]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_quick.c
projects / apple / ipsec.git / blob
? search:


871072ced8a2dbf5e1c11085aa1b5c6b15f5e3ce
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_quick.c
1 /* $NetBSD: isakmp_quick.c,v 1.11.4.1 2007/08/01 11:52:21 vanhu Exp $ */
2
3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39
40 #include <netinet/in.h>
41
42 #include <stdlib.h>
43 #include <stdio.h>
44 #include <string.h>
45 #include <errno.h>
46 #if TIME_WITH_SYS_TIME
47 # include <sys/time.h>
48 # include <time.h>
49 #else
50 # if HAVE_SYS_TIME_H
51 # include <sys/time.h>
52 # else
53 # include <time.h>
54 # endif
55 #endif
56 #ifdef ENABLE_HYBRID
57 #include <resolv.h>
58 #endif
59
60 #ifndef HAVE_NETINET6_IPSEC
61 #include <netinet/ipsec.h>
62 #else
63 #include <netinet6/ipsec.h>
64 #endif
65
66 #include "var.h"
67 #include "vmbuf.h"
68 #include "schedule.h"
69 #include "misc.h"
70 #include "plog.h"
71 #include "debug.h"
72
73 #include "localconf.h"
74 #include "remoteconf.h"
75 #include "handler.h"
76 #include "policy.h"
77 #include "proposal.h"
78 #include "isakmp_var.h"
79 #include "isakmp.h"
80 #include "isakmp_inf.h"
81 #include "isakmp_quick.h"
82 #include "oakley.h"
83 #include "ipsec_doi.h"
84 #include "crypto_openssl.h"
85 #include "pfkey.h"
86 #include "policy.h"
87 #include "algorithm.h"
88 #include "sockmisc.h"
89 #include "proposal.h"
90 #include "sainfo.h"
91 #include "admin.h"
92 #include "strnames.h"
93 #include "nattraversal.h"
94 #include "ipsecSessionTracer.h"
95 #include "ipsecMessageTracer.h"
96
97 /* quick mode */
98 static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
99 static int get_sainfo_r __P((struct ph2handle *));
100 static int get_proposal_r __P((struct ph2handle *));
101 static int get_proposal_r_remote __P((struct ph2handle *, int));
102
103 /* \f%%%
104 * Quick Mode
105 */
106 /*
107 * begin Quick Mode as initiator. send pfkey getspi message to kernel.
108 */
109 int
110 quick_i1prep(iph2, msg)
111 struct ph2handle *iph2;
112 vchar_t *msg; /* must be null pointer */
113 {
114 int error = ISAKMP_INTERNAL_ERROR;
115
116 /* validity check */
117 if (iph2->status != PHASE2ST_STATUS2) {
118 plog(LLV_ERROR, LOCATION, NULL,
119 "status mismatched %d.\n", iph2->status);
120 goto end;
121 }
122
123 iph2->msgid = isakmp_newmsgid2(iph2->ph1);
124 if (iph2->ivm != NULL)
125 oakley_delivm(iph2->ivm);
126 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
127 if (iph2->ivm == NULL)
128 return 0;
129
130 iph2->status = PHASE2ST_GETSPISENT;
131
132 /* don't anything if local test mode. */
133 if (f_local) {
134 error = 0;
135 goto end;
136 }
137
138 /* send getspi message */
139 if (pk_sendgetspi(iph2) < 0) {
140 plog(LLV_ERROR, LOCATION, NULL,
141 "failed to send getspi message");
142 goto end;
143 }
144
145 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
146
147 iph2->sce = sched_new(lcconf->wait_ph2complete,
148 pfkey_timeover_stub, iph2);
149
150 error = 0;
151
152 end:
153 return error;
154 }
155
156 /*
157 * send to responder
158 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
159 */
160 int
161 quick_i1send(iph2, msg)
162 struct ph2handle *iph2;
163 vchar_t *msg; /* must be null pointer */
164 {
165 vchar_t *body = NULL;
166 vchar_t *hash = NULL;
167 #ifdef ENABLE_NATT
168 vchar_t *natoa_i = NULL;
169 vchar_t *natoa_r = NULL;
170 #endif /* ENABLE_NATT */
171 int natoa_type = 0;
172 struct isakmp_gen *gen;
173 char *p;
174 int tlen;
175 int error = ISAKMP_INTERNAL_ERROR;
176 int pfsgroup, idci, idcr;
177 int np;
178 struct ipsecdoi_id_b *id, *id_p;
179
180 /* validity check */
181 if (msg != NULL) {
182 plog(LLV_ERROR, LOCATION, NULL,
183 "msg has to be NULL in this function.\n");
184 goto end;
185 }
186 if (iph2->status != PHASE2ST_GETSPIDONE) {
187 plog(LLV_ERROR, LOCATION, NULL,
188 "status mismatched %d.\n", iph2->status);
189 goto end;
190 }
191
192 /* create SA payload for my proposal */
193 if (ipsecdoi_setph2proposal(iph2) < 0) {
194 plog(LLV_ERROR, LOCATION, NULL,
195 "failed to set proposal");
196 goto end;
197 }
198
199 /* generate NONCE value */
200 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
201 if (iph2->nonce == NULL) {
202 plog(LLV_ERROR, LOCATION, NULL,
203 "failed to generate NONCE");
204 goto end;
205 }
206
207 /*
208 * DH value calculation is kicked out into cfparse.y.
209 * because pfs group can not be negotiated, it's only to be checked
210 * acceptable.
211 */
212 /* generate KE value if need */
213 pfsgroup = iph2->proposal->pfs_group;
214 if (pfsgroup) {
215 /* DH group settting if PFS is required. */
216 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
217 plog(LLV_ERROR, LOCATION, NULL,
218 "failed to set DH value.\n");
219 goto end;
220 }
221 if (oakley_dh_generate(iph2->pfsgrp,
222 &iph2->dhpub, &iph2->dhpriv) < 0) {
223 plog(LLV_ERROR, LOCATION, NULL,
224 "failed to generate DH");
225 goto end;
226 }
227 }
228
229 /* generate ID value */
230 if (ipsecdoi_setid2(iph2) < 0) {
231 plog(LLV_ERROR, LOCATION, NULL,
232 "failed to get ID.\n");
233 goto end;
234 }
235 plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n");
236 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
237 plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n");
238 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
239
240 /*
241 * we do not attach IDci nor IDcr, under the following condition:
242 * - all proposals are transport mode
243 * - no MIP6 or proxy
244 * - id payload suggests to encrypt all the traffic (no specific
245 * protocol type)
246 */
247 id = (struct ipsecdoi_id_b *)iph2->id->v;
248 id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
249 if (id->proto_id == 0
250 && id_p->proto_id == 0
251 && iph2->ph1->rmconf->support_proxy == 0
252 && ipsecdoi_transportmode(iph2->proposal)) {
253 idci = idcr = 0;
254 } else
255 idci = idcr = 1;
256
257 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
258 tlen = + sizeof(*gen) + iph2->sa->l
259 + sizeof(*gen) + iph2->nonce->l;
260 if (pfsgroup)
261 tlen += (sizeof(*gen) + iph2->dhpub->l);
262 if (idci)
263 tlen += sizeof(*gen) + iph2->id->l;
264 if (idcr)
265 tlen += sizeof(*gen) + iph2->id_p->l;
266
267 #ifdef ENABLE_NATT
268 /*
269 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport
270 * we should send NAT-OA
271 */
272 if (ipsecdoi_any_transportmode(iph2->proposal)
273 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
274 natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
275 if (natoa_type == -1) {
276 plog(LLV_ERROR, LOCATION, NULL,
277 "failed to generate NAT-OA payload.\n");
278 goto end;
279 } else if (natoa_type != 0) {
280 tlen += sizeof(*gen) + natoa_i->l;
281 tlen += sizeof(*gen) + natoa_r->l;
282
283 plog(LLV_DEBUG, LOCATION, NULL, "initiator send NAT-OAi:\n");
284 plogdump(LLV_DEBUG, natoa_i->v, natoa_i->l);
285 plog(LLV_DEBUG, LOCATION, NULL, "initiator send NAT-OAr:\n");
286 plogdump(LLV_DEBUG, natoa_r->v, natoa_r->l);
287 }
288 }
289 #endif
290
291 body = vmalloc(tlen);
292 if (body == NULL) {
293 plog(LLV_ERROR, LOCATION, NULL,
294 "failed to get buffer to send.\n");
295 goto end;
296 }
297
298 p = body->v;
299
300 /* add SA payload */
301 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);
302
303 /* add NONCE payload */
304 if (pfsgroup)
305 np = ISAKMP_NPTYPE_KE;
306 else if (idci || idcr)
307 np = ISAKMP_NPTYPE_ID;
308 else
309 np = (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
310 p = set_isakmp_payload(p, iph2->nonce, np);
311
312 /* add KE payload if need. */
313 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
314 if (pfsgroup)
315 p = set_isakmp_payload(p, iph2->dhpub, np);
316
317 /* IDci */
318 np = (idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
319 if (idci)
320 p = set_isakmp_payload(p, iph2->id, np);
321
322 /* IDcr */
323 if (idcr)
324 p = set_isakmp_payload(p, iph2->id_p, natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
325
326 /* natoa */
327 if (natoa_type) {
328 p = set_isakmp_payload(p, natoa_i, natoa_type);
329 p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
330 }
331
332 /* generate HASH(1) */
333 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
334 if (hash == NULL) {
335 plog(LLV_ERROR, LOCATION, NULL,
336 "failed to compute HASH");
337 goto end;
338 }
339
340 /* send isakmp payload */
341 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
342 if (iph2->sendbuf == NULL) {
343 plog(LLV_ERROR, LOCATION, NULL,
344 "failed to get send buffer");
345 goto end;
346 }
347
348 /* send the packet, add to the schedule to resend */
349 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
350 if (isakmp_ph2resend(iph2) == -1) {
351 plog(LLV_ERROR, LOCATION, NULL,
352 "failed to send packet");
353 goto end;
354 }
355
356 /* change status of isakmp status entry */
357 iph2->status = PHASE2ST_MSG1SENT;
358
359 error = 0;
360
361 IPSECSESSIONTRACEREVENT(iph2->parent_session,
362 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
363 CONSTSTR("Initiator, Quick-Mode message 1"),
364 CONSTSTR(NULL));
365
366 end:
367 if (error) {
368 IPSECSESSIONTRACEREVENT(iph2->parent_session,
369 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
370 CONSTSTR("Initiator, Quick-Mode Message 1"),
371 CONSTSTR("Failed to transmit Quick-Mode Message 1"));
372 }
373 if (body != NULL)
374 vfree(body);
375 if (hash != NULL)
376 vfree(hash);
377 #ifdef ENABLE_NATT
378 if (natoa_i)
379 vfree(natoa_i);
380 if (natoa_r)
381 vfree(natoa_r);
382 #endif /* ENABLE_NATT */
383
384 return error;
385 }
386
387 /*
388 * receive from responder
389 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
390 */
391 int
392 quick_i2recv(iph2, msg0)
393 struct ph2handle *iph2;
394 vchar_t *msg0;
395 {
396 vchar_t *msg = NULL;
397 vchar_t *hbuf = NULL; /* for hash computing. */
398 vchar_t *pbuf = NULL; /* for payload parsing */
399 struct isakmp_parse_t *pa;
400 struct isakmp *isakmp = (struct isakmp *)msg0->v;
401 struct isakmp_pl_hash *hash = NULL;
402 int f_id;
403 char *p;
404 int tlen;
405 int error = ISAKMP_INTERNAL_ERROR;
406 struct sockaddr *natoa_i = NULL;
407 struct sockaddr *natoa_r = NULL;
408
409 /* validity check */
410 if (iph2->status != PHASE2ST_MSG1SENT) {
411 plog(LLV_ERROR, LOCATION, NULL,
412 "status mismatched %d.\n", iph2->status);
413 goto end;
414 }
415
416 /* decrypt packet */
417 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
418 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
419 "Packet wasn't encrypted.\n");
420 goto end;
421 }
422 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
423 if (msg == NULL) {
424 plog(LLV_ERROR, LOCATION, NULL,
425 "failed to decrypt");
426 goto end;
427 }
428
429 /* create buffer for validating HASH(2) */
430 /*
431 * ordering rule:
432 * 1. the first one must be HASH
433 * 2. the second one must be SA (added in isakmp-oakley-05!)
