]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_quick.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-332.100.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_quick.c
1 /* $NetBSD: isakmp_quick.c,v 1.11.4.1 2007/08/01 11:52:21 vanhu Exp $ */
2
3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39
40 #include <netinet/in.h>
41
42 #include <stdlib.h>
43 #include <stdio.h>
44 #include <string.h>
45 #include <errno.h>
46 #if TIME_WITH_SYS_TIME
47 # include <sys/time.h>
48 # include <time.h>
49 #else
50 # if HAVE_SYS_TIME_H
51 # include <sys/time.h>
52 # else
53 # include <time.h>
54 # endif
55 #endif
56
57 #ifndef HAVE_NETINET6_IPSEC
58 #include <netinet/ipsec.h>
59 #else
60 #include <netinet6/ipsec.h>
61 #endif
62
63 #include "var.h"
64 #include "vmbuf.h"
65 #include "schedule.h"
66 #include "misc.h"
67 #include "plog.h"
68 #include "debug.h"
69
70 #include "fsm.h"
71 #include "localconf.h"
72 #include "remoteconf.h"
73 #include "handler.h"
74 #include "policy.h"
75 #include "proposal.h"
76 #include "isakmp_var.h"
77 #include "isakmp.h"
78 #include "isakmp_inf.h"
79 #include "isakmp_quick.h"
80 #include "oakley.h"
81 #include "ipsec_doi.h"
82 #include "crypto_openssl.h"
83 #include "pfkey.h"
84 #include "policy.h"
85 #include "algorithm.h"
86 #include "sockmisc.h"
87 #include "proposal.h"
88 #include "sainfo.h"
89 #include "strnames.h"
90 #include "nattraversal.h"
91 #ifndef HAVE_OPENSSL
92 #include <Security/SecDH.h>
93 #endif
94
95 /* quick mode */
96 static vchar_t *quick_ir1mx (phase2_handle_t *, vchar_t *, vchar_t *);
97 static int get_proposal_r_remote (phase2_handle_t *, int);
98
99 /* \f%%%
100 * Quick Mode
101 */
102 /*
103 * begin Quick Mode as initiator. send pfkey getspi message to kernel.
104 */
105 int
106 quick_iprep(iph2, msg)
107 phase2_handle_t *iph2;
108 vchar_t *msg; /* must be null pointer */
109 {
110 int error = ISAKMP_INTERNAL_ERROR;
111
112 /* validity check */
113 if (iph2->status != IKEV1_STATE_QUICK_I_START) {
114 plog(ASL_LEVEL_ERR,
115 "status mismatched %d.\n", iph2->status);
116 goto end;
117 }
118
119 iph2->msgid = isakmp_newmsgid2(iph2->ph1);
120 if (iph2->ivm != NULL)
121 oakley_delivm(iph2->ivm);
122 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
123 if (iph2->ivm == NULL)
124 return 0;
125
126 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_GETSPISENT);
127
128 /* don't anything if local test mode. */
129 if (f_local) {
130 error = 0;
131 goto end;
132 }
133
134 /* send getspi message */
135 if (pk_sendgetspi(iph2) < 0) {
136 plog(ASL_LEVEL_ERR,
137 "failed to send getspi message");
138 goto end;
139 }
140
141 plog(ASL_LEVEL_DEBUG, "pfkey getspi sent.\n");
142
143 iph2->sce = sched_new(lcconf->wait_ph2complete,
144 pfkey_timeover_stub, iph2);
145
146 error = 0;
147
148 end:
149 return error;
150 }
151
152 /*
153 * send to responder
154 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
155 */
156 int
157 quick_i1send(iph2, msg)
158 phase2_handle_t *iph2;
159 vchar_t *msg; /* must be null pointer */
160 {
161 vchar_t *body = NULL;
162 vchar_t *hash = NULL;
163 #ifdef ENABLE_NATT
164 vchar_t *natoa_i = NULL;
165 vchar_t *natoa_r = NULL;
166 #endif /* ENABLE_NATT */
167 int natoa_type = 0;
168 struct isakmp_gen *gen;
169 char *p;
170 int tlen;
171 int error = ISAKMP_INTERNAL_ERROR;
172 int pfsgroup, idci, idcr;
173 int np;
174 struct ipsecdoi_id_b *id, *id_p;
175
176 /* validity check */
177 if (msg != NULL) {
178 plog(ASL_LEVEL_ERR,
179 "msg has to be NULL in this function.\n");
180 goto end;
181 }
182 if (iph2->status != IKEV1_STATE_QUICK_I_GETSPIDONE) {
183 plog(ASL_LEVEL_ERR,
184 "status mismatched %d.\n", iph2->status);
185 goto end;
186 }
187
188 /* create SA payload for my proposal */
189 if (ipsecdoi_setph2proposal(iph2, FALSE) < 0) {
190 plog(ASL_LEVEL_ERR,
191 "failed to set proposal");
192 goto end;
193 }
194
195 /* generate NONCE value */
196 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
197 if (iph2->nonce == NULL) {
198 plog(ASL_LEVEL_ERR,
199 "failed to generate NONCE");
200 goto end;
201 }
202
203 /*
204 * DH value calculation is kicked out into cfparse.y.
205 * because pfs group can not be negotiated, it's only to be checked
206 * acceptable.
207 */
208 /* generate KE value if need */
209 pfsgroup = iph2->proposal->pfs_group;
210 if (pfsgroup) {
211 /* DH group settting if PFS is required. */
212 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
213 plog(ASL_LEVEL_ERR,
214 "failed to set DH value.\n");
215 goto end;
216 }
217 #ifdef HAVE_OPENSSL
218 if (oakley_dh_generate(iph2->pfsgrp,
219 &iph2->dhpub, &iph2->dhpriv) < 0) {
220 #else
221 if (oakley_dh_generate(iph2->pfsgrp,
222 &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) {
223 #endif
224 plog(ASL_LEVEL_ERR,
225 "failed to generate DH");
226 goto end;
227 }
228 }
229
230 /* generate ID value */
231 if (ipsecdoi_setid2(iph2) < 0) {
232 plog(ASL_LEVEL_ERR,
233 "failed to get ID.\n");
234 goto end;
235 }
236 plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "IDci:\n");
237 plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "IDcr:\n");
238
239 /*
240 * we do not attach IDci nor IDcr, under the following condition:
241 * - all proposals are transport mode
242 * - no MIP6 or proxy
243 * - id payload suggests to encrypt all the traffic (no specific
244 * protocol type)
245 */
246 id = ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v;
247 id_p = ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v;
248 if (id->proto_id == 0
249 && id_p->proto_id == 0
250 && iph2->ph1->rmconf->support_proxy == 0
251 && ipsecdoi_transportmode(iph2->proposal)) {
252 idci = idcr = 0;
253 } else
254 idci = idcr = 1;
255
256 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
257 tlen = + sizeof(*gen) + iph2->sa->l
258 + sizeof(*gen) + iph2->nonce->l;
259 if (pfsgroup)
260 tlen += (sizeof(*gen) + iph2->dhpub->l);
261 if (idci)
262 tlen += sizeof(*gen) + iph2->id->l;
263 if (idcr)
264 tlen += sizeof(*gen) + iph2->id_p->l;
265
266 #ifdef ENABLE_NATT
267 /*
268 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport
269 * we should send NAT-OA
270 */
271 if (ipsecdoi_any_transportmode(iph2->proposal)
272 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
273 natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
274 if (natoa_type == -1) {
275 plog(ASL_LEVEL_ERR,
276 "failed to generate NAT-OA payload.\n");
277 goto end;
278 } else if (natoa_type != 0) {
279 tlen += sizeof(*gen) + natoa_i->l;
280 tlen += sizeof(*gen) + natoa_r->l;
281
282 //plogdump(ASL_LEVEL_DEBUG, natoa_i->v, natoa_i->l, "initiator send NAT-OAi:\n");
283 //plogdump(ASL_LEVEL_DEBUG, natoa_r->v, natoa_r->l, "initiator send NAT-OAr:\n");
284 }
285 }
286 #endif
287
288 body = vmalloc(tlen);
289 if (body == NULL) {
290 plog(ASL_LEVEL_ERR,
291 "failed to get buffer to send.\n");
292 goto end;
293 }
294
295 p = body->v;
296
297 /* add SA payload */
298 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);
299
300 /* add NONCE payload */
301 if (pfsgroup)
302 np = ISAKMP_NPTYPE_KE;
303 else if (idci || idcr)
304 np = ISAKMP_NPTYPE_ID;
305 else
306 np = (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
307 p = set_isakmp_payload(p, iph2->nonce, np);
308
309 /* add KE payload if need. */
310 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
311 if (pfsgroup)
312 p = set_isakmp_payload(p, iph2->dhpub, np);
313
314 /* IDci */
315 np = (idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
316 if (idci)
317 p = set_isakmp_payload(p, iph2->id, np);
318
319 /* IDcr */
320 if (idcr)
321 p = set_isakmp_payload(p, iph2->id_p, natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
322
323 /* natoa */
324 if (natoa_type) {
325 p = set_isakmp_payload(p, natoa_i, natoa_type);
326 p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
327 }
328
329 /* generate HASH(1) */
330 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
331 if (hash == NULL) {
332 plog(ASL_LEVEL_ERR,
333 "failed to compute HASH");
334 goto end;
335 }
336
337 /* send isakmp payload */
338 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
339 if (iph2->sendbuf == NULL) {
340 plog(ASL_LEVEL_ERR,
341 "failed to get send buffer");
342 goto end;
343 }
344
345 /* send the packet, add to the schedule to resend */
346 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
347 if (isakmp_ph2resend(iph2) == -1) {
348 plog(ASL_LEVEL_ERR,
349 "failed to send packet");
350 goto end;
351 }
352
353 /* change status of isakmp status entry */
354 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG1SENT);
355
356 error = 0;
357 end:
358 if (body != NULL)
359 vfree(body);
360 if (hash != NULL)
361 vfree(hash);
362 #ifdef ENABLE_NATT
363 if (natoa_i)
364 vfree(natoa_i);
365 if (natoa_r)
366 vfree(natoa_r);
367 #endif /* ENABLE_NATT */
368
369 return error;
370 }
371
372 /*
373 * receive from responder
374 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
375 */
376 int
377 quick_i2recv(iph2, msg0)
378 phase2_handle_t *iph2;
379 vchar_t *msg0;
380 {
381 vchar_t *msg = NULL;
382 vchar_t *hbuf = NULL; /* for hash computing. */
383 vchar_t *pbuf = NULL; /* for payload parsing */
384 struct isakmp_parse_t *pa;
385 struct isakmp *isakmp = (struct isakmp *)msg0->v;
386 struct isakmp_pl_hash *hash = NULL;
387 int f_id;
388 char *p;
389 int tlen;
390 int error = ISAKMP_INTERNAL_ERROR;
391 struct sockaddr_storage *natoa_i = NULL;
392 struct sockaddr_storage *natoa_r = NULL;
393
394 /* validity check */
395 if (iph2->status != IKEV1_STATE_QUICK_I_MSG1SENT) {
396 plog(ASL_LEVEL_ERR,
397 "status mismatched %d.\n", iph2->status);
398 goto end;
399 }
400
401 /* decrypt packet */
402 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
403 plog(ASL_LEVEL_ERR,
404 "Packet wasn't encrypted.\n");
405 goto end;
406 }
407 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
408 if (msg == NULL) {
409 plog(ASL_LEVEL_ERR,
410 "failed to decrypt");
411 goto end;
412 }
413
414 /* create buffer for validating HASH(2) */
415 /*
416 * ordering rule:
417 * 1. the first one must be HASH
418 * 2. the second one must be SA (added in isakmp-oakley-05!)
