[apple/ipsec.git] / ipsec-tools / racoon / vpn.c

/*
 * Copyright (c) 2007 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License").  You may not use this file except in compliance with the
 * License.  Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "config.h"

#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/signal.h>
#include <sys/stat.h>
#include <sys/un.h>

#ifdef __APPLE__
#include <System/net/pfkeyv2.h>
#else
#include <net/pfkeyv2.h>
#endif

#include <netinet/in.h>
#ifndef HAVE_NETINET6_IPSEC
#include <netinet/ipsec.h>
#else 
#include <netinet6/ipsec.h>
#endif


#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <netdb.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef ENABLE_HYBRID
#include <resolv.h>
#endif

#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "debug.h"
#include "handler.h"
#include "schedule.h"
#include "localconf.h"
#include "remoteconf.h"
#include "grabmyaddr.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "oakley.h"
#include "evt.h"
#include "pfkey.h"
#include "ipsec_doi.h"
#include "admin.h"
#include "admin_var.h"
#include "isakmp_inf.h"
#ifdef ENABLE_HYBRID
#include "isakmp_cfg.h"
#include "isakmp_unity.h"
#endif
#include "session.h"
#include "gcmalloc.h"
#include "sainfo.h"
#include "ipsec_doi.h"
#include "nattraversal.h"

#include "vpn_control.h"
#include "vpn_control_var.h"
#include "strnames.h"
#include "ike_session.h"


static int vpn_get_ph2pfs(struct ph1handle *);

int
vpn_connect(struct bound_addr *srv)
{
	int error = -1;
	struct sockaddr *dst;
	struct remoteconf *rmconf;
	struct sockaddr *remote = NULL;
	struct sockaddr *local = NULL;
	u_int16_t port;

	dst = racoon_calloc(1, sizeof(struct sockaddr));	// this should come from the bound_addr parameter
	if (dst == NULL)
		goto out;
	((struct sockaddr_in *)(dst))->sin_len = sizeof(struct sockaddr_in);
	((struct sockaddr_in *)(dst))->sin_family = AF_INET;
	((struct sockaddr_in *)(dst))->sin_port = 500;
	((struct sockaddr_in *)(dst))->sin_addr.s_addr = srv->address;

	/*
	 * Find the source address
	 */	 
	if ((local = getlocaladdr(dst)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"cannot get local address\n");
		goto out1;
	}

	/* find appropreate configuration */
	rmconf = getrmconf(dst);
	if (rmconf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no configuration found "
			"for %s\n", saddrwop2str(dst));
		goto out1;
	}

	/* get remote IP address and port number. */
	if ((remote = dupsaddr(dst)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to duplicate address\n");
		goto out1;
	}

	switch (remote->sa_family) {
	case AF_INET:
		((struct sockaddr_in *)remote)->sin_port =
			((struct sockaddr_in *)rmconf->remote)->sin_port;
		break;
#ifdef INET6
	case AF_INET6:
		((struct sockaddr_in6 *)remote)->sin6_port =
			((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
		break;
#endif
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid family: %d\n",
			remote->sa_family);
		goto out1;
		break;
	}

	port = ntohs(getmyaddrsport(local));
	if (set_port(local, port) == NULL) 
		goto out1;

	plog(LLV_INFO, LOCATION, NULL,
		"accept a request to establish IKE-SA: "
		"%s\n", saddrwop2str(remote));

	/* begin ident mode */
	if (isakmp_ph1begin_i(rmconf, remote, local, 1) < 0)
		goto out1;
		
	error = 0;

out1:
	if (dst != NULL)
		racoon_free(dst);
	if (local != NULL)
		racoon_free(local);
	if (remote != NULL)
		racoon_free(remote);
out:

	return error;
}

int
vpn_disconnect(struct bound_addr *srv)
{
	struct sockaddr_in	saddr;

	bzero(&saddr, sizeof(saddr));
	saddr.sin_len = sizeof(saddr);
	saddr.sin_addr.s_addr = srv->address;
	saddr.sin_port = 0;
	saddr.sin_family = AF_INET;
    	ike_sessions_stopped_by_controller(&saddr,
                                       0,
                                       ike_session_stopped_by_vpn_disconnect);
	if (purgephXbydstaddrwop((struct sockaddr *)(&saddr)) > 0) {
		return 0;
	} else {
		return -1;
	}
}

int
vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt)
{
	struct vpnctl_sa_selector *selector_ptr;
	struct vpnctl_algo *algo_ptr, *next_algo;
	int					i, j, defklen;
	struct sainfoalg	*new_algo;
	struct sainfo		*new_sainfo = NULL, *check;
	u_int16_t			class, algorithm, keylen;
	struct ph1handle	*ph1;
	struct sockaddr_in	saddr;
	
	struct id {
		u_int8_t type;		/* ID Type */
		u_int8_t proto_id;	/* Protocol ID */
		u_int16_t port;		/* Port */
		u_int32_t addr;		/* IPv4 address */
		u_int32_t mask;
	} *id_ptr;
	
