]> git.saurik.com Git - apple/network_cmds.git/blame - racoon.tproj/isakmp.c
projects / apple / network_cmds.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
network_cmds-245.1.4.tar.gz
[apple/network_cmds.git] / racoon.tproj / isakmp.c
CommitLineData
ac2f15b3 1/* $KAME: isakmp.c,v 1.176 2002/08/28 04:08:30 itojun Exp $ */
7ba0088d
A		 2
3/*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32#include <sys/types.h>
33#include <sys/param.h>
34#include <sys/socket.h>
35#include <sys/queue.h>
36
37#include <netkey/key_var.h>
38#include <netinet/in.h>
39
40#include <stdlib.h>
41#include <stdio.h>
42#include <string.h>
43#include <errno.h>
44#if TIME_WITH_SYS_TIME
45# include <sys/time.h>
46# include <time.h>
47#else
48# if HAVE_SYS_TIME_H
49# include <sys/time.h>
50# else
51# include <time.h>
52# endif
53#endif
54#include <netdb.h>
55#ifdef HAVE_UNISTD_H
56#include <unistd.h>
57#endif
58#include <ctype.h>
59
60#if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO)
61#include "addrinfo.h"
62#endif
63
64#include "var.h"
65#include "misc.h"
66#include "vmbuf.h"
67#include "plog.h"
68#include "sockmisc.h"
69#include "schedule.h"
70#include "debug.h"
71
72#include "remoteconf.h"
73#include "localconf.h"
74#include "grabmyaddr.h"
75#include "isakmp_var.h"
76#include "isakmp.h"
77#include "oakley.h"
78#include "handler.h"
79#include "ipsec_doi.h"
80#include "pfkey.h"
81#include "crypto_openssl.h"
82#include "policy.h"
83#include "isakmp_ident.h"
84#include "isakmp_agg.h"
85#include "isakmp_base.h"
86#include "isakmp_quick.h"
87#include "isakmp_inf.h"
88#include "isakmp_newg.h"
89#include "strnames.h"
ac2f15b3
A		 90#ifndef HAVE_ARC4RANDOM
91#include "arc4random.h"
92#endif
7ba0088d
A		 93
94static int nostate1 __P((struct ph1handle *, vchar_t *));
95static int nostate2 __P((struct ph2handle *, vchar_t *));
96
97extern caddr_t val2str(const char *, size_t);
98
99static int (*ph1exchange[][2][PHASE1ST_MAX])
100 __P((struct ph1handle *, vchar_t *)) = {
101 /* error */
102 { {}, {}, },
103 /* Identity Protection exchange */
104 {
105 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
106 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
107 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
108 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
109 },
110 /* Aggressive exchange */
111 {
112 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
113 nostate1, nostate1, nostate1, nostate1, nostate1, },
114 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
115 nostate1, nostate1, nostate1, nostate1, nostate1, },
116 },
117 /* Base exchange */
118 {
119 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
120 base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
121 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
122 nostate1, nostate1, nostate1, nostate1, nostate1, },
123 },
124};
125
126static int (*ph2exchange[][2][PHASE2ST_MAX])
127 __P((struct ph2handle *, vchar_t *)) = {
128 /* error */
129 { {}, {}, },
130 /* Quick mode for IKE*/
131 {
132 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
133 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
134 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
135 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
136 },
137};
138
139static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
140
141static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
142static int ph1_main __P((struct ph1handle *, vchar_t *));
143static int quick_main __P((struct ph2handle *, vchar_t *));
144static int isakmp_ph1begin_r __P((vchar_t *,
145 struct sockaddr *, struct sockaddr *, u_int8_t));
146static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
147static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
148static int etypesw1 __P((int));
149static int etypesw2 __P((int));
2b484d24
A		 150static void isakmp_free_addrs __P((void));
151
7ba0088d
A		 152
153/*
154 * isakmp packet handler
155 */
156int
157isakmp_handler(so_isakmp)
158 int so_isakmp;
159{
160 struct isakmp isakmp;
161 struct sockaddr_storage remote;
162 struct sockaddr_storage local;
163 int remote_len = sizeof(remote);
164 int local_len = sizeof(local);
165 int len;
166 u_short port;
167 vchar_t *buf = NULL;
168 int error = -1;
169
170 /* read message by MSG_PEEK */
171 while ((len = recvfromto(so_isakmp, (char *)&isakmp, sizeof(isakmp),
172 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
173 (struct sockaddr *)&local, &local_len)) < 0) {
174 if (errno == EINTR)
175 continue;
176 plog(LLV_ERROR, LOCATION, NULL,
177 "failed to receive isakmp packet\n");
178 goto end;
179 }
180
ac2f15b3
A		 181 /* check isakmp header length, as well as sanity of header length */
182 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
7ba0088d
A		 183 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
184 "packet shorter than isakmp header size.\n");
185 /* dummy receive */
7902cf7e
A		 186 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
187 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
188 plog(LLV_ERROR, LOCATION, NULL,
189 "failed to receive isakmp packet\n");
190 }
191 goto end;
192 }
193
194 /* reject if the size is toooo big */
195 if (ntohl(isakmp.len) > 0xffff) {
196 plog(LLV_ERROR, LOCATION, NULL,
197 "the length of the isakmp header is too big.\n");
7ba0088d
A		 198 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
199 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
200 plog(LLV_ERROR, LOCATION, NULL,
201 "failed to receive isakmp packet\n");
202 }
203 goto end;
204 }
205
2b484d24
A		 206 remote_len = sizeof(remote);
207
7ba0088d
A		 208 /* read real message */
209 if ((buf = vmalloc(ntohl(isakmp.len))) == NULL) {
210 plog(LLV_ERROR, LOCATION, NULL,
211 "failed to allocate reading buffer\n");
212 /* dummy receive */
213 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
214 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
215 plog(LLV_ERROR, LOCATION, NULL,
216 "failed to receive isakmp packet\n");
217 }
218 goto end;
219 }
220
221 while ((len = recvfromto(so_isakmp, buf->v, buf->l,
222 0, (struct sockaddr *)&remote, &remote_len,
223 (struct sockaddr *)&local, &local_len)) < 0) {
224 if (errno == EINTR)
225 continue;
226 plog(LLV_ERROR, LOCATION, NULL,
2b484d24
A		 227 "failed to read isakmp packet from socket %d, len=%d\n", so_isakmp, buf->l);
228 error = -2; /* serious problem with socket */
7ba0088d
A		 229 goto end;
230 }
231
232 if (len != buf->l) {
233 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
234 "received invalid length, why ?\n");
235 goto end;
236 }
237
238 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
239 plog(LLV_DEBUG, LOCATION, (struct sockaddr *)&local,
240 "%d bytes message received from %s\n",
241 len, saddr2str((struct sockaddr *)&remote));
242 plogdump(LLV_DEBUG, buf->v, buf->l);
243
244 /* avoid packets with malicious port/address */
245 switch (remote.ss_family) {
246 case AF_INET:
247 port = ((struct sockaddr_in *)&remote)->sin_port;
248 break;
249#ifdef INET6
250 case AF_INET6:
251 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
252 break;
253#endif
254 default:
255 plog(LLV_ERROR, LOCATION, NULL,
256 "invalid family: %d\n", remote.ss_family);
257 goto end;
258 }
259 if (port == 0) {
260 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
261 "src port == 0 (valid as UDP but not with IKE)\n");
262 goto end;
263 }
264
265 /* XXX: check sender whether to be allowed or not to accept */
266
267 /* XXX: I don't know how to check isakmp half connection attack. */
268
269 /* simply reply if the packet was processed. */
270 if (check_recvdpkt((struct sockaddr *)&remote,
271 (struct sockaddr *)&local, buf)) {
272 plog(LLV_NOTIFY, LOCATION, NULL,
273 "the packet is retransmitted by %s.\n",
274 saddr2str((struct sockaddr *)&remote));
275 error = 0;
276 goto end;
277 }
278
279 /* isakmp main routine */
280 if (isakmp_main(buf, (struct sockaddr *)&remote,
281 (struct sockaddr *)&local) != 0) goto end;
282
283 error = 0;
284
285end:
286 if (buf != NULL)
287 vfree(buf);
288
289 return(error);
290}
291
ac2f15b3
A		 292#ifdef IKE_NAT_T
293/*
294 * isakmp packet handler for natt port (4500)
295 */
296int
297isakmp_natt_handler(so_isakmp)
298 int so_isakmp;
299{
300 u_char temp_buffer[sizeof(struct isakmp) + 4];
301 struct isakmp *isakmp = (struct isakmp*)(temp_buffer + 4);
302 struct sockaddr_storage remote;
303 struct sockaddr_storage local;
304 int remote_len = sizeof(remote);
305 int local_len = sizeof(local);
306 int len;
307 u_short port;
308 vchar_t *buf = NULL;
309 int error = -1;
310
311 /* read message by MSG_PEEK */
312 while ((len = recvfromto(so_isakmp, temp_buffer, sizeof(temp_buffer),
313 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
314 (struct sockaddr *)&local, &local_len)) < 0) {
315 if (errno == EINTR)
316 continue;
317 plog(LLV_ERROR, LOCATION, NULL,
318 "failed to receive isakmp packet\n");
319 goto end;
320 }
321
322 /* remove the four bytes of zeros on nat traversal port */
323 if (*(u_long*)temp_buffer != 0L)
324 {
325 /*
326 * This is a UDP encapsulated IPSec packet,
327 * we should drop it.
328 *
329 * TBD: Need a way to read the packet.
330 * The kernel intercepts these packets on Mac OS X
331 * but not all kernels will handle this the same way.
332 */
333 goto end;
334 }
335
336 /* check isakmp header length */
337 if (len < sizeof(temp_buffer)) {
338 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
339 "packet shorter than isakmp header size.\n");
340 /* dummy receive */
341 if ((len = recvfrom(so_isakmp, (char *)temp_buffer, sizeof(temp_buffer),
342 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
343 plog(LLV_ERROR, LOCATION, NULL,
344 "failed to receive isakmp packet\n");
345 }
346 goto end;
347 }
348
2b484d24
A		 349 remote_len = sizeof(remote);
350
ac2f15b3
A		 351 /* read real message */
352 if ((buf = vmalloc(ntohl(isakmp->len) + 4)) == NULL) {
353 plog(LLV_ERROR, LOCATION, NULL,
354 "failed to allocate reading buffer\n");
355 /* dummy receive */
356 if ((len = recvfrom(so_isakmp, (char *)temp_buffer, sizeof(temp_buffer),
357 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
358 plog(LLV_ERROR, LOCATION, NULL,
359 "failed to receive isakmp packet\n");
360 }
361 goto end;
362 }
363
364 while ((len = recvfromto(so_isakmp, buf->v, buf->l,
365 0, (struct sockaddr *)&remote, &remote_len,
366 (struct sockaddr *)&local, &local_len)) < 0) {
367 if (errno == EINTR)
368 continue;
369 plog(LLV_ERROR, LOCATION, NULL,
2b484d24
A		 370 "failed to read isakmp packet from socket %d, len=%d\n", so_isakmp, buf->l);
371 error = -2; /* serious problem with socket */
ac2f15b3
A		 372 goto end;
373 }
374
375 if (len != buf->l) {
376 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
377 "received invalid length, header says %d, packet is %d bytes why ?\n",
378 len, buf->l);
379 goto end;
380 }
381
382 /*
383 * Discard first 4 bytes, they're either:
384 * 0 - this is IKE traffic
385 * !0 - first four bytes are the SPI of a UDP encapsulated IPSec packet
386 * The seond type of packet should be interecepted by the kernel
387 * or dropped before we get to this point.
