]>
Commit | Line | Data |
---|---|---|
1 | /* $Id: isakmp.c,v 1.34.2.21 2006/02/02 10:31:01 vanhu Exp $ */ | |
2 | ||
3 | /* | |
4 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | |
5 | * All rights reserved. | |
6 | * | |
7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions | |
9 | * are met: | |
10 | * 1. Redistributions of source code must retain the above copyright | |
11 | * notice, this list of conditions and the following disclaimer. | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * 3. Neither the name of the project nor the names of its contributors | |
16 | * may be used to endorse or promote products derived from this software | |
17 | * without specific prior written permission. | |
18 | * | |
19 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | |
20 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
22 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | |
23 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
25 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
26 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
27 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
28 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
29 | * SUCH DAMAGE. | |
30 | */ | |
31 | #ifdef __APPLE__ | |
32 | #define __APPLE_API_PRIVATE | |
33 | #endif | |
34 | ||
35 | #include "config.h" | |
36 | ||
37 | #include <sys/types.h> | |
38 | #include <sys/param.h> | |
39 | #include <sys/socket.h> | |
40 | #include <sys/queue.h> | |
41 | ||
42 | #include <netinet/in.h> | |
43 | #include <arpa/inet.h> | |
44 | ||
45 | #ifndef HAVE_NETINET6_IPSEC | |
46 | #include <netinet/ipsec.h> | |
47 | #else | |
48 | #include <netinet6/ipsec.h> | |
49 | #endif | |
50 | ||
51 | #include <stdlib.h> | |
52 | #include <stdio.h> | |
53 | #include <string.h> | |
54 | #include <errno.h> | |
55 | #if TIME_WITH_SYS_TIME | |
56 | # include <sys/time.h> | |
57 | # include <time.h> | |
58 | #else | |
59 | # if HAVE_SYS_TIME_H | |
60 | # include <sys/time.h> | |
61 | # else | |
62 | # include <time.h> | |
63 | # endif | |
64 | #endif | |
65 | #include <netdb.h> | |
66 | #ifdef HAVE_UNISTD_H | |
67 | #include <unistd.h> | |
68 | #endif | |
69 | #include <ctype.h> | |
70 | #include <fcntl.h> | |
71 | ||
72 | #include "var.h" | |
73 | #include "misc.h" | |
74 | #include "vmbuf.h" | |
75 | #include "plog.h" | |
76 | #include "sockmisc.h" | |
77 | #include "schedule.h" | |
78 | #include "debug.h" | |
79 | ||
80 | #include "remoteconf.h" | |
81 | #include "localconf.h" | |
82 | #include "grabmyaddr.h" | |
83 | #include "admin.h" | |
84 | #include "privsep.h" | |
85 | #include "isakmp_var.h" | |
86 | #include "isakmp.h" | |
87 | #include "oakley.h" | |
88 | #include "evt.h" | |
89 | #include "handler.h" | |
90 | #include "proposal.h" | |
91 | #include "ipsec_doi.h" | |
92 | #include "pfkey.h" | |
93 | #include "crypto_openssl.h" | |
94 | #include "policy.h" | |
95 | #include "isakmp_ident.h" | |
96 | #include "isakmp_agg.h" | |
97 | #include "isakmp_base.h" | |
98 | #include "isakmp_quick.h" | |
99 | #include "isakmp_inf.h" | |
100 | #include "isakmp_newg.h" | |
101 | #include "vpn_control.h" | |
102 | #include "vpn_control_var.h" | |
103 | #ifdef ENABLE_HYBRID | |
104 | #include "isakmp_xauth.h" | |
105 | #include "isakmp_cfg.h" | |
106 | #endif | |
107 | #ifdef ENABLE_FRAG | |
108 | #include "isakmp_frag.h" | |
109 | #endif | |
110 | #include "strnames.h" | |
111 | ||
112 | #ifdef ENABLE_NATT | |
113 | # include "nattraversal.h" | |
114 | # ifdef __linux__ | |
115 | # include <linux/udp.h> | |
116 | #include <fcntl.h> | |
117 | ||
118 | # ifndef SOL_UDP | |
119 | # define SOL_UDP 17 | |
120 | # endif | |
121 | # endif /* __linux__ */ | |
122 | # if defined(__NetBSD__) || defined(__FreeBSD__) | |
123 | # include <netinet/in.h> | |
124 | # include <netinet/udp.h> | |
125 | # define SOL_UDP IPPROTO_UDP | |
126 | # endif /* __NetBSD__ / __FreeBSD__ */ | |
127 | #endif | |
128 | ||
129 | static int nostate1 __P((struct ph1handle *, vchar_t *)); | |
130 | static int nostate2 __P((struct ph2handle *, vchar_t *)); | |
131 | ||
132 | extern caddr_t val2str(const char *, size_t); | |
133 | ||
134 | static int (*ph1exchange[][2][PHASE1ST_MAX]) | |
135 | __P((struct ph1handle *, vchar_t *)) = { | |
136 | /* error */ | |
137 | { {}, {}, }, | |
138 | /* Identity Protection exchange */ | |
139 | { | |
140 | { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send, | |
141 | ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, }, | |
142 | { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send, | |
143 | ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, }, | |
144 | }, | |
145 | /* Aggressive exchange */ | |
146 | { | |
147 | { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send, | |
148 | nostate1, nostate1, nostate1, nostate1, nostate1, }, | |
149 | { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send, | |
150 | nostate1, nostate1, nostate1, nostate1, nostate1, }, | |
151 | }, | |
152 | /* Base exchange */ | |
153 | { | |
154 | { nostate1, base_i1send, nostate1, base_i2recv, base_i2send, | |
155 | base_i3recv, base_i3send, nostate1, nostate1, nostate1, }, | |
156 | { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send, | |
157 | nostate1, nostate1, nostate1, nostate1, nostate1, }, | |
158 | }, | |
159 | }; | |
160 | ||
161 | static int (*ph2exchange[][2][PHASE2ST_MAX]) | |
162 | __P((struct ph2handle *, vchar_t *)) = { | |
163 | /* error */ | |
164 | { {}, {}, }, | |
165 | /* Quick mode for IKE*/ | |
166 | { | |
167 | { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send, | |
168 | quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, }, | |
169 | { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send, | |
170 | quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, } | |
171 | }, | |
172 | }; | |
173 | ||
174 | static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ | |
175 | ||
176 | static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); | |
177 | static int ph1_main __P((struct ph1handle *, vchar_t *)); | |
178 | static int quick_main __P((struct ph2handle *, vchar_t *)); | |
179 | static int isakmp_ph1begin_r __P((vchar_t *, | |
180 | struct sockaddr *, struct sockaddr *, u_int8_t)); | |
181 | static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *)); | |
182 | static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *)); | |
183 | static int etypesw1 __P((int)); | |
184 | static int etypesw2 __P((int)); | |
185 | #ifdef ENABLE_FRAG | |
186 | static int frag_handler(struct ph1handle *, | |
187 | vchar_t *, struct sockaddr *, struct sockaddr *); | |
188 | #endif | |
189 | ||
190 | /* | |
191 | * isakmp packet handler | |
192 | */ | |
193 | int | |
194 | isakmp_handler(so_isakmp) | |
195 | int so_isakmp; | |
196 | { | |
197 | struct isakmp isakmp; | |
198 | union { | |
199 | char buf[sizeof (isakmp) + 4]; | |
200 | u_int32_t non_esp[2]; | |
201 | } x; | |
202 | struct sockaddr_storage remote; | |
203 | struct sockaddr_storage local; | |
204 | unsigned int remote_len = sizeof(remote); | |
205 | unsigned int local_len = sizeof(local); | |
206 | int len = 0, extralen = 0; | |
207 | u_short port; | |
208 | vchar_t *buf = NULL, *tmpbuf = NULL; | |
209 | int error = -1; | |
210 | ||
211 | /* read message by MSG_PEEK */ | |
212 | while ((len = recvfromto(so_isakmp, x.buf, sizeof(x), | |
213 | MSG_PEEK, (struct sockaddr *)&remote, &remote_len, | |
214 | (struct sockaddr *)&local, &local_len)) < 0) { | |
215 | if (errno == EINTR) | |
216 | continue; | |
217 | plog(LLV_ERROR, LOCATION, NULL, | |
218 | "failed to receive isakmp packet: %s\n", | |
219 | strerror (errno)); | |
220 | goto end; | |
221 | } | |
222 | ||
223 | /* keep-alive packet - ignore */ | |
224 | if (len == 1 && (x.buf[0]&0xff) == 0xff) { | |
225 | /* Pull the keep-alive packet */ | |
226 | if ((len = recvfrom(so_isakmp, (char *)x.buf, 1, | |
227 | 0, (struct sockaddr *)&remote, &remote_len)) != 1) { | |
228 | plog(LLV_ERROR, LOCATION, NULL, | |
229 | "failed to receive keep alive packet: %s\n", | |
230 | strerror (errno)); | |
231 | } | |
232 | goto end; | |
233 | } | |
234 | ||
235 | #ifdef ENABLE_NATT | |
236 | /* we don't know about portchange yet, | |
237 | look for non-esp marker instead */ | |
238 | if (x.non_esp[0] == 0 && x.non_esp[1] != 0) | |
239 | extralen = NON_ESP_MARKER_LEN; | |
240 | #endif | |
241 | ||
242 | /* now we know if there is an extra non-esp | |
243 | marker at the beginning or not */ | |
244 | memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp)); | |
245 | ||
246 | /* check isakmp header length, as well as sanity of header length */ | |
247 | if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) { | |
248 | plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, | |
249 | "packet shorter than isakmp header size (%u, %u, %zu)\n", | |
250 | len, ntohl(isakmp.len), sizeof(isakmp)); | |
251 | /* dummy receive */ | |
252 | if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), | |
253 | 0, (struct sockaddr *)&remote, &remote_len)) < 0) { | |
254 | plog(LLV_ERROR, LOCATION, NULL, | |
255 | "failed to receive isakmp packet: %s\n", | |
256 | strerror (errno)); | |
257 | } | |
258 | goto end; | |
259 | } | |
260 | ||
261 | /* reject it if the size is tooooo big. */ | |
262 | if (ntohl(isakmp.len) > 0xffff) { | |
263 | plog(LLV_ERROR, LOCATION, NULL, | |
264 | "the length in the isakmp header is too big.\n"); | |
265 | if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), | |
266 | 0, (struct sockaddr *)&remote, &remote_len)) < 0) { | |
267 | plog(LLV_ERROR, LOCATION, NULL, | |
268 | "failed to receive isakmp packet: %s\n", | |
269 | strerror (errno)); | |
270 | } | |
271 | goto end; | |
272 | } | |
273 | ||
274 | /* read real message */ | |
275 | if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) { | |
276 | plog(LLV_ERROR, LOCATION, NULL, | |
277 | "failed to allocate reading buffer (%u Bytes)\n", | |
278 | ntohl(isakmp.len) + extralen); | |
279 | /* dummy receive */ | |
280 | if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), | |
281 | 0, (struct sockaddr *)&remote, &remote_len)) < 0) { | |
282 | plog(LLV_ERROR, LOCATION, NULL, | |
283 | "failed to receive isakmp packet: %s\n", | |
284 | strerror (errno)); | |
285 | #ifdef __APPLE__ | |
286 | error = -2; /* serious problem with socket */ | |
287 | #endif | |
288 | } | |
289 | goto end; | |
290 | } | |
291 | ||
292 | while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l, | |
293 | 0, (struct sockaddr *)&remote, &remote_len, | |
294 | (struct sockaddr *)&local, &local_len)) < 0) { | |
295 | if (errno == EINTR) | |
296 | continue; | |
297 | plog(LLV_ERROR, LOCATION, NULL, | |
298 | "failed to receive isakmp packet: %s\n", | |
299 | strerror (errno)); | |
300 | goto end; | |
301 | } | |
302 | ||
303 | if ((buf = vmalloc(len - extralen)) == NULL) { | |
304 | plog(LLV_ERROR, LOCATION, NULL, | |
305 | "failed to allocate reading buffer (%u Bytes)\n", | |
306 | (len - extralen)); | |
307 | goto end; | |
308 | } | |
309 | ||
310 | memcpy (buf->v, tmpbuf->v + extralen, buf->l); | |
311 | ||
312 | vfree (tmpbuf); | |
313 | ||
314 | len -= extralen; | |
315 | ||
316 | if (len != buf->l) { | |
317 | plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, | |
318 | "received invalid length (%d != %zu), why ?\n", | |
319 | len, buf->l); | |
320 | goto end; | |
321 | } | |
322 | ||
323 | plog(LLV_DEBUG, LOCATION, NULL, "===\n"); | |
324 | plog(LLV_DEBUG, LOCATION, NULL, | |
325 | "%d bytes message received %s\n", | |
326 | len, saddr2str_fromto("from %s to %s", | |
327 | (struct sockaddr *)&remote, | |
328 | (struct sockaddr *)&local)); | |
329 | plogdump(LLV_DEBUG, buf->v, buf->l); | |
330 | ||
331 | /* avoid packets with malicious port/address */ | |
332 | switch (remote.ss_family) { | |
333 | case AF_INET: | |
334 | port = ((struct sockaddr_in *)&remote)->sin_port; | |
335 | break; | |
336 | #ifdef INET6 | |
337 | case AF_INET6: | |
338 | port = ((struct sockaddr_in6 *)&remote)->sin6_port; | |
339 | break; | |
340 | #endif | |
341 | default: | |
342 | plog(LLV_ERROR, LOCATION, NULL, | |
343 | "invalid family: %d\n", remote.ss_family); | |
344 | goto end; | |
345 | } | |
346 | if (port == 0) { | |
347 | plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, | |
348 | "src port == 0 (valid as UDP but not with IKE)\n"); | |
349 | goto end; | |
350 | } | |
351 | ||
352 | /* XXX: check sender whether to be allowed or not to accept */ | |
353 | ||
354 | /* XXX: I don't know how to check isakmp half connection attack. */ | |
355 | ||
356 | /* simply reply if the packet was processed. */ | |
357 | if (check_recvdpkt((struct sockaddr *)&remote, | |
358 | (struct sockaddr *)&local, buf)) { | |
359 | plog(LLV_NOTIFY, LOCATION, NULL, | |
360 | "the packet is retransmitted by %s.\n", | |
361 | saddr2str((struct sockaddr *)&remote)); | |
362 | error = 0; | |
363 | goto end; | |
364 | } | |
365 | ||
366 | /* isakmp main routine */ | |
367 | if (isakmp_main(buf, (struct sockaddr *)&remote, | |
368 | (struct sockaddr *)&local) != 0) goto end; | |
369 | ||
370 | error = 0; | |
371 | ||
372 | end: | |
373 | if (buf != NULL) | |
374 | vfree(buf); | |
375 | ||
376 | return(error); | |
377 | } | |
378 | ||
379 | /* | |
380 | * main processing to handle isakmp payload | |
381 | */ | |
382 | static int | |
383 | isakmp_main(msg, remote, local) | |
384 | vchar_t *msg; | |
385 | struct sockaddr *remote, *local; | |
386 | { | |
387 | struct isakmp *isakmp = (struct isakmp *)msg->v; | |
388 | isakmp_index *index = (isakmp_index *)isakmp; | |
389 | u_int32_t msgid = isakmp->msgid; | |
390 | struct ph1handle *iph1; | |
391 | ||
392 | #ifdef HAVE_PRINT_ISAKMP_C | |
393 | isakmp_printpacket(msg, remote, local, 0); | |
394 | #endif | |
395 | ||
396 | /* the initiator's cookie must not be zero */ | |
397 | if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) { | |
398 | plog(LLV_ERROR, LOCATION, remote, | |
399 | "malformed cookie received.\n"); | |
400 | return -1; | |
401 | } | |
402 | ||
403 | /* Check the Major and Minor Version fields. */ | |
404 | /* | |
405 | * XXX Is is right to check version here ? | |
406 | * I think it may no be here because the version depends | |
407 | * on exchange status. | |
408 | */ | |
409 | if (isakmp->v < ISAKMP_VERSION_NUMBER) { | |
410 | if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) { | |
411 | plog(LLV_ERROR, LOCATION, remote, | |
