1 /* $NetBSD: isakmp_quick.c,v 1.29 2011/03/14 17:18:13 tteras Exp $ */
2
3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39
40 #include <netinet/in.h>
41
42 #include <stdlib.h>
43 #include <stdio.h>
44 #include <string.h>
45 #include <errno.h>
46 #if TIME_WITH_SYS_TIME
47 # include <sys/time.h>
48 # include <time.h>
49 #else
50 # if HAVE_SYS_TIME_H
51 # include <sys/time.h>
52 # else
53 # include <time.h>
54 # endif
55 #endif
56
57 #include PATH_IPSEC_H
58
59 #include "var.h"
60 #include "vmbuf.h"
61 #include "schedule.h"
62 #include "misc.h"
63 #include "plog.h"
64 #include "debug.h"
65
66 #include "localconf.h"
67 #include "remoteconf.h"
68 #include "handler.h"
69 #include "policy.h"
70 #include "proposal.h"
71 #include "isakmp_var.h"
72 #include "isakmp.h"
73 #include "isakmp_inf.h"
74 #include "isakmp_quick.h"
75 #include "oakley.h"
76 #include "ipsec_doi.h"
77 #include "crypto_openssl.h"
78 #include "pfkey.h"
79 #include "policy.h"
80 #include "algorithm.h"
81 #include "sockmisc.h"
82 #include "proposal.h"
83 #include "sainfo.h"
84 #include "admin.h"
85 #include "strnames.h"
86
87 #ifdef ENABLE_HYBRID
88 #include <resolv.h>
89 #include "isakmp_xauth.h"
90 #include "isakmp_cfg.h"
91 #endif
92
93 #ifdef ENABLE_NATT
94 #include "nattraversal.h"
95 #endif
96
97 /* quick mode */
98 static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
99 static int get_sainfo_r __P((struct ph2handle *));
100 static int get_proposal_r __P((struct ph2handle *));
101 static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *));
102 static void quick_timeover_stub __P((struct sched *));
103 static void quick_timeover __P((struct ph2handle *));
104
105 /* called from scheduler */
106 static void
quick_timeover_stub(p)107 quick_timeover_stub(p)
108 struct sched *p;
109 {
110 quick_timeover(container_of(p, struct ph2handle, sce));
111 }
112
113 static void
quick_timeover(iph2)114 quick_timeover(iph2)
115 struct ph2handle *iph2;
116 {
117 plog(LLV_ERROR, LOCATION, NULL,
118 "%s give up to get IPsec-SA due to time up to wait.\n",
119 saddrwop2str(iph2->dst));
120
121 /* If initiator side, send error to kernel by SADB_ACQUIRE. */
122 if (iph2->side == INITIATOR)
123 pk_sendeacquire(iph2);
124
125 remph2(iph2);
126 delph2(iph2);
127 }
128
129 /* �%%%
130 * Quick Mode
131 */
132 /*
133 * begin Quick Mode as initiator. send pfkey getspi message to kernel.
134 */
135 int
quick_i1prep(iph2,msg)136 quick_i1prep(iph2, msg)
137 struct ph2handle *iph2;
138 vchar_t *msg; /* must be null pointer */
139 {
140 int error = ISAKMP_INTERNAL_ERROR;
141
142 /* validity check */
143 if (iph2->status != PHASE2ST_STATUS2) {
144 plog(LLV_ERROR, LOCATION, NULL,
145 "status mismatched %d.\n", iph2->status);
146 goto end;
147 }
148
149 iph2->msgid = isakmp_newmsgid2(iph2->ph1);
150 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
151 if (iph2->ivm == NULL)
152 return 0;
153
154 iph2->status = PHASE2ST_GETSPISENT;
155
156 /* don't anything if local test mode. */
157 if (f_local) {
158 error = 0;
159 goto end;
160 }
161
162 /* send getspi message */
163 if (pk_sendgetspi(iph2) < 0)
164 goto end;
165
166 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
167
168 sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
169 quick_timeover_stub);
170
171 error = 0;
172
173 end:
174 return error;
175 }
176
177 /*
178 * send to responder
179 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
180 */
181 int
quick_i1send(iph2,msg)182 quick_i1send(iph2, msg)
183 struct ph2handle *iph2;
184 vchar_t *msg; /* must be null pointer */
185 {
186 vchar_t *body = NULL;
187 vchar_t *hash = NULL;
188 struct isakmp_gen *gen;
189 char *p;
190 int tlen;
191 int error = ISAKMP_INTERNAL_ERROR;
192 int natoa = ISAKMP_NPTYPE_NONE;
193 int pfsgroup, idci, idcr;
194 int np;
195 struct ipsecdoi_id_b *id, *id_p;
196 #ifdef ENABLE_NATT
197 vchar_t *nat_oai = NULL;
198 vchar_t *nat_oar = NULL;
199 #endif
200
201 /* validity check */
202 if (msg != NULL) {
203 plog(LLV_ERROR, LOCATION, NULL,
204 "msg has to be NULL in this function.\n");
205 goto end;
206 }
207 if (iph2->status != PHASE2ST_GETSPIDONE) {
208 plog(LLV_ERROR, LOCATION, NULL,
209 "status mismatched %d.\n", iph2->status);
210 goto end;
211 }
212
213 /* create SA payload for my proposal */
214 if (ipsecdoi_setph2proposal(iph2) < 0)
215 goto end;
216
217 /* generate NONCE value */
218 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
219 if (iph2->nonce == NULL)
220 goto end;
221
222 /*
223 * DH value calculation is kicked out into cfparse.y.
224 * because pfs group can not be negotiated, it's only to be checked
225 * acceptable.
226 */
227 /* generate KE value if need */
228 pfsgroup = iph2->proposal->pfs_group;
229 if (pfsgroup) {
230 /* DH group settting if PFS is required. */
231 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
232 plog(LLV_ERROR, LOCATION, NULL,
233 "failed to set DH value.\n");
234 goto end;
235 }
236 if (oakley_dh_generate(iph2->pfsgrp,
237 &iph2->dhpub, &iph2->dhpriv) < 0) {
238 goto end;
239 }
240 }
241
242 /* generate ID value */
243 if (ipsecdoi_setid2(iph2) < 0) {
244 plog(LLV_ERROR, LOCATION, NULL,
245 "failed to get ID.\n");
246 goto end;
247 }
248 plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n");
249 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
250 plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n");
251 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
252
253 /*
254 * we do not attach IDci nor IDcr, under the following condition:
255 * - all proposals are transport mode
256 * - no MIP6 or proxy
257 * - id payload suggests to encrypt all the traffic (no specific
258 * protocol type)
259 * - SA endpoints and IKE addresses for the nego are the same
260 * (iph2->src/dst)
261 */
262 id = (struct ipsecdoi_id_b *)iph2->id->v;
263 id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
264 if (id->proto_id == 0 &&
265 id_p->proto_id == 0 &&
266 iph2->ph1->rmconf->support_proxy == 0 &&
267 iph2->sa_src == NULL && iph2->sa_dst == NULL &&
268 ipsecdoi_transportmode(iph2->proposal)) {
269 idci = idcr = 0;
270 } else
271 idci = idcr = 1;
272
273 #ifdef ENABLE_NATT
274 /*
275 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport
276 * we should send NAT-OA
277 */
278 if (ipsecdoi_transportmode(iph2->proposal)
279 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
280 natoa = iph2->ph1->natt_options->payload_nat_oa;
281
282 nat_oai = ipsecdoi_sockaddr2id(iph2->src,
283 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
284 nat_oar = ipsecdoi_sockaddr2id(iph2->dst,
285 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
286
287 if (nat_oai == NULL || nat_oar == NULL) {
288 plog(LLV_ERROR, LOCATION, NULL,
289 "failed to generate NAT-OA payload.\n");
290 goto end;
291 }
292
293 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n");
294 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l);
295 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n");
296 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l);
297 } else {
298 natoa = ISAKMP_NPTYPE_NONE;
299 }
300 #endif
301
302 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
303 tlen = + sizeof(*gen) + iph2->sa->l
304 + sizeof(*gen) + iph2->nonce->l;
305 if (pfsgroup)
306 tlen += (sizeof(*gen) + iph2->dhpub->l);
307 if (idci)
308 tlen += sizeof(*gen) + iph2->id->l;
309 if (idcr)
310 tlen += sizeof(*gen) + iph2->id_p->l;
311 #ifdef ENABLE_NATT
312 if (natoa != ISAKMP_NPTYPE_NONE)
313 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l;
314 #endif
315
316 body = vmalloc(tlen);
317 if (body == NULL) {
318 plog(LLV_ERROR, LOCATION, NULL,
319 "failed to get buffer to send.\n");
320 goto end;
321 }
322
323 p = body->v;
324
325 /* add SA payload */
326 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);
327
328 /* add NONCE payload */
329 if (pfsgroup)
330 np = ISAKMP_NPTYPE_KE;
331 else if (idci || idcr)
332 np = ISAKMP_NPTYPE_ID;
333 else
334 np = natoa;
335 p = set_isakmp_payload(p, iph2->nonce, np);
336
337 /* add KE payload if need. */
338 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : natoa;
339 if (pfsgroup)
340 p = set_isakmp_payload(p, iph2->dhpub, np);
341
342 /* IDci */
343 np = (idcr) ? ISAKMP_NPTYPE_ID : natoa;
344 if (idci)
345 p = set_isakmp_payload(p, iph2->id, np);
346
347 /* IDcr */
348 if (idcr)
349 p = set_isakmp_payload(p, iph2->id_p, natoa);
350
351 #ifdef ENABLE_NATT
352 /* NAT-OA */
353 if (natoa != ISAKMP_NPTYPE_NONE) {
354 p = set_isakmp_payload(p, nat_oai, natoa);
355 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE);
356 }
357 #endif
358
359 /* generate HASH(1) */
360 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
361 if (hash == NULL)
362 goto end;
363
364 /* send isakmp payload */
365 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
366 if (iph2->sendbuf == NULL)
367 goto end;
368
369 /* send the packet, add to the schedule to resend */
370 if (isakmp_ph2send(iph2) == -1)
371 goto end;
372
373 /* change status of isakmp status entry */
374 iph2->status = PHASE2ST_MSG1SENT;
375
376 error = 0;
377
378 end:
379 if (body != NULL)
380 vfree(body);
381 if (hash != NULL)
382 vfree(hash);
383 #ifdef ENABLE_NATT
384 if (nat_oai != NULL)
385 vfree(nat_oai);
386 if (nat_oar != NULL)
387 vfree(nat_oar);
388 #endif
389
390 return error;
391 }
392
393 /*
394 * receive from responder
395 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
396 */
397 int
quick_i2recv(iph2,msg0)398 quick_i2recv(iph2, msg0)
399 struct ph2handle *iph2;
400 vchar_t *msg0;
401 {
402 vchar_t *msg = NULL;
403 vchar_t *hbuf = NULL; /* for hash computing. */
404 vchar_t *pbuf = NULL; /* for payload parsing */
405 vchar_t *idci = NULL;
406 vchar_t *idcr = NULL;
407 struct isakmp_parse_t *pa;
408 struct isakmp *isakmp = (struct isakmp *)msg0->v;
409 struct isakmp_pl_hash *hash = NULL;
410 char *p;
411 int tlen;
412 int error = ISAKMP_INTERNAL_ERROR;
413
414 /* validity check */
415 if (iph2->status != PHASE2ST_MSG1SENT) {
416 plog(LLV_ERROR, LOCATION, NULL,
417 "status mismatched %d.\n", iph2->status);
418 goto end;
419 }
420
421 /* decrypt packet */
422 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
423 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
424 "Packet wasn't encrypted.\n");
425 goto end;
426 }
427 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
428 if (msg == NULL)
429 goto end;
430
431 /* create buffer for validating HASH(2) */
432 /*
433 * ordering rule:
434 * 1. the first one must be HASH
435 * 2. the second one must be SA (added in isakmp-oakley-05!)
