1 /* $NetBSD: isakmp.c,v 1.20.6.13 2008/09/25 09:34:39 vanhu Exp $ */
2
3 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42 #include <arpa/inet.h>
43
44 #include PATH_IPSEC_H
45
46 #include <stdlib.h>
47 #include <stdio.h>
48 #include <string.h>
49 #include <errno.h>
50 #if TIME_WITH_SYS_TIME
51 # include <sys/time.h>
52 # include <time.h>
53 #else
54 # if HAVE_SYS_TIME_H
55 # include <sys/time.h>
56 # else
57 # include <time.h>
58 # endif
59 #endif
60 #include <netdb.h>
61 #ifdef HAVE_UNISTD_H
62 #include <unistd.h>
63 #endif
64 #include <ctype.h>
65 #ifdef ENABLE_HYBRID
66 #include <resolv.h>
67 #endif
68
69 #include "var.h"
70 #include "misc.h"
71 #include "vmbuf.h"
72 #include "plog.h"
73 #include "sockmisc.h"
74 #include "schedule.h"
75 #include "debug.h"
76
77 #include "remoteconf.h"
78 #include "localconf.h"
79 #include "grabmyaddr.h"
80 #include "admin.h"
81 #include "privsep.h"
82 #include "isakmp_var.h"
83 #include "isakmp.h"
84 #include "oakley.h"
85 #include "evt.h"
86 #include "handler.h"
87 #include "ipsec_doi.h"
88 #include "pfkey.h"
89 #include "crypto_openssl.h"
90 #include "policy.h"
91 #include "isakmp_ident.h"
92 #include "isakmp_agg.h"
93 #include "isakmp_base.h"
94 #include "isakmp_quick.h"
95 #include "isakmp_inf.h"
96 #include "isakmp_newg.h"
97 #ifdef ENABLE_HYBRID
98 #include "vendorid.h"
99 #include "isakmp_xauth.h"
100 #include "isakmp_unity.h"
101 #include "isakmp_cfg.h"
102 #endif
103 #ifdef ENABLE_FRAG
104 #include "isakmp_frag.h"
105 #endif
106 #include "strnames.h"
107
108 #include <fcntl.h>
109
110 #ifdef ENABLE_NATT
111 # include "nattraversal.h"
112 #endif
113 # ifdef __linux__
114 # include <linux/udp.h>
115 # include <linux/ip.h>
116 # ifndef SOL_UDP
117 # define SOL_UDP 17
118 # endif
119 #if defined(__ANDROID__)
120 #include <netinet/udp.h>
121 #endif
122 # endif /* __linux__ */
123 # if defined(__NetBSD__) || defined(__FreeBSD__) || \
124 (defined(__APPLE__) && defined(__MACH__))
125 # include <netinet/in.h>
126 # include <netinet/udp.h>
127 # include <netinet/in_systm.h>
128 # include <netinet/ip.h>
129 # define SOL_UDP IPPROTO_UDP
130 # endif /* __NetBSD__ / __FreeBSD__ */
131
132 static int nostate1 __P((struct ph1handle *, vchar_t *));
133 static int nostate2 __P((struct ph2handle *, vchar_t *));
134
135 extern caddr_t val2str(const char *, size_t);
136
137 static int (*ph1exchange[][2][PHASE1ST_MAX])
138 __P((struct ph1handle *, vchar_t *)) = {
139 /* error */
140 { {}, {}, },
141 /* Identity Protection exchange */
142 {
143 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
144 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
145 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
146 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
147 },
148 /* Aggressive exchange */
149 {
150 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
151 nostate1, nostate1, nostate1, nostate1, nostate1, },
152 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
153 nostate1, nostate1, nostate1, nostate1, nostate1, },
154 },
155 /* Base exchange */
156 {
157 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
158 base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
159 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
160 nostate1, nostate1, nostate1, nostate1, nostate1, },
161 },
162 };
163
164 static int (*ph2exchange[][2][PHASE2ST_MAX])
165 __P((struct ph2handle *, vchar_t *)) = {
166 /* error */
167 { {}, {}, },
168 /* Quick mode for IKE */
169 {
170 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
171 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
172 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
173 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
174 },
175 };
176
177 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
178
179 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
180 static int ph1_main __P((struct ph1handle *, vchar_t *));
181 static int quick_main __P((struct ph2handle *, vchar_t *));
182 static int isakmp_ph1begin_r __P((vchar_t *,
183 struct sockaddr *, struct sockaddr *, u_int8_t));
184 static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
185 static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
186 static int etypesw1 __P((int));
187 static int etypesw2 __P((int));
188 #ifdef ENABLE_FRAG
189 static int frag_handler(struct ph1handle *,
190 vchar_t *, struct sockaddr *, struct sockaddr *);
191 #endif
192
193 /*
194 * isakmp packet handler
195 */
196 int
isakmp_handler(so_isakmp)197 isakmp_handler(so_isakmp)
198 int so_isakmp;
199 {
200 struct isakmp isakmp;
201 union {
202 char buf[sizeof (isakmp) + 4];
203 u_int32_t non_esp[2];
204 char lbuf[sizeof(struct udphdr) +
205 #ifdef __linux
206 sizeof(struct iphdr) +
207 #else
208 sizeof(struct ip) +
209 #endif
210 sizeof(isakmp) + 4];
211 } x;
212 struct sockaddr_storage remote;
213 struct sockaddr_storage local;
214 unsigned int remote_len = sizeof(remote);
215 unsigned int local_len = sizeof(local);
216 int len = 0, extralen = 0;
217 vchar_t *buf = NULL, *tmpbuf = NULL;
218 int error = -1, res;
219
220 /* read message by MSG_PEEK */
221 while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
222 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
223 (struct sockaddr *)&local, &local_len)) < 0) {
224 if (errno == EINTR)
225 continue;
226 plog(LLV_ERROR, LOCATION, NULL,
227 "failed to receive isakmp packet: %s\n",
228 strerror (errno));
229 goto end;
230 }
231
232 /* keep-alive packet - ignore */
233 if (len == 1 && (x.buf[0]&0xff) == 0xff) {
234 /* Pull the keep-alive packet */
235 if ((len = recvfrom(so_isakmp, (char *)x.buf, 1,
236 0, (struct sockaddr *)&remote, &remote_len)) != 1) {
237 plog(LLV_ERROR, LOCATION, NULL,
238 "failed to receive keep alive packet: %s\n",
239 strerror (errno));
240 }
241 goto end;
242 }
243
244 /* Lucent IKE in UDP encapsulation */
245 {
246 struct udphdr *udp;
247 #ifdef __linux__
248 struct iphdr *ip;
249
250 udp = (struct udphdr *)&x.lbuf[0];
251 if (ntohs(udp->dest) == 501) {
252 ip = (struct iphdr *)(x.lbuf + sizeof(*udp));
253 extralen += sizeof(*udp) + ip->ihl;
254 }
255 #else
256 struct ip *ip;
257
258 udp = (struct udphdr *)&x.lbuf[0];
259 if (ntohs(udp->uh_dport) == 501) {
260 ip = (struct ip *)(x.lbuf + sizeof(*udp));
261 extralen += sizeof(*udp) + ip->ip_hl;
262 }
263 #endif
264 }
265
266 #ifdef ENABLE_NATT
267 /* we don't know about portchange yet,
268 look for non-esp marker instead */
269 if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
270 extralen = NON_ESP_MARKER_LEN;
271 #endif
272
273 /* now we know if there is an extra non-esp
274 marker at the beginning or not */
275 memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
276
277 /* check isakmp header length, as well as sanity of header length */
278 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
279 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
280 "packet shorter than isakmp header size (%u, %u, %zu)\n",
281 len, ntohl(isakmp.len), sizeof(isakmp));
282 /* dummy receive */
283 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
284 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
285 plog(LLV_ERROR, LOCATION, NULL,
286 "failed to receive isakmp packet: %s\n",
287 strerror (errno));
288 }
289 goto end;
290 }
291
292 /* reject it if the size is tooooo big. */
293 if (ntohl(isakmp.len) > 0xffff) {
294 plog(LLV_ERROR, LOCATION, NULL,
295 "the length in the isakmp header is too big.\n");
296 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
297 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
298 plog(LLV_ERROR, LOCATION, NULL,
299 "failed to receive isakmp packet: %s\n",
300 strerror (errno));
301 }
302 goto end;
303 }
304
305 /* read real message */
306 if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) {
307 plog(LLV_ERROR, LOCATION, NULL,
308 "failed to allocate reading buffer (%u Bytes)\n",
309 ntohl(isakmp.len) + extralen);
310 /* dummy receive */
311 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
312 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
313 plog(LLV_ERROR, LOCATION, NULL,
314 "failed to receive isakmp packet: %s\n",
315 strerror (errno));
316 }
317 goto end;
318 }
319
320 while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
321 0, (struct sockaddr *)&remote, &remote_len,
322 (struct sockaddr *)&local, &local_len)) < 0) {
323 if (errno == EINTR)
324 continue;
325 plog(LLV_ERROR, LOCATION, NULL,
326 "failed to receive isakmp packet: %s\n",
327 strerror (errno));
328 goto end;
329 }
330
331 if ((buf = vmalloc(len - extralen)) == NULL) {
332 plog(LLV_ERROR, LOCATION, NULL,
333 "failed to allocate reading buffer (%u Bytes)\n",
334 (len - extralen));
335 goto end;
336 }
337
338 memcpy (buf->v, tmpbuf->v + extralen, buf->l);
339
340 len -= extralen;
341
342 if (len != buf->l) {
343 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
344 "received invalid length (%d != %zu), why ?\n",
345 len, buf->l);
346 goto end;
347 }
348
349 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
350 plog(LLV_DEBUG, LOCATION, NULL,
351 "%d bytes message received %s\n",
352 len, saddr2str_fromto("from %s to %s",
353 (struct sockaddr *)&remote,
354 (struct sockaddr *)&local));
355 plogdump(LLV_DEBUG, buf->v, buf->l);
356
357 /* avoid packets with malicious port/address */
358 if (extract_port((struct sockaddr *)&remote) == 0) {
359 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
360 "src port == 0 (valid as UDP but not with IKE)\n");
361 goto end;
362 }
363
364 /* XXX: check sender whether to be allowed or not to accept */
365
366 /* XXX: I don't know how to check isakmp half connection attack. */
367
368 /* simply reply if the packet was processed. */
369 res=check_recvdpkt((struct sockaddr *)&remote,(struct sockaddr *)&local, buf);
370 if (res) {
371 plog(LLV_NOTIFY, LOCATION, NULL,
372 "the packet is retransmitted by %s (%d).\n",
373 saddr2str((struct sockaddr *)&remote), res);
374 error = 0;
375 goto end;
376 }
377
378 /* isakmp main routine */
379 if (isakmp_main(buf, (struct sockaddr *)&remote,
380 (struct sockaddr *)&local) != 0) goto end;
381
382 error = 0;
383
384 end:
385 if (tmpbuf != NULL)
386 vfree(tmpbuf);
387 if (buf != NULL)
388 vfree(buf);
389
390 return(error);
391 }
392
393 /*
394 * main processing to handle isakmp payload
395 */
396 static int
isakmp_main(msg,remote,local)397 isakmp_main(msg, remote, local)
398 vchar_t *msg;
399 struct sockaddr *remote, *local;
400 {
401 struct isakmp *isakmp = (struct isakmp *)msg->v;
402 isakmp_index *index = (isakmp_index *)isakmp;
403 u_int32_t msgid = isakmp->msgid;
404 struct ph1handle *iph1;
405
406 #ifdef HAVE_PRINT_ISAKMP_C
407 isakmp_printpacket(msg, remote, local, 0);
408 #endif
409
410 /* the initiator's cookie must not be zero */
411 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
412 plog(LLV_ERROR, LOCATION, remote,
413 "malformed cookie received.\n");
414 return -1;
415 }
416
417 /* Check the Major and Minor Version fields. */
418 /*
419 * XXX Is is right to check version here ?
420 * I think it may no be here because the version depends
421 * on exchange status.
422 */
423 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
424 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
425 plog(LLV_ERROR, LOCATION, remote,
426 "invalid major version %d.\n",
427 ISAKMP_GETMAJORV(isakmp->v));
428 return -1;
429 }
430 #if ISAKMP_MINOR_VERSION > 0
431 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
432 plog(LLV_ERROR, LOCATION, remote,
433 "invalid minor version %d.\n",
434 ISAKMP_GETMINORV(isakmp->v));
435 return -1;
436 }
437 #endif
438 }
439
440 /* check the Flags field. */
441 /* XXX How is the exclusive check, E and A ? */
442 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
443 plog(LLV_ERROR, LOCATION, remote,
444 "invalid flag 0x%02x.\n", isakmp->flags);
445 return -1;
446 }
447
448 /* ignore commit bit. */
449 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
450 if (isakmp->msgid == 0) {
451 isakmp_info_send_nx(isakmp, remote, local,
452 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
453 plog(LLV_ERROR, LOCATION, remote,
454 "Commit bit on phase1 forbidden.\n");
455 return -1;
456 }
457 }
458
459 iph1 = getph1byindex(index);
460 if (iph1 != NULL) {
461 /* validity check */
462 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
463 iph1->side == INITIATOR) {
464 plog(LLV_DEBUG, LOCATION, remote,
465 "malformed cookie received or "
466 "the initiator's cookies collide.\n");
467 return -1;
468 }
469
470 #ifdef ENABLE_NATT
471 /* Floating ports for NAT-T */
472 if (NATT_AVAILABLE(iph1) &&
473 ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
474 ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
475 (cmpsaddrstrict(iph1->local, local) != 0)))
476 {
477 /* prevent memory leak */
478 racoon_free(iph1->remote);
479 racoon_free(iph1->local);
480 iph1->remote = NULL;
481 iph1->local = NULL;
482
483 /* copy-in new addresses */
484 iph1->remote = dupsaddr(remote);
485 if (iph1->remote == NULL) {
486 plog(LLV_ERROR, LOCATION, iph1->remote,
487 "phase1 failed: dupsaddr failed.\n");
488 remph1(iph1);
489 delph1(iph1);
490 return -1;
491 }
492 iph1->local = dupsaddr(local);
493 if (iph1->local == NULL) {
494 plog(LLV_ERROR, LOCATION, iph1->remote,
495 "phase1 failed: dupsaddr failed.\n");
496 remph1(iph1);
497 delph1(iph1);
498 return -1;
499 }
500
501 /* set the flag to prevent further port floating
502 (FIXME: should we allow it? E.g. when the NAT gw
503 is rebooted?) */
504 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
505
506 /* print some neat info */
507 plog (LLV_INFO, LOCATION, NULL,
508 "NAT-T: ports changed to: %s\n",
509 saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
510
511 natt_keepalive_add_ph1 (iph1);
512 }
513 #endif
514
515 /* must be same addresses in one stream of a phase at least. */
516 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
517 char *saddr_db, *saddr_act;
518
519 saddr_db = racoon_strdup(saddr2str(iph1->remote));
520 saddr_act = racoon_strdup(saddr2str(remote));
521 STRDUP_FATAL(saddr_db);
522 STRDUP_FATAL(saddr_act);
523
524 plog(LLV_WARNING, LOCATION, remote,
525 "remote address mismatched. db=%s, act=%s\n",
526 saddr_db, saddr_act);
527
528 racoon_free(saddr_db);
529 racoon_free(saddr_act);
530 }
531
532 /*
533 * don't check of exchange type here because other type will be
534 * with same index, for example, informational exchange.