412 | "invalid major version %d.\n", | |
413 | ISAKMP_GETMAJORV(isakmp->v)); | |
414 | return -1; | |
415 | } | |
416 | #if ISAKMP_MINOR_VERSION > 0 | |
417 | if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) { | |
418 | plog(LLV_ERROR, LOCATION, remote, | |
419 | "invalid minor version %d.\n", | |
420 | ISAKMP_GETMINORV(isakmp->v)); | |
421 | return -1; | |
422 | } | |
423 | #endif | |
424 | } | |
425 | ||
426 | /* check the Flags field. */ | |
427 | /* XXX How is the exclusive check, E and A ? */ | |
428 | if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) { | |
429 | plog(LLV_ERROR, LOCATION, remote, | |
430 | "invalid flag 0x%02x.\n", isakmp->flags); | |
431 | return -1; | |
432 | } | |
433 | ||
434 | /* ignore commit bit. */ | |
435 | if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) { | |
436 | if (isakmp->msgid == 0) { | |
437 | isakmp_info_send_nx(isakmp, remote, local, | |
438 | ISAKMP_NTYPE_INVALID_FLAGS, NULL); | |
439 | plog(LLV_ERROR, LOCATION, remote, | |
440 | "Commit bit on phase1 forbidden.\n"); | |
441 | return -1; | |
442 | } | |
443 | } | |
444 | ||
445 | iph1 = getph1byindex(index); | |
446 | if (iph1 != NULL) { | |
447 | /* validity check */ | |
448 | if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 && | |
449 | iph1->side == INITIATOR) { | |
450 | plog(LLV_DEBUG, LOCATION, remote, | |
451 | "malformed cookie received or " | |
452 | "the initiator's cookies collide.\n"); | |
453 | return -1; | |
454 | } | |
455 | ||
456 | #ifdef ENABLE_NATT | |
457 | /* Floating ports for NAT-T */ | |
458 | if (NATT_AVAILABLE(iph1) && | |
459 | ! (iph1->natt_flags & NAT_PORTS_CHANGED) && | |
460 | ((cmpsaddrstrict(iph1->remote, remote) != 0) || | |
461 | (cmpsaddrstrict(iph1->local, local) != 0))) | |
462 | { | |
463 | /* prevent memory leak */ | |
464 | racoon_free(iph1->remote); | |
465 | racoon_free(iph1->local); | |
466 | ||
467 | /* copy-in new addresses */ | |
468 | iph1->remote = dupsaddr(remote); | |
469 | iph1->local = dupsaddr(local); | |
470 | ||
471 | /* set the flag to prevent further port floating | |
472 | (FIXME: should we allow it? E.g. when the NAT gw | |
473 | is rebooted?) */ | |
474 | iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; | |
475 | ||
476 | /* print some neat info */ | |
477 | plog (LLV_INFO, LOCATION, NULL, | |
478 | "NAT-T: ports changed to: %s\n", | |
479 | saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local)); | |
480 | #ifndef __APPLE__ | |
481 | natt_keepalive_add_ph1 (iph1); | |
482 | #endif | |
483 | } | |
484 | #endif | |
485 | ||
486 | /* must be same addresses in one stream of a phase at least. */ | |
487 | if (cmpsaddrstrict(iph1->remote, remote) != 0) { | |
488 | char *saddr_db, *saddr_act; | |
489 | ||
490 | saddr_db = strdup(saddr2str(iph1->remote)); | |
491 | saddr_act = strdup(saddr2str(remote)); | |
492 | ||
493 | plog(LLV_WARNING, LOCATION, remote, | |
494 | "remote address mismatched. db=%s, act=%s\n", | |
495 | saddr_db, saddr_act); | |
496 | ||
497 | racoon_free(saddr_db); | |
498 | racoon_free(saddr_act); | |
499 | } | |
500 | ||
501 | /* | |
502 | * don't check of exchange type here because other type will be | |
503 | * with same index, for example, informational exchange. | |
504 | */ | |
505 | ||
506 | /* XXX more acceptable check */ | |
507 | } | |
508 | ||
509 | switch (isakmp->etype) { | |
510 | case ISAKMP_ETYPE_IDENT: | |
511 | case ISAKMP_ETYPE_AGG: | |
512 | case ISAKMP_ETYPE_BASE: | |
513 | /* phase 1 validity check */ | |
514 | if (isakmp->msgid != 0) { | |
515 | plog(LLV_ERROR, LOCATION, remote, | |
516 | "message id should be zero in phase1.\n"); | |
517 | return -1; | |
518 | } | |
519 | ||
520 | /* search for isakmp status record of phase 1 */ | |
521 | if (iph1 == NULL) { | |
522 | /* | |
523 | * the packet must be the 1st message from a initiator | |
524 | * or the 2nd message from the responder. | |
525 | */ | |
526 | ||
527 | /* search for phase1 handle by index without r_ck */ | |
528 | iph1 = getph1byindex0(index); | |
529 | if (iph1 == NULL) { | |
530 | /*it must be the 1st message from a initiator.*/ | |
531 | if (memcmp(&isakmp->r_ck, r_ck0, | |
532 | sizeof(cookie_t)) != 0) { | |
533 | ||
534 | plog(LLV_DEBUG, LOCATION, remote, | |
535 | "malformed cookie received " | |
536 | "or the spi expired.\n"); | |
537 | return -1; | |
538 | } | |
539 | ||
540 | /* it must be responder's 1st exchange. */ | |
541 | if (isakmp_ph1begin_r(msg, remote, local, | |
542 | isakmp->etype) < 0) | |
543 | return -1; | |
544 | break; | |
545 | ||
546 | /*NOTREACHED*/ | |
547 | } | |
548 | ||
549 | /* it must be the 2nd message from the responder. */ | |
550 | if (iph1->side != INITIATOR) { | |
551 | plog(LLV_DEBUG, LOCATION, remote, | |
552 | "malformed cookie received. " | |
553 | "it has to be as the initiator. %s\n", | |
554 | isakmp_pindex(&iph1->index, 0)); | |
555 | return -1; | |
556 | } | |
557 | } | |
558 | ||
559 | /* | |
560 | * Don't delete phase 1 handler when the exchange type | |
561 | * in handler is not equal to packet's one because of no | |
562 | * authencication completed. | |
563 | */ | |
564 | if (iph1->etype != isakmp->etype) { | |
565 | plog(LLV_ERROR, LOCATION, iph1->remote, | |
566 | "exchange type is mismatched: " | |
567 | "db=%s packet=%s, ignore it.\n", | |
568 | s_isakmp_etype(iph1->etype), | |
569 | s_isakmp_etype(isakmp->etype)); | |
570 | return -1; | |
571 | } | |
572 | ||
573 | #ifdef ENABLE_FRAG | |
574 | if (isakmp->np == ISAKMP_NPTYPE_FRAG) | |
575 | return frag_handler(iph1, msg, remote, local); | |
576 | #endif | |
577 | ||
578 | /* call main process of phase 1 */ | |
579 | if (ph1_main(iph1, msg) < 0) { | |
580 | plog(LLV_ERROR, LOCATION, iph1->remote, | |
581 | "phase1 negotiation failed.\n"); | |
582 | remph1(iph1); | |
583 | delph1(iph1); | |
584 | return -1; | |
585 | } | |
586 | break; | |
587 | ||
588 | case ISAKMP_ETYPE_AUTH: | |
589 | plog(LLV_INFO, LOCATION, remote, | |
590 | "unsupported exchange %d received.\n", | |
591 | isakmp->etype); | |
592 | break; | |
593 | ||
594 | case ISAKMP_ETYPE_INFO: | |
595 | case ISAKMP_ETYPE_ACKINFO: | |
596 | /* | |
597 | * iph1 must be present for Information message. | |
598 | * if iph1 is null then trying to get the phase1 status | |
599 | * as the packet from responder againt initiator's 1st | |
600 | * exchange in phase 1. | |
601 | * NOTE: We think such informational exchange should be ignored. | |
602 | */ | |
603 | if (iph1 == NULL) { | |
604 | iph1 = getph1byindex0(index); | |
605 | if (iph1 == NULL) { | |
606 | plog(LLV_ERROR, LOCATION, remote, | |
607 | "unknown Informational " | |
608 | "exchange received.\n"); | |
609 | return -1; | |
610 | } | |
611 | if (cmpsaddrstrict(iph1->remote, remote) != 0) { | |
612 | plog(LLV_WARNING, LOCATION, remote, | |
613 | "remote address mismatched. " | |
614 | "db=%s\n", | |
615 | saddr2str(iph1->remote)); | |
616 | } | |
617 | } | |
618 | ||
619 | #ifdef ENABLE_FRAG | |
620 | if (isakmp->np == ISAKMP_NPTYPE_FRAG) | |
621 | return frag_handler(iph1, msg, remote, local); | |
622 | #endif | |
623 | ||
624 | if (isakmp_info_recv(iph1, msg) < 0) | |
625 | return -1; | |
626 | break; | |
627 | ||
628 | case ISAKMP_ETYPE_QUICK: | |
629 | { | |
630 | struct ph2handle *iph2; | |
631 | ||
632 | if (iph1 == NULL) { | |
633 | isakmp_info_send_nx(isakmp, remote, local, | |
634 | ISAKMP_NTYPE_INVALID_COOKIE, NULL); | |
635 | plog(LLV_ERROR, LOCATION, remote, | |
636 | "can't start the quick mode, " | |
637 | "there is no ISAKMP-SA, %s\n", | |
638 | isakmp_pindex((isakmp_index *)&isakmp->i_ck, | |
639 | isakmp->msgid)); | |
640 | return -1; | |
641 | } | |
642 | ||
643 | #ifdef ENABLE_FRAG | |
644 | if (isakmp->np == ISAKMP_NPTYPE_FRAG) | |
645 | return frag_handler(iph1, msg, remote, local); | |
646 | #endif | |
647 | ||
648 | /* check status of phase 1 whether negotiated or not. */ | |
649 | if (iph1->status != PHASE1ST_ESTABLISHED) { | |
650 | plog(LLV_ERROR, LOCATION, remote, | |
651 | "can't start the quick mode, " | |
652 | "there is no valid ISAKMP-SA, %s\n", | |
653 | isakmp_pindex(&iph1->index, iph1->msgid)); | |
654 | return -1; | |
655 | } | |
656 | ||
657 | /* search isakmp phase 2 stauts record. */ | |
658 | iph2 = getph2bymsgid(iph1, msgid); | |
659 | if (iph2 == NULL) { | |
660 | /* it must be new negotiation as responder */ | |
661 | if (isakmp_ph2begin_r(iph1, msg) < 0) | |
662 | return -1; | |
663 | return 0; | |
664 | /*NOTREACHED*/ | |
665 | } | |
666 | ||
667 | /* commit bit. */ | |
668 | /* XXX | |
669 | * we keep to set commit bit during negotiation. | |
670 | * When SA is configured, bit will be reset. | |
671 | * XXX | |
672 | * don't initiate commit bit. should be fixed in the future. | |
673 | */ | |
674 | if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) | |
675 | iph2->flags |= ISAKMP_FLAG_C; | |
676 | ||
677 | /* call main process of quick mode */ | |
678 | if (quick_main(iph2, msg) < 0) { | |
679 | plog(LLV_ERROR, LOCATION, iph1->remote, | |
680 | "phase2 negotiation failed.\n"); | |
681 | unbindph12(iph2); | |
682 | remph2(iph2); | |
683 | delph2(iph2); | |
684 | return -1; | |
685 | } | |
686 | } | |
687 | break; | |
688 | ||
689 | case ISAKMP_ETYPE_NEWGRP: | |
690 | if (iph1 == NULL) { | |
691 | plog(LLV_ERROR, LOCATION, remote, | |
692 | "Unknown new group mode exchange, " | |
693 | "there is no ISAKMP-SA.\n"); | |
694 | return -1; | |
695 | } | |
696 | ||
697 | #ifdef ENABLE_FRAG | |
698 | if (isakmp->np == ISAKMP_NPTYPE_FRAG) | |
699 | return frag_handler(iph1, msg, remote, local); | |
700 | #endif | |
701 | ||
702 | isakmp_newgroup_r(iph1, msg); | |
703 | break; | |
704 | ||
705 | #ifdef ENABLE_HYBRID | |
706 | case ISAKMP_ETYPE_CFG: | |
707 | if (iph1 == NULL) { | |
708 | plog(LLV_ERROR, LOCATION, NULL, | |
709 | "mode config %d from %s, " | |
710 | "but we have no ISAKMP-SA.\n", | |
711 | isakmp->etype, saddr2str(remote)); | |
712 | return -1; | |
713 | } | |
714 | ||
715 | #ifdef ENABLE_FRAG | |
716 | if (isakmp->np == ISAKMP_NPTYPE_FRAG) | |
717 | return frag_handler(iph1, msg, remote, local); | |
718 | #endif | |
719 | ||
720 | isakmp_cfg_r(iph1, msg); | |
721 | break; | |
722 | #endif | |
723 | ||
724 | case ISAKMP_ETYPE_NONE: | |
725 | default: | |
726 | plog(LLV_ERROR, LOCATION, NULL, | |
727 | "Invalid exchange type %d from %s.\n", | |
728 | isakmp->etype, saddr2str(remote)); | |
729 | return -1; | |
730 | } | |
731 | ||
732 | return 0; | |
733 | } | |
734 | ||
735 | /* | |
736 | * main function of phase 1. | |
737 | */ | |
738 | static int | |
739 | ph1_main(iph1, msg) | |
740 | struct ph1handle *iph1; | |
741 | vchar_t *msg; | |
742 | { | |
743 | int error; | |
744 | #ifdef ENABLE_STATS | |
745 | struct timeval start, end; | |
746 | #endif | |
747 | ||
748 | /* ignore a packet */ | |
749 | if (iph1->status == PHASE1ST_ESTABLISHED) | |
750 | return 0; | |
751 | ||
752 | #ifdef ENABLE_STATS | |
753 | gettimeofday(&start, NULL); | |
754 | #endif | |
755 | /* receive */ | |
756 | if (ph1exchange[etypesw1(iph1->etype)] | |
757 | [iph1->side] | |
758 | [iph1->status] == NULL) { | |
759 | plog(LLV_ERROR, LOCATION, iph1->remote, | |
760 | "why isn't the function defined.\n"); | |
761 | return -1; | |
762 | } | |
763 | error = (ph1exchange[etypesw1(iph1->etype)] | |
764 | [iph1->side] | |
765 | [iph1->status])(iph1, msg); | |
766 | if (error != 0) { | |
767 | #if 0 | |
768 | /* XXX | |
769 | * When an invalid packet is received on phase1, it should | |
770 | * be selected to process this packet. That is to respond | |
771 | * with a notify and delete phase 1 handler, OR not to respond | |
772 | * and keep phase 1 handler. | |
773 | */ | |
774 | plog(LLV_ERROR, LOCATION, iph1->remote, | |
775 | "failed to pre-process packet.\n"); | |
776 | return -1; | |
777 | #else | |
778 | /* ignore the error and keep phase 1 handler */ | |
779 | return 0; | |
780 | #endif | |
781 | } | |
782 | ||
783 | /* free resend buffer */ | |
784 | if (iph1->sendbuf == NULL) { | |
785 | plog(LLV_ERROR, LOCATION, NULL, | |
786 | "no buffer found as sendbuf\n"); | |
787 | return -1; | |
788 | } | |
789 | VPTRINIT(iph1->sendbuf); | |
790 | ||
791 | /* turn off schedule */ | |
792 | if (iph1->scr) | |
793 | SCHED_KILL(iph1->scr); | |
794 | ||
795 | /* send */ | |
796 | plog(LLV_DEBUG, LOCATION, NULL, "===\n"); | |
797 | if ((ph1exchange[etypesw1(iph1->etype)] | |
798 | [iph1->side] | |
799 | [iph1->status])(iph1, msg) != 0) { | |
800 | plog(LLV_ERROR, LOCATION, iph1->remote, | |
801 | "failed to process packet.\n"); | |
802 | return -1; | |
803 | } | |
804 | ||
805 | #ifdef ENABLE_STATS | |
806 | gettimeofday(&end, NULL); | |
807 | syslog(LOG_NOTICE, "%s(%s): %8.6f", | |
808 | "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status), | |
809 | timedelta(&start, &end)); | |
810 | #endif | |
811 | if (iph1->status == PHASE1ST_ESTABLISHED) { | |
812 | ||
813 | #ifdef ENABLE_STATS | |
814 | gettimeofday(&iph1->end, NULL); | |
815 | syslog(LOG_NOTICE, "%s(%s): %8.6f", | |
816 | "phase1", s_isakmp_etype(iph1->etype), | |
817 | timedelta(&iph1->start, &iph1->end)); | |
818 | #endif | |
819 | ||
820 | #ifdef ENABLE_VPNCONTROL_PORT | |
821 | ||
822 | if (iph1->side == RESPONDER && | |
823 | iph1->local->sa_family == AF_INET) { | |
824 | ||
825 | struct redirect *addr; | |
826 | ||
827 | LIST_FOREACH(addr, &lcconf->redirect_addresses, chain) { | |
828 | if (((struct sockaddr_in *)iph1->local)->sin_addr.s_addr == addr->cluster_address) { | |
829 | vchar_t *raddr = vmalloc(sizeof(u_int32_t)); | |
830 | ||
831 | if (raddr == NULL) { | |
832 | plog(LLV_ERROR, LOCATION, iph1->remote, | |
833 | "failed to send redirect message - memory error.\n"); | |
834 | } else { | |
835 | memcpy(raddr->v, &addr->redirect_address, sizeof(u_int32_t)); | |
836 | (void)isakmp_info_send_n1(iph1, ISAKMP_NTYPE_LOAD_BALANCE, raddr); | |
837 | plog(LLV_DEBUG, LOCATION, iph1->remote, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address)); | |
838 | vfree(raddr); | |
839 | if (addr->force) | |
840 | isakmp_ph1delete(iph1); | |
841 | } | |
842 | } | |
843 | return 0; | |
844 | } | |
845 | } | |
846 | #endif | |
847 | /* save created date. */ | |
848 | (void)time(&iph1->created); | |
849 | ||
850 | /* add to the schedule to expire, and save back pointer. */ | |
851 | iph1->sce = sched_new(iph1->approval->lifetime, | |
852 | isakmp_ph1expire_stub, iph1); | |
853 | #ifdef ENABLE_HYBRID | |
854 | if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { | |
855 | switch(iph1->approval->authmethod) { | |
856 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: | |
857 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: | |
858 | xauth_sendreq(iph1); | |
859 | /* XXX Don't process INITIAL_CONTACT */ | |
860 | iph1->rmconf->ini_contact = 0; | |
861 | break; | |
862 | default: | |
863 | break; | |
864 | } | |
865 | } | |
866 | #endif | |
867 | #ifdef ENABLE_DPD | |
868 | /* Schedule the r_u_there.... */ | |
869 | if(iph1->dpd_support && iph1->rmconf->dpd_interval) | |
870 | isakmp_sched_r_u(iph1, 0); | |
871 | #endif | |
872 | ||
873 | /* INITIAL-CONTACT processing */ | |
874 | /* don't send anything if local test mode. */ | |
875 | if (!f_local | |
876 | && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) { | |
877 | /* send INITIAL-CONTACT */ | |
878 | isakmp_info_send_n1(iph1, | |
879 | ISAKMP_NTYPE_INITIAL_CONTACT, NULL); | |
880 | /* insert a node into contacted list. */ | |
881 | if (inscontacted(iph1->remote) == -1) { | |
882 | plog(LLV_ERROR, LOCATION, iph1->remote, | |
883 | "failed to add contacted list.\n"); | |
884 | /* ignore */ | |
885 | } | |
886 | } | |
887 | ||
888 | log_ph1established(iph1); | |
889 | plog(LLV_DEBUG, LOCATION, NULL, "===\n"); | |
890 | ||
891 | #ifdef ENABLE_VPNCONTROL_PORT | |
892 | vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL); | |
893 | #endif | |
894 | ||
895 | ||
896 | /* | |
897 | * SA up shell script hook: do it now,except if | |
898 | * ISAKMP mode config was requested. In the later | |
899 | * case it is done when we receive the configuration. | |
900 | */ | |
901 | if ((iph1->status == PHASE1ST_ESTABLISHED) && | |
902 | !iph1->rmconf->mode_cfg) | |
903 | script_hook(iph1, SCRIPT_PHASE1_UP); | |
904 | } | |
905 | ||
906 | return 0; | |
907 | } | |
908 | ||
909 | /* | |
910 | * main function of quick mode. | |
911 | */ | |
912 | static int | |
913 | quick_main(iph2, msg) | |
914 | struct ph2handle *iph2; | |
915 | vchar_t *msg; | |
916 | { | |
917 | struct isakmp *isakmp = (struct isakmp *)msg->v; | |
918 | int error; | |
919 | #ifdef ENABLE_STATS | |
920 | struct timeval start, end; | |
921 | #endif | |
922 | ||
923 | /* ignore a packet */ | |
924 | if (iph2->status == PHASE2ST_ESTABLISHED | |
925 | || iph2->status == PHASE2ST_GETSPISENT) | |
926 | return 0; | |
927 | ||
928 | #ifdef ENABLE_STATS | |
929 | gettimeofday(&start, NULL); | |
930 | #endif | |
931 | ||
932 | /* receive */ | |
933 | if (ph2exchange[etypesw2(isakmp->etype)] | |
934 | [iph2->side] | |
935 | [iph2->status] == NULL) { | |
936 | plog(LLV_ERROR, LOCATION, iph2->ph1->remote, | |
937 | "why isn't the function defined.\n"); | |
938 | return -1; | |
939 | } | |
940 | error = (ph2exchange[etypesw2(isakmp->etype)] | |
941 | [iph2->side] | |
942 | [iph2->status])(iph2, msg); | |
943 | if (error != 0) { | |
944 | plog(LLV_ERROR, LOCATION, iph2->ph1->remote, | |
945 | "failed to pre-process packet.\n"); | |
946 | if (error == ISAKMP_INTERNAL_ERROR) | |
947 | return 0; | |
948 | isakmp_info_send_n1(iph2->ph1, error, NULL); | |
949 | return -1; | |
950 | } | |
951 | ||
952 | /* when using commit bit, status will be reached here. */ | |
953 | //if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - wrong place | |
954 | // return 0; | |
955 | ||
956 | /* free resend buffer */ | |
957 | if (iph2->sendbuf == NULL) { | |
958 | plog(LLV_ERROR, LOCATION, NULL, | |
959 | "no buffer found as sendbuf\n"); | |
960 | return -1; | |
961 | } | |
962 | VPTRINIT(iph2->sendbuf); | |
963 | ||
964 | /* turn off schedule */ | |
965 | if (iph2->scr) | |
966 | SCHED_KILL(iph2->scr); | |
967 | ||
968 | /* when using commit bit, status will be reached here. */ | |
969 | if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - moved to here | |
970 | return 0; | |
971 | ||
972 | /* send */ | |
973 | plog(LLV_DEBUG, LOCATION, NULL, "===\n"); | |
974 | if ((ph2exchange[etypesw2(isakmp->etype)] | |
975 | [iph2->side] | |
976 | [iph2->status])(iph2, msg) != 0) { | |
977 | plog(LLV_ERROR, LOCATION, iph2->ph1->remote, | |
978 | "failed to process packet.\n"); | |
979 | return -1; | |
980 | } | |
981 | ||
982 | #ifdef ENABLE_STATS | |
983 | gettimeofday(&end, NULL); | |
984 | syslog(LOG_NOTICE, "%s(%s): %8.6f", | |
985 | "phase2", | |
986 | s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), | |
987 | timedelta(&start, &end)); | |
988 | #endif | |
989 | ||
990 | return 0; | |
991 | } | |
992 | ||
993 | /* new negotiation of phase 1 for initiator */ | |
994 | int | |
995 | isakmp_ph1begin_i(rmconf, remote, local) | |
996 | struct remoteconf *rmconf; | |
997 | struct sockaddr *remote, *local; | |
998 | { | |
999 | struct ph1handle *iph1; | |
1000 | #ifdef ENABLE_STATS | |
1001 | struct timeval start, end; | |
1002 | #endif | |
1003 | ||
1004 | /* get new entry to isakmp status table. */ | |
1005 | iph1 = newph1(); | |
1006 | if (iph1 == NULL) | |
1007 | return -1; | |
1008 | ||
1009 | iph1->status = PHASE1ST_START; | |
1010 | iph1->rmconf = rmconf; | |
1011 | iph1->side = INITIATOR; | |
1012 | iph1->version = ISAKMP_VERSION_NUMBER; | |
1013 | iph1->msgid = 0; | |
1014 | iph1->flags = 0; | |
1015 | iph1->ph2cnt = 0; | |
1016 | #ifdef HAVE_GSSAPI | |
1017 | iph1->gssapi_state = NULL; | |
1018 | #endif | |
1019 | #ifdef ENABLE_HYBRID | |
1020 | if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) | |
1021 | return -1; | |
1022 | #endif | |
1023 | #ifdef ENABLE_FRAG | |
1024 | iph1->frag = 0; | |
1025 | iph1->frag_chain = NULL; | |
1026 | #endif | |
1027 | iph1->approval = NULL; | |
1028 | ||
1029 | /* XXX copy remote address */ | |
1030 | if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) | |
1031 | return -1; | |
1032 | ||
1033 | (void)insph1(iph1); | |
1034 | ||
1035 | /* start phase 1 exchange */ | |
1036 | iph1->etype = rmconf->etypes->type; | |
1037 | ||
1038 | plog(LLV_DEBUG, LOCATION, NULL, "===\n"); | |
1039 | { | |
1040 | char *a; | |
1041 | ||
1042 | a = strdup(saddr2str(iph1->local)); | |
1043 | plog(LLV_INFO, LOCATION, NULL, | |
1044 | "initiate new phase 1 negotiation: %s<=>%s\n", | |
1045 | a, saddr2str(iph1->remote)); | |
1046 | racoon_free(a); | |
1047 | } | |
1048 | plog(LLV_INFO, LOCATION, NULL, | |
1049 | "begin %s mode.\n", | |
1050 | s_isakmp_etype(iph1->etype)); | |
1051 | ||
1052 | #ifdef ENABLE_STATS | |
1053 | gettimeofday(&iph1->start, NULL); | |
1054 | gettimeofday(&start, NULL); | |
1055 | #endif | |
1056 | /* start exchange */ | |
1057 | if ((ph1exchange[etypesw1(iph1->etype)] | |
1058 | [iph1->side] | |
1059 | [iph1->status])(iph1, NULL) != 0) { | |
1060 | /* failed to start phase 1 negotiation */ | |
1061 | remph1(iph1); | |
1062 | delph1(iph1); | |
1063 | ||
1064 | return -1; | |
1065 | } | |
1066 | ||
1067 | #ifdef ENABLE_STATS | |
1068 | gettimeofday(&end, NULL); | |
1069 | syslog(LOG_NOTICE, "%s(%s): %8.6f", | |
1070 | "phase1", | |
1071 | s_isakmp_state(iph1->etype, iph1->side, iph1->status), | |
1072 | timedelta(&start, &end)); | |
1073 | #endif | |
1074 | ||
1075 | #ifdef ENABLE_VPNCONTROL_PORT | |
1076 | vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL); | |
1077 | #endif | |
1078 | ||
1079 | ||
1080 | return 0; | |
1081 | } | |
1082 | ||
1083 | /* new negotiation of phase 1 for responder */ | |
1084 | static int | |
1085 | isakmp_ph1begin_r(msg, remote, local, etype) | |
1086 | vchar_t *msg; | |
1087 | struct sockaddr *remote, *local; | |
1088 | u_int8_t etype; | |
1089 | { | |
1090 | struct isakmp *isakmp = (struct isakmp *)msg->v; | |
1091 | struct remoteconf *rmconf; | |
1092 | struct ph1handle *iph1; | |
1093 | struct etypes *etypeok; | |
1094 | #ifdef ENABLE_STATS | |
1095 | struct timeval start, end; | |
1096 | #endif | |
1097 | ||
1098 | /* look for my configuration */ | |
1099 | rmconf = getrmconf(remote); | |
1100 | if (rmconf == NULL) { | |
1101 | plog(LLV_ERROR, LOCATION, remote, | |
1102 | "couldn't find " | |
1103 | "configuration.\n"); | |
1104 | return -1; | |
1105 | } | |
1106 | ||
1107 | /* check to be acceptable exchange type */ | |
1108 | etypeok = check_etypeok(rmconf, etype); | |
1109 | if (etypeok == NULL) { | |
1110 | plog(LLV_ERROR, LOCATION, remote, | |
1111 | "not acceptable %s mode\n", s_isakmp_etype(etype)); | |
1112 | return -1; | |
1113 | } | |
1114 | ||
1115 | /* get new entry to isakmp status table. */ | |
1116 | iph1 = newph1(); | |
1117 | if (iph1 == NULL) | |
1118 | return -1; | |
1119 | ||
1120 | memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck)); | |
1121 | iph1->status = PHASE1ST_START; | |
1122 | iph1->rmconf = rmconf; | |
1123 | iph1->flags = 0; | |
1124 | iph1->side = RESPONDER; | |
1125 | iph1->etype = etypeok->type; | |
1126 | iph1->version = isakmp->v; | |
1127 | iph1->msgid = 0; | |
1128 | #ifdef HAVE_GSSAPI | |
1129 | iph1->gssapi_state = NULL; | |
1130 | #endif | |
1131 | #ifdef ENABLE_HYBRID | |
1132 | if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) | |
1133 | return -1; | |
1134 | #endif | |
1135 | #ifdef ENABLE_FRAG | |
1136 | iph1->frag = 0; | |
1137 | iph1->frag_chain = NULL; | |
1138 | #endif | |
1139 | iph1->approval = NULL; | |
1140 | ||
1141 | #ifdef ENABLE_NATT | |
1142 | /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port. | |
1143 | * We have to setup this flag now to correctly generate the first reply. | |
1144 | * Don't know if a better check could be done for that ? | |
1145 | */ | |
1146 | if(extract_port(local) == lcconf->port_isakmp_natt) | |
1147 | iph1->natt_flags |= (NAT_PORTS_CHANGED); | |
1148 | #endif | |
1149 | ||
1150 | /* copy remote address */ | |
1151 | if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) | |
1152 | return -1; | |
1153 | ||
1154 | (void)insph1(iph1); | |
1155 | ||
1156 | plog(LLV_DEBUG, LOCATION, NULL, "===\n"); | |
1157 | { | |
1158 | char *a; | |
1159 | ||
1160 | a = strdup(saddr2str(iph1->local)); | |
1161 | plog(LLV_INFO, LOCATION, NULL, | |
1162 | "respond new phase 1 negotiation: %s<=>%s\n", | |
1163 | a, saddr2str(iph1->remote)); | |
1164 | racoon_free(a); | |
1165 | } | |
1166 | plog(LLV_INFO, LOCATION, NULL, | |
1167 | "begin %s mode.\n", s_isakmp_etype(etype)); | |
1168 | ||
1169 | #ifdef ENABLE_STATS | |
1170 | gettimeofday(&iph1->start, NULL); | |
1171 | gettimeofday(&start, NULL); | |
1172 | #endif | |
1173 | /* start exchange */ | |
1174 | if ((ph1exchange[etypesw1(iph1->etype)] | |
1175 | [iph1->side] | |
1176 | [iph1->status])(iph1, msg) < 0 | |
1177 | || (ph1exchange[etypesw1(iph1->etype)] | |
1178 | [iph1->side] | |
1179 | [iph1->status])(iph1, msg) < 0) { | |
1180 | plog(LLV_ERROR, LOCATION, remote, | |
1181 | "failed to process packet.\n"); | |
1182 | remph1(iph1); | |
1183 | delph1(iph1); | |
1184 | return -1; | |
1185 | } | |
1186 | #ifdef ENABLE_STATS | |
1187 | gettimeofday(&end, NULL); | |
1188 | syslog(LOG_NOTICE, "%s(%s): %8.6f", | |
1189 | "phase1", | |
1190 | s_isakmp_state(iph1->etype, iph1->side, iph1->status), | |
1191 | timedelta(&start, &end)); | |
1192 | #endif | |
1193 | #ifdef ENABLE_VPNCONTROL_PORT | |
1194 | vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL); | |
1195 | #endif | |
1196 | ||
1197 | return 0; | |
1198 | } | |
1199 | ||
1200 | /* new negotiation of phase 2 for initiator */ | |
1201 | static int | |
1202 | isakmp_ph2begin_i(iph1, iph2) | |
1203 | struct ph1handle *iph1; | |
1204 | struct ph2handle *iph2; | |
1205 | { | |
1206 | #ifdef ENABLE_HYBRID | |
1207 | if (xauth_check(iph1) != 0) { | |
1208 | plog(LLV_ERROR, LOCATION, NULL, | |
1209 | "Attempt to start phase 2 whereas Xauth failed\n"); | |
1210 | return -1; | |
1211 | } | |
1212 | #endif | |
1213 | ||
1214 | /* found ISAKMP-SA. */ | |
1215 | plog(LLV_DEBUG, LOCATION, NULL, "===\n"); | |
1216 | plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); | |
1217 | { | |
1218 | char *a; | |
1219 | a = strdup(saddr2str(iph2->src)); | |
1220 | plog(LLV_INFO, LOCATION, NULL, | |
1221 | "initiate new phase 2 negotiation: %s<=>%s\n", | |
1222 | a, saddr2str(iph2->dst)); | |
1223 | racoon_free(a); | |
1224 | } | |
1225 | ||
1226 | #ifdef ENABLE_STATS | |
1227 | gettimeofday(&iph2->start, NULL); | |
1228 | #endif | |
1229 | /* found isakmp-sa */ | |
1230 | bindph12(iph1, iph2); | |
1231 | iph2->status = PHASE2ST_STATUS2; | |
1232 | ||
1233 | if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] | |
1234 | [iph2->side] | |
1235 | [iph2->status])(iph2, NULL) < 0) { | |
1236 | unbindph12(iph2); | |
1237 | /* release ipsecsa handler due to internal error. */ | |
1238 | remph2(iph2); | |
1239 | return -1; | |
1240 | } | |
1241 | ||
1242 | #ifdef ENABLE_VPNCONTROL_PORT | |
1243 | vpncontrol_notify_phase_change(1, FROM_LOCAL, NULL, iph2); | |
1244 | #endif | |
1245 | ||
1246 | return 0; | |
1247 | } | |
1248 | ||
1249 | /* new negotiation of phase 2 for responder */ | |
1250 | static int | |
1251 | isakmp_ph2begin_r(iph1, msg) | |
1252 | struct ph1handle *iph1; | |
1253 | vchar_t *msg; | |
1254 | { | |
1255 | struct isakmp *isakmp = (struct isakmp *)msg->v; | |
1256 | struct ph2handle *iph2 = 0; | |
1257 | int error; | |
1258 | #ifdef ENABLE_STATS | |
1259 | struct timeval start, end; | |
1260 | #endif | |
1261 | #ifdef ENABLE_HYBRID | |
1262 | if (xauth_check(iph1) != 0) { | |
1263 | plog(LLV_ERROR, LOCATION, NULL, | |
1264 | "Attempt to start phase 2 whereas Xauth failed\n"); | |
1265 | return -1; | |
1266 | } | |
1267 | #endif | |
1268 | ||
1269 | iph2 = newph2(); | |
1270 | if (iph2 == NULL) { | |
1271 | plog(LLV_ERROR, LOCATION, NULL, | |
1272 | "failed to allocate phase2 entry.\n"); | |
1273 | return -1; | |
1274 | } | |
1275 | ||
1276 | iph2->ph1 = iph1; | |
1277 | iph2->side = RESPONDER; | |
1278 | iph2->status = PHASE2ST_START; | |
1279 | iph2->flags = isakmp->flags; | |
1280 | iph2->msgid = isakmp->msgid; | |
1281 | iph2->seq = pk_getseq(); | |
1282 | iph2->ivm = oakley_newiv2(iph1, iph2->msgid); | |
1283 | if (iph2->ivm == NULL) { | |
1284 | delph2(iph2); | |
1285 | return -1; | |
1286 | } | |
1287 | iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */ | |
1288 | if (iph2->dst == NULL) { | |
1289 | delph2(iph2); | |
1290 | return -1; | |
1291 | } | |
1292 | switch (iph2->dst->sa_family) { | |
1293 | case AF_INET: | |
1294 | #ifndef ENABLE_NATT | |
1295 | ((struct sockaddr_in *)iph2->dst)->sin_port = 0; | |
1296 | #endif | |
1297 | break; | |
1298 | #ifdef INET6 | |
1299 | case AF_INET6: | |
1300 | #ifndef ENABLE_NATT | |
1301 | ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0; | |
1302 | #endif | |