419 * 3. two IDs must be considered as IDci, then IDcr
420 */
421 pbuf = isakmp_parse(msg);
422 if (pbuf == NULL) {
423 plog(ASL_LEVEL_ERR,
424 "failed to parse msg");
425 goto end;
426 }
427 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
428
429 /* HASH payload is fixed postion */
430 if (pa->type != ISAKMP_NPTYPE_HASH) {
431 plog(ASL_LEVEL_ERR,
432 "received invalid next payload type %d, "
433 "expecting %d.\n",
434 pa->type, ISAKMP_NPTYPE_HASH);
435 goto end;
436 }
437 hash = (struct isakmp_pl_hash *)pa->ptr;
438 pa++;
439
440 /*
441 * this restriction was introduced in isakmp-oakley-05.
442 * we do not check this for backward compatibility.
443 * TODO: command line/config file option to enable/disable this code
444 */
445 /* HASH payload is fixed postion */
446 if (pa->type != ISAKMP_NPTYPE_SA) {
447 plog(ASL_LEVEL_WARNING,
448 "received invalid next payload type %d, "
449 "expecting %d.\n",
450 pa->type, ISAKMP_NPTYPE_HASH);
451 }
452
453 /* allocate buffer for computing HASH(2) */
454 tlen = iph2->nonce->l
455 + ntohl(isakmp->len) - sizeof(*isakmp);
456 if (tlen < 0) {
457 plog(ASL_LEVEL_ERR,
458 "invalid length (%lu,%d) while getting hash buffer.\n",
459 iph2->nonce->l, ntohl(isakmp->len));
460 goto end;
461 }
462 hbuf = vmalloc(tlen);
463 if (hbuf == NULL) {
464 plog(ASL_LEVEL_ERR,
465 "failed to get hash buffer.\n");
466 goto end;
467 }
468 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */
469
470 /*
471 * parse the payloads.
472 * copy non-HASH payloads into hbuf, so that we can validate HASH.
473 */
474 iph2->sa_ret = NULL;
475 f_id = 0; /* flag to use checking ID */
476 tlen = 0; /* count payload length except of HASH payload. */
477 for (; pa->type; pa++) {
478
479 /* copy to buffer for HASH */
480 /* Don't modify the payload */
481 memcpy(p, pa->ptr, pa->len);
482
483 switch (pa->type) {
484 case ISAKMP_NPTYPE_SA:
485 if (iph2->sa_ret != NULL) {
486 plog(ASL_LEVEL_ERR,
487 "Ignored, multiple SA "
488 "isn't supported.\n");
489 break;
490 }
491 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
492 plog(ASL_LEVEL_ERR,
493 "failed to process SA payload");
494 goto end;
495 }
496 break;
497
498 case ISAKMP_NPTYPE_NONCE:
499 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
500 plog(ASL_LEVEL_ERR,
501 "failed to process NONCE payload");
502 goto end;
503 }
504 break;
505
506 case ISAKMP_NPTYPE_KE:
507 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
508 plog(ASL_LEVEL_ERR,
509 "failed to process KE payload");
510 goto end;
511 }
512 break;
513
514 case ISAKMP_NPTYPE_ID:
515 {
516 vchar_t *vp;
517
518 if (iph2->id == NULL || iph2->id_p == NULL) {
519 error = ISAKMP_INTERNAL_ERROR; // shouldn't happen
520 goto end;
521 }
522
523 /* check ID value */
524 if (f_id == 0) {
525 /* for IDci */
526 vp = iph2->id;
527 } else {
528 /* for IDcr */
529 vp = iph2->id_p;
530 }
531
532 /* These ids may not match when natt is used with some devices.
533 * RFC 2407 says that the protocol and port fields should be ignored
534 * if they are zero, therefore they need to be checked individually.
535 */
536 struct ipsecdoi_id_b *id_ptr = ALIGNED_CAST(struct ipsecdoi_id_b *)vp->v;
537 struct ipsecdoi_pl_id *idp_ptr = (struct ipsecdoi_pl_id *)pa->ptr;
538
539 if (id_ptr->type != idp_ptr->b.type
540 || (idp_ptr->b.proto_id != 0 && idp_ptr->b.proto_id != id_ptr->proto_id)
541 || (idp_ptr->b.port != 0 && idp_ptr->b.port != id_ptr->port)
542 || memcmp(vp->v + sizeof(struct ipsecdoi_id_b), (caddr_t)pa->ptr + sizeof(struct ipsecdoi_pl_id),
543 vp->l - sizeof(struct ipsecdoi_id_b))) {
544 // to support servers that use our external nat address as our ID
545 if (iph2->ph1->natt_flags & NAT_DETECTED) {
546 plog(ASL_LEVEL_WARNING,
547 "mismatched ID was returned - ignored because nat traversal is being used.\n");
548 /* If I'm behind a nat and the ID is type address - save the address
549 * and port for when the peer rekeys.
550 */
551 if (f_id == 0 && (iph2->ph1->natt_flags & NAT_DETECTED_ME)) {
552 if (lcconf->ext_nat_id)
553 vfree(lcconf->ext_nat_id);
554 if (idp_ptr->h.len < sizeof(struct isakmp_gen)) {
555 plog(ASL_LEVEL_ERR, "invalid length (%d) while allocating external nat id.\n", idp_ptr->h.len);
556 goto end;
557 }
558 lcconf->ext_nat_id = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
559 if (lcconf->ext_nat_id == NULL) {
560 plog(ASL_LEVEL_ERR, "memory error while allocating external nat id.\n");
561 goto end;
562 }
563 memcpy(lcconf->ext_nat_id->v, &(idp_ptr->b), lcconf->ext_nat_id->l);
564 if (iph2->ext_nat_id)
565 vfree(iph2->ext_nat_id);
566 iph2->ext_nat_id = vdup(lcconf->ext_nat_id);
567 if (iph2->ext_nat_id == NULL) {
568 plog(ASL_LEVEL_ERR, "memory error while allocating ph2's external nat id.\n");
569 goto end;
570 }
571 plogdump(ASL_LEVEL_DEBUG, iph2->ext_nat_id->v, iph2->ext_nat_id->l, "external nat address saved.\n");
572 } else if (f_id && (iph2->ph1->natt_flags & NAT_DETECTED_PEER)) {
573 if (iph2->ext_nat_id_p)
574 vfree(iph2->ext_nat_id_p);
575 iph2->ext_nat_id_p = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
576 if (iph2->ext_nat_id_p == NULL) {
577 plog(ASL_LEVEL_ERR, "memory error while allocating peers ph2's external nat id.\n");
578 goto end;
579 }
580 memcpy(iph2->ext_nat_id_p->v, &(idp_ptr->b), iph2->ext_nat_id_p->l);
581 plogdump(ASL_LEVEL_DEBUG, iph2->ext_nat_id_p->v, iph2->ext_nat_id_p->l, "peer's external nat address saved.\n");
582 }
583 } else {
584 plog(ASL_LEVEL_ERR, "mismatched ID was returned.\n");
585 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
586 goto end;
587 }
588 }
589 if (f_id == 0)
590 f_id = 1;
591 }
592 break;
593
594 case ISAKMP_NPTYPE_N:
595 isakmp_check_ph2_notify(pa->ptr, iph2);
596 break;
597
598 #ifdef ENABLE_NATT
599 case ISAKMP_NPTYPE_NATOA_DRAFT:
600 case ISAKMP_NPTYPE_NATOA_BADDRAFT:
601 case ISAKMP_NPTYPE_NATOA_RFC:
602 {
603 vchar_t *vp = NULL;
604 struct sockaddr_storage *daddr;
605
606 isakmp_p2ph(&vp, pa->ptr);
607
608 if (vp) {
609 daddr = process_natoa_payload(vp);
610 if (daddr) {
611 if (natoa_i == NULL) {
612 natoa_i = daddr;
613 plog(ASL_LEVEL_DEBUG, "initiaor rcvd NAT-OA i: %s\n",
614 saddr2str((struct sockaddr *)natoa_i));
615 } else if (natoa_r == NULL) {
616 natoa_r = daddr;
617 plog(ASL_LEVEL_DEBUG, "initiator rcvd NAT-OA r: %s\n",
618 saddr2str((struct sockaddr *)natoa_r));
619 } else {
620 racoon_free(daddr);
621 }
622 }
623 vfree(vp);
624 }
625
626 }
627 break;
628 #endif
629
630 default:
631 /* don't send information, see ident_r1recv() */
632 plog(ASL_LEVEL_ERR,
633 "ignore the packet, "
634 "received unexpecting payload type %d.\n",
635 pa->type);
636 goto end;
637 }
638
639 p += pa->len;
640
641 /* compute true length of payload. */
642 tlen += pa->len;
643 }
644
645 /* payload existency check */
646 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
647 plog(ASL_LEVEL_ERR,
648 "few isakmp message received.\n");
649 goto end;
650 }
651
652 /* Fixed buffer for calculating HASH */
653 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
654 plog(ASL_LEVEL_DEBUG,
655 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
656 hbuf->l, tlen + iph2->nonce->l);
657 /* adjust buffer length for HASH */
658 hbuf->l = iph2->nonce->l + tlen;
659
660 /* validate HASH(2) */
661 {
662 char *r_hash;
663 vchar_t *my_hash = NULL;
664 int result;
665
666 r_hash = (char *)hash + sizeof(*hash);
667
668 //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(2) received:");
669
670 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
671 if (my_hash == NULL) {
672 plog(ASL_LEVEL_ERR,
673 "failed to compute HASH");
674 goto end;
675 }
676
677 result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
678 vfree(my_hash);
679
680 if (result) {
681 plog(ASL_LEVEL_DEBUG,
682 "HASH(2) mismatch.\n");
683 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
684 goto end;
685 }
686 }
687
688 /* validity check SA payload sent from responder */
689 if (ipsecdoi_checkph2proposal(iph2) < 0) {
690 plog(ASL_LEVEL_ERR,
691 "failed to validate SA proposal");
692 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
693 goto end;
694 }
695
696 /* change status of isakmp status entry */
697 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG2RCVD);
698
699 error = 0;
700 end:
701 if (hbuf)
702 vfree(hbuf);
703 if (pbuf)
704 vfree(pbuf);
705 if (msg)
706 vfree(msg);
707
708 #ifdef ENABLE_NATT
709 if (natoa_i) {
710 racoon_free(natoa_i);
711 }
712 if (natoa_r) {
713 racoon_free(natoa_r);
714 }
715 #endif
716 if (error) {
717 VPTRINIT(iph2->sa_ret);
718 VPTRINIT(iph2->nonce_p);
719 VPTRINIT(iph2->dhpub_p);
720 }
721
722 return error;
723 }
724
725 /*
726 * send to responder
727 * HDR*, HASH(3)
728 */
729 int
730 quick_i3send(iph2, msg0)
731 phase2_handle_t *iph2;
732 vchar_t *msg0;
733 {
734 vchar_t *msg = NULL;
735 vchar_t *buf = NULL;
736 vchar_t *hash = NULL;
