1 /* $KAME: isakmp_quick.c,v 1.93 2002/05/07 17:47:55 sakane Exp $ */
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/socket.h>
36 #include <netkey/key_var.h>
37 #include <netinet/in.h>
43 #if TIME_WITH_SYS_TIME
44 # include <sys/time.h>
48 # include <sys/time.h>
54 #ifdef IPV6_INRIA_VERSION
55 #include <netinet/ipsec.h>
57 #include <netinet6/ipsec.h>
67 #include "localconf.h"
68 #include "remoteconf.h"
69 #include "isakmp_var.h"
71 #include "isakmp_inf.h"
72 #include "isakmp_quick.h"
75 #include "ipsec_doi.h"
76 #include "crypto_openssl.h"
79 #include "algorithm.h"
87 static vchar_t
*quick_ir1mx
__P((struct ph2handle
*, vchar_t
*, vchar_t
*));
88 static int get_sainfo_r
__P((struct ph2handle
*));
89 static int get_proposal_r
__P((struct ph2handle
*));
90 static u_int32_t setscopeid
__P((struct sockaddr
*, struct sockaddr
*));
96 * begin Quick Mode as initiator. send pfkey getspi message to kernel.
99 quick_i1prep(iph2
, msg
)
100 struct ph2handle
*iph2
;
101 vchar_t
*msg
; /* must be null pointer */
103 int error
= ISAKMP_INTERNAL_ERROR
;
106 if (iph2
->status
!= PHASE2ST_STATUS2
) {
107 plog(LLV_ERROR
, LOCATION
, NULL
,
108 "status mismatched %d.\n", iph2
->status
);
112 iph2
->msgid
= isakmp_newmsgid2(iph2
->ph1
);
113 iph2
->ivm
= oakley_newiv2(iph2
->ph1
, iph2
->msgid
);
114 if (iph2
->ivm
== NULL
)
117 iph2
->status
= PHASE2ST_GETSPISENT
;
119 /* don't anything if local test mode. */
125 /* send getspi message */
126 if (pk_sendgetspi(iph2
) < 0)
129 plog(LLV_DEBUG
, LOCATION
, NULL
, "pfkey getspi sent.\n");
131 iph2
->sce
= sched_new(lcconf
->wait_ph2complete
,
132 pfkey_timeover_stub
, iph2
);
142 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ]
145 quick_i1send(iph2
, msg
)
146 struct ph2handle
*iph2
;
147 vchar_t
*msg
; /* must be null pointer */
149 vchar_t
*body
= NULL
;
150 vchar_t
*hash
= NULL
;
151 struct isakmp_gen
*gen
;
154 int error
= ISAKMP_INTERNAL_ERROR
;
155 int pfsgroup
, idci
, idcr
;
157 struct ipsecdoi_id_b
*id
, *id_p
;
161 plog(LLV_ERROR
, LOCATION
, NULL
,
162 "msg has to be NULL in this function.\n");
165 if (iph2
->status
!= PHASE2ST_GETSPIDONE
) {
166 plog(LLV_ERROR
, LOCATION
, NULL
,
167 "status mismatched %d.\n", iph2
->status
);
171 /* create SA payload for my proposal */
172 if (ipsecdoi_setph2proposal(iph2
) < 0)
175 /* generate NONCE value */
176 iph2
->nonce
= eay_set_random(iph2
->ph1
->rmconf
->nonce_size
);
177 if (iph2
->nonce
== NULL
)
181 * DH value calculation is kicked out into cfparse.y.
182 * because pfs group can not be negotiated, it's only to be checked
185 /* generate KE value if need */
186 pfsgroup
= iph2
->proposal
->pfs_group
;
188 /* DH group settting if PFS is required. */
189 if (oakley_setdhgroup(pfsgroup
, &iph2
->pfsgrp
) < 0) {
190 plog(LLV_ERROR
, LOCATION
, NULL
,
191 "failed to set DH value.\n");
194 if (oakley_dh_generate(iph2
->pfsgrp
,
195 &iph2
->dhpub
, &iph2
->dhpriv
) < 0) {
200 /* generate ID value */
201 if (ipsecdoi_setid2(iph2
) < 0) {
202 plog(LLV_ERROR
, LOCATION
, NULL
,
203 "failed to get ID.\n");
206 plog(LLV_DEBUG
, LOCATION
, NULL
, "IDci:");
207 plogdump(LLV_DEBUG
, iph2
->id
->v
, iph2
->id
->l
);
208 plog(LLV_DEBUG
, LOCATION
, NULL
, "IDcr:");
209 plogdump(LLV_DEBUG
, iph2
->id_p
->v
, iph2
->id_p
->l
);
212 * we do not attach IDci nor IDcr, under the following condition:
213 * - all proposals are transport mode
215 * - id payload suggests to encrypt all the traffic (no specific
218 id
= (struct ipsecdoi_id_b
*)iph2
->id
->v
;
219 id_p
= (struct ipsecdoi_id_b
*)iph2
->id_p
->v
;
220 if (id
->proto_id
== 0
221 && id_p
->proto_id
== 0
222 && iph2
->ph1
->rmconf
->support_mip6
