]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-34.0.2.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp.c
1 /* $Id: isakmp.c,v 1.34.2.21 2006/02/02 10:31:01 vanhu Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31 #ifdef __APPLE__
32 #define __APPLE_API_PRIVATE
33 #endif
34
35 #include "config.h"
36
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/socket.h>
40 #include <sys/queue.h>
41
42 #include <netinet/in.h>
43 #include <arpa/inet.h>
44
45 #ifndef HAVE_NETINET6_IPSEC
46 #include <netinet/ipsec.h>
47 #else
48 #include <netinet6/ipsec.h>
49 #endif
50
51 #include <stdlib.h>
52 #include <stdio.h>
53 #include <string.h>
54 #include <errno.h>
55 #if TIME_WITH_SYS_TIME
56 # include <sys/time.h>
57 # include <time.h>
58 #else
59 # if HAVE_SYS_TIME_H
60 # include <sys/time.h>
61 # else
62 # include <time.h>
63 # endif
64 #endif
65 #include <netdb.h>
66 #ifdef HAVE_UNISTD_H
67 #include <unistd.h>
68 #endif
69 #include <ctype.h>
70 #include <fcntl.h>
71
72 #include "var.h"
73 #include "misc.h"
74 #include "vmbuf.h"
75 #include "plog.h"
76 #include "sockmisc.h"
77 #include "schedule.h"
78 #include "debug.h"
79
80 #include "remoteconf.h"
81 #include "localconf.h"
82 #include "grabmyaddr.h"
83 #include "admin.h"
84 #include "privsep.h"
85 #include "isakmp_var.h"
86 #include "isakmp.h"
87 #include "oakley.h"
88 #include "evt.h"
89 #include "handler.h"
90 #include "proposal.h"
91 #include "ipsec_doi.h"
92 #include "pfkey.h"
93 #include "crypto_openssl.h"
94 #include "policy.h"
95 #include "isakmp_ident.h"
96 #include "isakmp_agg.h"
97 #include "isakmp_base.h"
98 #include "isakmp_quick.h"
99 #include "isakmp_inf.h"
100 #include "isakmp_newg.h"
101 #include "vpn_control.h"
102 #include "vpn_control_var.h"
103 #ifdef ENABLE_HYBRID
104 #include "isakmp_xauth.h"
105 #include "isakmp_cfg.h"
106 #endif
107 #ifdef ENABLE_FRAG
108 #include "isakmp_frag.h"
109 #endif
110 #include "strnames.h"
111
112 #ifdef ENABLE_NATT
113 # include "nattraversal.h"
114 # ifdef __linux__
115 # include <linux/udp.h>
116 #include <fcntl.h>
117
118 # ifndef SOL_UDP
119 # define SOL_UDP 17
120 # endif
121 # endif /* __linux__ */
122 # if defined(__NetBSD__) || defined(__FreeBSD__)
123 # include <netinet/in.h>
124 # include <netinet/udp.h>
125 # define SOL_UDP IPPROTO_UDP
126 # endif /* __NetBSD__ / __FreeBSD__ */
127 #endif
128
129 static int nostate1 __P((struct ph1handle *, vchar_t *));
130 static int nostate2 __P((struct ph2handle *, vchar_t *));
131
132 extern caddr_t val2str(const char *, size_t);
133
134 static int (*ph1exchange[][2][PHASE1ST_MAX])
135 __P((struct ph1handle *, vchar_t *)) = {
136 /* error */
137 { {}, {}, },
138 /* Identity Protection exchange */
139 {
140 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
141 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
142 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
143 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
144 },
145 /* Aggressive exchange */
146 {
147 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
148 nostate1, nostate1, nostate1, nostate1, nostate1, },
149 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
150 nostate1, nostate1, nostate1, nostate1, nostate1, },
151 },
152 /* Base exchange */
153 {
154 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
155 base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
156 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
157 nostate1, nostate1, nostate1, nostate1, nostate1, },
158 },
159 };
160
161 static int (*ph2exchange[][2][PHASE2ST_MAX])
162 __P((struct ph2handle *, vchar_t *)) = {
163 /* error */
164 { {}, {}, },
165 /* Quick mode for IKE*/
166 {
167 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
168 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
169 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
170 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
171 },
172 };
173
174 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
175
176 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
177 static int ph1_main __P((struct ph1handle *, vchar_t *));
178 static int quick_main __P((struct ph2handle *, vchar_t *));
179 static int isakmp_ph1begin_r __P((vchar_t *,
180 struct sockaddr *, struct sockaddr *, u_int8_t));
181 static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
182 static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
183 static int etypesw1 __P((int));
184 static int etypesw2 __P((int));
185 #ifdef ENABLE_FRAG
186 static int frag_handler(struct ph1handle *,
187 vchar_t *, struct sockaddr *, struct sockaddr *);
188 #endif
189
190 /*
191 * isakmp packet handler
192 */
193 int
194 isakmp_handler(so_isakmp)
195 int so_isakmp;
196 {
197 struct isakmp isakmp;
198 union {
199 char buf[sizeof (isakmp) + 4];
200 u_int32_t non_esp[2];
201 } x;
202 struct sockaddr_storage remote;
203 struct sockaddr_storage local;
204 unsigned int remote_len = sizeof(remote);
205 unsigned int local_len = sizeof(local);
206 int len = 0, extralen = 0;
207 u_short port;
208 vchar_t *buf = NULL, *tmpbuf = NULL;
209 int error = -1;
210
211 /* read message by MSG_PEEK */
212 while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
213 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
214 (struct sockaddr *)&local, &local_len)) < 0) {
215 if (errno == EINTR)
216 continue;
217 plog(LLV_ERROR, LOCATION, NULL,
218 "failed to receive isakmp packet: %s\n",
219 strerror (errno));
220 goto end;
221 }
222
223 /* keep-alive packet - ignore */
224 if (len == 1 && (x.buf[0]&0xff) == 0xff) {
225 /* Pull the keep-alive packet */
226 if ((len = recvfrom(so_isakmp, (char *)x.buf, 1,
227 0, (struct sockaddr *)&remote, &remote_len)) != 1) {
228 plog(LLV_ERROR, LOCATION, NULL,
229 "failed to receive keep alive packet: %s\n",
230 strerror (errno));
231 }
232 goto end;
233 }
234
235 #ifdef ENABLE_NATT
236 /* we don't know about portchange yet,
237 look for non-esp marker instead */
238 if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
239 extralen = NON_ESP_MARKER_LEN;
240 #endif
241
242 /* now we know if there is an extra non-esp
243 marker at the beginning or not */
244 memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
245
246 /* check isakmp header length, as well as sanity of header length */
247 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
248 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
249 "packet shorter than isakmp header size (%u, %u, %zu)\n",
250 len, ntohl(isakmp.len), sizeof(isakmp));
251 /* dummy receive */
252 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
253 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
254 plog(LLV_ERROR, LOCATION, NULL,
255 "failed to receive isakmp packet: %s\n",
256 strerror (errno));
257 }
258 goto end;
259 }
260
261 /* reject it if the size is tooooo big. */
262 if (ntohl(isakmp.len) > 0xffff) {
263 plog(LLV_ERROR, LOCATION, NULL,
264 "the length in the isakmp header is too big.\n");
265 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
266 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
267 plog(LLV_ERROR, LOCATION, NULL,
268 "failed to receive isakmp packet: %s\n",
269 strerror (errno));
270 }
271 goto end;
272 }
273
274 /* read real message */
275 if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) {
276 plog(LLV_ERROR, LOCATION, NULL,
277 "failed to allocate reading buffer (%u Bytes)\n",
278 ntohl(isakmp.len) + extralen);
279 /* dummy receive */
280 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
281 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
282 plog(LLV_ERROR, LOCATION, NULL,
283 "failed to receive isakmp packet: %s\n",
284 strerror (errno));
285 #ifdef __APPLE__
286 error = -2; /* serious problem with socket */
287 #endif
288 }
289 goto end;
290 }
291
292 while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
293 0, (struct sockaddr *)&remote, &remote_len,
294 (struct sockaddr *)&local, &local_len)) < 0) {
295 if (errno == EINTR)
296 continue;
297 plog(LLV_ERROR, LOCATION, NULL,
298 "failed to receive isakmp packet: %s\n",
299 strerror (errno));
300 goto end;
301 }
302
303 if ((buf = vmalloc(len - extralen)) == NULL) {
304 plog(LLV_ERROR, LOCATION, NULL,
305 "failed to allocate reading buffer (%u Bytes)\n",
306 (len - extralen));
307 goto end;
308 }
309
310 memcpy (buf->v, tmpbuf->v + extralen, buf->l);
311
312 vfree (tmpbuf);
313
314 len -= extralen;
315
316 if (len != buf->l) {
317 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
318 "received invalid length (%d != %zu), why ?\n",
319 len, buf->l);
320 goto end;
321 }
322
323 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
324 plog(LLV_DEBUG, LOCATION, NULL,
325 "%d bytes message received %s\n",
326 len, saddr2str_fromto("from %s to %s",
327 (struct sockaddr *)&remote,
328 (struct sockaddr *)&local));
329 plogdump(LLV_DEBUG, buf->v, buf->l);
330
331 /* avoid packets with malicious port/address */
332 switch (remote.ss_family) {
333 case AF_INET:
334 port = ((struct sockaddr_in *)&remote)->sin_port;
335 break;
336 #ifdef INET6
337 case AF_INET6:
338 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
339 break;
340 #endif
341 default:
342 plog(LLV_ERROR, LOCATION, NULL,
343 "invalid family: %d\n", remote.ss_family);
344 goto end;
345 }
346 if (port == 0) {
347 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
348 "src port == 0 (valid as UDP but not with IKE)\n");
349 goto end;
350 }
351
352 /* XXX: check sender whether to be allowed or not to accept */
353
354 /* XXX: I don't know how to check isakmp half connection attack. */
355
356 /* simply reply if the packet was processed. */
357 if (check_recvdpkt((struct sockaddr *)&remote,
358 (struct sockaddr *)&local, buf)) {
359 plog(LLV_NOTIFY, LOCATION, NULL,
360 "the packet is retransmitted by %s.\n",
361 saddr2str((struct sockaddr *)&remote));
362 error = 0;
363 goto end;
364 }
365
366 /* isakmp main routine */
367 if (isakmp_main(buf, (struct sockaddr *)&remote,
368 (struct sockaddr *)&local) != 0) goto end;
369
370 error = 0;
371
372 end:
373 if (buf != NULL)
374 vfree(buf);
375
376 return(error);
377 }
378
379 /*
380 * main processing to handle isakmp payload
381 */
382 static int
383 isakmp_main(msg, remote, local)
384 vchar_t *msg;
385 struct sockaddr *remote, *local;
386 {
387 struct isakmp *isakmp = (struct isakmp *)msg->v;
388 isakmp_index *index = (isakmp_index *)isakmp;
389 u_int32_t msgid = isakmp->msgid;
390 struct ph1handle *iph1;
391
392 #ifdef HAVE_PRINT_ISAKMP_C
393 isakmp_printpacket(msg, remote, local, 0);
394 #endif
395
396 /* the initiator's cookie must not be zero */
397 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
398 plog(LLV_ERROR, LOCATION, remote,
399 "malformed cookie received.\n");
400 return -1;
401 }
402
403 /* Check the Major and Minor Version fields. */
404 /*
405 * XXX Is is right to check version here ?
406 * I think it may no be here because the version depends
407 * on exchange status.
408 */
409 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
410 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
411 plog(LLV_ERROR, LOCATION, remote,
412 "invalid major version %d.\n",
413 ISAKMP_GETMAJORV(isakmp->v));
414 return -1;
415 }
416 #if ISAKMP_MINOR_VERSION > 0
417 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
418 plog(LLV_ERROR, LOCATION, remote,
419 "invalid minor version %d.\n",
420 ISAKMP_GETMINORV(isakmp->v));
421 return -1;
422 }
423 #endif
424 }
425
426 /* check the Flags field. */
427 /* XXX How is the exclusive check, E and A ? */
428 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
429 plog(LLV_ERROR, LOCATION, remote,
430 "invalid flag 0x%02x.\n", isakmp->flags);
431 return -1;
432 }
433
434 /* ignore commit bit. */
435 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
436 if (isakmp->msgid == 0) {
437 isakmp_info_send_nx(isakmp, remote, local,
438 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
439 plog(LLV_ERROR, LOCATION, remote,
440 "Commit bit on phase1 forbidden.\n");
441 return -1;
442 }
443 }
444
445 iph1 = getph1byindex(index);
446 if (iph1 != NULL) {
447 /* validity check */
448 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
449 iph1->side == INITIATOR) {
450 plog(LLV_DEBUG, LOCATION, remote,
451 "malformed cookie received or "
452 "the initiator's cookies collide.\n");
453 return -1;
454 }
455
456 #ifdef ENABLE_NATT
457 /* Floating ports for NAT-T */
458 if (NATT_AVAILABLE(iph1) &&
459 ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
460 ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
461 (cmpsaddrstrict(iph1->local, local) != 0)))
462 {
463 /* prevent memory leak */
464 racoon_free(iph1->remote);
465 racoon_free(iph1->local);
466
467 /* copy-in new addresses */
468 iph1->remote = dupsaddr(remote);
469 iph1->local = dupsaddr(local);
470
471 /* set the flag to prevent further port floating
472 (FIXME: should we allow it? E.g. when the NAT gw
473 is rebooted?) */
474 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
475
476 /* print some neat info */
477 plog (LLV_INFO, LOCATION, NULL,
478 "NAT-T: ports changed to: %s\n",
479 saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
480 #ifndef __APPLE__
481 natt_keepalive_add_ph1 (iph1);
482 #endif
483 }
484 #endif
485
486 /* must be same addresses in one stream of a phase at least. */
487 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
488 char *saddr_db, *saddr_act;
489
490 saddr_db = strdup(saddr2str(iph1->remote));
491 saddr_act = strdup(saddr2str(remote));
492
493 plog(LLV_WARNING, LOCATION, remote,
494 "remote address mismatched. db=%s, act=%s\n",
495 saddr_db, saddr_act);
496
497 racoon_free(saddr_db);
498 racoon_free(saddr_act);
499 }
500
501 /*
502 * don't check of exchange type here because other type will be
503 * with same index, for example, informational exchange.
