]> git.saurik.com Git - apple/network_cmds.git/blob - racoon.tproj/isakmp.c
projects / apple / network_cmds.git / blob
? search:


0f6b38bd5305f0473fdcf47213b1b966ca840d69
[apple/network_cmds.git] / racoon.tproj / isakmp.c
1 /* $KAME: isakmp.c,v 1.176 2002/08/28 04:08:30 itojun Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/socket.h>
35 #include <sys/queue.h>
36
37 #include <netkey/key_var.h>
38 #include <netinet/in.h>
39
40 #include <stdlib.h>
41 #include <stdio.h>
42 #include <string.h>
43 #include <errno.h>
44 #if TIME_WITH_SYS_TIME
45 # include <sys/time.h>
46 # include <time.h>
47 #else
48 # if HAVE_SYS_TIME_H
49 # include <sys/time.h>
50 # else
51 # include <time.h>
52 # endif
53 #endif
54 #include <netdb.h>
55 #ifdef HAVE_UNISTD_H
56 #include <unistd.h>
57 #endif
58 #include <ctype.h>
59
60 #if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO)
61 #include "addrinfo.h"
62 #endif
63
64 #include "var.h"
65 #include "misc.h"
66 #include "vmbuf.h"
67 #include "plog.h"
68 #include "sockmisc.h"
69 #include "schedule.h"
70 #include "debug.h"
71
72 #include "remoteconf.h"
73 #include "localconf.h"
74 #include "grabmyaddr.h"
75 #include "isakmp_var.h"
76 #include "isakmp.h"
77 #include "oakley.h"
78 #include "handler.h"
79 #include "ipsec_doi.h"
80 #include "pfkey.h"
81 #include "crypto_openssl.h"
82 #include "policy.h"
83 #include "isakmp_ident.h"
84 #include "isakmp_agg.h"
85 #include "isakmp_base.h"
86 #include "isakmp_quick.h"
87 #include "isakmp_inf.h"
88 #include "isakmp_newg.h"
89 #include "strnames.h"
90 #ifndef HAVE_ARC4RANDOM
91 #include "arc4random.h"
92 #endif
93
94 static int nostate1 __P((struct ph1handle *, vchar_t *));
95 static int nostate2 __P((struct ph2handle *, vchar_t *));
96
97 extern caddr_t val2str(const char *, size_t);
98
99 static int (*ph1exchange[][2][PHASE1ST_MAX])
100 __P((struct ph1handle *, vchar_t *)) = {
101 /* error */
102 { {}, {}, },
103 /* Identity Protection exchange */
104 {
105 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
106 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
107 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
108 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
109 },
110 /* Aggressive exchange */
111 {
112 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
113 nostate1, nostate1, nostate1, nostate1, nostate1, },
114 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
115 nostate1, nostate1, nostate1, nostate1, nostate1, },
116 },
117 /* Base exchange */
118 {
119 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
120 base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
121 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
122 nostate1, nostate1, nostate1, nostate1, nostate1, },
123 },
124 };
125
126 static int (*ph2exchange[][2][PHASE2ST_MAX])
127 __P((struct ph2handle *, vchar_t *)) = {
128 /* error */
129 { {}, {}, },
130 /* Quick mode for IKE*/
131 {
132 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
133 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
134 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
135 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
136 },
137 };
138
139 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
140
141 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
142 static int ph1_main __P((struct ph1handle *, vchar_t *));
143 static int quick_main __P((struct ph2handle *, vchar_t *));
144 static int isakmp_ph1begin_r __P((vchar_t *,
145 struct sockaddr *, struct sockaddr *, u_int8_t));
146 static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
147 static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
148 static int etypesw1 __P((int));
149 static int etypesw2 __P((int));
150
151 /*
152 * isakmp packet handler
153 */
154 int
155 isakmp_handler(so_isakmp)
156 int so_isakmp;
157 {
158 struct isakmp isakmp;
159 struct sockaddr_storage remote;
160 struct sockaddr_storage local;
161 int remote_len = sizeof(remote);
162 int local_len = sizeof(local);
163 int len;
164 u_short port;
165 vchar_t *buf = NULL;
166 int error = -1;
167
168 /* read message by MSG_PEEK */
169 while ((len = recvfromto(so_isakmp, (char *)&isakmp, sizeof(isakmp),
170 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
171 (struct sockaddr *)&local, &local_len)) < 0) {
172 if (errno == EINTR)
173 continue;
174 plog(LLV_ERROR, LOCATION, NULL,
175 "failed to receive isakmp packet\n");
176 goto end;
177 }
178
179 /* check isakmp header length, as well as sanity of header length */
180 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
181 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
182 "packet shorter than isakmp header size.\n");
183 /* dummy receive */
184 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
185 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
186 plog(LLV_ERROR, LOCATION, NULL,
187 "failed to receive isakmp packet\n");
188 }
189 goto end;
190 }
191
192 /* reject if the size is toooo big */
193 if (ntohl(isakmp.len) > 0xffff) {
194 plog(LLV_ERROR, LOCATION, NULL,
195 "the length of the isakmp header is too big.\n");
196 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
197 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
198 plog(LLV_ERROR, LOCATION, NULL,
199 "failed to receive isakmp packet\n");
200 }
201 goto end;
202 }
203
204 /* read real message */
205 if ((buf = vmalloc(ntohl(isakmp.len))) == NULL) {
206 plog(LLV_ERROR, LOCATION, NULL,
207 "failed to allocate reading buffer\n");
208 /* dummy receive */
209 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
210 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
211 plog(LLV_ERROR, LOCATION, NULL,
212 "failed to receive isakmp packet\n");
213 }
214 goto end;
215 }
216
217 while ((len = recvfromto(so_isakmp, buf->v, buf->l,
218 0, (struct sockaddr *)&remote, &remote_len,
219 (struct sockaddr *)&local, &local_len)) < 0) {
220 if (errno == EINTR)
221 continue;
222 plog(LLV_ERROR, LOCATION, NULL,
223 "failed to receive isakmp packet\n");
224 goto end;
225 }
226
227 if (len != buf->l) {
228 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
229 "received invalid length, why ?\n");
230 goto end;
231 }
232
233 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
234 plog(LLV_DEBUG, LOCATION, (struct sockaddr *)&local,
235 "%d bytes message received from %s\n",
236 len, saddr2str((struct sockaddr *)&remote));
237 plogdump(LLV_DEBUG, buf->v, buf->l);
238
239 /* avoid packets with malicious port/address */
240 switch (remote.ss_family) {
241 case AF_INET:
242 port = ((struct sockaddr_in *)&remote)->sin_port;
243 break;
244 #ifdef INET6
245 case AF_INET6:
246 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
247 break;
248 #endif
249 default:
250 plog(LLV_ERROR, LOCATION, NULL,
251 "invalid family: %d\n", remote.ss_family);
252 goto end;
253 }
254 if (port == 0) {
255 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
256 "src port == 0 (valid as UDP but not with IKE)\n");
257 goto end;
258 }
259
260 /* XXX: check sender whether to be allowed or not to accept */
261
262 /* XXX: I don't know how to check isakmp half connection attack. */
263
264 /* simply reply if the packet was processed. */
265 if (check_recvdpkt((struct sockaddr *)&remote,
266 (struct sockaddr *)&local, buf)) {
267 plog(LLV_NOTIFY, LOCATION, NULL,
268 "the packet is retransmitted by %s.\n",
269 saddr2str((struct sockaddr *)&remote));
270 error = 0;
271 goto end;
272 }
273
274 /* isakmp main routine */
275 if (isakmp_main(buf, (struct sockaddr *)&remote,
276 (struct sockaddr *)&local) != 0) goto end;
277
278 error = 0;
279
280 end:
281 if (buf != NULL)
282 vfree(buf);
283
284 return(error);
285 }
286
287 #ifdef IKE_NAT_T
288 /*
289 * isakmp packet handler for natt port (4500)
290 */
291 int
292 isakmp_natt_handler(so_isakmp)
293 int so_isakmp;
294 {
295 u_char temp_buffer[sizeof(struct isakmp) + 4];
296 struct isakmp *isakmp = (struct isakmp*)(temp_buffer + 4);
297 struct sockaddr_storage remote;
298 struct sockaddr_storage local;
299 int remote_len = sizeof(remote);
300 int local_len = sizeof(local);
301 int len;
302 u_short port;
303 vchar_t *buf = NULL;
304 int error = -1;
305
306 /* read message by MSG_PEEK */
307 while ((len = recvfromto(so_isakmp, temp_buffer, sizeof(temp_buffer),
308 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
309 (struct sockaddr *)&local, &local_len)) < 0) {
310 if (errno == EINTR)
311 continue;
312 plog(LLV_ERROR, LOCATION, NULL,
313 "failed to receive isakmp packet\n");
314 goto end;
315 }
316
317 /* remove the four bytes of zeros on nat traversal port */
318 if (*(u_long*)temp_buffer != 0L)
319 {
320 /*
321 * This is a UDP encapsulated IPSec packet,
322 * we should drop it.
323 *
324 * TBD: Need a way to read the packet.
325 * The kernel intercepts these packets on Mac OS X
326 * but not all kernels will handle this the same way.
327 */
328 goto end;
329 }
330
331 /* check isakmp header length */
332 if (len < sizeof(temp_buffer)) {
333 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
334 "packet shorter than isakmp header size.\n");
335 /* dummy receive */
336 if ((len = recvfrom(so_isakmp, (char *)temp_buffer, sizeof(temp_buffer),
337 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
338 plog(LLV_ERROR, LOCATION, NULL,
339 "failed to receive isakmp packet\n");
340 }
341 goto end;
342 }
343
344 /* read real message */
345 if ((buf = vmalloc(ntohl(isakmp->len) + 4)) == NULL) {
346 plog(LLV_ERROR, LOCATION, NULL,
347 "failed to allocate reading buffer\n");
348 /* dummy receive */
349 if ((len = recvfrom(so_isakmp, (char *)temp_buffer, sizeof(temp_buffer),
350 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
351 plog(LLV_ERROR, LOCATION, NULL,
352 "failed to receive isakmp packet\n");
353 }
354 goto end;
355 }
356
357 while ((len = recvfromto(so_isakmp, buf->v, buf->l,
358 0, (struct sockaddr *)&remote, &remote_len,
359 (struct sockaddr *)&local, &local_len)) < 0) {
360 if (errno == EINTR)
361 continue;
362 plog(LLV_ERROR, LOCATION, NULL,
363 "failed to receive isakmp packet\n");
364 goto end;
365 }
366
367 if (len != buf->l) {
368 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
369 "received invalid length, header says %d, packet is %d bytes why ?\n",
370 len, buf->l);
371 goto end;
372 }
373
374 /*
375 * Discard first 4 bytes, they're either:
376 * 0 - this is IKE traffic
377 * !0 - first four bytes are the SPI of a UDP encapsulated IPSec packet
378 * The seond type of packet should be interecepted by the kernel
379 * or dropped before we get to this point.