434 * 3. two IDs must be considered as IDci, then IDcr
435 */
436 pbuf = isakmp_parse(msg);
437 if (pbuf == NULL) {
438 plog(LLV_ERROR, LOCATION, NULL,
439 "failed to parse msg");
440 goto end;
441 }
442 pa = (struct isakmp_parse_t *)pbuf->v;
443
444 /* HASH payload is fixed postion */
445 if (pa->type != ISAKMP_NPTYPE_HASH) {
446 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
447 "received invalid next payload type %d, "
448 "expecting %d.\n",
449 pa->type, ISAKMP_NPTYPE_HASH);
450 goto end;
451 }
452 hash = (struct isakmp_pl_hash *)pa->ptr;
453 pa++;
454
455 /*
456 * this restriction was introduced in isakmp-oakley-05.
457 * we do not check this for backward compatibility.
458 * TODO: command line/config file option to enable/disable this code
459 */
460 /* HASH payload is fixed postion */
461 if (pa->type != ISAKMP_NPTYPE_SA) {
462 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
463 "received invalid next payload type %d, "
464 "expecting %d.\n",
465 pa->type, ISAKMP_NPTYPE_HASH);
466 }
467
468 /* allocate buffer for computing HASH(2) */
469 tlen = iph2->nonce->l
470 + ntohl(isakmp->len) - sizeof(*isakmp);
471 hbuf = vmalloc(tlen);
472 if (hbuf == NULL) {
473 plog(LLV_ERROR, LOCATION, NULL,
474 "failed to get hash buffer.\n");
475 goto end;
476 }
477 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */
478
479 /*
480 * parse the payloads.
481 * copy non-HASH payloads into hbuf, so that we can validate HASH.
482 */
483 iph2->sa_ret = NULL;
484 f_id = 0; /* flag to use checking ID */
485 tlen = 0; /* count payload length except of HASH payload. */
486 for (; pa->type; pa++) {
487
488 /* copy to buffer for HASH */
489 /* Don't modify the payload */
490 memcpy(p, pa->ptr, pa->len);
491
492 switch (pa->type) {
493 case ISAKMP_NPTYPE_SA:
494 if (iph2->sa_ret != NULL) {
495 plog(LLV_ERROR, LOCATION, NULL,
496 "Ignored, multiple SA "
497 "isn't supported.\n");
498 break;
499 }
500 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
501 plog(LLV_ERROR, LOCATION, NULL,
502 "failed to process SA payload");
503 goto end;
504 }
505 break;
506
507 case ISAKMP_NPTYPE_NONCE:
508 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
509 plog(LLV_ERROR, LOCATION, NULL,
510 "failed to process NONCE payload");
511 goto end;
512 }
513 break;
514
515 case ISAKMP_NPTYPE_KE:
516 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
517 plog(LLV_ERROR, LOCATION, NULL,
518 "failed to process KE payload");
519 goto end;
520 }
521 break;
522
523 case ISAKMP_NPTYPE_ID:
524 {
525 vchar_t *vp;
526
527 /* check ID value */
528 if (f_id == 0) {
529 /* for IDci */
530 vp = iph2->id;
531 } else {
532 /* for IDcr */
533 vp = iph2->id_p;
534 }
535
536 /* These ids may not match when natt is used with some devices.
537 * RFC 2407 says that the protocol and port fields should be ignored
538 * if they are zero, therefore they need to be checked individually.
539 */
540 struct ipsecdoi_id_b *id_ptr = (struct ipsecdoi_id_b *)vp->v;
541 struct ipsecdoi_pl_id *idp_ptr = (struct ipsecdoi_pl_id *)pa->ptr;
542
543 if (id_ptr->type != idp_ptr->b.type
544 || (idp_ptr->b.proto_id != 0 && idp_ptr->b.proto_id != id_ptr->proto_id)
545 || (idp_ptr->b.port != 0 && idp_ptr->b.port != id_ptr->port)
546 || memcmp(vp->v + sizeof(struct ipsecdoi_id_b), (caddr_t)pa->ptr + sizeof(struct ipsecdoi_pl_id),
547 vp->l - sizeof(struct ipsecdoi_id_b))) {
548 // to support servers that use our external nat address as our ID
549 if (iph2->ph1->natt_flags & NAT_DETECTED) {
550 plog(LLV_WARNING, LOCATION, NULL,
551 "mismatched ID was returned - ignored because nat traversal is being used.\n");
552 /* If I'm behind a nat and the ID is type address - save the address
553 * and port for when the peer rekeys.
554 */
555 if (f_id == 0 && (iph2->ph1->natt_flags & NAT_DETECTED_ME)) {
556 if (lcconf->ext_nat_id)
557 vfree(lcconf->ext_nat_id);
558 lcconf->ext_nat_id = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
559 if (lcconf->ext_nat_id == NULL) {
560 plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating external nat id.\n");
561 goto end;
562 }
563 memcpy(lcconf->ext_nat_id->v, &(idp_ptr->b), lcconf->ext_nat_id->l);
564 if (iph2->ext_nat_id)
565 vfree(iph2->ext_nat_id);
566 iph2->ext_nat_id = vdup(lcconf->ext_nat_id);
567 if (iph2->ext_nat_id == NULL) {
568 plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating ph2's external nat id.\n");
569 goto end;
570 }
571 plog(LLV_DEBUG, LOCATION, NULL, "external nat address saved.\n");
572 plogdump(LLV_DEBUG, iph2->ext_nat_id->v, iph2->ext_nat_id->l);
573 } else if (f_id && (iph2->ph1->natt_flags & NAT_DETECTED_PEER)) {
574 if (iph2->ext_nat_id_p)
575 vfree(iph2->ext_nat_id_p);
576 iph2->ext_nat_id_p = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
577 if (iph2->ext_nat_id_p == NULL) {
578 plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating peers ph2's external nat id.\n");
579 goto end;
580 }
581 memcpy(iph2->ext_nat_id_p->v, &(idp_ptr->b), iph2->ext_nat_id_p->l);
582 plog(LLV_DEBUG, LOCATION, NULL, "peer's external nat address saved.\n");
583 plogdump(LLV_DEBUG, iph2->ext_nat_id_p->v, iph2->ext_nat_id_p->l);
584 }
585 } else {
586 plog(LLV_ERROR, LOCATION, NULL, "mismatched ID was returned.\n");
587 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
588 goto end;
589 }
590 }
591 if (f_id == 0)
592 f_id = 1;
593 }
594 break;
595
596 case ISAKMP_NPTYPE_N:
597 isakmp_check_ph2_notify(pa->ptr, iph2);
598 break;
599
600 #ifdef ENABLE_NATT
601 case ISAKMP_NPTYPE_NATOA_DRAFT:
602 case ISAKMP_NPTYPE_NATOA_BADDRAFT:
603 case ISAKMP_NPTYPE_NATOA_RFC:
604 {
605 vchar_t *vp = NULL;
606 struct sockaddr *daddr;
607
608 isakmp_p2ph(&vp, pa->ptr);
609
610 if (vp) {
611 daddr = process_natoa_payload(vp);
612 if (daddr) {
613 if (natoa_i == NULL) {
614 natoa_i = daddr;
615 plog(LLV_DEBUG, LOCATION, NULL, "initiaor rcvd NAT-OA i: %s\n",
616 saddr2str(natoa_i));
617 } else if (natoa_r == NULL) {
618 natoa_r = daddr;
619 plog(LLV_DEBUG, LOCATION, NULL, "initiator rcvd NAT-OA r: %s\n",
620 saddr2str(natoa_r));
621 } else {
622 racoon_free(daddr);
623 }
624 }
625 vfree(vp);
626 }
627
628 }
629 break;
630 #endif
631
632 default:
633 /* don't send information, see ident_r1recv() */
634 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
635 "ignore the packet, "
636 "received unexpecting payload type %d.\n",
637 pa->type);
638 goto end;
639 }
640
641 p += pa->len;
642
643 /* compute true length of payload. */
644 tlen += pa->len;
645 }
646
647 /* payload existency check */
648 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
649 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
650 "few isakmp message received.\n");
651 goto end;
652 }
653
654 /* Fixed buffer for calculating HASH */
655 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
656 plog(LLV_DEBUG, LOCATION, NULL,
657 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
658 hbuf->l, tlen + iph2->nonce->l);
659 /* adjust buffer length for HASH */
660 hbuf->l = iph2->nonce->l + tlen;
661
662 /* validate HASH(2) */
663 {
664 char *r_hash;
665 vchar_t *my_hash = NULL;
666 int result;
667
668 r_hash = (char *)hash + sizeof(*hash);
669
670 plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:");
671 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
672
673 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
674 if (my_hash == NULL) {
675 plog(LLV_ERROR, LOCATION, NULL,
676 "failed to compute HASH");
677 goto end;
678 }
679
680 result = memcmp(my_hash->v, r_hash, my_hash->l);
681 vfree(my_hash);
682
683 if (result) {
684 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
685 "HASH(2) mismatch.\n");
686 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
687 goto end;
688 }
689 }
690
691 /* validity check SA payload sent from responder */
692 if (ipsecdoi_checkph2proposal(iph2) < 0) {
693 plog(LLV_ERROR, LOCATION, NULL,
694 "failed to validate SA proposal");
695 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
696 goto end;
697 }
698
699 /* change status of isakmp status entry */
700 iph2->status = PHASE2ST_STATUS6;
701
702 error = 0;
703
704 IPSECSESSIONTRACEREVENT(iph2->parent_session,
705 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
706 CONSTSTR("Initiator, Quick-Mode message 2"),
707 CONSTSTR(NULL));
708
709 end:
710 if (error) {
711 IPSECSESSIONTRACEREVENT(iph2->parent_session,
712 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
713 CONSTSTR("Initiator, Quick-Mode Message 2"),
714 CONSTSTR("Failed to process Quick-Mode Message 2 "));
715 }
716 if (hbuf)
717 vfree(hbuf);
718 if (pbuf)
719 vfree(pbuf);
720 if (msg)
721 vfree(msg);
722
723 #ifdef ENABLE_NATT
724 if (natoa_i) {
725 racoon_free(natoa_i);
726 }
727 if (natoa_r) {
728 racoon_free(natoa_r);
729 }
730 #endif
731
732 if (error) {
733 VPTRINIT(iph2->sa_ret);
734 VPTRINIT(iph2->nonce_p);
735 VPTRINIT(iph2->dhpub_p);
736 VPTRINIT(iph2->id);
737 VPTRINIT(iph2->id_p);
738 }
739
740 return error;
741 }
742
743 /*
744 * send to responder
745 * HDR*, HASH(3)
746 */
747 int
748 quick_i2send(iph2, msg0)
749 struct ph2handle *iph2;
750 vchar_t *msg0;
751 {
752 vchar_t *msg = NULL;
753 vchar_t *buf = NULL;
754 vchar_t *hash = NULL;
755 char *p = NULL;
756 int tlen;
757 int error = ISAKMP_INTERNAL_ERROR;
758 int packet_error = -1;
759
760 /* validity check */
761 if (iph2->status != PHASE2ST_STATUS6) {
762 plog(LLV_ERROR, LOCATION, NULL,
763 "status mismatched %d.\n", iph2->status);
764 goto end;
765 }
766
767 /* generate HASH(3) */
768 {
769 vchar_t *tmp = NULL;
770
771 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n");
772
773 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