436 * 3. two IDs must be considered as IDci, then IDcr
437 */
438 pbuf = isakmp_parse(msg);
439 if (pbuf == NULL)
440 goto end;
441 pa = (struct isakmp_parse_t *)pbuf->v;
442
443 /* HASH payload is fixed postion */
444 if (pa->type != ISAKMP_NPTYPE_HASH) {
445 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
446 "received invalid next payload type %d, "
447 "expecting %d.\n",
448 pa->type, ISAKMP_NPTYPE_HASH);
449 goto end;
450 }
451 hash = (struct isakmp_pl_hash *)pa->ptr;
452 pa++;
453
454 /*
455 * this restriction was introduced in isakmp-oakley-05.
456 * we do not check this for backward compatibility.
457 * TODO: command line/config file option to enable/disable this code
458 */
459 /* HASH payload is fixed postion */
460 if (pa->type != ISAKMP_NPTYPE_SA) {
461 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
462 "received invalid next payload type %d, "
463 "expecting %d.\n",
464 pa->type, ISAKMP_NPTYPE_HASH);
465 }
466
467 /* allocate buffer for computing HASH(2) */
468 tlen = iph2->nonce->l
469 + ntohl(isakmp->len) - sizeof(*isakmp);
470 hbuf = vmalloc(tlen);
471 if (hbuf == NULL) {
472 plog(LLV_ERROR, LOCATION, NULL,
473 "failed to get hash buffer.\n");
474 goto end;
475 }
476 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */
477
478 /*
479 * parse the payloads.
480 * copy non-HASH payloads into hbuf, so that we can validate HASH.
481 */
482 iph2->sa_ret = NULL;
483 tlen = 0; /* count payload length except of HASH payload. */
484 for (; pa->type; pa++) {
485
486 /* copy to buffer for HASH */
487 /* Don't modify the payload */
488 memcpy(p, pa->ptr, pa->len);
489
490 switch (pa->type) {
491 case ISAKMP_NPTYPE_SA:
492 if (iph2->sa_ret != NULL) {
493 plog(LLV_ERROR, LOCATION, NULL,
494 "Ignored, multiple SA "
495 "isn't supported.\n");
496 break;
497 }
498 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
499 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
500 "duplicate ISAKMP_NPTYPE_SA.\n");
501 goto end;
502 }
503 break;
504
505 case ISAKMP_NPTYPE_NONCE:
506 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
507 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
508 "duplicate ISAKMP_NPTYPE_NONCE.\n");
509 goto end;
510 }
511 break;
512
513 case ISAKMP_NPTYPE_KE:
514 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
515 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
516 "duplicate ISAKMP_NPTYPE_KE.\n");
517 goto end;
518 }
519 break;
520
521 case ISAKMP_NPTYPE_ID:
522 if (idci == NULL) {
523 if (isakmp_p2ph(&idci, pa->ptr) < 0)
524 goto end;
525 } else if (idcr == NULL) {
526 if (isakmp_p2ph(&idcr, pa->ptr) < 0)
527 goto end;
528 } else {
529 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
530 "too many ISAKMP_NPTYPE_ID payloads.\n");
531 goto end;
532 }
533 break;
534
535 case ISAKMP_NPTYPE_N:
536 ph2_recv_n(iph2, pa->ptr);
537 break;
538
539 #ifdef ENABLE_NATT
540 case ISAKMP_NPTYPE_NATOA_DRAFT:
541 case ISAKMP_NPTYPE_NATOA_RFC:
542 {
543 struct sockaddr_storage addr;
544 struct sockaddr *daddr;
545 u_int8_t prefix;
546 u_int16_t ul_proto;
547 vchar_t *vp = NULL;
548
549 if (isakmp_p2ph(&vp, pa->ptr) < 0)
550 goto end;
551
552 error = ipsecdoi_id2sockaddr(vp,
553 (struct sockaddr *) &addr,
554 &prefix, &ul_proto);
555
556 vfree(vp);
557
558 if (error)
559 goto end;
560
561 daddr = dupsaddr((struct sockaddr *) &addr);
562 if (daddr == NULL)
563 goto end;
564
565 if (iph2->natoa_src == NULL)
566 iph2->natoa_src = daddr;
567 else if (iph2->natoa_dst == NULL)
568 iph2->natoa_dst = daddr;
569 else {
570 racoon_free(daddr);
571 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
572 "too many ISAKMP_NPTYPE_NATOA payloads.\n");
573 goto end;
574 }
575 }
576 break;
577 #endif
578
579 default:
580 /* don't send information, see ident_r1recv() */
581 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
582 "ignore the packet, "
583 "received unexpecting payload type %d.\n",
584 pa->type);
585 goto end;
586 }
587
588 p += pa->len;
589
590 /* compute true length of payload. */
591 tlen += pa->len;
592 }
593
594 /* payload existency check */
595 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
596 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
597 "few isakmp message received.\n");
598 goto end;
599 }
600
601 #ifndef ANDROID_PATCHED
602 /* identity check */
603 if (idci != NULL) {
604 struct sockaddr_storage proposed_addr, got_addr;
605 u_int8_t proposed_prefix, got_prefix;
606 u_int16_t proposed_ulproto, got_ulproto;
607
608 error = ipsecdoi_id2sockaddr(iph2->id,
609 (struct sockaddr *) &proposed_addr,
610 &proposed_prefix, &proposed_ulproto);
611 if (error)
612 goto end;
613
614 error = ipsecdoi_id2sockaddr(idci,
615 (struct sockaddr *) &got_addr,
616 &got_prefix, &got_ulproto);
617 if (error)
618 goto end;
619
620 if (proposed_prefix != got_prefix
621 || proposed_ulproto != got_ulproto) {
622 plog(LLV_DEBUG, LOCATION, NULL,
623 "IDci prefix/ulproto does not match proposal.\n");
624 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
625 goto end;
626 }
627 #ifdef ENABLE_NATT
628 set_port(iph2->natoa_src,
629 extract_port((struct sockaddr *) &proposed_addr));
630 #endif
631
632 if (cmpsaddr((struct sockaddr *) &proposed_addr,
633 (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
634 plog(LLV_DEBUG, LOCATION, NULL,
635 "IDci matches proposal.\n");
636 #ifdef ENABLE_NATT
637 } else if (iph2->natoa_src != NULL
638 && cmpsaddr(iph2->natoa_src,
639 (struct sockaddr *) &got_addr) == 0) {
640 plog(LLV_DEBUG, LOCATION, NULL,
641 "IDci matches NAT-OAi.\n");
642 #endif
643 } else {
644 plog(LLV_ERROR, LOCATION, NULL,
645 "mismatched IDci was returned.\n");
646 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
647 goto end;
648 }
649 }
650 if (idcr != NULL) {
651 struct sockaddr_storage proposed_addr, got_addr;
652 u_int8_t proposed_prefix, got_prefix;
653 u_int16_t proposed_ulproto, got_ulproto;
654
655 error = ipsecdoi_id2sockaddr(iph2->id_p,
656 (struct sockaddr *) &proposed_addr,
657 &proposed_prefix, &proposed_ulproto);
658 if (error)
659 goto end;
660
661 error = ipsecdoi_id2sockaddr(idcr,
662 (struct sockaddr *) &got_addr,
663 &got_prefix, &got_ulproto);
664 if (error)
665 goto end;
666
667 if (proposed_prefix != got_prefix
668 || proposed_ulproto != got_ulproto) {
669 plog(LLV_DEBUG, LOCATION, NULL,
670 "IDcr prefix/ulproto does not match proposal.\n");
671 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
672 goto end;
673 }
674
675 #ifdef ENABLE_NATT
676 set_port(iph2->natoa_dst,
677 extract_port((struct sockaddr *) &proposed_addr));
678 #endif
679
680 if (cmpsaddr((struct sockaddr *) &proposed_addr,
681 (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
682 plog(LLV_DEBUG, LOCATION, NULL,
683 "IDcr matches proposal.\n");
684 #ifdef ENABLE_NATT
685 } else if (iph2->natoa_dst != NULL
686 && cmpsaddr(iph2->natoa_dst,
687 (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
688 plog(LLV_DEBUG, LOCATION, NULL,
689 "IDcr matches NAT-OAr.\n");
690 #endif
691 } else {
692 plog(LLV_ERROR, LOCATION, NULL,
693 "mismatched IDcr was returned.\n");
694 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
695 goto end;
696 }
697 }
698 #endif
699
700 /* Fixed buffer for calculating HASH */
701 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
702 plog(LLV_DEBUG, LOCATION, NULL,
703 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
704 hbuf->l, tlen + iph2->nonce->l);
705 /* adjust buffer length for HASH */
706 hbuf->l = iph2->nonce->l + tlen;
707
708 /* validate HASH(2) */
709 {
710 char *r_hash;
711 vchar_t *my_hash = NULL;
712 int result;
713
714 r_hash = (char *)hash + sizeof(*hash);
715
716 plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:");
717 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
718
719 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
720 if (my_hash == NULL)
721 goto end;
722
723 result = memcmp(my_hash->v, r_hash, my_hash->l);
724 vfree(my_hash);
725
726 if (result) {
727 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
728 "HASH(2) mismatch.\n");
729 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
730 goto end;
731 }
732 }
733
734 /* validity check SA payload sent from responder */
735 if (ipsecdoi_checkph2proposal(iph2) < 0) {
736 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
737 "proposal check failed.\n");
738 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
739 goto end;
740 }
741
742 /* change status of isakmp status entry */
743 iph2->status = PHASE2ST_STATUS6;
744
745 error = 0;
746
747 end:
748 if (hbuf)
749 vfree(hbuf);
750 if (pbuf)
751 vfree(pbuf);
752 if (msg)
753 vfree(msg);
754 if (idci)
755 vfree(idci);
756 if (idcr)
757 vfree(idcr);
758
759 if (error) {
760 VPTRINIT(iph2->sa_ret);
761 VPTRINIT(iph2->nonce_p);
762 VPTRINIT(iph2->dhpub_p);
763 VPTRINIT(iph2->id);
