]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_quick.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-317.220.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_quick.c
1 /* $NetBSD: isakmp_quick.c,v 1.11.4.1 2007/08/01 11:52:21 vanhu Exp $ */
2
3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39
40 #include <netinet/in.h>
41
42 #include <stdlib.h>
43 #include <stdio.h>
44 #include <string.h>
45 #include <errno.h>
46 #if TIME_WITH_SYS_TIME
47 # include <sys/time.h>
48 # include <time.h>
49 #else
50 # if HAVE_SYS_TIME_H
51 # include <sys/time.h>
52 # else
53 # include <time.h>
54 # endif
55 #endif
56
57 #ifndef HAVE_NETINET6_IPSEC
58 #include <netinet/ipsec.h>
59 #else
60 #include <netinet6/ipsec.h>
61 #endif
62
63 #include "var.h"
64 #include "vmbuf.h"
65 #include "schedule.h"
66 #include "misc.h"
67 #include "plog.h"
68 #include "debug.h"
69
70 #include "fsm.h"
71 #include "localconf.h"
72 #include "remoteconf.h"
73 #include "handler.h"
74 #include "policy.h"
75 #include "proposal.h"
76 #include "isakmp_var.h"
77 #include "isakmp.h"
78 #include "isakmp_inf.h"
79 #include "isakmp_quick.h"
80 #include "oakley.h"
81 #include "ipsec_doi.h"
82 #include "crypto_openssl.h"
83 #include "pfkey.h"
84 #include "policy.h"
85 #include "algorithm.h"
86 #include "sockmisc.h"
87 #include "proposal.h"
88 #include "sainfo.h"
89 #include "strnames.h"
90 #include "nattraversal.h"
91 #include "ipsecSessionTracer.h"
92 #include "ipsecMessageTracer.h"
93 #ifndef HAVE_OPENSSL
94 #include <Security/SecDH.h>
95 #endif
96
97 /* quick mode */
98 static vchar_t *quick_ir1mx (phase2_handle_t *, vchar_t *, vchar_t *);
99 static int get_proposal_r_remote (phase2_handle_t *, int);
100
101 /* \f%%%
102 * Quick Mode
103 */
104 /*
105 * begin Quick Mode as initiator. send pfkey getspi message to kernel.
106 */
107 int
108 quick_iprep(iph2, msg)
109 phase2_handle_t *iph2;
110 vchar_t *msg; /* must be null pointer */
111 {
112 int error = ISAKMP_INTERNAL_ERROR;
113
114 /* validity check */
115 if (iph2->status != IKEV1_STATE_QUICK_I_START) {
116 plog(ASL_LEVEL_ERR,
117 "status mismatched %d.\n", iph2->status);
118 goto end;
119 }
120
121 iph2->msgid = isakmp_newmsgid2(iph2->ph1);
122 if (iph2->ivm != NULL)
123 oakley_delivm(iph2->ivm);
124 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
125 if (iph2->ivm == NULL)
126 return 0;
127
128 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_GETSPISENT);
129
130 /* don't anything if local test mode. */
131 if (f_local) {
132 error = 0;
133 goto end;
134 }
135
136 /* send getspi message */
137 if (pk_sendgetspi(iph2) < 0) {
138 plog(ASL_LEVEL_ERR,
139 "failed to send getspi message");
140 goto end;
141 }
142
143 plog(ASL_LEVEL_DEBUG, "pfkey getspi sent.\n");
144
145 iph2->sce = sched_new(lcconf->wait_ph2complete,
146 pfkey_timeover_stub, iph2);
147
148 error = 0;
149
150 end:
151 return error;
152 }
153
154 /*
155 * send to responder
156 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
157 */
158 int
159 quick_i1send(iph2, msg)
160 phase2_handle_t *iph2;
161 vchar_t *msg; /* must be null pointer */
162 {
163 vchar_t *body = NULL;
164 vchar_t *hash = NULL;
165 #ifdef ENABLE_NATT
166 vchar_t *natoa_i = NULL;
167 vchar_t *natoa_r = NULL;
168 #endif /* ENABLE_NATT */
169 int natoa_type = 0;
170 struct isakmp_gen *gen;
171 char *p;
172 int tlen;
173 int error = ISAKMP_INTERNAL_ERROR;
174 int pfsgroup, idci, idcr;
175 int np;
176 struct ipsecdoi_id_b *id, *id_p;
177
178 /* validity check */
179 if (msg != NULL) {
180 plog(ASL_LEVEL_ERR,
181 "msg has to be NULL in this function.\n");
182 goto end;
183 }
184 if (iph2->status != IKEV1_STATE_QUICK_I_GETSPIDONE) {
185 plog(ASL_LEVEL_ERR,
186 "status mismatched %d.\n", iph2->status);
187 goto end;
188 }
189
190 /* create SA payload for my proposal */
191 if (ipsecdoi_setph2proposal(iph2, FALSE) < 0) {
192 plog(ASL_LEVEL_ERR,
193 "failed to set proposal");
194 goto end;
195 }
196
197 /* generate NONCE value */
198 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
199 if (iph2->nonce == NULL) {
200 plog(ASL_LEVEL_ERR,
201 "failed to generate NONCE");
202 goto end;
203 }
204
205 /*
206 * DH value calculation is kicked out into cfparse.y.
207 * because pfs group can not be negotiated, it's only to be checked
208 * acceptable.
209 */
210 /* generate KE value if need */
211 pfsgroup = iph2->proposal->pfs_group;
212 if (pfsgroup) {
213 /* DH group settting if PFS is required. */
214 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
215 plog(ASL_LEVEL_ERR,
216 "failed to set DH value.\n");
217 goto end;
218 }
219 #ifdef HAVE_OPENSSL
220 if (oakley_dh_generate(iph2->pfsgrp,
221 &iph2->dhpub, &iph2->dhpriv) < 0) {
222 #else
223 if (oakley_dh_generate(iph2->pfsgrp,
224 &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) {
225 #endif
226 plog(ASL_LEVEL_ERR,
227 "failed to generate DH");
228 goto end;
229 }
230 }
231
232 /* generate ID value */
233 if (ipsecdoi_setid2(iph2) < 0) {
234 plog(ASL_LEVEL_ERR,
235 "failed to get ID.\n");
236 goto end;
237 }
238 plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "IDci:\n");
239 plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "IDcr:\n");
240
241 /*
242 * we do not attach IDci nor IDcr, under the following condition:
243 * - all proposals are transport mode
244 * - no MIP6 or proxy
245 * - id payload suggests to encrypt all the traffic (no specific
246 * protocol type)
247 */
248 id = ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v;
249 id_p = ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v;
250 if (id->proto_id == 0
251 && id_p->proto_id == 0
252 && iph2->ph1->rmconf->support_proxy == 0
253 && ipsecdoi_transportmode(iph2->proposal)) {
254 idci = idcr = 0;
255 } else
256 idci = idcr = 1;
257
258 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
259 tlen = + sizeof(*gen) + iph2->sa->l
260 + sizeof(*gen) + iph2->nonce->l;
261 if (pfsgroup)
262 tlen += (sizeof(*gen) + iph2->dhpub->l);
263 if (idci)
264 tlen += sizeof(*gen) + iph2->id->l;
265 if (idcr)
266 tlen += sizeof(*gen) + iph2->id_p->l;
267
268 #ifdef ENABLE_NATT
269 /*
270 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport
271 * we should send NAT-OA
272 */
273 if (ipsecdoi_any_transportmode(iph2->proposal)
274 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
275 natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
276 if (natoa_type == -1) {
277 plog(ASL_LEVEL_ERR,
278 "failed to generate NAT-OA payload.\n");
279 goto end;
280 } else if (natoa_type != 0) {
281 tlen += sizeof(*gen) + natoa_i->l;
282 tlen += sizeof(*gen) + natoa_r->l;
283
284 //plogdump(ASL_LEVEL_DEBUG, natoa_i->v, natoa_i->l, "initiator send NAT-OAi:\n");
285 //plogdump(ASL_LEVEL_DEBUG, natoa_r->v, natoa_r->l, "initiator send NAT-OAr:\n");
286 }
287 }
288 #endif
289
290 body = vmalloc(tlen);
291 if (body == NULL) {
292 plog(ASL_LEVEL_ERR,
293 "failed to get buffer to send.\n");
294 goto end;
295 }
296
297 p = body->v;
298
299 /* add SA payload */
300 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);
301
302 /* add NONCE payload */
303 if (pfsgroup)
304 np = ISAKMP_NPTYPE_KE;
305 else if (idci || idcr)
306 np = ISAKMP_NPTYPE_ID;
307 else
308 np = (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
309 p = set_isakmp_payload(p, iph2->nonce, np);
310
311 /* add KE payload if need. */
312 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
313 if (pfsgroup)
314 p = set_isakmp_payload(p, iph2->dhpub, np);
315
316 /* IDci */
317 np = (idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
318 if (idci)
319 p = set_isakmp_payload(p, iph2->id, np);
320
321 /* IDcr */
322 if (idcr)
323 p = set_isakmp_payload(p, iph2->id_p, natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
324
325 /* natoa */
326 if (natoa_type) {
327 p = set_isakmp_payload(p, natoa_i, natoa_type);
328 p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
329 }
330
331 /* generate HASH(1) */
332 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
333 if (hash == NULL) {
334 plog(ASL_LEVEL_ERR,
335 "failed to compute HASH");
336 goto end;
337 }
338
339 /* send isakmp payload */
340 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
341 if (iph2->sendbuf == NULL) {
342 plog(ASL_LEVEL_ERR,
343 "failed to get send buffer");
344 goto end;
345 }
346
347 /* send the packet, add to the schedule to resend */
348 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
349 if (isakmp_ph2resend(iph2) == -1) {
350 plog(ASL_LEVEL_ERR,
351 "failed to send packet");
352 goto end;
353 }
354
355 /* change status of isakmp status entry */
356 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG1SENT);
357
358 error = 0;
359
360 IPSECSESSIONTRACEREVENT(iph2->parent_session,
361 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
362 CONSTSTR("Initiator, Quick-Mode message 1"),
363 CONSTSTR(NULL));
364
365 end:
366 if (error) {
367 IPSECSESSIONTRACEREVENT(iph2->parent_session,
368 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
369 CONSTSTR("Initiator, Quick-Mode Message 1"),
370 CONSTSTR("Failed to transmit Quick-Mode Message 1"));
371 }
372 if (body != NULL)
373 vfree(body);
374 if (hash != NULL)
375 vfree(hash);
376 #ifdef ENABLE_NATT
377 if (natoa_i)
378 vfree(natoa_i);
379 if (natoa_r)
380 vfree(natoa_r);
381 #endif /* ENABLE_NATT */
382
383 return error;
384 }
385
386 /*
387 * receive from responder
388 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
389 */
390 int
391 quick_i2recv(iph2, msg0)
392 phase2_handle_t *iph2;
393 vchar_t *msg0;
394 {
395 vchar_t *msg = NULL;
396 vchar_t *hbuf = NULL; /* for hash computing. */
397 vchar_t *pbuf = NULL; /* for payload parsing */
398 struct isakmp_parse_t *pa;
399 struct isakmp *isakmp = (struct isakmp *)msg0->v;
400 struct isakmp_pl_hash *hash = NULL;
401 int f_id;
402 char *p;
403 int tlen;
404 int error = ISAKMP_INTERNAL_ERROR;
405 struct sockaddr_storage *natoa_i = NULL;
406 struct sockaddr_storage *natoa_r = NULL;
407
408 /* validity check */
409 if (iph2->status != IKEV1_STATE_QUICK_I_MSG1SENT) {
410 plog(ASL_LEVEL_ERR,
411 "status mismatched %d.\n", iph2->status);
412 goto end;
413 }
414
415 /* decrypt packet */
416 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
417 plog(ASL_LEVEL_ERR,
418 "Packet wasn't encrypted.\n");
419 goto end;
420 }
421 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
422 if (msg == NULL) {
423 plog(ASL_LEVEL_ERR,
424 "failed to decrypt");
425 goto end;
426 }
427
428 /* create buffer for validating HASH(2) */
429 /*
430 * ordering rule:
431 * 1. the first one must be HASH
432 * 2. the second one must be SA (added in isakmp-oakley-05!)