504 */
505
506 /* XXX more acceptable check */
507 }
508
509 switch (isakmp->etype) {
510 case ISAKMP_ETYPE_IDENT:
511 case ISAKMP_ETYPE_AGG:
512 case ISAKMP_ETYPE_BASE:
513 /* phase 1 validity check */
514 if (isakmp->msgid != 0) {
515 plog(LLV_ERROR, LOCATION, remote,
516 "message id should be zero in phase1.\n");
517 return -1;
518 }
519
520 /* search for isakmp status record of phase 1 */
521 if (iph1 == NULL) {
522 /*
523 * the packet must be the 1st message from a initiator
524 * or the 2nd message from the responder.
525 */
526
527 /* search for phase1 handle by index without r_ck */
528 iph1 = getph1byindex0(index);
529 if (iph1 == NULL) {
530 /*it must be the 1st message from a initiator.*/
531 if (memcmp(&isakmp->r_ck, r_ck0,
532 sizeof(cookie_t)) != 0) {
533
534 plog(LLV_DEBUG, LOCATION, remote,
535 "malformed cookie received "
536 "or the spi expired.\n");
537 return -1;
538 }
539
540 /* it must be responder's 1st exchange. */
541 if (isakmp_ph1begin_r(msg, remote, local,
542 isakmp->etype) < 0)
543 return -1;
544 break;
545
546 /*NOTREACHED*/
547 }
548
549 /* it must be the 2nd message from the responder. */
550 if (iph1->side != INITIATOR) {
551 plog(LLV_DEBUG, LOCATION, remote,
552 "malformed cookie received. "
553 "it has to be as the initiator. %s\n",
554 isakmp_pindex(&iph1->index, 0));
555 return -1;
556 }
557 }
558
559 /*
560 * Don't delete phase 1 handler when the exchange type
561 * in handler is not equal to packet's one because of no
562 * authencication completed.
563 */
564 if (iph1->etype != isakmp->etype) {
565 plog(LLV_ERROR, LOCATION, iph1->remote,
566 "exchange type is mismatched: "
567 "db=%s packet=%s, ignore it.\n",
568 s_isakmp_etype(iph1->etype),
569 s_isakmp_etype(isakmp->etype));
570 return -1;
571 }
572
573 #ifdef ENABLE_FRAG
574 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
575 return frag_handler(iph1, msg, remote, local);
576 #endif
577
578 /* call main process of phase 1 */
579 if (ph1_main(iph1, msg) < 0) {
580 plog(LLV_ERROR, LOCATION, iph1->remote,
581 "phase1 negotiation failed.\n");
582 remph1(iph1);
583 delph1(iph1);
584 return -1;
585 }
586 break;
587
588 case ISAKMP_ETYPE_AUTH:
589 plog(LLV_INFO, LOCATION, remote,
590 "unsupported exchange %d received.\n",
591 isakmp->etype);
592 break;
593
594 case ISAKMP_ETYPE_INFO:
595 case ISAKMP_ETYPE_ACKINFO:
596 /*
597 * iph1 must be present for Information message.
598 * if iph1 is null then trying to get the phase1 status
599 * as the packet from responder againt initiator's 1st
600 * exchange in phase 1.
601 * NOTE: We think such informational exchange should be ignored.
602 */
603 if (iph1 == NULL) {
604 iph1 = getph1byindex0(index);
605 if (iph1 == NULL) {
606 plog(LLV_ERROR, LOCATION, remote,
607 "unknown Informational "
608 "exchange received.\n");
609 return -1;
610 }
611 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
612 plog(LLV_WARNING, LOCATION, remote,
613 "remote address mismatched. "
614 "db=%s\n",
615 saddr2str(iph1->remote));
616 }
617 }
618
619 #ifdef ENABLE_FRAG
620 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
621 return frag_handler(iph1, msg, remote, local);
622 #endif
623
624 if (isakmp_info_recv(iph1, msg) < 0)
625 return -1;
626 break;
627
628 case ISAKMP_ETYPE_QUICK:
629 {
630 struct ph2handle *iph2;
631
632 if (iph1 == NULL) {
633 isakmp_info_send_nx(isakmp, remote, local,
634 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
635 plog(LLV_ERROR, LOCATION, remote,
636 "can't start the quick mode, "
637 "there is no ISAKMP-SA, %s\n",
638 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
639 isakmp->msgid));
640 return -1;
641 }
642
643 #ifdef ENABLE_FRAG
644 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
645 return frag_handler(iph1, msg, remote, local);
646 #endif
647
648 /* check status of phase 1 whether negotiated or not. */
649 if (iph1->status != PHASE1ST_ESTABLISHED) {
650 plog(LLV_ERROR, LOCATION, remote,
651 "can't start the quick mode, "
652 "there is no valid ISAKMP-SA, %s\n",
653 isakmp_pindex(&iph1->index, iph1->msgid));
654 return -1;
655 }
656
657 /* search isakmp phase 2 stauts record. */
658 iph2 = getph2bymsgid(iph1, msgid);
659 if (iph2 == NULL) {
660 /* it must be new negotiation as responder */
661 if (isakmp_ph2begin_r(iph1, msg) < 0)
662 return -1;
663 return 0;
664 /*NOTREACHED*/
665 }
666
667 /* commit bit. */
668 /* XXX
669 * we keep to set commit bit during negotiation.
670 * When SA is configured, bit will be reset.
671 * XXX
672 * don't initiate commit bit. should be fixed in the future.
673 */
674 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
675 iph2->flags |= ISAKMP_FLAG_C;
676
677 /* call main process of quick mode */
678 if (quick_main(iph2, msg) < 0) {
679 plog(LLV_ERROR, LOCATION, iph1->remote,
680 "phase2 negotiation failed.\n");
681 unbindph12(iph2);
682 remph2(iph2);
683 delph2(iph2);
684 return -1;
685 }
686 }
687 break;
688
689 case ISAKMP_ETYPE_NEWGRP:
690 if (iph1 == NULL) {
691 plog(LLV_ERROR, LOCATION, remote,
692 "Unknown new group mode exchange, "
693 "there is no ISAKMP-SA.\n");
694 return -1;
695 }
696
697 #ifdef ENABLE_FRAG
698 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
699 return frag_handler(iph1, msg, remote, local);
700 #endif
701
702 isakmp_newgroup_r(iph1, msg);
703 break;
704
705 #ifdef ENABLE_HYBRID
706 case ISAKMP_ETYPE_CFG:
707 if (iph1 == NULL) {
708 plog(LLV_ERROR, LOCATION, NULL,
709 "mode config %d from %s, "
710 "but we have no ISAKMP-SA.\n",
711 isakmp->etype, saddr2str(remote));
712 return -1;
713 }
714
715 #ifdef ENABLE_FRAG
716 if (isakmp->np == ISAKMP_NPTYPE_FRAG)
717 return frag_handler(iph1, msg, remote, local);
718 #endif
719
720 isakmp_cfg_r(iph1, msg);
721 break;
722 #endif
723
724 case ISAKMP_ETYPE_NONE:
725 default:
726 plog(LLV_ERROR, LOCATION, NULL,
727 "Invalid exchange type %d from %s.\n",
728 isakmp->etype, saddr2str(remote));
729 return -1;
730 }
731
732 return 0;
733 }
734
735 /*
736 * main function of phase 1.
737 */
738 static int
739 ph1_main(iph1, msg)
740 struct ph1handle *iph1;
741 vchar_t *msg;
742 {
743 int error;
744 #ifdef ENABLE_STATS
745 struct timeval start, end;
746 #endif
747
748 /* ignore a packet */
749 if (iph1->status == PHASE1ST_ESTABLISHED)
750 return 0;
751
752 #ifdef ENABLE_STATS
753 gettimeofday(&start, NULL);
754 #endif
755 /* receive */
756 if (ph1exchange[etypesw1(iph1->etype)]
757 [iph1->side]
758 [iph1->status] == NULL) {
759 plog(LLV_ERROR, LOCATION, iph1->remote,
760 "why isn't the function defined.\n");
761 return -1;
762 }
763 error = (ph1exchange[etypesw1(iph1->etype)]
764 [iph1->side]
765 [iph1->status])(iph1, msg);
766 if (error != 0) {
767 #if 0
768 /* XXX
769 * When an invalid packet is received on phase1, it should
770 * be selected to process this packet. That is to respond
771 * with a notify and delete phase 1 handler, OR not to respond
772 * and keep phase 1 handler.
773 */
774 plog(LLV_ERROR, LOCATION, iph1->remote,
775 "failed to pre-process packet.\n");
776 return -1;
777 #else
778 /* ignore the error and keep phase 1 handler */
779 return 0;
780 #endif
781 }
782
783 /* free resend buffer */
784 if (iph1->sendbuf == NULL) {
785 plog(LLV_ERROR, LOCATION, NULL,
786 "no buffer found as sendbuf\n");
787 return -1;
788 }
789 VPTRINIT(iph1->sendbuf);
790
791 /* turn off schedule */
792 if (iph1->scr)
793 SCHED_KILL(iph1->scr);
794
795 /* send */
796 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
797 if ((ph1exchange[etypesw1(iph1->etype)]
798 [iph1->side]
799 [iph1->status])(iph1, msg) != 0) {
800 plog(LLV_ERROR, LOCATION, iph1->remote,
801 "failed to process packet.\n");
802 return -1;
803 }
804
805 #ifdef ENABLE_STATS
806 gettimeofday(&end, NULL);
807 syslog(LOG_NOTICE, "%s(%s): %8.6f",
808 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
809 timedelta(&start, &end));
810 #endif
811 if (iph1->status == PHASE1ST_ESTABLISHED) {
812
813 #ifdef ENABLE_STATS
814 gettimeofday(&iph1->end, NULL);
815 syslog(LOG_NOTICE, "%s(%s): %8.6f",
816 "phase1", s_isakmp_etype(iph1->etype),
817 timedelta(&iph1->start, &iph1->end));
818 #endif
819
820 #ifdef ENABLE_VPNCONTROL_PORT
821
822 if (iph1->side == RESPONDER &&
823 iph1->local->sa_family == AF_INET) {
824
825 struct redirect *addr;
826
827 LIST_FOREACH(addr, &lcconf->redirect_addresses, chain) {
828 if (((struct sockaddr_in *)iph1->local)->sin_addr.s_addr == addr->cluster_address) {
829 vchar_t *raddr = vmalloc(sizeof(u_int32_t));
830
831 if (raddr == NULL) {
832 plog(LLV_ERROR, LOCATION, iph1->remote,
833 "failed to send redirect message - memory error.\n");
834 } else {
835 memcpy(raddr->v, &addr->redirect_address, sizeof(u_int32_t));
836 (void)isakmp_info_send_n1(iph1, ISAKMP_NTYPE_LOAD_BALANCE, raddr);
837 plog(LLV_DEBUG, LOCATION, iph1->remote, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address));
838 vfree(raddr);
839 if (addr->force)
840 isakmp_ph1delete(iph1);
841 }
842 }
843 return 0;
844 }
845 }
846 #endif
847 /* save created date. */
848 (void)time(&iph1->created);
849
850 /* add to the schedule to expire, and save back pointer. */
851 iph1->sce = sched_new(iph1->approval->lifetime,
852 isakmp_ph1expire_stub, iph1);
853 #ifdef ENABLE_HYBRID
854 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
855 switch(iph1->approval->authmethod) {
856 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
857 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
858 xauth_sendreq(iph1);
859 /* XXX Don't process INITIAL_CONTACT */
860 iph1->rmconf->ini_contact = 0;
861 break;
862 default:
863 break;
864 }
865 }
866 #endif
867 #ifdef ENABLE_DPD
868 /* Schedule the r_u_there.... */
869 if(iph1->dpd_support && iph1->rmconf->dpd_interval)
870 isakmp_sched_r_u(iph1, 0);
871 #endif
872
873 /* INITIAL-CONTACT processing */
874 /* don't send anything if local test mode. */
875 if (!f_local
876 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
877 /* send INITIAL-CONTACT */
878 isakmp_info_send_n1(iph1,
879 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
880 /* insert a node into contacted list. */
881 if (inscontacted(iph1->remote) == -1) {
882 plog(LLV_ERROR, LOCATION, iph1->remote,
883 "failed to add contacted list.\n");
884 /* ignore */
885 }
886 }
887
888 log_ph1established(iph1);
889 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
890
891 #ifdef ENABLE_VPNCONTROL_PORT
892 vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL);
893 #endif
894
895
896 /*
897 * SA up shell script hook: do it now,except if
898 * ISAKMP mode config was requested. In the later
899 * case it is done when we receive the configuration.
900 */
901 if ((iph1->status == PHASE1ST_ESTABLISHED) &&
902 !iph1->rmconf->mode_cfg)
903 script_hook(iph1, SCRIPT_PHASE1_UP);
904 }
905
906 return 0;
907 }
908
909 /*
910 * main function of quick mode.