1303 | break; | |
1304 | #endif | |
1305 | default: | |
1306 | plog(LLV_ERROR, LOCATION, NULL, | |
1307 | "invalid family: %d\n", iph2->dst->sa_family); | |
1308 | delph2(iph2); | |
1309 | return -1; | |
1310 | } | |
1311 | ||
1312 | iph2->src = dupsaddr(iph1->local); /* XXX should be considered */ | |
1313 | if (iph2->src == NULL) { | |
1314 | delph2(iph2); | |
1315 | return -1; | |
1316 | } | |
1317 | switch (iph2->src->sa_family) { | |
1318 | case AF_INET: | |
1319 | #ifndef ENABLE_NATT | |
1320 | ((struct sockaddr_in *)iph2->src)->sin_port = 0; | |
1321 | #endif | |
1322 | break; | |
1323 | #ifdef INET6 | |
1324 | case AF_INET6: | |
1325 | #ifndef ENABLE_NATT | |
1326 | ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0; | |
1327 | #endif | |
1328 | break; | |
1329 | #endif | |
1330 | default: | |
1331 | plog(LLV_ERROR, LOCATION, NULL, | |
1332 | "invalid family: %d\n", iph2->src->sa_family); | |
1333 | delph2(iph2); | |
1334 | return -1; | |
1335 | } | |
1336 | ||
1337 | /* add new entry to isakmp status table */ | |
1338 | insph2(iph2); | |
1339 | bindph12(iph1, iph2); | |
1340 | ||
1341 | plog(LLV_DEBUG, LOCATION, NULL, "===\n"); | |
1342 | { | |
1343 | char *a; | |
1344 | ||
1345 | a = strdup(saddr2str(iph2->src)); | |
1346 | plog(LLV_INFO, LOCATION, NULL, | |
1347 | "respond new phase 2 negotiation: %s<=>%s\n", | |
1348 | a, saddr2str(iph2->dst)); | |
1349 | racoon_free(a); | |
1350 | } | |
1351 | ||
1352 | #ifdef ENABLE_STATS | |
1353 | gettimeofday(&start, NULL); | |
1354 | #endif | |
1355 | ||
1356 | error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] | |
1357 | [iph2->side] | |
1358 | [iph2->status])(iph2, msg); | |
1359 | if (error != 0) { | |
1360 | plog(LLV_ERROR, LOCATION, iph1->remote, | |
1361 | "failed to pre-process packet.\n"); | |
1362 | if (error != ISAKMP_INTERNAL_ERROR) | |
1363 | isakmp_info_send_n1(iph2->ph1, error, NULL); | |
1364 | /* | |
1365 | * release handler because it's wrong that ph2handle is kept | |
1366 | * after failed to check message for responder's. | |
1367 | */ | |
1368 | unbindph12(iph2); | |
1369 | remph2(iph2); | |
1370 | delph2(iph2); | |
1371 | return -1; | |
1372 | } | |
1373 | ||
1374 | /* send */ | |
1375 | plog(LLV_DEBUG, LOCATION, NULL, "===\n"); | |
1376 | if ((ph2exchange[etypesw2(isakmp->etype)] | |
1377 | [iph2->side] | |
1378 | [iph2->status])(iph2, msg) < 0) { | |
1379 | plog(LLV_ERROR, LOCATION, iph2->ph1->remote, | |
1380 | "failed to process packet.\n"); | |
1381 | /* don't release handler */ | |
1382 | return -1; | |
1383 | } | |
1384 | #ifdef ENABLE_STATS | |
1385 | gettimeofday(&end, NULL); | |
1386 | syslog(LOG_NOTICE, "%s(%s): %8.6f", | |
1387 | "phase2", | |
1388 | s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), | |
1389 | timedelta(&start, &end)); | |
1390 | #endif | |
1391 | ||
1392 | #ifdef ENABLE_VPNCONTROL_PORT | |
1393 | vpncontrol_notify_phase_change(1, FROM_REMOTE, NULL, iph2); | |
1394 | #endif | |
1395 | ||
1396 | ||
1397 | return 0; | |
1398 | } | |
1399 | ||
1400 | /* | |
1401 | * parse ISAKMP payloads, without ISAKMP base header. | |
1402 | */ | |
1403 | vchar_t * | |
1404 | isakmp_parsewoh(np0, gen, len) | |
1405 | int np0; | |
1406 | struct isakmp_gen *gen; | |
1407 | int len; | |
1408 | { | |
1409 | u_char np = np0 & 0xff; | |
1410 | int tlen, plen; | |
1411 | vchar_t *result; | |
1412 | struct isakmp_parse_t *p, *ep; | |
1413 | ||
1414 | plog(LLV_DEBUG, LOCATION, NULL, "begin.\n"); | |
1415 | ||
1416 | /* | |
1417 | * 5 is a magic number, but any value larger than 2 should be fine | |
1418 | * as we do vrealloc() in the following loop. | |
1419 | */ | |
1420 | result = vmalloc(sizeof(struct isakmp_parse_t) * 5); | |
1421 | if (result == NULL) { | |
1422 | plog(LLV_ERROR, LOCATION, NULL, | |
1423 | "failed to get buffer.\n"); | |
1424 | return NULL; | |
1425 | } | |
1426 | p = (struct isakmp_parse_t *)result->v; | |
1427 | ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep)); | |
1428 | ||
1429 | tlen = len; | |
1430 | ||
1431 | /* parse through general headers */ | |
1432 | while (0 < tlen && np != ISAKMP_NPTYPE_NONE) { | |
1433 | if (tlen <= sizeof(struct isakmp_gen)) { | |
1434 | /* don't send information, see isakmp_ident_r1() */ | |
1435 | plog(LLV_ERROR, LOCATION, NULL, | |
1436 | "invalid length of payload\n"); | |
1437 | vfree(result); | |
1438 | return NULL; | |
1439 | } | |
1440 | ||
1441 | plog(LLV_DEBUG, LOCATION, NULL, | |
1442 | "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np)); | |
1443 | ||
1444 | p->type = np; | |
1445 | p->len = ntohs(gen->len); | |
1446 | if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) { | |
1447 | plog(LLV_DEBUG, LOCATION, NULL, | |
1448 | "invalid length of payload\n"); | |
1449 | vfree(result); | |
1450 | return NULL; | |
1451 | } | |
1452 | p->ptr = gen; | |
1453 | p++; | |
1454 | if (ep <= p) { | |
1455 | int off; | |
1456 | ||
1457 | off = p - (struct isakmp_parse_t *)result->v; | |
1458 | result = vrealloc(result, result->l * 2); | |
1459 | if (result == NULL) { | |
1460 | plog(LLV_DEBUG, LOCATION, NULL, | |
1461 | "failed to realloc buffer.\n"); | |
1462 | vfree(result); | |
1463 | return NULL; | |
1464 | } | |
1465 | ep = (struct isakmp_parse_t *) | |
1466 | (result->v + result->l - sizeof(*ep)); | |
1467 | p = (struct isakmp_parse_t *)result->v; | |
1468 | p += off; | |
1469 | } | |
1470 | ||
1471 | np = gen->np; | |
1472 | plen = ntohs(gen->len); | |
1473 | gen = (struct isakmp_gen *)((caddr_t)gen + plen); | |
1474 | tlen -= plen; | |
1475 | } | |
1476 | p->type = ISAKMP_NPTYPE_NONE; | |
1477 | p->len = 0; | |
1478 | p->ptr = NULL; | |
1479 | ||
1480 | plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n"); | |
1481 | ||
1482 | return result; | |
1483 | } | |
1484 | ||
1485 | /* | |
1486 | * parse ISAKMP payloads, including ISAKMP base header. | |
1487 | */ | |
1488 | vchar_t * | |
1489 | isakmp_parse(buf) | |
1490 | vchar_t *buf; | |
1491 | { | |
1492 | struct isakmp *isakmp = (struct isakmp *)buf->v; | |
1493 | struct isakmp_gen *gen; | |
1494 | int tlen; | |
1495 | vchar_t *result; | |
1496 | u_char np; | |
1497 | ||
1498 | np = isakmp->np; | |
1499 | gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp)); | |
1500 | tlen = buf->l - sizeof(struct isakmp); | |
1501 | result = isakmp_parsewoh(np, gen, tlen); | |
1502 | ||
1503 | return result; | |
1504 | } | |
1505 | ||
1506 | /* %%% */ | |
1507 | int | |
1508 | isakmp_init() | |
1509 | { | |
1510 | /* initialize a isakmp status table */ | |
1511 | initph1tree(); | |
1512 | initph2tree(); | |
1513 | initctdtree(); | |
1514 | init_recvdpkt(); | |
1515 | ||
1516 | if (isakmp_open() < 0) | |
1517 | goto err; | |
1518 | ||
1519 | return(0); | |
1520 | ||
1521 | err: | |
1522 | isakmp_close(); | |
1523 | return(-1); | |
1524 | } | |
1525 | ||
1526 | void | |
1527 | isakmp_cleanup() | |
1528 | { | |
1529 | clear_recvdpkt(); | |
1530 | clear_contacted(); | |
1531 | } | |
1532 | ||
1533 | /* | |
1534 | * make strings containing i_cookie + r_cookie + msgid | |
1535 | */ | |
1536 | const char * | |
1537 | isakmp_pindex(index, msgid) | |
1538 | const isakmp_index *index; | |
1539 | const u_int32_t msgid; | |
1540 | { | |
1541 | static char buf[64]; | |
1542 | const u_char *p; | |
1543 | int i, j; | |
1544 | ||
1545 | memset(buf, 0, sizeof(buf)); | |
1546 | ||
1547 | /* copy index */ | |
1548 | p = (const u_char *)index; | |
1549 | for (j = 0, i = 0; i < sizeof(isakmp_index); i++) { | |
1550 | snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]); | |
1551 | j += 2; | |
1552 | switch (i) { | |
1553 | case 7: | |
1554 | buf[j++] = ':'; | |
1555 | } | |
1556 | } | |
1557 | ||
1558 | if (msgid == 0) | |
1559 | return buf; | |
1560 | ||
1561 | /* copy msgid */ | |
1562 | snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid)); | |
1563 | ||
1564 | return buf; | |
1565 | } | |
1566 | ||
1567 | /* open ISAKMP sockets. */ | |
1568 | int | |
1569 | isakmp_open() | |
1570 | { | |
1571 | const int yes = 1; | |
1572 | int ifnum = 0, encap_ifnum = 0; | |
1573 | #ifdef INET6 | |
1574 | int pktinfo; | |
1575 | #endif | |
1576 | struct myaddrs *p; | |
1577 | ||
1578 | for (p = lcconf->myaddrs; p; p = p->next) { | |
1579 | if (!p->addr) | |
1580 | continue; | |
1581 | ||
1582 | #ifdef __APPLE__ | |
1583 | if (p->sock != -1) { | |
1584 | ifnum++; | |
1585 | if (p->udp_encap) | |
1586 | encap_ifnum++; | |
1587 | continue; // socket already open | |
1588 | } | |
1589 | #endif | |
1590 | ||
1591 | /* warn if wildcard address - should we forbid this? */ | |
1592 | switch (p->addr->sa_family) { | |
1593 | case AF_INET: | |
1594 | if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0) | |
1595 | plog(LLV_WARNING, LOCATION, NULL, | |
1596 | "listening to wildcard address," | |
1597 | "broadcast IKE packet may kill you\n"); | |
1598 | break; | |
1599 | #ifdef INET6 | |
1600 | case AF_INET6: | |
1601 | if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr)) | |
1602 | plog(LLV_WARNING, LOCATION, NULL, | |
1603 | "listening to wildcard address, " | |
1604 | "broadcast IKE packet may kill you\n"); | |
1605 | break; | |
1606 | #endif | |
1607 | default: | |
1608 | plog(LLV_ERROR, LOCATION, NULL, | |
1609 | "unsupported address family %d\n", | |
1610 | lcconf->default_af); | |
1611 | goto err_and_next; | |
1612 | } | |
1613 | ||
1614 | #ifdef INET6 | |
1615 | if (p->addr->sa_family == AF_INET6 && | |
1616 | IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *) | |
1617 | p->addr)->sin6_addr)) | |
1618 | { | |
1619 | plog(LLV_DEBUG, LOCATION, NULL, | |
1620 | "Ignoring multicast address %s\n", | |
1621 | saddr2str(p->addr)); | |
1622 | racoon_free(p->addr); | |
1623 | p->addr = NULL; | |
1624 | continue; | |
1625 | } | |
1626 | #endif | |
1627 | ||
1628 | if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) { | |
1629 | plog(LLV_ERROR, LOCATION, NULL, | |
1630 | "socket (%s)\n", strerror(errno)); | |
1631 | goto err_and_next; | |
1632 | } | |
1633 | ||
1634 | /* receive my interface address on inbound packets. */ | |
1635 | switch (p->addr->sa_family) { | |
1636 | case AF_INET: | |
1637 | if (setsockopt(p->sock, IPPROTO_IP, | |
1638 | #ifdef __linux__ | |
1639 | IP_PKTINFO, | |
1640 | #else | |
1641 | IP_RECVDSTADDR, | |
1642 | #endif | |
1643 | (const void *)&yes, sizeof(yes)) < 0) { | |
1644 | plog(LLV_ERROR, LOCATION, NULL, | |
1645 | "setsockopt (%s)\n", strerror(errno)); | |
1646 | goto err_and_next; | |
1647 | } | |
1648 | break; | |
1649 | #ifdef INET6 | |
1650 | case AF_INET6: | |
1651 | #ifdef INET6_ADVAPI | |
1652 | #ifdef IPV6_RECVPKTINFO | |
1653 | pktinfo = IPV6_RECVPKTINFO; | |
1654 | #else /* old adv. API */ | |
1655 | pktinfo = IPV6_PKTINFO; | |
1656 | #endif /* IPV6_RECVPKTINFO */ | |
1657 | #else | |
1658 | pktinfo = IPV6_RECVDSTADDR; | |
1659 | #endif | |
1660 | if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo, | |
1661 | (const void *)&yes, sizeof(yes)) < 0) | |
1662 | { | |
1663 | plog(LLV_ERROR, LOCATION, NULL, | |
1664 | "setsockopt(%d): %s\n", | |
1665 | pktinfo, strerror(errno)); | |
1666 | if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1) | |
1667 | plog(LLV_WARNING, LOCATION, NULL, | |
1668 | "failed to put socket in non-blocking mode\n"); | |
1669 | ||
1670 | goto err_and_next; | |
1671 | } | |
1672 | break; | |
1673 | #endif | |
1674 | } | |
1675 | ||
1676 | #ifdef IPV6_USE_MIN_MTU | |
1677 | if (p->addr->sa_family == AF_INET6 && | |
1678 | setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, | |
1679 | (void *)&yes, sizeof(yes)) < 0) { | |
1680 | plog(LLV_ERROR, LOCATION, NULL, | |
1681 | "setsockopt (%s)\n", strerror(errno)); | |
1682 | return -1; | |
1683 | } | |
1684 | #endif | |
1685 | ||
1686 | if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0) | |
1687 | goto err_and_next; | |
1688 | ||
1689 | #ifdef __APPLE__ | |
1690 | if (extract_port(p->addr) == PORT_ISAKMP) { | |
1691 | if (setsockopt(p->sock, SOL_SOCKET, SO_NOTIFYCONFLICT, | |
1692 | (void *)&yes, sizeof(yes)) < 0) { | |
1693 | plog(LLV_ERROR, LOCATION, p->addr, | |
1694 | "setsockopt (%s)\n", strerror(errno)); | |
1695 | goto err_and_next; | |
1696 | } | |
1697 | } | |
1698 | #endif | |
1699 | ||
1700 | if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) { | |
1701 | plog(LLV_ERROR, LOCATION, p->addr, | |
1702 | "failed to bind to address %s (%s).\n", | |
1703 | saddr2str(p->addr), strerror(errno)); | |
1704 | close(p->sock); | |
1705 | p->sock = -1; | |
1706 | goto err_and_next; | |
1707 | } | |
1708 | ||
1709 | ifnum++; | |
1710 | #ifdef __APPLE__ | |
1711 | if (p->udp_encap) | |
1712 | encap_ifnum++; | |
1713 | #endif | |
1714 | ||
1715 | plog(LLV_INFO, LOCATION, NULL, | |
1716 | "%s used as isakmp port (fd=%d)\n", | |
1717 | saddr2str(p->addr), p->sock); | |
1718 | ||
1719 | #ifndef __APPLE__ | |
1720 | #ifdef ENABLE_NATT | |
1721 | if (p->addr->sa_family == AF_INET) { | |
1722 | int option = -1; | |
1723 | ||
1724 | if(p->udp_encap) | |
1725 | option = UDP_ENCAP_ESPINUDP; | |
1726 | #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01) | |
1727 | else | |
1728 | option = UDP_ENCAP_ESPINUDP_NON_IKE; | |
1729 | #endif | |
1730 | if(option != -1){ | |
1731 | if (setsockopt (p->sock, SOL_UDP, UDP_ENCAP, | |
1732 | &option, sizeof (option)) < 0) { | |
1733 | plog(LLV_WARNING, LOCATION, NULL, | |
1734 | "setsockopt(%s): %s\n", | |
1735 | option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE", | |
1736 | strerror(errno)); | |
1737 | goto skip_encap; | |
1738 | } | |
1739 | else { | |
1740 | plog(LLV_INFO, LOCATION, NULL, | |
1741 | "%s used for NAT-T\n", | |
1742 | saddr2str(p->addr)); | |
1743 | encap_ifnum++; | |
1744 | } | |
1745 | } | |
1746 | } | |
1747 | skip_encap: | |
1748 | #endif | |
1749 | #endif /* __APPLE__ */ | |
1750 | ||
1751 | continue; | |
1752 | ||
1753 | err_and_next: | |
1754 | racoon_free(p->addr); | |
1755 | p->addr = NULL; | |
1756 | if (! lcconf->autograbaddr && lcconf->strict_address) | |
1757 | return -1; | |
1758 | continue; | |
1759 | } | |
1760 | ||
1761 | if (!ifnum) { | |
1762 | plog(LLV_ERROR, LOCATION, NULL, | |
1763 | "no address could be bound.\n"); | |
1764 | return -1; | |
1765 | } | |
1766 | ||
1767 | #ifdef ENABLE_NATT | |
1768 | if (natt_enabled_in_rmconf() && !encap_ifnum) { | |
1769 | plog(LLV_WARNING, LOCATION, NULL, | |
1770 | "NAT-T is enabled in at least one remote{} section,\n"); | |
1771 | plog(LLV_WARNING, LOCATION, NULL, | |
