]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp.c
projects / apple / ipsec.git / blob
? search:


dc58420d088965a94ce54a3f0c6148fca89b220a
[apple/ipsec.git] / ipsec-tools / racoon / isakmp.c
1 /* $Id: isakmp.c,v 1.34.2.21 2006/02/02 10:31:01 vanhu Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31 #ifdef __APPLE__
32 #define __APPLE_API_PRIVATE
33 #endif
34
35 #include "config.h"
36
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/socket.h>
40 #include <sys/queue.h>
41
42 #include <netinet/in.h>
43 #include <arpa/inet.h>
44
45 #ifndef HAVE_NETINET6_IPSEC
46 #include <netinet/ipsec.h>
47 #else
48 #include <netinet6/ipsec.h>
49 #endif
50
51 #include <stdlib.h>
52 #include <stdio.h>
53 #include <string.h>
54 #include <errno.h>
55 #if TIME_WITH_SYS_TIME
56 # include <sys/time.h>
57 # include <time.h>
58 #else
59 # if HAVE_SYS_TIME_H
60 # include <sys/time.h>
61 # else
62 # include <time.h>
63 # endif
64 #endif
65 #include <netdb.h>
66 #ifdef HAVE_UNISTD_H
67 #include <unistd.h>
68 #endif
69 #include <ctype.h>
70 #include <fcntl.h>
71
72 #include "var.h"
73 #include "misc.h"
74 #include "vmbuf.h"
75 #include "plog.h"
76 #include "sockmisc.h"
77 #include "schedule.h"
78 #include "debug.h"
79
80 #include "remoteconf.h"
81 #include "localconf.h"
82 #include "grabmyaddr.h"
83 #include "admin.h"
84 #include "privsep.h"
85 #include "isakmp_var.h"
86 #include "isakmp.h"
87 #include "oakley.h"
88 #include "evt.h"
89 #include "handler.h"
90 #include "proposal.h"
91 #include "ipsec_doi.h"
92 #include "pfkey.h"
93 #include "crypto_openssl.h"
94 #include "policy.h"
95 #include "isakmp_ident.h"
96 #include "isakmp_agg.h"
97 #include "isakmp_base.h"
98 #include "isakmp_quick.h"
99 #include "isakmp_inf.h"
100 #include "isakmp_newg.h"
101 #include "vpn_control.h"
102 #include "vpn_control_var.h"
103 #ifdef ENABLE_HYBRID
104 #include "isakmp_xauth.h"
105 #include "isakmp_cfg.h"
106 #endif
107 #ifdef ENABLE_FRAG
108 #include "isakmp_frag.h"
109 #endif
110 #include "strnames.h"
111
112 #ifdef ENABLE_NATT
113 # include "nattraversal.h"
114 # ifdef __linux__
115 # include <linux/udp.h>
116 #include <fcntl.h>
117
118 # ifndef SOL_UDP
119 # define SOL_UDP 17
120 # endif
121 # endif /* __linux__ */
122 # if defined(__NetBSD__) || defined(__FreeBSD__)
123 # include <netinet/in.h>
124 # include <netinet/udp.h>
125 # define SOL_UDP IPPROTO_UDP
126 # endif /* __NetBSD__ / __FreeBSD__ */
127 #endif
128
129 static int nostate1 __P((struct ph1handle *, vchar_t *));
130 static int nostate2 __P((struct ph2handle *, vchar_t *));
131
132 extern caddr_t val2str(const char *, size_t);
133
134 static int (*ph1exchange[][2][PHASE1ST_MAX])
135 __P((struct ph1handle *, vchar_t *)) = {
136 /* error */
137 { {}, {}, },
138 /* Identity Protection exchange */
139 {
140 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
141 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
142 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
143 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
144 },
145 /* Aggressive exchange */
146 {
147 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
148 nostate1, nostate1, nostate1, nostate1, nostate1, },
149 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
150 nostate1, nostate1, nostate1, nostate1, nostate1, },
151 },
152 /* Base exchange */
153 {
154 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
155 base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
156 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
157 nostate1, nostate1, nostate1, nostate1, nostate1, },
158 },
159 };
160
161 static int (*ph2exchange[][2][PHASE2ST_MAX])
162 __P((struct ph2handle *, vchar_t *)) = {
163 /* error */
164 { {}, {}, },
165 /* Quick mode for IKE*/
166 {
167 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
168 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
169 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
170 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
171 },
172 };
173
174 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
175
176 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
177 static int ph1_main __P((struct ph1handle *, vchar_t *));
178 static int quick_main __P((struct ph2handle *, vchar_t *));
179 static int isakmp_ph1begin_r __P((vchar_t *,
180 struct sockaddr *, struct sockaddr *, u_int8_t));
181 static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
182 static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
183 static int etypesw1 __P((int));
184 static int etypesw2 __P((int));
185 #ifdef ENABLE_FRAG
186 static int frag_handler(struct ph1handle *,
187 vchar_t *, struct sockaddr *, struct sockaddr *);
188 #endif
189
190 /*
191 * isakmp packet handler
192 */
193 int
194 isakmp_handler(so_isakmp)
195 int so_isakmp;
196 {
197 struct isakmp isakmp;
198 union {
199 char buf[sizeof (isakmp) + 4];
200 u_int32_t non_esp[2];
201 } x;
202 struct sockaddr_storage remote;
203 struct sockaddr_storage local;
204 unsigned int remote_len = sizeof(remote);
205 unsigned int local_len = sizeof(local);
206 int len = 0, extralen = 0;
207 u_short port;
208 vchar_t *buf = NULL, *tmpbuf = NULL;
209 int error = -1;
210
211 /* read message by MSG_PEEK */
212 while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
213 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
214 (struct sockaddr *)&local, &local_len)) < 0) {
215 if (errno == EINTR)
216 continue;
217 plog(LLV_ERROR, LOCATION, NULL,
218 "failed to receive isakmp packet: %s\n",
219 strerror (errno));
220 goto end;
221 }
222
223 /* keep-alive packet - ignore */
224 if (len == 1 && (x.buf[0]&0xff) == 0xff) {
225 /* Pull the keep-alive packet */
226 if ((len = recvfrom(so_isakmp, (char *)x.buf, 1,
227 0, (struct sockaddr *)&remote, &remote_len)) != 1) {
228 plog(LLV_ERROR, LOCATION, NULL,
229 "failed to receive keep alive packet: %s\n",
230 strerror (errno));
231 }
232 goto end;
233 }
234
235 #ifdef ENABLE_NATT
236 /* we don't know about portchange yet,
237 look for non-esp marker instead */
238 if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
239 extralen = NON_ESP_MARKER_LEN;
240 #endif
241
242 /* now we know if there is an extra non-esp
243 marker at the beginning or not */
244 memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
245
246 /* check isakmp header length, as well as sanity of header length */
247 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
248 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
249 "packet shorter than isakmp header size (%u, %u, %zu)\n",
250 len, ntohl(isakmp.len), sizeof(isakmp));
251 /* dummy receive */
252 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
253 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
254 plog(LLV_ERROR, LOCATION, NULL,
255 "failed to receive isakmp packet: %s\n",
256 strerror (errno));
257 }
258 goto end;
259 }
260
261 /* reject it if the size is tooooo big. */
262 if (ntohl(isakmp.len) > 0xffff) {
263 plog(LLV_ERROR, LOCATION, NULL,
264 "the length in the isakmp header is too big.\n");
265 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
266 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
267 plog(LLV_ERROR, LOCATION, NULL,
268 "failed to receive isakmp packet: %s\n",
269 strerror (errno));
270 }
271 goto end;
272 }
273
274 /* read real message */
275 if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) {
276 plog(LLV_ERROR, LOCATION, NULL,
277 "failed to allocate reading buffer (%u Bytes)\n",
278 ntohl(isakmp.len) + extralen);
279 /* dummy receive */
280 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
281 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
282 plog(LLV_ERROR, LOCATION, NULL,
283 "failed to receive isakmp packet: %s\n",
284 strerror (errno));
285 #ifdef __APPLE__
286 error = -2; /* serious problem with socket */
287 #endif
288 }
289 goto end;
290 }
291
292 while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
293 0, (struct sockaddr *)&remote, &remote_len,
294 (struct sockaddr *)&local, &local_len)) < 0) {
295 if (errno == EINTR)
296 continue;
297 plog(LLV_ERROR, LOCATION, NULL,
298 "failed to receive isakmp packet: %s\n",
299 strerror (errno));
300 goto end;
301 }
302
303 if ((buf = vmalloc(len - extralen)) == NULL) {
304 plog(LLV_ERROR, LOCATION, NULL,
305 "failed to allocate reading buffer (%u Bytes)\n",
306 (len - extralen));
307 goto end;
308 }
309
310 memcpy (buf->v, tmpbuf->v + extralen, buf->l);
311
312 vfree (tmpbuf);
313
314 len -= extralen;
315
316 if (len != buf->l) {
317 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
318 "received invalid length (%d != %zu), why ?\n",
319 len, buf->l);
320 goto end;
321 }
322
323 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
324 plog(LLV_DEBUG, LOCATION, NULL,
325 "%d bytes message received %s\n",
326 len, saddr2str_fromto("from %s to %s",
327 (struct sockaddr *)&remote,
328 (struct sockaddr *)&local));
329 plogdump(LLV_DEBUG, buf->v, buf->l);
330
331 /* avoid packets with malicious port/address */
332 switch (remote.ss_family) {
333 case AF_INET:
334 port = ((struct sockaddr_in *)&remote)->sin_port;
335 break;
336 #ifdef INET6
337 case AF_INET6:
338 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
339 break;
340 #endif
341 default:
342 plog(LLV_ERROR, LOCATION, NULL,
343 "invalid family: %d\n", remote.ss_family);
344 goto end;
345 }
346 if (port == 0) {
347 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
348 "src port == 0 (valid as UDP but not with IKE)\n");
349 goto end;
350 }
351
352 /* XXX: check sender whether to be allowed or not to accept */
353
354 /* XXX: I don't know how to check isakmp half connection attack. */
355
356 /* simply reply if the packet was processed. */
357 if (check_recvdpkt((struct sockaddr *)&remote,
358 (struct sockaddr *)&local, buf)) {
359 plog(LLV_NOTIFY, LOCATION, NULL,
360 "the packet is retransmitted by %s.\n",
361 saddr2str((struct sockaddr *)&remote));
362 error = 0;
363 goto end;
364 }
365
366 /* isakmp main routine */
367 if (isakmp_main(buf, (struct sockaddr *)&remote,
368 (struct sockaddr *)&local) != 0) goto end;
369
370 error = 0;
371
372 end:
373 if (buf != NULL)
374 vfree(buf);
375
376 return(error);
377 }
378
379 /*
380 * main processing to handle isakmp payload
381 */
382 static int
383 isakmp_main(msg, remote, local)
384 vchar_t *msg;
385 struct sockaddr *remote, *local;
386 {
387 struct isakmp *isakmp = (struct isakmp *)msg->v;
388 isakmp_index *index = (isakmp_index *)isakmp;
389 u_int32_t msgid = isakmp->msgid;
390 struct ph1handle *iph1;
391
392 #ifdef HAVE_PRINT_ISAKMP_C
393 isakmp_printpacket(msg, remote, local, 0);
394 #endif
395
396 /* the initiator's cookie must not be zero */
397 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
398 plog(LLV_ERROR, LOCATION, remote,
399 "malformed cookie received.\n");
400 return -1;
401 }
402
403 /* Check the Major and Minor Version fields. */
404 /*
405 * XXX Is is right to check version here ?
406 * I think it may no be here because the version depends
407 * on exchange status.
408 */
409 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
410 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
411 plog(LLV_ERROR, LOCATION, remote,
412 "invalid major version %d.\n",
413 ISAKMP_GETMAJORV(isakmp->v));
414 return -1;
415 }
416 #if ISAKMP_MINOR_VERSION > 0
417 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
418 plog(LLV_ERROR, LOCATION, remote,
419 "invalid minor version %d.\n",
420 ISAKMP_GETMINORV(isakmp->v));
421 return -1;
422 }
423 #endif
424 }
425
426 /* check the Flags field. */
427 /* XXX How is the exclusive check, E and A ? */
428 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
429 plog(LLV_ERROR, LOCATION, remote,
430 "invalid flag 0x%02x.\n", isakmp->flags);
431 return -1;
432 }
433
434 /* ignore commit bit. */
435 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
436 if (isakmp->msgid == 0) {
437 isakmp_info_send_nx(isakmp, remote, local,
438 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
439 plog(LLV_ERROR, LOCATION, remote,
440 "Commit bit on phase1 forbidden.\n");
441 return -1;
442 }
443 }
444
445 iph1 = getph1byindex(index);
446 if (iph1 != NULL) {
447 /* validity check */
448 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
449 iph1->side == INITIATOR) {
450 plog(LLV_DEBUG, LOCATION, remote,
451 "malformed cookie received or "
452 "the initiator's cookies collide.\n");
453 return -1;
454 }
455
456 #ifdef ENABLE_NATT
457 /* Floating ports for NAT-T */
458 if (NATT_AVAILABLE(iph1) &&
459 ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
460 ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
461 (cmpsaddrstrict(iph1->local, local) != 0)))
462 {
463 /* prevent memory leak */
464 racoon_free(iph1->remote);
465 racoon_free(iph1->local);
466
467 /* copy-in new addresses */
468 iph1->remote = dupsaddr(remote);
469 iph1->local = dupsaddr(local);
470
471 /* set the flag to prevent further port floating
472 (FIXME: should we allow it? E.g. when the NAT gw
473 is rebooted?) */
474 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
475
476 /* print some neat info */
477 plog (LLV_INFO, LOCATION, NULL,
478 "NAT-T: ports changed to: %s\n",
479 saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
480 #ifndef __APPLE__
481 natt_keepalive_add_ph1 (iph1);
482 #endif
483 }
484 #endif
485
486 /* must be same addresses in one stream of a phase at least. */
487 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
488 char *saddr_db, *saddr_act;
489
490 saddr_db = strdup(saddr2str(iph1->remote));
491 saddr_act = strdup(saddr2str(remote));
492
493 plog(LLV_WARNING, LOCATION, remote,
494 "remote address mismatched. db=%s, act=%s\n",
495 saddr_db, saddr_act);
496
497 racoon_free(saddr_db);
498 racoon_free(saddr_act);
499 }
500
501 /*
502 * don't check of exchange type here because other type will be
503 * with same index, for example, informational exchange.