911 */
912 static int
913 quick_main(iph2, msg)
914 struct ph2handle *iph2;
915 vchar_t *msg;
916 {
917 struct isakmp *isakmp = (struct isakmp *)msg->v;
918 int error;
919 #ifdef ENABLE_STATS
920 struct timeval start, end;
921 #endif
922
923 /* ignore a packet */
924 if (iph2->status == PHASE2ST_ESTABLISHED
925 || iph2->status == PHASE2ST_GETSPISENT)
926 return 0;
927
928 #ifdef ENABLE_STATS
929 gettimeofday(&start, NULL);
930 #endif
931
932 /* receive */
933 if (ph2exchange[etypesw2(isakmp->etype)]
934 [iph2->side]
935 [iph2->status] == NULL) {
936 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
937 "why isn't the function defined.\n");
938 return -1;
939 }
940 error = (ph2exchange[etypesw2(isakmp->etype)]
941 [iph2->side]
942 [iph2->status])(iph2, msg);
943 if (error != 0) {
944 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
945 "failed to pre-process packet.\n");
946 if (error == ISAKMP_INTERNAL_ERROR)
947 return 0;
948 isakmp_info_send_n1(iph2->ph1, error, NULL);
949 return -1;
950 }
951
952 /* when using commit bit, status will be reached here. */
953 //if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - wrong place
954 // return 0;
955
956 /* free resend buffer */
957 if (iph2->sendbuf == NULL) {
958 plog(LLV_ERROR, LOCATION, NULL,
959 "no buffer found as sendbuf\n");
960 return -1;
961 }
962 VPTRINIT(iph2->sendbuf);
963
964 /* turn off schedule */
965 if (iph2->scr)
966 SCHED_KILL(iph2->scr);
967
968 /* when using commit bit, status will be reached here. */
969 if (iph2->status == PHASE2ST_ADDSA) //%%% BUG FIX - moved to here
970 return 0;
971
972 /* send */
973 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
974 if ((ph2exchange[etypesw2(isakmp->etype)]
975 [iph2->side]
976 [iph2->status])(iph2, msg) != 0) {
977 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
978 "failed to process packet.\n");
979 return -1;
980 }
981
982 #ifdef ENABLE_STATS
983 gettimeofday(&end, NULL);
984 syslog(LOG_NOTICE, "%s(%s): %8.6f",
985 "phase2",
986 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
987 timedelta(&start, &end));
988 #endif
989
990 return 0;
991 }
992
993 /* new negotiation of phase 1 for initiator */
994 int
995 isakmp_ph1begin_i(rmconf, remote, local)
996 struct remoteconf *rmconf;
997 struct sockaddr *remote, *local;
998 {
999 struct ph1handle *iph1;
1000 #ifdef ENABLE_STATS
1001 struct timeval start, end;
1002 #endif
1003
1004 /* get new entry to isakmp status table. */
1005 iph1 = newph1();
1006 if (iph1 == NULL)
1007 return -1;
1008
1009 iph1->status = PHASE1ST_START;
1010 iph1->rmconf = rmconf;
1011 iph1->side = INITIATOR;
1012 iph1->version = ISAKMP_VERSION_NUMBER;
1013 iph1->msgid = 0;
1014 iph1->flags = 0;
1015 iph1->ph2cnt = 0;
1016 #ifdef HAVE_GSSAPI
1017 iph1->gssapi_state = NULL;
1018 #endif
1019 #ifdef ENABLE_HYBRID
1020 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
1021 return -1;
1022 #endif
1023 #ifdef ENABLE_FRAG
1024 iph1->frag = 0;
1025 iph1->frag_chain = NULL;
1026 #endif
1027 iph1->approval = NULL;
1028
1029 /* XXX copy remote address */
1030 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
1031 return -1;
1032
1033 (void)insph1(iph1);
1034
1035 /* start phase 1 exchange */
1036 iph1->etype = rmconf->etypes->type;
1037
1038 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1039 {
1040 char *a;
1041
1042 a = strdup(saddr2str(iph1->local));
1043 plog(LLV_INFO, LOCATION, NULL,
1044 "initiate new phase 1 negotiation: %s<=>%s\n",
1045 a, saddr2str(iph1->remote));
1046 racoon_free(a);
1047 }
1048 plog(LLV_INFO, LOCATION, NULL,
1049 "begin %s mode.\n",
1050 s_isakmp_etype(iph1->etype));
1051
1052 #ifdef ENABLE_STATS
1053 gettimeofday(&iph1->start, NULL);
1054 gettimeofday(&start, NULL);
1055 #endif
1056 /* start exchange */
1057 if ((ph1exchange[etypesw1(iph1->etype)]
1058 [iph1->side]
1059 [iph1->status])(iph1, NULL) != 0) {
1060 /* failed to start phase 1 negotiation */
1061 remph1(iph1);
1062 delph1(iph1);
1063
1064 return -1;
1065 }
1066
1067 #ifdef ENABLE_STATS
1068 gettimeofday(&end, NULL);
1069 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1070 "phase1",
1071 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1072 timedelta(&start, &end));
1073 #endif
1074
1075 #ifdef ENABLE_VPNCONTROL_PORT
1076 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1077 #endif
1078
1079
1080 return 0;
1081 }
1082
1083 /* new negotiation of phase 1 for responder */
1084 static int
1085 isakmp_ph1begin_r(msg, remote, local, etype)
1086 vchar_t *msg;
1087 struct sockaddr *remote, *local;
1088 u_int8_t etype;
1089 {
1090 struct isakmp *isakmp = (struct isakmp *)msg->v;
1091 struct remoteconf *rmconf;
1092 struct ph1handle *iph1;
1093 struct etypes *etypeok;
1094 #ifdef ENABLE_STATS
1095 struct timeval start, end;
1096 #endif
1097
1098 /* look for my configuration */
1099 rmconf = getrmconf(remote);
1100 if (rmconf == NULL) {
1101 plog(LLV_ERROR, LOCATION, remote,
1102 "couldn't find "
1103 "configuration.\n");
1104 return -1;
1105 }
1106
1107 /* check to be acceptable exchange type */
1108 etypeok = check_etypeok(rmconf, etype);
1109 if (etypeok == NULL) {
1110 plog(LLV_ERROR, LOCATION, remote,
1111 "not acceptable %s mode\n", s_isakmp_etype(etype));
1112 return -1;
1113 }
1114
1115 /* get new entry to isakmp status table. */
1116 iph1 = newph1();
1117 if (iph1 == NULL)
1118 return -1;
1119
1120 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1121 iph1->status = PHASE1ST_START;
1122 iph1->rmconf = rmconf;
1123 iph1->flags = 0;
1124 iph1->side = RESPONDER;
1125 iph1->etype = etypeok->type;
1126 iph1->version = isakmp->v;
1127 iph1->msgid = 0;
1128 #ifdef HAVE_GSSAPI
1129 iph1->gssapi_state = NULL;
1130 #endif
1131 #ifdef ENABLE_HYBRID
1132 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
1133 return -1;
1134 #endif
1135 #ifdef ENABLE_FRAG
1136 iph1->frag = 0;
1137 iph1->frag_chain = NULL;
1138 #endif
1139 iph1->approval = NULL;
1140
1141 #ifdef ENABLE_NATT
1142 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
1143 * We have to setup this flag now to correctly generate the first reply.
1144 * Don't know if a better check could be done for that ?
1145 */
1146 if(extract_port(local) == lcconf->port_isakmp_natt)
1147 iph1->natt_flags |= (NAT_PORTS_CHANGED);
1148 #endif
1149
1150 /* copy remote address */
1151 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
1152 return -1;
1153
1154 (void)insph1(iph1);
1155
1156 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1157 {
1158 char *a;
1159
1160 a = strdup(saddr2str(iph1->local));
1161 plog(LLV_INFO, LOCATION, NULL,
1162 "respond new phase 1 negotiation: %s<=>%s\n",
1163 a, saddr2str(iph1->remote));
1164 racoon_free(a);
1165 }
1166 plog(LLV_INFO, LOCATION, NULL,
1167 "begin %s mode.\n", s_isakmp_etype(etype));
1168
1169 #ifdef ENABLE_STATS
1170 gettimeofday(&iph1->start, NULL);
1171 gettimeofday(&start, NULL);
1172 #endif
1173 /* start exchange */
1174 if ((ph1exchange[etypesw1(iph1->etype)]
1175 [iph1->side]
1176 [iph1->status])(iph1, msg) < 0
1177 || (ph1exchange[etypesw1(iph1->etype)]
1178 [iph1->side]
1179 [iph1->status])(iph1, msg) < 0) {
1180 plog(LLV_ERROR, LOCATION, remote,
1181 "failed to process packet.\n");
1182 remph1(iph1);
1183 delph1(iph1);
1184 return -1;
1185 }
1186 #ifdef ENABLE_STATS
1187 gettimeofday(&end, NULL);
1188 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1189 "phase1",
1190 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1191 timedelta(&start, &end));
1192 #endif
1193 #ifdef ENABLE_VPNCONTROL_PORT
1194 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
1195 #endif
1196
1197 return 0;
1198 }
1199
1200 /* new negotiation of phase 2 for initiator */
1201 static int
1202 isakmp_ph2begin_i(iph1, iph2)
1203 struct ph1handle *iph1;
1204 struct ph2handle *iph2;
1205 {
1206 #ifdef ENABLE_HYBRID
1207 if (xauth_check(iph1) != 0) {
1208 plog(LLV_ERROR, LOCATION, NULL,
1209 "Attempt to start phase 2 whereas Xauth failed\n");
1210 return -1;
1211 }
1212 #endif
1213
1214 /* found ISAKMP-SA. */
1215 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1216 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1217 {
1218 char *a;
1219 a = strdup(saddr2str(iph2->src));
1220 plog(LLV_INFO, LOCATION, NULL,
1221 "initiate new phase 2 negotiation: %s<=>%s\n",
1222 a, saddr2str(iph2->dst));
1223 racoon_free(a);
1224 }
1225
1226 #ifdef ENABLE_STATS
1227 gettimeofday(&iph2->start, NULL);
1228 #endif
1229 /* found isakmp-sa */
1230 bindph12(iph1, iph2);
1231 iph2->status = PHASE2ST_STATUS2;
1232
1233 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1234 [iph2->side]
1235 [iph2->status])(iph2, NULL) < 0) {
1236 unbindph12(iph2);
1237 /* release ipsecsa handler due to internal error. */
1238 remph2(iph2);
1239 return -1;
1240 }
1241
1242 #ifdef ENABLE_VPNCONTROL_PORT
1243 vpncontrol_notify_phase_change(1, FROM_LOCAL, NULL, iph2);
1244 #endif
1245
1246 return 0;
1247 }
1248
1249 /* new negotiation of phase 2 for responder */
1250 static int
1251 isakmp_ph2begin_r(iph1, msg)
1252 struct ph1handle *iph1;
1253 vchar_t *msg;
1254 {
1255 struct isakmp *isakmp = (struct isakmp *)msg->v;
1256 struct ph2handle *iph2 = 0;
1257 int error;
1258 #ifdef ENABLE_STATS
1259 struct timeval start, end;
1260 #endif
1261 #ifdef ENABLE_HYBRID
1262 if (xauth_check(iph1) != 0) {
1263 plog(LLV_ERROR, LOCATION, NULL,
1264 "Attempt to start phase 2 whereas Xauth failed\n");
1265 return -1;
1266 }
1267 #endif
1268
1269 iph2 = newph2();
1270 if (iph2 == NULL) {
1271 plog(LLV_ERROR, LOCATION, NULL,
1272 "failed to allocate phase2 entry.\n");
1273 return -1;
1274 }
1275
1276 iph2->ph1 = iph1;
1277 iph2->side = RESPONDER;
1278 iph2->status = PHASE2ST_START;
1279 iph2->flags = isakmp->flags;
1280 iph2->msgid = isakmp->msgid;
1281 iph2->seq = pk_getseq();
1282 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1283 if (iph2->ivm == NULL) {
1284 delph2(iph2);
1285 return -1;
1286 }
1287 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1288 if (iph2->dst == NULL) {
1289 delph2(iph2);
1290 return -1;
1291 }
1292 switch (iph2->dst->sa_family) {
1293 case AF_INET:
1294 #ifndef ENABLE_NATT
1295 ((struct sockaddr_in *)iph2->dst)->sin_port = 0;
1296 #endif
1297 break;
1298 #ifdef INET6
1299 case AF_INET6:
1300 #ifndef ENABLE_NATT
1301 ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
1302 #endif
1303 break;
1304 #endif
1305 default:
1306 plog(LLV_ERROR, LOCATION, NULL,
1307 "invalid family: %d\n", iph2->dst->sa_family);
1308 delph2(iph2);
1309 return -1;
1310 }
1311
1312 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1313 if (iph2->src == NULL) {
1314 delph2(iph2);
1315 return -1;
1316 }
1317 switch (iph2->src->sa_family) {
1318 case AF_INET:
1319 #ifndef ENABLE_NATT
1320 ((struct sockaddr_in *)iph2->src)->sin_port = 0;
1321 #endif
1322 break;
1323 #ifdef INET6
1324 case AF_INET6:
1325 #ifndef ENABLE_NATT
1326 ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
1327 #endif
1328 break;
1329 #endif
1330 default:
1331 plog(LLV_ERROR, LOCATION, NULL,
1332 "invalid family: %d\n", iph2->src->sa_family);
1333 delph2(iph2);
1334 return -1;
1335 }
1336
1337 /* add new entry to isakmp status table */
1338 insph2(iph2);
1339 bindph12(iph1, iph2);
1340
1341 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1342 {
1343 char *a;
1344
1345 a = strdup(saddr2str(iph2->src));
1346 plog(LLV_INFO, LOCATION, NULL,
1347 "respond new phase 2 negotiation: %s<=>%s\n",
1348 a, saddr2str(iph2->dst));
1349 racoon_free(a);
1350 }
1351
1352 #ifdef ENABLE_STATS
1353 gettimeofday(&start, NULL);
1354 #endif
1355
1356 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1357 [iph2->side]
1358 [iph2->status])(iph2, msg);
1359 if (error != 0) {
1360 plog(LLV_ERROR, LOCATION, iph1->remote,
1361 "failed to pre-process packet.\n");
1362 if (error != ISAKMP_INTERNAL_ERROR)
1363 isakmp_info_send_n1(iph2->ph1, error, NULL);
1364 /*
1365 * release handler because it's wrong that ph2handle is kept
1366 * after failed to check message for responder's.