737 char *p = NULL;
738 int tlen;
739 int error = ISAKMP_INTERNAL_ERROR;
740 int packet_error = -1;
741
742 /* validity check */
743 if (iph2->status != IKEV1_STATE_QUICK_I_MSG2RCVD) {
744 plog(ASL_LEVEL_ERR,
745 "status mismatched %d.\n", iph2->status);
746 goto end;
747 }
748
749 /* generate HASH(3) */
750 {
751 vchar_t *tmp = NULL;
752
753 plog(ASL_LEVEL_DEBUG, "HASH(3) generate\n");
754
755 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
756 if (tmp == NULL) {
757 plog(ASL_LEVEL_ERR,
758 "failed to get hash buffer.\n");
759 goto end;
760 }
761 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
762 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);
763
764 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
765 vfree(tmp);
766
767 if (hash == NULL) {
768 plog(ASL_LEVEL_ERR,
769 "failed to compute HASH");
770 goto end;
771 }
772 }
773
774 /* create buffer for isakmp payload */
775 tlen = sizeof(struct isakmp)
776 + sizeof(struct isakmp_gen) + hash->l;
777 buf = vmalloc(tlen);
778 if (buf == NULL) {
779 plog(ASL_LEVEL_ERR,
780 "failed to get buffer to send.\n");
781 goto end;
782 }
783
784 /* create isakmp header */
785 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
786 if (p == NULL) {
787 plog(ASL_LEVEL_ERR,
788 "failed to create ISAKMP header");
789 goto end;
790 }
791
792 /* add HASH(3) payload */
793 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);
794
795 #ifdef HAVE_PRINT_ISAKMP_C
796 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
797 #endif
798
799 /* encoding */
800 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
801 if (iph2->sendbuf == NULL) {
802 plog(ASL_LEVEL_ERR,
803 "failed to encrypt packet");
804 goto end;
805 }
806
807 /* if there is commit bit, need resending */
808 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
809 /* send the packet, add to the schedule to resend */
810 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
811 if (isakmp_ph2resend(iph2) == -1) {
812 plog(ASL_LEVEL_ERR,
813 "failed to send packet, commit-bit");
814 goto end;
815 }
816 } else {
817 /* send the packet */
818 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
819 plog(ASL_LEVEL_ERR,
820 "failed to send packet");
821 goto end;
822 }
823 }
824
825 /* the sending message is added to the received-list. */
826 if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
827 iph2->sendbuf, msg0,
828 PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) {
829 plog(ASL_LEVEL_ERR ,
830 "failed to add a response packet to the tree.\n");
831 goto end;
832 }
833
834 packet_error = 0;
835
836 /* compute both of KEYMATs */
837 if (oakley_compute_keymat(iph2, INITIATOR) < 0) {
838 plog(ASL_LEVEL_ERR,
839 "failed to compute KEYMAT");
840 goto end;
841 }
842
843 /* if there is commit bit don't set up SA now. */
844 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
845 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG3SENT);
846 error = 0;
847 goto end;
848 }
849
850 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_ADDSA);
851
852 /* Do UPDATE for initiator */
853 plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n");
854 if (pk_sendupdate(iph2) < 0) {
855 plog(ASL_LEVEL_ERR, "pfkey update failed.\n");
856 goto end;
857 }
858 plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n");
859
860 /* Do ADD for responder */
861 if (pk_sendadd(iph2) < 0) {
862 plog(ASL_LEVEL_ERR, "pfkey add failed.\n");
863 goto end;
864 }
865 plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n");
866
867 error = 0;
868
869 end:
870 if (buf != NULL)
871 vfree(buf);
872 if (msg != NULL)
873 vfree(msg);
874 if (hash != NULL)
875 vfree(hash);
876
877 return error;
878 }
879
880 /*
881 * receive from responder
882 * HDR#*, HASH(4), notify
883 */
884 int
885 quick_i4recv(iph2, msg0)
886 phase2_handle_t *iph2;
887 vchar_t *msg0;
888 {
889 vchar_t *msg = NULL;
890 vchar_t *pbuf = NULL; /* for payload parsing */
891 struct isakmp_parse_t *pa;
892 struct isakmp_pl_hash *hash = NULL;
893 vchar_t *notify = NULL;
894 int error = ISAKMP_INTERNAL_ERROR;
895 int packet_error = -1;
896
897 /* validity check */
898 if (iph2->status != IKEV1_STATE_QUICK_I_MSG3SENT) {
899 plog(ASL_LEVEL_ERR,
900 "status mismatched %d.\n", iph2->status);
901 goto end;
902 }
903
904 /* decrypt packet */
905 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
906 plog(ASL_LEVEL_ERR,
907 "Packet wasn't encrypted.\n");
908 goto end;
909 }
910 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
911 if (msg == NULL) {
912 plog(ASL_LEVEL_ERR,
913 "failed to decrypt packet\n");
914 goto end;
915 }
916
917 /* validate the type of next payload */
918 pbuf = isakmp_parse(msg);
919 if (pbuf == NULL) {
920 plog(ASL_LEVEL_ERR,
921 "failed to parse msg\n");
922 goto end;
923 }
924
925 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
926 pa->type != ISAKMP_NPTYPE_NONE;
927 pa++) {
928
929 switch (pa->type) {
930 case ISAKMP_NPTYPE_HASH:
931 hash = (struct isakmp_pl_hash *)pa->ptr;
932 break;
933 case ISAKMP_NPTYPE_N:
934 if (notify != NULL) {
935 plog(ASL_LEVEL_WARNING,
936 "Ignoring multiple notifications\n");
937 break;
938 }
939 isakmp_check_ph2_notify(pa->ptr, iph2);
940 notify = vmalloc(pa->len);
941 if (notify == NULL) {
942 plog(ASL_LEVEL_ERR,
943 "failed to get notify buffer.\n");
944 goto end;
945 }
946 memcpy(notify->v, pa->ptr, notify->l);
947 break;
948 default:
949 /* don't send information, see ident_r1recv() */
950 plog(ASL_LEVEL_ERR,
951 "ignore the packet, "
952 "received unexpecting payload type %d.\n",
953 pa->type);
954 goto end;
955 }
956 }
957
958 /* payload existency check */
959 if (hash == NULL) {
960 plog(ASL_LEVEL_ERR,
961 "few isakmp message received.\n");
962 goto end;
963 }
964
965 /* validate HASH(4) */
966 {
967 char *r_hash;
968 vchar_t *my_hash = NULL;
969 vchar_t *tmp = NULL;
970 int result;
971
972 r_hash = (char *)hash + sizeof(*hash);
973
974 //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(4) validate:");
975
976 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
977 vfree(tmp);
978 if (my_hash == NULL) {
979 plog(ASL_LEVEL_ERR,
980 "failed to compute HASH\n");
981 goto end;
982 }
983
984 result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
985 vfree(my_hash);
986
987 if (result) {
988 plog(ASL_LEVEL_DEBUG,
989 "HASH(4) mismatch.\n");
990 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
991 goto end;
992 }
993 }
994
995 packet_error = 0;
996
997 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_ADDSA);
998
999 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1000
1001 /* don't anything if local test mode. */
1002 if (f_local) {
1003 error = 0;
1004 goto end;
1005 }
1006
1007 /* Do UPDATE for initiator */
1008 plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n");
1009 if (pk_sendupdate(iph2) < 0) {
1010 plog(ASL_LEVEL_ERR, "pfkey update failed.\n");
1011 goto end;
1012 }
1013 plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n");
1014
1015 /* Do ADD for responder */
1016 if (pk_sendadd(iph2) < 0) {
1017 plog(ASL_LEVEL_ERR, "pfkey add failed.\n");
1018 goto end;
1019 }
1020 plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n");
1021
1022 error = 0;
1023
1024 end:
1025 if (msg != NULL)
1026 vfree(msg);
1027 if (pbuf != NULL)
1028 vfree(pbuf);
1029 if (notify != NULL)
1030 vfree(notify);
1031
1032 return error;
1033 }
1034
1035 /*
1036 * receive from initiator
1037 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1038 */
1039 int
1040 quick_r1recv(iph2, msg0)
1041 phase2_handle_t *iph2;
1042 vchar_t *msg0;
1043 {
1044 vchar_t *msg = NULL;
1045 vchar_t *hbuf = NULL; /* for hash computing. */
1046 vchar_t *pbuf = NULL; /* for payload parsing */
1047 struct isakmp_parse_t *pa;
1048 struct isakmp *isakmp = (struct isakmp *)msg0->v;
1049 struct isakmp_pl_hash *hash = NULL;
1050 char *p;
1051 int tlen;
1052 int f_id_order; /* for ID payload detection */
1053 int error = ISAKMP_INTERNAL_ERROR;
1054 struct sockaddr_storage *natoa_i = NULL;
1055 struct sockaddr_storage *natoa_r = NULL;
1056
1057 /* validity check */
1058 if (iph2->status != IKEV1_STATE_QUICK_R_START) {
1059 plog(ASL_LEVEL_ERR,
1060 "status mismatched %d.\n", iph2->status);
1061 goto end;
1062 }
1063
1064 /* decrypting */
1065 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1066 plog(ASL_LEVEL_ERR,
1067 "Packet wasn't encrypted.\n");
1068 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1069 goto end;
1070 }
1071 /* decrypt packet */
1072 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1073 if (msg == NULL) {
1074 plog(ASL_LEVEL_ERR,
1075 "failed to decrypt packet\n");
1076 goto end;
1077 }
1078
1079 /* create buffer for using to validate HASH(1) */
1080 /*
1081 * ordering rule:
1082 * 1. the first one must be HASH
1083 * 2. the second one must be SA (added in isakmp-oakley-05!)