388 */
389 {
390 vchar_t *newbuf = vmalloc(buf->l - 4);
391 if (newbuf == NULL)
392 {
393 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
394 "couldn't allocate smaller buffer.\n");
395 goto end;
396 }
397 memcpy(newbuf->v, buf->v + 4, newbuf->l);
398 vfree(buf);
399 buf = newbuf;
400 len = buf->l;
401 }
402
403 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
404 plog(LLV_DEBUG, LOCATION, (struct sockaddr *)&local,
405 "%d bytes message received from %s\n",
406 len, saddr2str((struct sockaddr *)&remote));
407 plogdump(LLV_DEBUG, buf->v, buf->l);
408
409 /* avoid packets with malicious port/address */
410 switch (remote.ss_family) {
411 case AF_INET:
412 port = ((struct sockaddr_in *)&remote)->sin_port;
413 break;
414#ifdef INET6
415 case AF_INET6:
416 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
417 break;
418#endif
419 default:
420 plog(LLV_ERROR, LOCATION, NULL,
421 "invalid family: %d\n", remote.ss_family);
422 goto end;
423 }
424 if (port == 0) {
425 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
426 "src port == 0 (valid as UDP but not with IKE)\n");
427 goto end;
428 }
429
430 {
431 struct isakmp *isakmp = (struct isakmp*)buf->v;
432 plog(LLV_DEBUG, LOCATION, (struct sockaddr*)&remote,
433 "natt receiving packet %.8X%.8X:%.8X%.8X %u\n",
434 *(u_long*)isakmp->i_ck, *(u_long*)&isakmp->i_ck[4],
435 *(u_long*)isakmp->r_ck, *(u_long*)&isakmp->r_ck[4],
436 isakmp->msgid);
437 }
438
439 /* XXX: check sender whether to be allowed or not to accept */
440
441 /* XXX: I don't know how to check isakmp half connection attack. */
442
443 /* simply reply if the packet was processed. */
444 if (check_recvdpkt((struct sockaddr *)&remote,
445 (struct sockaddr *)&local, buf)) {
446 plog(LLV_NOTIFY, LOCATION, NULL,
447 "the packet is retransmitted by %s.\n",
448 saddr2str((struct sockaddr *)&remote));
449 error = 0;
450 goto end;
451 }
452
453 /* isakmp main routine */
454 if (isakmp_main(buf, (struct sockaddr *)&remote,
455 (struct sockaddr *)&local) != 0) goto end;
456
457 error = 0;
458
459end:
460 if (buf != NULL)
461 vfree(buf);
462
463 return(error);
464}
465#endif
466
467
7ba0088d
A		 468/*
469 * main processing to handle isakmp payload
470 */
471static int
472isakmp_main(msg, remote, local)
473 vchar_t *msg;
474 struct sockaddr *remote, *local;
475{
476 struct isakmp *isakmp = (struct isakmp *)msg->v;
477 isakmp_index *index = (isakmp_index *)isakmp;
478 u_int32_t msgid = isakmp->msgid;
479 struct ph1handle *iph1;
480
481#ifdef HAVE_PRINT_ISAKMP_C
482 isakmp_printpacket(msg, remote, local, 0);
483#endif
484
485 /* the initiator's cookie must not be zero */
486 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
487 plog(LLV_ERROR, LOCATION, remote,
488 "malformed cookie received.\n");
489 return -1;
490 }
491
492 /* Check the Major and Minor Version fields. */
493 /*
494 * XXX Is is right to check version here ?
495 * I think it may no be here because the version depends
496 * on exchange status.
497 */
498 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
499 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
500 plog(LLV_ERROR, LOCATION, remote,
501 "invalid major version %d.\n",
502 ISAKMP_GETMAJORV(isakmp->v));
503 return -1;
504 }
505#if ISAKMP_MINOR_VERSION > 0
506 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
507 plog(LLV_ERROR, LOCATION, remote,
508 "invalid minor version %d.\n",
509 ISAKMP_GETMINORV(isakmp->v));
510 return -1;
511 }
512#endif
513 }
514
515 /* check the Flags field. */
516 /* XXX How is the exclusive check, E and A ? */
517 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
518 plog(LLV_ERROR, LOCATION, remote,
519 "invalid flag 0x%02x.\n", isakmp->flags);
520 return -1;
521 }
522
523 /* ignore commit bit. */
524 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
525 if (isakmp->msgid == 0) {
526 isakmp_info_send_nx(isakmp, remote, local,
527 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
528 plog(LLV_ERROR, LOCATION, remote,
529 "Commit bit on phase1 forbidden.\n");
530 return -1;
531 }
532 }
533
534 iph1 = getph1byindex(index);
535 if (iph1 != NULL) {
536 /* validity check */
537 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
538 iph1->side == INITIATOR) {
539 plog(LLV_DEBUG, LOCATION, remote,
540 "malformed cookie received or "
541 "the initiator's cookies collide.\n");
542 return -1;
543 }
544
545 /* must be same addresses in one stream of a phase at least. */
546 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
ac2f15b3
A		 547#ifdef IKE_NAT_T
548 if (iph1->side == RESPONDER &&
ffda1f4a 549 (iph1->natt_flags & NATT_TYPE_MASK) != 0 &&
ac2f15b3
A		 550 cmpsaddrwop(iph1->remote, remote) == 0)
551 {
552 /*
553 * If the initiator detects a NAT it may switch to a
554 * new port. Technically, the remote address may change
555 * as well, depending on the NAT. Handling that would
556 * require more changes.
557 *
558 * We should record the new remote port so we can
559 * send
560 */
561 plog(LLV_WARNING, LOCATION, remote,
562 "remote port changed from %s\n", saddr2str(iph1->remote));
563 memcpy(iph1->remote, remote, iph1->remote->sa_len);
564 memcpy(iph1->local, local, iph1->local->sa_len);
565 }
566 else
567#endif
568 {
569 char *saddr_db, *saddr_act;
570
571 saddr_db = strdup(saddr2str(iph1->remote));
572 saddr_act = strdup(saddr2str(remote));
573
574 plog(LLV_WARNING, LOCATION, remote,
575 "remote address mismatched. db=%s, act=%s\n",
576 saddr_db, saddr_act);
577
578 racoon_free(saddr_db);
579 racoon_free(saddr_act);
580 }
7ba0088d
A		 581 }
582 /*
583 * don't check of exchange type here because other type will be
584 * with same index, for example, informational exchange.
585 */
586
587 /* XXX more acceptable check */
588 }
589
590 switch (isakmp->etype) {
591 case ISAKMP_ETYPE_IDENT:
592 case ISAKMP_ETYPE_AGG:
593 case ISAKMP_ETYPE_BASE:
594 /* phase 1 validity check */
595 if (isakmp->msgid != 0) {
596 plog(LLV_ERROR, LOCATION, remote,
597 "message id should be zero in phase1.\n");
598 return -1;
599 }
600
601 /* search for isakmp status record of phase 1 */
602 if (iph1 == NULL) {
603 /*
604 * the packet must be the 1st message from a initiator
605 * or the 2nd message from the responder.
606 */
607
608 /* search for phase1 handle by index without r_ck */
609 iph1 = getph1byindex0(index);
610 if (iph1 == NULL) {
611 /*it must be the 1st message from a initiator.*/
612 if (memcmp(&isakmp->r_ck, r_ck0,
613 sizeof(cookie_t)) != 0) {
614
615 plog(LLV_DEBUG, LOCATION, remote,
616 "malformed cookie received "
617 "or the spi expired.\n");
618 return -1;
619 }
620
621 /* it must be responder's 1st exchange. */
622 if (isakmp_ph1begin_r(msg, remote, local,
623 isakmp->etype) < 0)
624 return -1;
625 break;
626
627 /*NOTREACHED*/
628 }
629
630 /* it must be the 2nd message from the responder. */
631 if (iph1->side != INITIATOR) {
632 plog(LLV_DEBUG, LOCATION, remote,
633 "malformed cookie received. "
634 "it has to be as the initiator. %s\n",
635 isakmp_pindex(&iph1->index, 0));
636 return -1;
637 }
638 }
639
640 /*
641 * Don't delete phase 1 handler when the exchange type
642 * in handler is not equal to packet's one because of no
643 * authencication completed.
644 */
645 if (iph1->etype != isakmp->etype) {
646 plog(LLV_ERROR, LOCATION, iph1->remote,
647 "exchange type is mismatched: "
648 "db=%s packet=%s, ignore it.\n",
649 s_isakmp_etype(iph1->etype),
650 s_isakmp_etype(isakmp->etype));
651 return -1;
652 }
653
654 /* call main process of phase 1 */
655 if (ph1_main(iph1, msg) < 0) {
656 plog(LLV_ERROR, LOCATION, iph1->remote,
657 "phase1 negotiation failed.\n");
658 remph1(iph1);
659 delph1(iph1);
660 return -1;
661 }
662 break;
663
664 case ISAKMP_ETYPE_AUTH:
665 plog(LLV_INFO, LOCATION, remote,
666 "unsupported exchange %d received.\n",
667 isakmp->etype);
668 break;
669
670 case ISAKMP_ETYPE_INFO:
671 case ISAKMP_ETYPE_ACKINFO:
672 /*
673 * iph1 must be present for Information message.
674 * if iph1 is null then trying to get the phase1 status
675 * as the packet from responder againt initiator's 1st
676 * exchange in phase 1.
677 * NOTE: We think such informational exchange should be ignored.