774 if (tmp == NULL) {
775 plog(LLV_ERROR, LOCATION, NULL,
776 "failed to get hash buffer.\n");
777 goto end;
778 }
779 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
780 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);
781
782 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
783 vfree(tmp);
784
785 if (hash == NULL) {
786 plog(LLV_ERROR, LOCATION, NULL,
787 "failed to compute HASH");
788 goto end;
789 }
790 }
791
792 /* create buffer for isakmp payload */
793 tlen = sizeof(struct isakmp)
794 + sizeof(struct isakmp_gen) + hash->l;
795 buf = vmalloc(tlen);
796 if (buf == NULL) {
797 plog(LLV_ERROR, LOCATION, NULL,
798 "failed to get buffer to send.\n");
799 goto end;
800 }
801
802 /* create isakmp header */
803 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
804 if (p == NULL) {
805 plog(LLV_ERROR, LOCATION, NULL,
806 "failed to create ISAKMP header");
807 goto end;
808 }
809
810 /* add HASH(3) payload */
811 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);
812
813 #ifdef HAVE_PRINT_ISAKMP_C
814 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
815 #endif
816
817 /* encoding */
818 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
819 if (iph2->sendbuf == NULL) {
820 plog(LLV_ERROR, LOCATION, NULL,
821 "failed to encrypt packet");
822 goto end;
823 }
824
825 /* if there is commit bit, need resending */
826 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
827 /* send the packet, add to the schedule to resend */
828 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
829 if (isakmp_ph2resend(iph2) == -1) {
830 plog(LLV_ERROR, LOCATION, NULL,
831 "failed to send packet, commit-bit");
832 goto end;
833 }
834 } else {
835 /* send the packet */
836 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
837 plog(LLV_ERROR, LOCATION, NULL,
838 "failed to send packet");
839 goto end;
840 }
841 }
842
843 /* the sending message is added to the received-list. */
844 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
845 iph2->sendbuf, msg0,
846 PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
847 plog(LLV_ERROR , LOCATION, NULL,
848 "failed to add a response packet to the tree.\n");
849 goto end;
850 }
851
852 IPSECSESSIONTRACEREVENT(iph2->parent_session,
853 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
854 CONSTSTR("Initiator, Quick-Mode message 3"),
855 CONSTSTR(NULL));
856 packet_error = 0;
857
858 /* compute both of KEYMATs */
859 if (oakley_compute_keymat(iph2, INITIATOR) < 0) {
860 plog(LLV_ERROR, LOCATION, NULL,
861 "failed to compute KEYMAT");
862 goto end;
863 }
864
865 iph2->status = PHASE2ST_ADDSA;
866
867 /* don't anything if local test mode. */
868 if (f_local) {
869 error = 0;
870 goto end;
871 }
872
873 /* if there is commit bit don't set up SA now. */
874 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
875 iph2->status = PHASE2ST_COMMIT;
876 error = 0;
877 goto end;
878 }
879
880 /* Do UPDATE for initiator */
881 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
882 if (pk_sendupdate(iph2) < 0) {
883 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
884 goto end;
885 }
886 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
887
888 /* Do ADD for responder */
889 if (pk_sendadd(iph2) < 0) {
890 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
891 goto end;
892 }
893 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
894
895 error = 0;
896
897 end:
898 if (packet_error) {
899 IPSECSESSIONTRACEREVENT(iph2->parent_session,
900 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
901 CONSTSTR("Initiator, Quick-Mode Message 3"),
902 CONSTSTR("Failed to transmit Quick-Mode Message 3"));
903 }
904 if (buf != NULL)
905 vfree(buf);
906 if (msg != NULL)
907 vfree(msg);
908 if (hash != NULL)
909 vfree(hash);
910
911 return error;
912 }
913
914 /*
915 * receive from responder
916 * HDR#*, HASH(4), notify
917 */
918 int
919 quick_i3recv(iph2, msg0)
920 struct ph2handle *iph2;
921 vchar_t *msg0;
922 {
923 vchar_t *msg = NULL;
924 vchar_t *pbuf = NULL; /* for payload parsing */
925 struct isakmp_parse_t *pa;
926 struct isakmp_pl_hash *hash = NULL;
927 vchar_t *notify = NULL;
928 int error = ISAKMP_INTERNAL_ERROR;
929 int packet_error = -1;
930
931 /* validity check */
932 if (iph2->status != PHASE2ST_COMMIT) {
933 plog(LLV_ERROR, LOCATION, NULL,
934 "status mismatched %d.\n", iph2->status);
935 goto end;
936 }
937
938 /* decrypt packet */
939 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
940 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
941 "Packet wasn't encrypted.\n");
942 goto end;
943 }
944 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
945 if (msg == NULL) {
946 plog(LLV_ERROR, LOCATION, NULL,
947 "failed to decrypt packet");
948 goto end;
949 }
950
951 /* validate the type of next payload */
952 pbuf = isakmp_parse(msg);
953 if (pbuf == NULL) {
954 plog(LLV_ERROR, LOCATION, NULL,
955 "failed to parse msg");
956 goto end;
957 }
958
959 for (pa = (struct isakmp_parse_t *)pbuf->v;
960 pa->type != ISAKMP_NPTYPE_NONE;
961 pa++) {
962
963 switch (pa->type) {
964 case ISAKMP_NPTYPE_HASH:
965 hash = (struct isakmp_pl_hash *)pa->ptr;
966 break;
967 case ISAKMP_NPTYPE_N:
968 if (notify != NULL) {
969 plog(LLV_WARNING, LOCATION, NULL,
970 "Ignoring multiple notifications\n");
971 break;
972 }
973 isakmp_check_ph2_notify(pa->ptr, iph2);
974 notify = vmalloc(pa->len);
975 if (notify == NULL) {
976 plog(LLV_ERROR, LOCATION, NULL,
977 "failed to get notify buffer.\n");
978 goto end;
979 }
980 memcpy(notify->v, pa->ptr, notify->l);
981 break;
982 default:
983 /* don't send information, see ident_r1recv() */
984 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
985 "ignore the packet, "
986 "received unexpecting payload type %d.\n",
987 pa->type);
988 goto end;
989 }
990 }
991
992 /* payload existency check */
993 if (hash == NULL) {
994 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
995 "few isakmp message received.\n");
996 goto end;
997 }
998
999 /* validate HASH(4) */
1000 {
1001 char *r_hash;
1002 vchar_t *my_hash = NULL;
1003 vchar_t *tmp = NULL;
1004 int result;
1005
1006 r_hash = (char *)hash + sizeof(*hash);
1007
1008 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:");
1009 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1010
1011 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1012 vfree(tmp);
1013 if (my_hash == NULL) {
1014 plog(LLV_ERROR, LOCATION, NULL,
1015 "failed to compute HASH");
1016 goto end;
1017 }
1018
1019 result = memcmp(my_hash->v, r_hash, my_hash->l);
1020 vfree(my_hash);
1021
1022 if (result) {
1023 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1024 "HASH(4) mismatch.\n");
1025 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1026 goto end;
1027 }
1028 }
1029
1030 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1031 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1032 CONSTSTR("Initiator, Quick-Mode message 4"),
1033 CONSTSTR(NULL));
1034 packet_error = 0;
1035
1036 iph2->status = PHASE2ST_ADDSA;
1037 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1038
1039 /* don't anything if local test mode. */
1040 if (f_local) {
1041 error = 0;
1042 goto end;
1043 }
1044
1045 /* Do UPDATE for initiator */
1046 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
1047 if (pk_sendupdate(iph2) < 0) {
1048 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
1049 goto end;
1050 }
1051 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
1052
1053 /* Do ADD for responder */
1054 if (pk_sendadd(iph2) < 0) {
1055 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
1056 goto end;
1057 }
1058 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
1059
1060 error = 0;
1061
1062 end:
1063 if (packet_error) {
1064 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1065 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1066 CONSTSTR("Initiator, Quick-Mode Message 4"),
1067 CONSTSTR("Failed to process Quick-Mode Message 4"));
1068 }
1069 if (msg != NULL)
1070 vfree(msg);
1071 if (pbuf != NULL)
1072 vfree(pbuf);
1073 if (notify != NULL)
1074 vfree(notify);
1075
1076 return error;
1077 }
1078
1079 /*
1080 * receive from initiator
1081 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1082 */
1083 int
1084 quick_r1recv(iph2, msg0)
1085 struct ph2handle *iph2;
1086 vchar_t *msg0;
1087 {
1088 vchar_t *msg = NULL;
1089 vchar_t *hbuf = NULL; /* for hash computing. */
1090 vchar_t *pbuf = NULL; /* for payload parsing */
1091 struct isakmp_parse_t *pa;
1092 struct isakmp *isakmp = (struct isakmp *)msg0->v;
1093 struct isakmp_pl_hash *hash = NULL;
1094 char *p;
1095 int tlen;
1096 int f_id_order; /* for ID payload detection */
1097 int error = ISAKMP_INTERNAL_ERROR;
1098 struct sockaddr *natoa_i = NULL;
1099 struct sockaddr *natoa_r = NULL;
1100
1101 /* validity check */
1102 if (iph2->status != PHASE2ST_START) {
1103 plog(LLV_ERROR, LOCATION, NULL,
1104 "status mismatched %d.\n", iph2->status);
1105 goto end;
1106 }
1107
1108 /* decrypting */
1109 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1110 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1111 "Packet wasn't encrypted.\n");
1112 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1113 goto end;
1114 }
1115 /* decrypt packet */
1116 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1117 if (msg == NULL) {
1118 plog(LLV_ERROR, LOCATION, NULL,
1119 "failed to decrypt packet");
1120 goto end;
1121 }
1122
1123 /* create buffer for using to validate HASH(1) */
1124 /*
1125 * ordering rule:
1126 * 1. the first one must be HASH
1127 * 2. the second one must be SA (added in isakmp-oakley-05!)