1084 * 3. two IDs must be considered as IDci, then IDcr
1085 */
1086 pbuf = isakmp_parse(msg);
1087 if (pbuf == NULL) {
1088 plog(ASL_LEVEL_ERR,
1089 "failed to parse msg\n");
1090 goto end;
1091 }
1092 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1093
1094 /* HASH payload is fixed postion */
1095 if (pa->type != ISAKMP_NPTYPE_HASH) {
1096 plog(ASL_LEVEL_ERR,
1097 "received invalid next payload type %d, "
1098 "expecting %d.\n",
1099 pa->type, ISAKMP_NPTYPE_HASH);
1100 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1101 goto end;
1102 }
1103 hash = (struct isakmp_pl_hash *)pa->ptr;
1104 pa++;
1105
1106 /*
1107 * this restriction was introduced in isakmp-oakley-05.
1108 * we do not check this for backward compatibility.
1109 * TODO: command line/config file option to enable/disable this code
1110 */
1111 /* HASH payload is fixed postion */
1112 if (pa->type != ISAKMP_NPTYPE_SA) {
1113 plog(ASL_LEVEL_WARNING,
1114 "received invalid next payload type %d, "
1115 "expecting %d.\n",
1116 pa->type, ISAKMP_NPTYPE_SA);
1117 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1118 }
1119
1120 /* allocate buffer for computing HASH(1) */
1121 tlen = ntohl(isakmp->len) - sizeof(*isakmp);
1122 if (tlen < 0) {
1123 plog(ASL_LEVEL_ERR, "invalid length (%d) while extracting hash.\n",
1124 ntohl(isakmp->len));
1125 goto end;
1126 }
1127 hbuf = vmalloc(tlen);
1128 if (hbuf == NULL) {
1129 plog(ASL_LEVEL_ERR,
1130 "failed to get hash buffer.\n");
1131 goto end;
1132 }
1133 p = hbuf->v;
1134
1135 /*
1136 * parse the payloads.
1137 * copy non-HASH payloads into hbuf, so that we can validate HASH.
1138 */
1139 iph2->sa = NULL; /* we don't support multi SAs. */
1140 iph2->nonce_p = NULL;
1141 iph2->dhpub_p = NULL;
1142 iph2->id_p = NULL;
1143 iph2->id = NULL;
1144 tlen = 0; /* count payload length except of HASH payload. */
1145
1146 /*
1147 * IDi2 MUST be immediatelly followed by IDr2. We allowed the
1148 * illegal case, but logged. First ID payload is to be IDi2.
1149 * And next ID payload is to be IDr2.
1150 */
1151 f_id_order = 0;
1152
1153 for (; pa->type; pa++) {
1154
1155 /* copy to buffer for HASH */
1156 /* Don't modify the payload */
1157 memcpy(p, pa->ptr, pa->len);
1158
1159 if (pa->type != ISAKMP_NPTYPE_ID)
1160 f_id_order = 0;
1161
1162 switch (pa->type) {
1163 case ISAKMP_NPTYPE_SA:
1164 if (iph2->sa != NULL) {
1165 plog(ASL_LEVEL_ERR,
1166 "Multi SAs isn't supported.\n");
1167 goto end;
1168 }
1169 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
1170 plog(ASL_LEVEL_ERR,
1171 "failed to process SA payload\n");
1172 goto end;
1173 }
1174 break;
1175
1176 case ISAKMP_NPTYPE_NONCE:
1177 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
1178 plog(ASL_LEVEL_ERR,
1179 "failed to process NONCE payload\n");
1180 goto end;
1181 }
1182 break;
1183
1184 case ISAKMP_NPTYPE_KE:
1185 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
1186 plog(ASL_LEVEL_ERR,
1187 "failed to process KE payload\n");
1188 goto end;
1189 }
1190 break;
1191
1192 case ISAKMP_NPTYPE_ID:
1193 if (iph2->id_p == NULL) {
1194 /* for IDci */
1195 f_id_order++;
1196
1197 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) {
1198 plog(ASL_LEVEL_ERR,
1199 "failed to process IDci2 payload\n");
1200 goto end;
1201 }
1202
1203 } else if (iph2->id == NULL) {
1204 /* for IDcr */
1205 if (f_id_order == 0) {
1206 plog(ASL_LEVEL_ERR,
1207 "IDr2 payload is not "
1208 "immediatelly followed "
1209 "by IDi2. We allowed.\n");
1210 /* XXX we allowed in this case. */
1211 }
1212
1213 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) {
1214 plog(ASL_LEVEL_ERR,
1215 "failed to process IDcr2 payload\n");
1216 goto end;
1217 }
1218 } else {
1219 plogdump(ASL_LEVEL_ERR, iph2->id->v, iph2->id->l, "received too many ID payloads");
1220 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1221 goto end;
1222 }
1223 break;
1224
1225 case ISAKMP_NPTYPE_N:
1226 isakmp_check_ph2_notify(pa->ptr, iph2);
1227 break;
1228
1229 #ifdef ENABLE_NATT
1230 case ISAKMP_NPTYPE_NATOA_DRAFT:
1231 case ISAKMP_NPTYPE_NATOA_BADDRAFT:
1232 case ISAKMP_NPTYPE_NATOA_RFC:
1233 {
1234 vchar_t *vp = NULL;
1235 struct sockaddr_storage *daddr;
1236
1237 isakmp_p2ph(&vp, pa->ptr);
1238
1239 if (vp) {
1240 daddr = process_natoa_payload(vp);
1241 if (daddr) {
1242 if (natoa_i == NULL) {
1243 natoa_i = daddr;
1244 plog(ASL_LEVEL_DEBUG, "responder rcvd NAT-OA i: %s\n",
1245 saddr2str((struct sockaddr *)natoa_i));
1246 } else if (natoa_r == NULL) {
1247 natoa_r = daddr;
1248 plog(ASL_LEVEL_DEBUG, "responder rcvd NAT-OA r: %s\n",
1249 saddr2str((struct sockaddr *)natoa_r));
1250 } else {
1251 racoon_free(daddr);
1252 }
1253 }
1254 vfree(vp);
1255 }
1256
1257 }
1258 break;
1259 #endif
1260
1261 default:
1262 plog(ASL_LEVEL_ERR,
1263 "ignore the packet, "
1264 "received unexpected payload type %d.\n",
1265 pa->type);
1266 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1267 goto end;
1268 }
1269
1270 p += pa->len;
1271
1272 /* compute true length of payload. */
1273 tlen += pa->len;
1274 }
1275
1276 /* payload existency check */
1277 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
1278 plog(ASL_LEVEL_ERR,
1279 "expected isakmp payloads missing.\n");
1280 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1281 goto end;
1282 }
1283
1284 if (iph2->id_p) {
1285 plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "received IDci2:");
1286 }
1287 if (iph2->id) {
1288 plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "received IDcr2:");
1289 }
1290
1291 /* adjust buffer length for HASH */
1292 hbuf->l = tlen;
1293
1294 /* validate HASH(1) */
1295 {
1296 char *r_hash;
1297 vchar_t *my_hash = NULL;
1298 int result;
1299
1300 r_hash = (caddr_t)hash + sizeof(*hash);
1301
1302 //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(1) validate:");
1303
1304 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
1305 if (my_hash == NULL) {
1306 plog(ASL_LEVEL_ERR,
1307 "failed to compute HASH\n");
1308 goto end;
1309 }
1310
1311 result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
1312 vfree(my_hash);
1313
1314 if (result) {
1315 plog(ASL_LEVEL_ERR,
1316 "HASH(1) mismatch.\n");
1317 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1318 goto end;
1319 }
1320 }
1321
1322 /* get sainfo */
1323 error = get_sainfo_r(iph2);
1324 if (error) {
1325 plog(ASL_LEVEL_ERR,
1326 "failed to get sainfo.\n");
1327 goto end;
1328 }
1329
1330 /* check the existence of ID payload and create responder's proposal */
1331 error = get_proposal_r(iph2);
1332 switch (error) {
1333 case -2:
1334 /* generate a policy template from peer's proposal */
1335 if (set_proposal_from_proposal(iph2)) {
1336 plog(ASL_LEVEL_ERR,
1337 "failed to generate a proposal template "
1338 "from client's proposal.\n");
1339 error = ISAKMP_INTERNAL_ERROR;
1340 goto end;
1341 }
1342 /*FALLTHROUGH*/
1343 case 0:
1344 /* select single proposal or reject it. */
1345 if (ipsecdoi_selectph2proposal(iph2) < 0) {
1346 plog(ASL_LEVEL_ERR,
1347 "failed to select proposal.\n");
1348 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1349 goto end;
1350 }
1351 break;
1352 default:
1353 plog(ASL_LEVEL_ERR,
1354 "failed to get proposal for responder.\n");
1355 goto end;
1356 }
1357
1358 /* check KE and attribute of PFS */
1359 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
1360 plog(ASL_LEVEL_ERR,
1361 "no PFS is specified, but peer sends KE.\n");
1362 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1363 goto end;
1364 }
1365 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
1366 plog(ASL_LEVEL_ERR,
1367 "PFS is specified, but peer doesn't sends KE.\n");
1368 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1369 goto end;
1370 }
1371
1372 ike_session_update_mode(iph2); /* update the mode, now that we have a proposal */
1373
1374 /*
1375 * save the packet from the initiator in order to resend the
1376 * responder's first packet against this packet.
