1 /* $NetBSD: isakmp.c,v 1.20.6.13 2008/09/25 09:34:39 vanhu Exp $ */
2
3 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42 #include <arpa/inet.h>
43
44 #include PATH_IPSEC_H
45
46 #include <stdlib.h>
47 #include <stdio.h>
48 #include <string.h>
49 #include <errno.h>
50 #if TIME_WITH_SYS_TIME
51 # include <sys/time.h>
52 # include <time.h>
53 #else
54 # if HAVE_SYS_TIME_H
55 # include <sys/time.h>
56 # else
57 # include <time.h>
58 # endif
59 #endif
60 #include <netdb.h>
61 #ifdef HAVE_UNISTD_H
62 #include <unistd.h>
63 #endif
64 #include <ctype.h>
65 #ifdef ENABLE_HYBRID
66 #include <resolv.h>
67 #endif
68
69 #include "var.h"
70 #include "misc.h"
71 #include "vmbuf.h"
72 #include "plog.h"
73 #include "sockmisc.h"
74 #include "schedule.h"
75 #include "debug.h"
76
77 #include "remoteconf.h"
78 #include "localconf.h"
79 #include "grabmyaddr.h"
80 #include "admin.h"
81 #include "privsep.h"
82 #include "isakmp_var.h"
83 #include "isakmp.h"
84 #include "oakley.h"
85 #include "evt.h"
86 #include "handler.h"
87 #include "ipsec_doi.h"
88 #include "pfkey.h"
89 #include "crypto_openssl.h"
90 #include "policy.h"
91 #include "isakmp_ident.h"
92 #include "isakmp_agg.h"
93 #include "isakmp_base.h"
94 #include "isakmp_quick.h"
95 #include "isakmp_inf.h"
96 #include "isakmp_newg.h"
97 #ifdef ENABLE_HYBRID
98 #include "vendorid.h"
99 #include "isakmp_xauth.h"
100 #include "isakmp_unity.h"
101 #include "isakmp_cfg.h"
102 #endif
103 #ifdef ENABLE_FRAG
104 #include "isakmp_frag.h"
105 #endif
106 #include "strnames.h"
107
108 #include <fcntl.h>
109
110 #ifdef ENABLE_NATT
111 # include "nattraversal.h"
112 #endif
113 # ifdef __linux__
114 # include <linux/udp.h>
115 # include <linux/ip.h>
116 # ifndef SOL_UDP
117 # define SOL_UDP 17
118 # endif
119 #if defined(__ANDROID__)
120 #include <netinet/udp.h>
121 #endif
122 # endif /* __linux__ */
123 # if defined(__NetBSD__) || defined(__FreeBSD__) || \
124 (defined(__APPLE__) && defined(__MACH__))
125 # include <netinet/in.h>
126 # include <netinet/udp.h>
127 # include <netinet/in_systm.h>
128 # include <netinet/ip.h>
129 # define SOL_UDP IPPROTO_UDP
130 # endif /* __NetBSD__ / __FreeBSD__ */
131
132 #ifdef ANDROID_CHANGES
133 #include "NetdClient.h"
134 #endif
135
136 static int nostate1 __P((struct ph1handle *, vchar_t *));
137 static int nostate2 __P((struct ph2handle *, vchar_t *));
138
139 extern caddr_t val2str(const char *, size_t);
140
141 static int (*ph1exchange[][2][PHASE1ST_MAX])
142 __P((struct ph1handle *, vchar_t *)) = {
143 /* error */
144 { {}, {}, },
145 /* Identity Protection exchange */
146 {
147 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
148 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
149 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
150 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
151 },
152 /* Aggressive exchange */
153 {
154 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
155 nostate1, nostate1, nostate1, nostate1, nostate1, },
156 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
157 nostate1, nostate1, nostate1, nostate1, nostate1, },
158 },
159 /* Base exchange */
160 {
161 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
162 base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
163 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
164 nostate1, nostate1, nostate1, nostate1, nostate1, },
165 },
166 };
167
168 static int (*ph2exchange[][2][PHASE2ST_MAX])
169 __P((struct ph2handle *, vchar_t *)) = {
170 /* error */
171 { {}, {}, },
172 /* Quick mode for IKE */
173 {
174 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
175 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
176 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
177 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
178 },
179 };
180
181 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
182
183 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
184 static int ph1_main __P((struct ph1handle *, vchar_t *));
185 static int quick_main __P((struct ph2handle *, vchar_t *));
186 static int isakmp_ph1begin_r __P((vchar_t *,
187 struct sockaddr *, struct sockaddr *, u_int8_t));
188 static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
189 static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
190 static int etypesw1 __P((int));
191 static int etypesw2 __P((int));
192 #ifdef ENABLE_FRAG
193 static int frag_handler(struct ph1handle *,
194 vchar_t *, struct sockaddr *, struct sockaddr *);
195 #endif
196
197 /*
198 * isakmp packet handler
199 */
200 int
isakmp_handler(so_isakmp)201 isakmp_handler(so_isakmp)
202 int so_isakmp;
203 {
204 struct isakmp isakmp;
205 union {
206 char buf[sizeof (isakmp) + 4];
207 u_int32_t non_esp[2];
208 char lbuf[sizeof(struct udphdr) +
209 #ifdef __linux
210 sizeof(struct iphdr) +
211 #else
212 sizeof(struct ip) +
213 #endif
214 sizeof(isakmp) + 4];
215 } x;
216 struct sockaddr_storage remote;
217 struct sockaddr_storage local;
218 unsigned int remote_len = sizeof(remote);
219 unsigned int local_len = sizeof(local);
220 int len = 0, extralen = 0;
221 vchar_t *buf = NULL, *tmpbuf = NULL;
222 int error = -1, res;
223
224 /* read message by MSG_PEEK */
225 while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
226 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
227 (struct sockaddr *)&local, &local_len)) < 0) {
228 if (errno == EINTR)
229 continue;
230 plog(LLV_ERROR, LOCATION, NULL,
231 "failed to receive isakmp packet: %s\n",
232 strerror (errno));
233 goto end;
234 }
235
236 /* keep-alive packet - ignore */
237 if (len == 1 && (x.buf[0]&0xff) == 0xff) {
238 /* Pull the keep-alive packet */
239 if ((len = recvfrom(so_isakmp, (char *)x.buf, 1,
240 0, (struct sockaddr *)&remote, &remote_len)) != 1) {
241 plog(LLV_ERROR, LOCATION, NULL,
242 "failed to receive keep alive packet: %s\n",
243 strerror (errno));
244 }
245 goto end;
246 }
247
248 /* Lucent IKE in UDP encapsulation */
249 {
250 struct udphdr *udp;
251 #ifdef __linux__
252 struct iphdr *ip;
253
254 udp = (struct udphdr *)&x.lbuf[0];
255 if (ntohs(udp->dest) == 501) {
256 ip = (struct iphdr *)(x.lbuf + sizeof(*udp));
257 extralen += sizeof(*udp) + ip->ihl;
258 }
259 #else
260 struct ip *ip;
261
262 udp = (struct udphdr *)&x.lbuf[0];
263 if (ntohs(udp->uh_dport) == 501) {
264 ip = (struct ip *)(x.lbuf + sizeof(*udp));
265 extralen += sizeof(*udp) + ip->ip_hl;
266 }
267 #endif
268 }
269
270 #ifdef ENABLE_NATT
271 /* we don't know about portchange yet,
272 look for non-esp marker instead */
273 if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
274 extralen = NON_ESP_MARKER_LEN;
275 #endif
276
277 /* now we know if there is an extra non-esp
278 marker at the beginning or not */
279 memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
280
281 /* check isakmp header length, as well as sanity of header length */
282 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
283 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
284 "packet shorter than isakmp header size (%u, %u, %zu)\n",
285 len, ntohl(isakmp.len), sizeof(isakmp));
286 /* dummy receive */
287 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
288 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
289 plog(LLV_ERROR, LOCATION, NULL,
290 "failed to receive isakmp packet: %s\n",
291 strerror (errno));
292 }
293 goto end;
294 }
295
296 /* reject it if the size is tooooo big. */
297 if (ntohl(isakmp.len) > 0xffff) {
298 plog(LLV_ERROR, LOCATION, NULL,
299 "the length in the isakmp header is too big.\n");
300 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
301 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
302 plog(LLV_ERROR, LOCATION, NULL,
303 "failed to receive isakmp packet: %s\n",
304 strerror (errno));
305 }
306 goto end;
307 }
308
309 /* read real message */
310 if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) {
311 plog(LLV_ERROR, LOCATION, NULL,
312 "failed to allocate reading buffer (%u Bytes)\n",
313 ntohl(isakmp.len) + extralen);
314 /* dummy receive */
315 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
316 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
317 plog(LLV_ERROR, LOCATION, NULL,
318 "failed to receive isakmp packet: %s\n",
319 strerror (errno));
320 }
321 goto end;
322 }
323
324 while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
325 0, (struct sockaddr *)&remote, &remote_len,
326 (struct sockaddr *)&local, &local_len)) < 0) {
327 if (errno == EINTR)
328 continue;
329 plog(LLV_ERROR, LOCATION, NULL,
330 "failed to receive isakmp packet: %s\n",
331 strerror (errno));
332 goto end;
333 }
334
335 if ((buf = vmalloc(len - extralen)) == NULL) {
336 plog(LLV_ERROR, LOCATION, NULL,
337 "failed to allocate reading buffer (%u Bytes)\n",
338 (len - extralen));
339 goto end;
340 }
341
342 memcpy (buf->v, tmpbuf->v + extralen, buf->l);
343
344 len -= extralen;
345
346 if (len != buf->l) {
347 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
348 "received invalid length (%d != %zu), why ?\n",
349 len, buf->l);
350 goto end;
351 }
352
353 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
354 plog(LLV_DEBUG, LOCATION, NULL,
355 "%d bytes message received %s\n",
356 len, saddr2str_fromto("from %s to %s",
357 (struct sockaddr *)&remote,
358 (struct sockaddr *)&local));
359 plogdump(LLV_DEBUG, buf->v, buf->l);
360
361 /* avoid packets with malicious port/address */
362 if (extract_port((struct sockaddr *)&remote) == 0) {
363 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
364 "src port == 0 (valid as UDP but not with IKE)\n");
365 goto end;
366 }
367
368 /* XXX: check sender whether to be allowed or not to accept */
369
370 /* XXX: I don't know how to check isakmp half connection attack. */
371
372 /* simply reply if the packet was processed. */
373 res=check_recvdpkt((struct sockaddr *)&remote,(struct sockaddr *)&local, buf);
374 if (res) {
375 plog(LLV_NOTIFY, LOCATION, NULL,
376 "the packet is retransmitted by %s (%d).\n",
377 saddr2str((struct sockaddr *)&remote), res);
378 error = 0;
379 goto end;
380 }
381
382 /* isakmp main routine */
383 if (isakmp_main(buf, (struct sockaddr *)&remote,
384 (struct sockaddr *)&local) != 0) goto end;
385
386 error = 0;
387
388 end:
389 if (tmpbuf != NULL)
390 vfree(tmpbuf);
391 if (buf != NULL)
392 vfree(buf);
393
394 return(error);
395 }
396
397 /*
398 * main processing to handle isakmp payload
399 */
400 static int
isakmp_main(msg,remote,local)401 isakmp_main(msg, remote, local)
402 vchar_t *msg;
403 struct sockaddr *remote, *local;
404 {
405 struct isakmp *isakmp = (struct isakmp *)msg->v;
406 isakmp_index *index = (isakmp_index *)isakmp;
407 u_int32_t msgid = isakmp->msgid;
408 struct ph1handle *iph1;
409
410 #ifdef HAVE_PRINT_ISAKMP_C
411 isakmp_printpacket(msg, remote, local, 0);
412 #endif
413
414 /* the initiator's cookie must not be zero */
415 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
416 plog(LLV_ERROR, LOCATION, remote,
417 "malformed cookie received.\n");
418 return -1;
419 }
420
421 /* Check the Major and Minor Version fields. */
422 /*
423 * XXX Is is right to check version here ?
424 * I think it may no be here because the version depends
425 * on exchange status.
426 */
427 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
428 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
429 plog(LLV_ERROR, LOCATION, remote,
430 "invalid major version %d.\n",
431 ISAKMP_GETMAJORV(isakmp->v));
432 return -1;
433 }
434 #if ISAKMP_MINOR_VERSION > 0
435 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
436 plog(LLV_ERROR, LOCATION, remote,
437 "invalid minor version %d.\n",
438 ISAKMP_GETMINORV(isakmp->v));
439 return -1;
440 }
441 #endif
442 }
443
444 /* check the Flags field. */
445 /* XXX How is the exclusive check, E and A ? */
446 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
447 plog(LLV_ERROR, LOCATION, remote,
448 "invalid flag 0x%02x.\n", isakmp->flags);
449 return -1;
450 }
451
452 /* ignore commit bit. */
453 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
454 if (isakmp->msgid == 0) {
455 isakmp_info_send_nx(isakmp, remote, local,
456 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
457 plog(LLV_ERROR, LOCATION, remote,
458 "Commit bit on phase1 forbidden.\n");
459 return -1;
460 }
461 }
462
463 iph1 = getph1byindex(index);
464 if (iph1 != NULL) {
465 /* validity check */
466 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
467 iph1->side == INITIATOR) {
468 plog(LLV_DEBUG, LOCATION, remote,
469 "malformed cookie received or "
470 "the initiator's cookies collide.\n");
471 return -1;
472 }
473
474 #ifdef ENABLE_NATT
475 /* Floating ports for NAT-T */
476 if (NATT_AVAILABLE(iph1) &&
477 ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
478 ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
479 (cmpsaddrstrict(iph1->local, local) != 0)))
480 {
481 /* prevent memory leak */
482 racoon_free(iph1->remote);
483 racoon_free(iph1->local);
484 iph1->remote = NULL;
485 iph1->local = NULL;
486
487 /* copy-in new addresses */
488 iph1->remote = dupsaddr(remote);
489 if (iph1->remote == NULL) {
490 plog(LLV_ERROR, LOCATION, iph1->remote,
491 "phase1 failed: dupsaddr failed.\n");
492 remph1(iph1);
493 delph1(iph1);
494 return -1;
495 }
496 iph1->local = dupsaddr(local);
497 if (iph1->local == NULL) {
498 plog(LLV_ERROR, LOCATION, iph1->remote,
499 "phase1 failed: dupsaddr failed.\n");
500 remph1(iph1);
501 delph1(iph1);
502 return -1;
503 }
504
505 /* set the flag to prevent further port floating
506 (FIXME: should we allow it? E.g. when the NAT gw
507 is rebooted?) */
508 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
509
510 /* print some neat info */
511 plog (LLV_INFO, LOCATION, NULL,
512 "NAT-T: ports changed to: %s\n",
513 saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
514
515 natt_keepalive_add_ph1 (iph1);
516 }
517 #endif
518
519 /* must be same addresses in one stream of a phase at least. */
520 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
521 char *saddr_db, *saddr_act;
522
523 saddr_db = racoon_strdup(saddr2str(iph1->remote));
524 saddr_act = racoon_strdup(saddr2str(remote));
525 STRDUP_FATAL(saddr_db);
526 STRDUP_FATAL(saddr_act);
527
528 plog(LLV_WARNING, LOCATION, remote,
529 "remote address mismatched. db=%s, act=%s\n",
530 saddr_db, saddr_act);
531
532 racoon_free(saddr_db);
533 racoon_free(saddr_act);
534 }
535
536 /*
537 * don't check of exchange type here because other type will be
538 * with same index, for example, informational exchange.
