]> git.saurik.com Git - apple/ipsec.git/blame - ipsec-tools/racoon/isakmp.c
projects / apple / ipsec.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ipsec-164.10.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp.c
CommitLineData
d1e348cf
A		 1/* $NetBSD: isakmp.c,v 1.20.6.7 2007/08/01 11:52:20 vanhu Exp $ */
2
3/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
52b7d2ce
A		 4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
52b7d2ce 33#define __APPLE_API_PRIVATE
52b7d2ce
A		 34
35#include "config.h"
36
37#include <sys/types.h>
38#include <sys/param.h>
39#include <sys/socket.h>
e8d9021d 40#include <sys/ioctl.h>
52b7d2ce
A		 41#include <sys/queue.h>
42
43#include <netinet/in.h>
e8d9021d
A		 44#include <net/if_var.h>
45#include <netinet6/in6_var.h>
52b7d2ce
A		 46#include <arpa/inet.h>
47
48#ifndef HAVE_NETINET6_IPSEC
49#include <netinet/ipsec.h>
50#else
51#include <netinet6/ipsec.h>
52#endif
53
54#include <stdlib.h>
55#include <stdio.h>
56#include <string.h>
57#include <errno.h>
58#if TIME_WITH_SYS_TIME
59# include <sys/time.h>
60# include <time.h>
61#else
62# if HAVE_SYS_TIME_H
63# include <sys/time.h>
64# else
65# include <time.h>
66# endif
67#endif
68#include <netdb.h>
69#ifdef HAVE_UNISTD_H
70#include <unistd.h>
71#endif
72#include <ctype.h>
d1e348cf
A		 73#ifdef ENABLE_HYBRID
74#include <resolv.h>
75#endif
52b7d2ce
A		 76
77#include "var.h"
78#include "misc.h"
79#include "vmbuf.h"
80#include "plog.h"
81#include "sockmisc.h"
82#include "schedule.h"
83#include "debug.h"
84
85#include "remoteconf.h"
86#include "localconf.h"
87#include "grabmyaddr.h"
88#include "admin.h"
89#include "privsep.h"
90#include "isakmp_var.h"
91#include "isakmp.h"
92#include "oakley.h"
93#include "evt.h"
94#include "handler.h"
95#include "proposal.h"
96#include "ipsec_doi.h"
97#include "pfkey.h"
98#include "crypto_openssl.h"
99#include "policy.h"
100#include "isakmp_ident.h"
101#include "isakmp_agg.h"
102#include "isakmp_base.h"
103#include "isakmp_quick.h"
104#include "isakmp_inf.h"
105#include "isakmp_newg.h"
106#include "vpn_control.h"
107#include "vpn_control_var.h"
108#ifdef ENABLE_HYBRID
d1e348cf 109#include "vendorid.h"
52b7d2ce 110#include "isakmp_xauth.h"
d1e348cf 111#include "isakmp_unity.h"
52b7d2ce
A		 112#include "isakmp_cfg.h"
113#endif
114#ifdef ENABLE_FRAG
115#include "isakmp_frag.h"
116#endif
117#include "strnames.h"
118
d1e348cf
A		 119#include <fcntl.h>
120
52b7d2ce
A		 121#ifdef ENABLE_NATT
122# include "nattraversal.h"
d1e348cf
A		 123#endif
124#include "ike_session.h"
52b7d2ce
A		 125# include <netinet/in.h>
126# include <netinet/udp.h>
d1e348cf
A		 127# include <netinet/in_systm.h>
128# include <netinet/ip.h>
52b7d2ce 129# define SOL_UDP IPPROTO_UDP
d1e348cf
A		 130#include "ipsecSessionTracer.h"
131#include "ipsecMessageTracer.h"
e8d9021d 132#include "power_mgmt.h"
52b7d2ce
A		 133
134static int nostate1 __P((struct ph1handle *, vchar_t *));
135static int nostate2 __P((struct ph2handle *, vchar_t *));
136
137extern caddr_t val2str(const char *, size_t);
138
139static int (*ph1exchange[][2][PHASE1ST_MAX])
140 __P((struct ph1handle *, vchar_t *)) = {
141 /* error */
142 { {}, {}, },
143 /* Identity Protection exchange */
144 {
145 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
146 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
147 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
148 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
149 },
150 /* Aggressive exchange */
151 {
152 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
153 nostate1, nostate1, nostate1, nostate1, nostate1, },
154 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
155 nostate1, nostate1, nostate1, nostate1, nostate1, },
156 },
157 /* Base exchange */
158 {
159 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
160 base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
161 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
162 nostate1, nostate1, nostate1, nostate1, nostate1, },
163 },
164};
165
166static int (*ph2exchange[][2][PHASE2ST_MAX])
167 __P((struct ph2handle *, vchar_t *)) = {
168 /* error */
169 { {}, {}, },
d1e348cf 170 /* Quick mode for IKE */
52b7d2ce
A		 171 {
172 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
173 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
174 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
175 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
176 },
177};
178
179static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
180
85f41bec 181static int isakmp_main __P((vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *));
52b7d2ce
A		 182static int ph1_main __P((struct ph1handle *, vchar_t *));
183static int quick_main __P((struct ph2handle *, vchar_t *));
184static int isakmp_ph1begin_r __P((vchar_t *,
85f41bec 185 struct sockaddr_storage *, struct sockaddr_storage *, u_int8_t));
52b7d2ce
A		 186static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
187static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
188static int etypesw1 __P((int));
189static int etypesw2 __P((int));
190#ifdef ENABLE_FRAG
191static int frag_handler(struct ph1handle *,
85f41bec 192 vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *);
52b7d2ce
A		 193#endif
194
195/*
196 * isakmp packet handler
197 */
198int
199isakmp_handler(so_isakmp)
200 int so_isakmp;
201{
202 struct isakmp isakmp;
203 union {
85f41bec 204 u_int64_t force_align; // Wcast-align fix - force alignment
52b7d2ce
A		 205 char buf[sizeof (isakmp) + 4];
206 u_int32_t non_esp[2];
d1e348cf 207 char lbuf[sizeof(struct udphdr) +
d1e348cf 208 sizeof(struct ip) +
d1e348cf 209 sizeof(isakmp) + 4];
52b7d2ce
A		 210 } x;
211 struct sockaddr_storage remote;
212 struct sockaddr_storage local;
213 unsigned int remote_len = sizeof(remote);
214 unsigned int local_len = sizeof(local);
85f41bec
A		 215 ssize_t len = 0;
216 int extralen = 0;
52b7d2ce
A		 217 u_short port;
218 vchar_t *buf = NULL, *tmpbuf = NULL;
219 int error = -1;
220
e8d9021d
A		 221 if (slept_at || woke_at) {
222 plog(LLV_DEBUG, LOCATION, NULL,
223 "ignoring isakmp port until power-mgmt event is handled.\n");
224 return 0;
225 }
226
52b7d2ce
A		 227 /* read message by MSG_PEEK */
228 while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
85f41bec 229 MSG_PEEK, &remote, &remote_len, &local, &local_len)) < 0) {
52b7d2ce
A		 230 if (errno == EINTR)
231 continue;
232 plog(LLV_ERROR, LOCATION, NULL,
233 "failed to receive isakmp packet: %s\n",
234 strerror (errno));
235 goto end;
236 }
237
238 /* keep-alive packet - ignore */
239 if (len == 1 && (x.buf[0]&0xff) == 0xff) {
240 /* Pull the keep-alive packet */
241 if ((len = recvfrom(so_isakmp, (char *)x.buf, 1,
242 0, (struct sockaddr *)&remote, &remote_len)) != 1) {
243 plog(LLV_ERROR, LOCATION, NULL,
244 "failed to receive keep alive packet: %s\n",
245 strerror (errno));
d1e348cf 246 }
52b7d2ce
A		 247 goto end;
248 }
249
d1e348cf
A		 250 /* Lucent IKE in UDP encapsulation */
251 {
252 struct udphdr *udp;
d1e348cf
A		 253 struct ip *ip;
254
85f41bec 255 udp = ALIGNED_CAST(struct udphdr *)&x.lbuf[0];
d1e348cf 256 if (ntohs(udp->uh_dport) == 501) {
85f41bec 257 ip = ALIGNED_CAST(struct ip *)(x.lbuf + sizeof(*udp));
d1e348cf
A		 258 extralen += sizeof(*udp) + ip->ip_hl;
259 }
d1e348cf
A		 260 }
261
52b7d2ce
A		 262#ifdef ENABLE_NATT
263 /* we don't know about portchange yet,
264 look for non-esp marker instead */
265 if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
266 extralen = NON_ESP_MARKER_LEN;
267#endif
268
269 /* now we know if there is an extra non-esp
270 marker at the beginning or not */
271 memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
272
273 /* check isakmp header length, as well as sanity of header length */
274 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
85f41bec 275 plog(LLV_ERROR, LOCATION, &remote,
52b7d2ce
A		 276 "packet shorter than isakmp header size (%u, %u, %zu)\n",
277 len, ntohl(isakmp.len), sizeof(isakmp));
278 /* dummy receive */
279 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
280 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
281 plog(LLV_ERROR, LOCATION, NULL,
282 "failed to receive isakmp packet: %s\n",
283 strerror (errno));
284 }
285 goto end;
286 }
287
288 /* reject it if the size is tooooo big. */
289 if (ntohl(isakmp.len) > 0xffff) {
290 plog(LLV_ERROR, LOCATION, NULL,
291 "the length in the isakmp header is too big.\n");
292 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
293 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
294 plog(LLV_ERROR, LOCATION, NULL,
295 "failed to receive isakmp packet: %s\n",
296 strerror (errno));
297 }
298 goto end;
299 }
300
301 /* read real message */
302 if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) {
303 plog(LLV_ERROR, LOCATION, NULL,
304 "failed to allocate reading buffer (%u Bytes)\n",
305 ntohl(isakmp.len) + extralen);
306 /* dummy receive */
307 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
308 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
309 plog(LLV_ERROR, LOCATION, NULL,
310 "failed to receive isakmp packet: %s\n",
311 strerror (errno));
52b7d2ce 312 error = -2; /* serious problem with socket */
52b7d2ce
A		 313 }
314 goto end;
315 }
316
317 while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
85f41bec 318 0, &remote, &remote_len, &local, &local_len)) < 0) {
52b7d2ce
A		 319 if (errno == EINTR)
320 continue;
321 plog(LLV_ERROR, LOCATION, NULL,
322 "failed to receive isakmp packet: %s\n",
323 strerror (errno));
324 goto end;
325 }
326
e8d9021d
A		 327 if (len < extralen) {
328 plog(LLV_ERROR, LOCATION, NULL,
329 "invalid len (%d Bytes) & extralen (%d Bytes)\n",
330 len, extralen);
331 goto end;
332 }
333
52b7d2ce
A		 334 if ((buf = vmalloc(len - extralen)) == NULL) {
335 plog(LLV_ERROR, LOCATION, NULL,
336 "failed to allocate reading buffer (%u Bytes)\n",
337 (len - extralen));
338 goto end;
339 }
340
341 memcpy (buf->v, tmpbuf->v + extralen, buf->l);
342
52b7d2ce
A		 343 len -= extralen;
344
345 if (len != buf->l) {
85f41bec 346 plog(LLV_ERROR, LOCATION, &remote, "received invalid length (%d != %zu), why ?\n",
52b7d2ce
A		 347 len, buf->l);
348 goto end;
349 }
350
351 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
352 plog(LLV_DEBUG, LOCATION, NULL,
353 "%d bytes message received %s\n",
354 len, saddr2str_fromto("from %s to %s",
355 (struct sockaddr *)&remote,
356 (struct sockaddr *)&local));
357 plogdump(LLV_DEBUG, buf->v, buf->l);
358
359 /* avoid packets with malicious port/address */
360 switch (remote.ss_family) {
361 case AF_INET:
362 port = ((struct sockaddr_in *)&remote)->sin_port;
363 break;
364#ifdef INET6
365 case AF_INET6:
366 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
367 break;
368#endif
369 default:
370 plog(LLV_ERROR, LOCATION, NULL,
371 "invalid family: %d\n", remote.ss_family);
372 goto end;
373 }
374 if (port == 0) {
85f41bec 375 plog(LLV_ERROR, LOCATION, &remote,
52b7d2ce
A		 376 "src port == 0 (valid as UDP but not with IKE)\n");
377 goto end;
378 }
379
380 /* XXX: check sender whether to be allowed or not to accept */
381
382 /* XXX: I don't know how to check isakmp half connection attack. */
383
384 /* simply reply if the packet was processed. */
85f41bec 385 if (check_recvdpkt(&remote, &local, buf)) {
e8d9021d
A		 386 IPSECLOGASLMSG("Received retransmitted packet from %s.\n",
387 saddr2str((struct sockaddr *)&remote));
388
52b7d2ce
A		 389 plog(LLV_NOTIFY, LOCATION, NULL,
390 "the packet is retransmitted by %s.\n",
391 saddr2str((struct sockaddr *)&remote));
392 error = 0;
393 goto end;
394 }
395
396 /* isakmp main routine */
85f41bec 397 if (isakmp_main(buf, &remote, &local) != 0) goto end;
52b7d2ce
A		 398
399 error = 0;
400
401end:
d1e348cf
A		 402 if (tmpbuf != NULL)
403 vfree(tmpbuf);
52b7d2ce
A		 404 if (buf != NULL)
405 vfree(buf);
406
407 return(error);
408}
409
410/*
411 * main processing to handle isakmp payload
412 */
413static int
414isakmp_main(msg, remote, local)
415 vchar_t *msg;
85f41bec 416 struct sockaddr_storage *remote, *local;
52b7d2ce
A		 417{
418 struct isakmp *isakmp = (struct isakmp *)msg->v;
419 isakmp_index *index = (isakmp_index *)isakmp;
420 u_int32_t msgid = isakmp->msgid;
421 struct ph1handle *iph1;
422
423#ifdef HAVE_PRINT_ISAKMP_C
424 isakmp_printpacket(msg, remote, local, 0);
425#endif
426
427 /* the initiator's cookie must not be zero */
428 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
429 plog(LLV_ERROR, LOCATION, remote,
430 "malformed cookie received.\n");
431 return -1;
432 }
433
434 /* Check the Major and Minor Version fields. */
435 /*
436 * XXX Is is right to check version here ?
437 * I think it may no be here because the version depends
438 * on exchange status.
439 */
440 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
441 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
442 plog(LLV_ERROR, LOCATION, remote,
443 "invalid major version %d.\n",
444 ISAKMP_GETMAJORV(isakmp->v));
445 return -1;
446 }
447#if ISAKMP_MINOR_VERSION > 0
448 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
449 plog(LLV_ERROR, LOCATION, remote,
450 "invalid minor version %d.\n",
451 ISAKMP_GETMINORV(isakmp->v));
452 return -1;
453 }
454#endif
455 }
456
457 /* check the Flags field. */
458 /* XXX How is the exclusive check, E and A ? */
459 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
460 plog(LLV_ERROR, LOCATION, remote,
461 "invalid flag 0x%02x.\n", isakmp->flags);
462 return -1;
463 }
464
465 /* ignore commit bit. */
466 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
467 if (isakmp->msgid == 0) {
468 isakmp_info_send_nx(isakmp, remote, local,
469 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
470 plog(LLV_ERROR, LOCATION, remote,
471 "Commit bit on phase1 forbidden.\n");
472 return -1;
473 }
474 }
475
476 iph1 = getph1byindex(index);
477 if (iph1 != NULL) {
478 /* validity check */
479 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
480 iph1->side == INITIATOR) {
d1e348cf
A		 481 IPSECSESSIONTRACEREVENT(iph1->parent_session,
482 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
483 CONSTSTR("malformed or unexpected cookie"),
484 CONSTSTR("Failed to process packet (malformed/unexpected cookie)"));
52b7d2ce
A		 485 plog(LLV_DEBUG, LOCATION, remote,
486 "malformed cookie received or "
487 "the initiator's cookies collide.\n");
488 return -1;
489 }
490
491#ifdef ENABLE_NATT
492 /* Floating ports for NAT-T */
493 if (NATT_AVAILABLE(iph1) &&
494 ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
495 ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
496 (cmpsaddrstrict(iph1->local, local) != 0)))
497 {
498 /* prevent memory leak */
499 racoon_free(iph1->remote);
500 racoon_free(iph1->local);
d1e348cf
A		 501 iph1->remote = NULL;
502 iph1->local = NULL;
52b7d2ce
A		 503
504 /* copy-in new addresses */
85f41bec 505 iph1->remote = dupsaddr((struct sockaddr *)remote);
d1e348cf
A		 506 if (iph1->remote == NULL) {
507 IPSECSESSIONTRACEREVENT(iph1->parent_session,
508 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
509 CONSTSTR("failed to duplicate remote address"),
510 CONSTSTR("Failed to process phase1 message (can't duplicate remote address"));
511 plog(LLV_ERROR, LOCATION, iph1->remote,
512 "phase1 failed: dupsaddr failed.\n");
513 remph1(iph1);
514 delph1(iph1);
515 return -1;
516 }
85f41bec 517 iph1->local = dupsaddr((struct sockaddr *)local);
d1e348cf
A		 518 if (iph1->local == NULL) {
519 IPSECSESSIONTRACEREVENT(iph1->parent_session,
520 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
521 CONSTSTR("failed to duplicate local address"),
522 CONSTSTR("Failed to process phase1 message (can't duplicate local address"));
523 plog(LLV_ERROR, LOCATION, iph1->remote,
524 "phase1 failed: dupsaddr failed.\n");
525 remph1(iph1);
526 delph1(iph1);
527 return -1;
528 }
52b7d2ce
A		 529
530 /* set the flag to prevent further port floating
531 (FIXME: should we allow it? E.g. when the NAT gw
532 is rebooted?) */
533 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
534
535 /* print some neat info */
536 plog (LLV_INFO, LOCATION, NULL,
537 "NAT-T: ports changed to: %s\n",
85f41bec 538 saddr2str_fromto("%s<->%s", (struct sockaddr *)iph1->remote, (struct sockaddr *)iph1->local));
52b7d2ce
A		 539 }
540#endif
52b7d2ce
A		 541 /* must be same addresses in one stream of a phase at least. */
542 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
543 char *saddr_db, *saddr_act;
544
85f41bec
A		 545 saddr_db = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
546 saddr_act = racoon_strdup(saddr2str((struct sockaddr *)remote));
d1e348cf
A		 547 STRDUP_FATAL(saddr_db);
548 STRDUP_FATAL(saddr_act);
52b7d2ce
A		 549
550 plog(LLV_WARNING, LOCATION, remote,
551 "remote address mismatched. db=%s, act=%s\n",
552 saddr_db, saddr_act);
553
554 racoon_free(saddr_db);
555 racoon_free(saddr_act);
556 }
557
558 /*
559 * don't check of exchange type here because other type will be
560 * with same index, for example, informational exchange.