433 * 3. two IDs must be considered as IDci, then IDcr
434 */
435 pbuf = isakmp_parse(msg);
436 if (pbuf == NULL) {
437 plog(ASL_LEVEL_ERR,
438 "failed to parse msg");
439 goto end;
440 }
441 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
442
443 /* HASH payload is fixed postion */
444 if (pa->type != ISAKMP_NPTYPE_HASH) {
445 plog(ASL_LEVEL_ERR,
446 "received invalid next payload type %d, "
447 "expecting %d.\n",
448 pa->type, ISAKMP_NPTYPE_HASH);
449 goto end;
450 }
451 hash = (struct isakmp_pl_hash *)pa->ptr;
452 pa++;
453
454 /*
455 * this restriction was introduced in isakmp-oakley-05.
456 * we do not check this for backward compatibility.
457 * TODO: command line/config file option to enable/disable this code
458 */
459 /* HASH payload is fixed postion */
460 if (pa->type != ISAKMP_NPTYPE_SA) {
461 plog(ASL_LEVEL_WARNING,
462 "received invalid next payload type %d, "
463 "expecting %d.\n",
464 pa->type, ISAKMP_NPTYPE_HASH);
465 }
466
467 /* allocate buffer for computing HASH(2) */
468 tlen = iph2->nonce->l
469 + ntohl(isakmp->len) - sizeof(*isakmp);
470 if (tlen < 0) {
471 plog(ASL_LEVEL_ERR,
472 "invalid length (%lu,%d) while getting hash buffer.\n",
473 iph2->nonce->l, ntohl(isakmp->len));
474 goto end;
475 }
476 hbuf = vmalloc(tlen);
477 if (hbuf == NULL) {
478 plog(ASL_LEVEL_ERR,
479 "failed to get hash buffer.\n");
480 goto end;
481 }
482 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */
483
484 /*
485 * parse the payloads.
486 * copy non-HASH payloads into hbuf, so that we can validate HASH.
487 */
488 iph2->sa_ret = NULL;
489 f_id = 0; /* flag to use checking ID */
490 tlen = 0; /* count payload length except of HASH payload. */
491 for (; pa->type; pa++) {
492
493 /* copy to buffer for HASH */
494 /* Don't modify the payload */
495 memcpy(p, pa->ptr, pa->len);
496
497 switch (pa->type) {
498 case ISAKMP_NPTYPE_SA:
499 if (iph2->sa_ret != NULL) {
500 plog(ASL_LEVEL_ERR,
501 "Ignored, multiple SA "
502 "isn't supported.\n");
503 break;
504 }
505 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
506 plog(ASL_LEVEL_ERR,
507 "failed to process SA payload");
508 goto end;
509 }
510 break;
511
512 case ISAKMP_NPTYPE_NONCE:
513 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
514 plog(ASL_LEVEL_ERR,
515 "failed to process NONCE payload");
516 goto end;
517 }
518 break;
519
520 case ISAKMP_NPTYPE_KE:
521 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
522 plog(ASL_LEVEL_ERR,
523 "failed to process KE payload");
524 goto end;
525 }
526 break;
527
528 case ISAKMP_NPTYPE_ID:
529 {
530 vchar_t *vp;
531
532 if (iph2->id == NULL || iph2->id_p == NULL) {
533 error = ISAKMP_INTERNAL_ERROR; // shouldn't happen
534 goto end;
535 }
536
537 /* check ID value */
538 if (f_id == 0) {
539 /* for IDci */
540 vp = iph2->id;
541 } else {
542 /* for IDcr */
543 vp = iph2->id_p;
544 }
545
546 /* These ids may not match when natt is used with some devices.
547 * RFC 2407 says that the protocol and port fields should be ignored
548 * if they are zero, therefore they need to be checked individually.
549 */
550 struct ipsecdoi_id_b *id_ptr = ALIGNED_CAST(struct ipsecdoi_id_b *)vp->v;
551 struct ipsecdoi_pl_id *idp_ptr = (struct ipsecdoi_pl_id *)pa->ptr;
552
553 if (id_ptr->type != idp_ptr->b.type
554 || (idp_ptr->b.proto_id != 0 && idp_ptr->b.proto_id != id_ptr->proto_id)
555 || (idp_ptr->b.port != 0 && idp_ptr->b.port != id_ptr->port)
556 || memcmp(vp->v + sizeof(struct ipsecdoi_id_b), (caddr_t)pa->ptr + sizeof(struct ipsecdoi_pl_id),
557 vp->l - sizeof(struct ipsecdoi_id_b))) {
558 // to support servers that use our external nat address as our ID
559 if (iph2->ph1->natt_flags & NAT_DETECTED) {
560 plog(ASL_LEVEL_WARNING,
561 "mismatched ID was returned - ignored because nat traversal is being used.\n");
562 /* If I'm behind a nat and the ID is type address - save the address
563 * and port for when the peer rekeys.
564 */
565 if (f_id == 0 && (iph2->ph1->natt_flags & NAT_DETECTED_ME)) {
566 if (lcconf->ext_nat_id)
567 vfree(lcconf->ext_nat_id);
568 if (idp_ptr->h.len < sizeof(struct isakmp_gen)) {
569 plog(ASL_LEVEL_ERR, "invalid length (%d) while allocating external nat id.\n", idp_ptr->h.len);
570 goto end;
571 }
572 lcconf->ext_nat_id = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
573 if (lcconf->ext_nat_id == NULL) {
574 plog(ASL_LEVEL_ERR, "memory error while allocating external nat id.\n");
575 goto end;
576 }
577 memcpy(lcconf->ext_nat_id->v, &(idp_ptr->b), lcconf->ext_nat_id->l);
578 if (iph2->ext_nat_id)
579 vfree(iph2->ext_nat_id);
580 iph2->ext_nat_id = vdup(lcconf->ext_nat_id);
581 if (iph2->ext_nat_id == NULL) {
582 plog(ASL_LEVEL_ERR, "memory error while allocating ph2's external nat id.\n");
583 goto end;
584 }
585 plogdump(ASL_LEVEL_DEBUG, iph2->ext_nat_id->v, iph2->ext_nat_id->l, "external nat address saved.\n");
586 } else if (f_id && (iph2->ph1->natt_flags & NAT_DETECTED_PEER)) {
587 if (iph2->ext_nat_id_p)
588 vfree(iph2->ext_nat_id_p);
589 iph2->ext_nat_id_p = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
590 if (iph2->ext_nat_id_p == NULL) {
591 plog(ASL_LEVEL_ERR, "memory error while allocating peers ph2's external nat id.\n");
592 goto end;
593 }
594 memcpy(iph2->ext_nat_id_p->v, &(idp_ptr->b), iph2->ext_nat_id_p->l);
595 plogdump(ASL_LEVEL_DEBUG, iph2->ext_nat_id_p->v, iph2->ext_nat_id_p->l, "peer's external nat address saved.\n");
596 }
597 } else {
598 plog(ASL_LEVEL_ERR, "mismatched ID was returned.\n");
599 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
600 goto end;
601 }
602 }
603 if (f_id == 0)
604 f_id = 1;
605 }
606 break;
607
608 case ISAKMP_NPTYPE_N:
609 isakmp_check_ph2_notify(pa->ptr, iph2);
610 break;
611
612 #ifdef ENABLE_NATT
613 case ISAKMP_NPTYPE_NATOA_DRAFT:
614 case ISAKMP_NPTYPE_NATOA_BADDRAFT:
615 case ISAKMP_NPTYPE_NATOA_RFC:
616 {
617 vchar_t *vp = NULL;
618 struct sockaddr_storage *daddr;
619
620 isakmp_p2ph(&vp, pa->ptr);
621
622 if (vp) {
623 daddr = process_natoa_payload(vp);
624 if (daddr) {
625 if (natoa_i == NULL) {
626 natoa_i = daddr;
627 plog(ASL_LEVEL_DEBUG, "initiaor rcvd NAT-OA i: %s\n",
628 saddr2str((struct sockaddr *)natoa_i));
629 } else if (natoa_r == NULL) {
630 natoa_r = daddr;
631 plog(ASL_LEVEL_DEBUG, "initiator rcvd NAT-OA r: %s\n",
632 saddr2str((struct sockaddr *)natoa_r));
633 } else {
634 racoon_free(daddr);
635 }
636 }
637 vfree(vp);
638 }
639
640 }
641 break;
642 #endif
643
644 default:
645 /* don't send information, see ident_r1recv() */
646 plog(ASL_LEVEL_ERR,
647 "ignore the packet, "
648 "received unexpecting payload type %d.\n",
649 pa->type);
650 goto end;
651 }
652
653 p += pa->len;
654
655 /* compute true length of payload. */
656 tlen += pa->len;
657 }
658
659 /* payload existency check */
660 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
661 plog(ASL_LEVEL_ERR,
662 "few isakmp message received.\n");
663 goto end;
664 }
665
666 /* Fixed buffer for calculating HASH */
667 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
668 plog(ASL_LEVEL_DEBUG,
669 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
670 hbuf->l, tlen + iph2->nonce->l);
671 /* adjust buffer length for HASH */
672 hbuf->l = iph2->nonce->l + tlen;
673
674 /* validate HASH(2) */
675 {
676 char *r_hash;
677 vchar_t *my_hash = NULL;
678 int result;
679
680 r_hash = (char *)hash + sizeof(*hash);
681
682 //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(2) received:");
683
684 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
685 if (my_hash == NULL) {
686 plog(ASL_LEVEL_ERR,
687 "failed to compute HASH");
688 goto end;
689 }
690
691 result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
692 vfree(my_hash);
693
694 if (result) {
695 plog(ASL_LEVEL_DEBUG,
696 "HASH(2) mismatch.\n");
697 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
698 goto end;
699 }
700 }
701
702 /* validity check SA payload sent from responder */
703 if (ipsecdoi_checkph2proposal(iph2) < 0) {
704 plog(ASL_LEVEL_ERR,
705 "failed to validate SA proposal");
706 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
707 goto end;
708 }
709
710 /* change status of isakmp status entry */
711 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG2RCVD);
712
713 error = 0;
714
715 IPSECSESSIONTRACEREVENT(iph2->parent_session,
716 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
717 CONSTSTR("Initiator, Quick-Mode message 2"),
718 CONSTSTR(NULL));
719
720 end:
721 if (error) {
722 IPSECSESSIONTRACEREVENT(iph2->parent_session,
723 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
724 CONSTSTR("Initiator, Quick-Mode Message 2"),
725 CONSTSTR("Failed to process Quick-Mode Message 2 "));
726 }
727 if (hbuf)
728 vfree(hbuf);
729 if (pbuf)
730 vfree(pbuf);
731 if (msg)
732 vfree(msg);
733
734 #ifdef ENABLE_NATT
735 if (natoa_i) {
736 racoon_free(natoa_i);
737 }
738 if (natoa_r) {
739 racoon_free(natoa_r);
740 }
741 #endif
742 if (error) {
743 VPTRINIT(iph2->sa_ret);
744 VPTRINIT(iph2->nonce_p);
745 VPTRINIT(iph2->dhpub_p);
746 }
747
748 return error;
749 }
750
751 /*
752 * send to responder
753 * HDR*, HASH(3)
754 */
755 int
756 quick_i3send(iph2, msg0)
757 phase2_handle_t *iph2;
758 vchar_t *msg0;
759 {
760 vchar_t *msg = NULL;
761 vchar_t *buf = NULL;
762 vchar_t *hash = NULL;
763 char *p = NULL;
764 int tlen;
765 int error = ISAKMP_INTERNAL_ERROR;
766 int packet_error = -1;
767
768 /* validity check */
769 if (iph2->status != IKEV1_STATE_QUICK_I_MSG2RCVD) {
770 plog(ASL_LEVEL_ERR,