	/* verify ph1 exists */	
	bzero(&saddr, sizeof(saddr));
	saddr.sin_len = sizeof(saddr);
	saddr.sin_addr.s_addr = addr->address;
	saddr.sin_port = 0;
	saddr.sin_family = AF_INET;
	ph1 = getph1bydstaddrwop((struct sockaddr *)(&saddr));
	if (ph1 == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"cannot start phase2 - no phase1 found.\n");
		return -1;
	}
	if (ph1->status != PHASE1ST_ESTABLISHED) {
		plog(LLV_ERROR, LOCATION, NULL,
			 "cannot start phase2 - phase1 not established.\n");
		return -1;
	}

	selector_ptr = (struct vpnctl_sa_selector *)(pkt + 1);
	algo_ptr = (struct vpnctl_algo *)(selector_ptr + ntohs(pkt->selector_count));

	for (i = 0; i < ntohs(pkt->selector_count); i++, selector_ptr++) {
		new_sainfo = newsainfo();
		if (new_sainfo == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"unable to allocate sainfo struct.\n");
			goto fail;
		}
		
		if (ntohl(selector_ptr->src_tunnel_mask) == 0xFFFFFFFF)
			new_sainfo->idsrc = vmalloc(sizeof(struct id) - sizeof(u_int32_t));
		else
			new_sainfo->idsrc = vmalloc(sizeof(struct id));
		if (new_sainfo->idsrc == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				 "unable to allocate id struct.\n");
			goto fail;
		}
		if (selector_ptr->dst_tunnel_mask == 0xFFFFFFFF)
			new_sainfo->iddst = vmalloc(sizeof(struct id) - sizeof(u_int32_t));
		else
			new_sainfo->iddst = vmalloc(sizeof(struct id));
		if (new_sainfo->iddst == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				 "unable to allocate id struct.\n");
			goto fail;
		}			
		
		id_ptr = (struct id *)new_sainfo->idsrc->v;
		if (ntohl(selector_ptr->src_tunnel_mask) == 0xFFFFFFFF)
			id_ptr->type = IPSECDOI_ID_IPV4_ADDR;
		else {
			id_ptr->type = IPSECDOI_ID_IPV4_ADDR_SUBNET;
			id_ptr->mask = selector_ptr->src_tunnel_mask;
		}
		id_ptr->addr = selector_ptr->src_tunnel_address;
		id_ptr->port = selector_ptr->src_tunnel_port;
		id_ptr->proto_id = selector_ptr->ul_protocol;
				
		id_ptr = (struct id *)new_sainfo->iddst->v;
		if (selector_ptr->dst_tunnel_mask == 0xFFFFFFFF)
			id_ptr->type = IPSECDOI_ID_IPV4_ADDR;
		else {
			id_ptr->type = IPSECDOI_ID_IPV4_ADDR_SUBNET;
			id_ptr->mask = selector_ptr->dst_tunnel_mask;
		}
		id_ptr->addr = selector_ptr->dst_tunnel_address;
		id_ptr->port = selector_ptr->dst_tunnel_port;
		id_ptr->proto_id = selector_ptr->ul_protocol;		
				
		new_sainfo->dynamic = addr->address;
		new_sainfo->lifetime = ntohl(pkt->lifetime);
		
		if (ntohs(pkt->pfs_group) != 0) {
			new_sainfo->pfs_group = algtype2doi(algclass_isakmp_dh, ntohs(pkt->pfs_group));
			if (new_sainfo->pfs_group == -1) {
				plog(LLV_ERROR, LOCATION, NULL, "invalid dh group specified\n");
				goto fail;
			}
		}
		for (j = 0, next_algo = algo_ptr; j < ntohs(pkt->algo_count); j++, next_algo++) {

			new_algo = newsainfoalg();
			if (new_algo == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to allocate algorithm structure\n");
				goto fail;
			}

			class = ntohs(next_algo->algo_class);
			algorithm = ntohs(next_algo->algo);
			keylen = ntohs(next_algo->key_len);
			
			new_algo->alg = algtype2doi(class, algorithm);
			if (new_algo->alg == -1) {
				plog(LLV_ERROR, LOCATION, NULL, "algorithm mismatched\n");
				racoon_free(new_algo);
				goto fail;
			}

			defklen = default_keylen(class, algorithm);
			if (defklen == 0) {
				if (keylen) {
					plog(LLV_ERROR, LOCATION, NULL, "keylen not allowed\n");
					racoon_free(new_algo);
					goto fail;
				}
			} else {
				if (keylen && check_keylen(class, algorithm, keylen) < 0) {
					plog(LLV_ERROR, LOCATION, NULL, "invalid keylen %d\n", keylen);
					racoon_free(new_algo);
					goto fail;
				}
			}

			if (keylen)
				new_algo->encklen = keylen;
			else
				new_algo->encklen = defklen;

