1 /* $NetBSD: isakmp_quick.c,v 1.11.4.1 2007/08/01 11:52:21 vanhu Exp $ */
2
3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39
40 #include <netinet/in.h>
41
42 #include <stdlib.h>
43 #include <stdio.h>
44 #include <string.h>
45 #include <errno.h>
46 #if TIME_WITH_SYS_TIME
47 # include <sys/time.h>
48 # include <time.h>
49 #else
50 # if HAVE_SYS_TIME_H
51 # include <sys/time.h>
52 # else
53 # include <time.h>
54 # endif
55 #endif
56 #ifdef ENABLE_HYBRID
57 #include <resolv.h>
58 #endif
59
60 #include PATH_IPSEC_H
61
62 #include "var.h"
63 #include "vmbuf.h"
64 #include "schedule.h"
65 #include "misc.h"
66 #include "plog.h"
67 #include "debug.h"
68
69 #include "localconf.h"
70 #include "remoteconf.h"
71 #include "handler.h"
72 #include "policy.h"
73 #include "proposal.h"
74 #include "isakmp_var.h"
75 #include "isakmp.h"
76 #include "isakmp_inf.h"
77 #include "isakmp_quick.h"
78 #include "oakley.h"
79 #include "ipsec_doi.h"
80 #include "crypto_openssl.h"
81 #include "pfkey.h"
82 #include "policy.h"
83 #include "algorithm.h"
84 #include "sockmisc.h"
85 #include "proposal.h"
86 #include "sainfo.h"
87 #include "admin.h"
88 #include "strnames.h"
89
90 /* quick mode */
91 static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
92 static int get_sainfo_r __P((struct ph2handle *));
93 static int get_proposal_r __P((struct ph2handle *));
94
95 /* �%%%
96 * Quick Mode
97 */
98 /*
99 * begin Quick Mode as initiator. send pfkey getspi message to kernel.
100 */
101 int
quick_i1prep(iph2,msg)102 quick_i1prep(iph2, msg)
103 struct ph2handle *iph2;
104 vchar_t *msg; /* must be null pointer */
105 {
106 int error = ISAKMP_INTERNAL_ERROR;
107
108 /* validity check */
109 if (iph2->status != PHASE2ST_STATUS2) {
110 plog(LLV_ERROR, LOCATION, NULL,
111 "status mismatched %d.\n", iph2->status);
112 goto end;
113 }
114
115 iph2->msgid = isakmp_newmsgid2(iph2->ph1);
116 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
117 if (iph2->ivm == NULL)
118 return 0;
119
120 iph2->status = PHASE2ST_GETSPISENT;
121
122 /* don't anything if local test mode. */
123 if (f_local) {
124 error = 0;
125 goto end;
126 }
127
128 /* send getspi message */
129 if (pk_sendgetspi(iph2) < 0)
130 goto end;
131
132 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
133
134 iph2->sce = sched_new(lcconf->wait_ph2complete,
135 pfkey_timeover_stub, iph2);
136
137 error = 0;
138
139 end:
140 return error;
141 }
142
143 /*
144 * send to responder
145 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ]
146 */
147 int
quick_i1send(iph2,msg)148 quick_i1send(iph2, msg)
149 struct ph2handle *iph2;
150 vchar_t *msg; /* must be null pointer */
151 {
152 vchar_t *body = NULL;
153 vchar_t *hash = NULL;
154 struct isakmp_gen *gen;
155 char *p;
156 int tlen;
157 int error = ISAKMP_INTERNAL_ERROR;
158 int pfsgroup, idci, idcr;
159 int np;
160 struct ipsecdoi_id_b *id, *id_p;
161
162 /* validity check */
163 if (msg != NULL) {
164 plog(LLV_ERROR, LOCATION, NULL,
165 "msg has to be NULL in this function.\n");
166 goto end;
167 }
168 if (iph2->status != PHASE2ST_GETSPIDONE) {
169 plog(LLV_ERROR, LOCATION, NULL,
170 "status mismatched %d.\n", iph2->status);
171 goto end;
172 }
173
174 /* create SA payload for my proposal */
175 if (ipsecdoi_setph2proposal(iph2) < 0)
176 goto end;
177
178 /* generate NONCE value */
179 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
180 if (iph2->nonce == NULL)
181 goto end;
182
183 /*
184 * DH value calculation is kicked out into cfparse.y.
185 * because pfs group can not be negotiated, it's only to be checked
186 * acceptable.
187 */
188 /* generate KE value if need */
189 pfsgroup = iph2->proposal->pfs_group;
190 if (pfsgroup) {
191 /* DH group settting if PFS is required. */
192 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
193 plog(LLV_ERROR, LOCATION, NULL,
194 "failed to set DH value.\n");
195 goto end;
196 }
197 if (oakley_dh_generate(iph2->pfsgrp,
198 &iph2->dhpub, &iph2->dhpriv) < 0) {
199 goto end;
200 }
201 }
202
203 /* generate ID value */
204 if (ipsecdoi_setid2(iph2) < 0) {
205 plog(LLV_ERROR, LOCATION, NULL,
206 "failed to get ID.\n");
207 goto end;
208 }
209 plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n");
210 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
211 plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n");
212 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
213
214 /*
215 * we do not attach IDci nor IDcr, under the following condition:
216 * - all proposals are transport mode
217 * - no MIP6 or proxy
218 * - id payload suggests to encrypt all the traffic (no specific
219 * protocol type)
220 */
221 id = (struct ipsecdoi_id_b *)iph2->id->v;
222 id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
223 if (id->proto_id == 0
224 && id_p->proto_id == 0
225 && iph2->ph1->rmconf->support_proxy == 0
226 && ipsecdoi_transportmode(iph2->proposal)) {
227 idci = idcr = 0;
228 } else
229 idci = idcr = 1;
230
231 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
232 tlen = + sizeof(*gen) + iph2->sa->l
233 + sizeof(*gen) + iph2->nonce->l;
234 if (pfsgroup)
235 tlen += (sizeof(*gen) + iph2->dhpub->l);
236 if (idci)
237 tlen += sizeof(*gen) + iph2->id->l;
238 if (idcr)
239 tlen += sizeof(*gen) + iph2->id_p->l;
240
241 body = vmalloc(tlen);
242 if (body == NULL) {
243 plog(LLV_ERROR, LOCATION, NULL,
244 "failed to get buffer to send.\n");
245 goto end;
246 }
247
248 p = body->v;
249
250 /* add SA payload */
251 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);
252
253 /* add NONCE payload */
254 if (pfsgroup)
255 np = ISAKMP_NPTYPE_KE;
256 else if (idci || idcr)
257 np = ISAKMP_NPTYPE_ID;
258 else
259 np = ISAKMP_NPTYPE_NONE;
260 p = set_isakmp_payload(p, iph2->nonce, np);
261
262 /* add KE payload if need. */
263 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : ISAKMP_NPTYPE_NONE;
264 if (pfsgroup)
265 p = set_isakmp_payload(p, iph2->dhpub, np);
266
267 /* IDci */
268 np = (idcr) ? ISAKMP_NPTYPE_ID : ISAKMP_NPTYPE_NONE;
269 if (idci)
270 p = set_isakmp_payload(p, iph2->id, np);
271
272 /* IDcr */
273 if (idcr)
274 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_NONE);
275
276 /* generate HASH(1) */
277 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
278 if (hash == NULL)
279 goto end;
280
281 /* send isakmp payload */
282 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
283 if (iph2->sendbuf == NULL)
284 goto end;
285
286 /* send the packet, add to the schedule to resend */
287 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
288 if (isakmp_ph2resend(iph2) == -1)
289 goto end;
290
291 /* change status of isakmp status entry */
292 iph2->status = PHASE2ST_MSG1SENT;
293
294 error = 0;
295
296 end:
297 if (body != NULL)
298 vfree(body);
299 if (hash != NULL)
300 vfree(hash);
301
302 return error;
303 }
304
305 /*
306 * receive from responder
307 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ]
308 */
309 int
quick_i2recv(iph2,msg0)310 quick_i2recv(iph2, msg0)
311 struct ph2handle *iph2;
312 vchar_t *msg0;
313 {
314 vchar_t *msg = NULL;
315 vchar_t *hbuf = NULL; /* for hash computing. */
316 vchar_t *pbuf = NULL; /* for payload parsing */
317 struct isakmp_parse_t *pa;
318 struct isakmp *isakmp = (struct isakmp *)msg0->v;
319 struct isakmp_pl_hash *hash = NULL;
320 int f_id;
321 char *p;
322 int tlen;
323 int error = ISAKMP_INTERNAL_ERROR;
324
325 /* validity check */
326 if (iph2->status != PHASE2ST_MSG1SENT) {
327 plog(LLV_ERROR, LOCATION, NULL,
328 "status mismatched %d.\n", iph2->status);
329 goto end;
330 }
331
332 /* decrypt packet */
333 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
334 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
335 "Packet wasn't encrypted.\n");
336 goto end;
337 }
338 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
339 if (msg == NULL)
340 goto end;
341
342 /* create buffer for validating HASH(2) */
343 /*
344 * ordering rule:
345 * 1. the first one must be HASH
346 * 2. the second one must be SA (added in isakmp-oakley-05!)
