]> git.saurik.com Git - apple/network_cmds.git/blame - racoon.tproj/isakmp.c
projects / apple / network_cmds.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
network_cmds-176.2.1.tar.gz
[apple/network_cmds.git] / racoon.tproj / isakmp.c
CommitLineData
ac2f15b3 1/* $KAME: isakmp.c,v 1.176 2002/08/28 04:08:30 itojun Exp $ */
7ba0088d
A		 2
3/*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32#include <sys/types.h>
33#include <sys/param.h>
34#include <sys/socket.h>
35#include <sys/queue.h>
36
37#include <netkey/key_var.h>
38#include <netinet/in.h>
39
40#include <stdlib.h>
41#include <stdio.h>
42#include <string.h>
43#include <errno.h>
44#if TIME_WITH_SYS_TIME
45# include <sys/time.h>
46# include <time.h>
47#else
48# if HAVE_SYS_TIME_H
49# include <sys/time.h>
50# else
51# include <time.h>
52# endif
53#endif
54#include <netdb.h>
55#ifdef HAVE_UNISTD_H
56#include <unistd.h>
57#endif
58#include <ctype.h>
59
60#if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO)
61#include "addrinfo.h"
62#endif
63
64#include "var.h"
65#include "misc.h"
66#include "vmbuf.h"
67#include "plog.h"
68#include "sockmisc.h"
69#include "schedule.h"
70#include "debug.h"
71
72#include "remoteconf.h"
73#include "localconf.h"
74#include "grabmyaddr.h"
75#include "isakmp_var.h"
76#include "isakmp.h"
77#include "oakley.h"
78#include "handler.h"
79#include "ipsec_doi.h"
80#include "pfkey.h"
81#include "crypto_openssl.h"
82#include "policy.h"
83#include "isakmp_ident.h"
84#include "isakmp_agg.h"
85#include "isakmp_base.h"
86#include "isakmp_quick.h"
87#include "isakmp_inf.h"
88#include "isakmp_newg.h"
89#include "strnames.h"
ac2f15b3
A		 90#ifndef HAVE_ARC4RANDOM
91#include "arc4random.h"
92#endif
7ba0088d
A		 93
94static int nostate1 __P((struct ph1handle *, vchar_t *));
95static int nostate2 __P((struct ph2handle *, vchar_t *));
96
97extern caddr_t val2str(const char *, size_t);
98
99static int (*ph1exchange[][2][PHASE1ST_MAX])
100 __P((struct ph1handle *, vchar_t *)) = {
101 /* error */
102 { {}, {}, },
103 /* Identity Protection exchange */
104 {
105 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
106 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
107 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
108 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
109 },
110 /* Aggressive exchange */
111 {
112 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
113 nostate1, nostate1, nostate1, nostate1, nostate1, },
114 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
115 nostate1, nostate1, nostate1, nostate1, nostate1, },
116 },
117 /* Base exchange */
118 {
119 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
120 base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
121 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
122 nostate1, nostate1, nostate1, nostate1, nostate1, },
123 },
124};
125
126static int (*ph2exchange[][2][PHASE2ST_MAX])
127 __P((struct ph2handle *, vchar_t *)) = {
128 /* error */
129 { {}, {}, },
130 /* Quick mode for IKE*/
131 {
132 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
133 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
134 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
135 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
136 },
137};
138
139static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
140
141static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
142static int ph1_main __P((struct ph1handle *, vchar_t *));
143static int quick_main __P((struct ph2handle *, vchar_t *));
144static int isakmp_ph1begin_r __P((vchar_t *,
145 struct sockaddr *, struct sockaddr *, u_int8_t));
146static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
147static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
148static int etypesw1 __P((int));
149static int etypesw2 __P((int));
150
151/*
152 * isakmp packet handler
153 */
154int
155isakmp_handler(so_isakmp)
156 int so_isakmp;
157{
158 struct isakmp isakmp;
159 struct sockaddr_storage remote;
160 struct sockaddr_storage local;
161 int remote_len = sizeof(remote);
162 int local_len = sizeof(local);
163 int len;
164 u_short port;
165 vchar_t *buf = NULL;
166 int error = -1;
167
168 /* read message by MSG_PEEK */
169 while ((len = recvfromto(so_isakmp, (char *)&isakmp, sizeof(isakmp),
170 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
171 (struct sockaddr *)&local, &local_len)) < 0) {
172 if (errno == EINTR)
173 continue;
174 plog(LLV_ERROR, LOCATION, NULL,
175 "failed to receive isakmp packet\n");
176 goto end;
177 }
178
ac2f15b3
A		 179 /* check isakmp header length, as well as sanity of header length */
180 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
7ba0088d
A		 181 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
182 "packet shorter than isakmp header size.\n");
183 /* dummy receive */
184 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
185 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
186 plog(LLV_ERROR, LOCATION, NULL,
187 "failed to receive isakmp packet\n");
188 }
189 goto end;
190 }
191
192 /* read real message */
193 if ((buf = vmalloc(ntohl(isakmp.len))) == NULL) {
194 plog(LLV_ERROR, LOCATION, NULL,
195 "failed to allocate reading buffer\n");
196 /* dummy receive */
197 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
198 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
199 plog(LLV_ERROR, LOCATION, NULL,
200 "failed to receive isakmp packet\n");
201 }
202 goto end;
203 }
204
205 while ((len = recvfromto(so_isakmp, buf->v, buf->l,
206 0, (struct sockaddr *)&remote, &remote_len,
207 (struct sockaddr *)&local, &local_len)) < 0) {
208 if (errno == EINTR)
209 continue;
210 plog(LLV_ERROR, LOCATION, NULL,
211 "failed to receive isakmp packet\n");
212 goto end;
213 }
214
215 if (len != buf->l) {
216 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
217 "received invalid length, why ?\n");
218 goto end;
219 }
220
221 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
222 plog(LLV_DEBUG, LOCATION, (struct sockaddr *)&local,
223 "%d bytes message received from %s\n",
224 len, saddr2str((struct sockaddr *)&remote));
225 plogdump(LLV_DEBUG, buf->v, buf->l);
226
227 /* avoid packets with malicious port/address */
228 switch (remote.ss_family) {
229 case AF_INET:
230 port = ((struct sockaddr_in *)&remote)->sin_port;
231 break;
232#ifdef INET6
233 case AF_INET6:
234 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
235 break;
236#endif
237 default:
238 plog(LLV_ERROR, LOCATION, NULL,
239 "invalid family: %d\n", remote.ss_family);
240 goto end;
241 }
242 if (port == 0) {
243 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
244 "src port == 0 (valid as UDP but not with IKE)\n");
245 goto end;
246 }
247
248 /* XXX: check sender whether to be allowed or not to accept */
249
250 /* XXX: I don't know how to check isakmp half connection attack. */
251
252 /* simply reply if the packet was processed. */
253 if (check_recvdpkt((struct sockaddr *)&remote,
254 (struct sockaddr *)&local, buf)) {
255 plog(LLV_NOTIFY, LOCATION, NULL,
256 "the packet is retransmitted by %s.\n",
257 saddr2str((struct sockaddr *)&remote));
258 error = 0;
259 goto end;
260 }
261
262 /* isakmp main routine */
263 if (isakmp_main(buf, (struct sockaddr *)&remote,
264 (struct sockaddr *)&local) != 0) goto end;
265
266 error = 0;
267
268end:
269 if (buf != NULL)
270 vfree(buf);
271
272 return(error);
273}
274
ac2f15b3
A		 275#ifdef IKE_NAT_T
276/*
277 * isakmp packet handler for natt port (4500)
278 */
279int
280isakmp_natt_handler(so_isakmp)
281 int so_isakmp;
282{
283 u_char temp_buffer[sizeof(struct isakmp) + 4];
284 struct isakmp *isakmp = (struct isakmp*)(temp_buffer + 4);
285 struct sockaddr_storage remote;
286 struct sockaddr_storage local;
287 int remote_len = sizeof(remote);
288 int local_len = sizeof(local);
289 int len;
290 u_short port;
291 vchar_t *buf = NULL;
292 int error = -1;
293
294 /* read message by MSG_PEEK */
295 while ((len = recvfromto(so_isakmp, temp_buffer, sizeof(temp_buffer),
296 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
297 (struct sockaddr *)&local, &local_len)) < 0) {
298 if (errno == EINTR)
299 continue;
300 plog(LLV_ERROR, LOCATION, NULL,
301 "failed to receive isakmp packet\n");
302 goto end;
303 }
304
305 /* remove the four bytes of zeros on nat traversal port */
306 if (*(u_long*)temp_buffer != 0L)
307 {
308 /*
309 * This is a UDP encapsulated IPSec packet,
310 * we should drop it.
311 *
312 * TBD: Need a way to read the packet.
313 * The kernel intercepts these packets on Mac OS X
314 * but not all kernels will handle this the same way.
315 */
316 goto end;
317 }
318
319 /* check isakmp header length */
320 if (len < sizeof(temp_buffer)) {
321 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
322 "packet shorter than isakmp header size.\n");
323 /* dummy receive */
324 if ((len = recvfrom(so_isakmp, (char *)temp_buffer, sizeof(temp_buffer),
325 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
326 plog(LLV_ERROR, LOCATION, NULL,
327 "failed to receive isakmp packet\n");
328 }
329 goto end;
330 }
331
332 /* read real message */
333 if ((buf = vmalloc(ntohl(isakmp->len) + 4)) == NULL) {
334 plog(LLV_ERROR, LOCATION, NULL,
335 "failed to allocate reading buffer\n");
336 /* dummy receive */
337 if ((len = recvfrom(so_isakmp, (char *)temp_buffer, sizeof(temp_buffer),
338 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
339 plog(LLV_ERROR, LOCATION, NULL,
340 "failed to receive isakmp packet\n");
341 }
342 goto end;
343 }
344
345 while ((len = recvfromto(so_isakmp, buf->v, buf->l,
346 0, (struct sockaddr *)&remote, &remote_len,
347 (struct sockaddr *)&local, &local_len)) < 0) {
348 if (errno == EINTR)
349 continue;
350 plog(LLV_ERROR, LOCATION, NULL,
351 "failed to receive isakmp packet\n");
352 goto end;
353 }
354
355 if (len != buf->l) {
356 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
357 "received invalid length, header says %d, packet is %d bytes why ?\n",
358 len, buf->l);
359 goto end;
360 }
361
362 /*
363 * Discard first 4 bytes, they're either:
364 * 0 - this is IKE traffic
365 * !0 - first four bytes are the SPI of a UDP encapsulated IPSec packet
366 * The seond type of packet should be interecepted by the kernel
367 * or dropped before we get to this point.