678 */
679 if (iph1 == NULL) {
680 iph1 = getph1byindex0(index);
681 if (iph1 == NULL) {
682 plog(LLV_ERROR, LOCATION, remote,
683 "unknown Informational "
684 "exchange received.\n");
685 return -1;
686 }
687 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
688 plog(LLV_WARNING, LOCATION, remote,
689 "remote address mismatched. "
690 "db=%s\n",
691 saddr2str(iph1->remote));
692 }
693 }
694
695 if (isakmp_info_recv(iph1, msg) < 0)
696 return -1;
697 break;
698
699 case ISAKMP_ETYPE_QUICK:
700 {
701 struct ph2handle *iph2;
702
703 if (iph1 == NULL) {
704 isakmp_info_send_nx(isakmp, remote, local,
705 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
706 plog(LLV_ERROR, LOCATION, remote,
707 "can't start the quick mode, "
708 "there is no ISAKMP-SA, %s\n",
709 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
710 isakmp->msgid));
711 return -1;
712 }
713
714 /* check status of phase 1 whether negotiated or not. */
715 if (iph1->status != PHASE1ST_ESTABLISHED) {
716 plog(LLV_ERROR, LOCATION, remote,
717 "can't start the quick mode, "
718 "there is no valid ISAKMP-SA, %s\n",
719 isakmp_pindex(&iph1->index, iph1->msgid));
720 return -1;
721 }
722
723 /* search isakmp phase 2 stauts record. */
724 iph2 = getph2bymsgid(iph1, msgid);
725 if (iph2 == NULL) {
726 /* it must be new negotiation as responder */
727 if (isakmp_ph2begin_r(iph1, msg) < 0)
728 return -1;
729 return 0;
730 /*NOTREACHED*/
731 }
732
733 /* commit bit. */
734 /* XXX
735 * we keep to set commit bit during negotiation.
736 * When SA is configured, bit will be reset.
737 * XXX
738 * don't initiate commit bit. should be fixed in the future.
739 */
740 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
741 iph2->flags |= ISAKMP_FLAG_C;
742
743 /* call main process of quick mode */
744 if (quick_main(iph2, msg) < 0) {
745 plog(LLV_ERROR, LOCATION, iph1->remote,
746 "phase2 negotiation failed.\n");
747 unbindph12(iph2);
748 remph2(iph2);
749 delph2(iph2);
750 return -1;
751 }
752 }
753 break;
754
755 case ISAKMP_ETYPE_NEWGRP:
756 if (iph1 == NULL) {
757 plog(LLV_ERROR, LOCATION, remote,
758 "Unknown new group mode exchange, "
759 "there is no ISAKMP-SA.\n");
760 return -1;
761 }
762 isakmp_newgroup_r(iph1, msg);
763 break;
764
765 case ISAKMP_ETYPE_NONE:
766 default:
767 plog(LLV_ERROR, LOCATION, NULL,
768 "Invalid exchange type %d from %s.\n",
769 isakmp->etype, saddr2str(remote));
770 return -1;
771 }
772
773 return 0;
774}
775
776/*
777 * main function of phase 1.
778 */
779static int
780ph1_main(iph1, msg)
781 struct ph1handle *iph1;
782 vchar_t *msg;
783{
784 int error;
785#ifdef ENABLE_STATS
786 struct timeval start, end;
787#endif
788
789 /* ignore a packet */
790 if (iph1->status == PHASE1ST_ESTABLISHED)
791 return 0;
792
793#ifdef ENABLE_STATS
794 gettimeofday(&start, NULL);
795#endif
796 /* receive */
797 if (ph1exchange[etypesw1(iph1->etype)]
798 [iph1->side]
799 [iph1->status] == NULL) {
800 plog(LLV_ERROR, LOCATION, iph1->remote,
801 "why isn't the function defined.\n");
802 return -1;
803 }
804 error = (ph1exchange[etypesw1(iph1->etype)]
805 [iph1->side]
806 [iph1->status])(iph1, msg);
807 if (error != 0) {
808#if 0
809 /* XXX
810 * When an invalid packet is received on phase1, it should
811 * be selected to process this packet. That is to respond
812 * with a notify and delete phase 1 handler, OR not to respond
813 * and keep phase 1 handler.
814 */
815 plog(LLV_ERROR, LOCATION, iph1->remote,
816 "failed to pre-process packet.\n");
817 return -1;
818#else
819 /* ignore the error and keep phase 1 handler */
820 return 0;
821#endif
822 }
823
824 /* free resend buffer */
825 if (iph1->sendbuf == NULL) {
826 plog(LLV_ERROR, LOCATION, NULL,
827 "no buffer found as sendbuf\n");
828 return -1;
829 }
830 vfree(iph1->sendbuf);
831 iph1->sendbuf = NULL;
832
833 /* turn off schedule */
834 if (iph1->scr)
835 SCHED_KILL(iph1->scr);
836
837 /* send */
838 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
839 if ((ph1exchange[etypesw1(iph1->etype)]
840 [iph1->side]
841 [iph1->status])(iph1, msg) != 0) {
842 plog(LLV_ERROR, LOCATION, iph1->remote,
843 "failed to process packet.\n");
844 return -1;
845 }
846
847#ifdef ENABLE_STATS
848 gettimeofday(&end, NULL);
849 syslog(LOG_NOTICE, "%s(%s): %8.6f",
850 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
851 timedelta(&start, &end));
852#endif
853 if (iph1->status == PHASE1ST_ESTABLISHED) {
854
855#ifdef ENABLE_STATS
856 gettimeofday(&iph1->end, NULL);
857 syslog(LOG_NOTICE, "%s(%s): %8.6f",
858 "phase1", s_isakmp_etype(iph1->etype),
859 timedelta(&iph1->start, &iph1->end));
860#endif
861
862 /* save created date. */
863 (void)time(&iph1->created);
864
865 /* add to the schedule to expire, and seve back pointer. */
866 iph1->sce = sched_new(iph1->approval->lifetime,
867 isakmp_ph1expire_stub, iph1);
868
869 /* INITIAL-CONTACT processing */
870 /* don't anything if local test mode. */
871 if (!f_local
872 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
873 /* send INITIAL-CONTACT */
874 isakmp_info_send_n1(iph1,
875 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
876 /* insert a node into contacted list. */
877 if (inscontacted(iph1->remote) == -1) {
878 plog(LLV_ERROR, LOCATION, iph1->remote,
879 "failed to add contacted list.\n");
880 /* ignore */
881 }
882 }
883
884 log_ph1established(iph1);
885 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
886 }
887
888 return 0;
889}
890
891/*
892 * main function of quick mode.
893 */
894static int
895quick_main(iph2, msg)
896 struct ph2handle *iph2;
897 vchar_t *msg;
898{
899 struct isakmp *isakmp = (struct isakmp *)msg->v;
900 int error;
901#ifdef ENABLE_STATS
902 struct timeval start, end;
903#endif
904
905 /* ignore a packet */
906 if (iph2->status == PHASE2ST_ESTABLISHED
907 || iph2->status == PHASE2ST_GETSPISENT)
908 return 0;
909
910#ifdef ENABLE_STATS
911 gettimeofday(&start, NULL);
912#endif
913
914 /* receive */
915 if (ph2exchange[etypesw2(isakmp->etype)]
916 [iph2->side]
917 [iph2->status] == NULL) {
918 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
919 "why isn't the function defined.\n");
920 return -1;
921 }
922 error = (ph2exchange[etypesw2(isakmp->etype)]
923 [iph2->side]
924 [iph2->status])(iph2, msg);
925 if (error != 0) {
926 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
927 "failed to pre-process packet.\n");
928 if (error == ISAKMP_INTERNAL_ERROR)
929 return 0;
930 isakmp_info_send_n1(iph2->ph1, error, NULL);
931 return -1;
932 }
933
7ba0088d
A		 934 /* free resend buffer */
935 if (iph2->sendbuf == NULL) {
936 plog(LLV_ERROR, LOCATION, NULL,
937 "no buffer found as sendbuf\n");
938 return -1;
939 }
940 vfree(iph2->sendbuf);
941 iph2->sendbuf = NULL;
942
943 /* turn off schedule */
944 if (iph2->scr)
945 SCHED_KILL(iph2->scr);
2b484d24
A		 946
947 /* when using commit bit, status will be reached here. */
948 if (iph2->status == PHASE2ST_ADDSA)
949 return 0;
7ba0088d
A		 950
951 /* send */
952 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
953 if ((ph2exchange[etypesw2(isakmp->etype)]
954 [iph2->side]
955 [iph2->status])(iph2, msg) != 0) {
956 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
957 "failed to process packet.\n");
958 return -1;
959 }
960
961#ifdef ENABLE_STATS
962 gettimeofday(&end, NULL);
963 syslog(LOG_NOTICE, "%s(%s): %8.6f",
964 "phase2",
965 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
966 timedelta(&start, &end));
967#endif
968
969 return 0;
970}
971
972/* new negotiation of phase 1 for initiator */
973int
974isakmp_ph1begin_i(rmconf, remote)
975 struct remoteconf *rmconf;
976 struct sockaddr *remote;
977{
978 struct ph1handle *iph1;
979#ifdef ENABLE_STATS
980 struct timeval start, end;
981#endif
982
983 /* get new entry to isakmp status table. */
984 iph1 = newph1();
985 if (iph1 == NULL)
986 return -1;
987
988 iph1->status = PHASE1ST_START;
989 iph1->rmconf = rmconf;
990 iph1->side = INITIATOR;
991 iph1->version = ISAKMP_VERSION_NUMBER;
992 iph1->msgid = 0;
993 iph1->flags = 0;
994 iph1->ph2cnt = 0;
995#ifdef HAVE_GSSAPI
996 iph1->gssapi_state = NULL;
997#endif
998 iph1->approval = NULL;
999
1000 /* XXX copy remote address */
1001 if (copy_ph1addresses(iph1, rmconf, remote, NULL) < 0)
1002 return -1;
1003
1004 (void)insph1(iph1);
1005
1006 /* start phase 1 exchange */
1007 iph1->etype = rmconf->etypes->type;
1008
1009 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1010 {
1011 char *a;
1012
1013 a = strdup(saddr2str(iph1->local));
1014 plog(LLV_INFO, LOCATION, NULL,
1015 "initiate new phase 1 negotiation: %s<=>%s\n",
1016 a, saddr2str(iph1->remote));
1017 racoon_free(a);
1018 }
1019 plog(LLV_INFO, LOCATION, NULL,
1020 "begin %s mode.\n",
1021 s_isakmp_etype(iph1->etype));
1022
1023#ifdef ENABLE_STATS
1024 gettimeofday(&iph1->start, NULL);
1025 gettimeofday(&start, NULL);
1026#endif
1027 /* start exchange */
1028 if ((ph1exchange[etypesw1(iph1->etype)]
1029 [iph1->side]
1030 [iph1->status])(iph1, NULL) != 0) {
1031 /* failed to start phase 1 negotiation */
1032 remph1(iph1);
1033 delph1(iph1);
1034
1035 return -1;
1036 }
1037
1038#ifdef ENABLE_STATS
1039 gettimeofday(&end, NULL);
1040 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1041 "phase1",
1042 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1043 timedelta(&start, &end));