380 */
381 {
382 vchar_t *newbuf = vmalloc(buf->l - 4);
383 if (newbuf == NULL)
384 {
385 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
386 "couldn't allocate smaller buffer.\n");
387 goto end;
388 }
389 memcpy(newbuf->v, buf->v + 4, newbuf->l);
390 vfree(buf);
391 buf = newbuf;
392 len = buf->l;
393 }
394
395 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
396 plog(LLV_DEBUG, LOCATION, (struct sockaddr *)&local,
397 "%d bytes message received from %s\n",
398 len, saddr2str((struct sockaddr *)&remote));
399 plogdump(LLV_DEBUG, buf->v, buf->l);
400
401 /* avoid packets with malicious port/address */
402 switch (remote.ss_family) {
403 case AF_INET:
404 port = ((struct sockaddr_in *)&remote)->sin_port;
405 break;
406 #ifdef INET6
407 case AF_INET6:
408 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
409 break;
410 #endif
411 default:
412 plog(LLV_ERROR, LOCATION, NULL,
413 "invalid family: %d\n", remote.ss_family);
414 goto end;
415 }
416 if (port == 0) {
417 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
418 "src port == 0 (valid as UDP but not with IKE)\n");
419 goto end;
420 }
421
422 {
423 struct isakmp *isakmp = (struct isakmp*)buf->v;
424 plog(LLV_DEBUG, LOCATION, (struct sockaddr*)&remote,
425 "natt receiving packet %.8X%.8X:%.8X%.8X %u\n",
426 *(u_long*)isakmp->i_ck, *(u_long*)&isakmp->i_ck[4],
427 *(u_long*)isakmp->r_ck, *(u_long*)&isakmp->r_ck[4],
428 isakmp->msgid);
429 }
430
431 /* XXX: check sender whether to be allowed or not to accept */
432
433 /* XXX: I don't know how to check isakmp half connection attack. */
434
435 /* simply reply if the packet was processed. */
436 if (check_recvdpkt((struct sockaddr *)&remote,
437 (struct sockaddr *)&local, buf)) {
438 plog(LLV_NOTIFY, LOCATION, NULL,
439 "the packet is retransmitted by %s.\n",
440 saddr2str((struct sockaddr *)&remote));
441 error = 0;
442 goto end;
443 }
444
445 /* isakmp main routine */
446 if (isakmp_main(buf, (struct sockaddr *)&remote,
447 (struct sockaddr *)&local) != 0) goto end;
448
449 error = 0;
450
451 end:
452 if (buf != NULL)
453 vfree(buf);
454
455 return(error);
456 }
457 #endif
458
459
460 /*
461 * main processing to handle isakmp payload
462 */
463 static int
464 isakmp_main(msg, remote, local)
465 vchar_t *msg;
466 struct sockaddr *remote, *local;
467 {
468 struct isakmp *isakmp = (struct isakmp *)msg->v;
469 isakmp_index *index = (isakmp_index *)isakmp;
470 u_int32_t msgid = isakmp->msgid;
471 struct ph1handle *iph1;
472
473 #ifdef HAVE_PRINT_ISAKMP_C
474 isakmp_printpacket(msg, remote, local, 0);
475 #endif
476
477 /* the initiator's cookie must not be zero */
478 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
479 plog(LLV_ERROR, LOCATION, remote,
480 "malformed cookie received.\n");
481 return -1;
482 }
483
484 /* Check the Major and Minor Version fields. */
485 /*
486 * XXX Is is right to check version here ?
487 * I think it may no be here because the version depends
488 * on exchange status.
489 */
490 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
491 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
492 plog(LLV_ERROR, LOCATION, remote,
493 "invalid major version %d.\n",
494 ISAKMP_GETMAJORV(isakmp->v));
495 return -1;
496 }
497 #if ISAKMP_MINOR_VERSION > 0
498 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
499 plog(LLV_ERROR, LOCATION, remote,
500 "invalid minor version %d.\n",
501 ISAKMP_GETMINORV(isakmp->v));
502 return -1;
503 }
504 #endif
505 }
506
507 /* check the Flags field. */
508 /* XXX How is the exclusive check, E and A ? */
509 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
510 plog(LLV_ERROR, LOCATION, remote,
511 "invalid flag 0x%02x.\n", isakmp->flags);
512 return -1;
513 }
514
515 /* ignore commit bit. */
516 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
517 if (isakmp->msgid == 0) {
518 isakmp_info_send_nx(isakmp, remote, local,
519 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
520 plog(LLV_ERROR, LOCATION, remote,
521 "Commit bit on phase1 forbidden.\n");
522 return -1;
523 }
524 }
525
526 iph1 = getph1byindex(index);
527 if (iph1 != NULL) {
528 /* validity check */
529 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
530 iph1->side == INITIATOR) {
531 plog(LLV_DEBUG, LOCATION, remote,
532 "malformed cookie received or "
533 "the initiator's cookies collide.\n");
534 return -1;
535 }
536
537 /* must be same addresses in one stream of a phase at least. */
538 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
539 #ifdef IKE_NAT_T
540 if (iph1->side == RESPONDER &&
541 (iph1->natt_flags & natt_remote_support) != 0 &&
542 cmpsaddrwop(iph1->remote, remote) == 0)
543 {
544 /*
545 * If the initiator detects a NAT it may switch to a
546 * new port. Technically, the remote address may change
547 * as well, depending on the NAT. Handling that would
548 * require more changes.
549 *
550 * We should record the new remote port so we can
551 * send
552 */
553 plog(LLV_WARNING, LOCATION, remote,
554 "remote port changed from %s\n", saddr2str(iph1->remote));
555 memcpy(iph1->remote, remote, iph1->remote->sa_len);
556 memcpy(iph1->local, local, iph1->local->sa_len);
557 }
558 else
559 #endif
560 {
561 char *saddr_db, *saddr_act;
562
563 saddr_db = strdup(saddr2str(iph1->remote));
564 saddr_act = strdup(saddr2str(remote));
565
566 plog(LLV_WARNING, LOCATION, remote,
567 "remote address mismatched. db=%s, act=%s\n",
568 saddr_db, saddr_act);
569
570 racoon_free(saddr_db);
571 racoon_free(saddr_act);
572 }
573 }
574 /*
575 * don't check of exchange type here because other type will be
576 * with same index, for example, informational exchange.
577 */
578
579 /* XXX more acceptable check */
580 }
581
582 switch (isakmp->etype) {
583 case ISAKMP_ETYPE_IDENT:
584 case ISAKMP_ETYPE_AGG:
585 case ISAKMP_ETYPE_BASE:
586 /* phase 1 validity check */
587 if (isakmp->msgid != 0) {
588 plog(LLV_ERROR, LOCATION, remote,
589 "message id should be zero in phase1.\n");
590 return -1;
591 }
592
593 /* search for isakmp status record of phase 1 */
594 if (iph1 == NULL) {
595 /*
596 * the packet must be the 1st message from a initiator
597 * or the 2nd message from the responder.
598 */
599
600 /* search for phase1 handle by index without r_ck */
601 iph1 = getph1byindex0(index);
602 if (iph1 == NULL) {
603 /*it must be the 1st message from a initiator.*/
604 if (memcmp(&isakmp->r_ck, r_ck0,
605 sizeof(cookie_t)) != 0) {
606
607 plog(LLV_DEBUG, LOCATION, remote,
608 "malformed cookie received "
609 "or the spi expired.\n");
610 return -1;
611 }
612
613 /* it must be responder's 1st exchange. */
614 if (isakmp_ph1begin_r(msg, remote, local,
615 isakmp->etype) < 0)
616 return -1;
617 break;
618
619 /*NOTREACHED*/
620 }
621
622 /* it must be the 2nd message from the responder. */
623 if (iph1->side != INITIATOR) {
624 plog(LLV_DEBUG, LOCATION, remote,
625 "malformed cookie received. "
626 "it has to be as the initiator. %s\n",
627 isakmp_pindex(&iph1->index, 0));
628 return -1;
629 }
630 }
631
632 /*
633 * Don't delete phase 1 handler when the exchange type
634 * in handler is not equal to packet's one because of no
635 * authencication completed.
636 */
637 if (iph1->etype != isakmp->etype) {
638 plog(LLV_ERROR, LOCATION, iph1->remote,
639 "exchange type is mismatched: "
640 "db=%s packet=%s, ignore it.\n",
641 s_isakmp_etype(iph1->etype),
642 s_isakmp_etype(isakmp->etype));
643 return -1;
644 }
645
646 /* call main process of phase 1 */
647 if (ph1_main(iph1, msg) < 0) {
648 plog(LLV_ERROR, LOCATION, iph1->remote,
649 "phase1 negotiation failed.\n");
650 remph1(iph1);
651 delph1(iph1);
652 return -1;
653 }
654 break;
655
656 case ISAKMP_ETYPE_AUTH:
657 plog(LLV_INFO, LOCATION, remote,
658 "unsupported exchange %d received.\n",
659 isakmp->etype);
660 break;
661
662 case ISAKMP_ETYPE_INFO:
663 case ISAKMP_ETYPE_ACKINFO:
664 /*
665 * iph1 must be present for Information message.
666 * if iph1 is null then trying to get the phase1 status
667 * as the packet from responder againt initiator's 1st
668 * exchange in phase 1.
669 * NOTE: We think such informational exchange should be ignored.