561 */
562
563 /* XXX more acceptable check */
d1e348cf
A		 564
565#ifdef ENABLE_DPD
566 // received ike packets: update dpd checks
567 isakmp_reschedule_info_monitor_if_pending(iph1,
568 "ike packets received from peer");
569#endif /* DPD */
52b7d2ce
A		 570 }
571
572 switch (isakmp->etype) {
573 case ISAKMP_ETYPE_IDENT:
574 case ISAKMP_ETYPE_AGG:
575 case ISAKMP_ETYPE_BASE:
576 /* phase 1 validity check */
577 if (isakmp->msgid != 0) {
578 plog(LLV_ERROR, LOCATION, remote,
579 "message id should be zero in phase1.\n");
580 return -1;
581 }
582
583 /* search for isakmp status record of phase 1 */
584 if (iph1 == NULL) {
585 /*
586 * the packet must be the 1st message from a initiator
587 * or the 2nd message from the responder.
588 */
589
590 /* search for phase1 handle by index without r_ck */
591 iph1 = getph1byindex0(index);
592 if (iph1 == NULL) {
593 /*it must be the 1st message from a initiator.*/
594 if (memcmp(&isakmp->r_ck, r_ck0,
595 sizeof(cookie_t)) != 0) {
596
597 plog(LLV_DEBUG, LOCATION, remote,
598 "malformed cookie received "
599 "or the spi expired.\n");
600 return -1;
601 }
602
603 /* it must be responder's 1st exchange. */
604 if (isakmp_ph1begin_r(msg, remote, local,
605 isakmp->etype) < 0)
606 return -1;
607 break;
608
609 /*NOTREACHED*/
610 }
611
612 /* it must be the 2nd message from the responder. */
613 if (iph1->side != INITIATOR) {
d1e348cf
A		 614 IPSECSESSIONTRACEREVENT(iph1->parent_session,
615 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
616 CONSTSTR("malformed cookie and unexpected side"),
617 CONSTSTR("Failed to process phase1 message (unexpected side)"));
52b7d2ce
A		 618 plog(LLV_DEBUG, LOCATION, remote,
619 "malformed cookie received. "
620 "it has to be as the initiator. %s\n",
621 isakmp_pindex(&iph1->index, 0));
622 return -1;
623 }
624 }
625
626 /*
627 * Don't delete phase 1 handler when the exchange type
628 * in handler is not equal to packet's one because of no
629 * authencication completed.
630 */
631 if (iph1->etype != isakmp->etype) {
d1e348cf
A		 632 IPSECSESSIONTRACEREVENT(iph1->parent_session,
633 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
634 CONSTSTR("mismatched exchange type"),
635 CONSTSTR("Failed to process phase1 message (mismatched exchange type)"));
52b7d2ce
A		 636 plog(LLV_ERROR, LOCATION, iph1->remote,
637 "exchange type is mismatched: "
638 "db=%s packet=%s, ignore it.\n",
639 s_isakmp_etype(iph1->etype),
640 s_isakmp_etype(isakmp->etype));
641 return -1;
642 }
643
644#ifdef ENABLE_FRAG
645 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
646 return frag_handler(iph1, msg, remote, local);
647#endif
648
649 /* call main process of phase 1 */
650 if (ph1_main(iph1, msg) < 0) {
651 plog(LLV_ERROR, LOCATION, iph1->remote,
652 "phase1 negotiation failed.\n");
653 remph1(iph1);
654 delph1(iph1);
655 return -1;
656 }
657 break;
658
659 case ISAKMP_ETYPE_AUTH:
660 plog(LLV_INFO, LOCATION, remote,
661 "unsupported exchange %d received.\n",
662 isakmp->etype);
663 break;
664
665 case ISAKMP_ETYPE_INFO:
666 case ISAKMP_ETYPE_ACKINFO:
667 /*
668 * iph1 must be present for Information message.
669 * if iph1 is null then trying to get the phase1 status
670 * as the packet from responder againt initiator's 1st
671 * exchange in phase 1.
672 * NOTE: We think such informational exchange should be ignored.
673 */
674 if (iph1 == NULL) {
675 iph1 = getph1byindex0(index);
676 if (iph1 == NULL) {
677 plog(LLV_ERROR, LOCATION, remote,
678 "unknown Informational "
679 "exchange received.\n");
680 return -1;
681 }
682 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
683 plog(LLV_WARNING, LOCATION, remote,
684 "remote address mismatched. "
685 "db=%s\n",
85f41bec 686 saddr2str((struct sockaddr *)iph1->remote));
52b7d2ce
A		 687 }
688 }
689
690#ifdef ENABLE_FRAG
691 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
692 return frag_handler(iph1, msg, remote, local);
693#endif
694
695 if (isakmp_info_recv(iph1, msg) < 0)
696 return -1;
697 break;
698
699 case ISAKMP_ETYPE_QUICK:
700 {
701 struct ph2handle *iph2;
702
703 if (iph1 == NULL) {
704 isakmp_info_send_nx(isakmp, remote, local,
705 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
706 plog(LLV_ERROR, LOCATION, remote,
707 "can't start the quick mode, "
708 "there is no ISAKMP-SA, %s\n",
709 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
710 isakmp->msgid));
711 return -1;
712 }
d1e348cf
A		 713#ifdef ENABLE_HYBRID
714 /* Reinit the IVM if it's still there */
715 if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
716 oakley_delivm(iph1->mode_cfg->ivm);
717 iph1->mode_cfg->ivm = NULL;
718 }
719#endif
52b7d2ce
A		 720#ifdef ENABLE_FRAG
721 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
722 return frag_handler(iph1, msg, remote, local);
723#endif
724
725 /* check status of phase 1 whether negotiated or not. */
726 if (iph1->status != PHASE1ST_ESTABLISHED) {
d1e348cf
A		 727 IPSECSESSIONTRACEREVENT(iph1->parent_session,
728 IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP,
729 CONSTSTR("can't start phase2 without valid phase1"),
730 CONSTSTR("Failed to start phase2 resonder (no established phase1"));
52b7d2ce
A		 731 plog(LLV_ERROR, LOCATION, remote,
732 "can't start the quick mode, "
733 "there is no valid ISAKMP-SA, %s\n",
734 isakmp_pindex(&iph1->index, iph1->msgid));
735 return -1;
736 }
737
738 /* search isakmp phase 2 stauts record. */
739 iph2 = getph2bymsgid(iph1, msgid);
740 if (iph2 == NULL) {
741 /* it must be new negotiation as responder */
742 if (isakmp_ph2begin_r(iph1, msg) < 0)
743 return -1;
744 return 0;
745 /*NOTREACHED*/
746 }
747
748 /* commit bit. */
749 /* XXX
750 * we keep to set commit bit during negotiation.
751 * When SA is configured, bit will be reset.
752 * XXX
753 * don't initiate commit bit. should be fixed in the future.
754 */
755 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
756 iph2->flags |= ISAKMP_FLAG_C;
757
47612122
A		 758 if (ISSET(isakmp->flags, ISAKMP_FLAG_E) &&
759 (iph2->ph1 == NULL || iph2->ph1->approval == NULL)) {
760 IPSECSESSIONTRACEREVENT(iph2->parent_session,
761 IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP,
762 CONSTSTR("can't continue phase2 without valid phase1"),
763 CONSTSTR("Failed to continue phase2 resonder (invalid linked phase1"));
764 plog(LLV_ERROR, LOCATION, remote,
765 "can't start the quick mode, "
766 "invalid linked ISAKMP-SA\n");
767 return -1;
768 }
769
52b7d2ce
A		 770 /* call main process of quick mode */
771 if (quick_main(iph2, msg) < 0) {
772 plog(LLV_ERROR, LOCATION, iph1->remote,
773 "phase2 negotiation failed.\n");
774 unbindph12(iph2);
775 remph2(iph2);
776 delph2(iph2);
777 return -1;
778 }
779 }
780 break;
781
782 case ISAKMP_ETYPE_NEWGRP:
783 if (iph1 == NULL) {
784 plog(LLV_ERROR, LOCATION, remote,
785 "Unknown new group mode exchange, "
786 "there is no ISAKMP-SA.\n");
787 return -1;
788 }
789
790#ifdef ENABLE_FRAG
791 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
792 return frag_handler(iph1, msg, remote, local);
793#endif
794
795 isakmp_newgroup_r(iph1, msg);
796 break;
797
798#ifdef ENABLE_HYBRID
799 case ISAKMP_ETYPE_CFG:
800 if (iph1 == NULL) {
801 plog(LLV_ERROR, LOCATION, NULL,
802 "mode config %d from %s, "
803 "but we have no ISAKMP-SA.\n",
85f41bec 804 isakmp->etype, saddr2str((struct sockaddr *)remote));
52b7d2ce
A		 805 return -1;
806 }
e8d9021d
A		 807 if (iph1->status != PHASE1ST_ESTABLISHED) {
808 plog(LLV_ERROR, LOCATION, NULL,
809 "mode config %d from %s, "
810 "but ISAKMP-SA %s isn't established.\n",
85f41bec 811 isakmp->etype, saddr2str((struct sockaddr *)remote),
e8d9021d
A		 812 isakmp_pindex(&iph1->index, iph1->msgid));
813 return -1;
814 }
52b7d2ce
A		 815#ifdef ENABLE_FRAG
816 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
817 return frag_handler(iph1, msg, remote, local);
818#endif
819
820 isakmp_cfg_r(iph1, msg);
821 break;
822#endif
823
824 case ISAKMP_ETYPE_NONE:
825 default:
826 plog(LLV_ERROR, LOCATION, NULL,
827 "Invalid exchange type %d from %s.\n",
85f41bec 828 isakmp->etype, saddr2str((struct sockaddr *)remote));
52b7d2ce
A		 829 return -1;
830 }
831
832 return 0;
833}
834
835/*
836 * main function of phase 1.
837 */
838static int
839ph1_main(iph1, msg)
840 struct ph1handle *iph1;
841 vchar_t *msg;
842{
843 int error;
d1e348cf 844 int ini_contact = iph1->rmconf->ini_contact;
52b7d2ce
A		 845#ifdef ENABLE_STATS
846 struct timeval start, end;
847#endif
d1e348cf
A		 848 int spi_cmp;
849 u_int rekey_lifetime;
52b7d2ce
A		 850
851 /* ignore a packet */
852 if (iph1->status == PHASE1ST_ESTABLISHED)
853 return 0;
854
855#ifdef ENABLE_STATS
856 gettimeofday(&start, NULL);
857#endif
858 /* receive */
859 if (ph1exchange[etypesw1(iph1->etype)]
860 [iph1->side]
861 [iph1->status] == NULL) {
d1e348cf
A		 862 IPSECSESSIONTRACEREVENT(iph1->parent_session,
863 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
864 CONSTSTR("unavailable function"),
865 CONSTSTR("Failed to process phase1 message (no state function)"));
52b7d2ce
A		 866 plog(LLV_ERROR, LOCATION, iph1->remote,
867 "why isn't the function defined.\n");
868 return -1;
869 }
870 error = (ph1exchange[etypesw1(iph1->etype)]
871 [iph1->side]
872 [iph1->status])(iph1, msg);
873 if (error != 0) {
d1e348cf 874
52b7d2ce
A		 875 /* XXX
876 * When an invalid packet is received on phase1, it should
877 * be selected to process this packet. That is to respond
878 * with a notify and delete phase 1 handler, OR not to respond
5122e997
A		 879 * and keep phase 1 handler. However, in PHASE1ST_START when
880 * acting as RESPONDER we must not keep phase 1 handler or else
881 * it will stay forever.
52b7d2ce 882 */
d1e348cf 883
5122e997
A		 884 if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
885 plog(LLV_ERROR, LOCATION, iph1->remote,
886 "failed to pre-process packet.\n");
887 return -1;
888 } else {
889 /* ignore the error and keep phase 1 handler */
890 return 0;
891 }
52b7d2ce
A		 892 }
893
d1e348cf 894#ifndef ENABLE_FRAG
52b7d2ce
A		 895 /* free resend buffer */
896 if (iph1->sendbuf == NULL) {
897 plog(LLV_ERROR, LOCATION, NULL,
898 "no buffer found as sendbuf\n");
899 return -1;
900 }
d1e348cf
A		 901#endif
902
52b7d2ce
A		 903 VPTRINIT(iph1->sendbuf);
904
905 /* turn off schedule */
d1e348cf 906 SCHED_KILL(iph1->scr);
52b7d2ce
A		 907
908 /* send */
909 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
910 if ((ph1exchange[etypesw1(iph1->etype)]
911 [iph1->side]
912 [iph1->status])(iph1, msg) != 0) {
913 plog(LLV_ERROR, LOCATION, iph1->remote,
914 "failed to process packet.\n");
915 return -1;
916 }
917
918#ifdef ENABLE_STATS
919 gettimeofday(&end, NULL);
920 syslog(LOG_NOTICE, "%s(%s): %8.6f",
921 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
922 timedelta(&start, &end));
923#endif
924 if (iph1->status == PHASE1ST_ESTABLISHED) {
925
926#ifdef ENABLE_STATS
927 gettimeofday(&iph1->end, NULL);
928 syslog(LOG_NOTICE, "%s(%s): %8.6f",
929 "phase1", s_isakmp_etype(iph1->etype),
930 timedelta(&iph1->start, &iph1->end));
931#endif
932
933#ifdef ENABLE_VPNCONTROL_PORT
934
d1e348cf 935 if (iph1->side == RESPONDER &&
85f41bec 936 iph1->local->ss_family == AF_INET) {
d1e348cf
A		 937
938 struct redirect *addr;
52b7d2ce 939
d1e348cf
A		 940 LIST_FOREACH(addr, &lcconf->redirect_addresses, chain) {
941 if (((struct sockaddr_in *)iph1->local)->sin_addr.s_addr == addr->cluster_address) {
942 vchar_t *raddr = vmalloc(sizeof(u_int32_t));
943
944 if (raddr == NULL) {
945 plog(LLV_ERROR, LOCATION, iph1->remote,
946 "failed to send redirect message - memory error.\n");
947 } else {
948 memcpy(raddr->v, &addr->redirect_address, sizeof(u_int32_t));
949 (void)isakmp_info_send_n1(iph1, ISAKMP_NTYPE_LOAD_BALANCE, raddr);
950 plog(LLV_DEBUG, LOCATION, iph1->remote, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address));
951 vfree(raddr);
952 if (addr->force) {
953 (void)ike_session_update_ph1_ph2tree(iph1);
869d26af 954 isakmp_ph1expire(iph1);
d1e348cf
A		 955 }
956 }
52b7d2ce 957 }
d1e348cf 958 return 0;
52b7d2ce 959 }
52b7d2ce 960 }
52b7d2ce
A		 961#endif
962 /* save created date. */
963 (void)time(&iph1->created);
964
965 /* add to the schedule to expire, and save back pointer. */
966 iph1->sce = sched_new(iph1->approval->lifetime,
d1e348cf
A		 967 isakmp_ph1expire_stub, iph1);
968
969 if (iph1->rmconf->initiate_ph1rekey) {
970 if (iph1->side == INITIATOR) {
971 spi_cmp = memcmp(&iph1->index.i_ck, &iph1->index.r_ck, sizeof(iph1->index.i_ck));
972 if (spi_cmp == 0)
973 spi_cmp = 1;
974 } else {
975 spi_cmp = memcmp(&iph1->index.r_ck, &iph1->index.i_ck, sizeof(iph1->index.r_ck));
976 if (spi_cmp == 0)
977 spi_cmp = -1;
978 }
979 rekey_lifetime = ike_session_get_rekey_lifetime((spi_cmp > 0),
980 iph1->approval->lifetime);
981 if (rekey_lifetime) {
982 iph1->sce_rekey = sched_new(rekey_lifetime,
983 isakmp_ph1rekeyexpire_stub,
984 iph1);
985 } else {
986 /* iph1->approval->lifetime is too small (e.g. 1) so why bother?
987 * LOG ERROR
988 */
989 plog(LLV_ERROR, LOCATION, iph1->remote,
990 "failed to get rekey timer - lifetime is too small... probably.\n");
991 }
992 }
993
52b7d2ce 994#ifdef ENABLE_HYBRID
d1e348cf
A		 995 /* ignore xauth if it is a rekey */
996 if (!iph1->is_rekey &&
997 iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
998 switch(AUTHMETHOD(iph1)) {
999 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1000 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1001 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1002 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1003 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1004 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1005 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
52b7d2ce
A		 1006 xauth_sendreq(iph1);
1007 /* XXX Don't process INITIAL_CONTACT */
d1e348cf 1008 ini_contact = 0;
52b7d2ce
A		 1009 break;
1010 default:
1011 break;
1012 }
1013 }
1014#endif
1015#ifdef ENABLE_DPD
1016 /* Schedule the r_u_there.... */
1017 if(iph1->dpd_support && iph1->rmconf->dpd_interval)
1018 isakmp_sched_r_u(iph1, 0);
1019#endif
1020
1021 /* INITIAL-CONTACT processing */
d1e348cf 1022 /* ignore initial-contact if it is a rekey */
52b7d2ce 1023 /* don't send anything if local test mode. */
d1e348cf 1024 if (!iph1->is_rekey && !f_local && ini_contact && !getcontacted(iph1->remote)) {
52b7d2ce
A		 1025 /* send INITIAL-CONTACT */
1026 isakmp_info_send_n1(iph1,
1027 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
1028 /* insert a node into contacted list. */
1029 if (inscontacted(iph1->remote) == -1) {
1030 plog(LLV_ERROR, LOCATION, iph1->remote,
1031 "failed to add contacted list.\n");
1032 /* ignore */
1033 }
1034 }
1035
1036 log_ph1established(iph1);
1037 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1038
52b7d2ce 1039 /*
d1e348cf
A		 1040 * SA up shell script hook: do it now for rekeys, otherwise only
1041 * if ISAKMP mode config wasn't requested. In the later
52b7d2ce
A		 1042 * case it is done when we receive the configuration.
1043 */
1044 if ((iph1->status == PHASE1ST_ESTABLISHED) &&
d1e348cf
A		 1045 (iph1->is_rekey || !iph1->rmconf->mode_cfg)) {
1046 switch (AUTHMETHOD(iph1)) {
1047#ifdef ENABLE_HYBRID
1048 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1049 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1050 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1051 /* Unimplemeted... */
1052 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1053 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1054 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1055 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1056 break;
1057#endif
1058 default:
1059 script_hook(iph1, SCRIPT_PHASE1_UP);
1060 break;
1061 }
1062 }
1063
1064 ike_session_cleanup_other_established_ph1s(iph1->parent_session, iph1);
1065
1066#ifdef ENABLE_VPNCONTROL_PORT
1067 vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL);
e8d9021d 1068 vpncontrol_notify_peer_resp_ph1(1, iph1);
d1e348cf
A		 1069#endif
1070
52b7d2ce
A		 1071 }
1072
1073 return 0;
1074}
1075
1076/*
1077 * main function of quick mode.