1377 */
1378 iph2->msg1 = vdup(msg0);
1379
1380 /* change status of isakmp status entry */
1381 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG1RCVD);
1382
1383 error = 0;
1384 end:
1385 if (hbuf)
1386 vfree(hbuf);
1387 if (msg)
1388 vfree(msg);
1389 if (pbuf)
1390 vfree(pbuf);
1391
1392 #ifdef ENABLE_NATT
1393 if (natoa_i) {
1394 racoon_free(natoa_i);
1395 }
1396 if (natoa_r) {
1397 racoon_free(natoa_r);
1398 }
1399 #endif
1400
1401 if (error) {
1402 VPTRINIT(iph2->sa);
1403 VPTRINIT(iph2->nonce_p);
1404 VPTRINIT(iph2->dhpub_p);
1405 VPTRINIT(iph2->id);
1406 VPTRINIT(iph2->id_p);
1407 }
1408
1409 return error;
1410 }
1411
1412 /*
1413 * call pfkey_getspi.
1414 */
1415 int
1416 quick_rprep(iph2, msg)
1417 phase2_handle_t *iph2;
1418 vchar_t *msg;
1419 {
1420 int error = ISAKMP_INTERNAL_ERROR;
1421
1422 /* validity check */
1423 if (iph2->status != IKEV1_STATE_QUICK_R_MSG1RCVD) {
1424 plog(ASL_LEVEL_ERR,
1425 "status mismatched %d.\n", iph2->status);
1426 goto end;
1427 }
1428
1429 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_GETSPISENT);
1430
1431 /* send getspi message */
1432 if (pk_sendgetspi(iph2) < 0) {
1433 plog(ASL_LEVEL_ERR,
1434 "failed to send getspi");
1435 goto end;
1436 }
1437
1438 plog(ASL_LEVEL_DEBUG, "pfkey getspi sent.\n");
1439
1440 iph2->sce = sched_new(lcconf->wait_ph2complete,
1441 pfkey_timeover_stub, iph2);
1442
1443 error = 0;
1444
1445 end:
1446 return error;
1447 }
1448
1449 /*
1450 * send to initiator
1451 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1452 */
1453 int
1454 quick_r2send(iph2, msg)
1455 phase2_handle_t *iph2;
1456 vchar_t *msg;
1457 {
1458 vchar_t *body = NULL;
1459 vchar_t *hash = NULL;
1460 vchar_t *natoa_i = NULL;
1461 vchar_t *natoa_r = NULL;
1462 int natoa_type = 0;
1463 struct isakmp_gen *gen;
1464 char *p;
1465 int tlen;
1466 int error = ISAKMP_INTERNAL_ERROR;
1467 int pfsgroup;
1468 u_int8_t *np_p = NULL;
1469
1470 /* validity check */
1471 if (msg != NULL) {
1472 plog(ASL_LEVEL_ERR,
1473 "msg has to be NULL in this function.\n");
1474 goto end;
1475 }
1476 if (iph2->status != IKEV1_STATE_QUICK_R_GETSPIDONE) {
1477 plog(ASL_LEVEL_ERR,
1478 "status mismatched %d.\n", iph2->status);
1479 goto end;
1480 }
1481
1482 /* update responders SPI */
1483 if (ipsecdoi_updatespi(iph2) < 0) {
1484 plog(ASL_LEVEL_ERR, "failed to update spi.\n");
1485 goto end;
1486 }
1487
1488 /* generate NONCE value */
1489 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
1490 if (iph2->nonce == NULL) {
1491 plog(ASL_LEVEL_ERR,
1492 "failed to generate NONCE");
1493 goto end;
1494 }
1495
1496 /* generate KE value if need */
1497 pfsgroup = iph2->approval->pfs_group;
1498 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1499 /* DH group settting if PFS is required. */
1500 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
1501 plog(ASL_LEVEL_ERR,
1502 "failed to set DH value.\n");
1503 goto end;
1504 }
1505 /* generate DH public value */
1506 #ifdef HAVE_OPENSSL
1507 if (oakley_dh_generate(iph2->pfsgrp,
1508 &iph2->dhpub, &iph2->dhpriv) < 0) {
1509 #else
1510 if (oakley_dh_generate(iph2->pfsgrp,
1511 &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) {
1512 #endif
1513 plog(ASL_LEVEL_ERR,
1514 "failed to generate DH public");
1515 goto end;
1516 }
1517 }
1518
1519 /* create SA;NONCE payload, and KE and ID if need */
1520 tlen = sizeof(*gen) + iph2->sa_ret->l
1521 + sizeof(*gen) + iph2->nonce->l;
1522 if (iph2->dhpub_p != NULL && pfsgroup != 0)
1523 tlen += (sizeof(*gen) + iph2->dhpub->l);
1524 if (iph2->id_p != NULL)
1525 tlen += (sizeof(*gen) + iph2->id_p->l
1526 + sizeof(*gen) + iph2->id->l);
1527
1528 #ifdef ENABLE_NATT
1529 /*
1530 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport
1531 * we should send NAT-OA
1532 */
1533 if (ipsecdoi_any_transportmode(iph2->approval)
1534 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
1535 natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
1536 if (natoa_type == -1) {
1537 plog(ASL_LEVEL_ERR,
1538 "failed to create NATOA payloads");
1539 goto end;
1540 }
1541 else if (natoa_type != 0) {
1542 tlen += sizeof(*gen) + natoa_i->l;
1543 tlen += sizeof(*gen) + natoa_r->l;
1544
1545 //plogdump(ASL_LEVEL_DEBUG, natoa_i->v, natoa_i->l, "responder send NAT-OAi:");
1546 //plogdump(ASL_LEVEL_DEBUG, natoa_r->v, natoa_r->l, "responder send NAT-OAr:");
1547 }
1548 }
1549 #endif
1550
1551 plog(ASL_LEVEL_DEBUG, "Approved SA\n");
1552 printsaprop0(ASL_LEVEL_DEBUG, iph2->approval);
1553
1554 body = vmalloc(tlen);
1555 if (body == NULL) {
1556 plog(ASL_LEVEL_ERR,
1557 "failed to get buffer to send.\n");
1558 goto end;
1559 }
1560 p = body->v;
1561
1562 /* make SA payload */
1563 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
1564
1565 /* add NONCE payload */
1566 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1567 p = set_isakmp_payload(p, iph2->nonce,
1568 (iph2->dhpub_p != NULL && pfsgroup != 0)
1569 ? ISAKMP_NPTYPE_KE
1570 : (iph2->id_p != NULL
1571 ? ISAKMP_NPTYPE_ID
1572 : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE)));
1573
1574 /* add KE payload if need. */
1575 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1576 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1577 p = set_isakmp_payload(p, iph2->dhpub,
1578 (iph2->id_p == NULL) ? (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE) : ISAKMP_NPTYPE_ID);
1579 }
1580
1581 /* add ID payloads received. */
1582 if (iph2->id_p != NULL) {
1583 /* IDci */
1584 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
1585 plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "sending IDci2:");
1586 /* IDcr */
1587 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1588 p = set_isakmp_payload(p, iph2->id, (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE));
1589 plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "sending IDcr2:");
1590 }
1591
1592 /* add a RESPONDER-LIFETIME notify payload if needed */
1593 {
1594 vchar_t *data = NULL;
1595 struct saprop *pp = iph2->approval;
1596 struct saproto *pr;
1597
1598 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
1599 u_int32_t v = htonl((u_int32_t)pp->lifetime);
1600 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1601 IPSECDOI_ATTR_SA_LD_TYPE_SEC);
1602 if (!data) {
1603 plog(ASL_LEVEL_ERR,
1604 "failed to add RESPONDER-LIFETIME notify (type) payload");
1605 goto end;
1606 }
1607 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1608 (caddr_t)&v, sizeof(v));
1609 if (!data) {
1610 plog(ASL_LEVEL_ERR,
1611 "failed to add RESPONDER-LIFETIME notify (value) payload");
1612 goto end;
1613 }
1614 }
1615 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
1616 u_int32_t v = htonl((u_int32_t)pp->lifebyte);
1617 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1618 IPSECDOI_ATTR_SA_LD_TYPE_KB);
1619 if (!data) {
1620 plog(ASL_LEVEL_ERR,
1621 "failed to add RESPONDER-LIFETIME notify (type) payload");
1622 goto end;
1623 }
1624 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1625 (caddr_t)&v, sizeof(v));
1626 if (!data) {
1627 plog(ASL_LEVEL_ERR,
1628 "failed to add RESPONDER-LIFETIME notify (value) payload");
1629 goto end;
1630 }
1631 }
1632
1633 /*
1634 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1635 * in the case of SA bundle ?