670 */
671 if (iph1 == NULL) {
672 iph1 = getph1byindex0(index);
673 if (iph1 == NULL) {
674 plog(LLV_ERROR, LOCATION, remote,
675 "unknown Informational "
676 "exchange received.\n");
677 return -1;
678 }
679 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
680 plog(LLV_WARNING, LOCATION, remote,
681 "remote address mismatched. "
682 "db=%s\n",
683 saddr2str(iph1->remote));
684 }
685 }
686
687 if (isakmp_info_recv(iph1, msg) < 0)
688 return -1;
689 break;
690
691 case ISAKMP_ETYPE_QUICK:
692 {
693 struct ph2handle *iph2;
694
695 if (iph1 == NULL) {
696 isakmp_info_send_nx(isakmp, remote, local,
697 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
698 plog(LLV_ERROR, LOCATION, remote,
699 "can't start the quick mode, "
700 "there is no ISAKMP-SA, %s\n",
701 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
702 isakmp->msgid));
703 return -1;
704 }
705
706 /* check status of phase 1 whether negotiated or not. */
707 if (iph1->status != PHASE1ST_ESTABLISHED) {
708 plog(LLV_ERROR, LOCATION, remote,
709 "can't start the quick mode, "
710 "there is no valid ISAKMP-SA, %s\n",
711 isakmp_pindex(&iph1->index, iph1->msgid));
712 return -1;
713 }
714
715 /* search isakmp phase 2 stauts record. */
716 iph2 = getph2bymsgid(iph1, msgid);
717 if (iph2 == NULL) {
718 /* it must be new negotiation as responder */
719 if (isakmp_ph2begin_r(iph1, msg) < 0)
720 return -1;
721 return 0;
722 /*NOTREACHED*/
723 }
724
725 /* commit bit. */
726 /* XXX
727 * we keep to set commit bit during negotiation.
728 * When SA is configured, bit will be reset.
729 * XXX
730 * don't initiate commit bit. should be fixed in the future.
731 */
732 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
733 iph2->flags |= ISAKMP_FLAG_C;
734
735 /* call main process of quick mode */
736 if (quick_main(iph2, msg) < 0) {
737 plog(LLV_ERROR, LOCATION, iph1->remote,
738 "phase2 negotiation failed.\n");
739 unbindph12(iph2);
740 remph2(iph2);
741 delph2(iph2);
742 return -1;
743 }
744 }
745 break;
746
747 case ISAKMP_ETYPE_NEWGRP:
748 if (iph1 == NULL) {
749 plog(LLV_ERROR, LOCATION, remote,
750 "Unknown new group mode exchange, "
751 "there is no ISAKMP-SA.\n");
752 return -1;
753 }
754 isakmp_newgroup_r(iph1, msg);
755 break;
756
757 case ISAKMP_ETYPE_NONE:
758 default:
759 plog(LLV_ERROR, LOCATION, NULL,
760 "Invalid exchange type %d from %s.\n",
761 isakmp->etype, saddr2str(remote));
762 return -1;
763 }
764
765 return 0;
766 }
767
768 /*
769 * main function of phase 1.
770 */
771 static int
772 ph1_main(iph1, msg)
773 struct ph1handle *iph1;
774 vchar_t *msg;
775 {
776 int error;
777 #ifdef ENABLE_STATS
778 struct timeval start, end;
779 #endif
780
781 /* ignore a packet */
782 if (iph1->status == PHASE1ST_ESTABLISHED)
783 return 0;
784
785 #ifdef ENABLE_STATS
786 gettimeofday(&start, NULL);
787 #endif
788 /* receive */
789 if (ph1exchange[etypesw1(iph1->etype)]
790 [iph1->side]
791 [iph1->status] == NULL) {
792 plog(LLV_ERROR, LOCATION, iph1->remote,
793 "why isn't the function defined.\n");
794 return -1;
795 }
796 error = (ph1exchange[etypesw1(iph1->etype)]
797 [iph1->side]
798 [iph1->status])(iph1, msg);
799 if (error != 0) {
800 #if 0
801 /* XXX
802 * When an invalid packet is received on phase1, it should
803 * be selected to process this packet. That is to respond
804 * with a notify and delete phase 1 handler, OR not to respond
805 * and keep phase 1 handler.
806 */
807 plog(LLV_ERROR, LOCATION, iph1->remote,
808 "failed to pre-process packet.\n");
809 return -1;
810 #else
811 /* ignore the error and keep phase 1 handler */
812 return 0;
813 #endif
814 }
815
816 /* free resend buffer */
817 if (iph1->sendbuf == NULL) {
818 plog(LLV_ERROR, LOCATION, NULL,
819 "no buffer found as sendbuf\n");
820 return -1;
821 }
822 vfree(iph1->sendbuf);
823 iph1->sendbuf = NULL;
824
825 /* turn off schedule */
826 if (iph1->scr)
827 SCHED_KILL(iph1->scr);
828
829 /* send */
830 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
831 if ((ph1exchange[etypesw1(iph1->etype)]
832 [iph1->side]
833 [iph1->status])(iph1, msg) != 0) {
834 plog(LLV_ERROR, LOCATION, iph1->remote,
835 "failed to process packet.\n");
836 return -1;
837 }
838
839 #ifdef ENABLE_STATS
840 gettimeofday(&end, NULL);
841 syslog(LOG_NOTICE, "%s(%s): %8.6f",
842 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
843 timedelta(&start, &end));
844 #endif
845 if (iph1->status == PHASE1ST_ESTABLISHED) {
846
847 #ifdef ENABLE_STATS
848 gettimeofday(&iph1->end, NULL);
849 syslog(LOG_NOTICE, "%s(%s): %8.6f",
850 "phase1", s_isakmp_etype(iph1->etype),
851 timedelta(&iph1->start, &iph1->end));
852 #endif
853
854 /* save created date. */
855 (void)time(&iph1->created);
856
857 /* add to the schedule to expire, and seve back pointer. */
858 iph1->sce = sched_new(iph1->approval->lifetime,
859 isakmp_ph1expire_stub, iph1);
860
861 /* INITIAL-CONTACT processing */
862 /* don't anything if local test mode. */
863 if (!f_local
864 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
865 /* send INITIAL-CONTACT */
866 isakmp_info_send_n1(iph1,
867 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
868 /* insert a node into contacted list. */
869 if (inscontacted(iph1->remote) == -1) {
870 plog(LLV_ERROR, LOCATION, iph1->remote,
871 "failed to add contacted list.\n");
872 /* ignore */
873 }
874 }
875
876 log_ph1established(iph1);
877 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
878 }
879
880 return 0;
881 }
882
883 /*
884 * main function of quick mode.
885 */
886 static int
887 quick_main(iph2, msg)
888 struct ph2handle *iph2;
889 vchar_t *msg;
890 {
891 struct isakmp *isakmp = (struct isakmp *)msg->v;
892 int error;
893 #ifdef ENABLE_STATS
894 struct timeval start, end;
895 #endif
896
897 /* ignore a packet */
898 if (iph2->status == PHASE2ST_ESTABLISHED
899 || iph2->status == PHASE2ST_GETSPISENT)
900 return 0;
901
902 #ifdef ENABLE_STATS
903 gettimeofday(&start, NULL);
904 #endif
905
906 /* receive */
907 if (ph2exchange[etypesw2(isakmp->etype)]
908 [iph2->side]
909 [iph2->status] == NULL) {
910 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
911 "why isn't the function defined.\n");
912 return -1;
913 }
914 error = (ph2exchange[etypesw2(isakmp->etype)]
915 [iph2->side]
916 [iph2->status])(iph2, msg);
917 if (error != 0) {
918 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
919 "failed to pre-process packet.\n");
920 if (error == ISAKMP_INTERNAL_ERROR)
921 return 0;
922 isakmp_info_send_n1(iph2->ph1, error, NULL);
923 return -1;
924 }
925
926 /* when using commit bit, status will be reached here. */
927 if (iph2->status == PHASE2ST_ADDSA)
928 return 0;
929
930 /* free resend buffer */
931 if (iph2->sendbuf == NULL) {
932 plog(LLV_ERROR, LOCATION, NULL,
933 "no buffer found as sendbuf\n");
934 return -1;
935 }
936 vfree(iph2->sendbuf);
937 iph2->sendbuf = NULL;
938
939 /* turn off schedule */
940 if (iph2->scr)
941 SCHED_KILL(iph2->scr);
942
943 /* send */
944 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
945 if ((ph2exchange[etypesw2(isakmp->etype)]
946 [iph2->side]
947 [iph2->status])(iph2, msg) != 0) {
948 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
949 "failed to process packet.\n");
950 return -1;
951 }
952
953 #ifdef ENABLE_STATS
954 gettimeofday(&end, NULL);
955 syslog(LOG_NOTICE, "%s(%s): %8.6f",
956 "phase2",
957 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
958 timedelta(&start, &end));
959 #endif
960
961 return 0;
962 }
963
964 /* new negotiation of phase 1 for initiator */
965 int
966 isakmp_ph1begin_i(rmconf, remote)
967 struct remoteconf *rmconf;
968 struct sockaddr *remote;
969 {
970 struct ph1handle *iph1;
971 #ifdef ENABLE_STATS
972 struct timeval start, end;
973 #endif
974
975 /* get new entry to isakmp status table. */
976 iph1 = newph1();
977 if (iph1 == NULL)
978 return -1;
979
980 iph1->status = PHASE1ST_START;
981 iph1->rmconf = rmconf;
982 iph1->side = INITIATOR;
983 iph1->version = ISAKMP_VERSION_NUMBER;
984 iph1->msgid = 0;
985 iph1->flags = 0;
986 iph1->ph2cnt = 0;
987 #ifdef HAVE_GSSAPI
988 iph1->gssapi_state = NULL;
989 #endif
990 iph1->approval = NULL;
991
992 /* XXX copy remote address */
993 if (copy_ph1addresses(iph1, rmconf, remote, NULL) < 0)
994 return -1;
995
996 (void)insph1(iph1);
997
998 /* start phase 1 exchange */
999 iph1->etype = rmconf->etypes->type;
1000
1001 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1002 {
1003 char *a;
1004