1078 */
1079static int
1080quick_main(iph2, msg)
1081 struct ph2handle *iph2;
1082 vchar_t *msg;
1083{
1084 struct isakmp *isakmp = (struct isakmp *)msg->v;
1085 int error;
1086#ifdef ENABLE_STATS
1087 struct timeval start, end;
1088#endif
1089
1090 /* ignore a packet */
1091 if (iph2->status == PHASE2ST_ESTABLISHED
1092 || iph2->status == PHASE2ST_GETSPISENT)
1093 return 0;
1094
1095#ifdef ENABLE_STATS
1096 gettimeofday(&start, NULL);
1097#endif
1098
1099 /* receive */
1100 if (ph2exchange[etypesw2(isakmp->etype)]
1101 [iph2->side]
1102 [iph2->status] == NULL) {
1103 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1104 "why isn't the function defined.\n");
1105 return -1;
1106 }
1107 error = (ph2exchange[etypesw2(isakmp->etype)]
1108 [iph2->side]
1109 [iph2->status])(iph2, msg);
1110 if (error != 0) {
1111 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1112 "failed to pre-process packet.\n");
1113 if (error == ISAKMP_INTERNAL_ERROR)
1114 return 0;
1115 isakmp_info_send_n1(iph2->ph1, error, NULL);
1116 return -1;
1117 }
1118
1119 /* when using commit bit, status will be reached here. */
1120 //if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - wrong place
1121 // return 0;
1122
1123 /* free resend buffer */
1124 if (iph2->sendbuf == NULL) {
1125 plog(LLV_ERROR, LOCATION, NULL,
1126 "no buffer found as sendbuf\n");
1127 return -1;
1128 }
1129 VPTRINIT(iph2->sendbuf);
1130
1131 /* turn off schedule */
d1e348cf 1132 SCHED_KILL(iph2->scr);
52b7d2ce
A		 1133
1134 /* when using commit bit, status will be reached here. */
1135 if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - moved to here
1136 return 0;
1137
1138 /* send */
1139 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1140 if ((ph2exchange[etypesw2(isakmp->etype)]
1141 [iph2->side]
1142 [iph2->status])(iph2, msg) != 0) {
1143 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1144 "failed to process packet.\n");
1145 return -1;
1146 }
1147
1148#ifdef ENABLE_STATS
1149 gettimeofday(&end, NULL);
1150 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1151 "phase2",
1152 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1153 timedelta(&start, &end));
1154#endif
1155
1156 return 0;
1157}
1158
1159/* new negotiation of phase 1 for initiator */
1160int
d1e348cf 1161isakmp_ph1begin_i(rmconf, remote, local, started_by_api)
52b7d2ce 1162 struct remoteconf *rmconf;
85f41bec 1163 struct sockaddr_storage *remote, *local;
d1e348cf 1164 int started_by_api;
52b7d2ce
A		 1165{
1166 struct ph1handle *iph1;
1167#ifdef ENABLE_STATS
1168 struct timeval start, end;
1169#endif
1170
1171 /* get new entry to isakmp status table. */
1172 iph1 = newph1();
1173 if (iph1 == NULL)
1174 return -1;
1175
1176 iph1->status = PHASE1ST_START;
1177 iph1->rmconf = rmconf;
d1e348cf
A		 1178 if (link_rmconf_to_ph1(rmconf) < 0) {
1179 plog(LLV_ERROR, LOCATION, remote,
1180 "couldn't link "
1181 "configuration.\n");
1182 iph1->rmconf = NULL;
1183 /* don't call remph1(iph1) until after insph1(iph1) is called */
1184 delph1(iph1);
1185 return -1;
1186 }
52b7d2ce 1187 iph1->side = INITIATOR;
d1e348cf 1188 iph1->started_by_api = started_by_api;
52b7d2ce
A		 1189 iph1->version = ISAKMP_VERSION_NUMBER;
1190 iph1->msgid = 0;
1191 iph1->flags = 0;
1192 iph1->ph2cnt = 0;
1193#ifdef HAVE_GSSAPI
1194 iph1->gssapi_state = NULL;
1195#endif
1196#ifdef ENABLE_HYBRID
d1e348cf
A		 1197 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1198 /* don't call remph1(iph1) until after insph1(iph1) is called */
1199 delph1(iph1);
52b7d2ce 1200 return -1;
d1e348cf 1201 }
52b7d2ce
A		 1202#endif
1203#ifdef ENABLE_FRAG
d1e348cf
A		 1204
1205 if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
1206 iph1->frag = 1;
1207 else
1208 iph1->frag = 0;
52b7d2ce
A		 1209 iph1->frag_chain = NULL;
1210#endif
1211 iph1->approval = NULL;
1212
1213 /* XXX copy remote address */
d1e348cf
A		 1214 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
1215 /* don't call remph1(iph1) until after insph1(iph1) is called */
47612122 1216 iph1 = NULL; /* deleted in copy_ph1addresses */
52b7d2ce 1217 return -1;
d1e348cf 1218 }
52b7d2ce
A		 1219
1220 (void)insph1(iph1);
1221
d1e348cf
A		 1222 if (ike_session_link_ph1_to_session(iph1) != 0) {
1223 plog(LLV_DEBUG, LOCATION, NULL, "Failed to link ph1 to session\n");
1224 remph1(iph1);
1225 delph1(iph1);
1226 return -1;
1227 }
e8d9021d
A		 1228 // HACK!!! to track rekeys across SIGHUPs
1229 if (started_by_api == VPN_RESTARTED_BY_API &&
1230 !iph1->is_rekey) {
1231 iph1->parent_session->established = 1;
1232 iph1->parent_session->ikev1_state.ph2cnt++;
1233 iph1->is_rekey = 1;
1234 }
d1e348cf 1235
52b7d2ce
A		 1236 /* start phase 1 exchange */
1237 iph1->etype = rmconf->etypes->type;
1238
1239 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1240 {
1241 char *a;
1242
85f41bec 1243 a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
d1e348cf
A		 1244 STRDUP_FATAL(a);
1245
52b7d2ce
A		 1246 plog(LLV_INFO, LOCATION, NULL,
1247 "initiate new phase 1 negotiation: %s<=>%s\n",
85f41bec 1248 a, saddr2str((struct sockaddr *)iph1->remote));
52b7d2ce
A		 1249 racoon_free(a);
1250 }
1251 plog(LLV_INFO, LOCATION, NULL,
1252 "begin %s mode.\n",
1253 s_isakmp_etype(iph1->etype));
1254
1255#ifdef ENABLE_STATS
1256 gettimeofday(&iph1->start, NULL);
1257 gettimeofday(&start, NULL);
1258#endif
e8d9021d
A		 1259
1260 IPSECLOGASLMSG("IPSec Phase1 started (Initiated by me).\n");
1261
52b7d2ce
A		 1262 /* start exchange */
1263 if ((ph1exchange[etypesw1(iph1->etype)]
1264 [iph1->side]
1265 [iph1->status])(iph1, NULL) != 0) {
1266 /* failed to start phase 1 negotiation */
1267 remph1(iph1);
1268 delph1(iph1);
1269
1270 return -1;
1271 }
1272
1273#ifdef ENABLE_STATS
1274 gettimeofday(&end, NULL);
1275 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1276 "phase1",
1277 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1278 timedelta(&start, &end));
1279#endif
1280
1281#ifdef ENABLE_VPNCONTROL_PORT
1282 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1283#endif
52b7d2ce
A		 1284
1285 return 0;
1286}
1287
1288/* new negotiation of phase 1 for responder */
1289static int
1290isakmp_ph1begin_r(msg, remote, local, etype)
1291 vchar_t *msg;
85f41bec 1292 struct sockaddr_storage *remote, *local;
52b7d2ce
A		 1293 u_int8_t etype;
1294{
1295 struct isakmp *isakmp = (struct isakmp *)msg->v;
1296 struct remoteconf *rmconf;
1297 struct ph1handle *iph1;
1298 struct etypes *etypeok;
1299#ifdef ENABLE_STATS
1300 struct timeval start, end;
1301#endif
1302
1303 /* look for my configuration */
1304 rmconf = getrmconf(remote);
1305 if (rmconf == NULL) {
1306 plog(LLV_ERROR, LOCATION, remote,
1307 "couldn't find "
1308 "configuration.\n");
1309 return -1;
1310 }
1311
1312 /* check to be acceptable exchange type */
1313 etypeok = check_etypeok(rmconf, etype);
1314 if (etypeok == NULL) {
1315 plog(LLV_ERROR, LOCATION, remote,
1316 "not acceptable %s mode\n", s_isakmp_etype(etype));
1317 return -1;
1318 }
1319
1320 /* get new entry to isakmp status table. */
1321 iph1 = newph1();
1322 if (iph1 == NULL)
1323 return -1;
1324
1325 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1326 iph1->status = PHASE1ST_START;
1327 iph1->rmconf = rmconf;
d1e348cf
A		 1328 if (link_rmconf_to_ph1(rmconf) < 0) {
1329 plog(LLV_ERROR, LOCATION, remote,
1330 "couldn't link "
1331 "configuration.\n");
1332 iph1->rmconf = NULL;
1333 /* don't call remph1(iph1) until after insph1(iph1) is called */
1334 delph1(iph1);
1335 return -1;
1336 }
52b7d2ce
A		 1337 iph1->flags = 0;
1338 iph1->side = RESPONDER;
d1e348cf 1339 iph1->started_by_api = 0;
52b7d2ce
A		 1340 iph1->etype = etypeok->type;
1341 iph1->version = isakmp->v;
1342 iph1->msgid = 0;
1343#ifdef HAVE_GSSAPI
1344 iph1->gssapi_state = NULL;
1345#endif
1346#ifdef ENABLE_HYBRID
d1e348cf
A		 1347 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1348 /* don't call remph1(iph1) until after insph1(iph1) is called */
1349 delph1(iph1);
52b7d2ce 1350 return -1;
d1e348cf 1351 }
52b7d2ce
A		 1352#endif
1353#ifdef ENABLE_FRAG
1354 iph1->frag = 0;
1355 iph1->frag_chain = NULL;
1356#endif
1357 iph1->approval = NULL;
1358
1359#ifdef ENABLE_NATT
1360 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
1361 * We have to setup this flag now to correctly generate the first reply.
1362 * Don't know if a better check could be done for that ?
1363 */
1364 if(extract_port(local) == lcconf->port_isakmp_natt)
1365 iph1->natt_flags |= (NAT_PORTS_CHANGED);
1366#endif
1367
1368 /* copy remote address */
d1e348cf
A		 1369 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
1370 /* don't call remph1(iph1) until after insph1(iph1) is called */
47612122 1371 iph1 = NULL; /* deleted in copy_ph1addresses */
52b7d2ce 1372 return -1;
d1e348cf 1373 }
52b7d2ce
A		 1374 (void)insph1(iph1);
1375
d1e348cf
A		 1376 if (ike_session_link_ph1_to_session(iph1) != 0) {
1377 remph1(iph1);
1378 delph1(iph1);
1379 return -1;
1380 }
1381
52b7d2ce
A		 1382 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1383 {
1384 char *a;
1385
85f41bec 1386 a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
d1e348cf
A		 1387 STRDUP_FATAL(a);
1388
52b7d2ce
A		 1389 plog(LLV_INFO, LOCATION, NULL,
1390 "respond new phase 1 negotiation: %s<=>%s\n",
85f41bec 1391 a, saddr2str((struct sockaddr *)iph1->remote));
52b7d2ce
A		 1392 racoon_free(a);
1393 }
1394 plog(LLV_INFO, LOCATION, NULL,
1395 "begin %s mode.\n", s_isakmp_etype(etype));
1396
1397#ifdef ENABLE_STATS
1398 gettimeofday(&iph1->start, NULL);
1399 gettimeofday(&start, NULL);
1400#endif
d1e348cf 1401
e8d9021d
A		 1402 IPSECLOGASLMSG("IPSec Phase1 started (Initiated by peer).\n");
1403
d1e348cf
A		 1404#ifndef ENABLE_FRAG
1405
52b7d2ce
A		 1406 /* start exchange */
1407 if ((ph1exchange[etypesw1(iph1->etype)]
1408 [iph1->side]
1409 [iph1->status])(iph1, msg) < 0
1410 || (ph1exchange[etypesw1(iph1->etype)]
1411 [iph1->side]
1412 [iph1->status])(iph1, msg) < 0) {
1413 plog(LLV_ERROR, LOCATION, remote,
1414 "failed to process packet.\n");
1415 remph1(iph1);
1416 delph1(iph1);
1417 return -1;
1418 }
d1e348cf 1419
52b7d2ce
A		 1420#ifdef ENABLE_STATS
1421 gettimeofday(&end, NULL);
1422 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1423 "phase1",
1424 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1425 timedelta(&start, &end));
1426#endif
1427#ifdef ENABLE_VPNCONTROL_PORT
1428 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
1429#endif
1430
1431 return 0;
d1e348cf
A		 1432
1433#else /* ENABLE_FRAG */
1434
1435 /* now that we have a phase1 handle, feed back into our
1436 * main receive function to catch fragmented packets
1437 */
1438
1439 return isakmp_main(msg, remote, local);
1440
1441#endif /* ENABLE_FRAG */
1442
52b7d2ce
A		 1443}
1444
1445/* new negotiation of phase 2 for initiator */
1446static int
1447isakmp_ph2begin_i(iph1, iph2)
1448 struct ph1handle *iph1;
1449 struct ph2handle *iph2;
1450{
1451#ifdef ENABLE_HYBRID
1452 if (xauth_check(iph1) != 0) {
1453 plog(LLV_ERROR, LOCATION, NULL,
1454 "Attempt to start phase 2 whereas Xauth failed\n");
1455 return -1;
1456 }
1457#endif
1458
1459 /* found ISAKMP-SA. */
1460 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1461 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1462 {
1463 char *a;
85f41bec 1464 a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src));
d1e348cf
A		 1465 STRDUP_FATAL(a);
1466
52b7d2ce
A		 1467 plog(LLV_INFO, LOCATION, NULL,
1468 "initiate new phase 2 negotiation: %s<=>%s\n",
85f41bec 1469 a, saddr2str((struct sockaddr *)iph2->dst));
52b7d2ce
A		 1470 racoon_free(a);
1471 }
1472
1473#ifdef ENABLE_STATS
1474 gettimeofday(&iph2->start, NULL);
1475#endif
1476 /* found isakmp-sa */
d1e348cf
A		 1477 if (iph2->ph1 && iph1 != iph2->ph1) {
1478 plog(LLV_DEBUG2, LOCATION, NULL, "phase2 already bound in %s.\n",__FUNCTION__);
1479 rebindph12(iph1, iph2);
1480 } else if (!iph2->ph1) {
1481 bindph12(iph1, iph2);
1482 }
1483 iph2->is_dying = 0;
1484 if (ike_session_link_ph2_to_session(iph2) != 0) {
1485 return -1;
1486 }
52b7d2ce
A		 1487 iph2->status = PHASE2ST_STATUS2;
1488
e8d9021d
A		 1489 IPSECLOGASLMSG("IPSec Phase2 started (Initiated by me).\n");
1490
52b7d2ce
A		 1491 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1492 [iph2->side]
1493 [iph2->status])(iph2, NULL) < 0) {
52b7d2ce
A		 1494 return -1;
1495 }
1496
1497#ifdef ENABLE_VPNCONTROL_PORT
1498 vpncontrol_notify_phase_change(1, FROM_LOCAL, NULL, iph2);
1499#endif
1500
1501 return 0;
1502}
1503
1504/* new negotiation of phase 2 for responder */
1505static int
1506isakmp_ph2begin_r(iph1, msg)
1507 struct ph1handle *iph1;
1508 vchar_t *msg;
1509{
1510 struct isakmp *isakmp = (struct isakmp *)msg->v;
1511 struct ph2handle *iph2 = 0;
1512 int error;
1513#ifdef ENABLE_STATS
1514 struct timeval start, end;
1515#endif
1516#ifdef ENABLE_HYBRID
1517 if (xauth_check(iph1) != 0) {
1518 plog(LLV_ERROR, LOCATION, NULL,
1519 "Attempt to start phase 2 whereas Xauth failed\n");
1520 return -1;
1521 }
1522#endif
1523
1524 iph2 = newph2();
1525 if (iph2 == NULL) {
1526 plog(LLV_ERROR, LOCATION, NULL,
1527 "failed to allocate phase2 entry.\n");
1528 return -1;
1529 }
1530
1531 iph2->ph1 = iph1;
1532 iph2->side = RESPONDER;
1533 iph2->status = PHASE2ST_START;
1534 iph2->flags = isakmp->flags;
1535 iph2->msgid = isakmp->msgid;
1536 iph2->seq = pk_getseq();
1537 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1538 if (iph2->ivm == NULL) {
1539 delph2(iph2);
1540 return -1;
1541 }
85f41bec 1542 iph2->dst = dupsaddr((struct sockaddr *)iph1->remote); /* XXX should be considered */
52b7d2ce
A		 1543 if (iph2->dst == NULL) {
1544 delph2(iph2);
1545 return -1;
1546 }
85f41bec 1547 switch (iph2->dst->ss_family) {
52b7d2ce
A		 1548 case AF_INET:
1549#ifndef ENABLE_NATT
1550 ((struct sockaddr_in *)iph2->dst)->sin_port = 0;
1551#endif
1552 break;
1553#ifdef INET6
1554 case AF_INET6:
1555#ifndef ENABLE_NATT
1556 ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
1557#endif
1558 break;
1559#endif
1560 default:
1561 plog(LLV_ERROR, LOCATION, NULL,
85f41bec 1562 "invalid family: %d\n", iph2->dst->ss_family);
52b7d2ce
A		 1563 delph2(iph2);
1564 return -1;
1565 }
1566
85f41bec 1567 iph2->src = dupsaddr((struct sockaddr *)iph1->local); /* XXX should be considered */
52b7d2ce
A		 1568 if (iph2->src == NULL) {
1569 delph2(iph2);
1570 return -1;
1571 }
85f41bec 1572 switch (iph2->src->ss_family) {
52b7d2ce
A		 1573 case AF_INET:
1574#ifndef ENABLE_NATT
1575 ((struct sockaddr_in *)iph2->src)->sin_port = 0;
1576#endif
1577 break;
1578#ifdef INET6
1579 case AF_INET6:
1580#ifndef ENABLE_NATT
1581 ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
1582#endif
1583 break;
1584#endif
1585 default:
1586 plog(LLV_ERROR, LOCATION, NULL,
85f41bec 1587 "invalid family: %d\n", iph2->src->ss_family);
52b7d2ce
A		 1588 delph2(iph2);
1589 return -1;
1590 }
1591
1592 /* add new entry to isakmp status table */
1593 insph2(iph2);
1594 bindph12(iph1, iph2);
d1e348cf
A		 1595 iph2->is_dying = 0;
1596 if (ike_session_link_ph2_to_session(iph2) != 0) {
1597 unbindph12(iph2);
1598 remph2(iph2);
1599 delph2(iph2);
1600 return -1;
1601 }
1602
52b7d2ce
A		 1603 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1604 {
1605 char *a;
1606
85f41bec 1607 a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src));
d1e348cf
A		 1608 STRDUP_FATAL(a);
1609
52b7d2ce
A		 1610 plog(LLV_INFO, LOCATION, NULL,
1611 "respond new phase 2 negotiation: %s<=>%s\n",
85f41bec 1612 a, saddr2str((struct sockaddr *)iph2->dst));
52b7d2ce
A		 1613 racoon_free(a);
1614 }
1615
1616#ifdef ENABLE_STATS
1617 gettimeofday(&start, NULL);
1618#endif
1619
e8d9021d
A		 1620 IPSECLOGASLMSG("IPSec Phase2 started (Initiated by peer).\n");
1621
52b7d2ce
A		 1622 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1623 [iph2->side]
1624 [iph2->status])(iph2, msg);
1625 if (error != 0) {
1626 plog(LLV_ERROR, LOCATION, iph1->remote,
1627 "failed to pre-process packet.\n");
1628 if (error != ISAKMP_INTERNAL_ERROR)
1629 isakmp_info_send_n1(iph2->ph1, error, NULL);
1630 /*
1631 * release handler because it's wrong that ph2handle is kept
1632 * after failed to check message for responder's.