1367 */
1368 unbindph12(iph2);
1369 remph2(iph2);
1370 delph2(iph2);
1371 return -1;
1372 }
1373
1374 /* send */
1375 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1376 if ((ph2exchange[etypesw2(isakmp->etype)]
1377 [iph2->side]
1378 [iph2->status])(iph2, msg) < 0) {
1379 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1380 "failed to process packet.\n");
1381 /* don't release handler */
1382 return -1;
1383 }
1384 #ifdef ENABLE_STATS
1385 gettimeofday(&end, NULL);
1386 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1387 "phase2",
1388 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1389 timedelta(&start, &end));
1390 #endif
1391
1392 #ifdef ENABLE_VPNCONTROL_PORT
1393 vpncontrol_notify_phase_change(1, FROM_REMOTE, NULL, iph2);
1394 #endif
1395
1396
1397 return 0;
1398 }
1399
1400 /*
1401 * parse ISAKMP payloads, without ISAKMP base header.
1402 */
1403 vchar_t *
1404 isakmp_parsewoh(np0, gen, len)
1405 int np0;
1406 struct isakmp_gen *gen;
1407 int len;
1408 {
1409 u_char np = np0 & 0xff;
1410 int tlen, plen;
1411 vchar_t *result;
1412 struct isakmp_parse_t *p, *ep;
1413
1414 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1415
1416 /*
1417 * 5 is a magic number, but any value larger than 2 should be fine
1418 * as we do vrealloc() in the following loop.
1419 */
1420 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1421 if (result == NULL) {
1422 plog(LLV_ERROR, LOCATION, NULL,
1423 "failed to get buffer.\n");
1424 return NULL;
1425 }
1426 p = (struct isakmp_parse_t *)result->v;
1427 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1428
1429 tlen = len;
1430
1431 /* parse through general headers */
1432 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1433 if (tlen <= sizeof(struct isakmp_gen)) {
1434 /* don't send information, see isakmp_ident_r1() */
1435 plog(LLV_ERROR, LOCATION, NULL,
1436 "invalid length of payload\n");
1437 vfree(result);
1438 return NULL;
1439 }
1440
1441 plog(LLV_DEBUG, LOCATION, NULL,
1442 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1443
1444 p->type = np;
1445 p->len = ntohs(gen->len);
1446 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
1447 plog(LLV_DEBUG, LOCATION, NULL,
1448 "invalid length of payload\n");
1449 vfree(result);
1450 return NULL;
1451 }
1452 p->ptr = gen;
1453 p++;
1454 if (ep <= p) {
1455 int off;
1456
1457 off = p - (struct isakmp_parse_t *)result->v;
1458 result = vrealloc(result, result->l * 2);
1459 if (result == NULL) {
1460 plog(LLV_DEBUG, LOCATION, NULL,
1461 "failed to realloc buffer.\n");
1462 vfree(result);
1463 return NULL;
1464 }
1465 ep = (struct isakmp_parse_t *)
1466 (result->v + result->l - sizeof(*ep));
1467 p = (struct isakmp_parse_t *)result->v;
1468 p += off;
1469 }
1470
1471 np = gen->np;
1472 plen = ntohs(gen->len);
1473 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1474 tlen -= plen;
1475 }
1476 p->type = ISAKMP_NPTYPE_NONE;
1477 p->len = 0;
1478 p->ptr = NULL;
1479
1480 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1481
1482 return result;
1483 }
1484
1485 /*
1486 * parse ISAKMP payloads, including ISAKMP base header.
1487 */
1488 vchar_t *
1489 isakmp_parse(buf)
1490 vchar_t *buf;
1491 {
1492 struct isakmp *isakmp = (struct isakmp *)buf->v;
1493 struct isakmp_gen *gen;
1494 int tlen;
1495 vchar_t *result;
1496 u_char np;
1497
1498 np = isakmp->np;
1499 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1500 tlen = buf->l - sizeof(struct isakmp);
1501 result = isakmp_parsewoh(np, gen, tlen);
1502
1503 return result;
1504 }
1505
1506 /* %%% */
1507 int
1508 isakmp_init()
1509 {
1510 /* initialize a isakmp status table */
1511 initph1tree();
1512 initph2tree();
1513 initctdtree();
1514 init_recvdpkt();
1515
1516 if (isakmp_open() < 0)
1517 goto err;
1518
1519 return(0);
1520
1521 err:
1522 isakmp_close();
1523 return(-1);
1524 }
1525
1526 void
1527 isakmp_cleanup()
1528 {
1529 clear_recvdpkt();
1530 clear_contacted();
1531 }
1532
1533 /*
1534 * make strings containing i_cookie + r_cookie + msgid
1535 */
1536 const char *
1537 isakmp_pindex(index, msgid)
1538 const isakmp_index *index;
1539 const u_int32_t msgid;
1540 {
1541 static char buf[64];
1542 const u_char *p;
1543 int i, j;
1544
1545 memset(buf, 0, sizeof(buf));
1546
1547 /* copy index */
1548 p = (const u_char *)index;
1549 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1550 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1551 j += 2;
1552 switch (i) {
1553 case 7:
1554 buf[j++] = ':';
1555 }
1556 }
1557
1558 if (msgid == 0)
1559 return buf;
1560
1561 /* copy msgid */
1562 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1563
1564 return buf;
1565 }
1566
1567 /* open ISAKMP sockets. */
1568 int
1569 isakmp_open()
1570 {
1571 const int yes = 1;
1572 int ifnum = 0, encap_ifnum = 0;
1573 #ifdef INET6
1574 int pktinfo;
1575 #endif
1576 struct myaddrs *p;
1577
1578 for (p = lcconf->myaddrs; p; p = p->next) {
1579 if (!p->addr)
1580 continue;
1581
1582 #ifdef __APPLE__
1583 if (p->sock != -1) {
1584 ifnum++;
1585 if (p->udp_encap)
1586 encap_ifnum++;
1587 continue; // socket already open
1588 }
1589 #endif
1590
1591 /* warn if wildcard address - should we forbid this? */
1592 switch (p->addr->sa_family) {
1593 case AF_INET:
1594 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
1595 plog(LLV_WARNING, LOCATION, NULL,
1596 "listening to wildcard address,"
1597 "broadcast IKE packet may kill you\n");
1598 break;
1599 #ifdef INET6
1600 case AF_INET6:
1601 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
1602 plog(LLV_WARNING, LOCATION, NULL,
1603 "listening to wildcard address, "
1604 "broadcast IKE packet may kill you\n");
1605 break;
1606 #endif
1607 default:
1608 plog(LLV_ERROR, LOCATION, NULL,
1609 "unsupported address family %d\n",
1610 lcconf->default_af);
1611 goto err_and_next;
1612 }
1613
1614 #ifdef INET6
1615 if (p->addr->sa_family == AF_INET6 &&
1616 IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)
1617 p->addr)->sin6_addr))
1618 {
1619 plog(LLV_DEBUG, LOCATION, NULL,
1620 "Ignoring multicast address %s\n",
1621 saddr2str(p->addr));
1622 racoon_free(p->addr);
1623 p->addr = NULL;
1624 continue;
1625 }
1626 #endif
1627
1628 if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1629 plog(LLV_ERROR, LOCATION, NULL,
1630 "socket (%s)\n", strerror(errno));
1631 goto err_and_next;
1632 }
1633
1634 /* receive my interface address on inbound packets. */
1635 switch (p->addr->sa_family) {
1636 case AF_INET:
1637 if (setsockopt(p->sock, IPPROTO_IP,
1638 #ifdef __linux__
1639 IP_PKTINFO,
1640 #else
1641 IP_RECVDSTADDR,
1642 #endif
1643 (const void *)&yes, sizeof(yes)) < 0) {
1644 plog(LLV_ERROR, LOCATION, NULL,
1645 "setsockopt (%s)\n", strerror(errno));
1646 goto err_and_next;
1647 }
1648 break;
1649 #ifdef INET6
1650 case AF_INET6:
1651 #ifdef INET6_ADVAPI
1652 #ifdef IPV6_RECVPKTINFO
1653 pktinfo = IPV6_RECVPKTINFO;
1654 #else /* old adv. API */
1655 pktinfo = IPV6_PKTINFO;
1656 #endif /* IPV6_RECVPKTINFO */
1657 #else
1658 pktinfo = IPV6_RECVDSTADDR;
1659 #endif
1660 if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo,
1661 (const void *)&yes, sizeof(yes)) < 0)
1662 {
1663 plog(LLV_ERROR, LOCATION, NULL,
1664 "setsockopt(%d): %s\n",
1665 pktinfo, strerror(errno));
1666 if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
1667 plog(LLV_WARNING, LOCATION, NULL,
1668 "failed to put socket in non-blocking mode\n");
1669
1670 goto err_and_next;
1671 }
1672 break;
1673 #endif
1674 }
1675
1676 #ifdef IPV6_USE_MIN_MTU
1677 if (p->addr->sa_family == AF_INET6 &&
1678 setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1679 (void *)&yes, sizeof(yes)) < 0) {
1680 plog(LLV_ERROR, LOCATION, NULL,
1681 "setsockopt (%s)\n", strerror(errno));
1682 return -1;
1683 }
1684 #endif
1685
1686 if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
1687 goto err_and_next;
1688
1689 #ifdef __APPLE__
1690 if (extract_port(p->addr) == PORT_ISAKMP) {
1691 if (setsockopt(p->sock, SOL_SOCKET, SO_NOTIFYCONFLICT,
1692 (void *)&yes, sizeof(yes)) < 0) {
1693 plog(LLV_ERROR, LOCATION, p->addr,
1694 "setsockopt (%s)\n", strerror(errno));
1695 goto err_and_next;
1696 }
1697 }
1698 #endif
1699
1700 if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
1701 plog(LLV_ERROR, LOCATION, p->addr,
1702 "failed to bind to address %s (%s).\n",
1703 saddr2str(p->addr), strerror(errno));
1704 close(p->sock);
1705 p->sock = -1;
1706 goto err_and_next;
1707 }
1708
1709 ifnum++;
1710 #ifdef __APPLE__
1711 if (p->udp_encap)
1712 encap_ifnum++;
1713 #endif
1714
1715 plog(LLV_INFO, LOCATION, NULL,
1716 "%s used as isakmp port (fd=%d)\n",
1717 saddr2str(p->addr), p->sock);
1718
1719 #ifndef __APPLE__
1720 #ifdef ENABLE_NATT
1721 if (p->addr->sa_family == AF_INET) {
1722 int option = -1;
1723
1724 if(p->udp_encap)
1725 option = UDP_ENCAP_ESPINUDP;
1726 #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01)
1727 else
1728 option = UDP_ENCAP_ESPINUDP_NON_IKE;
1729 #endif
1730 if(option != -1){
1731 if (setsockopt (p->sock, SOL_UDP, UDP_ENCAP,
1732 &option, sizeof (option)) < 0) {
1733 plog(LLV_WARNING, LOCATION, NULL,
1734 "setsockopt(%s): %s\n",
1735 option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
1736 strerror(errno));
1737 goto skip_encap;
1738 }
1739 else {
1740 plog(LLV_INFO, LOCATION, NULL,
1741 "%s used for NAT-T\n",
1742 saddr2str(p->addr));
1743 encap_ifnum++;
1744 }
1745 }
1746 }
1747 skip_encap:
1748 #endif
1749 #endif /* __APPLE__ */
1750
1751 continue;
1752
1753 err_and_next:
1754 racoon_free(p->addr);
1755 p->addr = NULL;
1756 if (! lcconf->autograbaddr && lcconf->strict_address)
1757 return -1;
1758 continue;
1759 }
1760
1761 if (!ifnum) {
1762 plog(LLV_ERROR, LOCATION, NULL,
1763 "no address could be bound.\n");
1764 return -1;
1765 }
1766
1767 #ifdef ENABLE_NATT
1768 if (natt_enabled_in_rmconf() && !encap_ifnum) {
1769 plog(LLV_WARNING, LOCATION, NULL,
1770 "NAT-T is enabled in at least one remote{} section,\n");
1771 plog(LLV_WARNING, LOCATION, NULL,
1772 "but no 'isakmp_natt' address was specified!\n");
1773 }
1774 #endif
1775
1776 return 0;
1777 }
1778
1779 void
1780 isakmp_close()
1781 {
1782 isakmp_close_sockets();
1783 clear_myaddr();
1784 }
1785
1786 void
1787 isakmp_close_sockets()
1788 {
1789 struct myaddrs *p;
1790
1791 for (p = lcconf->myaddrs; p; p = p->next) {
1792
1793 if (!p->addr)
1794 continue;
1795
1796 if (p->sock >= 0) {
1797 close(p->sock);
1798 p->sock = -1;
1799 }
1800 }
1801
1802 }
1803
1804
1805 // close sockets for addresses that have gone away
1806 void
1807 isakmp_close_unused()
1808 {
1809 struct myaddrs *p, *next, **prev;
1810
1811 prev = &(lcconf->myaddrs);
1812 for (p = lcconf->myaddrs; p; p = next) {
1813 next = p->next;
1814 if (p->in_use == 0) { // not in use ?