			/* check if it's supported algorithm by kernel */
			if (!(class == algclass_ipsec_auth && algorithm == algtype_non_auth)
			 && pk_checkalg(class, algorithm, new_algo->encklen)) {
				int a = algclass2doi(class);
				int b = new_algo->alg;
				if (a == IPSECDOI_ATTR_AUTH)
					a = IPSECDOI_PROTO_IPSEC_AH;
				plog(LLV_ERROR, LOCATION, NULL, 
					"algorithm %s not supported by the kernel (missing module?)\n", s_ipsecdoi_trns(a, b));
				racoon_free(new_algo);
				goto fail;
			}
			inssainfoalg(&new_sainfo->algs[class], new_algo);
		}

		if (new_sainfo->algs[algclass_ipsec_enc] == 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"no encryption algorithm at %s\n", sainfo2str(new_sainfo));
			goto fail;
		}
		if (new_sainfo->algs[algclass_ipsec_auth] == 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"no authentication algorithm at %s\n", sainfo2str(new_sainfo));
			goto fail;
		}
		if (new_sainfo->algs[algclass_ipsec_comp] == 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"no compression algorithm at %s\n", sainfo2str(new_sainfo));
			goto fail;
		}

		/* duplicate check */
		check = getsainfo(new_sainfo->idsrc, new_sainfo->iddst, new_sainfo->id_i, 0);
		if (check && (!check->idsrc && !new_sainfo->idsrc)) {
			plog(LLV_ERROR, LOCATION, NULL,"duplicated sainfo: %s\n", sainfo2str(new_sainfo));
			goto fail;
		}
		plog(LLV_DEBUG2, LOCATION, NULL, "create sainfo: %s\n", sainfo2str(new_sainfo));
		inssainfo(new_sainfo);
		new_sainfo = NULL;
	}
	
	return 0;
	
fail:
	if (new_sainfo)
		delsainfo(new_sainfo);
	flushsainfo_dynamic(addr);
	return -1;
}

static int 
vpn_get_ph2pfs(struct ph1handle *ph1)
{
}


int
vpn_get_config(struct ph1handle *iph1, struct vpnctl_status_phase_change **msg, size_t *msg_size)
{

	struct vpnctl_modecfg_params *params;
	struct myaddrs *myaddr;
	u_int16_t ifname_len, msize;
	u_int8_t  *cptr;
	
	*msg = NULL;
	msize = 0;
	
	if (((struct sockaddr_in *)iph1->local)->sin_family != AF_INET) {
		plog(LLV_ERROR, LOCATION, NULL,
			"IPv6 not supported for mode config.\n");
		return -1;
	}
	
	if (iph1->mode_cfg->attr_list == NULL)
		return 1;	/* haven't received configuration yet */
		
	myaddr = find_myaddr(iph1->local, 0);
	if (myaddr == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to find address structure.\n");
		return -1;
	}
	
	msize = sizeof(struct vpnctl_status_phase_change) 
			+ sizeof(struct vpnctl_modecfg_params);
	msize += iph1->mode_cfg->attr_list->l;

	*msg = racoon_calloc(1, msize);
	if (*msg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"faled to allocate space for message.\n");
		return -1;
	}
	
	(*msg)->hdr.flags = htons(VPNCTL_FLAG_MODECFG_USED);
	params = (struct vpnctl_modecfg_params *)(*msg + 1);
	params->outer_local_addr = ((struct sockaddr_in *)iph1->local)->sin_addr.s_addr;
	params->outer_remote_port = htons(0);
	params->outer_local_port = htons(0);
	ifname_len = strlen(myaddr->ifname);
	memset(&params->ifname, 0, IFNAMSIZ);
	memcpy(&params->ifname, myaddr->ifname, ifname_len < IFNAMSIZ ? ifname_len : IFNAMSIZ-1);
	cptr = (u_int8_t *)(params + 1);
	memcpy(cptr, iph1->mode_cfg->attr_list->v, iph1->mode_cfg->attr_list->l);
	*msg_size = msize;

	return 0;
}


int
vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len)
{

	struct isakmp_pl_attr *reply;
	void* attr_ptr;
	vchar_t *payload = NULL;
	struct ph1handle	*iph1;
	struct sockaddr_in	saddr;
	int error = -1;
	int tlen = attr_len;
	struct isakmp_data *attr;
	char *dataptr = (char *)attr_list;