771 "status mismatched %d.\n", iph2->status);
772 goto end;
773 }
774
775 /* generate HASH(3) */
776 {
777 vchar_t *tmp = NULL;
778
779 plog(ASL_LEVEL_DEBUG, "HASH(3) generate\n");
780
781 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
782 if (tmp == NULL) {
783 plog(ASL_LEVEL_ERR,
784 "failed to get hash buffer.\n");
785 goto end;
786 }
787 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
788 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);
789
790 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
791 vfree(tmp);
792
793 if (hash == NULL) {
794 plog(ASL_LEVEL_ERR,
795 "failed to compute HASH");
796 goto end;
797 }
798 }
799
800 /* create buffer for isakmp payload */
801 tlen = sizeof(struct isakmp)
802 + sizeof(struct isakmp_gen) + hash->l;
803 buf = vmalloc(tlen);
804 if (buf == NULL) {
805 plog(ASL_LEVEL_ERR,
806 "failed to get buffer to send.\n");
807 goto end;
808 }
809
810 /* create isakmp header */
811 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
812 if (p == NULL) {
813 plog(ASL_LEVEL_ERR,
814 "failed to create ISAKMP header");
815 goto end;
816 }
817
818 /* add HASH(3) payload */
819 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);
820
821 #ifdef HAVE_PRINT_ISAKMP_C
822 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
823 #endif
824
825 /* encoding */
826 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
827 if (iph2->sendbuf == NULL) {
828 plog(ASL_LEVEL_ERR,
829 "failed to encrypt packet");
830 goto end;
831 }
832
833 /* if there is commit bit, need resending */
834 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
835 /* send the packet, add to the schedule to resend */
836 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
837 if (isakmp_ph2resend(iph2) == -1) {
838 plog(ASL_LEVEL_ERR,
839 "failed to send packet, commit-bit");
840 goto end;
841 }
842 } else {
843 /* send the packet */
844 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
845 plog(ASL_LEVEL_ERR,
846 "failed to send packet");
847 goto end;
848 }
849 }
850
851 /* the sending message is added to the received-list. */
852 if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
853 iph2->sendbuf, msg0,
854 PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) {
855 plog(ASL_LEVEL_ERR ,
856 "failed to add a response packet to the tree.\n");
857 goto end;
858 }
859
860 IPSECSESSIONTRACEREVENT(iph2->parent_session,
861 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
862 CONSTSTR("Initiator, Quick-Mode message 3"),
863 CONSTSTR(NULL));
864 packet_error = 0;
865
866 /* compute both of KEYMATs */
867 if (oakley_compute_keymat(iph2, INITIATOR) < 0) {
868 plog(ASL_LEVEL_ERR,
869 "failed to compute KEYMAT");
870 goto end;
871 }
872
873 /* if there is commit bit don't set up SA now. */
874 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
875 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG3SENT);
876 error = 0;
877 goto end;
878 }
879
880 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_ADDSA);
881
882 /* Do UPDATE for initiator */
883 plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n");
884 if (pk_sendupdate(iph2) < 0) {
885 plog(ASL_LEVEL_ERR, "pfkey update failed.\n");
886 goto end;
887 }
888 plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n");
889
890 /* Do ADD for responder */
891 if (pk_sendadd(iph2) < 0) {
892 plog(ASL_LEVEL_ERR, "pfkey add failed.\n");
893 goto end;
894 }
895 plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n");
896
897 error = 0;
898
899 end:
900 if (packet_error) {
901 IPSECSESSIONTRACEREVENT(iph2->parent_session,
902 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
903 CONSTSTR("Initiator, Quick-Mode Message 3"),
904 CONSTSTR("Failed to transmit Quick-Mode Message 3"));
905 }
906 if (buf != NULL)
907 vfree(buf);
908 if (msg != NULL)
909 vfree(msg);
910 if (hash != NULL)
911 vfree(hash);
912
913 return error;
914 }
915
916 /*
917 * receive from responder
918 * HDR#*, HASH(4), notify
919 */
920 int
921 quick_i4recv(iph2, msg0)
922 phase2_handle_t *iph2;
923 vchar_t *msg0;
924 {
925 vchar_t *msg = NULL;
926 vchar_t *pbuf = NULL; /* for payload parsing */
927 struct isakmp_parse_t *pa;
928 struct isakmp_pl_hash *hash = NULL;
929 vchar_t *notify = NULL;
930 int error = ISAKMP_INTERNAL_ERROR;
931 int packet_error = -1;
932
933 /* validity check */
934 if (iph2->status != IKEV1_STATE_QUICK_I_MSG3SENT) {
935 plog(ASL_LEVEL_ERR,
936 "status mismatched %d.\n", iph2->status);
937 goto end;
938 }
939
940 /* decrypt packet */
941 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
942 plog(ASL_LEVEL_ERR,
943 "Packet wasn't encrypted.\n");
944 goto end;
945 }
946 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
947 if (msg == NULL) {
948 plog(ASL_LEVEL_ERR,
949 "failed to decrypt packet\n");
950 goto end;
951 }
952
953 /* validate the type of next payload */
954 pbuf = isakmp_parse(msg);
955 if (pbuf == NULL) {
956 plog(ASL_LEVEL_ERR,
957 "failed to parse msg\n");
958 goto end;
959 }
960
961 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
962 pa->type != ISAKMP_NPTYPE_NONE;
963 pa++) {
964
965 switch (pa->type) {
966 case ISAKMP_NPTYPE_HASH:
967 hash = (struct isakmp_pl_hash *)pa->ptr;
968 break;
969 case ISAKMP_NPTYPE_N:
970 if (notify != NULL) {
971 plog(ASL_LEVEL_WARNING,
972 "Ignoring multiple notifications\n");
973 break;
974 }
975 isakmp_check_ph2_notify(pa->ptr, iph2);
976 notify = vmalloc(pa->len);
977 if (notify == NULL) {
978 plog(ASL_LEVEL_ERR,
979 "failed to get notify buffer.\n");
980 goto end;
981 }
982 memcpy(notify->v, pa->ptr, notify->l);
983 break;
984 default:
985 /* don't send information, see ident_r1recv() */
986 plog(ASL_LEVEL_ERR,
987 "ignore the packet, "
988 "received unexpecting payload type %d.\n",
989 pa->type);
990 goto end;
991 }
992 }
993
994 /* payload existency check */
995 if (hash == NULL) {
996 plog(ASL_LEVEL_ERR,
997 "few isakmp message received.\n");
998 goto end;
999 }
1000
1001 /* validate HASH(4) */
1002 {
1003 char *r_hash;
1004 vchar_t *my_hash = NULL;
1005 vchar_t *tmp = NULL;
1006 int result;
1007
1008 r_hash = (char *)hash + sizeof(*hash);
1009
1010 //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(4) validate:");
1011
1012 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1013 vfree(tmp);
1014 if (my_hash == NULL) {
1015 plog(ASL_LEVEL_ERR,
1016 "failed to compute HASH\n");
1017 goto end;
1018 }
1019
1020 result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
1021 vfree(my_hash);
1022
1023 if (result) {
1024 plog(ASL_LEVEL_DEBUG,
1025 "HASH(4) mismatch.\n");
1026 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1027 goto end;
1028 }
1029 }
1030
1031 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1032 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1033 CONSTSTR("Initiator, Quick-Mode message 4"),
1034 CONSTSTR(NULL));
1035 packet_error = 0;
1036
1037 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_ADDSA);
1038
1039 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1040
1041 /* don't anything if local test mode. */
1042 if (f_local) {
1043 error = 0;
1044 goto end;
1045 }
1046
1047 /* Do UPDATE for initiator */
1048 plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n");
1049 if (pk_sendupdate(iph2) < 0) {
1050 plog(ASL_LEVEL_ERR, "pfkey update failed.\n");
1051 goto end;
1052 }
1053 plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n");
1054
1055 /* Do ADD for responder */
1056 if (pk_sendadd(iph2) < 0) {
1057 plog(ASL_LEVEL_ERR, "pfkey add failed.\n");
1058 goto end;
1059 }
1060 plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n");
1061
1062 error = 0;
1063
1064 end:
1065 if (packet_error) {
1066 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1067 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1068 CONSTSTR("Initiator, Quick-Mode Message 4"),
1069 CONSTSTR("Failed to process Quick-Mode Message 4"));
1070 }
1071 if (msg != NULL)
1072 vfree(msg);
1073 if (pbuf != NULL)
1074 vfree(pbuf);
1075 if (notify != NULL)
1076 vfree(notify);
1077
1078 return error;
1079 }
1080
1081 /*
1082 * receive from initiator
1083 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1084 */
1085 int
1086 quick_r1recv(iph2, msg0)
1087 phase2_handle_t *iph2;
1088 vchar_t *msg0;
1089 {
1090 vchar_t *msg = NULL;
1091 vchar_t *hbuf = NULL; /* for hash computing. */
1092 vchar_t *pbuf = NULL; /* for payload parsing */
1093 struct isakmp_parse_t *pa;
1094 struct isakmp *isakmp = (struct isakmp *)msg0->v;
1095 struct isakmp_pl_hash *hash = NULL;
1096 char *p;
1097 int tlen;
1098 int f_id_order; /* for ID payload detection */
1099 int error = ISAKMP_INTERNAL_ERROR;
1100 struct sockaddr_storage *natoa_i = NULL;
1101 struct sockaddr_storage *natoa_r = NULL;
1102
1103 /* validity check */
1104 if (iph2->status != IKEV1_STATE_QUICK_R_START) {
1105 plog(ASL_LEVEL_ERR,
1106 "status mismatched %d.\n", iph2->status);
1107 goto end;
1108 }
1109
1110 /* decrypting */
1111 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1112 plog(ASL_LEVEL_ERR,
1113 "Packet wasn't encrypted.\n");
1114 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1115 goto end;
1116 }
1117 /* decrypt packet */
1118 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1119 if (msg == NULL) {
1120 plog(ASL_LEVEL_ERR,
1121 "failed to decrypt packet\n");
1122 goto end;
1123 }
1124
1125 /* create buffer for using to validate HASH(1) */
1126 /*
1127 * ordering rule:
1128 * 1. the first one must be HASH
1129 * 2. the second one must be SA (added in isakmp-oakley-05!)