504 */
505
506 /* XXX more acceptable check */
507 }
508
509 switch (isakmp->etype) {
510 case ISAKMP_ETYPE_IDENT:
511 case ISAKMP_ETYPE_AGG:
512 case ISAKMP_ETYPE_BASE:
513 /* phase 1 validity check */
514 if (isakmp->msgid != 0) {
515 plog(LLV_ERROR, LOCATION, remote,
516 "message id should be zero in phase1.\n");
517 return -1;
518 }
519
520 /* search for isakmp status record of phase 1 */
521 if (iph1 == NULL) {
522 /*
523 * the packet must be the 1st message from a initiator
524 * or the 2nd message from the responder.
525 */
526
527 /* search for phase1 handle by index without r_ck */
528 iph1 = getph1byindex0(index);
529 if (iph1 == NULL) {
530 /*it must be the 1st message from a initiator.*/
531 if (memcmp(&isakmp->r_ck, r_ck0,
532 sizeof(cookie_t)) != 0) {
533
534 plog(LLV_DEBUG, LOCATION, remote,
535 "malformed cookie received "
536 "or the spi expired.\n");
537 return -1;
538 }
539
540 /* it must be responder's 1st exchange. */
541 if (isakmp_ph1begin_r(msg, remote, local,
542 isakmp->etype) < 0)
543 return -1;
544 break;
545
546 /*NOTREACHED*/
547 }
548
549 /* it must be the 2nd message from the responder. */
550 if (iph1->side != INITIATOR) {
551 plog(LLV_DEBUG, LOCATION, remote,
552 "malformed cookie received. "
553 "it has to be as the initiator. %s\n",
554 isakmp_pindex(&iph1->index, 0));
555 return -1;
556 }
557 }
558
559 /*
560 * Don't delete phase 1 handler when the exchange type
561 * in handler is not equal to packet's one because of no
562 * authencication completed.
563 */
564 if (iph1->etype != isakmp->etype) {
565 plog(LLV_ERROR, LOCATION, iph1->remote,
566 "exchange type is mismatched: "
567 "db=%s packet=%s, ignore it.\n",
568 s_isakmp_etype(iph1->etype),
569 s_isakmp_etype(isakmp->etype));
570 return -1;
571 }
572
573 #ifdef ENABLE_FRAG
574 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
575 return frag_handler(iph1, msg, remote, local);
576 #endif
577
578 /* call main process of phase 1 */
579 if (ph1_main(iph1, msg) < 0) {
580 plog(LLV_ERROR, LOCATION, iph1->remote,
581 "phase1 negotiation failed.\n");
582 remph1(iph1);
583 delph1(iph1);
584 return -1;
585 }
586 break;
587
588 case ISAKMP_ETYPE_AUTH:
589 plog(LLV_INFO, LOCATION, remote,
590 "unsupported exchange %d received.\n",
591 isakmp->etype);
592 break;
593
594 case ISAKMP_ETYPE_INFO:
595 case ISAKMP_ETYPE_ACKINFO:
596 /*
597 * iph1 must be present for Information message.
598 * if iph1 is null then trying to get the phase1 status
599 * as the packet from responder againt initiator's 1st
600 * exchange in phase 1.
601 * NOTE: We think such informational exchange should be ignored.
602 */
603 if (iph1 == NULL) {
604 iph1 = getph1byindex0(index);
605 if (iph1 == NULL) {
606 plog(LLV_ERROR, LOCATION, remote,
607 "unknown Informational "
608 "exchange received.\n");
609 return -1;
610 }
611 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
612 plog(LLV_WARNING, LOCATION, remote,
613 "remote address mismatched. "
614 "db=%s\n",
615 saddr2str(iph1->remote));
616 }
617 }
618
619 #ifdef ENABLE_FRAG
620 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
621 return frag_handler(iph1, msg, remote, local);
622 #endif
623
624 if (isakmp_info_recv(iph1, msg) < 0)
625 return -1;
626 break;
627
628 case ISAKMP_ETYPE_QUICK:
629 {
630 struct ph2handle *iph2;
631
632 if (iph1 == NULL) {
633 isakmp_info_send_nx(isakmp, remote, local,
634 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
635 plog(LLV_ERROR, LOCATION, remote,
636 "can't start the quick mode, "
637 "there is no ISAKMP-SA, %s\n",
638 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
639 isakmp->msgid));
640 return -1;
641 }
642
643 #ifdef ENABLE_FRAG
644 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
645 return frag_handler(iph1, msg, remote, local);
646 #endif
647
648 /* check status of phase 1 whether negotiated or not. */
649 if (iph1->status != PHASE1ST_ESTABLISHED) {
650 plog(LLV_ERROR, LOCATION, remote,
651 "can't start the quick mode, "
652 "there is no valid ISAKMP-SA, %s\n",
653 isakmp_pindex(&iph1->index, iph1->msgid));
654 return -1;
655 }
656
657 /* search isakmp phase 2 stauts record. */
658 iph2 = getph2bymsgid(iph1, msgid);
659 if (iph2 == NULL) {
660 /* it must be new negotiation as responder */
661 if (isakmp_ph2begin_r(iph1, msg) < 0)
662 return -1;
663 return 0;
664 /*NOTREACHED*/
665 }
666
667 /* commit bit. */
668 /* XXX
669 * we keep to set commit bit during negotiation.
670 * When SA is configured, bit will be reset.
671 * XXX
672 * don't initiate commit bit. should be fixed in the future.
673 */
674 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
675 iph2->flags |= ISAKMP_FLAG_C;
676
677 /* call main process of quick mode */
678 if (quick_main(iph2, msg) < 0) {
679 plog(LLV_ERROR, LOCATION, iph1->remote,
680 "phase2 negotiation failed.\n");
681 unbindph12(iph2);
682 remph2(iph2);
683 delph2(iph2);
684 return -1;
685 }
686 }
687 break;
688
689 case ISAKMP_ETYPE_NEWGRP:
690 if (iph1 == NULL) {
691 plog(LLV_ERROR, LOCATION, remote,
692 "Unknown new group mode exchange, "
693 "there is no ISAKMP-SA.\n");
694 return -1;
695 }
696
697 #ifdef ENABLE_FRAG
698 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
699 return frag_handler(iph1, msg, remote, local);
700 #endif
701
702 isakmp_newgroup_r(iph1, msg);
703 break;
704
705 #ifdef ENABLE_HYBRID
706 case ISAKMP_ETYPE_CFG:
707 if (iph1 == NULL) {
708 plog(LLV_ERROR, LOCATION, NULL,
709 "mode config %d from %s, "
710 "but we have no ISAKMP-SA.\n",
711 isakmp->etype, saddr2str(remote));
712 return -1;
713 }
714
715 #ifdef ENABLE_FRAG
716 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
717 return frag_handler(iph1, msg, remote, local);
718 #endif
719
720 isakmp_cfg_r(iph1, msg);
721 break;
722 #endif
723
724 case ISAKMP_ETYPE_NONE:
725 default:
726 plog(LLV_ERROR, LOCATION, NULL,
727 "Invalid exchange type %d from %s.\n",
728 isakmp->etype, saddr2str(remote));
729 return -1;
730 }
731
732 return 0;
733 }
734
735 /*
736 * main function of phase 1.
737 */
738 static int
739 ph1_main(iph1, msg)
740 struct ph1handle *iph1;
741 vchar_t *msg;
742 {
743 int error;
744 #ifdef ENABLE_STATS
745 struct timeval start, end;
746 #endif
747
748 /* ignore a packet */
749 if (iph1->status == PHASE1ST_ESTABLISHED)
750 return 0;
751
752 #ifdef ENABLE_STATS
753 gettimeofday(&start, NULL);
754 #endif
755 /* receive */
756 if (ph1exchange[etypesw1(iph1->etype)]
757 [iph1->side]
758 [iph1->status] == NULL) {
759 plog(LLV_ERROR, LOCATION, iph1->remote,
760 "why isn't the function defined.\n");
761 return -1;
762 }
763 error = (ph1exchange[etypesw1(iph1->etype)]
764 [iph1->side]
765 [iph1->status])(iph1, msg);
766 if (error != 0) {
767 /* XXX
768 * When an invalid packet is received on phase1, it should
769 * be selected to process this packet. That is to respond
770 * with a notify and delete phase 1 handler, OR not to respond
771 * and keep phase 1 handler. However, in PHASE1ST_START when
772 * acting as RESPONDER we must not keep phase 1 handler or else
773 * it will stay forever.
774 */
775
776 if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
777 plog(LLV_ERROR, LOCATION, iph1->remote,
778 "failed to pre-process packet.\n");
779 return -1;
780 } else {
781 /* ignore the error and keep phase 1 handler */
782 return 0;
783 }
784 }
785
786 /* free resend buffer */
787 if (iph1->sendbuf == NULL) {
788 plog(LLV_ERROR, LOCATION, NULL,
789 "no buffer found as sendbuf\n");
790 return -1;
791 }
792 VPTRINIT(iph1->sendbuf);
793
794 /* turn off schedule */
795 if (iph1->scr)
796 SCHED_KILL(iph1->scr);
797
798 /* send */
799 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
800 if ((ph1exchange[etypesw1(iph1->etype)]
801 [iph1->side]
802 [iph1->status])(iph1, msg) != 0) {
803 plog(LLV_ERROR, LOCATION, iph1->remote,
804 "failed to process packet.\n");
805 return -1;
806 }
807
808 #ifdef ENABLE_STATS
809 gettimeofday(&end, NULL);
810 syslog(LOG_NOTICE, "%s(%s): %8.6f",
811 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
812 timedelta(&start, &end));
813 #endif
814 if (iph1->status == PHASE1ST_ESTABLISHED) {
815
816 #ifdef ENABLE_STATS
817 gettimeofday(&iph1->end, NULL);
818 syslog(LOG_NOTICE, "%s(%s): %8.6f",
819 "phase1", s_isakmp_etype(iph1->etype),
820 timedelta(&iph1->start, &iph1->end));
821 #endif
822
823 #ifdef ENABLE_VPNCONTROL_PORT
824
825 if (iph1->side == RESPONDER &&
826 iph1->local->sa_family == AF_INET) {
827
828 struct redirect *addr;
829
830 LIST_FOREACH(addr, &lcconf->redirect_addresses, chain) {
831 if (((struct sockaddr_in *)iph1->local)->sin_addr.s_addr == addr->cluster_address) {
832 vchar_t *raddr = vmalloc(sizeof(u_int32_t));
833
834 if (raddr == NULL) {
835 plog(LLV_ERROR, LOCATION, iph1->remote,
836 "failed to send redirect message - memory error.\n");
837 } else {
838 memcpy(raddr->v, &addr->redirect_address, sizeof(u_int32_t));
839 (void)isakmp_info_send_n1(iph1, ISAKMP_NTYPE_LOAD_BALANCE, raddr);
840 plog(LLV_DEBUG, LOCATION, iph1->remote, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address));
841 vfree(raddr);
842 if (addr->force)
843 isakmp_ph1delete(iph1);
844 }
845 }
846 return 0;
847 }
848 }
849 #endif
850 /* save created date. */
851 (void)time(&iph1->created);
852
853 /* add to the schedule to expire, and save back pointer. */
854 iph1->sce = sched_new(iph1->approval->lifetime,
855 isakmp_ph1expire_stub, iph1);
856 #ifdef ENABLE_HYBRID
857 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
858 switch(iph1->approval->authmethod) {
859 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
860 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
861 xauth_sendreq(iph1);
862 /* XXX Don't process INITIAL_CONTACT */
863 iph1->rmconf->ini_contact = 0;
864 break;
865 default:
866 break;
867 }
868 }
869 #endif
870 #ifdef ENABLE_DPD
871 /* Schedule the r_u_there.... */
872 if(iph1->dpd_support && iph1->rmconf->dpd_interval)
873 isakmp_sched_r_u(iph1, 0);
874 #endif
875
876 /* INITIAL-CONTACT processing */
877 /* don't send anything if local test mode. */
878 if (!f_local
879 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
880 /* send INITIAL-CONTACT */
881 isakmp_info_send_n1(iph1,
882 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
883 /* insert a node into contacted list. */
884 if (inscontacted(iph1->remote) == -1) {
885 plog(LLV_ERROR, LOCATION, iph1->remote,
886 "failed to add contacted list.\n");
887 /* ignore */
888 }
889 }
890
891 log_ph1established(iph1);
892 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
893
894 #ifdef ENABLE_VPNCONTROL_PORT
895 vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL);
896 #endif
897
898
899 /*
900 * SA up shell script hook: do it now,except if
901 * ISAKMP mode config was requested. In the later
902 * case it is done when we receive the configuration.
903 */
904 if ((iph1->status == PHASE1ST_ESTABLISHED) &&
905 !iph1->rmconf->mode_cfg)
906 script_hook(iph1, SCRIPT_PHASE1_UP);
907 }
908
909 return 0;
910 }
911
912 /*
913 * main function of quick mode.
