]> git.saurik.com Git - apple/network_cmds.git/blob - racoon.tproj/isakmp.c
projects / apple / network_cmds.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
network_cmds-245.11.tar.gz
[apple/network_cmds.git] / racoon.tproj / isakmp.c
1 /* $KAME: isakmp.c,v 1.176 2002/08/28 04:08:30 itojun Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/socket.h>
35 #include <sys/queue.h>
36
37 #include <netkey/key_var.h>
38 #include <netinet/in.h>
39
40 #include <stdlib.h>
41 #include <stdio.h>
42 #include <string.h>
43 #include <errno.h>
44 #if TIME_WITH_SYS_TIME
45 # include <sys/time.h>
46 # include <time.h>
47 #else
48 # if HAVE_SYS_TIME_H
49 # include <sys/time.h>
50 # else
51 # include <time.h>
52 # endif
53 #endif
54 #include <netdb.h>
55 #ifdef HAVE_UNISTD_H
56 #include <unistd.h>
57 #endif
58 #include <ctype.h>
59
60 #if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO)
61 #include "addrinfo.h"
62 #endif
63
64 #include "var.h"
65 #include "misc.h"
66 #include "vmbuf.h"
67 #include "plog.h"
68 #include "sockmisc.h"
69 #include "schedule.h"
70 #include "debug.h"
71
72 #include "remoteconf.h"
73 #include "localconf.h"
74 #include "grabmyaddr.h"
75 #include "isakmp_var.h"
76 #include "isakmp.h"
77 #include "oakley.h"
78 #include "handler.h"
79 #include "ipsec_doi.h"
80 #include "pfkey.h"
81 #include "crypto_openssl.h"
82 #include "policy.h"
83 #include "isakmp_ident.h"
84 #include "isakmp_agg.h"
85 #include "isakmp_base.h"
86 #include "isakmp_quick.h"
87 #include "isakmp_inf.h"
88 #include "isakmp_newg.h"
89 #include "strnames.h"
90 #ifndef HAVE_ARC4RANDOM
91 #include "arc4random.h"
92 #endif
93
94 static int nostate1 __P((struct ph1handle *, vchar_t *));
95 static int nostate2 __P((struct ph2handle *, vchar_t *));
96
97 extern caddr_t val2str(const char *, size_t);
98
99 static int (*ph1exchange[][2][PHASE1ST_MAX])
100 __P((struct ph1handle *, vchar_t *)) = {
101 /* error */
102 { {}, {}, },
103 /* Identity Protection exchange */
104 {
105 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
106 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
107 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
108 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
109 },
110 /* Aggressive exchange */
111 {
112 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
113 nostate1, nostate1, nostate1, nostate1, nostate1, },
114 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
115 nostate1, nostate1, nostate1, nostate1, nostate1, },
116 },
117 /* Base exchange */
118 {
119 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
120 base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
121 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
122 nostate1, nostate1, nostate1, nostate1, nostate1, },
123 },
124 };
125
126 static int (*ph2exchange[][2][PHASE2ST_MAX])
127 __P((struct ph2handle *, vchar_t *)) = {
128 /* error */
129 { {}, {}, },
130 /* Quick mode for IKE*/
131 {
132 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
133 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
134 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
135 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
136 },
137 };
138
139 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
140
141 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
142 static int ph1_main __P((struct ph1handle *, vchar_t *));
143 static int quick_main __P((struct ph2handle *, vchar_t *));
144 static int isakmp_ph1begin_r __P((vchar_t *,
145 struct sockaddr *, struct sockaddr *, u_int8_t));
146 static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
147 static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
148 static int etypesw1 __P((int));
149 static int etypesw2 __P((int));
150 static void isakmp_free_addrs __P((void));
151
152
153 /*
154 * isakmp packet handler
155 */
156 int
157 isakmp_handler(so_isakmp)
158 int so_isakmp;
159 {
160 struct isakmp isakmp;
161 struct sockaddr_storage remote;
162 struct sockaddr_storage local;
163 int remote_len = sizeof(remote);
164 int local_len = sizeof(local);
165 int len;
166 u_short port;
167 vchar_t *buf = NULL;
168 int error = -1;
169
170 /* read message by MSG_PEEK */
171 while ((len = recvfromto(so_isakmp, (char *)&isakmp, sizeof(isakmp),
172 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
173 (struct sockaddr *)&local, &local_len)) < 0) {
174 if (errno == EINTR)
175 continue;
176 plog(LLV_ERROR, LOCATION, NULL,
177 "failed to receive isakmp packet\n");
178 goto end;
179 }
180
181 /* check isakmp header length, as well as sanity of header length */
182 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
183 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
184 "packet shorter than isakmp header size.\n");
185 /* dummy receive */
186 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
187 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
188 plog(LLV_ERROR, LOCATION, NULL,
189 "failed to receive isakmp packet\n");
190 }
191 goto end;
192 }
193
194 /* reject if the size is toooo big */
195 if (ntohl(isakmp.len) > 0xffff) {
196 plog(LLV_ERROR, LOCATION, NULL,
197 "the length in the isakmp header is too big.\n");
198 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
199 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
200 plog(LLV_ERROR, LOCATION, NULL,
201 "failed to receive isakmp packet\n");
202 }
203 goto end;
204 }
205
206 remote_len = sizeof(remote);
207
208 /* read real message */
209 if ((buf = vmalloc(ntohl(isakmp.len))) == NULL) {
210 plog(LLV_ERROR, LOCATION, NULL,
211 "failed to allocate reading buffer\n");
212 /* dummy receive */
213 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
214 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
215 plog(LLV_ERROR, LOCATION, NULL,
216 "failed to receive isakmp packet\n");
217 }
218 goto end;
219 }
220
221 while ((len = recvfromto(so_isakmp, buf->v, buf->l,
222 0, (struct sockaddr *)&remote, &remote_len,
223 (struct sockaddr *)&local, &local_len)) < 0) {
224 if (errno == EINTR)
225 continue;
226 plog(LLV_ERROR, LOCATION, NULL,
227 "failed to read isakmp packet from socket %d, len=%d\n", so_isakmp, buf->l);
228 error = -2; /* serious problem with socket */
229 goto end;
230 }
231
232 if (len != buf->l) {
233 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
234 "received invalid length, why ?\n");
235 goto end;
236 }
237
238 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
239 plog(LLV_DEBUG, LOCATION, (struct sockaddr *)&local,
240 "%d bytes message received from %s\n",
241 len, saddr2str((struct sockaddr *)&remote));
242 plogdump(LLV_DEBUG, buf->v, buf->l);
243
244 /* avoid packets with malicious port/address */
245 switch (remote.ss_family) {
246 case AF_INET:
247 port = ((struct sockaddr_in *)&remote)->sin_port;
248 break;
249 #ifdef INET6
250 case AF_INET6:
251 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
252 break;
253 #endif
254 default:
255 plog(LLV_ERROR, LOCATION, NULL,
256 "invalid family: %d\n", remote.ss_family);
257 goto end;
258 }
259 if (port == 0) {
260 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
261 "src port == 0 (valid as UDP but not with IKE)\n");
262 goto end;
263 }
264
265 /* XXX: check sender whether to be allowed or not to accept */
266
267 /* XXX: I don't know how to check isakmp half connection attack. */
268
269 /* simply reply if the packet was processed. */
270 if (check_recvdpkt((struct sockaddr *)&remote,
271 (struct sockaddr *)&local, buf)) {
272 plog(LLV_NOTIFY, LOCATION, NULL,
273 "the packet is retransmitted by %s.\n",
274 saddr2str((struct sockaddr *)&remote));
275 error = 0;
276 goto end;
277 }
278
279 /* isakmp main routine */
280 if (isakmp_main(buf, (struct sockaddr *)&remote,
281 (struct sockaddr *)&local) != 0) goto end;
282
283 error = 0;
284
285 end:
286 if (buf != NULL)
287 vfree(buf);
288
289 return(error);
290 }
291
292 #ifdef IKE_NAT_T
293 /*
294 * isakmp packet handler for natt port (4500)
295 */
296 int
297 isakmp_natt_handler(so_isakmp)
298 int so_isakmp;
299 {
300 u_char temp_buffer[sizeof(struct isakmp) + 4];
301 struct isakmp *isakmp = (struct isakmp*)(temp_buffer + 4);
302 struct sockaddr_storage remote;
303 struct sockaddr_storage local;
304 int remote_len = sizeof(remote);
305 int local_len = sizeof(local);
306 int len;
307 u_short port;
308 vchar_t *buf = NULL;
309 int error = -1;
310
311 /* read message by MSG_PEEK */
312 while ((len = recvfromto(so_isakmp, temp_buffer, sizeof(temp_buffer),
313 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
314 (struct sockaddr *)&local, &local_len)) < 0) {
315 if (errno == EINTR)
316 continue;
317 plog(LLV_ERROR, LOCATION, NULL,
318 "failed to receive isakmp packet\n");
319 goto end;
320 }
321
322
323 /* check isakmp header length */
324 if (len < sizeof(temp_buffer)) {
325 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
326 "packet shorter than isakmp header size.\n");
327 /* dummy receive */
328 if ((len = recvfrom(so_isakmp, (char *)temp_buffer, sizeof(temp_buffer),
329 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
330 plog(LLV_ERROR, LOCATION, NULL,
331 "failed to receive isakmp packet\n");
332 }
333 goto end;
334 }
335
336 /* reject if the size is toooo big */
337 if (ntohl(isakmp->len) > 0xffff) {
338 plog(LLV_ERROR, LOCATION, NULL,
339 "the length in the isakmp header is too big.\n");
340 if ((len = recvfrom(so_isakmp, (char *)temp_buffer, sizeof(temp_buffer),
341 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
342 plog(LLV_ERROR, LOCATION, NULL,
343 "failed to receive isakmp packet\n");
344 }
345 goto end;
346 }
347
348 /* remove the four bytes of zeros on nat traversal port */
349 if (*(u_long*)temp_buffer != 0L)
350 {
351 /*
352 * This is a UDP encapsulated IPSec packet,
353 * we should drop it.
354 * The kernel intercepts these packets on Mac OS X
355 * so we should not get here.