1130 * 3. two IDs must be considered as IDci, then IDcr
1131 */
1132 pbuf = isakmp_parse(msg);
1133 if (pbuf == NULL) {
1134 plog(ASL_LEVEL_ERR,
1135 "failed to parse msg\n");
1136 goto end;
1137 }
1138 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1139
1140 /* HASH payload is fixed postion */
1141 if (pa->type != ISAKMP_NPTYPE_HASH) {
1142 plog(ASL_LEVEL_ERR,
1143 "received invalid next payload type %d, "
1144 "expecting %d.\n",
1145 pa->type, ISAKMP_NPTYPE_HASH);
1146 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1147 goto end;
1148 }
1149 hash = (struct isakmp_pl_hash *)pa->ptr;
1150 pa++;
1151
1152 /*
1153 * this restriction was introduced in isakmp-oakley-05.
1154 * we do not check this for backward compatibility.
1155 * TODO: command line/config file option to enable/disable this code
1156 */
1157 /* HASH payload is fixed postion */
1158 if (pa->type != ISAKMP_NPTYPE_SA) {
1159 plog(ASL_LEVEL_WARNING,
1160 "received invalid next payload type %d, "
1161 "expecting %d.\n",
1162 pa->type, ISAKMP_NPTYPE_SA);
1163 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1164 }
1165
1166 /* allocate buffer for computing HASH(1) */
1167 tlen = ntohl(isakmp->len) - sizeof(*isakmp);
1168 if (tlen < 0) {
1169 plog(ASL_LEVEL_ERR, "invalid length (%d) while extracting hash.\n",
1170 ntohl(isakmp->len));
1171 goto end;
1172 }
1173 hbuf = vmalloc(tlen);
1174 if (hbuf == NULL) {
1175 plog(ASL_LEVEL_ERR,
1176 "failed to get hash buffer.\n");
1177 goto end;
1178 }
1179 p = hbuf->v;
1180
1181 /*
1182 * parse the payloads.
1183 * copy non-HASH payloads into hbuf, so that we can validate HASH.
1184 */
1185 iph2->sa = NULL; /* we don't support multi SAs. */
1186 iph2->nonce_p = NULL;
1187 iph2->dhpub_p = NULL;
1188 iph2->id_p = NULL;
1189 iph2->id = NULL;
1190 tlen = 0; /* count payload length except of HASH payload. */
1191
1192 /*
1193 * IDi2 MUST be immediatelly followed by IDr2. We allowed the
1194 * illegal case, but logged. First ID payload is to be IDi2.
1195 * And next ID payload is to be IDr2.
1196 */
1197 f_id_order = 0;
1198
1199 for (; pa->type; pa++) {
1200
1201 /* copy to buffer for HASH */
1202 /* Don't modify the payload */
1203 memcpy(p, pa->ptr, pa->len);
1204
1205 if (pa->type != ISAKMP_NPTYPE_ID)
1206 f_id_order = 0;
1207
1208 switch (pa->type) {
1209 case ISAKMP_NPTYPE_SA:
1210 if (iph2->sa != NULL) {
1211 plog(ASL_LEVEL_ERR,
1212 "Multi SAs isn't supported.\n");
1213 goto end;
1214 }
1215 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
1216 plog(ASL_LEVEL_ERR,
1217 "failed to process SA payload\n");
1218 goto end;
1219 }
1220 break;
1221
1222 case ISAKMP_NPTYPE_NONCE:
1223 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
1224 plog(ASL_LEVEL_ERR,
1225 "failed to process NONCE payload\n");
1226 goto end;
1227 }
1228 break;
1229
1230 case ISAKMP_NPTYPE_KE:
1231 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
1232 plog(ASL_LEVEL_ERR,
1233 "failed to process KE payload\n");
1234 goto end;
1235 }
1236 break;
1237
1238 case ISAKMP_NPTYPE_ID:
1239 if (iph2->id_p == NULL) {
1240 /* for IDci */
1241 f_id_order++;
1242
1243 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) {
1244 plog(ASL_LEVEL_ERR,
1245 "failed to process IDci2 payload\n");
1246 goto end;
1247 }
1248
1249 } else if (iph2->id == NULL) {
1250 /* for IDcr */
1251 if (f_id_order == 0) {
1252 plog(ASL_LEVEL_ERR,
1253 "IDr2 payload is not "
1254 "immediatelly followed "
1255 "by IDi2. We allowed.\n");
1256 /* XXX we allowed in this case. */
1257 }
1258
1259 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) {
1260 plog(ASL_LEVEL_ERR,
1261 "failed to process IDcr2 payload\n");
1262 goto end;
1263 }
1264 } else {
1265 plogdump(ASL_LEVEL_ERR, iph2->id->v, iph2->id->l, "received too many ID payloads");
1266 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1267 goto end;
1268 }
1269 break;
1270
1271 case ISAKMP_NPTYPE_N:
1272 isakmp_check_ph2_notify(pa->ptr, iph2);
1273 break;
1274
1275 #ifdef ENABLE_NATT
1276 case ISAKMP_NPTYPE_NATOA_DRAFT:
1277 case ISAKMP_NPTYPE_NATOA_BADDRAFT:
1278 case ISAKMP_NPTYPE_NATOA_RFC:
1279 {
1280 vchar_t *vp = NULL;
1281 struct sockaddr_storage *daddr;
1282
1283 isakmp_p2ph(&vp, pa->ptr);
1284
1285 if (vp) {
1286 daddr = process_natoa_payload(vp);
1287 if (daddr) {
1288 if (natoa_i == NULL) {
1289 natoa_i = daddr;
1290 plog(ASL_LEVEL_DEBUG, "responder rcvd NAT-OA i: %s\n",
1291 saddr2str((struct sockaddr *)natoa_i));
1292 } else if (natoa_r == NULL) {
1293 natoa_r = daddr;
1294 plog(ASL_LEVEL_DEBUG, "responder rcvd NAT-OA r: %s\n",
1295 saddr2str((struct sockaddr *)natoa_r));
1296 } else {
1297 racoon_free(daddr);
1298 }
1299 }
1300 vfree(vp);
1301 }
1302
1303 }
1304 break;
1305 #endif
1306
1307 default:
1308 plog(ASL_LEVEL_ERR,
1309 "ignore the packet, "
1310 "received unexpected payload type %d.\n",
1311 pa->type);
1312 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1313 goto end;
1314 }
1315
1316 p += pa->len;
1317
1318 /* compute true length of payload. */
1319 tlen += pa->len;
1320 }
1321
1322 /* payload existency check */
1323 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
1324 plog(ASL_LEVEL_ERR,
1325 "expected isakmp payloads missing.\n");
1326 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1327 goto end;
1328 }
1329
1330 if (iph2->id_p) {
1331 plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "received IDci2:");
1332 }
1333 if (iph2->id) {
1334 plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "received IDcr2:");
1335 }
1336
1337 /* adjust buffer length for HASH */
1338 hbuf->l = tlen;
1339
1340 /* validate HASH(1) */
1341 {
1342 char *r_hash;
1343 vchar_t *my_hash = NULL;
1344 int result;
1345
1346 r_hash = (caddr_t)hash + sizeof(*hash);
1347
1348 //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(1) validate:");
1349
1350 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
1351 if (my_hash == NULL) {
1352 plog(ASL_LEVEL_ERR,
1353 "failed to compute HASH\n");
1354 goto end;
1355 }
1356
1357 result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
1358 vfree(my_hash);
1359
1360 if (result) {
1361 plog(ASL_LEVEL_ERR,
1362 "HASH(1) mismatch.\n");
1363 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1364 goto end;
1365 }
1366 }
1367
1368 /* get sainfo */
1369 error = get_sainfo_r(iph2);
1370 if (error) {
1371 plog(ASL_LEVEL_ERR,
1372 "failed to get sainfo.\n");
1373 goto end;
1374 }
1375
1376 /* check the existence of ID payload and create responder's proposal */
1377 error = get_proposal_r(iph2);
1378 switch (error) {
1379 case -2:
1380 /* generate a policy template from peer's proposal */
1381 if (set_proposal_from_proposal(iph2)) {
1382 plog(ASL_LEVEL_ERR,
1383 "failed to generate a proposal template "
1384 "from client's proposal.\n");
1385 error = ISAKMP_INTERNAL_ERROR;
1386 goto end;
1387 }
1388 /*FALLTHROUGH*/
1389 case 0:
1390 /* select single proposal or reject it. */
1391 if (ipsecdoi_selectph2proposal(iph2) < 0) {
1392 plog(ASL_LEVEL_ERR,
1393 "failed to select proposal.\n");
1394 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1395 goto end;
1396 }
1397 break;
1398 default:
1399 plog(ASL_LEVEL_ERR,
1400 "failed to get proposal for responder.\n");
1401 goto end;
1402 }
1403
1404 /* check KE and attribute of PFS */
1405 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
1406 plog(ASL_LEVEL_ERR,
1407 "no PFS is specified, but peer sends KE.\n");
1408 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1409 goto end;
1410 }
1411 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
1412 plog(ASL_LEVEL_ERR,
1413 "PFS is specified, but peer doesn't sends KE.\n");
1414 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1415 goto end;
1416 }
1417
1418 ike_session_update_mode(iph2); /* update the mode, now that we have a proposal */
1419
1420 /*
1421 * save the packet from the initiator in order to resend the
1422 * responder's first packet against this packet.