1128 * 3. two IDs must be considered as IDci, then IDcr
1129 */
1130 pbuf = isakmp_parse(msg);
1131 if (pbuf == NULL) {
1132 plog(LLV_ERROR, LOCATION, NULL,
1133 "failed to parse msg");
1134 goto end;
1135 }
1136 pa = (struct isakmp_parse_t *)pbuf->v;
1137
1138 /* HASH payload is fixed postion */
1139 if (pa->type != ISAKMP_NPTYPE_HASH) {
1140 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1141 "received invalid next payload type %d, "
1142 "expecting %d.\n",
1143 pa->type, ISAKMP_NPTYPE_HASH);
1144 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1145 goto end;
1146 }
1147 hash = (struct isakmp_pl_hash *)pa->ptr;
1148 pa++;
1149
1150 /*
1151 * this restriction was introduced in isakmp-oakley-05.
1152 * we do not check this for backward compatibility.
1153 * TODO: command line/config file option to enable/disable this code
1154 */
1155 /* HASH payload is fixed postion */
1156 if (pa->type != ISAKMP_NPTYPE_SA) {
1157 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
1158 "received invalid next payload type %d, "
1159 "expecting %d.\n",
1160 pa->type, ISAKMP_NPTYPE_SA);
1161 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1162 }
1163
1164 /* allocate buffer for computing HASH(1) */
1165 tlen = ntohl(isakmp->len) - sizeof(*isakmp);
1166 hbuf = vmalloc(tlen);
1167 if (hbuf == NULL) {
1168 plog(LLV_ERROR, LOCATION, NULL,
1169 "failed to get hash buffer.\n");
1170 goto end;
1171 }
1172 p = hbuf->v;
1173
1174 /*
1175 * parse the payloads.
1176 * copy non-HASH payloads into hbuf, so that we can validate HASH.
1177 */
1178 iph2->sa = NULL; /* we don't support multi SAs. */
1179 iph2->nonce_p = NULL;
1180 iph2->dhpub_p = NULL;
1181 iph2->id_p = NULL;
1182 iph2->id = NULL;
1183 tlen = 0; /* count payload length except of HASH payload. */
1184
1185 /*
1186 * IDi2 MUST be immediatelly followed by IDr2. We allowed the
1187 * illegal case, but logged. First ID payload is to be IDi2.
1188 * And next ID payload is to be IDr2.
1189 */
1190 f_id_order = 0;
1191
1192 for (; pa->type; pa++) {
1193
1194 /* copy to buffer for HASH */
1195 /* Don't modify the payload */
1196 memcpy(p, pa->ptr, pa->len);
1197
1198 if (pa->type != ISAKMP_NPTYPE_ID)
1199 f_id_order = 0;
1200
1201 switch (pa->type) {
1202 case ISAKMP_NPTYPE_SA:
1203 if (iph2->sa != NULL) {
1204 plog(LLV_ERROR, LOCATION, NULL,
1205 "Multi SAs isn't supported.\n");
1206 goto end;
1207 }
1208 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
1209 plog(LLV_ERROR, LOCATION, NULL,
1210 "failed to process SA payload");
1211 goto end;
1212 }
1213 break;
1214
1215 case ISAKMP_NPTYPE_NONCE:
1216 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
1217 plog(LLV_ERROR, LOCATION, NULL,
1218 "failed to process NONCE payload");
1219 goto end;
1220 }
1221 break;
1222
1223 case ISAKMP_NPTYPE_KE:
1224 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
1225 plog(LLV_ERROR, LOCATION, NULL,
1226 "failed to process KE payload");
1227 goto end;
1228 }
1229 break;
1230
1231 case ISAKMP_NPTYPE_ID:
1232 if (iph2->id_p == NULL) {
1233 /* for IDci */
1234 f_id_order++;
1235
1236 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) {
1237 plog(LLV_ERROR, LOCATION, NULL,
1238 "failed to process IDci2 payload");
1239 goto end;
1240 }
1241
1242 } else if (iph2->id == NULL) {
1243 /* for IDcr */
1244 if (f_id_order == 0) {
1245 plog(LLV_ERROR, LOCATION, NULL,
1246 "IDr2 payload is not "
1247 "immediatelly followed "
1248 "by IDi2. We allowed.\n");
1249 /* XXX we allowed in this case. */
1250 }
1251
1252 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) {
1253 plog(LLV_ERROR, LOCATION, NULL,
1254 "failed to process IDcr2 payload");
1255 goto end;
1256 }
1257 } else {
1258 plog(LLV_ERROR, LOCATION, NULL,
1259 "received too many ID payloads.\n");
1260 plogdump(LLV_ERROR, iph2->id->v, iph2->id->l);
1261 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1262 goto end;
1263 }
1264 break;
1265
1266 case ISAKMP_NPTYPE_N:
1267 isakmp_check_ph2_notify(pa->ptr, iph2);
1268 break;
1269
1270 #ifdef ENABLE_NATT
1271 case ISAKMP_NPTYPE_NATOA_DRAFT:
1272 case ISAKMP_NPTYPE_NATOA_BADDRAFT:
1273 case ISAKMP_NPTYPE_NATOA_RFC:
1274 {
1275 vchar_t *vp = NULL;
1276 struct sockaddr *daddr;
1277
1278 isakmp_p2ph(&vp, pa->ptr);
1279
1280 if (vp) {
1281 daddr = process_natoa_payload(vp);
1282 if (daddr) {
1283 if (natoa_i == NULL) {
1284 natoa_i = daddr;
1285 plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA i: %s\n",
1286 saddr2str(natoa_i));
1287 } else if (natoa_r == NULL) {
1288 natoa_r = daddr;
1289 plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA r: %s\n",
1290 saddr2str(natoa_r));
1291 } else {
1292 racoon_free(daddr);
1293 }
1294 }
1295 vfree(vp);
1296 }
1297
1298 }
1299 break;
1300 #endif
1301
1302 default:
1303 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1304 "ignore the packet, "
1305 "received unexpected payload type %d.\n",
1306 pa->type);
1307 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1308 goto end;
1309 }
1310
1311 p += pa->len;
1312
1313 /* compute true length of payload. */
1314 tlen += pa->len;
1315 }
1316
1317 /* payload existency check */
1318 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
1319 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1320 "expected isakmp payloads missing.\n");
1321 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1322 goto end;
1323 }
1324
1325 if (iph2->id_p) {
1326 plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
1327 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
1328 }
1329 if (iph2->id) {
1330 plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
1331 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
1332 }
1333
1334 /* adjust buffer length for HASH */
1335 hbuf->l = tlen;
1336
1337 /* validate HASH(1) */
1338 {
1339 char *r_hash;
1340 vchar_t *my_hash = NULL;
1341 int result;
1342
1343 r_hash = (caddr_t)hash + sizeof(*hash);
1344
1345 plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:");
1346 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1347
1348 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
1349 if (my_hash == NULL) {
1350 plog(LLV_ERROR, LOCATION, NULL,
1351 "failed to compute HASH");
1352 goto end;
1353 }
1354
1355 result = memcmp(my_hash->v, r_hash, my_hash->l);
1356 vfree(my_hash);
1357
1358 if (result) {
1359 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1360 "HASH(1) mismatch.\n");
1361 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1362 goto end;
1363 }
1364 }
1365
1366 /* get sainfo */
1367 error = get_sainfo_r(iph2);
1368 if (error) {
1369 plog(LLV_ERROR, LOCATION, NULL,
1370 "failed to get sainfo.\n");
1371 goto end;
1372 }
1373
1374 /* check the existence of ID payload and create responder's proposal */
1375 error = get_proposal_r(iph2);
1376 switch (error) {
1377 case -2:
1378 /* generate a policy template from peer's proposal */
1379 if (set_proposal_from_proposal(iph2)) {
1380 plog(LLV_ERROR, LOCATION, NULL,
1381 "failed to generate a proposal template "
1382 "from client's proposal.\n");
1383 return ISAKMP_INTERNAL_ERROR;
1384 }
1385 /*FALLTHROUGH*/
1386 case 0:
1387 /* select single proposal or reject it. */
1388 if (ipsecdoi_selectph2proposal(iph2) < 0) {
1389 plog(LLV_ERROR, LOCATION, NULL,
1390 "failed to select proposal.\n");
1391 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1392 goto end;
1393 }
1394 break;
1395 default:
1396 plog(LLV_ERROR, LOCATION, NULL,
1397 "failed to get proposal for responder.\n");
1398 goto end;
1399 }
1400
1401 /* check KE and attribute of PFS */
1402 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
1403 plog(LLV_ERROR, LOCATION, NULL,
1404 "no PFS is specified, but peer sends KE.\n");
1405 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1406 goto end;
1407 }
1408 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
1409 plog(LLV_ERROR, LOCATION, NULL,
1410 "PFS is specified, but peer doesn't sends KE.\n");
1411 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1412 goto end;
1413 }
1414
1415 ike_session_update_mode(iph2); /* update the mode, now that we have a proposal */
1416
1417 /*
1418 * save the packet from the initiator in order to resend the
1419 * responder's first packet against this packet.