356 */
357 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
358 "invalid packet - expected non-ESP marker.\n");
359 /* dummy receive */
360 if ((len = recvfrom(so_isakmp, (char *)temp_buffer, sizeof(temp_buffer),
361 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
362 plog(LLV_ERROR, LOCATION, NULL,
363 "failed to receive isakmp packet\n");
364 }
365 goto end;
366 }
367
368 remote_len = sizeof(remote);
369
370 /* read real message */
371 if ((buf = vmalloc(ntohl(isakmp->len) + 4)) == NULL) {
372 plog(LLV_ERROR, LOCATION, NULL,
373 "failed to allocate reading buffer\n");
374 /* dummy receive */
375 if ((len = recvfrom(so_isakmp, (char *)temp_buffer, sizeof(temp_buffer),
376 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
377 plog(LLV_ERROR, LOCATION, NULL,
378 "failed to receive isakmp packet\n");
379 }
380 goto end;
381 }
382
383 while ((len = recvfromto(so_isakmp, buf->v, buf->l,
384 0, (struct sockaddr *)&remote, &remote_len,
385 (struct sockaddr *)&local, &local_len)) < 0) {
386 if (errno == EINTR)
387 continue;
388 plog(LLV_ERROR, LOCATION, NULL,
389 "failed to read isakmp packet from socket %d, len=%d\n", so_isakmp, buf->l);
390 error = -2; /* serious problem with socket */
391 goto end;
392 }
393
394 if (len != buf->l) {
395 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
396 "received invalid length, header says %d, packet is %d bytes why ?\n",
397 len, buf->l);
398 goto end;
399 }
400
401 /*
402 * Discard first 4 bytes, they're either:
403 * 0 - this is IKE traffic
404 * !0 - first four bytes are the SPI of a UDP encapsulated IPSec packet
405 * The seond type of packet should be interecepted by the kernel
406 * or dropped before we get to this point.
407 */
408 {
409 vchar_t *newbuf = vmalloc(buf->l - 4);
410 if (newbuf == NULL)
411 {
412 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
413 "couldn't allocate smaller buffer.\n");
414 goto end;
415 }
416 memcpy(newbuf->v, buf->v + 4, newbuf->l);
417 vfree(buf);
418 buf = newbuf;
419 len = buf->l;
420 }
421
422 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
423 plog(LLV_DEBUG, LOCATION, (struct sockaddr *)&local,
424 "%d bytes message received from %s\n",
425 len, saddr2str((struct sockaddr *)&remote));
426 plogdump(LLV_DEBUG, buf->v, buf->l);
427
428 /* avoid packets with malicious port/address */
429 switch (remote.ss_family) {
430 case AF_INET:
431 port = ((struct sockaddr_in *)&remote)->sin_port;
432 break;
433 #ifdef INET6
434 case AF_INET6:
435 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
436 break;
437 #endif
438 default:
439 plog(LLV_ERROR, LOCATION, NULL,
440 "invalid family: %d\n", remote.ss_family);
441 goto end;
442 }
443 if (port == 0) {
444 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
445 "src port == 0 (valid as UDP but not with IKE)\n");
446 goto end;
447 }
448
449 {
450 struct isakmp *isakmp = (struct isakmp*)buf->v;
451 plog(LLV_DEBUG, LOCATION, (struct sockaddr*)&remote,
452 "natt receiving packet %.8X%.8X:%.8X%.8X %u\n",
453 *(u_long*)isakmp->i_ck, *(u_long*)&isakmp->i_ck[4],
454 *(u_long*)isakmp->r_ck, *(u_long*)&isakmp->r_ck[4],
455 isakmp->msgid);
456 }
457
458 /* XXX: check sender whether to be allowed or not to accept */
459
460 /* XXX: I don't know how to check isakmp half connection attack. */
461
462 /* simply reply if the packet was processed. */
463 if (check_recvdpkt((struct sockaddr *)&remote,
464 (struct sockaddr *)&local, buf)) {
465 plog(LLV_NOTIFY, LOCATION, NULL,
466 "the packet is retransmitted by %s.\n",
467 saddr2str((struct sockaddr *)&remote));
468 error = 0;
469 goto end;
470 }
471
472 /* isakmp main routine */
473 if (isakmp_main(buf, (struct sockaddr *)&remote,
474 (struct sockaddr *)&local) != 0) goto end;
475
476 error = 0;
477
478 end:
479 if (buf != NULL)
480 vfree(buf);
481
482 return(error);
483 }
484 #endif
485
486
487 /*
488 * main processing to handle isakmp payload
489 */
490 static int
491 isakmp_main(msg, remote, local)
492 vchar_t *msg;
493 struct sockaddr *remote, *local;
494 {
495 struct isakmp *isakmp = (struct isakmp *)msg->v;
496 isakmp_index *index = (isakmp_index *)isakmp;
497 u_int32_t msgid = isakmp->msgid;
498 struct ph1handle *iph1;
499
500 #ifdef HAVE_PRINT_ISAKMP_C
501 isakmp_printpacket(msg, remote, local, 0);
502 #endif
503
504 /* the initiator's cookie must not be zero */
505 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
506 plog(LLV_ERROR, LOCATION, remote,
507 "malformed cookie received.\n");
508 return -1;
509 }
510
511 /* Check the Major and Minor Version fields. */
512 /*
513 * XXX Is is right to check version here ?
514 * I think it may no be here because the version depends
515 * on exchange status.
516 */
517 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
518 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
519 plog(LLV_ERROR, LOCATION, remote,
520 "invalid major version %d.\n",
521 ISAKMP_GETMAJORV(isakmp->v));
522 return -1;
523 }
524 #if ISAKMP_MINOR_VERSION > 0
525 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
526 plog(LLV_ERROR, LOCATION, remote,
527 "invalid minor version %d.\n",
528 ISAKMP_GETMINORV(isakmp->v));
529 return -1;
530 }
531 #endif
532 }
533
534 /* check the Flags field. */
535 /* XXX How is the exclusive check, E and A ? */
536 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
537 plog(LLV_ERROR, LOCATION, remote,
538 "invalid flag 0x%02x.\n", isakmp->flags);
539 return -1;
540 }
541
542 /* ignore commit bit. */
543 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
544 if (isakmp->msgid == 0) {
545 isakmp_info_send_nx(isakmp, remote, local,
546 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
547 plog(LLV_ERROR, LOCATION, remote,
548 "Commit bit on phase1 forbidden.\n");
549 return -1;
550 }
551 }
552
553 iph1 = getph1byindex(index);
554 if (iph1 != NULL) {
555 /* validity check */
556 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
557 iph1->side == INITIATOR) {
558 plog(LLV_DEBUG, LOCATION, remote,
559 "malformed cookie received or "
560 "the initiator's cookies collide.\n");
561 return -1;
562 }
563
564 /* must be same addresses in one stream of a phase at least. */
565 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
566 #ifdef IKE_NAT_T
567 if (iph1->side == RESPONDER &&
568 (iph1->natt_flags & NATT_TYPE_MASK) != 0 &&
569 cmpsaddrwop(iph1->remote, remote) == 0)
570 {
571 /*
572 * If the initiator detects a NAT it may switch to a
573 * new port. Technically, the remote address may change
574 * as well, depending on the NAT. Handling that would
575 * require more changes.
576 *
577 * We should record the new remote port so we can
578 * send
579 */
580 plog(LLV_WARNING, LOCATION, remote,
581 "remote port changed from %s\n", saddr2str(iph1->remote));
582 memcpy(iph1->remote, remote, iph1->remote->sa_len);
583 memcpy(iph1->local, local, iph1->local->sa_len);
584 }
585 else
586 #endif
587 {
588 char *saddr_db, *saddr_act;
589
590 saddr_db = strdup(saddr2str(iph1->remote));
591 saddr_act = strdup(saddr2str(remote));
592
593 plog(LLV_WARNING, LOCATION, remote,
594 "remote address mismatched. db=%s, act=%s\n",
595 saddr_db, saddr_act);
596
597 racoon_free(saddr_db);
598 racoon_free(saddr_act);
599 }
600 }
601 /*
602 * don't check of exchange type here because other type will be
603 * with same index, for example, informational exchange.
604 */
605
606 /* XXX more acceptable check */
607 }
608
609 switch (isakmp->etype) {
610 case ISAKMP_ETYPE_IDENT:
611 case ISAKMP_ETYPE_AGG:
612 case ISAKMP_ETYPE_BASE:
613 /* phase 1 validity check */
614 if (isakmp->msgid != 0) {
615 plog(LLV_ERROR, LOCATION, remote,
616 "message id should be zero in phase1.\n");
617 return -1;
618 }
619
620 /* search for isakmp status record of phase 1 */
621 if (iph1 == NULL) {
622 /*
623 * the packet must be the 1st message from a initiator
624 * or the 2nd message from the responder.
625 */
626
627 /* search for phase1 handle by index without r_ck */
628 iph1 = getph1byindex0(index);
629 if (iph1 == NULL) {
630 /*it must be the 1st message from a initiator.*/
631 if (memcmp(&isakmp->r_ck, r_ck0,
632 sizeof(cookie_t)) != 0) {
633
634 plog(LLV_DEBUG, LOCATION, remote,
635 "malformed cookie received "
636 "or the spi expired.\n");
637 return -1;
638 }
639
640 /* it must be responder's 1st exchange. */
641 if (isakmp_ph1begin_r(msg, remote, local,
642 isakmp->etype) < 0)
643 return -1;
644 break;
645
646 /*NOTREACHED*/
647 }
648
649 /* it must be the 2nd message from the responder. */
650 if (iph1->side != INITIATOR) {
651 plog(LLV_DEBUG, LOCATION, remote,
652 "malformed cookie received. "
653 "it has to be as the initiator. %s\n",
654 isakmp_pindex(&iph1->index, 0));
655 return -1;
656 }
657 }
658
659 /*
660 * Don't delete phase 1 handler when the exchange type
661 * in handler is not equal to packet's one because of no
662 * authencication completed.
663 */
664 if (iph1->etype != isakmp->etype) {
665 plog(LLV_ERROR, LOCATION, iph1->remote,
666 "exchange type is mismatched: "
667 "db=%s packet=%s, ignore it.\n",
668 s_isakmp_etype(iph1->etype),
669 s_isakmp_etype(isakmp->etype));
670 return -1;
671 }
672
673 /* call main process of phase 1 */
674 if (ph1_main(iph1, msg) < 0) {
675 plog(LLV_ERROR, LOCATION, iph1->remote,
676 "phase1 negotiation failed.\n");
677 remph1(iph1);
678 delph1(iph1);
679 return -1;
680 }
681 break;
682
683 case ISAKMP_ETYPE_AUTH:
684 plog(LLV_INFO, LOCATION, remote,
685 "unsupported exchange %d received.\n",
686 isakmp->etype);
687 break;
688
689 case ISAKMP_ETYPE_INFO:
690 case ISAKMP_ETYPE_ACKINFO:
691 /*
692 * iph1 must be present for Information message.
693 * if iph1 is null then trying to get the phase1 status
694 * as the packet from responder againt initiator's 1st
695 * exchange in phase 1.