1423 */
1424 iph2->msg1 = vdup(msg0);
1425
1426 /* change status of isakmp status entry */
1427 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG1RCVD);
1428
1429 error = 0;
1430
1431 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1432 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1433 CONSTSTR("Responder, Quick-Mode message 1"),
1434 CONSTSTR(NULL));
1435
1436 end:
1437 if (error) {
1438 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1439 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1440 CONSTSTR("Responder, Quick-Mode Message 1"),
1441 CONSTSTR("Failed to process Quick-Mode Message 1"));
1442 }
1443 if (hbuf)
1444 vfree(hbuf);
1445 if (msg)
1446 vfree(msg);
1447 if (pbuf)
1448 vfree(pbuf);
1449
1450 #ifdef ENABLE_NATT
1451 if (natoa_i) {
1452 racoon_free(natoa_i);
1453 }
1454 if (natoa_r) {
1455 racoon_free(natoa_r);
1456 }
1457 #endif
1458
1459 if (error) {
1460 VPTRINIT(iph2->sa);
1461 VPTRINIT(iph2->nonce_p);
1462 VPTRINIT(iph2->dhpub_p);
1463 VPTRINIT(iph2->id);
1464 VPTRINIT(iph2->id_p);
1465 }
1466
1467 return error;
1468 }
1469
1470 /*
1471 * call pfkey_getspi.
1472 */
1473 int
1474 quick_rprep(iph2, msg)
1475 phase2_handle_t *iph2;
1476 vchar_t *msg;
1477 {
1478 int error = ISAKMP_INTERNAL_ERROR;
1479
1480 /* validity check */
1481 if (iph2->status != IKEV1_STATE_QUICK_R_MSG1RCVD) {
1482 plog(ASL_LEVEL_ERR,
1483 "status mismatched %d.\n", iph2->status);
1484 goto end;
1485 }
1486
1487 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_GETSPISENT);
1488
1489 /* send getspi message */
1490 if (pk_sendgetspi(iph2) < 0) {
1491 plog(ASL_LEVEL_ERR,
1492 "failed to send getspi");
1493 goto end;
1494 }
1495
1496 plog(ASL_LEVEL_DEBUG, "pfkey getspi sent.\n");
1497
1498 iph2->sce = sched_new(lcconf->wait_ph2complete,
1499 pfkey_timeover_stub, iph2);
1500
1501 error = 0;
1502
1503 end:
1504 return error;
1505 }
1506
1507 /*
1508 * send to initiator
1509 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1510 */
1511 int
1512 quick_r2send(iph2, msg)
1513 phase2_handle_t *iph2;
1514 vchar_t *msg;
1515 {
1516 vchar_t *body = NULL;
1517 vchar_t *hash = NULL;
1518 vchar_t *natoa_i = NULL;
1519 vchar_t *natoa_r = NULL;
1520 int natoa_type = 0;
1521 struct isakmp_gen *gen;
1522 char *p;
1523 int tlen;
1524 int error = ISAKMP_INTERNAL_ERROR;
1525 int pfsgroup;
1526 u_int8_t *np_p = NULL;
1527
1528 /* validity check */
1529 if (msg != NULL) {
1530 plog(ASL_LEVEL_ERR,
1531 "msg has to be NULL in this function.\n");
1532 goto end;
1533 }
1534 if (iph2->status != IKEV1_STATE_QUICK_R_GETSPIDONE) {
1535 plog(ASL_LEVEL_ERR,
1536 "status mismatched %d.\n", iph2->status);
1537 goto end;
1538 }
1539
1540 /* update responders SPI */
1541 if (ipsecdoi_updatespi(iph2) < 0) {
1542 plog(ASL_LEVEL_ERR, "failed to update spi.\n");
1543 goto end;
1544 }
1545
1546 /* generate NONCE value */
1547 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
1548 if (iph2->nonce == NULL) {
1549 plog(ASL_LEVEL_ERR,
1550 "failed to generate NONCE");
1551 goto end;
1552 }
1553
1554 /* generate KE value if need */
1555 pfsgroup = iph2->approval->pfs_group;
1556 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1557 /* DH group settting if PFS is required. */
1558 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
1559 plog(ASL_LEVEL_ERR,
1560 "failed to set DH value.\n");
1561 goto end;
1562 }
1563 /* generate DH public value */
1564 #ifdef HAVE_OPENSSL
1565 if (oakley_dh_generate(iph2->pfsgrp,
1566 &iph2->dhpub, &iph2->dhpriv) < 0) {
1567 #else
1568 if (oakley_dh_generate(iph2->pfsgrp,
1569 &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) {
1570 #endif
1571 plog(ASL_LEVEL_ERR,
1572 "failed to generate DH public");
1573 goto end;
1574 }
1575 }
1576
1577 /* create SA;NONCE payload, and KE and ID if need */
1578 tlen = sizeof(*gen) + iph2->sa_ret->l
1579 + sizeof(*gen) + iph2->nonce->l;
1580 if (iph2->dhpub_p != NULL && pfsgroup != 0)
1581 tlen += (sizeof(*gen) + iph2->dhpub->l);
1582 if (iph2->id_p != NULL)
1583 tlen += (sizeof(*gen) + iph2->id_p->l
1584 + sizeof(*gen) + iph2->id->l);
1585
1586 #ifdef ENABLE_NATT
1587 /*
1588 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport
1589 * we should send NAT-OA
1590 */
1591 if (ipsecdoi_any_transportmode(iph2->approval)
1592 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
1593 natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
1594 if (natoa_type == -1) {
1595 plog(ASL_LEVEL_ERR,
1596 "failed to create NATOA payloads");
1597 goto end;
1598 }
1599 else if (natoa_type != 0) {
1600 tlen += sizeof(*gen) + natoa_i->l;
1601 tlen += sizeof(*gen) + natoa_r->l;
1602
1603 //plogdump(ASL_LEVEL_DEBUG, natoa_i->v, natoa_i->l, "responder send NAT-OAi:");
1604 //plogdump(ASL_LEVEL_DEBUG, natoa_r->v, natoa_r->l, "responder send NAT-OAr:");
1605 }
1606 }
1607 #endif
1608
1609 plog(ASL_LEVEL_DEBUG, "Approved SA\n");
1610 printsaprop0(ASL_LEVEL_DEBUG, iph2->approval);
1611
1612 body = vmalloc(tlen);
1613 if (body == NULL) {
1614 plog(ASL_LEVEL_ERR,
1615 "failed to get buffer to send.\n");
1616 goto end;
1617 }
1618 p = body->v;
1619
1620 /* make SA payload */
1621 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
1622
1623 /* add NONCE payload */
1624 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1625 p = set_isakmp_payload(p, iph2->nonce,
1626 (iph2->dhpub_p != NULL && pfsgroup != 0)
1627 ? ISAKMP_NPTYPE_KE
1628 : (iph2->id_p != NULL
1629 ? ISAKMP_NPTYPE_ID
1630 : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE)));
1631
1632 /* add KE payload if need. */
1633 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1634 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1635 p = set_isakmp_payload(p, iph2->dhpub,
1636 (iph2->id_p == NULL) ? (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE) : ISAKMP_NPTYPE_ID);
1637 }
1638
1639 /* add ID payloads received. */
1640 if (iph2->id_p != NULL) {
1641 /* IDci */
1642 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
1643 plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "sending IDci2:");
1644 /* IDcr */
1645 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1646 p = set_isakmp_payload(p, iph2->id, (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE));
1647 plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "sending IDcr2:");
1648 }
1649
1650 /* add a RESPONDER-LIFETIME notify payload if needed */
1651 {
1652 vchar_t *data = NULL;
1653 struct saprop *pp = iph2->approval;
1654 struct saproto *pr;
1655
1656 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
1657 u_int32_t v = htonl((u_int32_t)pp->lifetime);
1658 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1659 IPSECDOI_ATTR_SA_LD_TYPE_SEC);
1660 if (!data) {
1661 plog(ASL_LEVEL_ERR,
1662 "failed to add RESPONDER-LIFETIME notify (type) payload");
1663 goto end;
1664 }
1665 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1666 (caddr_t)&v, sizeof(v));
1667 if (!data) {
1668 plog(ASL_LEVEL_ERR,
1669 "failed to add RESPONDER-LIFETIME notify (value) payload");
1670 goto end;
1671 }
1672 }
1673 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
1674 u_int32_t v = htonl((u_int32_t)pp->lifebyte);
1675 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1676 IPSECDOI_ATTR_SA_LD_TYPE_KB);
1677 if (!data) {
1678 plog(ASL_LEVEL_ERR,
1679 "failed to add RESPONDER-LIFETIME notify (type) payload");
1680 goto end;
1681 }
1682 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1683 (caddr_t)&v, sizeof(v));
1684 if (!data) {
1685 plog(ASL_LEVEL_ERR,
1686 "failed to add RESPONDER-LIFETIME notify (value) payload");
1687 goto end;
1688 }
1689 }
1690
1691 /*
1692 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1693 * in the case of SA bundle ?