347 * 3. two IDs must be considered as IDci, then IDcr
348 */
349 pbuf = isakmp_parse(msg);
350 if (pbuf == NULL)
351 goto end;
352 pa = (struct isakmp_parse_t *)pbuf->v;
353
354 /* HASH payload is fixed postion */
355 if (pa->type != ISAKMP_NPTYPE_HASH) {
356 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
357 "received invalid next payload type %d, "
358 "expecting %d.\n",
359 pa->type, ISAKMP_NPTYPE_HASH);
360 goto end;
361 }
362 hash = (struct isakmp_pl_hash *)pa->ptr;
363 pa++;
364
365 /*
366 * this restriction was introduced in isakmp-oakley-05.
367 * we do not check this for backward compatibility.
368 * TODO: command line/config file option to enable/disable this code
369 */
370 /* HASH payload is fixed postion */
371 if (pa->type != ISAKMP_NPTYPE_SA) {
372 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
373 "received invalid next payload type %d, "
374 "expecting %d.\n",
375 pa->type, ISAKMP_NPTYPE_HASH);
376 }
377
378 /* allocate buffer for computing HASH(2) */
379 tlen = iph2->nonce->l
380 + ntohl(isakmp->len) - sizeof(*isakmp);
381 hbuf = vmalloc(tlen);
382 if (hbuf == NULL) {
383 plog(LLV_ERROR, LOCATION, NULL,
384 "failed to get hash buffer.\n");
385 goto end;
386 }
387 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */
388
389 /*
390 * parse the payloads.
391 * copy non-HASH payloads into hbuf, so that we can validate HASH.
392 */
393 iph2->sa_ret = NULL;
394 f_id = 0; /* flag to use checking ID */
395 tlen = 0; /* count payload length except of HASH payload. */
396 for (; pa->type; pa++) {
397
398 /* copy to buffer for HASH */
399 /* Don't modify the payload */
400 memcpy(p, pa->ptr, pa->len);
401
402 switch (pa->type) {
403 case ISAKMP_NPTYPE_SA:
404 if (iph2->sa_ret != NULL) {
405 plog(LLV_ERROR, LOCATION, NULL,
406 "Ignored, multiple SA "
407 "isn't supported.\n");
408 break;
409 }
410 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
411 goto end;
412 break;
413
414 case ISAKMP_NPTYPE_NONCE:
415 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
416 goto end;
417 break;
418
419 case ISAKMP_NPTYPE_KE:
420 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
421 goto end;
422 break;
423
424 case ISAKMP_NPTYPE_ID:
425 {
426 vchar_t *vp;
427
428 /* check ID value */
429 if (f_id == 0) {
430 /* for IDci */
431 f_id = 1;
432 vp = iph2->id;
433 } else {
434 /* for IDcr */
435 vp = iph2->id_p;
436 }
437
438 #ifndef ANDROID_PATCHED
439 if (memcmp(vp->v, (caddr_t)pa->ptr + sizeof(struct isakmp_gen), vp->l)) {
440
441 plog(LLV_ERROR, LOCATION, NULL,
442 "mismatched ID was returned.\n");
443 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
444 goto end;
445 }
446 #endif
447 }
448 break;
449
450 case ISAKMP_NPTYPE_N:
451 isakmp_check_notify(pa->ptr, iph2->ph1);
452 break;
453
454 #ifdef ENABLE_NATT
455 case ISAKMP_NPTYPE_NATOA_DRAFT:
456 case ISAKMP_NPTYPE_NATOA_RFC:
457 /* Ignore original source/destination messages */
458 break;
459 #endif
460
461 default:
462 /* don't send information, see ident_r1recv() */
463 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
464 "ignore the packet, "
465 "received unexpecting payload type %d.\n",
466 pa->type);
467 goto end;
468 }
469
470 p += pa->len;
471
472 /* compute true length of payload. */
473 tlen += pa->len;
474 }
475
476 /* payload existency check */
477 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
478 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
479 "few isakmp message received.\n");
480 goto end;
481 }
482
483 /* Fixed buffer for calculating HASH */
484 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
485 plog(LLV_DEBUG, LOCATION, NULL,
486 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
487 hbuf->l, tlen + iph2->nonce->l);
488 /* adjust buffer length for HASH */
489 hbuf->l = iph2->nonce->l + tlen;
490
491 /* validate HASH(2) */
492 {
493 char *r_hash;
494 vchar_t *my_hash = NULL;
495 int result;
496
497 r_hash = (char *)hash + sizeof(*hash);
498
499 plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:");
500 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
501
502 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
503 if (my_hash == NULL)
504 goto end;
505
506 result = memcmp(my_hash->v, r_hash, my_hash->l);
507 vfree(my_hash);
508
509 if (result) {
510 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
511 "HASH(2) mismatch.\n");
512 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
513 goto end;
514 }
515 }
516
517 /* validity check SA payload sent from responder */
518 if (ipsecdoi_checkph2proposal(iph2) < 0) {
519 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
520 goto end;
521 }
522
523 /* change status of isakmp status entry */
524 iph2->status = PHASE2ST_STATUS6;
525
526 error = 0;
527
528 end:
529 if (hbuf)
530 vfree(hbuf);
531 if (pbuf)
532 vfree(pbuf);
533 if (msg)
534 vfree(msg);
535
536 if (error) {
537 VPTRINIT(iph2->sa_ret);
538 VPTRINIT(iph2->nonce_p);
539 VPTRINIT(iph2->dhpub_p);
540 VPTRINIT(iph2->id);
541 VPTRINIT(iph2->id_p);
542 }
543
544 return error;
545 }
546
547 /*
548 * send to responder
549 * HDR*, HASH(3)
550 */
551 int
quick_i2send(iph2,msg0)552 quick_i2send(iph2, msg0)
553 struct ph2handle *iph2;
554 vchar_t *msg0;
555 {
556 vchar_t *msg = NULL;
557 vchar_t *buf = NULL;
558 vchar_t *hash = NULL;
559 char *p = NULL;
560 int tlen;
561 int error = ISAKMP_INTERNAL_ERROR;
562
563 /* validity check */
564 if (iph2->status != PHASE2ST_STATUS6) {
565 plog(LLV_ERROR, LOCATION, NULL,
566 "status mismatched %d.\n", iph2->status);
567 goto end;
568 }
569
570 /* generate HASH(3) */
571 {
572 vchar_t *tmp = NULL;
573
574 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n");
575
576 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
577 if (tmp == NULL) {
578 plog(LLV_ERROR, LOCATION, NULL,
579 "failed to get hash buffer.\n");
580 goto end;
581 }
582 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
583 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);
584
585 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
586 vfree(tmp);
587
588 if (hash == NULL)
589 goto end;
590 }
591
592 /* create buffer for isakmp payload */
593 tlen = sizeof(struct isakmp)
594 + sizeof(struct isakmp_gen) + hash->l;
595 buf = vmalloc(tlen);
596 if (buf == NULL) {
597 plog(LLV_ERROR, LOCATION, NULL,
598 "failed to get buffer to send.\n");
599 goto end;
600 }
601
602 /* create isakmp header */
603 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
604 if (p == NULL)
605 goto end;
606
607 /* add HASH(3) payload */
608 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);
609
610 #ifdef HAVE_PRINT_ISAKMP_C
611 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
612 #endif
613
614 /* encoding */
615 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
616 if (iph2->sendbuf == NULL)
617 goto end;
618
619 /* if there is commit bit, need resending */
620 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
621 /* send the packet, add to the schedule to resend */
622 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
623 if (isakmp_ph2resend(iph2) == -1)