1815
1816 if (p->sock >= 0)
1817 close(p->sock);
1818 if (p->addr)
1819 racoon_free(p->addr);
1820 *prev = p->next;
1821 racoon_free(p);
1822 } else
1823 prev = &(p->next);
1824 }
1825 }
1826
1827 int
1828 isakmp_send(iph1, sbuf)
1829 struct ph1handle *iph1;
1830 vchar_t *sbuf;
1831 {
1832 int len = 0;
1833 int s;
1834 vchar_t *vbuf = NULL;
1835
1836 #ifdef ENABLE_NATT
1837 size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
1838
1839 #ifdef ENABLE_FRAG
1840 /*
1841 * Do not add the non ESP marker for a packet that will
1842 * be fragmented. The non ESP marker should appear in
1843 * all fragment's packets, but not in the fragmented packet
1844 */
1845 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
1846 extralen = 0;
1847 #endif
1848 if (extralen)
1849 plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
1850
1851 /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
1852 must added just before the packet itself. For this we must
1853 allocate a new buffer and release it at the end. */
1854 if (extralen) {
1855 vbuf = vmalloc (sbuf->l + extralen);
1856 *(u_int32_t *)vbuf->v = 0;
1857 memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
1858 sbuf = vbuf;
1859 }
1860 #endif
1861
1862 /* select the socket to be sent */
1863 s = getsockmyaddr(iph1->local);
1864 if (s == -1){
1865 if ( vbuf != NULL )
1866 vfree(vbuf);
1867 return -1;
1868 }
1869
1870 plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
1871 saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
1872
1873 #ifdef ENABLE_FRAG
1874 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
1875 if (isakmp_sendfrags(iph1, sbuf) == -1) {
1876 plog(LLV_ERROR, LOCATION, NULL,
1877 "isakmp_sendfrags failed\n");
1878 if ( vbuf != NULL )
1879 vfree(vbuf);
1880 return -1;
1881 }
1882 } else
1883 #endif
1884 {
1885 len = sendfromto(s, sbuf->v, sbuf->l,
1886 iph1->local, iph1->remote, lcconf->count_persend);
1887 if (len == -1) {
1888 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1889 if ( vbuf != NULL )
1890 vfree(vbuf);
1891 return -1;
1892 }
1893 }
1894
1895 if ( vbuf != NULL )
1896 vfree(vbuf);
1897
1898 return 0;
1899 }
1900
1901 /* called from scheduler */
1902 void
1903 isakmp_ph1resend_stub(p)
1904 void *p;
1905 {
1906 (void)isakmp_ph1resend((struct ph1handle *)p);
1907 }
1908
1909 int
1910 isakmp_ph1resend(iph1)
1911 struct ph1handle *iph1;
1912 {
1913 if (iph1->retry_counter < 0) {
1914 plog(LLV_ERROR, LOCATION, NULL,
1915 "phase1 negotiation failed due to time up. %s\n",
1916 isakmp_pindex(&iph1->index, iph1->msgid));
1917 EVT_PUSH(iph1->local, iph1->remote,
1918 EVTT_PEER_NO_RESPONSE, NULL);
1919
1920 remph1(iph1);
1921 delph1(iph1);
1922 return -1;
1923 }
1924
1925 if (isakmp_send(iph1, iph1->sendbuf) < 0){
1926 iph1->retry_counter--;
1927
1928 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1929 isakmp_ph1resend_stub, iph1);
1930 return -1;
1931 }
1932
1933 plog(LLV_DEBUG, LOCATION, NULL,
1934 "resend phase1 packet %s\n",
1935 isakmp_pindex(&iph1->index, iph1->msgid));
1936
1937 iph1->retry_counter--;
1938
1939 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1940 isakmp_ph1resend_stub, iph1);
1941
1942 return 0;
1943 }
1944
1945 /* called from scheduler */
1946 void
1947 isakmp_ph2resend_stub(p)
1948 void *p;
1949 {
1950
1951 (void)isakmp_ph2resend((struct ph2handle *)p);
1952 }
1953
1954 int
1955 isakmp_ph2resend(iph2)
1956 struct ph2handle *iph2;
1957 {
1958 if (iph2->retry_counter < 0) {
1959 plog(LLV_ERROR, LOCATION, NULL,
1960 "phase2 negotiation failed due to time up. %s\n",
1961 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1962 EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
1963 unbindph12(iph2);
1964 remph2(iph2);
1965 delph2(iph2);
1966 return -1;
1967 }
1968
1969 //%%% BUG FIX - related to commit bit usage - crash happened here
1970 if (iph2->ph1 == 0) {
1971 plog(LLV_ERROR, LOCATION, NULL,
1972 "internal error - attempt to re-send phase2 with no phase1 bound.\n");
1973 iph2->retry_counter = -1;
1974 remph2(iph2);
1975 delph2(iph2);
1976 return -1;
1977 }
1978
1979 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1980 return -1;
1981
1982 plog(LLV_DEBUG, LOCATION, NULL,
1983 "resend phase2 packet %s\n",
1984 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1985
1986 iph2->retry_counter--;
1987
1988 iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
1989 isakmp_ph2resend_stub, iph2);
1990
1991 return 0;
1992 }
1993
1994 /* called from scheduler */
1995 void
1996 isakmp_ph1expire_stub(p)
1997 void *p;
1998 {
1999
2000 isakmp_ph1expire((struct ph1handle *)p);
2001 }
2002
2003 void
2004 isakmp_ph1expire(iph1)
2005 struct ph1handle *iph1;
2006 {
2007 char *src, *dst;
2008
2009 SCHED_KILL(iph1->sce);
2010
2011 if(iph1->status != PHASE1ST_EXPIRED){
2012 src = strdup(saddr2str(iph1->local));
2013 dst = strdup(saddr2str(iph1->remote));
2014 plog(LLV_INFO, LOCATION, NULL,
2015 "ISAKMP-SA expired %s-%s spi:%s\n",
2016 src, dst,
2017 isakmp_pindex(&iph1->index, 0));
2018 racoon_free(src);
2019 racoon_free(dst);
2020 iph1->status = PHASE1ST_EXPIRED;
2021 }
2022
2023 /*
2024 * the phase1 deletion is postponed until there is no phase2.
2025 */
2026 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2027 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
2028 return;
2029 }
2030
2031 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
2032 }
2033
2034 /* called from scheduler */
2035 void
2036 isakmp_ph1delete_stub(p)
2037 void *p;
2038 {
2039
2040 isakmp_ph1delete((struct ph1handle *)p);
2041 }
2042
2043 void
2044 isakmp_ph1delete(iph1)
2045 struct ph1handle *iph1;
2046 {
2047 char *src, *dst;
2048
2049 if (iph1->sce)
2050 SCHED_KILL(iph1->sce);
2051
2052 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
2053 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
2054 return;
2055 }
2056
2057 /* don't re-negosiation when the phase 1 SA expires. */
2058
2059 src = strdup(saddr2str(iph1->local));
2060 dst = strdup(saddr2str(iph1->remote));
2061 plog(LLV_INFO, LOCATION, NULL,
2062 "ISAKMP-SA deleted %s-%s spi:%s\n",
2063 src, dst, isakmp_pindex(&iph1->index, 0));
2064 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
2065 racoon_free(src);
2066 racoon_free(dst);
2067
2068 remph1(iph1);
2069 delph1(iph1);
2070
2071 return;
2072 }
2073
2074 /* called from scheduler.
2075 * this function will call only isakmp_ph2delete().
2076 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
2077 * by something cause. That's why this function is called after phase 2 SA
2078 * expires in the userland.
2079 */
2080 void
2081 isakmp_ph2expire_stub(p)
2082 void *p;
2083 {
2084
2085 isakmp_ph2expire((struct ph2handle *)p);
2086 }
2087
2088 void
2089 isakmp_ph2expire(iph2)
2090 struct ph2handle *iph2;
2091 {
2092 char *src, *dst;
2093
2094 SCHED_KILL(iph2->sce);
2095
2096 src = strdup(saddrwop2str(iph2->src));
2097 dst = strdup(saddrwop2str(iph2->dst));
2098 plog(LLV_INFO, LOCATION, NULL,
2099 "phase2 sa expired %s-%s\n", src, dst);
2100 racoon_free(src);
2101 racoon_free(dst);
2102
2103 iph2->status = PHASE2ST_EXPIRED;
2104
2105 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
2106
2107 return;
2108 }
2109
2110 /* called from scheduler */
2111 void
2112 isakmp_ph2delete_stub(p)
2113 void *p;
2114 {
2115
2116 isakmp_ph2delete((struct ph2handle *)p);
2117 }
2118
2119 void
2120 isakmp_ph2delete(iph2)
2121 struct ph2handle *iph2;
2122 {
2123 char *src, *dst;
2124
2125 SCHED_KILL(iph2->sce);
2126
2127 src = strdup(saddrwop2str(iph2->src));
2128 dst = strdup(saddrwop2str(iph2->dst));
2129 plog(LLV_INFO, LOCATION, NULL,
2130 "phase2 sa deleted %s-%s\n", src, dst);
2131 racoon_free(src);
2132 racoon_free(dst);
2133
2134 unbindph12(iph2);
2135 remph2(iph2);
2136 delph2(iph2);
2137
2138 return;
2139 }
2140
2141 /* \f%%%
2142 * Interface between PF_KEYv2 and ISAKMP
2143 */
2144 /*
2145 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
2146 * if phase1 has been finished, begin phase2.
2147 */
2148 int
2149 isakmp_post_acquire(iph2)
2150 struct ph2handle *iph2;
2151 {
2152 struct remoteconf *rmconf;
2153 struct ph1handle *iph1 = NULL;
2154
2155 /* search appropreate configuration with masking port. */
2156 rmconf = getrmconf(iph2->dst);
2157 if (rmconf == NULL) {
2158 plog(LLV_ERROR, LOCATION, NULL,
2159 "no configuration found for %s.\n",
2160 saddrwop2str(iph2->dst));
2161 return -1;
2162 }
2163
2164 /* if passive mode, ignore the acquire message */
2165 if (rmconf->passive) {
2166 plog(LLV_DEBUG, LOCATION, NULL,
2167 "because of passive mode, "
2168 "ignore the acquire message for %s.\n",
2169 saddrwop2str(iph2->dst));
2170 return 0;
2171 }
2172
2173 /*
2174 * Search isakmp status table by address and port
2175 * If NAT-T is in use, consider null ports as a
2176 * wildcard and use IKE ports instead.
2177 */
2178 #ifdef ENABLE_NATT
2179 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
2180 if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
2181 set_port(iph2->src, extract_port(iph1->local));
2182 set_port(iph2->dst, extract_port(iph1->remote));
2183 }
2184 } else {
2185 iph1 = getph1byaddr(iph2->src, iph2->dst);
2186 }
2187 #else
2188 iph1 = getph1byaddr(iph2->src, iph2->dst);
2189 #endif
2190
2191 /* no ISAKMP-SA found. */
2192 if (iph1 == NULL) {
2193 struct sched *sc;
2194
2195 iph2->retry_checkph1 = lcconf->retry_checkph1;
2196 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
2197 plog(LLV_INFO, LOCATION, NULL,
2198 "IPsec-SA request for %s queued "
2199 "due to no phase1 found.\n",
2200 saddrwop2str(iph2->dst));
2201
2202 /* start phase 1 negotiation as a initiator. */
2203 if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) {
2204 SCHED_KILL(sc);
2205 return -1;
2206 }
2207
2208 return 0;
2209 /*NOTREACHED*/
2210 }
2211
2212 /* found ISAKMP-SA, but on negotiation. */
2213 if (iph1->status != PHASE1ST_ESTABLISHED) {
2214 iph2->retry_checkph1 = lcconf->retry_checkph1;
2215 sched_new(1, isakmp_chkph1there_stub, iph2);
2216 plog(LLV_INFO, LOCATION, iph2->dst,
2217 "request for establishing IPsec-SA was queued "
2218 "due to no phase1 found.\n");
2219 return 0;
2220 /*NOTREACHED*/
2221 }
2222
2223 /* found established ISAKMP-SA */
2224 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
2225
2226 /* found ISAKMP-SA. */
2227 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
2228
2229 /* begin quick mode */
2230 if (isakmp_ph2begin_i(iph1, iph2))
2231 return -1;
2232
2233 return 0;
2234 }
2235
2236 /*
2237 * receive GETSPI from kernel.
2238 */
2239 int
2240 isakmp_post_getspi(iph2)
2241 struct ph2handle *iph2;
2242 {
2243 #ifdef ENABLE_STATS
2244 struct timeval start, end;
2245 #endif
2246
2247 /* don't process it because there is no suitable phase1-sa. */
2248 if (iph2->ph1->status == PHASE1ST_EXPIRED) {
2249 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2250 "the negotiation is stopped, "
2251 "because there is no suitable ISAKMP-SA.\n");
2252 return -1;
2253 }
2254
2255 #ifdef ENABLE_STATS
2256 gettimeofday(&start, NULL);
2257 #endif
2258 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2259 [iph2->side]
2260 [iph2->status])(iph2, NULL) != 0)
2261 return -1;
2262 #ifdef ENABLE_STATS
2263 gettimeofday(&end, NULL);
2264 syslog(LOG_NOTICE, "%s(%s): %8.6f",
2265 "phase2",
2266 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2267 timedelta(&start, &end));
2268 #endif
2269
2270 return 0;
2271 }
2272
2273 /* called by scheduler */
2274 void
2275 isakmp_chkph1there_stub(p)
2276 void *p;
2277 {
2278 isakmp_chkph1there((struct ph2handle *)p);
2279 }
2280
2281 void
2282 isakmp_chkph1there(iph2)
2283 struct ph2handle *iph2;
2284 {
2285 struct ph1handle *iph1;
2286
2287 iph2->retry_checkph1--;
2288 if (iph2->retry_checkph1 < 0) {
2289 plog(LLV_ERROR, LOCATION, iph2->dst,
2290 "phase2 negotiation failed "
2291 "due to time up waiting for phase1. %s\n",
2292 sadbsecas2str(iph2->dst, iph2->src,
2293 iph2->satype, 0, 0));
2294 plog(LLV_INFO, LOCATION, NULL,
2295 "delete phase 2 handler.\n");
2296
2297 /* send acquire to kernel as error */
2298 pk_sendeacquire(iph2);
2299
2300 unbindph12(iph2);
2301 remph2(iph2);
2302 delph2(iph2);
2303
2304 return;
2305 }
2306
2307 /*
2308 * Search isakmp status table by address and port
2309 * If NAT-T is in use, consider null ports as a
2310 * wildcard and use IKE ports instead.