1420 */
1421 iph2->msg1 = vdup(msg0);
1422
1423 /* change status of isakmp status entry */
1424 iph2->status = PHASE2ST_STATUS2;
1425
1426 error = 0;
1427
1428 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1429 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1430 CONSTSTR("Responder, Quick-Mode message 1"),
1431 CONSTSTR(NULL));
1432
1433 end:
1434 if (error) {
1435 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1436 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1437 CONSTSTR("Responder, Quick-Mode Message 1"),
1438 CONSTSTR("Failed to process Quick-Mode Message 1"));
1439 }
1440 if (hbuf)
1441 vfree(hbuf);
1442 if (msg)
1443 vfree(msg);
1444 if (pbuf)
1445 vfree(pbuf);
1446
1447 #ifdef ENABLE_NATT
1448 if (natoa_i) {
1449 racoon_free(natoa_i);
1450 }
1451 if (natoa_r) {
1452 racoon_free(natoa_r);
1453 }
1454 #endif
1455
1456 if (error) {
1457 VPTRINIT(iph2->sa);
1458 VPTRINIT(iph2->nonce_p);
1459 VPTRINIT(iph2->dhpub_p);
1460 VPTRINIT(iph2->id);
1461 VPTRINIT(iph2->id_p);
1462 }
1463
1464 return error;
1465 }
1466
1467 /*
1468 * call pfkey_getspi.
1469 */
1470 int
1471 quick_r1prep(iph2, msg)
1472 struct ph2handle *iph2;
1473 vchar_t *msg;
1474 {
1475 int error = ISAKMP_INTERNAL_ERROR;
1476
1477 /* validity check */
1478 if (iph2->status != PHASE2ST_STATUS2) {
1479 plog(LLV_ERROR, LOCATION, NULL,
1480 "status mismatched %d.\n", iph2->status);
1481 goto end;
1482 }
1483
1484 iph2->status = PHASE2ST_GETSPISENT;
1485
1486 /* send getspi message */
1487 if (pk_sendgetspi(iph2) < 0) {
1488 plog(LLV_ERROR, LOCATION, NULL,
1489 "failed to send getspi");
1490 goto end;
1491 }
1492
1493 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
1494
1495 iph2->sce = sched_new(lcconf->wait_ph2complete,
1496 pfkey_timeover_stub, iph2);
1497
1498 error = 0;
1499
1500 end:
1501 return error;
1502 }
1503
1504 /*
1505 * send to initiator
1506 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1507 */
1508 int
1509 quick_r2send(iph2, msg)
1510 struct ph2handle *iph2;
1511 vchar_t *msg;
1512 {
1513 vchar_t *body = NULL;
1514 vchar_t *hash = NULL;
1515 vchar_t *natoa_i = NULL;
1516 vchar_t *natoa_r = NULL;
1517 int natoa_type = 0;
1518 struct isakmp_gen *gen;
1519 char *p;
1520 int tlen;
1521 int error = ISAKMP_INTERNAL_ERROR;
1522 int pfsgroup;
1523 u_int8_t *np_p = NULL;
1524
1525 /* validity check */
1526 if (msg != NULL) {
1527 plog(LLV_ERROR, LOCATION, NULL,
1528 "msg has to be NULL in this function.\n");
1529 goto end;
1530 }
1531 if (iph2->status != PHASE2ST_GETSPIDONE) {
1532 plog(LLV_ERROR, LOCATION, NULL,
1533 "status mismatched %d.\n", iph2->status);
1534 goto end;
1535 }
1536
1537 /* update responders SPI */
1538 if (ipsecdoi_updatespi(iph2) < 0) {
1539 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n");
1540 goto end;
1541 }
1542
1543 /* generate NONCE value */
1544 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
1545 if (iph2->nonce == NULL) {
1546 plog(LLV_ERROR, LOCATION, NULL,
1547 "failed to generate NONCE");
1548 goto end;
1549 }
1550
1551 /* generate KE value if need */
1552 pfsgroup = iph2->approval->pfs_group;
1553 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1554 /* DH group settting if PFS is required. */
1555 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
1556 plog(LLV_ERROR, LOCATION, NULL,
1557 "failed to set DH value.\n");
1558 goto end;
1559 }
1560 /* generate DH public value */
1561 if (oakley_dh_generate(iph2->pfsgrp,
1562 &iph2->dhpub, &iph2->dhpriv) < 0) {
1563 plog(LLV_ERROR, LOCATION, NULL,
1564 "failed to generate DH public");
1565 goto end;
1566 }
1567 }
1568
1569 /* create SA;NONCE payload, and KE and ID if need */
1570 tlen = sizeof(*gen) + iph2->sa_ret->l
1571 + sizeof(*gen) + iph2->nonce->l;
1572 if (iph2->dhpub_p != NULL && pfsgroup != 0)
1573 tlen += (sizeof(*gen) + iph2->dhpub->l);
1574 if (iph2->id_p != NULL)
1575 tlen += (sizeof(*gen) + iph2->id_p->l
1576 + sizeof(*gen) + iph2->id->l);
1577
1578 #ifdef ENABLE_NATT
1579 /*
1580 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport
1581 * we should send NAT-OA
1582 */
1583 if (ipsecdoi_any_transportmode(iph2->approval)
1584 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
1585 natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
1586 if (natoa_type == -1) {
1587 plog(LLV_ERROR, LOCATION, NULL,
1588 "failed to create NATOA payloads");
1589 goto end;
1590 }
1591 else if (natoa_type != 0) {
1592 tlen += sizeof(*gen) + natoa_i->l;
1593 tlen += sizeof(*gen) + natoa_r->l;
1594
1595 plog(LLV_DEBUG, LOCATION, NULL, "responder send NAT-OAi:\n");
1596 plogdump(LLV_DEBUG, natoa_i->v, natoa_i->l);
1597 plog(LLV_DEBUG, LOCATION, NULL, "responder send NAT-OAr:\n");
1598 plogdump(LLV_DEBUG, natoa_r->v, natoa_r->l);
1599 }
1600 }
1601 #endif
1602
1603 plog(LLV_DEBUG, LOCATION, NULL, "Approved SA\n");
1604 printsaprop0(LLV_DEBUG, iph2->approval);
1605
1606 body = vmalloc(tlen);
1607 if (body == NULL) {
1608 plog(LLV_ERROR, LOCATION, NULL,
1609 "failed to get buffer to send.\n");
1610 goto end;
1611 }
1612 p = body->v;
1613
1614 /* make SA payload */
1615 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
1616
1617 /* add NONCE payload */
1618 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1619 p = set_isakmp_payload(p, iph2->nonce,
1620 (iph2->dhpub_p != NULL && pfsgroup != 0)
1621 ? ISAKMP_NPTYPE_KE
1622 : (iph2->id_p != NULL
1623 ? ISAKMP_NPTYPE_ID
1624 : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE)));
1625
1626 /* add KE payload if need. */
1627 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1628 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1629 p = set_isakmp_payload(p, iph2->dhpub,
1630 (iph2->id_p == NULL) ? (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE) : ISAKMP_NPTYPE_ID);
1631 }
1632
1633 /* add ID payloads received. */
1634 if (iph2->id_p != NULL) {
1635 /* IDci */
1636 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
1637 plog(LLV_DEBUG, LOCATION, NULL, "sending IDci2:\n");
1638 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
1639 /* IDcr */
1640 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1641 p = set_isakmp_payload(p, iph2->id, (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE));
1642 plog(LLV_DEBUG, LOCATION, NULL, "sending IDcr2:\n");
1643 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
1644 }
1645
1646 /* add a RESPONDER-LIFETIME notify payload if needed */
1647 {
1648 vchar_t *data = NULL;
1649 struct saprop *pp = iph2->approval;
1650 struct saproto *pr;
1651
1652 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
1653 u_int32_t v = htonl((u_int32_t)pp->lifetime);
1654 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1655 IPSECDOI_ATTR_SA_LD_TYPE_SEC);
1656 if (!data) {
1657 plog(LLV_ERROR, LOCATION, NULL,
1658 "failed to add RESPONDER-LIFETIME notify (type) payload");
1659 goto end;
1660 }
1661 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1662 (caddr_t)&v, sizeof(v));
1663 if (!data) {
1664 plog(LLV_ERROR, LOCATION, NULL,
1665 "failed to add RESPONDER-LIFETIME notify (value) payload");
1666 goto end;
1667 }
1668 }
1669 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
1670 u_int32_t v = htonl((u_int32_t)pp->lifebyte);
1671 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1672 IPSECDOI_ATTR_SA_LD_TYPE_KB);
1673 if (!data) {
1674 plog(LLV_ERROR, LOCATION, NULL,
1675 "failed to add RESPONDER-LIFETIME notify (type) payload");
1676 goto end;
1677 }
1678 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1679 (caddr_t)&v, sizeof(v));
1680 if (!data) {
1681 plog(LLV_ERROR, LOCATION, NULL,
1682 "failed to add RESPONDER-LIFETIME notify (value) payload");
1683 goto end;
1684 }
1685 }
1686
1687 /*
1688 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1689 * in the case of SA bundle ?