764 VPTRINIT(iph2->id_p);
765 #ifdef ENABLE_NATT
766 if (iph2->natoa_src) {
767 racoon_free(iph2->natoa_src);
768 iph2->natoa_src = NULL;
769 }
770 if (iph2->natoa_dst) {
771 racoon_free(iph2->natoa_dst);
772 iph2->natoa_dst = NULL;
773 }
774 #endif
775 }
776
777 return error;
778 }
779
780 /*
781 * send to responder
782 * HDR*, HASH(3)
783 */
784 int
quick_i2send(iph2,msg0)785 quick_i2send(iph2, msg0)
786 struct ph2handle *iph2;
787 vchar_t *msg0;
788 {
789 vchar_t *msg = NULL;
790 vchar_t *buf = NULL;
791 vchar_t *hash = NULL;
792 char *p = NULL;
793 int tlen;
794 int error = ISAKMP_INTERNAL_ERROR;
795
796 /* validity check */
797 if (iph2->status != PHASE2ST_STATUS6) {
798 plog(LLV_ERROR, LOCATION, NULL,
799 "status mismatched %d.\n", iph2->status);
800 goto end;
801 }
802
803 /* generate HASH(3) */
804 {
805 vchar_t *tmp = NULL;
806
807 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n");
808
809 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
810 if (tmp == NULL) {
811 plog(LLV_ERROR, LOCATION, NULL,
812 "failed to get hash buffer.\n");
813 goto end;
814 }
815 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
816 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);
817
818 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
819 vfree(tmp);
820
821 if (hash == NULL)
822 goto end;
823 }
824
825 /* create buffer for isakmp payload */
826 tlen = sizeof(struct isakmp)
827 + sizeof(struct isakmp_gen) + hash->l;
828 buf = vmalloc(tlen);
829 if (buf == NULL) {
830 plog(LLV_ERROR, LOCATION, NULL,
831 "failed to get buffer to send.\n");
832 goto end;
833 }
834
835 /* create isakmp header */
836 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
837 if (p == NULL)
838 goto end;
839
840 /* add HASH(3) payload */
841 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);
842
843 #ifdef HAVE_PRINT_ISAKMP_C
844 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
845 #endif
846
847 /* encoding */
848 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
849 if (iph2->sendbuf == NULL)
850 goto end;
851
852 /* if there is commit bit, need resending */
853 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
854 /* send the packet, add to the schedule to resend */
855 if (isakmp_ph2send(iph2) == -1)
856 goto end;
857 } else {
858 /* send the packet */
859 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
860 goto end;
861 }
862
863 /* the sending message is added to the received-list. */
864 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
865 iph2->sendbuf, msg0) == -1) {
866 plog(LLV_ERROR , LOCATION, NULL,
867 "failed to add a response packet to the tree.\n");
868 goto end;
869 }
870
871 /* compute both of KEYMATs */
872 if (oakley_compute_keymat(iph2, INITIATOR) < 0)
873 goto end;
874
875 iph2->status = PHASE2ST_ADDSA;
876
877 /* don't anything if local test mode. */
878 if (f_local) {
879 error = 0;
880 goto end;
881 }
882
883 /* if there is commit bit don't set up SA now. */
884 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
885 iph2->status = PHASE2ST_COMMIT;
886 error = 0;
887 goto end;
888 }
889
890 /* Do UPDATE for initiator */
891 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
892 if (pk_sendupdate(iph2) < 0) {
893 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
894 goto end;
895 }
896 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
897
898 /* Do ADD for responder */
899 if (pk_sendadd(iph2) < 0) {
900 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
901 goto end;
902 }
903 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
904
905 error = 0;
906
907 end:
908 if (buf != NULL)
909 vfree(buf);
910 if (msg != NULL)
911 vfree(msg);
912 if (hash != NULL)
913 vfree(hash);
914
915 return error;
916 }
917
918 /*
919 * receive from responder
920 * HDR#*, HASH(4), notify
921 */
922 int
quick_i3recv(iph2,msg0)923 quick_i3recv(iph2, msg0)
924 struct ph2handle *iph2;
925 vchar_t *msg0;
926 {
927 vchar_t *msg = NULL;
928 vchar_t *pbuf = NULL; /* for payload parsing */
929 struct isakmp_parse_t *pa;
930 struct isakmp_pl_hash *hash = NULL;
931 vchar_t *notify = NULL;
932 int error = ISAKMP_INTERNAL_ERROR;
933
934 /* validity check */
935 if (iph2->status != PHASE2ST_COMMIT) {
936 plog(LLV_ERROR, LOCATION, NULL,
937 "status mismatched %d.\n", iph2->status);
938 goto end;
939 }
940
941 /* decrypt packet */
942 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
943 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
944 "Packet wasn't encrypted.\n");
945 goto end;
946 }
947 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
948 if (msg == NULL)
949 goto end;
950
951 /* validate the type of next payload */
952 pbuf = isakmp_parse(msg);
953 if (pbuf == NULL)
954 goto end;
955
956 for (pa = (struct isakmp_parse_t *)pbuf->v;
957 pa->type != ISAKMP_NPTYPE_NONE;
958 pa++) {
959
960 switch (pa->type) {
961 case ISAKMP_NPTYPE_HASH:
962 hash = (struct isakmp_pl_hash *)pa->ptr;
963 break;
964 case ISAKMP_NPTYPE_N:
965 if (notify != NULL) {
966 plog(LLV_WARNING, LOCATION, NULL,
967 "Ignoring multiples notifications\n");
968 break;
969 }
970 ph2_recv_n(iph2, pa->ptr);
971 notify = vmalloc(pa->len);
972 if (notify == NULL) {
973 plog(LLV_ERROR, LOCATION, NULL,
974 "failed to get notify buffer.\n");
975 goto end;
976 }
977 memcpy(notify->v, pa->ptr, notify->l);
978 break;
979 default:
980 /* don't send information, see ident_r1recv() */
981 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
982 "ignore the packet, "
983 "received unexpecting payload type %d.\n",
984 pa->type);
985 goto end;
986 }
987 }
988
989 /* payload existency check */
990 if (hash == NULL) {
991 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
992 "few isakmp message received.\n");
993 goto end;
994 }
995
996 /* validate HASH(4) */
997 {
998 char *r_hash;
999 vchar_t *my_hash = NULL;
1000 vchar_t *tmp = NULL;
1001 int result;
1002
1003 r_hash = (char *)hash + sizeof(*hash);
1004
1005 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:");
1006 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1007
1008 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1009 vfree(tmp);
1010 if (my_hash == NULL)
1011 goto end;
1012
1013 result = memcmp(my_hash->v, r_hash, my_hash->l);
1014 vfree(my_hash);
1015
1016 if (result) {
1017 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1018 "HASH(4) mismatch.\n");
1019 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1020 goto end;
1021 }
1022 }
1023
1024 iph2->status = PHASE2ST_ADDSA;
1025 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1026
1027 /* don't anything if local test mode. */
1028 if (f_local) {
1029 error = 0;
1030 goto end;
1031 }
1032
1033 /* Do UPDATE for initiator */
1034 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
1035 if (pk_sendupdate(iph2) < 0) {
1036 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
1037 goto end;
1038 }
1039 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
1040
1041 /* Do ADD for responder */
1042 if (pk_sendadd(iph2) < 0) {
1043 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
1044 goto end;
1045 }
1046 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
1047
1048 error = 0;
1049
1050 end:
1051 if (msg != NULL)
1052 vfree(msg);
1053 if (pbuf != NULL)
1054 vfree(pbuf);
1055 if (notify != NULL)
1056 vfree(notify);
1057
1058 return error;
1059 }
1060
1061 /*
1062 * receive from initiator
1063 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1064 */
1065 int
quick_r1recv(iph2,msg0)1066 quick_r1recv(iph2, msg0)
1067 struct ph2handle *iph2;
1068 vchar_t *msg0;
1069 {
1070 vchar_t *msg = NULL;
1071 vchar_t *hbuf = NULL; /* for hash computing. */
1072 vchar_t *pbuf = NULL; /* for payload parsing */
1073 struct isakmp_parse_t *pa;
1074 struct isakmp *isakmp = (struct isakmp *)msg0->v;
1075 struct isakmp_pl_hash *hash = NULL;
1076 char *p;
1077 int tlen;
1078 int f_id_order; /* for ID payload detection */
1079 int error = ISAKMP_INTERNAL_ERROR;
1080
1081 /* validity check */
1082 if (iph2->status != PHASE2ST_START) {
1083 plog(LLV_ERROR, LOCATION, NULL,
1084 "status mismatched %d.\n", iph2->status);
1085 goto end;
1086 }
1087
1088 /* decrypting */
1089 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1090 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1091 "Packet wasn't encrypted.\n");
1092 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1093 goto end;
1094 }
1095 /* decrypt packet */
1096 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1097 if (msg == NULL) {
1098 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1099 "Packet decryption failed.\n");
1100 goto end;
1101 }
1102
1103 /* create buffer for using to validate HASH(1) */
1104 /*
1105 * ordering rule:
1106 * 1. the first one must be HASH
1107 * 2. the second one must be SA (added in isakmp-oakley-05!)