914 */
915 static int
916 quick_main(iph2, msg)
917 struct ph2handle *iph2;
918 vchar_t *msg;
919 {
920 struct isakmp *isakmp = (struct isakmp *)msg->v;
921 int error;
922 #ifdef ENABLE_STATS
923 struct timeval start, end;
924 #endif
925
926 /* ignore a packet */
927 if (iph2->status == PHASE2ST_ESTABLISHED
928 || iph2->status == PHASE2ST_GETSPISENT)
929 return 0;
930
931 #ifdef ENABLE_STATS
932 gettimeofday(&start, NULL);
933 #endif
934
935 /* receive */
936 if (ph2exchange[etypesw2(isakmp->etype)]
937 [iph2->side]
938 [iph2->status] == NULL) {
939 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
940 "why isn't the function defined.\n");
941 return -1;
942 }
943 error = (ph2exchange[etypesw2(isakmp->etype)]
944 [iph2->side]
945 [iph2->status])(iph2, msg);
946 if (error != 0) {
947 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
948 "failed to pre-process packet.\n");
949 if (error == ISAKMP_INTERNAL_ERROR)
950 return 0;
951 isakmp_info_send_n1(iph2->ph1, error, NULL);
952 return -1;
953 }
954
955 /* when using commit bit, status will be reached here. */
956 //if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - wrong place
957 // return 0;
958
959 /* free resend buffer */
960 if (iph2->sendbuf == NULL) {
961 plog(LLV_ERROR, LOCATION, NULL,
962 "no buffer found as sendbuf\n");
963 return -1;
964 }
965 VPTRINIT(iph2->sendbuf);
966
967 /* turn off schedule */
968 if (iph2->scr)
969 SCHED_KILL(iph2->scr);
970
971 /* when using commit bit, status will be reached here. */
972 if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - moved to here
973 return 0;
974
975 /* send */
976 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
977 if ((ph2exchange[etypesw2(isakmp->etype)]
978 [iph2->side]
979 [iph2->status])(iph2, msg) != 0) {
980 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
981 "failed to process packet.\n");
982 return -1;
983 }
984
985 #ifdef ENABLE_STATS
986 gettimeofday(&end, NULL);
987 syslog(LOG_NOTICE, "%s(%s): %8.6f",
988 "phase2",
989 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
990 timedelta(&start, &end));
991 #endif
992
993 return 0;
994 }
995
996 /* new negotiation of phase 1 for initiator */
997 int
998 isakmp_ph1begin_i(rmconf, remote, local)
999 struct remoteconf *rmconf;
1000 struct sockaddr *remote, *local;
1001 {
1002 struct ph1handle *iph1;
1003 #ifdef ENABLE_STATS
1004 struct timeval start, end;
1005 #endif
1006
1007 /* get new entry to isakmp status table. */
1008 iph1 = newph1();
1009 if (iph1 == NULL)
1010 return -1;
1011
1012 iph1->status = PHASE1ST_START;
1013 iph1->rmconf = rmconf;
1014 iph1->side = INITIATOR;
1015 iph1->version = ISAKMP_VERSION_NUMBER;
1016 iph1->msgid = 0;
1017 iph1->flags = 0;
1018 iph1->ph2cnt = 0;
1019 #ifdef HAVE_GSSAPI
1020 iph1->gssapi_state = NULL;
1021 #endif
1022 #ifdef ENABLE_HYBRID
1023 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
1024 return -1;
1025 #endif
1026 #ifdef ENABLE_FRAG
1027 iph1->frag = 0;
1028 iph1->frag_chain = NULL;
1029 #endif
1030 iph1->approval = NULL;
1031
1032 /* XXX copy remote address */
1033 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
1034 return -1;
1035
1036 (void)insph1(iph1);
1037
1038 /* start phase 1 exchange */
1039 iph1->etype = rmconf->etypes->type;
1040
1041 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1042 {
1043 char *a;
1044
1045 a = strdup(saddr2str(iph1->local));
1046 plog(LLV_INFO, LOCATION, NULL,
1047 "initiate new phase 1 negotiation: %s<=>%s\n",
1048 a, saddr2str(iph1->remote));
1049 racoon_free(a);
1050 }
1051 plog(LLV_INFO, LOCATION, NULL,
1052 "begin %s mode.\n",
1053 s_isakmp_etype(iph1->etype));
1054
1055 #ifdef ENABLE_STATS
1056 gettimeofday(&iph1->start, NULL);
1057 gettimeofday(&start, NULL);
1058 #endif
1059 /* start exchange */
1060 if ((ph1exchange[etypesw1(iph1->etype)]
1061 [iph1->side]
1062 [iph1->status])(iph1, NULL) != 0) {
1063 /* failed to start phase 1 negotiation */
1064 remph1(iph1);
1065 delph1(iph1);
1066
1067 return -1;
1068 }
1069
1070 #ifdef ENABLE_STATS
1071 gettimeofday(&end, NULL);
1072 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1073 "phase1",
1074 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1075 timedelta(&start, &end));
1076 #endif
1077
1078 #ifdef ENABLE_VPNCONTROL_PORT
1079 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1080 #endif
1081
1082
1083 return 0;
1084 }
1085
1086 /* new negotiation of phase 1 for responder */
1087 static int
1088 isakmp_ph1begin_r(msg, remote, local, etype)
1089 vchar_t *msg;
1090 struct sockaddr *remote, *local;
1091 u_int8_t etype;
1092 {
1093 struct isakmp *isakmp = (struct isakmp *)msg->v;
1094 struct remoteconf *rmconf;
1095 struct ph1handle *iph1;
1096 struct etypes *etypeok;
1097 #ifdef ENABLE_STATS
1098 struct timeval start, end;
1099 #endif
1100
1101 /* look for my configuration */
1102 rmconf = getrmconf(remote);
1103 if (rmconf == NULL) {
1104 plog(LLV_ERROR, LOCATION, remote,
1105 "couldn't find "
1106 "configuration.\n");
1107 return -1;
1108 }
1109
1110 /* check to be acceptable exchange type */
1111 etypeok = check_etypeok(rmconf, etype);
1112 if (etypeok == NULL) {
1113 plog(LLV_ERROR, LOCATION, remote,
1114 "not acceptable %s mode\n", s_isakmp_etype(etype));
1115 return -1;
1116 }
1117
1118 /* get new entry to isakmp status table. */
1119 iph1 = newph1();
1120 if (iph1 == NULL)
1121 return -1;
1122
1123 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1124 iph1->status = PHASE1ST_START;
1125 iph1->rmconf = rmconf;
1126 iph1->flags = 0;
1127 iph1->side = RESPONDER;
1128 iph1->etype = etypeok->type;
1129 iph1->version = isakmp->v;
1130 iph1->msgid = 0;
1131 #ifdef HAVE_GSSAPI
1132 iph1->gssapi_state = NULL;
1133 #endif
1134 #ifdef ENABLE_HYBRID
1135 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
1136 return -1;
1137 #endif
1138 #ifdef ENABLE_FRAG
1139 iph1->frag = 0;
1140 iph1->frag_chain = NULL;
1141 #endif
1142 iph1->approval = NULL;
1143
1144 #ifdef ENABLE_NATT
1145 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
1146 * We have to setup this flag now to correctly generate the first reply.
1147 * Don't know if a better check could be done for that ?
1148 */
1149 if(extract_port(local) == lcconf->port_isakmp_natt)
1150 iph1->natt_flags |= (NAT_PORTS_CHANGED);
1151 #endif
1152
1153 /* copy remote address */
1154 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
1155 return -1;
1156
1157 (void)insph1(iph1);
1158
1159 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1160 {
1161 char *a;
1162
1163 a = strdup(saddr2str(iph1->local));
1164 plog(LLV_INFO, LOCATION, NULL,
1165 "respond new phase 1 negotiation: %s<=>%s\n",
1166 a, saddr2str(iph1->remote));
1167 racoon_free(a);
1168 }
1169 plog(LLV_INFO, LOCATION, NULL,
1170 "begin %s mode.\n", s_isakmp_etype(etype));
1171
1172 #ifdef ENABLE_STATS
1173 gettimeofday(&iph1->start, NULL);
1174 gettimeofday(&start, NULL);
1175 #endif
1176 /* start exchange */
1177 if ((ph1exchange[etypesw1(iph1->etype)]
1178 [iph1->side]
1179 [iph1->status])(iph1, msg) < 0
1180 || (ph1exchange[etypesw1(iph1->etype)]
1181 [iph1->side]
1182 [iph1->status])(iph1, msg) < 0) {
1183 plog(LLV_ERROR, LOCATION, remote,
1184 "failed to process packet.\n");
1185 remph1(iph1);
1186 delph1(iph1);
1187 return -1;
1188 }
1189 #ifdef ENABLE_STATS
1190 gettimeofday(&end, NULL);
1191 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1192 "phase1",
1193 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1194 timedelta(&start, &end));
1195 #endif
1196 #ifdef ENABLE_VPNCONTROL_PORT
1197 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
1198 #endif
1199
1200 return 0;
1201 }
1202
1203 /* new negotiation of phase 2 for initiator */
1204 static int
1205 isakmp_ph2begin_i(iph1, iph2)
1206 struct ph1handle *iph1;
1207 struct ph2handle *iph2;
1208 {
1209 #ifdef ENABLE_HYBRID
1210 if (xauth_check(iph1) != 0) {
1211 plog(LLV_ERROR, LOCATION, NULL,
1212 "Attempt to start phase 2 whereas Xauth failed\n");
1213 return -1;
1214 }
1215 #endif
1216
1217 /* found ISAKMP-SA. */
1218 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1219 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1220 {
1221 char *a;
1222 a = strdup(saddr2str(iph2->src));
1223 plog(LLV_INFO, LOCATION, NULL,
1224 "initiate new phase 2 negotiation: %s<=>%s\n",
1225 a, saddr2str(iph2->dst));
1226 racoon_free(a);
1227 }
1228
1229 #ifdef ENABLE_STATS
1230 gettimeofday(&iph2->start, NULL);
1231 #endif
1232 /* found isakmp-sa */
1233 bindph12(iph1, iph2);
1234 iph2->status = PHASE2ST_STATUS2;
1235
1236 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1237 [iph2->side]
1238 [iph2->status])(iph2, NULL) < 0) {
1239 unbindph12(iph2);
1240 /* release ipsecsa handler due to internal error. */
1241 remph2(iph2);
1242 return -1;
1243 }
1244
1245 #ifdef ENABLE_VPNCONTROL_PORT
1246 vpncontrol_notify_phase_change(1, FROM_LOCAL, NULL, iph2);
1247 #endif
1248
1249 return 0;
1250 }
1251
1252 /* new negotiation of phase 2 for responder */
1253 static int
1254 isakmp_ph2begin_r(iph1, msg)
1255 struct ph1handle *iph1;
1256 vchar_t *msg;
1257 {
1258 struct isakmp *isakmp = (struct isakmp *)msg->v;
1259 struct ph2handle *iph2 = 0;
1260 int error;
1261 #ifdef ENABLE_STATS
1262 struct timeval start, end;
1263 #endif
1264 #ifdef ENABLE_HYBRID
1265 if (xauth_check(iph1) != 0) {
1266 plog(LLV_ERROR, LOCATION, NULL,
1267 "Attempt to start phase 2 whereas Xauth failed\n");
1268 return -1;
1269 }
1270 #endif
1271
1272 iph2 = newph2();
1273 if (iph2 == NULL) {
1274 plog(LLV_ERROR, LOCATION, NULL,
1275 "failed to allocate phase2 entry.\n");
1276 return -1;
1277 }
1278
1279 iph2->ph1 = iph1;
1280 iph2->side = RESPONDER;
1281 iph2->status = PHASE2ST_START;
1282 iph2->flags = isakmp->flags;
1283 iph2->msgid = isakmp->msgid;
1284 iph2->seq = pk_getseq();
1285 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1286 if (iph2->ivm == NULL) {
1287 delph2(iph2);
1288 return -1;
1289 }
1290 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1291 if (iph2->dst == NULL) {
1292 delph2(iph2);
1293 return -1;
1294 }
1295 switch (iph2->dst->sa_family) {
1296 case AF_INET:
1297 #ifndef ENABLE_NATT
1298 ((struct sockaddr_in *)iph2->dst)->sin_port = 0;
1299 #endif
1300 break;
1301 #ifdef INET6
1302 case AF_INET6:
1303 #ifndef ENABLE_NATT
1304 ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
1305 #endif
1306 break;
1307 #endif
1308 default:
1309 plog(LLV_ERROR, LOCATION, NULL,
1310 "invalid family: %d\n", iph2->dst->sa_family);
1311 delph2(iph2);
1312 return -1;
1313 }
1314
1315 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1316 if (iph2->src == NULL) {
1317 delph2(iph2);
1318 return -1;
1319 }
1320 switch (iph2->src->sa_family) {
1321 case AF_INET:
1322 #ifndef ENABLE_NATT
1323 ((struct sockaddr_in *)iph2->src)->sin_port = 0;
1324 #endif
1325 break;
1326 #ifdef INET6
1327 case AF_INET6:
1328 #ifndef ENABLE_NATT
1329 ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
1330 #endif
1331 break;
1332 #endif
1333 default:
1334 plog(LLV_ERROR, LOCATION, NULL,
1335 "invalid family: %d\n", iph2->src->sa_family);
1336 delph2(iph2);
1337 return -1;
1338 }
1339
1340 /* add new entry to isakmp status table */
1341 insph2(iph2);
1342 bindph12(iph1, iph2);
1343
1344 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1345 {
1346 char *a;
1347
1348 a = strdup(saddr2str(iph2->src));
1349 plog(LLV_INFO, LOCATION, NULL,
1350 "respond new phase 2 negotiation: %s<=>%s\n",
1351 a, saddr2str(iph2->dst));
1352 racoon_free(a);
1353 }
1354
1355 #ifdef ENABLE_STATS
1356 gettimeofday(&start, NULL);
1357 #endif
1358
1359 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1360 [iph2->side]
1361 [iph2->status])(iph2, msg);
1362 if (error != 0) {
1363 plog(LLV_ERROR, LOCATION, iph1->remote,
1364 "failed to pre-process packet.\n");
1365 if (error != ISAKMP_INTERNAL_ERROR)
1366 isakmp_info_send_n1(iph2->ph1, error, NULL);
1367 /*
1368 * release handler because it's wrong that ph2handle is kept
1369 * after failed to check message for responder's.