368 */
369 {
370 vchar_t *newbuf = vmalloc(buf->l - 4);
371 if (newbuf == NULL)
372 {
373 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
374 "couldn't allocate smaller buffer.\n");
375 goto end;
376 }
377 memcpy(newbuf->v, buf->v + 4, newbuf->l);
378 vfree(buf);
379 buf = newbuf;
380 len = buf->l;
381 }
382
383 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
384 plog(LLV_DEBUG, LOCATION, (struct sockaddr *)&local,
385 "%d bytes message received from %s\n",
386 len, saddr2str((struct sockaddr *)&remote));
387 plogdump(LLV_DEBUG, buf->v, buf->l);
388
389 /* avoid packets with malicious port/address */
390 switch (remote.ss_family) {
391 case AF_INET:
392 port = ((struct sockaddr_in *)&remote)->sin_port;
393 break;
394#ifdef INET6
395 case AF_INET6:
396 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
397 break;
398#endif
399 default:
400 plog(LLV_ERROR, LOCATION, NULL,
401 "invalid family: %d\n", remote.ss_family);
402 goto end;
403 }
404 if (port == 0) {
405 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
406 "src port == 0 (valid as UDP but not with IKE)\n");
407 goto end;
408 }
409
410 {
411 struct isakmp *isakmp = (struct isakmp*)buf->v;
412 plog(LLV_DEBUG, LOCATION, (struct sockaddr*)&remote,
413 "natt receiving packet %.8X%.8X:%.8X%.8X %u\n",
414 *(u_long*)isakmp->i_ck, *(u_long*)&isakmp->i_ck[4],
415 *(u_long*)isakmp->r_ck, *(u_long*)&isakmp->r_ck[4],
416 isakmp->msgid);
417 }
418
419 /* XXX: check sender whether to be allowed or not to accept */
420
421 /* XXX: I don't know how to check isakmp half connection attack. */
422
423 /* simply reply if the packet was processed. */
424 if (check_recvdpkt((struct sockaddr *)&remote,
425 (struct sockaddr *)&local, buf)) {
426 plog(LLV_NOTIFY, LOCATION, NULL,
427 "the packet is retransmitted by %s.\n",
428 saddr2str((struct sockaddr *)&remote));
429 error = 0;
430 goto end;
431 }
432
433 /* isakmp main routine */
434 if (isakmp_main(buf, (struct sockaddr *)&remote,
435 (struct sockaddr *)&local) != 0) goto end;
436
437 error = 0;
438
439end:
440 if (buf != NULL)
441 vfree(buf);
442
443 return(error);
444}
445#endif
446
447
7ba0088d
A		 448/*
449 * main processing to handle isakmp payload
450 */
451static int
452isakmp_main(msg, remote, local)
453 vchar_t *msg;
454 struct sockaddr *remote, *local;
455{
456 struct isakmp *isakmp = (struct isakmp *)msg->v;
457 isakmp_index *index = (isakmp_index *)isakmp;
458 u_int32_t msgid = isakmp->msgid;
459 struct ph1handle *iph1;
460
461#ifdef HAVE_PRINT_ISAKMP_C
462 isakmp_printpacket(msg, remote, local, 0);
463#endif
464
465 /* the initiator's cookie must not be zero */
466 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
467 plog(LLV_ERROR, LOCATION, remote,
468 "malformed cookie received.\n");
469 return -1;
470 }
471
472 /* Check the Major and Minor Version fields. */
473 /*
474 * XXX Is is right to check version here ?
475 * I think it may no be here because the version depends
476 * on exchange status.
477 */
478 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
479 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
480 plog(LLV_ERROR, LOCATION, remote,
481 "invalid major version %d.\n",
482 ISAKMP_GETMAJORV(isakmp->v));
483 return -1;
484 }
485#if ISAKMP_MINOR_VERSION > 0
486 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
487 plog(LLV_ERROR, LOCATION, remote,
488 "invalid minor version %d.\n",
489 ISAKMP_GETMINORV(isakmp->v));
490 return -1;
491 }
492#endif
493 }
494
495 /* check the Flags field. */
496 /* XXX How is the exclusive check, E and A ? */
497 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
498 plog(LLV_ERROR, LOCATION, remote,
499 "invalid flag 0x%02x.\n", isakmp->flags);
500 return -1;
501 }
502
503 /* ignore commit bit. */
504 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
505 if (isakmp->msgid == 0) {
506 isakmp_info_send_nx(isakmp, remote, local,
507 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
508 plog(LLV_ERROR, LOCATION, remote,
509 "Commit bit on phase1 forbidden.\n");
510 return -1;
511 }
512 }
513
514 iph1 = getph1byindex(index);
515 if (iph1 != NULL) {
516 /* validity check */
517 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
518 iph1->side == INITIATOR) {
519 plog(LLV_DEBUG, LOCATION, remote,
520 "malformed cookie received or "
521 "the initiator's cookies collide.\n");
522 return -1;
523 }
524
525 /* must be same addresses in one stream of a phase at least. */
526 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
ac2f15b3
A		 527#ifdef IKE_NAT_T
528 if (iph1->side == RESPONDER &&
529 (iph1->natt_flags & natt_remote_support) != 0 &&
530 cmpsaddrwop(iph1->remote, remote) == 0)
531 {
532 /*
533 * If the initiator detects a NAT it may switch to a
534 * new port. Technically, the remote address may change
535 * as well, depending on the NAT. Handling that would
536 * require more changes.
537 *
538 * We should record the new remote port so we can
539 * send
540 */
541 plog(LLV_WARNING, LOCATION, remote,
542 "remote port changed from %s\n", saddr2str(iph1->remote));
543 memcpy(iph1->remote, remote, iph1->remote->sa_len);
544 memcpy(iph1->local, local, iph1->local->sa_len);
545 }
546 else
547#endif
548 {
549 char *saddr_db, *saddr_act;
550
551 saddr_db = strdup(saddr2str(iph1->remote));
552 saddr_act = strdup(saddr2str(remote));
553
554 plog(LLV_WARNING, LOCATION, remote,
555 "remote address mismatched. db=%s, act=%s\n",
556 saddr_db, saddr_act);
557
558 racoon_free(saddr_db);
559 racoon_free(saddr_act);
560 }
7ba0088d
A		 561 }
562 /*
563 * don't check of exchange type here because other type will be
564 * with same index, for example, informational exchange.
565 */
566
567 /* XXX more acceptable check */
568 }
569
570 switch (isakmp->etype) {
571 case ISAKMP_ETYPE_IDENT:
572 case ISAKMP_ETYPE_AGG:
573 case ISAKMP_ETYPE_BASE:
574 /* phase 1 validity check */
575 if (isakmp->msgid != 0) {
576 plog(LLV_ERROR, LOCATION, remote,
577 "message id should be zero in phase1.\n");
578 return -1;
579 }
580
581 /* search for isakmp status record of phase 1 */
582 if (iph1 == NULL) {
583 /*
584 * the packet must be the 1st message from a initiator
585 * or the 2nd message from the responder.
586 */
587
588 /* search for phase1 handle by index without r_ck */
589 iph1 = getph1byindex0(index);
590 if (iph1 == NULL) {
591 /*it must be the 1st message from a initiator.*/
592 if (memcmp(&isakmp->r_ck, r_ck0,
593 sizeof(cookie_t)) != 0) {
594
595 plog(LLV_DEBUG, LOCATION, remote,
596 "malformed cookie received "
597 "or the spi expired.\n");
598 return -1;
599 }
600
601 /* it must be responder's 1st exchange. */
602 if (isakmp_ph1begin_r(msg, remote, local,
603 isakmp->etype) < 0)
604 return -1;
605 break;
606
607 /*NOTREACHED*/
608 }
609
610 /* it must be the 2nd message from the responder. */
611 if (iph1->side != INITIATOR) {
612 plog(LLV_DEBUG, LOCATION, remote,
613 "malformed cookie received. "
614 "it has to be as the initiator. %s\n",
615 isakmp_pindex(&iph1->index, 0));
616 return -1;
617 }
618 }
619
620 /*
621 * Don't delete phase 1 handler when the exchange type
622 * in handler is not equal to packet's one because of no
623 * authencication completed.
624 */
625 if (iph1->etype != isakmp->etype) {
626 plog(LLV_ERROR, LOCATION, iph1->remote,
627 "exchange type is mismatched: "
628 "db=%s packet=%s, ignore it.\n",
629 s_isakmp_etype(iph1->etype),
630 s_isakmp_etype(isakmp->etype));
631 return -1;
632 }
633
634 /* call main process of phase 1 */
635 if (ph1_main(iph1, msg) < 0) {
636 plog(LLV_ERROR, LOCATION, iph1->remote,
637 "phase1 negotiation failed.\n");
638 remph1(iph1);
639 delph1(iph1);
640 return -1;
641 }
642 break;
643
644 case ISAKMP_ETYPE_AUTH:
645 plog(LLV_INFO, LOCATION, remote,
646 "unsupported exchange %d received.\n",
647 isakmp->etype);
648 break;
649
650 case ISAKMP_ETYPE_INFO:
651 case ISAKMP_ETYPE_ACKINFO:
652 /*
653 * iph1 must be present for Information message.
654 * if iph1 is null then trying to get the phase1 status
655 * as the packet from responder againt initiator's 1st
656 * exchange in phase 1.
657 * NOTE: We think such informational exchange should be ignored.