1633 */
1634 unbindph12(iph2);
1635 remph2(iph2);
1636 delph2(iph2);
1637 return -1;
1638 }
1639
1640 /* send */
1641 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1642 if ((ph2exchange[etypesw2(isakmp->etype)]
1643 [iph2->side]
1644 [iph2->status])(iph2, msg) < 0) {
1645 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1646 "failed to process packet.\n");
1647 /* don't release handler */
1648 return -1;
1649 }
1650#ifdef ENABLE_STATS
1651 gettimeofday(&end, NULL);
1652 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1653 "phase2",
1654 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1655 timedelta(&start, &end));
1656#endif
1657
1658#ifdef ENABLE_VPNCONTROL_PORT
1659 vpncontrol_notify_phase_change(1, FROM_REMOTE, NULL, iph2);
1660#endif
1661
1662
1663 return 0;
1664}
1665
1666/*
1667 * parse ISAKMP payloads, without ISAKMP base header.
1668 */
1669vchar_t *
1670isakmp_parsewoh(np0, gen, len)
1671 int np0;
1672 struct isakmp_gen *gen;
1673 int len;
1674{
1675 u_char np = np0 & 0xff;
1676 int tlen, plen;
1677 vchar_t *result;
1678 struct isakmp_parse_t *p, *ep;
1679
1680 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1681
1682 /*
1683 * 5 is a magic number, but any value larger than 2 should be fine
1684 * as we do vrealloc() in the following loop.
1685 */
1686 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1687 if (result == NULL) {
1688 plog(LLV_ERROR, LOCATION, NULL,
1689 "failed to get buffer.\n");
1690 return NULL;
85f41bec
A		 1691 }
1692 // Wcast-align fix (void*) - result = aligned buffer of struct isakmp_parse_t
1693 p = ALIGNED_CAST(struct isakmp_parse_t *)result->v;
1694 ep = ALIGNED_CAST(struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
52b7d2ce
A		 1695
1696 tlen = len;
1697
1698 /* parse through general headers */
1699 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1700 if (tlen <= sizeof(struct isakmp_gen)) {
1701 /* don't send information, see isakmp_ident_r1() */
1702 plog(LLV_ERROR, LOCATION, NULL,
1703 "invalid length of payload\n");
1704 vfree(result);
1705 return NULL;
1706 }
1707
1708 plog(LLV_DEBUG, LOCATION, NULL,
1709 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1710
1711 p->type = np;
1712 p->len = ntohs(gen->len);
1713 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
1714 plog(LLV_DEBUG, LOCATION, NULL,
1715 "invalid length of payload\n");
1716 vfree(result);
1717 return NULL;
1718 }
1719 p->ptr = gen;
1720 p++;
1721 if (ep <= p) {
1722 int off;
1723
85f41bec 1724 off = p - ALIGNED_CAST(struct isakmp_parse_t *)result->v;
52b7d2ce
A		 1725 result = vrealloc(result, result->l * 2);
1726 if (result == NULL) {
1727 plog(LLV_DEBUG, LOCATION, NULL,
1728 "failed to realloc buffer.\n");
1729 vfree(result);
1730 return NULL;
1731 }
85f41bec 1732 ep = ALIGNED_CAST(struct isakmp_parse_t *)
52b7d2ce 1733 (result->v + result->l - sizeof(*ep));
85f41bec 1734 p = ALIGNED_CAST(struct isakmp_parse_t *)result->v;
52b7d2ce
A		 1735 p += off;
1736 }
1737
1738 np = gen->np;
1739 plen = ntohs(gen->len);
1740 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1741 tlen -= plen;
1742 }
1743 p->type = ISAKMP_NPTYPE_NONE;
1744 p->len = 0;
1745 p->ptr = NULL;
1746
1747 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1748
1749 return result;
1750}
1751
1752/*
1753 * parse ISAKMP payloads, including ISAKMP base header.
1754 */
1755vchar_t *
1756isakmp_parse(buf)
1757 vchar_t *buf;
1758{
1759 struct isakmp *isakmp = (struct isakmp *)buf->v;
1760 struct isakmp_gen *gen;
1761 int tlen;
1762 vchar_t *result;
1763 u_char np;
1764
1765 np = isakmp->np;
1766 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1767 tlen = buf->l - sizeof(struct isakmp);
1768 result = isakmp_parsewoh(np, gen, tlen);
1769
1770 return result;
1771}
1772
d1e348cf 1773int
e8d9021d 1774isakmp_init(int ignore_phX, int *tentative_failures)
d1e348cf
A		 1775{
1776 /* initialize a isakmp status table */
1777 if (!ignore_phX) {
1778 initph1tree();
1779 initph2tree();
1780 }
1781 initctdtree();
1782 init_recvdpkt();
1783
e8d9021d 1784 if (isakmp_open(tentative_failures) < 0)
d1e348cf
A		 1785 goto err;
1786
1787 return(0);
1788
1789err:
1790 isakmp_close();
1791 return(-1);
1792}
52b7d2ce
A		 1793
1794void
1795isakmp_cleanup()
1796{
1797 clear_recvdpkt();
1798 clear_contacted();
1799}
1800
1801/*
1802 * make strings containing i_cookie + r_cookie + msgid
1803 */
1804const char *
1805isakmp_pindex(index, msgid)
1806 const isakmp_index *index;
1807 const u_int32_t msgid;
1808{
1809 static char buf[64];
1810 const u_char *p;
1811 int i, j;
1812
1813 memset(buf, 0, sizeof(buf));
1814
1815 /* copy index */
1816 p = (const u_char *)index;
1817 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1818 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1819 j += 2;
1820 switch (i) {
1821 case 7:
1822 buf[j++] = ':';
1823 }
1824 }
1825
1826 if (msgid == 0)
1827 return buf;
1828
1829 /* copy msgid */
1830 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1831
1832 return buf;
1833}
1834
1835/* open ISAKMP sockets. */
1836int
e8d9021d 1837isakmp_open(int *tentative_failures)
52b7d2ce
A		 1838{
1839 const int yes = 1;
1840 int ifnum = 0, encap_ifnum = 0;
1841#ifdef INET6
1842 int pktinfo;
1843#endif
1844 struct myaddrs *p;
1845
e8d9021d
A		 1846 if (tentative_failures) {
1847 *tentative_failures = FALSE;
1848 }
1849
52b7d2ce
A		 1850 for (p = lcconf->myaddrs; p; p = p->next) {
1851 if (!p->addr)
1852 continue;
52b7d2ce
A		 1853 if (p->sock != -1) {
1854 ifnum++;
1855 if (p->udp_encap)
1856 encap_ifnum++;
1857 continue; // socket already open
1858 }
52b7d2ce
A		 1859
1860 /* warn if wildcard address - should we forbid this? */
85f41bec 1861 switch (p->addr->ss_family) {
52b7d2ce
A		 1862 case AF_INET:
1863 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
1864 plog(LLV_WARNING, LOCATION, NULL,
1865 "listening to wildcard address,"
1866 "broadcast IKE packet may kill you\n");
1867 break;
1868#ifdef INET6
1869 case AF_INET6:
1870 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
1871 plog(LLV_WARNING, LOCATION, NULL,
1872 "listening to wildcard address, "
1873 "broadcast IKE packet may kill you\n");
1874 break;
1875#endif
1876 default:
1877 plog(LLV_ERROR, LOCATION, NULL,
1878 "unsupported address family %d\n",
1879 lcconf->default_af);
1880 goto err_and_next;
1881 }
1882
1883#ifdef INET6
85f41bec 1884 if (p->addr->ss_family == AF_INET6 &&
52b7d2ce
A		 1885 IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)
1886 p->addr)->sin6_addr))
1887 {
1888 plog(LLV_DEBUG, LOCATION, NULL,
1889 "Ignoring multicast address %s\n",
85f41bec 1890 saddr2str((struct sockaddr *)p->addr));
52b7d2ce
A		 1891 racoon_free(p->addr);
1892 p->addr = NULL;
1893 continue;
1894 }
1895#endif
1896
85f41bec 1897 if ((p->sock = socket(p->addr->ss_family, SOCK_DGRAM, 0)) < 0) {
52b7d2ce
A		 1898 plog(LLV_ERROR, LOCATION, NULL,
1899 "socket (%s)\n", strerror(errno));
1900 goto err_and_next;
1901 }
1902
d1e348cf 1903 if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
85f41bec 1904 plog(LLV_ERROR, LOCATION, NULL,
d1e348cf
A		 1905 "failed to put socket in non-blocking mode\n");
1906
52b7d2ce 1907 /* receive my interface address on inbound packets. */
85f41bec 1908 switch (p->addr->ss_family) {
52b7d2ce
A		 1909 case AF_INET:
1910 if (setsockopt(p->sock, IPPROTO_IP,
52b7d2ce 1911 IP_RECVDSTADDR,
52b7d2ce
A		 1912 (const void *)&yes, sizeof(yes)) < 0) {
1913 plog(LLV_ERROR, LOCATION, NULL,
d1e348cf
A		 1914 "setsockopt IP_RECVDSTADDR (%s)\n",
1915 strerror(errno));
52b7d2ce
A		 1916 goto err_and_next;
1917 }
1918 break;
1919#ifdef INET6
1920 case AF_INET6:
1921#ifdef INET6_ADVAPI
52b7d2ce 1922 pktinfo = IPV6_RECVPKTINFO;
52b7d2ce
A		 1923#else
1924 pktinfo = IPV6_RECVDSTADDR;
1925#endif
1926 if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo,
1927 (const void *)&yes, sizeof(yes)) < 0)
1928 {
1929 plog(LLV_ERROR, LOCATION, NULL,
d1e348cf 1930 "setsockopt IPV6_RECVDSTADDR (%d):%s\n",
52b7d2ce 1931 pktinfo, strerror(errno));
52b7d2ce
A		 1932 goto err_and_next;
1933 }
1934 break;
1935#endif
1936 }
1937
1938#ifdef IPV6_USE_MIN_MTU
85f41bec 1939 if (p->addr->ss_family == AF_INET6 &&
52b7d2ce
A		 1940 setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1941 (void *)&yes, sizeof(yes)) < 0) {
1942 plog(LLV_ERROR, LOCATION, NULL,
d1e348cf
A		 1943 "setsockopt IPV6_USE_MIN_MTU (%s)\n",
1944 strerror(errno));
52b7d2ce
A		 1945 return -1;
1946 }
1947#endif
1948
85f41bec 1949 if (setsockopt_bypass(p->sock, p->addr->ss_family) < 0)
52b7d2ce
A		 1950 goto err_and_next;
1951
52b7d2ce
A		 1952 if (extract_port(p->addr) == PORT_ISAKMP) {
1953 if (setsockopt(p->sock, SOL_SOCKET, SO_NOTIFYCONFLICT,
1954 (void *)&yes, sizeof(yes)) < 0) {
1955 plog(LLV_ERROR, LOCATION, p->addr,
1956 "setsockopt (%s)\n", strerror(errno));
1957 goto err_and_next;
1958 }
1959 }
52b7d2ce 1960
85f41bec 1961 if (bind(p->sock, (struct sockaddr *)p->addr, sysdep_sa_len((struct sockaddr *)p->addr)) < 0) {
e8d9021d 1962 int tmp_errno = errno;
52b7d2ce
A		 1963 plog(LLV_ERROR, LOCATION, p->addr,
1964 "failed to bind to address %s (%s).\n",
85f41bec 1965 saddr2str((struct sockaddr *)p->addr), strerror(tmp_errno));
e8d9021d
A		 1966#ifdef INET6
1967 // if bind failed b/c of a tentative v6 address, try again later
85f41bec 1968 if (tmp_errno == EADDRNOTAVAIL && p->addr->ss_family == AF_INET6) {
e8d9021d
A		 1969 struct in6_ifreq ifr6;
1970
1971 bzero(&ifr6, sizeof(ifr6));
1972 strlcpy(ifr6.ifr_name, p->ifname, sizeof(ifr6.ifr_name));
1973 memcpy(&ifr6.ifr_addr, p->addr, sizeof(ifr6.ifr_addr));
1974 if (ioctl(p->sock, SIOCGIFAFLAG_IN6, &ifr6) >= 0) {
1975 /*
1976 * the tentative flag may have cleared between the bind() and ioctl() calls (i.e due to timing), so
1977 * try infering that it was tentative from ensuring the absense other cases of EADDRNOTAVAIL.
1978 */
1979 if ((ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_ANYCAST | IN6_IFF_DUPLICATED | IN6_IFF_DETACHED | IN6_IFF_DEPRECATED)) == 0) {
1980 // address may have been tentantive... invalidate sock but leave address around for another try later
1981 plog(LLV_ERROR, LOCATION, p->addr,
1982 "failed to bind to address %s: because interface address is/was not ready (flags %x).\n",
85f41bec 1983 saddr2str((struct sockaddr *)p->addr), ifr6.ifr_ifru.ifru_flags6);
e8d9021d
A		 1984 close(p->sock);
1985 p->sock = -1;
1986 if (tentative_failures) {
1987 *tentative_failures = TRUE;
1988 }
1989 continue;
1990 } else {
1991 plog(LLV_ERROR, LOCATION, p->addr,
1992 "failed to bind to address %s: because of interface address error, flags %x.\n",
85f41bec 1993 saddr2str((struct sockaddr *)p->addr), ifr6.ifr_ifru.ifru_flags6);
e8d9021d
A		 1994 }
1995 } else {
1996 plog(LLV_ERROR, LOCATION, p->addr,
1997 "failed to bind to address %s: can't read interface address flags.\n",
85f41bec 1998 saddr2str((struct sockaddr *)p->addr));
e8d9021d
A		 1999 }
2000 }
2001#endif
52b7d2ce 2002 close(p->sock);
47612122 2003 p->sock = -1;
52b7d2ce
A		 2004 goto err_and_next;
2005 }
2006
2007 ifnum++;
52b7d2ce
A		 2008 if (p->udp_encap)
2009 encap_ifnum++;
52b7d2ce
A		 2010
2011 plog(LLV_INFO, LOCATION, NULL,
2012 "%s used as isakmp port (fd=%d)\n",
85f41bec 2013 saddr2str((struct sockaddr *)p->addr), p->sock);
52b7d2ce
A		 2014 continue;
2015
2016 err_and_next:
2017 racoon_free(p->addr);
2018 p->addr = NULL;
2019 if (! lcconf->autograbaddr && lcconf->strict_address)
2020 return -1;
2021 continue;
2022 }
2023
2024 if (!ifnum) {
2025 plog(LLV_ERROR, LOCATION, NULL,
2026 "no address could be bound.\n");
2027 return -1;
2028 }
2029
2030#ifdef ENABLE_NATT
2031 if (natt_enabled_in_rmconf() && !encap_ifnum) {
2032 plog(LLV_WARNING, LOCATION, NULL,
2033 "NAT-T is enabled in at least one remote{} section,\n");
2034 plog(LLV_WARNING, LOCATION, NULL,
2035 "but no 'isakmp_natt' address was specified!\n");
2036 }
2037#endif
2038
2039 return 0;
2040}
2041
2042void
2043isakmp_close()
2044{
2045 isakmp_close_sockets();
2046 clear_myaddr();
2047}
2048
2049void
2050isakmp_close_sockets()
2051{
2052 struct myaddrs *p;
2053
2054 for (p = lcconf->myaddrs; p; p = p->next) {
2055
2056 if (!p->addr)
2057 continue;
2058
2059 if (p->sock >= 0) {
2060 close(p->sock);
2061 p->sock = -1;
2062 }
2063 }
2064
2065}
2066
2067
2068// close sockets for addresses that have gone away
2069void
2070isakmp_close_unused()
2071{
2072 struct myaddrs *p, *next, **prev;
2073
2074 prev = &(lcconf->myaddrs);
2075 for (p = lcconf->myaddrs; p; p = next) {
2076 next = p->next;
2077 if (p->in_use == 0) { // not in use ?
2078
2079 if (p->sock >= 0)
d1e348cf 2080 close(p->sock);
52b7d2ce 2081 *prev = p->next;
d1e348cf 2082 delmyaddr(p);
52b7d2ce
A		 2083 } else
2084 prev = &(p->next);
2085 }
2086}
2087
2088int
2089isakmp_send(iph1, sbuf)
2090 struct ph1handle *iph1;
2091 vchar_t *sbuf;
2092{
2093 int len = 0;
2094 int s;
2095 vchar_t *vbuf = NULL;
2096
2097#ifdef ENABLE_NATT
2098 size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
2099
2100#ifdef ENABLE_FRAG
2101 /*
2102 * Do not add the non ESP marker for a packet that will
2103 * be fragmented. The non ESP marker should appear in
2104 * all fragment's packets, but not in the fragmented packet
2105 */
2106 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
2107 extralen = 0;
2108#endif
2109 if (extralen)
2110 plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
2111
2112 /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
2113 must added just before the packet itself. For this we must
2114 allocate a new buffer and release it at the end. */
2115 if (extralen) {
d1e348cf
A		 2116 if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
2117 plog(LLV_ERROR, LOCATION, NULL,
2118 "vbuf allocation failed\n");
2119 return -1;
2120 }
85f41bec 2121 *ALIGNED_CAST(u_int32_t *)vbuf->v = 0;
52b7d2ce
A		 2122 memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
2123 sbuf = vbuf;
2124 }
2125#endif
2126
2127 /* select the socket to be sent */
85f41bec 2128 s = getsockmyaddr((struct sockaddr *)iph1->local);
52b7d2ce
A		 2129 if (s == -1){
2130 if ( vbuf != NULL )
2131 vfree(vbuf);
2132 return -1;
2133 }
2134
2135 plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
85f41bec 2136 saddr2str_fromto("from %s to %s", (struct sockaddr *)iph1->local, (struct sockaddr *)iph1->remote));
52b7d2ce
A		 2137
2138#ifdef ENABLE_FRAG
2139 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
2140 if (isakmp_sendfrags(iph1, sbuf) == -1) {
2141 plog(LLV_ERROR, LOCATION, NULL,
2142 "isakmp_sendfrags failed\n");
2143 if ( vbuf != NULL )
2144 vfree(vbuf);
2145 return -1;
2146 }
2147 } else
2148#endif
2149 {
2150 len = sendfromto(s, sbuf->v, sbuf->l,
2151 iph1->local, iph1->remote, lcconf->count_persend);
2152 if (len == -1) {
2153 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
2154 if ( vbuf != NULL )
2155 vfree(vbuf);
2156 return -1;
2157 }
2158 }
2159
2160 if ( vbuf != NULL )
2161 vfree(vbuf);
2162
2163 return 0;
2164}
2165
2166/* called from scheduler */
2167void
2168isakmp_ph1resend_stub(p)
2169 void *p;
2170{
d1e348cf
A		 2171 struct ph1handle *iph1;
2172
2173 iph1=(struct ph1handle *)p;
2174 if(isakmp_ph1resend(iph1) < 0){
2175 if(iph1->scr != NULL){
2176 /* Should not happen...