== 0
223 && ipsecdoi_transportmode(iph2
)) {
228 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
229 tlen
= + sizeof(*gen
) + iph2
->sa
->l
230 + sizeof(*gen
) + iph2
->nonce
->l
;
232 tlen
+= (sizeof(*gen
) + iph2
->dhpub
->l
);
234 tlen
+= sizeof(*gen
) + iph2
->id
->l
;
236 tlen
+= sizeof(*gen
) + iph2
->id_p
->l
;
238 body
= vmalloc(tlen
);
240 plog(LLV_ERROR
, LOCATION
, NULL
,
241 "failed to get buffer to send.\n");
248 p
= set_isakmp_payload(p
, iph2
->sa
, ISAKMP_NPTYPE_NONCE
);
250 /* add NONCE payload */
252 np
= ISAKMP_NPTYPE_KE
;
253 else if (idci
|| idcr
)
254 np
= ISAKMP_NPTYPE_ID
;
256 np
= ISAKMP_NPTYPE_NONE
;
257 p
= set_isakmp_payload(p
, iph2
->nonce
, np
);
259 /* add KE payload if need. */
260 np
= (idci
|| idcr
) ? ISAKMP_NPTYPE_ID
: ISAKMP_NPTYPE_NONE
;
262 p
= set_isakmp_payload(p
, iph2
->dhpub
, np
);
265 np
= (idcr
) ? ISAKMP_NPTYPE_ID
: ISAKMP_NPTYPE_NONE
;
267 p
= set_isakmp_payload(p
, iph2
->id
, np
);
271 p
= set_isakmp_payload(p
, iph2
->id_p
, ISAKMP_NPTYPE_NONE
);
273 /* generate HASH(1) */
274 hash
= oakley_compute_hash1(iph2
->ph1
, iph2
->msgid
, body
);
278 /* send isakmp payload */
279 iph2
->sendbuf
= quick_ir1mx(iph2
, body
, hash
);
280 if (iph2
->sendbuf
== NULL
)
283 /* send the packet, add to the schedule to resend */
284 iph2
->retry_counter
= iph2
->ph1
->rmconf
->retry_counter
;
285 if (isakmp_ph2resend(iph2
) == -1)
288 /* change status of isakmp status entry */
289 iph2
->status
= PHASE2ST_MSG1SENT
;
303 * receive from responder
304 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ]
307 quick_i2recv(iph2
, msg0
)
308 struct ph2handle
*iph2
;
312 vchar_t
*hbuf
= NULL
; /* for hash computing. */
313 vchar_t
*pbuf
= NULL
; /* for payload parsing */
314 struct isakmp_parse_t
*pa
;
315 struct isakmp
*isakmp
= (struct isakmp
*)msg0
->v
;
316 struct isakmp_pl_hash
*hash
= NULL
;
320 int error
= ISAKMP_INTERNAL_ERROR
;
323 if (iph2
->status
!= PHASE2ST_MSG1SENT
) {
324 plog(LLV_ERROR
, LOCATION
, NULL
,
325 "status mismatched %d.\n", iph2
->status
);
330 if (!ISSET(((struct isakmp
*)msg0
->v
)->flags
, ISAKMP_FLAG_E
)) {
331 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
332 "Packet wasn't encrypted.\n");
335 msg
= oakley_do_decrypt(iph2
->ph1
, msg0
, iph2
->ivm
->iv
, iph2
->ivm
->ive
);
339 /* create buffer for validating HASH(2) */
342 * 1. the first one must be HASH
343 * 2. the second one must be SA (added in isakmp-oakley-05!)
344 * 3. two IDs must be considered as IDci, then IDcr
346 pbuf
= isakmp_parse(msg
);
349 pa
= (struct isakmp_parse_t
*)pbuf
->v
;
351 /* HASH payload is fixed postion */
352 if (pa
->type
!= ISAKMP_NPTYPE_HASH
) {
353 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
354 "received invalid next payload type %d, "
356 pa
->type
, ISAKMP_NPTYPE_HASH
);
359 hash
= (struct isakmp_pl_hash
*)pa
->ptr
;
363 * this restriction was introduced in isakmp-oakley-05.
364 * we do not check this for backward compatibility.
365 * TODO: command line/config file option to enable/disable this code
367 /* HASH payload is fixed postion */
368 if (pa
->type
!= ISAKMP_NPTYPE_SA
) {
369 plog(LLV_WARNING
, LOCATION
, iph2
->ph1
->remote
,
370 "received invalid next payload type %d, "
372 pa
->type
, ISAKMP_NPTYPE_HASH
);
375 /* allocate buffer for computing HASH(2) */
376 tlen
= iph2
->nonce
->l
377 + ntohl(isakmp
->len
) - sizeof(*isakmp
);
378 hbuf
= vmalloc(tlen
);
380 plog(LLV_ERROR
, LOCATION
, NULL
,
381 "failed to get hash buffer.\n");
384 p
= hbuf
->v
+ iph2
->nonce
->l
; /* retain the space for Ni_b */
387 * parse the payloads.
388 * copy non-HASH payloads into hbuf, so that we can validate HASH.