1690 */
1691 if (data) {
1692 for (pr = pp->head; pr; pr = pr->next) {
1693 body = isakmp_add_pl_n(body, &np_p,
1694 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
1695 if (!body) {
1696 plog(LLV_ERROR, LOCATION, NULL,
1697 "invalid RESPONDER-LIFETIME payload");
1698 vfree(data);
1699 return error; /* XXX */
1700 }
1701 }
1702 vfree(data);
1703 }
1704 }
1705
1706 /* natoa */
1707 if (natoa_type) {
1708 p = set_isakmp_payload(p, natoa_i, natoa_type);
1709 p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
1710 }
1711
1712 /* generate HASH(2) */
1713 {
1714 vchar_t *tmp;
1715
1716 tmp = vmalloc(iph2->nonce_p->l + body->l);
1717 if (tmp == NULL) {
1718 plog(LLV_ERROR, LOCATION, NULL,
1719 "failed to get hash buffer.\n");
1720 goto end;
1721 }
1722 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1723 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
1724
1725 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
1726 vfree(tmp);
1727
1728 if (hash == NULL) {
1729 plog(LLV_ERROR, LOCATION, NULL,
1730 "failed to compute HASH");
1731 goto end;
1732 }
1733 }
1734
1735 /* send isakmp payload */
1736 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
1737 if (iph2->sendbuf == NULL) {
1738 plog(LLV_ERROR, LOCATION, NULL,
1739 "failed to get send buffer");
1740 goto end;
1741 }
1742
1743 /* send the packet, add to the schedule to resend */
1744 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
1745 if (isakmp_ph2resend(iph2) == -1) {
1746 plog(LLV_ERROR, LOCATION, NULL,
1747 "failed to send packet");
1748 goto end;
1749 }
1750
1751 /* the sending message is added to the received-list. */
1752 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1,
1753 PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
1754 plog(LLV_ERROR , LOCATION, NULL,
1755 "failed to add a response packet to the tree.\n");
1756 goto end;
1757 }
1758
1759 /* change status of isakmp status entry */
1760 iph2->status = PHASE2ST_MSG1SENT;
1761
1762 error = 0;
1763
1764 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1765 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1766 CONSTSTR("Responder, Quick-Mode message 2"),
1767 CONSTSTR(NULL));
1768
1769 end:
1770 if (error) {
1771 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1772 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1773 CONSTSTR("Responder, Quick-Mode Message 2"),
1774 CONSTSTR("Failed to transmit Quick-Mode Message 2"));
1775 }
1776 if (body != NULL)
1777 vfree(body);
1778 if (hash != NULL)
1779 vfree(hash);
1780 if (natoa_i)
1781 vfree(natoa_i);
1782 if (natoa_r)
1783 vfree(natoa_r);
1784
1785 return error;
1786 }
1787
1788 /*
1789 * receive from initiator
1790 * HDR*, HASH(3)
1791 */
1792 int
1793 quick_r3recv(iph2, msg0)
1794 struct ph2handle *iph2;
1795 vchar_t *msg0;
1796 {
1797 vchar_t *msg = NULL;
1798 vchar_t *pbuf = NULL; /* for payload parsing */
1799 struct isakmp_parse_t *pa;
1800 struct isakmp_pl_hash *hash = NULL;
1801 int error = ISAKMP_INTERNAL_ERROR;
1802
1803 /* validity check */
1804 if (iph2->status != PHASE2ST_MSG1SENT) {
1805 plog(LLV_ERROR, LOCATION, NULL,
1806 "status mismatched %d.\n", iph2->status);
1807 goto end;
1808 }
1809
1810 /* decrypt packet */
1811 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1812 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1813 "Packet wasn't encrypted.\n");
1814 goto end;
1815 }
1816 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1817 if (msg == NULL) {
1818 plog(LLV_ERROR, LOCATION, NULL,
1819 "failed to decrypt packet");
1820 goto end;
1821 }
1822
1823 /* validate the type of next payload */
1824 pbuf = isakmp_parse(msg);
1825 if (pbuf == NULL) {
1826 plog(LLV_ERROR, LOCATION, NULL,
1827 "failed to parse msg");
1828 goto end;
1829 }
1830
1831 for (pa = (struct isakmp_parse_t *)pbuf->v;
1832 pa->type != ISAKMP_NPTYPE_NONE;
1833 pa++) {
1834
1835 switch (pa->type) {
1836 case ISAKMP_NPTYPE_HASH:
1837 hash = (struct isakmp_pl_hash *)pa->ptr;
1838 break;
1839 case ISAKMP_NPTYPE_N:
1840 isakmp_check_ph2_notify(pa->ptr, iph2);
1841 break;
1842 default:
1843 /* don't send information, see ident_r1recv() */
1844 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1845 "ignore the packet, "
1846 "received unexpecting payload type %d.\n",
1847 pa->type);
1848 goto end;
1849 }
1850 }
1851
1852 /* payload existency check */
1853 if (hash == NULL) {
1854 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1855 "few isakmp message received.\n");
1856 goto end;
1857 }
1858
1859 /* validate HASH(3) */
1860 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1861 {
1862 char *r_hash;
1863 vchar_t *my_hash = NULL;
1864 vchar_t *tmp = NULL;
1865 int result;
1866
1867 r_hash = (char *)hash + sizeof(*hash);
1868
1869 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
1870 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1871
1872 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
1873 if (tmp == NULL) {
1874 plog(LLV_ERROR, LOCATION, NULL,
1875 "failed to get hash buffer.\n");
1876 goto end;
1877 }
1878 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1879 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
1880
1881 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
1882 vfree(tmp);
1883 if (my_hash == NULL) {
1884 plog(LLV_ERROR, LOCATION, NULL,
1885 "failed to compute HASH");
1886 goto end;
1887 }
1888
1889 result = memcmp(my_hash->v, r_hash, my_hash->l);
1890 vfree(my_hash);
1891
1892 if (result) {
1893 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1894 "HASH(3) mismatch.\n");
1895 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1896 goto end;
1897 }
1898 }
1899
1900 /* if there is commit bit, don't set up SA now. */
1901 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
1902 iph2->status = PHASE2ST_COMMIT;
1903 } else
1904 iph2->status = PHASE2ST_STATUS6;
1905
1906 error = 0;
1907
1908 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1909 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1910 CONSTSTR("Responder, Quick-Mode message 3"),
1911 CONSTSTR(NULL));
1912
1913 end:
1914 if (error) {
1915 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1916 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1917 CONSTSTR("Responder, Quick-Mode Message 3"),
1918 CONSTSTR("Failed to process Quick-Mode Message 3"));
1919 }
1920 if (pbuf != NULL)
1921 vfree(pbuf);
1922 if (msg != NULL)
1923 vfree(msg);
1924
1925 return error;
1926 }
1927
1928 /*
1929 * send to initiator
1930 * HDR#*, HASH(4), notify
1931 */
1932 int
1933 quick_r3send(iph2, msg0)
1934 struct ph2handle *iph2;
1935 vchar_t *msg0;
1936 {
1937 vchar_t *buf = NULL;
1938 vchar_t *myhash = NULL;
1939 struct isakmp_pl_n *n;
1940 vchar_t *notify = NULL;
1941 char *p;
1942 int tlen;
1943 int error = ISAKMP_INTERNAL_ERROR;
1944
1945 /* validity check */
1946 if (iph2->status != PHASE2ST_COMMIT) {
1947 plog(LLV_ERROR, LOCATION, NULL,
1948 "status mismatched %d.\n", iph2->status);
1949 goto end;
1950 }
1951
1952 /* generate HASH(4) */
1953 /* XXX What can I do in the case of multiple different SA */
1954 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");
1955
1956 /* XXX What should I do if there are multiple SAs ? */
1957 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
1958 notify = vmalloc(tlen);
1959 if (notify == NULL) {
1960 plog(LLV_ERROR, LOCATION, NULL,
1961 "failed to get notify buffer.\n");
1962 goto end;
1963 }
1964 n = (struct isakmp_pl_n *)notify->v;
1965 n->h.np = ISAKMP_NPTYPE_NONE;
1966 n->h.len = htons(tlen);
1967 n->doi = htonl(IPSEC_DOI);
1968 n->proto_id = iph2->approval->head->proto_id;
1969 n->spi_size = sizeof(iph2->approval->head->spisize);
1970 n->type = htons(ISAKMP_NTYPE_CONNECTED);
1971 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
1972
1973 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1974 if (myhash == NULL) {
1975 plog(LLV_ERROR, LOCATION, NULL,
1976 "failed to compute HASH");
1977 goto end;
1978 }
1979
1980 /* create buffer for isakmp payload */
1981 tlen = sizeof(struct isakmp)
1982 + sizeof(struct isakmp_gen) + myhash->l
1983 + notify->l;
1984 buf = vmalloc(tlen);
1985 if (buf == NULL) {
1986 plog(LLV_ERROR, LOCATION, NULL,
1987 "failed to get buffer to send.\n");
1988 goto end;
1989 }
1990
1991 /* create isakmp header */
1992 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
1993 if (p == NULL) {
1994 plog(LLV_ERROR, LOCATION, NULL,
1995 "failed to set ISAKMP header");
1996 goto end;
1997 }
1998
1999 /* add HASH(4) payload */
2000 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
2001
2002 /* add notify payload */
2003 memcpy(p, notify->v, notify->l);
2004
2005 #ifdef HAVE_PRINT_ISAKMP_C
2006 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2007 #endif
2008
2009 /* encoding */
2010 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2011 if (iph2->sendbuf == NULL) {
2012 plog(LLV_ERROR, LOCATION, NULL,
2013 "failed to encrypt packet");
2014 goto end;
2015 }
2016
2017 /* send the packet */
2018 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
2019 plog(LLV_ERROR, LOCATION, NULL,
2020 "failed to send packet");
2021 goto end;
2022 }
2023
2024 /* the sending message is added to the received-list. */
2025 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0,
2026 PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
2027 plog(LLV_ERROR , LOCATION, NULL,
2028 "failed to add a response packet to the tree.\n");
2029 goto end;
2030 }
2031
2032 iph2->status = PHASE2ST_COMMIT;
2033
2034 error = 0;
2035
2036 IPSECSESSIONTRACEREVENT(iph2->parent_session,
2037 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
2038 CONSTSTR("Responder, Quick-Mode message 4"),
2039 CONSTSTR(NULL));
2040
2041 end:
2042 if (error) {
2043 IPSECSESSIONTRACEREVENT(iph2->parent_session,
2044 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
2045 CONSTSTR("Responder, Quick-Mode Message 4"),
2046 CONSTSTR("Failed to transmit Quick-Mode Message 4"));
2047 }
2048 if (buf != NULL)
2049 vfree(buf);
2050 if (myhash != NULL)
2051 vfree(myhash);
2052 if (notify != NULL)
2053 vfree(notify);
2054
2055 return error;
2056 }
2057
2058
2059 /*
2060 * set SA to kernel.