2177 */
2178 sched_kill(iph1->scr);
2179 iph1->scr=NULL;
2180 }
2181
2182 remph1(iph1);
2183 delph1(iph1);
2184 }
52b7d2ce
A		 2185}
2186
2187int
2188isakmp_ph1resend(iph1)
2189 struct ph1handle *iph1;
2190{
e8d9021d
A		 2191 time_t retry_interval;
2192
2193 // make sure there is a buffer to send
2194 // isakmp_plist_set_all() could have returned NULL
2195 if (iph1->sendbuf == NULL)
2196 return -1;
2197
d1e348cf
A		 2198 /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
2199 */
2200 if (iph1->retry_counter <= 0) {
2201 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2202 IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT,
2203 CONSTSTR("Phase1 Maximum Retransmits"),
2204 CONSTSTR("Phase1 negotiation failed (Maximum retransmits)"));
2205
52b7d2ce
A		 2206 plog(LLV_ERROR, LOCATION, NULL,
2207 "phase1 negotiation failed due to time up. %s\n",
2208 isakmp_pindex(&iph1->index, iph1->msgid));
2209 EVT_PUSH(iph1->local, iph1->remote,
2210 EVTT_PEER_NO_RESPONSE, NULL);
d1e348cf
A		 2211 if (iph1->side == INITIATOR && iph1->is_rekey && iph1->parent_session && iph1->parent_session->is_client) {
2212 /* to get around a bug on the peer, in which rekeys to port 4500 are dropped */
2213 if (isakmp_ph1rekeyretry(iph1) == 0)
2214 return 0;
2215 }
52b7d2ce 2216 return -1;
e8d9021d
A		 2217 } else {
2218 ike_session_ph1_retransmits(iph1);
52b7d2ce
A		 2219 }
2220
2221 if (isakmp_send(iph1, iph1->sendbuf) < 0){
d1e348cf
A		 2222 if (iph1->rmconf->retry_counter != iph1->retry_counter) {
2223 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2224 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
2225 CONSTSTR("Phase1 Retransmit"),
2226 CONSTSTR("Failed to retrasmit Phase1"));
2227 }
2228 plog(LLV_ERROR, LOCATION, iph1->remote,
2229 "phase1 negotiation failed due to send error. %s\n",
2230 isakmp_pindex(&iph1->index, iph1->msgid));
2231 EVT_PUSH(iph1->local, iph1->remote,
2232 EVTT_PEER_NO_RESPONSE, NULL);
52b7d2ce
A		 2233 return -1;
2234 }
2235
d1e348cf
A		 2236 if (iph1->rmconf->retry_counter != iph1->retry_counter) {
2237 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2238 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
2239 CONSTSTR("Phase1 Retransmit"),
2240 CONSTSTR(NULL));
2241 }
2242
2243 plog(LLV_DEBUG, LOCATION, iph1->remote,
52b7d2ce
A		 2244 "resend phase1 packet %s\n",
2245 isakmp_pindex(&iph1->index, iph1->msgid));
2246
2247 iph1->retry_counter--;
e8d9021d
A		 2248 retry_interval = get_exp_retx_interval((iph1->rmconf->retry_counter - iph1->retry_counter),
2249 iph1->rmconf->retry_interval);
2250 iph1->scr = sched_new(retry_interval,
52b7d2ce
A		 2251 isakmp_ph1resend_stub, iph1);
2252
2253 return 0;
2254}
2255
2256/* called from scheduler */
2257void
2258isakmp_ph2resend_stub(p)
2259 void *p;
2260{
d1e348cf
A		 2261 struct ph2handle *iph2;
2262
2263 iph2=(struct ph2handle *)p;
52b7d2ce 2264
d1e348cf
A		 2265 if(isakmp_ph2resend(iph2) < 0){
2266 unbindph12(iph2);
2267 remph2(iph2);
2268 delph2(iph2);
2269 }
52b7d2ce
A		 2270}
2271
2272int
2273isakmp_ph2resend(iph2)
2274 struct ph2handle *iph2;
2275{
e8d9021d
A		 2276 time_t retry_interval;
2277
d1e348cf
A		 2278 /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
2279 */
2280 //%%% BUG FIX - related to commit bit usage - crash happened here
2281 if (iph2->ph1 == 0) {
52b7d2ce 2282 plog(LLV_ERROR, LOCATION, NULL,
d1e348cf
A		 2283 "internal error - attempt to re-send phase2 with no phase1 bound.\n");
2284 return -1;
2285 }
2286
2287 if (iph2->ph1->status == PHASE1ST_EXPIRED){
2288 IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session,
2289 IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT,
2290 CONSTSTR("Underlying Phase1 expired"),
2291 CONSTSTR("Failed to retransmit phase2 (underlying phase1 expired)"));
2292 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2293 "phase2 negotiation failed due to phase1 expired. %s\n",
2294 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
2295 return -1;
2296 }
2297
2298 if (iph2->retry_counter <= 0) {
2299 IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session,
2300 IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT,
2301 CONSTSTR("Phase2 maximum retransmits"),
2302 CONSTSTR("Phase2 negotiation failed (maximum retransmits)"));
2303 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
52b7d2ce
A		 2304 "phase2 negotiation failed due to time up. %s\n",
2305 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
2306 EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
52b7d2ce 2307 return -1;
fce29cd9
A		 2308 } else {
2309 ike_session_ph2_retransmits(iph2);
52b7d2ce
A		 2310 }
2311
d1e348cf
A		 2312 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){
2313 if (iph2->ph1->rmconf->retry_counter != iph2->retry_counter) {
2314 IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session,
2315 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
2316 CONSTSTR("Phase2 Retransmit"),
2317 CONSTSTR("Failed to retransmit Phase2 message"));
2318 }
52b7d2ce 2319 plog(LLV_ERROR, LOCATION, NULL,
d1e348cf
A		 2320 "phase2 negotiation failed due to send error. %s\n",
2321 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
2322 EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
52b7d2ce 2323
52b7d2ce 2324 return -1;
d1e348cf
A		 2325 }
2326 if (iph2->ph1->rmconf->retry_counter != iph2->retry_counter) {
2327 IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session,
2328 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
2329 CONSTSTR("Phase2 Retransmit"),
2330 CONSTSTR(NULL));
2331 }
52b7d2ce
A		 2332
2333 plog(LLV_DEBUG, LOCATION, NULL,
2334 "resend phase2 packet %s\n",
2335 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
2336
2337 iph2->retry_counter--;
e8d9021d
A		 2338 retry_interval = get_exp_retx_interval((iph2->ph1->rmconf->retry_counter - iph2->ph1->retry_counter),
2339 iph2->ph1->rmconf->retry_interval);
2340 iph2->scr = sched_new(retry_interval,
52b7d2ce
A		 2341 isakmp_ph2resend_stub, iph2);
2342
d1e348cf
A		 2343#ifdef ENABLE_DPD
2344 if (iph2->scr) {
2345 isakmp_reschedule_info_monitor_if_pending(iph2->ph1,
2346 "phase2 packets sent to peer: retransmit timer armed");
2347 }
2348#endif /* DPD */
2349
52b7d2ce
A		 2350 return 0;
2351}
2352
2353/* called from scheduler */
2354void
2355isakmp_ph1expire_stub(p)
2356 void *p;
2357{
2358
2359 isakmp_ph1expire((struct ph1handle *)p);
2360}
2361
2362void
2363isakmp_ph1expire(iph1)
2364 struct ph1handle *iph1;
2365{
2366 char *src, *dst;
2367
2368 SCHED_KILL(iph1->sce);
d1e348cf
A		 2369#ifdef ENABLE_DPD
2370 SCHED_KILL(iph1->dpd_r_u);
2371#endif
52b7d2ce
A		 2372
2373 if(iph1->status != PHASE1ST_EXPIRED){
85f41bec
A		 2374 src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
2375 dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
d1e348cf
A		 2376 STRDUP_FATAL(src);
2377 STRDUP_FATAL(dst);
2378
52b7d2ce
A		 2379 plog(LLV_INFO, LOCATION, NULL,
2380 "ISAKMP-SA expired %s-%s spi:%s\n",
2381 src, dst,
2382 isakmp_pindex(&iph1->index, 0));
2383 racoon_free(src);
2384 racoon_free(dst);
2385 iph1->status = PHASE1ST_EXPIRED;
d1e348cf 2386 (void)ike_session_update_ph1_ph2tree(iph1);
52b7d2ce
A		 2387 }
2388
2389 /*
2390 * the phase1 deletion is postponed until there is no phase2.
2391 */
2392 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2393 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
2394 return;
2395 }
2396
2397 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
2398}
2399
d1e348cf
A		 2400/* called from scheduler */
2401void
2402isakmp_ph1rekeyexpire_stub(p)
2403void *p;
2404{
2405
fce29cd9 2406 isakmp_ph1rekeyexpire((struct ph1handle *)p, FALSE);
d1e348cf
A		 2407}
2408
2409void
fce29cd9 2410isakmp_ph1rekeyexpire(iph1, ignore_sess_drop_policy)
d1e348cf 2411struct ph1handle *iph1;
fce29cd9 2412int ignore_sess_drop_policy;
d1e348cf
A		 2413{
2414 char *src, *dst;
2415 struct remoteconf *rmconf;
2416
2417 SCHED_KILL(iph1->sce_rekey);
2418
2419 // early exit if iph2->sce == NULL, iph2 isn't established or if entire session is going down
2420 if (iph1->sce == NULL ||
2421 iph1->status != PHASE1ST_ESTABLISHED ||
2422 iph1->is_dying) {
2423 return;
2424 }
2425
85f41bec
A		 2426 src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
2427 dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
d1e348cf
A		 2428 STRDUP_FATAL(src);
2429 STRDUP_FATAL(dst);
2430
2431 plog(LLV_INFO, LOCATION, NULL,
2432 "ISAKMP-SA rekey-timer expired %s-%s spi:%s\n",
2433 src, dst,
2434 isakmp_pindex(&iph1->index, 0));
2435 racoon_free(src);
2436 racoon_free(dst);
2437
e8d9021d 2438 if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) {
fce29cd9
A		 2439 return;
2440 }
2441
d1e348cf
A		 2442 // exit if there is another ph1 that is established (with a pending rekey timer)
2443 if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) {
2444 plog(LLV_INFO, LOCATION, iph1->remote,
2445 "request for ISAKMP-SA rekey was ignored "
2446 "due to another established ph1.\n");
2447 return;
2448 }
2449
2450 // if there is another ph1 that is negotiating, postpone this rekey for a few seconds later
2451 if (ike_session_has_other_negoing_ph1(iph1->parent_session, iph1)) {
2452 plog(LLV_DEBUG, LOCATION, NULL, "reschedule Phase1 rekey.\n");
2453 iph1->sce_rekey = sched_new(1,
2454 isakmp_ph1rekeyexpire_stub,
2455 iph1);
2456 return;
2457 }
2458
2459 // get rmconf to initiate rekey with
2460 rmconf = iph1->rmconf;
2461 if (!rmconf || rmconf->to_delete || rmconf->to_remove) {
2462 rmconf = getrmconf(iph1->remote);
2463 }
2464 if (rmconf) {
2465 /* begin quick mode */
2466 plog(LLV_DEBUG, LOCATION, NULL, "begin Phase1 rekey.\n");
2467
2468 /* start phase 1 negotiation as a initiator. */
2469 if (isakmp_ph1begin_i(rmconf, iph1->remote, iph1->local, 0) < 0) {
2470 plog(LLV_DEBUG, LOCATION, NULL, "Phase1 rekey Failed.\n");
2471 }
2472 } else {
2473 plog(LLV_ERROR, LOCATION, NULL,
2474 "Phase1 rekey failed: no configuration found for %s.\n",
85f41bec 2475 saddrwop2str((struct sockaddr *)iph1->remote));
d1e348cf
A		 2476 }
2477}
2478
2479int
2480isakmp_ph1rekeyretry(iph1)
2481struct ph1handle *iph1;
2482{
2483 char *src, *dst;
2484 struct remoteconf *rmconf;
2485
2486 // this code path is meant for floated ph1 rekeys that are failing on the first message
2487 if (iph1->sce != NULL ||
2488 iph1->sce_rekey != NULL ||
85f41bec 2489 (iph1->status != PHASE1ST_MSG1SENT || ((iph1->natt_flags & NAT_PORTS_CHANGED) == 0)) ||
d1e348cf
A		 2490 (extract_port(iph1->local) != PORT_ISAKMP_NATT && extract_port(iph1->remote) != PORT_ISAKMP_NATT) ||
2491 iph1->is_dying) {
2492 return -1;
2493 }
2494
85f41bec
A		 2495 src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
2496 dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
d1e348cf
A		 2497 STRDUP_FATAL(src);
2498 STRDUP_FATAL(dst);
2499
2500 plog(LLV_INFO, LOCATION, NULL,
2501 "ISAKMP-SA rekey failed... retrying %s-%s spi:%s\n",
2502 src, dst,
2503 isakmp_pindex(&iph1->index, 0));
2504 racoon_free(src);
2505 racoon_free(dst);
2506
e8d9021d
A		 2507 if (ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) {
2508 plog(LLV_INFO, LOCATION, iph1->remote,
2509 "request for ISAKMP-SA rekey was ignored "
2510 "due to idleness.\n");
2511 return 0;
2512 }
2513
d1e348cf
A		 2514 // exit if there is another ph1 that is established (with a pending rekey timer)
2515 if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) {
2516 plog(LLV_INFO, LOCATION, iph1->remote,
2517 "request to retry ISAKMP-SA rekey was ignored "
2518 "due to another established ph1.\n");
2519 return -1;
2520 }
2521
2522 // some servers don't like respond to 4500 for rekeys... try accomodate them
2523 if (extract_port(iph1->local) == PORT_ISAKMP_NATT) {
2524 set_port(iph1->local, PORT_ISAKMP);
2525 }
2526 if (extract_port(iph1->remote) == PORT_ISAKMP_NATT) {
2527 set_port(iph1->remote, PORT_ISAKMP);
2528 }
2529 iph1->natt_flags &= ~NAT_PORTS_CHANGED;
2530 rmconf = getrmconf(iph1->remote);
2531 if (rmconf) {
2532 /* begin quick mode */
2533 plog(LLV_DEBUG, LOCATION, NULL, "begin Phase1 rekey retry.\n");
2534
2535 /* start phase 1 negotiation as a initiator. */
2536 if (isakmp_ph1begin_i(rmconf, iph1->remote, iph1->local, 0) < 0) {
2537 plog(LLV_DEBUG, LOCATION, NULL, "Phase1 rekey retry Failed.\n");
2538 return -1;
2539 }
2540 } else {
2541 plog(LLV_ERROR, LOCATION, NULL,
2542 "Phase1 rekey retry failed: no configuration found for %s.\n",
85f41bec 2543 saddrwop2str((struct sockaddr *)iph1->remote));
d1e348cf
A		 2544 return -1;
2545 }
2546 return 0;
2547}
2548
52b7d2ce
A		 2549/* called from scheduler */
2550void
2551isakmp_ph1delete_stub(p)
2552 void *p;
2553{
2554
2555 isakmp_ph1delete((struct ph1handle *)p);
2556}
2557
2558void
2559isakmp_ph1delete(iph1)
2560 struct ph1handle *iph1;
2561{
2562 char *src, *dst;
2563
d1e348cf
A		 2564 SCHED_KILL(iph1->sce);
2565 SCHED_KILL(iph1->sce_rekey);
2566#ifdef ENABLE_DPD
2567 SCHED_KILL(iph1->dpd_r_u);
2568#endif
52b7d2ce
A		 2569
2570 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2571 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
2572 return;
2573 }
2574
d1e348cf
A		 2575 isakmp_info_send_d1(iph1);
2576
52b7d2ce
A		 2577 /* don't re-negosiation when the phase 1 SA expires. */
2578
85f41bec
A		 2579 src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
2580 dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
d1e348cf
A		 2581 STRDUP_FATAL(src);
2582 STRDUP_FATAL(dst);
2583
52b7d2ce
A		 2584 plog(LLV_INFO, LOCATION, NULL,
2585 "ISAKMP-SA deleted %s-%s spi:%s\n",
2586 src, dst, isakmp_pindex(&iph1->index, 0));
2587 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
2588 racoon_free(src);
2589 racoon_free(dst);
2590
2591 remph1(iph1);
2592 delph1(iph1);
2593
2594 return;
2595}
2596
2597/* called from scheduler.
2598 * this function will call only isakmp_ph2delete().
2599 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
2600 * by something cause. That's why this function is called after phase 2 SA
2601 * expires in the userland.
2602 */
2603void
2604isakmp_ph2expire_stub(p)
2605 void *p;
2606{
2607
2608 isakmp_ph2expire((struct ph2handle *)p);
2609}
2610
2611void
2612isakmp_ph2expire(iph2)
2613 struct ph2handle *iph2;
2614{
2615 char *src, *dst;
2616
80318cb7
A		 2617 if (iph2->status == PHASE2ST_EXPIRED) {
2618 return;
2619 }
2620
52b7d2ce
A		 2621 SCHED_KILL(iph2->sce);
2622
85f41bec
A		 2623 src = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->src));
2624 dst = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->dst));
d1e348cf
A		 2625 STRDUP_FATAL(src);
2626 STRDUP_FATAL(dst);
2627
52b7d2ce
A		 2628 plog(LLV_INFO, LOCATION, NULL,
2629 "phase2 sa expired %s-%s\n", src, dst);
2630 racoon_free(src);
2631 racoon_free(dst);
2632
d1e348cf
A		 2633 // delete outgoing SAs
2634 if (iph2->status == PHASE2ST_ESTABLISHED && iph2->approval) {
2635 struct saproto *pr;
2636
2637 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
2638 if (pr->ok) {
2639 pfkey_send_delete(lcconf->sock_pfkey,
2640 ipsecdoi2pfkey_proto(pr->proto_id),
2641 IPSEC_MODE_ANY,
2642 iph2->src, iph2->dst, pr->spi_p /* pr->reqid_out */);
2643 }
2644 }
2645 }
2646
52b7d2ce
A		 2647 iph2->status = PHASE2ST_EXPIRED;
2648
2649 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
2650
2651 return;
2652}
2653
2654/* called from scheduler */
2655void
2656isakmp_ph2delete_stub(p)
2657 void *p;
2658{
2659
2660 isakmp_ph2delete((struct ph2handle *)p);
2661}
2662
2663void
2664isakmp_ph2delete(iph2)
2665 struct ph2handle *iph2;
2666{
2667 char *src, *dst;
2668
2669 SCHED_KILL(iph2->sce);
2670
85f41bec
A		 2671 src = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->src));
2672 dst = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->dst));
d1e348cf
A		 2673 STRDUP_FATAL(src);
2674 STRDUP_FATAL(dst);
2675
52b7d2ce
A		 2676 plog(LLV_INFO, LOCATION, NULL,
2677 "phase2 sa deleted %s-%s\n", src, dst);
2678 racoon_free(src);
2679 racoon_free(dst);
2680
2681 unbindph12(iph2);
2682 remph2(iph2);
2683 delph2(iph2);
2684
2685 return;
2686}
2687
2688/* \f%%%
2689 * Interface between PF_KEYv2 and ISAKMP
2690 */
2691/*
2692 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
2693 * if phase1 has been finished, begin phase2.