658 */
659 if (iph1 == NULL) {
660 iph1 = getph1byindex0(index);
661 if (iph1 == NULL) {
662 plog(LLV_ERROR, LOCATION, remote,
663 "unknown Informational "
664 "exchange received.\n");
665 return -1;
666 }
667 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
668 plog(LLV_WARNING, LOCATION, remote,
669 "remote address mismatched. "
670 "db=%s\n",
671 saddr2str(iph1->remote));
672 }
673 }
674
675 if (isakmp_info_recv(iph1, msg) < 0)
676 return -1;
677 break;
678
679 case ISAKMP_ETYPE_QUICK:
680 {
681 struct ph2handle *iph2;
682
683 if (iph1 == NULL) {
684 isakmp_info_send_nx(isakmp, remote, local,
685 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
686 plog(LLV_ERROR, LOCATION, remote,
687 "can't start the quick mode, "
688 "there is no ISAKMP-SA, %s\n",
689 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
690 isakmp->msgid));
691 return -1;
692 }
693
694 /* check status of phase 1 whether negotiated or not. */
695 if (iph1->status != PHASE1ST_ESTABLISHED) {
696 plog(LLV_ERROR, LOCATION, remote,
697 "can't start the quick mode, "
698 "there is no valid ISAKMP-SA, %s\n",
699 isakmp_pindex(&iph1->index, iph1->msgid));
700 return -1;
701 }
702
703 /* search isakmp phase 2 stauts record. */
704 iph2 = getph2bymsgid(iph1, msgid);
705 if (iph2 == NULL) {
706 /* it must be new negotiation as responder */
707 if (isakmp_ph2begin_r(iph1, msg) < 0)
708 return -1;
709 return 0;
710 /*NOTREACHED*/
711 }
712
713 /* commit bit. */
714 /* XXX
715 * we keep to set commit bit during negotiation.
716 * When SA is configured, bit will be reset.
717 * XXX
718 * don't initiate commit bit. should be fixed in the future.
719 */
720 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
721 iph2->flags |= ISAKMP_FLAG_C;
722
723 /* call main process of quick mode */
724 if (quick_main(iph2, msg) < 0) {
725 plog(LLV_ERROR, LOCATION, iph1->remote,
726 "phase2 negotiation failed.\n");
727 unbindph12(iph2);
728 remph2(iph2);
729 delph2(iph2);
730 return -1;
731 }
732 }
733 break;
734
735 case ISAKMP_ETYPE_NEWGRP:
736 if (iph1 == NULL) {
737 plog(LLV_ERROR, LOCATION, remote,
738 "Unknown new group mode exchange, "
739 "there is no ISAKMP-SA.\n");
740 return -1;
741 }
742 isakmp_newgroup_r(iph1, msg);
743 break;
744
745 case ISAKMP_ETYPE_NONE:
746 default:
747 plog(LLV_ERROR, LOCATION, NULL,
748 "Invalid exchange type %d from %s.\n",
749 isakmp->etype, saddr2str(remote));
750 return -1;
751 }
752
753 return 0;
754}
755
756/*
757 * main function of phase 1.
758 */
759static int
760ph1_main(iph1, msg)
761 struct ph1handle *iph1;
762 vchar_t *msg;
763{
764 int error;
765#ifdef ENABLE_STATS
766 struct timeval start, end;
767#endif
768
769 /* ignore a packet */
770 if (iph1->status == PHASE1ST_ESTABLISHED)
771 return 0;
772
773#ifdef ENABLE_STATS
774 gettimeofday(&start, NULL);
775#endif
776 /* receive */
777 if (ph1exchange[etypesw1(iph1->etype)]
778 [iph1->side]
779 [iph1->status] == NULL) {
780 plog(LLV_ERROR, LOCATION, iph1->remote,
781 "why isn't the function defined.\n");
782 return -1;
783 }
784 error = (ph1exchange[etypesw1(iph1->etype)]
785 [iph1->side]
786 [iph1->status])(iph1, msg);
787 if (error != 0) {
788#if 0
789 /* XXX
790 * When an invalid packet is received on phase1, it should
791 * be selected to process this packet. That is to respond
792 * with a notify and delete phase 1 handler, OR not to respond
793 * and keep phase 1 handler.
794 */
795 plog(LLV_ERROR, LOCATION, iph1->remote,
796 "failed to pre-process packet.\n");
797 return -1;
798#else
799 /* ignore the error and keep phase 1 handler */
800 return 0;
801#endif
802 }
803
804 /* free resend buffer */
805 if (iph1->sendbuf == NULL) {
806 plog(LLV_ERROR, LOCATION, NULL,
807 "no buffer found as sendbuf\n");
808 return -1;
809 }
810 vfree(iph1->sendbuf);
811 iph1->sendbuf = NULL;
812
813 /* turn off schedule */
814 if (iph1->scr)
815 SCHED_KILL(iph1->scr);
816
817 /* send */
818 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
819 if ((ph1exchange[etypesw1(iph1->etype)]
820 [iph1->side]
821 [iph1->status])(iph1, msg) != 0) {
822 plog(LLV_ERROR, LOCATION, iph1->remote,
823 "failed to process packet.\n");
824 return -1;
825 }
826
827#ifdef ENABLE_STATS
828 gettimeofday(&end, NULL);
829 syslog(LOG_NOTICE, "%s(%s): %8.6f",
830 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
831 timedelta(&start, &end));
832#endif
833 if (iph1->status == PHASE1ST_ESTABLISHED) {
834
835#ifdef ENABLE_STATS
836 gettimeofday(&iph1->end, NULL);
837 syslog(LOG_NOTICE, "%s(%s): %8.6f",
838 "phase1", s_isakmp_etype(iph1->etype),
839 timedelta(&iph1->start, &iph1->end));
840#endif
841
842 /* save created date. */
843 (void)time(&iph1->created);
844
845 /* add to the schedule to expire, and seve back pointer. */
846 iph1->sce = sched_new(iph1->approval->lifetime,
847 isakmp_ph1expire_stub, iph1);
848
849 /* INITIAL-CONTACT processing */
850 /* don't anything if local test mode. */
851 if (!f_local
852 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
853 /* send INITIAL-CONTACT */
854 isakmp_info_send_n1(iph1,
855 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
856 /* insert a node into contacted list. */
857 if (inscontacted(iph1->remote) == -1) {
858 plog(LLV_ERROR, LOCATION, iph1->remote,
859 "failed to add contacted list.\n");
860 /* ignore */
861 }
862 }
863
864 log_ph1established(iph1);
865 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
866 }
867
868 return 0;
869}
870
871/*
872 * main function of quick mode.
873 */
874static int
875quick_main(iph2, msg)
876 struct ph2handle *iph2;
877 vchar_t *msg;
878{
879 struct isakmp *isakmp = (struct isakmp *)msg->v;
880 int error;
881#ifdef ENABLE_STATS
882 struct timeval start, end;
883#endif
884
885 /* ignore a packet */
886 if (iph2->status == PHASE2ST_ESTABLISHED
887 || iph2->status == PHASE2ST_GETSPISENT)
888 return 0;
889
890#ifdef ENABLE_STATS
891 gettimeofday(&start, NULL);
892#endif
893
894 /* receive */
895 if (ph2exchange[etypesw2(isakmp->etype)]
896 [iph2->side]
897 [iph2->status] == NULL) {
898 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
899 "why isn't the function defined.\n");
900 return -1;
901 }
902 error = (ph2exchange[etypesw2(isakmp->etype)]
903 [iph2->side]
904 [iph2->status])(iph2, msg);
905 if (error != 0) {
906 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
907 "failed to pre-process packet.\n");
908 if (error == ISAKMP_INTERNAL_ERROR)
909 return 0;
910 isakmp_info_send_n1(iph2->ph1, error, NULL);
911 return -1;
912 }
913
914 /* when using commit bit, status will be reached here. */
915 if (iph2->status == PHASE2ST_ADDSA)
916 return 0;
917
918 /* free resend buffer */
919 if (iph2->sendbuf == NULL) {
920 plog(LLV_ERROR, LOCATION, NULL,
921 "no buffer found as sendbuf\n");
922 return -1;
923 }
924 vfree(iph2->sendbuf);
925 iph2->sendbuf = NULL;
926
927 /* turn off schedule */
928 if (iph2->scr)
929 SCHED_KILL(iph2->scr);
930
931 /* send */
932 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
933 if ((ph2exchange[etypesw2(isakmp->etype)]
934 [iph2->side]
935 [iph2->status])(iph2, msg) != 0) {
936 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
937 "failed to process packet.\n");
938 return -1;
939 }
940
941#ifdef ENABLE_STATS
942 gettimeofday(&end, NULL);
943 syslog(LOG_NOTICE, "%s(%s): %8.6f",
944 "phase2",
945 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
946 timedelta(&start, &end));
947#endif
948
949 return 0;
950}
951
952/* new negotiation of phase 1 for initiator */
953int
954isakmp_ph1begin_i(rmconf, remote)
955 struct remoteconf *rmconf;
956 struct sockaddr *remote;
957{
958 struct ph1handle *iph1;
959#ifdef ENABLE_STATS
960 struct timeval start, end;
961#endif
962
963 /* get new entry to isakmp status table. */
964 iph1 = newph1();
965 if (iph1 == NULL)
966 return -1;
967
968 iph1->status = PHASE1ST_START;
969 iph1->rmconf = rmconf;
970 iph1->side = INITIATOR;
971 iph1->version = ISAKMP_VERSION_NUMBER;
972 iph1->msgid = 0;
973 iph1->flags = 0;
974 iph1->ph2cnt = 0;
975#ifdef HAVE_GSSAPI
976 iph1->gssapi_state = NULL;
977#endif
978 iph1->approval = NULL;
979
980 /* XXX copy remote address */
981 if (copy_ph1addresses(iph1, rmconf, remote, NULL) < 0)
982 return -1;
983
984 (void)insph1(iph1);
985
986 /* start phase 1 exchange */
987 iph1->etype = rmconf->etypes->type;
988
989 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
990 {
991 char *a;