2061 */
2062 int
2063 quick_r3prep(iph2, msg0)
2064 struct ph2handle *iph2;
2065 vchar_t *msg0;
2066 {
2067 vchar_t *msg = NULL;
2068 int error = ISAKMP_INTERNAL_ERROR;
2069
2070 /* validity check */
2071 if (iph2->status != PHASE2ST_STATUS6) {
2072 plog(LLV_ERROR, LOCATION, NULL,
2073 "status mismatched %d.\n", iph2->status);
2074 goto end;
2075 }
2076
2077 /* compute both of KEYMATs */
2078 if (oakley_compute_keymat(iph2, RESPONDER) < 0) {
2079 plog(LLV_ERROR, LOCATION, NULL,
2080 "failed to compute KEYMAT");
2081 goto end;
2082 }
2083
2084 iph2->status = PHASE2ST_ADDSA;
2085 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
2086
2087 /* don't anything if local test mode. */
2088 if (f_local) {
2089 error = 0;
2090 goto end;
2091 }
2092
2093 /* Do UPDATE as responder */
2094 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
2095 if (pk_sendupdate(iph2) < 0) {
2096 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
2097 goto end;
2098 }
2099 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
2100
2101 /* Do ADD for responder */
2102 if (pk_sendadd(iph2) < 0) {
2103 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
2104 goto end;
2105 }
2106 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
2107
2108 /*
2109 * set policies into SPD if the policy is generated
2110 * from peer's policy.
2111 */
2112 if (iph2->spidx_gen) {
2113
2114 struct policyindex *spidx;
2115 struct sockaddr_storage addr;
2116 u_int8_t pref;
2117 struct sockaddr *src = iph2->src;
2118 struct sockaddr *dst = iph2->dst;
2119
2120 /* make inbound policy */
2121 iph2->src = dst;
2122 iph2->dst = src;
2123 if (pk_sendspdupdate2(iph2) < 0) {
2124 plog(LLV_ERROR, LOCATION, NULL,
2125 "pfkey spdupdate2(inbound) failed.\n");
2126 goto end;
2127 }
2128 plog(LLV_DEBUG, LOCATION, NULL,
2129 "pfkey spdupdate2(inbound) sent.\n");
2130
2131 spidx = (struct policyindex *)iph2->spidx_gen;
2132 #ifdef HAVE_POLICY_FWD
2133 /* make forward policy if required */
2134 if (tunnel_mode_prop(iph2->approval)) {
2135 spidx->dir = IPSEC_DIR_FWD;
2136 if (pk_sendspdupdate2(iph2) < 0) {
2137 plog(LLV_ERROR, LOCATION, NULL,
2138 "pfkey spdupdate2(forward) failed.\n");
2139 goto end;
2140 }
2141 plog(LLV_DEBUG, LOCATION, NULL,
2142 "pfkey spdupdate2(forward) sent.\n");
2143 }
2144 #endif
2145
2146 /* make outbound policy */
2147 iph2->src = src;
2148 iph2->dst = dst;
2149 spidx->dir = IPSEC_DIR_OUTBOUND;
2150 addr = spidx->src;
2151 spidx->src = spidx->dst;
2152 spidx->dst = addr;
2153 pref = spidx->prefs;
2154 spidx->prefs = spidx->prefd;
2155 spidx->prefd = pref;
2156
2157 if (pk_sendspdupdate2(iph2) < 0) {
2158 plog(LLV_ERROR, LOCATION, NULL,
2159 "pfkey spdupdate2(outbound) failed.\n");
2160 goto end;
2161 }
2162 plog(LLV_DEBUG, LOCATION, NULL,
2163 "pfkey spdupdate2(outbound) sent.\n");
2164
2165 /* spidx_gen is unnecessary any more */
2166 delsp_bothdir((struct policyindex *)iph2->spidx_gen);
2167 racoon_free(iph2->spidx_gen);
2168 iph2->spidx_gen = NULL;
2169 iph2->generated_spidx=1;
2170 }
2171
2172 error = 0;
2173
2174 end:
2175 if (msg != NULL)
2176 vfree(msg);
2177
2178 return error;
2179 }
2180
2181 /*
2182 * create HASH, body (SA, NONCE) payload with isakmp header.
2183 */
2184 static vchar_t *
2185 quick_ir1mx(iph2, body, hash)
2186 struct ph2handle *iph2;
2187 vchar_t *body, *hash;
2188 {
2189 struct isakmp *isakmp;
2190 vchar_t *buf = NULL, *new = NULL;
2191 char *p;
2192 int tlen;
2193 struct isakmp_gen *gen;
2194 int error = ISAKMP_INTERNAL_ERROR;
2195
2196 /* create buffer for isakmp payload */
2197 tlen = sizeof(*isakmp)
2198 + sizeof(*gen) + hash->l
2199 + body->l;
2200 buf = vmalloc(tlen);
2201 if (buf == NULL) {
2202 plog(LLV_ERROR, LOCATION, NULL,
2203 "failed to get buffer to send.\n");
2204 goto end;
2205 }
2206
2207 /* re-set encryption flag, for serurity. */
2208 iph2->flags |= ISAKMP_FLAG_E;
2209
2210 /* set isakmp header */
2211 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
2212 if (p == NULL) {
2213 plog(LLV_ERROR, LOCATION, NULL,
2214 "failed to set ISAKMP header");
2215 goto end;
2216 }
2217
2218 /* add HASH payload */
2219 /* XXX is next type always SA ? */
2220 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
2221
2222 /* add body payload */
2223 memcpy(p, body->v, body->l);
2224
2225 #ifdef HAVE_PRINT_ISAKMP_C
2226 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2227 #endif
2228
2229 /* encoding */
2230 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2231 if (new == NULL) {
2232 plog(LLV_ERROR, LOCATION, NULL,
2233 "failed to encrypt packet");
2234 goto end;
2235 }
2236
2237 vfree(buf);
2238
2239 buf = new;
2240
2241 error = 0;
2242
2243 end:
2244 if (error && buf != NULL) {
2245 vfree(buf);
2246 buf = NULL;
2247 }
2248
2249 return buf;
2250 }
2251
2252 /*
2253 * get remote's sainfo.
2254 * NOTE: this function is for responder.
2255 */
2256 static int
2257 get_sainfo_r(iph2)
2258 struct ph2handle *iph2;
2259 {
2260 vchar_t *idsrc = NULL, *iddst = NULL;
2261 int prefixlen;
2262 int error = ISAKMP_INTERNAL_ERROR;
2263 struct sainfo *anonymous = NULL;
2264
2265 if (iph2->id == NULL) {
2266 switch (iph2->src->sa_family) {
2267 case AF_INET:
2268 prefixlen = sizeof(struct in_addr) << 3;
2269 break;
2270 case AF_INET6:
2271 prefixlen = sizeof(struct in6_addr) << 3;
2272 break;
2273 default:
2274 plog(LLV_ERROR, LOCATION, NULL,
2275 "invalid family: %d\n", iph2->src->sa_family);
2276 goto end;
2277 }
2278 idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
2279 IPSEC_ULPROTO_ANY);
2280 } else {
2281 idsrc = vdup(iph2->id);
2282 }
2283 if (idsrc == NULL) {
2284 plog(LLV_ERROR, LOCATION, NULL,
2285 "failed to set ID for source.\n");
2286 goto end;
2287 }
2288
2289 if (iph2->id_p == NULL) {
2290 switch (iph2->dst->sa_family) {
2291 case AF_INET:
2292 prefixlen = sizeof(struct in_addr) << 3;
2293 break;
2294 case AF_INET6:
2295 prefixlen = sizeof(struct in6_addr) << 3;
2296 break;
2297 default:
2298 plog(LLV_ERROR, LOCATION, NULL,
2299 "invalid family: %d\n", iph2->dst->sa_family);
2300 goto end;
2301 }
2302 iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen,
2303 IPSEC_ULPROTO_ANY);
2304 } else {
2305 iddst = vdup(iph2->id_p);
2306 }
2307 if (iddst == NULL) {
2308 plog(LLV_ERROR, LOCATION, NULL,
2309 "failed to set ID for destination.\n");
2310 goto end;
2311 }
2312
2313 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 0);
2314 // track anonymous sainfo, because we'll try to find a better sainfo if this is a client
2315 if (iph2->sainfo && iph2->sainfo->idsrc == NULL)
2316 anonymous = iph2->sainfo;
2317
2318 if (iph2->sainfo == NULL ||
2319 (anonymous && iph2->parent_session && iph2->parent_session->is_client)) {
2320 if ((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL)
2321 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 1);
2322 if (iph2->sainfo) {
2323 plog(LLV_DEBUG2, LOCATION, NULL,
2324 "get_sainfo_r case 1.\n");
2325 }
2326 // still no sainfo (or anonymous): for client, fallback to sainfo used by a previous established phase2
2327 if (iph2->sainfo == NULL ||
2328 (iph2->sainfo->idsrc == NULL && iph2->parent_session && iph2->parent_session->is_client)) {
2329 ike_session_get_sainfo_r(iph2);
2330 if (iph2->sainfo) {
2331 plog(LLV_DEBUG2, LOCATION, NULL,
2332 "get_sainfo_r case 2.\n");
2333 }
2334 // still no sainfo (or anonymous): fallback to sainfo picked by dst id
2335 if ((iph2->sainfo == NULL || iph2->sainfo->idsrc == NULL) && iph2->id_p) {
2336 plog(LLV_DEBUG2, LOCATION, NULL,
2337 "get_sainfo_r about to try dst id only.\n");
2338 iph2->sainfo = getsainfo_by_dst_id(iph2->id_p, iph2->ph1->id_p);
2339 if (iph2->sainfo) {
2340 plog(LLV_DEBUG2, LOCATION, NULL,
2341 "get_sainfo_r case 3.\n");
2342 if (iph2->sainfo->idsrc == NULL)
2343 anonymous = iph2->sainfo;
2344 }
2345 }
2346 }
2347 }
2348 if (iph2->sainfo == NULL) {
2349 if (anonymous == NULL) {
2350 plog(LLV_ERROR, LOCATION, NULL,
2351 "failed to get sainfo.\n");
2352 goto end;
2353 }
2354 iph2->sainfo = anonymous;
2355 }
2356 #ifdef __APPLE__
2357 if (link_sainfo_to_ph2(iph2->sainfo) != 0) {
2358 plog(LLV_ERROR, LOCATION, NULL,
2359 "failed to link sainfo\n");
2360 iph2->sainfo = NULL;
2361 goto end;
2362 }
2363 #endif
2364
2365 #ifdef ENABLE_HYBRID
2366 /* xauth group inclusion check */
2367 if (iph2->sainfo->group != NULL)
2368 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1)) {
2369 plog(LLV_ERROR, LOCATION, NULL,
2370 "failed to group check");
2371 goto end;
2372 }
2373 #endif
2374
2375 plog(LLV_DEBUG, LOCATION, NULL,
2376 "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2377
2378 error = 0;
2379 end:
2380 if (idsrc)
2381 vfree(idsrc);
2382 if (iddst)
2383 vfree(iddst);
2384
2385 return error;
2386 }
2387
2388 static int
2389 get_proposal_r(iph2)
2390 struct ph2handle *iph2;
2391 {
2392 int error = get_proposal_r_remote(iph2, 0);
2393 if (error != -2 && error != 0 &&
2394 (((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL) ||
2395 (iph2->parent_session && iph2->parent_session->is_client))) {
2396 if (iph2->parent_session && iph2->parent_session->is_client)
2397 error = ike_session_get_proposal_r(iph2);
2398 if (error != -2 && error != 0)
2399 error = get_proposal_r_remote(iph2, 1);
2400 }
2401 return error;
2402 }
2403
2404 /*
2405 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
2406 * are IP address and same address family.