1044#endif
1045
1046 return 0;
1047}
1048
1049/* new negotiation of phase 1 for responder */
1050static int
1051isakmp_ph1begin_r(msg, remote, local, etype)
1052 vchar_t *msg;
1053 struct sockaddr *remote, *local;
1054 u_int8_t etype;
1055{
1056 struct isakmp *isakmp = (struct isakmp *)msg->v;
1057 struct remoteconf *rmconf;
1058 struct ph1handle *iph1;
1059 struct etypes *etypeok;
1060#ifdef ENABLE_STATS
1061 struct timeval start, end;
1062#endif
1063
1064 /* look for my configuration */
1065 rmconf = getrmconf(remote);
1066 if (rmconf == NULL) {
1067 plog(LLV_ERROR, LOCATION, remote,
1068 "couldn't find "
1069 "configuration.\n");
1070 return -1;
1071 }
1072
1073 /* check to be acceptable exchange type */
1074 etypeok = check_etypeok(rmconf, etype);
1075 if (etypeok == NULL) {
1076 plog(LLV_ERROR, LOCATION, remote,
1077 "not acceptable %s mode\n", s_isakmp_etype(etype));
1078 return -1;
1079 }
1080
1081 /* get new entry to isakmp status table. */
1082 iph1 = newph1();
1083 if (iph1 == NULL)
1084 return -1;
1085
1086 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1087 iph1->status = PHASE1ST_START;
1088 iph1->rmconf = rmconf;
1089 iph1->flags = 0;
1090 iph1->side = RESPONDER;
1091 iph1->etype = etypeok->type;
1092 iph1->version = isakmp->v;
1093 iph1->msgid = 0;
1094#ifdef HAVE_GSSAPI
1095 iph1->gssapi_state = NULL;
1096#endif
1097 iph1->approval = NULL;
1098
1099 /* copy remote address */
1100 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
1101 return -1;
1102
1103 (void)insph1(iph1);
1104
1105 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1106 {
1107 char *a;
1108
1109 a = strdup(saddr2str(iph1->local));
1110 plog(LLV_INFO, LOCATION, NULL,
1111 "respond new phase 1 negotiation: %s<=>%s\n",
1112 a, saddr2str(iph1->remote));
1113 racoon_free(a);
1114 }
1115 plog(LLV_INFO, LOCATION, NULL,
1116 "begin %s mode.\n", s_isakmp_etype(etype));
1117
1118#ifdef ENABLE_STATS
1119 gettimeofday(&iph1->start, NULL);
1120 gettimeofday(&start, NULL);
1121#endif
1122 /* start exchange */
1123 if ((ph1exchange[etypesw1(iph1->etype)]
1124 [iph1->side]
1125 [iph1->status])(iph1, msg) < 0
1126 || (ph1exchange[etypesw1(iph1->etype)]
1127 [iph1->side]
1128 [iph1->status])(iph1, msg) < 0) {
1129 plog(LLV_ERROR, LOCATION, remote,
1130 "failed to process packet.\n");
1131 remph1(iph1);
1132 delph1(iph1);
1133 return -1;
1134 }
1135#ifdef ENABLE_STATS
1136 gettimeofday(&end, NULL);
1137 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1138 "phase1",
1139 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1140 timedelta(&start, &end));
1141#endif
1142
1143 return 0;
1144}
1145
1146/* new negotiation of phase 2 for initiator */
1147static int
1148isakmp_ph2begin_i(iph1, iph2)
1149 struct ph1handle *iph1;
1150 struct ph2handle *iph2;
1151{
1152 /* found ISAKMP-SA. */
1153 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1154 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1155 {
1156 char *a;
1157 a = strdup(saddr2str(iph2->src));
1158 plog(LLV_INFO, LOCATION, NULL,
1159 "initiate new phase 2 negotiation: %s<=>%s\n",
1160 a, saddr2str(iph2->dst));
1161 racoon_free(a);
1162 }
1163
1164#ifdef ENABLE_STATS
1165 gettimeofday(&iph2->start, NULL);
1166#endif
1167 /* found isakmp-sa */
1168 bindph12(iph1, iph2);
1169 iph2->status = PHASE2ST_STATUS2;
1170
1171 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1172 [iph2->side]
1173 [iph2->status])(iph2, NULL) < 0) {
1174 unbindph12(iph2);
1175 /* release ipsecsa handler due to internal error. */
1176 remph2(iph2);
1177 delph2(iph2);
1178 return -1;
1179 }
1180 return 0;
1181}
1182
1183/* new negotiation of phase 2 for responder */
1184static int
1185isakmp_ph2begin_r(iph1, msg)
1186 struct ph1handle *iph1;
1187 vchar_t *msg;
1188{
1189 struct isakmp *isakmp = (struct isakmp *)msg->v;
1190 struct ph2handle *iph2 = 0;
1191 int error;
1192#ifdef ENABLE_STATS
1193 struct timeval start, end;
1194#endif
1195
1196 iph2 = newph2();
1197 if (iph2 == NULL) {
1198 plog(LLV_ERROR, LOCATION, NULL,
1199 "failed to allocate phase2 entry.\n");
1200 return -1;
1201 }
1202
1203 iph2->ph1 = iph1;
1204 iph2->side = RESPONDER;
1205 iph2->status = PHASE2ST_START;
1206 iph2->flags = isakmp->flags;
1207 iph2->msgid = isakmp->msgid;
1208 iph2->seq = pk_getseq();
1209 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1210 if (iph2->ivm == NULL) {
1211 delph2(iph2);
1212 return -1;
1213 }
1214 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1215 if (iph2->dst == NULL) {
1216 delph2(iph2);
1217 return -1;
1218 }
1219 switch (iph2->dst->sa_family) {
1220 case AF_INET:
1221 ((struct sockaddr_in *)iph2->dst)->sin_port = 0;
1222 break;
1223#ifdef INET6
1224 case AF_INET6:
1225 ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
1226 break;
1227#endif
1228 default:
1229 plog(LLV_ERROR, LOCATION, NULL,
1230 "invalid family: %d\n", iph2->dst->sa_family);
1231 delph2(iph2);
1232 return -1;
1233 }
1234
1235 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1236 if (iph2->src == NULL) {
1237 delph2(iph2);
1238 return -1;
1239 }
1240 switch (iph2->src->sa_family) {
1241 case AF_INET:
1242 ((struct sockaddr_in *)iph2->src)->sin_port = 0;
1243 break;
1244#ifdef INET6
1245 case AF_INET6:
1246 ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
1247 break;
1248#endif
1249 default:
1250 plog(LLV_ERROR, LOCATION, NULL,
1251 "invalid family: %d\n", iph2->src->sa_family);
1252 delph2(iph2);
1253 return -1;
1254 }
1255
1256 /* add new entry to isakmp status table */
1257 insph2(iph2);
1258 bindph12(iph1, iph2);
1259
1260 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1261 {
1262 char *a;
1263
1264 a = strdup(saddr2str(iph2->src));
1265 plog(LLV_INFO, LOCATION, NULL,
1266 "respond new phase 2 negotiation: %s<=>%s\n",
1267 a, saddr2str(iph2->dst));
1268 racoon_free(a);
1269 }
1270
1271#ifdef ENABLE_STATS
1272 gettimeofday(&start, NULL);
1273#endif
1274
1275 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1276 [iph2->side]
1277 [iph2->status])(iph2, msg);
1278 if (error != 0) {
1279 plog(LLV_ERROR, LOCATION, iph1->remote,
1280 "failed to pre-process packet.\n");
1281 if (error != ISAKMP_INTERNAL_ERROR)
1282 isakmp_info_send_n1(iph2->ph1, error, NULL);
1283 /*
1284 * release handler because it's wrong that ph2handle is kept
1285 * after failed to check message for responder's.
1286 */
1287 unbindph12(iph2);
1288 remph2(iph2);
1289 delph2(iph2);
1290 return -1;
1291 }
1292
1293 /* send */
1294 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1295 if ((ph2exchange[etypesw2(isakmp->etype)]
1296 [iph2->side]
1297 [iph2->status])(iph2, msg) < 0) {
1298 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1299 "failed to process packet.\n");
1300 /* don't release handler */
1301 return -1;
1302 }
1303#ifdef ENABLE_STATS
1304 gettimeofday(&end, NULL);
1305 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1306 "phase2",
1307 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1308 timedelta(&start, &end));
1309#endif
1310
1311 return 0;
1312}
1313
1314/*
1315 * parse ISAKMP payloads, without ISAKMP base header.
1316 */
1317vchar_t *
1318isakmp_parsewoh(np0, gen, len)
1319 int np0;
1320 struct isakmp_gen *gen;
1321 int len;
1322{
1323 u_char np = np0 & 0xff;
1324 int tlen, plen;
1325 vchar_t *result;
1326 struct isakmp_parse_t *p, *ep;
1327
1328 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1329
1330 /*
1331 * 5 is a magic number, but any value larger than 2 should be fine
1332 * as we do vrealloc() in the following loop.
1333 */
1334 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1335 if (result == NULL) {
1336 plog(LLV_ERROR, LOCATION, NULL,
1337 "failed to get buffer.\n");
1338 return NULL;
1339 }
1340 p = (struct isakmp_parse_t *)result->v;
1341 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1342
1343 tlen = len;
1344
1345 /* parse through general headers */
1346 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1347 if (tlen <= sizeof(struct isakmp_gen)) {
1348 /* don't send information, see isakmp_ident_r1() */
1349 plog(LLV_ERROR, LOCATION, NULL,
1350 "invalid length of payload\n");
1351 vfree(result);
1352 return NULL;
1353 }
1354
1355 plog(LLV_DEBUG, LOCATION, NULL,
1356 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1357
1358 p->type = np;
1359 p->len = ntohs(gen->len);
1360 if (p->len == 0 || p->len > tlen) {
1361 plog(LLV_DEBUG, LOCATION, NULL,
1362 "invalid length of payload\n");
1363 vfree(result);
1364 return NULL;
1365 }
1366 p->ptr = gen;
1367 p++;
1368 if (ep <= p) {
1369 int off;
1370
1371 off = p - (struct isakmp_parse_t *)result->v;
1372 result = vrealloc(result, result->l * 2);
1373 if (result == NULL) {
1374 plog(LLV_DEBUG, LOCATION, NULL,
1375 "failed to realloc buffer.\n");
1376 vfree(result);
1377 return NULL;
1378 }
1379 ep = (struct isakmp_parse_t *)
1380 (result->v + result->l - sizeof(*ep));
1381 p = (struct isakmp_parse_t *)result->v;
1382 p += off;
1383 }
1384
1385 np = gen->np;
1386 plen = ntohs(gen->len);
1387 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1388 tlen -= plen;
1389 }
1390 p->type = ISAKMP_NPTYPE_NONE;
1391 p->len = 0;
1392 p->ptr = NULL;
1393
1394 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1395
1396 return result;
1397}
1398
1399/*
1400 * parse ISAKMP payloads, including ISAKMP base header.