2694 */
2695int
2696isakmp_post_acquire(iph2)
2697 struct ph2handle *iph2;
2698{
2699 struct remoteconf *rmconf;
2700 struct ph1handle *iph1 = NULL;
d1e348cf
A		 2701
2702 plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
52b7d2ce
A		 2703
2704 /* search appropreate configuration with masking port. */
2705 rmconf = getrmconf(iph2->dst);
2706 if (rmconf == NULL) {
2707 plog(LLV_ERROR, LOCATION, NULL,
2708 "no configuration found for %s.\n",
85f41bec 2709 saddrwop2str((struct sockaddr *)iph2->dst));
52b7d2ce
A		 2710 return -1;
2711 }
2712
2713 /* if passive mode, ignore the acquire message */
2714 if (rmconf->passive) {
2715 plog(LLV_DEBUG, LOCATION, NULL,
2716 "because of passive mode, "
2717 "ignore the acquire message for %s.\n",
85f41bec 2718 saddrwop2str((struct sockaddr *)iph2->dst));
52b7d2ce
A		 2719 return 0;
2720 }
2721
d1e348cf
A		 2722 if (ike_session_verify_ph2_parent_session(iph2)) {
2723 plog(LLV_INFO, LOCATION, iph2->dst,
2724 "request for establishing IPsec-SA was ignored "
2725 "because there was a failure verifying parent session.\n");
2726 return -1;
52b7d2ce 2727 }
d1e348cf
A		 2728
2729 // what if there is another ph2 that is negotiating
2730 if (ike_session_has_other_negoing_ph2(iph2->parent_session, iph2)) {
2731 // TODO: postpone this rekey for a second later
2732 plog(LLV_INFO, LOCATION, iph2->dst,
2733 "request for establishing IPsec-SA was ignored "
2734 "due to another negoing ph2.\n");
2735 return -1;
2736 }
2737
2738 // if this is a phase2 rekeys (the policy may not have the current port number).
2739 // so, use the appropriate ports.
2740 if (iph2->is_rekey) {
2741 ike_session_update_ph2_ports(iph2);
2742 }
2743
2744 iph1 = ike_session_update_ph2_ph1bind(iph2);
52b7d2ce
A		 2745
2746 /* no ISAKMP-SA found. */
2747 if (iph1 == NULL) {
2748 struct sched *sc;
2749
2750 iph2->retry_checkph1 = lcconf->retry_checkph1;
2751 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
2752 plog(LLV_INFO, LOCATION, NULL,
2753 "IPsec-SA request for %s queued "
2754 "due to no phase1 found.\n",
85f41bec 2755 saddrwop2str((struct sockaddr *)iph2->dst));
52b7d2ce 2756
e8d9021d
A		 2757 // exit if there is another ph1 that is established (with a pending rekey timer)
2758 if (ike_session_has_negoing_ph1(iph2->parent_session)) {
2759 plog(LLV_INFO, LOCATION, iph2->dst,
2760 "request for phase1 was ignored "
2761 "due to another negotiating ph1.\n");
2762 return 0;
2763 }
2764
52b7d2ce 2765 /* start phase 1 negotiation as a initiator. */
d1e348cf 2766 if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src, 0) < 0) {
e8d9021d
A		 2767 plog(LLV_INFO, LOCATION, iph2->dst,
2768 "request for phase1 failed. will try later.\n");
52b7d2ce
A		 2769 }
2770
2771 return 0;
2772 /*NOTREACHED*/
2773 }
2774
2775 /* found ISAKMP-SA, but on negotiation. */
2776 if (iph1->status != PHASE1ST_ESTABLISHED) {
2777 iph2->retry_checkph1 = lcconf->retry_checkph1;
2778 sched_new(1, isakmp_chkph1there_stub, iph2);
2779 plog(LLV_INFO, LOCATION, iph2->dst,
2780 "request for establishing IPsec-SA was queued "
2781 "due to no phase1 found.\n");
2782 return 0;
2783 /*NOTREACHED*/
2784 }
2785
2786 /* found established ISAKMP-SA */
2787 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
2788
2789 /* found ISAKMP-SA. */
2790 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
2791
2792 /* begin quick mode */
2793 if (isakmp_ph2begin_i(iph1, iph2))
2794 return -1;
2795
2796 return 0;
2797}
2798
2799/*
2800 * receive GETSPI from kernel.
2801 */
2802int
2803isakmp_post_getspi(iph2)
2804 struct ph2handle *iph2;
2805{
2806#ifdef ENABLE_STATS
2807 struct timeval start, end;
2808#endif
2809
2810 /* don't process it because there is no suitable phase1-sa. */
2811 if (iph2->ph1->status == PHASE1ST_EXPIRED) {
2812 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2813 "the negotiation is stopped, "
2814 "because there is no suitable ISAKMP-SA.\n");
2815 return -1;
2816 }
2817
2818#ifdef ENABLE_STATS
2819 gettimeofday(&start, NULL);
2820#endif
2821 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2822 [iph2->side]
2823 [iph2->status])(iph2, NULL) != 0)
2824 return -1;
2825#ifdef ENABLE_STATS
2826 gettimeofday(&end, NULL);
2827 syslog(LOG_NOTICE, "%s(%s): %8.6f",
2828 "phase2",
2829 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2830 timedelta(&start, &end));
2831#endif
2832
2833 return 0;
2834}
2835
2836/* called by scheduler */
2837void
2838isakmp_chkph1there_stub(p)
2839 void *p;
2840{
2841 isakmp_chkph1there((struct ph2handle *)p);
2842}
2843
2844void
2845isakmp_chkph1there(iph2)
2846 struct ph2handle *iph2;
2847{
2848 struct ph1handle *iph1;
2849
869d26af
A		 2850 if (iph2->status != PHASE2ST_STATUS2 ||
2851 iph2->is_dying) {
2852 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: ph2 handle has advanced too far (status %d, STATUS2 %d, dying %d)... ignoring\n", iph2->status, PHASE2ST_STATUS2, iph2->is_dying);
2853 return;
2854 }
2855
52b7d2ce 2856 iph2->retry_checkph1--;
d1e348cf
A		 2857 if (iph2->retry_checkph1 < 0 ||
2858 ike_session_verify_ph2_parent_session(iph2)) {
2859 if (iph2->retry_checkph1 < 0) {
2860 plog(LLV_ERROR, LOCATION, iph2->dst,
2861 "phase2 negotiation failed "
2862 "due to time up waiting for phase1. %s\n",
2863 sadbsecas2str(iph2->dst, iph2->src,
2864 iph2->satype, 0, 0));
2865 } else {
2866 plog(LLV_ERROR, LOCATION, iph2->dst,
2867 "phase2 negotiation failed "
2868 "due to invalid parent session. %s\n",
2869 sadbsecas2str(iph2->dst, iph2->src,
2870 iph2->satype, 0, 0));
2871 }
52b7d2ce
A		 2872 plog(LLV_INFO, LOCATION, NULL,
2873 "delete phase 2 handler.\n");
2874
2875 /* send acquire to kernel as error */
2876 pk_sendeacquire(iph2);
2877
2878 unbindph12(iph2);
2879 remph2(iph2);
2880 delph2(iph2);
2881
2882 return;
2883 }
2884
d1e348cf 2885 iph1 = ike_session_update_ph2_ph1bind(iph2);
52b7d2ce
A		 2886
2887 /* XXX Even if ph1 as responder is there, should we not start
2888 * phase 2 negotiation ? */
2889 if (iph1 != NULL
2890 && iph1->status == PHASE1ST_ESTABLISHED) {
2891 /* found isakmp-sa */
d1e348cf
A		 2892
2893 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n");
85f41bec
A		 2894 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str((struct sockaddr *)iph1->local));
2895 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str((struct sockaddr *)iph1->remote));
d1e348cf 2896 plog(LLV_DEBUG2, LOCATION, NULL, "before:\n");
85f41bec
A		 2897 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)iph2->src));
2898 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst));
d1e348cf
A		 2899 set_port(iph2->src, extract_port(iph1->local));
2900 set_port(iph2->dst, extract_port(iph1->remote));
2901 plog(LLV_DEBUG2, LOCATION, NULL, "After:\n");
85f41bec
A		 2902 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)iph2->src));
2903 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst));
d1e348cf 2904
52b7d2ce 2905 /* begin quick mode */
d1e348cf
A		 2906 if (isakmp_ph2begin_i(iph1, iph2)) {
2907 unbindph12(iph2);
2908 remph2(iph2);
2909 delph2(iph2);
2910 }
52b7d2ce
A		 2911 return;
2912 }
d1e348cf
A		 2913 if (!ike_session_has_negoing_ph1(iph2->parent_session)) {
2914 struct remoteconf *rmconf = getrmconf(iph2->dst);
2915 /* start phase 1 negotiation as a initiator. */
2916 if (rmconf == NULL ||
2917 isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src, 0) < 0) {
2918 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n");
2919 }
2920 }
2921
2922 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n");
52b7d2ce
A		 2923
2924 /* no isakmp-sa found */
2925 sched_new(1, isakmp_chkph1there_stub, iph2);
2926
2927 return;
2928}
2929
2930/* copy variable data into ALLOCATED buffer. */
2931caddr_t
2932isakmp_set_attr_v(buf, type, val, len)
2933 caddr_t buf;
2934 int type;
2935 caddr_t val;
2936 int len;
2937{
2938 struct isakmp_data *data;
2939
2940 data = (struct isakmp_data *)buf;
2941 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2942 data->lorv = htons((u_int16_t)len);
2943 memcpy(data + 1, val, len);
2944
2945 return buf + sizeof(*data) + len;
2946}
2947
2948/* copy fixed length data into ALLOCATED buffer. */
2949caddr_t
2950isakmp_set_attr_l(buf, type, val)
2951 caddr_t buf;
2952 int type;
2953 u_int32_t val;
2954{
2955 struct isakmp_data *data;
2956
2957 data = (struct isakmp_data *)buf;
2958 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2959 data->lorv = htons((u_int16_t)val);
2960
2961 return buf + sizeof(*data);
2962}
2963
2964/* add a variable data attribute to the buffer by reallocating it. */
2965vchar_t *
2966isakmp_add_attr_v(buf0, type, val, len)
2967 vchar_t *buf0;
2968 int type;
2969 caddr_t val;
2970 int len;
2971{
2972 vchar_t *buf = NULL;
2973 struct isakmp_data *data;
2974 int tlen;
2975 int oldlen = 0;
2976
2977 tlen = sizeof(*data) + len;
2978
2979 if (buf0) {
2980 oldlen = buf0->l;
2981 buf = vrealloc(buf0, oldlen + tlen);
2982 } else
2983 buf = vmalloc(tlen);
2984 if (!buf) {
2985 plog(LLV_ERROR, LOCATION, NULL,
2986 "failed to get a attribute buffer.\n");
2987 return NULL;
2988 }
2989
2990 data = (struct isakmp_data *)(buf->v + oldlen);
2991 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2992 data->lorv = htons((u_int16_t)len);
2993 memcpy(data + 1, val, len);
2994
2995 return buf;
2996}
2997
2998/* add a fixed data attribute to the buffer by reallocating it. */
2999vchar_t *
3000isakmp_add_attr_l(buf0, type, val)
3001 vchar_t *buf0;
3002 int type;
3003 u_int32_t val;
3004{
3005 vchar_t *buf = NULL;
3006 struct isakmp_data *data;
3007 int tlen;
3008 int oldlen = 0;
3009
3010 tlen = sizeof(*data);
3011
3012 if (buf0) {
3013 oldlen = buf0->l;
3014 buf = vrealloc(buf0, oldlen + tlen);
3015 } else
3016 buf = vmalloc(tlen);
3017 if (!buf) {
3018 plog(LLV_ERROR, LOCATION, NULL,
3019 "failed to get a attribute buffer.\n");
3020 return NULL;
3021 }
3022
3023 data = (struct isakmp_data *)(buf->v + oldlen);
3024 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
3025 data->lorv = htons((u_int16_t)val);
3026
3027 return buf;
3028}
3029
3030/*
3031 * calculate cookie and set.
3032 */
3033int
3034isakmp_newcookie(place, remote, local)
3035 caddr_t place;
85f41bec
A		 3036 struct sockaddr_storage *remote;
3037 struct sockaddr_storage *local;
52b7d2ce
A		 3038{
3039 vchar_t *buf = NULL, *buf2 = NULL;
3040 char *p;
3041 int blen;
3042 int alen;
3043 caddr_t sa1, sa2;
3044 time_t t;
3045 int error = -1;
3046 u_short port;
3047
3048
85f41bec 3049 if (remote->ss_family != local->ss_family) {
52b7d2ce
A		 3050 plog(LLV_ERROR, LOCATION, NULL,
3051 "address family mismatch, remote:%d local:%d\n",
85f41bec 3052 remote->ss_family, local->ss_family);
52b7d2ce
A		 3053 goto end;
3054 }
85f41bec 3055 switch (remote->ss_family) {
52b7d2ce
A		 3056 case AF_INET:
3057 alen = sizeof(struct in_addr);
3058 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
3059 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
3060 break;
3061#ifdef INET6
3062 case AF_INET6:
3063 alen = sizeof(struct in_addr);
3064 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
3065 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
3066 break;
3067#endif
3068 default:
3069 plog(LLV_ERROR, LOCATION, NULL,
85f41bec 3070 "invalid family: %d\n", remote->ss_family);
52b7d2ce
A		 3071 goto end;
3072 }
3073 blen = (alen + sizeof(u_short)) * 2
3074 + sizeof(time_t) + lcconf->secret_size;
3075 buf = vmalloc(blen);
3076 if (buf == NULL) {
3077 plog(LLV_ERROR, LOCATION, NULL,
3078 "failed to get a cookie.\n");
3079 goto end;
3080 }
3081 p = buf->v;
3082
3083 /* copy my address */
3084 memcpy(p, sa1, alen);
3085 p += alen;
3086 port = ((struct sockaddr_in *)remote)->sin_port;
3087 memcpy(p, &port, sizeof(u_short));
3088 p += sizeof(u_short);
3089
3090 /* copy target address */
3091 memcpy(p, sa2, alen);
3092 p += alen;
3093 port = ((struct sockaddr_in *)local)->sin_port;
3094 memcpy(p, &port, sizeof(u_short));
3095 p += sizeof(u_short);
3096
3097 /* copy time */
3098 t = time(0);
3099 memcpy(p, (caddr_t)&t, sizeof(t));
3100 p += sizeof(t);
3101
3102 /* copy random value */
3103 buf2 = eay_set_random(lcconf->secret_size);
3104 if (buf2 == NULL)
3105 goto end;
3106 memcpy(p, buf2->v, lcconf->secret_size);
3107 p += lcconf->secret_size;
3108 vfree(buf2);
3109
3110 buf2 = eay_sha1_one(buf);
3111 memcpy(place, buf2->v, sizeof(cookie_t));
3112
3113 sa1 = val2str(place, sizeof (cookie_t));
3114 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
3115 racoon_free(sa1);
3116
3117 error = 0;
3118end:
3119 if (buf != NULL)
3120 vfree(buf);
3121 if (buf2 != NULL)
3122 vfree(buf2);
3123 return error;
3124}
3125
3126/*
3127 * save partner's(payload) data into phhandle.
3128 */
3129int
3130isakmp_p2ph(buf, gen)
3131 vchar_t **buf;
3132 struct isakmp_gen *gen;
3133{
3134 /* XXX to be checked in each functions for logging. */
3135 if (*buf) {
3136 plog(LLV_WARNING, LOCATION, NULL,
3137 "ignore this payload, same payload type exist.\n");
3138 return -1;
3139 }
3140
e8d9021d
A		 3141 if (ntohs(gen->len) < sizeof(*gen)) {
3142 plog(LLV_ERROR, LOCATION, NULL,
3143 "ignore this payload, invalid payload len %d.\n",
3144 ntohs(gen->len));
3145 return -1;
3146 }
3147
52b7d2ce
A		 3148 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
3149 if (*buf == NULL) {
3150 plog(LLV_ERROR, LOCATION, NULL,
3151 "failed to get buffer.\n");
3152 return -1;
3153 }
3154 memcpy((*buf)->v, gen + 1, (*buf)->l);
3155
3156 return 0;
3157}
3158
3159u_int32_t
3160isakmp_newmsgid2(iph1)
3161 struct ph1handle *iph1;
3162{
3163 u_int32_t msgid2;
3164
3165 do {
3166 msgid2 = eay_random();
3167 } while (getph2bymsgid(iph1, msgid2));
3168
3169 return msgid2;
3170}
3171
3172/*
3173 * set values into allocated buffer of isakmp header for phase 1
3174 */
3175static caddr_t
3176set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid)
3177 vchar_t *vbuf;
3178 struct ph1handle *iph1;
3179 int nptype;
3180 u_int8_t etype;
3181 u_int8_t flags;
3182 u_int32_t msgid;
3183{
3184 struct isakmp *isakmp;
3185
3186 if (vbuf->l < sizeof(*isakmp))
3187 return NULL;
3188
3189 isakmp = (struct isakmp *)vbuf->v;
3190
3191 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
3192 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
3193 isakmp->np = nptype;
3194 isakmp->v = iph1->version;
3195 isakmp->etype = etype;
3196 isakmp->flags = flags;
3197 isakmp->msgid = msgid;
3198 isakmp->len = htonl(vbuf->l);
3199
3200 return vbuf->v + sizeof(*isakmp);
3201}
3202
3203/*
3204 * set values into allocated buffer of isakmp header for phase 1
3205 */
3206caddr_t
3207set_isakmp_header1(vbuf, iph1, nptype)
3208 vchar_t *vbuf;
3209 struct ph1handle *iph1;
3210 int nptype;
3211{
3212 return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
3213}
3214
3215/*
3216 * set values into allocated buffer of isakmp header for phase 2
3217 */
3218caddr_t
3219set_isakmp_header2(vbuf, iph2, nptype)
3220 vchar_t *vbuf;
3221 struct ph2handle *iph2;
3222 int nptype;
3223{
3224 return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
3225}
3226
3227/*
3228 * set values into allocated buffer of isakmp payload.