535 */
536
537 /* XXX more acceptable check */
538 }
539
540 switch (isakmp->etype) {
541 case ISAKMP_ETYPE_IDENT:
542 case ISAKMP_ETYPE_AGG:
543 case ISAKMP_ETYPE_BASE:
544 /* phase 1 validity check */
545 if (isakmp->msgid != 0) {
546 plog(LLV_ERROR, LOCATION, remote,
547 "message id should be zero in phase1.\n");
548 return -1;
549 }
550
551 /* search for isakmp status record of phase 1 */
552 if (iph1 == NULL) {
553 /*
554 * the packet must be the 1st message from a initiator
555 * or the 2nd message from the responder.
556 */
557
558 /* search for phase1 handle by index without r_ck */
559 iph1 = getph1byindex0(index);
560 if (iph1 == NULL) {
561 /*it must be the 1st message from a initiator.*/
562 if (memcmp(&isakmp->r_ck, r_ck0,
563 sizeof(cookie_t)) != 0) {
564
565 plog(LLV_DEBUG, LOCATION, remote,
566 "malformed cookie received "
567 "or the spi expired.\n");
568 return -1;
569 }
570
571 /* it must be responder's 1st exchange. */
572 if (isakmp_ph1begin_r(msg, remote, local,
573 isakmp->etype) < 0)
574 return -1;
575 break;
576
577 /*NOTREACHED*/
578 }
579
580 /* it must be the 2nd message from the responder. */
581 if (iph1->side != INITIATOR) {
582 plog(LLV_DEBUG, LOCATION, remote,
583 "malformed cookie received. "
584 "it has to be as the initiator. %s\n",
585 isakmp_pindex(&iph1->index, 0));
586 return -1;
587 }
588 }
589
590 /*
591 * Don't delete phase 1 handler when the exchange type
592 * in handler is not equal to packet's one because of no
593 * authencication completed.
594 */
595 if (iph1->etype != isakmp->etype) {
596 plog(LLV_ERROR, LOCATION, iph1->remote,
597 "exchange type is mismatched: "
598 "db=%s packet=%s, ignore it.\n",
599 s_isakmp_etype(iph1->etype),
600 s_isakmp_etype(isakmp->etype));
601 return -1;
602 }
603
604 #ifdef ENABLE_FRAG
605 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
606 return frag_handler(iph1, msg, remote, local);
607 #endif
608
609 /* call main process of phase 1 */
610 if (ph1_main(iph1, msg) < 0) {
611 plog(LLV_ERROR, LOCATION, iph1->remote,
612 "phase1 negotiation failed.\n");
613 remph1(iph1);
614 delph1(iph1);
615 return -1;
616 }
617 break;
618
619 case ISAKMP_ETYPE_AUTH:
620 plog(LLV_INFO, LOCATION, remote,
621 "unsupported exchange %d received.\n",
622 isakmp->etype);
623 break;
624
625 case ISAKMP_ETYPE_INFO:
626 case ISAKMP_ETYPE_ACKINFO:
627 /*
628 * iph1 must be present for Information message.
629 * if iph1 is null then trying to get the phase1 status
630 * as the packet from responder againt initiator's 1st
631 * exchange in phase 1.
632 * NOTE: We think such informational exchange should be ignored.
633 */
634 if (iph1 == NULL) {
635 iph1 = getph1byindex0(index);
636 if (iph1 == NULL) {
637 plog(LLV_ERROR, LOCATION, remote,
638 "unknown Informational "
639 "exchange received.\n");
640 return -1;
641 }
642 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
643 plog(LLV_WARNING, LOCATION, remote,
644 "remote address mismatched. "
645 "db=%s\n",
646 saddr2str(iph1->remote));
647 }
648 }
649
650 #ifdef ENABLE_FRAG
651 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
652 return frag_handler(iph1, msg, remote, local);
653 #endif
654
655 if (isakmp_info_recv(iph1, msg) < 0)
656 return -1;
657 break;
658
659 case ISAKMP_ETYPE_QUICK:
660 {
661 struct ph2handle *iph2;
662
663 if (iph1 == NULL) {
664 isakmp_info_send_nx(isakmp, remote, local,
665 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
666 plog(LLV_ERROR, LOCATION, remote,
667 "can't start the quick mode, "
668 "there is no ISAKMP-SA, %s\n",
669 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
670 isakmp->msgid));
671 return -1;
672 }
673 #ifdef ENABLE_HYBRID
674 /* Reinit the IVM if it's still there */
675 if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
676 oakley_delivm(iph1->mode_cfg->ivm);
677 iph1->mode_cfg->ivm = NULL;
678 }
679 #endif
680 #ifdef ENABLE_FRAG
681 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
682 return frag_handler(iph1, msg, remote, local);
683 #endif
684
685 /* check status of phase 1 whether negotiated or not. */
686 if (iph1->status != PHASE1ST_ESTABLISHED) {
687 plog(LLV_ERROR, LOCATION, remote,
688 "can't start the quick mode, "
689 "there is no valid ISAKMP-SA, %s\n",
690 isakmp_pindex(&iph1->index, iph1->msgid));
691 return -1;
692 }
693
694 /* search isakmp phase 2 stauts record. */
695 iph2 = getph2bymsgid(iph1, msgid);
696 if (iph2 == NULL) {
697 /* it must be new negotiation as responder */
698 if (isakmp_ph2begin_r(iph1, msg) < 0)
699 return -1;
700 return 0;
701 /*NOTREACHED*/
702 }
703
704 /* commit bit. */
705 /* XXX
706 * we keep to set commit bit during negotiation.
707 * When SA is configured, bit will be reset.
708 * XXX
709 * don't initiate commit bit. should be fixed in the future.
710 */
711 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
712 iph2->flags |= ISAKMP_FLAG_C;
713
714 /* call main process of quick mode */
715 if (quick_main(iph2, msg) < 0) {
716 plog(LLV_ERROR, LOCATION, iph1->remote,
717 "phase2 negotiation failed.\n");
718 unbindph12(iph2);
719 remph2(iph2);
720 delph2(iph2);
721 return -1;
722 }
723 }
724 break;
725
726 case ISAKMP_ETYPE_NEWGRP:
727 if (iph1 == NULL) {
728 plog(LLV_ERROR, LOCATION, remote,
729 "Unknown new group mode exchange, "
730 "there is no ISAKMP-SA.\n");
731 return -1;
732 }
733
734 #ifdef ENABLE_FRAG
735 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
736 return frag_handler(iph1, msg, remote, local);
737 #endif
738
739 isakmp_newgroup_r(iph1, msg);
740 break;
741
742 #ifdef ENABLE_HYBRID
743 case ISAKMP_ETYPE_CFG:
744 if (iph1 == NULL) {
745 plog(LLV_ERROR, LOCATION, NULL,
746 "mode config %d from %s, "
747 "but we have no ISAKMP-SA.\n",
748 isakmp->etype, saddr2str(remote));
749 return -1;
750 }
751
752 #ifdef ENABLE_FRAG
753 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
754 return frag_handler(iph1, msg, remote, local);
755 #endif
756
757 isakmp_cfg_r(iph1, msg);
758 break;
759 #endif
760
761 case ISAKMP_ETYPE_NONE:
762 default:
763 plog(LLV_ERROR, LOCATION, NULL,
764 "Invalid exchange type %d from %s.\n",
765 isakmp->etype, saddr2str(remote));
766 return -1;
767 }
768
769 return 0;
770 }
771
772 /*
773 * main function of phase 1.
774 */
775 static int
ph1_main(iph1,msg)776 ph1_main(iph1, msg)
777 struct ph1handle *iph1;
778 vchar_t *msg;
779 {
780 int error;
781 #ifdef ENABLE_STATS
782 struct timeval start, end;
783 #endif
784
785 /* ignore a packet */
786 if (iph1->status == PHASE1ST_ESTABLISHED)
787 return 0;
788
789 #ifdef ENABLE_STATS
790 gettimeofday(&start, NULL);
791 #endif
792 /* receive */
793 if (ph1exchange[etypesw1(iph1->etype)]
794 [iph1->side]
795 [iph1->status] == NULL) {
796 plog(LLV_ERROR, LOCATION, iph1->remote,
797 "why isn't the function defined.\n");
798 return -1;
799 }
800 error = (ph1exchange[etypesw1(iph1->etype)]
801 [iph1->side]
802 [iph1->status])(iph1, msg);
803 if (error != 0) {
804
805 /* XXX
806 * When an invalid packet is received on phase1, it should
807 * be selected to process this packet. That is to respond
808 * with a notify and delete phase 1 handler, OR not to respond
809 * and keep phase 1 handler. However, in PHASE1ST_START when
810 * acting as RESPONDER we must not keep phase 1 handler or else
811 * it will stay forever.
812 */
813
814 if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
815 plog(LLV_ERROR, LOCATION, iph1->remote,
816 "failed to pre-process packet.\n");
817 return -1;
818 } else {
819 /* ignore the error and keep phase 1 handler */
820 return 0;
821 }
822 }
823
824 #ifndef ENABLE_FRAG
825 /* free resend buffer */
826 if (iph1->sendbuf == NULL) {
827 plog(LLV_ERROR, LOCATION, NULL,
828 "no buffer found as sendbuf\n");
829 return -1;
830 }
831 #endif
832
833 VPTRINIT(iph1->sendbuf);
834
835 /* turn off schedule */
836 SCHED_KILL(iph1->scr);
837
838 /* send */
839 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
840 if ((ph1exchange[etypesw1(iph1->etype)]
841 [iph1->side]
842 [iph1->status])(iph1, msg) != 0) {
843 plog(LLV_ERROR, LOCATION, iph1->remote,
844 "failed to process packet.\n");
845 return -1;
846 }
847
848 #ifdef ENABLE_STATS
849 gettimeofday(&end, NULL);
850 syslog(LOG_NOTICE, "%s(%s): %8.6f",
851 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
852 timedelta(&start, &end));
853 #endif
854 if (iph1->status == PHASE1ST_ESTABLISHED) {
855
856 #ifdef ENABLE_STATS
857 gettimeofday(&iph1->end, NULL);
858 syslog(LOG_NOTICE, "%s(%s): %8.6f",
859 "phase1", s_isakmp_etype(iph1->etype),
860 timedelta(&iph1->start, &iph1->end));
861 #endif
862
863 /* save created date. */
864 (void)time(&iph1->created);
865
866 /* add to the schedule to expire, and seve back pointer. */
867 iph1->sce = sched_new(iph1->approval->lifetime,
868 isakmp_ph1expire_stub, iph1);
869 #ifdef ENABLE_HYBRID
870 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
871 switch(AUTHMETHOD(iph1)) {
872 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
873 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
874 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
875 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
876 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
877 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
878 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
879 xauth_sendreq(iph1);
880 /* XXX Don't process INITIAL_CONTACT */
881 iph1->rmconf->ini_contact = 0;
882 break;
883 default:
884 break;
885 }
886 }
887 #endif
888 #ifdef ENABLE_DPD
889 /* Schedule the r_u_there.... */
890 if(iph1->dpd_support && iph1->rmconf->dpd_interval)
891 isakmp_sched_r_u(iph1, 0);
892 #endif
893
894 /* INITIAL-CONTACT processing */
895 /* don't anything if local test mode. */
896 if (!f_local
897 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
898 /* send INITIAL-CONTACT */
899 isakmp_info_send_n1(iph1,
900 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
901 /* insert a node into contacted list. */
902 if (inscontacted(iph1->remote) == -1) {
903 plog(LLV_ERROR, LOCATION, iph1->remote,
904 "failed to add contacted list.\n");
905 /* ignore */
906 }
907 }
908
909 log_ph1established(iph1);
910 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
911
912 /*
913 * SA up shell script hook: do it now,except if
914 * ISAKMP mode config was requested. In the later
915 * case it is done when we receive the configuration.
916 */
917 if ((iph1->status == PHASE1ST_ESTABLISHED) &&
918 !iph1->rmconf->mode_cfg) {
919 switch (AUTHMETHOD(iph1)) {
920 #ifdef ENABLE_HYBRID
921 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
922 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
923 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
924 /* Unimplemeted... */
925 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
926 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
927 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
928 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
929 break;
930 #endif
931 default:
932 script_hook(iph1, SCRIPT_PHASE1_UP);
933 break;
934 }
935 }
936 }
937
938 return 0;
939 }
940
941 /*
942 * main function of quick mode.