1401 */
1402vchar_t *
1403isakmp_parse(buf)
1404 vchar_t *buf;
1405{
1406 struct isakmp *isakmp = (struct isakmp *)buf->v;
1407 struct isakmp_gen *gen;
1408 int tlen;
1409 vchar_t *result;
1410 u_char np;
1411
1412 np = isakmp->np;
1413 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1414 tlen = buf->l - sizeof(struct isakmp);
1415 result = isakmp_parsewoh(np, gen, tlen);
1416
1417 return result;
1418}
1419
1420/* %%% */
1421int
1422isakmp_init()
1423{
1424 /* initialize a isakmp status table */
1425 initph1tree();
1426 initph2tree();
1427 initctdtree();
1428 init_recvdpkt();
1429
7ba0088d
A		 1430 if (isakmp_open() < 0)
1431 goto err;
1432
1433 return(0);
1434
1435err:
1436 isakmp_close();
1437 return(-1);
1438}
1439
1440/*
1441 * make strings containing i_cookie + r_cookie + msgid
1442 */
1443const char *
1444isakmp_pindex(index, msgid)
1445 const isakmp_index *index;
1446 const u_int32_t msgid;
1447{
1448 static char buf[64];
1449 const u_char *p;
1450 int i, j;
1451
1452 memset(buf, 0, sizeof(buf));
1453
1454 /* copy index */
1455 p = (const u_char *)index;
1456 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1457 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1458 j += 2;
1459 switch (i) {
1460 case 7:
1461 buf[j++] = ':';
1462 }
1463 }
1464
1465 if (msgid == 0)
1466 return buf;
1467
1468 /* copy msgid */
1469 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1470
1471 return buf;
1472}
1473
7ba0088d 1474int
ac2f15b3 1475isakmp_setup_socket(struct sockaddr* in_addr)
7ba0088d 1476{
ac2f15b3 1477 int sock = -1;
7ba0088d 1478 const int yes = 1;
7ba0088d
A		 1479#ifdef INET6
1480 int pktinfo;
1481#endif
ac2f15b3
A		 1482 if ((sock = socket(in_addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1483 plog(LLV_ERROR, LOCATION, NULL,
1484 "socket (%s)\n", strerror(errno));
1485 return -1;
1486 }
1487
1488 /* receive my interface address on inbound packets. */
1489 switch (in_addr->sa_family) {
1490 case AF_INET:
1491 if (setsockopt(sock, IPPROTO_IP, IP_RECVDSTADDR,
1492 (const void *)&yes, sizeof(yes)) < 0) {
1493 plog(LLV_ERROR, LOCATION, NULL,
1494 "setsockopt (%s)\n", strerror(errno));
1495 close(sock);
1496 return -1;
1497 }
1498 break;
1499#ifdef INET6
1500 case AF_INET6:
1501#ifdef ADVAPI
1502#ifdef IPV6_RECVPKTINFO
1503 pktinfo = IPV6_RECVPKTINFO;
1504#else /* old adv. API */
1505 pktinfo = IPV6_PKTINFO;
1506#endif /* IPV6_RECVPKTINFO */
1507#else
1508 pktinfo = IPV6_RECVDSTADDR;
1509#endif
1510 if (setsockopt(sock, IPPROTO_IPV6, pktinfo,
1511 (const void *)&yes, sizeof(yes)) < 0)
1512 {
1513 plog(LLV_ERROR, LOCATION, NULL,
1514 "setsockopt(%d): %s\n",
1515 pktinfo, strerror(errno));
1516 close(sock);
1517 return -1;
1518 }
1519 break;
1520#endif
1521 }
1522
1523#ifdef IPV6_USE_MIN_MTU
1524 if (in_addr->sa_family == AF_INET6 &&
1525 setsockopt(sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1526 (void *)&yes, sizeof(yes)) < 0) {
1527 plog(LLV_ERROR, LOCATION, NULL,
1528 "setsockopt (%s)\n", strerror(errno));
1529 close(sock);
1530 return -1;
1531 }
1532#endif
1533
1534 if (setsockopt_bypass(sock, in_addr->sa_family) < 0) {
1535 close(sock);
1536 return -1;
1537 }
1538
1539 if (bind(sock, in_addr, in_addr->sa_len) < 0) {
1540 plog(LLV_ERROR, LOCATION, in_addr,
1541 "failed to bind (%s).\n", strerror(errno));
1542 close(sock);
1543 return -1;
1544 }
1545
1546 return sock;
1547}
1548
1549/* open ISAKMP sockets. */
1550int
1551isakmp_open()
1552{
1553 int ifnum;
7ba0088d
A		 1554 struct myaddrs *p;
1555
1556 ifnum = 0;
1557 for (p = lcconf->myaddrs; p; p = p->next) {
1558 if (!p->addr)
1559 continue;
07f47057
A		 1560
1561 if (p->sock != -1) {
1562 ifnum++;
1563 continue; // socket already open
1564 }
1565
7ba0088d
A		 1566 /* warn if wildcard address - should we forbid this? */
1567 switch (p->addr->sa_family) {
1568 case AF_INET:
1569 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
1570 plog(LLV_WARNING, LOCATION, NULL,
1571 "listening to wildcard address,"
1572 "broadcast IKE packet may kill you\n");
1573 break;
1574#ifdef INET6
1575 case AF_INET6:
1576 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
1577 plog(LLV_WARNING, LOCATION, NULL,
1578 "listening to wildcard address, "
1579 "broadcast IKE packet may kill you\n");
1580 break;
1581#endif
1582 default:
1583 plog(LLV_ERROR, LOCATION, NULL,
1584 "unsupported address family %d\n",
1585 lcconf->default_af);
1586 goto err_and_next;
1587 }
ac2f15b3
A		 1588
1589 p->sock = isakmp_setup_socket(p->addr);
1590 if (p->sock < 0) goto err_and_next;
7ba0088d 1591
ac2f15b3
A		 1592 plog(LLV_DEBUG, LOCATION, NULL,
1593 "%s used as isakmp port (fd=%d)\n",
1594 saddr2str(p->addr), p->sock);
7ba0088d 1595
ac2f15b3
A		 1596 ifnum++;
1597
1598#ifdef IKE_NAT_T
1599 /*
1600 * We have to listen on 4500 in addition to 500 with IPv4
1601 * to support NAT traversal.
1602 */
1603 if (p->addr->sa_family == AF_INET)
1604 {
1605 struct sockaddr_in sin = *(struct sockaddr_in*)p->addr;
1606
07f47057 1607 sin.sin_port = htons(PORT_ISAKMP_NATT);
ac2f15b3
A		 1608 p->nattsock = isakmp_setup_socket((struct sockaddr*)&sin);
1609 if (p->nattsock >= 0)
ac2f15b3
A		 1610 plog(LLV_DEBUG, LOCATION, NULL,
1611 "%s used as nat-t isakmp port (fd=%d)\n",
1612 saddr2str((struct sockaddr*)&sin), p->nattsock);
7ba0088d
A		 1613 }
1614#endif
1615
7ba0088d
A		 1616 continue;
1617
1618 err_and_next:
1619 racoon_free(p->addr);
1620 p->addr = NULL;
1621 if (! lcconf->autograbaddr && lcconf->strict_address)
1622 return -1;
1623 continue;
1624 }
1625
1626 if (!ifnum) {
1627 plog(LLV_ERROR, LOCATION, NULL,
1628 "no address could be bound.\n");
1629 return -1;
1630 }
1631
1632 return 0;
1633}
1634
1635void
1636isakmp_close()
1637{
2b484d24
A		 1638 isakmp_close_sockets();
1639 isakmp_free_addrs();
1640}
7ba0088d 1641
2b484d24
A		 1642void
1643isakmp_close_sockets()
1644{
1645 struct myaddrs *p;
7ba0088d 1646
2b484d24
A		 1647 for (p = lcconf->myaddrs; p; p = p->next) {
1648
1649 if (!p->addr)
7ba0088d 1650 continue;
2b484d24
A		 1651
1652 if (p->sock >= 0) {
1653 close(p->sock);
1654 p->sock = -1;
ac2f15b3 1655 }
2b484d24 1656
ac2f15b3 1657#ifdef IKE_NAT_T
2b484d24
A		 1658 if (p->nattsock >= 0) {
1659 close(p->nattsock);
1660 p->nattsock = -1;
1661 }
ac2f15b3 1662#endif
2b484d24
A		 1663
1664 }
1665
1666}
1667
1668void
1669isakmp_free_addrs()
1670{
1671 struct myaddrs *p, *next;
1672
1673 for (p = lcconf->myaddrs; p; p = next) {
1674 next = p->next;
1675
1676 if (p->addr)
1677 racoon_free(p->addr);
7ba0088d
A		 1678 racoon_free(p);
1679 }
1680
1681 lcconf->myaddrs = NULL;
2b484d24 1682
7ba0088d
A		 1683}
1684
2b484d24 1685
07f47057
A		 1686// close sockets for addresses that have gone away
1687void
1688isakmp_close_unused()
1689{
1690 struct myaddrs *p, *next, **prev;
1691
1692 prev = &(lcconf->myaddrs);
1693 for (p = lcconf->myaddrs; p; p = next) {
1694 next = p->next;
1695 if (p->addrcount == 0) { // not in use ?