1370 */
1371 unbindph12(iph2);
1372 remph2(iph2);
1373 delph2(iph2);
1374 return -1;
1375 }
1376
1377 /* send */
1378 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1379 if ((ph2exchange[etypesw2(isakmp->etype)]
1380 [iph2->side]
1381 [iph2->status])(iph2, msg) < 0) {
1382 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1383 "failed to process packet.\n");
1384 /* don't release handler */
1385 return -1;
1386 }
1387 #ifdef ENABLE_STATS
1388 gettimeofday(&end, NULL);
1389 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1390 "phase2",
1391 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1392 timedelta(&start, &end));
1393 #endif
1394
1395 #ifdef ENABLE_VPNCONTROL_PORT
1396 vpncontrol_notify_phase_change(1, FROM_REMOTE, NULL, iph2);
1397 #endif
1398
1399
1400 return 0;
1401 }
1402
1403 /*
1404 * parse ISAKMP payloads, without ISAKMP base header.
1405 */
1406 vchar_t *
1407 isakmp_parsewoh(np0, gen, len)
1408 int np0;
1409 struct isakmp_gen *gen;
1410 int len;
1411 {
1412 u_char np = np0 & 0xff;
1413 int tlen, plen;
1414 vchar_t *result;
1415 struct isakmp_parse_t *p, *ep;
1416
1417 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1418
1419 /*
1420 * 5 is a magic number, but any value larger than 2 should be fine
1421 * as we do vrealloc() in the following loop.
1422 */
1423 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1424 if (result == NULL) {
1425 plog(LLV_ERROR, LOCATION, NULL,
1426 "failed to get buffer.\n");
1427 return NULL;
1428 }
1429 p = (struct isakmp_parse_t *)result->v;
1430 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1431
1432 tlen = len;
1433
1434 /* parse through general headers */
1435 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1436 if (tlen <= sizeof(struct isakmp_gen)) {
1437 /* don't send information, see isakmp_ident_r1() */
1438 plog(LLV_ERROR, LOCATION, NULL,
1439 "invalid length of payload\n");
1440 vfree(result);
1441 return NULL;
1442 }
1443
1444 plog(LLV_DEBUG, LOCATION, NULL,
1445 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1446
1447 p->type = np;
1448 p->len = ntohs(gen->len);
1449 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
1450 plog(LLV_DEBUG, LOCATION, NULL,
1451 "invalid length of payload\n");
1452 vfree(result);
1453 return NULL;
1454 }
1455 p->ptr = gen;
1456 p++;
1457 if (ep <= p) {
1458 int off;
1459
1460 off = p - (struct isakmp_parse_t *)result->v;
1461 result = vrealloc(result, result->l * 2);
1462 if (result == NULL) {
1463 plog(LLV_DEBUG, LOCATION, NULL,
1464 "failed to realloc buffer.\n");
1465 vfree(result);
1466 return NULL;
1467 }
1468 ep = (struct isakmp_parse_t *)
1469 (result->v + result->l - sizeof(*ep));
1470 p = (struct isakmp_parse_t *)result->v;
1471 p += off;
1472 }
1473
1474 np = gen->np;
1475 plen = ntohs(gen->len);
1476 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1477 tlen -= plen;
1478 }
1479 p->type = ISAKMP_NPTYPE_NONE;
1480 p->len = 0;
1481 p->ptr = NULL;
1482
1483 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1484
1485 return result;
1486 }
1487
1488 /*
1489 * parse ISAKMP payloads, including ISAKMP base header.
1490 */
1491 vchar_t *
1492 isakmp_parse(buf)
1493 vchar_t *buf;
1494 {
1495 struct isakmp *isakmp = (struct isakmp *)buf->v;
1496 struct isakmp_gen *gen;
1497 int tlen;
1498 vchar_t *result;
1499 u_char np;
1500
1501 np = isakmp->np;
1502 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1503 tlen = buf->l - sizeof(struct isakmp);
1504 result = isakmp_parsewoh(np, gen, tlen);
1505
1506 return result;
1507 }
1508
1509 /* %%% */
1510 int
1511 isakmp_init()
1512 {
1513 /* initialize a isakmp status table */
1514 initph1tree();
1515 initph2tree();
1516 initctdtree();
1517 init_recvdpkt();
1518
1519 if (isakmp_open() < 0)
1520 goto err;
1521
1522 return(0);
1523
1524 err:
1525 isakmp_close();
1526 return(-1);
1527 }
1528
1529 void
1530 isakmp_cleanup()
1531 {
1532 clear_recvdpkt();
1533 clear_contacted();
1534 }
1535
1536 /*
1537 * make strings containing i_cookie + r_cookie + msgid
1538 */
1539 const char *
1540 isakmp_pindex(index, msgid)
1541 const isakmp_index *index;
1542 const u_int32_t msgid;
1543 {
1544 static char buf[64];
1545 const u_char *p;
1546 int i, j;
1547
1548 memset(buf, 0, sizeof(buf));
1549
1550 /* copy index */
1551 p = (const u_char *)index;
1552 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1553 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1554 j += 2;
1555 switch (i) {
1556 case 7:
1557 buf[j++] = ':';
1558 }
1559 }
1560
1561 if (msgid == 0)
1562 return buf;
1563
1564 /* copy msgid */
1565 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1566
1567 return buf;
1568 }
1569
1570 /* open ISAKMP sockets. */
1571 int
1572 isakmp_open()
1573 {
1574 const int yes = 1;
1575 int ifnum = 0, encap_ifnum = 0;
1576 #ifdef INET6
1577 int pktinfo;
1578 #endif
1579 struct myaddrs *p;
1580
1581 for (p = lcconf->myaddrs; p; p = p->next) {
1582 if (!p->addr)
1583 continue;
1584
1585 #ifdef __APPLE__
1586 if (p->sock != -1) {
1587 ifnum++;
1588 if (p->udp_encap)
1589 encap_ifnum++;
1590 continue; // socket already open
1591 }
1592 #endif
1593
1594 /* warn if wildcard address - should we forbid this? */
1595 switch (p->addr->sa_family) {
1596 case AF_INET:
1597 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
1598 plog(LLV_WARNING, LOCATION, NULL,
1599 "listening to wildcard address,"
1600 "broadcast IKE packet may kill you\n");
1601 break;
1602 #ifdef INET6
1603 case AF_INET6:
1604 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
1605 plog(LLV_WARNING, LOCATION, NULL,
1606 "listening to wildcard address, "
1607 "broadcast IKE packet may kill you\n");
1608 break;
1609 #endif
1610 default:
1611 plog(LLV_ERROR, LOCATION, NULL,
1612 "unsupported address family %d\n",
1613 lcconf->default_af);
1614 goto err_and_next;
1615 }
1616
1617 #ifdef INET6
1618 if (p->addr->sa_family == AF_INET6 &&
1619 IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)
1620 p->addr)->sin6_addr))
1621 {
1622 plog(LLV_DEBUG, LOCATION, NULL,
1623 "Ignoring multicast address %s\n",
1624 saddr2str(p->addr));
1625 racoon_free(p->addr);
1626 p->addr = NULL;
1627 continue;
1628 }
1629 #endif
1630
1631 if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1632 plog(LLV_ERROR, LOCATION, NULL,
1633 "socket (%s)\n", strerror(errno));
1634 goto err_and_next;
1635 }
1636
1637 /* receive my interface address on inbound packets. */
1638 switch (p->addr->sa_family) {
1639 case AF_INET:
1640 if (setsockopt(p->sock, IPPROTO_IP,
1641 #ifdef __linux__
1642 IP_PKTINFO,
1643 #else
1644 IP_RECVDSTADDR,
1645 #endif
1646 (const void *)&yes, sizeof(yes)) < 0) {
1647 plog(LLV_ERROR, LOCATION, NULL,
1648 "setsockopt (%s)\n", strerror(errno));
1649 goto err_and_next;
1650 }
1651 break;
1652 #ifdef INET6
1653 case AF_INET6:
1654 #ifdef INET6_ADVAPI
1655 #ifdef IPV6_RECVPKTINFO
1656 pktinfo = IPV6_RECVPKTINFO;
1657 #else /* old adv. API */
1658 pktinfo = IPV6_PKTINFO;
1659 #endif /* IPV6_RECVPKTINFO */
1660 #else
1661 pktinfo = IPV6_RECVDSTADDR;
1662 #endif
1663 if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo,
1664 (const void *)&yes, sizeof(yes)) < 0)
1665 {
1666 plog(LLV_ERROR, LOCATION, NULL,
1667 "setsockopt(%d): %s\n",
1668 pktinfo, strerror(errno));
1669 if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
1670 plog(LLV_WARNING, LOCATION, NULL,
1671 "failed to put socket in non-blocking mode\n");
1672
1673 goto err_and_next;
1674 }
1675 break;
1676 #endif
1677 }
1678
1679 #ifdef IPV6_USE_MIN_MTU
1680 if (p->addr->sa_family == AF_INET6 &&
1681 setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1682 (void *)&yes, sizeof(yes)) < 0) {
1683 plog(LLV_ERROR, LOCATION, NULL,
1684 "setsockopt (%s)\n", strerror(errno));
1685 return -1;
1686 }
1687 #endif
1688
1689 if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
1690 goto err_and_next;
1691
1692 #ifdef __APPLE__
1693 if (extract_port(p->addr) == PORT_ISAKMP) {
1694 if (setsockopt(p->sock, SOL_SOCKET, SO_NOTIFYCONFLICT,
1695 (void *)&yes, sizeof(yes)) < 0) {
1696 plog(LLV_ERROR, LOCATION, p->addr,
1697 "setsockopt (%s)\n", strerror(errno));
1698 goto err_and_next;
1699 }
1700 }
1701 #endif
1702
1703 if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
1704 plog(LLV_ERROR, LOCATION, p->addr,
1705 "failed to bind to address %s (%s).\n",
1706 saddr2str(p->addr), strerror(errno));
1707 close(p->sock);
1708 p->sock = -1;
1709 goto err_and_next;
1710 }
1711
1712 ifnum++;
1713 #ifdef __APPLE__
1714 if (p->udp_encap)
1715 encap_ifnum++;
1716 #endif
1717
1718 plog(LLV_INFO, LOCATION, NULL,
1719 "%s used as isakmp port (fd=%d)\n",
1720 saddr2str(p->addr), p->sock);
1721
1722 #ifndef __APPLE__
1723 #ifdef ENABLE_NATT
1724 if (p->addr->sa_family == AF_INET) {
1725 int option = -1;
1726
1727 if(p->udp_encap)
1728 option = UDP_ENCAP_ESPINUDP;
1729 #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01)
1730 else
1731 option = UDP_ENCAP_ESPINUDP_NON_IKE;
1732 #endif
1733 if(option != -1){
1734 if (setsockopt (p->sock, SOL_UDP, UDP_ENCAP,
1735 &option, sizeof (option)) < 0) {
1736 plog(LLV_WARNING, LOCATION, NULL,
1737 "setsockopt(%s): %s\n",
1738 option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
1739 strerror(errno));
1740 goto skip_encap;
1741 }
1742 else {
1743 plog(LLV_INFO, LOCATION, NULL,
1744 "%s used for NAT-T\n",
1745 saddr2str(p->addr));
1746 encap_ifnum++;
1747 }
1748 }
1749 }
1750 skip_encap:
1751 #endif
1752 #endif /* __APPLE__ */
1753
1754 continue;
1755
1756 err_and_next:
1757 racoon_free(p->addr);
1758 p->addr = NULL;
1759 if (! lcconf->autograbaddr && lcconf->strict_address)
1760 return -1;
1761 continue;
1762 }
1763
1764 if (!ifnum) {
1765 plog(LLV_ERROR, LOCATION, NULL,
1766 "no address could be bound.\n");
1767 return -1;
1768 }
1769
1770 #ifdef ENABLE_NATT
1771 if (natt_enabled_in_rmconf() && !encap_ifnum) {
1772 plog(LLV_WARNING, LOCATION, NULL,
1773 "NAT-T is enabled in at least one remote{} section,\n");
1774 plog(LLV_WARNING, LOCATION, NULL,
1775 "but no 'isakmp_natt' address was specified!\n");
1776 }
1777 #endif
1778
1779 return 0;
1780 }
1781
1782 void
1783 isakmp_close()
1784 {
1785 isakmp_close_sockets();
1786 clear_myaddr();
1787 }
1788
1789 void
1790 isakmp_close_sockets()
1791 {
1792 struct myaddrs *p;
1793
1794 for (p = lcconf->myaddrs; p; p = p->next) {
1795
1796 if (!p->addr)
1797 continue;
1798
1799 if (p->sock >= 0) {
1800 close(p->sock);
1801 p->sock = -1;
1802 }
1803 }
1804
1805 }
1806
1807
1808 // close sockets for addresses that have gone away
1809 void
1810 isakmp_close_unused()
1811 {
1812 struct myaddrs *p, *next, **prev;
1813
1814 prev = &(lcconf->myaddrs);
1815 for (p = lcconf->myaddrs; p; p = next) {
1816 next = p->next;
1817 if (p->in_use == 0) { // not in use ?