1694 */
1695 if (data) {
1696 for (pr = pp->head; pr; pr = pr->next) {
1697 body = isakmp_add_pl_n(body, &np_p,
1698 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
1699 if (!body) {
1700 plog(ASL_LEVEL_ERR,
1701 "invalid RESPONDER-LIFETIME payload");
1702 vfree(data);
1703 return error; /* XXX */
1704 }
1705 }
1706 vfree(data);
1707 }
1708 }
1709
1710 /* natoa */
1711 if (natoa_type) {
1712 p = set_isakmp_payload(p, natoa_i, natoa_type);
1713 p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
1714 }
1715
1716 /* generate HASH(2) */
1717 {
1718 vchar_t *tmp;
1719
1720 tmp = vmalloc(iph2->nonce_p->l + body->l);
1721 if (tmp == NULL) {
1722 plog(ASL_LEVEL_ERR,
1723 "failed to get hash buffer.\n");
1724 goto end;
1725 }
1726 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1727 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
1728
1729 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
1730 vfree(tmp);
1731
1732 if (hash == NULL) {
1733 plog(ASL_LEVEL_ERR,
1734 "failed to compute HASH");
1735 goto end;
1736 }
1737 }
1738
1739 /* send isakmp payload */
1740 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
1741 if (iph2->sendbuf == NULL) {
1742 plog(ASL_LEVEL_ERR,
1743 "failed to get send buffer");
1744 goto end;
1745 }
1746
1747 /* send the packet, add to the schedule to resend */
1748 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
1749 if (isakmp_ph2resend(iph2) == -1) {
1750 plog(ASL_LEVEL_ERR,
1751 "failed to send packet");
1752 goto end;
1753 }
1754
1755 /* the sending message is added to the received-list. */
1756 if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1,
1757 PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) {
1758 plog(ASL_LEVEL_ERR,
1759 "failed to add a response packet to the tree.\n");
1760 goto end;
1761 }
1762
1763 /* change status of isakmp status entry */
1764 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG2SENT);
1765
1766 error = 0;
1767
1768 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1769 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1770 CONSTSTR("Responder, Quick-Mode message 2"),
1771 CONSTSTR(NULL));
1772
1773 end:
1774 if (error) {
1775 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1776 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1777 CONSTSTR("Responder, Quick-Mode Message 2"),
1778 CONSTSTR("Failed to transmit Quick-Mode Message 2"));
1779 }
1780 if (body != NULL)
1781 vfree(body);
1782 if (hash != NULL)
1783 vfree(hash);
1784 if (natoa_i)
1785 vfree(natoa_i);
1786 if (natoa_r)
1787 vfree(natoa_r);
1788
1789 return error;
1790 }
1791
1792 /*
1793 * receive from initiator
1794 * HDR*, HASH(3)
1795 */
1796 int
1797 quick_r3recv(iph2, msg0)
1798 phase2_handle_t *iph2;
1799 vchar_t *msg0;
1800 {
1801 vchar_t *msg = NULL;
1802 vchar_t *pbuf = NULL; /* for payload parsing */
1803 struct isakmp_parse_t *pa;
1804 struct isakmp_pl_hash *hash = NULL;
1805 int error = ISAKMP_INTERNAL_ERROR;
1806
1807 /* validity check */
1808 if (iph2->status != IKEV1_STATE_QUICK_R_MSG2SENT) {
1809 plog(ASL_LEVEL_ERR,
1810 "status mismatched %d.\n", iph2->status);
1811 goto end;
1812 }
1813
1814 /* decrypt packet */
1815 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1816 plog(ASL_LEVEL_ERR,
1817 "Packet wasn't encrypted.\n");
1818 goto end;
1819 }
1820 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1821 if (msg == NULL) {
1822 plog(ASL_LEVEL_ERR,
1823 "failed to decrypt packet\n");
1824 goto end;
1825 }
1826
1827 /* validate the type of next payload */
1828 pbuf = isakmp_parse(msg);
1829 if (pbuf == NULL) {
1830 plog(ASL_LEVEL_ERR,
1831 "failed to parse msg\n");
1832 goto end;
1833 }
1834
1835 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1836 pa->type != ISAKMP_NPTYPE_NONE;
1837 pa++) {
1838
1839 switch (pa->type) {
1840 case ISAKMP_NPTYPE_HASH:
1841 hash = (struct isakmp_pl_hash *)pa->ptr;
1842 break;
1843 case ISAKMP_NPTYPE_N:
1844 isakmp_check_ph2_notify(pa->ptr, iph2);
1845 break;
1846 default:
1847 /* don't send information, see ident_r1recv() */
1848 plog(ASL_LEVEL_ERR,
1849 "ignore the packet, "
1850 "received unexpecting payload type %d.\n",
1851 pa->type);
1852 goto end;
1853 }
1854 }
1855
1856 /* payload existency check */
1857 if (hash == NULL) {
1858 plog(ASL_LEVEL_ERR,
1859 "few isakmp message received.\n");
1860 goto end;
1861 }
1862
1863 /* validate HASH(3) */
1864 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1865 {
1866 char *r_hash;
1867 vchar_t *my_hash = NULL;
1868 vchar_t *tmp = NULL;
1869 int result;
1870
1871 r_hash = (char *)hash + sizeof(*hash);
1872
1873 //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(3) validate:");
1874
1875 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
1876 if (tmp == NULL) {
1877 plog(ASL_LEVEL_ERR,
1878 "failed to get hash buffer.\n");
1879 goto end;
1880 }
1881 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1882 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
1883
1884 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
1885 vfree(tmp);
1886 if (my_hash == NULL) {
1887 plog(ASL_LEVEL_ERR,
1888 "failed to compute HASH\n");
1889 goto end;
1890 }
1891
1892 result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
1893 vfree(my_hash);
1894
1895 if (result) {
1896 plog(ASL_LEVEL_ERR,
1897 "HASH(3) mismatch.\n");
1898 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1899 goto end;
1900 }
1901 }
1902
1903 /* if there is commit bit, don't set up SA now. */
1904 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
1905 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG3RCVD);
1906 } else
1907 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_COMMIT);
1908
1909 error = 0;
1910
1911 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1912 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1913 CONSTSTR("Responder, Quick-Mode message 3"),
1914 CONSTSTR(NULL));
1915
1916 end:
1917 if (error) {
1918 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1919 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1920 CONSTSTR("Responder, Quick-Mode Message 3"),
1921 CONSTSTR("Failed to process Quick-Mode Message 3"));
1922 }
1923 if (pbuf != NULL)
1924 vfree(pbuf);
1925 if (msg != NULL)
1926 vfree(msg);
1927
1928 return error;
1929 }
1930
1931 /*
1932 * send to initiator
1933 * HDR#*, HASH(4), notify
1934 */
1935 int
1936 quick_r4send(iph2, msg0)
1937 phase2_handle_t *iph2;
1938 vchar_t *msg0;
1939 {
1940 vchar_t *buf = NULL;
1941 vchar_t *myhash = NULL;
1942 struct isakmp_pl_n *n;
1943 vchar_t *notify = NULL;
1944 char *p;
1945 int tlen;
1946 int error = ISAKMP_INTERNAL_ERROR;
1947
1948 /* validity check */
1949 if (iph2->status != IKEV1_STATE_QUICK_R_MSG3RCVD) {
1950 plog(ASL_LEVEL_ERR,
1951 "status mismatched %d.\n", iph2->status);
1952 goto end;
1953 }
1954
1955 /* generate HASH(4) */
1956 /* XXX What can I do in the case of multiple different SA */
1957 plog(ASL_LEVEL_DEBUG, "HASH(4) generate\n");
1958
1959 /* XXX What should I do if there are multiple SAs ? */
1960 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
1961 notify = vmalloc(tlen);
1962 if (notify == NULL) {
1963 plog(ASL_LEVEL_ERR,
1964 "failed to get notify buffer.\n");
1965 goto end;
1966 }
1967 n = (struct isakmp_pl_n *)notify->v;
1968 n->h.np = ISAKMP_NPTYPE_NONE;
1969 n->h.len = htons(tlen);
1970 n->doi = htonl(IPSEC_DOI);
1971 n->proto_id = iph2->approval->head->proto_id;
1972 n->spi_size = sizeof(iph2->approval->head->spisize);
1973 n->type = htons(ISAKMP_NTYPE_CONNECTED);
1974 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
1975
1976 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1977 if (myhash == NULL) {
1978 plog(ASL_LEVEL_ERR,
1979 "failed to compute HASH");
1980 goto end;
1981 }
1982
1983 /* create buffer for isakmp payload */
1984 tlen = sizeof(struct isakmp)
1985 + sizeof(struct isakmp_gen) + myhash->l
1986 + notify->l;
1987 buf = vmalloc(tlen);
1988 if (buf == NULL) {
1989 plog(ASL_LEVEL_ERR,
1990 "failed to get buffer to send.\n");
1991 goto end;
1992 }
1993
1994 /* create isakmp header */
1995 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
1996 if (p == NULL) {
1997 plog(ASL_LEVEL_ERR,
1998 "failed to set ISAKMP header");
1999 goto end;
2000 }
2001
2002 /* add HASH(4) payload */
2003 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
2004
2005 /* add notify payload */
2006 memcpy(p, notify->v, notify->l);
2007
2008 #ifdef HAVE_PRINT_ISAKMP_C
2009 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2010 #endif
2011
2012 /* encoding */
2013 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2014 if (iph2->sendbuf == NULL) {
2015 plog(ASL_LEVEL_ERR,
2016 "failed to encrypt packet");
2017 goto end;
2018 }
2019
2020 /* send the packet */
2021 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
2022 plog(ASL_LEVEL_ERR,
2023 "failed to send packet");
2024 goto end;
2025 }
2026
2027 /* the sending message is added to the received-list. */
2028 if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0,
2029 PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) {
2030 plog(ASL_LEVEL_ERR ,
2031 "failed to add a response packet to the tree.\n");
2032 goto end;
2033 }
2034
2035 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_COMMIT);
2036
2037 error = 0;
2038
2039 IPSECSESSIONTRACEREVENT(iph2->parent_session,
2040 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
2041 CONSTSTR("Responder, Quick-Mode message 4"),
2042 CONSTSTR(NULL));
2043
2044 end:
2045 if (error) {
2046 IPSECSESSIONTRACEREVENT(iph2->parent_session,
2047 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
2048 CONSTSTR("Responder, Quick-Mode Message 4"),
2049 CONSTSTR("Failed to transmit Quick-Mode Message 4"));
2050 }
2051 if (buf != NULL)
2052 vfree(buf);
2053 if (myhash != NULL)
2054 vfree(myhash);
2055 if (notify != NULL)
2056 vfree(notify);
2057
2058 return error;
2059 }
2060
2061
2062 /*
2063 * set SA to kernel.