992
993 a = strdup(saddr2str(iph1->local));
994 plog(LLV_INFO, LOCATION, NULL,
995 "initiate new phase 1 negotiation: %s<=>%s\n",
996 a, saddr2str(iph1->remote));
997 racoon_free(a);
998 }
999 plog(LLV_INFO, LOCATION, NULL,
1000 "begin %s mode.\n",
1001 s_isakmp_etype(iph1->etype));
1002
1003#ifdef ENABLE_STATS
1004 gettimeofday(&iph1->start, NULL);
1005 gettimeofday(&start, NULL);
1006#endif
1007 /* start exchange */
1008 if ((ph1exchange[etypesw1(iph1->etype)]
1009 [iph1->side]
1010 [iph1->status])(iph1, NULL) != 0) {
1011 /* failed to start phase 1 negotiation */
1012 remph1(iph1);
1013 delph1(iph1);
1014
1015 return -1;
1016 }
1017
1018#ifdef ENABLE_STATS
1019 gettimeofday(&end, NULL);
1020 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1021 "phase1",
1022 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1023 timedelta(&start, &end));
1024#endif
1025
1026 return 0;
1027}
1028
1029/* new negotiation of phase 1 for responder */
1030static int
1031isakmp_ph1begin_r(msg, remote, local, etype)
1032 vchar_t *msg;
1033 struct sockaddr *remote, *local;
1034 u_int8_t etype;
1035{
1036 struct isakmp *isakmp = (struct isakmp *)msg->v;
1037 struct remoteconf *rmconf;
1038 struct ph1handle *iph1;
1039 struct etypes *etypeok;
1040#ifdef ENABLE_STATS
1041 struct timeval start, end;
1042#endif
1043
1044 /* look for my configuration */
1045 rmconf = getrmconf(remote);
1046 if (rmconf == NULL) {
1047 plog(LLV_ERROR, LOCATION, remote,
1048 "couldn't find "
1049 "configuration.\n");
1050 return -1;
1051 }
1052
1053 /* check to be acceptable exchange type */
1054 etypeok = check_etypeok(rmconf, etype);
1055 if (etypeok == NULL) {
1056 plog(LLV_ERROR, LOCATION, remote,
1057 "not acceptable %s mode\n", s_isakmp_etype(etype));
1058 return -1;
1059 }
1060
1061 /* get new entry to isakmp status table. */
1062 iph1 = newph1();
1063 if (iph1 == NULL)
1064 return -1;
1065
1066 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1067 iph1->status = PHASE1ST_START;
1068 iph1->rmconf = rmconf;
1069 iph1->flags = 0;
1070 iph1->side = RESPONDER;
1071 iph1->etype = etypeok->type;
1072 iph1->version = isakmp->v;
1073 iph1->msgid = 0;
1074#ifdef HAVE_GSSAPI
1075 iph1->gssapi_state = NULL;
1076#endif
1077 iph1->approval = NULL;
1078
1079 /* copy remote address */
1080 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
1081 return -1;
1082
1083 (void)insph1(iph1);
1084
1085 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1086 {
1087 char *a;
1088
1089 a = strdup(saddr2str(iph1->local));
1090 plog(LLV_INFO, LOCATION, NULL,
1091 "respond new phase 1 negotiation: %s<=>%s\n",
1092 a, saddr2str(iph1->remote));
1093 racoon_free(a);
1094 }
1095 plog(LLV_INFO, LOCATION, NULL,
1096 "begin %s mode.\n", s_isakmp_etype(etype));
1097
1098#ifdef ENABLE_STATS
1099 gettimeofday(&iph1->start, NULL);
1100 gettimeofday(&start, NULL);
1101#endif
1102 /* start exchange */
1103 if ((ph1exchange[etypesw1(iph1->etype)]
1104 [iph1->side]
1105 [iph1->status])(iph1, msg) < 0
1106 || (ph1exchange[etypesw1(iph1->etype)]
1107 [iph1->side]
1108 [iph1->status])(iph1, msg) < 0) {
1109 plog(LLV_ERROR, LOCATION, remote,
1110 "failed to process packet.\n");
1111 remph1(iph1);
1112 delph1(iph1);
1113 return -1;
1114 }
1115#ifdef ENABLE_STATS
1116 gettimeofday(&end, NULL);
1117 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1118 "phase1",
1119 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1120 timedelta(&start, &end));
1121#endif
1122
1123 return 0;
1124}
1125
1126/* new negotiation of phase 2 for initiator */
1127static int
1128isakmp_ph2begin_i(iph1, iph2)
1129 struct ph1handle *iph1;
1130 struct ph2handle *iph2;
1131{
1132 /* found ISAKMP-SA. */
1133 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1134 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1135 {
1136 char *a;
1137 a = strdup(saddr2str(iph2->src));
1138 plog(LLV_INFO, LOCATION, NULL,
1139 "initiate new phase 2 negotiation: %s<=>%s\n",
1140 a, saddr2str(iph2->dst));
1141 racoon_free(a);
1142 }
1143
1144#ifdef ENABLE_STATS
1145 gettimeofday(&iph2->start, NULL);
1146#endif
1147 /* found isakmp-sa */
1148 bindph12(iph1, iph2);
1149 iph2->status = PHASE2ST_STATUS2;
1150
1151 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1152 [iph2->side]
1153 [iph2->status])(iph2, NULL) < 0) {
1154 unbindph12(iph2);
1155 /* release ipsecsa handler due to internal error. */
1156 remph2(iph2);
1157 delph2(iph2);
1158 return -1;
1159 }
1160 return 0;
1161}
1162
1163/* new negotiation of phase 2 for responder */
1164static int
1165isakmp_ph2begin_r(iph1, msg)
1166 struct ph1handle *iph1;
1167 vchar_t *msg;
1168{
1169 struct isakmp *isakmp = (struct isakmp *)msg->v;
1170 struct ph2handle *iph2 = 0;
1171 int error;
1172#ifdef ENABLE_STATS
1173 struct timeval start, end;
1174#endif
1175
1176 iph2 = newph2();
1177 if (iph2 == NULL) {
1178 plog(LLV_ERROR, LOCATION, NULL,
1179 "failed to allocate phase2 entry.\n");
1180 return -1;
1181 }
1182
1183 iph2->ph1 = iph1;
1184 iph2->side = RESPONDER;
1185 iph2->status = PHASE2ST_START;
1186 iph2->flags = isakmp->flags;
1187 iph2->msgid = isakmp->msgid;
1188 iph2->seq = pk_getseq();
1189 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1190 if (iph2->ivm == NULL) {
1191 delph2(iph2);
1192 return -1;
1193 }
1194 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1195 if (iph2->dst == NULL) {
1196 delph2(iph2);
1197 return -1;
1198 }
1199 switch (iph2->dst->sa_family) {
1200 case AF_INET:
1201 ((struct sockaddr_in *)iph2->dst)->sin_port = 0;
1202 break;
1203#ifdef INET6
1204 case AF_INET6:
1205 ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
1206 break;
1207#endif
1208 default:
1209 plog(LLV_ERROR, LOCATION, NULL,
1210 "invalid family: %d\n", iph2->dst->sa_family);
1211 delph2(iph2);
1212 return -1;
1213 }
1214
1215 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1216 if (iph2->src == NULL) {
1217 delph2(iph2);
1218 return -1;
1219 }
1220 switch (iph2->src->sa_family) {
1221 case AF_INET:
1222 ((struct sockaddr_in *)iph2->src)->sin_port = 0;
1223 break;
1224#ifdef INET6
1225 case AF_INET6:
1226 ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
1227 break;
1228#endif
1229 default:
1230 plog(LLV_ERROR, LOCATION, NULL,
1231 "invalid family: %d\n", iph2->src->sa_family);
1232 delph2(iph2);
1233 return -1;
1234 }
1235
1236 /* add new entry to isakmp status table */
1237 insph2(iph2);
1238 bindph12(iph1, iph2);
1239
1240 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1241 {
1242 char *a;
1243
1244 a = strdup(saddr2str(iph2->src));
1245 plog(LLV_INFO, LOCATION, NULL,
1246 "respond new phase 2 negotiation: %s<=>%s\n",
1247 a, saddr2str(iph2->dst));
1248 racoon_free(a);
1249 }
1250
1251#ifdef ENABLE_STATS
1252 gettimeofday(&start, NULL);
1253#endif
1254
1255 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1256 [iph2->side]
1257 [iph2->status])(iph2, msg);
1258 if (error != 0) {
1259 plog(LLV_ERROR, LOCATION, iph1->remote,
1260 "failed to pre-process packet.\n");
1261 if (error != ISAKMP_INTERNAL_ERROR)
1262 isakmp_info_send_n1(iph2->ph1, error, NULL);
1263 /*
1264 * release handler because it's wrong that ph2handle is kept
1265 * after failed to check message for responder's.
1266 */
1267 unbindph12(iph2);
1268 remph2(iph2);
1269 delph2(iph2);
1270 return -1;
1271 }
1272
1273 /* send */
1274 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1275 if ((ph2exchange[etypesw2(isakmp->etype)]
1276 [iph2->side]
1277 [iph2->status])(iph2, msg) < 0) {
1278 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1279 "failed to process packet.\n");
1280 /* don't release handler */
1281 return -1;
1282 }
1283#ifdef ENABLE_STATS
1284 gettimeofday(&end, NULL);
1285 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1286 "phase2",
1287 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1288 timedelta(&start, &end));
1289#endif
1290
1291 return 0;
1292}
1293
1294/*
1295 * parse ISAKMP payloads, without ISAKMP base header.
1296 */
1297vchar_t *
1298isakmp_parsewoh(np0, gen, len)
1299 int np0;
1300 struct isakmp_gen *gen;
1301 int len;
1302{
1303 u_char np = np0 & 0xff;
1304 int tlen, plen;
1305 vchar_t *result;
1306 struct isakmp_parse_t *p, *ep;
1307
1308 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1309
1310 /*
1311 * 5 is a magic number, but any value larger than 2 should be fine
1312 * as we do vrealloc() in the following loop.