1636 */
1637 if (data) {
1638 for (pr = pp->head; pr; pr = pr->next) {
1639 body = isakmp_add_pl_n(body, &np_p,
1640 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
1641 if (!body) {
1642 plog(ASL_LEVEL_ERR,
1643 "invalid RESPONDER-LIFETIME payload");
1644 vfree(data);
1645 return error; /* XXX */
1646 }
1647 }
1648 vfree(data);
1649 }
1650 }
1651
1652 /* natoa */
1653 if (natoa_type) {
1654 p = set_isakmp_payload(p, natoa_i, natoa_type);
1655 p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
1656 }
1657
1658 /* generate HASH(2) */
1659 {
1660 vchar_t *tmp;
1661
1662 tmp = vmalloc(iph2->nonce_p->l + body->l);
1663 if (tmp == NULL) {
1664 plog(ASL_LEVEL_ERR,
1665 "failed to get hash buffer.\n");
1666 goto end;
1667 }
1668 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1669 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
1670
1671 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
1672 vfree(tmp);
1673
1674 if (hash == NULL) {
1675 plog(ASL_LEVEL_ERR,
1676 "failed to compute HASH");
1677 goto end;
1678 }
1679 }
1680
1681 /* send isakmp payload */
1682 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
1683 if (iph2->sendbuf == NULL) {
1684 plog(ASL_LEVEL_ERR,
1685 "failed to get send buffer");
1686 goto end;
1687 }
1688
1689 /* send the packet, add to the schedule to resend */
1690 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
1691 if (isakmp_ph2resend(iph2) == -1) {
1692 plog(ASL_LEVEL_ERR,
1693 "failed to send packet");
1694 goto end;
1695 }
1696
1697 /* the sending message is added to the received-list. */
1698 if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1,
1699 PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) {
1700 plog(ASL_LEVEL_ERR,
1701 "failed to add a response packet to the tree.\n");
1702 goto end;
1703 }
1704
1705 /* change status of isakmp status entry */
1706 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG2SENT);
1707
1708 error = 0;
1709 end:
1710 if (body != NULL)
1711 vfree(body);
1712 if (hash != NULL)
1713 vfree(hash);
1714 if (natoa_i)
1715 vfree(natoa_i);
1716 if (natoa_r)
1717 vfree(natoa_r);
1718
1719 return error;
1720 }
1721
1722 /*
1723 * receive from initiator
1724 * HDR*, HASH(3)
1725 */
1726 int
1727 quick_r3recv(iph2, msg0)
1728 phase2_handle_t *iph2;
1729 vchar_t *msg0;
1730 {
1731 vchar_t *msg = NULL;
1732 vchar_t *pbuf = NULL; /* for payload parsing */
1733 struct isakmp_parse_t *pa;
1734 struct isakmp_pl_hash *hash = NULL;
1735 int error = ISAKMP_INTERNAL_ERROR;
1736
1737 /* validity check */
1738 if (iph2->status != IKEV1_STATE_QUICK_R_MSG2SENT) {
1739 plog(ASL_LEVEL_ERR,
1740 "status mismatched %d.\n", iph2->status);
1741 goto end;
1742 }
1743
1744 /* decrypt packet */
1745 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1746 plog(ASL_LEVEL_ERR,
1747 "Packet wasn't encrypted.\n");
1748 goto end;
1749 }
1750 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1751 if (msg == NULL) {
1752 plog(ASL_LEVEL_ERR,
1753 "failed to decrypt packet\n");
1754 goto end;
1755 }
1756
1757 /* validate the type of next payload */
1758 pbuf = isakmp_parse(msg);
1759 if (pbuf == NULL) {
1760 plog(ASL_LEVEL_ERR,
1761 "failed to parse msg\n");
1762 goto end;
1763 }
1764
1765 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1766 pa->type != ISAKMP_NPTYPE_NONE;
1767 pa++) {
1768
1769 switch (pa->type) {
1770 case ISAKMP_NPTYPE_HASH:
1771 hash = (struct isakmp_pl_hash *)pa->ptr;
1772 break;
1773 case ISAKMP_NPTYPE_N:
1774 isakmp_check_ph2_notify(pa->ptr, iph2);
1775 break;
1776 default:
1777 /* don't send information, see ident_r1recv() */
1778 plog(ASL_LEVEL_ERR,
1779 "ignore the packet, "
1780 "received unexpecting payload type %d.\n",
1781 pa->type);
1782 goto end;
1783 }
1784 }
1785
1786 /* payload existency check */
1787 if (hash == NULL) {
1788 plog(ASL_LEVEL_ERR,
1789 "few isakmp message received.\n");
1790 goto end;
1791 }
1792
1793 /* validate HASH(3) */
1794 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1795 {
1796 char *r_hash;
1797 vchar_t *my_hash = NULL;
1798 vchar_t *tmp = NULL;
1799 int result;
1800
1801 r_hash = (char *)hash + sizeof(*hash);
1802
1803 //plogdump(ASL_LEVEL_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash), "HASH(3) validate:");
1804
1805 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
1806 if (tmp == NULL) {
1807 plog(ASL_LEVEL_ERR,
1808 "failed to get hash buffer.\n");
1809 goto end;
1810 }
1811 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1812 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
1813
1814 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
1815 vfree(tmp);
1816 if (my_hash == NULL) {
1817 plog(ASL_LEVEL_ERR,
1818 "failed to compute HASH\n");
1819 goto end;
1820 }
1821
1822 result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
1823 vfree(my_hash);
1824
1825 if (result) {
1826 plog(ASL_LEVEL_ERR,
1827 "HASH(3) mismatch.\n");
1828 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1829 goto end;
1830 }
1831 }
1832
1833 /* if there is commit bit, don't set up SA now. */
1834 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
1835 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG3RCVD);
1836 } else
1837 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_COMMIT);
1838
1839 error = 0;
1840 end:
1841 if (pbuf != NULL)
1842 vfree(pbuf);
1843 if (msg != NULL)
1844 vfree(msg);
1845
1846 return error;
1847 }
1848
1849 /*
1850 * send to initiator
1851 * HDR#*, HASH(4), notify
1852 */
1853 int
1854 quick_r4send(iph2, msg0)
1855 phase2_handle_t *iph2;
1856 vchar_t *msg0;
1857 {
1858 vchar_t *buf = NULL;
1859 vchar_t *myhash = NULL;
1860 struct isakmp_pl_n *n;
1861 vchar_t *notify = NULL;
1862 char *p;
1863 int tlen;
1864 int error = ISAKMP_INTERNAL_ERROR;
1865
1866 /* validity check */
1867 if (iph2->status != IKEV1_STATE_QUICK_R_MSG3RCVD) {
1868 plog(ASL_LEVEL_ERR,
1869 "status mismatched %d.\n", iph2->status);
1870 goto end;
1871 }
1872
1873 /* generate HASH(4) */
1874 /* XXX What can I do in the case of multiple different SA */
1875 plog(ASL_LEVEL_DEBUG, "HASH(4) generate\n");
1876
1877 /* XXX What should I do if there are multiple SAs ? */
1878 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
1879 notify = vmalloc(tlen);
1880 if (notify == NULL) {
1881 plog(ASL_LEVEL_ERR,
1882 "failed to get notify buffer.\n");
1883 goto end;
1884 }
1885 n = (struct isakmp_pl_n *)notify->v;
1886 n->h.np = ISAKMP_NPTYPE_NONE;
1887 n->h.len = htons(tlen);
1888 n->doi = htonl(IPSEC_DOI);
1889 n->proto_id = iph2->approval->head->proto_id;
1890 n->spi_size = sizeof(iph2->approval->head->spisize);
1891 n->type = htons(ISAKMP_NTYPE_CONNECTED);
1892 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
1893
1894 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1895 if (myhash == NULL) {
1896 plog(ASL_LEVEL_ERR,
1897 "failed to compute HASH");
1898 goto end;
1899 }
1900
1901 /* create buffer for isakmp payload */
1902 tlen = sizeof(struct isakmp)
1903 + sizeof(struct isakmp_gen) + myhash->l
1904 + notify->l;
1905 buf = vmalloc(tlen);
1906 if (buf == NULL) {
1907 plog(ASL_LEVEL_ERR,
1908 "failed to get buffer to send.\n");
1909 goto end;
1910 }
1911
1912 /* create isakmp header */
1913 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
1914 if (p == NULL) {
1915 plog(ASL_LEVEL_ERR,
1916 "failed to set ISAKMP header");
1917 goto end;
1918 }
1919
1920 /* add HASH(4) payload */
1921 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
1922
1923 /* add notify payload */
1924 memcpy(p, notify->v, notify->l);
1925
1926 #ifdef HAVE_PRINT_ISAKMP_C
1927 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
1928 #endif
1929
1930 /* encoding */
1931 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
1932 if (iph2->sendbuf == NULL) {
1933 plog(ASL_LEVEL_ERR,
1934 "failed to encrypt packet");
1935 goto end;
1936 }
1937
1938 /* send the packet */
1939 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
1940 plog(ASL_LEVEL_ERR,
1941 "failed to send packet");
1942 goto end;
1943 }
1944
1945 /* the sending message is added to the received-list. */
1946 if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0,
1947 PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) {
1948 plog(ASL_LEVEL_ERR ,
1949 "failed to add a response packet to the tree.\n");
1950 goto end;
1951 }
1952
1953 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_COMMIT);
1954
1955 error = 0;
1956 end:
1957 if (buf != NULL)
1958 vfree(buf);
1959 if (myhash != NULL)
1960 vfree(myhash);
1961 if (notify != NULL)
1962 vfree(notify);
1963
1964 return error;
1965 }
1966
1967
1968 /*
1969 * set SA to kernel.
1970 */
1971 int
1972 quick_rfinalize(iph2, msg0)
1973 phase2_handle_t *iph2;
1974 vchar_t *msg0;
1975 {
1976 vchar_t *msg = NULL;
1977 int error = ISAKMP_INTERNAL_ERROR;
1978
1979 /* validity check */
1980 if (iph2->status != IKEV1_STATE_QUICK_R_COMMIT) {
1981 plog(ASL_LEVEL_ERR,
1982 "status mismatched %d.\n", iph2->status);
1983 goto end;
1984 }
1985
1986 /* compute both of KEYMATs */
1987 if (oakley_compute_keymat(iph2, RESPONDER) < 0) {
1988 plog(ASL_LEVEL_ERR,
1989 "failed to compute KEYMAT");
1990 goto end;
1991 }
1992
1993 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_ADDSA);
1994
1995 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1996
1997 /* don't anything if local test mode. */
1998 if (f_local) {
1999 error = 0;
2000 goto end;
2001 }
2002
2003 /* Do UPDATE as responder */
2004 plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n");
2005 if (pk_sendupdate(iph2) < 0) {
2006 plog(ASL_LEVEL_ERR, "pfkey update failed.\n");
2007 goto end;
2008 }
2009 plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n");
2010
2011 /* Do ADD for responder */
2012 if (pk_sendadd(iph2) < 0) {
2013 plog(ASL_LEVEL_ERR, "pfkey add failed.\n");
2014 goto end;
2015 }
2016 plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n");
2017
2018 /*
2019 * set policies into SPD if the policy is generated
2020 * from peer's policy.