943 */
944 static int
quick_main(iph2,msg)945 quick_main(iph2, msg)
946 struct ph2handle *iph2;
947 vchar_t *msg;
948 {
949 struct isakmp *isakmp = (struct isakmp *)msg->v;
950 int error;
951 #ifdef ENABLE_STATS
952 struct timeval start, end;
953 #endif
954
955 /* ignore a packet */
956 if (iph2->status == PHASE2ST_ESTABLISHED
957 || iph2->status == PHASE2ST_GETSPISENT)
958 return 0;
959
960 #ifdef ENABLE_STATS
961 gettimeofday(&start, NULL);
962 #endif
963
964 /* receive */
965 if (ph2exchange[etypesw2(isakmp->etype)]
966 [iph2->side]
967 [iph2->status] == NULL) {
968 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
969 "why isn't the function defined.\n");
970 return -1;
971 }
972 error = (ph2exchange[etypesw2(isakmp->etype)]
973 [iph2->side]
974 [iph2->status])(iph2, msg);
975 if (error != 0) {
976 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
977 "failed to pre-process packet.\n");
978 if (error == ISAKMP_INTERNAL_ERROR)
979 return 0;
980 isakmp_info_send_n1(iph2->ph1, error, NULL);
981 return -1;
982 }
983
984 /* when using commit bit, status will be reached here. */
985 if (iph2->status == PHASE2ST_ADDSA)
986 return 0;
987
988 /* free resend buffer */
989 if (iph2->sendbuf == NULL) {
990 plog(LLV_ERROR, LOCATION, NULL,
991 "no buffer found as sendbuf\n");
992 return -1;
993 }
994 VPTRINIT(iph2->sendbuf);
995
996 /* turn off schedule */
997 SCHED_KILL(iph2->scr);
998
999 /* send */
1000 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1001 if ((ph2exchange[etypesw2(isakmp->etype)]
1002 [iph2->side]
1003 [iph2->status])(iph2, msg) != 0) {
1004 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1005 "failed to process packet.\n");
1006 return -1;
1007 }
1008
1009 #ifdef ENABLE_STATS
1010 gettimeofday(&end, NULL);
1011 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1012 "phase2",
1013 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1014 timedelta(&start, &end));
1015 #endif
1016
1017 return 0;
1018 }
1019
1020 /* new negotiation of phase 1 for initiator */
1021 int
isakmp_ph1begin_i(rmconf,remote,local)1022 isakmp_ph1begin_i(rmconf, remote, local)
1023 struct remoteconf *rmconf;
1024 struct sockaddr *remote, *local;
1025 {
1026 struct ph1handle *iph1;
1027 #ifdef ENABLE_STATS
1028 struct timeval start, end;
1029 #endif
1030
1031 /* get new entry to isakmp status table. */
1032 iph1 = newph1();
1033 if (iph1 == NULL)
1034 return -1;
1035
1036 iph1->status = PHASE1ST_START;
1037 iph1->rmconf = rmconf;
1038 iph1->side = INITIATOR;
1039 iph1->version = ISAKMP_VERSION_NUMBER;
1040 iph1->msgid = 0;
1041 iph1->flags = 0;
1042 iph1->ph2cnt = 0;
1043 #ifdef HAVE_GSSAPI
1044 iph1->gssapi_state = NULL;
1045 #endif
1046 #ifdef ENABLE_HYBRID
1047 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1048 delph1(iph1);
1049 return -1;
1050 }
1051 #endif
1052 #ifdef ENABLE_FRAG
1053
1054 if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
1055 iph1->frag = 1;
1056 else
1057 iph1->frag = 0;
1058 iph1->frag_chain = NULL;
1059 #endif
1060 iph1->approval = NULL;
1061
1062 /* XXX copy remote address */
1063 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
1064 delph1(iph1);
1065 return -1;
1066 }
1067
1068 (void)insph1(iph1);
1069
1070 /* start phase 1 exchange */
1071 iph1->etype = rmconf->etypes->type;
1072
1073 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1074 {
1075 char *a;
1076
1077 a = racoon_strdup(saddr2str(iph1->local));
1078 STRDUP_FATAL(a);
1079
1080 plog(LLV_INFO, LOCATION, NULL,
1081 "initiate new phase 1 negotiation: %s<=>%s\n",
1082 a, saddr2str(iph1->remote));
1083 racoon_free(a);
1084 }
1085 plog(LLV_INFO, LOCATION, NULL,
1086 "begin %s mode.\n",
1087 s_isakmp_etype(iph1->etype));
1088
1089 #ifdef ENABLE_STATS
1090 gettimeofday(&iph1->start, NULL);
1091 gettimeofday(&start, NULL);
1092 #endif
1093 /* start exchange */
1094 if ((ph1exchange[etypesw1(iph1->etype)]
1095 [iph1->side]
1096 [iph1->status])(iph1, NULL) != 0) {
1097 /* failed to start phase 1 negotiation */
1098 remph1(iph1);
1099 delph1(iph1);
1100
1101 return -1;
1102 }
1103
1104 #ifdef ENABLE_STATS
1105 gettimeofday(&end, NULL);
1106 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1107 "phase1",
1108 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1109 timedelta(&start, &end));
1110 #endif
1111
1112 return 0;
1113 }
1114
1115 /* new negotiation of phase 1 for responder */
1116 static int
isakmp_ph1begin_r(vchar_t * msg,struct sockaddr * remote,struct sockaddr * local,u_int8_t etype)1117 isakmp_ph1begin_r(vchar_t *msg, struct sockaddr *remote,
1118 struct sockaddr *local, u_int8_t etype)
1119 {
1120 struct isakmp *isakmp = (struct isakmp *)msg->v;
1121 struct remoteconf *rmconf;
1122 struct ph1handle *iph1;
1123 struct etypes *etypeok;
1124 #ifdef ENABLE_STATS
1125 struct timeval start, end;
1126 #endif
1127
1128 /* look for my configuration */
1129 rmconf = getrmconf(remote);
1130 if (rmconf == NULL) {
1131 plog(LLV_ERROR, LOCATION, remote,
1132 "couldn't find "
1133 "configuration.\n");
1134 return -1;
1135 }
1136
1137 /* check to be acceptable exchange type */
1138 etypeok = check_etypeok(rmconf, etype);
1139 if (etypeok == NULL) {
1140 plog(LLV_ERROR, LOCATION, remote,
1141 "not acceptable %s mode\n", s_isakmp_etype(etype));
1142 return -1;
1143 }
1144
1145 /* get new entry to isakmp status table. */
1146 iph1 = newph1();
1147 if (iph1 == NULL)
1148 return -1;
1149
1150 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1151 iph1->status = PHASE1ST_START;
1152 iph1->rmconf = rmconf;
1153 iph1->flags = 0;
1154 iph1->side = RESPONDER;
1155 iph1->etype = etypeok->type;
1156 iph1->version = isakmp->v;
1157 iph1->msgid = 0;
1158 #ifdef HAVE_GSSAPI
1159 iph1->gssapi_state = NULL;
1160 #endif
1161 #ifdef ENABLE_HYBRID
1162 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1163 delph1(iph1);
1164 return -1;
1165 }
1166 #endif
1167 #ifdef ENABLE_FRAG
1168 iph1->frag = 0;
1169 iph1->frag_chain = NULL;
1170 #endif
1171 iph1->approval = NULL;
1172
1173 #ifdef ENABLE_NATT
1174 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
1175 * We have to setup this flag now to correctly generate the first reply.
1176 * Don't know if a better check could be done for that ?
1177 */
1178 if(extract_port(local) == lcconf->port_isakmp_natt)
1179 iph1->natt_flags |= (NAT_PORTS_CHANGED);
1180 #endif
1181
1182 /* copy remote address */
1183 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
1184 delph1(iph1);
1185 return -1;
1186 }
1187 (void)insph1(iph1);
1188
1189 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1190 {
1191 char *a;
1192
1193 a = racoon_strdup(saddr2str(iph1->local));
1194 STRDUP_FATAL(a);
1195
1196 plog(LLV_INFO, LOCATION, NULL,
1197 "respond new phase 1 negotiation: %s<=>%s\n",
1198 a, saddr2str(iph1->remote));
1199 racoon_free(a);
1200 }
1201 plog(LLV_INFO, LOCATION, NULL,
1202 "begin %s mode.\n", s_isakmp_etype(etype));
1203
1204 #ifdef ENABLE_STATS
1205 gettimeofday(&iph1->start, NULL);
1206 gettimeofday(&start, NULL);
1207 #endif
1208
1209 #ifndef ENABLE_FRAG
1210
1211 /* start exchange */
1212 if ((ph1exchange[etypesw1(iph1->etype)]
1213 [iph1->side]
1214 [iph1->status])(iph1, msg) < 0
1215 || (ph1exchange[etypesw1(iph1->etype)]
1216 [iph1->side]
1217 [iph1->status])(iph1, msg) < 0) {
1218 plog(LLV_ERROR, LOCATION, remote,
1219 "failed to process packet.\n");
1220 remph1(iph1);
1221 delph1(iph1);
1222 return -1;
1223 }
1224
1225 #ifdef ENABLE_STATS
1226 gettimeofday(&end, NULL);
1227 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1228 "phase1",
1229 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1230 timedelta(&start, &end));
1231 #endif
1232
1233 return 0;
1234
1235 #else /* ENABLE_FRAG */
1236
1237 /* now that we have a phase1 handle, feed back into our
1238 * main receive function to catch fragmented packets
1239 */
1240
1241 return isakmp_main(msg, remote, local);
1242
1243 #endif /* ENABLE_FRAG */
1244
1245 }
1246
1247 /* new negotiation of phase 2 for initiator */
1248 static int
isakmp_ph2begin_i(iph1,iph2)1249 isakmp_ph2begin_i(iph1, iph2)
1250 struct ph1handle *iph1;
1251 struct ph2handle *iph2;
1252 {
1253 #ifdef ENABLE_HYBRID
1254 if (xauth_check(iph1) != 0) {
1255 plog(LLV_ERROR, LOCATION, NULL,
1256 "Attempt to start phase 2 whereas Xauth failed\n");
1257 return -1;
1258 }
1259 #endif
1260
1261 /* found ISAKMP-SA. */
1262 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1263 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1264 {
1265 char *a;
1266 a = racoon_strdup(saddr2str(iph2->src));
1267 STRDUP_FATAL(a);
1268
1269 plog(LLV_INFO, LOCATION, NULL,
1270 "initiate new phase 2 negotiation: %s<=>%s\n",
1271 a, saddr2str(iph2->dst));
1272 racoon_free(a);
1273 }
1274
1275 #ifdef ENABLE_STATS
1276 gettimeofday(&iph2->start, NULL);
1277 #endif
1278 /* found isakmp-sa */
1279 bindph12(iph1, iph2);
1280 iph2->status = PHASE2ST_STATUS2;
1281
1282 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1283 [iph2->side]
1284 [iph2->status])(iph2, NULL) < 0) {
1285 unbindph12(iph2);
1286 /* release ipsecsa handler due to internal error. */
1287 remph2(iph2);
1288 return -1;
1289 }
1290 return 0;
1291 }
1292
1293 /* new negotiation of phase 2 for responder */
1294 static int
isakmp_ph2begin_r(iph1,msg)1295 isakmp_ph2begin_r(iph1, msg)
1296 struct ph1handle *iph1;
1297 vchar_t *msg;
1298 {
1299 struct isakmp *isakmp = (struct isakmp *)msg->v;
1300 struct ph2handle *iph2 = 0;
1301 int error;
1302 #ifdef ENABLE_STATS
1303 struct timeval start, end;
1304 #endif
1305 #ifdef ENABLE_HYBRID
1306 if (xauth_check(iph1) != 0) {
1307 plog(LLV_ERROR, LOCATION, NULL,
1308 "Attempt to start phase 2 whereas Xauth failed\n");
1309 return -1;
1310 }
1311 #endif
1312
1313 iph2 = newph2();
1314 if (iph2 == NULL) {
1315 plog(LLV_ERROR, LOCATION, NULL,
1316 "failed to allocate phase2 entry.\n");
1317 return -1;
1318 }
1319
1320 iph2->ph1 = iph1;
1321 iph2->side = RESPONDER;
1322 iph2->status = PHASE2ST_START;
1323 iph2->flags = isakmp->flags;
1324 iph2->msgid = isakmp->msgid;
1325 iph2->seq = pk_getseq();
1326 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1327 if (iph2->ivm == NULL) {
1328 delph2(iph2);
1329 return -1;
1330 }
1331 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1332 if (iph2->dst == NULL) {
1333 delph2(iph2);
1334 return -1;
1335 }
1336 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1337 if (iph2->src == NULL) {
1338 delph2(iph2);
1339 return -1;
1340 }
1341 #if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
1342 if (set_port(iph2->dst, 0) == NULL ||
1343 set_port(iph2->src, 0) == NULL) {
1344 plog(LLV_ERROR, LOCATION, NULL,
1345 "invalid family: %d\n", iph2->dst->sa_family);
1346 delph2(iph2);
1347 return -1;
1348 }
1349 #endif
1350
1351 /* add new entry to isakmp status table */
1352 insph2(iph2);
1353 bindph12(iph1, iph2);
1354
1355 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1356 {
1357 char *a;
1358
1359 a = racoon_strdup(saddr2str(iph2->src));
1360 STRDUP_FATAL(a);
1361
1362 plog(LLV_INFO, LOCATION, NULL,
1363 "respond new phase 2 negotiation: %s<=>%s\n",
1364 a, saddr2str(iph2->dst));
1365 racoon_free(a);
1366 }
1367
1368 #ifdef ENABLE_STATS
1369 gettimeofday(&start, NULL);
1370 #endif
1371
1372 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1373 [iph2->side]
1374 [iph2->status])(iph2, msg);
1375 if (error != 0) {
1376 plog(LLV_ERROR, LOCATION, iph1->remote,
1377 "failed to pre-process packet.\n");
1378 if (error != ISAKMP_INTERNAL_ERROR)
1379 isakmp_info_send_n1(iph2->ph1, error, NULL);
1380 /*
1381 * release handler because it's wrong that ph2handle is kept
1382 * after failed to check message for responder's.