1313 */
1314 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1315 if (result == NULL) {
1316 plog(LLV_ERROR, LOCATION, NULL,
1317 "failed to get buffer.\n");
1318 return NULL;
1319 }
1320 p = (struct isakmp_parse_t *)result->v;
1321 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1322
1323 tlen = len;
1324
1325 /* parse through general headers */
1326 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1327 if (tlen <= sizeof(struct isakmp_gen)) {
1328 /* don't send information, see isakmp_ident_r1() */
1329 plog(LLV_ERROR, LOCATION, NULL,
1330 "invalid length of payload\n");
1331 vfree(result);
1332 return NULL;
1333 }
1334
1335 plog(LLV_DEBUG, LOCATION, NULL,
1336 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1337
1338 p->type = np;
1339 p->len = ntohs(gen->len);
1340 if (p->len == 0 || p->len > tlen) {
1341 plog(LLV_DEBUG, LOCATION, NULL,
1342 "invalid length of payload\n");
1343 vfree(result);
1344 return NULL;
1345 }
1346 p->ptr = gen;
1347 p++;
1348 if (ep <= p) {
1349 int off;
1350
1351 off = p - (struct isakmp_parse_t *)result->v;
1352 result = vrealloc(result, result->l * 2);
1353 if (result == NULL) {
1354 plog(LLV_DEBUG, LOCATION, NULL,
1355 "failed to realloc buffer.\n");
1356 vfree(result);
1357 return NULL;
1358 }
1359 ep = (struct isakmp_parse_t *)
1360 (result->v + result->l - sizeof(*ep));
1361 p = (struct isakmp_parse_t *)result->v;
1362 p += off;
1363 }
1364
1365 np = gen->np;
1366 plen = ntohs(gen->len);
1367 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1368 tlen -= plen;
1369 }
1370 p->type = ISAKMP_NPTYPE_NONE;
1371 p->len = 0;
1372 p->ptr = NULL;
1373
1374 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1375
1376 return result;
1377}
1378
1379/*
1380 * parse ISAKMP payloads, including ISAKMP base header.
1381 */
1382vchar_t *
1383isakmp_parse(buf)
1384 vchar_t *buf;
1385{
1386 struct isakmp *isakmp = (struct isakmp *)buf->v;
1387 struct isakmp_gen *gen;
1388 int tlen;
1389 vchar_t *result;
1390 u_char np;
1391
1392 np = isakmp->np;
1393 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1394 tlen = buf->l - sizeof(struct isakmp);
1395 result = isakmp_parsewoh(np, gen, tlen);
1396
1397 return result;
1398}
1399
1400/* %%% */
1401int
1402isakmp_init()
1403{
1404 /* initialize a isakmp status table */
1405 initph1tree();
1406 initph2tree();
1407 initctdtree();
1408 init_recvdpkt();
1409
7ba0088d
A		 1410 if (isakmp_open() < 0)
1411 goto err;
1412
1413 return(0);
1414
1415err:
1416 isakmp_close();
1417 return(-1);
1418}
1419
1420/*
1421 * make strings containing i_cookie + r_cookie + msgid
1422 */
1423const char *
1424isakmp_pindex(index, msgid)
1425 const isakmp_index *index;
1426 const u_int32_t msgid;
1427{
1428 static char buf[64];
1429 const u_char *p;
1430 int i, j;
1431
1432 memset(buf, 0, sizeof(buf));
1433
1434 /* copy index */
1435 p = (const u_char *)index;
1436 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1437 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1438 j += 2;
1439 switch (i) {
1440 case 7:
1441 buf[j++] = ':';
1442 }
1443 }
1444
1445 if (msgid == 0)
1446 return buf;
1447
1448 /* copy msgid */
1449 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1450
1451 return buf;
1452}
1453
7ba0088d 1454int
ac2f15b3 1455isakmp_setup_socket(struct sockaddr* in_addr)
7ba0088d 1456{
ac2f15b3 1457 int sock = -1;
7ba0088d 1458 const int yes = 1;
7ba0088d
A		 1459#ifdef INET6
1460 int pktinfo;
1461#endif
ac2f15b3
A		 1462 if ((sock = socket(in_addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1463 plog(LLV_ERROR, LOCATION, NULL,
1464 "socket (%s)\n", strerror(errno));
1465 return -1;
1466 }
1467
1468 /* receive my interface address on inbound packets. */
1469 switch (in_addr->sa_family) {
1470 case AF_INET:
1471 if (setsockopt(sock, IPPROTO_IP, IP_RECVDSTADDR,
1472 (const void *)&yes, sizeof(yes)) < 0) {
1473 plog(LLV_ERROR, LOCATION, NULL,
1474 "setsockopt (%s)\n", strerror(errno));
1475 close(sock);
1476 return -1;
1477 }
1478 break;
1479#ifdef INET6
1480 case AF_INET6:
1481#ifdef ADVAPI
1482#ifdef IPV6_RECVPKTINFO
1483 pktinfo = IPV6_RECVPKTINFO;
1484#else /* old adv. API */
1485 pktinfo = IPV6_PKTINFO;
1486#endif /* IPV6_RECVPKTINFO */
1487#else
1488 pktinfo = IPV6_RECVDSTADDR;
1489#endif
1490 if (setsockopt(sock, IPPROTO_IPV6, pktinfo,
1491 (const void *)&yes, sizeof(yes)) < 0)
1492 {
1493 plog(LLV_ERROR, LOCATION, NULL,
1494 "setsockopt(%d): %s\n",
1495 pktinfo, strerror(errno));
1496 close(sock);
1497 return -1;
1498 }
1499 break;
1500#endif
1501 }
1502
1503#ifdef IPV6_USE_MIN_MTU
1504 if (in_addr->sa_family == AF_INET6 &&
1505 setsockopt(sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1506 (void *)&yes, sizeof(yes)) < 0) {
1507 plog(LLV_ERROR, LOCATION, NULL,
1508 "setsockopt (%s)\n", strerror(errno));
1509 close(sock);
1510 return -1;
1511 }
1512#endif
1513
1514 if (setsockopt_bypass(sock, in_addr->sa_family) < 0) {
1515 close(sock);
1516 return -1;
1517 }
1518
1519 if (bind(sock, in_addr, in_addr->sa_len) < 0) {
1520 plog(LLV_ERROR, LOCATION, in_addr,
1521 "failed to bind (%s).\n", strerror(errno));
1522 close(sock);
1523 return -1;
1524 }
1525
1526 return sock;
1527}
1528
1529/* open ISAKMP sockets. */
1530int
1531isakmp_open()
1532{
1533 int ifnum;
7ba0088d
A		 1534 struct myaddrs *p;
1535
1536 ifnum = 0;
1537 for (p = lcconf->myaddrs; p; p = p->next) {
1538 if (!p->addr)
1539 continue;
1540
1541 /* warn if wildcard address - should we forbid this? */
1542 switch (p->addr->sa_family) {
1543 case AF_INET:
1544 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
1545 plog(LLV_WARNING, LOCATION, NULL,
1546 "listening to wildcard address,"
1547 "broadcast IKE packet may kill you\n");
1548 break;
1549#ifdef INET6
1550 case AF_INET6:
1551 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
1552 plog(LLV_WARNING, LOCATION, NULL,
1553 "listening to wildcard address, "
1554 "broadcast IKE packet may kill you\n");
1555 break;
1556#endif
1557 default:
1558 plog(LLV_ERROR, LOCATION, NULL,
1559 "unsupported address family %d\n",
1560 lcconf->default_af);
1561 goto err_and_next;
1562 }
ac2f15b3
A		 1563
1564 p->sock = isakmp_setup_socket(p->addr);
1565 if (p->sock < 0) goto err_and_next;
7ba0088d 1566
ac2f15b3
A		 1567 plog(LLV_DEBUG, LOCATION, NULL,
1568 "%s used as isakmp port (fd=%d)\n",
1569 saddr2str(p->addr), p->sock);
7ba0088d 1570
ac2f15b3
A		 1571 ifnum++;
1572
1573#ifdef IKE_NAT_T
1574 /*
1575 * We have to listen on 4500 in addition to 500 with IPv4
1576 * to support NAT traversal.
1577 */
1578 if (p->addr->sa_family == AF_INET)
1579 {
1580 struct sockaddr_in sin = *(struct sockaddr_in*)p->addr;
1581
1582 sin.sin_port = ntohs(PORT_ISAKMP_NATT);
1583 p->nattsock = isakmp_setup_socket((struct sockaddr*)&sin);
1584 if (p->nattsock >= 0)
7ba0088d 1585 {
ac2f15b3
A		 1586 plog(LLV_DEBUG, LOCATION, NULL,
1587 "%s used as nat-t isakmp port (fd=%d)\n",
1588 saddr2str((struct sockaddr*)&sin), p->nattsock);
7ba0088d 1589 }
7ba0088d
A		 1590 }
1591#endif
1592
7ba0088d
A		 1593 continue;
1594
1595 err_and_next:
1596 racoon_free(p->addr);
1597 p->addr = NULL;
1598 if (! lcconf->autograbaddr && lcconf->strict_address)
1599 return -1;
1600 continue;
1601 }
1602
1603 if (!ifnum) {
1604 plog(LLV_ERROR, LOCATION, NULL,
1605 "no address could be bound.\n");
1606 return -1;
1607 }
1608
1609 return 0;
1610}
1611
1612void
1613isakmp_close()
1614{
1615 struct myaddrs *p, *next;
1616
1617 for (p = lcconf->myaddrs; p; p = next) {
1618 next = p->next;
1619
ac2f15b3
A		 1620 if (!p->addr) {
1621 racoon_free(p);
7ba0088d 1622 continue;
ac2f15b3 1623 }
7ba0088d 1624 close(p->sock);
ac2f15b3
A		 1625#ifdef IKE_NAT_T
1626 if (p->nattsock >= 0) close(p->nattsock);
1627#endif
7ba0088d
A		 1628 racoon_free(p->addr);
1629 racoon_free(p);
1630 }
1631
1632 lcconf->myaddrs = NULL;
1633}
1634
1635int
1636isakmp_send(iph1, sbuf)
1637 struct ph1handle *iph1;
1638 vchar_t *sbuf;
1639{
1640 int len = 0;
1641 int s;
ac2f15b3 1642 vchar_t *newbuf = NULL;
7ba0088d
A		 1643
1644 /* select the socket to be sent */
1645 s = getsockmyaddr(iph1->local);
1646 if (s == -1)
1647 return -1;
ac2f15b3