1005 a = strdup(saddr2str(iph1->local));
1006 plog(LLV_INFO, LOCATION, NULL,
1007 "initiate new phase 1 negotiation: %s<=>%s\n",
1008 a, saddr2str(iph1->remote));
1009 racoon_free(a);
1010 }
1011 plog(LLV_INFO, LOCATION, NULL,
1012 "begin %s mode.\n",
1013 s_isakmp_etype(iph1->etype));
1014
1015 #ifdef ENABLE_STATS
1016 gettimeofday(&iph1->start, NULL);
1017 gettimeofday(&start, NULL);
1018 #endif
1019 /* start exchange */
1020 if ((ph1exchange[etypesw1(iph1->etype)]
1021 [iph1->side]
1022 [iph1->status])(iph1, NULL) != 0) {
1023 /* failed to start phase 1 negotiation */
1024 remph1(iph1);
1025 delph1(iph1);
1026
1027 return -1;
1028 }
1029
1030 #ifdef ENABLE_STATS
1031 gettimeofday(&end, NULL);
1032 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1033 "phase1",
1034 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1035 timedelta(&start, &end));
1036 #endif
1037
1038 return 0;
1039 }
1040
1041 /* new negotiation of phase 1 for responder */
1042 static int
1043 isakmp_ph1begin_r(msg, remote, local, etype)
1044 vchar_t *msg;
1045 struct sockaddr *remote, *local;
1046 u_int8_t etype;
1047 {
1048 struct isakmp *isakmp = (struct isakmp *)msg->v;
1049 struct remoteconf *rmconf;
1050 struct ph1handle *iph1;
1051 struct etypes *etypeok;
1052 #ifdef ENABLE_STATS
1053 struct timeval start, end;
1054 #endif
1055
1056 /* look for my configuration */
1057 rmconf = getrmconf(remote);
1058 if (rmconf == NULL) {
1059 plog(LLV_ERROR, LOCATION, remote,
1060 "couldn't find "
1061 "configuration.\n");
1062 return -1;
1063 }
1064
1065 /* check to be acceptable exchange type */
1066 etypeok = check_etypeok(rmconf, etype);
1067 if (etypeok == NULL) {
1068 plog(LLV_ERROR, LOCATION, remote,
1069 "not acceptable %s mode\n", s_isakmp_etype(etype));
1070 return -1;
1071 }
1072
1073 /* get new entry to isakmp status table. */
1074 iph1 = newph1();
1075 if (iph1 == NULL)
1076 return -1;
1077
1078 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1079 iph1->status = PHASE1ST_START;
1080 iph1->rmconf = rmconf;
1081 iph1->flags = 0;
1082 iph1->side = RESPONDER;
1083 iph1->etype = etypeok->type;
1084 iph1->version = isakmp->v;
1085 iph1->msgid = 0;
1086 #ifdef HAVE_GSSAPI
1087 iph1->gssapi_state = NULL;
1088 #endif
1089 iph1->approval = NULL;
1090
1091 /* copy remote address */
1092 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
1093 return -1;
1094
1095 (void)insph1(iph1);
1096
1097 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1098 {
1099 char *a;
1100
1101 a = strdup(saddr2str(iph1->local));
1102 plog(LLV_INFO, LOCATION, NULL,
1103 "respond new phase 1 negotiation: %s<=>%s\n",
1104 a, saddr2str(iph1->remote));
1105 racoon_free(a);
1106 }
1107 plog(LLV_INFO, LOCATION, NULL,
1108 "begin %s mode.\n", s_isakmp_etype(etype));
1109
1110 #ifdef ENABLE_STATS
1111 gettimeofday(&iph1->start, NULL);
1112 gettimeofday(&start, NULL);
1113 #endif
1114 /* start exchange */
1115 if ((ph1exchange[etypesw1(iph1->etype)]
1116 [iph1->side]
1117 [iph1->status])(iph1, msg) < 0
1118 || (ph1exchange[etypesw1(iph1->etype)]
1119 [iph1->side]
1120 [iph1->status])(iph1, msg) < 0) {
1121 plog(LLV_ERROR, LOCATION, remote,
1122 "failed to process packet.\n");
1123 remph1(iph1);
1124 delph1(iph1);
1125 return -1;
1126 }
1127 #ifdef ENABLE_STATS
1128 gettimeofday(&end, NULL);
1129 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1130 "phase1",
1131 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1132 timedelta(&start, &end));
1133 #endif
1134
1135 return 0;
1136 }
1137
1138 /* new negotiation of phase 2 for initiator */
1139 static int
1140 isakmp_ph2begin_i(iph1, iph2)
1141 struct ph1handle *iph1;
1142 struct ph2handle *iph2;
1143 {
1144 /* found ISAKMP-SA. */
1145 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1146 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1147 {
1148 char *a;
1149 a = strdup(saddr2str(iph2->src));
1150 plog(LLV_INFO, LOCATION, NULL,
1151 "initiate new phase 2 negotiation: %s<=>%s\n",
1152 a, saddr2str(iph2->dst));
1153 racoon_free(a);
1154 }
1155
1156 #ifdef ENABLE_STATS
1157 gettimeofday(&iph2->start, NULL);
1158 #endif
1159 /* found isakmp-sa */
1160 bindph12(iph1, iph2);
1161 iph2->status = PHASE2ST_STATUS2;
1162
1163 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1164 [iph2->side]
1165 [iph2->status])(iph2, NULL) < 0) {
1166 unbindph12(iph2);
1167 /* release ipsecsa handler due to internal error. */
1168 remph2(iph2);
1169 delph2(iph2);
1170 return -1;
1171 }
1172 return 0;
1173 }
1174
1175 /* new negotiation of phase 2 for responder */
1176 static int
1177 isakmp_ph2begin_r(iph1, msg)
1178 struct ph1handle *iph1;
1179 vchar_t *msg;
1180 {
1181 struct isakmp *isakmp = (struct isakmp *)msg->v;
1182 struct ph2handle *iph2 = 0;
1183 int error;
1184 #ifdef ENABLE_STATS
1185 struct timeval start, end;
1186 #endif
1187
1188 iph2 = newph2();
1189 if (iph2 == NULL) {
1190 plog(LLV_ERROR, LOCATION, NULL,
1191 "failed to allocate phase2 entry.\n");
1192 return -1;
1193 }
1194
1195 iph2->ph1 = iph1;
1196 iph2->side = RESPONDER;
1197 iph2->status = PHASE2ST_START;
1198 iph2->flags = isakmp->flags;
1199 iph2->msgid = isakmp->msgid;
1200 iph2->seq = pk_getseq();
1201 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1202 if (iph2->ivm == NULL) {
1203 delph2(iph2);
1204 return -1;
1205 }
1206 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1207 if (iph2->dst == NULL) {
1208 delph2(iph2);
1209 return -1;
1210 }
1211 switch (iph2->dst->sa_family) {
1212 case AF_INET:
1213 ((struct sockaddr_in *)iph2->dst)->sin_port = 0;
1214 break;
1215 #ifdef INET6
1216 case AF_INET6:
1217 ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
1218 break;
1219 #endif
1220 default:
1221 plog(LLV_ERROR, LOCATION, NULL,
1222 "invalid family: %d\n", iph2->dst->sa_family);
1223 delph2(iph2);
1224 return -1;
1225 }
1226
1227 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1228 if (iph2->src == NULL) {
1229 delph2(iph2);
1230 return -1;
1231 }
1232 switch (iph2->src->sa_family) {
1233 case AF_INET:
1234 ((struct sockaddr_in *)iph2->src)->sin_port = 0;
1235 break;
1236 #ifdef INET6
1237 case AF_INET6:
1238 ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
1239 break;
1240 #endif
1241 default:
1242 plog(LLV_ERROR, LOCATION, NULL,
1243 "invalid family: %d\n", iph2->src->sa_family);
1244 delph2(iph2);
1245 return -1;
1246 }
1247
1248 /* add new entry to isakmp status table */
1249 insph2(iph2);
1250 bindph12(iph1, iph2);
1251
1252 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1253 {
1254 char *a;
1255
1256 a = strdup(saddr2str(iph2->src));
1257 plog(LLV_INFO, LOCATION, NULL,
1258 "respond new phase 2 negotiation: %s<=>%s\n",
1259 a, saddr2str(iph2->dst));
1260 racoon_free(a);
1261 }
1262
1263 #ifdef ENABLE_STATS
1264 gettimeofday(&start, NULL);
1265 #endif
1266
1267 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1268 [iph2->side]
1269 [iph2->status])(iph2, msg);
1270 if (error != 0) {
1271 plog(LLV_ERROR, LOCATION, iph1->remote,
1272 "failed to pre-process packet.\n");
1273 if (error != ISAKMP_INTERNAL_ERROR)
1274 isakmp_info_send_n1(iph2->ph1, error, NULL);
1275 /*
1276 * release handler because it's wrong that ph2handle is kept
1277 * after failed to check message for responder's.
1278 */
1279 unbindph12(iph2);
1280 remph2(iph2);
1281 delph2(iph2);
1282 return -1;
1283 }
1284
1285 /* send */
1286 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1287 if ((ph2exchange[etypesw2(isakmp->etype)]
1288 [iph2->side]
1289 [iph2->status])(iph2, msg) < 0) {
1290 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1291 "failed to process packet.\n");
1292 /* don't release handler */
1293 return -1;
1294 }
1295 #ifdef ENABLE_STATS
1296 gettimeofday(&end, NULL);
1297 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1298 "phase2",
1299 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1300 timedelta(&start, &end));
1301 #endif
1302
1303 return 0;
1304 }
1305
1306 /*
1307 * parse ISAKMP payloads, without ISAKMP base header.
1308 */
1309 vchar_t *
1310 isakmp_parsewoh(np0, gen, len)
1311 int np0;
1312 struct isakmp_gen *gen;
1313 int len;
1314 {
1315 u_char np = np0 & 0xff;
1316 int tlen, plen;
1317 vchar_t *result;
1318 struct isakmp_parse_t *p, *ep;
1319
1320 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1321
1322 /*
1323 * 5 is a magic number, but any value larger than 2 should be fine
1324 * as we do vrealloc() in the following loop.