539 */
540
541 /* XXX more acceptable check */
542 }
543
544 switch (isakmp->etype) {
545 case ISAKMP_ETYPE_IDENT:
546 case ISAKMP_ETYPE_AGG:
547 case ISAKMP_ETYPE_BASE:
548 /* phase 1 validity check */
549 if (isakmp->msgid != 0) {
550 plog(LLV_ERROR, LOCATION, remote,
551 "message id should be zero in phase1.\n");
552 return -1;
553 }
554
555 /* search for isakmp status record of phase 1 */
556 if (iph1 == NULL) {
557 /*
558 * the packet must be the 1st message from a initiator
559 * or the 2nd message from the responder.
560 */
561
562 /* search for phase1 handle by index without r_ck */
563 iph1 = getph1byindex0(index);
564 if (iph1 == NULL) {
565 /*it must be the 1st message from a initiator.*/
566 if (memcmp(&isakmp->r_ck, r_ck0,
567 sizeof(cookie_t)) != 0) {
568
569 plog(LLV_DEBUG, LOCATION, remote,
570 "malformed cookie received "
571 "or the spi expired.\n");
572 return -1;
573 }
574
575 /* it must be responder's 1st exchange. */
576 if (isakmp_ph1begin_r(msg, remote, local,
577 isakmp->etype) < 0)
578 return -1;
579 break;
580
581 /*NOTREACHED*/
582 }
583
584 /* it must be the 2nd message from the responder. */
585 if (iph1->side != INITIATOR) {
586 plog(LLV_DEBUG, LOCATION, remote,
587 "malformed cookie received. "
588 "it has to be as the initiator. %s\n",
589 isakmp_pindex(&iph1->index, 0));
590 return -1;
591 }
592 }
593
594 /*
595 * Don't delete phase 1 handler when the exchange type
596 * in handler is not equal to packet's one because of no
597 * authencication completed.
598 */
599 if (iph1->etype != isakmp->etype) {
600 plog(LLV_ERROR, LOCATION, iph1->remote,
601 "exchange type is mismatched: "
602 "db=%s packet=%s, ignore it.\n",
603 s_isakmp_etype(iph1->etype),
604 s_isakmp_etype(isakmp->etype));
605 return -1;
606 }
607
608 #ifdef ENABLE_FRAG
609 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
610 return frag_handler(iph1, msg, remote, local);
611 #endif
612
613 /* call main process of phase 1 */
614 if (ph1_main(iph1, msg) < 0) {
615 plog(LLV_ERROR, LOCATION, iph1->remote,
616 "phase1 negotiation failed.\n");
617 remph1(iph1);
618 delph1(iph1);
619 return -1;
620 }
621 break;
622
623 case ISAKMP_ETYPE_AUTH:
624 plog(LLV_INFO, LOCATION, remote,
625 "unsupported exchange %d received.\n",
626 isakmp->etype);
627 break;
628
629 case ISAKMP_ETYPE_INFO:
630 case ISAKMP_ETYPE_ACKINFO:
631 /*
632 * iph1 must be present for Information message.
633 * if iph1 is null then trying to get the phase1 status
634 * as the packet from responder againt initiator's 1st
635 * exchange in phase 1.
636 * NOTE: We think such informational exchange should be ignored.
637 */
638 if (iph1 == NULL) {
639 iph1 = getph1byindex0(index);
640 if (iph1 == NULL) {
641 plog(LLV_ERROR, LOCATION, remote,
642 "unknown Informational "
643 "exchange received.\n");
644 return -1;
645 }
646 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
647 plog(LLV_WARNING, LOCATION, remote,
648 "remote address mismatched. "
649 "db=%s\n",
650 saddr2str(iph1->remote));
651 }
652 }
653
654 #ifdef ENABLE_FRAG
655 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
656 return frag_handler(iph1, msg, remote, local);
657 #endif
658
659 if (isakmp_info_recv(iph1, msg) < 0)
660 return -1;
661 break;
662
663 case ISAKMP_ETYPE_QUICK:
664 {
665 struct ph2handle *iph2;
666
667 if (iph1 == NULL) {
668 isakmp_info_send_nx(isakmp, remote, local,
669 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
670 plog(LLV_ERROR, LOCATION, remote,
671 "can't start the quick mode, "
672 "there is no ISAKMP-SA, %s\n",
673 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
674 isakmp->msgid));
675 return -1;
676 }
677 #ifdef ENABLE_HYBRID
678 /* Reinit the IVM if it's still there */
679 if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
680 oakley_delivm(iph1->mode_cfg->ivm);
681 iph1->mode_cfg->ivm = NULL;
682 }
683 #endif
684 #ifdef ENABLE_FRAG
685 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
686 return frag_handler(iph1, msg, remote, local);
687 #endif
688
689 /* check status of phase 1 whether negotiated or not. */
690 if (iph1->status != PHASE1ST_ESTABLISHED) {
691 plog(LLV_ERROR, LOCATION, remote,
692 "can't start the quick mode, "
693 "there is no valid ISAKMP-SA, %s\n",
694 isakmp_pindex(&iph1->index, iph1->msgid));
695 return -1;
696 }
697
698 /* search isakmp phase 2 stauts record. */
699 iph2 = getph2bymsgid(iph1, msgid);
700 if (iph2 == NULL) {
701 /* it must be new negotiation as responder */
702 if (isakmp_ph2begin_r(iph1, msg) < 0)
703 return -1;
704 return 0;
705 /*NOTREACHED*/
706 }
707
708 /* commit bit. */
709 /* XXX
710 * we keep to set commit bit during negotiation.
711 * When SA is configured, bit will be reset.
712 * XXX
713 * don't initiate commit bit. should be fixed in the future.
714 */
715 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
716 iph2->flags |= ISAKMP_FLAG_C;
717
718 /* call main process of quick mode */
719 if (quick_main(iph2, msg) < 0) {
720 plog(LLV_ERROR, LOCATION, iph1->remote,
721 "phase2 negotiation failed.\n");
722 unbindph12(iph2);
723 remph2(iph2);
724 delph2(iph2);
725 return -1;
726 }
727 }
728 break;
729
730 case ISAKMP_ETYPE_NEWGRP:
731 if (iph1 == NULL) {
732 plog(LLV_ERROR, LOCATION, remote,
733 "Unknown new group mode exchange, "
734 "there is no ISAKMP-SA.\n");
735 return -1;
736 }
737
738 #ifdef ENABLE_FRAG
739 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
740 return frag_handler(iph1, msg, remote, local);
741 #endif
742
743 isakmp_newgroup_r(iph1, msg);
744 break;
745
746 #ifdef ENABLE_HYBRID
747 case ISAKMP_ETYPE_CFG:
748 if (iph1 == NULL) {
749 plog(LLV_ERROR, LOCATION, NULL,
750 "mode config %d from %s, "
751 "but we have no ISAKMP-SA.\n",
752 isakmp->etype, saddr2str(remote));
753 return -1;
754 }
755
756 #ifdef ENABLE_FRAG
757 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
758 return frag_handler(iph1, msg, remote, local);
759 #endif
760
761 isakmp_cfg_r(iph1, msg);
762 break;
763 #endif
764
765 case ISAKMP_ETYPE_NONE:
766 default:
767 plog(LLV_ERROR, LOCATION, NULL,
768 "Invalid exchange type %d from %s.\n",
769 isakmp->etype, saddr2str(remote));
770 return -1;
771 }
772
773 return 0;
774 }
775
776 /*
777 * main function of phase 1.
778 */
779 static int
ph1_main(iph1,msg)780 ph1_main(iph1, msg)
781 struct ph1handle *iph1;
782 vchar_t *msg;
783 {
784 int error;
785 #ifdef ENABLE_STATS
786 struct timeval start, end;
787 #endif
788
789 /* ignore a packet */
790 if (iph1->status == PHASE1ST_ESTABLISHED)
791 return 0;
792
793 #ifdef ENABLE_STATS
794 gettimeofday(&start, NULL);
795 #endif
796 /* receive */
797 if (ph1exchange[etypesw1(iph1->etype)]
798 [iph1->side]
799 [iph1->status] == NULL) {
800 plog(LLV_ERROR, LOCATION, iph1->remote,
801 "why isn't the function defined.\n");
802 return -1;
803 }
804 error = (ph1exchange[etypesw1(iph1->etype)]
805 [iph1->side]
806 [iph1->status])(iph1, msg);
807 if (error != 0) {
808
809 /* XXX
810 * When an invalid packet is received on phase1, it should
811 * be selected to process this packet. That is to respond
812 * with a notify and delete phase 1 handler, OR not to respond
813 * and keep phase 1 handler. However, in PHASE1ST_START when
814 * acting as RESPONDER we must not keep phase 1 handler or else
815 * it will stay forever.
816 */
817
818 if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
819 plog(LLV_ERROR, LOCATION, iph1->remote,
820 "failed to pre-process packet.\n");
821 return -1;
822 } else {
823 /* ignore the error and keep phase 1 handler */
824 return 0;
825 }
826 }
827
828 #ifndef ENABLE_FRAG
829 /* free resend buffer */
830 if (iph1->sendbuf == NULL) {
831 plog(LLV_ERROR, LOCATION, NULL,
832 "no buffer found as sendbuf\n");
833 return -1;
834 }
835 #endif
836
837 VPTRINIT(iph1->sendbuf);
838
839 /* turn off schedule */
840 SCHED_KILL(iph1->scr);
841
842 /* send */
843 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
844 if ((ph1exchange[etypesw1(iph1->etype)]
845 [iph1->side]
846 [iph1->status])(iph1, msg) != 0) {
847 plog(LLV_ERROR, LOCATION, iph1->remote,
848 "failed to process packet.\n");
849 return -1;
850 }
851
852 #ifdef ENABLE_STATS
853 gettimeofday(&end, NULL);
854 syslog(LOG_NOTICE, "%s(%s): %8.6f",
855 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
856 timedelta(&start, &end));
857 #endif
858 if (iph1->status == PHASE1ST_ESTABLISHED) {
859
860 #ifdef ENABLE_STATS
861 gettimeofday(&iph1->end, NULL);
862 syslog(LOG_NOTICE, "%s(%s): %8.6f",
863 "phase1", s_isakmp_etype(iph1->etype),
864 timedelta(&iph1->start, &iph1->end));
865 #endif
866
867 /* save created date. */
868 (void)time(&iph1->created);
869
870 /* add to the schedule to expire, and seve back pointer. */
871 iph1->sce = sched_new(iph1->approval->lifetime,
872 isakmp_ph1expire_stub, iph1);
873 #ifdef ENABLE_HYBRID
874 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
875 switch(AUTHMETHOD(iph1)) {
876 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
877 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
878 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
879 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
880 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
881 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
882 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
883 xauth_sendreq(iph1);
884 /* XXX Don't process INITIAL_CONTACT */
885 iph1->rmconf->ini_contact = 0;
886 break;
887 default:
888 break;
889 }
890 }
891 #endif
892 #ifdef ENABLE_DPD
893 /* Schedule the r_u_there.... */
894 if(iph1->dpd_support && iph1->rmconf->dpd_interval)
895 isakmp_sched_r_u(iph1, 0);
896 #endif
897
898 /* INITIAL-CONTACT processing */
899 /* don't anything if local test mode. */
900 if (!f_local
901 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
902 /* send INITIAL-CONTACT */
903 isakmp_info_send_n1(iph1,
904 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
905 /* insert a node into contacted list. */
906 if (inscontacted(iph1->remote) == -1) {
907 plog(LLV_ERROR, LOCATION, iph1->remote,
908 "failed to add contacted list.\n");
909 /* ignore */
910 }
911 }
912
913 log_ph1established(iph1);
914 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
915
916 /*
917 * SA up shell script hook: do it now,except if
918 * ISAKMP mode config was requested. In the later
919 * case it is done when we receive the configuration.
920 */
921 if ((iph1->status == PHASE1ST_ESTABLISHED) &&
922 !iph1->rmconf->mode_cfg) {
923 switch (AUTHMETHOD(iph1)) {
924 #ifdef ENABLE_HYBRID
925 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
926 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
927 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
928 /* Unimplemeted... */
929 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
930 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
931 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
932 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
933 break;
934 #endif
935 default:
936 script_hook(iph1, SCRIPT_PHASE1_UP);
937 break;
938 }
939 }
940 }
941
942 return 0;
943 }
944
945 /*
946 * main function of quick mode.