2064 */
2065 int
2066 quick_rfinalize(iph2, msg0)
2067 phase2_handle_t *iph2;
2068 vchar_t *msg0;
2069 {
2070 vchar_t *msg = NULL;
2071 int error = ISAKMP_INTERNAL_ERROR;
2072
2073 /* validity check */
2074 if (iph2->status != IKEV1_STATE_QUICK_R_COMMIT) {
2075 plog(ASL_LEVEL_ERR,
2076 "status mismatched %d.\n", iph2->status);
2077 goto end;
2078 }
2079
2080 /* compute both of KEYMATs */
2081 if (oakley_compute_keymat(iph2, RESPONDER) < 0) {
2082 plog(ASL_LEVEL_ERR,
2083 "failed to compute KEYMAT");
2084 goto end;
2085 }
2086
2087 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_ADDSA);
2088
2089 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
2090
2091 /* don't anything if local test mode. */
2092 if (f_local) {
2093 error = 0;
2094 goto end;
2095 }
2096
2097 /* Do UPDATE as responder */
2098 plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n");
2099 if (pk_sendupdate(iph2) < 0) {
2100 plog(ASL_LEVEL_ERR, "pfkey update failed.\n");
2101 goto end;
2102 }
2103 plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n");
2104
2105 /* Do ADD for responder */
2106 if (pk_sendadd(iph2) < 0) {
2107 plog(ASL_LEVEL_ERR, "pfkey add failed.\n");
2108 goto end;
2109 }
2110 plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n");
2111
2112 /*
2113 * set policies into SPD if the policy is generated
2114 * from peer's policy.
2115 */
2116 if (iph2->spidx_gen) {
2117
2118 struct policyindex *spidx;
2119 struct sockaddr_storage addr;
2120 u_int8_t pref;
2121 struct sockaddr_storage *src = iph2->src;
2122 struct sockaddr_storage *dst = iph2->dst;
2123
2124 /* make inbound policy */
2125 iph2->src = dst;
2126 iph2->dst = src;
2127 if (pk_sendspdupdate2(iph2) < 0) {
2128 plog(ASL_LEVEL_ERR,
2129 "pfkey spdupdate2(inbound) failed.\n");
2130 goto end;
2131 }
2132 plog(ASL_LEVEL_DEBUG,
2133 "pfkey spdupdate2(inbound) sent.\n");
2134
2135 spidx = iph2->spidx_gen;
2136 #ifdef HAVE_POLICY_FWD
2137 /* make forward policy if required */
2138 if (tunnel_mode_prop(iph2->approval)) {
2139 spidx->dir = IPSEC_DIR_FWD;
2140 if (pk_sendspdupdate2(iph2) < 0) {
2141 plog(ASL_LEVEL_ERR,
2142 "pfkey spdupdate2(forward) failed.\n");
2143 goto end;
2144 }
2145 plog(ASL_LEVEL_DEBUG,
2146 "pfkey spdupdate2(forward) sent.\n");
2147 }
2148 #endif
2149
2150 /* make outbound policy */
2151 iph2->src = src;
2152 iph2->dst = dst;
2153 spidx->dir = IPSEC_DIR_OUTBOUND;
2154 addr = spidx->src;
2155 spidx->src = spidx->dst;
2156 spidx->dst = addr;
2157 pref = spidx->prefs;
2158 spidx->prefs = spidx->prefd;
2159 spidx->prefd = pref;
2160
2161 if (pk_sendspdupdate2(iph2) < 0) {
2162 plog(ASL_LEVEL_ERR,
2163 "pfkey spdupdate2(outbound) failed.\n");
2164 goto end;
2165 }
2166 plog(ASL_LEVEL_DEBUG,
2167 "pfkey spdupdate2(outbound) sent.\n");
2168
2169 /* spidx_gen is unnecessary any more */
2170 delsp_bothdir(iph2->spidx_gen);
2171 racoon_free(iph2->spidx_gen);
2172 iph2->spidx_gen = NULL;
2173 iph2->generated_spidx=1;
2174 }
2175
2176 error = 0;
2177
2178 end:
2179 if (msg != NULL)
2180 vfree(msg);
2181
2182 return error;
2183 }
2184
2185 /*
2186 * create HASH, body (SA, NONCE) payload with isakmp header.
2187 */
2188 static vchar_t *
2189 quick_ir1mx(iph2, body, hash)
2190 phase2_handle_t *iph2;
2191 vchar_t *body, *hash;
2192 {
2193 struct isakmp *isakmp;
2194 vchar_t *buf = NULL, *new = NULL;
2195 char *p;
2196 int tlen;
2197 struct isakmp_gen *gen;
2198 int error = ISAKMP_INTERNAL_ERROR;
2199
2200 /* create buffer for isakmp payload */
2201 tlen = sizeof(*isakmp)
2202 + sizeof(*gen) + hash->l
2203 + body->l;
2204 buf = vmalloc(tlen);
2205 if (buf == NULL) {
2206 plog(ASL_LEVEL_ERR,
2207 "failed to get buffer to send.\n");
2208 goto end;
2209 }
2210
2211 /* re-set encryption flag, for serurity. */
2212 iph2->flags |= ISAKMP_FLAG_E;
2213
2214 /* set isakmp header */
2215 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
2216 if (p == NULL) {
2217 plog(ASL_LEVEL_ERR,
2218 "failed to set ISAKMP header");
2219 goto end;
2220 }
2221
2222 /* add HASH payload */
2223 /* XXX is next type always SA ? */
2224 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
2225
2226 /* add body payload */
2227 memcpy(p, body->v, body->l);
2228
2229 #ifdef HAVE_PRINT_ISAKMP_C
2230 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2231 #endif
2232
2233 /* encoding */
2234 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2235 if (new == NULL) {
2236 plog(ASL_LEVEL_ERR,
2237 "failed to encrypt packet");
2238 goto end;
2239 }
2240
2241 vfree(buf);
2242
2243 buf = new;
2244
2245 error = 0;
2246
2247 end:
2248 if (error && buf != NULL) {
2249 vfree(buf);
2250 buf = NULL;
2251 }
2252
2253 return buf;
2254 }
2255
2256 /*
2257 * get remote's sainfo.
2258 * NOTE: this function is for responder.
2259 */
2260 int
2261 get_sainfo_r(iph2)
2262 phase2_handle_t *iph2;
2263 {
2264 vchar_t *idsrc = NULL, *iddst = NULL;
2265 int prefixlen;
2266 int error = ISAKMP_INTERNAL_ERROR;
2267 struct sainfo *anonymous = NULL;
2268
2269 if (iph2->id == NULL) {
2270 switch (iph2->src->ss_family) {
2271 case AF_INET:
2272 prefixlen = sizeof(struct in_addr) << 3;
2273 break;
2274 case AF_INET6:
2275 prefixlen = sizeof(struct in6_addr) << 3;
2276 break;
2277 default:
2278 plog(ASL_LEVEL_ERR,
2279 "invalid family: %d\n", iph2->src->ss_family);
2280 goto end;
2281 }
2282 idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
2283 IPSEC_ULPROTO_ANY);
2284 } else {
2285 idsrc = vdup(iph2->id);
2286 }
2287 if (idsrc == NULL) {
2288 plog(ASL_LEVEL_ERR,
2289 "failed to set ID for source.\n");
2290 goto end;
2291 }
2292
2293 if (iph2->id_p == NULL) {
2294 switch (iph2->dst->ss_family) {
2295 case AF_INET:
2296 prefixlen = sizeof(struct in_addr) << 3;
2297 break;
2298 case AF_INET6:
2299 prefixlen = sizeof(struct in6_addr) << 3;
2300 break;
2301 default:
2302 plog(ASL_LEVEL_ERR,
2303 "invalid family: %d\n", iph2->dst->ss_family);
2304 goto end;
2305 }
2306 iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen,
2307 IPSEC_ULPROTO_ANY);
2308 } else {
2309 iddst = vdup(iph2->id_p);
2310 }
2311 if (iddst == NULL) {
2312 plog(ASL_LEVEL_ERR,
2313 "failed to set ID for destination.\n");
2314 goto end;
2315 }
2316
2317 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 0);
2318 // track anonymous sainfo, because we'll try to find a better sainfo if this is a client
2319 if (iph2->sainfo && iph2->sainfo->idsrc == NULL)
2320 anonymous = iph2->sainfo;
2321
2322 if (iph2->sainfo == NULL ||
2323 (anonymous && iph2->parent_session && iph2->parent_session->is_client)) {
2324 if ((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL)
2325 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 1);
2326 if (iph2->sainfo) {
2327 plog(ASL_LEVEL_DEBUG,
2328 "get_sainfo_r case 1.\n");
2329 }
2330 // still no sainfo (or anonymous): for client, fallback to sainfo used by a previous established phase2
2331 if (iph2->sainfo == NULL ||
2332 (iph2->sainfo->idsrc == NULL && iph2->parent_session && iph2->parent_session->is_client)) {
2333 ike_session_get_sainfo_r(iph2);
2334 if (iph2->sainfo) {
2335 plog(ASL_LEVEL_DEBUG,
2336 "get_sainfo_r case 2.\n");
2337 }
2338 // still no sainfo (or anonymous): fallback to sainfo picked by dst id
2339 if ((iph2->sainfo == NULL || iph2->sainfo->idsrc == NULL) && iph2->id_p) {
2340 plog(ASL_LEVEL_DEBUG,
2341 "get_sainfo_r about to try dst id only.\n");
2342 iph2->sainfo = getsainfo_by_dst_id(iph2->id_p, iph2->ph1->id_p);
2343 if (iph2->sainfo) {
2344 plog(ASL_LEVEL_DEBUG,
2345 "get_sainfo_r case 3.\n");
2346 if (iph2->sainfo->idsrc == NULL)
2347 anonymous = iph2->sainfo;
2348 }
2349 }
2350 }
2351 }
2352 if (iph2->sainfo == NULL) {
2353 if (anonymous == NULL) {
2354 plog(ASL_LEVEL_ERR,
2355 "failed to get sainfo.\n");
2356 goto end;
2357 }
2358 iph2->sainfo = anonymous;
2359 }
2360 retain_sainfo(iph2->sainfo);
2361
2362 #ifdef ENABLE_HYBRID
2363 /* xauth group inclusion check */
2364 if (iph2->sainfo->group != NULL)
2365 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1)) {
2366 plog(ASL_LEVEL_ERR,
2367 "failed to group check");
2368 goto end;
2369 }
2370 #endif
2371
2372 plog(ASL_LEVEL_DEBUG,
2373 "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2374
2375 error = 0;
2376 end:
2377 if (idsrc)
2378 vfree(idsrc);
2379 if (iddst)
2380 vfree(iddst);
2381
2382 return error;
2383 }
2384
2385 int
2386 get_proposal_r(iph2)
2387 phase2_handle_t *iph2;
2388 {
2389 int error = get_proposal_r_remote(iph2, 0);
2390 if (error != -2 && error != 0 &&
2391 (((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL) ||
2392 (iph2->parent_session && iph2->parent_session->is_client))) {
2393 if (iph2->parent_session && iph2->parent_session->is_client)
2394 error = ike_session_get_proposal_r(iph2);
2395 if (error != -2 && error != 0)
2396 error = get_proposal_r_remote(iph2, 1);
2397 }
2398 return error;
2399 }
2400
2401 /*
2402 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
2403 * are IP address and same address family.