3229 */
3230caddr_t
3231set_isakmp_payload(buf, src, nptype)
3232 caddr_t buf;
3233 vchar_t *src;
3234 int nptype;
3235{
3236 struct isakmp_gen *gen;
3237 caddr_t p = buf;
3238
3239 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n",
3240 src->l, nptype);
3241
3242 gen = (struct isakmp_gen *)p;
3243 gen->np = nptype;
3244 gen->len = htons(sizeof(*gen) + src->l);
3245 p += sizeof(*gen);
3246 memcpy(p, src->v, src->l);
3247 p += src->l;
3248
3249 return p;
3250}
3251
3252static int
3253etypesw1(etype)
3254 int etype;
3255{
3256 switch (etype) {
3257 case ISAKMP_ETYPE_IDENT:
3258 return 1;
3259 case ISAKMP_ETYPE_AGG:
3260 return 2;
3261 case ISAKMP_ETYPE_BASE:
3262 return 3;
3263 default:
3264 return 0;
3265 }
3266 /*NOTREACHED*/
3267}
3268
3269static int
3270etypesw2(etype)
3271 int etype;
3272{
3273 switch (etype) {
3274 case ISAKMP_ETYPE_QUICK:
3275 return 1;
3276 default:
3277 return 0;
3278 }
3279 /*NOTREACHED*/
3280}
3281
3282#ifdef HAVE_PRINT_ISAKMP_C
3283/* for print-isakmp.c */
3284char *snapend;
3285extern void isakmp_print __P((const u_char *, u_int, const u_char *));
3286
3287char *getname __P((const u_char *));
3288#ifdef INET6
3289char *getname6 __P((const u_char *));
3290#endif
3291int safeputchar __P((int));
3292
3293/*
3294 * Return a name for the IP address pointed to by ap. This address
3295 * is assumed to be in network byte order.
3296 */
3297char *
3298getname(ap)
3299 const u_char *ap;
3300{
3301 struct sockaddr_in addr;
3302 static char ntop_buf[NI_MAXHOST];
3303
3304 memset(&addr, 0, sizeof(addr));
52b7d2ce 3305 addr.sin_len = sizeof(struct sockaddr_in);
52b7d2ce
A		 3306 addr.sin_family = AF_INET;
3307 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
85f41bec 3308 if (getnameinfo(&addr, sizeof(addr),
52b7d2ce
A		 3309 ntop_buf, sizeof(ntop_buf), NULL, 0,
3310 NI_NUMERICHOST | niflags))
3311 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
3312
3313 return ntop_buf;
3314}
3315
3316#ifdef INET6
3317/*
3318 * Return a name for the IP6 address pointed to by ap. This address
3319 * is assumed to be in network byte order.
3320 */
3321char *
3322getname6(ap)
3323 const u_char *ap;
3324{
3325 struct sockaddr_in6 addr;
3326 static char ntop_buf[NI_MAXHOST];
3327
3328 memset(&addr, 0, sizeof(addr));
3329 addr.sin6_len = sizeof(struct sockaddr_in6);
3330 addr.sin6_family = AF_INET6;
3331 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
85f41bec 3332 if (getnameinfo(&addr, addr.sin6_len,
52b7d2ce
A		 3333 ntop_buf, sizeof(ntop_buf), NULL, 0,
3334 NI_NUMERICHOST | niflags))
3335 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
3336
3337 return ntop_buf;
3338}
3339#endif /* INET6 */
3340
3341int
3342safeputchar(c)
3343 int c;
3344{
3345 unsigned char ch;
3346
3347 ch = (unsigned char)(c & 0xff);
3348 if (c < 0x80 && isprint(c))
3349 return printf("%c", c & 0xff);
3350 else
3351 return printf("\\%03o", c & 0xff);
3352}
3353
3354void
3355isakmp_printpacket(msg, from, my, decoded)
3356 vchar_t *msg;
85f41bec
A		 3357 struct sockaddr_storage *from;
3358 struct sockaddr_storage *my;
52b7d2ce
A		 3359 int decoded;
3360{
3361#ifdef YIPS_DEBUG
3362 struct timeval tv;
3363 int s;
3364 char hostbuf[NI_MAXHOST];
3365 char portbuf[NI_MAXSERV];
3366 struct isakmp *isakmp;
3367 vchar_t *buf;
3368#endif
3369
3370 if (loglevel < LLV_DEBUG)
3371 return;
3372
3373#ifdef YIPS_DEBUG
3374 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
3375
3376 gettimeofday(&tv, NULL);
3377 s = tv.tv_sec % 3600;
3378 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
3379
3380 if (from) {
85f41bec 3381 if (getnameinfo(from, sysdep_sa_len((struct sockaddr *)from), hostbuf, sizeof(hostbuf),
52b7d2ce
A		 3382 portbuf, sizeof(portbuf),
3383 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
3384 strlcpy(hostbuf, "?", sizeof(hostbuf));
3385 strlcpy(portbuf, "?", sizeof(portbuf));
3386 }
3387 printf("%s:%s", hostbuf, portbuf);
3388 } else
3389 printf("?");
3390 printf(" -> ");
3391 if (my) {
85f41bec 3392 if (getnameinfo(my, sysdep_sa_len((struct sockaddr *)my), hostbuf, sizeof(hostbuf),
52b7d2ce
A		 3393 portbuf, sizeof(portbuf),
3394 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
3395 strlcpy(hostbuf, "?", sizeof(hostbuf));
3396 strlcpy(portbuf, "?", sizeof(portbuf));
3397 }
3398 printf("%s:%s", hostbuf, portbuf);
3399 } else
3400 printf("?");
3401 printf(": ");
3402
3403 buf = vdup(msg);
3404 if (!buf) {
3405 printf("(malloc fail)\n");
3406 return;
3407 }
3408 if (decoded) {
3409 isakmp = (struct isakmp *)buf->v;
3410 if (isakmp->flags & ISAKMP_FLAG_E) {
3411#if 0
3412 int pad;
3413 pad = *(u_char *)(buf->v + buf->l - 1);
3414 if (buf->l < pad && 2 < vflag)
3415 printf("(wrong padding)");
3416#endif
3417 isakmp->flags &= ~ISAKMP_FLAG_E;
3418 }
3419 }
3420
3421 snapend = buf->v + buf->l;
3422 isakmp_print(buf->v, buf->l, NULL);
3423 vfree(buf);
3424 printf("\n");
3425 fflush(stdout);
3426
3427 return;
3428#endif
3429}
3430#endif /*HAVE_PRINT_ISAKMP_C*/
3431
3432int
3433copy_ph1addresses(iph1, rmconf, remote, local)
3434 struct ph1handle *iph1;
3435 struct remoteconf *rmconf;
85f41bec 3436 struct sockaddr_storage *remote, *local;
52b7d2ce
A		 3437{
3438 u_short *port = NULL;
3439
3440 /* address portion must be grabbed from real remote address "remote" */
85f41bec 3441 iph1->remote = dupsaddr((struct sockaddr *)remote);
52b7d2ce
A		 3442 if (iph1->remote == NULL) {
3443 delph1(iph1);
3444 return -1;
3445 }
3446
3447 /*
3448 * if remote has no port # (in case of initiator - from ACQUIRE msg)
3449 * - if remote.conf specifies port #, use that
3450 * - if remote.conf does not, use 500
3451 * if remote has port # (in case of responder - from recvfrom(2))
3452 * respect content of "remote".
3453 */
85f41bec 3454 switch (iph1->remote->ss_family) {
52b7d2ce
A		 3455 case AF_INET:
3456 port = &((struct sockaddr_in *)iph1->remote)->sin_port;
3457 if (*port)
3458 break;
3459 *port = ((struct sockaddr_in *)rmconf->remote)->sin_port;
3460 if (*port)
3461 break;
3462 *port = htons(PORT_ISAKMP);
3463 break;
3464#ifdef INET6
3465 case AF_INET6:
3466 port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port;
3467 if (*port)
3468 break;
3469 *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
3470 if (*port)
3471 break;
3472 *port = htons(PORT_ISAKMP);
3473 break;
3474#endif
3475 default:
3476 plog(LLV_ERROR, LOCATION, NULL,
85f41bec 3477 "invalid family: %d\n", iph1->remote->ss_family);
47612122 3478 delph1(iph1);
52b7d2ce
A		 3479 return -1;
3480 }
3481
3482 if (local == NULL)
85f41bec 3483 iph1->local = getlocaladdr((struct sockaddr *)iph1->remote);
52b7d2ce 3484 else
85f41bec 3485 iph1->local = dupsaddr((struct sockaddr *)local);
52b7d2ce
A		 3486 if (iph1->local == NULL) {
3487 delph1(iph1);
3488 return -1;
3489 }
3490 port = NULL;
85f41bec 3491 switch (iph1->local->ss_family) {
52b7d2ce
A		 3492 case AF_INET:
3493 port = &((struct sockaddr_in *)iph1->local)->sin_port;
3494 if (*port)
3495 break;
d1e348cf 3496 *port = ((struct sockaddr_in *)iph1->local)->sin_port;
52b7d2ce
A		 3497 if (*port)
3498 break;
3499 *port = getmyaddrsport(iph1->local);
3500 break;
3501#ifdef INET6
3502 case AF_INET6:
3503 port = &((struct sockaddr_in6 *)iph1->local)->sin6_port;
3504 if (*port)
3505 break;
d1e348cf 3506 *port = ((struct sockaddr_in6 *)iph1->local)->sin6_port;
52b7d2ce
A		 3507 if (*port)
3508 break;
3509 *port = getmyaddrsport(iph1->local);
3510 break;
3511#endif
3512 default:
3513 plog(LLV_ERROR, LOCATION, NULL,
85f41bec 3514 "invalid family: %d\n", iph1->local->ss_family);
52b7d2ce
A		 3515 delph1(iph1);
3516 return -1;
3517 }
3518#ifdef ENABLE_NATT
3519 if ( port != NULL && *port == htons(lcconf->port_isakmp_natt) ) {
3520 plog (LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n");
3521 iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
3522 }
3523#endif
3524
3525 return 0;
3526}
3527
3528static int
3529nostate1(iph1, msg)
3530 struct ph1handle *iph1;
3531 vchar_t *msg;
3532{
3533 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
3534 iph1->status);
3535 return -1;
3536}
3537
3538static int
3539nostate2(iph2, msg)
3540 struct ph2handle *iph2;
3541 vchar_t *msg;
3542{
3543 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
3544 iph2->status);
3545 return -1;
3546}
3547
3548void
3549log_ph1established(iph1)
3550 const struct ph1handle *iph1;
3551{
3552 char *src, *dst;
3553
85f41bec
A		 3554 src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
3555 dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
d1e348cf
A		 3556 STRDUP_FATAL(src);
3557 STRDUP_FATAL(dst);
3558
52b7d2ce
A		 3559 plog(LLV_INFO, LOCATION, NULL,
3560 "ISAKMP-SA established %s-%s spi:%s\n",
3561 src, dst,
3562 isakmp_pindex(&iph1->index, 0));
3563 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL);
d1e348cf
A		 3564 if(!iph1->rmconf->mode_cfg)
3565 EVT_PUSH(iph1->local, iph1->remote, EVTT_NO_ISAKMP_CFG, NULL);
3566
52b7d2ce
A		 3567 racoon_free(src);
3568 racoon_free(dst);
3569
e8d9021d
A		 3570 IPSECLOGASLMSG("IPSec Phase1 established (Initiated by %s).\n",
3571 (iph1->side == INITIATOR)? "me" : "peer");
3572
52b7d2ce
A		 3573 return;
3574}
3575
3576struct payload_list *
3577isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_type)
3578{
3579 if (! plist) {
3580 plist = racoon_malloc (sizeof (struct payload_list));
3581 plist->prev = NULL;
3582 }
3583 else {
3584 plist->next = racoon_malloc (sizeof (struct payload_list));
3585 plist->next->prev = plist;
3586 plist = plist->next;
3587 }
3588
3589 plist->next = NULL;
3590 plist->payload = payload;
3591 plist->payload_type = payload_type;
3592
3593 return plist;
3594}
3595
3596vchar_t *
3597isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
3598{
d1e348cf 3599 struct payload_list *ptr = *plist, *first;
52b7d2ce 3600 size_t tlen = sizeof (struct isakmp), n = 0;
d1e348cf 3601 vchar_t *buf = NULL;
52b7d2ce
A		 3602 char *p;
3603
52b7d2ce 3604 /* Seek to the first item. */
d1e348cf 3605 while (ptr->prev) ptr = ptr->prev;
52b7d2ce
A		 3606 first = ptr;
3607
3608 /* Compute the whole length. */
3609 while (ptr) {
3610 tlen += ptr->payload->l + sizeof (struct isakmp_gen);
3611 ptr = ptr->next;
3612 }
3613
3614 buf = vmalloc(tlen);
3615 if (buf == NULL) {
3616 plog(LLV_ERROR, LOCATION, NULL,
3617 "failed to get buffer to send.\n");
3618 goto end;
3619 }
3620
3621 ptr = first;
3622
3623 p = set_isakmp_header1(buf, iph1, ptr->payload_type);
3624 if (p == NULL)
3625 goto end;
3626
3627 while (ptr)
3628 {
3629 p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
3630 first = ptr;
3631 ptr = ptr->next;
3632 racoon_free (first);
3633 /* ptr->prev = NULL; first = NULL; ... omitted. */
3634 n++;
3635 }
3636
3637 *plist = NULL;
3638
3639 return buf;
3640end:
d1e348cf
A		 3641 if (buf != NULL)
3642 vfree(buf);
52b7d2ce
A		 3643 return NULL;
3644}
3645
3646#ifdef ENABLE_FRAG
3647int
3648frag_handler(iph1, msg, remote, local)
3649 struct ph1handle *iph1;
3650 vchar_t *msg;
85f41bec
A		 3651 struct sockaddr_storage *remote;
3652 struct sockaddr_storage *local;
52b7d2ce
A		 3653{
3654 vchar_t *newmsg;
85f41bec 3655 int result;
52b7d2ce
A		 3656
3657 if (isakmp_frag_extract(iph1, msg) == 1) {
3658 if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
3659 plog(LLV_ERROR, LOCATION, remote,
3660 "Packet reassembly failed\n");
3661 return -1;
3662 }
e8d9021d
A		 3663
3664 /* simply reply if the packet was processed. */
85f41bec 3665 if (check_recvdpkt(remote, local, newmsg) > 0) {
e8d9021d
A		 3666 IPSECLOGASLMSG("Received (reassembled) retransmitted packet from %s.\n",
3667 saddr2str((struct sockaddr *)remote));
3668
3669 plog(LLV_NOTIFY, LOCATION, NULL,
3670 "the reassembled packet is retransmitted by %s.\n",
3671 saddr2str((struct sockaddr *)remote));
85f41bec 3672 vfree(newmsg);
e8d9021d
A		 3673 return 0;
3674 }
3675
85f41bec
A		 3676 result = isakmp_main(newmsg, remote, local);
3677 vfree(newmsg);
3678 return result;
52b7d2ce
A		 3679 }
3680
3681 return 0;
3682}
3683#endif
3684
3685void
3686script_hook(iph1, script)
3687 struct ph1handle *iph1;
3688 int script;
3689{
3690#define IP_MAX 40
3691#define PORT_MAX 6
3692 char addrstr[IP_MAX];
3693 char portstr[PORT_MAX];
3694 char **envp = NULL;
3695 int envc = 1;
3696 struct sockaddr_in *sin;
3697 char **c;
3698
d1e348cf
A		 3699 if (iph1 == NULL ||
3700 iph1->rmconf == NULL ||
3701 iph1->rmconf->script[script] == NULL)
52b7d2ce
A		 3702 return;
3703
3704#ifdef ENABLE_HYBRID
3705 (void)isakmp_cfg_setenv(iph1, &envp, &envc);
3706#endif
3707
3708 /* local address */
3709 sin = (struct sockaddr_in *)iph1->local;
3710 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
d1e348cf 3711 snprintf(portstr, sizeof(portstr), "%d", ntohs(sin->sin_port));
52b7d2ce
A		 3712
3713 if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
3714 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
3715 goto out;
3716 }
3717
3718 if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) {
3719 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n");
3720 goto out;
3721 }
3722
3723 /* Peer address */
d1e348cf
A		 3724 if (iph1->remote != NULL) {
3725 sin = (struct sockaddr_in *)iph1->remote;
3726 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
3727 snprintf(portstr, sizeof(portstr), "%d", ntohs(sin->sin_port));
52b7d2ce 3728
d1e348cf
A		 3729 if (script_env_append(&envp, &envc,
3730 "REMOTE_ADDR", addrstr) != 0) {
3731 plog(LLV_ERROR, LOCATION, NULL,
3732 "Cannot set REMOTE_ADDR\n");
3733 goto out;
3734 }
52b7d2ce 3735
d1e348cf
A		 3736 if (script_env_append(&envp, &envc,
3737 "REMOTE_PORT", portstr) != 0) {
3738 plog(LLV_ERROR, LOCATION, NULL,
3739 "Cannot set REMOTEL_PORT\n");
3740 goto out;
3741 }
52b7d2ce
A		 3742 }
3743
e8d9021d 3744#ifdef HAVE_OPENSSL
d1e348cf 3745 if (privsep_script_exec(iph1->rmconf->script[script]->v,
52b7d2ce
A		 3746 script, envp) != 0)
3747 plog(LLV_ERROR, LOCATION, NULL,
3748 "Script %s execution failed\n", script_names[script]);
e8d9021d
A		 3749#else
3750 if (script_exec(iph1->rmconf->script[script]->v,
3751 script, envp) != 0)
3752 plog(LLV_ERROR, LOCATION, NULL,
3753 "Script %s execution failed\n", script_names[script]);
3754#endif
3755
52b7d2ce
A		 3756out:
3757 for (c = envp; *c; c++)
3758 racoon_free(*c);
3759
3760 racoon_free(envp);
3761
3762 return;
3763}
3764
3765int
3766script_env_append(envp, envc, name, value)
3767 char ***envp;
3768 int *envc;
3769 char *name;
3770 char *value;
3771{
3772 char *envitem;
3773 char **newenvp;
3774 int newenvc;
d1e348cf 3775 int envitem_len;
52b7d2ce 3776
d1e348cf
A		 3777 envitem_len = strlen(name) + 1 + strlen(value) + 1;
3778 envitem = racoon_malloc(envitem_len);
52b7d2ce
A		 3779 if (envitem == NULL) {
3780 plog(LLV_ERROR, LOCATION, NULL,
3781 "Cannot allocate memory: %s\n", strerror(errno));
3782 return -1;
3783 }
d1e348cf 3784 snprintf(envitem, envitem_len, "%s=%s", name, value);
52b7d2ce
A		 3785
3786 newenvc = (*envc) + 1;
3787 newenvp = racoon_realloc(*envp, newenvc * sizeof(char *));
3788 if (newenvp == NULL) {
3789 plog(LLV_ERROR, LOCATION, NULL,
3790 "Cannot allocate memory: %s\n", strerror(errno));
d1e348cf 3791 racoon_free(envitem);
52b7d2ce
A		 3792 return -1;
3793 }
3794
3795 newenvp[newenvc - 2] = envitem;
3796 newenvp[newenvc - 1] = NULL;
3797
3798 *envp = newenvp;
3799 *envc = newenvc;
3800 return 0;
3801}
3802
3803int
3804script_exec(script, name, envp)
d1e348cf 3805 char *script;
52b7d2ce
A		 3806 int name;
3807 char *const envp[];
3808{
3809 char *argv[] = { NULL, NULL, NULL };
52b7d2ce 3810
d1e348cf 3811 argv[0] = script;
52b7d2ce
A		 3812 argv[1] = script_names[name];
3813 argv[2] = NULL;
3814
3815 switch (fork()) {
3816 case 0:
3817 execve(argv[0], argv, envp);
d1e348cf 3818 plog(LLV_ERROR, LOCATION, NULL,
52b7d2ce
A		 3819 "execve(\"%s\") failed: %s\n",
3820 argv[0], strerror(errno));
3821 _exit(1);
3822 break;
3823 case -1:
3824 plog(LLV_ERROR, LOCATION, NULL,
3825 "Cannot fork: %s\n", strerror(errno));
3826 return -1;
3827 break;
3828 default:
3829 break;
3830 }
3831
3832 return 0;
3833}
3834
3835void
3836purge_remote(iph1)
3837 struct ph1handle *iph1;
3838{
3839 vchar_t *buf = NULL;
3840 struct sadb_msg *msg, *next, *end;
3841 struct sadb_sa *sa;
85f41bec 3842 struct sockaddr_storage *src, *dst;
52b7d2ce
A		 3843 caddr_t mhp[SADB_EXT_MAX + 1];
3844 u_int proto_id;
3845 struct ph2handle *iph2;
3846 struct ph1handle *new_iph1;
3847
3848 plog(LLV_INFO, LOCATION, NULL,
3849 "purging ISAKMP-SA spi=%s.\n",
3850 isakmp_pindex(&(iph1->index), iph1->msgid));
3851
3852 /* Mark as expired. */
3853 iph1->status = PHASE1ST_EXPIRED;
3854
d1e348cf 3855 new_iph1 = ike_session_update_ph1_ph2tree(iph1);
52b7d2ce
A		 3856
3857 /*
3858 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
3859 * Keep all others phase2 SAs.