2311 */
2312 #ifdef ENABLE_NATT
2313 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
2314 if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
2315 /*
2316 * cannot set ph2 ports until after switch to natt port
2317 * otherwise this function will never again find phase 1
2318 */
2319 if (iph1->status == PHASE1ST_ESTABLISHED) {
2320 set_port(iph2->src, extract_port(iph1->local));
2321 set_port(iph2->dst, extract_port(iph1->remote));
2322 }
2323 }
2324 } else {
2325 iph1 = getph1byaddr(iph2->src, iph2->dst);
2326 }
2327 #else
2328 iph1 = getph1byaddr(iph2->src, iph2->dst);
2329 #endif
2330
2331 /* XXX Even if ph1 as responder is there, should we not start
2332 * phase 2 negotiation ? */
2333 if (iph1 != NULL
2334 && iph1->status == PHASE1ST_ESTABLISHED) {
2335 /* found isakmp-sa */
2336 /* begin quick mode */
2337 (void)isakmp_ph2begin_i(iph1, iph2);
2338 return;
2339 }
2340
2341 /* no isakmp-sa found */
2342 sched_new(1, isakmp_chkph1there_stub, iph2);
2343
2344 return;
2345 }
2346
2347 /* copy variable data into ALLOCATED buffer. */
2348 caddr_t
2349 isakmp_set_attr_v(buf, type, val, len)
2350 caddr_t buf;
2351 int type;
2352 caddr_t val;
2353 int len;
2354 {
2355 struct isakmp_data *data;
2356
2357 data = (struct isakmp_data *)buf;
2358 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2359 data->lorv = htons((u_int16_t)len);
2360 memcpy(data + 1, val, len);
2361
2362 return buf + sizeof(*data) + len;
2363 }
2364
2365 /* copy fixed length data into ALLOCATED buffer. */
2366 caddr_t
2367 isakmp_set_attr_l(buf, type, val)
2368 caddr_t buf;
2369 int type;
2370 u_int32_t val;
2371 {
2372 struct isakmp_data *data;
2373
2374 data = (struct isakmp_data *)buf;
2375 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2376 data->lorv = htons((u_int16_t)val);
2377
2378 return buf + sizeof(*data);
2379 }
2380
2381 /* add a variable data attribute to the buffer by reallocating it. */
2382 vchar_t *
2383 isakmp_add_attr_v(buf0, type, val, len)
2384 vchar_t *buf0;
2385 int type;
2386 caddr_t val;
2387 int len;
2388 {
2389 vchar_t *buf = NULL;
2390 struct isakmp_data *data;
2391 int tlen;
2392 int oldlen = 0;
2393
2394 tlen = sizeof(*data) + len;
2395
2396 if (buf0) {
2397 oldlen = buf0->l;
2398 buf = vrealloc(buf0, oldlen + tlen);
2399 } else
2400 buf = vmalloc(tlen);
2401 if (!buf) {
2402 plog(LLV_ERROR, LOCATION, NULL,
2403 "failed to get a attribute buffer.\n");
2404 return NULL;
2405 }
2406
2407 data = (struct isakmp_data *)(buf->v + oldlen);
2408 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2409 data->lorv = htons((u_int16_t)len);
2410 memcpy(data + 1, val, len);
2411
2412 return buf;
2413 }
2414
2415 /* add a fixed data attribute to the buffer by reallocating it. */
2416 vchar_t *
2417 isakmp_add_attr_l(buf0, type, val)
2418 vchar_t *buf0;
2419 int type;
2420 u_int32_t val;
2421 {
2422 vchar_t *buf = NULL;
2423 struct isakmp_data *data;
2424 int tlen;
2425 int oldlen = 0;
2426
2427 tlen = sizeof(*data);
2428
2429 if (buf0) {
2430 oldlen = buf0->l;
2431 buf = vrealloc(buf0, oldlen + tlen);
2432 } else
2433 buf = vmalloc(tlen);
2434 if (!buf) {
2435 plog(LLV_ERROR, LOCATION, NULL,
2436 "failed to get a attribute buffer.\n");
2437 return NULL;
2438 }
2439
2440 data = (struct isakmp_data *)(buf->v + oldlen);
2441 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2442 data->lorv = htons((u_int16_t)val);
2443
2444 return buf;
2445 }
2446
2447 /*
2448 * calculate cookie and set.
2449 */
2450 int
2451 isakmp_newcookie(place, remote, local)
2452 caddr_t place;
2453 struct sockaddr *remote;
2454 struct sockaddr *local;
2455 {
2456 vchar_t *buf = NULL, *buf2 = NULL;
2457 char *p;
2458 int blen;
2459 int alen;
2460 caddr_t sa1, sa2;
2461 time_t t;
2462 int error = -1;
2463 u_short port;
2464
2465
2466 if (remote->sa_family != local->sa_family) {
2467 plog(LLV_ERROR, LOCATION, NULL,
2468 "address family mismatch, remote:%d local:%d\n",
2469 remote->sa_family, local->sa_family);
2470 goto end;
2471 }
2472 switch (remote->sa_family) {
2473 case AF_INET:
2474 alen = sizeof(struct in_addr);
2475 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2476 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2477 break;
2478 #ifdef INET6
2479 case AF_INET6:
2480 alen = sizeof(struct in_addr);
2481 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2482 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2483 break;
2484 #endif
2485 default:
2486 plog(LLV_ERROR, LOCATION, NULL,
2487 "invalid family: %d\n", remote->sa_family);
2488 goto end;
2489 }
2490 blen = (alen + sizeof(u_short)) * 2
2491 + sizeof(time_t) + lcconf->secret_size;
2492 buf = vmalloc(blen);
2493 if (buf == NULL) {
2494 plog(LLV_ERROR, LOCATION, NULL,
2495 "failed to get a cookie.\n");
2496 goto end;
2497 }
2498 p = buf->v;
2499
2500 /* copy my address */
2501 memcpy(p, sa1, alen);
2502 p += alen;
2503 port = ((struct sockaddr_in *)remote)->sin_port;
2504 memcpy(p, &port, sizeof(u_short));
2505 p += sizeof(u_short);
2506
2507 /* copy target address */
2508 memcpy(p, sa2, alen);
2509 p += alen;
2510 port = ((struct sockaddr_in *)local)->sin_port;
2511 memcpy(p, &port, sizeof(u_short));
2512 p += sizeof(u_short);
2513
2514 /* copy time */
2515 t = time(0);
2516 memcpy(p, (caddr_t)&t, sizeof(t));
2517 p += sizeof(t);
2518
2519 /* copy random value */
2520 buf2 = eay_set_random(lcconf->secret_size);
2521 if (buf2 == NULL)
2522 goto end;
2523 memcpy(p, buf2->v, lcconf->secret_size);
2524 p += lcconf->secret_size;
2525 vfree(buf2);
2526
2527 buf2 = eay_sha1_one(buf);
2528 memcpy(place, buf2->v, sizeof(cookie_t));
2529
2530 sa1 = val2str(place, sizeof (cookie_t));
2531 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2532 racoon_free(sa1);
2533
2534 error = 0;
2535 end:
2536 if (buf != NULL)
2537 vfree(buf);
2538 if (buf2 != NULL)
2539 vfree(buf2);
2540 return error;
2541 }
2542
2543 /*
2544 * save partner's(payload) data into phhandle.
2545 */
2546 int
2547 isakmp_p2ph(buf, gen)
2548 vchar_t **buf;
2549 struct isakmp_gen *gen;
2550 {
2551 /* XXX to be checked in each functions for logging. */
2552 if (*buf) {
2553 plog(LLV_WARNING, LOCATION, NULL,
2554 "ignore this payload, same payload type exist.\n");
2555 return -1;
2556 }
2557
2558 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
2559 if (*buf == NULL) {
2560 plog(LLV_ERROR, LOCATION, NULL,
2561 "failed to get buffer.\n");
2562 return -1;
2563 }
2564 memcpy((*buf)->v, gen + 1, (*buf)->l);
2565
2566 return 0;
2567 }
2568
2569 u_int32_t
2570 isakmp_newmsgid2(iph1)
2571 struct ph1handle *iph1;
2572 {
2573 u_int32_t msgid2;
2574
2575 do {
2576 msgid2 = eay_random();
2577 } while (getph2bymsgid(iph1, msgid2));
2578
2579 return msgid2;
2580 }
2581
2582 /*
2583 * set values into allocated buffer of isakmp header for phase 1
2584 */
2585 static caddr_t
2586 set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid)
2587 vchar_t *vbuf;
2588 struct ph1handle *iph1;
2589 int nptype;
2590 u_int8_t etype;
2591 u_int8_t flags;
2592 u_int32_t msgid;
2593 {
2594 struct isakmp *isakmp;
2595
2596 if (vbuf->l < sizeof(*isakmp))
2597 return NULL;
2598
2599 isakmp = (struct isakmp *)vbuf->v;
2600
2601 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2602 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2603 isakmp->np = nptype;
2604 isakmp->v = iph1->version;
2605 isakmp->etype = etype;
2606 isakmp->flags = flags;
2607 isakmp->msgid = msgid;
2608 isakmp->len = htonl(vbuf->l);
2609
2610 return vbuf->v + sizeof(*isakmp);
2611 }
2612
2613 /*
2614 * set values into allocated buffer of isakmp header for phase 1
2615 */
2616 caddr_t
2617 set_isakmp_header1(vbuf, iph1, nptype)
2618 vchar_t *vbuf;
2619 struct ph1handle *iph1;
2620 int nptype;
2621 {
2622 return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
2623 }
2624
2625 /*
2626 * set values into allocated buffer of isakmp header for phase 2
2627 */
2628 caddr_t
2629 set_isakmp_header2(vbuf, iph2, nptype)
2630 vchar_t *vbuf;
2631 struct ph2handle *iph2;
2632 int nptype;
2633 {
2634 return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
2635 }
2636
2637 /*
2638 * set values into allocated buffer of isakmp payload.
2639 */
2640 caddr_t
2641 set_isakmp_payload(buf, src, nptype)
2642 caddr_t buf;
2643 vchar_t *src;
2644 int nptype;
2645 {
2646 struct isakmp_gen *gen;
2647 caddr_t p = buf;
2648
2649 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n",
2650 src->l, nptype);
2651
2652 gen = (struct isakmp_gen *)p;
2653 gen->np = nptype;
2654 gen->len = htons(sizeof(*gen) + src->l);
2655 p += sizeof(*gen);
2656 memcpy(p, src->v, src->l);
2657 p += src->l;
2658
2659 return p;
2660 }
2661
2662 static int
2663 etypesw1(etype)
2664 int etype;
2665 {
2666 switch (etype) {
2667 case ISAKMP_ETYPE_IDENT:
2668 return 1;
2669 case ISAKMP_ETYPE_AGG:
2670 return 2;
2671 case ISAKMP_ETYPE_BASE:
2672 return 3;
2673 default:
2674 return 0;
2675 }
2676 /*NOTREACHED*/
2677 }
2678
2679 static int
2680 etypesw2(etype)
2681 int etype;
2682 {
2683 switch (etype) {
2684 case ISAKMP_ETYPE_QUICK:
2685 return 1;
2686 default:
2687 return 0;
2688 }
2689 /*NOTREACHED*/
2690 }
2691
2692 #ifdef HAVE_PRINT_ISAKMP_C
2693 /* for print-isakmp.c */
2694 char *snapend;
2695 extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2696
2697 char *getname __P((const u_char *));
2698 #ifdef INET6
2699 char *getname6 __P((const u_char *));
2700 #endif
2701 int safeputchar __P((int));
2702
2703 /*
2704 * Return a name for the IP address pointed to by ap. This address
2705 * is assumed to be in network byte order.
2706 */
2707 char *
2708 getname(ap)
2709 const u_char *ap;
2710 {
2711 struct sockaddr_in addr;
2712 static char ntop_buf[NI_MAXHOST];
2713
2714 memset(&addr, 0, sizeof(addr));
2715 #ifndef __linux__
2716 addr.sin_len = sizeof(struct sockaddr_in);
2717 #endif
2718 addr.sin_family = AF_INET;
2719 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2720 if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
2721 ntop_buf, sizeof(ntop_buf), NULL, 0,
2722 NI_NUMERICHOST | niflags))
2723 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2724
2725 return ntop_buf;
2726 }
2727
2728 #ifdef INET6
2729 /*
2730 * Return a name for the IP6 address pointed to by ap. This address
2731 * is assumed to be in network byte order.