1772 | "but no 'isakmp_natt' address was specified!\n"); | |
1773 | } | |
1774 | #endif | |
1775 | ||
1776 | return 0; | |
1777 | } | |
1778 | ||
1779 | void | |
1780 | isakmp_close() | |
1781 | { | |
1782 | isakmp_close_sockets(); | |
1783 | clear_myaddr(); | |
1784 | } | |
1785 | ||
1786 | void | |
1787 | isakmp_close_sockets() | |
1788 | { | |
1789 | struct myaddrs *p; | |
1790 | ||
1791 | for (p = lcconf->myaddrs; p; p = p->next) { | |
1792 | ||
1793 | if (!p->addr) | |
1794 | continue; | |
1795 | ||
1796 | if (p->sock >= 0) { | |
1797 | close(p->sock); | |
1798 | p->sock = -1; | |
1799 | } | |
1800 | } | |
1801 | ||
1802 | } | |
1803 | ||
1804 | ||
1805 | // close sockets for addresses that have gone away | |
1806 | void | |
1807 | isakmp_close_unused() | |
1808 | { | |
1809 | struct myaddrs *p, *next, **prev; | |
1810 | ||
1811 | prev = &(lcconf->myaddrs); | |
1812 | for (p = lcconf->myaddrs; p; p = next) { | |
1813 | next = p->next; | |
1814 | if (p->in_use == 0) { // not in use ? | |
1815 | ||
1816 | if (p->sock >= 0) | |
1817 | close(p->sock); | |
1818 | if (p->addr) | |
1819 | racoon_free(p->addr); | |
1820 | *prev = p->next; | |
1821 | racoon_free(p); | |
1822 | } else | |
1823 | prev = &(p->next); | |
1824 | } | |
1825 | } | |
1826 | ||
1827 | int | |
1828 | isakmp_send(iph1, sbuf) | |
1829 | struct ph1handle *iph1; | |
1830 | vchar_t *sbuf; | |
1831 | { | |
1832 | int len = 0; | |
1833 | int s; | |
1834 | vchar_t *vbuf = NULL; | |
1835 | ||
1836 | #ifdef ENABLE_NATT | |
1837 | size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0; | |
1838 | ||
1839 | #ifdef ENABLE_FRAG | |
1840 | /* | |
1841 | * Do not add the non ESP marker for a packet that will | |
1842 | * be fragmented. The non ESP marker should appear in | |
1843 | * all fragment's packets, but not in the fragmented packet | |
1844 | */ | |
1845 | if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) | |
1846 | extralen = 0; | |
1847 | #endif | |
1848 | if (extralen) | |
1849 | plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n"); | |
1850 | ||
1851 | /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) | |
1852 | must added just before the packet itself. For this we must | |
1853 | allocate a new buffer and release it at the end. */ | |
1854 | if (extralen) { | |
1855 | vbuf = vmalloc (sbuf->l + extralen); | |
1856 | *(u_int32_t *)vbuf->v = 0; | |
1857 | memcpy (vbuf->v + extralen, sbuf->v, sbuf->l); | |
1858 | sbuf = vbuf; | |
1859 | } | |
1860 | #endif | |
1861 | ||
1862 | /* select the socket to be sent */ | |
1863 | s = getsockmyaddr(iph1->local); | |
1864 | if (s == -1){ | |
1865 | if ( vbuf != NULL ) | |
1866 | vfree(vbuf); | |
1867 | return -1; | |
1868 | } | |
1869 | ||
1870 | plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, | |
1871 | saddr2str_fromto("from %s to %s", iph1->local, iph1->remote)); | |
1872 | ||
1873 | #ifdef ENABLE_FRAG | |
1874 | if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) { | |
1875 | if (isakmp_sendfrags(iph1, sbuf) == -1) { | |
1876 | plog(LLV_ERROR, LOCATION, NULL, | |
1877 | "isakmp_sendfrags failed\n"); | |
1878 | if ( vbuf != NULL ) | |
1879 | vfree(vbuf); | |
1880 | return -1; | |
1881 | } | |
1882 | } else | |
1883 | #endif | |
1884 | { | |
1885 | len = sendfromto(s, sbuf->v, sbuf->l, | |
1886 | iph1->local, iph1->remote, lcconf->count_persend); | |
1887 | if (len == -1) { | |
1888 | plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n"); | |
1889 | if ( vbuf != NULL ) | |
1890 | vfree(vbuf); | |
1891 | return -1; | |
1892 | } | |
1893 | } | |
1894 | ||
1895 | if ( vbuf != NULL ) | |
1896 | vfree(vbuf); | |
1897 | ||
1898 | return 0; | |
1899 | } | |
1900 | ||
1901 | /* called from scheduler */ | |
1902 | void | |
1903 | isakmp_ph1resend_stub(p) | |
1904 | void *p; | |
1905 | { | |
1906 | (void)isakmp_ph1resend((struct ph1handle *)p); | |
1907 | } | |
1908 | ||
1909 | int | |
1910 | isakmp_ph1resend(iph1) | |
1911 | struct ph1handle *iph1; | |
1912 | { | |
1913 | if (iph1->retry_counter < 0) { | |
1914 | plog(LLV_ERROR, LOCATION, NULL, | |
1915 | "phase1 negotiation failed due to time up. %s\n", | |
1916 | isakmp_pindex(&iph1->index, iph1->msgid)); | |
1917 | EVT_PUSH(iph1->local, iph1->remote, | |
1918 | EVTT_PEER_NO_RESPONSE, NULL); | |
1919 | ||
1920 | remph1(iph1); | |
1921 | delph1(iph1); | |
1922 | return -1; | |
1923 | } | |
1924 | ||
1925 | if (isakmp_send(iph1, iph1->sendbuf) < 0){ | |
1926 | iph1->retry_counter--; | |
1927 | ||
1928 | iph1->scr = sched_new(iph1->rmconf->retry_interval, | |
1929 | isakmp_ph1resend_stub, iph1); | |
1930 | return -1; | |
1931 | } | |
1932 | ||
1933 | plog(LLV_DEBUG, LOCATION, NULL, | |
1934 | "resend phase1 packet %s\n", | |
1935 | isakmp_pindex(&iph1->index, iph1->msgid)); | |
1936 | ||
1937 | iph1->retry_counter--; | |
1938 | ||
1939 | iph1->scr = sched_new(iph1->rmconf->retry_interval, | |
1940 | isakmp_ph1resend_stub, iph1); | |
1941 | ||
1942 | return 0; | |
1943 | } | |
1944 | ||
1945 | /* called from scheduler */ | |
1946 | void | |
1947 | isakmp_ph2resend_stub(p) | |
1948 | void *p; | |
1949 | { | |
1950 | ||
1951 | (void)isakmp_ph2resend((struct ph2handle *)p); | |
1952 | } | |
1953 | ||
1954 | int | |
1955 | isakmp_ph2resend(iph2) | |
1956 | struct ph2handle *iph2; | |
1957 | { | |
1958 | if (iph2->retry_counter < 0) { | |
1959 | plog(LLV_ERROR, LOCATION, NULL, | |
1960 | "phase2 negotiation failed due to time up. %s\n", | |
1961 | isakmp_pindex(&iph2->ph1->index, iph2->msgid)); | |
1962 | EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL); | |
1963 | unbindph12(iph2); | |
1964 | remph2(iph2); | |
1965 | delph2(iph2); | |
1966 | return -1; | |
1967 | } | |
1968 | ||
1969 | //%%% BUG FIX - related to commit bit usage - crash happened here | |
1970 | if (iph2->ph1 == 0) { | |
1971 | plog(LLV_ERROR, LOCATION, NULL, | |
1972 | "internal error - attempt to re-send phase2 with no phase1 bound.\n"); | |
1973 | iph2->retry_counter = -1; | |
1974 | remph2(iph2); | |
1975 | delph2(iph2); | |
1976 | return -1; | |
1977 | } | |
1978 | ||
1979 | if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) | |
1980 | return -1; | |
1981 | ||
1982 | plog(LLV_DEBUG, LOCATION, NULL, | |
1983 | "resend phase2 packet %s\n", | |
1984 | isakmp_pindex(&iph2->ph1->index, iph2->msgid)); | |
1985 | ||
1986 | iph2->retry_counter--; | |
1987 | ||
1988 | iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval, | |
1989 | isakmp_ph2resend_stub, iph2); | |
1990 | ||
1991 | return 0; | |
1992 | } | |
1993 | ||
1994 | /* called from scheduler */ | |
1995 | void | |
1996 | isakmp_ph1expire_stub(p) | |
1997 | void *p; | |
1998 | { | |
1999 | ||
2000 | isakmp_ph1expire((struct ph1handle *)p); | |
2001 | } | |
2002 | ||
2003 | void | |
2004 | isakmp_ph1expire(iph1) | |
2005 | struct ph1handle *iph1; | |
2006 | { | |
2007 | char *src, *dst; | |
2008 | ||
2009 | SCHED_KILL(iph1->sce); | |
2010 | ||
2011 | if(iph1->status != PHASE1ST_EXPIRED){ | |
2012 | src = strdup(saddr2str(iph1->local)); | |
2013 | dst = strdup(saddr2str(iph1->remote)); | |
2014 | plog(LLV_INFO, LOCATION, NULL, | |
2015 | "ISAKMP-SA expired %s-%s spi:%s\n", | |
2016 | src, dst, | |
2017 | isakmp_pindex(&iph1->index, 0)); | |
2018 | racoon_free(src); | |
2019 | racoon_free(dst); | |
2020 | iph1->status = PHASE1ST_EXPIRED; | |
2021 | } | |
2022 | ||
2023 | /* | |
2024 | * the phase1 deletion is postponed until there is no phase2. | |
2025 | */ | |
2026 | if (LIST_FIRST(&iph1->ph2tree) != NULL) { | |
2027 | iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1); | |
2028 | return; | |
2029 | } | |
2030 | ||
2031 | iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); | |
2032 | } | |
2033 | ||
2034 | /* called from scheduler */ | |
2035 | void | |
2036 | isakmp_ph1delete_stub(p) | |
2037 | void *p; | |
2038 | { | |
2039 | ||
2040 | isakmp_ph1delete((struct ph1handle *)p); | |
2041 | } | |
2042 | ||
2043 | void | |
2044 | isakmp_ph1delete(iph1) | |
2045 | struct ph1handle *iph1; | |
2046 | { | |
2047 | char *src, *dst; | |
2048 | ||
2049 | if (iph1->sce) | |
2050 | SCHED_KILL(iph1->sce); | |
2051 | ||
2052 | if (LIST_FIRST(&iph1->ph2tree) != NULL) { | |
2053 | iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); | |
2054 | return; | |
2055 | } | |
2056 | ||
2057 | /* don't re-negosiation when the phase 1 SA expires. */ | |
2058 | ||
2059 | src = strdup(saddr2str(iph1->local)); | |
2060 | dst = strdup(saddr2str(iph1->remote)); | |
2061 | plog(LLV_INFO, LOCATION, NULL, | |
2062 | "ISAKMP-SA deleted %s-%s spi:%s\n", | |
2063 | src, dst, isakmp_pindex(&iph1->index, 0)); | |
2064 | EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL); | |
2065 | racoon_free(src); | |
2066 | racoon_free(dst); | |
2067 | ||
2068 | remph1(iph1); | |
2069 | delph1(iph1); | |
2070 | ||
2071 | return; | |
2072 | } | |
2073 | ||
2074 | /* called from scheduler. | |
2075 | * this function will call only isakmp_ph2delete(). | |
2076 | * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA | |
2077 | * by something cause. That's why this function is called after phase 2 SA | |
2078 | * expires in the userland. | |
2079 | */ | |
2080 | void | |
2081 | isakmp_ph2expire_stub(p) | |
2082 | void *p; | |
2083 | { | |
2084 | ||
2085 | isakmp_ph2expire((struct ph2handle *)p); | |
2086 | } | |
2087 | ||
2088 | void | |
2089 | isakmp_ph2expire(iph2) | |
2090 | struct ph2handle *iph2; | |
2091 | { | |
2092 | char *src, *dst; | |
2093 | ||
2094 | SCHED_KILL(iph2->sce); | |
2095 | ||
2096 | src = strdup(saddrwop2str(iph2->src)); | |
2097 | dst = strdup(saddrwop2str(iph2->dst)); | |
2098 | plog(LLV_INFO, LOCATION, NULL, | |
2099 | "phase2 sa expired %s-%s\n", src, dst); | |
2100 | racoon_free(src); | |
2101 | racoon_free(dst); | |
2102 | ||
2103 | iph2->status = PHASE2ST_EXPIRED; | |
2104 | ||
2105 | iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2); | |
2106 | ||
2107 | return; | |
2108 | } | |
2109 | ||
2110 | /* called from scheduler */ | |
2111 | void | |
2112 | isakmp_ph2delete_stub(p) | |
2113 | void *p; | |
2114 | { | |
2115 | ||
2116 | isakmp_ph2delete((struct ph2handle *)p); | |
2117 | } | |
2118 | ||
2119 | void | |
2120 | isakmp_ph2delete(iph2) | |
2121 | struct ph2handle *iph2; | |
2122 | { | |
2123 | char *src, *dst; | |
2124 | ||
2125 | SCHED_KILL(iph2->sce); | |
2126 | ||
2127 | src = strdup(saddrwop2str(iph2->src)); | |
2128 | dst = strdup(saddrwop2str(iph2->dst)); | |
2129 | plog(LLV_INFO, LOCATION, NULL, | |
2130 | "phase2 sa deleted %s-%s\n", src, dst); | |
2131 | racoon_free(src); | |
2132 | racoon_free(dst); | |
2133 | ||
2134 | unbindph12(iph2); | |
2135 | remph2(iph2); | |
2136 | delph2(iph2); | |
2137 | ||
2138 | return; | |
2139 | } | |
2140 | ||
2141 | /* \f%%% | |
2142 | * Interface between PF_KEYv2 and ISAKMP | |
2143 | */ | |
2144 | /* | |
2145 | * receive ACQUIRE from kernel, and begin either phase1 or phase2. | |
2146 | * if phase1 has been finished, begin phase2. | |
2147 | */ | |
2148 | int | |
2149 | isakmp_post_acquire(iph2) | |
2150 | struct ph2handle *iph2; | |
2151 | { | |
2152 | struct remoteconf *rmconf; | |
2153 | struct ph1handle *iph1 = NULL; | |
2154 | ||
2155 | /* search appropreate configuration with masking port. */ | |
2156 | rmconf = getrmconf(iph2->dst); | |
2157 | if (rmconf == NULL) { | |
2158 | plog(LLV_ERROR, LOCATION, NULL, | |
2159 | "no configuration found for %s.\n", | |
2160 | saddrwop2str(iph2->dst)); | |
2161 | return -1; | |
2162 | } | |
2163 | ||
2164 | /* if passive mode, ignore the acquire message */ | |
2165 | if (rmconf->passive) { | |
2166 | plog(LLV_DEBUG, LOCATION, NULL, | |
2167 | "because of passive mode, " | |
2168 | "ignore the acquire message for %s.\n", | |
2169 | saddrwop2str(iph2->dst)); | |
2170 | return 0; | |
2171 | } | |
2172 | ||
2173 | /* | |
2174 | * Search isakmp status table by address and port | |
2175 | * If NAT-T is in use, consider null ports as a | |
2176 | * wildcard and use IKE ports instead. | |
2177 | */ | |
2178 | #ifdef ENABLE_NATT | |
2179 | if (!extract_port(iph2->src) && !extract_port(iph2->dst)) { | |
2180 | if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) { | |
2181 | set_port(iph2->src, extract_port(iph1->local)); | |
2182 | set_port(iph2->dst, extract_port(iph1->remote)); | |
2183 | } | |
2184 | } else { | |
2185 | iph1 = getph1byaddr(iph2->src, iph2->dst); | |
2186 | } | |
2187 | #else | |
2188 | iph1 = getph1byaddr(iph2->src, iph2->dst); | |
2189 | #endif | |
2190 | ||
2191 | /* no ISAKMP-SA found. */ | |
2192 | if (iph1 == NULL) { | |
2193 | struct sched *sc; | |
2194 | ||
2195 | iph2->retry_checkph1 = lcconf->retry_checkph1; | |
2196 | sc = sched_new(1, isakmp_chkph1there_stub, iph2); | |
2197 | plog(LLV_INFO, LOCATION, NULL, | |
2198 | "IPsec-SA request for %s queued " | |
2199 | "due to no phase1 found.\n", | |
2200 | saddrwop2str(iph2->dst)); | |
2201 | ||
2202 | /* start phase 1 negotiation as a initiator. */ | |
2203 | if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) { | |
2204 | SCHED_KILL(sc); | |
2205 | return -1; | |
2206 | } | |
2207 | ||
2208 | return 0; | |
2209 | /*NOTREACHED*/ | |
2210 | } | |
2211 | ||
2212 | /* found ISAKMP-SA, but on negotiation. */ | |
2213 | if (iph1->status != PHASE1ST_ESTABLISHED) { | |
2214 | iph2->retry_checkph1 = lcconf->retry_checkph1; | |
2215 | sched_new(1, isakmp_chkph1there_stub, iph2); | |
2216 | plog(LLV_INFO, LOCATION, iph2->dst, | |
2217 | "request for establishing IPsec-SA was queued " | |
2218 | "due to no phase1 found.\n"); | |
2219 | return 0; | |
2220 | /*NOTREACHED*/ | |
2221 | } | |
2222 | ||
2223 | /* found established ISAKMP-SA */ | |
2224 | /* i.e. iph1->status == PHASE1ST_ESTABLISHED */ | |
2225 | ||
2226 | /* found ISAKMP-SA. */ | |
2227 | plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); | |
2228 | ||
2229 | /* begin quick mode */ | |
2230 | if (isakmp_ph2begin_i(iph1, iph2)) | |
2231 | return -1; | |
2232 | ||
2233 | return 0; | |
2234 | } | |
2235 | ||
2236 | /* | |
2237 | * receive GETSPI from kernel. | |
2238 | */ | |
2239 | int | |
2240 | isakmp_post_getspi(iph2) | |
2241 | struct ph2handle *iph2; | |
2242 | { | |
2243 | #ifdef ENABLE_STATS | |
2244 | struct timeval start, end; | |
2245 | #endif | |
2246 | ||
2247 | /* don't process it because there is no suitable phase1-sa. */ | |
2248 | if (iph2->ph1->status == PHASE1ST_EXPIRED) { | |
2249 | plog(LLV_ERROR, LOCATION, iph2->ph1->remote, | |
2250 | "the negotiation is stopped, " | |
2251 | "because there is no suitable ISAKMP-SA.\n"); | |