1696
1697 if (p->sock >= 0)
1698 close(p->sock);
1699
1700 #ifdef IKE_NAT_T
1701 if (p->nattsock >= 0)
1702 close(p->nattsock);
1703 #endif
1704 *prev = p->next;
1705 if (p->addr)
1706 racoon_free(p->addr);
1707 racoon_free(p);
1708 } else
1709 prev = &(p->next);
1710 }
1711}
1712
7ba0088d
A		 1713int
1714isakmp_send(iph1, sbuf)
1715 struct ph1handle *iph1;
1716 vchar_t *sbuf;
1717{
1718 int len = 0;
1719 int s;
ac2f15b3 1720 vchar_t *newbuf = NULL;
7ba0088d
A		 1721
1722 /* select the socket to be sent */
1723 s = getsockmyaddr(iph1->local);
1724 if (s == -1)
1725 return -1;
ac2f15b3
A		 1726
1727#ifdef IKE_NAT_T
1728 /* prepend four bytes of zeros if source or destination port is PORT_ISAKMP_NATT */
1729 if (iph1->remote->sa_family == AF_INET &&
1730 (((struct sockaddr_in*)(iph1->remote))->sin_port == htons(PORT_ISAKMP_NATT)) ||
1731 ((struct sockaddr_in*)(iph1->local))->sin_port == htons(PORT_ISAKMP_NATT))
1732 {
1733
1734 /* There's probably a better way to do this */
1735 newbuf = vmalloc(sbuf->l + 4);
1736 if (newbuf == NULL) {
1737 plog(LLV_ERROR, LOCATION, NULL, "sendfromto natt prepend failed\n");
1738 return -1;
1739 }
1740
1741 memset(newbuf->v, 0, 4);
1742 memcpy(newbuf->v + 4, sbuf->v, sbuf->l);
1743 sbuf = newbuf;
1744 }
1745#endif
7ba0088d
A		 1746
1747 len = sendfromto(s, sbuf->v, sbuf->l,
1748 iph1->local, iph1->remote, lcconf->count_persend);
1749 if (len == -1) {
1750 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1751 return -1;
1752 }
ac2f15b3
A		 1753
1754 if (newbuf) vfree(newbuf);
7ba0088d
A		 1755
1756 return 0;
1757}
1758
1759/* called from scheduler */
1760void
1761isakmp_ph1resend_stub(p)
1762 void *p;
1763{
1764 (void)isakmp_ph1resend((struct ph1handle *)p);
1765}
1766
1767int
1768isakmp_ph1resend(iph1)
1769 struct ph1handle *iph1;
1770{
1771 if (iph1->retry_counter < 0) {
1772 plog(LLV_ERROR, LOCATION, NULL,
1773 "phase1 negotiation failed due to time up. %s\n",
1774 isakmp_pindex(&iph1->index, iph1->msgid));
1775
1776 remph1(iph1);
1777 delph1(iph1);
1778 return -1;
1779 }
1780
1781 if (isakmp_send(iph1, iph1->sendbuf) < 0)
1782 return -1;
1783
1784 plog(LLV_DEBUG, LOCATION, NULL,
1785 "resend phase1 packet %s\n",
1786 isakmp_pindex(&iph1->index, iph1->msgid));
1787
1788 iph1->retry_counter--;
1789
1790 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1791 isakmp_ph1resend_stub, iph1);
1792
1793 return 0;
1794}
1795
1796/* called from scheduler */
1797void
1798isakmp_ph2resend_stub(p)
1799 void *p;
1800{
1801
1802 (void)isakmp_ph2resend((struct ph2handle *)p);
1803}
1804
1805int
1806isakmp_ph2resend(iph2)
1807 struct ph2handle *iph2;
1808{
1809 if (iph2->retry_counter < 0) {
1810 plog(LLV_ERROR, LOCATION, NULL,
1811 "phase2 negotiation failed due to time up. %s\n",
1812 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1813 unbindph12(iph2);
1814 remph2(iph2);
1815 delph2(iph2);
1816 return -1;
1817 }
1818
2b484d24
A		 1819 if (iph2->ph1 == 0) {
1820 plog(LLV_ERROR, LOCATION, NULL,
1821 "internal error - attempt to re-send phase2 with no phase1 bound.\n");
1822 iph2->retry_counter = -1;
1823 remph2(iph2);
1824 delph2(iph2);
1825 return -1;
1826 }
1827
7ba0088d
A		 1828 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1829 return -1;
1830
1831 plog(LLV_DEBUG, LOCATION, NULL,
1832 "resend phase2 packet %s\n",
1833 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1834
1835 iph2->retry_counter--;
1836
1837 iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
1838 isakmp_ph2resend_stub, iph2);
1839
1840 return 0;
1841}
1842
1843/* called from scheduler */
1844void
1845isakmp_ph1expire_stub(p)
1846 void *p;
1847{
1848
1849 isakmp_ph1expire((struct ph1handle *)p);
1850}
1851
1852void
1853isakmp_ph1expire(iph1)
1854 struct ph1handle *iph1;
1855{
1856 char *src, *dst;
1857
1858 src = strdup(saddr2str(iph1->local));
1859 dst = strdup(saddr2str(iph1->remote));
1860 plog(LLV_INFO, LOCATION, NULL,
1861 "ISAKMP-SA expired %s-%s spi:%s\n",
1862 src, dst,
1863 isakmp_pindex(&iph1->index, 0));
1864 racoon_free(src);
1865 racoon_free(dst);
1866
1867 SCHED_KILL(iph1->sce);
1868
1869 iph1->status = PHASE1ST_EXPIRED;
1870
1871 /*
1872 * the phase1 deletion is postponed until there is no phase2.
1873 */
1874 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1875 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
1876 return;
1877 }
1878
1879 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1880}
1881
1882/* called from scheduler */
1883void
1884isakmp_ph1delete_stub(p)
1885 void *p;
1886{
1887
1888 isakmp_ph1delete((struct ph1handle *)p);
1889}
1890
1891void
1892isakmp_ph1delete(iph1)
1893 struct ph1handle *iph1;
1894{
1895 char *src, *dst;
1896
1897 SCHED_KILL(iph1->sce);
1898
1899 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1900 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1901 return;
1902 }
1903
1904 /* don't re-negosiation when the phase 1 SA expires. */
1905
1906 src = strdup(saddr2str(iph1->local));
1907 dst = strdup(saddr2str(iph1->remote));
1908 plog(LLV_INFO, LOCATION, NULL,
1909 "ISAKMP-SA deleted %s-%s spi:%s\n",
1910 src, dst, isakmp_pindex(&iph1->index, 0));
1911 racoon_free(src);
1912 racoon_free(dst);
1913
1914 remph1(iph1);
1915 delph1(iph1);
1916
1917 return;
1918}
1919
1920/* called from scheduler.
1921 * this function will call only isakmp_ph2delete().
1922 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
1923 * by something cause. That's why this function is called after phase 2 SA
1924 * expires in the userland.
1925 */
1926void
1927isakmp_ph2expire_stub(p)
1928 void *p;
1929{
1930
1931 isakmp_ph2expire((struct ph2handle *)p);
1932}
1933
1934void
1935isakmp_ph2expire(iph2)
1936 struct ph2handle *iph2;
1937{
1938 char *src, *dst;
1939
1940 SCHED_KILL(iph2->sce);
1941
1942 src = strdup(saddrwop2str(iph2->src));
1943 dst = strdup(saddrwop2str(iph2->dst));
1944 plog(LLV_INFO, LOCATION, NULL,
1945 "phase2 sa expired %s-%s\n", src, dst);
1946 racoon_free(src);
1947 racoon_free(dst);
1948
1949 iph2->status = PHASE2ST_EXPIRED;
1950
1951 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
1952
1953 return;
1954}
1955
1956/* called from scheduler */
1957void
1958isakmp_ph2delete_stub(p)
1959 void *p;
1960{
1961
1962 isakmp_ph2delete((struct ph2handle *)p);
1963}
1964
1965void
1966isakmp_ph2delete(iph2)
1967 struct ph2handle *iph2;
1968{
1969 char *src, *dst;
1970
1971 SCHED_KILL(iph2->sce);
1972
1973 src = strdup(saddrwop2str(iph2->src));
1974 dst = strdup(saddrwop2str(iph2->dst));
1975 plog(LLV_INFO, LOCATION, NULL,
1976 "phase2 sa deleted %s-%s\n", src, dst);
1977 racoon_free(src);
1978 racoon_free(dst);
1979
1980 unbindph12(iph2);
1981 remph2(iph2);
1982 delph2(iph2);
1983
1984 return;
1985}
1986
1987/* \f%%%
1988 * Interface between PF_KEYv2 and ISAKMP
1989 */
1990/*
1991 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
1992 * if phase1 has been finished, begin phase2.
1993 */
1994int
1995isakmp_post_acquire(iph2)
1996 struct ph2handle *iph2;
1997{
1998 struct remoteconf *rmconf;
1999 struct ph1handle *iph1 = NULL;
2000
2001 /* search appropreate configuration with masking port. */
2002 rmconf = getrmconf(iph2->dst);
2003 if (rmconf == NULL) {
2004 plog(LLV_ERROR, LOCATION, NULL,
2005 "no configuration found for %s.\n",
2006 saddrwop2str(iph2->dst));
2007 return -1;
2008 }
2009
2010 /* if passive mode, ignore the acquire message */
2011 if (rmconf->passive) {
2012 plog(LLV_DEBUG, LOCATION, NULL,
2013 "because of passive mode, "
2014 "ignore the acquire message for %s.\n",
2015 saddrwop2str(iph2->dst));
2016 return 0;
2017 }
2018
2019 /* search isakmp status table by address with masking port */
2020 iph1 = getph1byaddr(iph2->src, iph2->dst);
2021
2022 /* no ISAKMP-SA found. */
2023 if (iph1 == NULL) {
2024 struct sched *sc;
2025
2026 iph2->retry_checkph1 = lcconf->retry_checkph1;
2027 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
2028 plog(LLV_INFO, LOCATION, NULL,
2029 "IPsec-SA request for %s queued "
2030 "due to no phase1 found.\n",
2031 saddrwop2str(iph2->dst));
2032
2033 /* start phase 1 negotiation as a initiator. */
2034 if (isakmp_ph1begin_i(rmconf, iph2->dst) < 0) {
2035 SCHED_KILL(sc);
2036 return -1;
2037 }
2038
2039 return 0;
2040 /*NOTREACHED*/
2041 }
2042
2043 /* found ISAKMP-SA, but on negotiation. */
2044 if (iph1->status != PHASE1ST_ESTABLISHED) {
2045 iph2->retry_checkph1 = lcconf->retry_checkph1;
2046 sched_new(1, isakmp_chkph1there_stub, iph2);
2047 plog(LLV_INFO, LOCATION, iph2->dst,
2048 "request for establishing IPsec-SA was queued "
2049 "due to no phase1 found.\n");
2050 return 0;
2051 /*NOTREACHED*/
2052 }
2053
2054 /* found established ISAKMP-SA */
2055 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
2056
2057 /* found ISAKMP-SA. */
2058 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
2059
2060 /* begin quick mode */
2061 if (isakmp_ph2begin_i(iph1, iph2))
2062 return -1;
2063
2064 return 0;
2065}
2066
2067/*
2068 * receive GETSPI from kernel.