947 */
948 static int
quick_main(iph2,msg)949 quick_main(iph2, msg)
950 struct ph2handle *iph2;
951 vchar_t *msg;
952 {
953 struct isakmp *isakmp = (struct isakmp *)msg->v;
954 int error;
955 #ifdef ENABLE_STATS
956 struct timeval start, end;
957 #endif
958
959 /* ignore a packet */
960 if (iph2->status == PHASE2ST_ESTABLISHED
961 || iph2->status == PHASE2ST_GETSPISENT)
962 return 0;
963
964 #ifdef ENABLE_STATS
965 gettimeofday(&start, NULL);
966 #endif
967
968 /* receive */
969 if (ph2exchange[etypesw2(isakmp->etype)]
970 [iph2->side]
971 [iph2->status] == NULL) {
972 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
973 "why isn't the function defined.\n");
974 return -1;
975 }
976 error = (ph2exchange[etypesw2(isakmp->etype)]
977 [iph2->side]
978 [iph2->status])(iph2, msg);
979 if (error != 0) {
980 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
981 "failed to pre-process packet.\n");
982 if (error == ISAKMP_INTERNAL_ERROR)
983 return 0;
984 isakmp_info_send_n1(iph2->ph1, error, NULL);
985 return -1;
986 }
987
988 /* when using commit bit, status will be reached here. */
989 if (iph2->status == PHASE2ST_ADDSA)
990 return 0;
991
992 /* free resend buffer */
993 if (iph2->sendbuf == NULL) {
994 plog(LLV_ERROR, LOCATION, NULL,
995 "no buffer found as sendbuf\n");
996 return -1;
997 }
998 VPTRINIT(iph2->sendbuf);
999
1000 /* turn off schedule */
1001 SCHED_KILL(iph2->scr);
1002
1003 /* send */
1004 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1005 if ((ph2exchange[etypesw2(isakmp->etype)]
1006 [iph2->side]
1007 [iph2->status])(iph2, msg) != 0) {
1008 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1009 "failed to process packet.\n");
1010 return -1;
1011 }
1012
1013 #ifdef ENABLE_STATS
1014 gettimeofday(&end, NULL);
1015 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1016 "phase2",
1017 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1018 timedelta(&start, &end));
1019 #endif
1020
1021 return 0;
1022 }
1023
1024 /* new negotiation of phase 1 for initiator */
1025 int
isakmp_ph1begin_i(rmconf,remote,local)1026 isakmp_ph1begin_i(rmconf, remote, local)
1027 struct remoteconf *rmconf;
1028 struct sockaddr *remote, *local;
1029 {
1030 struct ph1handle *iph1;
1031 #ifdef ENABLE_STATS
1032 struct timeval start, end;
1033 #endif
1034
1035 /* get new entry to isakmp status table. */
1036 iph1 = newph1();
1037 if (iph1 == NULL)
1038 return -1;
1039
1040 iph1->status = PHASE1ST_START;
1041 iph1->rmconf = rmconf;
1042 iph1->side = INITIATOR;
1043 iph1->version = ISAKMP_VERSION_NUMBER;
1044 iph1->msgid = 0;
1045 iph1->flags = 0;
1046 iph1->ph2cnt = 0;
1047 #ifdef HAVE_GSSAPI
1048 iph1->gssapi_state = NULL;
1049 #endif
1050 #ifdef ENABLE_HYBRID
1051 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1052 delph1(iph1);
1053 return -1;
1054 }
1055 #endif
1056 #ifdef ENABLE_FRAG
1057
1058 if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
1059 iph1->frag = 1;
1060 else
1061 iph1->frag = 0;
1062 iph1->frag_chain = NULL;
1063 #endif
1064 iph1->approval = NULL;
1065
1066 /* XXX copy remote address */
1067 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
1068 delph1(iph1);
1069 return -1;
1070 }
1071
1072 (void)insph1(iph1);
1073
1074 /* start phase 1 exchange */
1075 iph1->etype = rmconf->etypes->type;
1076
1077 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1078 {
1079 char *a;
1080
1081 a = racoon_strdup(saddr2str(iph1->local));
1082 STRDUP_FATAL(a);
1083
1084 plog(LLV_INFO, LOCATION, NULL,
1085 "initiate new phase 1 negotiation: %s<=>%s\n",
1086 a, saddr2str(iph1->remote));
1087 racoon_free(a);
1088 }
1089 plog(LLV_INFO, LOCATION, NULL,
1090 "begin %s mode.\n",
1091 s_isakmp_etype(iph1->etype));
1092
1093 #ifdef ENABLE_STATS
1094 gettimeofday(&iph1->start, NULL);
1095 gettimeofday(&start, NULL);
1096 #endif
1097 /* start exchange */
1098 if ((ph1exchange[etypesw1(iph1->etype)]
1099 [iph1->side]
1100 [iph1->status])(iph1, NULL) != 0) {
1101 /* failed to start phase 1 negotiation */
1102 remph1(iph1);
1103 delph1(iph1);
1104
1105 return -1;
1106 }
1107
1108 #ifdef ENABLE_STATS
1109 gettimeofday(&end, NULL);
1110 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1111 "phase1",
1112 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1113 timedelta(&start, &end));
1114 #endif
1115
1116 return 0;
1117 }
1118
1119 /* new negotiation of phase 1 for responder */
1120 static int
isakmp_ph1begin_r(vchar_t * msg,struct sockaddr * remote,struct sockaddr * local,u_int8_t etype)1121 isakmp_ph1begin_r(vchar_t *msg, struct sockaddr *remote,
1122 struct sockaddr *local, u_int8_t etype)
1123 {
1124 struct isakmp *isakmp = (struct isakmp *)msg->v;
1125 struct remoteconf *rmconf;
1126 struct ph1handle *iph1;
1127 struct etypes *etypeok;
1128 #ifdef ENABLE_STATS
1129 struct timeval start, end;
1130 #endif
1131
1132 /* look for my configuration */
1133 rmconf = getrmconf(remote);
1134 if (rmconf == NULL) {
1135 plog(LLV_ERROR, LOCATION, remote,
1136 "couldn't find "
1137 "configuration.\n");
1138 return -1;
1139 }
1140
1141 /* check to be acceptable exchange type */
1142 etypeok = check_etypeok(rmconf, etype);
1143 if (etypeok == NULL) {
1144 plog(LLV_ERROR, LOCATION, remote,
1145 "not acceptable %s mode\n", s_isakmp_etype(etype));
1146 return -1;
1147 }
1148
1149 /* get new entry to isakmp status table. */
1150 iph1 = newph1();
1151 if (iph1 == NULL)
1152 return -1;
1153
1154 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1155 iph1->status = PHASE1ST_START;
1156 iph1->rmconf = rmconf;
1157 iph1->flags = 0;
1158 iph1->side = RESPONDER;
1159 iph1->etype = etypeok->type;
1160 iph1->version = isakmp->v;
1161 iph1->msgid = 0;
1162 #ifdef HAVE_GSSAPI
1163 iph1->gssapi_state = NULL;
1164 #endif
1165 #ifdef ENABLE_HYBRID
1166 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1167 delph1(iph1);
1168 return -1;
1169 }
1170 #endif
1171 #ifdef ENABLE_FRAG
1172 iph1->frag = 0;
1173 iph1->frag_chain = NULL;
1174 #endif
1175 iph1->approval = NULL;
1176
1177 #ifdef ENABLE_NATT
1178 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
1179 * We have to setup this flag now to correctly generate the first reply.
1180 * Don't know if a better check could be done for that ?
1181 */
1182 if(extract_port(local) == lcconf->port_isakmp_natt)
1183 iph1->natt_flags |= (NAT_PORTS_CHANGED);
1184 #endif
1185
1186 /* copy remote address */
1187 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
1188 delph1(iph1);
1189 return -1;
1190 }
1191 (void)insph1(iph1);
1192
1193 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1194 {
1195 char *a;
1196
1197 a = racoon_strdup(saddr2str(iph1->local));
1198 STRDUP_FATAL(a);
1199
1200 plog(LLV_INFO, LOCATION, NULL,
1201 "respond new phase 1 negotiation: %s<=>%s\n",
1202 a, saddr2str(iph1->remote));
1203 racoon_free(a);
1204 }
1205 plog(LLV_INFO, LOCATION, NULL,
1206 "begin %s mode.\n", s_isakmp_etype(etype));
1207
1208 #ifdef ENABLE_STATS
1209 gettimeofday(&iph1->start, NULL);
1210 gettimeofday(&start, NULL);
1211 #endif
1212
1213 #ifndef ENABLE_FRAG
1214
1215 /* start exchange */
1216 if ((ph1exchange[etypesw1(iph1->etype)]
1217 [iph1->side]
1218 [iph1->status])(iph1, msg) < 0
1219 || (ph1exchange[etypesw1(iph1->etype)]
1220 [iph1->side]
1221 [iph1->status])(iph1, msg) < 0) {
1222 plog(LLV_ERROR, LOCATION, remote,
1223 "failed to process packet.\n");
1224 remph1(iph1);
1225 delph1(iph1);
1226 return -1;
1227 }
1228
1229 #ifdef ENABLE_STATS
1230 gettimeofday(&end, NULL);
1231 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1232 "phase1",
1233 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1234 timedelta(&start, &end));
1235 #endif
1236
1237 return 0;
1238
1239 #else /* ENABLE_FRAG */
1240
1241 /* now that we have a phase1 handle, feed back into our
1242 * main receive function to catch fragmented packets
1243 */
1244
1245 return isakmp_main(msg, remote, local);
1246
1247 #endif /* ENABLE_FRAG */
1248
1249 }
1250
1251 /* new negotiation of phase 2 for initiator */
1252 static int
isakmp_ph2begin_i(iph1,iph2)1253 isakmp_ph2begin_i(iph1, iph2)
1254 struct ph1handle *iph1;
1255 struct ph2handle *iph2;
1256 {
1257 #ifdef ENABLE_HYBRID
1258 if (xauth_check(iph1) != 0) {
1259 plog(LLV_ERROR, LOCATION, NULL,
1260 "Attempt to start phase 2 whereas Xauth failed\n");
1261 return -1;
1262 }
1263 #endif
1264
1265 /* found ISAKMP-SA. */
1266 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1267 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1268 {
1269 char *a;
1270 a = racoon_strdup(saddr2str(iph2->src));
1271 STRDUP_FATAL(a);
1272
1273 plog(LLV_INFO, LOCATION, NULL,
1274 "initiate new phase 2 negotiation: %s<=>%s\n",
1275 a, saddr2str(iph2->dst));
1276 racoon_free(a);
1277 }
1278
1279 #ifdef ENABLE_STATS
1280 gettimeofday(&iph2->start, NULL);
1281 #endif
1282 /* found isakmp-sa */
1283 bindph12(iph1, iph2);
1284 iph2->status = PHASE2ST_STATUS2;
1285
1286 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1287 [iph2->side]
1288 [iph2->status])(iph2, NULL) < 0) {
1289 unbindph12(iph2);
1290 /* release ipsecsa handler due to internal error. */
1291 remph2(iph2);
1292 return -1;
1293 }
1294 return 0;
1295 }
1296
1297 /* new negotiation of phase 2 for responder */
1298 static int
isakmp_ph2begin_r(iph1,msg)1299 isakmp_ph2begin_r(iph1, msg)
1300 struct ph1handle *iph1;
1301 vchar_t *msg;
1302 {
1303 struct isakmp *isakmp = (struct isakmp *)msg->v;
1304 struct ph2handle *iph2 = 0;
1305 int error;
1306 #ifdef ENABLE_STATS
1307 struct timeval start, end;
1308 #endif
1309 #ifdef ENABLE_HYBRID
1310 if (xauth_check(iph1) != 0) {
1311 plog(LLV_ERROR, LOCATION, NULL,
1312 "Attempt to start phase 2 whereas Xauth failed\n");
1313 return -1;
1314 }
1315 #endif
1316
1317 iph2 = newph2();
1318 if (iph2 == NULL) {
1319 plog(LLV_ERROR, LOCATION, NULL,
1320 "failed to allocate phase2 entry.\n");
1321 return -1;
1322 }
1323
1324 iph2->ph1 = iph1;
1325 iph2->side = RESPONDER;
1326 iph2->status = PHASE2ST_START;
1327 iph2->flags = isakmp->flags;
1328 iph2->msgid = isakmp->msgid;
1329 iph2->seq = pk_getseq();
1330 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1331 if (iph2->ivm == NULL) {
1332 delph2(iph2);
1333 return -1;
1334 }
1335 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1336 if (iph2->dst == NULL) {
1337 delph2(iph2);
1338 return -1;
1339 }
1340 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1341 if (iph2->src == NULL) {
1342 delph2(iph2);
1343 return -1;
1344 }
1345 #if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
1346 if (set_port(iph2->dst, 0) == NULL ||
1347 set_port(iph2->src, 0) == NULL) {
1348 plog(LLV_ERROR, LOCATION, NULL,
1349 "invalid family: %d\n", iph2->dst->sa_family);
1350 delph2(iph2);
1351 return -1;
1352 }
1353 #endif
1354
1355 /* add new entry to isakmp status table */
1356 insph2(iph2);
1357 bindph12(iph1, iph2);
1358
1359 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1360 {
1361 char *a;
1362
1363 a = racoon_strdup(saddr2str(iph2->src));
1364 STRDUP_FATAL(a);
1365
1366 plog(LLV_INFO, LOCATION, NULL,
1367 "respond new phase 2 negotiation: %s<=>%s\n",
1368 a, saddr2str(iph2->dst));
1369 racoon_free(a);
1370 }
1371
1372 #ifdef ENABLE_STATS
1373 gettimeofday(&start, NULL);
1374 #endif
1375
1376 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1377 [iph2->side]
1378 [iph2->status])(iph2, msg);
1379 if (error != 0) {
1380 plog(LLV_ERROR, LOCATION, iph1->remote,
1381 "failed to pre-process packet.\n");
1382 if (error != ISAKMP_INTERNAL_ERROR)
1383 isakmp_info_send_n1(iph2->ph1, error, NULL);
1384 /*
1385 * release handler because it's wrong that ph2handle is kept
1386 * after failed to check message for responder's.