1818
1819 if (p->sock >= 0)
1820 close(p->sock);
1821 if (p->addr)
1822 racoon_free(p->addr);
1823 *prev = p->next;
1824 racoon_free(p);
1825 } else
1826 prev = &(p->next);
1827 }
1828 }
1829
1830 int
1831 isakmp_send(iph1, sbuf)
1832 struct ph1handle *iph1;
1833 vchar_t *sbuf;
1834 {
1835 int len = 0;
1836 int s;
1837 vchar_t *vbuf = NULL;
1838
1839 #ifdef ENABLE_NATT
1840 size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
1841
1842 #ifdef ENABLE_FRAG
1843 /*
1844 * Do not add the non ESP marker for a packet that will
1845 * be fragmented. The non ESP marker should appear in
1846 * all fragment's packets, but not in the fragmented packet
1847 */
1848 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
1849 extralen = 0;
1850 #endif
1851 if (extralen)
1852 plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
1853
1854 /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
1855 must added just before the packet itself. For this we must
1856 allocate a new buffer and release it at the end. */
1857 if (extralen) {
1858 vbuf = vmalloc (sbuf->l + extralen);
1859 *(u_int32_t *)vbuf->v = 0;
1860 memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
1861 sbuf = vbuf;
1862 }
1863 #endif
1864
1865 /* select the socket to be sent */
1866 s = getsockmyaddr(iph1->local);
1867 if (s == -1){
1868 if ( vbuf != NULL )
1869 vfree(vbuf);
1870 return -1;
1871 }
1872
1873 plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
1874 saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
1875
1876 #ifdef ENABLE_FRAG
1877 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
1878 if (isakmp_sendfrags(iph1, sbuf) == -1) {
1879 plog(LLV_ERROR, LOCATION, NULL,
1880 "isakmp_sendfrags failed\n");
1881 if ( vbuf != NULL )
1882 vfree(vbuf);
1883 return -1;
1884 }
1885 } else
1886 #endif
1887 {
1888 len = sendfromto(s, sbuf->v, sbuf->l,
1889 iph1->local, iph1->remote, lcconf->count_persend);
1890 if (len == -1) {
1891 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1892 if ( vbuf != NULL )
1893 vfree(vbuf);
1894 return -1;
1895 }
1896 }
1897
1898 if ( vbuf != NULL )
1899 vfree(vbuf);
1900
1901 return 0;
1902 }
1903
1904 /* called from scheduler */
1905 void
1906 isakmp_ph1resend_stub(p)
1907 void *p;
1908 {
1909 (void)isakmp_ph1resend((struct ph1handle *)p);
1910 }
1911
1912 int
1913 isakmp_ph1resend(iph1)
1914 struct ph1handle *iph1;
1915 {
1916 if (iph1->retry_counter < 0) {
1917 plog(LLV_ERROR, LOCATION, NULL,
1918 "phase1 negotiation failed due to time up. %s\n",
1919 isakmp_pindex(&iph1->index, iph1->msgid));
1920 EVT_PUSH(iph1->local, iph1->remote,
1921 EVTT_PEER_NO_RESPONSE, NULL);
1922
1923 remph1(iph1);
1924 delph1(iph1);
1925 return -1;
1926 }
1927
1928 if (isakmp_send(iph1, iph1->sendbuf) < 0){
1929 iph1->retry_counter--;
1930
1931 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1932 isakmp_ph1resend_stub, iph1);
1933 return -1;
1934 }
1935
1936 plog(LLV_DEBUG, LOCATION, NULL,
1937 "resend phase1 packet %s\n",
1938 isakmp_pindex(&iph1->index, iph1->msgid));
1939
1940 iph1->retry_counter--;
1941
1942 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1943 isakmp_ph1resend_stub, iph1);
1944
1945 return 0;
1946 }
1947
1948 /* called from scheduler */
1949 void
1950 isakmp_ph2resend_stub(p)
1951 void *p;
1952 {
1953
1954 (void)isakmp_ph2resend((struct ph2handle *)p);
1955 }
1956
1957 int
1958 isakmp_ph2resend(iph2)
1959 struct ph2handle *iph2;
1960 {
1961 if (iph2->retry_counter < 0) {
1962 plog(LLV_ERROR, LOCATION, NULL,
1963 "phase2 negotiation failed due to time up. %s\n",
1964 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1965 EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
1966 unbindph12(iph2);
1967 remph2(iph2);
1968 delph2(iph2);
1969 return -1;
1970 }
1971
1972 //%%% BUG FIX - related to commit bit usage - crash happened here
1973 if (iph2->ph1 == 0) {
1974 plog(LLV_ERROR, LOCATION, NULL,
1975 "internal error - attempt to re-send phase2 with no phase1 bound.\n");
1976 iph2->retry_counter = -1;
1977 remph2(iph2);
1978 delph2(iph2);
1979 return -1;
1980 }
1981
1982 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1983 return -1;
1984
1985 plog(LLV_DEBUG, LOCATION, NULL,
1986 "resend phase2 packet %s\n",
1987 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1988
1989 iph2->retry_counter--;
1990
1991 iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
1992 isakmp_ph2resend_stub, iph2);
1993
1994 return 0;
1995 }
1996
1997 /* called from scheduler */
1998 void
1999 isakmp_ph1expire_stub(p)
2000 void *p;
2001 {
2002
2003 isakmp_ph1expire((struct ph1handle *)p);
2004 }
2005
2006 void
2007 isakmp_ph1expire(iph1)
2008 struct ph1handle *iph1;
2009 {
2010 char *src, *dst;
2011
2012 SCHED_KILL(iph1->sce);
2013
2014 if(iph1->status != PHASE1ST_EXPIRED){
2015 src = strdup(saddr2str(iph1->local));
2016 dst = strdup(saddr2str(iph1->remote));
2017 plog(LLV_INFO, LOCATION, NULL,
2018 "ISAKMP-SA expired %s-%s spi:%s\n",
2019 src, dst,
2020 isakmp_pindex(&iph1->index, 0));
2021 racoon_free(src);
2022 racoon_free(dst);
2023 iph1->status = PHASE1ST_EXPIRED;
2024 }
2025
2026 /*
2027 * the phase1 deletion is postponed until there is no phase2.
2028 */
2029 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2030 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
2031 return;
2032 }
2033
2034 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
2035 }
2036
2037 /* called from scheduler */
2038 void
2039 isakmp_ph1delete_stub(p)
2040 void *p;
2041 {
2042
2043 isakmp_ph1delete((struct ph1handle *)p);
2044 }
2045
2046 void
2047 isakmp_ph1delete(iph1)
2048 struct ph1handle *iph1;
2049 {
2050 char *src, *dst;
2051
2052 if (iph1->sce)
2053 SCHED_KILL(iph1->sce);
2054
2055 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2056 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
2057 return;
2058 }
2059
2060 /* don't re-negosiation when the phase 1 SA expires. */
2061
2062 src = strdup(saddr2str(iph1->local));
2063 dst = strdup(saddr2str(iph1->remote));
2064 plog(LLV_INFO, LOCATION, NULL,
2065 "ISAKMP-SA deleted %s-%s spi:%s\n",
2066 src, dst, isakmp_pindex(&iph1->index, 0));
2067 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
2068 racoon_free(src);
2069 racoon_free(dst);
2070
2071 remph1(iph1);
2072 delph1(iph1);
2073
2074 return;
2075 }
2076
2077 /* called from scheduler.
2078 * this function will call only isakmp_ph2delete().
2079 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
2080 * by something cause. That's why this function is called after phase 2 SA
2081 * expires in the userland.
2082 */
2083 void
2084 isakmp_ph2expire_stub(p)
2085 void *p;
2086 {
2087
2088 isakmp_ph2expire((struct ph2handle *)p);
2089 }
2090
2091 void
2092 isakmp_ph2expire(iph2)
2093 struct ph2handle *iph2;
2094 {
2095 char *src, *dst;
2096
2097 SCHED_KILL(iph2->sce);
2098
2099 src = strdup(saddrwop2str(iph2->src));
2100 dst = strdup(saddrwop2str(iph2->dst));
2101 plog(LLV_INFO, LOCATION, NULL,
2102 "phase2 sa expired %s-%s\n", src, dst);
2103 racoon_free(src);
2104 racoon_free(dst);
2105
2106 iph2->status = PHASE2ST_EXPIRED;
2107
2108 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
2109
2110 return;
2111 }
2112
2113 /* called from scheduler */
2114 void
2115 isakmp_ph2delete_stub(p)
2116 void *p;
2117 {
2118
2119 isakmp_ph2delete((struct ph2handle *)p);
2120 }
2121
2122 void
2123 isakmp_ph2delete(iph2)
2124 struct ph2handle *iph2;
2125 {
2126 char *src, *dst;
2127
2128 SCHED_KILL(iph2->sce);
2129
2130 src = strdup(saddrwop2str(iph2->src));
2131 dst = strdup(saddrwop2str(iph2->dst));
2132 plog(LLV_INFO, LOCATION, NULL,
2133 "phase2 sa deleted %s-%s\n", src, dst);
2134 racoon_free(src);
2135 racoon_free(dst);
2136
2137 unbindph12(iph2);
2138 remph2(iph2);
2139 delph2(iph2);
2140
2141 return;
2142 }
2143
2144 /* \f%%%
2145 * Interface between PF_KEYv2 and ISAKMP
2146 */
2147 /*
2148 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
2149 * if phase1 has been finished, begin phase2.
2150 */
2151 int
2152 isakmp_post_acquire(iph2)
2153 struct ph2handle *iph2;
2154 {
2155 struct remoteconf *rmconf;
2156 struct ph1handle *iph1 = NULL;
2157
2158 /* search appropreate configuration with masking port. */
2159 rmconf = getrmconf(iph2->dst);
2160 if (rmconf == NULL) {
2161 plog(LLV_ERROR, LOCATION, NULL,
2162 "no configuration found for %s.\n",
2163 saddrwop2str(iph2->dst));
2164 return -1;
2165 }
2166
2167 /* if passive mode, ignore the acquire message */
2168 if (rmconf->passive) {
2169 plog(LLV_DEBUG, LOCATION, NULL,
2170 "because of passive mode, "
2171 "ignore the acquire message for %s.\n",
2172 saddrwop2str(iph2->dst));
2173 return 0;
2174 }
2175
2176 /*
2177 * Search isakmp status table by address and port
2178 * If NAT-T is in use, consider null ports as a
2179 * wildcard and use IKE ports instead.
2180 */
2181 #ifdef ENABLE_NATT
2182 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
2183 if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
2184 set_port(iph2->src, extract_port(iph1->local));
2185 set_port(iph2->dst, extract_port(iph1->remote));
2186 }
2187 } else {
2188 iph1 = getph1byaddr(iph2->src, iph2->dst);
2189 }
2190 #else
2191 iph1 = getph1byaddr(iph2->src, iph2->dst);
2192 #endif
2193
2194 /* no ISAKMP-SA found. */
2195 if (iph1 == NULL) {
2196 struct sched *sc;
2197
2198 iph2->retry_checkph1 = lcconf->retry_checkph1;
2199 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
2200 plog(LLV_INFO, LOCATION, NULL,
2201 "IPsec-SA request for %s queued "
2202 "due to no phase1 found.\n",
2203 saddrwop2str(iph2->dst));
2204
2205 /* start phase 1 negotiation as a initiator. */
2206 if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) {
2207 SCHED_KILL(sc);
2208 return -1;
2209 }
2210
2211 return 0;
2212 /*NOTREACHED*/
2213 }
2214
2215 /* found ISAKMP-SA, but on negotiation. */
2216 if (iph1->status != PHASE1ST_ESTABLISHED) {
2217 iph2->retry_checkph1 = lcconf->retry_checkph1;
2218 sched_new(1, isakmp_chkph1there_stub, iph2);
2219 plog(LLV_INFO, LOCATION, iph2->dst,
2220 "request for establishing IPsec-SA was queued "
2221 "due to no phase1 found.\n");
2222 return 0;
2223 /*NOTREACHED*/
2224 }
2225
2226 /* found established ISAKMP-SA */
2227 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
2228
2229 /* found ISAKMP-SA. */
2230 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
2231
2232 /* begin quick mode */
2233 if (isakmp_ph2begin_i(iph1, iph2))
2234 return -1;
2235
2236 return 0;
2237 }
2238
2239 /*
2240 * receive GETSPI from kernel.
2241 */
2242 int
2243 isakmp_post_getspi(iph2)
2244 struct ph2handle *iph2;
2245 {
2246 #ifdef ENABLE_STATS
2247 struct timeval start, end;
2248 #endif
2249
2250 /* don't process it because there is no suitable phase1-sa. */
2251 if (iph2->ph1->status == PHASE1ST_EXPIRED) {
2252 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2253 "the negotiation is stopped, "
2254 "because there is no suitable ISAKMP-SA.\n");
2255 return -1;
2256 }
2257
2258 #ifdef ENABLE_STATS
2259 gettimeofday(&start, NULL);
2260 #endif
2261 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2262 [iph2->side]
2263 [iph2->status])(iph2, NULL) != 0)
2264 return -1;
2265 #ifdef ENABLE_STATS
2266 gettimeofday(&end, NULL);
2267 syslog(LOG_NOTICE, "%s(%s): %8.6f",
2268 "phase2",
2269 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2270 timedelta(&start, &end));
2271 #endif
2272
2273 return 0;
2274 }
2275
2276 /* called by scheduler */
2277 void
2278 isakmp_chkph1there_stub(p)
2279 void *p;
2280 {
2281 isakmp_chkph1there((struct ph2handle *)p);
2282 }
2283
2284 void
2285 isakmp_chkph1there(iph2)
2286 struct ph2handle *iph2;
2287 {
2288 struct ph1handle *iph1;
2289
2290 iph2->retry_checkph1--;
2291 if (iph2->retry_checkph1 < 0) {
2292 plog(LLV_ERROR, LOCATION, iph2->dst,
2293 "phase2 negotiation failed "
2294 "due to time up waiting for phase1. %s\n",
2295 sadbsecas2str(iph2->dst, iph2->src,
2296 iph2->satype, 0, 0));
2297 plog(LLV_INFO, LOCATION, NULL,
2298 "delete phase 2 handler.\n");
2299
2300 /* send acquire to kernel as error */
2301 pk_sendeacquire(iph2);
2302
2303 unbindph12(iph2);
2304 remph2(iph2);
2305 delph2(iph2);
2306
2307 return;
2308 }
2309
2310 /*
2311 * Search isakmp status table by address and port
2312 * If NAT-T is in use, consider null ports as a
2313 * wildcard and use IKE ports instead.