624 goto end;
625 } else {
626 /* send the packet */
627 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
628 goto end;
629 }
630
631 /* the sending message is added to the received-list. */
632 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
633 iph2->sendbuf, msg0) == -1) {
634 plog(LLV_ERROR , LOCATION, NULL,
635 "failed to add a response packet to the tree.\n");
636 goto end;
637 }
638
639 /* compute both of KEYMATs */
640 if (oakley_compute_keymat(iph2, INITIATOR) < 0)
641 goto end;
642
643 iph2->status = PHASE2ST_ADDSA;
644
645 /* don't anything if local test mode. */
646 if (f_local) {
647 error = 0;
648 goto end;
649 }
650
651 /* if there is commit bit don't set up SA now. */
652 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
653 iph2->status = PHASE2ST_COMMIT;
654 error = 0;
655 goto end;
656 }
657
658 /* Do UPDATE for initiator */
659 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
660 if (pk_sendupdate(iph2) < 0) {
661 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
662 goto end;
663 }
664 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
665
666 /* Do ADD for responder */
667 if (pk_sendadd(iph2) < 0) {
668 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
669 goto end;
670 }
671 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
672
673 error = 0;
674
675 end:
676 if (buf != NULL)
677 vfree(buf);
678 if (msg != NULL)
679 vfree(msg);
680 if (hash != NULL)
681 vfree(hash);
682
683 return error;
684 }
685
686 /*
687 * receive from responder
688 * HDR#*, HASH(4), notify
689 */
690 int
quick_i3recv(iph2,msg0)691 quick_i3recv(iph2, msg0)
692 struct ph2handle *iph2;
693 vchar_t *msg0;
694 {
695 vchar_t *msg = NULL;
696 vchar_t *pbuf = NULL; /* for payload parsing */
697 struct isakmp_parse_t *pa;
698 struct isakmp_pl_hash *hash = NULL;
699 vchar_t *notify = NULL;
700 int error = ISAKMP_INTERNAL_ERROR;
701
702 /* validity check */
703 if (iph2->status != PHASE2ST_COMMIT) {
704 plog(LLV_ERROR, LOCATION, NULL,
705 "status mismatched %d.\n", iph2->status);
706 goto end;
707 }
708
709 /* decrypt packet */
710 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
711 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
712 "Packet wasn't encrypted.\n");
713 goto end;
714 }
715 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
716 if (msg == NULL)
717 goto end;
718
719 /* validate the type of next payload */
720 pbuf = isakmp_parse(msg);
721 if (pbuf == NULL)
722 goto end;
723
724 for (pa = (struct isakmp_parse_t *)pbuf->v;
725 pa->type != ISAKMP_NPTYPE_NONE;
726 pa++) {
727
728 switch (pa->type) {
729 case ISAKMP_NPTYPE_HASH:
730 hash = (struct isakmp_pl_hash *)pa->ptr;
731 break;
732 case ISAKMP_NPTYPE_N:
733 if (notify != NULL) {
734 plog(LLV_WARNING, LOCATION, NULL,
735 "Ignoring multiples notifications\n");
736 break;
737 }
738 isakmp_check_notify(pa->ptr, iph2->ph1);
739 notify = vmalloc(pa->len);
740 if (notify == NULL) {
741 plog(LLV_ERROR, LOCATION, NULL,
742 "failed to get notify buffer.\n");
743 goto end;
744 }
745 memcpy(notify->v, pa->ptr, notify->l);
746 break;
747 default:
748 /* don't send information, see ident_r1recv() */
749 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
750 "ignore the packet, "
751 "received unexpecting payload type %d.\n",
752 pa->type);
753 goto end;
754 }
755 }
756
757 /* payload existency check */
758 if (hash == NULL) {
759 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
760 "few isakmp message received.\n");
761 goto end;
762 }
763
764 /* validate HASH(4) */
765 {
766 char *r_hash;
767 vchar_t *my_hash = NULL;
768 vchar_t *tmp = NULL;
769 int result;
770
771 r_hash = (char *)hash + sizeof(*hash);
772
773 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:");
774 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
775
776 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
777 vfree(tmp);
778 if (my_hash == NULL)
779 goto end;
780
781 result = memcmp(my_hash->v, r_hash, my_hash->l);
782 vfree(my_hash);
783
784 if (result) {
785 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
786 "HASH(4) mismatch.\n");
787 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
788 goto end;
789 }
790 }
791
792 iph2->status = PHASE2ST_ADDSA;
793 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
794
795 /* don't anything if local test mode. */
796 if (f_local) {
797 error = 0;
798 goto end;
799 }
800
801 /* Do UPDATE for initiator */
802 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
803 if (pk_sendupdate(iph2) < 0) {
804 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
805 goto end;
806 }
807 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
808
809 /* Do ADD for responder */
810 if (pk_sendadd(iph2) < 0) {
811 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
812 goto end;
813 }
814 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
815
816 error = 0;
817
818 end:
819 if (msg != NULL)
820 vfree(msg);
821 if (pbuf != NULL)
822 vfree(pbuf);
823 if (notify != NULL)
824 vfree(notify);
825
826 return error;
827 }
828
829 /*
830 * receive from initiator
831 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ]
832 */
833 int
quick_r1recv(iph2,msg0)834 quick_r1recv(iph2, msg0)
835 struct ph2handle *iph2;
836 vchar_t *msg0;
837 {
838 vchar_t *msg = NULL;
839 vchar_t *hbuf = NULL; /* for hash computing. */
840 vchar_t *pbuf = NULL; /* for payload parsing */
841 struct isakmp_parse_t *pa;
842 struct isakmp *isakmp = (struct isakmp *)msg0->v;
843 struct isakmp_pl_hash *hash = NULL;
844 char *p;
845 int tlen;
846 int f_id_order; /* for ID payload detection */
847 int error = ISAKMP_INTERNAL_ERROR;
848
849 /* validity check */
850 if (iph2->status != PHASE2ST_START) {
851 plog(LLV_ERROR, LOCATION, NULL,
852 "status mismatched %d.\n", iph2->status);
853 goto end;
854 }
855
856 /* decrypting */
857 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
858 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
859 "Packet wasn't encrypted.\n");
860 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
861 goto end;
862 }
863 /* decrypt packet */
864 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
865 if (msg == NULL)
866 goto end;
867
868 /* create buffer for using to validate HASH(1) */
869 /*
870 * ordering rule:
871 * 1. the first one must be HASH
872 * 2. the second one must be SA (added in isakmp-oakley-05!)
873 * 3. two IDs must be considered as IDci, then IDcr
874 */
875 pbuf = isakmp_parse(msg);
876 if (pbuf == NULL)
877 goto end;
878 pa = (struct isakmp_parse_t *)pbuf->v;
879
880 /* HASH payload is fixed postion */
881 if (pa->type != ISAKMP_NPTYPE_HASH) {
882 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
883 "received invalid next payload type %d, "
884 "expecting %d.\n",
885 pa->type, ISAKMP_NPTYPE_HASH);
886 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
887 goto end;
888 }
889 hash = (struct isakmp_pl_hash *)pa->ptr;
890 pa++;
891
892 /*
893 * this restriction was introduced in isakmp-oakley-05.
894 * we do not check this for backward compatibility.