2407 * Then get remote's policy from SPD copied from kernel.
2408 * If the type of ID payload is address or subnet type, then the index is
2409 * made from the payload. If there is no ID payload, or the type of ID
2410 * payload is NOT address type, then the index is made from the address
2411 * pair of phase 1.
2412 * NOTE: This function is only for responder.
2413 */
2414 static int
2415 get_proposal_r_remote(iph2, ignore_id)
2416 struct ph2handle *iph2;
2417 int ignore_id;
2418 {
2419 struct policyindex spidx;
2420 struct secpolicy *sp_in, *sp_out;
2421 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
2422 int error = ISAKMP_INTERNAL_ERROR;
2423 int generated_policy_exit_early = 1;
2424
2425 /* check the existence of ID payload */
2426 if ((iph2->id_p != NULL && iph2->id == NULL)
2427 || (iph2->id_p == NULL && iph2->id != NULL)) {
2428 plog(LLV_ERROR, LOCATION, NULL,
2429 "Both IDs wasn't found in payload.\n");
2430 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2431 }
2432
2433 /* make sure if id[src,dst] is null (if use_remote_addr == 0). */
2434 if (!ignore_id && (iph2->src_id || iph2->dst_id)) {
2435 plog(LLV_ERROR, LOCATION, NULL,
2436 "Why do ID[src,dst] exist already.\n");
2437 return ISAKMP_INTERNAL_ERROR;
2438 }
2439
2440 plog(LLV_DEBUG, LOCATION, NULL,
2441 "%s: ignore_id %x.\n", __FUNCTION__, ignore_id);
2442
2443 memset(&spidx, 0, sizeof(spidx));
2444
2445 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
2446
2447 /* make a spidx; a key to search SPD */
2448 spidx.dir = IPSEC_DIR_INBOUND;
2449 spidx.ul_proto = 0;
2450
2451 /*
2452 * make destination address in spidx from either ID payload
2453 * or phase 1 address into a address in spidx.
2454 * If behind a nat - use phase1 address because server's
2455 * use the nat's address in the ID payload.
2456 */
2457 if (iph2->id != NULL
2458 && ignore_id == 0
2459 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2460 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
2461 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2462 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2463 /* get a destination address of a policy */
2464 error = ipsecdoi_id2sockaddr(iph2->id,
2465 (struct sockaddr *)&spidx.dst,
2466 &spidx.prefd, &spidx.ul_proto);
2467 if (error)
2468 return error;
2469
2470 #ifdef INET6
2471 /*
2472 * get scopeid from the SA address.
2473 * note that the phase 1 source address is used as
2474 * a destination address to search for a inbound policy entry
2475 * because rcoon is responder.
2476 */
2477 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
2478 error = setscopeid((struct sockaddr *)&spidx.dst,
2479 iph2->src);
2480 if (error)
2481 return error;
2482 }
2483 #endif
2484
2485 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2486 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
2487 idi2type = _XIDT(iph2->id);
2488
2489 } else {
2490
2491 plog(LLV_DEBUG, LOCATION, NULL,
2492 "get a destination address of SP index "
2493 "from phase1 address "
2494 "due to no ID payloads found "
2495 "OR because ID type is not address.\n");
2496
2497 /*
2498 * copy the SOURCE address of IKE into the DESTINATION address
2499 * of the key to search the SPD because the direction of policy
2500 * is inbound.
2501 */
2502 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
2503 switch (spidx.dst.ss_family) {
2504 case AF_INET:
2505 {
2506 struct sockaddr_in *s = (struct sockaddr_in *)&spidx.dst;
2507 spidx.prefd = sizeof(struct in_addr) << 3;
2508 s->sin_port = htons(0);
2509 }
2510 break;
2511 #ifdef INET6
2512 case AF_INET6:
2513 spidx.prefd = sizeof(struct in6_addr) << 3;
2514 break;
2515 #endif
2516 default:
2517 spidx.prefd = 0;
2518 break;
2519 }
2520 }
2521
2522 /* make source address in spidx */
2523 if (iph2->id_p != NULL
2524 && ignore_id == 0
2525 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
2526 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
2527 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2528 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2529 /* get a source address of inbound SA */
2530 error = ipsecdoi_id2sockaddr(iph2->id_p,
2531 (struct sockaddr *)&spidx.src,
2532 &spidx.prefs, &spidx.ul_proto);
2533 if (error)
2534 return error;
2535
2536 #ifdef INET6
2537 /*
2538 * get scopeid from the SA address.
2539 * for more detail, see above of this function.
2540 */
2541 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
2542 error = setscopeid((struct sockaddr *)&spidx.src,
2543 iph2->dst);
2544 if (error)
2545 return error;
2546 }
2547 #endif
2548
2549 /* make id[src,dst] if both ID types are IP address and same */
2550 if (_XIDT(iph2->id_p) == idi2type
2551 && spidx.dst.ss_family == spidx.src.ss_family) {
2552 iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst);
2553 if (iph2->src_id == NULL) {
2554 plog(LLV_ERROR, LOCATION, NULL,
2555 "buffer allocation failed.\n");
2556 return ISAKMP_INTERNAL_ERROR;
2557 }
2558 iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src);
2559 if (iph2->dst_id == NULL) {
2560 plog(LLV_ERROR, LOCATION, NULL,
2561 "buffer allocation failed.\n");
2562 return ISAKMP_INTERNAL_ERROR;
2563 }
2564 }
2565
2566 } else {
2567 plog(LLV_DEBUG, LOCATION, NULL,
2568 "get a source address of SP index "
2569 "from phase1 address "
2570 "due to no ID payloads found "
2571 "OR because ID type is not address.\n");
2572
2573 /* see above comment. */
2574 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
2575 switch (spidx.src.ss_family) {
2576 case AF_INET:
2577 {
2578 struct sockaddr_in *s = (struct sockaddr_in *)&spidx.src;
2579 spidx.prefs = sizeof(struct in_addr) << 3;
2580 s->sin_port = htons(0);
2581 }
2582 break;
2583 #ifdef INET6
2584 case AF_INET6:
2585 spidx.prefs = sizeof(struct in6_addr) << 3;
2586 break;
2587 #endif
2588 default:
2589 spidx.prefs = 0;
2590 break;
2591 }
2592 }
2593
2594 #undef _XIDT
2595
2596 plog(LLV_DEBUG, LOCATION, NULL,
2597 "get a src address from ID payload "
2598 "%s prefixlen=%u ul_proto=%u\n",
2599 saddr2str((struct sockaddr *)&spidx.src),
2600 spidx.prefs, spidx.ul_proto);
2601 plog(LLV_DEBUG, LOCATION, NULL,
2602 "get dst address from ID payload "
2603 "%s prefixlen=%u ul_proto=%u\n",
2604 saddr2str((struct sockaddr *)&spidx.dst),
2605 spidx.prefd, spidx.ul_proto);
2606
2607 /*
2608 * convert the ul_proto if it is 0
2609 * because 0 in ID payload means a wild card.
2610 */
2611 if (spidx.ul_proto == 0)
2612 spidx.ul_proto = IPSEC_ULPROTO_ANY;
2613
2614 /* get inbound policy */
2615 sp_in = getsp_r(&spidx, iph2);
2616 if (sp_in == NULL || sp_in->policy == IPSEC_POLICY_GENERATE) {
2617 if (iph2->ph1->rmconf->gen_policy) {
2618 if (sp_in)
2619 plog(LLV_INFO, LOCATION, NULL,
2620 "Update the generated policy : %s\n",
2621 spidx2str(&spidx));
2622 else
2623 plog(LLV_INFO, LOCATION, NULL,
2624 "no policy found, "
2625 "try to generate the policy : %s\n",
2626 spidx2str(&spidx));
2627 iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2628 if (!iph2->spidx_gen) {
2629 plog(LLV_ERROR, LOCATION, NULL,
2630 "buffer allocation failed.\n");
2631 return ISAKMP_INTERNAL_ERROR;
2632 }
2633 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2634 generated_policy_exit_early = 1; /* special value */
2635 } else {
2636 plog(LLV_ERROR, LOCATION, NULL,
2637 "no policy found: %s\n", spidx2str(&spidx));
2638 return ISAKMP_INTERNAL_ERROR;
2639 }
2640 }
2641
2642 /* get outbound policy */
2643 {
2644 struct sockaddr_storage addr;
2645 u_int8_t pref;
2646
2647 spidx.dir = IPSEC_DIR_OUTBOUND;
2648 addr = spidx.src;
2649 spidx.src = spidx.dst;
2650 spidx.dst = addr;
2651 pref = spidx.prefs;
2652 spidx.prefs = spidx.prefd;
2653 spidx.prefd = pref;
2654
2655 sp_out = getsp_r(&spidx, iph2);
2656 if (!sp_out) {
2657 plog(LLV_WARNING, LOCATION, NULL,
2658 "no outbound policy found: %s\n",
2659 spidx2str(&spidx));
2660 } else {
2661
2662 if (!iph2->spid) {
2663 iph2->spid = sp_out->id;
2664 }
2665 }
2666 }
2667
2668 plog(LLV_DEBUG, LOCATION, NULL,
2669 "suitable SP found:%s\n", spidx2str(&spidx));
2670
2671 if (generated_policy_exit_early) {
2672 return -2;
2673 }
2674
2675 /*
2676 * In the responder side, the inbound policy should be using IPsec.
2677 * outbound policy is not checked currently.
2678 */
2679 if (sp_in->policy != IPSEC_POLICY_IPSEC) {
2680 plog(LLV_ERROR, LOCATION, NULL,
2681 "policy found, but no IPsec required: %s\n",
2682 spidx2str(&spidx));
2683 return ISAKMP_INTERNAL_ERROR;
2684 }
2685
2686 /* set new proposal derived from a policy into the iph2->proposal. */
2687 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
2688 plog(LLV_ERROR, LOCATION, NULL,
2689 "failed to create saprop.\n");
2690 return ISAKMP_INTERNAL_ERROR;
2691 }
2692
2693 return 0;
2694 }
mirror of ipsec