2314 */
2315 #ifdef ENABLE_NATT
2316 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
2317 if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
2318 /*
2319 * cannot set ph2 ports until after switch to natt port
2320 * otherwise this function will never again find phase 1
2321 */
2322 if (iph1->status == PHASE1ST_ESTABLISHED) {
2323 set_port(iph2->src, extract_port(iph1->local));
2324 set_port(iph2->dst, extract_port(iph1->remote));
2325 }
2326 }
2327 } else {
2328 iph1 = getph1byaddr(iph2->src, iph2->dst);
2329 }
2330 #else
2331 iph1 = getph1byaddr(iph2->src, iph2->dst);
2332 #endif
2333
2334 /* XXX Even if ph1 as responder is there, should we not start
2335 * phase 2 negotiation ? */
2336 if (iph1 != NULL
2337 && iph1->status == PHASE1ST_ESTABLISHED) {
2338 /* found isakmp-sa */
2339 /* begin quick mode */
2340 (void)isakmp_ph2begin_i(iph1, iph2);
2341 return;
2342 }
2343
2344 /* no isakmp-sa found */
2345 sched_new(1, isakmp_chkph1there_stub, iph2);
2346
2347 return;
2348 }
2349
2350 /* copy variable data into ALLOCATED buffer. */
2351 caddr_t
2352 isakmp_set_attr_v(buf, type, val, len)
2353 caddr_t buf;
2354 int type;
2355 caddr_t val;
2356 int len;
2357 {
2358 struct isakmp_data *data;
2359
2360 data = (struct isakmp_data *)buf;
2361 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2362 data->lorv = htons((u_int16_t)len);
2363 memcpy(data + 1, val, len);
2364
2365 return buf + sizeof(*data) + len;
2366 }
2367
2368 /* copy fixed length data into ALLOCATED buffer. */
2369 caddr_t
2370 isakmp_set_attr_l(buf, type, val)
2371 caddr_t buf;
2372 int type;
2373 u_int32_t val;
2374 {
2375 struct isakmp_data *data;
2376
2377 data = (struct isakmp_data *)buf;
2378 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2379 data->lorv = htons((u_int16_t)val);
2380
2381 return buf + sizeof(*data);
2382 }
2383
2384 /* add a variable data attribute to the buffer by reallocating it. */
2385 vchar_t *
2386 isakmp_add_attr_v(buf0, type, val, len)
2387 vchar_t *buf0;
2388 int type;
2389 caddr_t val;
2390 int len;
2391 {
2392 vchar_t *buf = NULL;
2393 struct isakmp_data *data;
2394 int tlen;
2395 int oldlen = 0;
2396
2397 tlen = sizeof(*data) + len;
2398
2399 if (buf0) {
2400 oldlen = buf0->l;
2401 buf = vrealloc(buf0, oldlen + tlen);
2402 } else
2403 buf = vmalloc(tlen);
2404 if (!buf) {
2405 plog(LLV_ERROR, LOCATION, NULL,
2406 "failed to get a attribute buffer.\n");
2407 return NULL;
2408 }
2409
2410 data = (struct isakmp_data *)(buf->v + oldlen);
2411 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2412 data->lorv = htons((u_int16_t)len);
2413 memcpy(data + 1, val, len);
2414
2415 return buf;
2416 }
2417
2418 /* add a fixed data attribute to the buffer by reallocating it. */
2419 vchar_t *
2420 isakmp_add_attr_l(buf0, type, val)
2421 vchar_t *buf0;
2422 int type;
2423 u_int32_t val;
2424 {
2425 vchar_t *buf = NULL;
2426 struct isakmp_data *data;
2427 int tlen;
2428 int oldlen = 0;
2429
2430 tlen = sizeof(*data);
2431
2432 if (buf0) {
2433 oldlen = buf0->l;
2434 buf = vrealloc(buf0, oldlen + tlen);
2435 } else
2436 buf = vmalloc(tlen);
2437 if (!buf) {
2438 plog(LLV_ERROR, LOCATION, NULL,
2439 "failed to get a attribute buffer.\n");
2440 return NULL;
2441 }
2442
2443 data = (struct isakmp_data *)(buf->v + oldlen);
2444 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2445 data->lorv = htons((u_int16_t)val);
2446
2447 return buf;
2448 }
2449
2450 /*
2451 * calculate cookie and set.
2452 */
2453 int
2454 isakmp_newcookie(place, remote, local)
2455 caddr_t place;
2456 struct sockaddr *remote;
2457 struct sockaddr *local;
2458 {
2459 vchar_t *buf = NULL, *buf2 = NULL;
2460 char *p;
2461 int blen;
2462 int alen;
2463 caddr_t sa1, sa2;
2464 time_t t;
2465 int error = -1;
2466 u_short port;
2467
2468
2469 if (remote->sa_family != local->sa_family) {
2470 plog(LLV_ERROR, LOCATION, NULL,
2471 "address family mismatch, remote:%d local:%d\n",
2472 remote->sa_family, local->sa_family);
2473 goto end;
2474 }
2475 switch (remote->sa_family) {
2476 case AF_INET:
2477 alen = sizeof(struct in_addr);
2478 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2479 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2480 break;
2481 #ifdef INET6
2482 case AF_INET6:
2483 alen = sizeof(struct in_addr);
2484 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2485 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2486 break;
2487 #endif
2488 default:
2489 plog(LLV_ERROR, LOCATION, NULL,
2490 "invalid family: %d\n", remote->sa_family);
2491 goto end;
2492 }
2493 blen = (alen + sizeof(u_short)) * 2
2494 + sizeof(time_t) + lcconf->secret_size;
2495 buf = vmalloc(blen);
2496 if (buf == NULL) {
2497 plog(LLV_ERROR, LOCATION, NULL,
2498 "failed to get a cookie.\n");
2499 goto end;
2500 }
2501 p = buf->v;
2502
2503 /* copy my address */
2504 memcpy(p, sa1, alen);
2505 p += alen;
2506 port = ((struct sockaddr_in *)remote)->sin_port;
2507 memcpy(p, &port, sizeof(u_short));
2508 p += sizeof(u_short);
2509
2510 /* copy target address */
2511 memcpy(p, sa2, alen);
2512 p += alen;
2513 port = ((struct sockaddr_in *)local)->sin_port;
2514 memcpy(p, &port, sizeof(u_short));
2515 p += sizeof(u_short);
2516
2517 /* copy time */
2518 t = time(0);
2519 memcpy(p, (caddr_t)&t, sizeof(t));
2520 p += sizeof(t);
2521
2522 /* copy random value */
2523 buf2 = eay_set_random(lcconf->secret_size);
2524 if (buf2 == NULL)
2525 goto end;
2526 memcpy(p, buf2->v, lcconf->secret_size);
2527 p += lcconf->secret_size;
2528 vfree(buf2);
2529
2530 buf2 = eay_sha1_one(buf);
2531 memcpy(place, buf2->v, sizeof(cookie_t));
2532
2533 sa1 = val2str(place, sizeof (cookie_t));
2534 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2535 racoon_free(sa1);
2536
2537 error = 0;
2538 end:
2539 if (buf != NULL)
2540 vfree(buf);
2541 if (buf2 != NULL)
2542 vfree(buf2);
2543 return error;
2544 }
2545
2546 /*
2547 * save partner's(payload) data into phhandle.
2548 */
2549 int
2550 isakmp_p2ph(buf, gen)
2551 vchar_t **buf;
2552 struct isakmp_gen *gen;
2553 {
2554 /* XXX to be checked in each functions for logging. */
2555 if (*buf) {
2556 plog(LLV_WARNING, LOCATION, NULL,
2557 "ignore this payload, same payload type exist.\n");
2558 return -1;
2559 }
2560
2561 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
2562 if (*buf == NULL) {
2563 plog(LLV_ERROR, LOCATION, NULL,
2564 "failed to get buffer.\n");
2565 return -1;
2566 }
2567 memcpy((*buf)->v, gen + 1, (*buf)->l);
2568
2569 return 0;
2570 }
2571
2572 u_int32_t
2573 isakmp_newmsgid2(iph1)
2574 struct ph1handle *iph1;
2575 {
2576 u_int32_t msgid2;
2577
2578 do {
2579 msgid2 = eay_random();
2580 } while (getph2bymsgid(iph1, msgid2));
2581
2582 return msgid2;
2583 }
2584
2585 /*
2586 * set values into allocated buffer of isakmp header for phase 1
2587 */
2588 static caddr_t
2589 set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid)
2590 vchar_t *vbuf;
2591 struct ph1handle *iph1;
2592 int nptype;
2593 u_int8_t etype;
2594 u_int8_t flags;
2595 u_int32_t msgid;
2596 {
2597 struct isakmp *isakmp;
2598
2599 if (vbuf->l < sizeof(*isakmp))
2600 return NULL;
2601
2602 isakmp = (struct isakmp *)vbuf->v;
2603
2604 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2605 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2606 isakmp->np = nptype;
2607 isakmp->v = iph1->version;
2608 isakmp->etype = etype;
2609 isakmp->flags = flags;
2610 isakmp->msgid = msgid;
2611 isakmp->len = htonl(vbuf->l);
2612
2613 return vbuf->v + sizeof(*isakmp);
2614 }
2615
2616 /*
2617 * set values into allocated buffer of isakmp header for phase 1
2618 */
2619 caddr_t
2620 set_isakmp_header1(vbuf, iph1, nptype)
2621 vchar_t *vbuf;
2622 struct ph1handle *iph1;
2623 int nptype;
2624 {
2625 return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
2626 }
2627
2628 /*
2629 * set values into allocated buffer of isakmp header for phase 2
2630 */
2631 caddr_t
2632 set_isakmp_header2(vbuf, iph2, nptype)
2633 vchar_t *vbuf;
2634 struct ph2handle *iph2;
2635 int nptype;
2636 {
2637 return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
2638 }
2639
2640 /*
2641 * set values into allocated buffer of isakmp payload.
2642 */
2643 caddr_t
2644 set_isakmp_payload(buf, src, nptype)
2645 caddr_t buf;
2646 vchar_t *src;
2647 int nptype;
2648 {
2649 struct isakmp_gen *gen;
2650 caddr_t p = buf;
2651
2652 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n",
2653 src->l, nptype);
2654
2655 gen = (struct isakmp_gen *)p;
2656 gen->np = nptype;
2657 gen->len = htons(sizeof(*gen) + src->l);
2658 p += sizeof(*gen);
2659 memcpy(p, src->v, src->l);
2660 p += src->l;
2661
2662 return p;
2663 }
2664
2665 static int
2666 etypesw1(etype)
2667 int etype;
2668 {
2669 switch (etype) {
2670 case ISAKMP_ETYPE_IDENT:
2671 return 1;
2672 case ISAKMP_ETYPE_AGG:
2673 return 2;
2674 case ISAKMP_ETYPE_BASE:
2675 return 3;
2676 default:
2677 return 0;
2678 }
2679 /*NOTREACHED*/
2680 }
2681
2682 static int
2683 etypesw2(etype)
2684 int etype;
2685 {
2686 switch (etype) {
2687 case ISAKMP_ETYPE_QUICK:
2688 return 1;
2689 default:
2690 return 0;
2691 }
2692 /*NOTREACHED*/
2693 }
2694
2695 #ifdef HAVE_PRINT_ISAKMP_C
2696 /* for print-isakmp.c */
2697 char *snapend;
2698 extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2699
2700 char *getname __P((const u_char *));
2701 #ifdef INET6
2702 char *getname6 __P((const u_char *));
2703 #endif
2704 int safeputchar __P((int));
2705
2706 /*
2707 * Return a name for the IP address pointed to by ap. This address
2708 * is assumed to be in network byte order.
2709 */
2710 char *
2711 getname(ap)
2712 const u_char *ap;
2713 {
2714 struct sockaddr_in addr;
2715 static char ntop_buf[NI_MAXHOST];
2716
2717 memset(&addr, 0, sizeof(addr));
2718 #ifndef __linux__
2719 addr.sin_len = sizeof(struct sockaddr_in);
2720 #endif
2721 addr.sin_family = AF_INET;
2722 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2723 if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
2724 ntop_buf, sizeof(ntop_buf), NULL, 0,
2725 NI_NUMERICHOST | niflags))
2726 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2727
2728 return ntop_buf;
2729 }
2730
2731 #ifdef INET6
2732 /*
2733 * Return a name for the IP6 address pointed to by ap. This address
2734 * is assumed to be in network byte order.