2021 */
2022 if (iph2->spidx_gen) {
2023
2024 struct policyindex *spidx;
2025 struct sockaddr_storage addr;
2026 u_int8_t pref;
2027 struct sockaddr_storage *src = iph2->src;
2028 struct sockaddr_storage *dst = iph2->dst;
2029
2030 /* make inbound policy */
2031 iph2->src = dst;
2032 iph2->dst = src;
2033 if (pk_sendspdupdate2(iph2) < 0) {
2034 plog(ASL_LEVEL_ERR,
2035 "pfkey spdupdate2(inbound) failed.\n");
2036 goto end;
2037 }
2038 plog(ASL_LEVEL_DEBUG,
2039 "pfkey spdupdate2(inbound) sent.\n");
2040
2041 spidx = iph2->spidx_gen;
2042 #ifdef HAVE_POLICY_FWD
2043 /* make forward policy if required */
2044 if (tunnel_mode_prop(iph2->approval)) {
2045 spidx->dir = IPSEC_DIR_FWD;
2046 if (pk_sendspdupdate2(iph2) < 0) {
2047 plog(ASL_LEVEL_ERR,
2048 "pfkey spdupdate2(forward) failed.\n");
2049 goto end;
2050 }
2051 plog(ASL_LEVEL_DEBUG,
2052 "pfkey spdupdate2(forward) sent.\n");
2053 }
2054 #endif
2055
2056 /* make outbound policy */
2057 iph2->src = src;
2058 iph2->dst = dst;
2059 spidx->dir = IPSEC_DIR_OUTBOUND;
2060 addr = spidx->src;
2061 spidx->src = spidx->dst;
2062 spidx->dst = addr;
2063 pref = spidx->prefs;
2064 spidx->prefs = spidx->prefd;
2065 spidx->prefd = pref;
2066
2067 if (pk_sendspdupdate2(iph2) < 0) {
2068 plog(ASL_LEVEL_ERR,
2069 "pfkey spdupdate2(outbound) failed.\n");
2070 goto end;
2071 }
2072 plog(ASL_LEVEL_DEBUG,
2073 "pfkey spdupdate2(outbound) sent.\n");
2074
2075 /* spidx_gen is unnecessary any more */
2076 delsp_bothdir(iph2->spidx_gen);
2077 racoon_free(iph2->spidx_gen);
2078 iph2->spidx_gen = NULL;
2079 iph2->generated_spidx=1;
2080 }
2081
2082 error = 0;
2083
2084 end:
2085 if (msg != NULL)
2086 vfree(msg);
2087
2088 return error;
2089 }
2090
2091 /*
2092 * create HASH, body (SA, NONCE) payload with isakmp header.
2093 */
2094 static vchar_t *
2095 quick_ir1mx(iph2, body, hash)
2096 phase2_handle_t *iph2;
2097 vchar_t *body, *hash;
2098 {
2099 struct isakmp *isakmp;
2100 vchar_t *buf = NULL, *new = NULL;
2101 char *p;
2102 int tlen;
2103 struct isakmp_gen *gen;
2104 int error = ISAKMP_INTERNAL_ERROR;
2105
2106 /* create buffer for isakmp payload */
2107 tlen = sizeof(*isakmp)
2108 + sizeof(*gen) + hash->l
2109 + body->l;
2110 buf = vmalloc(tlen);
2111 if (buf == NULL) {
2112 plog(ASL_LEVEL_ERR,
2113 "failed to get buffer to send.\n");
2114 goto end;
2115 }
2116
2117 /* re-set encryption flag, for serurity. */
2118 iph2->flags |= ISAKMP_FLAG_E;
2119
2120 /* set isakmp header */
2121 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
2122 if (p == NULL) {
2123 plog(ASL_LEVEL_ERR,
2124 "failed to set ISAKMP header");
2125 goto end;
2126 }
2127
2128 /* add HASH payload */
2129 /* XXX is next type always SA ? */
2130 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
2131
2132 /* add body payload */
2133 memcpy(p, body->v, body->l);
2134
2135 #ifdef HAVE_PRINT_ISAKMP_C
2136 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2137 #endif
2138
2139 /* encoding */
2140 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2141 if (new == NULL) {
2142 plog(ASL_LEVEL_ERR,
2143 "failed to encrypt packet");
2144 goto end;
2145 }
2146
2147 vfree(buf);
2148
2149 buf = new;
2150
2151 error = 0;
2152
2153 end:
2154 if (error && buf != NULL) {
2155 vfree(buf);
2156 buf = NULL;
2157 }
2158
2159 return buf;
2160 }
2161
2162 /*
2163 * get remote's sainfo.
2164 * NOTE: this function is for responder.
2165 */
2166 int
2167 get_sainfo_r(iph2)
2168 phase2_handle_t *iph2;
2169 {
2170 vchar_t *idsrc = NULL, *iddst = NULL;
2171 int prefixlen;
2172 int error = ISAKMP_INTERNAL_ERROR;
2173 struct sainfo *anonymous = NULL;
2174
2175 if (iph2->id == NULL) {
2176 switch (iph2->src->ss_family) {
2177 case AF_INET:
2178 prefixlen = sizeof(struct in_addr) << 3;
2179 break;
2180 case AF_INET6:
2181 prefixlen = sizeof(struct in6_addr) << 3;
2182 break;
2183 default:
2184 plog(ASL_LEVEL_ERR,
2185 "invalid family: %d\n", iph2->src->ss_family);
2186 goto end;
2187 }
2188 idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
2189 IPSEC_ULPROTO_ANY);
2190 } else {
2191 idsrc = vdup(iph2->id);
2192 }
2193 if (idsrc == NULL) {
2194 plog(ASL_LEVEL_ERR,
2195 "failed to set ID for source.\n");
2196 goto end;
2197 }
2198
2199 if (iph2->id_p == NULL) {
2200 switch (iph2->dst->ss_family) {
2201 case AF_INET:
2202 prefixlen = sizeof(struct in_addr) << 3;
2203 break;
2204 case AF_INET6:
2205 prefixlen = sizeof(struct in6_addr) << 3;
2206 break;
2207 default:
2208 plog(ASL_LEVEL_ERR,
2209 "invalid family: %d\n", iph2->dst->ss_family);
2210 goto end;
2211 }
2212 iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen,
2213 IPSEC_ULPROTO_ANY);
2214 } else {
2215 iddst = vdup(iph2->id_p);
2216 }
2217 if (iddst == NULL) {
2218 plog(ASL_LEVEL_ERR,
2219 "failed to set ID for destination.\n");
2220 goto end;
2221 }
2222
2223 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 0);
2224 // track anonymous sainfo, because we'll try to find a better sainfo if this is a client
2225 if (iph2->sainfo && iph2->sainfo->idsrc == NULL)
2226 anonymous = iph2->sainfo;
2227
2228 if (iph2->sainfo == NULL ||
2229 (anonymous && iph2->parent_session && iph2->parent_session->is_client)) {
2230 if ((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL)
2231 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 1);
2232 if (iph2->sainfo) {
2233 plog(ASL_LEVEL_DEBUG,
2234 "get_sainfo_r case 1.\n");
2235 }
2236 // still no sainfo (or anonymous): for client, fallback to sainfo used by a previous established phase2
2237 if (iph2->sainfo == NULL ||
2238 (iph2->sainfo->idsrc == NULL && iph2->parent_session && iph2->parent_session->is_client)) {
2239 ike_session_get_sainfo_r(iph2);
2240 if (iph2->sainfo) {
2241 plog(ASL_LEVEL_DEBUG,
2242 "get_sainfo_r case 2.\n");
2243 }
2244 // still no sainfo (or anonymous): fallback to sainfo picked by dst id
2245 if ((iph2->sainfo == NULL || iph2->sainfo->idsrc == NULL) && iph2->id_p) {
2246 plog(ASL_LEVEL_DEBUG,
2247 "get_sainfo_r about to try dst id only.\n");
2248 iph2->sainfo = getsainfo_by_dst_id(iph2->id_p, iph2->ph1->id_p);
2249 if (iph2->sainfo) {
2250 plog(ASL_LEVEL_DEBUG,
2251 "get_sainfo_r case 3.\n");
2252 if (iph2->sainfo->idsrc == NULL)
2253 anonymous = iph2->sainfo;
2254 }
2255 }
2256 }
2257 }
2258 if (iph2->sainfo == NULL) {
2259 if (anonymous == NULL) {
2260 plog(ASL_LEVEL_ERR,
2261 "failed to get sainfo.\n");
2262 goto end;
2263 }
2264 iph2->sainfo = anonymous;
2265 }
2266 retain_sainfo(iph2->sainfo);
2267
2268 #ifdef ENABLE_HYBRID
2269 /* xauth group inclusion check */
2270 if (iph2->sainfo->group != NULL)
2271 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1)) {
2272 plog(ASL_LEVEL_ERR,
2273 "failed to group check");
2274 goto end;
2275 }
2276 #endif
2277
2278 plog(ASL_LEVEL_DEBUG,
2279 "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2280
2281 error = 0;
2282 end:
2283 if (idsrc)
2284 vfree(idsrc);
2285 if (iddst)
2286 vfree(iddst);
2287
2288 return error;
2289 }
2290
2291 int
2292 get_proposal_r(iph2)
2293 phase2_handle_t *iph2;
2294 {
2295 int error = get_proposal_r_remote(iph2, 0);
2296 if (error != -2 && error != 0 &&
2297 (((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL) ||
2298 (iph2->parent_session && iph2->parent_session->is_client))) {
2299 if (iph2->parent_session && iph2->parent_session->is_client)
2300 error = ike_session_get_proposal_r(iph2);
2301 if (error != -2 && error != 0)
2302 error = get_proposal_r_remote(iph2, 1);
2303 }
2304 return error;
2305 }
2306
2307 /*
2308 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
2309 * are IP address and same address family.
2310 * Then get remote's policy from SPD copied from kernel.