1383 */
1384 unbindph12(iph2);
1385 remph2(iph2);
1386 delph2(iph2);
1387 return -1;
1388 }
1389
1390 /* send */
1391 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1392 if ((ph2exchange[etypesw2(isakmp->etype)]
1393 [iph2->side]
1394 [iph2->status])(iph2, msg) < 0) {
1395 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1396 "failed to process packet.\n");
1397 /* don't release handler */
1398 return -1;
1399 }
1400 #ifdef ENABLE_STATS
1401 gettimeofday(&end, NULL);
1402 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1403 "phase2",
1404 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1405 timedelta(&start, &end));
1406 #endif
1407
1408 return 0;
1409 }
1410
1411 /*
1412 * parse ISAKMP payloads, without ISAKMP base header.
1413 */
1414 vchar_t *
isakmp_parsewoh(np0,gen,len)1415 isakmp_parsewoh(np0, gen, len)
1416 int np0;
1417 struct isakmp_gen *gen;
1418 int len;
1419 {
1420 u_char np = np0 & 0xff;
1421 int tlen, plen;
1422 vchar_t *result;
1423 struct isakmp_parse_t *p, *ep;
1424
1425 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1426
1427 /*
1428 * 5 is a magic number, but any value larger than 2 should be fine
1429 * as we do vrealloc() in the following loop.
1430 */
1431 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1432 if (result == NULL) {
1433 plog(LLV_ERROR, LOCATION, NULL,
1434 "failed to get buffer.\n");
1435 return NULL;
1436 }
1437 p = (struct isakmp_parse_t *)result->v;
1438 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1439
1440 tlen = len;
1441
1442 /* parse through general headers */
1443 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1444 if (tlen <= sizeof(struct isakmp_gen)) {
1445 /* don't send information, see isakmp_ident_r1() */
1446 plog(LLV_ERROR, LOCATION, NULL,
1447 "invalid length of payload\n");
1448 vfree(result);
1449 return NULL;
1450 }
1451
1452 plog(LLV_DEBUG, LOCATION, NULL,
1453 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1454
1455 p->type = np;
1456 p->len = ntohs(gen->len);
1457 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
1458 plog(LLV_DEBUG, LOCATION, NULL,
1459 "invalid length of payload\n");
1460 vfree(result);
1461 return NULL;
1462 }
1463 p->ptr = gen;
1464 p++;
1465 if (ep <= p) {
1466 int off;
1467
1468 off = p - (struct isakmp_parse_t *)result->v;
1469 result = vrealloc(result, result->l * 2);
1470 if (result == NULL) {
1471 plog(LLV_DEBUG, LOCATION, NULL,
1472 "failed to realloc buffer.\n");
1473 vfree(result);
1474 return NULL;
1475 }
1476 ep = (struct isakmp_parse_t *)
1477 (result->v + result->l - sizeof(*ep));
1478 p = (struct isakmp_parse_t *)result->v;
1479 p += off;
1480 }
1481
1482 np = gen->np;
1483 plen = ntohs(gen->len);
1484 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1485 tlen -= plen;
1486 }
1487 p->type = ISAKMP_NPTYPE_NONE;
1488 p->len = 0;
1489 p->ptr = NULL;
1490
1491 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1492
1493 return result;
1494 }
1495
1496 /*
1497 * parse ISAKMP payloads, including ISAKMP base header.
1498 */
1499 vchar_t *
isakmp_parse(buf)1500 isakmp_parse(buf)
1501 vchar_t *buf;
1502 {
1503 struct isakmp *isakmp = (struct isakmp *)buf->v;
1504 struct isakmp_gen *gen;
1505 int tlen;
1506 vchar_t *result;
1507 u_char np;
1508
1509 np = isakmp->np;
1510 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1511 tlen = buf->l - sizeof(struct isakmp);
1512 result = isakmp_parsewoh(np, gen, tlen);
1513
1514 return result;
1515 }
1516
1517 /* %%% */
1518 int
isakmp_init()1519 isakmp_init()
1520 {
1521 /* initialize a isakmp status table */
1522 initph1tree();
1523 initph2tree();
1524 initctdtree();
1525 init_recvdpkt();
1526
1527 if (isakmp_open() < 0)
1528 goto err;
1529
1530 return(0);
1531
1532 err:
1533 isakmp_close();
1534 return(-1);
1535 }
1536
1537 /*
1538 * make strings containing i_cookie + r_cookie + msgid
1539 */
1540 const char *
isakmp_pindex(index,msgid)1541 isakmp_pindex(index, msgid)
1542 const isakmp_index *index;
1543 const u_int32_t msgid;
1544 {
1545 static char buf[64];
1546 const u_char *p;
1547 int i, j;
1548
1549 memset(buf, 0, sizeof(buf));
1550
1551 /* copy index */
1552 p = (const u_char *)index;
1553 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1554 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1555 j += 2;
1556 switch (i) {
1557 case 7:
1558 buf[j++] = ':';
1559 }
1560 }
1561
1562 if (msgid == 0)
1563 return buf;
1564
1565 /* copy msgid */
1566 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1567
1568 return buf;
1569 }
1570
1571 /* open ISAKMP sockets. */
1572 int
isakmp_open()1573 isakmp_open()
1574 {
1575 const int yes = 1;
1576 int ifnum = 0, encap_ifnum = 0;
1577 #ifdef INET6
1578 int pktinfo;
1579 #endif
1580 struct myaddrs *p;
1581
1582 for (p = lcconf->myaddrs; p; p = p->next) {
1583 if (!p->addr)
1584 continue;
1585
1586 /* warn if wildcard address - should we forbid this? */
1587 switch (p->addr->sa_family) {
1588 case AF_INET:
1589 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
1590 plog(LLV_WARNING, LOCATION, NULL,
1591 "listening to wildcard address,"
1592 "broadcast IKE packet may kill you\n");
1593 break;
1594 #ifdef INET6
1595 case AF_INET6:
1596 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
1597 plog(LLV_WARNING, LOCATION, NULL,
1598 "listening to wildcard address, "
1599 "broadcast IKE packet may kill you\n");
1600 break;
1601 #endif
1602 default:
1603 plog(LLV_ERROR, LOCATION, NULL,
1604 "unsupported address family %d\n",
1605 lcconf->default_af);
1606 goto err_and_next;
1607 }
1608
1609 #ifdef INET6
1610 if (p->addr->sa_family == AF_INET6 &&
1611 IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)
1612 p->addr)->sin6_addr))
1613 {
1614 plog(LLV_DEBUG, LOCATION, NULL,
1615 "Ignoring multicast address %s\n",
1616 saddr2str(p->addr));
1617 racoon_free(p->addr);
1618 p->addr = NULL;
1619 continue;
1620 }
1621 #endif
1622
1623 if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1624 plog(LLV_ERROR, LOCATION, NULL,
1625 "socket (%s)\n", strerror(errno));
1626 goto err_and_next;
1627 }
1628
1629 if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
1630 plog(LLV_WARNING, LOCATION, NULL,
1631 "failed to put socket in non-blocking mode\n");
1632
1633 /* receive my interface address on inbound packets. */
1634 switch (p->addr->sa_family) {
1635 case AF_INET:
1636 if (setsockopt(p->sock, IPPROTO_IP,
1637 #ifdef __linux__
1638 IP_PKTINFO,
1639 #else
1640 IP_RECVDSTADDR,
1641 #endif
1642 (const void *)&yes, sizeof(yes)) < 0) {
1643 plog(LLV_ERROR, LOCATION, NULL,
1644 "setsockopt IP_RECVDSTADDR (%s)\n",
1645 strerror(errno));
1646 goto err_and_next;
1647 }
1648 break;
1649 #ifdef INET6
1650 case AF_INET6:
1651 #ifdef INET6_ADVAPI
1652 #ifdef IPV6_RECVPKTINFO
1653 pktinfo = IPV6_RECVPKTINFO;
1654 #else /* old adv. API */
1655 pktinfo = IPV6_PKTINFO;
1656 #endif /* IPV6_RECVPKTINFO */
1657 #else
1658 pktinfo = IPV6_RECVDSTADDR;
1659 #endif
1660 if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo,
1661 (const void *)&yes, sizeof(yes)) < 0)
1662 {
1663 plog(LLV_ERROR, LOCATION, NULL,
1664 "setsockopt IPV6_RECVDSTADDR (%d):%s\n",
1665 pktinfo, strerror(errno));
1666 goto err_and_next;
1667 }
1668 break;
1669 #endif
1670 }
1671
1672 #ifdef IPV6_USE_MIN_MTU
1673 if (p->addr->sa_family == AF_INET6 &&
1674 setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1675 (void *)&yes, sizeof(yes)) < 0) {
1676 plog(LLV_ERROR, LOCATION, NULL,
1677 "setsockopt IPV6_USE_MIN_MTU (%s)\n",
1678 strerror(errno));
1679 return -1;
1680 }
1681 #endif
1682
1683 if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
1684 goto err_and_next;
1685
1686 if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
1687 plog(LLV_ERROR, LOCATION, p->addr,
1688 "failed to bind to address %s (%s).\n",
1689 saddr2str(p->addr), strerror(errno));
1690 close(p->sock);
1691 goto err_and_next;
1692 }
1693
1694 ifnum++;
1695
1696 plog(LLV_INFO, LOCATION, NULL,
1697 "%s used as isakmp port (fd=%d)\n",
1698 saddr2str(p->addr), p->sock);
1699
1700 #ifdef ENABLE_NATT
1701 if (p->addr->sa_family == AF_INET) {
1702 int option = -1;
1703
1704
1705 if(p->udp_encap)
1706 option = UDP_ENCAP_ESPINUDP;
1707 #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01)
1708 else
1709 option = UDP_ENCAP_ESPINUDP_NON_IKE;
1710 #endif
1711 if(option != -1){
1712 if (setsockopt (p->sock, SOL_UDP,
1713 UDP_ENCAP, &option, sizeof (option)) < 0) {
1714 plog(LLV_WARNING, LOCATION, NULL,
1715 "setsockopt(%s): UDP_ENCAP %s\n",
1716 option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
1717 strerror(errno));
1718 goto skip_encap;
1719 }
1720 else {
1721 plog(LLV_INFO, LOCATION, NULL,
1722 "%s used for NAT-T\n",
1723 saddr2str(p->addr));
1724 encap_ifnum++;
1725 }
1726 }
1727 }
1728 skip_encap:
1729 #endif
1730 continue;
1731
1732 err_and_next:
1733 racoon_free(p->addr);
1734 p->addr = NULL;
1735 if (! lcconf->autograbaddr && lcconf->strict_address)
1736 return -1;
1737 continue;
1738 }
1739
1740 if (!ifnum) {
1741 plog(LLV_ERROR, LOCATION, NULL,
1742 "no address could be bound.\n");
1743 return -1;
1744 }
1745
1746 #ifdef ENABLE_NATT
1747 if (natt_enabled_in_rmconf() && !encap_ifnum) {
1748 plog(LLV_WARNING, LOCATION, NULL,
1749 "NAT-T is enabled in at least one remote{} section,\n");
1750 plog(LLV_WARNING, LOCATION, NULL,
1751 "but no 'isakmp_natt' address was specified!\n");
1752 }
1753 #endif
1754
1755 return 0;
1756 }
1757
1758 void
isakmp_close()1759 isakmp_close()
1760 {
1761 #ifndef ANDROID_PATCHED
1762 struct myaddrs *p, *next;
1763
1764 for (p = lcconf->myaddrs; p; p = next) {
1765 next = p->next;
1766
1767 if (!p->addr) {
1768 racoon_free(p);
1769 continue;
1770 }
1771 close(p->sock);
1772 racoon_free(p->addr);
1773 racoon_free(p);
1774 }
1775
1776 lcconf->myaddrs = NULL;
1777 #endif
1778 }
1779
1780 int
isakmp_send(iph1,sbuf)1781 isakmp_send(iph1, sbuf)
1782 struct ph1handle *iph1;
1783 vchar_t *sbuf;
1784 {
1785 int len = 0;
1786 int s;
1787 vchar_t *vbuf = NULL, swap;
1788
1789 #ifdef ENABLE_NATT
1790 size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
1791
1792 /* Check if NON_ESP_MARKER_LEN is already there (happens when resending packets)
1793 */
1794 if(extralen == NON_ESP_MARKER_LEN &&
1795 *(u_int32_t *)sbuf->v == 0)
1796 extralen = 0;
1797
1798 #ifdef ENABLE_FRAG
1799 /*
1800 * Do not add the non ESP marker for a packet that will
1801 * be fragmented. The non ESP marker should appear in
1802 * all fragment's packets, but not in the fragmented packet
1803 */
1804 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
1805 extralen = 0;
1806 #endif
1807 if (extralen)
1808 plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
1809
1810 /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
1811 must added just before the packet itself. For this we must
1812 allocate a new buffer and release it at the end. */
1813 if (extralen) {
1814 if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
1815 plog(LLV_ERROR, LOCATION, NULL,
1816 "vbuf allocation failed\n");
1817 return -1;
1818 }
1819 *(u_int32_t *)vbuf->v = 0;
1820 memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
1821 /* ensures that the modified buffer will be sent back to the caller, so
1822 * add_recvdpkt() will add the correct buffer
1823 */
1824 swap = *sbuf;
1825 *sbuf = *vbuf;
1826 *vbuf = swap;
1827 vfree(vbuf);
1828 }
1829 #endif
1830
1831 /* select the socket to be sent */
1832 s = getsockmyaddr(iph1->local);
1833 if (s == -1){
1834 return -1;
1835 }
1836
1837 plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
1838 saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
1839
1840 #ifdef ENABLE_FRAG
1841 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
1842 if (isakmp_sendfrags(iph1, sbuf) == -1) {
1843 plog(LLV_ERROR, LOCATION, NULL,
1844 "isakmp_sendfrags failed\n");
1845 return -1;
1846 }
1847 } else
1848 #endif
1849 {
1850 len = sendfromto(s, sbuf->v, sbuf->l,
1851 iph1->local, iph1->remote, lcconf->count_persend);
1852
1853 if (len == -1) {
1854 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1855 return -1;
1856 }
1857 }
1858
1859 return 0;
1860 }
1861
1862 /* called from scheduler */
1863 void
isakmp_ph1resend_stub(p)1864 isakmp_ph1resend_stub(p)
1865 void *p;
1866 {
1867 struct ph1handle *iph1;
1868
1869 iph1=(struct ph1handle *)p;
1870 if(isakmp_ph1resend(iph1) < 0){
1871 if(iph1->scr != NULL){
1872 /* Should not happen...