1108 * 3. two IDs must be considered as IDci, then IDcr
1109 */
1110 pbuf = isakmp_parse(msg);
1111 if (pbuf == NULL)
1112 goto end;
1113 pa = (struct isakmp_parse_t *)pbuf->v;
1114
1115 /* HASH payload is fixed postion */
1116 if (pa->type != ISAKMP_NPTYPE_HASH) {
1117 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1118 "received invalid next payload type %d, "
1119 "expecting %d.\n",
1120 pa->type, ISAKMP_NPTYPE_HASH);
1121 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1122 goto end;
1123 }
1124 hash = (struct isakmp_pl_hash *)pa->ptr;
1125 pa++;
1126
1127 /*
1128 * this restriction was introduced in isakmp-oakley-05.
1129 * we do not check this for backward compatibility.
1130 * TODO: command line/config file option to enable/disable this code
1131 */
1132 /* HASH payload is fixed postion */
1133 if (pa->type != ISAKMP_NPTYPE_SA) {
1134 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
1135 "received invalid next payload type %d, "
1136 "expecting %d.\n",
1137 pa->type, ISAKMP_NPTYPE_SA);
1138 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1139 }
1140
1141 /* allocate buffer for computing HASH(1) */
1142 tlen = ntohl(isakmp->len) - sizeof(*isakmp);
1143 hbuf = vmalloc(tlen);
1144 if (hbuf == NULL) {
1145 plog(LLV_ERROR, LOCATION, NULL,
1146 "failed to get hash buffer.\n");
1147 goto end;
1148 }
1149 p = hbuf->v;
1150
1151 /*
1152 * parse the payloads.
1153 * copy non-HASH payloads into hbuf, so that we can validate HASH.
1154 */
1155 iph2->sa = NULL; /* we don't support multi SAs. */
1156 iph2->nonce_p = NULL;
1157 iph2->dhpub_p = NULL;
1158 iph2->id_p = NULL;
1159 iph2->id = NULL;
1160 tlen = 0; /* count payload length except of HASH payload. */
1161
1162 /*
1163 * IDi2 MUST be immediatelly followed by IDr2. We allowed the
1164 * illegal case, but logged. First ID payload is to be IDi2.
1165 * And next ID payload is to be IDr2.
1166 */
1167 f_id_order = 0;
1168
1169 for (; pa->type; pa++) {
1170
1171 /* copy to buffer for HASH */
1172 /* Don't modify the payload */
1173 memcpy(p, pa->ptr, pa->len);
1174
1175 if (pa->type != ISAKMP_NPTYPE_ID)
1176 f_id_order = 0;
1177
1178 switch (pa->type) {
1179 case ISAKMP_NPTYPE_SA:
1180 if (iph2->sa != NULL) {
1181 plog(LLV_ERROR, LOCATION, NULL,
1182 "Multi SAs isn't supported.\n");
1183 goto end;
1184 }
1185 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
1186 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1187 "duplicate ISAKMP_NPTYPE_SA.\n");
1188 goto end;
1189 }
1190 break;
1191
1192 case ISAKMP_NPTYPE_NONCE:
1193 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
1194 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1195 "duplicate ISAKMP_NPTYPE_NONCE.\n");
1196 goto end;
1197 }
1198 break;
1199
1200 case ISAKMP_NPTYPE_KE:
1201 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
1202 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1203 "duplicate ISAKMP_NPTYPE_KE.\n");
1204 goto end;
1205 }
1206 break;
1207
1208 case ISAKMP_NPTYPE_ID:
1209 if (iph2->id_p == NULL) {
1210 /* for IDci */
1211 f_id_order++;
1212
1213 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0)
1214 goto end;
1215
1216 } else if (iph2->id == NULL) {
1217 /* for IDcr */
1218 if (f_id_order == 0) {
1219 plog(LLV_ERROR, LOCATION, NULL,
1220 "IDr2 payload is not "
1221 "immediatelly followed "
1222 "by IDi2. We allowed.\n");
1223 /* XXX we allowed in this case. */
1224 }
1225
1226 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0)
1227 goto end;
1228 } else {
1229 plog(LLV_ERROR, LOCATION, NULL,
1230 "received too many ID payloads.\n");
1231 plogdump(LLV_ERROR, iph2->id->v, iph2->id->l);
1232 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1233 goto end;
1234 }
1235 break;
1236
1237 case ISAKMP_NPTYPE_N:
1238 ph2_recv_n(iph2, pa->ptr);
1239 break;
1240
1241 #ifdef ENABLE_NATT
1242 case ISAKMP_NPTYPE_NATOA_DRAFT:
1243 case ISAKMP_NPTYPE_NATOA_RFC:
1244 {
1245 struct sockaddr_storage addr;
1246 struct sockaddr *daddr;
1247 u_int8_t prefix;
1248 u_int16_t ul_proto;
1249 vchar_t *vp = NULL;
1250
1251 if (isakmp_p2ph(&vp, pa->ptr) < 0)
1252 goto end;
1253
1254 error = ipsecdoi_id2sockaddr(vp,
1255 (struct sockaddr *) &addr,
1256 &prefix, &ul_proto);
1257
1258 vfree(vp);
1259
1260 if (error)
1261 goto end;
1262
1263 daddr = dupsaddr((struct sockaddr *) &addr);
1264 if (daddr == NULL)
1265 goto end;
1266
1267 if (iph2->natoa_dst == NULL)
1268 iph2->natoa_dst = daddr;
1269 else if (iph2->natoa_src == NULL)
1270 iph2->natoa_src = daddr;
1271 else {
1272 racoon_free(daddr);
1273 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1274 "received too many NAT-OA payloads.\n");
1275 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1276 goto end;
1277 }
1278 }
1279 break;
1280 #endif
1281
1282 default:
1283 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1284 "ignore the packet, "
1285 "received unexpecting payload type %d.\n",
1286 pa->type);
1287 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1288 goto end;
1289 }
1290
1291 p += pa->len;
1292
1293 /* compute true length of payload. */
1294 tlen += pa->len;
1295 }
1296
1297 /* payload existency check */
1298 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
1299 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1300 "few isakmp message received.\n");
1301 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1302 goto end;
1303 }
1304
1305 if (iph2->id_p) {
1306 plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
1307 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
1308 }
1309 if (iph2->id) {
1310 plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
1311 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
1312 }
1313
1314 /* adjust buffer length for HASH */
1315 hbuf->l = tlen;
1316
1317 /* validate HASH(1) */
1318 {
1319 char *r_hash;
1320 vchar_t *my_hash = NULL;
1321 int result;
1322
1323 r_hash = (caddr_t)hash + sizeof(*hash);
1324
1325 plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:");
1326 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1327
1328 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
1329 if (my_hash == NULL)
1330 goto end;
1331
1332 result = memcmp(my_hash->v, r_hash, my_hash->l);
1333 vfree(my_hash);
1334
1335 if (result) {
1336 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1337 "HASH(1) mismatch.\n");
1338 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1339 goto end;
1340 }
1341 }
1342
1343 /* get sainfo */
1344 error = get_sainfo_r(iph2);
1345 if (error) {
1346 plog(LLV_ERROR, LOCATION, NULL,
1347 "failed to get sainfo.\n");
1348 goto end;
1349 }
1350
1351
1352 /* check the existence of ID payload and create responder's proposal */
1353 error = get_proposal_r(iph2);
1354 switch (error) {
1355 case -2:
1356 /* generate a policy template from peer's proposal */
1357 if (set_proposal_from_proposal(iph2)) {
1358 plog(LLV_ERROR, LOCATION, NULL,
1359 "failed to generate a proposal template "
1360 "from client's proposal.\n");
1361 error = ISAKMP_INTERNAL_ERROR;
1362 goto end;
1363 }
1364 /*FALLTHROUGH*/
1365 case 0:
1366 /* select single proposal or reject it. */
1367 if (ipsecdoi_selectph2proposal(iph2) < 0) {
1368 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1369 "no proposal chosen.\n");
1370 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1371 goto end;
1372 }
1373 break;
1374 default:
1375 plog(LLV_ERROR, LOCATION, NULL,
1376 "failed to get proposal for responder.\n");
1377 goto end;
1378 }
1379
1380 /* check KE and attribute of PFS */
1381 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
1382 plog(LLV_ERROR, LOCATION, NULL,
1383 "no PFS is specified, but peer sends KE.\n");
1384 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1385 goto end;
1386 }
1387 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
1388 plog(LLV_ERROR, LOCATION, NULL,
1389 "PFS is specified, but peer doesn't sends KE.\n");
1390 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1391 goto end;
1392 }
1393
1394 /*
1395 * save the packet from the initiator in order to resend the
1396 * responder's first packet against this packet.