696 * NOTE: We think such informational exchange should be ignored.
697 */
698 if (iph1 == NULL) {
699 iph1 = getph1byindex0(index);
700 if (iph1 == NULL) {
701 plog(LLV_ERROR, LOCATION, remote,
702 "unknown Informational "
703 "exchange received.\n");
704 return -1;
705 }
706 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
707 plog(LLV_WARNING, LOCATION, remote,
708 "remote address mismatched. "
709 "db=%s\n",
710 saddr2str(iph1->remote));
711 }
712 }
713
714 if (isakmp_info_recv(iph1, msg) < 0)
715 return -1;
716 break;
717
718 case ISAKMP_ETYPE_QUICK:
719 {
720 struct ph2handle *iph2;
721
722 if (iph1 == NULL) {
723 isakmp_info_send_nx(isakmp, remote, local,
724 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
725 plog(LLV_ERROR, LOCATION, remote,
726 "can't start the quick mode, "
727 "there is no ISAKMP-SA, %s\n",
728 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
729 isakmp->msgid));
730 return -1;
731 }
732
733 /* check status of phase 1 whether negotiated or not. */
734 if (iph1->status != PHASE1ST_ESTABLISHED) {
735 plog(LLV_ERROR, LOCATION, remote,
736 "can't start the quick mode, "
737 "there is no valid ISAKMP-SA, %s\n",
738 isakmp_pindex(&iph1->index, iph1->msgid));
739 return -1;
740 }
741
742 /* search isakmp phase 2 stauts record. */
743 iph2 = getph2bymsgid(iph1, msgid);
744 if (iph2 == NULL) {
745 /* it must be new negotiation as responder */
746 if (isakmp_ph2begin_r(iph1, msg) < 0)
747 return -1;
748 return 0;
749 /*NOTREACHED*/
750 }
751
752 /* commit bit. */
753 /* XXX
754 * we keep to set commit bit during negotiation.
755 * When SA is configured, bit will be reset.
756 * XXX
757 * don't initiate commit bit. should be fixed in the future.
758 */
759 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
760 iph2->flags |= ISAKMP_FLAG_C;
761
762 /* call main process of quick mode */
763 if (quick_main(iph2, msg) < 0) {
764 plog(LLV_ERROR, LOCATION, iph1->remote,
765 "phase2 negotiation failed.\n");
766 unbindph12(iph2);
767 remph2(iph2);
768 delph2(iph2);
769 return -1;
770 }
771 }
772 break;
773
774 case ISAKMP_ETYPE_NEWGRP:
775 if (iph1 == NULL) {
776 plog(LLV_ERROR, LOCATION, remote,
777 "Unknown new group mode exchange, "
778 "there is no ISAKMP-SA.\n");
779 return -1;
780 }
781 isakmp_newgroup_r(iph1, msg);
782 break;
783
784 case ISAKMP_ETYPE_NONE:
785 default:
786 plog(LLV_ERROR, LOCATION, NULL,
787 "Invalid exchange type %d from %s.\n",
788 isakmp->etype, saddr2str(remote));
789 return -1;
790 }
791
792 return 0;
793 }
794
795 /*
796 * main function of phase 1.
797 */
798 static int
799 ph1_main(iph1, msg)
800 struct ph1handle *iph1;
801 vchar_t *msg;
802 {
803 int error;
804 #ifdef ENABLE_STATS
805 struct timeval start, end;
806 #endif
807
808 /* ignore a packet */
809 if (iph1->status == PHASE1ST_ESTABLISHED)
810 return 0;
811
812 #ifdef ENABLE_STATS
813 gettimeofday(&start, NULL);
814 #endif
815 /* receive */
816 if (ph1exchange[etypesw1(iph1->etype)]
817 [iph1->side]
818 [iph1->status] == NULL) {
819 plog(LLV_ERROR, LOCATION, iph1->remote,
820 "why isn't the function defined.\n");
821 return -1;
822 }
823 error = (ph1exchange[etypesw1(iph1->etype)]
824 [iph1->side]
825 [iph1->status])(iph1, msg);
826 if (error != 0) {
827 #if 0
828 /* XXX
829 * When an invalid packet is received on phase1, it should
830 * be selected to process this packet. That is to respond
831 * with a notify and delete phase 1 handler, OR not to respond
832 * and keep phase 1 handler.
833 */
834 plog(LLV_ERROR, LOCATION, iph1->remote,
835 "failed to pre-process packet.\n");
836 return -1;
837 #else
838 /* ignore the error and keep phase 1 handler */
839 return 0;
840 #endif
841 }
842
843 /* free resend buffer */
844 if (iph1->sendbuf == NULL) {
845 plog(LLV_ERROR, LOCATION, NULL,
846 "no buffer found as sendbuf\n");
847 return -1;
848 }
849 vfree(iph1->sendbuf);
850 iph1->sendbuf = NULL;
851
852 /* turn off schedule */
853 if (iph1->scr)
854 SCHED_KILL(iph1->scr);
855
856 /* send */
857 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
858 if ((ph1exchange[etypesw1(iph1->etype)]
859 [iph1->side]
860 [iph1->status])(iph1, msg) != 0) {
861 plog(LLV_ERROR, LOCATION, iph1->remote,
862 "failed to process packet.\n");
863 return -1;
864 }
865
866 #ifdef ENABLE_STATS
867 gettimeofday(&end, NULL);
868 syslog(LOG_NOTICE, "%s(%s): %8.6f",
869 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
870 timedelta(&start, &end));
871 #endif
872 if (iph1->status == PHASE1ST_ESTABLISHED) {
873
874 #ifdef ENABLE_STATS
875 gettimeofday(&iph1->end, NULL);
876 syslog(LOG_NOTICE, "%s(%s): %8.6f",
877 "phase1", s_isakmp_etype(iph1->etype),
878 timedelta(&iph1->start, &iph1->end));
879 #endif
880
881 /* save created date. */
882 (void)time(&iph1->created);
883
884 /* add to the schedule to expire, and seve back pointer. */
885 iph1->sce = sched_new(iph1->approval->lifetime,
886 isakmp_ph1expire_stub, iph1);
887
888 /* INITIAL-CONTACT processing */
889 /* don't anything if local test mode. */
890 if (!f_local
891 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
892 /* send INITIAL-CONTACT */
893 isakmp_info_send_n1(iph1,
894 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
895 /* insert a node into contacted list. */
896 if (inscontacted(iph1->remote) == -1) {
897 plog(LLV_ERROR, LOCATION, iph1->remote,
898 "failed to add contacted list.\n");
899 /* ignore */
900 }
901 }
902
903 log_ph1established(iph1);
904 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
905 }
906
907 return 0;
908 }
909
910 /*
911 * main function of quick mode.
912 */
913 static int
914 quick_main(iph2, msg)
915 struct ph2handle *iph2;
916 vchar_t *msg;
917 {
918 struct isakmp *isakmp = (struct isakmp *)msg->v;
919 int error;
920 #ifdef ENABLE_STATS
921 struct timeval start, end;
922 #endif
923
924 /* ignore a packet */
925 if (iph2->status == PHASE2ST_ESTABLISHED
926 || iph2->status == PHASE2ST_GETSPISENT)
927 return 0;
928
929 #ifdef ENABLE_STATS
930 gettimeofday(&start, NULL);
931 #endif
932
933 /* receive */
934 if (ph2exchange[etypesw2(isakmp->etype)]
935 [iph2->side]
936 [iph2->status] == NULL) {
937 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
938 "why isn't the function defined.\n");
939 return -1;
940 }
941 error = (ph2exchange[etypesw2(isakmp->etype)]
942 [iph2->side]
943 [iph2->status])(iph2, msg);
944 if (error != 0) {
945 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
946 "failed to pre-process packet.\n");
947 if (error == ISAKMP_INTERNAL_ERROR)
948 return 0;
949 isakmp_info_send_n1(iph2->ph1, error, NULL);
950 return -1;
951 }
952
953 /* free resend buffer */
954 if (iph2->sendbuf == NULL) {
955 plog(LLV_ERROR, LOCATION, NULL,
956 "no buffer found as sendbuf\n");
957 return -1;
958 }
959 vfree(iph2->sendbuf);
960 iph2->sendbuf = NULL;
961
962 /* turn off schedule */
963 if (iph2->scr)
964 SCHED_KILL(iph2->scr);
965
966 /* when using commit bit, status will be reached here. */
967 if (iph2->status == PHASE2ST_ADDSA)
968 return 0;
969
970 /* send */
971 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
972 if ((ph2exchange[etypesw2(isakmp->etype)]
973 [iph2->side]
974 [iph2->status])(iph2, msg) != 0) {
975 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
976 "failed to process packet.\n");
977 return -1;
978 }
979
980 #ifdef ENABLE_STATS
981 gettimeofday(&end, NULL);
982 syslog(LOG_NOTICE, "%s(%s): %8.6f",
983 "phase2",
984 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
985 timedelta(&start, &end));
986 #endif
987
988 return 0;
989 }
990
991 /* new negotiation of phase 1 for initiator */
992 int
993 isakmp_ph1begin_i(rmconf, remote)
994 struct remoteconf *rmconf;
995 struct sockaddr *remote;
996 {
997 struct ph1handle *iph1;
998 #ifdef ENABLE_STATS
999 struct timeval start, end;
1000 #endif
1001
1002 /* get new entry to isakmp status table. */
1003 iph1 = newph1();
1004 if (iph1 == NULL)
1005 return -1;
1006
1007 iph1->status = PHASE1ST_START;
1008 iph1->rmconf = rmconf;
1009 iph1->side = INITIATOR;
1010 iph1->version = ISAKMP_VERSION_NUMBER;
1011 iph1->msgid = 0;
1012 iph1->flags = 0;
1013 iph1->ph2cnt = 0;
1014 #ifdef HAVE_GSSAPI
1015 iph1->gssapi_state = NULL;
1016 #endif
1017 iph1->approval = NULL;
1018
1019 /* XXX copy remote address */
1020 if (copy_ph1addresses(iph1, rmconf, remote, NULL) < 0)
1021 return -1;
1022
1023 (void)insph1(iph1);
1024
1025 /* start phase 1 exchange */
1026 iph1->etype = rmconf->etypes->type;
1027
1028 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1029 {