895 * TODO: command line/config file option to enable/disable this code
896 */
897 /* HASH payload is fixed postion */
898 if (pa->type != ISAKMP_NPTYPE_SA) {
899 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
900 "received invalid next payload type %d, "
901 "expecting %d.\n",
902 pa->type, ISAKMP_NPTYPE_SA);
903 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
904 }
905
906 /* allocate buffer for computing HASH(1) */
907 tlen = ntohl(isakmp->len) - sizeof(*isakmp);
908 hbuf = vmalloc(tlen);
909 if (hbuf == NULL) {
910 plog(LLV_ERROR, LOCATION, NULL,
911 "failed to get hash buffer.\n");
912 goto end;
913 }
914 p = hbuf->v;
915
916 /*
917 * parse the payloads.
918 * copy non-HASH payloads into hbuf, so that we can validate HASH.
919 */
920 iph2->sa = NULL; /* we don't support multi SAs. */
921 iph2->nonce_p = NULL;
922 iph2->dhpub_p = NULL;
923 iph2->id_p = NULL;
924 iph2->id = NULL;
925 tlen = 0; /* count payload length except of HASH payload. */
926
927 /*
928 * IDi2 MUST be immediatelly followed by IDr2. We allowed the
929 * illegal case, but logged. First ID payload is to be IDi2.
930 * And next ID payload is to be IDr2.
931 */
932 f_id_order = 0;
933
934 for (; pa->type; pa++) {
935
936 /* copy to buffer for HASH */
937 /* Don't modify the payload */
938 memcpy(p, pa->ptr, pa->len);
939
940 if (pa->type != ISAKMP_NPTYPE_ID)
941 f_id_order = 0;
942
943 switch (pa->type) {
944 case ISAKMP_NPTYPE_SA:
945 if (iph2->sa != NULL) {
946 plog(LLV_ERROR, LOCATION, NULL,
947 "Multi SAs isn't supported.\n");
948 goto end;
949 }
950 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
951 goto end;
952 break;
953
954 case ISAKMP_NPTYPE_NONCE:
955 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
956 goto end;
957 break;
958
959 case ISAKMP_NPTYPE_KE:
960 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
961 goto end;
962 break;
963
964 case ISAKMP_NPTYPE_ID:
965 if (iph2->id_p == NULL) {
966 /* for IDci */
967 f_id_order++;
968
969 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0)
970 goto end;
971
972 } else if (iph2->id == NULL) {
973 /* for IDcr */
974 if (f_id_order == 0) {
975 plog(LLV_ERROR, LOCATION, NULL,
976 "IDr2 payload is not "
977 "immediatelly followed "
978 "by IDi2. We allowed.\n");
979 /* XXX we allowed in this case. */
980 }
981
982 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0)
983 goto end;
984 } else {
985 plog(LLV_ERROR, LOCATION, NULL,
986 "received too many ID payloads.\n");
987 plogdump(LLV_ERROR, iph2->id->v, iph2->id->l);
988 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
989 goto end;
990 }
991 break;
992
993 case ISAKMP_NPTYPE_N:
994 isakmp_check_notify(pa->ptr, iph2->ph1);
995 break;
996
997 #ifdef ENABLE_NATT
998 case ISAKMP_NPTYPE_NATOA_DRAFT:
999 case ISAKMP_NPTYPE_NATOA_RFC:
1000 /* Ignore original source/destination messages */
1001 break;
1002 #endif
1003
1004 default:
1005 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1006 "ignore the packet, "
1007 "received unexpecting payload type %d.\n",
1008 pa->type);
1009 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1010 goto end;
1011 }
1012
1013 p += pa->len;
1014
1015 /* compute true length of payload. */
1016 tlen += pa->len;
1017 }
1018
1019 /* payload existency check */
1020 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
1021 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1022 "few isakmp message received.\n");
1023 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1024 goto end;
1025 }
1026
1027 if (iph2->id_p) {
1028 plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
1029 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
1030 }
1031 if (iph2->id) {
1032 plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
1033 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
1034 }
1035
1036 /* adjust buffer length for HASH */
1037 hbuf->l = tlen;
1038
1039 /* validate HASH(1) */
1040 {
1041 char *r_hash;
1042 vchar_t *my_hash = NULL;
1043 int result;
1044
1045 r_hash = (caddr_t)hash + sizeof(*hash);
1046
1047 plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:");
1048 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1049
1050 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
1051 if (my_hash == NULL)
1052 goto end;
1053
1054 result = memcmp(my_hash->v, r_hash, my_hash->l);
1055 vfree(my_hash);
1056
1057 if (result) {
1058 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1059 "HASH(1) mismatch.\n");
1060 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1061 goto end;
1062 }
1063 }
1064
1065 /* get sainfo */
1066 error = get_sainfo_r(iph2);
1067 if (error) {
1068 plog(LLV_ERROR, LOCATION, NULL,
1069 "failed to get sainfo.\n");
1070 goto end;
1071 }
1072
1073
1074 /* check the existence of ID payload and create responder's proposal */
1075 error = get_proposal_r(iph2);
1076 switch (error) {
1077 case -2:
1078 /* generate a policy template from peer's proposal */
1079 if (set_proposal_from_proposal(iph2)) {
1080 plog(LLV_ERROR, LOCATION, NULL,
1081 "failed to generate a proposal template "
1082 "from client's proposal.\n");
1083 return ISAKMP_INTERNAL_ERROR;
1084 }
1085 /*FALLTHROUGH*/
1086 case 0:
1087 /* select single proposal or reject it. */
1088 if (ipsecdoi_selectph2proposal(iph2) < 0) {
1089 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1090 goto end;
1091 }
1092 break;
1093 default:
1094 plog(LLV_ERROR, LOCATION, NULL,
1095 "failed to get proposal for responder.\n");
1096 goto end;
1097 }
1098
1099 /* check KE and attribute of PFS */
1100 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
1101 plog(LLV_ERROR, LOCATION, NULL,
1102 "no PFS is specified, but peer sends KE.\n");
1103 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1104 goto end;
1105 }
1106 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
1107 plog(LLV_ERROR, LOCATION, NULL,
1108 "PFS is specified, but peer doesn't sends KE.\n");
1109 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1110 goto end;
1111 }
1112
1113 /*
1114 * save the packet from the initiator in order to resend the
1115 * responder's first packet against this packet.
1116 */
1117 iph2->msg1 = vdup(msg0);
1118
1119 /* change status of isakmp status entry */
1120 iph2->status = PHASE2ST_STATUS2;
1121
1122 error = 0;
1123
1124 end:
1125 if (hbuf)
1126 vfree(hbuf);
1127 if (msg)
1128 vfree(msg);
1129 if (pbuf)
1130 vfree(pbuf);
1131
1132 if (error) {
1133 VPTRINIT(iph2->sa);
1134 VPTRINIT(iph2->nonce_p);
1135 VPTRINIT(iph2->dhpub_p);
1136 VPTRINIT(iph2->id);
1137 VPTRINIT(iph2->id_p);
1138 }
1139
1140 return error;
1141 }
1142
1143 /*
1144 * call pfkey_getspi.