1325 */
1326 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1327 if (result == NULL) {
1328 plog(LLV_ERROR, LOCATION, NULL,
1329 "failed to get buffer.\n");
1330 return NULL;
1331 }
1332 p = (struct isakmp_parse_t *)result->v;
1333 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1334
1335 tlen = len;
1336
1337 /* parse through general headers */
1338 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1339 if (tlen <= sizeof(struct isakmp_gen)) {
1340 /* don't send information, see isakmp_ident_r1() */
1341 plog(LLV_ERROR, LOCATION, NULL,
1342 "invalid length of payload\n");
1343 vfree(result);
1344 return NULL;
1345 }
1346
1347 plog(LLV_DEBUG, LOCATION, NULL,
1348 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1349
1350 p->type = np;
1351 p->len = ntohs(gen->len);
1352 if (p->len == 0 || p->len > tlen) {
1353 plog(LLV_DEBUG, LOCATION, NULL,
1354 "invalid length of payload\n");
1355 vfree(result);
1356 return NULL;
1357 }
1358 p->ptr = gen;
1359 p++;
1360 if (ep <= p) {
1361 int off;
1362
1363 off = p - (struct isakmp_parse_t *)result->v;
1364 result = vrealloc(result, result->l * 2);
1365 if (result == NULL) {
1366 plog(LLV_DEBUG, LOCATION, NULL,
1367 "failed to realloc buffer.\n");
1368 vfree(result);
1369 return NULL;
1370 }
1371 ep = (struct isakmp_parse_t *)
1372 (result->v + result->l - sizeof(*ep));
1373 p = (struct isakmp_parse_t *)result->v;
1374 p += off;
1375 }
1376
1377 np = gen->np;
1378 plen = ntohs(gen->len);
1379 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1380 tlen -= plen;
1381 }
1382 p->type = ISAKMP_NPTYPE_NONE;
1383 p->len = 0;
1384 p->ptr = NULL;
1385
1386 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1387
1388 return result;
1389 }
1390
1391 /*
1392 * parse ISAKMP payloads, including ISAKMP base header.
1393 */
1394 vchar_t *
1395 isakmp_parse(buf)
1396 vchar_t *buf;
1397 {
1398 struct isakmp *isakmp = (struct isakmp *)buf->v;
1399 struct isakmp_gen *gen;
1400 int tlen;
1401 vchar_t *result;
1402 u_char np;
1403
1404 np = isakmp->np;
1405 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1406 tlen = buf->l - sizeof(struct isakmp);
1407 result = isakmp_parsewoh(np, gen, tlen);
1408
1409 return result;
1410 }
1411
1412 /* %%% */
1413 int
1414 isakmp_init()
1415 {
1416 /* initialize a isakmp status table */
1417 initph1tree();
1418 initph2tree();
1419 initctdtree();
1420 init_recvdpkt();
1421
1422 if (isakmp_open() < 0)
1423 goto err;
1424
1425 return(0);
1426
1427 err:
1428 isakmp_close();
1429 return(-1);
1430 }
1431
1432 /*
1433 * make strings containing i_cookie + r_cookie + msgid
1434 */
1435 const char *
1436 isakmp_pindex(index, msgid)
1437 const isakmp_index *index;
1438 const u_int32_t msgid;
1439 {
1440 static char buf[64];
1441 const u_char *p;
1442 int i, j;
1443
1444 memset(buf, 0, sizeof(buf));
1445
1446 /* copy index */
1447 p = (const u_char *)index;
1448 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1449 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1450 j += 2;
1451 switch (i) {
1452 case 7:
1453 buf[j++] = ':';
1454 }
1455 }
1456
1457 if (msgid == 0)
1458 return buf;
1459
1460 /* copy msgid */
1461 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1462
1463 return buf;
1464 }
1465
1466 int
1467 isakmp_setup_socket(struct sockaddr* in_addr)
1468 {
1469 int sock = -1;
1470 const int yes = 1;
1471 #ifdef INET6
1472 int pktinfo;
1473 #endif
1474 if ((sock = socket(in_addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1475 plog(LLV_ERROR, LOCATION, NULL,
1476 "socket (%s)\n", strerror(errno));
1477 return -1;
1478 }
1479
1480 /* receive my interface address on inbound packets. */
1481 switch (in_addr->sa_family) {
1482 case AF_INET:
1483 if (setsockopt(sock, IPPROTO_IP, IP_RECVDSTADDR,
1484 (const void *)&yes, sizeof(yes)) < 0) {
1485 plog(LLV_ERROR, LOCATION, NULL,
1486 "setsockopt (%s)\n", strerror(errno));
1487 close(sock);
1488 return -1;
1489 }
1490 break;
1491 #ifdef INET6
1492 case AF_INET6:
1493 #ifdef ADVAPI
1494 #ifdef IPV6_RECVPKTINFO
1495 pktinfo = IPV6_RECVPKTINFO;
1496 #else /* old adv. API */
1497 pktinfo = IPV6_PKTINFO;
1498 #endif /* IPV6_RECVPKTINFO */
1499 #else
1500 pktinfo = IPV6_RECVDSTADDR;
1501 #endif
1502 if (setsockopt(sock, IPPROTO_IPV6, pktinfo,
1503 (const void *)&yes, sizeof(yes)) < 0)
1504 {
1505 plog(LLV_ERROR, LOCATION, NULL,
1506 "setsockopt(%d): %s\n",
1507 pktinfo, strerror(errno));
1508 close(sock);
1509 return -1;
1510 }
1511 break;
1512 #endif
1513 }
1514
1515 #ifdef IPV6_USE_MIN_MTU
1516 if (in_addr->sa_family == AF_INET6 &&
1517 setsockopt(sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1518 (void *)&yes, sizeof(yes)) < 0) {
1519 plog(LLV_ERROR, LOCATION, NULL,
1520 "setsockopt (%s)\n", strerror(errno));
1521 close(sock);
1522 return -1;
1523 }
1524 #endif
1525
1526 if (setsockopt_bypass(sock, in_addr->sa_family) < 0) {
1527 close(sock);
1528 return -1;
1529 }
1530
1531 if (bind(sock, in_addr, in_addr->sa_len) < 0) {
1532 plog(LLV_ERROR, LOCATION, in_addr,
1533 "failed to bind (%s).\n", strerror(errno));
1534 close(sock);
1535 return -1;
1536 }
1537
1538 return sock;
1539 }
1540
1541 /* open ISAKMP sockets. */
1542 int
1543 isakmp_open()
1544 {
1545 int ifnum;
1546 struct myaddrs *p;
1547
1548 ifnum = 0;
1549 for (p = lcconf->myaddrs; p; p = p->next) {
1550 if (!p->addr)
1551 continue;
1552
1553 /* warn if wildcard address - should we forbid this? */
1554 switch (p->addr->sa_family) {
1555 case AF_INET:
1556 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
1557 plog(LLV_WARNING, LOCATION, NULL,
1558 "listening to wildcard address,"
1559 "broadcast IKE packet may kill you\n");
1560 break;
1561 #ifdef INET6
1562 case AF_INET6:
1563 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
1564 plog(LLV_WARNING, LOCATION, NULL,
1565 "listening to wildcard address, "
1566 "broadcast IKE packet may kill you\n");
1567 break;
1568 #endif
1569 default:
1570 plog(LLV_ERROR, LOCATION, NULL,
1571 "unsupported address family %d\n",
1572 lcconf->default_af);
1573 goto err_and_next;
1574 }
1575
1576 p->sock = isakmp_setup_socket(p->addr);
1577 if (p->sock < 0) goto err_and_next;
1578
1579 plog(LLV_DEBUG, LOCATION, NULL,
1580 "%s used as isakmp port (fd=%d)\n",
1581 saddr2str(p->addr), p->sock);
1582
1583 ifnum++;
1584
1585 #ifdef IKE_NAT_T
1586 /*
1587 * We have to listen on 4500 in addition to 500 with IPv4
1588 * to support NAT traversal.