1030 char *a;
1031
1032 a = strdup(saddr2str(iph1->local));
1033 plog(LLV_INFO, LOCATION, NULL,
1034 "initiate new phase 1 negotiation: %s<=>%s\n",
1035 a, saddr2str(iph1->remote));
1036 racoon_free(a);
1037 }
1038 plog(LLV_INFO, LOCATION, NULL,
1039 "begin %s mode.\n",
1040 s_isakmp_etype(iph1->etype));
1041
1042 #ifdef ENABLE_STATS
1043 gettimeofday(&iph1->start, NULL);
1044 gettimeofday(&start, NULL);
1045 #endif
1046 /* start exchange */
1047 if ((ph1exchange[etypesw1(iph1->etype)]
1048 [iph1->side]
1049 [iph1->status])(iph1, NULL) != 0) {
1050 /* failed to start phase 1 negotiation */
1051 remph1(iph1);
1052 delph1(iph1);
1053
1054 return -1;
1055 }
1056
1057 #ifdef ENABLE_STATS
1058 gettimeofday(&end, NULL);
1059 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1060 "phase1",
1061 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1062 timedelta(&start, &end));
1063 #endif
1064
1065 return 0;
1066 }
1067
1068 /* new negotiation of phase 1 for responder */
1069 static int
1070 isakmp_ph1begin_r(msg, remote, local, etype)
1071 vchar_t *msg;
1072 struct sockaddr *remote, *local;
1073 u_int8_t etype;
1074 {
1075 struct isakmp *isakmp = (struct isakmp *)msg->v;
1076 struct remoteconf *rmconf;
1077 struct ph1handle *iph1;
1078 struct etypes *etypeok;
1079 #ifdef ENABLE_STATS
1080 struct timeval start, end;
1081 #endif
1082
1083 /* look for my configuration */
1084 rmconf = getrmconf(remote);
1085 if (rmconf == NULL) {
1086 plog(LLV_ERROR, LOCATION, remote,
1087 "couldn't find "
1088 "configuration.\n");
1089 return -1;
1090 }
1091
1092 /* check to be acceptable exchange type */
1093 etypeok = check_etypeok(rmconf, etype);
1094 if (etypeok == NULL) {
1095 plog(LLV_ERROR, LOCATION, remote,
1096 "not acceptable %s mode\n", s_isakmp_etype(etype));
1097 return -1;
1098 }
1099
1100 /* get new entry to isakmp status table. */
1101 iph1 = newph1();
1102 if (iph1 == NULL)
1103 return -1;
1104
1105 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1106 iph1->status = PHASE1ST_START;
1107 iph1->rmconf = rmconf;
1108 iph1->flags = 0;
1109 iph1->side = RESPONDER;
1110 iph1->etype = etypeok->type;
1111 iph1->version = isakmp->v;
1112 iph1->msgid = 0;
1113 #ifdef HAVE_GSSAPI
1114 iph1->gssapi_state = NULL;
1115 #endif
1116 iph1->approval = NULL;
1117
1118 /* copy remote address */
1119 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
1120 return -1;
1121
1122 (void)insph1(iph1);
1123
1124 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1125 {
1126 char *a;
1127
1128 a = strdup(saddr2str(iph1->local));
1129 plog(LLV_INFO, LOCATION, NULL,
1130 "respond new phase 1 negotiation: %s<=>%s\n",
1131 a, saddr2str(iph1->remote));
1132 racoon_free(a);
1133 }
1134 plog(LLV_INFO, LOCATION, NULL,
1135 "begin %s mode.\n", s_isakmp_etype(etype));
1136
1137 #ifdef ENABLE_STATS
1138 gettimeofday(&iph1->start, NULL);
1139 gettimeofday(&start, NULL);
1140 #endif
1141 /* start exchange */
1142 if ((ph1exchange[etypesw1(iph1->etype)]
1143 [iph1->side]
1144 [iph1->status])(iph1, msg) < 0
1145 || (ph1exchange[etypesw1(iph1->etype)]
1146 [iph1->side]
1147 [iph1->status])(iph1, msg) < 0) {
1148 plog(LLV_ERROR, LOCATION, remote,
1149 "failed to process packet.\n");
1150 remph1(iph1);
1151 delph1(iph1);
1152 return -1;
1153 }
1154 #ifdef ENABLE_STATS
1155 gettimeofday(&end, NULL);
1156 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1157 "phase1",
1158 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1159 timedelta(&start, &end));
1160 #endif
1161
1162 return 0;
1163 }
1164
1165 /* new negotiation of phase 2 for initiator */
1166 static int
1167 isakmp_ph2begin_i(iph1, iph2)
1168 struct ph1handle *iph1;
1169 struct ph2handle *iph2;
1170 {
1171 /* found ISAKMP-SA. */
1172 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1173 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1174 {
1175 char *a;
1176 a = strdup(saddr2str(iph2->src));
1177 plog(LLV_INFO, LOCATION, NULL,
1178 "initiate new phase 2 negotiation: %s<=>%s\n",
1179 a, saddr2str(iph2->dst));
1180 racoon_free(a);
1181 }
1182
1183 #ifdef ENABLE_STATS
1184 gettimeofday(&iph2->start, NULL);
1185 #endif
1186 /* found isakmp-sa */
1187 bindph12(iph1, iph2);
1188 iph2->status = PHASE2ST_STATUS2;
1189
1190 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1191 [iph2->side]
1192 [iph2->status])(iph2, NULL) < 0) {
1193 unbindph12(iph2);
1194 /* release ipsecsa handler due to internal error. */
1195 remph2(iph2);
1196 delph2(iph2);
1197 return -1;
1198 }
1199 return 0;
1200 }
1201
1202 /* new negotiation of phase 2 for responder */
1203 static int
1204 isakmp_ph2begin_r(iph1, msg)
1205 struct ph1handle *iph1;
1206 vchar_t *msg;
1207 {
1208 struct isakmp *isakmp = (struct isakmp *)msg->v;
1209 struct ph2handle *iph2 = 0;
1210 int error;
1211 #ifdef ENABLE_STATS
1212 struct timeval start, end;
1213 #endif
1214
1215 iph2 = newph2();
1216 if (iph2 == NULL) {
1217 plog(LLV_ERROR, LOCATION, NULL,
1218 "failed to allocate phase2 entry.\n");
1219 return -1;
1220 }
1221
1222 iph2->ph1 = iph1;
1223 iph2->side = RESPONDER;
1224 iph2->status = PHASE2ST_START;
1225 iph2->flags = isakmp->flags;
1226 iph2->msgid = isakmp->msgid;
1227 iph2->seq = pk_getseq();
1228 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1229 if (iph2->ivm == NULL) {
1230 delph2(iph2);
1231 return -1;
1232 }
1233 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1234 if (iph2->dst == NULL) {
1235 delph2(iph2);
1236 return -1;
1237 }
1238 switch (iph2->dst->sa_family) {
1239 case AF_INET:
1240 ((struct sockaddr_in *)iph2->dst)->sin_port = 0;
1241 break;
1242 #ifdef INET6
1243 case AF_INET6:
1244 ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
1245 break;
1246 #endif
1247 default:
1248 plog(LLV_ERROR, LOCATION, NULL,
1249 "invalid family: %d\n", iph2->dst->sa_family);
1250 delph2(iph2);
1251 return -1;
1252 }
1253
1254 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1255 if (iph2->src == NULL) {
1256 delph2(iph2);
1257 return -1;
1258 }
1259 switch (iph2->src->sa_family) {
1260 case AF_INET:
1261 ((struct sockaddr_in *)iph2->src)->sin_port = 0;
1262 break;
1263 #ifdef INET6
1264 case AF_INET6:
1265 ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
1266 break;
1267 #endif
1268 default:
1269 plog(LLV_ERROR, LOCATION, NULL,
1270 "invalid family: %d\n", iph2->src->sa_family);
1271 delph2(iph2);
1272 return -1;
1273 }
1274
1275 /* add new entry to isakmp status table */
1276 insph2(iph2);
1277 bindph12(iph1, iph2);
1278
1279 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1280 {
1281 char *a;
1282
1283 a = strdup(saddr2str(iph2->src));
1284 plog(LLV_INFO, LOCATION, NULL,
1285 "respond new phase 2 negotiation: %s<=>%s\n",
1286 a, saddr2str(iph2->dst));
1287 racoon_free(a);
1288 }
1289
1290 #ifdef ENABLE_STATS
1291 gettimeofday(&start, NULL);
1292 #endif
1293
1294 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1295 [iph2->side]
1296 [iph2->status])(iph2, msg);
1297 if (error != 0) {
1298 plog(LLV_ERROR, LOCATION, iph1->remote,
1299 "failed to pre-process packet.\n");
1300 if (error != ISAKMP_INTERNAL_ERROR)
1301 isakmp_info_send_n1(iph2->ph1, error, NULL);
1302 /*
1303 * release handler because it's wrong that ph2handle is kept
1304 * after failed to check message for responder's.
1305 */
1306 unbindph12(iph2);
1307 remph2(iph2);
1308 delph2(iph2);
1309 return -1;
1310 }
1311
1312 /* send */
1313 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1314 if ((ph2exchange[etypesw2(isakmp->etype)]
1315 [iph2->side]
1316 [iph2->status])(iph2, msg) < 0) {
1317 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1318 "failed to process packet.\n");
1319 /* don't release handler */
1320 return -1;
1321 }
1322 #ifdef ENABLE_STATS
1323 gettimeofday(&end, NULL);
1324 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1325 "phase2",
1326 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1327 timedelta(&start, &end));
1328 #endif
1329
1330 return 0;
1331 }
1332
1333 /*
1334 * parse ISAKMP payloads, without ISAKMP base header.
1335 */
1336 vchar_t *
1337 isakmp_parsewoh(np0, gen, len)
1338 int np0;
1339 struct isakmp_gen *gen;
1340 int len;
1341 {
1342 u_char np = np0 & 0xff;
1343 int tlen, plen;
1344 vchar_t *result;
1345 struct isakmp_parse_t *p, *ep;
1346
1347 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1348
1349 /*
1350 * 5 is a magic number, but any value larger than 2 should be fine
1351 * as we do vrealloc() in the following loop.