1873 */
1874 sched_kill(iph1->scr);
1875 iph1->scr=NULL;
1876 }
1877
1878 remph1(iph1);
1879 delph1(iph1);
1880 }
1881 }
1882
1883 int
isakmp_ph1resend(iph1)1884 isakmp_ph1resend(iph1)
1885 struct ph1handle *iph1;
1886 {
1887 /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
1888 */
1889 if (iph1->retry_counter <= 0) {
1890 plog(LLV_ERROR, LOCATION, NULL,
1891 "phase1 negotiation failed due to time up. %s\n",
1892 isakmp_pindex(&iph1->index, iph1->msgid));
1893 EVT_PUSH(iph1->local, iph1->remote,
1894 EVTT_PEER_NO_RESPONSE, NULL);
1895
1896 return -1;
1897 }
1898
1899 if (isakmp_send(iph1, iph1->sendbuf) < 0){
1900 plog(LLV_ERROR, LOCATION, NULL,
1901 "phase1 negotiation failed due to send error. %s\n",
1902 isakmp_pindex(&iph1->index, iph1->msgid));
1903 EVT_PUSH(iph1->local, iph1->remote,
1904 EVTT_PEER_NO_RESPONSE, NULL);
1905 return -1;
1906 }
1907
1908 plog(LLV_DEBUG, LOCATION, NULL,
1909 "resend phase1 packet %s\n",
1910 isakmp_pindex(&iph1->index, iph1->msgid));
1911
1912 iph1->retry_counter--;
1913
1914 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1915 isakmp_ph1resend_stub, iph1);
1916
1917 return 0;
1918 }
1919
1920 /* called from scheduler */
1921 void
isakmp_ph2resend_stub(p)1922 isakmp_ph2resend_stub(p)
1923 void *p;
1924 {
1925 struct ph2handle *iph2;
1926
1927 iph2=(struct ph2handle *)p;
1928
1929 if(isakmp_ph2resend(iph2) < 0){
1930 unbindph12(iph2);
1931 remph2(iph2);
1932 delph2(iph2);
1933 }
1934 }
1935
1936 int
isakmp_ph2resend(iph2)1937 isakmp_ph2resend(iph2)
1938 struct ph2handle *iph2;
1939 {
1940 /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
1941 */
1942 if (iph2->ph1->status == PHASE1ST_EXPIRED){
1943 plog(LLV_ERROR, LOCATION, NULL,
1944 "phase2 negotiation failed due to phase1 expired. %s\n",
1945 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1946 return -1;
1947 }
1948
1949 if (iph2->retry_counter <= 0) {
1950 plog(LLV_ERROR, LOCATION, NULL,
1951 "phase2 negotiation failed due to time up. %s\n",
1952 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1953 EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
1954 unbindph12(iph2);
1955 return -1;
1956 }
1957
1958 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){
1959 plog(LLV_ERROR, LOCATION, NULL,
1960 "phase2 negotiation failed due to send error. %s\n",
1961 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1962 EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
1963
1964 return -1;
1965 }
1966
1967 plog(LLV_DEBUG, LOCATION, NULL,
1968 "resend phase2 packet %s\n",
1969 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1970
1971 iph2->retry_counter--;
1972
1973 iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
1974 isakmp_ph2resend_stub, iph2);
1975
1976 return 0;
1977 }
1978
1979 /* called from scheduler */
1980 void
isakmp_ph1expire_stub(p)1981 isakmp_ph1expire_stub(p)
1982 void *p;
1983 {
1984
1985 isakmp_ph1expire((struct ph1handle *)p);
1986 }
1987
1988 void
isakmp_ph1expire(iph1)1989 isakmp_ph1expire(iph1)
1990 struct ph1handle *iph1;
1991 {
1992 char *src, *dst;
1993
1994 SCHED_KILL(iph1->sce);
1995
1996 if(iph1->status != PHASE1ST_EXPIRED){
1997 src = racoon_strdup(saddr2str(iph1->local));
1998 dst = racoon_strdup(saddr2str(iph1->remote));
1999 STRDUP_FATAL(src);
2000 STRDUP_FATAL(dst);
2001
2002 plog(LLV_INFO, LOCATION, NULL,
2003 "ISAKMP-SA expired %s-%s spi:%s\n",
2004 src, dst,
2005 isakmp_pindex(&iph1->index, 0));
2006 racoon_free(src);
2007 racoon_free(dst);
2008 iph1->status = PHASE1ST_EXPIRED;
2009 }
2010
2011 /*
2012 * the phase1 deletion is postponed until there is no phase2.
2013 */
2014 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2015 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
2016 return;
2017 }
2018
2019 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
2020 }
2021
2022 /* called from scheduler */
2023 void
isakmp_ph1delete_stub(p)2024 isakmp_ph1delete_stub(p)
2025 void *p;
2026 {
2027
2028 isakmp_ph1delete((struct ph1handle *)p);
2029 }
2030
2031 void
isakmp_ph1delete(iph1)2032 isakmp_ph1delete(iph1)
2033 struct ph1handle *iph1;
2034 {
2035 char *src, *dst;
2036
2037 SCHED_KILL(iph1->sce);
2038
2039 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2040 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
2041 return;
2042 }
2043
2044 /* don't re-negosiation when the phase 1 SA expires. */
2045
2046 src = racoon_strdup(saddr2str(iph1->local));
2047 dst = racoon_strdup(saddr2str(iph1->remote));
2048 STRDUP_FATAL(src);
2049 STRDUP_FATAL(dst);
2050
2051 plog(LLV_INFO, LOCATION, NULL,
2052 "ISAKMP-SA deleted %s-%s spi:%s\n",
2053 src, dst, isakmp_pindex(&iph1->index, 0));
2054 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
2055 racoon_free(src);
2056 racoon_free(dst);
2057
2058 remph1(iph1);
2059 delph1(iph1);
2060
2061 return;
2062 }
2063
2064 /* called from scheduler.
2065 * this function will call only isakmp_ph2delete().
2066 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
2067 * by something cause. That's why this function is called after phase 2 SA
2068 * expires in the userland.
2069 */
2070 void
isakmp_ph2expire_stub(p)2071 isakmp_ph2expire_stub(p)
2072 void *p;
2073 {
2074
2075 isakmp_ph2expire((struct ph2handle *)p);
2076 }
2077
2078 void
isakmp_ph2expire(iph2)2079 isakmp_ph2expire(iph2)
2080 struct ph2handle *iph2;
2081 {
2082 char *src, *dst;
2083
2084 SCHED_KILL(iph2->sce);
2085
2086 src = racoon_strdup(saddrwop2str(iph2->src));
2087 dst = racoon_strdup(saddrwop2str(iph2->dst));
2088 STRDUP_FATAL(src);
2089 STRDUP_FATAL(dst);
2090
2091 plog(LLV_INFO, LOCATION, NULL,
2092 "phase2 sa expired %s-%s\n", src, dst);
2093 racoon_free(src);
2094 racoon_free(dst);
2095
2096 iph2->status = PHASE2ST_EXPIRED;
2097
2098 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
2099
2100 return;
2101 }
2102
2103 /* called from scheduler */
2104 void
isakmp_ph2delete_stub(p)2105 isakmp_ph2delete_stub(p)
2106 void *p;
2107 {
2108
2109 isakmp_ph2delete((struct ph2handle *)p);
2110 }
2111
2112 void
isakmp_ph2delete(iph2)2113 isakmp_ph2delete(iph2)
2114 struct ph2handle *iph2;
2115 {
2116 char *src, *dst;
2117
2118 SCHED_KILL(iph2->sce);
2119
2120 src = racoon_strdup(saddrwop2str(iph2->src));
2121 dst = racoon_strdup(saddrwop2str(iph2->dst));
2122 STRDUP_FATAL(src);
2123 STRDUP_FATAL(dst);
2124
2125 plog(LLV_INFO, LOCATION, NULL,
2126 "phase2 sa deleted %s-%s\n", src, dst);
2127 racoon_free(src);
2128 racoon_free(dst);
2129
2130 unbindph12(iph2);
2131 remph2(iph2);
2132 delph2(iph2);
2133
2134 return;
2135 }
2136
2137 /* %%%
2138 * Interface between PF_KEYv2 and ISAKMP
2139 */
2140 /*
2141 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
2142 * if phase1 has been finished, begin phase2.
2143 */
2144 int
isakmp_post_acquire(iph2)2145 isakmp_post_acquire(iph2)
2146 struct ph2handle *iph2;
2147 {
2148 struct remoteconf *rmconf;
2149 struct ph1handle *iph1 = NULL;
2150
2151 plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
2152
2153 /* search appropreate configuration with masking port. */
2154 rmconf = getrmconf(iph2->dst);
2155 if (rmconf == NULL) {
2156 plog(LLV_ERROR, LOCATION, NULL,
2157 "no configuration found for %s.\n",
2158 saddrwop2str(iph2->dst));
2159 return -1;
2160 }
2161
2162 /* if passive mode, ignore the acquire message */
2163 if (rmconf->passive) {
2164 plog(LLV_DEBUG, LOCATION, NULL,
2165 "because of passive mode, "
2166 "ignore the acquire message for %s.\n",
2167 saddrwop2str(iph2->dst));
2168 return 0;
2169 }
2170
2171 /*
2172 * Search isakmp status table by address and port
2173 * If NAT-T is in use, consider null ports as a
2174 * wildcard and use IKE ports instead.
2175 */
2176 #ifdef ENABLE_NATT
2177 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
2178 if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
2179 set_port(iph2->src, extract_port(iph1->local));
2180 set_port(iph2->dst, extract_port(iph1->remote));
2181 }
2182 } else {
2183 iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2184 }
2185 #else
2186 iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2187 #endif
2188
2189 /* no ISAKMP-SA found. */
2190 if (iph1 == NULL) {
2191 struct sched *sc;
2192
2193 iph2->retry_checkph1 = lcconf->retry_checkph1;
2194 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
2195 plog(LLV_INFO, LOCATION, NULL,
2196 "IPsec-SA request for %s queued "
2197 "due to no phase1 found.\n",
2198 saddrwop2str(iph2->dst));
2199
2200 /* start phase 1 negotiation as a initiator. */
2201 if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) {
2202 SCHED_KILL(sc);
2203 return -1;
2204 }
2205
2206 return 0;
2207 /*NOTREACHED*/
2208 }
2209
2210 /* found ISAKMP-SA, but on negotiation. */
2211 if (iph1->status != PHASE1ST_ESTABLISHED) {
2212 iph2->retry_checkph1 = lcconf->retry_checkph1;
2213 sched_new(1, isakmp_chkph1there_stub, iph2);
2214 plog(LLV_INFO, LOCATION, iph2->dst,
2215 "request for establishing IPsec-SA was queued "
2216 "due to no phase1 found.\n");
2217 return 0;
2218 /*NOTREACHED*/
2219 }
2220
2221 /* found established ISAKMP-SA */
2222 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
2223
2224 /* found ISAKMP-SA. */
2225 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
2226
2227 /* begin quick mode */
2228 if (isakmp_ph2begin_i(iph1, iph2))
2229 return -1;
2230
2231 return 0;
2232 }
2233
2234 /*
2235 * receive GETSPI from kernel.
2236 */
2237 int
isakmp_post_getspi(iph2)2238 isakmp_post_getspi(iph2)
2239 struct ph2handle *iph2;
2240 {
2241 #ifdef ENABLE_STATS
2242 struct timeval start, end;
2243 #endif
2244
2245 /* don't process it because there is no suitable phase1-sa. */
2246 if (iph2->ph1->status == PHASE1ST_EXPIRED) {
2247 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2248 "the negotiation is stopped, "
2249 "because there is no suitable ISAKMP-SA.\n");
2250 return -1;
2251 }
2252
2253 #ifdef ENABLE_STATS
2254 gettimeofday(&start, NULL);
2255 #endif
2256 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2257 [iph2->side]
2258 [iph2->status])(iph2, NULL) != 0)
2259 return -1;
2260 #ifdef ENABLE_STATS
2261 gettimeofday(&end, NULL);
2262 syslog(LOG_NOTICE, "%s(%s): %8.6f",
2263 "phase2",
2264 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2265 timedelta(&start, &end));
2266 #endif
2267
2268 return 0;
2269 }
2270
2271 /* called by scheduler */
2272 void
isakmp_chkph1there_stub(p)2273 isakmp_chkph1there_stub(p)
2274 void *p;
2275 {
2276 isakmp_chkph1there((struct ph2handle *)p);
2277 }
2278
2279 void
isakmp_chkph1there(iph2)2280 isakmp_chkph1there(iph2)
2281 struct ph2handle *iph2;
2282 {
2283 struct ph1handle *iph1;
2284
2285 iph2->retry_checkph1--;
2286 if (iph2->retry_checkph1 < 0) {
2287 plog(LLV_ERROR, LOCATION, iph2->dst,
2288 "phase2 negotiation failed "
2289 "due to time up waiting for phase1. %s\n",
2290 sadbsecas2str(iph2->dst, iph2->src,
2291 iph2->satype, 0, 0));
2292 plog(LLV_INFO, LOCATION, NULL,
2293 "delete phase 2 handler.\n");
2294
2295 /* send acquire to kernel as error */
2296 pk_sendeacquire(iph2);
2297
2298 unbindph12(iph2);
2299 remph2(iph2);
2300 delph2(iph2);
2301
2302 return;
2303 }
2304
2305 /*
2306 * Search isakmp status table by address and port
2307 * If NAT-T is in use, consider null ports as a
2308 * wildcard and use IKE ports instead.