2069 */
2070int
2071isakmp_post_getspi(iph2)
2072 struct ph2handle *iph2;
2073{
2074#ifdef ENABLE_STATS
2075 struct timeval start, end;
2076#endif
2077
2078 /* don't process it because there is no suitable phase1-sa. */
2079 if (iph2->ph1->status == PHASE2ST_EXPIRED) {
2080 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2081 "the negotiation is stopped, "
2082 "because there is no suitable ISAKMP-SA.\n");
2083 return -1;
2084 }
2085
2086#ifdef ENABLE_STATS
2087 gettimeofday(&start, NULL);
2088#endif
2089 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2090 [iph2->side]
2091 [iph2->status])(iph2, NULL) != 0)
2092 return -1;
2093#ifdef ENABLE_STATS
2094 gettimeofday(&end, NULL);
2095 syslog(LOG_NOTICE, "%s(%s): %8.6f",
2096 "phase2",
2097 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2098 timedelta(&start, &end));
2099#endif
2100
2101 return 0;
2102}
2103
2104/* called by scheduler */
2105void
2106isakmp_chkph1there_stub(p)
2107 void *p;
2108{
2109 isakmp_chkph1there((struct ph2handle *)p);
2110}
2111
2112void
2113isakmp_chkph1there(iph2)
2114 struct ph2handle *iph2;
2115{
2116 struct ph1handle *iph1;
2117
2118 iph2->retry_checkph1--;
2119 if (iph2->retry_checkph1 < 0) {
2120 plog(LLV_ERROR, LOCATION, iph2->dst,
2121 "phase2 negotiation failed "
2122 "due to time up waiting for phase1. %s\n",
2123 sadbsecas2str(iph2->dst, iph2->src,
2124 iph2->satype, 0, 0));
2125 plog(LLV_INFO, LOCATION, NULL,
2126 "delete phase 2 handler.\n");
2127
2128 /* send acquire to kernel as error */
2129 pk_sendeacquire(iph2);
2130
2131 unbindph12(iph2);
2132 remph2(iph2);
2133 delph2(iph2);
2134
2135 return;
2136 }
2137
2138 iph1 = getph1byaddr(iph2->src, iph2->dst);
2139
2140 /* XXX Even if ph1 as responder is there, should we not start
2141 * phase 2 negotiation ? */
2142 if (iph1 != NULL
2143 && iph1->status == PHASE1ST_ESTABLISHED) {
2144 /* found isakmp-sa */
2145 /* begin quick mode */
2146 (void)isakmp_ph2begin_i(iph1, iph2);
2147 return;
2148 }
2149
2150 /* no isakmp-sa found */
2151 sched_new(1, isakmp_chkph1there_stub, iph2);
2152
2153 return;
2154}
2155
2156/* copy variable data into ALLOCATED buffer. */
2157caddr_t
2158isakmp_set_attr_v(buf, type, val, len)
2159 caddr_t buf;
2160 int type;
2161 caddr_t val;
2162 int len;
2163{
2164 struct isakmp_data *data;
2165
2166 data = (struct isakmp_data *)buf;
2167 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2168 data->lorv = htons((u_int16_t)len);
2169 memcpy(data + 1, val, len);
2170
2171 return buf + sizeof(*data) + len;
2172}
2173
2174/* copy fixed length data into ALLOCATED buffer. */
2175caddr_t
2176isakmp_set_attr_l(buf, type, val)
2177 caddr_t buf;
2178 int type;
2179 u_int32_t val;
2180{
2181 struct isakmp_data *data;
2182
2183 data = (struct isakmp_data *)buf;
2184 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2185 data->lorv = htons((u_int16_t)val);
2186
2187 return buf + sizeof(*data);
2188}
2189
2190/* add a variable data attribute to the buffer by reallocating it. */
2191vchar_t *
2192isakmp_add_attr_v(buf0, type, val, len)
2193 vchar_t *buf0;
2194 int type;
2195 caddr_t val;
2196 int len;
2197{
2198 vchar_t *buf = NULL;
2199 struct isakmp_data *data;
2200 int tlen;
2201 int oldlen = 0;
2202
2203 tlen = sizeof(*data) + len;
2204
2205 if (buf0) {
2206 oldlen = buf0->l;
2207 buf = vrealloc(buf0, oldlen + tlen);
2208 } else
2209 buf = vmalloc(tlen);
2210 if (!buf) {
2211 plog(LLV_ERROR, LOCATION, NULL,
2212 "failed to get a attribute buffer.\n");
2213 return NULL;
2214 }
2215
2216 data = (struct isakmp_data *)(buf->v + oldlen);
2217 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2218 data->lorv = htons((u_int16_t)len);
2219 memcpy(data + 1, val, len);
2220
2221 return buf;
2222}
2223
2224/* add a fixed data attribute to the buffer by reallocating it. */
2225vchar_t *
2226isakmp_add_attr_l(buf0, type, val)
2227 vchar_t *buf0;
2228 int type;
2229 u_int32_t val;
2230{
2231 vchar_t *buf = NULL;
2232 struct isakmp_data *data;
2233 int tlen;
2234 int oldlen = 0;
2235
2236 tlen = sizeof(*data);
2237
2238 if (buf0) {
2239 oldlen = buf0->l;
2240 buf = vrealloc(buf0, oldlen + tlen);
2241 } else
2242 buf = vmalloc(tlen);
2243 if (!buf) {
2244 plog(LLV_ERROR, LOCATION, NULL,
2245 "failed to get a attribute buffer.\n");
2246 return NULL;
2247 }
2248
2249 data = (struct isakmp_data *)(buf->v + oldlen);
2250 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2251 data->lorv = htons((u_int16_t)val);
2252
2253 return buf;
2254}
2255
2256/*
2257 * calculate cookie and set.
2258 */
2259int
2260isakmp_newcookie(place, remote, local)
2261 caddr_t place;
2262 struct sockaddr *remote;
2263 struct sockaddr *local;
2264{
2265 vchar_t *buf = NULL, *buf2 = NULL;
2266 char *p;
2267 int blen;
2268 int alen;
2269 caddr_t sa1, sa2;
2270 time_t t;
2271 int error = -1;
2272 u_short port;
2273
2274
2275 if (remote->sa_family != local->sa_family) {
2276 plog(LLV_ERROR, LOCATION, NULL,
2277 "address family mismatch, remote:%d local:%d\n",
2278 remote->sa_family, local->sa_family);
2279 goto end;
2280 }
2281 switch (remote->sa_family) {
2282 case AF_INET:
2283 alen = sizeof(struct in_addr);
2284 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2285 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2286 break;
2287#ifdef INET6
2288 case AF_INET6:
2289 alen = sizeof(struct in_addr);
2290 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2291 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2292 break;
2293#endif
2294 default:
2295 plog(LLV_ERROR, LOCATION, NULL,
2296 "invalid family: %d\n", remote->sa_family);
2297 goto end;
2298 }
2299 blen = (alen + sizeof(u_short)) * 2
2300 + sizeof(time_t) + lcconf->secret_size;
2301 buf = vmalloc(blen);
2302 if (buf == NULL) {
2303 plog(LLV_ERROR, LOCATION, NULL,
2304 "failed to get a cookie.\n");
2305 goto end;
2306 }
2307 p = buf->v;
2308
2309 /* copy my address */
2310 memcpy(p, sa1, alen);
2311 p += alen;
2312 port = ((struct sockaddr_in *)remote)->sin_port;
2313 memcpy(p, &port, sizeof(u_short));
2314 p += sizeof(u_short);
2315
2316 /* copy target address */
2317 memcpy(p, sa2, alen);
2318 p += alen;
2319 port = ((struct sockaddr_in *)local)->sin_port;
2320 memcpy(p, &port, sizeof(u_short));
2321 p += sizeof(u_short);
2322
2323 /* copy time */
2324 t = time(0);
2325 memcpy(p, (caddr_t)&t, sizeof(t));
2326 p += sizeof(t);
2327
2328 /* copy random value */
2329 buf2 = eay_set_random(lcconf->secret_size);
2330 if (buf2 == NULL)
2331 goto end;
2332 memcpy(p, buf2->v, lcconf->secret_size);
2333 p += lcconf->secret_size;
2334 vfree(buf2);
2335
2336 buf2 = eay_sha1_one(buf);
2337 memcpy(place, buf2->v, sizeof(cookie_t));
2338
2339 sa1 = val2str(place, sizeof (cookie_t));
2340 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2341 racoon_free(sa1);
2342
2343 error = 0;
2344end:
2345 if (buf != NULL)
2346 vfree(buf);
2347 if (buf2 != NULL)
2348 vfree(buf2);
2349 return error;
2350}
2351
2352/*
2353 * save partner's(payload) data into phhandle.
2354 */
2355int
2356isakmp_p2ph(buf, gen)
2357 vchar_t **buf;
2358 struct isakmp_gen *gen;
2359{
2360 /* XXX to be checked in each functions for logging. */
2361 if (*buf) {
2362 plog(LLV_WARNING, LOCATION, NULL,
2363 "ignore this payload, same payload type exist.\n");
2364 return -1;
2365 }
2366
2367 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
2368 if (*buf == NULL) {
2369 plog(LLV_ERROR, LOCATION, NULL,
2370 "failed to get buffer.\n");
2371 return -1;
2372 }
2373 memcpy((*buf)->v, gen + 1, (*buf)->l);
2374
2375 return 0;
2376}
2377
2378u_int32_t
2379isakmp_newmsgid2(iph1)
2380 struct ph1handle *iph1;
2381{
2382 u_int32_t msgid2;
2383
2384 do {
ac2f15b3 2385 msgid2 = arc4random();
7ba0088d
A		 2386 } while (getph2bymsgid(iph1, msgid2));
2387
2388 return msgid2;
2389}
2390
2391/*
2392 * set values into allocated buffer of isakmp header for phase 1
2393 */
2394caddr_t
2395set_isakmp_header(vbuf, iph1, nptype)
2396 vchar_t *vbuf;
2397 struct ph1handle *iph1;
2398 int nptype;
2399{
2400 struct isakmp *isakmp;
2401
2402 if (vbuf->l < sizeof(*isakmp))
2403 return NULL;
2404
2405 isakmp = (struct isakmp *)vbuf->v;
2406 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2407 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2408 isakmp->np = nptype;
2409 isakmp->v = iph1->version;
2410 isakmp->etype = iph1->etype;
2411 isakmp->flags = iph1->flags;
2412 isakmp->msgid = iph1->msgid;
2413 isakmp->len = htonl(vbuf->l);
2414
2415 return vbuf->v + sizeof(*isakmp);
2416}
2417
2418/*
2419 * set values into allocated buffer of isakmp header for phase 2
2420 */
2421caddr_t
2422set_isakmp_header2(vbuf, iph2, nptype)
2423 vchar_t *vbuf;
2424 struct ph2handle *iph2;
2425 int nptype;
2426{
2427 struct isakmp *isakmp;
2428
2429 if (vbuf->l < sizeof(*isakmp))
2430 return NULL;
2431
2432 isakmp = (struct isakmp *)vbuf->v;
2433 memcpy(&isakmp->i_ck, &iph2->ph1->index.i_ck, sizeof(cookie_t));
2434 memcpy(&isakmp->r_ck, &iph2->ph1->index.r_ck, sizeof(cookie_t));
2435 isakmp->np = nptype;
2436 isakmp->v = iph2->ph1->version;
2437 isakmp->etype = ISAKMP_ETYPE_QUICK;
2438 isakmp->flags = iph2->flags;
2439 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
2440 isakmp->len = htonl(vbuf->l);
2441
2442 return vbuf->v + sizeof(*isakmp);
2443}
2444
2445/*
2446 * set values into allocated buffer of isakmp payload.