1352 */
1353 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1354 if (result == NULL) {
1355 plog(LLV_ERROR, LOCATION, NULL,
1356 "failed to get buffer.\n");
1357 return NULL;
1358 }
1359 p = (struct isakmp_parse_t *)result->v;
1360 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1361
1362 tlen = len;
1363
1364 /* parse through general headers */
1365 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1366 if (tlen <= sizeof(struct isakmp_gen)) {
1367 /* don't send information, see isakmp_ident_r1() */
1368 plog(LLV_ERROR, LOCATION, NULL,
1369 "invalid length of payload\n");
1370 vfree(result);
1371 return NULL;
1372 }
1373
1374 plog(LLV_DEBUG, LOCATION, NULL,
1375 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1376
1377 p->type = np;
1378 p->len = ntohs(gen->len);
1379 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
1380 plog(LLV_DEBUG, LOCATION, NULL,
1381 "invalid length of payload\n");
1382 vfree(result);
1383 return NULL;
1384 }
1385 p->ptr = gen;
1386 p++;
1387 if (ep <= p) {
1388 int off;
1389
1390 off = p - (struct isakmp_parse_t *)result->v;
1391 result = vrealloc(result, result->l * 2);
1392 if (result == NULL) {
1393 plog(LLV_DEBUG, LOCATION, NULL,
1394 "failed to realloc buffer.\n");
1395 vfree(result);
1396 return NULL;
1397 }
1398 ep = (struct isakmp_parse_t *)
1399 (result->v + result->l - sizeof(*ep));
1400 p = (struct isakmp_parse_t *)result->v;
1401 p += off;
1402 }
1403
1404 np = gen->np;
1405 plen = ntohs(gen->len);
1406 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1407 tlen -= plen;
1408 }
1409 p->type = ISAKMP_NPTYPE_NONE;
1410 p->len = 0;
1411 p->ptr = NULL;
1412
1413 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1414
1415 return result;
1416 }
1417
1418 /*
1419 * parse ISAKMP payloads, including ISAKMP base header.
1420 */
1421 vchar_t *
1422 isakmp_parse(buf)
1423 vchar_t *buf;
1424 {
1425 struct isakmp *isakmp = (struct isakmp *)buf->v;
1426 struct isakmp_gen *gen;
1427 int tlen;
1428 vchar_t *result;
1429 u_char np;
1430
1431 np = isakmp->np;
1432 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1433 tlen = buf->l - sizeof(struct isakmp);
1434 result = isakmp_parsewoh(np, gen, tlen);
1435
1436 return result;
1437 }
1438
1439 /* %%% */
1440 int
1441 isakmp_init()
1442 {
1443 /* initialize a isakmp status table */
1444 initph1tree();
1445 initph2tree();
1446 initctdtree();
1447 init_recvdpkt();
1448
1449 if (isakmp_open() < 0)
1450 goto err;
1451
1452 return(0);
1453
1454 err:
1455 isakmp_close();
1456 return(-1);
1457 }
1458
1459 /*
1460 * make strings containing i_cookie + r_cookie + msgid
1461 */
1462 const char *
1463 isakmp_pindex(index, msgid)
1464 const isakmp_index *index;
1465 const u_int32_t msgid;
1466 {
1467 static char buf[64];
1468 const u_char *p;
1469 int i, j;
1470
1471 memset(buf, 0, sizeof(buf));
1472
1473 /* copy index */
1474 p = (const u_char *)index;
1475 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1476 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1477 j += 2;
1478 switch (i) {
1479 case 7:
1480 buf[j++] = ':';
1481 }
1482 }
1483
1484 if (msgid == 0)
1485 return buf;
1486
1487 /* copy msgid */
1488 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1489
1490 return buf;
1491 }
1492
1493 int
1494 isakmp_setup_socket(struct sockaddr* in_addr)
1495 {
1496 int sock = -1;
1497 const int yes = 1;
1498 #ifdef INET6
1499 int pktinfo;
1500 #endif
1501 if ((sock = socket(in_addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1502 plog(LLV_ERROR, LOCATION, NULL,
1503 "socket (%s)\n", strerror(errno));
1504 return -1;
1505 }
1506
1507 /* receive my interface address on inbound packets. */
1508 switch (in_addr->sa_family) {
1509 case AF_INET:
1510 if (setsockopt(sock, IPPROTO_IP, IP_RECVDSTADDR,
1511 (const void *)&yes, sizeof(yes)) < 0) {
1512 plog(LLV_ERROR, LOCATION, NULL,
1513 "setsockopt (%s)\n", strerror(errno));
1514 close(sock);
1515 return -1;
1516 }
1517 break;
1518 #ifdef INET6
1519 case AF_INET6:
1520 #ifdef ADVAPI
1521 #ifdef IPV6_RECVPKTINFO
1522 pktinfo = IPV6_RECVPKTINFO;
1523 #else /* old adv. API */
1524 pktinfo = IPV6_PKTINFO;
1525 #endif /* IPV6_RECVPKTINFO */
1526 #else
1527 pktinfo = IPV6_RECVDSTADDR;
1528 #endif
1529 if (setsockopt(sock, IPPROTO_IPV6, pktinfo,
1530 (const void *)&yes, sizeof(yes)) < 0)
1531 {
1532 plog(LLV_ERROR, LOCATION, NULL,
1533 "setsockopt(%d): %s\n",
1534 pktinfo, strerror(errno));
1535 close(sock);
1536 return -1;
1537 }
1538 break;
1539 #endif
1540 }
1541
1542 #ifdef IPV6_USE_MIN_MTU
1543 if (in_addr->sa_family == AF_INET6 &&
1544 setsockopt(sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1545 (void *)&yes, sizeof(yes)) < 0) {
1546 plog(LLV_ERROR, LOCATION, NULL,
1547 "setsockopt (%s)\n", strerror(errno));
1548 close(sock);
1549 return -1;
1550 }
1551 #endif
1552
1553 if (setsockopt_bypass(sock, in_addr->sa_family) < 0) {
1554 close(sock);
1555 return -1;
1556 }
1557
1558 if (bind(sock, in_addr, in_addr->sa_len) < 0) {
1559 plog(LLV_ERROR, LOCATION, in_addr,
1560 "failed to bind (%s).\n", strerror(errno));
1561 close(sock);
1562 return -1;
1563 }
1564
1565 return sock;
1566 }
1567
1568 /* open ISAKMP sockets. */
1569 int
1570 isakmp_open()
1571 {
1572 int ifnum;
1573 struct myaddrs *p;
1574
1575 ifnum = 0;
1576 for (p = lcconf->myaddrs; p; p = p->next) {
1577 if (!p->addr)
1578 continue;
1579
1580 if (p->sock != -1) {
1581 ifnum++;
1582 continue; // socket already open
1583 }
1584
1585 /* warn if wildcard address - should we forbid this? */
1586 switch (p->addr->sa_family) {
1587 case AF_INET:
1588 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
1589 plog(LLV_WARNING, LOCATION, NULL,
1590 "listening to wildcard address,"
1591 "broadcast IKE packet may kill you\n");
1592 break;
1593 #ifdef INET6
1594 case AF_INET6:
1595 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
1596 plog(LLV_WARNING, LOCATION, NULL,
1597 "listening to wildcard address, "
1598 "broadcast IKE packet may kill you\n");
1599 break;
1600 #endif
1601 default:
1602 plog(LLV_ERROR, LOCATION, NULL,
1603 "unsupported address family %d\n",
1604 lcconf->default_af);
1605 goto err_and_next;
1606 }
1607
1608 p->sock = isakmp_setup_socket(p->addr);
1609 if (p->sock < 0) goto err_and_next;
1610
1611 plog(LLV_DEBUG, LOCATION, NULL,
1612 "%s used as isakmp port (fd=%d)\n",
1613 saddr2str(p->addr), p->sock);
1614
1615 ifnum++;
1616
1617 #ifdef IKE_NAT_T
1618 /*
1619 * We have to listen on 4500 in addition to 500 with IPv4
1620 * to support NAT traversal.
1621 */
1622 if (p->addr->sa_family == AF_INET)
1623 {
1624 struct sockaddr_in sin = *(struct sockaddr_in*)p->addr;
1625
1626 sin.sin_port = htons(PORT_ISAKMP_NATT);
1627 p->nattsock = isakmp_setup_socket((struct sockaddr*)&sin);
1628 if (p->nattsock >= 0)
1629 plog(LLV_DEBUG, LOCATION, NULL,
1630 "%s used as nat-t isakmp port (fd=%d)\n",
1631 saddr2str((struct sockaddr*)&sin), p->nattsock);
1632 }
1633 #endif
1634
1635 continue;
1636
1637 err_and_next:
1638 racoon_free(p->addr);
1639 p->addr = NULL;
1640 if (! lcconf->autograbaddr && lcconf->strict_address)
1641 return -1;
1642 continue;
1643 }
1644
1645 if (!ifnum) {
1646 plog(LLV_ERROR, LOCATION, NULL,
1647 "no address could be bound.\n");
1648 return -1;
1649 }
1650
1651 return 0;
1652 }
1653
1654 void
1655 isakmp_close()
1656 {
1657 isakmp_close_sockets();
1658 isakmp_free_addrs();
1659 }
1660
1661 void
1662 isakmp_close_sockets()
1663 {
1664 struct myaddrs *p;
1665
1666 for (p = lcconf->myaddrs; p; p = p->next) {
1667
1668 if (!p->addr)
1669 continue;
1670
1671 if (p->sock >= 0) {
1672 close(p->sock);
1673 p->sock = -1;
1674 }
1675
1676 #ifdef IKE_NAT_T
1677 if (p->nattsock >= 0) {
1678 close(p->nattsock);
1679 p->nattsock = -1;
1680 }
1681 #endif
1682
1683 }
1684
1685 }
1686
1687 void
1688 isakmp_free_addrs()
1689 {
1690 struct myaddrs *p, *next;
1691
1692 for (p = lcconf->myaddrs; p; p = next) {
1693 next = p->next;
1694
1695 if (p->addr)
1696 racoon_free(p->addr);
1697 racoon_free(p);
1698 }
1699
1700 lcconf->myaddrs = NULL;
1701
1702 }
1703
1704
1705 // close sockets for addresses that have gone away
1706 void
1707 isakmp_close_unused()
1708 {
1709 struct myaddrs *p, *next, **prev;
1710
1711 prev = &(lcconf->myaddrs);
1712 for (p = lcconf->myaddrs; p; p = next) {
1713 next = p->next;
1714 if (p->addrcount == 0) { // not in use ?