1589 */
1590 if (p->addr->sa_family == AF_INET)
1591 {
1592 struct sockaddr_in sin = *(struct sockaddr_in*)p->addr;
1593
1594 sin.sin_port = ntohs(PORT_ISAKMP_NATT);
1595 p->nattsock = isakmp_setup_socket((struct sockaddr*)&sin);
1596 if (p->nattsock >= 0)
1597 {
1598 plog(LLV_DEBUG, LOCATION, NULL,
1599 "%s used as nat-t isakmp port (fd=%d)\n",
1600 saddr2str((struct sockaddr*)&sin), p->nattsock);
1601 }
1602 }
1603 #endif
1604
1605 continue;
1606
1607 err_and_next:
1608 racoon_free(p->addr);
1609 p->addr = NULL;
1610 if (! lcconf->autograbaddr && lcconf->strict_address)
1611 return -1;
1612 continue;
1613 }
1614
1615 if (!ifnum) {
1616 plog(LLV_ERROR, LOCATION, NULL,
1617 "no address could be bound.\n");
1618 return -1;
1619 }
1620
1621 return 0;
1622 }
1623
1624 void
1625 isakmp_close()
1626 {
1627 struct myaddrs *p, *next;
1628
1629 for (p = lcconf->myaddrs; p; p = next) {
1630 next = p->next;
1631
1632 if (!p->addr) {
1633 racoon_free(p);
1634 continue;
1635 }
1636 close(p->sock);
1637 #ifdef IKE_NAT_T
1638 if (p->nattsock >= 0) close(p->nattsock);
1639 #endif
1640 racoon_free(p->addr);
1641 racoon_free(p);
1642 }
1643
1644 lcconf->myaddrs = NULL;
1645 }
1646
1647 int
1648 isakmp_send(iph1, sbuf)
1649 struct ph1handle *iph1;
1650 vchar_t *sbuf;
1651 {
1652 int len = 0;
1653 int s;
1654 vchar_t *newbuf = NULL;
1655
1656 /* select the socket to be sent */
1657 s = getsockmyaddr(iph1->local);
1658 if (s == -1)
1659 return -1;
1660
1661 #ifdef IKE_NAT_T
1662 /* prepend four bytes of zeros if source or destination port is PORT_ISAKMP_NATT */
1663 if (iph1->remote->sa_family == AF_INET &&
1664 (((struct sockaddr_in*)(iph1->remote))->sin_port == htons(PORT_ISAKMP_NATT)) ||
1665 ((struct sockaddr_in*)(iph1->local))->sin_port == htons(PORT_ISAKMP_NATT))
1666 {
1667
1668 /* There's probably a better way to do this */
1669 newbuf = vmalloc(sbuf->l + 4);
1670 if (newbuf == NULL) {
1671 plog(LLV_ERROR, LOCATION, NULL, "sendfromto natt prepend failed\n");
1672 return -1;
1673 }
1674
1675 memset(newbuf->v, 0, 4);
1676 memcpy(newbuf->v + 4, sbuf->v, sbuf->l);
1677 sbuf = newbuf;
1678 }
1679 #endif
1680
1681 len = sendfromto(s, sbuf->v, sbuf->l,
1682 iph1->local, iph1->remote, lcconf->count_persend);
1683 if (len == -1) {
1684 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1685 return -1;
1686 }
1687
1688 if (newbuf) vfree(newbuf);
1689
1690 return 0;
1691 }
1692
1693 /* called from scheduler */
1694 void
1695 isakmp_ph1resend_stub(p)
1696 void *p;
1697 {
1698 (void)isakmp_ph1resend((struct ph1handle *)p);
1699 }
1700
1701 int
1702 isakmp_ph1resend(iph1)
1703 struct ph1handle *iph1;
1704 {
1705 if (iph1->retry_counter < 0) {
1706 plog(LLV_ERROR, LOCATION, NULL,
1707 "phase1 negotiation failed due to time up. %s\n",
1708 isakmp_pindex(&iph1->index, iph1->msgid));
1709
1710 remph1(iph1);
1711 delph1(iph1);
1712 return -1;
1713 }
1714
1715 if (isakmp_send(iph1, iph1->sendbuf) < 0)
1716 return -1;
1717
1718 plog(LLV_DEBUG, LOCATION, NULL,
1719 "resend phase1 packet %s\n",
1720 isakmp_pindex(&iph1->index, iph1->msgid));
1721
1722 iph1->retry_counter--;
1723
1724 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1725 isakmp_ph1resend_stub, iph1);
1726
1727 return 0;
1728 }
1729
1730 /* called from scheduler */
1731 void
1732 isakmp_ph2resend_stub(p)
1733 void *p;
1734 {
1735
1736 (void)isakmp_ph2resend((struct ph2handle *)p);
1737 }
1738
1739 int
1740 isakmp_ph2resend(iph2)
1741 struct ph2handle *iph2;
1742 {
1743 if (iph2->retry_counter < 0) {
1744 plog(LLV_ERROR, LOCATION, NULL,
1745 "phase2 negotiation failed due to time up. %s\n",
1746 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1747 unbindph12(iph2);
1748 remph2(iph2);
1749 delph2(iph2);
1750 return -1;
1751 }
1752
1753 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1754 return -1;
1755
1756 plog(LLV_DEBUG, LOCATION, NULL,
1757 "resend phase2 packet %s\n",
1758 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1759
1760 iph2->retry_counter--;
1761
1762 iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
1763 isakmp_ph2resend_stub, iph2);
1764
1765 return 0;
1766 }
1767
1768 /* called from scheduler */
1769 void
1770 isakmp_ph1expire_stub(p)
1771 void *p;
1772 {
1773
1774 isakmp_ph1expire((struct ph1handle *)p);
1775 }
1776
1777 void
1778 isakmp_ph1expire(iph1)
1779 struct ph1handle *iph1;
1780 {
1781 char *src, *dst;
1782
1783 src = strdup(saddr2str(iph1->local));
1784 dst = strdup(saddr2str(iph1->remote));
1785 plog(LLV_INFO, LOCATION, NULL,
1786 "ISAKMP-SA expired %s-%s spi:%s\n",
1787 src, dst,
1788 isakmp_pindex(&iph1->index, 0));
1789 racoon_free(src);
1790 racoon_free(dst);
1791
1792 SCHED_KILL(iph1->sce);
1793
1794 iph1->status = PHASE1ST_EXPIRED;
1795
1796 /*
1797 * the phase1 deletion is postponed until there is no phase2.
1798 */
1799 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1800 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
1801 return;
1802 }
1803
1804 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1805 }
1806
1807 /* called from scheduler */
1808 void
1809 isakmp_ph1delete_stub(p)
1810 void *p;
1811 {
1812
1813 isakmp_ph1delete((struct ph1handle *)p);
1814 }
1815
1816 void
1817 isakmp_ph1delete(iph1)
1818 struct ph1handle *iph1;
1819 {
1820 char *src, *dst;
1821
1822 SCHED_KILL(iph1->sce);
1823
1824 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1825 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1826 return;
1827 }
1828
1829 /* don't re-negosiation when the phase 1 SA expires. */
1830
1831 src = strdup(saddr2str(iph1->local));
1832 dst = strdup(saddr2str(iph1->remote));
1833 plog(LLV_INFO, LOCATION, NULL,
1834 "ISAKMP-SA deleted %s-%s spi:%s\n",
1835 src, dst, isakmp_pindex(&iph1->index, 0));
1836 racoon_free(src);
1837 racoon_free(dst);
1838
1839 remph1(iph1);
1840 delph1(iph1);
1841
1842 return;
1843 }
1844
1845 /* called from scheduler.
1846 * this function will call only isakmp_ph2delete().
1847 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
1848 * by something cause. That's why this function is called after phase 2 SA
1849 * expires in the userland.
1850 */
1851 void
1852 isakmp_ph2expire_stub(p)
1853 void *p;
1854 {
1855
1856 isakmp_ph2expire((struct ph2handle *)p);
1857 }
1858
1859 void
1860 isakmp_ph2expire(iph2)
1861 struct ph2handle *iph2;
1862 {
1863 char *src, *dst;
1864
1865 SCHED_KILL(iph2->sce);
1866
1867 src = strdup(saddrwop2str(iph2->src));
1868 dst = strdup(saddrwop2str(iph2->dst));
1869 plog(LLV_INFO, LOCATION, NULL,
1870 "phase2 sa expired %s-%s\n", src, dst);
1871 racoon_free(src);
1872 racoon_free(dst);
1873
1874 iph2->status = PHASE2ST_EXPIRED;
1875
1876 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
1877
1878 return;
1879 }
1880
1881 /* called from scheduler */
1882 void
1883 isakmp_ph2delete_stub(p)
1884 void *p;
1885 {
1886
1887 isakmp_ph2delete((struct ph2handle *)p);
1888 }
1889
1890 void
1891 isakmp_ph2delete(iph2)
1892 struct ph2handle *iph2;
1893 {
1894 char *src, *dst;
1895
1896 SCHED_KILL(iph2->sce);
1897
1898 src = strdup(saddrwop2str(iph2->src));
1899 dst = strdup(saddrwop2str(iph2->dst));
1900 plog(LLV_INFO, LOCATION, NULL,
1901 "phase2 sa deleted %s-%s\n", src, dst);
1902 racoon_free(src);
1903 racoon_free(dst);
1904
1905 unbindph12(iph2);
1906 remph2(iph2);
1907 delph2(iph2);
1908
1909 return;
1910 }
1911
1912 /* \f%%%
1913 * Interface between PF_KEYv2 and ISAKMP
1914 */
1915 /*
1916 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
1917 * if phase1 has been finished, begin phase2.
1918 */
1919 int
1920 isakmp_post_acquire(iph2)
1921 struct ph2handle *iph2;
1922 {
1923 struct remoteconf *rmconf;
1924 struct ph1handle *iph1 = NULL;
1925
1926 /* search appropreate configuration with masking port. */
1927 rmconf = getrmconf(iph2->dst);
1928 if (rmconf == NULL) {
1929 plog(LLV_ERROR, LOCATION, NULL,
1930 "no configuration found for %s.\n",
1931 saddrwop2str(iph2->dst));
1932 return -1;
1933 }
1934
1935 /* if passive mode, ignore the acquire message */
1936 if (rmconf->passive) {
1937 plog(LLV_DEBUG, LOCATION, NULL,
1938 "because of passive mode, "
1939 "ignore the acquire message for %s.\n",
1940 saddrwop2str(iph2->dst));
1941 return 0;
1942 }
1943
1944 /* search isakmp status table by address with masking port */
1945 iph1 = getph1byaddr(iph2->src, iph2->dst);
1946
1947 /* no ISAKMP-SA found. */
1948 if (iph1 == NULL) {
1949 struct sched *sc;
1950
1951 iph2->retry_checkph1 = lcconf->retry_checkph1;
1952 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
1953 plog(LLV_INFO, LOCATION, NULL,
1954 "IPsec-SA request for %s queued "
1955 "due to no phase1 found.\n",
1956 saddrwop2str(iph2->dst));
1957
1958 /* start phase 1 negotiation as a initiator. */
1959 if (isakmp_ph1begin_i(rmconf, iph2->dst) < 0) {
1960 SCHED_KILL(sc);
1961 return -1;
1962 }
1963
1964 return 0;
1965 /*NOTREACHED*/
1966 }
1967
1968 /* found ISAKMP-SA, but on negotiation. */
1969 if (iph1->status != PHASE1ST_ESTABLISHED) {
1970 iph2->retry_checkph1 = lcconf->retry_checkph1;
1971 sched_new(1, isakmp_chkph1there_stub, iph2);
1972 plog(LLV_INFO, LOCATION, iph2->dst,
1973 "request for establishing IPsec-SA was queued "
1974 "due to no phase1 found.\n");
1975 return 0;
1976 /*NOTREACHED*/
1977 }
1978
1979 /* found established ISAKMP-SA */
1980 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
1981
1982 /* found ISAKMP-SA. */
1983 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1984
1985 /* begin quick mode */
1986 if (isakmp_ph2begin_i(iph1, iph2))
1987 return -1;
1988
1989 return 0;
1990 }
1991
1992 /*
1993 * receive GETSPI from kernel.