	/* find ph1 */	
	bzero(&saddr, sizeof(saddr));
	saddr.sin_len = sizeof(saddr);
	saddr.sin_addr.s_addr = address;
	saddr.sin_port = 0;
	saddr.sin_family = AF_INET;
	iph1 = getph1bydstaddrwop((struct sockaddr *)(&saddr));
	if (iph1 == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"cannot reply to xauth request - no ph1 found.\n");
		goto end;
	}

	if (iph1->xauth_awaiting_userinput == 0) {
		plog(LLV_ERROR, LOCATION, NULL, "Huh? recvd xauth reply data with no xauth reply pending \n");
		goto end;
	}
	
	/* validate attr lengths */
	while (tlen > 0)
	{
		int tlv;
		
		attr = (struct isakmp_data *)dataptr;
		tlv = (attr->type & htons(0x8000)) == 0;
		
		if (tlv) {
			tlen -= ntohs(attr->lorv);
			dataptr += ntohs(attr->lorv);
		}
		tlen -= sizeof(u_int32_t);
		dataptr += sizeof(u_int32_t);
	}
	if (tlen != 0) {
		plog(LLV_ERROR, LOCATION, NULL, "invalid auth info received from VPN Control socket.\n");
		goto end;
	}
	
	payload = vmalloc(sizeof(struct isakmp_pl_attr) + attr_len);
	if (payload == NULL) {	
		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory for xauth reply\n");
		goto end;
	}
	memset(payload->v, 0, sizeof(reply));

	reply = (struct isakmp_pl_attr *)payload->v;
	reply->h.len = htons(payload->l);
	reply->type = ISAKMP_CFG_REPLY;
	reply->id = iph1->pended_xauth_id;	/* network byte order */
	iph1->xauth_awaiting_userinput = 0;	/* no longer waiting */
	attr_ptr = reply + 1;
	memcpy(attr_ptr, attr_list, attr_len);

	plog(LLV_DEBUG, LOCATION, NULL, 
		    "Sending MODE_CFG REPLY\n");
	error = isakmp_cfg_send(iph1, payload, 
	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, iph1->xauth_awaiting_userinput_msg);
	VPTRINIT(iph1->xauth_awaiting_userinput_msg);
	ike_session_stop_xauth_timer(iph1);