2252 | return -1; | |
2253 | } | |
2254 | ||
2255 | #ifdef ENABLE_STATS | |
2256 | gettimeofday(&start, NULL); | |
2257 | #endif | |
2258 | if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] | |
2259 | [iph2->side] | |
2260 | [iph2->status])(iph2, NULL) != 0) | |
2261 | return -1; | |
2262 | #ifdef ENABLE_STATS | |
2263 | gettimeofday(&end, NULL); | |
2264 | syslog(LOG_NOTICE, "%s(%s): %8.6f", | |
2265 | "phase2", | |
2266 | s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), | |
2267 | timedelta(&start, &end)); | |
2268 | #endif | |
2269 | ||
2270 | return 0; | |
2271 | } | |
2272 | ||
2273 | /* called by scheduler */ | |
2274 | void | |
2275 | isakmp_chkph1there_stub(p) | |
2276 | void *p; | |
2277 | { | |
2278 | isakmp_chkph1there((struct ph2handle *)p); | |
2279 | } | |
2280 | ||
2281 | void | |
2282 | isakmp_chkph1there(iph2) | |
2283 | struct ph2handle *iph2; | |
2284 | { | |
2285 | struct ph1handle *iph1; | |
2286 | ||
2287 | iph2->retry_checkph1--; | |
2288 | if (iph2->retry_checkph1 < 0) { | |
2289 | plog(LLV_ERROR, LOCATION, iph2->dst, | |
2290 | "phase2 negotiation failed " | |
2291 | "due to time up waiting for phase1. %s\n", | |
2292 | sadbsecas2str(iph2->dst, iph2->src, | |
2293 | iph2->satype, 0, 0)); | |
2294 | plog(LLV_INFO, LOCATION, NULL, | |
2295 | "delete phase 2 handler.\n"); | |
2296 | ||
2297 | /* send acquire to kernel as error */ | |
2298 | pk_sendeacquire(iph2); | |
2299 | ||
2300 | unbindph12(iph2); | |
2301 | remph2(iph2); | |
2302 | delph2(iph2); | |
2303 | ||
2304 | return; | |
2305 | } | |
2306 | ||
2307 | /* | |
2308 | * Search isakmp status table by address and port | |
2309 | * If NAT-T is in use, consider null ports as a | |
2310 | * wildcard and use IKE ports instead. | |
2311 | */ | |
2312 | #ifdef ENABLE_NATT | |
2313 | if (!extract_port(iph2->src) && !extract_port(iph2->dst)) { | |
2314 | if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) { | |
2315 | /* | |
2316 | * cannot set ph2 ports until after switch to natt port | |
2317 | * otherwise this function will never again find phase 1 | |
2318 | */ | |
2319 | if (iph1->status == PHASE1ST_ESTABLISHED) { | |
2320 | set_port(iph2->src, extract_port(iph1->local)); | |
2321 | set_port(iph2->dst, extract_port(iph1->remote)); | |
2322 | } | |
2323 | } | |
2324 | } else { | |
2325 | iph1 = getph1byaddr(iph2->src, iph2->dst); | |
2326 | } | |
2327 | #else | |
2328 | iph1 = getph1byaddr(iph2->src, iph2->dst); | |
2329 | #endif | |
2330 | ||
2331 | /* XXX Even if ph1 as responder is there, should we not start | |
2332 | * phase 2 negotiation ? */ | |
2333 | if (iph1 != NULL | |
2334 | && iph1->status == PHASE1ST_ESTABLISHED) { | |
2335 | /* found isakmp-sa */ | |
2336 | /* begin quick mode */ | |
2337 | (void)isakmp_ph2begin_i(iph1, iph2); | |
2338 | return; | |
2339 | } | |
2340 | ||
2341 | /* no isakmp-sa found */ | |
2342 | sched_new(1, isakmp_chkph1there_stub, iph2); | |
2343 | ||
2344 | return; | |
2345 | } | |
2346 | ||
2347 | /* copy variable data into ALLOCATED buffer. */ | |
2348 | caddr_t | |
2349 | isakmp_set_attr_v(buf, type, val, len) | |
2350 | caddr_t buf; | |
2351 | int type; | |
2352 | caddr_t val; | |
2353 | int len; | |
2354 | { | |
2355 | struct isakmp_data *data; | |
2356 | ||
2357 | data = (struct isakmp_data *)buf; | |
2358 | data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV); | |
2359 | data->lorv = htons((u_int16_t)len); | |
2360 | memcpy(data + 1, val, len); | |
2361 | ||
2362 | return buf + sizeof(*data) + len; | |
2363 | } | |
2364 | ||
2365 | /* copy fixed length data into ALLOCATED buffer. */ | |
2366 | caddr_t | |
2367 | isakmp_set_attr_l(buf, type, val) | |
2368 | caddr_t buf; | |
2369 | int type; | |
2370 | u_int32_t val; | |
2371 | { | |
2372 | struct isakmp_data *data; | |
2373 | ||
2374 | data = (struct isakmp_data *)buf; | |
2375 | data->type = htons((u_int16_t)type | ISAKMP_GEN_TV); | |
2376 | data->lorv = htons((u_int16_t)val); | |
2377 | ||
2378 | return buf + sizeof(*data); | |
2379 | } | |
2380 | ||
2381 | /* add a variable data attribute to the buffer by reallocating it. */ | |
2382 | vchar_t * | |
2383 | isakmp_add_attr_v(buf0, type, val, len) | |
2384 | vchar_t *buf0; | |
2385 | int type; | |
2386 | caddr_t val; | |
2387 | int len; | |
2388 | { | |
2389 | vchar_t *buf = NULL; | |
2390 | struct isakmp_data *data; | |
2391 | int tlen; | |
2392 | int oldlen = 0; | |
2393 | ||
2394 | tlen = sizeof(*data) + len; | |
2395 | ||
2396 | if (buf0) { | |
2397 | oldlen = buf0->l; | |
2398 | buf = vrealloc(buf0, oldlen + tlen); | |
2399 | } else | |
2400 | buf = vmalloc(tlen); | |
2401 | if (!buf) { | |
2402 | plog(LLV_ERROR, LOCATION, NULL, | |
2403 | "failed to get a attribute buffer.\n"); | |
2404 | return NULL; | |
2405 | } | |
2406 | ||
2407 | data = (struct isakmp_data *)(buf->v + oldlen); | |
2408 | data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV); | |
2409 | data->lorv = htons((u_int16_t)len); | |
2410 | memcpy(data + 1, val, len); | |
2411 | ||
2412 | return buf; | |
2413 | } | |
2414 | ||
2415 | /* add a fixed data attribute to the buffer by reallocating it. */ | |
2416 | vchar_t * | |
2417 | isakmp_add_attr_l(buf0, type, val) | |
2418 | vchar_t *buf0; | |
2419 | int type; | |
2420 | u_int32_t val; | |
2421 | { | |
2422 | vchar_t *buf = NULL; | |
2423 | struct isakmp_data *data; | |
2424 | int tlen; | |
2425 | int oldlen = 0; | |
2426 | ||
2427 | tlen = sizeof(*data); | |
2428 | ||
2429 | if (buf0) { | |
2430 | oldlen = buf0->l; | |
2431 | buf = vrealloc(buf0, oldlen + tlen); | |
2432 | } else | |
2433 | buf = vmalloc(tlen); | |
2434 | if (!buf) { | |
2435 | plog(LLV_ERROR, LOCATION, NULL, | |
2436 | "failed to get a attribute buffer.\n"); | |
2437 | return NULL; | |
2438 | } | |
2439 | ||
2440 | data = (struct isakmp_data *)(buf->v + oldlen); | |
2441 | data->type = htons((u_int16_t)type | ISAKMP_GEN_TV); | |
2442 | data->lorv = htons((u_int16_t)val); | |
2443 | ||
2444 | return buf; | |
2445 | } | |
2446 | ||
2447 | /* | |
2448 | * calculate cookie and set. | |
2449 | */ | |
2450 | int | |
2451 | isakmp_newcookie(place, remote, local) | |
2452 | caddr_t place; | |
2453 | struct sockaddr *remote; | |
2454 | struct sockaddr *local; | |
2455 | { | |
2456 | vchar_t *buf = NULL, *buf2 = NULL; | |
2457 | char *p; | |
2458 | int blen; | |
2459 | int alen; | |
2460 | caddr_t sa1, sa2; | |
2461 | time_t t; | |
2462 | int error = -1; | |
2463 | u_short port; | |
2464 | ||
2465 | ||
2466 | if (remote->sa_family != local->sa_family) { | |
2467 | plog(LLV_ERROR, LOCATION, NULL, | |
2468 | "address family mismatch, remote:%d local:%d\n", | |
2469 | remote->sa_family, local->sa_family); | |
2470 | goto end; | |
2471 | } | |
2472 | switch (remote->sa_family) { | |
2473 | case AF_INET: | |
2474 | alen = sizeof(struct in_addr); | |
2475 | sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr; | |
2476 | sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr; | |
2477 | break; | |
2478 | #ifdef INET6 | |
2479 | case AF_INET6: | |
2480 | alen = sizeof(struct in_addr); | |
2481 | sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr; | |
2482 | sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr; | |
2483 | break; | |
2484 | #endif | |
2485 | default: | |
2486 | plog(LLV_ERROR, LOCATION, NULL, | |
2487 | "invalid family: %d\n", remote->sa_family); | |
2488 | goto end; | |
2489 | } | |
2490 | blen = (alen + sizeof(u_short)) * 2 | |
2491 | + sizeof(time_t) + lcconf->secret_size; | |
2492 | buf = vmalloc(blen); | |
2493 | if (buf == NULL) { | |
2494 | plog(LLV_ERROR, LOCATION, NULL, | |
2495 | "failed to get a cookie.\n"); | |
2496 | goto end; | |
2497 | } | |
2498 | p = buf->v; | |
2499 | ||
2500 | /* copy my address */ | |
2501 | memcpy(p, sa1, alen); | |
2502 | p += alen; | |
2503 | port = ((struct sockaddr_in *)remote)->sin_port; | |
2504 | memcpy(p, &port, sizeof(u_short)); | |
2505 | p += sizeof(u_short); | |
2506 | ||
2507 | /* copy target address */ | |
2508 | memcpy(p, sa2, alen); | |
2509 | p += alen; | |
2510 | port = ((struct sockaddr_in *)local)->sin_port; | |
2511 | memcpy(p, &port, sizeof(u_short)); | |
2512 | p += sizeof(u_short); | |
2513 | ||
2514 | /* copy time */ | |
2515 | t = time(0); | |
2516 | memcpy(p, (caddr_t)&t, sizeof(t)); | |
2517 | p += sizeof(t); | |
2518 | ||
2519 | /* copy random value */ | |
2520 | buf2 = eay_set_random(lcconf->secret_size); | |
2521 | if (buf2 == NULL) | |
2522 | goto end; | |
2523 | memcpy(p, buf2->v, lcconf->secret_size); | |
2524 | p += lcconf->secret_size; | |
2525 | vfree(buf2); | |
2526 | ||
2527 | buf2 = eay_sha1_one(buf); | |
2528 | memcpy(place, buf2->v, sizeof(cookie_t)); | |
2529 | ||
2530 | sa1 = val2str(place, sizeof (cookie_t)); | |
2531 | plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1); | |
2532 | racoon_free(sa1); | |
2533 | ||
2534 | error = 0; | |
2535 | end: | |
2536 | if (buf != NULL) | |
2537 | vfree(buf); | |
2538 | if (buf2 != NULL) | |
2539 | vfree(buf2); | |
2540 | return error; | |
2541 | } | |
2542 | ||
2543 | /* | |
2544 | * save partner's(payload) data into phhandle. | |
2545 | */ | |
2546 | int | |
2547 | isakmp_p2ph(buf, gen) | |
2548 | vchar_t **buf; | |
2549 | struct isakmp_gen *gen; | |
2550 | { | |
2551 | /* XXX to be checked in each functions for logging. */ | |
2552 | if (*buf) { | |
2553 | plog(LLV_WARNING, LOCATION, NULL, | |
2554 | "ignore this payload, same payload type exist.\n"); | |
2555 | return -1; | |
2556 | } | |
2557 | ||
2558 | *buf = vmalloc(ntohs(gen->len) - sizeof(*gen)); | |
2559 | if (*buf == NULL) { | |
2560 | plog(LLV_ERROR, LOCATION, NULL, | |
2561 | "failed to get buffer.\n"); | |
2562 | return -1; | |
2563 | } | |
2564 | memcpy((*buf)->v, gen + 1, (*buf)->l); | |
2565 | ||
2566 | return 0; | |
2567 | } | |
2568 | ||
2569 | u_int32_t | |
2570 | isakmp_newmsgid2(iph1) | |
2571 | struct ph1handle *iph1; | |
2572 | { | |
2573 | u_int32_t msgid2; | |
2574 | ||
2575 | do { | |
2576 | msgid2 = eay_random(); | |
2577 | } while (getph2bymsgid(iph1, msgid2)); | |
2578 | ||
2579 | return msgid2; | |
2580 | } | |
2581 | ||
2582 | /* | |
2583 | * set values into allocated buffer of isakmp header for phase 1 | |
2584 | */ | |
2585 | static caddr_t | |
2586 | set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid) | |
2587 | vchar_t *vbuf; | |
2588 | struct ph1handle *iph1; | |
2589 | int nptype; | |
2590 | u_int8_t etype; | |
2591 | u_int8_t flags; | |
2592 | u_int32_t msgid; | |
2593 | { | |
2594 | struct isakmp *isakmp; | |
2595 | ||
2596 | if (vbuf->l < sizeof(*isakmp)) | |
2597 | return NULL; | |
2598 | ||
2599 | isakmp = (struct isakmp *)vbuf->v; | |
2600 | ||
2601 | memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t)); | |
2602 | memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t)); | |
2603 | isakmp->np = nptype; | |
2604 | isakmp->v = iph1->version; | |
2605 | isakmp->etype = etype; | |
2606 | isakmp->flags = flags; | |
2607 | isakmp->msgid = msgid; | |
2608 | isakmp->len = htonl(vbuf->l); | |
2609 | ||
2610 | return vbuf->v + sizeof(*isakmp); | |
2611 | } | |
2612 | ||
2613 | /* | |
2614 | * set values into allocated buffer of isakmp header for phase 1 | |
2615 | */ | |
2616 | caddr_t | |
2617 | set_isakmp_header1(vbuf, iph1, nptype) | |
2618 | vchar_t *vbuf; | |
2619 | struct ph1handle *iph1; | |
2620 | int nptype; | |
2621 | { | |
2622 | return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid); | |
2623 | } | |
2624 | ||
2625 | /* | |
2626 | * set values into allocated buffer of isakmp header for phase 2 | |
2627 | */ | |
2628 | caddr_t | |
2629 | set_isakmp_header2(vbuf, iph2, nptype) | |
2630 | vchar_t *vbuf; | |
2631 | struct ph2handle *iph2; | |
2632 | int nptype; | |
2633 | { | |
2634 | return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid); | |
2635 | } | |
2636 | ||
2637 | /* | |
2638 | * set values into allocated buffer of isakmp payload. | |
2639 | */ | |
2640 | caddr_t | |
2641 | set_isakmp_payload(buf, src, nptype) | |
2642 | caddr_t buf; | |
2643 | vchar_t *src; | |
2644 | int nptype; | |
2645 | { | |
2646 | struct isakmp_gen *gen; | |
2647 | caddr_t p = buf; | |
2648 | ||
2649 | plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n", | |
2650 | src->l, nptype); | |
2651 | ||
2652 | gen = (struct isakmp_gen *)p; | |
2653 | gen->np = nptype; | |
2654 | gen->len = htons(sizeof(*gen) + src->l); | |
2655 | p += sizeof(*gen); | |
2656 | memcpy(p, src->v, src->l); | |
2657 | p += src->l; | |
2658 | ||
2659 | return p; | |
2660 | } | |
2661 | ||
2662 | static int | |
2663 | etypesw1(etype) | |
2664 | int etype; | |
2665 | { | |
2666 | switch (etype) { | |
2667 | case ISAKMP_ETYPE_IDENT: | |
2668 | return 1; | |
2669 | case ISAKMP_ETYPE_AGG: | |
2670 | return 2; | |
2671 | case ISAKMP_ETYPE_BASE: | |
2672 | return 3; | |
2673 | default: | |
2674 | return 0; | |
2675 | } | |
2676 | /*NOTREACHED*/ | |
2677 | } | |
2678 | ||
2679 | static int | |
2680 | etypesw2(etype) | |
2681 | int etype; | |
2682 | { | |
2683 | switch (etype) { | |
2684 | case ISAKMP_ETYPE_QUICK: | |
2685 | return 1; | |
2686 | default: | |
2687 | return 0; | |
2688 | } | |
2689 | /*NOTREACHED*/ | |
2690 | } | |
2691 | ||
2692 | #ifdef HAVE_PRINT_ISAKMP_C | |
2693 | /* for print-isakmp.c */ | |
2694 | char *snapend; | |
2695 | extern void isakmp_print __P((const u_char *, u_int, const u_char *)); | |
2696 | ||
2697 | char *getname __P((const u_char *)); | |
2698 | #ifdef INET6 | |
2699 | char *getname6 __P((const u_char *)); | |
2700 | #endif | |
2701 | int safeputchar __P((int)); | |
2702 | ||
2703 | /* | |
2704 | * Return a name for the IP address pointed to by ap. This address | |
2705 | * is assumed to be in network byte order. | |
2706 | */ | |
2707 | char * | |
2708 | getname(ap) | |
2709 | const u_char *ap; | |
2710 | { | |
2711 | struct sockaddr_in addr; | |
2712 | static char ntop_buf[NI_MAXHOST]; | |
2713 | ||
2714 | memset(&addr, 0, sizeof(addr)); | |
2715 | #ifndef __linux__ | |
2716 | addr.sin_len = sizeof(struct sockaddr_in); | |
2717 | #endif | |
2718 | addr.sin_family = AF_INET; | |
2719 | memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr)); | |
2720 | if (getnameinfo((struct sockaddr *)&addr, sizeof(addr), | |
2721 | ntop_buf, sizeof(ntop_buf), NULL, 0, | |
2722 | NI_NUMERICHOST | niflags)) | |
2723 | strlcpy(ntop_buf, "?", sizeof(ntop_buf)); | |
2724 | ||
2725 | return ntop_buf; | |
2726 | } | |
2727 | ||
2728 | #ifdef INET6 | |
2729 | /* | |