1994 */
1995 int
1996 isakmp_post_getspi(iph2)
1997 struct ph2handle *iph2;
1998 {
1999 #ifdef ENABLE_STATS
2000 struct timeval start, end;
2001 #endif
2002
2003 /* don't process it because there is no suitable phase1-sa. */
2004 if (iph2->ph1->status == PHASE2ST_EXPIRED) {
2005 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2006 "the negotiation is stopped, "
2007 "because there is no suitable ISAKMP-SA.\n");
2008 return -1;
2009 }
2010
2011 #ifdef ENABLE_STATS
2012 gettimeofday(&start, NULL);
2013 #endif
2014 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2015 [iph2->side]
2016 [iph2->status])(iph2, NULL) != 0)
2017 return -1;
2018 #ifdef ENABLE_STATS
2019 gettimeofday(&end, NULL);
2020 syslog(LOG_NOTICE, "%s(%s): %8.6f",
2021 "phase2",
2022 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2023 timedelta(&start, &end));
2024 #endif
2025
2026 return 0;
2027 }
2028
2029 /* called by scheduler */
2030 void
2031 isakmp_chkph1there_stub(p)
2032 void *p;
2033 {
2034 isakmp_chkph1there((struct ph2handle *)p);
2035 }
2036
2037 void
2038 isakmp_chkph1there(iph2)
2039 struct ph2handle *iph2;
2040 {
2041 struct ph1handle *iph1;
2042
2043 iph2->retry_checkph1--;
2044 if (iph2->retry_checkph1 < 0) {
2045 plog(LLV_ERROR, LOCATION, iph2->dst,
2046 "phase2 negotiation failed "
2047 "due to time up waiting for phase1. %s\n",
2048 sadbsecas2str(iph2->dst, iph2->src,
2049 iph2->satype, 0, 0));
2050 plog(LLV_INFO, LOCATION, NULL,
2051 "delete phase 2 handler.\n");
2052
2053 /* send acquire to kernel as error */
2054 pk_sendeacquire(iph2);
2055
2056 unbindph12(iph2);
2057 remph2(iph2);
2058 delph2(iph2);
2059
2060 return;
2061 }
2062
2063 iph1 = getph1byaddr(iph2->src, iph2->dst);
2064
2065 /* XXX Even if ph1 as responder is there, should we not start
2066 * phase 2 negotiation ? */
2067 if (iph1 != NULL
2068 && iph1->status == PHASE1ST_ESTABLISHED) {
2069 /* found isakmp-sa */
2070 /* begin quick mode */
2071 (void)isakmp_ph2begin_i(iph1, iph2);
2072 return;
2073 }
2074
2075 /* no isakmp-sa found */
2076 sched_new(1, isakmp_chkph1there_stub, iph2);
2077
2078 return;
2079 }
2080
2081 /* copy variable data into ALLOCATED buffer. */
2082 caddr_t
2083 isakmp_set_attr_v(buf, type, val, len)
2084 caddr_t buf;
2085 int type;
2086 caddr_t val;
2087 int len;
2088 {
2089 struct isakmp_data *data;
2090
2091 data = (struct isakmp_data *)buf;
2092 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2093 data->lorv = htons((u_int16_t)len);
2094 memcpy(data + 1, val, len);
2095
2096 return buf + sizeof(*data) + len;
2097 }
2098
2099 /* copy fixed length data into ALLOCATED buffer. */
2100 caddr_t
2101 isakmp_set_attr_l(buf, type, val)
2102 caddr_t buf;
2103 int type;
2104 u_int32_t val;
2105 {
2106 struct isakmp_data *data;
2107
2108 data = (struct isakmp_data *)buf;
2109 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2110 data->lorv = htons((u_int16_t)val);
2111
2112 return buf + sizeof(*data);
2113 }
2114
2115 /* add a variable data attribute to the buffer by reallocating it. */
2116 vchar_t *
2117 isakmp_add_attr_v(buf0, type, val, len)
2118 vchar_t *buf0;
2119 int type;
2120 caddr_t val;
2121 int len;
2122 {
2123 vchar_t *buf = NULL;
2124 struct isakmp_data *data;
2125 int tlen;
2126 int oldlen = 0;
2127
2128 tlen = sizeof(*data) + len;
2129
2130 if (buf0) {
2131 oldlen = buf0->l;
2132 buf = vrealloc(buf0, oldlen + tlen);
2133 } else
2134 buf = vmalloc(tlen);
2135 if (!buf) {
2136 plog(LLV_ERROR, LOCATION, NULL,
2137 "failed to get a attribute buffer.\n");
2138 return NULL;
2139 }
2140
2141 data = (struct isakmp_data *)(buf->v + oldlen);
2142 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2143 data->lorv = htons((u_int16_t)len);
2144 memcpy(data + 1, val, len);
2145
2146 return buf;
2147 }
2148
2149 /* add a fixed data attribute to the buffer by reallocating it. */
2150 vchar_t *
2151 isakmp_add_attr_l(buf0, type, val)
2152 vchar_t *buf0;
2153 int type;
2154 u_int32_t val;
2155 {
2156 vchar_t *buf = NULL;
2157 struct isakmp_data *data;
2158 int tlen;
2159 int oldlen = 0;
2160
2161 tlen = sizeof(*data);
2162
2163 if (buf0) {
2164 oldlen = buf0->l;
2165 buf = vrealloc(buf0, oldlen + tlen);
2166 } else
2167 buf = vmalloc(tlen);
2168 if (!buf) {
2169 plog(LLV_ERROR, LOCATION, NULL,
2170 "failed to get a attribute buffer.\n");
2171 return NULL;
2172 }
2173
2174 data = (struct isakmp_data *)(buf->v + oldlen);
2175 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2176 data->lorv = htons((u_int16_t)val);
2177
2178 return buf;
2179 }
2180
2181 /*
2182 * calculate cookie and set.
2183 */
2184 int
2185 isakmp_newcookie(place, remote, local)
2186 caddr_t place;
2187 struct sockaddr *remote;
2188 struct sockaddr *local;
2189 {
2190 vchar_t *buf = NULL, *buf2 = NULL;
2191 char *p;
2192 int blen;
2193 int alen;
2194 caddr_t sa1, sa2;
2195 time_t t;
2196 int error = -1;
2197 u_short port;
2198
2199
2200 if (remote->sa_family != local->sa_family) {
2201 plog(LLV_ERROR, LOCATION, NULL,
2202 "address family mismatch, remote:%d local:%d\n",
2203 remote->sa_family, local->sa_family);
2204 goto end;
2205 }
2206 switch (remote->sa_family) {
2207 case AF_INET:
2208 alen = sizeof(struct in_addr);
2209 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2210 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2211 break;
2212 #ifdef INET6
2213 case AF_INET6:
2214 alen = sizeof(struct in_addr);
2215 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2216 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2217 break;
2218 #endif
2219 default:
2220 plog(LLV_ERROR, LOCATION, NULL,
2221 "invalid family: %d\n", remote->sa_family);
2222 goto end;
2223 }
2224 blen = (alen + sizeof(u_short)) * 2
2225 + sizeof(time_t) + lcconf->secret_size;
2226 buf = vmalloc(blen);
2227 if (buf == NULL) {
2228 plog(LLV_ERROR, LOCATION, NULL,
2229 "failed to get a cookie.\n");
2230 goto end;
2231 }
2232 p = buf->v;
2233
2234 /* copy my address */
2235 memcpy(p, sa1, alen);
2236 p += alen;
2237 port = ((struct sockaddr_in *)remote)->sin_port;
2238 memcpy(p, &port, sizeof(u_short));
2239 p += sizeof(u_short);
2240
2241 /* copy target address */
2242 memcpy(p, sa2, alen);
2243 p += alen;
2244 port = ((struct sockaddr_in *)local)->sin_port;
2245 memcpy(p, &port, sizeof(u_short));
2246 p += sizeof(u_short);
2247
2248 /* copy time */
2249 t = time(0);
2250 memcpy(p, (caddr_t)&t, sizeof(t));
2251 p += sizeof(t);
2252
2253 /* copy random value */
2254 buf2 = eay_set_random(lcconf->secret_size);
2255 if (buf2 == NULL)
2256 goto end;
2257 memcpy(p, buf2->v, lcconf->secret_size);
2258 p += lcconf->secret_size;
2259 vfree(buf2);
2260
2261 buf2 = eay_sha1_one(buf);
2262 memcpy(place, buf2->v, sizeof(cookie_t));
2263
2264 sa1 = val2str(place, sizeof (cookie_t));
2265 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2266 racoon_free(sa1);
2267
2268 error = 0;
2269 end:
2270 if (buf != NULL)
2271 vfree(buf);
2272 if (buf2 != NULL)
2273 vfree(buf2);
2274 return error;
2275 }
2276
2277 /*
2278 * save partner's(payload) data into phhandle.
2279 */
2280 int
2281 isakmp_p2ph(buf, gen)
2282 vchar_t **buf;
2283 struct isakmp_gen *gen;
2284 {
2285 /* XXX to be checked in each functions for logging. */
2286 if (*buf) {
2287 plog(LLV_WARNING, LOCATION, NULL,
2288 "ignore this payload, same payload type exist.\n");
2289 return -1;
2290 }
2291
2292 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
2293 if (*buf == NULL) {
2294 plog(LLV_ERROR, LOCATION, NULL,
2295 "failed to get buffer.\n");
2296 return -1;
2297 }
2298 memcpy((*buf)->v, gen + 1, (*buf)->l);
2299
2300 return 0;
2301 }
2302
2303 u_int32_t
2304 isakmp_newmsgid2(iph1)
2305 struct ph1handle *iph1;
2306 {
2307 u_int32_t msgid2;
2308
2309 do {
2310 msgid2 = arc4random();
2311 } while (getph2bymsgid(iph1, msgid2));
2312
2313 return msgid2;
2314 }
2315
2316 /*
2317 * set values into allocated buffer of isakmp header for phase 1
2318 */
2319 caddr_t
2320 set_isakmp_header(vbuf, iph1, nptype)
2321 vchar_t *vbuf;
2322 struct ph1handle *iph1;
2323 int nptype;
2324 {
2325 struct isakmp *isakmp;
2326
2327 if (vbuf->l < sizeof(*isakmp))
2328 return NULL;
2329
2330 isakmp = (struct isakmp *)vbuf->v;
2331 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2332 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2333 isakmp->np = nptype;
2334 isakmp->v = iph1->version;
2335 isakmp->etype = iph1->etype;
2336 isakmp->flags = iph1->flags;
2337 isakmp->msgid = iph1->msgid;
2338 isakmp->len = htonl(vbuf->l);
2339
2340 return vbuf->v + sizeof(*isakmp);
2341 }
2342
2343 /*
2344 * set values into allocated buffer of isakmp header for phase 2
2345 */
2346 caddr_t
2347 set_isakmp_header2(vbuf, iph2, nptype)
2348 vchar_t *vbuf;
2349 struct ph2handle *iph2;
2350 int nptype;
2351 {
2352 struct isakmp *isakmp;
2353
2354 if (vbuf->l < sizeof(*isakmp))
2355 return NULL;
2356
2357 isakmp = (struct isakmp *)vbuf->v;
2358 memcpy(&isakmp->i_ck, &iph2->ph1->index.i_ck, sizeof(cookie_t));
2359 memcpy(&isakmp->r_ck, &iph2->ph1->index.r_ck, sizeof(cookie_t));
2360 isakmp->np = nptype;
2361 isakmp->v = iph2->ph1->version;
2362 isakmp->etype = ISAKMP_ETYPE_QUICK;
2363 isakmp->flags = iph2->flags;
2364 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
2365 isakmp->len = htonl(vbuf->l);
2366
2367 return vbuf->v + sizeof(*isakmp);
2368 }
2369
2370 /*
2371 * set values into allocated buffer of isakmp payload.