1397 */
1398 iph2->msg1 = vdup(msg0);
1399
1400 /* change status of isakmp status entry */
1401 iph2->status = PHASE2ST_STATUS2;
1402
1403 error = 0;
1404
1405 end:
1406 if (hbuf)
1407 vfree(hbuf);
1408 if (msg)
1409 vfree(msg);
1410 if (pbuf)
1411 vfree(pbuf);
1412
1413 if (error) {
1414 VPTRINIT(iph2->sa);
1415 VPTRINIT(iph2->nonce_p);
1416 VPTRINIT(iph2->dhpub_p);
1417 VPTRINIT(iph2->id);
1418 VPTRINIT(iph2->id_p);
1419 #ifdef ENABLE_NATT
1420 if (iph2->natoa_src) {
1421 racoon_free(iph2->natoa_src);
1422 iph2->natoa_src = NULL;
1423 }
1424 if (iph2->natoa_dst) {
1425 racoon_free(iph2->natoa_dst);
1426 iph2->natoa_dst = NULL;
1427 }
1428 #endif
1429 }
1430
1431 return error;
1432 }
1433
1434 /*
1435 * call pfkey_getspi.
1436 */
1437 int
quick_r1prep(iph2,msg)1438 quick_r1prep(iph2, msg)
1439 struct ph2handle *iph2;
1440 vchar_t *msg;
1441 {
1442 int error = ISAKMP_INTERNAL_ERROR;
1443
1444 /* validity check */
1445 if (iph2->status != PHASE2ST_STATUS2) {
1446 plog(LLV_ERROR, LOCATION, NULL,
1447 "status mismatched %d.\n", iph2->status);
1448 goto end;
1449 }
1450
1451 iph2->status = PHASE2ST_GETSPISENT;
1452
1453 /* send getspi message */
1454 if (pk_sendgetspi(iph2) < 0)
1455 goto end;
1456
1457 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
1458
1459 sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
1460 quick_timeover_stub);
1461
1462 error = 0;
1463
1464 end:
1465 return error;
1466 }
1467
1468 /*
1469 * send to initiator
1470 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1471 */
1472 int
quick_r2send(iph2,msg)1473 quick_r2send(iph2, msg)
1474 struct ph2handle *iph2;
1475 vchar_t *msg;
1476 {
1477 vchar_t *body = NULL;
1478 vchar_t *hash = NULL;
1479 struct isakmp_gen *gen;
1480 char *p;
1481 int tlen;
1482 int error = ISAKMP_INTERNAL_ERROR;
1483 int natoa = ISAKMP_NPTYPE_NONE;
1484 int pfsgroup;
1485 u_int8_t *np_p = NULL;
1486 #ifdef ENABLE_NATT
1487 vchar_t *nat_oai = NULL;
1488 vchar_t *nat_oar = NULL;
1489 #endif
1490
1491 /* validity check */
1492 if (msg != NULL) {
1493 plog(LLV_ERROR, LOCATION, NULL,
1494 "msg has to be NULL in this function.\n");
1495 goto end;
1496 }
1497 if (iph2->status != PHASE2ST_GETSPIDONE) {
1498 plog(LLV_ERROR, LOCATION, NULL,
1499 "status mismatched %d.\n", iph2->status);
1500 goto end;
1501 }
1502
1503 /* update responders SPI */
1504 if (ipsecdoi_updatespi(iph2) < 0) {
1505 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n");
1506 goto end;
1507 }
1508
1509 /* generate NONCE value */
1510 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
1511 if (iph2->nonce == NULL)
1512 goto end;
1513
1514 /* generate KE value if need */
1515 pfsgroup = iph2->approval->pfs_group;
1516 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1517 /* DH group settting if PFS is required. */
1518 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
1519 plog(LLV_ERROR, LOCATION, NULL,
1520 "failed to set DH value.\n");
1521 goto end;
1522 }
1523 /* generate DH public value */
1524 if (oakley_dh_generate(iph2->pfsgrp,
1525 &iph2->dhpub, &iph2->dhpriv) < 0) {
1526 goto end;
1527 }
1528 }
1529
1530 #ifdef ENABLE_NATT
1531 /*
1532 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport
1533 * we should send NAT-OA
1534 */
1535 if (ipsecdoi_transportmode(iph2->proposal)
1536 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
1537 natoa = iph2->ph1->natt_options->payload_nat_oa;
1538
1539 nat_oai = ipsecdoi_sockaddr2id(iph2->dst,
1540 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
1541 nat_oar = ipsecdoi_sockaddr2id(iph2->src,
1542 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
1543
1544 if (nat_oai == NULL || nat_oar == NULL) {
1545 plog(LLV_ERROR, LOCATION, NULL,
1546 "failed to generate NAT-OA payload.\n");
1547 goto end;
1548 }
1549
1550 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n");
1551 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l);
1552 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n");
1553 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l);
1554 }
1555 #endif
1556
1557 /* create SA;NONCE payload, and KE and ID if need */
1558 tlen = sizeof(*gen) + iph2->sa_ret->l
1559 + sizeof(*gen) + iph2->nonce->l;
1560 if (iph2->dhpub_p != NULL && pfsgroup != 0)
1561 tlen += (sizeof(*gen) + iph2->dhpub->l);
1562 if (iph2->id_p != NULL)
1563 tlen += (sizeof(*gen) + iph2->id_p->l
1564 + sizeof(*gen) + iph2->id->l);
1565 #ifdef ENABLE_NATT
1566 if (natoa != ISAKMP_NPTYPE_NONE)
1567 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l;
1568 #endif
1569
1570 body = vmalloc(tlen);
1571 if (body == NULL) {
1572 plog(LLV_ERROR, LOCATION, NULL,
1573 "failed to get buffer to send.\n");
1574 goto end;
1575 }
1576 p = body->v;
1577
1578 /* make SA payload */
1579 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
1580
1581 /* add NONCE payload */
1582 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1583 p = set_isakmp_payload(p, iph2->nonce,
1584 (iph2->dhpub_p != NULL && pfsgroup != 0)
1585 ? ISAKMP_NPTYPE_KE
1586 : (iph2->id_p != NULL
1587 ? ISAKMP_NPTYPE_ID
1588 : natoa));
1589
1590 /* add KE payload if need. */
1591 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1592 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1593 p = set_isakmp_payload(p, iph2->dhpub,
1594 (iph2->id_p == NULL)
1595 ? natoa
1596 : ISAKMP_NPTYPE_ID);
1597 }
1598
1599 /* add ID payloads received. */
1600 if (iph2->id_p != NULL) {
1601 /* IDci */
1602 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
1603 /* IDcr */
1604 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1605 p = set_isakmp_payload(p, iph2->id, natoa);
1606 }
1607
1608 #ifdef ENABLE_NATT
1609 /* NAT-OA */
1610 if (natoa != ISAKMP_NPTYPE_NONE) {
1611 p = set_isakmp_payload(p, nat_oai, natoa);
1612 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE);
1613 }
1614 #endif
1615
1616 /* add a RESPONDER-LIFETIME notify payload if needed */
1617 {
1618 vchar_t *data = NULL;
1619 struct saprop *pp = iph2->approval;
1620 struct saproto *pr;
1621
1622 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
1623 u_int32_t v = htonl((u_int32_t)pp->lifetime);
1624 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1625 IPSECDOI_ATTR_SA_LD_TYPE_SEC);
1626 if (!data)
1627 goto end;
1628 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1629 (caddr_t)&v, sizeof(v));
1630 if (!data)
1631 goto end;
1632 }
1633 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
1634 u_int32_t v = htonl((u_int32_t)pp->lifebyte);
1635 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1636 IPSECDOI_ATTR_SA_LD_TYPE_KB);
1637 if (!data)
1638 goto end;
1639 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1640 (caddr_t)&v, sizeof(v));
1641 if (!data)
1642 goto end;
1643 }
1644
1645 /*
1646 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1647 * in the case of SA bundle ?