A		 1648
1649#ifdef IKE_NAT_T
1650 /* prepend four bytes of zeros if source or destination port is PORT_ISAKMP_NATT */
1651 if (iph1->remote->sa_family == AF_INET &&
1652 (((struct sockaddr_in*)(iph1->remote))->sin_port == htons(PORT_ISAKMP_NATT)) ||
1653 ((struct sockaddr_in*)(iph1->local))->sin_port == htons(PORT_ISAKMP_NATT))
1654 {
1655
1656 /* There's probably a better way to do this */
1657 newbuf = vmalloc(sbuf->l + 4);
1658 if (newbuf == NULL) {
1659 plog(LLV_ERROR, LOCATION, NULL, "sendfromto natt prepend failed\n");
1660 return -1;
1661 }
1662
1663 memset(newbuf->v, 0, 4);
1664 memcpy(newbuf->v + 4, sbuf->v, sbuf->l);
1665 sbuf = newbuf;
1666 }
1667#endif
7ba0088d
A		 1668
1669 len = sendfromto(s, sbuf->v, sbuf->l,
1670 iph1->local, iph1->remote, lcconf->count_persend);
1671 if (len == -1) {
1672 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1673 return -1;
1674 }
ac2f15b3
A		 1675
1676 if (newbuf) vfree(newbuf);
7ba0088d
A		 1677
1678 return 0;
1679}
1680
1681/* called from scheduler */
1682void
1683isakmp_ph1resend_stub(p)
1684 void *p;
1685{
1686 (void)isakmp_ph1resend((struct ph1handle *)p);
1687}
1688
1689int
1690isakmp_ph1resend(iph1)
1691 struct ph1handle *iph1;
1692{
1693 if (iph1->retry_counter < 0) {
1694 plog(LLV_ERROR, LOCATION, NULL,
1695 "phase1 negotiation failed due to time up. %s\n",
1696 isakmp_pindex(&iph1->index, iph1->msgid));
1697
1698 remph1(iph1);
1699 delph1(iph1);
1700 return -1;
1701 }
1702
1703 if (isakmp_send(iph1, iph1->sendbuf) < 0)
1704 return -1;
1705
1706 plog(LLV_DEBUG, LOCATION, NULL,
1707 "resend phase1 packet %s\n",
1708 isakmp_pindex(&iph1->index, iph1->msgid));
1709
1710 iph1->retry_counter--;
1711
1712 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1713 isakmp_ph1resend_stub, iph1);
1714
1715 return 0;
1716}
1717
1718/* called from scheduler */
1719void
1720isakmp_ph2resend_stub(p)
1721 void *p;
1722{
1723
1724 (void)isakmp_ph2resend((struct ph2handle *)p);
1725}
1726
1727int
1728isakmp_ph2resend(iph2)
1729 struct ph2handle *iph2;
1730{
1731 if (iph2->retry_counter < 0) {
1732 plog(LLV_ERROR, LOCATION, NULL,
1733 "phase2 negotiation failed due to time up. %s\n",
1734 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1735 unbindph12(iph2);
1736 remph2(iph2);
1737 delph2(iph2);
1738 return -1;
1739 }
1740
1741 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1742 return -1;
1743
1744 plog(LLV_DEBUG, LOCATION, NULL,
1745 "resend phase2 packet %s\n",
1746 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1747
1748 iph2->retry_counter--;
1749
1750 iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
1751 isakmp_ph2resend_stub, iph2);
1752
1753 return 0;
1754}
1755
1756/* called from scheduler */
1757void
1758isakmp_ph1expire_stub(p)
1759 void *p;
1760{
1761
1762 isakmp_ph1expire((struct ph1handle *)p);
1763}
1764
1765void
1766isakmp_ph1expire(iph1)
1767 struct ph1handle *iph1;
1768{
1769 char *src, *dst;
1770
1771 src = strdup(saddr2str(iph1->local));
1772 dst = strdup(saddr2str(iph1->remote));
1773 plog(LLV_INFO, LOCATION, NULL,
1774 "ISAKMP-SA expired %s-%s spi:%s\n",
1775 src, dst,
1776 isakmp_pindex(&iph1->index, 0));
1777 racoon_free(src);
1778 racoon_free(dst);
1779
1780 SCHED_KILL(iph1->sce);
1781
1782 iph1->status = PHASE1ST_EXPIRED;
1783
1784 /*
1785 * the phase1 deletion is postponed until there is no phase2.
1786 */
1787 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1788 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
1789 return;
1790 }
1791
1792 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1793}
1794
1795/* called from scheduler */
1796void
1797isakmp_ph1delete_stub(p)
1798 void *p;
1799{
1800
1801 isakmp_ph1delete((struct ph1handle *)p);
1802}
1803
1804void
1805isakmp_ph1delete(iph1)
1806 struct ph1handle *iph1;
1807{
1808 char *src, *dst;
1809
1810 SCHED_KILL(iph1->sce);
1811
1812 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1813 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1814 return;
1815 }
1816
1817 /* don't re-negosiation when the phase 1 SA expires. */
1818
1819 src = strdup(saddr2str(iph1->local));
1820 dst = strdup(saddr2str(iph1->remote));
1821 plog(LLV_INFO, LOCATION, NULL,
1822 "ISAKMP-SA deleted %s-%s spi:%s\n",
1823 src, dst, isakmp_pindex(&iph1->index, 0));
1824 racoon_free(src);
1825 racoon_free(dst);
1826
1827 remph1(iph1);
1828 delph1(iph1);
1829
1830 return;
1831}
1832
1833/* called from scheduler.
1834 * this function will call only isakmp_ph2delete().
1835 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
1836 * by something cause. That's why this function is called after phase 2 SA
1837 * expires in the userland.
1838 */
1839void
1840isakmp_ph2expire_stub(p)
1841 void *p;
1842{
1843
1844 isakmp_ph2expire((struct ph2handle *)p);
1845}
1846
1847void
1848isakmp_ph2expire(iph2)
1849 struct ph2handle *iph2;
1850{
1851 char *src, *dst;
1852
1853 SCHED_KILL(iph2->sce);
1854
1855 src = strdup(saddrwop2str(iph2->src));
1856 dst = strdup(saddrwop2str(iph2->dst));
1857 plog(LLV_INFO, LOCATION, NULL,
1858 "phase2 sa expired %s-%s\n", src, dst);
1859 racoon_free(src);
1860 racoon_free(dst);
1861
1862 iph2->status = PHASE2ST_EXPIRED;
1863
1864 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
1865
1866 return;
1867}
1868
1869/* called from scheduler */
1870void
1871isakmp_ph2delete_stub(p)
1872 void *p;
1873{
1874
1875 isakmp_ph2delete((struct ph2handle *)p);
1876}
1877
1878void
1879isakmp_ph2delete(iph2)
1880 struct ph2handle *iph2;
1881{
1882 char *src, *dst;
1883
1884 SCHED_KILL(iph2->sce);
1885
1886 src = strdup(saddrwop2str(iph2->src));
1887 dst = strdup(saddrwop2str(iph2->dst));
1888 plog(LLV_INFO, LOCATION, NULL,
1889 "phase2 sa deleted %s-%s\n", src, dst);
1890 racoon_free(src);
1891 racoon_free(dst);
1892
1893 unbindph12(iph2);
1894 remph2(iph2);
1895 delph2(iph2);
1896
1897 return;
1898}
1899
1900/* \f%%%
1901 * Interface between PF_KEYv2 and ISAKMP
1902 */
1903/*
1904 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
1905 * if phase1 has been finished, begin phase2.
1906 */
1907int
1908isakmp_post_acquire(iph2)
1909 struct ph2handle *iph2;
1910{
1911 struct remoteconf *rmconf;
1912 struct ph1handle *iph1 = NULL;
1913
1914 /* search appropreate configuration with masking port. */
1915 rmconf = getrmconf(iph2->dst);
1916 if (rmconf == NULL) {
1917 plog(LLV_ERROR, LOCATION, NULL,
1918 "no configuration found for %s.\n",
1919 saddrwop2str(iph2->dst));
1920 return -1;
1921 }
1922
1923 /* if passive mode, ignore the acquire message */
1924 if (rmconf->passive) {
1925 plog(LLV_DEBUG, LOCATION, NULL,
1926 "because of passive mode, "
1927 "ignore the acquire message for %s.\n",
1928 saddrwop2str(iph2->dst));
1929 return 0;
1930 }
1931
1932 /* search isakmp status table by address with masking port */
1933 iph1 = getph1byaddr(iph2->src, iph2->dst);
1934
1935 /* no ISAKMP-SA found. */
1936 if (iph1 == NULL) {
1937 struct sched *sc;
1938
1939 iph2->retry_checkph1 = lcconf->retry_checkph1;
1940 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
1941 plog(LLV_INFO, LOCATION, NULL,
1942 "IPsec-SA request for %s queued "
1943 "due to no phase1 found.\n",
1944 saddrwop2str(iph2->dst));
1945
1946 /* start phase 1 negotiation as a initiator. */
1947 if (isakmp_ph1begin_i(rmconf, iph2->dst) < 0) {
1948 SCHED_KILL(sc);
1949 return -1;
1950 }
1951
1952 return 0;
1953 /*NOTREACHED*/
1954 }
1955
1956 /* found ISAKMP-SA, but on negotiation. */
1957 if (iph1->status != PHASE1ST_ESTABLISHED) {
1958 iph2->retry_checkph1 = lcconf->retry_checkph1;
1959 sched_new(1, isakmp_chkph1there_stub, iph2);
1960 plog(LLV_INFO, LOCATION, iph2->dst,
1961 "request for establishing IPsec-SA was queued "
1962 "due to no phase1 found.\n");
1963 return 0;
1964 /*NOTREACHED*/
1965 }
1966
1967 /* found established ISAKMP-SA */
1968 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
1969
1970 /* found ISAKMP-SA. */
1971 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1972
1973 /* begin quick mode */
1974 if (isakmp_ph2begin_i(iph1, iph2))
1975 return -1;
1976
1977 return 0;
1978}
1979
1980/*
1981 * receive GETSPI from kernel.