end:
	if (payload)
		vfree(payload);
	return error;
}
Commit	Line	Data
d1e348cf A	1	/*
	2	* Copyright (c) 2007 Apple Computer, Inc. All rights reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* The contents of this file constitute Original Code as defined in and
	7	* are subject to the Apple Public Source License Version 1.1 (the
	8	* "License"). You may not use this file except in compliance with the
	9	* License. Please obtain a copy of the License at
	10	* http://www.apple.com/publicsource and read it before using this file.
	11	*
	12	* This Original Code and all software distributed under the License are
	13	* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	14	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	15	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	16	* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
	17	* License for the specific language governing rights and limitations
	18	* under the License.
	19	*
	20	* @APPLE_LICENSE_HEADER_END@
	21	*/
	22
	23	/*
	24	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	25	* All rights reserved.
	26	*
	27	* Redistribution and use in source and binary forms, with or without
	28	* modification, are permitted provided that the following conditions
	29	* are met:
	30	* 1. Redistributions of source code must retain the above copyright
	31	* notice, this list of conditions and the following disclaimer.
	32	* 2. Redistributions in binary form must reproduce the above copyright
	33	* notice, this list of conditions and the following disclaimer in the
	34	* documentation and/or other materials provided with the distribution.
	35	* 3. Neither the name of the project nor the names of its contributors
	36	* may be used to endorse or promote products derived from this software
	37	* without specific prior written permission.
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	40	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	42	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	43	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	44	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	45	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	46	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	47	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	48	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	49	* SUCH DAMAGE.
	50	*/
	51
	52	#include "config.h"
	53
	54	#include <sys/types.h>
	55	#include <sys/param.h>
	56	#include <sys/socket.h>
	57	#include <sys/signal.h>
	58	#include <sys/stat.h>
	59	#include <sys/un.h>
	60
	61	#ifdef __APPLE__
	62	#include <System/net/pfkeyv2.h>
	63	#else
	64	#include <net/pfkeyv2.h>
65	#endif
66
67	#include <netinet/in.h>
68	#ifndef HAVE_NETINET6_IPSEC
69	#include <netinet/ipsec.h>
70	#else
71	#include <netinet6/ipsec.h>
72	#endif
73
74
75	#include <stdlib.h>
76	#include <stdio.h>
77	#include <string.h>
78	#include <errno.h>
79	#include <netdb.h>
80	#ifdef HAVE_UNISTD_H
81	#include <unistd.h>
82	#endif
83	#ifdef ENABLE_HYBRID
84	#include <resolv.h>
85	#endif
86
87	#include "var.h"
88	#include "misc.h"
89	#include "vmbuf.h"
90	#include "plog.h"
91	#include "sockmisc.h"
92	#include "debug.h"
93	#include "handler.h"
94	#include "schedule.h"
95	#include "localconf.h"
96	#include "remoteconf.h"
97	#include "grabmyaddr.h"
98	#include "isakmp_var.h"
99	#include "isakmp.h"
100	#include "oakley.h"
101	#include "evt.h"
102	#include "pfkey.h"
103	#include "ipsec_doi.h"
104	#include "admin.h"
105	#include "admin_var.h"
106	#include "isakmp_inf.h"
107	#ifdef ENABLE_HYBRID
108	#include "isakmp_cfg.h"
109	#include "isakmp_unity.h"
110	#endif
111	#include "session.h"
112	#include "gcmalloc.h"
113	#include "sainfo.h"
114	#include "ipsec_doi.h"
115	#include "nattraversal.h"
116
117	#include "vpn_control.h"
118	#include "vpn_control_var.h"
119	#include "strnames.h"
120	#include "ike_session.h"
121
122
123	static int vpn_get_ph2pfs(struct ph1handle *);
124
125	int
126	vpn_connect(struct bound_addr *srv)
127	{
128	int error = -1;
129	struct sockaddr *dst;
130	struct remoteconf *rmconf;
131	struct sockaddr *remote = NULL;
132	struct sockaddr *local = NULL;
133	u_int16_t port;
134