2309 */
2310 #ifdef ENABLE_NATT
2311 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
2312 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
2313 if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
2314 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
2315 }
2316 } else {
2317 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
2318 iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2319 if(iph1 != NULL)
2320 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
2321 }
2322 #else
2323 iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2324 #endif
2325
2326 /* XXX Even if ph1 as responder is there, should we not start
2327 * phase 2 negotiation ? */
2328 if (iph1 != NULL
2329 && iph1->status == PHASE1ST_ESTABLISHED) {
2330 /* found isakmp-sa */
2331
2332 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n");
2333 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local));
2334 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote));
2335 plog(LLV_DEBUG2, LOCATION, NULL, "before:\n");
2336 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
2337 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
2338 set_port(iph2->src, extract_port(iph1->local));
2339 set_port(iph2->dst, extract_port(iph1->remote));
2340 plog(LLV_DEBUG2, LOCATION, NULL, "After:\n");
2341 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
2342 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
2343
2344 /* begin quick mode */
2345 (void)isakmp_ph2begin_i(iph1, iph2);
2346 return;
2347 }
2348
2349 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n");
2350
2351 /* no isakmp-sa found */
2352 sched_new(1, isakmp_chkph1there_stub, iph2);
2353
2354 return;
2355 }
2356
2357 /* copy variable data into ALLOCATED buffer. */
2358 caddr_t
isakmp_set_attr_v(buf,type,val,len)2359 isakmp_set_attr_v(buf, type, val, len)
2360 caddr_t buf;
2361 int type;
2362 caddr_t val;
2363 int len;
2364 {
2365 struct isakmp_data *data;
2366
2367 data = (struct isakmp_data *)buf;
2368 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2369 data->lorv = htons((u_int16_t)len);
2370 memcpy(data + 1, val, len);
2371
2372 return buf + sizeof(*data) + len;
2373 }
2374
2375 /* copy fixed length data into ALLOCATED buffer. */
2376 caddr_t
isakmp_set_attr_l(buf,type,val)2377 isakmp_set_attr_l(buf, type, val)
2378 caddr_t buf;
2379 int type;
2380 u_int32_t val;
2381 {
2382 struct isakmp_data *data;
2383
2384 data = (struct isakmp_data *)buf;
2385 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2386 data->lorv = htons((u_int16_t)val);
2387
2388 return buf + sizeof(*data);
2389 }
2390
2391 /* add a variable data attribute to the buffer by reallocating it. */
2392 vchar_t *
isakmp_add_attr_v(buf0,type,val,len)2393 isakmp_add_attr_v(buf0, type, val, len)
2394 vchar_t *buf0;
2395 int type;
2396 caddr_t val;
2397 int len;
2398 {
2399 vchar_t *buf = NULL;
2400 struct isakmp_data *data;
2401 int tlen;
2402 int oldlen = 0;
2403
2404 tlen = sizeof(*data) + len;
2405
2406 if (buf0) {
2407 oldlen = buf0->l;
2408 buf = vrealloc(buf0, oldlen + tlen);
2409 } else
2410 buf = vmalloc(tlen);
2411 if (!buf) {
2412 plog(LLV_ERROR, LOCATION, NULL,
2413 "failed to get a attribute buffer.\n");
2414 return NULL;
2415 }
2416
2417 data = (struct isakmp_data *)(buf->v + oldlen);
2418 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2419 data->lorv = htons((u_int16_t)len);
2420 memcpy(data + 1, val, len);
2421
2422 return buf;
2423 }
2424
2425 /* add a fixed data attribute to the buffer by reallocating it. */
2426 vchar_t *
isakmp_add_attr_l(buf0,type,val)2427 isakmp_add_attr_l(buf0, type, val)
2428 vchar_t *buf0;
2429 int type;
2430 u_int32_t val;
2431 {
2432 vchar_t *buf = NULL;
2433 struct isakmp_data *data;
2434 int tlen;
2435 int oldlen = 0;
2436
2437 tlen = sizeof(*data);
2438
2439 if (buf0) {
2440 oldlen = buf0->l;
2441 buf = vrealloc(buf0, oldlen + tlen);
2442 } else
2443 buf = vmalloc(tlen);
2444 if (!buf) {
2445 plog(LLV_ERROR, LOCATION, NULL,
2446 "failed to get a attribute buffer.\n");
2447 return NULL;
2448 }
2449
2450 data = (struct isakmp_data *)(buf->v + oldlen);
2451 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2452 data->lorv = htons((u_int16_t)val);
2453
2454 return buf;
2455 }
2456
2457 /*
2458 * calculate cookie and set.
2459 */
2460 int
isakmp_newcookie(place,remote,local)2461 isakmp_newcookie(place, remote, local)
2462 caddr_t place;
2463 struct sockaddr *remote;
2464 struct sockaddr *local;
2465 {
2466 vchar_t *buf = NULL, *buf2 = NULL;
2467 char *p;
2468 int blen;
2469 int alen;
2470 caddr_t sa1, sa2;
2471 time_t t;
2472 int error = -1;
2473 u_short port;
2474
2475
2476 if (remote->sa_family != local->sa_family) {
2477 plog(LLV_ERROR, LOCATION, NULL,
2478 "address family mismatch, remote:%d local:%d\n",
2479 remote->sa_family, local->sa_family);
2480 goto end;
2481 }
2482 switch (remote->sa_family) {
2483 case AF_INET:
2484 alen = sizeof(struct in_addr);
2485 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2486 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2487 break;
2488 #ifdef INET6
2489 case AF_INET6:
2490 alen = sizeof(struct in6_addr);
2491 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2492 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2493 break;
2494 #endif
2495 default:
2496 plog(LLV_ERROR, LOCATION, NULL,
2497 "invalid family: %d\n", remote->sa_family);
2498 goto end;
2499 }
2500 blen = (alen + sizeof(u_short)) * 2
2501 + sizeof(time_t) + lcconf->secret_size;
2502 buf = vmalloc(blen);
2503 if (buf == NULL) {
2504 plog(LLV_ERROR, LOCATION, NULL,
2505 "failed to get a cookie.\n");
2506 goto end;
2507 }
2508 p = buf->v;
2509
2510 /* copy my address */
2511 memcpy(p, sa1, alen);
2512 p += alen;
2513 port = ((struct sockaddr_in *)remote)->sin_port;
2514 memcpy(p, &port, sizeof(u_short));
2515 p += sizeof(u_short);
2516
2517 /* copy target address */
2518 memcpy(p, sa2, alen);
2519 p += alen;
2520 port = ((struct sockaddr_in *)local)->sin_port;
2521 memcpy(p, &port, sizeof(u_short));
2522 p += sizeof(u_short);
2523
2524 /* copy time */
2525 t = time(0);
2526 memcpy(p, (caddr_t)&t, sizeof(t));
2527 p += sizeof(t);
2528
2529 /* copy random value */
2530 buf2 = eay_set_random(lcconf->secret_size);
2531 if (buf2 == NULL)
2532 goto end;
2533 memcpy(p, buf2->v, lcconf->secret_size);
2534 p += lcconf->secret_size;
2535 vfree(buf2);
2536
2537 buf2 = eay_sha1_one(buf);
2538 memcpy(place, buf2->v, sizeof(cookie_t));
2539
2540 sa1 = val2str(place, sizeof (cookie_t));
2541 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2542 racoon_free(sa1);
2543
2544 error = 0;
2545 end:
2546 if (buf != NULL)
2547 vfree(buf);
2548 if (buf2 != NULL)
2549 vfree(buf2);
2550 return error;
2551 }
2552
2553 /*
2554 * save partner's(payload) data into phhandle.
2555 */
2556 int
isakmp_p2ph(buf,gen)2557 isakmp_p2ph(buf, gen)
2558 vchar_t **buf;
2559 struct isakmp_gen *gen;
2560 {
2561 /* XXX to be checked in each functions for logging. */
2562 if (*buf) {
2563 plog(LLV_WARNING, LOCATION, NULL,
2564 "ignore this payload, same payload type exist.\n");
2565 return -1;
2566 }
2567
2568 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
2569 if (*buf == NULL) {
2570 plog(LLV_ERROR, LOCATION, NULL,
2571 "failed to get buffer.\n");
2572 return -1;
2573 }
2574 memcpy((*buf)->v, gen + 1, (*buf)->l);
2575
2576 return 0;
2577 }
2578
2579 u_int32_t
isakmp_newmsgid2(iph1)2580 isakmp_newmsgid2(iph1)
2581 struct ph1handle *iph1;
2582 {
2583 u_int32_t msgid2;
2584
2585 do {
2586 msgid2 = eay_random();
2587 } while (getph2bymsgid(iph1, msgid2));
2588
2589 return msgid2;
2590 }
2591
2592 /*
2593 * set values into allocated buffer of isakmp header for phase 1
2594 */
2595 static caddr_t
set_isakmp_header(vbuf,iph1,nptype,etype,flags,msgid)2596 set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid)
2597 vchar_t *vbuf;
2598 struct ph1handle *iph1;
2599 int nptype;
2600 u_int8_t etype;
2601 u_int8_t flags;
2602 u_int32_t msgid;
2603 {
2604 struct isakmp *isakmp;
2605
2606 if (vbuf->l < sizeof(*isakmp))
2607 return NULL;
2608
2609 isakmp = (struct isakmp *)vbuf->v;
2610
2611 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2612 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2613 isakmp->np = nptype;
2614 isakmp->v = iph1->version;
2615 isakmp->etype = etype;
2616 isakmp->flags = flags;
2617 isakmp->msgid = msgid;
2618 isakmp->len = htonl(vbuf->l);
2619
2620 return vbuf->v + sizeof(*isakmp);
2621 }
2622
2623 /*
2624 * set values into allocated buffer of isakmp header for phase 1
2625 */
2626 caddr_t
set_isakmp_header1(vbuf,iph1,nptype)2627 set_isakmp_header1(vbuf, iph1, nptype)
2628 vchar_t *vbuf;
2629 struct ph1handle *iph1;
2630 int nptype;
2631 {
2632 return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
2633 }
2634
2635 /*
2636 * set values into allocated buffer of isakmp header for phase 2
2637 */
2638 caddr_t
set_isakmp_header2(vbuf,iph2,nptype)2639 set_isakmp_header2(vbuf, iph2, nptype)
2640 vchar_t *vbuf;
2641 struct ph2handle *iph2;
2642 int nptype;
2643 {
2644 return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
2645 }
2646
2647 /*
2648 * set values into allocated buffer of isakmp payload.
2649 */
2650 caddr_t
set_isakmp_payload(buf,src,nptype)2651 set_isakmp_payload(buf, src, nptype)
2652 caddr_t buf;
2653 vchar_t *src;
2654 int nptype;
2655 {
2656 struct isakmp_gen *gen;
2657 caddr_t p = buf;
2658
2659 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n",
2660 src->l, nptype);
2661
2662 gen = (struct isakmp_gen *)p;
2663 gen->np = nptype;
2664 gen->len = htons(sizeof(*gen) + src->l);
2665 p += sizeof(*gen);
2666 memcpy(p, src->v, src->l);
2667 p += src->l;
2668
2669 return p;
2670 }
2671
2672 static int
etypesw1(etype)2673 etypesw1(etype)
2674 int etype;
2675 {
2676 switch (etype) {
2677 case ISAKMP_ETYPE_IDENT:
2678 return 1;
2679 case ISAKMP_ETYPE_AGG:
2680 return 2;
2681 case ISAKMP_ETYPE_BASE:
2682 return 3;
2683 default:
2684 return 0;
2685 }
2686 /*NOTREACHED*/
2687 }
2688
2689 static int
etypesw2(etype)2690 etypesw2(etype)
2691 int etype;
2692 {
2693 switch (etype) {
2694 case ISAKMP_ETYPE_QUICK:
2695 return 1;
2696 default:
2697 return 0;
2698 }
2699 /*NOTREACHED*/
2700 }
2701
2702 #ifdef HAVE_PRINT_ISAKMP_C
2703 /* for print-isakmp.c */
2704 char *snapend;
2705 extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2706
2707 char *getname __P((const u_char *));
2708 #ifdef INET6
2709 char *getname6 __P((const u_char *));
2710 #endif
2711 int safeputchar __P((int));
2712
2713 /*
2714 * Return a name for the IP address pointed to by ap. This address
2715 * is assumed to be in network byte order.
2716 */
2717 char *
getname(ap)2718 getname(ap)
2719 const u_char *ap;
2720 {
2721 struct sockaddr_in addr;
2722 static char ntop_buf[NI_MAXHOST];
2723
2724 memset(&addr, 0, sizeof(addr));
2725 #ifndef __linux__
2726 addr.sin_len = sizeof(struct sockaddr_in);
2727 #endif
2728 addr.sin_family = AF_INET;
2729 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2730 if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
2731 ntop_buf, sizeof(ntop_buf), NULL, 0,
2732 NI_NUMERICHOST | niflags))
2733 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2734
2735 return ntop_buf;
2736 }
2737
2738 #ifdef INET6
2739 /*
2740 * Return a name for the IP6 address pointed to by ap. This address
2741 * is assumed to be in network byte order.