2311 * If the type of ID payload is address or subnet type, then the index is
2312 * made from the payload. If there is no ID payload, or the type of ID
2313 * payload is NOT address type, then the index is made from the address
2314 * pair of phase 1.
2315 * NOTE: This function is only for responder.
2316 */
2317 static int
2318 get_proposal_r_remote(iph2, ignore_id)
2319 phase2_handle_t *iph2;
2320 int ignore_id;
2321 {
2322 struct policyindex spidx;
2323 struct secpolicy *sp_in, *sp_out;
2324 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
2325 int error = ISAKMP_INTERNAL_ERROR;
2326 int generated_policy_exit_early = 0;
2327
2328 /* check the existence of ID payload */
2329 if ((iph2->id_p != NULL && iph2->id == NULL)
2330 || (iph2->id_p == NULL && iph2->id != NULL)) {
2331 plog(ASL_LEVEL_ERR,
2332 "Both IDs wasn't found in payload.\n");
2333 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2334 }
2335
2336 /* make sure if id[src,dst] is null (if use_remote_addr == 0). */
2337 if (!ignore_id && (iph2->src_id || iph2->dst_id)) {
2338 plog(ASL_LEVEL_ERR,
2339 "Why do ID[src,dst] exist already.\n");
2340 return ISAKMP_INTERNAL_ERROR;
2341 }
2342
2343 plog(ASL_LEVEL_DEBUG,
2344 "%s: ignore_id %x.\n", __FUNCTION__, ignore_id);
2345
2346 memset(&spidx, 0, sizeof(spidx));
2347
2348 #define _XIDT(d) (ALIGNED_CAST(struct ipsecdoi_id_b *)((d)->v))->type
2349 /* make a spidx; a key to search SPD */
2350 spidx.dir = IPSEC_DIR_INBOUND;
2351 spidx.ul_proto = 0;
2352
2353 /*
2354 * make destination address in spidx from either ID payload
2355 * or phase 1 address into a address in spidx.
2356 * If behind a nat - use phase1 address because server's
2357 * use the nat's address in the ID payload.
2358 */
2359 if (iph2->id != NULL
2360 && ignore_id == 0
2361 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2362 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
2363 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2364 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2365 /* get a destination address of a policy */
2366 error = ipsecdoi_id2sockaddr(iph2->id, &spidx.dst,
2367 &spidx.prefd, &spidx.ul_proto, iph2->version);
2368 if (error)
2369 return error;
2370
2371 #ifdef INET6
2372 /*
2373 * get scopeid from the SA address.
2374 * note that the phase 1 source address is used as
2375 * a destination address to search for a inbound policy entry
2376 * because rcoon is responder.
2377 */
2378 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
2379 error = setscopeid(&spidx.dst, iph2->src);
2380 if (error)
2381 return error;
2382 }
2383 #endif
2384
2385 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2386 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
2387 idi2type = _XIDT(iph2->id);
2388
2389 } else {
2390
2391 plog(ASL_LEVEL_DEBUG,
2392 "Get a destination address of SP index "
2393 "from Phase 1 address "
2394 "due to no ID payloads found "
2395 "OR because ID type is not address.\n");
2396
2397 /*
2398 * copy the SOURCE address of IKE into the DESTINATION address
2399 * of the key to search the SPD because the direction of policy
2400 * is inbound.
2401 */
2402 memcpy(&spidx.dst, iph2->src, sysdep_sa_len((struct sockaddr *)iph2->src));
2403 switch (spidx.dst.ss_family) {
2404 case AF_INET:
2405 {
2406 struct sockaddr_in *s = (struct sockaddr_in *)&spidx.dst;
2407 spidx.prefd = sizeof(struct in_addr) << 3;
2408 s->sin_port = htons(0);
2409 }
2410 break;
2411 #ifdef INET6
2412 case AF_INET6:
2413 spidx.prefd = sizeof(struct in6_addr) << 3;
2414 break;
2415 #endif
2416 default:
2417 spidx.prefd = 0;
2418 break;
2419 }
2420 }
2421
2422 /* make source address in spidx */
2423 if (iph2->id_p != NULL
2424 && ignore_id == 0
2425 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
2426 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
2427 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2428 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2429 /* get a source address of inbound SA */
2430 error = ipsecdoi_id2sockaddr(iph2->id_p, &spidx.src,
2431 &spidx.prefs, &spidx.ul_proto, iph2->version);
2432 if (error)
2433 return error;
2434
2435 #ifdef INET6
2436 /*
2437 * get scopeid from the SA address.
2438 * for more detail, see above of this function.
2439 */
2440 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
2441 error = setscopeid(&spidx.src, iph2->dst);
2442 if (error)
2443 return error;
2444 }
2445 #endif
2446
2447 /* make id[src,dst] if both ID types are IP address and same */
2448 if (_XIDT(iph2->id_p) == idi2type
2449 && spidx.dst.ss_family == spidx.src.ss_family) {
2450 iph2->src_id = dupsaddr(&spidx.dst);
2451 if (iph2->src_id == NULL) {
2452 plog(ASL_LEVEL_ERR,
2453 "buffer allocation failed.\n");
2454 return ISAKMP_INTERNAL_ERROR;
2455 }
2456 iph2->dst_id = dupsaddr(&spidx.src);
2457 if (iph2->dst_id == NULL) {
2458 plog(ASL_LEVEL_ERR,
2459 "buffer allocation failed.\n");
2460 return ISAKMP_INTERNAL_ERROR;
2461 }
2462 }
2463
2464 } else {
2465 plog(ASL_LEVEL_DEBUG,
2466 "Get a source address of SP index "
2467 "from Phase 1 address "
2468 "due to no ID payloads found "
2469 "OR because ID type is not address.\n");
2470
2471 /* see above comment. */
2472 memcpy(&spidx.src, iph2->dst, sysdep_sa_len((struct sockaddr *)iph2->dst));
2473 switch (spidx.src.ss_family) {
2474 case AF_INET:
2475 {
2476 struct sockaddr_in *s = (struct sockaddr_in *)&spidx.src;
2477 spidx.prefs = sizeof(struct in_addr) << 3;
2478 s->sin_port = htons(0);
2479 }
2480 break;
2481 #ifdef INET6
2482 case AF_INET6:
2483 spidx.prefs = sizeof(struct in6_addr) << 3;
2484 break;
2485 #endif
2486 default:
2487 spidx.prefs = 0;
2488 break;
2489 }
2490 }
2491
2492 #undef _XIDT
2493
2494 plog(ASL_LEVEL_DEBUG,
2495 "get a src address from ID payload "
2496 "%s prefixlen=%u ul_proto=%u\n",
2497 saddr2str((struct sockaddr *)&spidx.src),
2498 spidx.prefs, spidx.ul_proto);
2499 plog(ASL_LEVEL_DEBUG,
2500 "get dst address from ID payload "
2501 "%s prefixlen=%u ul_proto=%u\n",
2502 saddr2str((struct sockaddr *)&spidx.dst),
2503 spidx.prefd, spidx.ul_proto);
2504
2505 /*
2506 * convert the ul_proto if it is 0
2507 * because 0 in ID payload means a wild card.
2508 */
2509 if (spidx.ul_proto == 0)
2510 spidx.ul_proto = IPSEC_ULPROTO_ANY;
2511
2512 /* get inbound policy */
2513 sp_in = getsp_r(&spidx, iph2);
2514 if (sp_in == NULL || sp_in->policy == IPSEC_POLICY_GENERATE) {
2515 if (iph2->ph1->rmconf->gen_policy) {
2516 if (sp_in)
2517 plog(ASL_LEVEL_NOTICE,
2518 "Update the generated policy : %s\n",
2519 spidx2str(&spidx));
2520 else
2521 plog(ASL_LEVEL_NOTICE,
2522 "no policy found, "
2523 "try to generate the policy : %s\n",
2524 spidx2str(&spidx));
2525 iph2->spidx_gen = (struct policyindex *)racoon_malloc(sizeof(spidx));
2526 if (!iph2->spidx_gen) {
2527 plog(ASL_LEVEL_ERR,
2528 "buffer allocation failed.\n");
2529 return ISAKMP_INTERNAL_ERROR;
2530 }
2531 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2532 generated_policy_exit_early = 1; /* special value */
2533 } else {
2534 plog(ASL_LEVEL_ERR,
2535 "no policy found: %s\n", spidx2str(&spidx));
2536 return ISAKMP_INTERNAL_ERROR;
2537 }
2538 }
2539
2540 /* get outbound policy */
2541 {
2542 struct sockaddr_storage addr;
2543 u_int8_t pref;
2544
2545 spidx.dir = IPSEC_DIR_OUTBOUND;
2546 addr = spidx.src;
2547 spidx.src = spidx.dst;
2548 spidx.dst = addr;
2549 pref = spidx.prefs;
2550 spidx.prefs = spidx.prefd;
2551 spidx.prefd = pref;
2552
2553 sp_out = getsp_r(&spidx, iph2);
2554 if (!sp_out) {
2555 plog(ASL_LEVEL_WARNING,
2556 "no outbound policy found: %s\n",
2557 spidx2str(&spidx));
2558 } else {
2559
2560 if (!iph2->spid) {
2561 iph2->spid = sp_out->id;
2562 }
2563 }
2564 }
2565
2566 plog(ASL_LEVEL_DEBUG,
2567 "suitable SP found:%s\n", spidx2str(&spidx));
2568
2569 if (generated_policy_exit_early) {
2570 return -2;
2571 }
2572
2573 /*
2574 * In the responder side, the inbound policy should be using IPsec.
2575 * outbound policy is not checked currently.
2576 */
2577 if (sp_in->policy != IPSEC_POLICY_IPSEC) {
2578 plog(ASL_LEVEL_ERR,
2579 "policy found, but no IPsec required: %s\n",
2580 spidx2str(&spidx));
2581 return ISAKMP_INTERNAL_ERROR;
2582 }
2583
2584 /* set new proposal derived from a policy into the iph2->proposal. */
2585 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
2586 plog(ASL_LEVEL_ERR,
2587 "failed to create saprop.\n");
2588 return ISAKMP_INTERNAL_ERROR;
2589 }
2590
2591 return 0;
2592 }
mirror of ipsec