2732 */
2733 char *
2734 getname6(ap)
2735 const u_char *ap;
2736 {
2737 struct sockaddr_in6 addr;
2738 static char ntop_buf[NI_MAXHOST];
2739
2740 memset(&addr, 0, sizeof(addr));
2741 addr.sin6_len = sizeof(struct sockaddr_in6);
2742 addr.sin6_family = AF_INET6;
2743 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2744 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2745 ntop_buf, sizeof(ntop_buf), NULL, 0,
2746 NI_NUMERICHOST | niflags))
2747 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2748
2749 return ntop_buf;
2750 }
2751 #endif /* INET6 */
2752
2753 int
2754 safeputchar(c)
2755 int c;
2756 {
2757 unsigned char ch;
2758
2759 ch = (unsigned char)(c & 0xff);
2760 if (c < 0x80 && isprint(c))
2761 return printf("%c", c & 0xff);
2762 else
2763 return printf("\\%03o", c & 0xff);
2764 }
2765
2766 void
2767 isakmp_printpacket(msg, from, my, decoded)
2768 vchar_t *msg;
2769 struct sockaddr *from;
2770 struct sockaddr *my;
2771 int decoded;
2772 {
2773 #ifdef YIPS_DEBUG
2774 struct timeval tv;
2775 int s;
2776 char hostbuf[NI_MAXHOST];
2777 char portbuf[NI_MAXSERV];
2778 struct isakmp *isakmp;
2779 vchar_t *buf;
2780 #endif
2781
2782 if (loglevel < LLV_DEBUG)
2783 return;
2784
2785 #ifdef YIPS_DEBUG
2786 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2787
2788 gettimeofday(&tv, NULL);
2789 s = tv.tv_sec % 3600;
2790 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2791
2792 if (from) {
2793 if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
2794 portbuf, sizeof(portbuf),
2795 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2796 strlcpy(hostbuf, "?", sizeof(hostbuf));
2797 strlcpy(portbuf, "?", sizeof(portbuf));
2798 }
2799 printf("%s:%s", hostbuf, portbuf);
2800 } else
2801 printf("?");
2802 printf(" -> ");
2803 if (my) {
2804 if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
2805 portbuf, sizeof(portbuf),
2806 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2807 strlcpy(hostbuf, "?", sizeof(hostbuf));
2808 strlcpy(portbuf, "?", sizeof(portbuf));
2809 }
2810 printf("%s:%s", hostbuf, portbuf);
2811 } else
2812 printf("?");
2813 printf(": ");
2814
2815 buf = vdup(msg);
2816 if (!buf) {
2817 printf("(malloc fail)\n");
2818 return;
2819 }
2820 if (decoded) {
2821 isakmp = (struct isakmp *)buf->v;
2822 if (isakmp->flags & ISAKMP_FLAG_E) {
2823 #if 0
2824 int pad;
2825 pad = *(u_char *)(buf->v + buf->l - 1);
2826 if (buf->l < pad && 2 < vflag)
2827 printf("(wrong padding)");
2828 #endif
2829 isakmp->flags &= ~ISAKMP_FLAG_E;
2830 }
2831 }
2832
2833 snapend = buf->v + buf->l;
2834 isakmp_print(buf->v, buf->l, NULL);
2835 vfree(buf);
2836 printf("\n");
2837 fflush(stdout);
2838
2839 return;
2840 #endif
2841 }
2842 #endif /*HAVE_PRINT_ISAKMP_C*/
2843
2844 int
2845 copy_ph1addresses(iph1, rmconf, remote, local)
2846 struct ph1handle *iph1;
2847 struct remoteconf *rmconf;
2848 struct sockaddr *remote, *local;
2849 {
2850 u_short *port = NULL;
2851
2852 /* address portion must be grabbed from real remote address "remote" */
2853 iph1->remote = dupsaddr(remote);
2854 if (iph1->remote == NULL) {
2855 delph1(iph1);
2856 return -1;
2857 }
2858
2859 /*
2860 * if remote has no port # (in case of initiator - from ACQUIRE msg)
2861 * - if remote.conf specifies port #, use that
2862 * - if remote.conf does not, use 500
2863 * if remote has port # (in case of responder - from recvfrom(2))
2864 * respect content of "remote".
2865 */
2866 switch (iph1->remote->sa_family) {
2867 case AF_INET:
2868 port = &((struct sockaddr_in *)iph1->remote)->sin_port;
2869 if (*port)
2870 break;
2871 *port = ((struct sockaddr_in *)rmconf->remote)->sin_port;
2872 if (*port)
2873 break;
2874 *port = htons(PORT_ISAKMP);
2875 break;
2876 #ifdef INET6
2877 case AF_INET6:
2878 port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port;
2879 if (*port)
2880 break;
2881 *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
2882 if (*port)
2883 break;
2884 *port = htons(PORT_ISAKMP);
2885 break;
2886 #endif
2887 default:
2888 plog(LLV_ERROR, LOCATION, NULL,
2889 "invalid family: %d\n", iph1->remote->sa_family);
2890 return -1;
2891 }
2892
2893 if (local == NULL)
2894 iph1->local = getlocaladdr(iph1->remote);
2895 else
2896 iph1->local = dupsaddr(local);
2897 if (iph1->local == NULL) {
2898 delph1(iph1);
2899 return -1;
2900 }
2901 port = NULL;
2902 switch (iph1->local->sa_family) {
2903 case AF_INET:
2904 port = &((struct sockaddr_in *)iph1->local)->sin_port;
2905 if (*port)
2906 break;
2907 *port = ((struct sockaddr_in *)local)->sin_port;
2908 if (*port)
2909 break;
2910 *port = getmyaddrsport(iph1->local);
2911 break;
2912 #ifdef INET6
2913 case AF_INET6:
2914 port = &((struct sockaddr_in6 *)iph1->local)->sin6_port;
2915 if (*port)
2916 break;
2917 *port = ((struct sockaddr_in6 *)local)->sin6_port;
2918 if (*port)
2919 break;
2920 *port = getmyaddrsport(iph1->local);
2921 break;
2922 #endif
2923 default:
2924 plog(LLV_ERROR, LOCATION, NULL,
2925 "invalid family: %d\n", iph1->local->sa_family);
2926 delph1(iph1);
2927 return -1;
2928 }
2929 #ifdef ENABLE_NATT
2930 if ( port != NULL && *port == htons(lcconf->port_isakmp_natt) ) {
2931 plog (LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n");
2932 iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
2933 }
2934 #endif
2935
2936 return 0;
2937 }
2938
2939 static int
2940 nostate1(iph1, msg)
2941 struct ph1handle *iph1;
2942 vchar_t *msg;
2943 {
2944 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2945 iph1->status);
2946 return -1;
2947 }
2948
2949 static int
2950 nostate2(iph2, msg)
2951 struct ph2handle *iph2;
2952 vchar_t *msg;
2953 {
2954 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2955 iph2->status);
2956 return -1;
2957 }
2958
2959 void
2960 log_ph1established(iph1)
2961 const struct ph1handle *iph1;
2962 {
2963 char *src, *dst;
2964
2965 src = strdup(saddr2str(iph1->local));
2966 dst = strdup(saddr2str(iph1->remote));
2967 plog(LLV_INFO, LOCATION, NULL,
2968 "ISAKMP-SA established %s-%s spi:%s\n",
2969 src, dst,
2970 isakmp_pindex(&iph1->index, 0));
2971 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL);
2972 racoon_free(src);
2973 racoon_free(dst);
2974
2975 return;
2976 }
2977
2978 struct payload_list *
2979 isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_type)
2980 {
2981 if (! plist) {
2982 plist = racoon_malloc (sizeof (struct payload_list));
2983 plist->prev = NULL;
2984 }
2985 else {
2986 plist->next = racoon_malloc (sizeof (struct payload_list));
2987 plist->next->prev = plist;
2988 plist = plist->next;
2989 }
2990
2991 plist->next = NULL;
2992 plist->payload = payload;
2993 plist->payload_type = payload_type;
2994
2995 return plist;
2996 }
2997
2998 vchar_t *
2999 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
3000 {
3001 struct payload_list *ptr, *first;
3002 size_t tlen = sizeof (struct isakmp), n = 0;
3003 vchar_t *buf;
3004 char *p;
3005
3006 if (plist == NULL) {
3007 plog(LLV_ERROR, LOCATION, NULL,
3008 "in isakmp_plist_set_all: plist == NULL\n");
3009 return NULL;
3010 }
3011
3012 /* Seek to the first item. */
3013 ptr = *plist;
3014 while (ptr->prev)
3015 ptr = ptr->prev;
3016 first = ptr;
3017
3018 /* Compute the whole length. */
3019 while (ptr) {
3020 tlen += ptr->payload->l + sizeof (struct isakmp_gen);
3021 ptr = ptr->next;
3022 }
3023
3024 buf = vmalloc(tlen);
3025 if (buf == NULL) {
3026 plog(LLV_ERROR, LOCATION, NULL,
3027 "failed to get buffer to send.\n");
3028 goto end;
3029 }
3030
3031 ptr = first;
3032
3033 p = set_isakmp_header1(buf, iph1, ptr->payload_type);
3034 if (p == NULL)
3035 goto end;
3036
3037 while (ptr)
3038 {
3039 p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
3040 first = ptr;
3041 ptr = ptr->next;
3042 racoon_free (first);
3043 /* ptr->prev = NULL; first = NULL; ... omitted. */
3044 n++;
3045 }
3046
3047 *plist = NULL;
3048
3049 return buf;
3050 end:
3051 return NULL;
3052 }
3053
3054 #ifdef ENABLE_FRAG
3055 int
3056 frag_handler(iph1, msg, remote, local)
3057 struct ph1handle *iph1;
3058 vchar_t *msg;
3059 struct sockaddr *remote;
3060 struct sockaddr *local;
3061 {
3062 vchar_t *newmsg;
3063
3064 if (isakmp_frag_extract(iph1, msg) == 1) {
3065 if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
3066 plog(LLV_ERROR, LOCATION, remote,
3067 "Packet reassembly failed\n");
3068 return -1;
3069 }
3070 return isakmp_main(newmsg, remote, local);
3071 }
3072
3073 return 0;
3074 }
3075 #endif
3076
3077 void
3078 script_hook(iph1, script)
3079 struct ph1handle *iph1;
3080 int script;
3081 {
3082 #define IP_MAX 40
3083 #define PORT_MAX 6
3084 char addrstr[IP_MAX];
3085 char portstr[PORT_MAX];
3086 char **envp = NULL;
3087 int envc = 1;
3088 struct sockaddr_in *sin;
3089 char **c;
3090
3091 if (iph1->rmconf->script[script] == -1)
3092 return;
3093
3094 #ifdef ENABLE_HYBRID
3095 (void)isakmp_cfg_setenv(iph1, &envp, &envc);
3096 #endif
3097
3098 /* local address */
3099 sin = (struct sockaddr_in *)iph1->local;
3100 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
3101 snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));
3102
3103 if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
3104 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
3105 goto out;
3106 }
3107
3108 if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) {
3109 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n");
3110 goto out;
3111 }
3112
3113 /* Peer address */
3114 sin = (struct sockaddr_in *)iph1->remote;
3115 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
3116 snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));
3117
3118 if (script_env_append(&envp, &envc, "REMOTE_ADDR", addrstr) != 0) {
3119 plog(LLV_ERROR, LOCATION, NULL, "Cannot set REMOTE_ADDR\n");
3120 goto out;
3121 }
3122
3123 if (script_env_append(&envp, &envc, "REMOTE_PORT", portstr) != 0) {
3124 plog(LLV_ERROR, LOCATION, NULL, "Cannot set REMOTEL_PORT\n");
3125 goto out;
3126 }
3127
3128 if (privsep_script_exec(iph1->rmconf->script[script],
3129 script, envp) != 0)
3130 plog(LLV_ERROR, LOCATION, NULL,
3131 "Script %s execution failed\n", script_names[script]);
3132
3133 out:
3134 for (c = envp; *c; c++)
3135 racoon_free(*c);
3136
3137 racoon_free(envp);
3138
3139 return;
3140 }
3141
3142 int
3143 script_env_append(envp, envc, name, value)
3144 char ***envp;
3145 int *envc;
3146 char *name;
3147 char *value;
3148 {
3149 char *envitem;
3150 char **newenvp;
3151 int newenvc;
3152 int envitemlen = strlen(name) + 1 + strlen(value) + 1;
3153
3154 envitem = racoon_malloc(envitemlen);
3155 if (envitem == NULL) {
3156 plog(LLV_ERROR, LOCATION, NULL,
3157 "Cannot allocate memory: %s\n", strerror(errno));
3158 return -1;
3159 }
3160 snprintf(envitem, envitemlen, "%s=%s", name, value);
3161
3162 newenvc = (*envc) + 1;
3163 newenvp = racoon_realloc(*envp, newenvc * sizeof(char *));
3164 if (newenvp == NULL) {
3165 plog(LLV_ERROR, LOCATION, NULL,
3166 "Cannot allocate memory: %s\n", strerror(errno));
3167 return -1;
3168 }
3169
3170 newenvp[newenvc - 2] = envitem;
3171 newenvp[newenvc - 1] = NULL;
3172
3173 *envp = newenvp;
3174 *envc = newenvc;
3175 return 0;
3176 }
3177
3178 int
3179 script_exec(script, name, envp)
3180 int script;
3181 int name;
3182 char *const envp[];
3183 {
3184 char *argv[] = { NULL, NULL, NULL };
3185 vchar_t **sp;
3186
3187 if (script_paths == NULL) {
3188 plog(LLV_ERROR, LOCATION, NULL,
3189 "privsep_script_exec: script_paths was not initialized\n");
3190 return -1;
3191 }
3192
3193 sp = (vchar_t **)(script_paths->v);
3194
3195 argv[0] = sp[script]->v;
3196 argv[1] = script_names[name];
3197 argv[2] = NULL;
3198
3199 switch (fork()) {
3200 case 0:
3201 execve(argv[0], argv, envp);
3202 plog(LLV_ERROR2, LOCATION, NULL,
3203 "execve(\"%s\") failed: %s\n",
3204 argv[0], strerror(errno));
3205 _exit(1);
3206 break;
3207 case -1:
3208 plog(LLV_ERROR, LOCATION, NULL,
3209 "Cannot fork: %s\n", strerror(errno));
3210 return -1;
3211 break;
3212 default:
3213 break;
3214 }
3215
3216 return 0;
3217 }
3218
3219 void
3220 purge_remote(iph1)
3221 struct ph1handle *iph1;
3222 {
3223 vchar_t *buf = NULL;
3224 struct sadb_msg *msg, *next, *end;
3225 struct sadb_sa *sa;
3226 struct sockaddr *src, *dst;
3227 caddr_t mhp[SADB_EXT_MAX + 1];
3228 u_int proto_id;
3229 struct ph2handle *iph2;
3230 struct ph1handle *new_iph1;
3231
3232 plog(LLV_INFO, LOCATION, NULL,
3233 "purging ISAKMP-SA spi=%s.\n",
3234 isakmp_pindex(&(iph1->index), iph1->msgid));
3235
3236 /* Mark as expired. */
3237 iph1->status = PHASE1ST_EXPIRED;
3238
3239 /* Check if we have another, still valid, phase1 SA. */
3240 new_iph1 = getph1byaddr(iph1->local, iph1->remote);
3241
3242 /*
3243 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
3244 * Keep all others phase2 SAs.