135	dst = racoon_calloc(1, sizeof(struct sockaddr)); // this should come from the bound_addr parameter
136	if (dst == NULL)
137	goto out;
138	((struct sockaddr_in *)(dst))->sin_len = sizeof(struct sockaddr_in);
139	((struct sockaddr_in *)(dst))->sin_family = AF_INET;
140	((struct sockaddr_in *)(dst))->sin_port = 500;
141	((struct sockaddr_in *)(dst))->sin_addr.s_addr = srv->address;
142
143	/*
144	* Find the source address
145	*/
146	if ((local = getlocaladdr(dst)) == NULL) {
147	plog(LLV_ERROR, LOCATION, NULL,
148	"cannot get local address\n");
149	goto out1;
150	}
151
152	/* find appropreate configuration */
153	rmconf = getrmconf(dst);
154	if (rmconf == NULL) {
155	plog(LLV_ERROR, LOCATION, NULL,
156	"no configuration found "
157	"for %s\n", saddrwop2str(dst));
158	goto out1;
159	}
160
161	/* get remote IP address and port number. */
162	if ((remote = dupsaddr(dst)) == NULL) {
163	plog(LLV_ERROR, LOCATION, NULL,
164	"failed to duplicate address\n");
165	goto out1;
166	}
167
168	switch (remote->sa_family) {
169	case AF_INET:
170	((struct sockaddr_in *)remote)->sin_port =
171	((struct sockaddr_in *)rmconf->remote)->sin_port;
172	break;
173	#ifdef INET6
174	case AF_INET6:
175	((struct sockaddr_in6 *)remote)->sin6_port =
176	((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
177	break;
178	#endif
179	default:
180	plog(LLV_ERROR, LOCATION, NULL,
181	"invalid family: %d\n",
182	remote->sa_family);
183	goto out1;
184	break;
185	}
186
187	port = ntohs(getmyaddrsport(local));
188	if (set_port(local, port) == NULL)
189	goto out1;
190
191	plog(LLV_INFO, LOCATION, NULL,
192	"accept a request to establish IKE-SA: "
193	"%s\n", saddrwop2str(remote));
194
195	/* begin ident mode */
196	if (isakmp_ph1begin_i(rmconf, remote, local, 1) < 0)
197	goto out1;
198
199	error = 0;
200
201	out1:
202	if (dst != NULL)
203	racoon_free(dst);
204	if (local != NULL)
205	racoon_free(local);
206	if (remote != NULL)
207	racoon_free(remote);
208	out:
209
210	return error;
211	}
212
213	int
214	vpn_disconnect(struct bound_addr *srv)
215	{
216	struct sockaddr_in saddr;
217
218	bzero(&saddr, sizeof(saddr));
219	saddr.sin_len = sizeof(saddr);
220	saddr.sin_addr.s_addr = srv->address;
221	saddr.sin_port = 0;
222	saddr.sin_family = AF_INET;
223	ike_sessions_stopped_by_controller(&saddr,
224	0,
225	ike_session_stopped_by_vpn_disconnect);
226	if (purgephXbydstaddrwop((struct sockaddr *)(&saddr)) > 0) {
227	return 0;
228	} else {
229	return -1;
230	}
231	}
232
233	int
234	vpn_start_ph2(struct bound_addr addr, struct vpnctl_cmd_start_ph2 pkt)
235	{
236	struct vpnctl_sa_selector *selector_ptr;
237	struct vpnctl_algo algo_ptr, next_algo;
238	int i, j, defklen;
239	struct sainfoalg *new_algo;
240	struct sainfo new_sainfo = NULL, check;
241	u_int16_t class, algorithm, keylen;
242	struct ph1handle *ph1;
243	struct sockaddr_in saddr;
244
245	struct id {
246	u_int8_t type; /* ID Type */
247	u_int8_t proto_id; /* Protocol ID */
248	u_int16_t port; /* Port */
249	u_int32_t addr; /* IPv4 address */
250	u_int32_t mask;
251	} *id_ptr;
252
253	/* verify ph1 exists */
254	bzero(&saddr, sizeof(saddr));
255	saddr.sin_len = sizeof(saddr);
256	saddr.sin_addr.s_addr = addr->address;
257	saddr.sin_port = 0;
258	saddr.sin_family = AF_INET;
259	ph1 = getph1bydstaddrwop((struct sockaddr *)(&saddr));
260	if (ph1 == NULL) {
261	plog(LLV_ERROR, LOCATION, NULL,
262	"cannot start phase2 - no phase1 found.\n");
263	return -1;
264	}
265	if (ph1->status != PHASE1ST_ESTABLISHED) {
266	plog(LLV_ERROR, LOCATION, NULL,
267	"cannot start phase2 - phase1 not established.\n");
268	return -1;
269	}
270
271	selector_ptr = (struct vpnctl_sa_selector *)(pkt + 1);
272	algo_ptr = (struct vpnctl_algo *)(selector_ptr + ntohs(pkt->selector_count));
273
274	for (i = 0; i < ntohs(pkt->selector_count); i++, selector_ptr++) {
275	new_sainfo = newsainfo();
276	if (new_sainfo == NULL) {
277	plog(LLV_ERROR, LOCATION, NULL,
278	"unable to allocate sainfo struct.\n");
279	goto fail;
280	}
281
282	if (ntohl(selector_ptr->src_tunnel_mask) == 0xFFFFFFFF)
283	new_sainfo->idsrc = vmalloc(sizeof(struct id) - sizeof(u_int32_t));
284	else
285	new_sainfo->idsrc = vmalloc(sizeof(struct id));
286	if (new_sainfo->idsrc == NULL) {