391 f_id
= 0; /* flag to use checking ID */
392 tlen
= 0; /* count payload length except of HASH payload. */
393 for (; pa
->type
; pa
++) {
395 /* copy to buffer for HASH */
396 /* Don't modify the payload */
397 memcpy(p
, pa
->ptr
, pa
->len
);
400 case ISAKMP_NPTYPE_SA
:
401 if (iph2
->sa_ret
!= NULL
) {
402 plog(LLV_ERROR
, LOCATION
, NULL
,
403 "Ignored, multiple SA "
404 "isn't supported.\n");
407 if (isakmp_p2ph(&iph2
->sa_ret
, pa
->ptr
) < 0)
411 case ISAKMP_NPTYPE_NONCE
:
412 if (isakmp_p2ph(&iph2
->nonce_p
, pa
->ptr
) < 0)
416 case ISAKMP_NPTYPE_KE
:
417 if (isakmp_p2ph(&iph2
->dhpub_p
, pa
->ptr
) < 0)
421 case ISAKMP_NPTYPE_ID
:
435 if (memcmp(vp
->v
, (caddr_t
)pa
->ptr
+ sizeof(struct isakmp_gen
), vp
->l
)) {
437 plog(LLV_ERROR
, LOCATION
, NULL
,
438 "mismatched ID was returned.\n");
439 error
= ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED
;
445 case ISAKMP_NPTYPE_N
:
446 isakmp_check_notify(pa
->ptr
, iph2
->ph1
);
450 /* don't send information, see ident_r1recv() */
451 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
452 "ignore the packet, "
453 "received unexpecting payload type %d.\n",
460 /* compute true length of payload. */
464 /* payload existency check */
465 if (hash
== NULL
|| iph2
->sa_ret
== NULL
|| iph2
->nonce_p
== NULL
) {
466 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
467 "few isakmp message received.\n");
471 /* Fixed buffer for calculating HASH */
472 memcpy(hbuf
->v
, iph2
->nonce
->v
, iph2
->nonce
->l
);
473 plog(LLV_DEBUG
, LOCATION
, NULL
,
474 "HASH allocated:hbuf->l=%d actual:tlen=%d\n",
475 hbuf
->l
, tlen
+ iph2
->nonce
->l
);
476 /* adjust buffer length for HASH */
477 hbuf
->l
= iph2
->nonce
->l
+ tlen
;
479 /* validate HASH(2) */
482 vchar_t
*my_hash
= NULL
;
485 r_hash
= (char *)hash
+ sizeof(*hash
);
487 plog(LLV_DEBUG
, LOCATION
, NULL
, "HASH(2) received:");
488 plogdump(LLV_DEBUG
, r_hash
, ntohs(hash
->h
.len
) - sizeof(*hash
));
490 my_hash
= oakley_compute_hash1(iph2
->ph1
, iph2
->msgid
, hbuf
);
494 result
= memcmp(my_hash
->v
, r_hash
, my_hash
->l
);
498 plog(LLV_DEBUG
, LOCATION
, iph2
->ph1
->remote
,
499 "HASH(2) mismatch.\n");
500 error
= ISAKMP_NTYPE_INVALID_HASH_INFORMATION
;
505 /* validity check SA payload sent from responder */
506 if (ipsecdoi_checkph2proposal(iph2
) < 0) {
507 error
= ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN
;
511 /* change status of isakmp status entry */
512 iph2
->status
= PHASE2ST_STATUS6
;
525 VPTRINIT(iph2
->sa_ret
);
526 VPTRINIT(iph2
->nonce_p
);
527 VPTRINIT(iph2
->dhpub_p
);
529 VPTRINIT(iph2
->id_p
);
540 quick_i2send(iph2
, msg0
)
541 struct ph2handle
*iph2
;
546 vchar_t
*hash
= NULL
;
549 int error
= ISAKMP_INTERNAL_ERROR
;
552 if (iph2
->status
!= PHASE2ST_STATUS6
) {
553 plog(LLV_ERROR
, LOCATION
, NULL
,
554 "status mismatched %d.\n", iph2
->status
);
558 /* generate HASH(3) */
562 plog(LLV_DEBUG
, LOCATION
, NULL
, "HASH(3) generate\n");
564 tmp
= vmalloc(iph2
->nonce
->l
+ iph2
->nonce_p
->l
);
566 plog(LLV_ERROR
, LOCATION
, NULL
,
567 "failed to get hash buffer.\n");
570 memcpy(tmp
->v
, iph2
->nonce
->v
, iph2
->nonce
->l
);
571 memcpy(tmp
->v
+ iph2
->nonce
->l
, iph2
->nonce_p
->v
, iph2
->nonce_p
->l
);
573 hash
= oakley_compute_hash3(iph2
->ph1
, iph2
->msgid
, tmp
);
580 /* create buffer for isakmp payload */
581 tlen
= sizeof(struct isakmp
)
582 + sizeof(struct isakmp_gen
) + hash
->l
;
585 plog(LLV_ERROR
, LOCATION
, NULL
,
586 "failed to get buffer to send.\n");
590 /* create isakmp header */