3245 */
3246 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
3247 if (buf == NULL) {
3248 plog(LLV_DEBUG, LOCATION, NULL,
3249 "pfkey_dump_sadb returned nothing.\n");
3250 return;
3251 }
3252
3253 msg = (struct sadb_msg *)buf->v;
3254 end = (struct sadb_msg *)(buf->v + buf->l);
3255
3256 while (msg < end) {
3257 if ((msg->sadb_msg_len << 3) < sizeof(*msg))
3258 break;
3259 next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
3260 if (msg->sadb_msg_type != SADB_DUMP) {
3261 msg = next;
3262 continue;
3263 }
3264
3265 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
3266 plog(LLV_ERROR, LOCATION, NULL,
3267 "pfkey_check (%s)\n", ipsec_strerror());
3268 msg = next;
3269 continue;
3270 }
3271
3272 sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
3273 if (!sa ||
3274 !mhp[SADB_EXT_ADDRESS_SRC] ||
3275 !mhp[SADB_EXT_ADDRESS_DST]) {
3276 msg = next;
3277 continue;
3278 }
3279 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
3280 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
3281
3282 if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
3283 sa->sadb_sa_state != SADB_SASTATE_MATURE &&
3284 sa->sadb_sa_state != SADB_SASTATE_DYING) {
3285 msg = next;
3286 continue;
3287 }
3288
3289 /* check in/outbound SAs */
3290 if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
3291 (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
3292 msg = next;
3293 continue;
3294 }
3295
3296 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
3297 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
3298
3299 /* Check if there is another valid ISAKMP-SA */
3300 if (new_iph1 != NULL) {
3301
3302 if (iph2 == NULL) {
3303 /* No handler... still send a pfkey_delete message, but log this !*/
3304 plog(LLV_INFO, LOCATION, NULL,
3305 "Unknown IPsec-SA spi=%u, hmmmm?\n",
3306 ntohl(sa->sadb_sa_spi));
3307 }else{
3308
3309 /*
3310 * If we have a new ph1, do not purge IPsec-SAs binded
3311 * to a different ISAKMP-SA
3312 */
3313 if (iph2->ph1 != NULL && iph2->ph1 != iph1){
3314 msg = next;
3315 continue;
3316 }
3317
3318 /* If the ph2handle is established, do not purge IPsec-SA */
3319 if (iph2->status == PHASE2ST_ESTABLISHED ||
3320 iph2->status == PHASE2ST_EXPIRED) {
3321
3322 plog(LLV_INFO, LOCATION, NULL,
3323 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
3324 ntohl(sa->sadb_sa_spi),
3325 isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
3326 msg = next;
3327 continue;
3328 }
3329 }
3330 }
3331
3332
3333 pfkey_send_delete(lcconf->sock_pfkey,
3334 msg->sadb_msg_satype,
3335 IPSEC_MODE_ANY,
3336 src, dst, sa->sadb_sa_spi);
3337
3338 /* delete a relative phase 2 handle. */
3339 if (iph2 != NULL) {
3340 delete_spd(iph2);
3341 unbindph12(iph2);
3342 remph2(iph2);
3343 delph2(iph2);
3344 }
3345
3346 plog(LLV_INFO, LOCATION, NULL,
3347 "purged IPsec-SA spi=%u.\n",
3348 ntohl(sa->sadb_sa_spi));
3349
3350 msg = next;
3351 }
3352
3353 if (buf)
3354 vfree(buf);
3355
3356 /* Mark the phase1 handler as EXPIRED */
3357 plog(LLV_INFO, LOCATION, NULL,
3358 "purged ISAKMP-SA spi=%s.\n",
3359 isakmp_pindex(&(iph1->index), iph1->msgid));
3360
3361 if (iph1->sce)
3362 SCHED_KILL(iph1->sce);
3363
3364 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
3365 }
3366
3367 void
3368 delete_spd(iph2)
3369 struct ph2handle *iph2;
3370 {
3371 if (iph2 == NULL)
3372 return;
3373
3374 /* Delete the SPD entry if we generated it
3375 */
3376 if (iph2->generated_spidx) {
3377 struct policyindex spidx;
3378 struct sockaddr_storage addr;
3379 u_int8_t pref;
3380 struct sockaddr *src = iph2->src;
3381 struct sockaddr *dst = iph2->dst;
3382 int error;
3383 int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
3384
3385 plog(LLV_INFO, LOCATION, NULL,
3386 "generated policy, deleting it.\n");
3387
3388 memset(&spidx, 0, sizeof(spidx));
3389 iph2->spidx_gen = (caddr_t )&spidx;
3390
3391 /* make inbound policy */
3392 iph2->src = dst;
3393 iph2->dst = src;
3394 spidx.dir = IPSEC_DIR_INBOUND;
3395 spidx.ul_proto = 0;
3396
3397 /*
3398 * Note: code from get_proposal_r
3399 */
3400
3401 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
3402
3403 /*
3404 * make destination address in spidx from either ID payload
3405 * or phase 1 address into a address in spidx.
3406 */
3407 if (iph2->id != NULL
3408 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3409 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
3410 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3411 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3412 /* get a destination address of a policy */
3413 error = ipsecdoi_id2sockaddr(iph2->id,
3414 (struct sockaddr *)&spidx.dst,
3415 &spidx.prefd, &spidx.ul_proto);
3416 if (error)
3417 goto purge;
3418
3419 #ifdef INET6
3420 /*
3421 * get scopeid from the SA address.
3422 * note that the phase 1 source address is used as
3423 * a destination address to search for a inbound
3424 * policy entry because rcoon is responder.
3425 */
3426 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
3427 if ((error =
3428 setscopeid((struct sockaddr *)&spidx.dst,
3429 iph2->src)) != 0)
3430 goto purge;
3431 }
3432 #endif
3433
3434 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3435 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
3436 idi2type = _XIDT(iph2->id);
3437
3438 } else {
3439
3440 plog(LLV_DEBUG, LOCATION, NULL,
3441 "get a destination address of SP index "
3442 "from phase1 address "
3443 "due to no ID payloads found "
3444 "OR because ID type is not address.\n");
3445
3446 /*
3447 * copy the SOURCE address of IKE into the
3448 * DESTINATION address of the key to search the
3449 * SPD because the direction of policy is inbound.
3450 */
3451 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
3452 switch (spidx.dst.ss_family) {
3453 case AF_INET:
3454 spidx.prefd =
3455 sizeof(struct in_addr) << 3;
3456 break;
3457 #ifdef INET6
3458 case AF_INET6:
3459 spidx.prefd =
3460 sizeof(struct in6_addr) << 3;
3461 break;
3462 #endif
3463 default:
3464 spidx.prefd = 0;
3465 break;
3466 }
3467 }
3468
3469 /* make source address in spidx */
3470 if (iph2->id_p != NULL
3471 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
3472 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
3473 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3474 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3475 /* get a source address of inbound SA */
3476 error = ipsecdoi_id2sockaddr(iph2->id_p,
3477 (struct sockaddr *)&spidx.src,
3478 &spidx.prefs, &spidx.ul_proto);
3479 if (error)
3480 goto purge;
3481
3482 #ifdef INET6
3483 /*
3484 * get scopeid from the SA address.
3485 * for more detail, see above of this function.
3486 */
3487 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
3488 error =
3489 setscopeid((struct sockaddr *)&spidx.src,
3490 iph2->dst);
3491 if (error)
3492 goto purge;
3493 }
3494 #endif
3495
3496 /* make id[src,dst] if both ID types are IP address and same */
3497 if (_XIDT(iph2->id_p) == idi2type
3498 && spidx.dst.ss_family == spidx.src.ss_family) {
3499 iph2->src_id =
3500 dupsaddr((struct sockaddr *)&spidx.dst);
3501 iph2->dst_id =
3502 dupsaddr((struct sockaddr *)&spidx.src);
3503 }
3504
3505 } else {
3506 plog(LLV_DEBUG, LOCATION, NULL,
3507 "get a source address of SP index "
3508 "from phase1 address "
3509 "due to no ID payloads found "
3510 "OR because ID type is not address.\n");
3511
3512 /* see above comment. */
3513 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
3514 switch (spidx.src.ss_family) {
3515 case AF_INET:
3516 spidx.prefs =
3517 sizeof(struct in_addr) << 3;
3518 break;
3519 #ifdef INET6
3520 case AF_INET6:
3521 spidx.prefs =
3522 sizeof(struct in6_addr) << 3;
3523 break;
3524 #endif
3525 default:
3526 spidx.prefs = 0;
3527 break;
3528 }
3529 }
3530
3531 #undef _XIDT
3532
3533 plog(LLV_DEBUG, LOCATION, NULL,
3534 "get a src address from ID payload "
3535 "%s prefixlen=%u ul_proto=%u\n",
3536 saddr2str((struct sockaddr *)&spidx.src),
3537 spidx.prefs, spidx.ul_proto);
3538 plog(LLV_DEBUG, LOCATION, NULL,
3539 "get dst address from ID payload "
3540 "%s prefixlen=%u ul_proto=%u\n",
3541 saddr2str((struct sockaddr *)&spidx.dst),
3542 spidx.prefd, spidx.ul_proto);
3543
3544 /*
3545 * convert the ul_proto if it is 0
3546 * because 0 in ID payload means a wild card.
3547 */
3548 if (spidx.ul_proto == 0)
3549 spidx.ul_proto = IPSEC_ULPROTO_ANY;
3550
3551 #undef _XIDT
3552
3553 /* End of code from get_proposal_r
3554 */
3555
3556 if (pk_sendspddelete(iph2) < 0) {
3557 plog(LLV_ERROR, LOCATION, NULL,
3558 "pfkey spddelete(inbound) failed.\n");
3559 }else{
3560 plog(LLV_DEBUG, LOCATION, NULL,
3561 "pfkey spddelete(inbound) sent.\n");
3562 }
3563
3564 #ifdef HAVE_POLICY_FWD
3565 /* make forward policy if required */
3566 if (tunnel_mode_prop(iph2->approval)) {
3567 spidx.dir = IPSEC_DIR_FWD;
3568 if (pk_sendspddelete(iph2) < 0) {
3569 plog(LLV_ERROR, LOCATION, NULL,
3570 "pfkey spddelete(forward) failed.\n");
3571 }else{
3572 plog(LLV_DEBUG, LOCATION, NULL,
3573 "pfkey spddelete(forward) sent.\n");
3574 }
3575 }
3576 #endif
3577
3578 /* make outbound policy */
3579 iph2->src = src;
3580 iph2->dst = dst;
3581 spidx.dir = IPSEC_DIR_OUTBOUND;
3582 addr = spidx.src;
3583 spidx.src = spidx.dst;
3584 spidx.dst = addr;
3585 pref = spidx.prefs;
3586 spidx.prefs = spidx.prefd;
3587 spidx.prefd = pref;
3588
3589 if (pk_sendspddelete(iph2) < 0) {
3590 plog(LLV_ERROR, LOCATION, NULL,
3591 "pfkey spddelete(outbound) failed.\n");
3592 }else{
3593 plog(LLV_DEBUG, LOCATION, NULL,
3594 "pfkey spddelete(outbound) sent.\n");
3595 }
3596 purge:
3597 iph2->spidx_gen=NULL;
3598 }
3599 }
3600
3601 #ifdef INET6
3602 u_int32_t
3603 setscopeid(sp_addr0, sa_addr0)
3604 struct sockaddr *sp_addr0, *sa_addr0;
3605 {
3606 struct sockaddr_in6 *sp_addr, *sa_addr;
3607
3608 sp_addr = (struct sockaddr_in6 *)sp_addr0;
3609 sa_addr = (struct sockaddr_in6 *)sa_addr0;
3610
3611 if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
3612 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
3613 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
3614 return 0;
3615
3616 /* this check should not be here ? */
3617 if (sa_addr->sin6_family != AF_INET6) {
3618 plog(LLV_ERROR, LOCATION, NULL,
3619 "can't get scope ID: family mismatch\n");
3620 return -1;
3621 }
3622
3623 if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
3624 plog(LLV_ERROR, LOCATION, NULL,
3625 "scope ID is not supported except of lladdr.\n");
3626 return -1;
3627 }
3628
3629 sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;
3630
3631 return 0;
3632 }
3633 #endif
mirror of ipsec