2735 */
2736 char *
2737 getname6(ap)
2738 const u_char *ap;
2739 {
2740 struct sockaddr_in6 addr;
2741 static char ntop_buf[NI_MAXHOST];
2742
2743 memset(&addr, 0, sizeof(addr));
2744 addr.sin6_len = sizeof(struct sockaddr_in6);
2745 addr.sin6_family = AF_INET6;
2746 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2747 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2748 ntop_buf, sizeof(ntop_buf), NULL, 0,
2749 NI_NUMERICHOST | niflags))
2750 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2751
2752 return ntop_buf;
2753 }
2754 #endif /* INET6 */
2755
2756 int
2757 safeputchar(c)
2758 int c;
2759 {
2760 unsigned char ch;
2761
2762 ch = (unsigned char)(c & 0xff);
2763 if (c < 0x80 && isprint(c))
2764 return printf("%c", c & 0xff);
2765 else
2766 return printf("\\%03o", c & 0xff);
2767 }
2768
2769 void
2770 isakmp_printpacket(msg, from, my, decoded)
2771 vchar_t *msg;
2772 struct sockaddr *from;
2773 struct sockaddr *my;
2774 int decoded;
2775 {
2776 #ifdef YIPS_DEBUG
2777 struct timeval tv;
2778 int s;
2779 char hostbuf[NI_MAXHOST];
2780 char portbuf[NI_MAXSERV];
2781 struct isakmp *isakmp;
2782 vchar_t *buf;
2783 #endif
2784
2785 if (loglevel < LLV_DEBUG)
2786 return;
2787
2788 #ifdef YIPS_DEBUG
2789 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2790
2791 gettimeofday(&tv, NULL);
2792 s = tv.tv_sec % 3600;
2793 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2794
2795 if (from) {
2796 if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
2797 portbuf, sizeof(portbuf),
2798 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2799 strlcpy(hostbuf, "?", sizeof(hostbuf));
2800 strlcpy(portbuf, "?", sizeof(portbuf));
2801 }
2802 printf("%s:%s", hostbuf, portbuf);
2803 } else
2804 printf("?");
2805 printf(" -> ");
2806 if (my) {
2807 if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
2808 portbuf, sizeof(portbuf),
2809 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2810 strlcpy(hostbuf, "?", sizeof(hostbuf));
2811 strlcpy(portbuf, "?", sizeof(portbuf));
2812 }
2813 printf("%s:%s", hostbuf, portbuf);
2814 } else
2815 printf("?");
2816 printf(": ");
2817
2818 buf = vdup(msg);
2819 if (!buf) {
2820 printf("(malloc fail)\n");
2821 return;
2822 }
2823 if (decoded) {
2824 isakmp = (struct isakmp *)buf->v;
2825 if (isakmp->flags & ISAKMP_FLAG_E) {
2826 #if 0
2827 int pad;
2828 pad = *(u_char *)(buf->v + buf->l - 1);
2829 if (buf->l < pad && 2 < vflag)
2830 printf("(wrong padding)");
2831 #endif
2832 isakmp->flags &= ~ISAKMP_FLAG_E;
2833 }
2834 }
2835
2836 snapend = buf->v + buf->l;
2837 isakmp_print(buf->v, buf->l, NULL);
2838 vfree(buf);
2839 printf("\n");
2840 fflush(stdout);
2841
2842 return;
2843 #endif
2844 }
2845 #endif /*HAVE_PRINT_ISAKMP_C*/
2846
2847 int
2848 copy_ph1addresses(iph1, rmconf, remote, local)
2849 struct ph1handle *iph1;
2850 struct remoteconf *rmconf;
2851 struct sockaddr *remote, *local;
2852 {
2853 u_short *port = NULL;
2854
2855 /* address portion must be grabbed from real remote address "remote" */
2856 iph1->remote = dupsaddr(remote);
2857 if (iph1->remote == NULL) {
2858 delph1(iph1);
2859 return -1;
2860 }
2861
2862 /*
2863 * if remote has no port # (in case of initiator - from ACQUIRE msg)
2864 * - if remote.conf specifies port #, use that
2865 * - if remote.conf does not, use 500
2866 * if remote has port # (in case of responder - from recvfrom(2))
2867 * respect content of "remote".
2868 */
2869 switch (iph1->remote->sa_family) {
2870 case AF_INET:
2871 port = &((struct sockaddr_in *)iph1->remote)->sin_port;
2872 if (*port)
2873 break;
2874 *port = ((struct sockaddr_in *)rmconf->remote)->sin_port;
2875 if (*port)
2876 break;
2877 *port = htons(PORT_ISAKMP);
2878 break;
2879 #ifdef INET6
2880 case AF_INET6:
2881 port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port;
2882 if (*port)
2883 break;
2884 *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
2885 if (*port)
2886 break;
2887 *port = htons(PORT_ISAKMP);
2888 break;
2889 #endif
2890 default:
2891 plog(LLV_ERROR, LOCATION, NULL,
2892 "invalid family: %d\n", iph1->remote->sa_family);
2893 return -1;
2894 }
2895
2896 if (local == NULL)
2897 iph1->local = getlocaladdr(iph1->remote);
2898 else
2899 iph1->local = dupsaddr(local);
2900 if (iph1->local == NULL) {
2901 delph1(iph1);
2902 return -1;
2903 }
2904 port = NULL;
2905 switch (iph1->local->sa_family) {
2906 case AF_INET:
2907 port = &((struct sockaddr_in *)iph1->local)->sin_port;
2908 if (*port)
2909 break;
2910 *port = ((struct sockaddr_in *)local)->sin_port;
2911 if (*port)
2912 break;
2913 *port = getmyaddrsport(iph1->local);
2914 break;
2915 #ifdef INET6
2916 case AF_INET6:
2917 port = &((struct sockaddr_in6 *)iph1->local)->sin6_port;
2918 if (*port)
2919 break;
2920 *port = ((struct sockaddr_in6 *)local)->sin6_port;
2921 if (*port)
2922 break;
2923 *port = getmyaddrsport(iph1->local);
2924 break;
2925 #endif
2926 default:
2927 plog(LLV_ERROR, LOCATION, NULL,
2928 "invalid family: %d\n", iph1->local->sa_family);
2929 delph1(iph1);
2930 return -1;
2931 }
2932 #ifdef ENABLE_NATT
2933 if ( port != NULL && *port == htons(lcconf->port_isakmp_natt) ) {
2934 plog (LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n");
2935 iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
2936 }
2937 #endif
2938
2939 return 0;
2940 }
2941
2942 static int
2943 nostate1(iph1, msg)
2944 struct ph1handle *iph1;
2945 vchar_t *msg;
2946 {
2947 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2948 iph1->status);
2949 return -1;
2950 }
2951
2952 static int
2953 nostate2(iph2, msg)
2954 struct ph2handle *iph2;
2955 vchar_t *msg;
2956 {
2957 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2958 iph2->status);
2959 return -1;
2960 }
2961
2962 void
2963 log_ph1established(iph1)
2964 const struct ph1handle *iph1;
2965 {
2966 char *src, *dst;
2967
2968 src = strdup(saddr2str(iph1->local));
2969 dst = strdup(saddr2str(iph1->remote));
2970 plog(LLV_INFO, LOCATION, NULL,
2971 "ISAKMP-SA established %s-%s spi:%s\n",
2972 src, dst,
2973 isakmp_pindex(&iph1->index, 0));
2974 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL);
2975 racoon_free(src);
2976 racoon_free(dst);
2977
2978 return;
2979 }
2980
2981 struct payload_list *
2982 isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_type)
2983 {
2984 if (! plist) {
2985 plist = racoon_malloc (sizeof (struct payload_list));
2986 plist->prev = NULL;
2987 }
2988 else {
2989 plist->next = racoon_malloc (sizeof (struct payload_list));
2990 plist->next->prev = plist;
2991 plist = plist->next;
2992 }
2993
2994 plist->next = NULL;
2995 plist->payload = payload;
2996 plist->payload_type = payload_type;
2997
2998 return plist;
2999 }
3000
3001 vchar_t *
3002 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
3003 {
3004 struct payload_list *ptr, *first;
3005 size_t tlen = sizeof (struct isakmp), n = 0;
3006 vchar_t *buf;
3007 char *p;
3008
3009 if (plist == NULL) {
3010 plog(LLV_ERROR, LOCATION, NULL,
3011 "in isakmp_plist_set_all: plist == NULL\n");
3012 return NULL;
3013 }
3014
3015 /* Seek to the first item. */
3016 ptr = *plist;
3017 while (ptr->prev)
3018 ptr = ptr->prev;
3019 first = ptr;
3020
3021 /* Compute the whole length. */
3022 while (ptr) {
3023 tlen += ptr->payload->l + sizeof (struct isakmp_gen);
3024 ptr = ptr->next;
3025 }
3026
3027 buf = vmalloc(tlen);
3028 if (buf == NULL) {
3029 plog(LLV_ERROR, LOCATION, NULL,
3030 "failed to get buffer to send.\n");
3031 goto end;
3032 }
3033
3034 ptr = first;
3035
3036 p = set_isakmp_header1(buf, iph1, ptr->payload_type);
3037 if (p == NULL)
3038 goto end;
3039
3040 while (ptr)
3041 {
3042 p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
3043 first = ptr;
3044 ptr = ptr->next;
3045 racoon_free (first);
3046 /* ptr->prev = NULL; first = NULL; ... omitted. */
3047 n++;
3048 }
3049
3050 *plist = NULL;
3051
3052 return buf;
3053 end:
3054 return NULL;
3055 }
3056
3057 #ifdef ENABLE_FRAG
3058 int
3059 frag_handler(iph1, msg, remote, local)
3060 struct ph1handle *iph1;
3061 vchar_t *msg;
3062 struct sockaddr *remote;
3063 struct sockaddr *local;
3064 {
3065 vchar_t *newmsg;
3066
3067 if (isakmp_frag_extract(iph1, msg) == 1) {
3068 if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
3069 plog(LLV_ERROR, LOCATION, remote,
3070 "Packet reassembly failed\n");
3071 return -1;
3072 }
3073 return isakmp_main(newmsg, remote, local);
3074 }
3075
3076 return 0;
3077 }
3078 #endif
3079
3080 void
3081 script_hook(iph1, script)
3082 struct ph1handle *iph1;
3083 int script;
3084 {
3085 #define IP_MAX 40
3086 #define PORT_MAX 6
3087 char addrstr[IP_MAX];
3088 char portstr[PORT_MAX];
3089 char **envp = NULL;
3090 int envc = 1;
3091 struct sockaddr_in *sin;
3092 char **c;
3093
3094 if (iph1->rmconf->script[script] == -1)
3095 return;
3096
3097 #ifdef ENABLE_HYBRID
3098 (void)isakmp_cfg_setenv(iph1, &envp, &envc);
3099 #endif
3100
3101 /* local address */
3102 sin = (struct sockaddr_in *)iph1->local;
3103 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
3104 snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));
3105
3106 if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
3107 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
3108 goto out;
3109 }
3110
3111 if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) {
3112 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n");
3113 goto out;
3114 }
3115
3116 /* Peer address */
3117 sin = (struct sockaddr_in *)iph1->remote;
3118 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
3119 snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));
3120
3121 if (script_env_append(&envp, &envc, "REMOTE_ADDR", addrstr) != 0) {
3122 plog(LLV_ERROR, LOCATION, NULL, "Cannot set REMOTE_ADDR\n");
3123 goto out;
3124 }
3125
3126 if (script_env_append(&envp, &envc, "REMOTE_PORT", portstr) != 0) {
3127 plog(LLV_ERROR, LOCATION, NULL, "Cannot set REMOTEL_PORT\n");
3128 goto out;
3129 }
3130
3131 if (privsep_script_exec(iph1->rmconf->script[script],
3132 script, envp) != 0)
3133 plog(LLV_ERROR, LOCATION, NULL,
3134 "Script %s execution failed\n", script_names[script]);
3135
3136 out:
3137 for (c = envp; *c; c++)
3138 racoon_free(*c);
3139
3140 racoon_free(envp);
3141
3142 return;
3143 }
3144
3145 int
3146 script_env_append(envp, envc, name, value)
3147 char ***envp;
3148 int *envc;
3149 char *name;
3150 char *value;
3151 {
3152 char *envitem;
3153 char **newenvp;
3154 int newenvc;
3155 int envitemlen = strlen(name) + 1 + strlen(value) + 1;
3156
3157 envitem = racoon_malloc(envitemlen);
3158 if (envitem == NULL) {
3159 plog(LLV_ERROR, LOCATION, NULL,
3160 "Cannot allocate memory: %s\n", strerror(errno));
3161 return -1;
3162 }
3163 snprintf(envitem, envitemlen, "%s=%s", name, value);
3164
3165 newenvc = (*envc) + 1;
3166 newenvp = racoon_realloc(*envp, newenvc * sizeof(char *));
3167 if (newenvp == NULL) {
3168 plog(LLV_ERROR, LOCATION, NULL,
3169 "Cannot allocate memory: %s\n", strerror(errno));
3170 return -1;
3171 }
3172
3173 newenvp[newenvc - 2] = envitem;
3174 newenvp[newenvc - 1] = NULL;
3175
3176 *envp = newenvp;
3177 *envc = newenvc;
3178 return 0;
3179 }
3180
3181 int
3182 script_exec(script, name, envp)
3183 int script;
3184 int name;
3185 char *const envp[];
3186 {
3187 char *argv[] = { NULL, NULL, NULL };
3188 vchar_t **sp;
3189
3190 if (script_paths == NULL) {
3191 plog(LLV_ERROR, LOCATION, NULL,
3192 "privsep_script_exec: script_paths was not initialized\n");
3193 return -1;
3194 }
3195
3196 sp = (vchar_t **)(script_paths->v);
3197
3198 argv[0] = sp[script]->v;
3199 argv[1] = script_names[name];
3200 argv[2] = NULL;
3201
3202 switch (fork()) {
3203 case 0:
3204 execve(argv[0], argv, envp);
3205 plog(LLV_ERROR2, LOCATION, NULL,
3206 "execve(\"%s\") failed: %s\n",
3207 argv[0], strerror(errno));
3208 _exit(1);
3209 break;
3210 case -1:
3211 plog(LLV_ERROR, LOCATION, NULL,
3212 "Cannot fork: %s\n", strerror(errno));
3213 return -1;
3214 break;
3215 default:
3216 break;
3217 }
3218
3219 return 0;
3220 }
3221
3222 void
3223 purge_remote(iph1)
3224 struct ph1handle *iph1;
3225 {
3226 vchar_t *buf = NULL;
3227 struct sadb_msg *msg, *next, *end;
3228 struct sadb_sa *sa;
3229 struct sockaddr *src, *dst;
3230 caddr_t mhp[SADB_EXT_MAX + 1];
3231 u_int proto_id;
3232 struct ph2handle *iph2;
3233 struct ph1handle *new_iph1;
3234
3235 plog(LLV_INFO, LOCATION, NULL,
3236 "purging ISAKMP-SA spi=%s.\n",
3237 isakmp_pindex(&(iph1->index), iph1->msgid));
3238
3239 /* Mark as expired. */
3240 iph1->status = PHASE1ST_EXPIRED;
3241
3242 /* Check if we have another, still valid, phase1 SA. */
3243 new_iph1 = getph1byaddr(iph1->local, iph1->remote);
3244
3245 /*
3246 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
3247 * Keep all others phase2 SAs.