1648 */
1649 if (data) {
1650 for (pr = pp->head; pr; pr = pr->next) {
1651 body = isakmp_add_pl_n(body, &np_p,
1652 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
1653 if (!body) {
1654 vfree(data);
1655 return error; /* XXX */
1656 }
1657 }
1658 vfree(data);
1659 }
1660 }
1661
1662 /* generate HASH(2) */
1663 {
1664 vchar_t *tmp;
1665
1666 tmp = vmalloc(iph2->nonce_p->l + body->l);
1667 if (tmp == NULL) {
1668 plog(LLV_ERROR, LOCATION, NULL,
1669 "failed to get hash buffer.\n");
1670 goto end;
1671 }
1672 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1673 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
1674
1675 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
1676 vfree(tmp);
1677
1678 if (hash == NULL)
1679 goto end;
1680 }
1681
1682 /* send isakmp payload */
1683 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
1684 if (iph2->sendbuf == NULL)
1685 goto end;
1686
1687 /* send the packet, add to the schedule to resend */
1688 if (isakmp_ph2send(iph2) == -1)
1689 goto end;
1690
1691 /* the sending message is added to the received-list. */
1692 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) {
1693 plog(LLV_ERROR , LOCATION, NULL,
1694 "failed to add a response packet to the tree.\n");
1695 goto end;
1696 }
1697
1698 /* change status of isakmp status entry */
1699 iph2->status = PHASE2ST_MSG1SENT;
1700
1701 error = 0;
1702
1703 end:
1704 if (body != NULL)
1705 vfree(body);
1706 if (hash != NULL)
1707 vfree(hash);
1708 #ifdef ENABLE_NATT
1709 if (nat_oai != NULL)
1710 vfree(nat_oai);
1711 if (nat_oar != NULL)
1712 vfree(nat_oar);
1713 #endif
1714
1715 return error;
1716 }
1717
1718 /*
1719 * receive from initiator
1720 * HDR*, HASH(3)
1721
1722 */
1723 int
quick_r3recv(iph2,msg0)1724 quick_r3recv(iph2, msg0)
1725 struct ph2handle *iph2;
1726 vchar_t *msg0;
1727 {
1728 vchar_t *msg = NULL;
1729 vchar_t *pbuf = NULL; /* for payload parsing */
1730 struct isakmp_parse_t *pa;
1731 struct isakmp_pl_hash *hash = NULL;
1732 int error = ISAKMP_INTERNAL_ERROR;
1733
1734 /* validity check */
1735 if (iph2->status != PHASE2ST_MSG1SENT) {
1736 plog(LLV_ERROR, LOCATION, NULL,
1737 "status mismatched %d.\n", iph2->status);
1738 goto end;
1739 }
1740
1741 /* decrypt packet */
1742 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1743 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1744 "Packet wasn't encrypted.\n");
1745 goto end;
1746 }
1747 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1748 if (msg == NULL)
1749 goto end;
1750
1751 /* validate the type of next payload */
1752 pbuf = isakmp_parse(msg);
1753 if (pbuf == NULL)
1754 goto end;
1755
1756 for (pa = (struct isakmp_parse_t *)pbuf->v;
1757 pa->type != ISAKMP_NPTYPE_NONE;
1758 pa++) {
1759
1760 switch (pa->type) {
1761 case ISAKMP_NPTYPE_HASH:
1762 hash = (struct isakmp_pl_hash *)pa->ptr;
1763 break;
1764 case ISAKMP_NPTYPE_N:
1765 ph2_recv_n(iph2, pa->ptr);
1766 break;
1767 default:
1768 /* don't send information, see ident_r1recv() */
1769 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1770 "ignore the packet, "
1771 "received unexpecting payload type %d.\n",
1772 pa->type);
1773 goto end;
1774 }
1775 }
1776
1777 /* payload existency check */
1778 if (hash == NULL) {
1779 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1780 "few isakmp message received.\n");
1781 goto end;
1782 }
1783
1784 /* validate HASH(3) */
1785 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1786 {
1787 char *r_hash;
1788 vchar_t *my_hash = NULL;
1789 vchar_t *tmp = NULL;
1790 int result;
1791
1792 r_hash = (char *)hash + sizeof(*hash);
1793
1794 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
1795 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1796
1797 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
1798 if (tmp == NULL) {
1799 plog(LLV_ERROR, LOCATION, NULL,
1800 "failed to get hash buffer.\n");
1801 goto end;
1802 }
1803 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1804 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
1805
1806 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
1807 vfree(tmp);
1808 if (my_hash == NULL)
1809 goto end;
1810
1811 result = memcmp(my_hash->v, r_hash, my_hash->l);
1812 vfree(my_hash);
1813
1814 if (result) {
1815 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1816 "HASH(3) mismatch.\n");
1817 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1818 goto end;
1819 }
1820 }
1821
1822 /* if there is commit bit, don't set up SA now. */
1823 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
1824 iph2->status = PHASE2ST_COMMIT;
1825 } else
1826 iph2->status = PHASE2ST_STATUS6;
1827
1828 error = 0;
1829
1830 end:
1831 if (pbuf != NULL)
1832 vfree(pbuf);
1833 if (msg != NULL)
1834 vfree(msg);
1835
1836 return error;
1837 }
1838
1839 /*
1840 * send to initiator
1841 * HDR#*, HASH(4), notify
1842 */
1843 int
quick_r3send(iph2,msg0)1844 quick_r3send(iph2, msg0)
1845 struct ph2handle *iph2;
1846 vchar_t *msg0;
1847 {
1848 vchar_t *buf = NULL;
1849 vchar_t *myhash = NULL;
1850 struct isakmp_pl_n *n;
1851 vchar_t *notify = NULL;
1852 char *p;
1853 int tlen;
1854 int error = ISAKMP_INTERNAL_ERROR;
1855
1856 /* validity check */
1857 if (iph2->status != PHASE2ST_COMMIT) {
1858 plog(LLV_ERROR, LOCATION, NULL,
1859 "status mismatched %d.\n", iph2->status);
1860 goto end;
1861 }
1862
1863 /* generate HASH(4) */
1864 /* XXX What can I do in the case of multiple different SA */
1865 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");
1866
1867 /* XXX What should I do if there are multiple SAs ? */
1868 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
1869 notify = vmalloc(tlen);
1870 if (notify == NULL) {
1871 plog(LLV_ERROR, LOCATION, NULL,
1872 "failed to get notify buffer.\n");
1873 goto end;
1874 }
1875 n = (struct isakmp_pl_n *)notify->v;
1876 n->h.np = ISAKMP_NPTYPE_NONE;
1877 n->h.len = htons(tlen);
1878 n->doi = htonl(IPSEC_DOI);
1879 n->proto_id = iph2->approval->head->proto_id;
1880 n->spi_size = sizeof(iph2->approval->head->spisize);
1881 n->type = htons(ISAKMP_NTYPE_CONNECTED);
1882 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
1883
1884 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1885 if (myhash == NULL)
1886 goto end;
1887
1888 /* create buffer for isakmp payload */
1889 tlen = sizeof(struct isakmp)
1890 + sizeof(struct isakmp_gen) + myhash->l
1891 + notify->l;
1892 buf = vmalloc(tlen);
1893 if (buf == NULL) {
1894 plog(LLV_ERROR, LOCATION, NULL,
1895 "failed to get buffer to send.\n");
1896 goto end;
1897 }
1898
1899 /* create isakmp header */
1900 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
1901 if (p == NULL)
1902 goto end;
1903
1904 /* add HASH(4) payload */
1905 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
1906
1907 /* add notify payload */
1908 memcpy(p, notify->v, notify->l);
1909
1910 #ifdef HAVE_PRINT_ISAKMP_C
1911 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
1912 #endif
1913
1914 /* encoding */
1915 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
1916 if (iph2->sendbuf == NULL)
1917 goto end;
1918
1919 /* send the packet */
1920 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1921 goto end;
1922
1923 /* the sending message is added to the received-list. */
1924 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) {
1925 plog(LLV_ERROR , LOCATION, NULL,
1926 "failed to add a response packet to the tree.\n");
1927 goto end;
1928 }
1929
1930 iph2->status = PHASE2ST_COMMIT;
1931
1932 error = 0;
1933
1934 end:
1935 if (buf != NULL)
1936 vfree(buf);
1937 if (myhash != NULL)
1938 vfree(myhash);
1939 if (notify != NULL)
1940 vfree(notify);
1941
1942 return error;
1943 }
1944
1945 int
tunnel_mode_prop(p)1946 tunnel_mode_prop(p)
1947 struct saprop *p;
1948 {
1949 struct saproto *pr;
1950
1951 for (pr = p->head; pr; pr = pr->next)
1952 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL)
1953 return 1;
1954 return 0;
1955 }
1956
1957 /*
1958 * set SA to kernel.
1959 */
1960 int
quick_r3prep(iph2,msg0)1961 quick_r3prep(iph2, msg0)
1962 struct ph2handle *iph2;
1963 vchar_t *msg0;
1964 {
1965 int error = ISAKMP_INTERNAL_ERROR;
1966
1967 /* validity check */
1968 if (iph2->status != PHASE2ST_STATUS6) {
1969 plog(LLV_ERROR, LOCATION, NULL,
1970 "status mismatched %d.\n", iph2->status);
1971 goto end;
1972 }
1973
1974 /* compute both of KEYMATs */
1975 if (oakley_compute_keymat(iph2, RESPONDER) < 0)
1976 goto end;
1977
1978 iph2->status = PHASE2ST_ADDSA;
1979 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1980
1981 /* don't anything if local test mode. */
1982 if (f_local) {
1983 error = 0;
1984 goto end;
1985 }
1986
1987 /* Do UPDATE as responder */
1988 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
1989 if (pk_sendupdate(iph2) < 0) {
1990 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
1991 goto end;
1992 }
1993 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
1994
1995 /* Do ADD for responder */
1996 if (pk_sendadd(iph2) < 0) {
1997 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
1998 goto end;
1999 }
2000 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
2001
2002 /*
2003 * set policies into SPD if the policy is generated
2004 * from peer's policy.
2005 */
2006 if (iph2->spidx_gen) {
2007
2008 struct policyindex *spidx;
2009 struct sockaddr_storage addr;
2010 u_int8_t pref;
2011 struct sockaddr *src = iph2->src;
2012 struct sockaddr *dst = iph2->dst;
2013
2014 /* make inbound policy */
2015 iph2->src = dst;
2016 iph2->dst = src;
2017 if (pk_sendspdupdate2(iph2) < 0) {
2018 plog(LLV_ERROR, LOCATION, NULL,
2019 "pfkey spdupdate2(inbound) failed.\n");
2020 goto end;
2021 }
2022 plog(LLV_DEBUG, LOCATION, NULL,
2023 "pfkey spdupdate2(inbound) sent.\n");
2024
2025 spidx = (struct policyindex *)iph2->spidx_gen;
2026 #ifdef HAVE_POLICY_FWD
2027 /* make forward policy if required */
2028 if (tunnel_mode_prop(iph2->approval)) {
2029 spidx->dir = IPSEC_DIR_FWD;
2030 if (pk_sendspdupdate2(iph2) < 0) {
2031 plog(LLV_ERROR, LOCATION, NULL,
2032 "pfkey spdupdate2(forward) failed.\n");
2033 goto end;
2034 }
2035 plog(LLV_DEBUG, LOCATION, NULL,
2036 "pfkey spdupdate2(forward) sent.\n");
2037 }
2038 #endif
2039
2040 /* make outbound policy */
2041 iph2->src = src;
2042 iph2->dst = dst;
2043 spidx->dir = IPSEC_DIR_OUTBOUND;
2044 addr = spidx->src;
2045 spidx->src = spidx->dst;
2046 spidx->dst = addr;
2047 pref = spidx->prefs;
2048 spidx->prefs = spidx->prefd;
2049 spidx->prefd = pref;
2050
2051 if (pk_sendspdupdate2(iph2) < 0) {
2052 plog(LLV_ERROR, LOCATION, NULL,
2053 "pfkey spdupdate2(outbound) failed.\n");
2054 goto end;
2055 }
2056 plog(LLV_DEBUG, LOCATION, NULL,
2057 "pfkey spdupdate2(outbound) sent.\n");
2058
2059 /* spidx_gen is unnecessary any more */
2060 delsp_bothdir((struct policyindex *)iph2->spidx_gen);
2061 racoon_free(iph2->spidx_gen);
2062 iph2->spidx_gen = NULL;
2063 iph2->generated_spidx=1;
2064 }
2065
2066 error = 0;
2067
2068 end:
2069 return error;
2070 }
2071
2072 /*
2073 * create HASH, body (SA, NONCE) payload with isakmp header.