1145 */
1146 int
quick_r1prep(iph2,msg)1147 quick_r1prep(iph2, msg)
1148 struct ph2handle *iph2;
1149 vchar_t *msg;
1150 {
1151 int error = ISAKMP_INTERNAL_ERROR;
1152
1153 /* validity check */
1154 if (iph2->status != PHASE2ST_STATUS2) {
1155 plog(LLV_ERROR, LOCATION, NULL,
1156 "status mismatched %d.\n", iph2->status);
1157 goto end;
1158 }
1159
1160 iph2->status = PHASE2ST_GETSPISENT;
1161
1162 /* send getspi message */
1163 if (pk_sendgetspi(iph2) < 0)
1164 goto end;
1165
1166 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
1167
1168 iph2->sce = sched_new(lcconf->wait_ph2complete,
1169 pfkey_timeover_stub, iph2);
1170
1171 error = 0;
1172
1173 end:
1174 return error;
1175 }
1176
1177 /*
1178 * send to initiator
1179 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ]
1180 */
1181 int
quick_r2send(iph2,msg)1182 quick_r2send(iph2, msg)
1183 struct ph2handle *iph2;
1184 vchar_t *msg;
1185 {
1186 vchar_t *body = NULL;
1187 vchar_t *hash = NULL;
1188 struct isakmp_gen *gen;
1189 char *p;
1190 int tlen;
1191 int error = ISAKMP_INTERNAL_ERROR;
1192 int pfsgroup;
1193 u_int8_t *np_p = NULL;
1194
1195 /* validity check */
1196 if (msg != NULL) {
1197 plog(LLV_ERROR, LOCATION, NULL,
1198 "msg has to be NULL in this function.\n");
1199 goto end;
1200 }
1201 if (iph2->status != PHASE2ST_GETSPIDONE) {
1202 plog(LLV_ERROR, LOCATION, NULL,
1203 "status mismatched %d.\n", iph2->status);
1204 goto end;
1205 }
1206
1207 /* update responders SPI */
1208 if (ipsecdoi_updatespi(iph2) < 0) {
1209 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n");
1210 goto end;
1211 }
1212
1213 /* generate NONCE value */
1214 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
1215 if (iph2->nonce == NULL)
1216 goto end;
1217
1218 /* generate KE value if need */
1219 pfsgroup = iph2->approval->pfs_group;
1220 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1221 /* DH group settting if PFS is required. */
1222 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
1223 plog(LLV_ERROR, LOCATION, NULL,
1224 "failed to set DH value.\n");
1225 goto end;
1226 }
1227 /* generate DH public value */
1228 if (oakley_dh_generate(iph2->pfsgrp,
1229 &iph2->dhpub, &iph2->dhpriv) < 0) {
1230 goto end;
1231 }
1232 }
1233
1234 /* create SA;NONCE payload, and KE and ID if need */
1235 tlen = sizeof(*gen) + iph2->sa_ret->l
1236 + sizeof(*gen) + iph2->nonce->l;
1237 if (iph2->dhpub_p != NULL && pfsgroup != 0)
1238 tlen += (sizeof(*gen) + iph2->dhpub->l);
1239 if (iph2->id_p != NULL)
1240 tlen += (sizeof(*gen) + iph2->id_p->l
1241 + sizeof(*gen) + iph2->id->l);
1242
1243 body = vmalloc(tlen);
1244 if (body == NULL) {
1245 plog(LLV_ERROR, LOCATION, NULL,
1246 "failed to get buffer to send.\n");
1247 goto end;
1248 }
1249 p = body->v;
1250
1251 /* make SA payload */
1252 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
1253
1254 /* add NONCE payload */
1255 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1256 p = set_isakmp_payload(p, iph2->nonce,
1257 (iph2->dhpub_p != NULL && pfsgroup != 0)
1258 ? ISAKMP_NPTYPE_KE
1259 : (iph2->id_p != NULL
1260 ? ISAKMP_NPTYPE_ID
1261 : ISAKMP_NPTYPE_NONE));
1262
1263 /* add KE payload if need. */
1264 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1265 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1266 p = set_isakmp_payload(p, iph2->dhpub,
1267 (iph2->id_p == NULL)
1268 ? ISAKMP_NPTYPE_NONE
1269 : ISAKMP_NPTYPE_ID);
1270 }
1271
1272 /* add ID payloads received. */
1273 if (iph2->id_p != NULL) {
1274 /* IDci */
1275 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
1276 /* IDcr */
1277 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1278 p = set_isakmp_payload(p, iph2->id, ISAKMP_NPTYPE_NONE);
1279 }
1280
1281 /* add a RESPONDER-LIFETIME notify payload if needed */
1282 {
1283 vchar_t *data = NULL;
1284 struct saprop *pp = iph2->approval;
1285 struct saproto *pr;
1286
1287 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
1288 u_int32_t v = htonl((u_int32_t)pp->lifetime);
1289 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1290 IPSECDOI_ATTR_SA_LD_TYPE_SEC);
1291 if (!data)
1292 goto end;
1293 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1294 (caddr_t)&v, sizeof(v));
1295 if (!data)
1296 goto end;
1297 }
1298 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
1299 u_int32_t v = htonl((u_int32_t)pp->lifebyte);
1300 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1301 IPSECDOI_ATTR_SA_LD_TYPE_KB);
1302 if (!data)
1303 goto end;
1304 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1305 (caddr_t)&v, sizeof(v));
1306 if (!data)
1307 goto end;
1308 }
1309
1310 /*
1311 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1312 * in the case of SA bundle ?
1313 */
1314 if (data) {
1315 for (pr = pp->head; pr; pr = pr->next) {
1316 body = isakmp_add_pl_n(body, &np_p,
1317 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
1318 if (!body) {
1319 vfree(data);
1320 return error; /* XXX */
1321 }
1322 }
1323 vfree(data);
1324 }
1325 }
1326
1327 /* generate HASH(2) */
1328 {
1329 vchar_t *tmp;
1330
1331 tmp = vmalloc(iph2->nonce_p->l + body->l);
1332 if (tmp == NULL) {
1333 plog(LLV_ERROR, LOCATION, NULL,
1334 "failed to get hash buffer.\n");
1335 goto end;
1336 }
1337 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1338 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
1339
1340 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
1341 vfree(tmp);
1342
1343 if (hash == NULL)
1344 goto end;
1345 }
1346
1347 /* send isakmp payload */
1348 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
1349 if (iph2->sendbuf == NULL)
1350 goto end;
1351
1352 /* send the packet, add to the schedule to resend */
1353 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
1354 if (isakmp_ph2resend(iph2) == -1)
1355 goto end;
1356
1357 /* the sending message is added to the received-list. */
1358 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) {
1359 plog(LLV_ERROR , LOCATION, NULL,
1360 "failed to add a response packet to the tree.\n");
1361 goto end;
1362 }
1363
1364 /* change status of isakmp status entry */
1365 iph2->status = PHASE2ST_MSG1SENT;
1366
1367 error = 0;
1368
1369 end:
1370 if (body != NULL)
1371 vfree(body);
1372 if (hash != NULL)
1373 vfree(hash);
1374
1375 return error;
1376 }
1377
1378 /*
1379 * receive from initiator
1380 * HDR*, HASH(3)
1381 */
1382 int
quick_r3recv(iph2,msg0)1383 quick_r3recv(iph2, msg0)
1384 struct ph2handle *iph2;
1385 vchar_t *msg0;
1386 {
1387 vchar_t *msg = NULL;
1388 vchar_t *pbuf = NULL; /* for payload parsing */
1389 struct isakmp_parse_t *pa;
1390 struct isakmp_pl_hash *hash = NULL;
1391 int error = ISAKMP_INTERNAL_ERROR;
1392
1393 /* validity check */
1394 if (iph2->status != PHASE2ST_MSG1SENT) {
1395 plog(LLV_ERROR, LOCATION, NULL,
1396 "status mismatched %d.\n", iph2->status);
1397 goto end;
1398 }
1399
1400 /* decrypt packet */
1401 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1402 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1403 "Packet wasn't encrypted.\n");
1404 goto end;
1405 }
1406 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1407 if (msg == NULL)
1408 goto end;
1409
1410 /* validate the type of next payload */
1411 pbuf = isakmp_parse(msg);
1412 if (pbuf == NULL)
1413 goto end;
1414
1415 for (pa = (struct isakmp_parse_t *)pbuf->v;
1416 pa->type != ISAKMP_NPTYPE_NONE;
1417 pa++) {
1418
1419 switch (pa->type) {
1420 case ISAKMP_NPTYPE_HASH:
1421 hash = (struct isakmp_pl_hash *)pa->ptr;
1422 break;
1423 case ISAKMP_NPTYPE_N:
1424 isakmp_check_notify(pa->ptr, iph2->ph1);
1425 break;
1426 default:
1427 /* don't send information, see ident_r1recv() */
1428 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1429 "ignore the packet, "
1430 "received unexpecting payload type %d.\n",
1431 pa->type);
1432 goto end;
1433 }
1434 }
1435