1387 */
1388 unbindph12(iph2);
1389 remph2(iph2);
1390 delph2(iph2);
1391 return -1;
1392 }
1393
1394 /* send */
1395 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1396 if ((ph2exchange[etypesw2(isakmp->etype)]
1397 [iph2->side]
1398 [iph2->status])(iph2, msg) < 0) {
1399 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1400 "failed to process packet.\n");
1401 /* don't release handler */
1402 return -1;
1403 }
1404 #ifdef ENABLE_STATS
1405 gettimeofday(&end, NULL);
1406 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1407 "phase2",
1408 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1409 timedelta(&start, &end));
1410 #endif
1411
1412 return 0;
1413 }
1414
1415 /*
1416 * parse ISAKMP payloads, without ISAKMP base header.
1417 */
1418 vchar_t *
isakmp_parsewoh(np0,gen,len)1419 isakmp_parsewoh(np0, gen, len)
1420 int np0;
1421 struct isakmp_gen *gen;
1422 int len;
1423 {
1424 u_char np = np0 & 0xff;
1425 int tlen, plen;
1426 vchar_t *result;
1427 struct isakmp_parse_t *p, *ep;
1428
1429 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1430
1431 /*
1432 * 5 is a magic number, but any value larger than 2 should be fine
1433 * as we do vrealloc() in the following loop.
1434 */
1435 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1436 if (result == NULL) {
1437 plog(LLV_ERROR, LOCATION, NULL,
1438 "failed to get buffer.\n");
1439 return NULL;
1440 }
1441 p = (struct isakmp_parse_t *)result->v;
1442 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1443
1444 tlen = len;
1445
1446 /* parse through general headers */
1447 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1448 if (tlen <= sizeof(struct isakmp_gen)) {
1449 /* don't send information, see isakmp_ident_r1() */
1450 plog(LLV_ERROR, LOCATION, NULL,
1451 "invalid length of payload\n");
1452 vfree(result);
1453 return NULL;
1454 }
1455
1456 plog(LLV_DEBUG, LOCATION, NULL,
1457 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1458
1459 p->type = np;
1460 p->len = ntohs(gen->len);
1461 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
1462 plog(LLV_DEBUG, LOCATION, NULL,
1463 "invalid length of payload\n");
1464 vfree(result);
1465 return NULL;
1466 }
1467 p->ptr = gen;
1468 p++;
1469 if (ep <= p) {
1470 int off;
1471
1472 off = p - (struct isakmp_parse_t *)result->v;
1473 result = vrealloc(result, result->l * 2);
1474 if (result == NULL) {
1475 plog(LLV_DEBUG, LOCATION, NULL,
1476 "failed to realloc buffer.\n");
1477 vfree(result);
1478 return NULL;
1479 }
1480 ep = (struct isakmp_parse_t *)
1481 (result->v + result->l - sizeof(*ep));
1482 p = (struct isakmp_parse_t *)result->v;
1483 p += off;
1484 }
1485
1486 np = gen->np;
1487 plen = ntohs(gen->len);
1488 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1489 tlen -= plen;
1490 }
1491 p->type = ISAKMP_NPTYPE_NONE;
1492 p->len = 0;
1493 p->ptr = NULL;
1494
1495 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1496
1497 return result;
1498 }
1499
1500 /*
1501 * parse ISAKMP payloads, including ISAKMP base header.
1502 */
1503 vchar_t *
isakmp_parse(buf)1504 isakmp_parse(buf)
1505 vchar_t *buf;
1506 {
1507 struct isakmp *isakmp = (struct isakmp *)buf->v;
1508 struct isakmp_gen *gen;
1509 int tlen;
1510 vchar_t *result;
1511 u_char np;
1512
1513 np = isakmp->np;
1514 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1515 tlen = buf->l - sizeof(struct isakmp);
1516 result = isakmp_parsewoh(np, gen, tlen);
1517
1518 return result;
1519 }
1520
1521 /* %%% */
1522 int
isakmp_init()1523 isakmp_init()
1524 {
1525 /* initialize a isakmp status table */
1526 initph1tree();
1527 initph2tree();
1528 initctdtree();
1529 init_recvdpkt();
1530
1531 if (isakmp_open() < 0)
1532 goto err;
1533
1534 return(0);
1535
1536 err:
1537 isakmp_close();
1538 return(-1);
1539 }
1540
1541 /*
1542 * make strings containing i_cookie + r_cookie + msgid
1543 */
1544 const char *
isakmp_pindex(index,msgid)1545 isakmp_pindex(index, msgid)
1546 const isakmp_index *index;
1547 const u_int32_t msgid;
1548 {
1549 static char buf[64];
1550 const u_char *p;
1551 int i, j;
1552
1553 memset(buf, 0, sizeof(buf));
1554
1555 /* copy index */
1556 p = (const u_char *)index;
1557 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1558 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1559 j += 2;
1560 switch (i) {
1561 case 7:
1562 buf[j++] = ':';
1563 }
1564 }
1565
1566 if (msgid == 0)
1567 return buf;
1568
1569 /* copy msgid */
1570 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1571
1572 return buf;
1573 }
1574
1575 /* open ISAKMP sockets. */
1576 int
isakmp_open()1577 isakmp_open()
1578 {
1579 const int yes = 1;
1580 int ifnum = 0, encap_ifnum = 0;
1581 #ifdef INET6
1582 int pktinfo;
1583 #endif
1584 struct myaddrs *p;
1585
1586 for (p = lcconf->myaddrs; p; p = p->next) {
1587 if (!p->addr)
1588 continue;
1589
1590 /* warn if wildcard address - should we forbid this? */
1591 switch (p->addr->sa_family) {
1592 case AF_INET:
1593 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
1594 plog(LLV_WARNING, LOCATION, NULL,
1595 "listening to wildcard address,"
1596 "broadcast IKE packet may kill you\n");
1597 break;
1598 #ifdef INET6
1599 case AF_INET6:
1600 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
1601 plog(LLV_WARNING, LOCATION, NULL,
1602 "listening to wildcard address, "
1603 "broadcast IKE packet may kill you\n");
1604 break;
1605 #endif
1606 default:
1607 plog(LLV_ERROR, LOCATION, NULL,
1608 "unsupported address family %d\n",
1609 lcconf->default_af);
1610 goto err_and_next;
1611 }
1612
1613 #ifdef INET6
1614 if (p->addr->sa_family == AF_INET6 &&
1615 IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)
1616 p->addr)->sin6_addr))
1617 {
1618 plog(LLV_DEBUG, LOCATION, NULL,
1619 "Ignoring multicast address %s\n",
1620 saddr2str(p->addr));
1621 racoon_free(p->addr);
1622 p->addr = NULL;
1623 continue;
1624 }
1625 #endif
1626
1627 if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1628 plog(LLV_ERROR, LOCATION, NULL,
1629 "socket (%s)\n", strerror(errno));
1630 goto err_and_next;
1631 }
1632 #ifdef ANDROID_CHANGES
1633 protectFromVpn(p->sock);
1634 #endif
1635
1636 if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
1637 plog(LLV_WARNING, LOCATION, NULL,
1638 "failed to put socket in non-blocking mode\n");
1639
1640 /* receive my interface address on inbound packets. */
1641 switch (p->addr->sa_family) {
1642 case AF_INET:
1643 if (setsockopt(p->sock, IPPROTO_IP,
1644 #ifdef __linux__
1645 IP_PKTINFO,
1646 #else
1647 IP_RECVDSTADDR,
1648 #endif
1649 (const void *)&yes, sizeof(yes)) < 0) {
1650 plog(LLV_ERROR, LOCATION, NULL,
1651 "setsockopt IP_RECVDSTADDR (%s)\n",
1652 strerror(errno));
1653 goto err_and_next;
1654 }
1655 break;
1656 #ifdef INET6
1657 case AF_INET6:
1658 #ifdef INET6_ADVAPI
1659 #ifdef IPV6_RECVPKTINFO
1660 pktinfo = IPV6_RECVPKTINFO;
1661 #else /* old adv. API */
1662 pktinfo = IPV6_PKTINFO;
1663 #endif /* IPV6_RECVPKTINFO */
1664 #else
1665 pktinfo = IPV6_RECVDSTADDR;
1666 #endif
1667 if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo,
1668 (const void *)&yes, sizeof(yes)) < 0)
1669 {
1670 plog(LLV_ERROR, LOCATION, NULL,
1671 "setsockopt IPV6_RECVDSTADDR (%d):%s\n",
1672 pktinfo, strerror(errno));
1673 goto err_and_next;
1674 }
1675 break;
1676 #endif
1677 }
1678
1679 #ifdef IPV6_USE_MIN_MTU
1680 if (p->addr->sa_family == AF_INET6 &&
1681 setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1682 (void *)&yes, sizeof(yes)) < 0) {
1683 plog(LLV_ERROR, LOCATION, NULL,
1684 "setsockopt IPV6_USE_MIN_MTU (%s)\n",
1685 strerror(errno));
1686 return -1;
1687 }
1688 #endif
1689
1690 if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
1691 goto err_and_next;
1692
1693 if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
1694 plog(LLV_ERROR, LOCATION, p->addr,
1695 "failed to bind to address %s (%s).\n",
1696 saddr2str(p->addr), strerror(errno));
1697 close(p->sock);
1698 goto err_and_next;
1699 }
1700
1701 ifnum++;
1702
1703 plog(LLV_INFO, LOCATION, NULL,
1704 "%s used as isakmp port (fd=%d)\n",
1705 saddr2str(p->addr), p->sock);
1706
1707 #ifdef ENABLE_NATT
1708 if (p->addr->sa_family == AF_INET) {
1709 int option = -1;
1710
1711
1712 if(p->udp_encap)
1713 option = UDP_ENCAP_ESPINUDP;
1714 #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01)
1715 else
1716 option = UDP_ENCAP_ESPINUDP_NON_IKE;
1717 #endif
1718 if(option != -1){
1719 if (setsockopt (p->sock, SOL_UDP,
1720 UDP_ENCAP, &option, sizeof (option)) < 0) {
1721 plog(LLV_WARNING, LOCATION, NULL,
1722 "setsockopt(%s): UDP_ENCAP %s\n",
1723 option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
1724 strerror(errno));
1725 goto skip_encap;
1726 }
1727 else {
1728 plog(LLV_INFO, LOCATION, NULL,
1729 "%s used for NAT-T\n",
1730 saddr2str(p->addr));
1731 encap_ifnum++;
1732 }
1733 }
1734 }
1735 skip_encap:
1736 #endif
1737 continue;
1738
1739 err_and_next:
1740 racoon_free(p->addr);
1741 p->addr = NULL;
1742 if (! lcconf->autograbaddr && lcconf->strict_address)
1743 return -1;
1744 continue;
1745 }
1746
1747 if (!ifnum) {
1748 plog(LLV_ERROR, LOCATION, NULL,
1749 "no address could be bound.\n");
1750 return -1;
1751 }
1752
1753 #ifdef ENABLE_NATT
1754 if (natt_enabled_in_rmconf() && !encap_ifnum) {
1755 plog(LLV_WARNING, LOCATION, NULL,
1756 "NAT-T is enabled in at least one remote{} section,\n");
1757 plog(LLV_WARNING, LOCATION, NULL,
1758 "but no 'isakmp_natt' address was specified!\n");
1759 }
1760 #endif
1761
1762 return 0;
1763 }
1764
1765 void
isakmp_close()1766 isakmp_close()
1767 {
1768 #ifndef ANDROID_PATCHED
1769 struct myaddrs *p, *next;
1770
1771 for (p = lcconf->myaddrs; p; p = next) {
1772 next = p->next;
1773
1774 if (!p->addr) {
1775 racoon_free(p);
1776 continue;
1777 }
1778 close(p->sock);
1779 racoon_free(p->addr);
1780 racoon_free(p);
1781 }
1782
1783 lcconf->myaddrs = NULL;
1784 #endif
1785 }
1786
1787 int
isakmp_send(iph1,sbuf)1788 isakmp_send(iph1, sbuf)
1789 struct ph1handle *iph1;
1790 vchar_t *sbuf;
1791 {
1792 int len = 0;
1793 int s;
1794 vchar_t *vbuf = NULL, swap;
1795
1796 #ifdef ENABLE_NATT
1797 size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
1798
1799 /* Check if NON_ESP_MARKER_LEN is already there (happens when resending packets)
1800 */
1801 if(extralen == NON_ESP_MARKER_LEN &&
1802 *(u_int32_t *)sbuf->v == 0)
1803 extralen = 0;
1804
1805 #ifdef ENABLE_FRAG
1806 /*
1807 * Do not add the non ESP marker for a packet that will
1808 * be fragmented. The non ESP marker should appear in
1809 * all fragment's packets, but not in the fragmented packet
1810 */
1811 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
1812 extralen = 0;
1813 #endif
1814 if (extralen)
1815 plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
1816
1817 /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
1818 must added just before the packet itself. For this we must
1819 allocate a new buffer and release it at the end. */
1820 if (extralen) {
1821 if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
1822 plog(LLV_ERROR, LOCATION, NULL,
1823 "vbuf allocation failed\n");
1824 return -1;
1825 }
1826 *(u_int32_t *)vbuf->v = 0;
1827 memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
1828 /* ensures that the modified buffer will be sent back to the caller, so
1829 * add_recvdpkt() will add the correct buffer
1830 */
1831 swap = *sbuf;
1832 *sbuf = *vbuf;
1833 *vbuf = swap;
1834 vfree(vbuf);
1835 }
1836 #endif
1837
1838 /* select the socket to be sent */
1839 s = getsockmyaddr(iph1->local);
1840 if (s == -1){
1841 return -1;
1842 }
1843
1844 plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
1845 saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
1846
1847 #ifdef ENABLE_FRAG
1848 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
1849 if (isakmp_sendfrags(iph1, sbuf) == -1) {
1850 plog(LLV_ERROR, LOCATION, NULL,
1851 "isakmp_sendfrags failed\n");
1852 return -1;
1853 }
1854 } else
1855 #endif
1856 {
1857 len = sendfromto(s, sbuf->v, sbuf->l,
1858 iph1->local, iph1->remote, lcconf->count_persend);
1859
1860 if (len == -1) {
1861 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1862 return -1;
1863 }
1864 }
1865
1866 return 0;
1867 }
1868
1869 /* called from scheduler */
1870 void
isakmp_ph1resend_stub(p)1871 isakmp_ph1resend_stub(p)
1872 void *p;
1873 {
1874 struct ph1handle *iph1;
1875
1876 iph1=(struct ph1handle *)p;
1877 if(isakmp_ph1resend(iph1) < 0){
1878 if(iph1->scr != NULL){
1879 /* Should not happen...