1715
1716 if (p->sock >= 0)
1717 close(p->sock);
1718
1719 #ifdef IKE_NAT_T
1720 if (p->nattsock >= 0)
1721 close(p->nattsock);
1722 #endif
1723 *prev = p->next;
1724 if (p->addr)
1725 racoon_free(p->addr);
1726 racoon_free(p);
1727 } else
1728 prev = &(p->next);
1729 }
1730 }
1731
1732 int
1733 isakmp_send(iph1, sbuf)
1734 struct ph1handle *iph1;
1735 vchar_t *sbuf;
1736 {
1737 int len = 0;
1738 int s;
1739 vchar_t *newbuf = NULL;
1740
1741 /* select the socket to be sent */
1742 s = getsockmyaddr(iph1->local);
1743 if (s == -1)
1744 return -1;
1745
1746 #ifdef IKE_NAT_T
1747 /* prepend four bytes of zeros if source or destination port is PORT_ISAKMP_NATT */
1748 if (iph1->remote->sa_family == AF_INET &&
1749 (((struct sockaddr_in*)(iph1->remote))->sin_port == htons(PORT_ISAKMP_NATT)) ||
1750 ((struct sockaddr_in*)(iph1->local))->sin_port == htons(PORT_ISAKMP_NATT))
1751 {
1752
1753 /* There's probably a better way to do this */
1754 newbuf = vmalloc(sbuf->l + 4);
1755 if (newbuf == NULL) {
1756 plog(LLV_ERROR, LOCATION, NULL, "sendfromto natt prepend failed\n");
1757 return -1;
1758 }
1759
1760 memset(newbuf->v, 0, 4);
1761 memcpy(newbuf->v + 4, sbuf->v, sbuf->l);
1762 sbuf = newbuf;
1763 }
1764 #endif
1765
1766 len = sendfromto(s, sbuf->v, sbuf->l,
1767 iph1->local, iph1->remote, lcconf->count_persend);
1768 if (len == -1) {
1769 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1770 return -1;
1771 }
1772
1773 if (newbuf) vfree(newbuf);
1774
1775 return 0;
1776 }
1777
1778 /* called from scheduler */
1779 void
1780 isakmp_ph1resend_stub(p)
1781 void *p;
1782 {
1783 (void)isakmp_ph1resend((struct ph1handle *)p);
1784 }
1785
1786 int
1787 isakmp_ph1resend(iph1)
1788 struct ph1handle *iph1;
1789 {
1790 if (iph1->retry_counter < 0) {
1791 plog(LLV_ERROR, LOCATION, NULL,
1792 "phase1 negotiation failed due to time up. %s\n",
1793 isakmp_pindex(&iph1->index, iph1->msgid));
1794
1795 remph1(iph1);
1796 delph1(iph1);
1797 return -1;
1798 }
1799
1800 if (isakmp_send(iph1, iph1->sendbuf) < 0)
1801 return -1;
1802
1803 plog(LLV_DEBUG, LOCATION, NULL,
1804 "resend phase1 packet %s\n",
1805 isakmp_pindex(&iph1->index, iph1->msgid));
1806
1807 iph1->retry_counter--;
1808
1809 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1810 isakmp_ph1resend_stub, iph1);
1811
1812 return 0;
1813 }
1814
1815 /* called from scheduler */
1816 void
1817 isakmp_ph2resend_stub(p)
1818 void *p;
1819 {
1820
1821 (void)isakmp_ph2resend((struct ph2handle *)p);
1822 }
1823
1824 int
1825 isakmp_ph2resend(iph2)
1826 struct ph2handle *iph2;
1827 {
1828 if (iph2->retry_counter < 0) {
1829 plog(LLV_ERROR, LOCATION, NULL,
1830 "phase2 negotiation failed due to time up. %s\n",
1831 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1832 unbindph12(iph2);
1833 remph2(iph2);
1834 delph2(iph2);
1835 return -1;
1836 }
1837
1838 if (iph2->ph1 == 0) {
1839 plog(LLV_ERROR, LOCATION, NULL,
1840 "internal error - attempt to re-send phase2 with no phase1 bound.\n");
1841 iph2->retry_counter = -1;
1842 remph2(iph2);
1843 delph2(iph2);
1844 return -1;
1845 }
1846
1847 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1848 return -1;
1849
1850 plog(LLV_DEBUG, LOCATION, NULL,
1851 "resend phase2 packet %s\n",
1852 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1853
1854 iph2->retry_counter--;
1855
1856 iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
1857 isakmp_ph2resend_stub, iph2);
1858
1859 return 0;
1860 }
1861
1862 /* called from scheduler */
1863 void
1864 isakmp_ph1expire_stub(p)
1865 void *p;
1866 {
1867
1868 isakmp_ph1expire((struct ph1handle *)p);
1869 }
1870
1871 void
1872 isakmp_ph1expire(iph1)
1873 struct ph1handle *iph1;
1874 {
1875 char *src, *dst;
1876
1877 src = strdup(saddr2str(iph1->local));
1878 dst = strdup(saddr2str(iph1->remote));
1879 plog(LLV_INFO, LOCATION, NULL,
1880 "ISAKMP-SA expired %s-%s spi:%s\n",
1881 src, dst,
1882 isakmp_pindex(&iph1->index, 0));
1883 racoon_free(src);
1884 racoon_free(dst);
1885
1886 SCHED_KILL(iph1->sce);
1887
1888 iph1->status = PHASE1ST_EXPIRED;
1889
1890 /*
1891 * the phase1 deletion is postponed until there is no phase2.
1892 */
1893 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1894 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
1895 return;
1896 }
1897
1898 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1899 }
1900
1901 /* called from scheduler */
1902 void
1903 isakmp_ph1delete_stub(p)
1904 void *p;
1905 {
1906
1907 isakmp_ph1delete((struct ph1handle *)p);
1908 }
1909
1910 void
1911 isakmp_ph1delete(iph1)
1912 struct ph1handle *iph1;
1913 {
1914 char *src, *dst;
1915
1916 SCHED_KILL(iph1->sce);
1917
1918 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1919 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1920 return;
1921 }
1922
1923 /* don't re-negosiation when the phase 1 SA expires. */
1924
1925 src = strdup(saddr2str(iph1->local));
1926 dst = strdup(saddr2str(iph1->remote));
1927 plog(LLV_INFO, LOCATION, NULL,
1928 "ISAKMP-SA deleted %s-%s spi:%s\n",
1929 src, dst, isakmp_pindex(&iph1->index, 0));
1930 racoon_free(src);
1931 racoon_free(dst);
1932
1933 remph1(iph1);
1934 delph1(iph1);
1935
1936 return;
1937 }
1938
1939 /* called from scheduler.
1940 * this function will call only isakmp_ph2delete().
1941 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
1942 * by something cause. That's why this function is called after phase 2 SA
1943 * expires in the userland.
1944 */
1945 void
1946 isakmp_ph2expire_stub(p)
1947 void *p;
1948 {
1949
1950 isakmp_ph2expire((struct ph2handle *)p);
1951 }
1952
1953 void
1954 isakmp_ph2expire(iph2)
1955 struct ph2handle *iph2;
1956 {
1957 char *src, *dst;
1958
1959 SCHED_KILL(iph2->sce);
1960
1961 src = strdup(saddrwop2str(iph2->src));
1962 dst = strdup(saddrwop2str(iph2->dst));
1963 plog(LLV_INFO, LOCATION, NULL,
1964 "phase2 sa expired %s-%s\n", src, dst);
1965 racoon_free(src);
1966 racoon_free(dst);
1967
1968 iph2->status = PHASE2ST_EXPIRED;
1969
1970 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
1971
1972 return;
1973 }
1974
1975 /* called from scheduler */
1976 void
1977 isakmp_ph2delete_stub(p)
1978 void *p;
1979 {
1980
1981 isakmp_ph2delete((struct ph2handle *)p);
1982 }
1983
1984 void
1985 isakmp_ph2delete(iph2)
1986 struct ph2handle *iph2;
1987 {
1988 char *src, *dst;
1989
1990 SCHED_KILL(iph2->sce);
1991
1992 src = strdup(saddrwop2str(iph2->src));
1993 dst = strdup(saddrwop2str(iph2->dst));
1994 plog(LLV_INFO, LOCATION, NULL,
1995 "phase2 sa deleted %s-%s\n", src, dst);
1996 racoon_free(src);
1997 racoon_free(dst);
1998
1999 unbindph12(iph2);
2000 remph2(iph2);
2001 delph2(iph2);
2002
2003 return;
2004 }
2005
2006 /* \f%%%
2007 * Interface between PF_KEYv2 and ISAKMP
2008 */
2009 /*
2010 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
2011 * if phase1 has been finished, begin phase2.
2012 */
2013 int
2014 isakmp_post_acquire(iph2)
2015 struct ph2handle *iph2;
2016 {
2017 struct remoteconf *rmconf;
2018 struct ph1handle *iph1 = NULL;
2019
2020 /* search appropreate configuration with masking port. */
2021 rmconf = getrmconf(iph2->dst);
2022 if (rmconf == NULL) {
2023 plog(LLV_ERROR, LOCATION, NULL,
2024 "no configuration found for %s.\n",
2025 saddrwop2str(iph2->dst));
2026 return -1;
2027 }
2028
2029 /* if passive mode, ignore the acquire message */
2030 if (rmconf->passive) {
2031 plog(LLV_DEBUG, LOCATION, NULL,
2032 "because of passive mode, "
2033 "ignore the acquire message for %s.\n",
2034 saddrwop2str(iph2->dst));
2035 return 0;
2036 }
2037
2038 /* search isakmp status table by address with masking port */
2039 iph1 = getph1byaddr(iph2->src, iph2->dst);
2040
2041 /* no ISAKMP-SA found. */
2042 if (iph1 == NULL) {
2043 struct sched *sc;
2044
2045 iph2->retry_checkph1 = lcconf->retry_checkph1;
2046 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
2047 plog(LLV_INFO, LOCATION, NULL,
2048 "IPsec-SA request for %s queued "
2049 "due to no phase1 found.\n",
2050 saddrwop2str(iph2->dst));
2051
2052 /* start phase 1 negotiation as a initiator. */
2053 if (isakmp_ph1begin_i(rmconf, iph2->dst) < 0) {
2054 SCHED_KILL(sc);
2055 return -1;
2056 }
2057
2058 return 0;
2059 /*NOTREACHED*/
2060 }
2061
2062 /* found ISAKMP-SA, but on negotiation. */
2063 if (iph1->status != PHASE1ST_ESTABLISHED) {
2064 iph2->retry_checkph1 = lcconf->retry_checkph1;
2065 sched_new(1, isakmp_chkph1there_stub, iph2);
2066 plog(LLV_INFO, LOCATION, iph2->dst,
2067 "request for establishing IPsec-SA was queued "
2068 "due to no phase1 found.\n");
2069 return 0;
2070 /*NOTREACHED*/
2071 }
2072
2073 /* found established ISAKMP-SA */
2074 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
2075
2076 /* found ISAKMP-SA. */
2077 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
2078
2079 /* begin quick mode */
2080 if (isakmp_ph2begin_i(iph1, iph2))
2081 return -1;
2082
2083 return 0;
2084 }
2085
2086 /*
2087 * receive GETSPI from kernel.