1436 /* payload existency check */
1437 if (hash == NULL) {
1438 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1439 "few isakmp message received.\n");
1440 goto end;
1441 }
1442
1443 /* validate HASH(3) */
1444 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1445 {
1446 char *r_hash;
1447 vchar_t *my_hash = NULL;
1448 vchar_t *tmp = NULL;
1449 int result;
1450
1451 r_hash = (char *)hash + sizeof(*hash);
1452
1453 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
1454 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1455
1456 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
1457 if (tmp == NULL) {
1458 plog(LLV_ERROR, LOCATION, NULL,
1459 "failed to get hash buffer.\n");
1460 goto end;
1461 }
1462 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1463 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
1464
1465 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
1466 vfree(tmp);
1467 if (my_hash == NULL)
1468 goto end;
1469
1470 result = memcmp(my_hash->v, r_hash, my_hash->l);
1471 vfree(my_hash);
1472
1473 if (result) {
1474 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1475 "HASH(3) mismatch.\n");
1476 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1477 goto end;
1478 }
1479 }
1480
1481 /* if there is commit bit, don't set up SA now. */
1482 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
1483 iph2->status = PHASE2ST_COMMIT;
1484 } else
1485 iph2->status = PHASE2ST_STATUS6;
1486
1487 error = 0;
1488
1489 end:
1490 if (pbuf != NULL)
1491 vfree(pbuf);
1492 if (msg != NULL)
1493 vfree(msg);
1494
1495 return error;
1496 }
1497
1498 /*
1499 * send to initiator
1500 * HDR#*, HASH(4), notify
1501 */
1502 int
quick_r3send(iph2,msg0)1503 quick_r3send(iph2, msg0)
1504 struct ph2handle *iph2;
1505 vchar_t *msg0;
1506 {
1507 vchar_t *buf = NULL;
1508 vchar_t *myhash = NULL;
1509 struct isakmp_pl_n *n;
1510 vchar_t *notify = NULL;
1511 char *p;
1512 int tlen;
1513 int error = ISAKMP_INTERNAL_ERROR;
1514
1515 /* validity check */
1516 if (iph2->status != PHASE2ST_COMMIT) {
1517 plog(LLV_ERROR, LOCATION, NULL,
1518 "status mismatched %d.\n", iph2->status);
1519 goto end;
1520 }
1521
1522 /* generate HASH(4) */
1523 /* XXX What can I do in the case of multiple different SA */
1524 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");
1525
1526 /* XXX What should I do if there are multiple SAs ? */
1527 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
1528 notify = vmalloc(tlen);
1529 if (notify == NULL) {
1530 plog(LLV_ERROR, LOCATION, NULL,
1531 "failed to get notify buffer.\n");
1532 goto end;
1533 }
1534 n = (struct isakmp_pl_n *)notify->v;
1535 n->h.np = ISAKMP_NPTYPE_NONE;
1536 n->h.len = htons(tlen);
1537 n->doi = htonl(IPSEC_DOI);
1538 n->proto_id = iph2->approval->head->proto_id;
1539 n->spi_size = sizeof(iph2->approval->head->spisize);
1540 n->type = htons(ISAKMP_NTYPE_CONNECTED);
1541 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
1542
1543 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1544 if (myhash == NULL)
1545 goto end;
1546
1547 /* create buffer for isakmp payload */
1548 tlen = sizeof(struct isakmp)
1549 + sizeof(struct isakmp_gen) + myhash->l
1550 + notify->l;
1551 buf = vmalloc(tlen);
1552 if (buf == NULL) {
1553 plog(LLV_ERROR, LOCATION, NULL,
1554 "failed to get buffer to send.\n");
1555 goto end;
1556 }
1557
1558 /* create isakmp header */
1559 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
1560 if (p == NULL)
1561 goto end;
1562
1563 /* add HASH(4) payload */
1564 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
1565
1566 /* add notify payload */
1567 memcpy(p, notify->v, notify->l);
1568
1569 #ifdef HAVE_PRINT_ISAKMP_C
1570 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
1571 #endif
1572
1573 /* encoding */
1574 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
1575 if (iph2->sendbuf == NULL)
1576 goto end;
1577
1578 /* send the packet */
1579 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1580 goto end;
1581
1582 /* the sending message is added to the received-list. */
1583 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) {
1584 plog(LLV_ERROR , LOCATION, NULL,
1585 "failed to add a response packet to the tree.\n");
1586 goto end;
1587 }
1588
1589 iph2->status = PHASE2ST_COMMIT;
1590
1591 error = 0;
1592
1593 end:
1594 if (buf != NULL)
1595 vfree(buf);
1596 if (myhash != NULL)
1597 vfree(myhash);
1598 if (notify != NULL)
1599 vfree(notify);
1600
1601 return error;
1602 }
1603
1604 int
tunnel_mode_prop(p)1605 tunnel_mode_prop(p)
1606 struct saprop *p;
1607 {
1608 struct saproto *pr;
1609
1610 for (pr = p->head; pr; pr = pr->next)
1611 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL)
1612 return 1;
1613 return 0;
1614 }
1615
1616 /*
1617 * set SA to kernel.
1618 */
1619 int
quick_r3prep(iph2,msg0)1620 quick_r3prep(iph2, msg0)
1621 struct ph2handle *iph2;
1622 vchar_t *msg0;
1623 {
1624 int error = ISAKMP_INTERNAL_ERROR;
1625
1626 /* validity check */
1627 if (iph2->status != PHASE2ST_STATUS6) {
1628 plog(LLV_ERROR, LOCATION, NULL,
1629 "status mismatched %d.\n", iph2->status);
1630 goto end;
1631 }
1632
1633 /* compute both of KEYMATs */
1634 if (oakley_compute_keymat(iph2, RESPONDER) < 0)
1635 goto end;
1636
1637 iph2->status = PHASE2ST_ADDSA;
1638 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1639
1640 /* don't anything if local test mode. */
1641 if (f_local) {
1642 error = 0;
1643 goto end;
1644 }
1645
1646 /* Do UPDATE as responder */
1647 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
1648 if (pk_sendupdate(iph2) < 0) {
1649 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
1650 goto end;
1651 }
1652 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
1653
1654 /* Do ADD for responder */
1655 if (pk_sendadd(iph2) < 0) {
1656 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
1657 goto end;
1658 }
1659 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
1660
1661 /*
1662 * set policies into SPD if the policy is generated
1663 * from peer's policy.
1664 */
1665 if (iph2->spidx_gen) {
1666
1667 struct policyindex *spidx;
1668 struct sockaddr_storage addr;
1669 u_int8_t pref;
1670 struct sockaddr *src = iph2->src;
1671 struct sockaddr *dst = iph2->dst;
1672
1673 /* make inbound policy */
1674 iph2->src = dst;
1675 iph2->dst = src;
1676 if (pk_sendspdupdate2(iph2) < 0) {
1677 plog(LLV_ERROR, LOCATION, NULL,
1678 "pfkey spdupdate2(inbound) failed.\n");
1679 goto end;
1680 }
1681 plog(LLV_DEBUG, LOCATION, NULL,
1682 "pfkey spdupdate2(inbound) sent.\n");
1683
1684 spidx = (struct policyindex *)iph2->spidx_gen;
1685 #ifdef HAVE_POLICY_FWD
1686 /* make forward policy if required */
1687 if (tunnel_mode_prop(iph2->approval)) {
1688 spidx->dir = IPSEC_DIR_FWD;
1689 if (pk_sendspdupdate2(iph2) < 0) {
1690 plog(LLV_ERROR, LOCATION, NULL,
1691 "pfkey spdupdate2(forward) failed.\n");
1692 goto end;
1693 }
1694 plog(LLV_DEBUG, LOCATION, NULL,
1695 "pfkey spdupdate2(forward) sent.\n");
1696 }
1697 #endif
1698
1699 /* make outbound policy */
1700 iph2->src = src;
1701 iph2->dst = dst;
1702 spidx->dir = IPSEC_DIR_OUTBOUND;
1703 addr = spidx->src;
1704 spidx->src = spidx->dst;
1705 spidx->dst = addr;
1706 pref = spidx->prefs;
1707 spidx->prefs = spidx->prefd;
1708 spidx->prefd = pref;
1709
1710 if (pk_sendspdupdate2(iph2) < 0) {
1711 plog(LLV_ERROR, LOCATION, NULL,
1712 "pfkey spdupdate2(outbound) failed.\n");
1713 goto end;
1714 }
1715 plog(LLV_DEBUG, LOCATION, NULL,
1716 "pfkey spdupdate2(outbound) sent.\n");
1717
1718 /* spidx_gen is unnecessary any more */
1719 delsp_bothdir((struct policyindex *)iph2->spidx_gen);
1720 racoon_free(iph2->spidx_gen);
1721 iph2->spidx_gen = NULL;
1722 iph2->generated_spidx=1;
1723 }
1724
1725 error = 0;
1726
1727 end:
1728 return error;
1729 }
1730
1731 /*
1732 * create HASH, body (SA, NONCE) payload with isakmp header.