591 p
= set_isakmp_header2(buf
, iph2
, ISAKMP_NPTYPE_HASH
);
595 /* add HASH(3) payload */
596 p
= set_isakmp_payload(p
, hash
, ISAKMP_NPTYPE_NONE
);
598 #ifdef HAVE_PRINT_ISAKMP_C
599 isakmp_printpacket(buf
, iph2
->ph1
->local
, iph2
->ph1
->remote
, 1);
603 iph2
->sendbuf
= oakley_do_encrypt(iph2
->ph1
, buf
, iph2
->ivm
->ive
, iph2
->ivm
->iv
);
604 if (iph2
->sendbuf
== NULL
)
607 /* if there is commit bit, need resending */
608 if (ISSET(iph2
->flags
, ISAKMP_FLAG_C
)) {
609 /* send the packet, add to the schedule to resend */
610 iph2
->retry_counter
= iph2
->ph1
->rmconf
->retry_counter
;
611 if (isakmp_ph2resend(iph2
) == -1)
614 /* send the packet */
615 if (isakmp_send(iph2
->ph1
, iph2
->sendbuf
) < 0)
619 /* the sending message is added to the received-list. */
620 if (add_recvdpkt(iph2
->ph1
->remote
, iph2
->ph1
->local
,
621 iph2
->sendbuf
, msg0
) == -1) {
622 plog(LLV_ERROR
, LOCATION
, NULL
,
623 "failed to add a response packet to the tree.\n");
627 /* compute both of KEYMATs */
628 if (oakley_compute_keymat(iph2
, INITIATOR
) < 0)
631 iph2
->status
= PHASE2ST_ADDSA
;
633 /* don't anything if local test mode. */
639 /* if there is commit bit don't set up SA now. */
640 if (ISSET(iph2
->flags
, ISAKMP_FLAG_C
)) {
641 iph2
->status
= PHASE2ST_COMMIT
;
646 /* Do UPDATE for initiator */
647 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pk_sendupdate\n");
648 if (pk_sendupdate(iph2
) < 0) {
649 plog(LLV_ERROR
, LOCATION
, NULL
, "pfkey update failed.\n");
652 plog(LLV_DEBUG
, LOCATION
, NULL
, "pfkey update sent.\n");
654 /* Do ADD for responder */
655 if (pk_sendadd(iph2
) < 0) {
656 plog(LLV_ERROR
, LOCATION
, NULL
, "pfkey add failed.\n");
659 plog(LLV_DEBUG
, LOCATION
, NULL
, "pfkey add sent.\n");
675 * receive from responder
676 * HDR#*, HASH(4), notify
679 quick_i3recv(iph2
, msg0
)
680 struct ph2handle
*iph2
;
684 vchar_t
*pbuf
= NULL
; /* for payload parsing */
685 struct isakmp_parse_t
*pa
;
686 struct isakmp_pl_hash
*hash
= NULL
;
687 vchar_t
*notify
= NULL
;
688 int error
= ISAKMP_INTERNAL_ERROR
;
691 if (iph2
->status
!= PHASE2ST_COMMIT
) {
692 plog(LLV_ERROR
, LOCATION
, NULL
,
693 "status mismatched %d.\n", iph2
->status
);
698 if (!ISSET(((struct isakmp
*)msg0
->v
)->flags
, ISAKMP_FLAG_E
)) {
699 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
700 "Packet wasn't encrypted.\n");
703 msg
= oakley_do_decrypt(iph2
->ph1
, msg0
, iph2
->ivm
->iv
, iph2
->ivm
->ive
);
707 /* validate the type of next payload */
708 pbuf
= isakmp_parse(msg
);
712 for (pa
= (struct isakmp_parse_t
*)pbuf
->v
;
713 pa
->type
!= ISAKMP_NPTYPE_NONE
;
717 case ISAKMP_NPTYPE_HASH
:
718 hash
= (struct isakmp_pl_hash
*)pa
->ptr
;
720 case ISAKMP_NPTYPE_N
:
721 isakmp_check_notify(pa
->ptr
, iph2
->ph1
);
722 notify
= vmalloc(pa
->len
);
723 if (notify
== NULL
) {
724 plog(LLV_ERROR
, LOCATION
, NULL
,
725 "failed to get notify buffer.\n");
728 memcpy(notify
->v
, pa
->ptr
, notify
->l
);
731 /* don't send information, see ident_r1recv() */
732 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
733 "ignore the packet, "
734 "received unexpecting payload type %d.\n",
740 /* payload existency check */
742 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
743 "few isakmp message received.\n");
747 /* validate HASH(4) */
750 vchar_t
*my_hash
= NULL
;
754 r_hash
= (char *)hash
+ sizeof(*hash
);
756 plog(LLV_DEBUG
, LOCATION
, NULL
, "HASH(4) validate:");
757 plogdump(LLV_DEBUG
, r_hash
, ntohs(hash
->h
.len
) - sizeof(*hash
));