2088 */
2089 int
2090 isakmp_post_getspi(iph2)
2091 struct ph2handle *iph2;
2092 {
2093 #ifdef ENABLE_STATS
2094 struct timeval start, end;
2095 #endif
2096
2097 /* don't process it because there is no suitable phase1-sa. */
2098 if (iph2->ph1->status == PHASE2ST_EXPIRED) {
2099 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2100 "the negotiation is stopped, "
2101 "because there is no suitable ISAKMP-SA.\n");
2102 return -1;
2103 }
2104
2105 #ifdef ENABLE_STATS
2106 gettimeofday(&start, NULL);
2107 #endif
2108 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2109 [iph2->side]
2110 [iph2->status])(iph2, NULL) != 0)
2111 return -1;
2112 #ifdef ENABLE_STATS
2113 gettimeofday(&end, NULL);
2114 syslog(LOG_NOTICE, "%s(%s): %8.6f",
2115 "phase2",
2116 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2117 timedelta(&start, &end));
2118 #endif
2119
2120 return 0;
2121 }
2122
2123 /* called by scheduler */
2124 void
2125 isakmp_chkph1there_stub(p)
2126 void *p;
2127 {
2128 isakmp_chkph1there((struct ph2handle *)p);
2129 }
2130
2131 void
2132 isakmp_chkph1there(iph2)
2133 struct ph2handle *iph2;
2134 {
2135 struct ph1handle *iph1;
2136
2137 iph2->retry_checkph1--;
2138 if (iph2->retry_checkph1 < 0) {
2139 plog(LLV_ERROR, LOCATION, iph2->dst,
2140 "phase2 negotiation failed "
2141 "due to time up waiting for phase1. %s\n",
2142 sadbsecas2str(iph2->dst, iph2->src,
2143 iph2->satype, 0, 0));
2144 plog(LLV_INFO, LOCATION, NULL,
2145 "delete phase 2 handler.\n");
2146
2147 /* send acquire to kernel as error */
2148 pk_sendeacquire(iph2);
2149
2150 unbindph12(iph2);
2151 remph2(iph2);
2152 delph2(iph2);
2153
2154 return;
2155 }
2156
2157 iph1 = getph1byaddr(iph2->src, iph2->dst);
2158
2159 /* XXX Even if ph1 as responder is there, should we not start
2160 * phase 2 negotiation ? */
2161 if (iph1 != NULL
2162 && iph1->status == PHASE1ST_ESTABLISHED) {
2163 /* found isakmp-sa */
2164 /* begin quick mode */
2165 (void)isakmp_ph2begin_i(iph1, iph2);
2166 return;
2167 }
2168
2169 /* no isakmp-sa found */
2170 sched_new(1, isakmp_chkph1there_stub, iph2);
2171
2172 return;
2173 }
2174
2175 /* copy variable data into ALLOCATED buffer. */
2176 caddr_t
2177 isakmp_set_attr_v(buf, type, val, len)
2178 caddr_t buf;
2179 int type;
2180 caddr_t val;
2181 int len;
2182 {
2183 struct isakmp_data *data;
2184
2185 data = (struct isakmp_data *)buf;
2186 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2187 data->lorv = htons((u_int16_t)len);
2188 memcpy(data + 1, val, len);
2189
2190 return buf + sizeof(*data) + len;
2191 }
2192
2193 /* copy fixed length data into ALLOCATED buffer. */
2194 caddr_t
2195 isakmp_set_attr_l(buf, type, val)
2196 caddr_t buf;
2197 int type;
2198 u_int32_t val;
2199 {
2200 struct isakmp_data *data;
2201
2202 data = (struct isakmp_data *)buf;
2203 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2204 data->lorv = htons((u_int16_t)val);
2205
2206 return buf + sizeof(*data);
2207 }
2208
2209 /* add a variable data attribute to the buffer by reallocating it. */
2210 vchar_t *
2211 isakmp_add_attr_v(buf0, type, val, len)
2212 vchar_t *buf0;
2213 int type;
2214 caddr_t val;
2215 int len;
2216 {
2217 vchar_t *buf = NULL;
2218 struct isakmp_data *data;
2219 int tlen;
2220 int oldlen = 0;
2221
2222 tlen = sizeof(*data) + len;
2223
2224 if (buf0) {
2225 oldlen = buf0->l;
2226 buf = vrealloc(buf0, oldlen + tlen);
2227 } else
2228 buf = vmalloc(tlen);
2229 if (!buf) {
2230 plog(LLV_ERROR, LOCATION, NULL,
2231 "failed to get a attribute buffer.\n");
2232 return NULL;
2233 }
2234
2235 data = (struct isakmp_data *)(buf->v + oldlen);
2236 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2237 data->lorv = htons((u_int16_t)len);
2238 memcpy(data + 1, val, len);
2239
2240 return buf;
2241 }
2242
2243 /* add a fixed data attribute to the buffer by reallocating it. */
2244 vchar_t *
2245 isakmp_add_attr_l(buf0, type, val)
2246 vchar_t *buf0;
2247 int type;
2248 u_int32_t val;
2249 {
2250 vchar_t *buf = NULL;
2251 struct isakmp_data *data;
2252 int tlen;
2253 int oldlen = 0;
2254
2255 tlen = sizeof(*data);
2256
2257 if (buf0) {
2258 oldlen = buf0->l;
2259 buf = vrealloc(buf0, oldlen + tlen);
2260 } else
2261 buf = vmalloc(tlen);
2262 if (!buf) {
2263 plog(LLV_ERROR, LOCATION, NULL,
2264 "failed to get a attribute buffer.\n");
2265 return NULL;
2266 }
2267
2268 data = (struct isakmp_data *)(buf->v + oldlen);
2269 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2270 data->lorv = htons((u_int16_t)val);
2271
2272 return buf;
2273 }
2274
2275 /*
2276 * calculate cookie and set.
2277 */
2278 int
2279 isakmp_newcookie(place, remote, local)
2280 caddr_t place;
2281 struct sockaddr *remote;
2282 struct sockaddr *local;
2283 {
2284 vchar_t *buf = NULL, *buf2 = NULL;
2285 char *p;
2286 int blen;
2287 int alen;
2288 caddr_t sa1, sa2;
2289 time_t t;
2290 int error = -1;
2291 u_short port;
2292
2293
2294 if (remote->sa_family != local->sa_family) {
2295 plog(LLV_ERROR, LOCATION, NULL,
2296 "address family mismatch, remote:%d local:%d\n",
2297 remote->sa_family, local->sa_family);
2298 goto end;
2299 }
2300 switch (remote->sa_family) {
2301 case AF_INET:
2302 alen = sizeof(struct in_addr);
2303 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2304 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2305 break;
2306 #ifdef INET6
2307 case AF_INET6:
2308 alen = sizeof(struct in_addr);
2309 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2310 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2311 break;
2312 #endif
2313 default:
2314 plog(LLV_ERROR, LOCATION, NULL,
2315 "invalid family: %d\n", remote->sa_family);
2316 goto end;
2317 }
2318 blen = (alen + sizeof(u_short)) * 2
2319 + sizeof(time_t) + lcconf->secret_size;
2320 buf = vmalloc(blen);
2321 if (buf == NULL) {
2322 plog(LLV_ERROR, LOCATION, NULL,
2323 "failed to get a cookie.\n");
2324 goto end;
2325 }
2326 p = buf->v;
2327
2328 /* copy my address */
2329 memcpy(p, sa1, alen);
2330 p += alen;
2331 port = ((struct sockaddr_in *)remote)->sin_port;
2332 memcpy(p, &port, sizeof(u_short));
2333 p += sizeof(u_short);
2334
2335 /* copy target address */
2336 memcpy(p, sa2, alen);
2337 p += alen;
2338 port = ((struct sockaddr_in *)local)->sin_port;
2339 memcpy(p, &port, sizeof(u_short));
2340 p += sizeof(u_short);
2341
2342 /* copy time */
2343 t = time(0);
2344 memcpy(p, (caddr_t)&t, sizeof(t));
2345 p += sizeof(t);
2346
2347 /* copy random value */
2348 buf2 = eay_set_random(lcconf->secret_size);
2349 if (buf2 == NULL)
2350 goto end;
2351 memcpy(p, buf2->v, lcconf->secret_size);
2352 p += lcconf->secret_size;
2353 vfree(buf2);
2354
2355 buf2 = eay_sha1_one(buf);
2356 memcpy(place, buf2->v, sizeof(cookie_t));
2357
2358 sa1 = val2str(place, sizeof (cookie_t));
2359 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2360 racoon_free(sa1);
2361
2362 error = 0;
2363 end:
2364 if (buf != NULL)
2365 vfree(buf);
2366 if (buf2 != NULL)
2367 vfree(buf2);
2368 return error;
2369 }
2370
2371 /*
2372 * save partner's(payload) data into phhandle.
2373 */
2374 int
2375 isakmp_p2ph(buf, gen)
2376 vchar_t **buf;
2377 struct isakmp_gen *gen;
2378 {
2379 /* XXX to be checked in each functions for logging. */
2380 if (*buf) {
2381 plog(LLV_WARNING, LOCATION, NULL,
2382 "ignore this payload, same payload type exist.\n");
2383 return -1;
2384 }
2385
2386 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
2387 if (*buf == NULL) {
2388 plog(LLV_ERROR, LOCATION, NULL,
2389 "failed to get buffer.\n");
2390 return -1;
2391 }
2392 memcpy((*buf)->v, gen + 1, (*buf)->l);
2393
2394 return 0;
2395 }
2396
2397 u_int32_t
2398 isakmp_newmsgid2(iph1)
2399 struct ph1handle *iph1;
2400 {
2401 u_int32_t msgid2;
2402
2403 do {
2404 msgid2 = arc4random();
2405 } while (getph2bymsgid(iph1, msgid2));
2406
2407 return msgid2;
2408 }
2409
2410 /*
2411 * set values into allocated buffer of isakmp header for phase 1
2412 */
2413 caddr_t
2414 set_isakmp_header(vbuf, iph1, nptype)
2415 vchar_t *vbuf;
2416 struct ph1handle *iph1;
2417 int nptype;
2418 {
2419 struct isakmp *isakmp;
2420
2421 if (vbuf->l < sizeof(*isakmp))
2422 return NULL;
2423
2424 isakmp = (struct isakmp *)vbuf->v;
2425 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2426 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2427 isakmp->np = nptype;
2428 isakmp->v = iph1->version;
2429 isakmp->etype = iph1->etype;
2430 isakmp->flags = iph1->flags;
2431 isakmp->msgid = iph1->msgid;
2432 isakmp->len = htonl(vbuf->l);
2433
2434 return vbuf->v + sizeof(*isakmp);
2435 }
2436
2437 /*
2438 * set values into allocated buffer of isakmp header for phase 2
2439 */
2440 caddr_t
2441 set_isakmp_header2(vbuf, iph2, nptype)
2442 vchar_t *vbuf;
2443 struct ph2handle *iph2;
2444 int nptype;
2445 {
2446 struct isakmp *isakmp;
2447
2448 if (vbuf->l < sizeof(*isakmp))
2449 return NULL;
2450
2451 isakmp = (struct isakmp *)vbuf->v;
2452 memcpy(&isakmp->i_ck, &iph2->ph1->index.i_ck, sizeof(cookie_t));
2453 memcpy(&isakmp->r_ck, &iph2->ph1->index.r_ck, sizeof(cookie_t));
2454 isakmp->np = nptype;
2455 isakmp->v = iph2->ph1->version;
2456 isakmp->etype = ISAKMP_ETYPE_QUICK;
2457 isakmp->flags = iph2->flags;
2458 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
2459 isakmp->len = htonl(vbuf->l);
2460
2461 return vbuf->v + sizeof(*isakmp);
2462 }
2463
2464 /*
2465 * set values into allocated buffer of isakmp payload.