1733 */
1734 static vchar_t *
quick_ir1mx(iph2,body,hash)1735 quick_ir1mx(iph2, body, hash)
1736 struct ph2handle *iph2;
1737 vchar_t *body, *hash;
1738 {
1739 struct isakmp *isakmp;
1740 vchar_t *buf = NULL, *new = NULL;
1741 char *p;
1742 int tlen;
1743 struct isakmp_gen *gen;
1744 int error = ISAKMP_INTERNAL_ERROR;
1745
1746 /* create buffer for isakmp payload */
1747 tlen = sizeof(*isakmp)
1748 + sizeof(*gen) + hash->l
1749 + body->l;
1750 buf = vmalloc(tlen);
1751 if (buf == NULL) {
1752 plog(LLV_ERROR, LOCATION, NULL,
1753 "failed to get buffer to send.\n");
1754 goto end;
1755 }
1756
1757 /* re-set encryption flag, for serurity. */
1758 iph2->flags |= ISAKMP_FLAG_E;
1759
1760 /* set isakmp header */
1761 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
1762 if (p == NULL)
1763 goto end;
1764
1765 /* add HASH payload */
1766 /* XXX is next type always SA ? */
1767 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
1768
1769 /* add body payload */
1770 memcpy(p, body->v, body->l);
1771
1772 #ifdef HAVE_PRINT_ISAKMP_C
1773 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
1774 #endif
1775
1776 /* encoding */
1777 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
1778
1779 if (new == NULL)
1780 goto end;
1781
1782 vfree(buf);
1783
1784 buf = new;
1785
1786 error = 0;
1787
1788 end:
1789 if (error && buf != NULL) {
1790 vfree(buf);
1791 buf = NULL;
1792 }
1793
1794 return buf;
1795 }
1796
1797 /*
1798 * get remote's sainfo.
1799 * NOTE: this function is for responder.
1800 */
1801 static int
get_sainfo_r(iph2)1802 get_sainfo_r(iph2)
1803 struct ph2handle *iph2;
1804 {
1805 vchar_t *idsrc = NULL, *iddst = NULL;
1806 int prefixlen;
1807 int error = ISAKMP_INTERNAL_ERROR;
1808 int remoteid = 0;
1809
1810 if (iph2->id == NULL) {
1811 switch (iph2->src->sa_family) {
1812 case AF_INET:
1813 prefixlen = sizeof(struct in_addr) << 3;
1814 break;
1815 case AF_INET6:
1816 prefixlen = sizeof(struct in6_addr) << 3;
1817 break;
1818 default:
1819 plog(LLV_ERROR, LOCATION, NULL,
1820 "invalid family: %d\n", iph2->src->sa_family);
1821 goto end;
1822 }
1823 idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
1824 IPSEC_ULPROTO_ANY);
1825 } else {
1826 idsrc = vdup(iph2->id);
1827 }
1828 if (idsrc == NULL) {
1829 plog(LLV_ERROR, LOCATION, NULL,
1830 "failed to set ID for source.\n");
1831 goto end;
1832 }
1833
1834 if (iph2->id_p == NULL) {
1835 switch (iph2->dst->sa_family) {
1836 case AF_INET:
1837 prefixlen = sizeof(struct in_addr) << 3;
1838 break;
1839 case AF_INET6:
1840 prefixlen = sizeof(struct in6_addr) << 3;
1841 break;
1842 default:
1843 plog(LLV_ERROR, LOCATION, NULL,
1844 "invalid family: %d\n", iph2->dst->sa_family);
1845 goto end;
1846 }
1847 iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen,
1848 IPSEC_ULPROTO_ANY);
1849 } else {
1850 iddst = vdup(iph2->id_p);
1851 }
1852 if (iddst == NULL) {
1853 plog(LLV_ERROR, LOCATION, NULL,
1854 "failed to set ID for destination.\n");
1855 goto end;
1856 }
1857
1858 {
1859 struct remoteconf *conf;
1860 conf = getrmconf(iph2->dst);
1861 if (conf != NULL)
1862 remoteid=conf->ph1id;
1863 else{
1864 plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
1865 remoteid=0;
1866 }
1867
1868 }
1869
1870 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, remoteid);
1871 if (iph2->sainfo == NULL) {
1872 plog(LLV_ERROR, LOCATION, NULL,
1873 "failed to get sainfo.\n");
1874 goto end;
1875 }
1876
1877 #ifdef ENABLE_HYBRID
1878 /* xauth group inclusion check */
1879 if (iph2->sainfo->group != NULL)
1880 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1))
1881 goto end;
1882 #endif
1883
1884 plog(LLV_DEBUG, LOCATION, NULL,
1885 "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
1886
1887 error = 0;
1888 end:
1889 if (idsrc)
1890 vfree(idsrc);
1891 if (iddst)
1892 vfree(iddst);
1893
1894 return error;
1895 }
1896
1897 /*
1898 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
1899 * are IP address and same address family.
1900 * Then get remote's policy from SPD copied from kernel.
1901 * If the type of ID payload is address or subnet type, then the index is
1902 * made from the payload. If there is no ID payload, or the type of ID
1903 * payload is NOT address type, then the index is made from the address
1904 * pair of phase 1.
1905 * NOTE: This function is only for responder.
1906 */
1907 static int
get_proposal_r(iph2)1908 get_proposal_r(iph2)
1909 struct ph2handle *iph2;
1910 {
1911 struct policyindex spidx;
1912 struct secpolicy *sp_in, *sp_out;
1913 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
1914 int error = ISAKMP_INTERNAL_ERROR;
1915
1916 /* check the existence of ID payload */
1917 if ((iph2->id_p != NULL && iph2->id == NULL)
1918 || (iph2->id_p == NULL && iph2->id != NULL)) {
1919 plog(LLV_ERROR, LOCATION, NULL,
1920 "Both IDs wasn't found in payload.\n");
1921 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1922 }
1923
1924 /* make sure if id[src,dst] is null. */
1925 if (iph2->src_id || iph2->dst_id) {
1926 plog(LLV_ERROR, LOCATION, NULL,
1927 "Why do ID[src,dst] exist already.\n");
1928 return ISAKMP_INTERNAL_ERROR;
1929 }
1930
1931 memset(&spidx, 0, sizeof(spidx));
1932
1933 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
1934
1935 /* make a spidx; a key to search SPD */
1936 spidx.dir = IPSEC_DIR_INBOUND;
1937 spidx.ul_proto = 0;
1938
1939 /*
1940 * make destination address in spidx from either ID payload
1941 * or phase 1 address into a address in spidx.
1942 */
1943 if (iph2->id != NULL
1944 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
1945 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
1946 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
1947 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
1948 /* get a destination address of a policy */
1949 error = ipsecdoi_id2sockaddr(iph2->id,
1950 (struct sockaddr *)&spidx.dst,
1951 &spidx.prefd, &spidx.ul_proto);
1952 if (error)
1953 return error;
1954
1955 #ifdef INET6
1956 /*
1957 * get scopeid from the SA address.