759 my_hash
= oakley_compute_hash1(iph2
->ph1
, iph2
->msgid
, notify
);
764 result
= memcmp(my_hash
->v
, r_hash
, my_hash
->l
);
768 plog(LLV_DEBUG
, LOCATION
, iph2
->ph1
->remote
,
769 "HASH(4) mismatch.\n");
770 error
= ISAKMP_NTYPE_INVALID_HASH_INFORMATION
;
775 iph2
->status
= PHASE2ST_ADDSA
;
776 iph2
->flags
^= ISAKMP_FLAG_C
; /* reset bit */
778 /* don't anything if local test mode. */
784 /* Do UPDATE for initiator */
785 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pk_sendupdate\n");
786 if (pk_sendupdate(iph2
) < 0) {
787 plog(LLV_ERROR
, LOCATION
, NULL
, "pfkey update failed.\n");
790 plog(LLV_DEBUG
, LOCATION
, NULL
, "pfkey update sent.\n");
792 /* Do ADD for responder */
793 if (pk_sendadd(iph2
) < 0) {
794 plog(LLV_ERROR
, LOCATION
, NULL
, "pfkey add failed.\n");
797 plog(LLV_DEBUG
, LOCATION
, NULL
, "pfkey add sent.\n");
813 * receive from initiator
814 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ]
817 quick_r1recv(iph2
, msg0
)
818 struct ph2handle
*iph2
;
822 vchar_t
*hbuf
= NULL
; /* for hash computing. */
823 vchar_t
*pbuf
= NULL
; /* for payload parsing */
824 struct isakmp_parse_t
*pa
;
825 struct isakmp
*isakmp
= (struct isakmp
*)msg0
->v
;
826 struct isakmp_pl_hash
*hash
= NULL
;
829 int f_id_order
; /* for ID payload detection */
830 int error
= ISAKMP_INTERNAL_ERROR
;
833 if (iph2
->status
!= PHASE2ST_START
) {
834 plog(LLV_ERROR
, LOCATION
, NULL
,
835 "status mismatched %d.\n", iph2
->status
);
840 if (!ISSET(((struct isakmp
*)msg0
->v
)->flags
, ISAKMP_FLAG_E
)) {
841 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
842 "Packet wasn't encrypted.\n");
843 error
= ISAKMP_NTYPE_PAYLOAD_MALFORMED
;
847 msg
= oakley_do_decrypt(iph2
->ph1
, msg0
, iph2
->ivm
->iv
, iph2
->ivm
->ive
);
851 /* create buffer for using to validate HASH(1) */
854 * 1. the first one must be HASH
855 * 2. the second one must be SA (added in isakmp-oakley-05!)
856 * 3. two IDs must be considered as IDci, then IDcr
858 pbuf
= isakmp_parse(msg
);
861 pa
= (struct isakmp_parse_t
*)pbuf
->v
;
863 /* HASH payload is fixed postion */
864 if (pa
->type
!= ISAKMP_NPTYPE_HASH
) {
865 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
866 "received invalid next payload type %d, "
868 pa
->type
, ISAKMP_NPTYPE_HASH
);
869 error
= ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX
;
872 hash
= (struct isakmp_pl_hash
*)pa
->ptr
;
876 * this restriction was introduced in isakmp-oakley-05.
877 * we do not check this for backward compatibility.
878 * TODO: command line/config file option to enable/disable this code
880 /* HASH payload is fixed postion */
881 if (pa
->type
!= ISAKMP_NPTYPE_SA
) {
882 plog(LLV_WARNING
, LOCATION
, iph2
->ph1
->remote
,
883 "received invalid next payload type %d, "
885 pa
->type
, ISAKMP_NPTYPE_HASH
);
886 error
= ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX
;
889 /* allocate buffer for computing HASH(1) */
890 tlen
= ntohl(isakmp
->len
) - sizeof(*isakmp
);
891 hbuf
= vmalloc(tlen
);
893 plog(LLV_ERROR
, LOCATION
, NULL
,
894 "failed to get hash buffer.\n");
900 * parse the payloads.
901 * copy non-HASH payloads into hbuf, so that we can validate HASH.
903 iph2
->sa
= NULL
; /* we don't support multi SAs. */
904 iph2
->nonce_p
= NULL
;
905 iph2
->dhpub_p
= NULL
;
908 tlen
= 0; /* count payload length except of HASH payload. */
911 * IDi2 MUST be immediatelly followed by IDr2. We allowed the
912 * illegal case, but logged. First ID payload is to be IDi2.
913 * And next ID payload is to be IDr2.
