1 /* $NetBSD: isakmp_quick.c,v 1.11.4.1 2007/08/01 11:52:21 vanhu Exp $ */
2
3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39
40 #include <netinet/in.h>
41
42 #include <stdlib.h>
43 #include <stdio.h>
44 #include <string.h>
45 #include <errno.h>
46 #if TIME_WITH_SYS_TIME
47 # include <sys/time.h>
48 # include <time.h>
49 #else
50 # if HAVE_SYS_TIME_H
51 # include <sys/time.h>
52 # else
53 # include <time.h>
54 # endif
55 #endif
56 #ifdef ENABLE_HYBRID
57 #include <resolv.h>
58 #endif
59
60 #ifndef HAVE_NETINET6_IPSEC
61 #include <netinet/ipsec.h>
62 #else
63 #include <netinet6/ipsec.h>
64 #endif
65
66 #include "var.h"
67 #include "vmbuf.h"
68 #include "schedule.h"
69 #include "misc.h"
70 #include "plog.h"
71 #include "debug.h"
72
73 #include "localconf.h"
74 #include "remoteconf.h"
75 #include "handler.h"
76 #include "policy.h"
77 #include "proposal.h"
78 #include "isakmp_var.h"
79 #include "isakmp.h"
80 #include "isakmp_inf.h"
81 #include "isakmp_quick.h"
82 #include "oakley.h"
83 #include "ipsec_doi.h"
84 #include "crypto_openssl.h"
85 #include "pfkey.h"
86 #include "policy.h"
87 #include "algorithm.h"
88 #include "sockmisc.h"
89 #include "proposal.h"
90 #include "sainfo.h"
91 #include "admin.h"
92 #include "strnames.h"
93 #include "nattraversal.h"
94 #include "ipsecSessionTracer.h"
95 #include "ipsecMessageTracer.h"
96
/* quick mode */
/*
 * Forward declarations for the file-local helpers used by the Quick Mode
 * handlers below; their definitions are further down in this file.
 */
static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
static int get_sainfo_r __P((struct ph2handle *));
static int get_proposal_r __P((struct ph2handle *, int));
101
102 /* \f%%%
103 * Quick Mode
104 */
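/*
 * begin Quick Mode as initiator. send pfkey getspi message to kernel.
 *
 * Allocates a fresh message ID and phase-2 IV for the handle, then asks
 * the kernel for an SPI; the reply (or its timeout) drives the next step.
 *
 * iph2: phase-2 handle, must be in PHASE2ST_STATUS2.
 * msg:  must be NULL; there is no incoming message for this step.
 *
 * Returns 0 on success (handle moved to PHASE2ST_GETSPISENT, getspi sent
 * and the wait_ph2complete timer armed unless f_local is set), or
 * ISAKMP_INTERNAL_ERROR on any failure.
 */
int
quick_i1prep(iph2, msg)
	struct ph2handle *iph2;
	vchar_t *msg;		/* must be null pointer */
{
	int error = ISAKMP_INTERNAL_ERROR;

	/* validity check (same contract as quick_i1send) */
	if (msg != NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"msg has to be NULL in this function.\n");
		goto end;
	}
	if (iph2->status != PHASE2ST_STATUS2) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	iph2->msgid = isakmp_newmsgid2(iph2->ph1);
	if (iph2->ivm != NULL)
		oakley_delivm(iph2->ivm);
	iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
	if (iph2->ivm == NULL) {
		/*
		 * This used to "return 0", reporting success to the caller
		 * while leaving the handle in PHASE2ST_STATUS2 with no getspi
		 * sent and no timer armed.  Report the failure instead so the
		 * caller can tear the handle down.
		 */
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate IV for phase 2.\n");
		goto end;
	}

	iph2->status = PHASE2ST_GETSPISENT;

	/* don't anything if local test mode. */
	if (f_local) {
		error = 0;
		goto end;
	}

	/* send getspi message */
	if (pk_sendgetspi(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send getspi message");
		goto end;
	}

	plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");

	/* give up on the SPI reply after wait_ph2complete */
	iph2->sce = sched_new(lcconf->wait_ph2complete,
		pfkey_timeover_stub, iph2);

	error = 0;

end:
	return error;
}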
154
/*
 * send to responder
 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
 *
 * Builds Quick Mode message 1 as initiator: our SA proposal, a fresh
 * nonce, a DH public value when the proposal requires PFS, the client
 * IDs unless they may be omitted (see the comment in the body), and
 * NAT-OA payloads when NAT was detected and transport mode is proposed.
 * HASH(1) is computed over the assembled payload body and the final
 * packet is produced by quick_ir1mx() and sent with retransmission.
 *
 * iph2: phase-2 handle, must be in PHASE2ST_GETSPIDONE.
 * msg:  must be NULL; there is no incoming message for this step.
 *
 * Returns 0 and moves the handle to PHASE2ST_MSG1SENT on success,
 * ISAKMP_INTERNAL_ERROR otherwise.
 */
int
quick_i1send(iph2, msg)
	struct ph2handle *iph2;
	vchar_t *msg;		/* must be null pointer */
{
	vchar_t *body = NULL;
	vchar_t *hash = NULL;
#ifdef ENABLE_NATT
	vchar_t *natoa_i = NULL;
	vchar_t *natoa_r = NULL;
#endif /* ENABLE_NATT */
	int natoa_type = 0;	/* next-payload type of the NAT-OA payloads, 0 if none */
	struct isakmp_gen *gen;	/* only used for sizeof(*gen) */
	char *p;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;
	int pfsgroup, idci, idcr;
	int np;
	struct ipsecdoi_id_b *id, *id_p;

	/* validity check */
	if (msg != NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"msg has to be NULL in this function.\n");
		goto end;
	}
	if (iph2->status != PHASE2ST_GETSPIDONE) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* create SA payload for my proposal */
	if (ipsecdoi_setph2proposal(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to set proposal");
		goto end;
	}

	/* generate NONCE value (size from the remote configuration) */
	iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
	if (iph2->nonce == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate NONCE");
		goto end;
	}

	/*
	 * DH value calculation is kicked out into cfparse.y.
	 * because pfs group can not be negotiated, it's only to be checked
	 * acceptable.
	 */
	/* generate KE value if need */
	pfsgroup = iph2->proposal->pfs_group;
	if (pfsgroup) {
		/* DH group setting if PFS is required. */
		if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to set DH value.\n");
			goto end;
		}
		/* fresh ephemeral key pair for this exchange */
		if (oakley_dh_generate(iph2->pfsgrp,
				&iph2->dhpub, &iph2->dhpriv) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to generate DH");
			goto end;
		}
	}

	/* generate ID value (fills iph2->id and iph2->id_p) */
	if (ipsecdoi_setid2(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get ID.\n");
		goto end;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n");
	plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
	plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n");
	plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);

	/*
	 * we do not attach IDci nor IDcr, under the following condition:
	 * - all proposals are transport mode
	 * - no MIP6 or proxy
	 * - id payload suggests to encrypt all the traffic (no specific
	 *   protocol type)
	 */
	id = (struct ipsecdoi_id_b *)iph2->id->v;
	id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
	if (id->proto_id == 0
	 && id_p->proto_id == 0
	 && iph2->ph1->rmconf->support_proxy == 0
	 && ipsecdoi_transportmode(iph2->proposal)) {
		idci = idcr = 0;
	} else
		idci = idcr = 1;

	/* create SA;NONCE payload, and KE if need, and IDii, IDir. */
	/* size the body first: each payload is a generic header plus data */
	tlen = + sizeof(*gen) + iph2->sa->l
		+ sizeof(*gen) + iph2->nonce->l;
	if (pfsgroup)
		tlen += (sizeof(*gen) + iph2->dhpub->l);
	if (idci)
		tlen += sizeof(*gen) + iph2->id->l;
	if (idcr)
		tlen += sizeof(*gen) + iph2->id_p->l;

#ifdef ENABLE_NATT
	/*
	 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport
	 * we should send NAT-OA
	 */
	if (ipsecdoi_any_transportmode(iph2->proposal)
		&& (iph2->ph1->natt_flags & NAT_DETECTED)) {
		/* natoa_type doubles as the next-payload type to chain them with */
		natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
		if (natoa_type == -1) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to generate NAT-OA payload.\n");
			goto end;
		} else if (natoa_type != 0) {
			tlen += sizeof(*gen) + natoa_i->l;
			tlen += sizeof(*gen) + natoa_r->l;

			plog(LLV_DEBUG, LOCATION, NULL, "initiator send NAT-OAi:\n");
			plogdump(LLV_DEBUG, natoa_i->v, natoa_i->l);
			plog(LLV_DEBUG, LOCATION, NULL, "initiator send NAT-OAr:\n");
			plogdump(LLV_DEBUG, natoa_r->v, natoa_r->l);
		}
	}
#endif

	body = vmalloc(tlen);
	if (body == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get buffer to send.\n");
		goto end;
	}

	p = body->v;

	/*
	 * Each set_isakmp_payload() call below is given the type of the
	 * payload that will FOLLOW it, so the next-payload chain is decided
	 * by which optional payloads are present.
	 */

	/* add SA payload */
	p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);

	/* add NONCE payload */
	if (pfsgroup)
		np = ISAKMP_NPTYPE_KE;
	else if (idci || idcr)
		np = ISAKMP_NPTYPE_ID;
	else
		np = (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
	p = set_isakmp_payload(p, iph2->nonce, np);

	/* add KE payload if need. */
	np = (idci || idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
	if (pfsgroup)
		p = set_isakmp_payload(p, iph2->dhpub, np);

	/* IDci */
	np = (idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
	if (idci)
		p = set_isakmp_payload(p, iph2->id, np);

	/* IDcr */
	if (idcr)
		p = set_isakmp_payload(p, iph2->id_p, natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);

	/* natoa (always the last two payloads) */
	if (natoa_type) {
		p = set_isakmp_payload(p, natoa_i, natoa_type);
		p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
	}

	/* generate HASH(1) over the whole payload body */
	hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
	if (hash == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to compute HASH");
		goto end;
	}

	/* send isakmp payload (quick_ir1mx assembles the final packet) */
	iph2->sendbuf = quick_ir1mx(iph2, body, hash);
	if (iph2->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get send buffer");
		goto end;
	}

	/* send the packet, add to the schedule to resend */
	iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
	if (isakmp_ph2resend(iph2) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send packet");
		goto end;
	}

	/* change status of isakmp status entry */
	iph2->status = PHASE2ST_MSG1SENT;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph2->parent_session,
							IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
							CONSTSTR("Initiator, Quick-Mode message 1"),
							CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
								IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
								CONSTSTR("Initiator, Quick-Mode Message 1"),
								CONSTSTR("Failed to transmit Quick-Mode Message 1"));
	}
	/* body/hash are only inputs to quick_ir1mx; sendbuf stays on iph2 */
	if (body != NULL)
		vfree(body);
	if (hash != NULL)
		vfree(hash);
#ifdef ENABLE_NATT
	if (natoa_i)
		vfree(natoa_i);
	if (natoa_r)
		vfree(natoa_r);
#endif /* ENABLE_NATT */

	return error;
}
385
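/*
 * receive from responder
 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
 *
 * Decrypts Quick Mode message 2, collects the responder's SA, nonce, KE,
 * ID and NAT-OA payloads, rebuilds the HASH(2) input as
 * Ni_b | <every payload after HASH, in wire order>, verifies HASH(2)
 * against it and checks the returned SA against our proposal.
 *
 * iph2: phase-2 handle, must be in PHASE2ST_MSG1SENT.
 * msg0: the raw, still encrypted, ISAKMP message.
 *
 * Returns 0 and moves the handle to PHASE2ST_STATUS6 on success.
 * Returns ISAKMP_INTERNAL_ERROR for local failures and malformed input,
 * or an ISAKMP notify type (INVALID_HASH_INFORMATION, NO_PROPOSAL_CHOSEN,
 * ATTRIBUTES_NOT_SUPPORTED) when the peer's message is rejected.  On
 * error the peer-supplied payload copies and the ID buffers are dropped.
 */
int
quick_i2recv(iph2, msg0)
	struct ph2handle *iph2;
	vchar_t *msg0;
{
	vchar_t *msg = NULL;
	vchar_t *hbuf = NULL;	/* for hash computing. */
	vchar_t *pbuf = NULL;	/* for payload parsing */
	struct isakmp_parse_t *pa;
	struct isakmp *isakmp = (struct isakmp *)msg0->v;
	struct isakmp_pl_hash *hash = NULL;
	int f_id;
	char *p;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;
	struct sockaddr *natoa_i = NULL;
	struct sockaddr *natoa_r = NULL;

	/* validity check */
	if (iph2->status != PHASE2ST_MSG1SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* decrypt packet */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"Packet wasn't encrypted.\n");
		goto end;
	}
	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to decrypt");
		goto end;
	}

	/* create buffer for validating HASH(2) */
	/*
	 * ordering rule:
	 *  1. the first one must be HASH
	 *  2. the second one must be SA (added in isakmp-oakley-05!)
	 *  3. two IDs must be considered as IDci, then IDcr
	 */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to parse msg");
		goto end;
	}
	pa = (struct isakmp_parse_t *)pbuf->v;

	/* HASH payload is fixed postion */
	if (pa->type != ISAKMP_NPTYPE_HASH) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_HASH);
		goto end;
	}
	hash = (struct isakmp_pl_hash *)pa->ptr;
	pa++;

	/*
	 * this restriction was introduced in isakmp-oakley-05.
	 * we do not check this for backward compatibility.
	 * TODO: command line/config file option to enable/disable this code
	 */
	/* SA payload is expected right after HASH; only warn when it is not. */
	if (pa->type != ISAKMP_NPTYPE_SA) {
		/* the log used to name NPTYPE_HASH as the expected type */
		plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_SA);
	}

	/* allocate buffer for computing HASH(2): Ni_b plus all payloads */
	tlen = iph2->nonce->l
		+ ntohl(isakmp->len) - sizeof(*isakmp);
	hbuf = vmalloc(tlen);
	if (hbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get hash buffer.\n");
		goto end;
	}
	p = hbuf->v + iph2->nonce->l;	/* retain the space for Ni_b */

	/*
	 * parse the payloads.
	 * copy non-HASH payloads into hbuf, so that we can validate HASH.
	 */
	iph2->sa_ret = NULL;
	f_id = 0;	/* flag to use checking ID */
	tlen = 0;	/* count payload length except of HASH payload. */
	for (; pa->type; pa++) {

		/* copy to buffer for HASH */
		/* Don't modify the payload */
		memcpy(p, pa->ptr, pa->len);

		switch (pa->type) {
		case ISAKMP_NPTYPE_SA:
			if (iph2->sa_ret != NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
					"Ignored, multiple SA "
					"isn't supported.\n");
				break;
			}
			if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process SA payload");
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process NONCE payload");
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_KE:
			if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process KE payload");
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_ID:
		{
			vchar_t *vp;
			struct ipsecdoi_id_b *id_ptr;
			struct ipsecdoi_pl_id *idp_ptr;

			/* check ID value: first ID is IDci, any later one is IDcr */
			if (f_id == 0) {
				/* for IDci */
				vp = iph2->id;
			} else {
				/* for IDcr */
				vp = iph2->id_p;
			}

			/*
			 * pa->len is peer supplied.  It must cover the generic
			 * header and the fixed ID header before the type,
			 * proto_id and port fields below are read from it.
			 */
			if (pa->len < sizeof(struct ipsecdoi_pl_id)) {
				plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
					"invalid ID payload length %d.\n",
					pa->len);
				goto end;
			}

			id_ptr = (struct ipsecdoi_id_b *)vp->v;
			idp_ptr = (struct ipsecdoi_pl_id *)pa->ptr;

			/* These ids may not match when natt is used with some devices.
			 * RFC 2407 says that the protocol and port fields should be ignored
			 * if they are zero, therefore they need to be checked individually.
			 *
			 * The identification data is compared with our own ID's
			 * length, so the received payload must carry exactly that
			 * much data; otherwise memcmp would read past it.
			 */
			if ((size_t)pa->len - sizeof(struct isakmp_gen) != vp->l
			 || id_ptr->type != idp_ptr->b.type
			 || (idp_ptr->b.proto_id != 0 && idp_ptr->b.proto_id != id_ptr->proto_id)
			 || (idp_ptr->b.port != 0 && idp_ptr->b.port != id_ptr->port)
			 || memcmp(vp->v + sizeof(struct ipsecdoi_id_b), (caddr_t)pa->ptr + sizeof(struct ipsecdoi_pl_id),
					vp->l - sizeof(struct ipsecdoi_id_b))) {
				// to support servers that use our external nat address as our ID
				if (iph2->ph1->natt_flags & NAT_DETECTED) {
					plog(LLV_WARNING, LOCATION, NULL,
						 "mismatched ID was returned - ignored because nat traversal is being used.\n");
					/* If I'm behind a nat and the ID is type address - save the address
					 * and port for when the peer rekeys.
					 * The copies below use the received payload's own length.
					 */
					if (f_id == 0 && (iph2->ph1->natt_flags & NAT_DETECTED_ME)) {
						if (lcconf->ext_nat_id)
							vfree(lcconf->ext_nat_id);
						lcconf->ext_nat_id = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
						if (lcconf->ext_nat_id == NULL) {
							plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating external nat id.\n");
							goto end;
						}
						memcpy(lcconf->ext_nat_id->v, &(idp_ptr->b), lcconf->ext_nat_id->l);
						if (iph2->ext_nat_id)
							vfree(iph2->ext_nat_id);
						iph2->ext_nat_id = vdup(lcconf->ext_nat_id);
						if (iph2->ext_nat_id == NULL) {
							plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating ph2's external nat id.\n");
							goto end;
						}
						plog(LLV_DEBUG, LOCATION, NULL, "external nat address saved.\n");
					} else if (f_id && (iph2->ph1->natt_flags & NAT_DETECTED_PEER)) {
						if (iph2->ext_nat_id_p)
							vfree(iph2->ext_nat_id_p);
						iph2->ext_nat_id_p = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
						if (iph2->ext_nat_id_p == NULL) {
							plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating peers ph2's external nat id.\n");
							goto end;
						}
						memcpy(iph2->ext_nat_id_p->v, &(idp_ptr->b), iph2->ext_nat_id_p->l);
						plog(LLV_DEBUG, LOCATION, NULL, "peer's external nat address saved.\n");
					}
				} else {
					plog(LLV_ERROR, LOCATION, NULL, "mismatched ID was returned.\n");
					error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
					goto end;
				}
			}
			if (f_id == 0)
				f_id = 1;
		}
			break;

		case ISAKMP_NPTYPE_N:
			isakmp_check_ph2_notify(pa->ptr, iph2);
			break;

#ifdef ENABLE_NATT
		case ISAKMP_NPTYPE_NATOA_DRAFT:
		case ISAKMP_NPTYPE_NATOA_BADDRAFT:
		case ISAKMP_NPTYPE_NATOA_RFC:
		{
			vchar_t *vp = NULL;
			struct sockaddr *daddr;

			isakmp_p2ph(&vp, pa->ptr);

			/* first NAT-OA is the initiator's, second the responder's */
			if (vp) {
				daddr = process_natoa_payload(vp);
				if (daddr) {
					if (natoa_i == NULL) {
						natoa_i = daddr;
						plog(LLV_DEBUG, LOCATION, NULL, "initiaor rcvd NAT-OA i: %s\n",
							 saddr2str(natoa_i));
					} else if (natoa_r == NULL) {
						natoa_r = daddr;
						plog(LLV_DEBUG, LOCATION, NULL, "initiator rcvd NAT-OA r: %s\n",
							 saddr2str(natoa_r));
					} else {
						racoon_free(daddr);
					}
				}
				vfree(vp);
			}

		}
			break;
#endif

		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}

		p += pa->len;

		/* compute true length of payload. */
		tlen += pa->len;
	}

	/* payload existency check */
	if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"few isakmp message received.\n");
		goto end;
	}

	/* Fixed buffer for calculating HASH */
	memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
	plog(LLV_DEBUG, LOCATION, NULL,
		"HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
		hbuf->l, tlen + iph2->nonce->l);
	/* adjust buffer length for HASH */
	hbuf->l = iph2->nonce->l + tlen;

	/* validate HASH(2) */
	{
		char *r_hash;
		size_t r_hash_len;
		vchar_t *my_hash = NULL;
		int result;

		/* the HASH payload length is peer supplied as well */
		if (ntohs(hash->h.len) < sizeof(*hash)) {
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
				"invalid HASH payload length %d.\n",
				ntohs(hash->h.len));
			goto end;
		}
		r_hash = (char *)hash + sizeof(*hash);
		r_hash_len = ntohs(hash->h.len) - sizeof(*hash);

		plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:");
		plogdump(LLV_DEBUG, r_hash, r_hash_len);

		my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
		if (my_hash == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to compute HASH");
			goto end;
		}

		/*
		 * Lengths must agree before the bytes are compared, otherwise
		 * memcmp reads past the received payload.
		 * NOTE(review): memcmp is not constant-time; a timing-safe
		 * comparison would be preferable for a MAC check.
		 */
		result = (r_hash_len != my_hash->l)
			|| memcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);

		if (result) {
			plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
				"HASH(2) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	/* validity check SA payload sent from responder */
	if (ipsecdoi_checkph2proposal(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to validate SA proposal");
		error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
		goto end;
	}

	/* change status of isakmp status entry */
	iph2->status = PHASE2ST_STATUS6;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph2->parent_session,
							IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
							CONSTSTR("Initiator, Quick-Mode message 2"),
							CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
								IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
								CONSTSTR("Initiator, Quick-Mode Message 2"),
								CONSTSTR("Failed to process Quick-Mode Message 2 "));
	}
	if (hbuf)
		vfree(hbuf);
	if (pbuf)
		vfree(pbuf);
	if (msg)
		vfree(msg);

#ifdef ENABLE_NATT
	if (natoa_i) {
		racoon_free(natoa_i);
	}
	if (natoa_r) {
		racoon_free(natoa_r);
	}
#endif

	/* drop everything taken from the peer so a retry starts clean */
	if (error) {
		VPTRINIT(iph2->sa_ret);
		VPTRINIT(iph2->nonce_p);
		VPTRINIT(iph2->dhpub_p);
		VPTRINIT(iph2->id);
		VPTRINIT(iph2->id_p);
	}

	return error;
}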
739
/*
 * send to responder
 * HDR*, HASH(3)
 *
 * Third Quick Mode message from the initiator.  HASH(3) is computed by
 * oakley_compute_hash3() over Ni_b | Nr_b, wrapped in an ISAKMP header,
 * encrypted and sent.  With the commit bit set the packet is scheduled
 * for retransmission and SA installation is deferred to quick_i3recv();
 * otherwise KEYMAT is derived and the SAs are installed right away via
 * pfkey UPDATE (inbound) and ADD (outbound).
 *
 * iph2: phase-2 handle, must be in PHASE2ST_STATUS6.
 * msg0: the message being answered; recorded with the reply so that a
 *       retransmitted message 2 can be answered from the cache.
 *
 * Returns 0 on success, ISAKMP_INTERNAL_ERROR otherwise.  The TX_FAIL
 * trace event is only raised when the packet itself could not be sent
 * or recorded, not for failures after transmission.
 */
int
quick_i2send(iph2, msg0)
	struct ph2handle *iph2;
	vchar_t *msg0;
{
	vchar_t *pkt = NULL;
	vchar_t *hash3 = NULL;
	char *cur;
	size_t pktlen;
	int error = ISAKMP_INTERNAL_ERROR;
	int packet_error = -1;

	/* validity check */
	if (iph2->status != PHASE2ST_STATUS6) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* generate HASH(3) from the concatenated nonces */
	{
		vchar_t *nonces;

		plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n");

		nonces = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
		if (nonces == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get hash buffer.\n");
			goto end;
		}
		memcpy(nonces->v, iph2->nonce->v, iph2->nonce->l);
		memcpy(nonces->v + iph2->nonce->l,
			iph2->nonce_p->v, iph2->nonce_p->l);

		hash3 = oakley_compute_hash3(iph2->ph1, iph2->msgid, nonces);
		vfree(nonces);
	}
	if (hash3 == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to compute HASH");
		goto end;
	}

	/* create buffer for isakmp payload: header + one HASH payload */
	pktlen = sizeof(struct isakmp)
		+ sizeof(struct isakmp_gen) + hash3->l;
	pkt = vmalloc(pktlen);
	if (pkt == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get buffer to send.\n");
		goto end;
	}

	/* create isakmp header */
	cur = set_isakmp_header2(pkt, iph2, ISAKMP_NPTYPE_HASH);
	if (cur == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to create ISAKMP header");
		goto end;
	}

	/* add HASH(3) payload; it is the last one */
	set_isakmp_payload(cur, hash3, ISAKMP_NPTYPE_NONE);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(pkt, iph2->ph1->local, iph2->ph1->remote, 1);
#endif

	/* encoding */
	iph2->sendbuf = oakley_do_encrypt(iph2->ph1, pkt,
		iph2->ivm->ive, iph2->ivm->iv);
	if (iph2->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to encrypt packet");
		goto end;
	}

	/* with the commit bit a reply is expected, so arm retransmission */
	if (!ISSET(iph2->flags, ISAKMP_FLAG_C)) {
		/* send the packet */
		if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to send packet");
			goto end;
		}
	} else {
		/* send the packet, add to the schedule to resend */
		iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
		if (isakmp_ph2resend(iph2) == -1) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to send packet, commit-bit");
			goto end;
		}
	}

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
			iph2->sendbuf, msg0,
			PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	IPSECSESSIONTRACEREVENT(iph2->parent_session,
							IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
							CONSTSTR("Initiator, Quick-Mode message 3"),
							CONSTSTR(NULL));
	packet_error = 0;

	/* compute both of KEYMATs */
	if (oakley_compute_keymat(iph2, INITIATOR) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to compute KEYMAT");
		goto end;
	}

	iph2->status = PHASE2ST_ADDSA;

	/* don't anything if local test mode. */
	if (f_local) {
		error = 0;
		goto end;
	}

	/* if there is commit bit don't set up SA now. */
	if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
		iph2->status = PHASE2ST_COMMIT;
		error = 0;
		goto end;
	}

	/* Do UPDATE for initiator */
	plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
	if (pk_sendupdate(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
		goto end;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");

	/* Do ADD for responder */
	if (pk_sendadd(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
		goto end;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");

	error = 0;

end:
	if (packet_error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
								IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
								CONSTSTR("Initiator, Quick-Mode Message 3"),
								CONSTSTR("Failed to transmit Quick-Mode Message 3"));
	}
	/* the plaintext packet and HASH(3) are no longer needed once encrypted */
	if (pkt != NULL)
		vfree(pkt);
	if (hash3 != NULL)
		vfree(hash3);

	return error;
}
910
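/*
 * receive from responder
 * HDR#*, HASH(4), notify
 *
 * Commit-bit path only: the responder's CONNECTED notification that
 * completes the exchange.  HASH(4) is recomputed over the notify payload
 * with oakley_compute_hash1() and compared with the received one; on a
 * match the commit bit is cleared and the SAs are installed via pfkey
 * UPDATE (inbound) and ADD (outbound).
 *
 * iph2: phase-2 handle, must be in PHASE2ST_COMMIT.
 * msg0: the raw, still encrypted, ISAKMP message.
 *
 * Returns 0 on success (handle moved to PHASE2ST_ADDSA),
 * ISAKMP_NTYPE_INVALID_HASH_INFORMATION on a HASH(4) mismatch, and
 * ISAKMP_INTERNAL_ERROR for malformed input or local failures.
 */
int
quick_i3recv(iph2, msg0)
	struct ph2handle *iph2;
	vchar_t *msg0;
{
	vchar_t *msg = NULL;
	vchar_t *pbuf = NULL;	/* for payload parsing */
	struct isakmp_parse_t *pa;
	struct isakmp_pl_hash *hash = NULL;
	vchar_t *notify = NULL;
	int error = ISAKMP_INTERNAL_ERROR;
	int packet_error = -1;

	/* validity check */
	if (iph2->status != PHASE2ST_COMMIT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* decrypt packet */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"Packet wasn't encrypted.\n");
		goto end;
	}
	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to decrypt packet");
		goto end;
	}

	/* validate the type of next payload */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to parse msg");
		goto end;
	}

	for (pa = (struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_HASH:
			hash = (struct isakmp_pl_hash *)pa->ptr;
			break;
		case ISAKMP_NPTYPE_N:
			/* only the first notify is kept; it is what HASH(4) covers */
			if (notify != NULL) {
				plog(LLV_WARNING, LOCATION, NULL,
				    "Ignoring multiple notifications\n");
				break;
			}
			isakmp_check_ph2_notify(pa->ptr, iph2);
			notify = vmalloc(pa->len);
			if (notify == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to get notify buffer.\n");
				goto end;
			}
			memcpy(notify->v, pa->ptr, notify->l);
			break;
		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

	/*
	 * payload existency check.  HASH(4) is computed over the notify
	 * payload, so a message without one cannot be verified; previously
	 * only the HASH payload was checked and a NULL notify reached
	 * oakley_compute_hash1().
	 */
	if (hash == NULL || notify == NULL) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"few isakmp message received.\n");
		goto end;
	}

	/* validate HASH(4) */
	{
		char *r_hash;
		size_t r_hash_len;
		vchar_t *my_hash = NULL;
		int result;

		/* the HASH payload length is peer supplied */
		if (ntohs(hash->h.len) < sizeof(*hash)) {
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
				"invalid HASH payload length %d.\n",
				ntohs(hash->h.len));
			goto end;
		}
		r_hash = (char *)hash + sizeof(*hash);
		r_hash_len = ntohs(hash->h.len) - sizeof(*hash);

		plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:");
		plogdump(LLV_DEBUG, r_hash, r_hash_len);

		my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
		if (my_hash == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to compute HASH");
			goto end;
		}

		/*
		 * Lengths must agree before the bytes are compared, otherwise
		 * memcmp reads past the received payload.
		 * NOTE(review): memcmp is not constant-time; a timing-safe
		 * comparison would be preferable for a MAC check.
		 */
		result = (r_hash_len != my_hash->l)
			|| memcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);

		if (result) {
			plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
				"HASH(4) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	IPSECSESSIONTRACEREVENT(iph2->parent_session,
							IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
							CONSTSTR("Initiator, Quick-Mode message 4"),
							CONSTSTR(NULL));
	packet_error = 0;

	iph2->status = PHASE2ST_ADDSA;
	/* commit exchange finished: clear the bit rather than toggle it */
	iph2->flags &= ~ISAKMP_FLAG_C;

	/* don't anything if local test mode. */
	if (f_local) {
		error = 0;
		goto end;
	}

	/* Do UPDATE for initiator */
	plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
	if (pk_sendupdate(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
		goto end;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");

	/* Do ADD for responder */
	if (pk_sendadd(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
		goto end;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");

	error = 0;

end:
	if (packet_error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
								IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
								CONSTSTR("Initiator, Quick-Mode Message 4"),
								CONSTSTR("Failed to process Quick-Mode Message 4"));
	}
	if (msg != NULL)
		vfree(msg);
	if (pbuf != NULL)
		vfree(pbuf);
	if (notify != NULL)
		vfree(notify);

	return error;
}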
1075
1076 /*
1077 * receive from initiator
1078 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1079 */
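/*
 * Responder: process Quick Mode message 1 from the initiator,
 *   HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
 *
 * iph2 must be in PHASE2ST_START.  The packet is decrypted with the
 * phase 1 keys and parsed; every payload after HASH is copied into hbuf
 * so that HASH(1) can be recomputed over it and compared with the value
 * the peer sent.  The peer's SA, nonce and the optional KE / ID payloads
 * are stored in iph2, a responder proposal is selected, the packet is
 * kept in iph2->msg1 (for retransmission matching) and the status moves
 * to PHASE2ST_STATUS2.
 *
 * Returns 0 on success, an ISAKMP notify type for protocol errors, or
 * ISAKMP_INTERNAL_ERROR.  On any failure the payload copies stored in
 * iph2 are released again so the handle is left as it was found.
 */
int
quick_r1recv(iph2, msg0)
	struct ph2handle *iph2;
	vchar_t *msg0;
{
	vchar_t *msg = NULL;
	vchar_t *hbuf = NULL;	/* for hash computing. */
	vchar_t *pbuf = NULL;	/* for payload parsing */
	struct isakmp_parse_t *pa;
	struct isakmp *isakmp = (struct isakmp *)msg0->v;
	struct isakmp_pl_hash *hash = NULL;
	char *p;
	int tlen;
	int f_id_order;	/* for ID payload detection */
	int error = ISAKMP_INTERNAL_ERROR;
	struct sockaddr *natoa_i = NULL;	/* parsed and logged only */
	struct sockaddr *natoa_r = NULL;

	/* validity check */
	if (iph2->status != PHASE2ST_START) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* quick mode messages are always encrypted under the phase 1 SA */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"Packet wasn't encrypted.\n");
		error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
		goto end;
	}
	/* decrypt packet */
	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to decrypt packet");
		goto end;
	}

	/* create buffer for using to validate HASH(1) */
	/*
	 * ordering rule:
	 *  1. the first one must be HASH
	 *  2. the second one must be SA (added in isakmp-oakley-05!)
	 *  3. two IDs must be considered as IDci, then IDcr
	 */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to parse msg");
		goto end;
	}
	pa = (struct isakmp_parse_t *)pbuf->v;

	/* HASH payload is fixed postion */
	if (pa->type != ISAKMP_NPTYPE_HASH) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_HASH);
		error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
		goto end;
	}
	hash = (struct isakmp_pl_hash *)pa->ptr;
	pa++;

	/*
	 * this restriction was introduced in isakmp-oakley-05.
	 * we do not check this for backward compatibility.
	 * TODO: command line/config file option to enable/disable this code
	 *
	 * NOTE: this only warns; error is overwritten on the success path
	 * below, so an out-of-order SA payload is still accepted.
	 */
	/* SA payload is expected right after HASH */
	if (pa->type != ISAKMP_NPTYPE_SA) {
		plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_SA);
		error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
	}

	/*
	 * allocate buffer for computing HASH(1).  The header length is an
	 * upper bound for the sum of all payloads; the real length is
	 * accumulated in tlen below and stored into hbuf->l.
	 */
	tlen = ntohl(isakmp->len) - sizeof(*isakmp);
	hbuf = vmalloc(tlen);
	if (hbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get hash buffer.\n");
		goto end;
	}
	p = hbuf->v;

	/*
	 * parse the payloads.
	 * copy non-HASH payloads into hbuf, so that we can validate HASH.
	 */
	iph2->sa = NULL;	/* we don't support multi SAs. */
	iph2->nonce_p = NULL;
	iph2->dhpub_p = NULL;
	iph2->id_p = NULL;
	iph2->id = NULL;
	tlen = 0;	/* count payload length except of HASH payload. */

	/*
	 * IDi2 MUST be immediatelly followed by IDr2.  We allowed the
	 * illegal case, but logged.  First ID payload is to be IDi2.
	 * And next ID payload is to be IDr2.
	 */
	f_id_order = 0;

	for (; pa->type; pa++) {

		/* copy to buffer for HASH */
		/* Don't modify the payload */
		memcpy(p, pa->ptr, pa->len);

		if (pa->type != ISAKMP_NPTYPE_ID)
			f_id_order = 0;

		switch (pa->type) {
		case ISAKMP_NPTYPE_SA:
			if (iph2->sa != NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
					"Multi SAs isn't supported.\n");
				goto end;
			}
			if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process SA payload");
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process NONCE payload");
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_KE:
			if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process KE payload");
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_ID:
			if (iph2->id_p == NULL) {
				/* for IDci */
				f_id_order++;

				if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) {
					plog(LLV_ERROR, LOCATION, NULL,
						"failed to process IDci2 payload");
					goto end;
				}

			} else if (iph2->id == NULL) {
				/* for IDcr */
				if (f_id_order == 0) {
					plog(LLV_ERROR, LOCATION, NULL,
						"IDr2 payload is not "
						"immediatelly followed "
						"by IDi2. We allowed.\n");
					/* XXX we allowed in this case. */
				}

				if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) {
					plog(LLV_ERROR, LOCATION, NULL,
						"failed to process IDcr2 payload");
					goto end;
				}
			} else {
				plog(LLV_ERROR, LOCATION, NULL,
					"received too many ID payloads.\n");
				plogdump(LLV_ERROR, iph2->id->v, iph2->id->l);
				error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_N:
			isakmp_check_ph2_notify(pa->ptr, iph2);
			break;

#ifdef ENABLE_NATT
		case ISAKMP_NPTYPE_NATOA_DRAFT:
		case ISAKMP_NPTYPE_NATOA_BADDRAFT:
		case ISAKMP_NPTYPE_NATOA_RFC:
		{
			vchar_t *vp = NULL;
			struct sockaddr *daddr;

			/* vp stays NULL if the payload cannot be copied */
			isakmp_p2ph(&vp, pa->ptr);

			if (vp) {
				daddr = process_natoa_payload(vp);
				if (daddr) {
					/* first NAT-OA is the initiator's, second the responder's */
					if (natoa_i == NULL) {
						natoa_i = daddr;
						plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA i: %s\n",
							saddr2str(natoa_i));
					} else if (natoa_r == NULL) {
						natoa_r = daddr;
						plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA r: %s\n",
							saddr2str(natoa_r));
					} else {
						/* more than two NAT-OA payloads: ignore the extra */
						racoon_free(daddr);
					}
				}
				vfree(vp);
			}

		}
			break;
#endif

		default:
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
				"ignore the packet, "
				"received unexpected payload type %d.\n",
				pa->type);
			error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
			goto end;
		}

		p += pa->len;

		/* compute true length of payload. */
		tlen += pa->len;
	}

	/* payload existency check (hash is always set here; kept for safety) */
	if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"expected isakmp payloads missing.\n");
		error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
		goto end;
	}

	if (iph2->id_p) {
		plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
		plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
	}
	if (iph2->id) {
		plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
		plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
	}

	/* adjust buffer length for HASH */
	hbuf->l = tlen;

	/* validate HASH(1) */
	{
		char *r_hash;
		size_t r_hash_len;
		vchar_t *my_hash = NULL;
		int result;

		r_hash = (caddr_t)hash + sizeof(*hash);
		r_hash_len = ntohs(hash->h.len) - sizeof(*hash);

		my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
		if (my_hash == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to compute HASH");
			goto end;
		}

		/*
		 * The HASH payload must carry exactly one prf output.
		 * Without this check memcmp() below would read past the
		 * end of a short payload, and a longer payload would be
		 * accepted on a matching prefix alone.
		 */
		if (r_hash_len != my_hash->l) {
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
				"HASH(1) length mismatch (got %zu, expected %zu).\n",
				r_hash_len, my_hash->l);
			vfree(my_hash);
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}

		plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:");
		plogdump(LLV_DEBUG, r_hash, r_hash_len);

		/* NOTE(review): memcmp() is not constant-time; a fixed-time
		 * compare would be preferable for a MAC check. */
		result = memcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);

		if (result) {
			plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
				"HASH(1) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	/* get sainfo */
	error = get_sainfo_r(iph2);
	if (error) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get sainfo.\n");
		goto end;
	}

	/*
	 * check the existence of ID payload and create responder's proposal.
	 * A first failure is retried with the remote address when we are
	 * behind a NAT with an external ID configured, or when this side
	 * is acting as a client.
	 */
	error = get_proposal_r(iph2, 0);
	if (error != -2 && error != 0 &&
	    (((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL) ||
	     (iph2->parent_session && iph2->parent_session->is_client)))
		error = get_proposal_r(iph2, 1);

	switch (error) {
	case -2:
		/* generate a policy template from peer's proposal */
		if (set_proposal_from_proposal(iph2)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to generate a proposal template "
				"from client's proposal.\n");
			/*
			 * go through the common cleanup: a bare return here
			 * leaked msg/hbuf/pbuf and left the payload copies
			 * attached to iph2.
			 */
			error = ISAKMP_INTERNAL_ERROR;
			goto end;
		}
		/*FALLTHROUGH*/
	case 0:
		/* select single proposal or reject it. */
		if (ipsecdoi_selectph2proposal(iph2) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to select proposal.\n");
			error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
			goto end;
		}
		break;
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get proposal for responder.\n");
		goto end;
	}

	/* check KE and attribute of PFS: KE and a PFS group must come together */
	if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no PFS is specified, but peer sends KE.\n");
		error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
		goto end;
	}
	if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"PFS is specified, but peer doesn't sends KE.\n");
		error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
		goto end;
	}

	ike_session_update_mode(iph2); /* update the mode, now that we have a proposal */

	/*
	 * save the packet from the initiator in order to resend the
	 * responder's first packet against this packet.
	 */
	iph2->msg1 = vdup(msg0);
	if (iph2->msg1 == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to save the initiator's packet.\n");
		error = ISAKMP_INTERNAL_ERROR;
		goto end;
	}

	/* change status of isakmp status entry */
	iph2->status = PHASE2ST_STATUS2;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph2->parent_session,
							IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
							CONSTSTR("Responder, Quick-Mode message 1"),
							CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
								IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
								CONSTSTR("Responder, Quick-Mode Message 1"),
								CONSTSTR("Failed to process Quick-Mode Message 1"));
	}
	if (hbuf)
		vfree(hbuf);
	if (msg)
		vfree(msg);
	if (pbuf)
		vfree(pbuf);

#ifdef ENABLE_NATT
	if (natoa_i) {
		racoon_free(natoa_i);
	}
	if (natoa_r) {
		racoon_free(natoa_r);
	}
#endif

	/* on failure, drop the payload copies we attached to iph2 */
	if (error) {
		VPTRINIT(iph2->sa);
		VPTRINIT(iph2->nonce_p);
		VPTRINIT(iph2->dhpub_p);
		VPTRINIT(iph2->id);
		VPTRINIT(iph2->id_p);
	}

	return error;
}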
1468
1469 /*
1470 * call pfkey_getspi.
1471 */
1472 int
1473 quick_r1prep(iph2, msg)
1474 struct ph2handle *iph2;
1475 vchar_t *msg;
1476 {
1477 int error = ISAKMP_INTERNAL_ERROR;
1478
1479 /* validity check */
1480 if (iph2->status != PHASE2ST_STATUS2) {
1481 plog(LLV_ERROR, LOCATION, NULL,
1482 "status mismatched %d.\n", iph2->status);
1483 goto end;
1484 }
1485
1486 iph2->status = PHASE2ST_GETSPISENT;
1487
1488 /* send getspi message */
1489 if (pk_sendgetspi(iph2) < 0) {
1490 plog(LLV_ERROR, LOCATION, NULL,
1491 "failed to send getspi");
1492 goto end;
1493 }
1494
1495 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
1496
1497 iph2->sce = sched_new(lcconf->wait_ph2complete,
1498 pfkey_timeover_stub, iph2);
1499
1500 error = 0;
1501
1502 end:
1503 return error;
1504 }
1505
1506 /*
1507 * send to initiator
1508 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1509 */
1510 int
1511 quick_r2send(iph2, msg)
1512 struct ph2handle *iph2;
1513 vchar_t *msg;
1514 {
1515 vchar_t *body = NULL;
1516 vchar_t *hash = NULL;
1517 vchar_t *natoa_i = NULL;
1518 vchar_t *natoa_r = NULL;
1519 int natoa_type = 0;
1520 struct isakmp_gen *gen;
1521 char *p;
1522 int tlen;
1523 int error = ISAKMP_INTERNAL_ERROR;
1524 int pfsgroup;
1525 u_int8_t *np_p = NULL;
1526
1527 /* validity check */
1528 if (msg != NULL) {
1529 plog(LLV_ERROR, LOCATION, NULL,
1530 "msg has to be NULL in this function.\n");
1531 goto end;
1532 }
1533 if (iph2->status != PHASE2ST_GETSPIDONE) {
1534 plog(LLV_ERROR, LOCATION, NULL,
1535 "status mismatched %d.\n", iph2->status);
1536 goto end;
1537 }
1538
1539 /* update responders SPI */
1540 if (ipsecdoi_updatespi(iph2) < 0) {
1541 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n");
1542 goto end;
1543 }
1544
1545 /* generate NONCE value */
1546 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
1547 if (iph2->nonce == NULL) {
1548 plog(LLV_ERROR, LOCATION, NULL,
1549 "failed to generate NONCE");
1550 goto end;
1551 }
1552
1553 /* generate KE value if need */
1554 pfsgroup = iph2->approval->pfs_group;
1555 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1556 /* DH group settting if PFS is required. */
1557 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
1558 plog(LLV_ERROR, LOCATION, NULL,
1559 "failed to set DH value.\n");
1560 goto end;
1561 }
1562 /* generate DH public value */
1563 if (oakley_dh_generate(iph2->pfsgrp,
1564 &iph2->dhpub, &iph2->dhpriv) < 0) {
1565 plog(LLV_ERROR, LOCATION, NULL,
1566 "failed to generate DH public");
1567 goto end;
1568 }
1569 }
1570
1571 /* create SA;NONCE payload, and KE and ID if need */
1572 tlen = sizeof(*gen) + iph2->sa_ret->l
1573 + sizeof(*gen) + iph2->nonce->l;
1574 if (iph2->dhpub_p != NULL && pfsgroup != 0)
1575 tlen += (sizeof(*gen) + iph2->dhpub->l);
1576 if (iph2->id_p != NULL)
1577 tlen += (sizeof(*gen) + iph2->id_p->l
1578 + sizeof(*gen) + iph2->id->l);
1579
1580 #ifdef ENABLE_NATT
1581 /*
1582 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport
1583 * we should send NAT-OA
1584 */
1585 if (ipsecdoi_any_transportmode(iph2->approval)
1586 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
1587 natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
1588 if (natoa_type == -1) {
1589 plog(LLV_ERROR, LOCATION, NULL,
1590 "failed to create NATOA payloads");
1591 goto end;
1592 }
1593 else if (natoa_type != 0) {
1594 tlen += sizeof(*gen) + natoa_i->l;
1595 tlen += sizeof(*gen) + natoa_r->l;
1596
1597 plog(LLV_DEBUG, LOCATION, NULL, "responder send NAT-OAi:\n");
1598 plogdump(LLV_DEBUG, natoa_i->v, natoa_i->l);
1599 plog(LLV_DEBUG, LOCATION, NULL, "responder send NAT-OAr:\n");
1600 plogdump(LLV_DEBUG, natoa_r->v, natoa_r->l);
1601 }
1602 }
1603 #endif
1604
1605
1606 body = vmalloc(tlen);
1607 if (body == NULL) {
1608 plog(LLV_ERROR, LOCATION, NULL,
1609 "failed to get buffer to send.\n");
1610 goto end;
1611 }
1612 p = body->v;
1613
1614 /* make SA payload */
1615 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
1616
1617 /* add NONCE payload */
1618 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1619 p = set_isakmp_payload(p, iph2->nonce,
1620 (iph2->dhpub_p != NULL && pfsgroup != 0)
1621 ? ISAKMP_NPTYPE_KE
1622 : (iph2->id_p != NULL
1623 ? ISAKMP_NPTYPE_ID
1624 : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE)));
1625
1626 /* add KE payload if need. */
1627 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1628 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1629 p = set_isakmp_payload(p, iph2->dhpub,
1630 (iph2->id_p == NULL) ? (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE) : ISAKMP_NPTYPE_ID);
1631 }
1632
1633 /* add ID payloads received. */
1634 if (iph2->id_p != NULL) {
1635 /* IDci */
1636 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
1637 /* IDcr */
1638 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1639 p = set_isakmp_payload(p, iph2->id, (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE));
1640 }
1641
1642 /* add a RESPONDER-LIFETIME notify payload if needed */
1643 {
1644 vchar_t *data = NULL;
1645 struct saprop *pp = iph2->approval;
1646 struct saproto *pr;
1647
1648 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
1649 u_int32_t v = htonl((u_int32_t)pp->lifetime);
1650 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1651 IPSECDOI_ATTR_SA_LD_TYPE_SEC);
1652 if (!data) {
1653 plog(LLV_ERROR, LOCATION, NULL,
1654 "failed to add RESPONDER-LIFETIME notify (type) payload");
1655 goto end;
1656 }
1657 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1658 (caddr_t)&v, sizeof(v));
1659 if (!data) {
1660 plog(LLV_ERROR, LOCATION, NULL,
1661 "failed to add RESPONDER-LIFETIME notify (value) payload");
1662 goto end;
1663 }
1664 }
1665 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
1666 u_int32_t v = htonl((u_int32_t)pp->lifebyte);
1667 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1668 IPSECDOI_ATTR_SA_LD_TYPE_KB);
1669 if (!data) {
1670 plog(LLV_ERROR, LOCATION, NULL,
1671 "failed to add RESPONDER-LIFETIME notify (type) payload");
1672 goto end;
1673 }
1674 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1675 (caddr_t)&v, sizeof(v));
1676 if (!data) {
1677 plog(LLV_ERROR, LOCATION, NULL,
1678 "failed to add RESPONDER-LIFETIME notify (value) payload");
1679 goto end;
1680 }
1681 }
1682
1683 /*
1684 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1685 * in the case of SA bundle ?
1686 */
1687 if (data) {
1688 for (pr = pp->head; pr; pr = pr->next) {
1689 body = isakmp_add_pl_n(body, &np_p,
1690 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
1691 if (!body) {
1692 plog(LLV_ERROR, LOCATION, NULL,
1693 "invalid RESPONDER-LIFETIME payload");
1694 vfree(data);
1695 return error; /* XXX */
1696 }
1697 }
1698 vfree(data);
1699 }
1700 }
1701
1702 /* natoa */
1703 if (natoa_type) {
1704 p = set_isakmp_payload(p, natoa_i, natoa_type);
1705 p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
1706 }
1707
1708 /* generate HASH(2) */
1709 {
1710 vchar_t *tmp;
1711
1712 tmp = vmalloc(iph2->nonce_p->l + body->l);
1713 if (tmp == NULL) {
1714 plog(LLV_ERROR, LOCATION, NULL,
1715 "failed to get hash buffer.\n");
1716 goto end;
1717 }
1718 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1719 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
1720
1721 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
1722 vfree(tmp);
1723
1724 if (hash == NULL) {
1725 plog(LLV_ERROR, LOCATION, NULL,
1726 "failed to compute HASH");
1727 goto end;
1728 }
1729 }
1730
1731 /* send isakmp payload */
1732 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
1733 if (iph2->sendbuf == NULL) {
1734 plog(LLV_ERROR, LOCATION, NULL,
1735 "failed to get send buffer");
1736 goto end;
1737 }
1738
1739 /* send the packet, add to the schedule to resend */
1740 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
1741 if (isakmp_ph2resend(iph2) == -1) {
1742 plog(LLV_ERROR, LOCATION, NULL,
1743 "failed to send packet");
1744 goto end;
1745 }
1746
1747 /* the sending message is added to the received-list. */
1748 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1,
1749 PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
1750 plog(LLV_ERROR , LOCATION, NULL,
1751 "failed to add a response packet to the tree.\n");
1752 goto end;
1753 }
1754
1755 /* change status of isakmp status entry */
1756 iph2->status = PHASE2ST_MSG1SENT;
1757
1758 error = 0;
1759
1760 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1761 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1762 CONSTSTR("Responder, Quick-Mode message 2"),
1763 CONSTSTR(NULL));
1764
1765 end:
1766 if (error) {
1767 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1768 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1769 CONSTSTR("Responder, Quick-Mode Message 2"),
1770 CONSTSTR("Failed to transmit Quick-Mode Message 2"));
1771 }
1772 if (body != NULL)
1773 vfree(body);
1774 if (hash != NULL)
1775 vfree(hash);
1776 if (natoa_i)
1777 vfree(natoa_i);
1778 if (natoa_r)
1779 vfree(natoa_r);
1780
1781 return error;
1782 }
1783
1784 /*
1785 * receive from initiator
1786 * HDR*, HASH(3)
1787 */
1788 int
1789 quick_r3recv(iph2, msg0)
1790 struct ph2handle *iph2;
1791 vchar_t *msg0;
1792 {
1793 vchar_t *msg = NULL;
1794 vchar_t *pbuf = NULL; /* for payload parsing */
1795 struct isakmp_parse_t *pa;
1796 struct isakmp_pl_hash *hash = NULL;
1797 int error = ISAKMP_INTERNAL_ERROR;
1798
1799 /* validity check */
1800 if (iph2->status != PHASE2ST_MSG1SENT) {
1801 plog(LLV_ERROR, LOCATION, NULL,
1802 "status mismatched %d.\n", iph2->status);
1803 goto end;
1804 }
1805
1806 /* decrypt packet */
1807 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1808 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1809 "Packet wasn't encrypted.\n");
1810 goto end;
1811 }
1812 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1813 if (msg == NULL) {
1814 plog(LLV_ERROR, LOCATION, NULL,
1815 "failed to decrypt packet");
1816 goto end;
1817 }
1818
1819 /* validate the type of next payload */
1820 pbuf = isakmp_parse(msg);
1821 if (pbuf == NULL) {
1822 plog(LLV_ERROR, LOCATION, NULL,
1823 "failed to parse msg");
1824 goto end;
1825 }
1826
1827 for (pa = (struct isakmp_parse_t *)pbuf->v;
1828 pa->type != ISAKMP_NPTYPE_NONE;
1829 pa++) {
1830
1831 switch (pa->type) {
1832 case ISAKMP_NPTYPE_HASH:
1833 hash = (struct isakmp_pl_hash *)pa->ptr;
1834 break;
1835 case ISAKMP_NPTYPE_N:
1836 isakmp_check_ph2_notify(pa->ptr, iph2);
1837 break;
1838 default:
1839 /* don't send information, see ident_r1recv() */
1840 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1841 "ignore the packet, "
1842 "received unexpecting payload type %d.\n",
1843 pa->type);
1844 goto end;
1845 }
1846 }
1847
1848 /* payload existency check */
1849 if (hash == NULL) {
1850 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1851 "few isakmp message received.\n");
1852 goto end;
1853 }
1854
1855 /* validate HASH(3) */
1856 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1857 {
1858 char *r_hash;
1859 vchar_t *my_hash = NULL;
1860 vchar_t *tmp = NULL;
1861 int result;
1862
1863 r_hash = (char *)hash + sizeof(*hash);
1864
1865 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
1866 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1867
1868 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
1869 if (tmp == NULL) {
1870 plog(LLV_ERROR, LOCATION, NULL,
1871 "failed to get hash buffer.\n");
1872 goto end;
1873 }
1874 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1875 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
1876
1877 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
1878 vfree(tmp);
1879 if (my_hash == NULL) {
1880 plog(LLV_ERROR, LOCATION, NULL,
1881 "failed to compute HASH");
1882 goto end;
1883 }
1884
1885 result = memcmp(my_hash->v, r_hash, my_hash->l);
1886 vfree(my_hash);
1887
1888 if (result) {
1889 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1890 "HASH(3) mismatch.\n");
1891 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1892 goto end;
1893 }
1894 }
1895
1896 /* if there is commit bit, don't set up SA now. */
1897 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
1898 iph2->status = PHASE2ST_COMMIT;
1899 } else
1900 iph2->status = PHASE2ST_STATUS6;
1901
1902 error = 0;
1903
1904 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1905 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1906 CONSTSTR("Responder, Quick-Mode message 3"),
1907 CONSTSTR(NULL));
1908
1909 end:
1910 if (error) {
1911 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1912 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1913 CONSTSTR("Responder, Quick-Mode Message 3"),
1914 CONSTSTR("Failed to process Quick-Mode Message 3"));
1915 }
1916 if (pbuf != NULL)
1917 vfree(pbuf);
1918 if (msg != NULL)
1919 vfree(msg);
1920
1921 return error;
1922 }
1923
1924 /*
1925 * send to initiator
1926 * HDR#*, HASH(4), notify
1927 */
1928 int
1929 quick_r3send(iph2, msg0)
1930 struct ph2handle *iph2;
1931 vchar_t *msg0;
1932 {
1933 vchar_t *buf = NULL;
1934 vchar_t *myhash = NULL;
1935 struct isakmp_pl_n *n;
1936 vchar_t *notify = NULL;
1937 char *p;
1938 int tlen;
1939 int error = ISAKMP_INTERNAL_ERROR;
1940
1941 /* validity check */
1942 if (iph2->status != PHASE2ST_COMMIT) {
1943 plog(LLV_ERROR, LOCATION, NULL,
1944 "status mismatched %d.\n", iph2->status);
1945 goto end;
1946 }
1947
1948 /* generate HASH(4) */
1949 /* XXX What can I do in the case of multiple different SA */
1950 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");
1951
1952 /* XXX What should I do if there are multiple SAs ? */
1953 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
1954 notify = vmalloc(tlen);
1955 if (notify == NULL) {
1956 plog(LLV_ERROR, LOCATION, NULL,
1957 "failed to get notify buffer.\n");
1958 goto end;
1959 }
1960 n = (struct isakmp_pl_n *)notify->v;
1961 n->h.np = ISAKMP_NPTYPE_NONE;
1962 n->h.len = htons(tlen);
1963 n->doi = htonl(IPSEC_DOI);
1964 n->proto_id = iph2->approval->head->proto_id;
1965 n->spi_size = sizeof(iph2->approval->head->spisize);
1966 n->type = htons(ISAKMP_NTYPE_CONNECTED);
1967 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
1968
1969 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1970 if (myhash == NULL) {
1971 plog(LLV_ERROR, LOCATION, NULL,
1972 "failed to compute HASH");
1973 goto end;
1974 }
1975
1976 /* create buffer for isakmp payload */
1977 tlen = sizeof(struct isakmp)
1978 + sizeof(struct isakmp_gen) + myhash->l
1979 + notify->l;
1980 buf = vmalloc(tlen);
1981 if (buf == NULL) {
1982 plog(LLV_ERROR, LOCATION, NULL,
1983 "failed to get buffer to send.\n");
1984 goto end;
1985 }
1986
1987 /* create isakmp header */
1988 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
1989 if (p == NULL) {
1990 plog(LLV_ERROR, LOCATION, NULL,
1991 "failed to set ISAKMP header");
1992 goto end;
1993 }
1994
1995 /* add HASH(4) payload */
1996 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
1997
1998 /* add notify payload */
1999 memcpy(p, notify->v, notify->l);
2000
2001 #ifdef HAVE_PRINT_ISAKMP_C
2002 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2003 #endif
2004
2005 /* encoding */
2006 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2007 if (iph2->sendbuf == NULL) {
2008 plog(LLV_ERROR, LOCATION, NULL,
2009 "failed to encrypt packet");
2010 goto end;
2011 }
2012
2013 /* send the packet */
2014 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
2015 plog(LLV_ERROR, LOCATION, NULL,
2016 "failed to send packet");
2017 goto end;
2018 }
2019
2020 /* the sending message is added to the received-list. */
2021 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0,
2022 PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
2023 plog(LLV_ERROR , LOCATION, NULL,
2024 "failed to add a response packet to the tree.\n");
2025 goto end;
2026 }
2027
2028 iph2->status = PHASE2ST_COMMIT;
2029
2030 error = 0;
2031
2032 IPSECSESSIONTRACEREVENT(iph2->parent_session,
2033 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
2034 CONSTSTR("Responder, Quick-Mode message 4"),
2035 CONSTSTR(NULL));
2036
2037 end:
2038 if (error) {
2039 IPSECSESSIONTRACEREVENT(iph2->parent_session,
2040 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
2041 CONSTSTR("Responder, Quick-Mode Message 4"),
2042 CONSTSTR("Failed to transmit Quick-Mode Message 4"));
2043 }
2044 if (buf != NULL)
2045 vfree(buf);
2046 if (myhash != NULL)
2047 vfree(myhash);
2048 if (notify != NULL)
2049 vfree(notify);
2050
2051 return error;
2052 }
2053
2054
2055 /*
2056 * set SA to kernel.
2057 */
2058 int
2059 quick_r3prep(iph2, msg0)
2060 struct ph2handle *iph2;
2061 vchar_t *msg0;
2062 {
2063 vchar_t *msg = NULL;
2064 int error = ISAKMP_INTERNAL_ERROR;
2065
2066 /* validity check */
2067 if (iph2->status != PHASE2ST_STATUS6) {
2068 plog(LLV_ERROR, LOCATION, NULL,
2069 "status mismatched %d.\n", iph2->status);
2070 goto end;
2071 }
2072
2073 /* compute both of KEYMATs */
2074 if (oakley_compute_keymat(iph2, RESPONDER) < 0) {
2075 plog(LLV_ERROR, LOCATION, NULL,
2076 "failed to compute KEYMAT");
2077 goto end;
2078 }
2079
2080 iph2->status = PHASE2ST_ADDSA;
2081 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
2082
2083 /* don't anything if local test mode. */
2084 if (f_local) {
2085 error = 0;
2086 goto end;
2087 }
2088
2089 /* Do UPDATE as responder */
2090 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
2091 if (pk_sendupdate(iph2) < 0) {
2092 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
2093 goto end;
2094 }
2095 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
2096
2097 /* Do ADD for responder */
2098 if (pk_sendadd(iph2) < 0) {
2099 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
2100 goto end;
2101 }
2102 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
2103
2104 /*
2105 * set policies into SPD if the policy is generated
2106 * from peer's policy.
2107 */
2108 if (iph2->spidx_gen) {
2109
2110 struct policyindex *spidx;
2111 struct sockaddr_storage addr;
2112 u_int8_t pref;
2113 struct sockaddr *src = iph2->src;
2114 struct sockaddr *dst = iph2->dst;
2115
2116 /* make inbound policy */
2117 iph2->src = dst;
2118 iph2->dst = src;
2119 if (pk_sendspdupdate2(iph2) < 0) {
2120 plog(LLV_ERROR, LOCATION, NULL,
2121 "pfkey spdupdate2(inbound) failed.\n");
2122 goto end;
2123 }
2124 plog(LLV_DEBUG, LOCATION, NULL,
2125 "pfkey spdupdate2(inbound) sent.\n");
2126
2127 spidx = (struct policyindex *)iph2->spidx_gen;
2128 #ifdef HAVE_POLICY_FWD
2129 /* make forward policy if required */
2130 if (tunnel_mode_prop(iph2->approval)) {
2131 spidx->dir = IPSEC_DIR_FWD;
2132 if (pk_sendspdupdate2(iph2) < 0) {
2133 plog(LLV_ERROR, LOCATION, NULL,
2134 "pfkey spdupdate2(forward) failed.\n");
2135 goto end;
2136 }
2137 plog(LLV_DEBUG, LOCATION, NULL,
2138 "pfkey spdupdate2(forward) sent.\n");
2139 }
2140 #endif
2141
2142 /* make outbound policy */
2143 iph2->src = src;
2144 iph2->dst = dst;
2145 spidx->dir = IPSEC_DIR_OUTBOUND;
2146 addr = spidx->src;
2147 spidx->src = spidx->dst;
2148 spidx->dst = addr;
2149 pref = spidx->prefs;
2150 spidx->prefs = spidx->prefd;
2151 spidx->prefd = pref;
2152
2153 if (pk_sendspdupdate2(iph2) < 0) {
2154 plog(LLV_ERROR, LOCATION, NULL,
2155 "pfkey spdupdate2(outbound) failed.\n");
2156 goto end;
2157 }
2158 plog(LLV_DEBUG, LOCATION, NULL,
2159 "pfkey spdupdate2(outbound) sent.\n");
2160
2161 /* spidx_gen is unnecessary any more */
2162 delsp_bothdir((struct policyindex *)iph2->spidx_gen);
2163 racoon_free(iph2->spidx_gen);
2164 iph2->spidx_gen = NULL;
2165 iph2->generated_spidx=1;
2166 }
2167
2168 error = 0;
2169
2170 end:
2171 if (msg != NULL)
2172 vfree(msg);
2173
2174 return error;
2175 }
2176
2177 /*
2178 * create HASH, body (SA, NONCE) payload with isakmp header.
2179 */
2180 static vchar_t *
2181 quick_ir1mx(iph2, body, hash)
2182 struct ph2handle *iph2;
2183 vchar_t *body, *hash;
2184 {
2185 struct isakmp *isakmp;
2186 vchar_t *buf = NULL, *new = NULL;
2187 char *p;
2188 int tlen;
2189 struct isakmp_gen *gen;
2190 int error = ISAKMP_INTERNAL_ERROR;
2191
2192 /* create buffer for isakmp payload */
2193 tlen = sizeof(*isakmp)
2194 + sizeof(*gen) + hash->l
2195 + body->l;
2196 buf = vmalloc(tlen);
2197 if (buf == NULL) {
2198 plog(LLV_ERROR, LOCATION, NULL,
2199 "failed to get buffer to send.\n");
2200 goto end;
2201 }
2202
2203 /* re-set encryption flag, for serurity. */
2204 iph2->flags |= ISAKMP_FLAG_E;
2205
2206 /* set isakmp header */
2207 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
2208 if (p == NULL) {
2209 plog(LLV_ERROR, LOCATION, NULL,
2210 "failed to set ISAKMP header");
2211 goto end;
2212 }
2213
2214 /* add HASH payload */
2215 /* XXX is next type always SA ? */
2216 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
2217
2218 /* add body payload */
2219 memcpy(p, body->v, body->l);
2220
2221 #ifdef HAVE_PRINT_ISAKMP_C
2222 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2223 #endif
2224
2225 /* encoding */
2226 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2227 if (new == NULL) {
2228 plog(LLV_ERROR, LOCATION, NULL,
2229 "failed to encrypt packet");
2230 goto end;
2231 }
2232
2233 vfree(buf);
2234
2235 buf = new;
2236
2237 error = 0;
2238
2239 end:
2240 if (error && buf != NULL) {
2241 vfree(buf);
2242 buf = NULL;
2243 }
2244
2245 return buf;
2246 }
2247
2248 /*
2249 * get remote's sainfo.
2250 * NOTE: this function is for responder.
2251 */
2252 static int
2253 get_sainfo_r(iph2)
2254 struct ph2handle *iph2;
2255 {
2256 vchar_t *idsrc = NULL, *iddst = NULL;
2257 int prefixlen;
2258 int error = ISAKMP_INTERNAL_ERROR;
2259 struct sainfo *anonymous = NULL;
2260
2261 if (iph2->id == NULL) {
2262 switch (iph2->src->sa_family) {
2263 case AF_INET:
2264 prefixlen = sizeof(struct in_addr) << 3;
2265 break;
2266 case AF_INET6:
2267 prefixlen = sizeof(struct in6_addr) << 3;
2268 break;
2269 default:
2270 plog(LLV_ERROR, LOCATION, NULL,
2271 "invalid family: %d\n", iph2->src->sa_family);
2272 goto end;
2273 }
2274 idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
2275 IPSEC_ULPROTO_ANY);
2276 } else {
2277 idsrc = vdup(iph2->id);
2278 }
2279 if (idsrc == NULL) {
2280 plog(LLV_ERROR, LOCATION, NULL,
2281 "failed to set ID for source.\n");
2282 goto end;
2283 }
2284
2285 if (iph2->id_p == NULL) {
2286 switch (iph2->dst->sa_family) {
2287 case AF_INET:
2288 prefixlen = sizeof(struct in_addr) << 3;
2289 break;
2290 case AF_INET6:
2291 prefixlen = sizeof(struct in6_addr) << 3;
2292 break;
2293 default:
2294 plog(LLV_ERROR, LOCATION, NULL,
2295 "invalid family: %d\n", iph2->dst->sa_family);
2296 goto end;
2297 }
2298 iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen,
2299 IPSEC_ULPROTO_ANY);
2300 } else {
2301 iddst = vdup(iph2->id_p);
2302 }
2303 if (iddst == NULL) {
2304 plog(LLV_ERROR, LOCATION, NULL,
2305 "failed to set ID for destination.\n");
2306 goto end;
2307 }
2308
2309 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 0);
2310 // track anonymous sainfo, because we'll try to find a better sainfo if this is a client
2311 if (iph2->sainfo && iph2->sainfo->idsrc == NULL)
2312 anonymous = iph2->sainfo;
2313
2314 if (iph2->sainfo == NULL ||
2315 (anonymous && iph2->parent_session && iph2->parent_session->is_client)) {
2316 if ((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL)
2317 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 1);
2318 if (iph2->sainfo) {
2319 plog(LLV_DEBUG2, LOCATION, NULL,
2320 "get_sainfo_r case 1.\n");
2321 }
2322 // still no sainfo (or anonymous): for client, fallback to sainfo used by a previous established phase2
2323 if (iph2->sainfo == NULL ||
2324 (iph2->sainfo->idsrc == NULL && iph2->parent_session && iph2->parent_session->is_client)) {
2325 ike_session_get_sainfo_r(iph2);
2326 if (iph2->sainfo) {
2327 plog(LLV_DEBUG2, LOCATION, NULL,
2328 "get_sainfo_r case 2.\n");
2329 }
2330 }
2331 }
2332 if (iph2->sainfo == NULL) {
2333 if (anonymous == NULL) {
2334 plog(LLV_ERROR, LOCATION, NULL,
2335 "failed to get sainfo.\n");
2336 goto end;
2337 }
2338 iph2->sainfo = anonymous;
2339 }
2340 #ifdef __APPLE__
2341 if (link_sainfo_to_ph2(iph2->sainfo) != 0) {
2342 plog(LLV_ERROR, LOCATION, NULL,
2343 "failed to link sainfo\n");
2344 iph2->sainfo = NULL;
2345 goto end;
2346 }
2347 #endif
2348
2349 #ifdef ENABLE_HYBRID
2350 /* xauth group inclusion check */
2351 if (iph2->sainfo->group != NULL)
2352 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1)) {
2353 plog(LLV_ERROR, LOCATION, NULL,
2354 "failed to group check");
2355 goto end;
2356 }
2357 #endif
2358
2359 plog(LLV_DEBUG, LOCATION, NULL,
2360 "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2361
2362 error = 0;
2363 end:
2364 if (idsrc)
2365 vfree(idsrc);
2366 if (iddst)
2367 vfree(iddst);
2368
2369 return error;
2370 }
2371
2372 /*
2373 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
2374 * are IP address and same address family.
2375 * Then get remote's policy from SPD copied from kernel.
2376 * If the type of ID payload is address or subnet type, then the index is
2377 * made from the payload. If there is no ID payload, or the type of ID
2378 * payload is NOT address type, then the index is made from the address
2379 * pair of phase 1.
2380 * NOTE: This function is only for responder.
2381 */
/*
 * Build the SPD lookup key for a responder-side phase 2 from the peer's
 * ID payloads (or, when absent / not address-typed / use_remote_addr is
 * set, from the phase 1 addresses), fetch the inbound and outbound
 * policies, and record a generated policy index in iph2->spidx_gen when
 * rmconf->gen_policy is enabled.
 *
 * Note that the SPD key is driven by peer-supplied selectors: the peer
 * chooses which policy entry is looked up, and with gen_policy the
 * responder records those selectors for policy generation.
 *
 * Returns ISAKMP_NTYPE_INVALID_ID_INFORMATION if only one ID payload is
 * present, ISAKMP_INTERNAL_ERROR on allocation/policy failures, an
 * ipsecdoi_id2sockaddr()/setscopeid() error code when ID conversion
 * fails, and otherwise -2 (see generated_policy_exit_early below).
 */
static int
get_proposal_r(iph2, use_remote_addr)
	struct ph2handle *iph2;
	int use_remote_addr;
{
	struct policyindex spidx;
	struct secpolicy *sp_in, *sp_out;
	int idi2type = 0;	/* switch whether copy IDs into id[src,dst]. */
	int error = ISAKMP_INTERNAL_ERROR;
	/*
	 * NOTE(review): initialised to 1 and only ever assigned 1 again
	 * below (the "special value"), so the `return -2` near the end
	 * always fires and the IPsec-policy check and
	 * set_proposal_from_policy() call after it are unreachable.
	 * Presumably the caller relies on -2 — confirm before changing.
	 */
	int generated_policy_exit_early = 1;

	/* check the existence of ID payload: either both or neither. */
	if ((iph2->id_p != NULL && iph2->id == NULL)
	 || (iph2->id_p == NULL && iph2->id != NULL)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Both IDs wasn't found in payload.\n");
		return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
	}

	/* make sure if id[src,dst] is null. */
	if (iph2->src_id || iph2->dst_id) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Why do ID[src,dst] exist already.\n");
		return ISAKMP_INTERNAL_ERROR;
	}

	memset(&spidx, 0, sizeof(spidx));

	/*
	 * ID-payload type accessor.  NOTE(review): an identifier starting
	 * with '_' followed by an uppercase letter is reserved for the
	 * implementation; it is #undef'd below, but a non-reserved name
	 * would be safer.
	 */
#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type

	/* make a spidx; a key to search SPD */
	spidx.dir = IPSEC_DIR_INBOUND;
	spidx.ul_proto = 0;

	/*
	 * make destination address in spidx from either ID payload
	 * or phase 1 address into a address in spidx.
	 * If behind a nat - use phase1 address because server's
	 * use the nat's address in the ID payload.
	 */
	if (iph2->id != NULL
	 && use_remote_addr == 0
	 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
		/* get a destination address of a policy */
		error = ipsecdoi_id2sockaddr(iph2->id,
				(struct sockaddr *)&spidx.dst,
				&spidx.prefd, &spidx.ul_proto);
		if (error)
			return error;

#ifdef INET6
		/*
		 * get scopeid from the SA address.
		 * note that the phase 1 source address is used as
		 * a destination address to search for a inbound policy entry
		 * because rcoon is responder.
		 */
		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
			error = setscopeid((struct sockaddr *)&spidx.dst,
					iph2->src);
			if (error)
				return error;
		}
#endif

		/* only plain (non-subnet) address IDs qualify for id[src,dst]. */
		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
		 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
			idi2type = _XIDT(iph2->id);

	} else {

		plog(LLV_DEBUG, LOCATION, NULL,
			"get a destination address of SP index "
			"from phase1 address "
			"due to no ID payloads found "
			"OR because ID type is not address.\n");

		/*
		 * copy the SOURCE address of IKE into the DESTINATION address
		 * of the key to search the SPD because the direction of policy
		 * is inbound.
		 * The copy is bounded by sysdep_sa_len() of the source;
		 * presumably that never exceeds sizeof(spidx.dst) — confirm.
		 */
		memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
		switch (spidx.dst.ss_family) {
		case AF_INET:
		{
			struct sockaddr_in *s = (struct sockaddr_in *)&spidx.dst;
			spidx.prefd = sizeof(struct in_addr) << 3;
			/* port must not take part in the SPD match. */
			s->sin_port = htons(0);
		}
			break;
#ifdef INET6
		case AF_INET6:
			spidx.prefd = sizeof(struct in6_addr) << 3;
			break;
#endif
		default:
			spidx.prefd = 0;
			break;
		}
	}

	/* make source address in spidx */
	if (iph2->id_p != NULL
	 && use_remote_addr == 0
	 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
		/* get a source address of inbound SA */
		error = ipsecdoi_id2sockaddr(iph2->id_p,
				(struct sockaddr *)&spidx.src,
				&spidx.prefs, &spidx.ul_proto);
		if (error)
			return error;

#ifdef INET6
		/*
		 * get scopeid from the SA address.
		 * for more detail, see above of this function.
		 */
		if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
			error = setscopeid((struct sockaddr *)&spidx.src,
					iph2->dst);
			if (error)
				return error;
		}
#endif

		/*
		 * make id[src,dst] if both ID types are IP address and same.
		 * NOTE(review): if the second dupsaddr() fails, iph2->src_id
		 * stays allocated; presumably the handle teardown frees it.
		 */
		if (_XIDT(iph2->id_p) == idi2type
		 && spidx.dst.ss_family == spidx.src.ss_family) {
			iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst);
			if (iph2->src_id == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
				    "buffer allocation failed.\n");
				return ISAKMP_INTERNAL_ERROR;
			}
			iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src);
			if (iph2->dst_id == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
				    "buffer allocation failed.\n");
				return ISAKMP_INTERNAL_ERROR;
			}
		}

	} else {
		plog(LLV_DEBUG, LOCATION, NULL,
			"get a source address of SP index "
			"from phase1 address "
			"due to no ID payloads found "
			"OR because ID type is not address.\n");

		/* see above comment. */
		memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
		switch (spidx.src.ss_family) {
		case AF_INET:
		{
			struct sockaddr_in *s = (struct sockaddr_in *)&spidx.src;
			spidx.prefs = sizeof(struct in_addr) << 3;
			s->sin_port = htons(0);
		}
			break;
#ifdef INET6
		case AF_INET6:
			spidx.prefs = sizeof(struct in6_addr) << 3;
			break;
#endif
		default:
			spidx.prefs = 0;
			break;
		}
	}

#undef _XIDT

	plog(LLV_DEBUG, LOCATION, NULL,
		"get a src address from ID payload "
		"%s prefixlen=%u ul_proto=%u\n",
		saddr2str((struct sockaddr *)&spidx.src),
		spidx.prefs, spidx.ul_proto);
	plog(LLV_DEBUG, LOCATION, NULL,
		"get dst address from ID payload "
		"%s prefixlen=%u ul_proto=%u\n",
		saddr2str((struct sockaddr *)&spidx.dst),
		spidx.prefd, spidx.ul_proto);

	/*
	 * convert the ul_proto if it is 0
	 * because 0 in ID payload means a wild card.
	 */
	if (spidx.ul_proto == 0)
		spidx.ul_proto = IPSEC_ULPROTO_ANY;

	/*
	 * get inbound policy.  With gen_policy a missing or
	 * IPSEC_POLICY_GENERATE entry is not an error: the key is saved in
	 * iph2->spidx_gen so a policy can be generated from the peer's
	 * selectors.  Without gen_policy a missing policy is fatal.
	 */
	sp_in = getsp_r(&spidx);
	if (sp_in == NULL || sp_in->policy == IPSEC_POLICY_GENERATE) {
		if (iph2->ph1->rmconf->gen_policy) {
			if (sp_in)
				plog(LLV_INFO, LOCATION, NULL,
					 "Update the generated policy : %s\n",
					 spidx2str(&spidx));
			else
				plog(LLV_INFO, LOCATION, NULL,
					 "no policy found, "
					 "try to generate the policy : %s\n",
					 spidx2str(&spidx));
			iph2->spidx_gen = racoon_malloc(sizeof(spidx));
			if (!iph2->spidx_gen) {
				plog(LLV_ERROR, LOCATION, NULL,
					"buffer allocation failed.\n");
				return ISAKMP_INTERNAL_ERROR;
			}
			memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
			generated_policy_exit_early = 1;	/* special value */
		} else {
			plog(LLV_ERROR, LOCATION, NULL,
				"no policy found: %s\n", spidx2str(&spidx));
			return ISAKMP_INTERNAL_ERROR;
		}
	} else {
		/* Refresh existing generated policies
		 */
		if (iph2->ph1->rmconf->gen_policy) {
			plog(LLV_INFO, LOCATION, NULL,
				 "Update the generated policy : %s\n",
				 spidx2str(&spidx));
			iph2->spidx_gen = racoon_malloc(sizeof(spidx));
			if (!iph2->spidx_gen) {
				plog(LLV_ERROR, LOCATION, NULL,
					"buffer allocation failed.\n");
				return ISAKMP_INTERNAL_ERROR;
			}
			memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
		}
	}

	/* get outbound policy: same key with src/dst and prefixes swapped. */
	{
		struct sockaddr_storage addr;
		u_int8_t pref;

		spidx.dir = IPSEC_DIR_OUTBOUND;
		addr = spidx.src;
		spidx.src = spidx.dst;
		spidx.dst = addr;
		pref = spidx.prefs;
		spidx.prefs = spidx.prefd;
		spidx.prefd = pref;

		sp_out = getsp_r(&spidx);
		if (!sp_out) {
			/* a missing outbound policy is only a warning here. */
			plog(LLV_WARNING, LOCATION, NULL,
				"no outbound policy found: %s\n",
				spidx2str(&spidx));
		} else {

			if (!iph2->spid) {
				iph2->spid = sp_out->id;
			}
		}
	}

	plog(LLV_DEBUG, LOCATION, NULL,
		"suitable SP found:%s\n", spidx2str(&spidx));

	/* Always taken as written (see the declaration above). */
	if (generated_policy_exit_early) {
		return -2;
	}

	/*
	 * In the responder side, the inbound policy should be using IPsec.
	 * outbound policy is not checked currently.
	 * NOTE(review): if the early return above were ever removed, sp_in
	 * can be NULL here on the gen_policy path and this would dereference it.
	 */
	if (sp_in->policy != IPSEC_POLICY_IPSEC) {
		plog(LLV_ERROR, LOCATION, NULL,
			"policy found, but no IPsec required: %s\n",
			spidx2str(&spidx));
		return ISAKMP_INTERNAL_ERROR;
	}

	/* set new proposal derived from a policy into the iph2->proposal. */
	if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to create saprop.\n");
		return ISAKMP_INTERNAL_ERROR;
	}

	return 0;
}