2730 | * Return a name for the IP6 address pointed to by ap. This address | |
2731 | * is assumed to be in network byte order. | |
2732 | */ | |
2733 | char * | |
2734 | getname6(ap) | |
2735 | const u_char *ap; | |
2736 | { | |
2737 | struct sockaddr_in6 addr; | |
2738 | static char ntop_buf[NI_MAXHOST]; | |
2739 | ||
2740 | memset(&addr, 0, sizeof(addr)); | |
2741 | addr.sin6_len = sizeof(struct sockaddr_in6); | |
2742 | addr.sin6_family = AF_INET6; | |
2743 | memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr)); | |
2744 | if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len, | |
2745 | ntop_buf, sizeof(ntop_buf), NULL, 0, | |
2746 | NI_NUMERICHOST | niflags)) | |
2747 | strlcpy(ntop_buf, "?", sizeof(ntop_buf)); | |
2748 | ||
2749 | return ntop_buf; | |
2750 | } | |
2751 | #endif /* INET6 */ | |
2752 | ||
2753 | int | |
2754 | safeputchar(c) | |
2755 | int c; | |
2756 | { | |
2757 | unsigned char ch; | |
2758 | ||
2759 | ch = (unsigned char)(c & 0xff); | |
2760 | if (c < 0x80 && isprint(c)) | |
2761 | return printf("%c", c & 0xff); | |
2762 | else | |
2763 | return printf("\\%03o", c & 0xff); | |
2764 | } | |
2765 | ||
2766 | void | |
2767 | isakmp_printpacket(msg, from, my, decoded) | |
2768 | vchar_t *msg; | |
2769 | struct sockaddr *from; | |
2770 | struct sockaddr *my; | |
2771 | int decoded; | |
2772 | { | |
2773 | #ifdef YIPS_DEBUG | |
2774 | struct timeval tv; | |
2775 | int s; | |
2776 | char hostbuf[NI_MAXHOST]; | |
2777 | char portbuf[NI_MAXSERV]; | |
2778 | struct isakmp *isakmp; | |
2779 | vchar_t *buf; | |
2780 | #endif | |
2781 | ||
2782 | if (loglevel < LLV_DEBUG) | |
2783 | return; | |
2784 | ||
2785 | #ifdef YIPS_DEBUG | |
2786 | plog(LLV_DEBUG, LOCATION, NULL, "begin.\n"); | |
2787 | ||
2788 | gettimeofday(&tv, NULL); | |
2789 | s = tv.tv_sec % 3600; | |
2790 | printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec); | |
2791 | ||
2792 | if (from) { | |
2793 | if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf), | |
2794 | portbuf, sizeof(portbuf), | |
2795 | NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { | |
2796 | strlcpy(hostbuf, "?", sizeof(hostbuf)); | |
2797 | strlcpy(portbuf, "?", sizeof(portbuf)); | |
2798 | } | |
2799 | printf("%s:%s", hostbuf, portbuf); | |
2800 | } else | |
2801 | printf("?"); | |
2802 | printf(" -> "); | |
2803 | if (my) { | |
2804 | if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf), | |
2805 | portbuf, sizeof(portbuf), | |
2806 | NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { | |
2807 | strlcpy(hostbuf, "?", sizeof(hostbuf)); | |
2808 | strlcpy(portbuf, "?", sizeof(portbuf)); | |
2809 | } | |
2810 | printf("%s:%s", hostbuf, portbuf); | |
2811 | } else | |
2812 | printf("?"); | |
2813 | printf(": "); | |
2814 | ||
2815 | buf = vdup(msg); | |
2816 | if (!buf) { | |
2817 | printf("(malloc fail)\n"); | |
2818 | return; | |
2819 | } | |
2820 | if (decoded) { | |
2821 | isakmp = (struct isakmp *)buf->v; | |
2822 | if (isakmp->flags & ISAKMP_FLAG_E) { | |
2823 | #if 0 | |
2824 | int pad; | |
2825 | pad = *(u_char *)(buf->v + buf->l - 1); | |
2826 | if (buf->l < pad && 2 < vflag) | |
2827 | printf("(wrong padding)"); | |
2828 | #endif | |
2829 | isakmp->flags &= ~ISAKMP_FLAG_E; | |
2830 | } | |
2831 | } | |
2832 | ||
2833 | snapend = buf->v + buf->l; | |
2834 | isakmp_print(buf->v, buf->l, NULL); | |
2835 | vfree(buf); | |
2836 | printf("\n"); | |
2837 | fflush(stdout); | |
2838 | ||
2839 | return; | |
2840 | #endif | |
2841 | } | |
2842 | #endif /*HAVE_PRINT_ISAKMP_C*/ | |
2843 | ||
2844 | int | |
2845 | copy_ph1addresses(iph1, rmconf, remote, local) | |
2846 | struct ph1handle *iph1; | |
2847 | struct remoteconf *rmconf; | |
2848 | struct sockaddr *remote, *local; | |
2849 | { | |
2850 | u_short *port = NULL; | |
2851 | ||
2852 | /* address portion must be grabbed from real remote address "remote" */ | |
2853 | iph1->remote = dupsaddr(remote); | |
2854 | if (iph1->remote == NULL) { | |
2855 | delph1(iph1); | |
2856 | return -1; | |
2857 | } | |
2858 | ||
2859 | /* | |
2860 | * if remote has no port # (in case of initiator - from ACQUIRE msg) | |
2861 | * - if remote.conf specifies port #, use that | |
2862 | * - if remote.conf does not, use 500 | |
2863 | * if remote has port # (in case of responder - from recvfrom(2)) | |
2864 | * respect content of "remote". | |
2865 | */ | |
2866 | switch (iph1->remote->sa_family) { | |
2867 | case AF_INET: | |
2868 | port = &((struct sockaddr_in *)iph1->remote)->sin_port; | |
2869 | if (*port) | |
2870 | break; | |
2871 | *port = ((struct sockaddr_in *)rmconf->remote)->sin_port; | |
2872 | if (*port) | |
2873 | break; | |
2874 | *port = htons(PORT_ISAKMP); | |
2875 | break; | |
2876 | #ifdef INET6 | |
2877 | case AF_INET6: | |
2878 | port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port; | |
2879 | if (*port) | |
2880 | break; | |
2881 | *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port; | |
2882 | if (*port) | |
2883 | break; | |
2884 | *port = htons(PORT_ISAKMP); | |
2885 | break; | |
2886 | #endif | |
2887 | default: | |
2888 | plog(LLV_ERROR, LOCATION, NULL, | |
2889 | "invalid family: %d\n", iph1->remote->sa_family); | |
2890 | return -1; | |
2891 | } | |
2892 | ||
2893 | if (local == NULL) | |
2894 | iph1->local = getlocaladdr(iph1->remote); | |
2895 | else | |
2896 | iph1->local = dupsaddr(local); | |
2897 | if (iph1->local == NULL) { | |
2898 | delph1(iph1); | |
2899 | return -1; | |
2900 | } | |
2901 | port = NULL; | |
2902 | switch (iph1->local->sa_family) { | |
2903 | case AF_INET: | |
2904 | port = &((struct sockaddr_in *)iph1->local)->sin_port; | |
2905 | if (*port) | |
2906 | break; | |
2907 | *port = ((struct sockaddr_in *)local)->sin_port; | |
2908 | if (*port) | |
2909 | break; | |
2910 | *port = getmyaddrsport(iph1->local); | |
2911 | break; | |
2912 | #ifdef INET6 | |
2913 | case AF_INET6: | |
2914 | port = &((struct sockaddr_in6 *)iph1->local)->sin6_port; | |
2915 | if (*port) | |
2916 | break; | |
2917 | *port = ((struct sockaddr_in6 *)local)->sin6_port; | |
2918 | if (*port) | |
2919 | break; | |
2920 | *port = getmyaddrsport(iph1->local); | |
2921 | break; | |
2922 | #endif | |
2923 | default: | |
2924 | plog(LLV_ERROR, LOCATION, NULL, | |
2925 | "invalid family: %d\n", iph1->local->sa_family); | |
2926 | delph1(iph1); | |
2927 | return -1; | |
2928 | } | |
2929 | #ifdef ENABLE_NATT | |
2930 | if ( port != NULL && *port == htons(lcconf->port_isakmp_natt) ) { | |
2931 | plog (LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n"); | |
2932 | iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER; | |
2933 | } | |
2934 | #endif | |
2935 | ||
2936 | return 0; | |
2937 | } | |
2938 | ||
2939 | static int | |
2940 | nostate1(iph1, msg) | |
2941 | struct ph1handle *iph1; | |
2942 | vchar_t *msg; | |
2943 | { | |
2944 | plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n", | |
2945 | iph1->status); | |
2946 | return -1; | |
2947 | } | |
2948 | ||
2949 | static int | |
2950 | nostate2(iph2, msg) | |
2951 | struct ph2handle *iph2; | |
2952 | vchar_t *msg; | |
2953 | { | |
2954 | plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n", | |
2955 | iph2->status); | |
2956 | return -1; | |
2957 | } | |
2958 | ||
2959 | void | |
2960 | log_ph1established(iph1) | |
2961 | const struct ph1handle *iph1; | |
2962 | { | |
2963 | char *src, *dst; | |
2964 | ||
2965 | src = strdup(saddr2str(iph1->local)); | |
2966 | dst = strdup(saddr2str(iph1->remote)); | |
2967 | plog(LLV_INFO, LOCATION, NULL, | |
2968 | "ISAKMP-SA established %s-%s spi:%s\n", | |
2969 | src, dst, | |
2970 | isakmp_pindex(&iph1->index, 0)); | |
2971 | EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL); | |
2972 | racoon_free(src); | |
2973 | racoon_free(dst); | |
2974 | ||
2975 | return; | |
2976 | } | |
2977 | ||
2978 | struct payload_list * | |
2979 | isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_type) | |
2980 | { | |
2981 | if (! plist) { | |
2982 | plist = racoon_malloc (sizeof (struct payload_list)); | |
2983 | plist->prev = NULL; | |
2984 | } | |
2985 | else { | |
2986 | plist->next = racoon_malloc (sizeof (struct payload_list)); | |
2987 | plist->next->prev = plist; | |
2988 | plist = plist->next; | |
2989 | } | |
2990 | ||
2991 | plist->next = NULL; | |
2992 | plist->payload = payload; | |
2993 | plist->payload_type = payload_type; | |
2994 | ||
2995 | return plist; | |
2996 | } | |
2997 | ||
2998 | vchar_t * | |
2999 | isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1) | |
3000 | { | |
3001 | struct payload_list *ptr, *first; | |
3002 | size_t tlen = sizeof (struct isakmp), n = 0; | |
3003 | vchar_t *buf; | |
3004 | char *p; | |
3005 | ||
3006 | if (plist == NULL) { | |
3007 | plog(LLV_ERROR, LOCATION, NULL, | |
3008 | "in isakmp_plist_set_all: plist == NULL\n"); | |
3009 | return NULL; | |
3010 | } | |
3011 | ||
3012 | /* Seek to the first item. */ | |
3013 | ptr = *plist; | |
3014 | while (ptr->prev) | |
3015 | ptr = ptr->prev; | |
3016 | first = ptr; | |
3017 | ||
3018 | /* Compute the whole length. */ | |
3019 | while (ptr) { | |
3020 | tlen += ptr->payload->l + sizeof (struct isakmp_gen); | |
3021 | ptr = ptr->next; | |
3022 | } | |
3023 | ||
3024 | buf = vmalloc(tlen); | |
3025 | if (buf == NULL) { | |
3026 | plog(LLV_ERROR, LOCATION, NULL, | |
3027 | "failed to get buffer to send.\n"); | |
3028 | goto end; | |
3029 | } | |
3030 | ||
3031 | ptr = first; | |
3032 | ||
3033 | p = set_isakmp_header1(buf, iph1, ptr->payload_type); | |
3034 | if (p == NULL) | |
3035 | goto end; | |
3036 | ||
3037 | while (ptr) | |
3038 | { | |
3039 | p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE); | |
3040 | first = ptr; | |
3041 | ptr = ptr->next; | |
3042 | racoon_free (first); | |
3043 | /* ptr->prev = NULL; first = NULL; ... omitted. */ | |
3044 | n++; | |
3045 | } | |
3046 | ||
3047 | *plist = NULL; | |
3048 | ||
3049 | return buf; | |
3050 | end: | |
3051 | return NULL; | |
3052 | } | |
3053 | ||
3054 | #ifdef ENABLE_FRAG | |
3055 | int | |
3056 | frag_handler(iph1, msg, remote, local) | |
3057 | struct ph1handle *iph1; | |
3058 | vchar_t *msg; | |
3059 | struct sockaddr *remote; | |
3060 | struct sockaddr *local; | |
3061 | { | |
3062 | vchar_t *newmsg; | |
3063 | ||
3064 | if (isakmp_frag_extract(iph1, msg) == 1) { | |
3065 | if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) { | |
3066 | plog(LLV_ERROR, LOCATION, remote, | |
3067 | "Packet reassembly failed\n"); | |
3068 | return -1; | |
3069 | } | |
3070 | return isakmp_main(newmsg, remote, local); | |
3071 | } | |
3072 | ||
3073 | return 0; | |
3074 | } | |
3075 | #endif | |
3076 | ||
3077 | void | |
3078 | script_hook(iph1, script) | |
3079 | struct ph1handle *iph1; | |
3080 | int script; | |
3081 | { | |
3082 | #define IP_MAX 40 | |
3083 | #define PORT_MAX 6 | |
3084 | char addrstr[IP_MAX]; | |
3085 | char portstr[PORT_MAX]; | |
3086 | char **envp = NULL; | |
3087 | int envc = 1; | |
3088 | struct sockaddr_in *sin; | |
3089 | char **c; | |
3090 | ||
3091 | if (iph1->rmconf->script[script] == -1) | |
3092 | return; | |
3093 | ||
3094 | #ifdef ENABLE_HYBRID | |
3095 | (void)isakmp_cfg_setenv(iph1, &envp, &envc); | |
3096 | #endif | |
3097 | ||
3098 | /* local address */ | |
3099 | sin = (struct sockaddr_in *)iph1->local; | |
3100 | inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX); | |
3101 | snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port)); | |
3102 | ||
3103 | if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) { | |
3104 | plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n"); | |
3105 | goto out; | |
3106 | } | |
3107 | ||
3108 | if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) { | |
3109 | plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n"); | |
3110 | goto out; | |
3111 | } | |
3112 | ||
3113 | /* Peer address */ | |
3114 | sin = (struct sockaddr_in *)iph1->remote; | |
3115 | inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX); | |
3116 | snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port)); | |
3117 | ||
3118 | if (script_env_append(&envp, &envc, "REMOTE_ADDR", addrstr) != 0) { | |
3119 | plog(LLV_ERROR, LOCATION, NULL, "Cannot set REMOTE_ADDR\n"); | |
3120 | goto out; | |
3121 | } | |
3122 | ||
3123 | if (script_env_append(&envp, &envc, "REMOTE_PORT", portstr) != 0) { | |
3124 | plog(LLV_ERROR, LOCATION, NULL, "Cannot set REMOTEL_PORT\n"); | |
3125 | goto out; | |
3126 | } | |
3127 | ||
3128 | if (privsep_script_exec(iph1->rmconf->script[script], | |
3129 | script, envp) != 0) | |
3130 | plog(LLV_ERROR, LOCATION, NULL, | |
3131 | "Script %s execution failed\n", script_names[script]); | |
3132 | ||
3133 | out: | |
3134 | for (c = envp; *c; c++) | |
3135 | racoon_free(*c); | |
3136 | ||
3137 | racoon_free(envp); | |
3138 | ||
3139 | return; | |
3140 | } | |
3141 | ||
3142 | int | |
3143 | script_env_append(envp, envc, name, value) | |
3144 | char ***envp; | |
3145 | int *envc; | |
3146 | char *name; | |
3147 | char *value; | |
3148 | { | |
3149 | char *envitem; | |
3150 | char **newenvp; | |
3151 | int newenvc; | |
3152 | int envitemlen = strlen(name) + 1 + strlen(value) + 1; | |
3153 | ||
3154 | envitem = racoon_malloc(envitemlen); | |
3155 | if (envitem == NULL) { | |
3156 | plog(LLV_ERROR, LOCATION, NULL, | |
3157 | "Cannot allocate memory: %s\n", strerror(errno)); | |
3158 | return -1; | |
3159 | } | |
3160 | snprintf(envitem, envitemlen, "%s=%s", name, value); | |
3161 | ||
3162 | newenvc = (*envc) + 1; | |
3163 | newenvp = racoon_realloc(*envp, newenvc * sizeof(char *)); | |
3164 | if (newenvp == NULL) { | |
3165 | plog(LLV_ERROR, LOCATION, NULL, | |
3166 | "Cannot allocate memory: %s\n", strerror(errno)); | |
3167 | return -1; | |
3168 | } | |
3169 | ||
3170 | newenvp[newenvc - 2] = envitem; | |
3171 | newenvp[newenvc - 1] = NULL; | |
3172 | ||
3173 | *envp = newenvp; | |
3174 | *envc = newenvc; | |
3175 | return 0; | |
3176 | } | |
3177 | ||
3178 | int | |
3179 | script_exec(script, name, envp) | |
3180 | int script; | |
3181 | int name; | |
3182 | char *const envp[]; | |
3183 | { | |
3184 | char *argv[] = { NULL, NULL, NULL }; | |
3185 | vchar_t **sp; | |
3186 | ||
3187 | if (script_paths == NULL) { | |
3188 | plog(LLV_ERROR, LOCATION, NULL, | |
3189 | "privsep_script_exec: script_paths was not initialized\n"); | |
3190 | return -1; | |
3191 | } | |
3192 | ||
3193 | sp = (vchar_t **)(script_paths->v); | |
3194 | ||
3195 | argv[0] = sp[script]->v; | |