917 for (; pa
->type
; pa
++) {
919 /* copy to buffer for HASH */
920 /* Don't modify the payload */
921 memcpy(p
, pa
->ptr
, pa
->len
);
923 if (pa
->type
!= ISAKMP_NPTYPE_ID
)
927 case ISAKMP_NPTYPE_SA
:
928 if (iph2
->sa
!= NULL
) {
929 plog(LLV_ERROR
, LOCATION
, NULL
,
930 "Multi SAs isn't supported.\n");
933 if (isakmp_p2ph(&iph2
->sa
, pa
->ptr
) < 0)
937 case ISAKMP_NPTYPE_NONCE
:
938 if (isakmp_p2ph(&iph2
->nonce_p
, pa
->ptr
) < 0)
942 case ISAKMP_NPTYPE_KE
:
943 if (isakmp_p2ph(&iph2
->dhpub_p
, pa
->ptr
) < 0)
947 case ISAKMP_NPTYPE_ID
:
948 if (iph2
->id_p
== NULL
) {
952 if (isakmp_p2ph(&iph2
->id_p
, pa
->ptr
) < 0)
955 } else if (iph2
->id
== NULL
) {
957 if (f_id_order
== 0) {
958 plog(LLV_ERROR
, LOCATION
, NULL
,
959 "IDr2 payload is not "
960 "immediatelly followed "
961 "by IDi2. We allowed.\n");
962 /* XXX we allowed in this case. */
965 if (isakmp_p2ph(&iph2
->id
, pa
->ptr
) < 0)
968 plog(LLV_ERROR
, LOCATION
, NULL
,
969 "received too many ID payloads.\n");
970 plogdump(LLV_ERROR
, iph2
->id
->v
, iph2
->id
->l
);
971 error
= ISAKMP_NTYPE_INVALID_ID_INFORMATION
;
976 case ISAKMP_NPTYPE_N
:
977 isakmp_check_notify(pa
->ptr
, iph2
->ph1
);
981 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
982 "ignore the packet, "
983 "received unexpecting payload type %d.\n",
985 error
= ISAKMP_NTYPE_PAYLOAD_MALFORMED
;
991 /* compute true length of payload. */
995 /* payload existency check */
996 if (hash
== NULL
|| iph2
->sa
== NULL
|| iph2
->nonce_p
== NULL
) {
997 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
998 "few isakmp message received.\n");
999 error
= ISAKMP_NTYPE_PAYLOAD_MALFORMED
;
1004 plog(LLV_DEBUG
, LOCATION
, NULL
, "received IDci2:");
1005 plogdump(LLV_DEBUG
, iph2
->id_p
->v
, iph2
->id_p
->l
);
1008 plog(LLV_DEBUG
, LOCATION
, NULL
, "received IDcr2:");
1009 plogdump(LLV_DEBUG
, iph2
->id
->v
, iph2
->id
->l
);
1012 /* adjust buffer length for HASH */
1015 /* validate HASH(1) */
1018 vchar_t
*my_hash
= NULL
;
1021 r_hash
= (caddr_t
)hash
+ sizeof(*hash
);
1023 plog(LLV_DEBUG
, LOCATION
, NULL
, "HASH(1) validate:");
1024 plogdump(LLV_DEBUG
, r_hash
, ntohs(hash
->h
.len
) - sizeof(*hash
));
1026 my_hash
= oakley_compute_hash1(iph2
->ph1
, iph2
->msgid
, hbuf
);
1027 if (my_hash
== NULL
)
1030 result
= memcmp(my_hash
->v
, r_hash
, my_hash
->l
);
1034 plog(LLV_DEBUG
, LOCATION
, iph2
->ph1
->remote
,
1035 "HASH(1) mismatch.\n");
1036 error
= ISAKMP_NTYPE_INVALID_HASH_INFORMATION
;
1042 error
= get_sainfo_r(iph2
);
1044 plog(LLV_ERROR
, LOCATION
, NULL
,
1045 "failed to get sainfo.\n");
1049 /* check the existence of ID payload and create responder's proposal */
1050 error
= get_proposal_r(iph2
);
1053 /* generate a policy template from peer's proposal */
1054 if (set_proposal_from_proposal(iph2
)) {
1055 plog(LLV_ERROR
, LOCATION
, NULL
,
1056 "failed to generate a proposal template "
1057 "from client's proposal.\n");
1058 return ISAKMP_INTERNAL_ERROR
;
1062 /* select single proposal or reject it. */
1063 if (ipsecdoi_selectph2proposal(iph2
) < 0) {
1064 error
= ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN
;
1069 plog(LLV_ERROR
, LOCATION
, NULL
,
1070 "failed to get proposal for responder.\n");
1074 /* check KE and attribute of PFS */
1075 if (iph2
->dhpub_p
!= NULL
&& iph2
->approval
->pfs_group
== 0) {
1076 plog(LLV_ERROR
, LOCATION
, NULL
,
1077 "no PFS is specified, but peer sends KE.\n");
1078 error
= ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN
;
1081 if (iph2
->dhpub_p
== NULL
&& iph2
->approval
->pfs_group
!= 0) {
1082 plog(LLV_ERROR
, LOCATION
, NULL
,
1083 "PFS is specified, but peer doesn't sends KE.\n");
1084 error
= ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN
;
1089 * save the packet from the initiator in order to resend the
1090 * responder's first packet against this packet.
1092 iph2
->msg1
= vdup(msg0
);
1094 /* change status of isakmp status entry */
1095 iph2
->status
= PHASE2ST_STATUS2
;
1109 VPTRINIT(iph2
->nonce_p
);
1110 VPTRINIT(iph2
->dhpub_p
);
1112 VPTRINIT(iph2
->id_p
);
1119 * call pfkey_getspi.