2447 */
2448caddr_t
2449set_isakmp_payload(buf, src, nptype)
2450 caddr_t buf;
2451 vchar_t *src;
2452 int nptype;
2453{
2454 struct isakmp_gen *gen;
2455 caddr_t p = buf;
2456
2457 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %d, next type %d\n",
2458 src->l, nptype);
2459
2460 gen = (struct isakmp_gen *)p;
2461 gen->np = nptype;
2462 gen->len = htons(sizeof(*gen) + src->l);
2463 p += sizeof(*gen);
2464 memcpy(p, src->v, src->l);
2465 p += src->l;
2466
2467 return p;
2468}
2469
2470static int
2471etypesw1(etype)
2472 int etype;
2473{
2474 switch (etype) {
2475 case ISAKMP_ETYPE_IDENT:
2476 return 1;
2477 case ISAKMP_ETYPE_AGG:
2478 return 2;
2479 case ISAKMP_ETYPE_BASE:
2480 return 3;
2481 default:
2482 return 0;
2483 }
2484 /*NOTREACHED*/
2485}
2486
2487static int
2488etypesw2(etype)
2489 int etype;
2490{
2491 switch (etype) {
2492 case ISAKMP_ETYPE_QUICK:
2493 return 1;
2494 default:
2495 return 0;
2496 }
2497 /*NOTREACHED*/
2498}
2499
2500#ifdef HAVE_PRINT_ISAKMP_C
2501/* for print-isakmp.c */
2502char *snapend;
2503extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2504
2505char *getname __P((const u_char *));
2506#ifdef INET6
2507char *getname6 __P((const u_char *));
2508#endif
2509int safeputchar __P((int));
2510
2511/*
2512 * Return a name for the IP address pointed to by ap. This address
2513 * is assumed to be in network byte order.
2514 */
2515char *
2516getname(ap)
2517 const u_char *ap;
2518{
2519 struct sockaddr_in addr;
2520 static char ntop_buf[NI_MAXHOST];
2521
2522 memset(&addr, 0, sizeof(addr));
2523 addr.sin_len = sizeof(struct sockaddr_in);
2524 addr.sin_family = AF_INET;
2525 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2526 if (getnameinfo((struct sockaddr *)&addr, addr.sin_len,
2527 ntop_buf, sizeof(ntop_buf), NULL, 0,
2528 NI_NUMERICHOST | niflags))
ac2f15b3 2529 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
7ba0088d
A		 2530
2531 return ntop_buf;
2532}
2533
2534#ifdef INET6
2535/*
2536 * Return a name for the IP6 address pointed to by ap. This address
2537 * is assumed to be in network byte order.
2538 */
2539char *
2540getname6(ap)
2541 const u_char *ap;
2542{
2543 struct sockaddr_in6 addr;
2544 static char ntop_buf[NI_MAXHOST];
2545
2546 memset(&addr, 0, sizeof(addr));
2547 addr.sin6_len = sizeof(struct sockaddr_in6);
2548 addr.sin6_family = AF_INET6;
2549 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2550 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2551 ntop_buf, sizeof(ntop_buf), NULL, 0,
2552 NI_NUMERICHOST | niflags))
ac2f15b3 2553 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
7ba0088d
A		 2554
2555 return ntop_buf;
2556}
2557#endif /* INET6 */
2558
2559int
2560safeputchar(c)
2561 int c;
2562{
2563 unsigned char ch;
2564
2565 ch = (unsigned char)(c & 0xff);
2566 if (c < 0x80 && isprint(c))
2567 return printf("%c", c & 0xff);
2568 else
2569 return printf("\\%03o", c & 0xff);
2570}
2571
2572void
2573isakmp_printpacket(msg, from, my, decoded)
2574 vchar_t *msg;
2575 struct sockaddr *from;
2576 struct sockaddr *my;
2577 int decoded;
2578{
2579#ifdef YIPS_DEBUG
2580 struct timeval tv;
2581 int s;
2582 char hostbuf[NI_MAXHOST];
2583 char portbuf[NI_MAXSERV];
2584 struct isakmp *isakmp;
2585 vchar_t *buf;
2586#endif
2587
2588 if (loglevel < LLV_DEBUG)
2589 return;
2590
2591#ifdef YIPS_DEBUG
2592 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2593
2594 gettimeofday(&tv, NULL);
2595 s = tv.tv_sec % 3600;
2596 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2597
2598 if (from) {
2599 if (getnameinfo(from, from->sa_len, hostbuf, sizeof(hostbuf),
2600 portbuf, sizeof(portbuf),
2601 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
ac2f15b3
A		 2602 strlcpy(hostbuf, "?", sizeof(hostbuf));
2603 strlcpy(portbuf, "?", sizeof(portbuf));
7ba0088d
A		 2604 }
2605 printf("%s:%s", hostbuf, portbuf);
2606 } else
2607 printf("?");
2608 printf(" -> ");
2609 if (my) {
2610 if (getnameinfo(my, my->sa_len, hostbuf, sizeof(hostbuf),
2611 portbuf, sizeof(portbuf),
2612 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
ac2f15b3
A		 2613 strlcpy(hostbuf, "?", sizeof(hostbuf));
2614 strlcpy(portbuf, "?", sizeof(portbuf));
7ba0088d
A		 2615 }
2616 printf("%s:%s", hostbuf, portbuf);
2617 } else
2618 printf("?");
2619 printf(": ");
2620
2621 buf = vdup(msg);
2622 if (!buf) {
2623 printf("(malloc fail)\n");
2624 return;
2625 }
2626 if (decoded) {
2627 isakmp = (struct isakmp *)buf->v;
2628 if (isakmp->flags & ISAKMP_FLAG_E) {
2629#if 0
2630 int pad;
2631 pad = *(u_char *)(buf->v + buf->l - 1);
2632 if (buf->l < pad && 2 < vflag)
2633 printf("(wrong padding)");
2634#endif
2635 isakmp->flags &= ~ISAKMP_FLAG_E;
2636 }
2637 }
2638
2639 snapend = buf->v + buf->l;
2640 isakmp_print(buf->v, buf->l, NULL);
2641 vfree(buf);
2642 printf("\n");
2643 fflush(stdout);
2644
2645 return;
2646#endif
2647}
2648#endif /*HAVE_PRINT_ISAKMP_C*/
2649
2650int
2651copy_ph1addresses(iph1, rmconf, remote, local)
2652 struct ph1handle *iph1;
2653 struct remoteconf *rmconf;
2654 struct sockaddr *remote, *local;
2655{
2656 u_short *port = NULL;
2657
2658 /* address portion must be grabbed from real remote address "remote" */
2659 iph1->remote = dupsaddr(remote);
2660 if (iph1->remote == NULL) {
2661 delph1(iph1);
2662 return -1;
2663 }
2664
2665 /*
2666 * if remote has no port # (in case of initiator - from ACQUIRE msg)
2667 * - if remote.conf specifies port #, use that
2668 * - if remote.conf does not, use 500
2669 * if remote has port # (in case of responder - from recvfrom(2))
2670 * respect content of "remote".
2671 */
2672 switch (iph1->remote->sa_family) {
2673 case AF_INET:
2674 port = &((struct sockaddr_in *)iph1->remote)->sin_port;
2675 if (*port)
2676 break;
2677 *port = ((struct sockaddr_in *)rmconf->remote)->sin_port;
2678 if (*port)
2679 break;
2680 *port = htons(PORT_ISAKMP);
2681 break;
2682#ifdef INET6
2683 case AF_INET6:
2684 port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port;
2685 if (*port)
2686 break;
2687 *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
2688 if (*port)
2689 break;
2690 *port = htons(PORT_ISAKMP);
2691 break;
2692#endif
2693 default:
2694 plog(LLV_ERROR, LOCATION, NULL,
2695 "invalid family: %d\n", iph1->remote->sa_family);
2696 return -1;
2697 }
2698
2699 if (local == NULL)
2700 iph1->local = getlocaladdr(iph1->remote);
2701 else
2702 iph1->local = dupsaddr(local);
2703 if (iph1->local == NULL) {
2704 delph1(iph1);
2705 return -1;
2706 }
2707 switch (iph1->local->sa_family) {
2708 case AF_INET:
2709 ((struct sockaddr_in *)iph1->local)->sin_port
2710 = getmyaddrsport(iph1->local);
2711 break;
2712#ifdef INET6
2713 case AF_INET6:
2714 ((struct sockaddr_in6 *)iph1->local)->sin6_port
2715 = getmyaddrsport(iph1->local);
2716 break;
2717#endif
2718 default:
2719 plog(LLV_ERROR, LOCATION, NULL,
2720 "invalid family: %d\n", iph1->remote->sa_family);
2721 delph1(iph1);
2722 return -1;
2723 }
2724
2725 return 0;
2726}
2727
2728static int
2729nostate1(iph1, msg)
2730 struct ph1handle *iph1;
2731 vchar_t *msg;
2732{
2733 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2734 iph1->status);
2735 return -1;
2736}
2737
2738static int
2739nostate2(iph2, msg)
2740 struct ph2handle *iph2;
2741 vchar_t *msg;
2742{
2743 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2744 iph2->status);
2745 return -1;
2746}
2747
2748void
2749log_ph1established(iph1)
2750 const struct ph1handle *iph1;
2751{
2752 char *src, *dst;
2753
2754 src = strdup(saddr2str(iph1->local));
2755 dst = strdup(saddr2str(iph1->remote));
2756 plog(LLV_INFO, LOCATION, NULL,
2757 "ISAKMP-SA established %s-%s spi:%s\n",
2758 src, dst,
2759 isakmp_pindex(&iph1->index, 0));
2760 racoon_free(src);
2761 racoon_free(dst);
2762
2763 return;
2764}
2765
mirror of network_cmds