3196 | argv[1] = script_names[name]; | |
3197 | argv[2] = NULL; | |
3198 | ||
3199 | switch (fork()) { | |
3200 | case 0: | |
3201 | execve(argv[0], argv, envp); | |
3202 | plog(LLV_ERROR2, LOCATION, NULL, | |
3203 | "execve(\"%s\") failed: %s\n", | |
3204 | argv[0], strerror(errno)); | |
3205 | _exit(1); | |
3206 | break; | |
3207 | case -1: | |
3208 | plog(LLV_ERROR, LOCATION, NULL, | |
3209 | "Cannot fork: %s\n", strerror(errno)); | |
3210 | return -1; | |
3211 | break; | |
3212 | default: | |
3213 | break; | |
3214 | } | |
3215 | ||
3216 | return 0; | |
3217 | } | |
3218 | ||
3219 | void | |
3220 | purge_remote(iph1) | |
3221 | struct ph1handle *iph1; | |
3222 | { | |
3223 | vchar_t *buf = NULL; | |
3224 | struct sadb_msg *msg, *next, *end; | |
3225 | struct sadb_sa *sa; | |
3226 | struct sockaddr *src, *dst; | |
3227 | caddr_t mhp[SADB_EXT_MAX + 1]; | |
3228 | u_int proto_id; | |
3229 | struct ph2handle *iph2; | |
3230 | struct ph1handle *new_iph1; | |
3231 | ||
3232 | plog(LLV_INFO, LOCATION, NULL, | |
3233 | "purging ISAKMP-SA spi=%s.\n", | |
3234 | isakmp_pindex(&(iph1->index), iph1->msgid)); | |
3235 | ||
3236 | /* Mark as expired. */ | |
3237 | iph1->status = PHASE1ST_EXPIRED; | |
3238 | ||
3239 | /* Check if we have another, still valid, phase1 SA. */ | |
3240 | new_iph1 = getph1byaddr(iph1->local, iph1->remote); | |
3241 | ||
3242 | /* | |
3243 | * Delete all orphaned or binded to the deleting ph1handle phase2 SAs. | |
3244 | * Keep all others phase2 SAs. | |
3245 | */ | |
3246 | buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); | |
3247 | if (buf == NULL) { | |
3248 | plog(LLV_DEBUG, LOCATION, NULL, | |
3249 | "pfkey_dump_sadb returned nothing.\n"); | |
3250 | return; | |
3251 | } | |
3252 | ||
3253 | msg = (struct sadb_msg *)buf->v; | |
3254 | end = (struct sadb_msg *)(buf->v + buf->l); | |
3255 | ||
3256 | while (msg < end) { | |
3257 | if ((msg->sadb_msg_len << 3) < sizeof(*msg)) | |
3258 | break; | |
3259 | next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); | |
3260 | if (msg->sadb_msg_type != SADB_DUMP) { | |
3261 | msg = next; | |
3262 | continue; | |
3263 | } | |
3264 | ||
3265 | if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { | |
3266 | plog(LLV_ERROR, LOCATION, NULL, | |
3267 | "pfkey_check (%s)\n", ipsec_strerror()); | |
3268 | msg = next; | |
3269 | continue; | |
3270 | } | |
3271 | ||
3272 | sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]); | |
3273 | if (!sa || | |
3274 | !mhp[SADB_EXT_ADDRESS_SRC] || | |
3275 | !mhp[SADB_EXT_ADDRESS_DST]) { | |
3276 | msg = next; | |
3277 | continue; | |
3278 | } | |
3279 | src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); | |
3280 | dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); | |
3281 | ||
3282 | if (sa->sadb_sa_state != SADB_SASTATE_LARVAL && | |
3283 | sa->sadb_sa_state != SADB_SASTATE_MATURE && | |
3284 | sa->sadb_sa_state != SADB_SASTATE_DYING) { | |
3285 | msg = next; | |
3286 | continue; | |
3287 | } | |
3288 | ||
3289 | /* check in/outbound SAs */ | |
3290 | if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) && | |
3291 | (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) { | |
3292 | msg = next; | |
3293 | continue; | |
3294 | } | |
3295 | ||
3296 | proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); | |
3297 | iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); | |
3298 | ||
3299 | /* Check if there is another valid ISAKMP-SA */ | |
3300 | if (new_iph1 != NULL) { | |
3301 | ||
3302 | if (iph2 == NULL) { | |
3303 | /* No handler... still send a pfkey_delete message, but log this !*/ | |
3304 | plog(LLV_INFO, LOCATION, NULL, | |
3305 | "Unknown IPsec-SA spi=%u, hmmmm?\n", | |
3306 | ntohl(sa->sadb_sa_spi)); | |
3307 | }else{ | |
3308 | ||
3309 | /* | |
3310 | * If we have a new ph1, do not purge IPsec-SAs binded | |
3311 | * to a different ISAKMP-SA | |
3312 | */ | |
3313 | if (iph2->ph1 != NULL && iph2->ph1 != iph1){ | |
3314 | msg = next; | |
3315 | continue; | |
3316 | } | |
3317 | ||
3318 | /* If the ph2handle is established, do not purge IPsec-SA */ | |
3319 | if (iph2->status == PHASE2ST_ESTABLISHED || | |
3320 | iph2->status == PHASE2ST_EXPIRED) { | |
3321 | ||
3322 | plog(LLV_INFO, LOCATION, NULL, | |
3323 | "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n", | |
3324 | ntohl(sa->sadb_sa_spi), | |
3325 | isakmp_pindex(&(new_iph1->index), new_iph1->msgid)); | |
3326 | msg = next; | |
3327 | continue; | |
3328 | } | |
3329 | } | |
3330 | } | |
3331 | ||
3332 | ||
3333 | pfkey_send_delete(lcconf->sock_pfkey, | |
3334 | msg->sadb_msg_satype, | |
3335 | IPSEC_MODE_ANY, | |
3336 | src, dst, sa->sadb_sa_spi); | |
3337 | ||
3338 | /* delete a relative phase 2 handle. */ | |
3339 | if (iph2 != NULL) { | |
3340 | delete_spd(iph2); | |
3341 | unbindph12(iph2); | |
3342 | remph2(iph2); | |
3343 | delph2(iph2); | |
3344 | } | |
3345 | ||
3346 | plog(LLV_INFO, LOCATION, NULL, | |
3347 | "purged IPsec-SA spi=%u.\n", | |
3348 | ntohl(sa->sadb_sa_spi)); | |
3349 | ||
3350 | msg = next; | |
3351 | } | |
3352 | ||
3353 | if (buf) | |
3354 | vfree(buf); | |
3355 | ||
3356 | /* Mark the phase1 handler as EXPIRED */ | |
3357 | plog(LLV_INFO, LOCATION, NULL, | |
3358 | "purged ISAKMP-SA spi=%s.\n", | |
3359 | isakmp_pindex(&(iph1->index), iph1->msgid)); | |
3360 | ||
3361 | if (iph1->sce) | |
3362 | SCHED_KILL(iph1->sce); | |
3363 | ||
3364 | iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); | |
3365 | } | |
3366 | ||
3367 | void | |
3368 | delete_spd(iph2) | |
3369 | struct ph2handle *iph2; | |
3370 | { | |
3371 | if (iph2 == NULL) | |
3372 | return; | |
3373 | ||
3374 | /* Delete the SPD entry if we generated it | |
3375 | */ | |
3376 | if (iph2->generated_spidx) { | |
3377 | struct policyindex spidx; | |
3378 | struct sockaddr_storage addr; | |
3379 | u_int8_t pref; | |
3380 | struct sockaddr *src = iph2->src; | |
3381 | struct sockaddr *dst = iph2->dst; | |
3382 | int error; | |
3383 | int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */ | |
3384 | ||
3385 | plog(LLV_INFO, LOCATION, NULL, | |
3386 | "generated policy, deleting it.\n"); | |
3387 | ||
3388 | memset(&spidx, 0, sizeof(spidx)); | |
3389 | iph2->spidx_gen = (caddr_t )&spidx; | |
3390 | ||
3391 | /* make inbound policy */ | |
3392 | iph2->src = dst; | |
3393 | iph2->dst = src; | |
3394 | spidx.dir = IPSEC_DIR_INBOUND; | |
3395 | spidx.ul_proto = 0; | |
3396 | ||
3397 | /* | |
3398 | * Note: code from get_proposal_r | |
3399 | */ | |
3400 | ||
3401 | #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type | |
3402 | ||
3403 | /* | |
3404 | * make destination address in spidx from either ID payload | |
3405 | * or phase 1 address into a address in spidx. | |
3406 | */ | |
3407 | if (iph2->id != NULL | |
3408 | && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR | |
3409 | || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR | |
3410 | || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET | |
3411 | || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { | |
3412 | /* get a destination address of a policy */ | |
3413 | error = ipsecdoi_id2sockaddr(iph2->id, | |
3414 | (struct sockaddr *)&spidx.dst, | |
3415 | &spidx.prefd, &spidx.ul_proto); | |
3416 | if (error) | |
3417 | goto purge; | |
3418 | ||
3419 | #ifdef INET6 | |
3420 | /* | |
3421 | * get scopeid from the SA address. | |
3422 | * note that the phase 1 source address is used as | |
3423 | * a destination address to search for a inbound | |
3424 | * policy entry because rcoon is responder. | |
3425 | */ | |
3426 | if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { | |
3427 | if ((error = | |
3428 | setscopeid((struct sockaddr *)&spidx.dst, | |
3429 | iph2->src)) != 0) | |
3430 | goto purge; | |
3431 | } | |
3432 | #endif | |
3433 | ||
3434 | if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR | |
3435 | || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) | |
3436 | idi2type = _XIDT(iph2->id); | |
3437 | ||
3438 | } else { | |
3439 | ||
3440 | plog(LLV_DEBUG, LOCATION, NULL, | |
3441 | "get a destination address of SP index " | |
3442 | "from phase1 address " | |
3443 | "due to no ID payloads found " | |
3444 | "OR because ID type is not address.\n"); | |
3445 | ||
3446 | /* | |
3447 | * copy the SOURCE address of IKE into the | |
3448 | * DESTINATION address of the key to search the | |
3449 | * SPD because the direction of policy is inbound. | |
3450 | */ | |
3451 | memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); | |
3452 | switch (spidx.dst.ss_family) { | |
3453 | case AF_INET: | |
3454 | spidx.prefd = | |
3455 | sizeof(struct in_addr) << 3; | |
3456 | break; | |
3457 | #ifdef INET6 | |
3458 | case AF_INET6: | |
3459 | spidx.prefd = | |
3460 | sizeof(struct in6_addr) << 3; | |
3461 | break; | |
3462 | #endif | |
3463 | default: | |
3464 | spidx.prefd = 0; | |
3465 | break; | |
3466 | } | |
3467 | } | |
3468 | ||
3469 | /* make source address in spidx */ | |
3470 | if (iph2->id_p != NULL | |
3471 | && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR | |
3472 | || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR | |
3473 | || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET | |
3474 | || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { | |
3475 | /* get a source address of inbound SA */ | |
3476 | error = ipsecdoi_id2sockaddr(iph2->id_p, | |
3477 | (struct sockaddr *)&spidx.src, | |
3478 | &spidx.prefs, &spidx.ul_proto); | |
3479 | if (error) | |
3480 | goto purge; | |
3481 | ||
3482 | #ifdef INET6 | |
3483 | /* | |
3484 | * get scopeid from the SA address. | |
3485 | * for more detail, see above of this function. | |
3486 | */ | |
3487 | if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { | |
3488 | error = | |
3489 | setscopeid((struct sockaddr *)&spidx.src, | |
3490 | iph2->dst); | |
3491 | if (error) | |
3492 | goto purge; | |
3493 | } | |
3494 | #endif | |
3495 | ||
3496 | /* make id[src,dst] if both ID types are IP address and same */ | |
3497 | if (_XIDT(iph2->id_p) == idi2type | |
3498 | && spidx.dst.ss_family == spidx.src.ss_family) { | |
3499 | iph2->src_id = | |
3500 | dupsaddr((struct sockaddr *)&spidx.dst); | |
3501 | iph2->dst_id = | |
3502 | dupsaddr((struct sockaddr *)&spidx.src); | |
3503 | } | |
3504 | ||
3505 | } else { | |
3506 | plog(LLV_DEBUG, LOCATION, NULL, | |
3507 | "get a source address of SP index " | |
3508 | "from phase1 address " | |
3509 | "due to no ID payloads found " | |
3510 | "OR because ID type is not address.\n"); | |
3511 | ||
3512 | /* see above comment. */ | |
3513 | memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); | |
3514 | switch (spidx.src.ss_family) { | |
3515 | case AF_INET: | |
3516 | spidx.prefs = | |
3517 | sizeof(struct in_addr) << 3; | |
3518 | break; | |
3519 | #ifdef INET6 | |
3520 | case AF_INET6: | |
3521 | spidx.prefs = | |
3522 | sizeof(struct in6_addr) << 3; | |
3523 | break; | |
3524 | #endif | |
3525 | default: | |
3526 | spidx.prefs = 0; | |
3527 | break; | |
3528 | } | |
3529 | } | |
3530 | ||
3531 | #undef _XIDT | |
3532 | ||
3533 | plog(LLV_DEBUG, LOCATION, NULL, | |
3534 | "get a src address from ID payload " | |
3535 | "%s prefixlen=%u ul_proto=%u\n", | |
3536 | saddr2str((struct sockaddr *)&spidx.src), | |
3537 | spidx.prefs, spidx.ul_proto); | |
3538 | plog(LLV_DEBUG, LOCATION, NULL, | |
3539 | "get dst address from ID payload " | |
3540 | "%s prefixlen=%u ul_proto=%u\n", | |
3541 | saddr2str((struct sockaddr *)&spidx.dst), | |
3542 | spidx.prefd, spidx.ul_proto); | |
3543 | ||
3544 | /* | |
3545 | * convert the ul_proto if it is 0 | |
3546 | * because 0 in ID payload means a wild card. | |
3547 | */ | |
3548 | if (spidx.ul_proto == 0) | |
3549 | spidx.ul_proto = IPSEC_ULPROTO_ANY; | |
3550 | ||
3551 | #undef _XIDT | |
3552 | ||
3553 | /* End of code from get_proposal_r | |
3554 | */ | |
3555 | ||
3556 | if (pk_sendspddelete(iph2) < 0) { | |
3557 | plog(LLV_ERROR, LOCATION, NULL, | |
3558 | "pfkey spddelete(inbound) failed.\n"); | |
3559 | }else{ | |
3560 | plog(LLV_DEBUG, LOCATION, NULL, | |
3561 | "pfkey spddelete(inbound) sent.\n"); | |
3562 | } | |
3563 | ||
3564 | #ifdef HAVE_POLICY_FWD | |
3565 | /* make forward policy if required */ | |
3566 | if (tunnel_mode_prop(iph2->approval)) { | |
3567 | spidx.dir = IPSEC_DIR_FWD; | |
3568 | if (pk_sendspddelete(iph2) < 0) { | |
3569 | plog(LLV_ERROR, LOCATION, NULL, | |
3570 | "pfkey spddelete(forward) failed.\n"); | |
3571 | }else{ | |
3572 | plog(LLV_DEBUG, LOCATION, NULL, | |
3573 | "pfkey spddelete(forward) sent.\n"); | |
3574 | } | |
3575 | } | |
3576 | #endif | |
3577 | ||
3578 | /* make outbound policy */ | |
3579 | iph2->src = src; | |
3580 | iph2->dst = dst; | |
3581 | spidx.dir = IPSEC_DIR_OUTBOUND; | |
3582 | addr = spidx.src; | |
3583 | spidx.src = spidx.dst; | |
3584 | spidx.dst = addr; | |
3585 | pref = spidx.prefs; | |
3586 | spidx.prefs = spidx.prefd; | |
3587 | spidx.prefd = pref; | |
3588 | ||
3589 | if (pk_sendspddelete(iph2) < 0) { | |
3590 | plog(LLV_ERROR, LOCATION, NULL, | |
3591 | "pfkey spddelete(outbound) failed.\n"); | |
3592 | }else{ | |
3593 | plog(LLV_DEBUG, LOCATION, NULL, | |
3594 | "pfkey spddelete(outbound) sent.\n"); | |
3595 | } | |
3596 | purge: | |
3597 | iph2->spidx_gen=NULL; | |
3598 | } | |
3599 | } | |
3600 | ||
3601 | #ifdef INET6 | |
3602 | u_int32_t | |
3603 | setscopeid(sp_addr0, sa_addr0) | |
3604 | struct sockaddr *sp_addr0, *sa_addr0; | |
3605 | { | |
3606 | struct sockaddr_in6 *sp_addr, *sa_addr; | |
3607 | ||
3608 | sp_addr = (struct sockaddr_in6 *)sp_addr0; | |
3609 | sa_addr = (struct sockaddr_in6 *)sa_addr0; | |
3610 | ||
3611 | if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr) | |
3612 | && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr) | |
3613 | && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr)) | |
3614 | return 0; | |
3615 | ||
3616 | /* this check should not be here ? */ | |
3617 | if (sa_addr->sin6_family != AF_INET6) { | |
3618 | plog(LLV_ERROR, LOCATION, NULL, | |
3619 | "can't get scope ID: family mismatch\n"); | |
3620 | return -1; | |
3621 | } | |
3622 | ||
3623 | if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) { | |
3624 | plog(LLV_ERROR, LOCATION, NULL, | |
3625 | "scope ID is not supported except of lladdr.\n"); | |
3626 | return -1; | |
3627 | } | |
3628 | ||
3629 | sp_addr->sin6_scope_id = sa_addr->sin6_scope_id; | |
3630 | ||
3631 | return 0; | |
3632 | } | |
3633 | #endif |