1122 quick_r1prep(iph2
, msg
)
1123 struct ph2handle
*iph2
;
1126 int error
= ISAKMP_INTERNAL_ERROR
;
1128 /* validity check */
1129 if (iph2
->status
!= PHASE2ST_STATUS2
) {
1130 plog(LLV_ERROR
, LOCATION
, NULL
,
1131 "status mismatched %d.\n", iph2
->status
);
1135 iph2
->status
= PHASE2ST_GETSPISENT
;
1137 /* send getspi message */
1138 if (pk_sendgetspi(iph2
) < 0)
1141 plog(LLV_DEBUG
, LOCATION
, NULL
, "pfkey getspi sent.\n");
1143 iph2
->sce
= sched_new(lcconf
->wait_ph2complete
,
1144 pfkey_timeover_stub
, iph2
);
1154 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ]
1157 quick_r2send(iph2
, msg
)
1158 struct ph2handle
*iph2
;
1161 vchar_t
*body
= NULL
;
1162 vchar_t
*hash
= NULL
;
1163 struct isakmp_gen
*gen
;
1166 int error
= ISAKMP_INTERNAL_ERROR
;
1168 u_int8_t
*np_p
= NULL
;
1170 /* validity check */
1172 plog(LLV_ERROR
, LOCATION
, NULL
,
1173 "msg has to be NULL in this function.\n");
1176 if (iph2
->status
!= PHASE2ST_GETSPIDONE
) {
1177 plog(LLV_ERROR
, LOCATION
, NULL
,
1178 "status mismatched %d.\n", iph2
->status
);
1182 /* update responders SPI */
1183 if (ipsecdoi_updatespi(iph2
) < 0) {
1184 plog(LLV_ERROR
, LOCATION
, NULL
, "failed to update spi.\n");
1188 /* generate NONCE value */
1189 iph2
->nonce
= eay_set_random(iph2
->ph1
->rmconf
->nonce_size
);
1190 if (iph2
->nonce
== NULL
)
1193 /* generate KE value if need */
1194 pfsgroup
= iph2
->approval
->pfs_group
;
1195 if (iph2
->dhpub_p
!= NULL
&& pfsgroup
!= 0) {
1196 /* DH group settting if PFS is required. */
1197 if (oakley_setdhgroup(pfsgroup
, &iph2
->pfsgrp
) < 0) {
1198 plog(LLV_ERROR
, LOCATION
, NULL
,
1199 "failed to set DH value.\n");
1202 /* generate DH public value */
1203 if (oakley_dh_generate(iph2
->pfsgrp
,
1204 &iph2
->dhpub
, &iph2
->dhpriv
) < 0) {
1209 /* create SA;NONCE payload, and KE and ID if need */
1210 tlen
= sizeof(*gen
) + iph2
->sa_ret
->l
1211 + sizeof(*gen
) + iph2
->nonce
->l
;
1212 if (iph2
->dhpub_p
!= NULL
&& pfsgroup
!= 0)
1213 tlen
+= (sizeof(*gen
) + iph2
->dhpub
->l
);
1214 if (iph2
->id_p
!= NULL
)
1215 tlen
+= (sizeof(*gen
) + iph2
->id_p
->l
1216 + sizeof(*gen
) + iph2
->id
->l
);
1218 body
= vmalloc(tlen
);
1220 plog(LLV_ERROR
, LOCATION
, NULL
,
1221 "failed to get buffer to send.\n");
1226 /* make SA payload */
1227 p
= set_isakmp_payload(body
->v
, iph2
->sa_ret
, ISAKMP_NPTYPE_NONCE
);
1229 /* add NONCE payload */
1230 np_p
= &((struct isakmp_gen
*)p
)->np
; /* XXX */
1231 p
= set_isakmp_payload(p
, iph2
->nonce
,
1232 (iph2
->dhpub_p
!= NULL
&& pfsgroup
!= 0)
1234 : (iph2
->id_p
!= NULL
1236 : ISAKMP_NPTYPE_NONE
));
1238 /* add KE payload if need. */
1239 if (iph2
->dhpub_p
!= NULL
&& pfsgroup
!= 0) {
1240 np_p
= &((struct isakmp_gen
*)p
)->np
; /* XXX */
1241 p
= set_isakmp_payload(p
, iph2
->dhpub
,
1242 (iph2
->id_p
== NULL
)
1243 ? ISAKMP_NPTYPE_NONE
1244 : ISAKMP_NPTYPE_ID
);
1247 /* add ID payloads received. */
1248 if (iph2
->id_p
!= NULL
) {
1250 p
= set_isakmp_payload(p
, iph2
->id_p
, ISAKMP_NPTYPE_ID
);
1252 np_p
= &((struct isakmp_gen
*)p
)->np
; /* XXX */
1253 p
= set_isakmp_payload(p
, iph2
->id
, ISAKMP_NPTYPE_NONE
);
1256 /* add a RESPONDER-LIFETIME notify payload if needed */
1258 vchar_t
*data
= NULL
;
1259 struct saprop
*pp
= iph2
->approval
;
1262 if (pp
->claim
& IPSECDOI_ATTR_SA_LD_TYPE_SEC
) {
1263 u_int32_t v
= htonl((u_int32_t
)pp
->lifetime
);
1264 data
= isakmp_add_attr_l(data
, IPSECDOI_ATTR_SA_LD_TYPE
,
1265 IPSECDOI_ATTR_SA_LD_TYPE_SEC
);
1268 data
= isakmp_add_attr_v(data
, IPSECDOI_ATTR_SA_LD
,
1269 (caddr_t
)&v
, sizeof(v
));
1273 if (pp
->claim
& IPSECDOI_ATTR_SA_LD_TYPE_KB
) {
1274 u_int32_t v
= htonl((u_int32_t
)pp
->lifebyte
);
1275 data
= isakmp_add_attr_l(data
, IPSECDOI_ATTR_SA_LD_TYPE
,
1276 IPSECDOI_ATTR_SA_LD_TYPE_KB
);
1279 data
= isakmp_add_attr_v(data
, IPSECDOI_ATTR_SA_LD
,
1280 (caddr_t
)&v
, sizeof(v
));
1286 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1287 * in the case of SA bundle ?