2074 */
2075 static vchar_t *
quick_ir1mx(iph2,body,hash)2076 quick_ir1mx(iph2, body, hash)
2077 struct ph2handle *iph2;
2078 vchar_t *body, *hash;
2079 {
2080 struct isakmp *isakmp;
2081 vchar_t *buf = NULL, *new = NULL;
2082 char *p;
2083 int tlen;
2084 struct isakmp_gen *gen;
2085 int error = ISAKMP_INTERNAL_ERROR;
2086
2087 /* create buffer for isakmp payload */
2088 tlen = sizeof(*isakmp)
2089 + sizeof(*gen) + hash->l
2090 + body->l;
2091 buf = vmalloc(tlen);
2092 if (buf == NULL) {
2093 plog(LLV_ERROR, LOCATION, NULL,
2094 "failed to get buffer to send.\n");
2095 goto end;
2096 }
2097
2098 /* re-set encryption flag, for serurity. */
2099 iph2->flags |= ISAKMP_FLAG_E;
2100
2101 /* set isakmp header */
2102 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
2103 if (p == NULL)
2104 goto end;
2105
2106 /* add HASH payload */
2107 /* XXX is next type always SA ? */
2108 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
2109
2110 /* add body payload */
2111 memcpy(p, body->v, body->l);
2112
2113 #ifdef HAVE_PRINT_ISAKMP_C
2114 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2115 #endif
2116
2117 /* encoding */
2118 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2119
2120 if (new == NULL)
2121 goto end;
2122
2123 vfree(buf);
2124
2125 buf = new;
2126
2127 error = 0;
2128
2129 end:
2130 if (error && buf != NULL) {
2131 vfree(buf);
2132 buf = NULL;
2133 }
2134
2135 return buf;
2136 }
2137
2138 /*
2139 * get remote's sainfo.
2140 * NOTE: this function is for responder.
2141 */
2142 static int
get_sainfo_r(iph2)2143 get_sainfo_r(iph2)
2144 struct ph2handle *iph2;
2145 {
2146 vchar_t *idsrc = NULL, *iddst = NULL, *client = NULL;
2147 int error = ISAKMP_INTERNAL_ERROR;
2148
2149 if (iph2->id == NULL) {
2150 idsrc = ipsecdoi_sockaddr2id(iph2->src, IPSECDOI_PREFIX_HOST,
2151 IPSEC_ULPROTO_ANY);
2152 } else {
2153 idsrc = vdup(iph2->id);
2154 }
2155 if (idsrc == NULL) {
2156 plog(LLV_ERROR, LOCATION, NULL,
2157 "failed to set ID for source.\n");
2158 goto end;
2159 }
2160
2161 if (iph2->id_p == NULL) {
2162 iddst = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
2163 IPSEC_ULPROTO_ANY);
2164 } else {
2165 iddst = vdup(iph2->id_p);
2166 }
2167 if (iddst == NULL) {
2168 plog(LLV_ERROR, LOCATION, NULL,
2169 "failed to set ID for destination.\n");
2170 goto end;
2171 }
2172
2173 #ifdef ENABLE_HYBRID
2174
2175 /* clientaddr check : obtain modecfg address */
2176 if (iph2->ph1->mode_cfg != NULL) {
2177 if ((iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
2178 (iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)){
2179 struct sockaddr saddr;
2180 saddr.sa_family = AF_INET;
2181 #ifndef __linux__
2182 saddr.sa_len = sizeof(struct sockaddr_in);
2183 #endif
2184 ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
2185 memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
2186 &iph2->ph1->mode_cfg->addr4, sizeof(struct in_addr));
2187 client = ipsecdoi_sockaddr2id(&saddr, 32, IPSEC_ULPROTO_ANY);
2188 }
2189 }
2190
2191 /* clientaddr check, fallback to peer address */
2192 if (client == NULL)
2193 {
2194 client = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
2195 IPSEC_ULPROTO_ANY);
2196 }
2197 #endif
2198
2199 /* obtain a matching sainfo section */
2200 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, client, iph2->ph1->rmconf->ph1id);
2201 if (iph2->sainfo == NULL) {
2202 plog(LLV_ERROR, LOCATION, NULL,
2203 "failed to get sainfo.\n");
2204 goto end;
2205 }
2206
2207 #ifdef ENABLE_HYBRID
2208 /* xauth group inclusion check */
2209 if (iph2->sainfo->group != NULL)
2210 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1))
2211 goto end;
2212 #endif
2213
2214 plog(LLV_DEBUG, LOCATION, NULL,
2215 "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2216
2217 error = 0;
2218 end:
2219 if (idsrc)
2220 vfree(idsrc);
2221 if (iddst)
2222 vfree(iddst);
2223 if (client)
2224 vfree(client);
2225
2226 return error;
2227 }
2228
2229 /*
2230 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
2231 * are IP address and same address family.
2232 * Then get remote's policy from SPD copied from kernel.
2233 * If the type of ID payload is address or subnet type, then the index is
2234 * made from the payload. If there is no ID payload, or the type of ID
2235 * payload is NOT address type, then the index is made from the address
2236 * pair of phase 1.
2237 * NOTE: This function is only for responder.
2238 */
2239 static int
get_proposal_r(iph2)2240 get_proposal_r(iph2)
2241 struct ph2handle *iph2;
2242 {
2243 struct policyindex spidx;
2244 struct secpolicy *sp_in, *sp_out;
2245 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
2246 int error = ISAKMP_INTERNAL_ERROR;
2247
2248 /* check the existence of ID payload */
2249 if ((iph2->id_p != NULL && iph2->id == NULL)
2250 || (iph2->id_p == NULL && iph2->id != NULL)) {
2251 plog(LLV_ERROR, LOCATION, NULL,
2252 "Both IDs wasn't found in payload.\n");
2253 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2254 }
2255
2256 /* make sure if sa_[src, dst] are null. */
2257 if (iph2->sa_src || iph2->sa_dst) {
2258 plog(LLV_ERROR, LOCATION, NULL,
2259 "Why do ID[src,dst] exist already.\n");
2260 return ISAKMP_INTERNAL_ERROR;
2261 }
2262
2263 memset(&spidx, 0, sizeof(spidx));
2264
2265 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
2266
2267 /* make a spidx; a key to search SPD */
2268 spidx.dir = IPSEC_DIR_INBOUND;
2269 spidx.ul_proto = 0;
2270
2271 /*
2272 * make destination address in spidx from either ID payload
2273 * or phase 1 address into a address in spidx.
2274 */
2275 if (iph2->id != NULL
2276 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2277 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
2278 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2279 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2280 /* get a destination address of a policy */
2281 error = ipsecdoi_id2sockaddr(iph2->id,
2282 (struct sockaddr *)&spidx.dst,
2283 &spidx.prefd, &spidx.ul_proto);
2284 if (error)
2285 return error;
2286
2287 #ifdef INET6
2288 /*
2289 * get scopeid from the SA address.
2290 * note that the phase 1 source address is used as
2291 * a destination address to search for a inbound policy entry
2292 * because rcoon is responder.
2293 */
2294 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
2295 error = setscopeid((struct sockaddr *)&spidx.dst,
2296 iph2->src);
2297 if (error)
2298 return error;
2299 }
2300 #endif
2301
2302 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2303 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
2304 idi2type = _XIDT(iph2->id);
2305
2306 } else {
2307
2308 plog(LLV_DEBUG, LOCATION, NULL,
2309 "get a destination address of SP index "
2310 "from phase1 address "
2311 "due to no ID payloads found "
2312 "OR because ID type is not address.\n");
2313
2314 /*
2315 * copy the SOURCE address of IKE into the DESTINATION address
2316 * of the key to search the SPD because the direction of policy
2317 * is inbound.
2318 */
2319 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
2320 switch (spidx.dst.ss_family) {
2321 case AF_INET:
2322 spidx.prefd = sizeof(struct in_addr) << 3;
2323 break;
2324 #ifdef INET6
2325 case AF_INET6:
2326 spidx.prefd = sizeof(struct in6_addr) << 3;
2327 break;
2328 #endif
2329 default:
2330 spidx.prefd = 0;
2331 break;
2332 }
2333 }
2334
2335 /* make source address in spidx */
2336 if (iph2->id_p != NULL
2337 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
2338 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
2339 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2340 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2341 /* get a source address of inbound SA */
2342 error = ipsecdoi_id2sockaddr(iph2->id_p,
2343 (struct sockaddr *)&spidx.src,
2344 &spidx.prefs, &spidx.ul_proto);
2345 if (error)
2346 return error;
2347
2348 #ifdef INET6
2349 /*
2350 * get scopeid from the SA address.
2351 * for more detail, see above of this function.