2404 * Then get remote's policy from SPD copied from kernel.
2405 * If the type of ID payload is address or subnet type, then the index is
2406 * made from the payload. If there is no ID payload, or the type of ID
2407 * payload is NOT address type, then the index is made from the address
2408 * pair of phase 1.
2409 * NOTE: This function is only for responder.
2410 */
2411 static int
2412 get_proposal_r_remote(iph2, ignore_id)
2413 phase2_handle_t *iph2;
2414 int ignore_id;
2415 {
2416 struct policyindex spidx;
2417 struct secpolicy *sp_in, *sp_out;
2418 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
2419 int error = ISAKMP_INTERNAL_ERROR;
2420 int generated_policy_exit_early = 0;
2421
2422 /* check the existence of ID payload */
2423 if ((iph2->id_p != NULL && iph2->id == NULL)
2424 || (iph2->id_p == NULL && iph2->id != NULL)) {
2425 plog(ASL_LEVEL_ERR,
2426 "Both IDs wasn't found in payload.\n");
2427 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2428 }
2429
2430 /* make sure if id[src,dst] is null (if use_remote_addr == 0). */
2431 if (!ignore_id && (iph2->src_id || iph2->dst_id)) {
2432 plog(ASL_LEVEL_ERR,
2433 "Why do ID[src,dst] exist already.\n");
2434 return ISAKMP_INTERNAL_ERROR;
2435 }
2436
2437 plog(ASL_LEVEL_DEBUG,
2438 "%s: ignore_id %x.\n", __FUNCTION__, ignore_id);
2439
2440 memset(&spidx, 0, sizeof(spidx));
2441
2442 #define _XIDT(d) (ALIGNED_CAST(struct ipsecdoi_id_b *)((d)->v))->type
2443 /* make a spidx; a key to search SPD */
2444 spidx.dir = IPSEC_DIR_INBOUND;
2445 spidx.ul_proto = 0;
2446
2447 /*
2448 * make destination address in spidx from either ID payload
2449 * or phase 1 address into a address in spidx.
2450 * If behind a nat - use phase1 address because server's
2451 * use the nat's address in the ID payload.
2452 */
2453 if (iph2->id != NULL
2454 && ignore_id == 0
2455 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2456 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
2457 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2458 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2459 /* get a destination address of a policy */
2460 error = ipsecdoi_id2sockaddr(iph2->id, &spidx.dst,
2461 &spidx.prefd, &spidx.ul_proto, iph2->version);
2462 if (error)
2463 return error;
2464
2465 #ifdef INET6
2466 /*
2467 * get scopeid from the SA address.
2468 * note that the phase 1 source address is used as
2469 * a destination address to search for a inbound policy entry
2470 * because rcoon is responder.
2471 */
2472 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
2473 error = setscopeid(&spidx.dst, iph2->src);
2474 if (error)
2475 return error;
2476 }
2477 #endif
2478
2479 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2480 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
2481 idi2type = _XIDT(iph2->id);
2482
2483 } else {
2484
2485 plog(ASL_LEVEL_DEBUG,
2486 "Get a destination address of SP index "
2487 "from Phase 1 address "
2488 "due to no ID payloads found "
2489 "OR because ID type is not address.\n");
2490
2491 /*
2492 * copy the SOURCE address of IKE into the DESTINATION address
2493 * of the key to search the SPD because the direction of policy
2494 * is inbound.
2495 */
2496 memcpy(&spidx.dst, iph2->src, sysdep_sa_len((struct sockaddr *)iph2->src));
2497 switch (spidx.dst.ss_family) {
2498 case AF_INET:
2499 {
2500 struct sockaddr_in *s = (struct sockaddr_in *)&spidx.dst;
2501 spidx.prefd = sizeof(struct in_addr) << 3;
2502 s->sin_port = htons(0);
2503 }
2504 break;
2505 #ifdef INET6
2506 case AF_INET6:
2507 spidx.prefd = sizeof(struct in6_addr) << 3;
2508 break;
2509 #endif
2510 default:
2511 spidx.prefd = 0;
2512 break;
2513 }
2514 }
2515
2516 /* make source address in spidx */
2517 if (iph2->id_p != NULL
2518 && ignore_id == 0
2519 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
2520 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
2521 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2522 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2523 /* get a source address of inbound SA */
2524 error = ipsecdoi_id2sockaddr(iph2->id_p, &spidx.src,
2525 &spidx.prefs, &spidx.ul_proto, iph2->version);
2526 if (error)
2527 return error;
2528
2529 #ifdef INET6
2530 /*
2531 * get scopeid from the SA address.
2532 * for more detail, see above of this function.
2533 */
2534 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
2535 error = setscopeid(&spidx.src, iph2->dst);
2536 if (error)
2537 return error;
2538 }
2539 #endif
2540
2541 /* make id[src,dst] if both ID types are IP address and same */
2542 if (_XIDT(iph2->id_p) == idi2type
2543 && spidx.dst.ss_family == spidx.src.ss_family) {
2544 iph2->src_id = dupsaddr(&spidx.dst);
2545 if (iph2->src_id == NULL) {
2546 plog(ASL_LEVEL_ERR,
2547 "buffer allocation failed.\n");
2548 return ISAKMP_INTERNAL_ERROR;
2549 }
2550 iph2->dst_id = dupsaddr(&spidx.src);
2551 if (iph2->dst_id == NULL) {
2552 plog(ASL_LEVEL_ERR,
2553 "buffer allocation failed.\n");
2554 return ISAKMP_INTERNAL_ERROR;
2555 }
2556 }
2557
2558 } else {
2559 plog(ASL_LEVEL_DEBUG,
2560 "Get a source address of SP index "
2561 "from Phase 1 address "
2562 "due to no ID payloads found "
2563 "OR because ID type is not address.\n");
2564
2565 /* see above comment. */
2566 memcpy(&spidx.src, iph2->dst, sysdep_sa_len((struct sockaddr *)iph2->dst));
2567 switch (spidx.src.ss_family) {
2568 case AF_INET:
2569 {
2570 struct sockaddr_in *s = (struct sockaddr_in *)&spidx.src;
2571 spidx.prefs = sizeof(struct in_addr) << 3;
2572 s->sin_port = htons(0);
2573 }
2574 break;
2575 #ifdef INET6
2576 case AF_INET6:
2577 spidx.prefs = sizeof(struct in6_addr) << 3;
2578 break;
2579 #endif
2580 default:
2581 spidx.prefs = 0;
2582 break;
2583 }
2584 }
2585
2586 #undef _XIDT
2587
2588 plog(ASL_LEVEL_DEBUG,
2589 "get a src address from ID payload "
2590 "%s prefixlen=%u ul_proto=%u\n",
2591 saddr2str((struct sockaddr *)&spidx.src),
2592 spidx.prefs, spidx.ul_proto);
2593 plog(ASL_LEVEL_DEBUG,
2594 "get dst address from ID payload "
2595 "%s prefixlen=%u ul_proto=%u\n",
2596 saddr2str((struct sockaddr *)&spidx.dst),
2597 spidx.prefd, spidx.ul_proto);
2598
2599 /*
2600 * convert the ul_proto if it is 0
2601 * because 0 in ID payload means a wild card.
2602 */
2603 if (spidx.ul_proto == 0)
2604 spidx.ul_proto = IPSEC_ULPROTO_ANY;
2605
2606 /* get inbound policy */
2607 sp_in = getsp_r(&spidx, iph2);
2608 if (sp_in == NULL || sp_in->policy == IPSEC_POLICY_GENERATE) {
2609 if (iph2->ph1->rmconf->gen_policy) {
2610 if (sp_in)
2611 plog(ASL_LEVEL_NOTICE,
2612 "Update the generated policy : %s\n",
2613 spidx2str(&spidx));
2614 else
2615 plog(ASL_LEVEL_NOTICE,
2616 "no policy found, "
2617 "try to generate the policy : %s\n",
2618 spidx2str(&spidx));
2619 iph2->spidx_gen = (struct policyindex *)racoon_malloc(sizeof(spidx));
2620 if (!iph2->spidx_gen) {
2621 plog(ASL_LEVEL_ERR,
2622 "buffer allocation failed.\n");
2623 return ISAKMP_INTERNAL_ERROR;
2624 }
2625 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2626 generated_policy_exit_early = 1; /* special value */
2627 } else {
2628 plog(ASL_LEVEL_ERR,
2629 "no policy found: %s\n", spidx2str(&spidx));
2630 return ISAKMP_INTERNAL_ERROR;
2631 }
2632 }
2633
2634 /* get outbound policy */
2635 {
2636 struct sockaddr_storage addr;
2637 u_int8_t pref;
2638
2639 spidx.dir = IPSEC_DIR_OUTBOUND;
2640 addr = spidx.src;
2641 spidx.src = spidx.dst;
2642 spidx.dst = addr;
2643 pref = spidx.prefs;
2644 spidx.prefs = spidx.prefd;
2645 spidx.prefd = pref;
2646
2647 sp_out = getsp_r(&spidx, iph2);
2648 if (!sp_out) {
2649 plog(ASL_LEVEL_WARNING,
2650 "no outbound policy found: %s\n",
2651 spidx2str(&spidx));
2652 } else {
2653
2654 if (!iph2->spid) {
2655 iph2->spid = sp_out->id;
2656 }
2657 }
2658 }
2659
2660 plog(ASL_LEVEL_DEBUG,
2661 "suitable SP found:%s\n", spidx2str(&spidx));
2662
2663 if (generated_policy_exit_early) {
2664 return -2;
2665 }
2666
2667 /*
2668 * In the responder side, the inbound policy should be using IPsec.
2669 * outbound policy is not checked currently.
2670 */
2671 if (sp_in->policy != IPSEC_POLICY_IPSEC) {
2672 plog(ASL_LEVEL_ERR,
2673 "policy found, but no IPsec required: %s\n",
2674 spidx2str(&spidx));
2675 return ISAKMP_INTERNAL_ERROR;
2676 }
2677
2678 /* set new proposal derived from a policy into the iph2->proposal. */
2679 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
2680 plog(ASL_LEVEL_ERR,
2681 "failed to create saprop.\n");
2682 return ISAKMP_INTERNAL_ERROR;
2683 }
2684
2685 return 0;
2686 }
mirror of ipsec