1982 */
1983int
1984isakmp_post_getspi(iph2)
1985 struct ph2handle *iph2;
1986{
1987#ifdef ENABLE_STATS
1988 struct timeval start, end;
1989#endif
1990
1991 /* don't process it because there is no suitable phase1-sa. */
1992 if (iph2->ph1->status == PHASE2ST_EXPIRED) {
1993 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1994 "the negotiation is stopped, "
1995 "because there is no suitable ISAKMP-SA.\n");
1996 return -1;
1997 }
1998
1999#ifdef ENABLE_STATS
2000 gettimeofday(&start, NULL);
2001#endif
2002 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2003 [iph2->side]
2004 [iph2->status])(iph2, NULL) != 0)
2005 return -1;
2006#ifdef ENABLE_STATS
2007 gettimeofday(&end, NULL);
2008 syslog(LOG_NOTICE, "%s(%s): %8.6f",
2009 "phase2",
2010 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2011 timedelta(&start, &end));
2012#endif
2013
2014 return 0;
2015}
2016
2017/* called by scheduler */
2018void
2019isakmp_chkph1there_stub(p)
2020 void *p;
2021{
2022 isakmp_chkph1there((struct ph2handle *)p);
2023}
2024
2025void
2026isakmp_chkph1there(iph2)
2027 struct ph2handle *iph2;
2028{
2029 struct ph1handle *iph1;
2030
2031 iph2->retry_checkph1--;
2032 if (iph2->retry_checkph1 < 0) {
2033 plog(LLV_ERROR, LOCATION, iph2->dst,
2034 "phase2 negotiation failed "
2035 "due to time up waiting for phase1. %s\n",
2036 sadbsecas2str(iph2->dst, iph2->src,
2037 iph2->satype, 0, 0));
2038 plog(LLV_INFO, LOCATION, NULL,
2039 "delete phase 2 handler.\n");
2040
2041 /* send acquire to kernel as error */
2042 pk_sendeacquire(iph2);
2043
2044 unbindph12(iph2);
2045 remph2(iph2);
2046 delph2(iph2);
2047
2048 return;
2049 }
2050
2051 iph1 = getph1byaddr(iph2->src, iph2->dst);
2052
2053 /* XXX Even if ph1 as responder is there, should we not start
2054 * phase 2 negotiation ? */
2055 if (iph1 != NULL
2056 && iph1->status == PHASE1ST_ESTABLISHED) {
2057 /* found isakmp-sa */
2058 /* begin quick mode */
2059 (void)isakmp_ph2begin_i(iph1, iph2);
2060 return;
2061 }
2062
2063 /* no isakmp-sa found */
2064 sched_new(1, isakmp_chkph1there_stub, iph2);
2065
2066 return;
2067}
2068
2069/* copy variable data into ALLOCATED buffer. */
2070caddr_t
2071isakmp_set_attr_v(buf, type, val, len)
2072 caddr_t buf;
2073 int type;
2074 caddr_t val;
2075 int len;
2076{
2077 struct isakmp_data *data;
2078
2079 data = (struct isakmp_data *)buf;
2080 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2081 data->lorv = htons((u_int16_t)len);
2082 memcpy(data + 1, val, len);
2083
2084 return buf + sizeof(*data) + len;
2085}
2086
2087/* copy fixed length data into ALLOCATED buffer. */
2088caddr_t
2089isakmp_set_attr_l(buf, type, val)
2090 caddr_t buf;
2091 int type;
2092 u_int32_t val;
2093{
2094 struct isakmp_data *data;
2095
2096 data = (struct isakmp_data *)buf;
2097 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2098 data->lorv = htons((u_int16_t)val);
2099
2100 return buf + sizeof(*data);
2101}
2102
2103/* add a variable data attribute to the buffer by reallocating it. */
2104vchar_t *
2105isakmp_add_attr_v(buf0, type, val, len)
2106 vchar_t *buf0;
2107 int type;
2108 caddr_t val;
2109 int len;
2110{
2111 vchar_t *buf = NULL;
2112 struct isakmp_data *data;
2113 int tlen;
2114 int oldlen = 0;
2115
2116 tlen = sizeof(*data) + len;
2117
2118 if (buf0) {
2119 oldlen = buf0->l;
2120 buf = vrealloc(buf0, oldlen + tlen);
2121 } else
2122 buf = vmalloc(tlen);
2123 if (!buf) {
2124 plog(LLV_ERROR, LOCATION, NULL,
2125 "failed to get a attribute buffer.\n");
2126 return NULL;
2127 }
2128
2129 data = (struct isakmp_data *)(buf->v + oldlen);
2130 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2131 data->lorv = htons((u_int16_t)len);
2132 memcpy(data + 1, val, len);
2133
2134 return buf;
2135}
2136
2137/* add a fixed data attribute to the buffer by reallocating it. */
2138vchar_t *
2139isakmp_add_attr_l(buf0, type, val)
2140 vchar_t *buf0;
2141 int type;
2142 u_int32_t val;
2143{
2144 vchar_t *buf = NULL;
2145 struct isakmp_data *data;
2146 int tlen;
2147 int oldlen = 0;
2148
2149 tlen = sizeof(*data);
2150
2151 if (buf0) {
2152 oldlen = buf0->l;
2153 buf = vrealloc(buf0, oldlen + tlen);
2154 } else
2155 buf = vmalloc(tlen);
2156 if (!buf) {
2157 plog(LLV_ERROR, LOCATION, NULL,
2158 "failed to get a attribute buffer.\n");
2159 return NULL;
2160 }
2161
2162 data = (struct isakmp_data *)(buf->v + oldlen);
2163 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2164 data->lorv = htons((u_int16_t)val);
2165
2166 return buf;
2167}
2168
2169/*
2170 * calculate cookie and set.
2171 */
2172int
2173isakmp_newcookie(place, remote, local)
2174 caddr_t place;
2175 struct sockaddr *remote;
2176 struct sockaddr *local;
2177{
2178 vchar_t *buf = NULL, *buf2 = NULL;
2179 char *p;
2180 int blen;
2181 int alen;
2182 caddr_t sa1, sa2;
2183 time_t t;
2184 int error = -1;
2185 u_short port;
2186
2187
2188 if (remote->sa_family != local->sa_family) {
2189 plog(LLV_ERROR, LOCATION, NULL,
2190 "address family mismatch, remote:%d local:%d\n",
2191 remote->sa_family, local->sa_family);
2192 goto end;
2193 }
2194 switch (remote->sa_family) {
2195 case AF_INET:
2196 alen = sizeof(struct in_addr);
2197 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2198 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2199 break;
2200#ifdef INET6
2201 case AF_INET6:
2202 alen = sizeof(struct in_addr);
2203 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2204 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2205 break;
2206#endif
2207 default:
2208 plog(LLV_ERROR, LOCATION, NULL,
2209 "invalid family: %d\n", remote->sa_family);
2210 goto end;
2211 }
2212 blen = (alen + sizeof(u_short)) * 2
2213 + sizeof(time_t) + lcconf->secret_size;
2214 buf = vmalloc(blen);
2215 if (buf == NULL) {
2216 plog(LLV_ERROR, LOCATION, NULL,
2217 "failed to get a cookie.\n");
2218 goto end;
2219 }
2220 p = buf->v;
2221
2222 /* copy my address */
2223 memcpy(p, sa1, alen);
2224 p += alen;
2225 port = ((struct sockaddr_in *)remote)->sin_port;
2226 memcpy(p, &port, sizeof(u_short));
2227 p += sizeof(u_short);
2228
2229 /* copy target address */
2230 memcpy(p, sa2, alen);
2231 p += alen;
2232 port = ((struct sockaddr_in *)local)->sin_port;
2233 memcpy(p, &port, sizeof(u_short));
2234 p += sizeof(u_short);
2235
2236 /* copy time */
2237 t = time(0);
2238 memcpy(p, (caddr_t)&t, sizeof(t));
2239 p += sizeof(t);
2240
2241 /* copy random value */
2242 buf2 = eay_set_random(lcconf->secret_size);
2243 if (buf2 == NULL)
2244 goto end;
2245 memcpy(p, buf2->v, lcconf->secret_size);
2246 p += lcconf->secret_size;
2247 vfree(buf2);
2248
2249 buf2 = eay_sha1_one(buf);
2250 memcpy(place, buf2->v, sizeof(cookie_t));
2251
2252 sa1 = val2str(place, sizeof (cookie_t));
2253 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2254 racoon_free(sa1);
2255
2256 error = 0;
2257end:
2258 if (buf != NULL)
2259 vfree(buf);
2260 if (buf2 != NULL)
2261 vfree(buf2);
2262 return error;
2263}
2264
2265/*
2266 * save partner's(payload) data into phhandle.
2267 */
2268int
2269isakmp_p2ph(buf, gen)
2270 vchar_t **buf;
2271 struct isakmp_gen *gen;
2272{
2273 /* XXX to be checked in each functions for logging. */
2274 if (*buf) {
2275 plog(LLV_WARNING, LOCATION, NULL,
2276 "ignore this payload, same payload type exist.\n");
2277 return -1;
2278 }
2279
2280 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
2281 if (*buf == NULL) {
2282 plog(LLV_ERROR, LOCATION, NULL,
2283 "failed to get buffer.\n");
2284 return -1;
2285 }
2286 memcpy((*buf)->v, gen + 1, (*buf)->l);
2287
2288 return 0;
2289}
2290
2291u_int32_t
2292isakmp_newmsgid2(iph1)
2293 struct ph1handle *iph1;
2294{
2295 u_int32_t msgid2;
2296
2297 do {
ac2f15b3 2298 msgid2 = arc4random();
7ba0088d
A		 2299 } while (getph2bymsgid(iph1, msgid2));
2300
2301 return msgid2;
2302}
2303
2304/*
2305 * set values into allocated buffer of isakmp header for phase 1
2306 */
2307caddr_t
2308set_isakmp_header(vbuf, iph1, nptype)
2309 vchar_t *vbuf;
2310 struct ph1handle *iph1;
2311 int nptype;
2312{
2313 struct isakmp *isakmp;
2314
2315 if (vbuf->l < sizeof(*isakmp))
2316 return NULL;
2317
2318 isakmp = (struct isakmp *)vbuf->v;
2319 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2320 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2321 isakmp->np = nptype;
2322 isakmp->v = iph1->version;
2323 isakmp->etype = iph1->etype;
2324 isakmp->flags = iph1->flags;
2325 isakmp->msgid = iph1->msgid;
2326 isakmp->len = htonl(vbuf->l);
2327
2328 return vbuf->v + sizeof(*isakmp);
2329}
2330
2331/*
2332 * set values into allocated buffer of isakmp header for phase 2
2333 */
2334caddr_t
2335set_isakmp_header2(vbuf, iph2, nptype)
2336 vchar_t *vbuf;
2337 struct ph2handle *iph2;
2338 int nptype;
2339{
2340 struct isakmp *isakmp;
2341
2342 if (vbuf->l < sizeof(*isakmp))
2343 return NULL;
2344
2345 isakmp = (struct isakmp *)vbuf->v;
2346 memcpy(&isakmp->i_ck, &iph2->ph1->index.i_ck, sizeof(cookie_t));
2347 memcpy(&isakmp->r_ck, &iph2->ph1->index.r_ck, sizeof(cookie_t));
2348 isakmp->np = nptype;
2349 isakmp->v = iph2->ph1->version;
2350 isakmp->etype = ISAKMP_ETYPE_QUICK;
2351 isakmp->flags = iph2->flags;
2352 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
2353 isakmp->len = htonl(vbuf->l);
2354
2355 return vbuf->v + sizeof(*isakmp);
2356}
2357
2358/*
2359 * set values into allocated buffer of isakmp payload.