1880 */
1881 sched_kill(iph1->scr);
1882 iph1->scr=NULL;
1883 }
1884
1885 remph1(iph1);
1886 delph1(iph1);
1887 }
1888 }
1889
1890 int
isakmp_ph1resend(iph1)1891 isakmp_ph1resend(iph1)
1892 struct ph1handle *iph1;
1893 {
1894 /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
1895 */
1896 if (iph1->retry_counter <= 0) {
1897 plog(LLV_ERROR, LOCATION, NULL,
1898 "phase1 negotiation failed due to time up. %s\n",
1899 isakmp_pindex(&iph1->index, iph1->msgid));
1900 EVT_PUSH(iph1->local, iph1->remote,
1901 EVTT_PEER_NO_RESPONSE, NULL);
1902
1903 return -1;
1904 }
1905
1906 if (isakmp_send(iph1, iph1->sendbuf) < 0){
1907 plog(LLV_ERROR, LOCATION, NULL,
1908 "phase1 negotiation failed due to send error. %s\n",
1909 isakmp_pindex(&iph1->index, iph1->msgid));
1910 EVT_PUSH(iph1->local, iph1->remote,
1911 EVTT_PEER_NO_RESPONSE, NULL);
1912 return -1;
1913 }
1914
1915 plog(LLV_DEBUG, LOCATION, NULL,
1916 "resend phase1 packet %s\n",
1917 isakmp_pindex(&iph1->index, iph1->msgid));
1918
1919 iph1->retry_counter--;
1920
1921 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1922 isakmp_ph1resend_stub, iph1);
1923
1924 return 0;
1925 }
1926
1927 /* called from scheduler */
1928 void
isakmp_ph2resend_stub(p)1929 isakmp_ph2resend_stub(p)
1930 void *p;
1931 {
1932 struct ph2handle *iph2;
1933
1934 iph2=(struct ph2handle *)p;
1935
1936 if(isakmp_ph2resend(iph2) < 0){
1937 unbindph12(iph2);
1938 remph2(iph2);
1939 delph2(iph2);
1940 }
1941 }
1942
1943 int
isakmp_ph2resend(iph2)1944 isakmp_ph2resend(iph2)
1945 struct ph2handle *iph2;
1946 {
1947 /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
1948 */
1949 if (iph2->ph1->status == PHASE1ST_EXPIRED){
1950 plog(LLV_ERROR, LOCATION, NULL,
1951 "phase2 negotiation failed due to phase1 expired. %s\n",
1952 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1953 return -1;
1954 }
1955
1956 if (iph2->retry_counter <= 0) {
1957 plog(LLV_ERROR, LOCATION, NULL,
1958 "phase2 negotiation failed due to time up. %s\n",
1959 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1960 EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
1961 unbindph12(iph2);
1962 return -1;
1963 }
1964
1965 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){
1966 plog(LLV_ERROR, LOCATION, NULL,
1967 "phase2 negotiation failed due to send error. %s\n",
1968 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1969 EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
1970
1971 return -1;
1972 }
1973
1974 plog(LLV_DEBUG, LOCATION, NULL,
1975 "resend phase2 packet %s\n",
1976 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1977
1978 iph2->retry_counter--;
1979
1980 iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
1981 isakmp_ph2resend_stub, iph2);
1982
1983 return 0;
1984 }
1985
1986 /* called from scheduler */
1987 void
isakmp_ph1expire_stub(p)1988 isakmp_ph1expire_stub(p)
1989 void *p;
1990 {
1991
1992 isakmp_ph1expire((struct ph1handle *)p);
1993 }
1994
1995 void
isakmp_ph1expire(iph1)1996 isakmp_ph1expire(iph1)
1997 struct ph1handle *iph1;
1998 {
1999 char *src, *dst;
2000
2001 SCHED_KILL(iph1->sce);
2002
2003 if(iph1->status != PHASE1ST_EXPIRED){
2004 src = racoon_strdup(saddr2str(iph1->local));
2005 dst = racoon_strdup(saddr2str(iph1->remote));
2006 STRDUP_FATAL(src);
2007 STRDUP_FATAL(dst);
2008
2009 plog(LLV_INFO, LOCATION, NULL,
2010 "ISAKMP-SA expired %s-%s spi:%s\n",
2011 src, dst,
2012 isakmp_pindex(&iph1->index, 0));
2013 racoon_free(src);
2014 racoon_free(dst);
2015 iph1->status = PHASE1ST_EXPIRED;
2016 }
2017
2018 /*
2019 * the phase1 deletion is postponed until there is no phase2.
2020 */
2021 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2022 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
2023 return;
2024 }
2025
2026 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
2027 }
2028
2029 /* called from scheduler */
2030 void
isakmp_ph1delete_stub(p)2031 isakmp_ph1delete_stub(p)
2032 void *p;
2033 {
2034
2035 isakmp_ph1delete((struct ph1handle *)p);
2036 }
2037
2038 void
isakmp_ph1delete(iph1)2039 isakmp_ph1delete(iph1)
2040 struct ph1handle *iph1;
2041 {
2042 char *src, *dst;
2043
2044 SCHED_KILL(iph1->sce);
2045
2046 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2047 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
2048 return;
2049 }
2050
2051 /* don't re-negosiation when the phase 1 SA expires. */
2052
2053 src = racoon_strdup(saddr2str(iph1->local));
2054 dst = racoon_strdup(saddr2str(iph1->remote));
2055 STRDUP_FATAL(src);
2056 STRDUP_FATAL(dst);
2057
2058 plog(LLV_INFO, LOCATION, NULL,
2059 "ISAKMP-SA deleted %s-%s spi:%s\n",
2060 src, dst, isakmp_pindex(&iph1->index, 0));
2061 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
2062 racoon_free(src);
2063 racoon_free(dst);
2064
2065 remph1(iph1);
2066 delph1(iph1);
2067
2068 return;
2069 }
2070
2071 /* called from scheduler.
2072 * this function will call only isakmp_ph2delete().
2073 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
2074 * by something cause. That's why this function is called after phase 2 SA
2075 * expires in the userland.
2076 */
2077 void
isakmp_ph2expire_stub(p)2078 isakmp_ph2expire_stub(p)
2079 void *p;
2080 {
2081
2082 isakmp_ph2expire((struct ph2handle *)p);
2083 }
2084
2085 void
isakmp_ph2expire(iph2)2086 isakmp_ph2expire(iph2)
2087 struct ph2handle *iph2;
2088 {
2089 char *src, *dst;
2090
2091 SCHED_KILL(iph2->sce);
2092
2093 src = racoon_strdup(saddrwop2str(iph2->src));
2094 dst = racoon_strdup(saddrwop2str(iph2->dst));
2095 STRDUP_FATAL(src);
2096 STRDUP_FATAL(dst);
2097
2098 plog(LLV_INFO, LOCATION, NULL,
2099 "phase2 sa expired %s-%s\n", src, dst);
2100 racoon_free(src);
2101 racoon_free(dst);
2102
2103 iph2->status = PHASE2ST_EXPIRED;
2104
2105 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
2106
2107 return;
2108 }
2109
2110 /* called from scheduler */
2111 void
isakmp_ph2delete_stub(p)2112 isakmp_ph2delete_stub(p)
2113 void *p;
2114 {
2115
2116 isakmp_ph2delete((struct ph2handle *)p);
2117 }
2118
2119 void
isakmp_ph2delete(iph2)2120 isakmp_ph2delete(iph2)
2121 struct ph2handle *iph2;
2122 {
2123 char *src, *dst;
2124
2125 SCHED_KILL(iph2->sce);
2126
2127 src = racoon_strdup(saddrwop2str(iph2->src));
2128 dst = racoon_strdup(saddrwop2str(iph2->dst));
2129 STRDUP_FATAL(src);
2130 STRDUP_FATAL(dst);
2131
2132 plog(LLV_INFO, LOCATION, NULL,
2133 "phase2 sa deleted %s-%s\n", src, dst);
2134 racoon_free(src);
2135 racoon_free(dst);
2136
2137 unbindph12(iph2);
2138 remph2(iph2);
2139 delph2(iph2);
2140
2141 return;
2142 }
2143
2144 /* �%%%
2145 * Interface between PF_KEYv2 and ISAKMP
2146 */
2147 /*
2148 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
2149 * if phase1 has been finished, begin phase2.
2150 */
2151 int
isakmp_post_acquire(iph2)2152 isakmp_post_acquire(iph2)
2153 struct ph2handle *iph2;
2154 {
2155 struct remoteconf *rmconf;
2156 struct ph1handle *iph1 = NULL;
2157
2158 plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
2159
2160 /* search appropreate configuration with masking port. */
2161 rmconf = getrmconf(iph2->dst);
2162 if (rmconf == NULL) {
2163 plog(LLV_ERROR, LOCATION, NULL,
2164 "no configuration found for %s.\n",
2165 saddrwop2str(iph2->dst));
2166 return -1;
2167 }
2168
2169 /* if passive mode, ignore the acquire message */
2170 if (rmconf->passive) {
2171 plog(LLV_DEBUG, LOCATION, NULL,
2172 "because of passive mode, "
2173 "ignore the acquire message for %s.\n",
2174 saddrwop2str(iph2->dst));
2175 return 0;
2176 }
2177
2178 /*
2179 * Search isakmp status table by address and port
2180 * If NAT-T is in use, consider null ports as a
2181 * wildcard and use IKE ports instead.
2182 */
2183 #ifdef ENABLE_NATT
2184 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
2185 if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
2186 set_port(iph2->src, extract_port(iph1->local));
2187 set_port(iph2->dst, extract_port(iph1->remote));
2188 }
2189 } else {
2190 iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2191 }
2192 #else
2193 iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2194 #endif
2195
2196 /* no ISAKMP-SA found. */
2197 if (iph1 == NULL) {
2198 struct sched *sc;
2199
2200 iph2->retry_checkph1 = lcconf->retry_checkph1;
2201 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
2202 plog(LLV_INFO, LOCATION, NULL,
2203 "IPsec-SA request for %s queued "
2204 "due to no phase1 found.\n",
2205 saddrwop2str(iph2->dst));
2206
2207 /* start phase 1 negotiation as a initiator. */
2208 if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) {
2209 SCHED_KILL(sc);
2210 return -1;
2211 }
2212
2213 return 0;
2214 /*NOTREACHED*/
2215 }
2216
2217 /* found ISAKMP-SA, but on negotiation. */
2218 if (iph1->status != PHASE1ST_ESTABLISHED) {
2219 iph2->retry_checkph1 = lcconf->retry_checkph1;
2220 sched_new(1, isakmp_chkph1there_stub, iph2);
2221 plog(LLV_INFO, LOCATION, iph2->dst,
2222 "request for establishing IPsec-SA was queued "
2223 "due to no phase1 found.\n");
2224 return 0;
2225 /*NOTREACHED*/
2226 }
2227
2228 /* found established ISAKMP-SA */
2229 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
2230
2231 /* found ISAKMP-SA. */
2232 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
2233
2234 /* begin quick mode */
2235 if (isakmp_ph2begin_i(iph1, iph2))
2236 return -1;
2237
2238 return 0;
2239 }
2240
2241 /*
2242 * receive GETSPI from kernel.
2243 */
2244 int
isakmp_post_getspi(iph2)2245 isakmp_post_getspi(iph2)
2246 struct ph2handle *iph2;
2247 {
2248 #ifdef ENABLE_STATS
2249 struct timeval start, end;
2250 #endif
2251
2252 /* don't process it because there is no suitable phase1-sa. */
2253 if (iph2->ph1->status == PHASE1ST_EXPIRED) {
2254 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2255 "the negotiation is stopped, "
2256 "because there is no suitable ISAKMP-SA.\n");
2257 return -1;
2258 }
2259
2260 #ifdef ENABLE_STATS
2261 gettimeofday(&start, NULL);
2262 #endif
2263 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2264 [iph2->side]
2265 [iph2->status])(iph2, NULL) != 0)
2266 return -1;
2267 #ifdef ENABLE_STATS
2268 gettimeofday(&end, NULL);
2269 syslog(LOG_NOTICE, "%s(%s): %8.6f",
2270 "phase2",
2271 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2272 timedelta(&start, &end));
2273 #endif
2274
2275 return 0;
2276 }
2277
2278 /* called by scheduler */
2279 void
isakmp_chkph1there_stub(p)2280 isakmp_chkph1there_stub(p)
2281 void *p;
2282 {
2283 isakmp_chkph1there((struct ph2handle *)p);
2284 }
2285
2286 void
isakmp_chkph1there(iph2)2287 isakmp_chkph1there(iph2)
2288 struct ph2handle *iph2;
2289 {
2290 struct ph1handle *iph1;
2291
2292 iph2->retry_checkph1--;
2293 if (iph2->retry_checkph1 < 0) {
2294 plog(LLV_ERROR, LOCATION, iph2->dst,
2295 "phase2 negotiation failed "
2296 "due to time up waiting for phase1. %s\n",
2297 sadbsecas2str(iph2->dst, iph2->src,
2298 iph2->satype, 0, 0));
2299 plog(LLV_INFO, LOCATION, NULL,
2300 "delete phase 2 handler.\n");
2301
2302 /* send acquire to kernel as error */
2303 pk_sendeacquire(iph2);
2304
2305 unbindph12(iph2);
2306 remph2(iph2);
2307 delph2(iph2);
2308
2309 return;
2310 }
2311
2312 /*
2313 * Search isakmp status table by address and port
2314 * If NAT-T is in use, consider null ports as a
2315 * wildcard and use IKE ports instead.