2742 */
2743 char *
getname6(ap)2744 getname6(ap)
2745 const u_char *ap;
2746 {
2747 struct sockaddr_in6 addr;
2748 static char ntop_buf[NI_MAXHOST];
2749
2750 memset(&addr, 0, sizeof(addr));
2751 addr.sin6_len = sizeof(struct sockaddr_in6);
2752 addr.sin6_family = AF_INET6;
2753 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2754 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2755 ntop_buf, sizeof(ntop_buf), NULL, 0,
2756 NI_NUMERICHOST | niflags))
2757 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2758
2759 return ntop_buf;
2760 }
2761 #endif /* INET6 */
2762
2763 int
safeputchar(c)2764 safeputchar(c)
2765 int c;
2766 {
2767 unsigned char ch;
2768
2769 ch = (unsigned char)(c & 0xff);
2770 if (c < 0x80 && isprint(c))
2771 return printf("%c", c & 0xff);
2772 else
2773 return printf("\\%03o", c & 0xff);
2774 }
2775
2776 void
isakmp_printpacket(msg,from,my,decoded)2777 isakmp_printpacket(msg, from, my, decoded)
2778 vchar_t *msg;
2779 struct sockaddr *from;
2780 struct sockaddr *my;
2781 int decoded;
2782 {
2783 #ifdef YIPS_DEBUG
2784 struct timeval tv;
2785 int s;
2786 char hostbuf[NI_MAXHOST];
2787 char portbuf[NI_MAXSERV];
2788 struct isakmp *isakmp;
2789 vchar_t *buf;
2790 #endif
2791
2792 if (loglevel < LLV_DEBUG)
2793 return;
2794
2795 #ifdef YIPS_DEBUG
2796 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2797
2798 gettimeofday(&tv, NULL);
2799 s = tv.tv_sec % 3600;
2800 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2801
2802 if (from) {
2803 if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
2804 portbuf, sizeof(portbuf),
2805 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2806 strlcpy(hostbuf, "?", sizeof(hostbuf));
2807 strlcpy(portbuf, "?", sizeof(portbuf));
2808 }
2809 printf("%s:%s", hostbuf, portbuf);
2810 } else
2811 printf("?");
2812 printf(" -> ");
2813 if (my) {
2814 if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
2815 portbuf, sizeof(portbuf),
2816 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2817 strlcpy(hostbuf, "?", sizeof(hostbuf));
2818 strlcpy(portbuf, "?", sizeof(portbuf));
2819 }
2820 printf("%s:%s", hostbuf, portbuf);
2821 } else
2822 printf("?");
2823 printf(": ");
2824
2825 buf = vdup(msg);
2826 if (!buf) {
2827 printf("(malloc fail)\n");
2828 return;
2829 }
2830 if (decoded) {
2831 isakmp = (struct isakmp *)buf->v;
2832 if (isakmp->flags & ISAKMP_FLAG_E) {
2833 #if 0
2834 int pad;
2835 pad = *(u_char *)(buf->v + buf->l - 1);
2836 if (buf->l < pad && 2 < vflag)
2837 printf("(wrong padding)");
2838 #endif
2839 isakmp->flags &= ~ISAKMP_FLAG_E;
2840 }
2841 }
2842
2843 snapend = buf->v + buf->l;
2844 isakmp_print(buf->v, buf->l, NULL);
2845 vfree(buf);
2846 printf("\n");
2847 fflush(stdout);
2848
2849 return;
2850 #endif
2851 }
2852 #endif /*HAVE_PRINT_ISAKMP_C*/
2853
2854 int
copy_ph1addresses(iph1,rmconf,remote,local)2855 copy_ph1addresses(iph1, rmconf, remote, local)
2856 struct ph1handle *iph1;
2857 struct remoteconf *rmconf;
2858 struct sockaddr *remote, *local;
2859 {
2860 u_int16_t port;
2861
2862 /* address portion must be grabbed from real remote address "remote" */
2863 iph1->remote = dupsaddr(remote);
2864 if (iph1->remote == NULL)
2865 return -1;
2866
2867 /*
2868 * if remote has no port # (in case of initiator - from ACQUIRE msg)
2869 * - if remote.conf specifies port #, use that
2870 * - if remote.conf does not, use 500
2871 * if remote has port # (in case of responder - from recvfrom(2))
2872 * respect content of "remote".
2873 */
2874 if (extract_port(iph1->remote) == 0) {
2875 port = extract_port(rmconf->remote);
2876 if (port == 0)
2877 port = PORT_ISAKMP;
2878 set_port(iph1->remote, port);
2879 }
2880
2881 if (local == NULL)
2882 iph1->local = getlocaladdr(iph1->remote);
2883 else
2884 iph1->local = dupsaddr(local);
2885 if (iph1->local == NULL)
2886 return -1;
2887
2888 if (extract_port(iph1->local) == 0)
2889 set_port(iph1->local, PORT_ISAKMP);
2890
2891 #ifdef ENABLE_NATT
2892 if (extract_port(iph1->local) == lcconf->port_isakmp_natt) {
2893 plog(LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n");
2894 iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
2895 }
2896 #endif
2897
2898 return 0;
2899 }
2900
2901 static int
nostate1(iph1,msg)2902 nostate1(iph1, msg)
2903 struct ph1handle *iph1;
2904 vchar_t *msg;
2905 {
2906 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2907 iph1->status);
2908 return -1;
2909 }
2910
2911 static int
nostate2(iph2,msg)2912 nostate2(iph2, msg)
2913 struct ph2handle *iph2;
2914 vchar_t *msg;
2915 {
2916 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2917 iph2->status);
2918 return -1;
2919 }
2920
2921 void
log_ph1established(iph1)2922 log_ph1established(iph1)
2923 const struct ph1handle *iph1;
2924 {
2925 char *src, *dst;
2926
2927 src = racoon_strdup(saddr2str(iph1->local));
2928 dst = racoon_strdup(saddr2str(iph1->remote));
2929 STRDUP_FATAL(src);
2930 STRDUP_FATAL(dst);
2931
2932 plog(LLV_INFO, LOCATION, NULL,
2933 "ISAKMP-SA established %s-%s spi:%s\n",
2934 src, dst,
2935 isakmp_pindex(&iph1->index, 0));
2936
2937 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL);
2938 if(!iph1->rmconf->mode_cfg) {
2939 EVT_PUSH(iph1->local, iph1->remote, EVTT_NO_ISAKMP_CFG, NULL);
2940 }
2941
2942 racoon_free(src);
2943 racoon_free(dst);
2944
2945 return;
2946 }
2947
2948 struct payload_list *
isakmp_plist_append(struct payload_list * plist,vchar_t * payload,int payload_type)2949 isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_type)
2950 {
2951 if (! plist) {
2952 plist = racoon_malloc (sizeof (struct payload_list));
2953 plist->prev = NULL;
2954 }
2955 else {
2956 plist->next = racoon_malloc (sizeof (struct payload_list));
2957 plist->next->prev = plist;
2958 plist = plist->next;
2959 }
2960
2961 plist->next = NULL;
2962 plist->payload = payload;
2963 plist->payload_type = payload_type;
2964
2965 return plist;
2966 }
2967
2968 vchar_t *
isakmp_plist_set_all(struct payload_list ** plist,struct ph1handle * iph1)2969 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
2970 {
2971 struct payload_list *ptr = *plist, *first;
2972 size_t tlen = sizeof (struct isakmp), n = 0;
2973 vchar_t *buf = NULL;
2974 char *p;
2975
2976 /* Seek to the first item. */
2977 while (ptr->prev) ptr = ptr->prev;
2978 first = ptr;
2979
2980 /* Compute the whole length. */
2981 while (ptr) {
2982 tlen += ptr->payload->l + sizeof (struct isakmp_gen);
2983 ptr = ptr->next;
2984 }
2985
2986 buf = vmalloc(tlen);
2987 if (buf == NULL) {
2988 plog(LLV_ERROR, LOCATION, NULL,
2989 "failed to get buffer to send.\n");
2990 goto end;
2991 }
2992
2993 ptr = first;
2994
2995 p = set_isakmp_header1(buf, iph1, ptr->payload_type);
2996 if (p == NULL)
2997 goto end;
2998
2999 while (ptr)
3000 {
3001 p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
3002 first = ptr;
3003 ptr = ptr->next;
3004 racoon_free (first);
3005 /* ptr->prev = NULL; first = NULL; ... omitted. */
3006 n++;
3007 }
3008
3009 *plist = NULL;
3010
3011 return buf;
3012 end:
3013 if (buf != NULL)
3014 vfree(buf);
3015 return NULL;
3016 }
3017
3018 #ifdef ENABLE_FRAG
3019 int
frag_handler(iph1,msg,remote,local)3020 frag_handler(iph1, msg, remote, local)
3021 struct ph1handle *iph1;
3022 vchar_t *msg;
3023 struct sockaddr *remote;
3024 struct sockaddr *local;
3025 {
3026 vchar_t *newmsg;
3027
3028 if (isakmp_frag_extract(iph1, msg) == 1) {
3029 if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
3030 plog(LLV_ERROR, LOCATION, remote,
3031 "Packet reassembly failed\n");
3032 return -1;
3033 }
3034 return isakmp_main(newmsg, remote, local);
3035 }
3036
3037 return 0;
3038 }
3039 #endif
3040
3041 void
script_hook(iph1,script)3042 script_hook(iph1, script)
3043 struct ph1handle *iph1;
3044 int script;
3045 {
3046 #define IP_MAX 40
3047 #define PORT_MAX 6
3048 char addrstr[IP_MAX];
3049 char portstr[PORT_MAX];
3050 char **envp = NULL;
3051 int envc = 1;
3052 struct sockaddr_in *sin;
3053 char **c;
3054
3055 if (iph1 == NULL ||
3056 iph1->rmconf == NULL ||
3057 iph1->rmconf->script[script] == NULL)
3058 return;
3059
3060 #ifdef ENABLE_HYBRID
3061 (void)isakmp_cfg_setenv(iph1, &envp, &envc);
3062 #endif
3063
3064 /* local address */
3065 sin = (struct sockaddr_in *)iph1->local;
3066 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
3067 snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));
3068
3069 if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
3070 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
3071 goto out;
3072 }
3073
3074 if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) {
3075 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n");
3076 goto out;
3077 }
3078
3079 /* Peer address */
3080 if (iph1->remote != NULL) {
3081 sin = (struct sockaddr_in *)iph1->remote;
3082 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
3083 snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));
3084
3085 if (script_env_append(&envp, &envc,
3086 "REMOTE_ADDR", addrstr) != 0) {
3087 plog(LLV_ERROR, LOCATION, NULL,
3088 "Cannot set REMOTE_ADDR\n");
3089 goto out;
3090 }
3091
3092 if (script_env_append(&envp, &envc,
3093 "REMOTE_PORT", portstr) != 0) {
3094 plog(LLV_ERROR, LOCATION, NULL,
3095 "Cannot set REMOTEL_PORT\n");
3096 goto out;
3097 }
3098 }
3099
3100 if (privsep_script_exec(iph1->rmconf->script[script]->v,
3101 script, envp) != 0)
3102 plog(LLV_ERROR, LOCATION, NULL,
3103 "Script %s execution failed\n", script_names[script]);
3104
3105 out:
3106 for (c = envp; *c; c++)
3107 racoon_free(*c);
3108
3109 racoon_free(envp);
3110
3111 return;
3112 }
3113
3114 int
script_env_append(envp,envc,name,value)3115 script_env_append(envp, envc, name, value)
3116 char ***envp;
3117 int *envc;
3118 char *name;
3119 char *value;
3120 {
3121 char *envitem;
3122 char **newenvp;
3123 int newenvc;
3124
3125 if (value == NULL) {
3126 value = "";
3127 }
3128
3129 envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
3130 if (envitem == NULL) {
3131 plog(LLV_ERROR, LOCATION, NULL,
3132 "Cannot allocate memory: %s\n", strerror(errno));
3133 return -1;
3134 }
3135 sprintf(envitem, "%s=%s", name, value);
3136
3137 newenvc = (*envc) + 1;
3138 newenvp = racoon_realloc(*envp, newenvc * sizeof(char *));
3139 if (newenvp == NULL) {
3140 plog(LLV_ERROR, LOCATION, NULL,
3141 "Cannot allocate memory: %s\n", strerror(errno));
3142 racoon_free(envitem);
3143 return -1;
3144 }
3145
3146 newenvp[newenvc - 2] = envitem;
3147 newenvp[newenvc - 1] = NULL;
3148
3149 *envp = newenvp;
3150 *envc = newenvc;
3151 return 0;
3152 }
3153
3154 int
script_exec(script,name,envp)3155 script_exec(script, name, envp)
3156 char *script;
3157 int name;
3158 char *const envp[];
3159 {
3160 char *argv[] = { NULL, NULL, NULL };
3161
3162 argv[0] = script;
3163 argv[1] = script_names[name];
3164 argv[2] = NULL;
3165
3166 switch (fork()) {
3167 case 0:
3168 execve(argv[0], argv, envp);
3169 plog(LLV_ERROR, LOCATION, NULL,
3170 "execve(\"%s\") failed: %s\n",
3171 argv[0], strerror(errno));
3172 _exit(1);
3173 break;
3174 case -1:
3175 plog(LLV_ERROR, LOCATION, NULL,
3176 "Cannot fork: %s\n", strerror(errno));
3177 return -1;
3178 break;
3179 default:
3180 break;
3181 }
3182 return 0;
3183
3184 }
3185
3186 void
purge_remote(iph1)3187 purge_remote(iph1)
3188 struct ph1handle *iph1;
3189 {
3190 vchar_t *buf = NULL;
3191 struct sadb_msg *msg, *next, *end;
3192 struct sadb_sa *sa;
3193 struct sockaddr *src, *dst;
3194 caddr_t mhp[SADB_EXT_MAX + 1];
3195 u_int proto_id;
3196 struct ph2handle *iph2;
3197 struct ph1handle *new_iph1;
3198
3199 plog(LLV_INFO, LOCATION, NULL,
3200 "purging ISAKMP-SA spi=%s.\n",
3201 isakmp_pindex(&(iph1->index), iph1->msgid));
3202
3203 /* Mark as expired. */
3204 iph1->status = PHASE1ST_EXPIRED;
3205
3206 /* Check if we have another, still valid, phase1 SA. */
3207 new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
3208
3209 /*
3210 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
3211 * Keep all others phase2 SAs.