2360 */
2361caddr_t
2362set_isakmp_payload(buf, src, nptype)
2363 caddr_t buf;
2364 vchar_t *src;
2365 int nptype;
2366{
2367 struct isakmp_gen *gen;
2368 caddr_t p = buf;
2369
2370 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %d, next type %d\n",
2371 src->l, nptype);
2372
2373 gen = (struct isakmp_gen *)p;
2374 gen->np = nptype;
2375 gen->len = htons(sizeof(*gen) + src->l);
2376 p += sizeof(*gen);
2377 memcpy(p, src->v, src->l);
2378 p += src->l;
2379
2380 return p;
2381}
2382
2383static int
2384etypesw1(etype)
2385 int etype;
2386{
2387 switch (etype) {
2388 case ISAKMP_ETYPE_IDENT:
2389 return 1;
2390 case ISAKMP_ETYPE_AGG:
2391 return 2;
2392 case ISAKMP_ETYPE_BASE:
2393 return 3;
2394 default:
2395 return 0;
2396 }
2397 /*NOTREACHED*/
2398}
2399
2400static int
2401etypesw2(etype)
2402 int etype;
2403{
2404 switch (etype) {
2405 case ISAKMP_ETYPE_QUICK:
2406 return 1;
2407 default:
2408 return 0;
2409 }
2410 /*NOTREACHED*/
2411}
2412
2413#ifdef HAVE_PRINT_ISAKMP_C
2414/* for print-isakmp.c */
2415char *snapend;
2416extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2417
2418char *getname __P((const u_char *));
2419#ifdef INET6
2420char *getname6 __P((const u_char *));
2421#endif
2422int safeputchar __P((int));
2423
2424/*
2425 * Return a name for the IP address pointed to by ap. This address
2426 * is assumed to be in network byte order.
2427 */
2428char *
2429getname(ap)
2430 const u_char *ap;
2431{
2432 struct sockaddr_in addr;
2433 static char ntop_buf[NI_MAXHOST];
2434
2435 memset(&addr, 0, sizeof(addr));
2436 addr.sin_len = sizeof(struct sockaddr_in);
2437 addr.sin_family = AF_INET;
2438 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2439 if (getnameinfo((struct sockaddr *)&addr, addr.sin_len,
2440 ntop_buf, sizeof(ntop_buf), NULL, 0,
2441 NI_NUMERICHOST | niflags))
ac2f15b3 2442 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
7ba0088d
A		 2443
2444 return ntop_buf;
2445}
2446
2447#ifdef INET6
2448/*
2449 * Return a name for the IP6 address pointed to by ap. This address
2450 * is assumed to be in network byte order.
2451 */
2452char *
2453getname6(ap)
2454 const u_char *ap;
2455{
2456 struct sockaddr_in6 addr;
2457 static char ntop_buf[NI_MAXHOST];
2458
2459 memset(&addr, 0, sizeof(addr));
2460 addr.sin6_len = sizeof(struct sockaddr_in6);
2461 addr.sin6_family = AF_INET6;
2462 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2463 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2464 ntop_buf, sizeof(ntop_buf), NULL, 0,
2465 NI_NUMERICHOST | niflags))
ac2f15b3 2466 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
7ba0088d
A		 2467
2468 return ntop_buf;
2469}
2470#endif /* INET6 */
2471
2472int
2473safeputchar(c)
2474 int c;
2475{
2476 unsigned char ch;
2477
2478 ch = (unsigned char)(c & 0xff);
2479 if (c < 0x80 && isprint(c))
2480 return printf("%c", c & 0xff);
2481 else
2482 return printf("\\%03o", c & 0xff);
2483}
2484
2485void
2486isakmp_printpacket(msg, from, my, decoded)
2487 vchar_t *msg;
2488 struct sockaddr *from;
2489 struct sockaddr *my;
2490 int decoded;
2491{
2492#ifdef YIPS_DEBUG
2493 struct timeval tv;
2494 int s;
2495 char hostbuf[NI_MAXHOST];
2496 char portbuf[NI_MAXSERV];
2497 struct isakmp *isakmp;
2498 vchar_t *buf;
2499#endif
2500
2501 if (loglevel < LLV_DEBUG)
2502 return;
2503
2504#ifdef YIPS_DEBUG
2505 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2506
2507 gettimeofday(&tv, NULL);
2508 s = tv.tv_sec % 3600;
2509 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2510
2511 if (from) {
2512 if (getnameinfo(from, from->sa_len, hostbuf, sizeof(hostbuf),
2513 portbuf, sizeof(portbuf),
2514 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
ac2f15b3
A		 2515 strlcpy(hostbuf, "?", sizeof(hostbuf));
2516 strlcpy(portbuf, "?", sizeof(portbuf));
7ba0088d
A		 2517 }
2518 printf("%s:%s", hostbuf, portbuf);
2519 } else
2520 printf("?");
2521 printf(" -> ");
2522 if (my) {
2523 if (getnameinfo(my, my->sa_len, hostbuf, sizeof(hostbuf),
2524 portbuf, sizeof(portbuf),
2525 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
ac2f15b3
A		 2526 strlcpy(hostbuf, "?", sizeof(hostbuf));
2527 strlcpy(portbuf, "?", sizeof(portbuf));
7ba0088d
A		 2528 }
2529 printf("%s:%s", hostbuf, portbuf);
2530 } else
2531 printf("?");
2532 printf(": ");
2533
2534 buf = vdup(msg);
2535 if (!buf) {
2536 printf("(malloc fail)\n");
2537 return;
2538 }
2539 if (decoded) {
2540 isakmp = (struct isakmp *)buf->v;
2541 if (isakmp->flags & ISAKMP_FLAG_E) {
2542#if 0
2543 int pad;
2544 pad = *(u_char *)(buf->v + buf->l - 1);
2545 if (buf->l < pad && 2 < vflag)
2546 printf("(wrong padding)");
2547#endif
2548 isakmp->flags &= ~ISAKMP_FLAG_E;
2549 }
2550 }
2551
2552 snapend = buf->v + buf->l;
2553 isakmp_print(buf->v, buf->l, NULL);
2554 vfree(buf);
2555 printf("\n");
2556 fflush(stdout);
2557
2558 return;
2559#endif
2560}
2561#endif /*HAVE_PRINT_ISAKMP_C*/
2562
2563int
2564copy_ph1addresses(iph1, rmconf, remote, local)
2565 struct ph1handle *iph1;
2566 struct remoteconf *rmconf;
2567 struct sockaddr *remote, *local;
2568{
2569 u_short *port = NULL;
2570
2571 /* address portion must be grabbed from real remote address "remote" */
2572 iph1->remote = dupsaddr(remote);
2573 if (iph1->remote == NULL) {
2574 delph1(iph1);
2575 return -1;
2576 }
2577
2578 /*
2579 * if remote has no port # (in case of initiator - from ACQUIRE msg)
2580 * - if remote.conf specifies port #, use that
2581 * - if remote.conf does not, use 500
2582 * if remote has port # (in case of responder - from recvfrom(2))
2583 * respect content of "remote".
2584 */
2585 switch (iph1->remote->sa_family) {
2586 case AF_INET:
2587 port = &((struct sockaddr_in *)iph1->remote)->sin_port;
2588 if (*port)
2589 break;
2590 *port = ((struct sockaddr_in *)rmconf->remote)->sin_port;
2591 if (*port)
2592 break;
2593 *port = htons(PORT_ISAKMP);
2594 break;
2595#ifdef INET6
2596 case AF_INET6:
2597 port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port;
2598 if (*port)
2599 break;
2600 *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
2601 if (*port)
2602 break;
2603 *port = htons(PORT_ISAKMP);
2604 break;
2605#endif
2606 default:
2607 plog(LLV_ERROR, LOCATION, NULL,
2608 "invalid family: %d\n", iph1->remote->sa_family);
2609 return -1;
2610 }
2611
2612 if (local == NULL)
2613 iph1->local = getlocaladdr(iph1->remote);
2614 else
2615 iph1->local = dupsaddr(local);
2616 if (iph1->local == NULL) {
2617 delph1(iph1);
2618 return -1;
2619 }
2620 switch (iph1->local->sa_family) {
2621 case AF_INET:
2622 ((struct sockaddr_in *)iph1->local)->sin_port
2623 = getmyaddrsport(iph1->local);
2624 break;
2625#ifdef INET6
2626 case AF_INET6:
2627 ((struct sockaddr_in6 *)iph1->local)->sin6_port
2628 = getmyaddrsport(iph1->local);
2629 break;
2630#endif
2631 default:
2632 plog(LLV_ERROR, LOCATION, NULL,
2633 "invalid family: %d\n", iph1->remote->sa_family);
2634 delph1(iph1);
2635 return -1;
2636 }
2637
2638 return 0;
2639}
2640
2641static int
2642nostate1(iph1, msg)
2643 struct ph1handle *iph1;
2644 vchar_t *msg;
2645{
2646 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2647 iph1->status);
2648 return -1;
2649}
2650
2651static int
2652nostate2(iph2, msg)
2653 struct ph2handle *iph2;
2654 vchar_t *msg;
2655{
2656 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2657 iph2->status);
2658 return -1;
2659}
2660
2661void
2662log_ph1established(iph1)
2663 const struct ph1handle *iph1;
2664{
2665 char *src, *dst;
2666
2667 src = strdup(saddr2str(iph1->local));
2668 dst = strdup(saddr2str(iph1->remote));
2669 plog(LLV_INFO, LOCATION, NULL,
2670 "ISAKMP-SA established %s-%s spi:%s\n",
2671 src, dst,
2672 isakmp_pindex(&iph1->index, 0));
2673 racoon_free(src);
2674 racoon_free(dst);
2675
2676 return;
2677}
2678
mirror of network_cmds