2466 */
2467 caddr_t
2468 set_isakmp_payload(buf, src, nptype)
2469 caddr_t buf;
2470 vchar_t *src;
2471 int nptype;
2472 {
2473 struct isakmp_gen *gen;
2474 caddr_t p = buf;
2475
2476 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %d, next type %d\n",
2477 src->l, nptype);
2478
2479 gen = (struct isakmp_gen *)p;
2480 gen->np = nptype;
2481 gen->len = htons(sizeof(*gen) + src->l);
2482 p += sizeof(*gen);
2483 memcpy(p, src->v, src->l);
2484 p += src->l;
2485
2486 return p;
2487 }
2488
2489 static int
2490 etypesw1(etype)
2491 int etype;
2492 {
2493 switch (etype) {
2494 case ISAKMP_ETYPE_IDENT:
2495 return 1;
2496 case ISAKMP_ETYPE_AGG:
2497 return 2;
2498 case ISAKMP_ETYPE_BASE:
2499 return 3;
2500 default:
2501 return 0;
2502 }
2503 /*NOTREACHED*/
2504 }
2505
2506 static int
2507 etypesw2(etype)
2508 int etype;
2509 {
2510 switch (etype) {
2511 case ISAKMP_ETYPE_QUICK:
2512 return 1;
2513 default:
2514 return 0;
2515 }
2516 /*NOTREACHED*/
2517 }
2518
2519 #ifdef HAVE_PRINT_ISAKMP_C
2520 /* for print-isakmp.c */
2521 char *snapend;
2522 extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2523
2524 char *getname __P((const u_char *));
2525 #ifdef INET6
2526 char *getname6 __P((const u_char *));
2527 #endif
2528 int safeputchar __P((int));
2529
2530 /*
2531 * Return a name for the IP address pointed to by ap. This address
2532 * is assumed to be in network byte order.
2533 */
2534 char *
2535 getname(ap)
2536 const u_char *ap;
2537 {
2538 struct sockaddr_in addr;
2539 static char ntop_buf[NI_MAXHOST];
2540
2541 memset(&addr, 0, sizeof(addr));
2542 addr.sin_len = sizeof(struct sockaddr_in);
2543 addr.sin_family = AF_INET;
2544 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2545 if (getnameinfo((struct sockaddr *)&addr, addr.sin_len,
2546 ntop_buf, sizeof(ntop_buf), NULL, 0,
2547 NI_NUMERICHOST | niflags))
2548 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2549
2550 return ntop_buf;
2551 }
2552
2553 #ifdef INET6
2554 /*
2555 * Return a name for the IP6 address pointed to by ap. This address
2556 * is assumed to be in network byte order.
2557 */
2558 char *
2559 getname6(ap)
2560 const u_char *ap;
2561 {
2562 struct sockaddr_in6 addr;
2563 static char ntop_buf[NI_MAXHOST];
2564
2565 memset(&addr, 0, sizeof(addr));
2566 addr.sin6_len = sizeof(struct sockaddr_in6);
2567 addr.sin6_family = AF_INET6;
2568 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2569 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2570 ntop_buf, sizeof(ntop_buf), NULL, 0,
2571 NI_NUMERICHOST | niflags))
2572 strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2573
2574 return ntop_buf;
2575 }
2576 #endif /* INET6 */
2577
2578 int
2579 safeputchar(c)
2580 int c;
2581 {
2582 unsigned char ch;
2583
2584 ch = (unsigned char)(c & 0xff);
2585 if (c < 0x80 && isprint(c))
2586 return printf("%c", c & 0xff);
2587 else
2588 return printf("\\%03o", c & 0xff);
2589 }
2590
2591 void
2592 isakmp_printpacket(msg, from, my, decoded)
2593 vchar_t *msg;
2594 struct sockaddr *from;
2595 struct sockaddr *my;
2596 int decoded;
2597 {
2598 #ifdef YIPS_DEBUG
2599 struct timeval tv;
2600 int s;
2601 char hostbuf[NI_MAXHOST];
2602 char portbuf[NI_MAXSERV];
2603 struct isakmp *isakmp;
2604 vchar_t *buf;
2605 #endif
2606
2607 if (loglevel < LLV_DEBUG)
2608 return;
2609
2610 #ifdef YIPS_DEBUG
2611 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2612
2613 gettimeofday(&tv, NULL);
2614 s = tv.tv_sec % 3600;
2615 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2616
2617 if (from) {
2618 if (getnameinfo(from, from->sa_len, hostbuf, sizeof(hostbuf),
2619 portbuf, sizeof(portbuf),
2620 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2621 strlcpy(hostbuf, "?", sizeof(hostbuf));
2622 strlcpy(portbuf, "?", sizeof(portbuf));
2623 }
2624 printf("%s:%s", hostbuf, portbuf);
2625 } else
2626 printf("?");
2627 printf(" -> ");
2628 if (my) {
2629 if (getnameinfo(my, my->sa_len, hostbuf, sizeof(hostbuf),
2630 portbuf, sizeof(portbuf),
2631 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2632 strlcpy(hostbuf, "?", sizeof(hostbuf));
2633 strlcpy(portbuf, "?", sizeof(portbuf));
2634 }
2635 printf("%s:%s", hostbuf, portbuf);
2636 } else
2637 printf("?");
2638 printf(": ");
2639
2640 buf = vdup(msg);
2641 if (!buf) {
2642 printf("(malloc fail)\n");
2643 return;
2644 }
2645 if (decoded) {
2646 isakmp = (struct isakmp *)buf->v;
2647 if (isakmp->flags & ISAKMP_FLAG_E) {
2648 #if 0
2649 int pad;
2650 pad = *(u_char *)(buf->v + buf->l - 1);
2651 if (buf->l < pad && 2 < vflag)
2652 printf("(wrong padding)");
2653 #endif
2654 isakmp->flags &= ~ISAKMP_FLAG_E;
2655 }
2656 }
2657
2658 snapend = buf->v + buf->l;
2659 isakmp_print(buf->v, buf->l, NULL);
2660 vfree(buf);
2661 printf("\n");
2662 fflush(stdout);
2663
2664 return;
2665 #endif
2666 }
2667 #endif /*HAVE_PRINT_ISAKMP_C*/
2668
2669 int
2670 copy_ph1addresses(iph1, rmconf, remote, local)
2671 struct ph1handle *iph1;
2672 struct remoteconf *rmconf;
2673 struct sockaddr *remote, *local;
2674 {
2675 u_short *port = NULL;
2676
2677 /* address portion must be grabbed from real remote address "remote" */
2678 iph1->remote = dupsaddr(remote);
2679 if (iph1->remote == NULL) {
2680 delph1(iph1);
2681 return -1;
2682 }
2683
2684 /*
2685 * if remote has no port # (in case of initiator - from ACQUIRE msg)
2686 * - if remote.conf specifies port #, use that
2687 * - if remote.conf does not, use 500
2688 * if remote has port # (in case of responder - from recvfrom(2))
2689 * respect content of "remote".
2690 */
2691 switch (iph1->remote->sa_family) {
2692 case AF_INET:
2693 port = &((struct sockaddr_in *)iph1->remote)->sin_port;
2694 if (*port)
2695 break;
2696 *port = ((struct sockaddr_in *)rmconf->remote)->sin_port;
2697 if (*port)
2698 break;
2699 *port = htons(PORT_ISAKMP);
2700 break;
2701 #ifdef INET6
2702 case AF_INET6:
2703 port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port;
2704 if (*port)
2705 break;
2706 *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
2707 if (*port)
2708 break;
2709 *port = htons(PORT_ISAKMP);
2710 break;
2711 #endif
2712 default:
2713 plog(LLV_ERROR, LOCATION, NULL,
2714 "invalid family: %d\n", iph1->remote->sa_family);
2715 return -1;
2716 }
2717
2718 if (local == NULL)
2719 iph1->local = getlocaladdr(iph1->remote);
2720 else
2721 iph1->local = dupsaddr(local);
2722 if (iph1->local == NULL) {
2723 delph1(iph1);
2724 return -1;
2725 }
2726 switch (iph1->local->sa_family) {
2727 case AF_INET:
2728 ((struct sockaddr_in *)iph1->local)->sin_port
2729 = getmyaddrsport(iph1->local);
2730 break;
2731 #ifdef INET6
2732 case AF_INET6:
2733 ((struct sockaddr_in6 *)iph1->local)->sin6_port
2734 = getmyaddrsport(iph1->local);
2735 break;
2736 #endif
2737 default:
2738 plog(LLV_ERROR, LOCATION, NULL,
2739 "invalid family: %d\n", iph1->remote->sa_family);
2740 delph1(iph1);
2741 return -1;
2742 }
2743
2744 return 0;
2745 }
2746
2747 static int
2748 nostate1(iph1, msg)
2749 struct ph1handle *iph1;
2750 vchar_t *msg;
2751 {
2752 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2753 iph1->status);
2754 return -1;
2755 }
2756
2757 static int
2758 nostate2(iph2, msg)
2759 struct ph2handle *iph2;
2760 vchar_t *msg;
2761 {
2762 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2763 iph2->status);
2764 return -1;
2765 }
2766
2767 void
2768 log_ph1established(iph1)
2769 const struct ph1handle *iph1;
2770 {
2771 char *src, *dst;
2772
2773 src = strdup(saddr2str(iph1->local));
2774 dst = strdup(saddr2str(iph1->remote));
2775 plog(LLV_INFO, LOCATION, NULL,
2776 "ISAKMP-SA established %s-%s spi:%s\n",
2777 src, dst,
2778 isakmp_pindex(&iph1->index, 0));
2779 racoon_free(src);
2780 racoon_free(dst);
2781
2782 return;
2783 }
2784
mirror of network_cmds