287	plog(LLV_ERROR, LOCATION, NULL,
288	"unable to allocate id struct.\n");
289	goto fail;
290	}
291	if (selector_ptr->dst_tunnel_mask == 0xFFFFFFFF)
292	new_sainfo->iddst = vmalloc(sizeof(struct id) - sizeof(u_int32_t));
293	else
294	new_sainfo->iddst = vmalloc(sizeof(struct id));
295	if (new_sainfo->iddst == NULL) {
296	plog(LLV_ERROR, LOCATION, NULL,
297	"unable to allocate id struct.\n");
298	goto fail;
299	}
300
301	id_ptr = (struct id *)new_sainfo->idsrc->v;
302	if (ntohl(selector_ptr->src_tunnel_mask) == 0xFFFFFFFF)
303	id_ptr->type = IPSECDOI_ID_IPV4_ADDR;
304	else {
305	id_ptr->type = IPSECDOI_ID_IPV4_ADDR_SUBNET;
306	id_ptr->mask = selector_ptr->src_tunnel_mask;
307	}
308	id_ptr->addr = selector_ptr->src_tunnel_address;
309	id_ptr->port = selector_ptr->src_tunnel_port;
310	id_ptr->proto_id = selector_ptr->ul_protocol;
311
312	id_ptr = (struct id *)new_sainfo->iddst->v;
313	if (selector_ptr->dst_tunnel_mask == 0xFFFFFFFF)
314	id_ptr->type = IPSECDOI_ID_IPV4_ADDR;
315	else {
316	id_ptr->type = IPSECDOI_ID_IPV4_ADDR_SUBNET;
317	id_ptr->mask = selector_ptr->dst_tunnel_mask;
318	}
319	id_ptr->addr = selector_ptr->dst_tunnel_address;
320	id_ptr->port = selector_ptr->dst_tunnel_port;
321	id_ptr->proto_id = selector_ptr->ul_protocol;
322
323	new_sainfo->dynamic = addr->address;
324	new_sainfo->lifetime = ntohl(pkt->lifetime);
325
326	if (ntohs(pkt->pfs_group) != 0) {
327	new_sainfo->pfs_group = algtype2doi(algclass_isakmp_dh, ntohs(pkt->pfs_group));
328	if (new_sainfo->pfs_group == -1) {
329	plog(LLV_ERROR, LOCATION, NULL, "invalid dh group specified\n");
330	goto fail;
331	}
332	}
333	for (j = 0, next_algo = algo_ptr; j < ntohs(pkt->algo_count); j++, next_algo++) {
334
335	new_algo = newsainfoalg();
336	if (new_algo == NULL) {
337	plog(LLV_ERROR, LOCATION, NULL,
338	"failed to allocate algorithm structure\n");
339	goto fail;
340	}
341
342	class = ntohs(next_algo->algo_class);
343	algorithm = ntohs(next_algo->algo);
344	keylen = ntohs(next_algo->key_len);
345
346	new_algo->alg = algtype2doi(class, algorithm);
347	if (new_algo->alg == -1) {
348	plog(LLV_ERROR, LOCATION, NULL, "algorithm mismatched\n");
349	racoon_free(new_algo);
350	goto fail;
351	}
352
353	defklen = default_keylen(class, algorithm);
354	if (defklen == 0) {
355	if (keylen) {
356	plog(LLV_ERROR, LOCATION, NULL, "keylen not allowed\n");
357	racoon_free(new_algo);
358	goto fail;
359	}
360	} else {
361	if (keylen && check_keylen(class, algorithm, keylen) < 0) {
362	plog(LLV_ERROR, LOCATION, NULL, "invalid keylen %d\n", keylen);
363	racoon_free(new_algo);
364	goto fail;
365	}
366	}
367
368	if (keylen)
369	new_algo->encklen = keylen;
370	else
371	new_algo->encklen = defklen;
372
373	/* check if it's supported algorithm by kernel */
374	if (!(class == algclass_ipsec_auth && algorithm == algtype_non_auth)
375	&& pk_checkalg(class, algorithm, new_algo->encklen)) {
376	int a = algclass2doi(class);
377	int b = new_algo->alg;
378	if (a == IPSECDOI_ATTR_AUTH)
379	a = IPSECDOI_PROTO_IPSEC_AH;
380	plog(LLV_ERROR, LOCATION, NULL,
381	"algorithm %s not supported by the kernel (missing module?)\n", s_ipsecdoi_trns(a, b));
382	racoon_free(new_algo);
383	goto fail;
384	}
385	inssainfoalg(&new_sainfo->algs[class], new_algo);
386	}
387
388	if (new_sainfo->algs[algclass_ipsec_enc] == 0) {
389	plog(LLV_ERROR, LOCATION, NULL,
390	"no encryption algorithm at %s\n", sainfo2str(new_sainfo));
391	goto fail;
392	}
393	if (new_sainfo->algs[algclass_ipsec_auth] == 0) {
394	plog(LLV_ERROR, LOCATION, NULL,
395	"no authentication algorithm at %s\n", sainfo2str(new_sainfo));
396	goto fail;
397	}
398	if (new_sainfo->algs[algclass_ipsec_comp] == 0) {
399	plog(LLV_ERROR, LOCATION, NULL,
400	"no compression algorithm at %s\n", sainfo2str(new_sainfo));
401	goto fail;
402	}
403
404	/* duplicate check */
405	check = getsainfo(new_sainfo->idsrc, new_sainfo->iddst, new_sainfo->id_i, 0);
406	if (check && (!check->idsrc && !new_sainfo->idsrc)) {
407	plog(LLV_ERROR, LOCATION, NULL,"duplicated sainfo: %s\n", sainfo2str(new_sainfo));
408	goto fail;
409	}
410	plog(LLV_DEBUG2, LOCATION, NULL, "create sainfo: %s\n", sainfo2str(new_sainfo));
411	inssainfo(new_sainfo);
412	new_sainfo = NULL;
