
3462 }
3463 #endif
3464
3465 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3466 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
3467 idi2type = _XIDT(iph2->id);
3468
3469 } else {
3470
3471 plog(LLV_DEBUG, LOCATION, NULL,
3472 "get a destination address of SP index "
3473 "from phase1 address "
3474 "due to no ID payloads found "
3475 "OR because ID type is not address.\n");
3476
3477 /*
3478 * copy the SOURCE address of IKE into the
3479 * DESTINATION address of the key to search the
3480 * SPD because the direction of policy is inbound.
3481 */
3482 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
3483 switch (spidx.dst.ss_family) {
3484 case AF_INET:
3485 spidx.prefd =
3486 sizeof(struct in_addr) << 3;
3487 break;
3488 #ifdef INET6
3489 case AF_INET6:
3490 spidx.prefd =
3491 sizeof(struct in6_addr) << 3;
3492 break;
3493 #endif
3494 default:
3495 spidx.prefd = 0;
3496 break;
3497 }
3498 }
3499
3500 /* make source address in spidx */
3501 if (iph2->id_p != NULL
3502 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
3503 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
3504 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3505 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3506 /* get a source address of inbound SA */
3507 error = ipsecdoi_id2sockaddr(iph2->id_p,
3508 (struct sockaddr *)&spidx.src,
3509 &spidx.prefs, &spidx.ul_proto);
3510 if (error)
3511 goto purge;
3512
3513 #ifdef INET6
3514 /*
3515 * get scopeid from the SA address.
3516 * for more detail, see above of this function.
3517 */
3518 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
3519 error =
3520 setscopeid((struct sockaddr *)&spidx.src,
3521 iph2->dst);
3522 if (error)
3523 goto purge;
3524 }
3525 #endif
3526
3527 /* make sa_[src,dst] if both ID types are IP address and same */
3528 if (_XIDT(iph2->id_p) == idi2type
3529 && spidx.dst.ss_family == spidx.src.ss_family) {
3530 iph2->sa_src =
3531 dupsaddr((struct sockaddr *)&spidx.dst);
3532 if (iph2->sa_src == NULL) {
3533 plog(LLV_ERROR, LOCATION, NULL,
3534 "allocation failed\n");
3535 goto purge;
3536 }
3537 iph2->sa_dst =
3538 dupsaddr((struct sockaddr *)&spidx.src);
3539 if (iph2->sa_dst == NULL) {
3540 plog(LLV_ERROR, LOCATION, NULL,
3541 "allocation failed\n");
3542 goto purge;
3543 }
3544 }
3545
3546 } else {
3547 plog(LLV_DEBUG, LOCATION, NULL,
3548 "get a source address of SP index "
3549 "from phase1 address "
3550 "due to no ID payloads found "
3551 "OR because ID type is not address.\n");
3552
3553 /* see above comment. */
3554 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
3555 switch (spidx.src.ss_family) {
3556 case AF_INET:
3557 spidx.prefs =
3558 sizeof(struct in_addr) << 3;
3559 break;
3560 #ifdef INET6
3561 case AF_INET6:
3562 spidx.prefs =
3563 sizeof(struct in6_addr) << 3;
3564 break;
3565 #endif
3566 default:
3567 spidx.prefs = 0;
3568 break;
3569 }
3570 }
3571
3572 #undef _XIDT
3573
3574 plog(LLV_DEBUG, LOCATION, NULL,
3575 "get a src address from ID payload "
3576 "%s prefixlen=%u ul_proto=%u\n",
3577 saddr2str((struct sockaddr *)&spidx.src),
3578 spidx.prefs, spidx.ul_proto);
3579 plog(LLV_DEBUG, LOCATION, NULL,
3580 "get dst address from ID payload "
3581 "%s prefixlen=%u ul_proto=%u\n",
3582 saddr2str((struct sockaddr *)&spidx.dst),
3583 spidx.prefd, spidx.ul_proto);
3584
3585 /*
3586 * convert the ul_proto if it is 0
3587 * because 0 in ID payload means a wild card.
3588 */
3589 if (spidx.ul_proto == 0)
3590 spidx.ul_proto = IPSEC_ULPROTO_ANY;
3591
3592 #undef _XIDT
3593
3594 /* Check if the generated SPD has the same timestamp as the SA.
3595 * If timestamps are different, this means that the SPD entry has been
3596 * refreshed by another SA, and should NOT be deleted with the current SA.
3597 */
3598 if( created ){
3599 struct secpolicy *p;
3600
3601 p = getsp(&spidx);
3602 if(p != NULL){
3603 /* just do no test if p is NULL, because this probably just means
3604 * that the policy has already be deleted for some reason.
3605 */
3606 if(p->spidx.created != created)
3607 goto purge;
3608 }
3609 }
3610
3611 /* End of code from get_proposal_r
3612 */
3613
3614 if (pk_sendspddelete(iph2) < 0) {
3615 plog(LLV_ERROR, LOCATION, NULL,
3616 "pfkey spddelete(inbound) failed.\n");
3617 }else{
3618 plog(LLV_DEBUG, LOCATION, NULL,
3619 "pfkey spddelete(inbound) sent.\n");
3620 }
3621
3622 #ifdef HAVE_POLICY_FWD
3623 /* make forward policy if required */
3624 if (tunnel_mode_prop(iph2->approval)) {
3625 spidx.dir = IPSEC_DIR_FWD;
3626 if (pk_sendspddelete(iph2) < 0) {
3627 plog(LLV_ERROR, LOCATION, NULL,
3628 "pfkey spddelete(forward) failed.\n");
3629 }else{
3630 plog(LLV_DEBUG, LOCATION, NULL,
3631 "pfkey spddelete(forward) sent.\n");
3632 }
3633 }
3634 #endif
3635
3636 /* make outbound policy */
3637 iph2->src = src;
3638 iph2->dst = dst;
3639 spidx.dir = IPSEC_DIR_OUTBOUND;
3640 addr = spidx.src;
3641 spidx.src = spidx.dst;
3642 spidx.dst = addr;
3643 pref = spidx.prefs;
3644 spidx.prefs = spidx.prefd;
3645 spidx.prefd = pref;
3646
3647 if (pk_sendspddelete(iph2) < 0) {
3648 plog(LLV_ERROR, LOCATION, NULL,
3649 "pfkey spddelete(outbound) failed.\n");
3650 }else{
3651 plog(LLV_DEBUG, LOCATION, NULL,
3652 "pfkey spddelete(outbound) sent.\n");
3653 }
3654 purge:
3655 iph2->spidx_gen=NULL;
3656 }
3657
3658
3659 #ifdef INET6
3660 u_int32_t
3661 setscopeid(sp_addr0, sa_addr0)
3662 struct sockaddr *sp_addr0, *sa_addr0;
3663 {
3664 struct sockaddr_in6 *sp_addr, *sa_addr;
3665
3666 sp_addr = (struct sockaddr_in6 *)sp_addr0;
3667 sa_addr = (struct sockaddr_in6 *)sa_addr0;
3668
3669 if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
3670 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
3671 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
3672 return 0;
3673
3674 /* this check should not be here ? */
3675 if (sa_addr->sin6_family != AF_INET6) {
3676 plog(LLV_ERROR, LOCATION, NULL,
3677 "can't get scope ID: family mismatch\n");
3678 return -1;
3679 }
3680
3681 if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
3682 plog(LLV_ERROR, LOCATION, NULL,
3683 "scope ID is not supported except of lladdr.\n");
3684 return -1;
3685 }
3686
3687 sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;
3688
3689 return 0;
3690 }
3691 #endif
NetBSD on the FriendlyARM MINI2440