1958 * note that the phase 1 source address is used as
1959 * a destination address to search for a inbound policy entry
1960 * because rcoon is responder.
1961 */
1962 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
1963 error = setscopeid((struct sockaddr *)&spidx.dst,
1964 iph2->src);
1965 if (error)
1966 return error;
1967 }
1968 #endif
1969
1970 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
1971 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
1972 idi2type = _XIDT(iph2->id);
1973
1974 } else {
1975
1976 plog(LLV_DEBUG, LOCATION, NULL,
1977 "get a destination address of SP index "
1978 "from phase1 address "
1979 "due to no ID payloads found "
1980 "OR because ID type is not address.\n");
1981
1982 /*
1983 * copy the SOURCE address of IKE into the DESTINATION address
1984 * of the key to search the SPD because the direction of policy
1985 * is inbound.
1986 */
1987 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
1988 switch (spidx.dst.ss_family) {
1989 case AF_INET:
1990 spidx.prefd = sizeof(struct in_addr) << 3;
1991 break;
1992 #ifdef INET6
1993 case AF_INET6:
1994 spidx.prefd = sizeof(struct in6_addr) << 3;
1995 break;
1996 #endif
1997 default:
1998 spidx.prefd = 0;
1999 break;
2000 }
2001 }
2002
2003 /* make source address in spidx */
2004 if (iph2->id_p != NULL
2005 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
2006 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
2007 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2008 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2009 /* get a source address of inbound SA */
2010 error = ipsecdoi_id2sockaddr(iph2->id_p,
2011 (struct sockaddr *)&spidx.src,
2012 &spidx.prefs, &spidx.ul_proto);
2013 if (error)
2014 return error;
2015
2016 #ifdef INET6
2017 /*
2018 * get scopeid from the SA address.
2019 * for more detail, see above of this function.
2020 */
2021 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
2022 error = setscopeid((struct sockaddr *)&spidx.src,
2023 iph2->dst);
2024 if (error)
2025 return error;
2026 }
2027 #endif
2028
2029 /* make id[src,dst] if both ID types are IP address and same */
2030 if (_XIDT(iph2->id_p) == idi2type
2031 && spidx.dst.ss_family == spidx.src.ss_family) {
2032 iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst);
2033 if (iph2->src_id == NULL) {
2034 plog(LLV_ERROR, LOCATION, NULL,
2035 "buffer allocation failed.\n");
2036 return ISAKMP_INTERNAL_ERROR;
2037 }
2038 iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src);
2039 if (iph2->dst_id == NULL) {
2040 plog(LLV_ERROR, LOCATION, NULL,
2041 "buffer allocation failed.\n");
2042 return ISAKMP_INTERNAL_ERROR;
2043 }
2044 }
2045
2046 } else {
2047 plog(LLV_DEBUG, LOCATION, NULL,
2048 "get a source address of SP index "
2049 "from phase1 address "
2050 "due to no ID payloads found "
2051 "OR because ID type is not address.\n");
2052
2053 /* see above comment. */
2054 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
2055 switch (spidx.src.ss_family) {
2056 case AF_INET:
2057 spidx.prefs = sizeof(struct in_addr) << 3;
2058 break;
2059 #ifdef INET6
2060 case AF_INET6:
2061 spidx.prefs = sizeof(struct in6_addr) << 3;
2062 break;
2063 #endif
2064 default:
2065 spidx.prefs = 0;
2066 break;
2067 }
2068 }
2069
2070 #undef _XIDT
2071
2072 plog(LLV_DEBUG, LOCATION, NULL,
2073 "get a src address from ID payload "
2074 "%s prefixlen=%u ul_proto=%u\n",
2075 saddr2str((struct sockaddr *)&spidx.src),
2076 spidx.prefs, spidx.ul_proto);
2077 plog(LLV_DEBUG, LOCATION, NULL,
2078 "get dst address from ID payload "
2079 "%s prefixlen=%u ul_proto=%u\n",
2080 saddr2str((struct sockaddr *)&spidx.dst),
2081 spidx.prefd, spidx.ul_proto);
2082
2083 /*
2084 * convert the ul_proto if it is 0
2085 * because 0 in ID payload means a wild card.
2086 */
2087 if (spidx.ul_proto == 0)
2088 spidx.ul_proto = IPSEC_ULPROTO_ANY;
2089
2090 #ifdef HAVE_SECCTX
2091 /*
2092 * Need to use security context in spidx to ensure the correct
2093 * policy is selected. The only way to get the security context
2094 * is to look into the proposal sent by peer ahead of time.
2095 */
2096 if (get_security_context(iph2->sa, &spidx)) {
2097 plog(LLV_ERROR, LOCATION, NULL,
2098 "error occurred trying to get security context.\n");
2099 return ISAKMP_INTERNAL_ERROR;
2100 }
2101 #endif /* HAVE_SECCTX */
2102
2103 /* get inbound policy */
2104 sp_in = getsp_r(&spidx);
2105 if (sp_in == NULL) {
2106 if (iph2->ph1->rmconf->gen_policy) {
2107 plog(LLV_INFO, LOCATION, NULL,
2108 "no policy found, "
2109 "try to generate the policy : %s\n",
2110 spidx2str(&spidx));
2111 iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2112 if (!iph2->spidx_gen) {
2113 plog(LLV_ERROR, LOCATION, NULL,
2114 "buffer allocation failed.\n");
2115 return ISAKMP_INTERNAL_ERROR;
2116 }
2117 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2118 return -2; /* special value */
2119 }
2120 plog(LLV_ERROR, LOCATION, NULL,
2121 "no policy found: %s\n", spidx2str(&spidx));
2122 return ISAKMP_INTERNAL_ERROR;
2123 }
2124 /* Refresh existing generated policies
2125 */
2126 if (iph2->ph1->rmconf->gen_policy) {
2127 plog(LLV_INFO, LOCATION, NULL,
2128 "Update the generated policy : %s\n",
2129 spidx2str(&spidx));
2130 iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2131 if (!iph2->spidx_gen) {
2132 plog(LLV_ERROR, LOCATION, NULL,
2133 "buffer allocation failed.\n");
2134 return ISAKMP_INTERNAL_ERROR;
2135 }
2136 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2137 }
2138
2139 /* get outbound policy */
2140 {
2141 struct sockaddr_storage addr;
2142 u_int8_t pref;
2143
2144 spidx.dir = IPSEC_DIR_OUTBOUND;
2145 addr = spidx.src;
2146 spidx.src = spidx.dst;
2147 spidx.dst = addr;
2148 pref = spidx.prefs;
2149 spidx.prefs = spidx.prefd;
2150 spidx.prefd = pref;
2151
2152 sp_out = getsp_r(&spidx);
2153 if (!sp_out) {
2154 plog(LLV_WARNING, LOCATION, NULL,
2155 "no outbound policy found: %s\n",
2156 spidx2str(&spidx));
2157 }
2158 }
2159
2160 plog(LLV_DEBUG, LOCATION, NULL,
2161 "suitable SP found:%s\n", spidx2str(&spidx));
2162
2163 /*
2164 * In the responder side, the inbound policy should be using IPsec.
2165 * outbound policy is not checked currently.
2166 */
2167 if (sp_in->policy != IPSEC_POLICY_IPSEC) {
2168 plog(LLV_ERROR, LOCATION, NULL,
2169 "policy found, but no IPsec required: %s\n",
2170 spidx2str(&spidx));
2171 return ISAKMP_INTERNAL_ERROR;
2172 }
2173
2174 /* set new proposal derived from a policy into the iph2->proposal. */
2175 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
2176 plog(LLV_ERROR, LOCATION, NULL,
2177 "failed to create saprop.\n");
2178 return ISAKMP_INTERNAL_ERROR;
2179 }
2180
2181 #ifdef HAVE_SECCTX
2182 if (spidx.sec_ctx.ctx_str) {
2183 set_secctx_in_proposal(iph2, spidx);
2184 }
2185 #endif /* HAVE_SECCTX */
2186
2187 return 0;
2188 }
2189
2190