2352 */
2353 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
2354 error = setscopeid((struct sockaddr *)&spidx.src,
2355 iph2->dst);
2356 if (error)
2357 return error;
2358 }
2359 #endif
2360
2361 /* Before setting iph2->[sa_src, sa_dst] with the addresses
2362 * provided in ID payloads, we check:
2363 * - they are both addresses of same family
2364 * - sainfo has not been selected only based on ID payload
2365 * information but also based on specific Phase 1
2366 * credentials (iph2->sainfo->id_i is defined), i.e.
2367 * local configuration _explicitly_ expect that user
2368 * (e.g. from asn1dn "C=FR, ...") with those IDs) */
2369 if (_XIDT(iph2->id_p) == idi2type &&
2370 spidx.dst.ss_family == spidx.src.ss_family &&
2371 iph2->sainfo && iph2->sainfo->id_i) {
2372
2373 iph2->sa_src = dupsaddr((struct sockaddr *)&spidx.dst);
2374 if (iph2->sa_src == NULL) {
2375 plog(LLV_ERROR, LOCATION, NULL,
2376 "buffer allocation failed.\n");
2377 return ISAKMP_INTERNAL_ERROR;
2378 }
2379
2380 iph2->sa_dst = dupsaddr((struct sockaddr *)&spidx.src);
2381 if (iph2->sa_dst == NULL) {
2382 plog(LLV_ERROR, LOCATION, NULL,
2383 "buffer allocation failed.\n");
2384 return ISAKMP_INTERNAL_ERROR;
2385 }
2386 } else {
2387 plog(LLV_DEBUG, LOCATION, NULL,
2388 "Either family (%d - %d), types (%d - %d) of ID "
2389 "from initiator differ or matching sainfo "
2390 "has no id_i defined for the peer. Not filling "
2391 "iph2->sa_src and iph2->sa_dst.\n",
2392 spidx.src.ss_family, spidx.dst.ss_family,
2393 _XIDT(iph2->id_p),idi2type);
2394 }
2395 } else {
2396 plog(LLV_DEBUG, LOCATION, NULL,
2397 "get a source address of SP index from Phase 1"
2398 "addresses due to no ID payloads found"
2399 "OR because ID type is not address.\n");
2400
2401 /* see above comment. */
2402 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
2403 switch (spidx.src.ss_family) {
2404 case AF_INET:
2405 spidx.prefs = sizeof(struct in_addr) << 3;
2406 break;
2407 #ifdef INET6
2408 case AF_INET6:
2409 spidx.prefs = sizeof(struct in6_addr) << 3;
2410 break;
2411 #endif
2412 default:
2413 spidx.prefs = 0;
2414 break;
2415 }
2416 }
2417
2418 #undef _XIDT
2419
2420 plog(LLV_DEBUG, LOCATION, NULL,
2421 "get src address from ID payload "
2422 "%s prefixlen=%u ul_proto=%u\n",
2423 saddr2str((struct sockaddr *)&spidx.src),
2424 spidx.prefs, spidx.ul_proto);
2425 plog(LLV_DEBUG, LOCATION, NULL,
2426 "get dst address from ID payload "
2427 "%s prefixlen=%u ul_proto=%u\n",
2428 saddr2str((struct sockaddr *)&spidx.dst),
2429 spidx.prefd, spidx.ul_proto);
2430
2431 /*
2432 * convert the ul_proto if it is 0
2433 * because 0 in ID payload means a wild card.
2434 */
2435 if (spidx.ul_proto == 0)
2436 spidx.ul_proto = IPSEC_ULPROTO_ANY;
2437
2438 #ifdef HAVE_SECCTX
2439 /*
2440 * Need to use security context in spidx to ensure the correct
2441 * policy is selected. The only way to get the security context
2442 * is to look into the proposal sent by peer ahead of time.
2443 */
2444 if (get_security_context(iph2->sa, &spidx)) {
2445 plog(LLV_ERROR, LOCATION, NULL,
2446 "error occurred trying to get security context.\n");
2447 return ISAKMP_INTERNAL_ERROR;
2448 }
2449 #endif /* HAVE_SECCTX */
2450
2451 /* get inbound policy */
2452 sp_in = getsp_r(&spidx);
2453 if (sp_in == NULL) {
2454 if (iph2->ph1->rmconf->gen_policy) {
2455 plog(LLV_INFO, LOCATION, NULL,
2456 "no policy found, "
2457 "try to generate the policy : %s\n",
2458 spidx2str(&spidx));
2459 iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2460 if (!iph2->spidx_gen) {
2461 plog(LLV_ERROR, LOCATION, NULL,
2462 "buffer allocation failed.\n");
2463 return ISAKMP_INTERNAL_ERROR;
2464 }
2465 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2466 return -2; /* special value */
2467 }
2468 plog(LLV_ERROR, LOCATION, NULL,
2469 "no policy found: %s\n", spidx2str(&spidx));
2470 return ISAKMP_INTERNAL_ERROR;
2471 }
2472 /* Refresh existing generated policies
2473 */
2474 if (iph2->ph1->rmconf->gen_policy) {
2475 plog(LLV_INFO, LOCATION, NULL,
2476 "Update the generated policy : %s\n",
2477 spidx2str(&spidx));
2478 iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2479 if (!iph2->spidx_gen) {
2480 plog(LLV_ERROR, LOCATION, NULL,
2481 "buffer allocation failed.\n");
2482 return ISAKMP_INTERNAL_ERROR;
2483 }
2484 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2485 }
2486
2487 /* get outbound policy */
2488 {
2489 struct sockaddr_storage addr;
2490 u_int8_t pref;
2491
2492 spidx.dir = IPSEC_DIR_OUTBOUND;
2493 addr = spidx.src;
2494 spidx.src = spidx.dst;
2495 spidx.dst = addr;
2496 pref = spidx.prefs;
2497 spidx.prefs = spidx.prefd;
2498 spidx.prefd = pref;
2499
2500 sp_out = getsp_r(&spidx);
2501 if (!sp_out) {
2502 plog(LLV_WARNING, LOCATION, NULL,
2503 "no outbound policy found: %s\n",
2504 spidx2str(&spidx));
2505 }
2506 }
2507
2508 plog(LLV_DEBUG, LOCATION, NULL,
2509 "suitable SP found:%s\n", spidx2str(&spidx));
2510
2511 /*
2512 * In the responder side, the inbound policy should be using IPsec.
2513 * outbound policy is not checked currently.
2514 */
2515 if (sp_in->policy != IPSEC_POLICY_IPSEC) {
2516 plog(LLV_ERROR, LOCATION, NULL,
2517 "policy found, but no IPsec required: %s\n",
2518 spidx2str(&spidx));
2519 return ISAKMP_INTERNAL_ERROR;
2520 }
2521
2522 /* set new proposal derived from a policy into the iph2->proposal. */
2523 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
2524 plog(LLV_ERROR, LOCATION, NULL,
2525 "failed to create saprop.\n");
2526 return ISAKMP_INTERNAL_ERROR;
2527 }
2528
2529 #ifdef HAVE_SECCTX
2530 if (spidx.sec_ctx.ctx_str) {
2531 set_secctx_in_proposal(iph2, spidx);
2532 }
2533 #endif /* HAVE_SECCTX */
2534
2535 iph2->spid = sp_in->id;
2536
2537 return 0;
2538 }
2539
2540 /*
2541 * handle a notification payload inside phase2 exchange.
2542 * phase2 is always encrypted, so it does not need to be checked
2543 * for explicitely.
2544 */
2545 static int
ph2_recv_n(iph2,gen)2546 ph2_recv_n(iph2, gen)
2547 struct ph2handle *iph2;
2548 struct isakmp_gen *gen;
2549 {
2550 struct ph1handle *iph1 = iph2->ph1;
2551 struct isakmp_pl_n *notify = (struct isakmp_pl_n *) gen;
2552 u_int type;
2553 int check_level;
2554
2555 type = ntohs(notify->type);
2556 switch (type) {
2557 case ISAKMP_NTYPE_CONNECTED:
2558 break;
2559 case ISAKMP_NTYPE_INITIAL_CONTACT:
2560 return isakmp_info_recv_initialcontact(iph1, iph2);
2561 case ISAKMP_NTYPE_RESPONDER_LIFETIME:
2562 ipsecdoi_parse_responder_lifetime(notify,
2563 &iph2->lifetime_secs, &iph2->lifetime_kb);
2564
2565 if (iph1 != NULL && iph1->rmconf != NULL) {
2566 check_level = iph1->rmconf->pcheck_level;
2567 } else {
2568 if (iph1 != NULL)
2569 plog(LLV_DEBUG, LOCATION, NULL,
2570 "No phase1 rmconf found !\n");
2571 else
2572 plog(LLV_DEBUG, LOCATION, NULL,
2573 "No phase1 found !\n");
2574 check_level = PROP_CHECK_EXACT;
2575 }
2576
2577 switch (check_level) {
2578 case PROP_CHECK_OBEY:
2579 break;
2580 case PROP_CHECK_STRICT:
2581 case PROP_CHECK_CLAIM:
2582 if (iph2->sainfo == NULL
2583 || iph2->sainfo->lifetime <= iph2->lifetime_secs) {
2584 plog(LLV_WARNING, LOCATION, NULL,
2585 "RESPONDER-LIFETIME: lifetime mismatch\n");
2586 iph2->lifetime_secs = 0;
2587 }
2588 break;
2589 case PROP_CHECK_EXACT:
2590 if (iph2->sainfo == NULL
2591 || iph2->sainfo->lifetime != iph2->lifetime_secs) {
2592 plog(LLV_WARNING, LOCATION, NULL,
2593 "RESPONDER-LIFETIME: lifetime mismatch\n");
2594 iph2->lifetime_secs = 0;
2595 }
2596 break;
2597 }
2598 break;
2599 default:
2600 isakmp_log_notify(iph2->ph1, notify, "phase2 exchange");
2601 isakmp_info_send_n2(iph2, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE,
2602 NULL);
2603 break;
2604 }
2605 return 0;
2606 }
2607
2608