3212 */
3213 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
3214 if (buf == NULL) {
3215 plog(LLV_DEBUG, LOCATION, NULL,
3216 "pfkey_dump_sadb returned nothing.\n");
3217 return;
3218 }
3219
3220 msg = (struct sadb_msg *)buf->v;
3221 end = (struct sadb_msg *)(buf->v + buf->l);
3222
3223 while (msg < end) {
3224 if ((msg->sadb_msg_len << 3) < sizeof(*msg))
3225 break;
3226 next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
3227 if (msg->sadb_msg_type != SADB_DUMP) {
3228 msg = next;
3229 continue;
3230 }
3231
3232 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
3233 plog(LLV_ERROR, LOCATION, NULL,
3234 "pfkey_check (%s)\n", ipsec_strerror());
3235 msg = next;
3236 continue;
3237 }
3238
3239 sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
3240 if (!sa ||
3241 !mhp[SADB_EXT_ADDRESS_SRC] ||
3242 !mhp[SADB_EXT_ADDRESS_DST]) {
3243 msg = next;
3244 continue;
3245 }
3246 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
3247 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
3248
3249 if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
3250 sa->sadb_sa_state != SADB_SASTATE_MATURE &&
3251 sa->sadb_sa_state != SADB_SASTATE_DYING) {
3252 msg = next;
3253 continue;
3254 }
3255
3256 /*
3257 * check in/outbound SAs.
3258 * Select only SAs where src == local and dst == remote (outgoing)
3259 * or src == remote and dst == local (incoming).
3260 */
3261 if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
3262 (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
3263 msg = next;
3264 continue;
3265 }
3266
3267 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
3268 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
3269
3270 /* Check if there is another valid ISAKMP-SA */
3271 if (new_iph1 != NULL) {
3272
3273 if (iph2 == NULL) {
3274 /* No handler... still send a pfkey_delete message, but log this !*/
3275 plog(LLV_INFO, LOCATION, NULL,
3276 "Unknown IPsec-SA spi=%u, hmmmm?\n",
3277 ntohl(sa->sadb_sa_spi));
3278 }else{
3279
3280 /*
3281 * If we have a new ph1, do not purge IPsec-SAs binded
3282 * to a different ISAKMP-SA
3283 */
3284 if (iph2->ph1 != NULL && iph2->ph1 != iph1){
3285 msg = next;
3286 continue;
3287 }
3288
3289 /* If the ph2handle is established, do not purge IPsec-SA */
3290 if (iph2->status == PHASE2ST_ESTABLISHED ||
3291 iph2->status == PHASE2ST_EXPIRED) {
3292
3293 plog(LLV_INFO, LOCATION, NULL,
3294 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
3295 ntohl(sa->sadb_sa_spi),
3296 isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
3297 msg = next;
3298 continue;
3299 }
3300 }
3301 }
3302
3303
3304 pfkey_send_delete(lcconf->sock_pfkey,
3305 msg->sadb_msg_satype,
3306 IPSEC_MODE_ANY,
3307 src, dst, sa->sadb_sa_spi);
3308
3309 /* delete a relative phase 2 handle. */
3310 if (iph2 != NULL) {
3311 delete_spd(iph2, 0);
3312 unbindph12(iph2);
3313 remph2(iph2);
3314 delph2(iph2);
3315 }
3316
3317 plog(LLV_INFO, LOCATION, NULL,
3318 "purged IPsec-SA spi=%u.\n",
3319 ntohl(sa->sadb_sa_spi));
3320
3321 msg = next;
3322 }
3323
3324 if (buf)
3325 vfree(buf);
3326
3327 /* Mark the phase1 handler as EXPIRED */
3328 plog(LLV_INFO, LOCATION, NULL,
3329 "purged ISAKMP-SA spi=%s.\n",
3330 isakmp_pindex(&(iph1->index), iph1->msgid));
3331
3332 SCHED_KILL(iph1->sce);
3333
3334 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
3335 }
3336
3337 void
delete_spd(iph2,created)3338 delete_spd(iph2, created)
3339 struct ph2handle *iph2;
3340 u_int64_t created;
3341 {
3342 struct policyindex spidx;
3343 struct sockaddr_storage addr;
3344 u_int8_t pref;
3345 struct sockaddr *src;
3346 struct sockaddr *dst;
3347 int error;
3348 int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
3349
3350 if (iph2 == NULL)
3351 return;
3352
3353 /* Delete the SPD entry if we generated it
3354 */
3355 if (! iph2->generated_spidx )
3356 return;
3357
3358 src = iph2->src;
3359 dst = iph2->dst;
3360
3361 plog(LLV_INFO, LOCATION, NULL,
3362 "generated policy, deleting it.\n");
3363
3364 memset(&spidx, 0, sizeof(spidx));
3365 iph2->spidx_gen = (caddr_t )&spidx;
3366
3367 /* make inbound policy */
3368 iph2->src = dst;
3369 iph2->dst = src;
3370 spidx.dir = IPSEC_DIR_INBOUND;
3371 spidx.ul_proto = 0;
3372
3373 /*
3374 * Note: code from get_proposal_r
3375 */
3376
3377 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
3378
3379 /*
3380 * make destination address in spidx from either ID payload
3381 * or phase 1 address into a address in spidx.
3382 */
3383 if (iph2->id != NULL
3384 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3385 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
3386 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3387 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3388 /* get a destination address of a policy */
3389 error = ipsecdoi_id2sockaddr(iph2->id,
3390 (struct sockaddr *)&spidx.dst,
3391 &spidx.prefd, &spidx.ul_proto);
3392 if (error)
3393 goto purge;
3394
3395 #ifdef INET6
3396 /*
3397 * get scopeid from the SA address.
3398 * note that the phase 1 source address is used as
3399 * a destination address to search for a inbound
3400 * policy entry because rcoon is responder.
3401 */
3402 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
3403 if ((error =
3404 setscopeid((struct sockaddr *)&spidx.dst,
3405 iph2->src)) != 0)
3406 goto purge;
3407 }
3408 #endif
3409
3410 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3411 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
3412 idi2type = _XIDT(iph2->id);
3413
3414 } else {
3415
3416 plog(LLV_DEBUG, LOCATION, NULL,
3417 "get a destination address of SP index "
3418 "from phase1 address "
3419 "due to no ID payloads found "
3420 "OR because ID type is not address.\n");
3421
3422 /*
3423 * copy the SOURCE address of IKE into the
3424 * DESTINATION address of the key to search the
3425 * SPD because the direction of policy is inbound.
3426 */
3427 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
3428 switch (spidx.dst.ss_family) {
3429 case AF_INET:
3430 spidx.prefd =
3431 sizeof(struct in_addr) << 3;
3432 break;
3433 #ifdef INET6
3434 case AF_INET6:
3435 spidx.prefd =
3436 sizeof(struct in6_addr) << 3;
3437 break;
3438 #endif
3439 default:
3440 spidx.prefd = 0;
3441 break;
3442 }
3443 }
3444
3445 /* make source address in spidx */
3446 if (iph2->id_p != NULL
3447 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
3448 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
3449 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3450 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3451 /* get a source address of inbound SA */
3452 error = ipsecdoi_id2sockaddr(iph2->id_p,
3453 (struct sockaddr *)&spidx.src,
3454 &spidx.prefs, &spidx.ul_proto);
3455 if (error)
3456 goto purge;
3457
3458 #ifdef INET6
3459 /*
3460 * get scopeid from the SA address.
3461 * for more detail, see above of this function.
3462 */
3463 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
3464 error =
3465 setscopeid((struct sockaddr *)&spidx.src,
3466 iph2->dst);
3467 if (error)
3468 goto purge;
3469 }
3470 #endif
3471
3472 /* make id[src,dst] if both ID types are IP address and same */
3473 if (_XIDT(iph2->id_p) == idi2type
3474 && spidx.dst.ss_family == spidx.src.ss_family) {
3475 iph2->src_id =
3476 dupsaddr((struct sockaddr *)&spidx.dst);
3477 if (iph2->src_id == NULL) {
3478 plog(LLV_ERROR, LOCATION, NULL,
3479 "allocation failed\n");
3480 goto purge;
3481 }
3482 iph2->dst_id =
3483 dupsaddr((struct sockaddr *)&spidx.src);
3484 if (iph2->dst_id == NULL) {
3485 plog(LLV_ERROR, LOCATION, NULL,
3486 "allocation failed\n");
3487 goto purge;
3488 }
3489 }
3490
3491 } else {
3492 plog(LLV_DEBUG, LOCATION, NULL,
3493 "get a source address of SP index "
3494 "from phase1 address "
3495 "due to no ID payloads found "
3496 "OR because ID type is not address.\n");
3497
3498 /* see above comment. */
3499 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
3500 switch (spidx.src.ss_family) {
3501 case AF_INET:
3502 spidx.prefs =
3503 sizeof(struct in_addr) << 3;
3504 break;
3505 #ifdef INET6
3506 case AF_INET6:
3507 spidx.prefs =
3508 sizeof(struct in6_addr) << 3;
3509 break;
3510 #endif
3511 default:
3512 spidx.prefs = 0;
3513 break;
3514 }
3515 }
3516
3517 #undef _XIDT
3518
3519 plog(LLV_DEBUG, LOCATION, NULL,
3520 "get a src address from ID payload "
3521 "%s prefixlen=%u ul_proto=%u\n",
3522 saddr2str((struct sockaddr *)&spidx.src),
3523 spidx.prefs, spidx.ul_proto);
3524 plog(LLV_DEBUG, LOCATION, NULL,
3525 "get dst address from ID payload "
3526 "%s prefixlen=%u ul_proto=%u\n",
3527 saddr2str((struct sockaddr *)&spidx.dst),
3528 spidx.prefd, spidx.ul_proto);
3529
3530 /*
3531 * convert the ul_proto if it is 0
3532 * because 0 in ID payload means a wild card.
3533 */
3534 if (spidx.ul_proto == 0)
3535 spidx.ul_proto = IPSEC_ULPROTO_ANY;
3536
3537 #undef _XIDT
3538
3539 /* Check if the generated SPD has the same timestamp as the SA.
3540 * If timestamps are different, this means that the SPD entry has been
3541 * refreshed by another SA, and should NOT be deleted with the current SA.
3542 */
3543 if( created ){
3544 struct secpolicy *p;
3545
3546 p = getsp(&spidx);
3547 if(p != NULL){
3548 /* just do no test if p is NULL, because this probably just means
3549 * that the policy has already be deleted for some reason.
3550 */
3551 if(p->spidx.created != created)
3552 goto purge;
3553 }
3554 }
3555
3556 /* End of code from get_proposal_r
3557 */
3558
3559 if (pk_sendspddelete(iph2) < 0) {
3560 plog(LLV_ERROR, LOCATION, NULL,
3561 "pfkey spddelete(inbound) failed.\n");
3562 }else{
3563 plog(LLV_DEBUG, LOCATION, NULL,
3564 "pfkey spddelete(inbound) sent.\n");
3565 }
3566
3567 #ifdef HAVE_POLICY_FWD
3568 /* make forward policy if required */
3569 if (tunnel_mode_prop(iph2->approval)) {
3570 spidx.dir = IPSEC_DIR_FWD;
3571 if (pk_sendspddelete(iph2) < 0) {
3572 plog(LLV_ERROR, LOCATION, NULL,
3573 "pfkey spddelete(forward) failed.\n");
3574 }else{
3575 plog(LLV_DEBUG, LOCATION, NULL,
3576 "pfkey spddelete(forward) sent.\n");
3577 }
3578 }
3579 #endif
3580
3581 /* make outbound policy */
3582 iph2->src = src;
3583 iph2->dst = dst;
3584 spidx.dir = IPSEC_DIR_OUTBOUND;
3585 addr = spidx.src;
3586 spidx.src = spidx.dst;
3587 spidx.dst = addr;
3588 pref = spidx.prefs;
3589 spidx.prefs = spidx.prefd;
3590 spidx.prefd = pref;
3591
3592 if (pk_sendspddelete(iph2) < 0) {
3593 plog(LLV_ERROR, LOCATION, NULL,
3594 "pfkey spddelete(outbound) failed.\n");
3595 }else{
3596 plog(LLV_DEBUG, LOCATION, NULL,
3597 "pfkey spddelete(outbound) sent.\n");
3598 }
3599 purge:
3600 iph2->spidx_gen=NULL;
3601 }
3602
3603
3604 #ifdef INET6
3605 u_int32_t
setscopeid(sp_addr0,sa_addr0)3606 setscopeid(sp_addr0, sa_addr0)
3607 struct sockaddr *sp_addr0, *sa_addr0;
3608 {
3609 struct sockaddr_in6 *sp_addr, *sa_addr;
3610
3611 sp_addr = (struct sockaddr_in6 *)sp_addr0;
3612 sa_addr = (struct sockaddr_in6 *)sa_addr0;
3613
3614 if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
3615 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
3616 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
3617 return 0;
3618
3619 /* this check should not be here ? */
3620 if (sa_addr->sin6_family != AF_INET6) {
3621 plog(LLV_ERROR, LOCATION, NULL,
3622 "can't get scope ID: family mismatch\n");
3623 return -1;
3624 }
3625
3626 if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
3627 plog(LLV_ERROR, LOCATION, NULL,
3628 "scope ID is not supported except of lladdr.\n");
3629 return -1;
3630 }
3631
3632 sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;
3633
3634 return 0;
3635 }
3636 #endif
3637