3248 */
3249 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
3250 if (buf == NULL) {
3251 plog(LLV_DEBUG, LOCATION, NULL,
3252 "pfkey_dump_sadb returned nothing.\n");
3253 return;
3254 }
3255
3256 msg = (struct sadb_msg *)buf->v;
3257 end = (struct sadb_msg *)(buf->v + buf->l);
3258
3259 while (msg < end) {
3260 if ((msg->sadb_msg_len << 3) < sizeof(*msg))
3261 break;
3262 next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
3263 if (msg->sadb_msg_type != SADB_DUMP) {
3264 msg = next;
3265 continue;
3266 }
3267
3268 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
3269 plog(LLV_ERROR, LOCATION, NULL,
3270 "pfkey_check (%s)\n", ipsec_strerror());
3271 msg = next;
3272 continue;
3273 }
3274
3275 sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
3276 if (!sa ||
3277 !mhp[SADB_EXT_ADDRESS_SRC] ||
3278 !mhp[SADB_EXT_ADDRESS_DST]) {
3279 msg = next;
3280 continue;
3281 }
3282 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
3283 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
3284
3285 if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
3286 sa->sadb_sa_state != SADB_SASTATE_MATURE &&
3287 sa->sadb_sa_state != SADB_SASTATE_DYING) {
3288 msg = next;
3289 continue;
3290 }
3291
3292 /* check in/outbound SAs */
3293 if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
3294 (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
3295 msg = next;
3296 continue;
3297 }
3298
3299 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
3300 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
3301
3302 /* Check if there is another valid ISAKMP-SA */
3303 if (new_iph1 != NULL) {
3304
3305 if (iph2 == NULL) {
3306 /* No handler... still send a pfkey_delete message, but log this !*/
3307 plog(LLV_INFO, LOCATION, NULL,
3308 "Unknown IPsec-SA spi=%u, hmmmm?\n",
3309 ntohl(sa->sadb_sa_spi));
3310 }else{
3311
3312 /*
3313 * If we have a new ph1, do not purge IPsec-SAs binded
3314 * to a different ISAKMP-SA
3315 */
3316 if (iph2->ph1 != NULL && iph2->ph1 != iph1){
3317 msg = next;
3318 continue;
3319 }
3320
3321 /* If the ph2handle is established, do not purge IPsec-SA */
3322 if (iph2->status == PHASE2ST_ESTABLISHED ||
3323 iph2->status == PHASE2ST_EXPIRED) {
3324
3325 plog(LLV_INFO, LOCATION, NULL,
3326 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
3327 ntohl(sa->sadb_sa_spi),
3328 isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
3329 msg = next;
3330 continue;
3331 }
3332 }
3333 }
3334
3335
3336 pfkey_send_delete(lcconf->sock_pfkey,
3337 msg->sadb_msg_satype,
3338 IPSEC_MODE_ANY,
3339 src, dst, sa->sadb_sa_spi);
3340
3341 /* delete a relative phase 2 handle. */
3342 if (iph2 != NULL) {
3343 delete_spd(iph2);
3344 unbindph12(iph2);
3345 remph2(iph2);
3346 delph2(iph2);
3347 }
3348
3349 plog(LLV_INFO, LOCATION, NULL,
3350 "purged IPsec-SA spi=%u.\n",
3351 ntohl(sa->sadb_sa_spi));
3352
3353 msg = next;
3354 }
3355
3356 if (buf)
3357 vfree(buf);
3358
3359 /* Mark the phase1 handler as EXPIRED */
3360 plog(LLV_INFO, LOCATION, NULL,
3361 "purged ISAKMP-SA spi=%s.\n",
3362 isakmp_pindex(&(iph1->index), iph1->msgid));
3363
3364 if (iph1->sce)
3365 SCHED_KILL(iph1->sce);
3366
3367 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
3368 }
3369
3370 void
3371 delete_spd(iph2)
3372 struct ph2handle *iph2;
3373 {
3374 if (iph2 == NULL)
3375 return;
3376
3377 /* Delete the SPD entry if we generated it
3378 */
3379 if (iph2->generated_spidx) {
3380 struct policyindex spidx;
3381 struct sockaddr_storage addr;
3382 u_int8_t pref;
3383 struct sockaddr *src = iph2->src;
3384 struct sockaddr *dst = iph2->dst;
3385 int error;
3386 int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
3387
3388 plog(LLV_INFO, LOCATION, NULL,
3389 "generated policy, deleting it.\n");
3390
3391 memset(&spidx, 0, sizeof(spidx));
3392 iph2->spidx_gen = (caddr_t )&spidx;
3393
3394 /* make inbound policy */
3395 iph2->src = dst;
3396 iph2->dst = src;
3397 spidx.dir = IPSEC_DIR_INBOUND;
3398 spidx.ul_proto = 0;
3399
3400 /*
3401 * Note: code from get_proposal_r
3402 */
3403
3404 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
3405
3406 /*
3407 * make destination address in spidx from either ID payload
3408 * or phase 1 address into a address in spidx.
3409 */
3410 if (iph2->id != NULL
3411 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3412 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
3413 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3414 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3415 /* get a destination address of a policy */
3416 error = ipsecdoi_id2sockaddr(iph2->id,
3417 (struct sockaddr *)&spidx.dst,
3418 &spidx.prefd, &spidx.ul_proto);
3419 if (error)
3420 goto purge;
3421
3422 #ifdef INET6
3423 /*
3424 * get scopeid from the SA address.
3425 * note that the phase 1 source address is used as
3426 * a destination address to search for a inbound
3427 * policy entry because rcoon is responder.
3428 */
3429 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
3430 if ((error =
3431 setscopeid((struct sockaddr *)&spidx.dst,
3432 iph2->src)) != 0)
3433 goto purge;
3434 }
3435 #endif
3436
3437 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3438 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
3439 idi2type = _XIDT(iph2->id);
3440
3441 } else {
3442
3443 plog(LLV_DEBUG, LOCATION, NULL,
3444 "get a destination address of SP index "
3445 "from phase1 address "
3446 "due to no ID payloads found "
3447 "OR because ID type is not address.\n");
3448
3449 /*
3450 * copy the SOURCE address of IKE into the
3451 * DESTINATION address of the key to search the
3452 * SPD because the direction of policy is inbound.
3453 */
3454 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
3455 switch (spidx.dst.ss_family) {
3456 case AF_INET:
3457 spidx.prefd =
3458 sizeof(struct in_addr) << 3;
3459 break;
3460 #ifdef INET6
3461 case AF_INET6:
3462 spidx.prefd =
3463 sizeof(struct in6_addr) << 3;
3464 break;
3465 #endif
3466 default:
3467 spidx.prefd = 0;
3468 break;
3469 }
3470 }
3471
3472 /* make source address in spidx */
3473 if (iph2->id_p != NULL
3474 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
3475 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
3476 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3477 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3478 /* get a source address of inbound SA */
3479 error = ipsecdoi_id2sockaddr(iph2->id_p,
3480 (struct sockaddr *)&spidx.src,
3481 &spidx.prefs, &spidx.ul_proto);
3482 if (error)
3483 goto purge;
3484
3485 #ifdef INET6
3486 /*
3487 * get scopeid from the SA address.
3488 * for more detail, see above of this function.
3489 */
3490 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
3491 error =
3492 setscopeid((struct sockaddr *)&spidx.src,
3493 iph2->dst);
3494 if (error)
3495 goto purge;
3496 }
3497 #endif
3498
3499 /* make id[src,dst] if both ID types are IP address and same */
3500 if (_XIDT(iph2->id_p) == idi2type
3501 && spidx.dst.ss_family == spidx.src.ss_family) {
3502 iph2->src_id =
3503 dupsaddr((struct sockaddr *)&spidx.dst);
3504 iph2->dst_id =
3505 dupsaddr((struct sockaddr *)&spidx.src);
3506 }
3507
3508 } else {
3509 plog(LLV_DEBUG, LOCATION, NULL,
3510 "get a source address of SP index "
3511 "from phase1 address "
3512 "due to no ID payloads found "
3513 "OR because ID type is not address.\n");
3514
3515 /* see above comment. */
3516 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
3517 switch (spidx.src.ss_family) {
3518 case AF_INET:
3519 spidx.prefs =
3520 sizeof(struct in_addr) << 3;
3521 break;
3522 #ifdef INET6
3523 case AF_INET6:
3524 spidx.prefs =
3525 sizeof(struct in6_addr) << 3;
3526 break;
3527 #endif
3528 default:
3529 spidx.prefs = 0;
3530 break;
3531 }
3532 }
3533
3534 #undef _XIDT
3535
3536 plog(LLV_DEBUG, LOCATION, NULL,
3537 "get a src address from ID payload "
3538 "%s prefixlen=%u ul_proto=%u\n",
3539 saddr2str((struct sockaddr *)&spidx.src),
3540 spidx.prefs, spidx.ul_proto);
3541 plog(LLV_DEBUG, LOCATION, NULL,
3542 "get dst address from ID payload "
3543 "%s prefixlen=%u ul_proto=%u\n",
3544 saddr2str((struct sockaddr *)&spidx.dst),
3545 spidx.prefd, spidx.ul_proto);
3546
3547 /*
3548 * convert the ul_proto if it is 0
3549 * because 0 in ID payload means a wild card.
3550 */
3551 if (spidx.ul_proto == 0)
3552 spidx.ul_proto = IPSEC_ULPROTO_ANY;
3553
3554 #undef _XIDT
3555
3556 /* End of code from get_proposal_r
3557 */
3558
3559 if (pk_sendspddelete(iph2) < 0) {
3560 plog(LLV_ERROR, LOCATION, NULL,
3561 "pfkey spddelete(inbound) failed.\n");
3562 }else{
3563 plog(LLV_DEBUG, LOCATION, NULL,
3564 "pfkey spddelete(inbound) sent.\n");
3565 }
3566
3567 #ifdef HAVE_POLICY_FWD
3568 /* make forward policy if required */
3569 if (tunnel_mode_prop(iph2->approval)) {
3570 spidx.dir = IPSEC_DIR_FWD;
3571 if (pk_sendspddelete(iph2) < 0) {
3572 plog(LLV_ERROR, LOCATION, NULL,
3573 "pfkey spddelete(forward) failed.\n");
3574 }else{
3575 plog(LLV_DEBUG, LOCATION, NULL,
3576 "pfkey spddelete(forward) sent.\n");
3577 }
3578 }
3579 #endif
3580
3581 /* make outbound policy */
3582 iph2->src = src;
3583 iph2->dst = dst;
3584 spidx.dir = IPSEC_DIR_OUTBOUND;
3585 addr = spidx.src;
3586 spidx.src = spidx.dst;
3587 spidx.dst = addr;
3588 pref = spidx.prefs;
3589 spidx.prefs = spidx.prefd;
3590 spidx.prefd = pref;
3591
3592 if (pk_sendspddelete(iph2) < 0) {
3593 plog(LLV_ERROR, LOCATION, NULL,
3594 "pfkey spddelete(outbound) failed.\n");
3595 }else{
3596 plog(LLV_DEBUG, LOCATION, NULL,
3597 "pfkey spddelete(outbound) sent.\n");
3598 }
3599 purge:
3600 iph2->spidx_gen=NULL;
3601 }
3602 }
3603
3604 #ifdef INET6
3605 u_int32_t
3606 setscopeid(sp_addr0, sa_addr0)
3607 struct sockaddr *sp_addr0, *sa_addr0;
3608 {
3609 struct sockaddr_in6 *sp_addr, *sa_addr;
3610
3611 sp_addr = (struct sockaddr_in6 *)sp_addr0;
3612 sa_addr = (struct sockaddr_in6 *)sa_addr0;
3613
3614 if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
3615 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
3616 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
3617 return 0;
3618
3619 /* this check should not be here ? */
3620 if (sa_addr->sin6_family != AF_INET6) {
3621 plog(LLV_ERROR, LOCATION, NULL,
3622 "can't get scope ID: family mismatch\n");
3623 return -1;
3624 }
3625
3626 if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
3627 plog(LLV_ERROR, LOCATION, NULL,
3628 "scope ID is not supported except of lladdr.\n");
3629 return -1;
3630 }
3631
3632 sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;
3633
3634 return 0;
3635 }
3636 #endif
mirror of ipsec