2316 */
2317 #ifdef ENABLE_NATT
2318 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
2319 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
2320 if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
2321 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
2322 }
2323 } else {
2324 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
2325 iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2326 if(iph1 != NULL)
2327 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
2328 }
2329 #else
2330 iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2331 #endif
2332
2333 /* XXX Even if ph1 as responder is there, should we not start
2334 * phase 2 negotiation ? */
2335 if (iph1 != NULL
2336 && iph1->status == PHASE1ST_ESTABLISHED) {
2337 /* found isakmp-sa */
2338
2339 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n");
2340 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local));
2341 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote));
2342 plog(LLV_DEBUG2, LOCATION, NULL, "before:\n");
2343 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
2344 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
2345 set_port(iph2->src, extract_port(iph1->local));
2346 set_port(iph2->dst, extract_port(iph1->remote));
2347 plog(LLV_DEBUG2, LOCATION, NULL, "After:\n");
2348 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
2349 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
2350
2351 /* begin quick mode */
2352 (void)isakmp_ph2begin_i(iph1, iph2);
2353 return;
2354 }
2355
2356 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n");
2357
2358 /* no isakmp-sa found */
2359 sched_new(1, isakmp_chkph1there_stub, iph2);
2360
2361 return;
2362 }
2363
2364 /* copy variable data into ALLOCATED buffer. */
2365 caddr_t
isakmp_set_attr_v(buf,type,val,len)2366 isakmp_set_attr_v(buf, type, val, len)
2367 caddr_t buf;
2368 int type;
2369 caddr_t val;
2370 int len;
2371 {
2372 struct isakmp_data *data;
2373
2374 data = (struct isakmp_data *)buf;
2375 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2376 data->lorv = htons((u_int16_t)len);
2377 memcpy(data + 1, val, len);
2378
2379 return buf + sizeof(*data) + len;
2380 }
2381
2382 /* copy fixed length data into ALLOCATED buffer. */
2383 caddr_t
isakmp_set_attr_l(buf,type,val)2384 isakmp_set_attr_l(buf, type, val)
2385 caddr_t buf;
2386 int type;
2387 u_int32_t val;
2388 {
2389 struct isakmp_data *data;
2390
2391 data = (struct isakmp_data *)buf;
2392 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2393 data->lorv = htons((u_int16_t)val);
2394
2395 return buf + sizeof(*data);
2396 }
2397
2398 /* add a variable data attribute to the buffer by reallocating it. */
2399 vchar_t *
isakmp_add_attr_v(buf0,type,val,len)2400 isakmp_add_attr_v(buf0, type, val, len)
2401 vchar_t *buf0;
2402 int type;
2403 caddr_t val;
2404 int len;
2405 {
2406 vchar_t *buf = NULL;
2407 struct isakmp_data *data;
2408 int tlen;
2409 int oldlen = 0;
2410
2411 tlen = sizeof(*data) + len;
2412
2413 if (buf0) {
2414 oldlen = buf0->l;
2415 buf = vrealloc(buf0, oldlen + tlen);
2416 } else
2417 buf = vmalloc(tlen);
2418 if (!buf) {
2419 plog(LLV_ERROR, LOCATION, NULL,
2420 "failed to get a attribute buffer.\n");
2421 return NULL;
2422 }
2423
2424 data = (struct isakmp_data *)(buf->v + oldlen);
2425 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2426 data->lorv = htons((u_int16_t)len);
2427 memcpy(data + 1, val, len);
2428
2429 return buf;
2430 }
2431
2432 /* add a fixed data attribute to the buffer by reallocating it. */
2433 vchar_t *
isakmp_add_attr_l(buf0,type,val)2434 isakmp_add_attr_l(buf0, type, val)
2435 vchar_t *buf0;
2436 int type;
2437 u_int32_t val;
2438 {
2439 vchar_t *buf = NULL;
2440 struct isakmp_data *data;
2441 int tlen;
2442 int oldlen = 0;
2443
2444 tlen = sizeof(*data);
2445
2446 if (buf0) {
2447 oldlen = buf0->l;
2448 buf = vrealloc(buf0, oldlen + tlen);
2449 } else
2450 buf = vmalloc(tlen);
2451 if (!buf) {
2452 plog(LLV_ERROR, LOCATION, NULL,
2453 "failed to get a attribute buffer.\n");
2454 return NULL;
2455 }
2456
2457 data = (struct isakmp_data *)(buf->v + oldlen);
2458 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2459 data->lorv = htons((u_int16_t)val);
2460
2461 return buf;
2462 }
2463
2464 /*
2465 * calculate cookie and set.
2466 */
2467 int
isakmp_newcookie(place,remote,local)2468 isakmp_newcookie(place, remote, local)
2469 caddr_t place;
2470 struct sockaddr *remote;
2471 struct sockaddr *local;
2472 {
2473 vchar_t *buf = NULL, *buf2 = NULL;
2474 char *p;
2475 int blen;
2476 int alen;
2477 caddr_t sa1, sa2;
2478 time_t t;
2479 int error = -1;
2480 u_short port;
2481
2482
2483 if (remote->sa_family != local->sa_family) {
2484 plog(LLV_ERROR, LOCATION, NULL,
2485 "address family mismatch, remote:%d local:%d\n",
2486 remote->sa_family, local->sa_family);
2487 goto end;
2488 }
2489 switch (remote->sa_family) {
2490 case AF_INET:
2491 alen = sizeof(struct in_addr);
2492 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2493 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2494 break;
2495 #ifdef INET6
2496 case AF_INET6:
2497 alen = sizeof(struct in6_addr);
2498 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2499 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2500 break;
2501 #endif
2502 default:
2503 plog(LLV_ERROR, LOCATION, NULL,
2504 "invalid family: %d\n", remote->sa_family);
2505 goto end;
2506 }
2507 blen = (alen + sizeof(u_short)) * 2
2508 + sizeof(time_t) + lcconf->secret_size;
2509 buf = vmalloc(blen);
2510 if (buf == NULL) {
2511 plog(LLV_ERROR, LOCATION, NULL,
2512 "failed to get a cookie.\n");
2513 goto end;
2514 }
2515 p = buf->v;
2516
2517 /* copy my address */
2518 memcpy(p, sa1, alen);
2519 p += alen;
2520 port = ((struct sockaddr_in *)remote)->sin_port;
2521 memcpy(p, &port, sizeof(u_short));
2522 p += sizeof(u_short);
2523
2524 /* copy target address */
2525 memcpy(p, sa2, alen);
2526 p += alen;
2527 port = ((struct sockaddr_in *)local)->sin_port;
2528 memcpy(p, &port, sizeof(u_short));
2529 p += sizeof(u_short);
2530
2531 /* copy time */
2532 t = time(0);
2533 memcpy(p, (caddr_t)&t, sizeof(t));
2534 p += sizeof(t);
2535
2536 /* copy random value */
2537 buf2 = eay_set_random(lcconf->secret_size);
2538 if (buf2 == NULL)
2539 goto end;
2540 memcpy(p, buf2->v, lcconf->secret_size);
2541 p += lcconf->secret_size;
2542 vfree(buf2);
2543
2544 buf2 = eay_sha1_one(buf);
2545 memcpy(place, buf2->v, sizeof(cookie_t));
2546
2547 sa1 = val2str(place, sizeof (cookie_t));
2548 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2549 racoon_free(sa1);
2550
2551 error = 0;
2552 end:
2553 if (buf != NULL)
2554 vfree(buf);
2555 if (buf2 != NULL)
2556 vfree(buf2);
2557 return error;
2558 }
2559
2560 /*
2561 * save partner's(payload) data into phhandle.
2562 */
2563 int
isakmp_p2ph(buf,gen)2564 isakmp_p2ph(buf, gen)
2565 vchar_t **buf;
2566 struct isakmp_gen *gen;
2567 {
2568 /* XXX to be checked in each functions for logging. */
2569 if (*buf) {
2570 plog(LLV_WARNING, LOCATION, NULL,
2571 "ignore this payload, same payload type exist.\n");
2572 return -1;
2573 }
2574
2575 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
2576 if (*buf == NULL) {
2577 plog(LLV_ERROR, LOCATION, NULL,
2578 "failed to get buffer.\n");
2579 return -1;
2580 }
2581 memcpy((*buf)->v, gen + 1, (*buf)->l);
2582
2583 return 0;
2584 }
2585
2586 u_int32_t
isakmp_newmsgid2(iph1)2587 isakmp_newmsgid2(iph1)
2588 struct ph1handle *iph1;
2589 {
2590 u_int32_t msgid2;
2591
2592 do {
2593 msgid2 = eay_random();
2594 } while (getph2bymsgid(iph1, msgid2));
2595
2596 return msgid2;
2597 }
2598
2599 /*
2600 * set values into allocated buffer of isakmp header for phase 1
2601 */
2602 static caddr_t
set_isakmp_header(vbuf,iph1,nptype,etype,flags,msgid)2603 set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid)
2604 vchar_t *vbuf;
2605 struct ph1handle *iph1;
2606 int nptype;
2607 u_int8_t etype;
2608 u_int8_t flags;
2609 u_int32_t msgid;
2610 {
2611 struct isakmp *isakmp;
2612
2613 if (vbuf->l < sizeof(*isakmp))
2614 return NULL;
2615
2616 isakmp = (struct isakmp *)vbuf->v;
2617
2618 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2619 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2620 isakmp->np = nptype;
2621 isakmp->v = iph1->version;
2622 isakmp->etype = etype;
2623 isakmp->flags = flags;
2624 isakmp->msgid = msgid;
2625 isakmp->len = htonl(vbuf->l);
2626
2627 return vbuf->v + sizeof(*isakmp);
2628 }
2629
2630 /*
2631 * set values into allocated buffer of isakmp header for phase 1
2632 */
2633 caddr_t
set_isakmp_header1(vbuf,iph1,nptype)2634 set_isakmp_header1(vbuf, iph1, nptype)
2635 vchar_t *vbuf;
2636 struct ph1handle *iph1;
2637 int nptype;
2638 {
2639 return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
2640 }
2641
2642 /*
2643 * set values into allocated buffer of isakmp header for phase 2
2644 */
2645 caddr_t
set_isakmp_header2(vbuf,iph2,nptype)2646 set_isakmp_header2(vbuf, iph2, nptype)
2647 vchar_t *vbuf;
2648 struct ph2handle *iph2;
2649 int nptype;
2650 {
2651 return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
2652 }
2653
2654 /*
2655 * set values into allocated buffer of isakmp payload.
2656 */
2657 caddr_t
set_isakmp_payload(buf,src,nptype)2658 set_isakmp_payload(buf, src, nptype)
2659 caddr_t buf;
2660 vchar_t *src;
2661 int nptype;
2662 {
2663 struct isakmp_gen *gen;
2664 caddr_t p = buf;
2665
2666 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n",
2667 src->l, nptype);
2668
2669 gen = (struct isakmp_gen *)p;
2670 gen->np = nptype;
2671 gen->len = htons(sizeof(*gen) + src->l);
2672 p += sizeof(*gen);
2673 memcpy(p, src->v, src->l);
2674 p += src->l;
2675
2676 return p;
2677 }
2678
2679 static int
etypesw1(etype)2680 etypesw1(etype)
2681 int etype;
2682 {
2683 switch (etype) {
2684 case ISAKMP_ETYPE_IDENT:
2685 return 1;
2686 case ISAKMP_ETYPE_AGG:
2687 return 2;
2688 case ISAKMP_ETYPE_BASE:
2689 return 3;
2690 default:
2691 return 0;
2692 }
2693 /*NOTREACHED*/
2694 }
2695
2696 static int
etypesw2(etype)2697 etypesw2(etype)
2698 int etype;
2699 {
2700 switch (etype) {
2701 case ISAKMP_ETYPE_QUICK:
2702 return 1;
2703 default:
2704 return 0;
2705 }
2706 /*NOTREACHED*/
2707 }
2708
2709 #ifdef HAVE_PRINT_ISAKMP_C
2710 /* for print-isakmp.c */
2711 char *snapend;
2712 extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2713
2714 char *getname __P((const u_char *));
2715 #ifdef INET6
2716 char *getname6 __P((const u_char *));
2717 #endif
2718 int safeputchar __P((int));
2719
2720 /*
2721 * Return a name for the IP address pointed to by ap. This address
2722 * is assumed to be in network byte order.
2723 */
2724 char *
getname(ap)2725 getname(ap)
2726 const u_char *ap;
2727 {
2728 struct sockaddr_in addr;
2729 static char ntop_buf[NI_MAXHOST];
2730
2731 memset(&addr, 0, sizeof(addr));
2732 #ifndef __linux__
2733 addr.sin_len = sizeof(struct sockaddr_in);
2734 #endif
2735 addr.sin_family = AF_INET;
2736 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2737 if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
2738 ntop_buf, sizeof(ntop_buf), NULL, 0,
2739 NI_NUMERICHOST | niflags))
2740 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2741
2742 return ntop_buf;
2743 }
2744
2745 #ifdef INET6
2746 /*
2747 * Return a name for the IP6 address pointed to by ap. This address
2748 * is assumed to be in network byte order.