2372 */
2373 caddr_t
2374 set_isakmp_payload(buf, src, nptype)
2375 caddr_t buf;
2376 vchar_t *src;
2377 int nptype;
2378 {
2379 struct isakmp_gen *gen;
2380 caddr_t p = buf;
2381
2382 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %d, next type %d\n",
2383 src->l, nptype);
2384
2385 gen = (struct isakmp_gen *)p;
2386 gen->np = nptype;
2387 gen->len = htons(sizeof(*gen) + src->l);
2388 p += sizeof(*gen);
2389 memcpy(p, src->v, src->l);
2390 p += src->l;
2391
2392 return p;
2393 }
2394
2395 static int
2396 etypesw1(etype)
2397 int etype;
2398 {
2399 switch (etype) {
2400 case ISAKMP_ETYPE_IDENT:
2401 return 1;
2402 case ISAKMP_ETYPE_AGG:
2403 return 2;
2404 case ISAKMP_ETYPE_BASE:
2405 return 3;
2406 default:
2407 return 0;
2408 }
2409 /*NOTREACHED*/
2410 }
2411
2412 static int
2413 etypesw2(etype)
2414 int etype;
2415 {
2416 switch (etype) {
2417 case ISAKMP_ETYPE_QUICK:
2418 return 1;
2419 default:
2420 return 0;
2421 }
2422 /*NOTREACHED*/
2423 }
2424
2425 #ifdef HAVE_PRINT_ISAKMP_C
2426 /* for print-isakmp.c */
2427 char *snapend;
2428 extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2429
2430 char *getname __P((const u_char *));
2431 #ifdef INET6
2432 char *getname6 __P((const u_char *));
2433 #endif
2434 int safeputchar __P((int));
2435
2436 /*
2437 * Return a name for the IP address pointed to by ap. This address
2438 * is assumed to be in network byte order.
2439 */
2440 char *
2441 getname(ap)
2442 const u_char *ap;
2443 {
2444 struct sockaddr_in addr;
2445 static char ntop_buf[NI_MAXHOST];
2446
2447 memset(&addr, 0, sizeof(addr));
2448 addr.sin_len = sizeof(struct sockaddr_in);
2449 addr.sin_family = AF_INET;
2450 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2451 if (getnameinfo((struct sockaddr *)&addr, addr.sin_len,
2452 ntop_buf, sizeof(ntop_buf), NULL, 0,
2453 NI_NUMERICHOST | niflags))
2454 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2455
2456 return ntop_buf;
2457 }
2458
2459 #ifdef INET6
2460 /*
2461 * Return a name for the IP6 address pointed to by ap. This address
2462 * is assumed to be in network byte order.
2463 */
2464 char *
2465 getname6(ap)
2466 const u_char *ap;
2467 {
2468 struct sockaddr_in6 addr;
2469 static char ntop_buf[NI_MAXHOST];
2470
2471 memset(&addr, 0, sizeof(addr));
2472 addr.sin6_len = sizeof(struct sockaddr_in6);
2473 addr.sin6_family = AF_INET6;
2474 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2475 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2476 ntop_buf, sizeof(ntop_buf), NULL, 0,
2477 NI_NUMERICHOST | niflags))
2478 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2479
2480 return ntop_buf;
2481 }
2482 #endif /* INET6 */
2483
2484 int
2485 safeputchar(c)
2486 int c;
2487 {
2488 unsigned char ch;
2489
2490 ch = (unsigned char)(c & 0xff);
2491 if (c < 0x80 && isprint(c))
2492 return printf("%c", c & 0xff);
2493 else
2494 return printf("\\%03o", c & 0xff);
2495 }
2496
2497 void
2498 isakmp_printpacket(msg, from, my, decoded)
2499 vchar_t *msg;
2500 struct sockaddr *from;
2501 struct sockaddr *my;
2502 int decoded;
2503 {
2504 #ifdef YIPS_DEBUG
2505 struct timeval tv;
2506 int s;
2507 char hostbuf[NI_MAXHOST];
2508 char portbuf[NI_MAXSERV];
2509 struct isakmp *isakmp;
2510 vchar_t *buf;
2511 #endif
2512
2513 if (loglevel < LLV_DEBUG)
2514 return;
2515
2516 #ifdef YIPS_DEBUG
2517 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2518
2519 gettimeofday(&tv, NULL);
2520 s = tv.tv_sec % 3600;
2521 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2522
2523 if (from) {
2524 if (getnameinfo(from, from->sa_len, hostbuf, sizeof(hostbuf),
2525 portbuf, sizeof(portbuf),
2526 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2527 strlcpy(hostbuf, "?", sizeof(hostbuf));
2528 strlcpy(portbuf, "?", sizeof(portbuf));
2529 }
2530 printf("%s:%s", hostbuf, portbuf);
2531 } else
2532 printf("?");
2533 printf(" -> ");
2534 if (my) {
2535 if (getnameinfo(my, my->sa_len, hostbuf, sizeof(hostbuf),
2536 portbuf, sizeof(portbuf),
2537 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2538 strlcpy(hostbuf, "?", sizeof(hostbuf));
2539 strlcpy(portbuf, "?", sizeof(portbuf));
2540 }
2541 printf("%s:%s", hostbuf, portbuf);
2542 } else
2543 printf("?");
2544 printf(": ");
2545
2546 buf = vdup(msg);
2547 if (!buf) {
2548 printf("(malloc fail)\n");
2549 return;
2550 }
2551 if (decoded) {
2552 isakmp = (struct isakmp *)buf->v;
2553 if (isakmp->flags & ISAKMP_FLAG_E) {
2554 #if 0
2555 int pad;
2556 pad = *(u_char *)(buf->v + buf->l - 1);
2557 if (buf->l < pad && 2 < vflag)
2558 printf("(wrong padding)");
2559 #endif
2560 isakmp->flags &= ~ISAKMP_FLAG_E;
2561 }
2562 }
2563
2564 snapend = buf->v + buf->l;
2565 isakmp_print(buf->v, buf->l, NULL);
2566 vfree(buf);
2567 printf("\n");
2568 fflush(stdout);
2569
2570 return;
2571 #endif
2572 }
2573 #endif /*HAVE_PRINT_ISAKMP_C*/
2574
2575 int
2576 copy_ph1addresses(iph1, rmconf, remote, local)
2577 struct ph1handle *iph1;
2578 struct remoteconf *rmconf;
2579 struct sockaddr *remote, *local;
2580 {
2581 u_short *port = NULL;
2582
2583 /* address portion must be grabbed from real remote address "remote" */
2584 iph1->remote = dupsaddr(remote);
2585 if (iph1->remote == NULL) {
2586 delph1(iph1);
2587 return -1;
2588 }
2589
2590 /*
2591 * if remote has no port # (in case of initiator - from ACQUIRE msg)
2592 * - if remote.conf specifies port #, use that
2593 * - if remote.conf does not, use 500
2594 * if remote has port # (in case of responder - from recvfrom(2))
2595 * respect content of "remote".
2596 */
2597 switch (iph1->remote->sa_family) {
2598 case AF_INET:
2599 port = &((struct sockaddr_in *)iph1->remote)->sin_port;
2600 if (*port)
2601 break;
2602 *port = ((struct sockaddr_in *)rmconf->remote)->sin_port;
2603 if (*port)
2604 break;
2605 *port = htons(PORT_ISAKMP);
2606 break;
2607 #ifdef INET6
2608 case AF_INET6:
2609 port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port;
2610 if (*port)
2611 break;
2612 *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
2613 if (*port)
2614 break;
2615 *port = htons(PORT_ISAKMP);
2616 break;
2617 #endif
2618 default:
2619 plog(LLV_ERROR, LOCATION, NULL,
2620 "invalid family: %d\n", iph1->remote->sa_family);
2621 return -1;
2622 }
2623
2624 if (local == NULL)
2625 iph1->local = getlocaladdr(iph1->remote);
2626 else
2627 iph1->local = dupsaddr(local);
2628 if (iph1->local == NULL) {
2629 delph1(iph1);
2630 return -1;
2631 }
2632 switch (iph1->local->sa_family) {
2633 case AF_INET:
2634 ((struct sockaddr_in *)iph1->local)->sin_port
2635 = getmyaddrsport(iph1->local);
2636 break;
2637 #ifdef INET6
2638 case AF_INET6:
2639 ((struct sockaddr_in6 *)iph1->local)->sin6_port
2640 = getmyaddrsport(iph1->local);
2641 break;
2642 #endif
2643 default:
2644 plog(LLV_ERROR, LOCATION, NULL,
2645 "invalid family: %d\n", iph1->remote->sa_family);
2646 delph1(iph1);
2647 return -1;
2648 }
2649
2650 return 0;
2651 }
2652
2653 static int
2654 nostate1(iph1, msg)
2655 struct ph1handle *iph1;
2656 vchar_t *msg;
2657 {
2658 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2659 iph1->status);
2660 return -1;
2661 }
2662
2663 static int
2664 nostate2(iph2, msg)
2665 struct ph2handle *iph2;
2666 vchar_t *msg;
2667 {
2668 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2669 iph2->status);
2670 return -1;
2671 }
2672
2673 void
2674 log_ph1established(iph1)
2675 const struct ph1handle *iph1;
2676 {
2677 char *src, *dst;
2678
2679 src = strdup(saddr2str(iph1->local));
2680 dst = strdup(saddr2str(iph1->remote));
2681 plog(LLV_INFO, LOCATION, NULL,
2682 "ISAKMP-SA established %s-%s spi:%s\n",
2683 src, dst,
2684 isakmp_pindex(&iph1->index, 0));
2685 racoon_free(src);
2686 racoon_free(dst);
2687
2688 return;
2689 }
2690
mirror of network_cmds