3860 */
3861 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
3862 if (buf == NULL) {
3863 plog(LLV_DEBUG, LOCATION, NULL,
3864 "pfkey_dump_sadb returned nothing.\n");
3865 return;
3866 }
3867
85f41bec
A		 3868 msg = ALIGNED_CAST(struct sadb_msg *)buf->v;
3869 end = ALIGNED_CAST(struct sadb_msg *)(buf->v + buf->l);
52b7d2ce
A		 3870
3871 while (msg < end) {
3872 if ((msg->sadb_msg_len << 3) < sizeof(*msg))
3873 break;
85f41bec 3874 next = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
52b7d2ce
A		 3875 if (msg->sadb_msg_type != SADB_DUMP) {
3876 msg = next;
3877 continue;
3878 }
3879
3880 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
3881 plog(LLV_ERROR, LOCATION, NULL,
3882 "pfkey_check (%s)\n", ipsec_strerror());
3883 msg = next;
3884 continue;
3885 }
3886
85f41bec 3887 sa = ALIGNED_CAST(struct sadb_sa *)(mhp[SADB_EXT_SA]);
52b7d2ce
A		 3888 if (!sa ||
3889 !mhp[SADB_EXT_ADDRESS_SRC] ||
3890 !mhp[SADB_EXT_ADDRESS_DST]) {
3891 msg = next;
3892 continue;
3893 }
85f41bec
A		 3894 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
3895 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
52b7d2ce
A		 3896
3897 if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
3898 sa->sadb_sa_state != SADB_SASTATE_MATURE &&
3899 sa->sadb_sa_state != SADB_SASTATE_DYING) {
3900 msg = next;
3901 continue;
3902 }
3903
d1e348cf
A		 3904 /*
3905 * check in/outbound SAs.
3906 * Select only SAs where src == local and dst == remote (outgoing)
3907 * or src == remote and dst == local (incoming).
3908 */
52b7d2ce
A		 3909 if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
3910 (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
3911 msg = next;
3912 continue;
3913 }
3914
3915 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
3916 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
3917
3918 /* Check if there is another valid ISAKMP-SA */
3919 if (new_iph1 != NULL) {
3920
3921 if (iph2 == NULL) {
3922 /* No handler... still send a pfkey_delete message, but log this !*/
3923 plog(LLV_INFO, LOCATION, NULL,
3924 "Unknown IPsec-SA spi=%u, hmmmm?\n",
3925 ntohl(sa->sadb_sa_spi));
3926 }else{
3927
3928 /*
3929 * If we have a new ph1, do not purge IPsec-SAs binded
3930 * to a different ISAKMP-SA
3931 */
3932 if (iph2->ph1 != NULL && iph2->ph1 != iph1){
3933 msg = next;
3934 continue;
3935 }
3936
3937 /* If the ph2handle is established, do not purge IPsec-SA */
3938 if (iph2->status == PHASE2ST_ESTABLISHED ||
3939 iph2->status == PHASE2ST_EXPIRED) {
3940
3941 plog(LLV_INFO, LOCATION, NULL,
3942 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
3943 ntohl(sa->sadb_sa_spi),
3944 isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
3945 msg = next;
3946 continue;
3947 }
3948 }
3949 }
3950
3951
3952 pfkey_send_delete(lcconf->sock_pfkey,
3953 msg->sadb_msg_satype,
3954 IPSEC_MODE_ANY,
3955 src, dst, sa->sadb_sa_spi);
3956
3957 /* delete a relative phase 2 handle. */
3958 if (iph2 != NULL) {
3959 delete_spd(iph2);
3960 unbindph12(iph2);
3961 remph2(iph2);
3962 delph2(iph2);
3963 }
3964
3965 plog(LLV_INFO, LOCATION, NULL,
3966 "purged IPsec-SA spi=%u.\n",
3967 ntohl(sa->sadb_sa_spi));
3968
3969 msg = next;
3970 }
3971
3972 if (buf)
3973 vfree(buf);
3974
3975 /* Mark the phase1 handler as EXPIRED */
3976 plog(LLV_INFO, LOCATION, NULL,
3977 "purged ISAKMP-SA spi=%s.\n",
3978 isakmp_pindex(&(iph1->index), iph1->msgid));
3979
d1e348cf 3980 SCHED_KILL(iph1->sce);
52b7d2ce
A		 3981
3982 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
3983}
3984
3985void
3986delete_spd(iph2)
3987 struct ph2handle *iph2;
3988{
3989 if (iph2 == NULL)
3990 return;
3991
3992 /* Delete the SPD entry if we generated it
3993 */
3994 if (iph2->generated_spidx) {
85f41bec
A		 3995 union {
3996 u_int64_t force_align; // Wcast-align fix - force alignment
3997 struct policyindex spidx;
3998 } u;
52b7d2ce
A		 3999 struct sockaddr_storage addr;
4000 u_int8_t pref;
85f41bec
A		 4001 struct sockaddr_storage *src = iph2->src;
4002 struct sockaddr_storage *dst = iph2->dst;
52b7d2ce
A		 4003 int error;
4004 int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
4005
4006 plog(LLV_INFO, LOCATION, NULL,
4007 "generated policy, deleting it.\n");
4008
85f41bec
A		 4009 memset(&u.spidx, 0, sizeof(u.spidx));
4010 iph2->spidx_gen = &u.spidx;
52b7d2ce
A		 4011
4012 /* make inbound policy */
4013 iph2->src = dst;
4014 iph2->dst = src;
85f41bec
A		 4015 u.spidx.dir = IPSEC_DIR_INBOUND;
4016 u.spidx.ul_proto = 0;
52b7d2ce
A		 4017
4018 /*
4019 * Note: code from get_proposal_r
4020 */
4021
85f41bec 4022#define _XIDT(d) (ALIGNED_CAST(struct ipsecdoi_id_b *)((d)->v))->type
52b7d2ce
A		 4023
4024 /*
4025 * make destination address in spidx from either ID payload
4026 * or phase 1 address into a address in spidx.
4027 */
4028 if (iph2->id != NULL
4029 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
4030 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
4031 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
4032 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
4033 /* get a destination address of a policy */
85f41bec
A		 4034 error = ipsecdoi_id2sockaddr(iph2->id, &u.spidx.dst,
4035 &u.spidx.prefd, &u.spidx.ul_proto);
52b7d2ce
A		 4036 if (error)
4037 goto purge;
4038
4039#ifdef INET6
4040 /*
4041 * get scopeid from the SA address.
4042 * note that the phase 1 source address is used as
4043 * a destination address to search for a inbound
4044 * policy entry because rcoon is responder.
4045 */
4046 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
4047 if ((error =
85f41bec 4048 setscopeid(&u.spidx.dst, iph2->src)) != 0)
52b7d2ce
A		 4049 goto purge;
4050 }
4051#endif
4052
4053 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
4054 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
4055 idi2type = _XIDT(iph2->id);
4056
4057 } else {
4058
4059 plog(LLV_DEBUG, LOCATION, NULL,
4060 "get a destination address of SP index "
4061 "from phase1 address "
4062 "due to no ID payloads found "
4063 "OR because ID type is not address.\n");
4064
4065 /*
4066 * copy the SOURCE address of IKE into the
4067 * DESTINATION address of the key to search the
4068 * SPD because the direction of policy is inbound.
4069 */
85f41bec
A		 4070 memcpy(&u.spidx.dst, iph2->src, sysdep_sa_len((struct sockaddr *)iph2->src));
4071 switch (u.spidx.dst.ss_family) {
52b7d2ce 4072 case AF_INET:
85f41bec 4073 u.spidx.prefd =
52b7d2ce
A		 4074 sizeof(struct in_addr) << 3;
4075 break;
4076#ifdef INET6
4077 case AF_INET6:
85f41bec 4078 u.spidx.prefd =
52b7d2ce
A		 4079 sizeof(struct in6_addr) << 3;
4080 break;
4081#endif
4082 default:
85f41bec 4083 u.spidx.prefd = 0;
52b7d2ce
A		 4084 break;
4085 }
4086 }
4087
4088 /* make source address in spidx */
4089 if (iph2->id_p != NULL
4090 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
4091 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
4092 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
4093 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
4094 /* get a source address of inbound SA */
85f41bec
A		 4095 error = ipsecdoi_id2sockaddr(iph2->id_p, &u.spidx.src,
4096 &u.spidx.prefs, &u.spidx.ul_proto);
52b7d2ce
A		 4097 if (error)
4098 goto purge;
4099
4100#ifdef INET6
4101 /*
4102 * get scopeid from the SA address.
4103 * for more detail, see above of this function.
4104 */
4105 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
4106 error =
85f41bec 4107 setscopeid(&u.spidx.src, iph2->dst);
52b7d2ce
A		 4108 if (error)
4109 goto purge;
4110 }
4111#endif
4112
4113 /* make id[src,dst] if both ID types are IP address and same */
4114 if (_XIDT(iph2->id_p) == idi2type
85f41bec 4115 && u.spidx.dst.ss_family == u.spidx.src.ss_family) {
52b7d2ce 4116 iph2->src_id =
85f41bec 4117 dupsaddr((struct sockaddr *)&u.spidx.dst);
52b7d2ce 4118 iph2->dst_id =
85f41bec 4119 dupsaddr((struct sockaddr *)&u.spidx.src);
52b7d2ce
A		 4120 }
4121
4122 } else {
4123 plog(LLV_DEBUG, LOCATION, NULL,
4124 "get a source address of SP index "
4125 "from phase1 address "
4126 "due to no ID payloads found "
4127 "OR because ID type is not address.\n");
4128
4129 /* see above comment. */
85f41bec
A		 4130 memcpy(&u.spidx.src, iph2->dst, sysdep_sa_len((struct sockaddr *)iph2->dst));
4131 switch (u.spidx.src.ss_family) {
52b7d2ce 4132 case AF_INET:
85f41bec 4133 u.spidx.prefs =
52b7d2ce
A		 4134 sizeof(struct in_addr) << 3;
4135 break;
4136#ifdef INET6
4137 case AF_INET6:
85f41bec 4138 u.spidx.prefs =
52b7d2ce
A		 4139 sizeof(struct in6_addr) << 3;
4140 break;
4141#endif
4142 default:
85f41bec 4143 u.spidx.prefs = 0;
52b7d2ce
A		 4144 break;
4145 }
4146 }
4147
4148#undef _XIDT
4149
4150 plog(LLV_DEBUG, LOCATION, NULL,
4151 "get a src address from ID payload "
4152 "%s prefixlen=%u ul_proto=%u\n",
85f41bec
A		 4153 saddr2str((struct sockaddr *)&u.spidx.src),
4154 u.spidx.prefs, u.spidx.ul_proto);
52b7d2ce
A		 4155 plog(LLV_DEBUG, LOCATION, NULL,
4156 "get dst address from ID payload "
4157 "%s prefixlen=%u ul_proto=%u\n",
85f41bec
A		 4158 saddr2str((struct sockaddr *)&u.spidx.dst),
4159 u.spidx.prefd, u.spidx.ul_proto);
52b7d2ce
A		 4160
4161 /*
4162 * convert the ul_proto if it is 0
4163 * because 0 in ID payload means a wild card.
4164 */
85f41bec
A		 4165 if (u.spidx.ul_proto == 0)
4166 u.spidx.ul_proto = IPSEC_ULPROTO_ANY;
52b7d2ce
A		 4167
4168#undef _XIDT
4169
4170 /* End of code from get_proposal_r
4171 */
4172
4173 if (pk_sendspddelete(iph2) < 0) {
4174 plog(LLV_ERROR, LOCATION, NULL,
4175 "pfkey spddelete(inbound) failed.\n");
4176 }else{
4177 plog(LLV_DEBUG, LOCATION, NULL,
4178 "pfkey spddelete(inbound) sent.\n");
4179 }
4180
4181#ifdef HAVE_POLICY_FWD
4182 /* make forward policy if required */
4183 if (tunnel_mode_prop(iph2->approval)) {
85f41bec 4184 u.spidx.dir = IPSEC_DIR_FWD;
52b7d2ce
A		 4185 if (pk_sendspddelete(iph2) < 0) {
4186 plog(LLV_ERROR, LOCATION, NULL,
4187 "pfkey spddelete(forward) failed.\n");
4188 }else{
4189 plog(LLV_DEBUG, LOCATION, NULL,
4190 "pfkey spddelete(forward) sent.\n");
4191 }
4192 }
4193#endif
4194
4195 /* make outbound policy */
4196 iph2->src = src;
4197 iph2->dst = dst;
85f41bec
A		 4198 u.spidx.dir = IPSEC_DIR_OUTBOUND;
4199 addr = u.spidx.src;
4200 u.spidx.src = u.spidx.dst;
4201 u.spidx.dst = addr;
4202 pref = u.spidx.prefs;
4203 u.spidx.prefs = u.spidx.prefd;
4204 u.spidx.prefd = pref;
52b7d2ce
A		 4205
4206 if (pk_sendspddelete(iph2) < 0) {
4207 plog(LLV_ERROR, LOCATION, NULL,
4208 "pfkey spddelete(outbound) failed.\n");
4209 }else{
4210 plog(LLV_DEBUG, LOCATION, NULL,
4211 "pfkey spddelete(outbound) sent.\n");
4212 }
4213purge:
4214 iph2->spidx_gen=NULL;
4215 }
4216}
4217
4218#ifdef INET6
4219u_int32_t
4220setscopeid(sp_addr0, sa_addr0)
85f41bec 4221 struct sockaddr_storage *sp_addr0, *sa_addr0;
52b7d2ce
A		 4222{
4223 struct sockaddr_in6 *sp_addr, *sa_addr;
4224
4225 sp_addr = (struct sockaddr_in6 *)sp_addr0;
4226 sa_addr = (struct sockaddr_in6 *)sa_addr0;
4227
4228 if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
4229 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
4230 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
4231 return 0;
4232
4233 /* this check should not be here ? */
4234 if (sa_addr->sin6_family != AF_INET6) {
4235 plog(LLV_ERROR, LOCATION, NULL,
4236 "can't get scope ID: family mismatch\n");
4237 return -1;
4238 }
4239
4240 if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
4241 plog(LLV_ERROR, LOCATION, NULL,
4242 "scope ID is not supported except of lladdr.\n");
4243 return -1;
4244 }
4245
4246 sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;
4247
4248 return 0;
4249}
4250#endif
b8c37798
A		 4251
4252vchar_t *
4253isakmp_plist_append_initial_contact (iph1, plist)
e8d9021d
A		 4254 struct ph1handle *iph1;
4255 struct payload_list *plist;
b8c37798
A		 4256{
4257 if (!iph1->is_rekey && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
4258 vchar_t *notp_ini = NULL;
4259 struct isakmp_pl_n np, *nptr;
4260 char *cptr;
e8d9021d 4261
b8c37798
A		 4262 np.doi = htonl(iph1->rmconf->doitype);
4263 np.proto_id = IPSECDOI_PROTO_ISAKMP;
4264 np.spi_size = sizeof(isakmp_index);
4265 np.type = htons(ISAKMP_NTYPE_INITIAL_CONTACT);
4266 if ((notp_ini = vmalloc(sizeof(struct isakmp_pl_n) - sizeof(struct isakmp_gen)
4267 + sizeof(isakmp_index)))) {
4268 nptr = &np;
4269 memcpy(notp_ini->v, &nptr->doi, sizeof(struct isakmp_pl_n) - sizeof(struct isakmp_gen));
4270 cptr = notp_ini->v + sizeof(struct isakmp_pl_n) - sizeof(struct isakmp_gen);
4271 memcpy(cptr, &iph1->index, sizeof(isakmp_index));
4272 plist = isakmp_plist_append(plist, notp_ini, ISAKMP_NPTYPE_N);
4273 plog(LLV_DEBUG2, LOCATION, iph1->remote,
4274 "added initial-contact payload.\n");
4275
4276 /* insert a node into contacted list. */
4277 if (inscontacted(iph1->remote) == -1) {
4278 plog(LLV_ERROR, LOCATION, iph1->remote,
4279 "failed to add contacted list.\n");
4280 /* ignore */
4281 }
4282 return notp_ini;
4283 } else {
4284 plog(LLV_ERROR, LOCATION, iph1->remote,
4285 "failed to allocate notification payload.\n");
4286 return NULL;
4287 }
869d26af
A		 4288 } else {
4289 plog(LLV_DEBUG, LOCATION, iph1->remote,
4290 "failed to add initial-contact payload: rekey %d, ini-contact %d, contacted %d.\n",
4291 iph1->is_rekey? 1:0, iph1->rmconf->ini_contact, getcontacted(iph1->remote)? 1:0);
b8c37798
A		 4292 }
4293 return NULL;
4294}
mirror of ipsec