2749 */
2750 char *
getname6(ap)2751 getname6(ap)
2752 const u_char *ap;
2753 {
2754 struct sockaddr_in6 addr;
2755 static char ntop_buf[NI_MAXHOST];
2756
2757 memset(&addr, 0, sizeof(addr));
2758 addr.sin6_len = sizeof(struct sockaddr_in6);
2759 addr.sin6_family = AF_INET6;
2760 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2761 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2762 ntop_buf, sizeof(ntop_buf), NULL, 0,
2763 NI_NUMERICHOST | niflags))
2764 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2765
2766 return ntop_buf;
2767 }
2768 #endif /* INET6 */
2769
2770 int
safeputchar(c)2771 safeputchar(c)
2772 int c;
2773 {
2774 unsigned char ch;
2775
2776 ch = (unsigned char)(c & 0xff);
2777 if (c < 0x80 && isprint(c))
2778 return printf("%c", c & 0xff);
2779 else
2780 return printf("\\%03o", c & 0xff);
2781 }
2782
2783 void
isakmp_printpacket(msg,from,my,decoded)2784 isakmp_printpacket(msg, from, my, decoded)
2785 vchar_t *msg;
2786 struct sockaddr *from;
2787 struct sockaddr *my;
2788 int decoded;
2789 {
2790 #ifdef YIPS_DEBUG
2791 struct timeval tv;
2792 int s;
2793 char hostbuf[NI_MAXHOST];
2794 char portbuf[NI_MAXSERV];
2795 struct isakmp *isakmp;
2796 vchar_t *buf;
2797 #endif
2798
2799 if (loglevel < LLV_DEBUG)
2800 return;
2801
2802 #ifdef YIPS_DEBUG
2803 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2804
2805 gettimeofday(&tv, NULL);
2806 s = tv.tv_sec % 3600;
2807 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2808
2809 if (from) {
2810 if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
2811 portbuf, sizeof(portbuf),
2812 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2813 strlcpy(hostbuf, "?", sizeof(hostbuf));
2814 strlcpy(portbuf, "?", sizeof(portbuf));
2815 }
2816 printf("%s:%s", hostbuf, portbuf);
2817 } else
2818 printf("?");
2819 printf(" -> ");
2820 if (my) {
2821 if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
2822 portbuf, sizeof(portbuf),
2823 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2824 strlcpy(hostbuf, "?", sizeof(hostbuf));
2825 strlcpy(portbuf, "?", sizeof(portbuf));
2826 }
2827 printf("%s:%s", hostbuf, portbuf);
2828 } else
2829 printf("?");
2830 printf(": ");
2831
2832 buf = vdup(msg);
2833 if (!buf) {
2834 printf("(malloc fail)\n");
2835 return;
2836 }
2837 if (decoded) {
2838 isakmp = (struct isakmp *)buf->v;
2839 if (isakmp->flags & ISAKMP_FLAG_E) {
2840 #if 0
2841 int pad;
2842 pad = *(u_char *)(buf->v + buf->l - 1);
2843 if (buf->l < pad && 2 < vflag)
2844 printf("(wrong padding)");
2845 #endif
2846 isakmp->flags &= ~ISAKMP_FLAG_E;
2847 }
2848 }
2849
2850 snapend = buf->v + buf->l;
2851 isakmp_print(buf->v, buf->l, NULL);
2852 vfree(buf);
2853 printf("\n");
2854 fflush(stdout);
2855
2856 return;
2857 #endif
2858 }
2859 #endif /*HAVE_PRINT_ISAKMP_C*/
2860
2861 int
copy_ph1addresses(iph1,rmconf,remote,local)2862 copy_ph1addresses(iph1, rmconf, remote, local)
2863 struct ph1handle *iph1;
2864 struct remoteconf *rmconf;
2865 struct sockaddr *remote, *local;
2866 {
2867 u_int16_t port;
2868
2869 /* address portion must be grabbed from real remote address "remote" */
2870 iph1->remote = dupsaddr(remote);
2871 if (iph1->remote == NULL)
2872 return -1;
2873
2874 /*
2875 * if remote has no port # (in case of initiator - from ACQUIRE msg)
2876 * - if remote.conf specifies port #, use that
2877 * - if remote.conf does not, use 500
2878 * if remote has port # (in case of responder - from recvfrom(2))
2879 * respect content of "remote".
2880 */
2881 if (extract_port(iph1->remote) == 0) {
2882 port = extract_port(rmconf->remote);
2883 if (port == 0)
2884 port = PORT_ISAKMP;
2885 set_port(iph1->remote, port);
2886 }
2887
2888 if (local == NULL)
2889 iph1->local = getlocaladdr(iph1->remote);
2890 else
2891 iph1->local = dupsaddr(local);
2892 if (iph1->local == NULL)
2893 return -1;
2894
2895 if (extract_port(iph1->local) == 0)
2896 set_port(iph1->local, PORT_ISAKMP);
2897
2898 #ifdef ENABLE_NATT
2899 if (extract_port(iph1->local) == lcconf->port_isakmp_natt) {
2900 plog(LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n");
2901 iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
2902 }
2903 #endif
2904
2905 return 0;
2906 }
2907
2908 static int
nostate1(iph1,msg)2909 nostate1(iph1, msg)
2910 struct ph1handle *iph1;
2911 vchar_t *msg;
2912 {
2913 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2914 iph1->status);
2915 return -1;
2916 }
2917
2918 static int
nostate2(iph2,msg)2919 nostate2(iph2, msg)
2920 struct ph2handle *iph2;
2921 vchar_t *msg;
2922 {
2923 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2924 iph2->status);
2925 return -1;
2926 }
2927
2928 void
log_ph1established(iph1)2929 log_ph1established(iph1)
2930 const struct ph1handle *iph1;
2931 {
2932 char *src, *dst;
2933
2934 src = racoon_strdup(saddr2str(iph1->local));
2935 dst = racoon_strdup(saddr2str(iph1->remote));
2936 STRDUP_FATAL(src);
2937 STRDUP_FATAL(dst);
2938
2939 plog(LLV_INFO, LOCATION, NULL,
2940 "ISAKMP-SA established %s-%s spi:%s\n",
2941 src, dst,
2942 isakmp_pindex(&iph1->index, 0));
2943
2944 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL);
2945 if(!iph1->rmconf->mode_cfg) {
2946 EVT_PUSH(iph1->local, iph1->remote, EVTT_NO_ISAKMP_CFG, NULL);
2947 }
2948
2949 racoon_free(src);
2950 racoon_free(dst);
2951
2952 return;
2953 }
2954
2955 struct payload_list *
isakmp_plist_append(struct payload_list * plist,vchar_t * payload,int payload_type)2956 isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_type)
2957 {
2958 if (! plist) {
2959 plist = racoon_malloc (sizeof (struct payload_list));
2960 plist->prev = NULL;
2961 }
2962 else {
2963 plist->next = racoon_malloc (sizeof (struct payload_list));
2964 plist->next->prev = plist;
2965 plist = plist->next;
2966 }
2967
2968 plist->next = NULL;
2969 plist->payload = payload;
2970 plist->payload_type = payload_type;
2971
2972 return plist;
2973 }
2974
2975 vchar_t *
isakmp_plist_set_all(struct payload_list ** plist,struct ph1handle * iph1)2976 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
2977 {
2978 struct payload_list *ptr = *plist, *first;
2979 size_t tlen = sizeof (struct isakmp), n = 0;
2980 vchar_t *buf = NULL;
2981 char *p;
2982
2983 /* Seek to the first item. */
2984 while (ptr->prev) ptr = ptr->prev;
2985 first = ptr;
2986
2987 /* Compute the whole length. */
2988 while (ptr) {
2989 tlen += ptr->payload->l + sizeof (struct isakmp_gen);
2990 ptr = ptr->next;
2991 }
2992
2993 buf = vmalloc(tlen);
2994 if (buf == NULL) {
2995 plog(LLV_ERROR, LOCATION, NULL,
2996 "failed to get buffer to send.\n");
2997 goto end;
2998 }
2999
3000 ptr = first;
3001
3002 p = set_isakmp_header1(buf, iph1, ptr->payload_type);
3003 if (p == NULL)
3004 goto end;
3005
3006 while (ptr)
3007 {
3008 p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
3009 first = ptr;
3010 ptr = ptr->next;
3011 racoon_free (first);
3012 /* ptr->prev = NULL; first = NULL; ... omitted. */
3013 n++;
3014 }
3015
3016 *plist = NULL;
3017
3018 return buf;
3019 end:
3020 if (buf != NULL)
3021 vfree(buf);
3022 return NULL;
3023 }
3024
3025 #ifdef ENABLE_FRAG
3026 int
frag_handler(iph1,msg,remote,local)3027 frag_handler(iph1, msg, remote, local)
3028 struct ph1handle *iph1;
3029 vchar_t *msg;
3030 struct sockaddr *remote;
3031 struct sockaddr *local;
3032 {
3033 vchar_t *newmsg;
3034
3035 if (isakmp_frag_extract(iph1, msg) == 1) {
3036 if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
3037 plog(LLV_ERROR, LOCATION, remote,
3038 "Packet reassembly failed\n");
3039 return -1;
3040 }
3041 return isakmp_main(newmsg, remote, local);
3042 }
3043
3044 return 0;
3045 }
3046 #endif
3047
3048 void
script_hook(iph1,script)3049 script_hook(iph1, script)
3050 struct ph1handle *iph1;
3051 int script;
3052 {
3053 #define IP_MAX 40
3054 #define PORT_MAX 6
3055 char addrstr[IP_MAX];
3056 char portstr[PORT_MAX];
3057 char **envp = NULL;
3058 int envc = 1;
3059 struct sockaddr_in *sin;
3060 char **c;
3061
3062 if (iph1 == NULL ||
3063 iph1->rmconf == NULL ||
3064 iph1->rmconf->script[script] == NULL)
3065 return;
3066
3067 #ifdef ENABLE_HYBRID
3068 (void)isakmp_cfg_setenv(iph1, &envp, &envc);
3069 #endif
3070
3071 /* local address */
3072 sin = (struct sockaddr_in *)iph1->local;
3073 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
3074 snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));
3075
3076 if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
3077 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
3078 goto out;
3079 }
3080
3081 if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) {
3082 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n");
3083 goto out;
3084 }
3085
3086 /* Peer address */
3087 if (iph1->remote != NULL) {
3088 sin = (struct sockaddr_in *)iph1->remote;
3089 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
3090 snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));
3091
3092 if (script_env_append(&envp, &envc,
3093 "REMOTE_ADDR", addrstr) != 0) {
3094 plog(LLV_ERROR, LOCATION, NULL,
3095 "Cannot set REMOTE_ADDR\n");
3096 goto out;
3097 }
3098
3099 if (script_env_append(&envp, &envc,
3100 "REMOTE_PORT", portstr) != 0) {
3101 plog(LLV_ERROR, LOCATION, NULL,
3102 "Cannot set REMOTEL_PORT\n");
3103 goto out;
3104 }
3105 }
3106
3107 if (privsep_script_exec(iph1->rmconf->script[script]->v,
3108 script, envp) != 0)
3109 plog(LLV_ERROR, LOCATION, NULL,
3110 "Script %s execution failed\n", script_names[script]);
3111
3112 out:
3113 for (c = envp; *c; c++)
3114 racoon_free(*c);
3115
3116 racoon_free(envp);
3117
3118 return;
3119 }
3120
3121 int
script_env_append(envp,envc,name,value)3122 script_env_append(envp, envc, name, value)
3123 char ***envp;
3124 int *envc;
3125 char *name;
3126 char *value;
3127 {
3128 char *envitem;
3129 char **newenvp;
3130 int newenvc;
3131
3132 if (value == NULL) {
3133 value = "";
3134 }
3135
3136 envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
3137 if (envitem == NULL) {
3138 plog(LLV_ERROR, LOCATION, NULL,
3139 "Cannot allocate memory: %s\n", strerror(errno));
3140 return -1;
3141 }
3142 sprintf(envitem, "%s=%s", name, value);
3143
3144 newenvc = (*envc) + 1;
3145 newenvp = racoon_realloc(*envp, newenvc * sizeof(char *));
3146 if (newenvp == NULL) {
3147 plog(LLV_ERROR, LOCATION, NULL,
3148 "Cannot allocate memory: %s\n", strerror(errno));
3149 racoon_free(envitem);
3150 return -1;
3151 }
3152
3153 newenvp[newenvc - 2] = envitem;
3154 newenvp[newenvc - 1] = NULL;
3155
3156 *envp = newenvp;
3157 *envc = newenvc;
3158 return 0;
3159 }
3160
3161 int
script_exec(script,name,envp)3162 script_exec(script, name, envp)
3163 char *script;
3164 int name;
3165 char *const envp[];
3166 {
3167 char *argv[] = { NULL, NULL, NULL };
3168
3169 argv[0] = script;
3170 argv[1] = script_names[name];
3171 argv[2] = NULL;
3172
3173 switch (fork()) {
3174 case 0:
3175 execve(argv[0], argv, envp);
3176 plog(LLV_ERROR, LOCATION, NULL,
3177 "execve(\"%s\") failed: %s\n",
3178 argv[0], strerror(errno));
3179 _exit(1);
3180 break;
3181 case -1:
3182 plog(LLV_ERROR, LOCATION, NULL,
3183 "Cannot fork: %s\n", strerror(errno));
3184 return -1;
3185 break;
3186 default:
3187 break;
3188 }
3189 return 0;
3190
3191 }
3192
3193 void
purge_remote(iph1)3194 purge_remote(iph1)
3195 struct ph1handle *iph1;
3196 {
3197 vchar_t *buf = NULL;
3198 struct sadb_msg *msg, *next, *end;
3199 struct sadb_sa *sa;
3200 struct sockaddr *src, *dst;
3201 caddr_t mhp[SADB_EXT_MAX + 1];
3202 u_int proto_id;
3203 struct ph2handle *iph2;
3204 struct ph1handle *new_iph1;
3205
3206 plog(LLV_INFO, LOCATION, NULL,
3207 "purging ISAKMP-SA spi=%s.\n",
3208 isakmp_pindex(&(iph1->index), iph1->msgid));
3209
3210 /* Mark as expired. */
3211 iph1->status = PHASE1ST_EXPIRED;
3212
3213 /* Check if we have another, still valid, phase1 SA. */
3214 new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
3215
3216 /*
3217 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
3218 * Keep all others phase2 SAs.