413	}
414
415	return 0;
416
417	fail:
418	if (new_sainfo)
419	delsainfo(new_sainfo);
420	flushsainfo_dynamic(addr);
421	return -1;
422	}
423
424	static int
425	vpn_get_ph2pfs(struct ph1handle *ph1)
426	{
427	}
428
429
430	int
431	vpn_get_config(struct ph1handle iph1, struct vpnctl_status_phase_change msg, size_t msg_size)
432	{
433
434	struct vpnctl_modecfg_params *params;
435	struct myaddrs *myaddr;
436	u_int16_t ifname_len, msize;
437	u_int8_t *cptr;
438
439	*msg = NULL;
440	msize = 0;
441
442	if (((struct sockaddr_in *)iph1->local)->sin_family != AF_INET) {
443	plog(LLV_ERROR, LOCATION, NULL,
444	"IPv6 not supported for mode config.\n");
445	return -1;
446	}
447
448	if (iph1->mode_cfg->attr_list == NULL)
449	return 1; /* haven't received configuration yet */
450
451	myaddr = find_myaddr(iph1->local, 0);
452	if (myaddr == NULL) {
453	plog(LLV_ERROR, LOCATION, NULL,
454	"unable to find address structure.\n");
455	return -1;
456	}
457
458	msize = sizeof(struct vpnctl_status_phase_change)
459	+ sizeof(struct vpnctl_modecfg_params);
460	msize += iph1->mode_cfg->attr_list->l;
461
462	*msg = racoon_calloc(1, msize);
463	if (*msg == NULL) {
464	plog(LLV_ERROR, LOCATION, NULL,
465	"faled to allocate space for message.\n");
466	return -1;
467	}
468
469	(*msg)->hdr.flags = htons(VPNCTL_FLAG_MODECFG_USED);
470	params = (struct vpnctl_modecfg_params )(msg + 1);
471	params->outer_local_addr = ((struct sockaddr_in *)iph1->local)->sin_addr.s_addr;
472	params->outer_remote_port = htons(0);
473	params->outer_local_port = htons(0);
474	ifname_len = strlen(myaddr->ifname);
475	memset(&params->ifname, 0, IFNAMSIZ);
476	memcpy(&params->ifname, myaddr->ifname, ifname_len < IFNAMSIZ ? ifname_len : IFNAMSIZ-1);
477	cptr = (u_int8_t *)(params + 1);
478	memcpy(cptr, iph1->mode_cfg->attr_list->v, iph1->mode_cfg->attr_list->l);
479	*msg_size = msize;
480
481	return 0;
482	}
483
484
485	int
486	vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len)
487	{
488
489	struct isakmp_pl_attr *reply;
490	void* attr_ptr;
491	vchar_t *payload = NULL;
492	struct ph1handle *iph1;
493	struct sockaddr_in saddr;
494	int error = -1;
495	int tlen = attr_len;
496	struct isakmp_data *attr;
497	char dataptr = (char )attr_list;
498
499	/* find ph1 */
500	bzero(&saddr, sizeof(saddr));
501	saddr.sin_len = sizeof(saddr);
502	saddr.sin_addr.s_addr = address;
503	saddr.sin_port = 0;
504	saddr.sin_family = AF_INET;
505	iph1 = getph1bydstaddrwop((struct sockaddr *)(&saddr));
506	if (iph1 == NULL) {
507	plog(LLV_ERROR, LOCATION, NULL,
508	"cannot reply to xauth request - no ph1 found.\n");
509	goto end;
510	}
511
512	if (iph1->xauth_awaiting_userinput == 0) {
513	plog(LLV_ERROR, LOCATION, NULL, "Huh? recvd xauth reply data with no xauth reply pending \n");
514	goto end;
515	}
516
517	/* validate attr lengths */
518	while (tlen > 0)
519	{
520	int tlv;
521
522	attr = (struct isakmp_data *)dataptr;
523	tlv = (attr->type & htons(0x8000)) == 0;
524
525	if (tlv) {
526	tlen -= ntohs(attr->lorv);
527	dataptr += ntohs(attr->lorv);
528	}
529	tlen -= sizeof(u_int32_t);
530	dataptr += sizeof(u_int32_t);
531	}
532	if (tlen != 0) {
533	plog(LLV_ERROR, LOCATION, NULL, "invalid auth info received from VPN Control socket.\n");
534	goto end;
535	}
536
537	payload = vmalloc(sizeof(struct isakmp_pl_attr) + attr_len);
538	if (payload == NULL) {
539	plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory for xauth reply\n");
540	goto end;
541	}
542	memset(payload->v, 0, sizeof(reply));
543
544	reply = (struct isakmp_pl_attr *)payload->v;
545	reply->h.len = htons(payload->l);
546	reply->type = ISAKMP_CFG_REPLY;
547	reply->id = iph1->pended_xauth_id; /* network byte order */
548	iph1->xauth_awaiting_userinput = 0; /* no longer waiting */
549	attr_ptr = reply + 1;
550	memcpy(attr_ptr, attr_list, attr_len);
551
552	plog(LLV_DEBUG, LOCATION, NULL,
553	"Sending MODE_CFG REPLY\n");
554	error = isakmp_cfg_send(iph1, payload,
555	ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, iph1->xauth_awaiting_userinput_msg);
556	VPTRINIT(iph1->xauth_awaiting_userinput_msg);
557	ike_session_stop_xauth_timer(iph1);
558
559	end:
560	if (payload)
561	vfree(payload);
562	return error;
563	}
564