3219 */
3220 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
3221 if (buf == NULL) {
3222 plog(LLV_DEBUG, LOCATION, NULL,
3223 "pfkey_dump_sadb returned nothing.\n");
3224 return;
3225 }
3226
3227 msg = (struct sadb_msg *)buf->v;
3228 end = (struct sadb_msg *)(buf->v + buf->l);
3229
3230 while (msg < end) {
3231 if ((msg->sadb_msg_len << 3) < sizeof(*msg))
3232 break;
3233 next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
3234 if (msg->sadb_msg_type != SADB_DUMP) {
3235 msg = next;
3236 continue;
3237 }
3238
3239 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
3240 plog(LLV_ERROR, LOCATION, NULL,
3241 "pfkey_check (%s)\n", ipsec_strerror());
3242 msg = next;
3243 continue;
3244 }
3245
3246 sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
3247 if (!sa ||
3248 !mhp[SADB_EXT_ADDRESS_SRC] ||
3249 !mhp[SADB_EXT_ADDRESS_DST]) {
3250 msg = next;
3251 continue;
3252 }
3253 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
3254 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
3255
3256 if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
3257 sa->sadb_sa_state != SADB_SASTATE_MATURE &&
3258 sa->sadb_sa_state != SADB_SASTATE_DYING) {
3259 msg = next;
3260 continue;
3261 }
3262
3263 /*
3264 * check in/outbound SAs.
3265 * Select only SAs where src == local and dst == remote (outgoing)
3266 * or src == remote and dst == local (incoming).
3267 */
3268 if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
3269 (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
3270 msg = next;
3271 continue;
3272 }
3273
3274 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
3275 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
3276
3277 /* Check if there is another valid ISAKMP-SA */
3278 if (new_iph1 != NULL) {
3279
3280 if (iph2 == NULL) {
3281 /* No handler... still send a pfkey_delete message, but log this !*/
3282 plog(LLV_INFO, LOCATION, NULL,
3283 "Unknown IPsec-SA spi=%u, hmmmm?\n",
3284 ntohl(sa->sadb_sa_spi));
3285 }else{
3286
3287 /*
3288 * If we have a new ph1, do not purge IPsec-SAs binded
3289 * to a different ISAKMP-SA
3290 */
3291 if (iph2->ph1 != NULL && iph2->ph1 != iph1){
3292 msg = next;
3293 continue;
3294 }
3295
3296 /* If the ph2handle is established, do not purge IPsec-SA */
3297 if (iph2->status == PHASE2ST_ESTABLISHED ||
3298 iph2->status == PHASE2ST_EXPIRED) {
3299
3300 plog(LLV_INFO, LOCATION, NULL,
3301 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
3302 ntohl(sa->sadb_sa_spi),
3303 isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
3304 msg = next;
3305 continue;
3306 }
3307 }
3308 }
3309
3310
3311 pfkey_send_delete(lcconf->sock_pfkey,
3312 msg->sadb_msg_satype,
3313 IPSEC_MODE_ANY,
3314 src, dst, sa->sadb_sa_spi);
3315
3316 /* delete a relative phase 2 handle. */
3317 if (iph2 != NULL) {
3318 delete_spd(iph2, 0);
3319 unbindph12(iph2);
3320 remph2(iph2);
3321 delph2(iph2);
3322 }
3323
3324 plog(LLV_INFO, LOCATION, NULL,
3325 "purged IPsec-SA spi=%u.\n",
3326 ntohl(sa->sadb_sa_spi));
3327
3328 msg = next;
3329 }
3330
3331 if (buf)
3332 vfree(buf);
3333
3334 /* Mark the phase1 handler as EXPIRED */
3335 plog(LLV_INFO, LOCATION, NULL,
3336 "purged ISAKMP-SA spi=%s.\n",
3337 isakmp_pindex(&(iph1->index), iph1->msgid));
3338
3339 SCHED_KILL(iph1->sce);
3340
3341 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
3342 }
3343
3344 void
delete_spd(iph2,created)3345 delete_spd(iph2, created)
3346 struct ph2handle *iph2;
3347 u_int64_t created;
3348 {
3349 struct policyindex spidx;
3350 struct sockaddr_storage addr;
3351 u_int8_t pref;
3352 struct sockaddr *src;
3353 struct sockaddr *dst;
3354 int error;
3355 int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
3356
3357 if (iph2 == NULL)
3358 return;
3359
3360 /* Delete the SPD entry if we generated it
3361 */
3362 if (! iph2->generated_spidx )
3363 return;
3364
3365 src = iph2->src;
3366 dst = iph2->dst;
3367
3368 plog(LLV_INFO, LOCATION, NULL,
3369 "generated policy, deleting it.\n");
3370
3371 memset(&spidx, 0, sizeof(spidx));
3372 iph2->spidx_gen = (caddr_t )&spidx;
3373
3374 /* make inbound policy */
3375 iph2->src = dst;
3376 iph2->dst = src;
3377 spidx.dir = IPSEC_DIR_INBOUND;
3378 spidx.ul_proto = 0;
3379
3380 /*
3381 * Note: code from get_proposal_r
3382 */
3383
3384 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
3385
3386 /*
3387 * make destination address in spidx from either ID payload
3388 * or phase 1 address into a address in spidx.
3389 */
3390 if (iph2->id != NULL
3391 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3392 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
3393 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3394 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3395 /* get a destination address of a policy */
3396 error = ipsecdoi_id2sockaddr(iph2->id,
3397 (struct sockaddr *)&spidx.dst,
3398 &spidx.prefd, &spidx.ul_proto);
3399 if (error)
3400 goto purge;
3401
3402 #ifdef INET6
3403 /*
3404 * get scopeid from the SA address.
3405 * note that the phase 1 source address is used as
3406 * a destination address to search for a inbound
3407 * policy entry because rcoon is responder.
3408 */
3409 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
3410 if ((error =
3411 setscopeid((struct sockaddr *)&spidx.dst,
3412 iph2->src)) != 0)
3413 goto purge;
3414 }
3415 #endif
3416
3417 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3418 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
3419 idi2type = _XIDT(iph2->id);
3420
3421 } else {
3422
3423 plog(LLV_DEBUG, LOCATION, NULL,
3424 "get a destination address of SP index "
3425 "from phase1 address "
3426 "due to no ID payloads found "
3427 "OR because ID type is not address.\n");
3428
3429 /*
3430 * copy the SOURCE address of IKE into the
3431 * DESTINATION address of the key to search the
3432 * SPD because the direction of policy is inbound.
3433 */
3434 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
3435 switch (spidx.dst.ss_family) {
3436 case AF_INET:
3437 spidx.prefd =
3438 sizeof(struct in_addr) << 3;
3439 break;
3440 #ifdef INET6
3441 case AF_INET6:
3442 spidx.prefd =
3443 sizeof(struct in6_addr) << 3;
3444 break;
3445 #endif
3446 default:
3447 spidx.prefd = 0;
3448 break;
3449 }
3450 }
3451
3452 /* make source address in spidx */
3453 if (iph2->id_p != NULL
3454 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
3455 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
3456 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3457 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3458 /* get a source address of inbound SA */
3459 error = ipsecdoi_id2sockaddr(iph2->id_p,
3460 (struct sockaddr *)&spidx.src,
3461 &spidx.prefs, &spidx.ul_proto);
3462 if (error)
3463 goto purge;
3464
3465 #ifdef INET6
3466 /*
3467 * get scopeid from the SA address.
3468 * for more detail, see above of this function.
3469 */
3470 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
3471 error =
3472 setscopeid((struct sockaddr *)&spidx.src,
3473 iph2->dst);
3474 if (error)
3475 goto purge;
3476 }
3477 #endif
3478
3479 /* make id[src,dst] if both ID types are IP address and same */
3480 if (_XIDT(iph2->id_p) == idi2type
3481 && spidx.dst.ss_family == spidx.src.ss_family) {
3482 iph2->src_id =
3483 dupsaddr((struct sockaddr *)&spidx.dst);
3484 if (iph2->src_id == NULL) {
3485 plog(LLV_ERROR, LOCATION, NULL,
3486 "allocation failed\n");
3487 goto purge;
3488 }
3489 iph2->dst_id =
3490 dupsaddr((struct sockaddr *)&spidx.src);
3491 if (iph2->dst_id == NULL) {
3492 plog(LLV_ERROR, LOCATION, NULL,
3493 "allocation failed\n");
3494 goto purge;
3495 }
3496 }
3497
3498 } else {
3499 plog(LLV_DEBUG, LOCATION, NULL,
3500 "get a source address of SP index "
3501 "from phase1 address "
3502 "due to no ID payloads found "
3503 "OR because ID type is not address.\n");
3504
3505 /* see above comment. */
3506 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
3507 switch (spidx.src.ss_family) {
3508 case AF_INET:
3509 spidx.prefs =
3510 sizeof(struct in_addr) << 3;
3511 break;
3512 #ifdef INET6
3513 case AF_INET6:
3514 spidx.prefs =
3515 sizeof(struct in6_addr) << 3;
3516 break;
3517 #endif
3518 default:
3519 spidx.prefs = 0;
3520 break;
3521 }
3522 }
3523
3524 #undef _XIDT
3525
3526 plog(LLV_DEBUG, LOCATION, NULL,
3527 "get a src address from ID payload "
3528 "%s prefixlen=%u ul_proto=%u\n",
3529 saddr2str((struct sockaddr *)&spidx.src),
3530 spidx.prefs, spidx.ul_proto);
3531 plog(LLV_DEBUG, LOCATION, NULL,
3532 "get dst address from ID payload "
3533 "%s prefixlen=%u ul_proto=%u\n",
3534 saddr2str((struct sockaddr *)&spidx.dst),
3535 spidx.prefd, spidx.ul_proto);
3536
3537 /*
3538 * convert the ul_proto if it is 0
3539 * because 0 in ID payload means a wild card.
3540 */
3541 if (spidx.ul_proto == 0)
3542 spidx.ul_proto = IPSEC_ULPROTO_ANY;
3543
3544 #undef _XIDT
3545
3546 /* Check if the generated SPD has the same timestamp as the SA.
3547 * If timestamps are different, this means that the SPD entry has been
3548 * refreshed by another SA, and should NOT be deleted with the current SA.
3549 */
3550 if( created ){
3551 struct secpolicy *p;
3552
3553 p = getsp(&spidx);
3554 if(p != NULL){
3555 /* just do no test if p is NULL, because this probably just means
3556 * that the policy has already be deleted for some reason.
3557 */
3558 if(p->spidx.created != created)
3559 goto purge;
3560 }
3561 }
3562
3563 /* End of code from get_proposal_r
3564 */
3565
3566 if (pk_sendspddelete(iph2) < 0) {
3567 plog(LLV_ERROR, LOCATION, NULL,
3568 "pfkey spddelete(inbound) failed.\n");
3569 }else{
3570 plog(LLV_DEBUG, LOCATION, NULL,
3571 "pfkey spddelete(inbound) sent.\n");
3572 }
3573
3574 #ifdef HAVE_POLICY_FWD
3575 /* make forward policy if required */
3576 if (tunnel_mode_prop(iph2->approval)) {
3577 spidx.dir = IPSEC_DIR_FWD;
3578 if (pk_sendspddelete(iph2) < 0) {
3579 plog(LLV_ERROR, LOCATION, NULL,
3580 "pfkey spddelete(forward) failed.\n");
3581 }else{
3582 plog(LLV_DEBUG, LOCATION, NULL,
3583 "pfkey spddelete(forward) sent.\n");
3584 }
3585 }
3586 #endif
3587
3588 /* make outbound policy */
3589 iph2->src = src;
3590 iph2->dst = dst;
3591 spidx.dir = IPSEC_DIR_OUTBOUND;
3592 addr = spidx.src;
3593 spidx.src = spidx.dst;
3594 spidx.dst = addr;
3595 pref = spidx.prefs;
3596 spidx.prefs = spidx.prefd;
3597 spidx.prefd = pref;
3598
3599 if (pk_sendspddelete(iph2) < 0) {
3600 plog(LLV_ERROR, LOCATION, NULL,
3601 "pfkey spddelete(outbound) failed.\n");
3602 }else{
3603 plog(LLV_DEBUG, LOCATION, NULL,
3604 "pfkey spddelete(outbound) sent.\n");
3605 }
3606 purge:
3607 iph2->spidx_gen=NULL;
3608 }
3609
3610
3611 #ifdef INET6
3612 u_int32_t
setscopeid(sp_addr0,sa_addr0)3613 setscopeid(sp_addr0, sa_addr0)
3614 struct sockaddr *sp_addr0, *sa_addr0;
3615 {
3616 struct sockaddr_in6 *sp_addr, *sa_addr;
3617
3618 sp_addr = (struct sockaddr_in6 *)sp_addr0;
3619 sa_addr = (struct sockaddr_in6 *)sa_addr0;
3620
3621 if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
3622 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
3623 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
3624 return 0;
3625
3626 /* this check should not be here ? */
3627 if (sa_addr->sin6_family != AF_INET6) {
3628 plog(LLV_ERROR, LOCATION, NULL,
3629 "can't get scope ID: family mismatch\n");
3630 return -1;
3631 }
3632
3633 if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
3634 plog(LLV_ERROR, LOCATION, NULL,
3635 "scope ID is not supported except of lladdr.\n");
3636 return -1;
3637 }
3638
3639 sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;
3640
3641 return 0;
3642 }
3643 #endif
3644