1290 for (pr
= pp
->head
; pr
; pr
= pr
->next
) {
1291 body
= isakmp_add_pl_n(body
, &np_p
,
1292 ISAKMP_NTYPE_RESPONDER_LIFETIME
, pr
, data
);
1295 return error
; /* XXX */
1302 /* generate HASH(2) */
1306 tmp
= vmalloc(iph2
->nonce_p
->l
+ body
->l
);
1308 plog(LLV_ERROR
, LOCATION
, NULL
,
1309 "failed to get hash buffer.\n");
1312 memcpy(tmp
->v
, iph2
->nonce_p
->v
, iph2
->nonce_p
->l
);
1313 memcpy(tmp
->v
+ iph2
->nonce_p
->l
, body
->v
, body
->l
);
1315 hash
= oakley_compute_hash1(iph2
->ph1
, iph2
->msgid
, tmp
);
1322 /* send isakmp payload */
1323 iph2
->sendbuf
= quick_ir1mx(iph2
, body
, hash
);
1324 if (iph2
->sendbuf
== NULL
)
1327 /* send the packet, add to the schedule to resend */
1328 iph2
->retry_counter
= iph2
->ph1
->rmconf
->retry_counter
;
1329 if (isakmp_ph2resend(iph2
) == -1)
1332 /* the sending message is added to the received-list. */
1333 if (add_recvdpkt(iph2
->ph1
->remote
, iph2
->ph1
->local
, iph2
->sendbuf
, iph2
->msg1
) == -1) {
1334 plog(LLV_ERROR
, LOCATION
, NULL
,
1335 "failed to add a response packet to the tree.\n");
1339 /* change status of isakmp status entry */
1340 iph2
->status
= PHASE2ST_MSG1SENT
;
1354 * receive from initiator
1358 quick_r3recv(iph2
, msg0
)
1359 struct ph2handle
*iph2
;
1362 vchar_t
*msg
= NULL
;
1363 vchar_t
*pbuf
= NULL
; /* for payload parsing */
1364 struct isakmp_parse_t
*pa
;
1365 struct isakmp_pl_hash
*hash
= NULL
;
1366 int error
= ISAKMP_INTERNAL_ERROR
;
1368 /* validity check */
1369 if (iph2
->status
!= PHASE2ST_MSG1SENT
) {
1370 plog(LLV_ERROR
, LOCATION
, NULL
,
1371 "status mismatched %d.\n", iph2
->status
);
1375 /* decrypt packet */
1376 if (!ISSET(((struct isakmp
*)msg0
->v
)->flags
, ISAKMP_FLAG_E
)) {
1377 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
1378 "Packet wasn't encrypted.\n");
1381 msg
= oakley_do_decrypt(iph2
->ph1
, msg0
, iph2
->ivm
->iv
, iph2
->ivm
->ive
);
1385 /* validate the type of next payload */
1386 pbuf
= isakmp_parse(msg
);
1390 for (pa
= (struct isakmp_parse_t
*)pbuf
->v
;
1391 pa
->type
!= ISAKMP_NPTYPE_NONE
;
1395 case ISAKMP_NPTYPE_HASH
:
1396 hash
= (struct isakmp_pl_hash
*)pa
->ptr
;
1398 case ISAKMP_NPTYPE_N
:
1399 isakmp_check_notify(pa
->ptr
, iph2
->ph1
);
1402 /* don't send information, see ident_r1recv() */
1403 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
1404 "ignore the packet, "
1405 "received unexpecting payload type %d.\n",
1411 /* payload existency check */
1413 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
1414 "few isakmp message received.\n");
1418 /* validate HASH(3) */
1419 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1422 vchar_t
*my_hash
= NULL
;
1423 vchar_t
*tmp
= NULL
;
1426 r_hash
= (char *)hash
+ sizeof(*hash
);
1428 plog(LLV_DEBUG
, LOCATION
, NULL
, "HASH(3) validate:");
1429 plogdump(LLV_DEBUG
, r_hash
, ntohs(hash
->h
.len
) - sizeof(*hash
));
1431 tmp
= vmalloc(iph2
->nonce_p
->l
+ iph2
->nonce
->l
);
1433 plog(LLV_ERROR
, LOCATION
, NULL
,
1434 "failed to get hash buffer.\n");
1437 memcpy(tmp
->v
, iph2
->nonce_p
->v
, iph2
->nonce_p
->l
);
1438 memcpy(tmp
->v
+ iph2
->nonce_p
->l
, iph2
->nonce
->v
, iph2
->nonce
->l
);
1440 my_hash
= oakley_compute_hash3(iph2
->ph1
, iph2
->msgid
, tmp
);
1442 if (my_hash
== NULL
)
1445 result
= memcmp(my_hash
->v
, r_hash
, my_hash
->l
);
1449 plog(LLV_ERROR
, LOCATION
, iph2
->ph1
->remote
,
1450 "HASH(3) mismatch.\n");
1451 error
= ISAKMP_NTYPE_INVALID_HASH_INFORMATION
;
1456 /* if there is commit bit, don't set up SA now. */
1457 if (ISSET(iph2
->flags
, ISAKMP_FLAG_C
)) {
1458 iph2
->status
= PHASE2ST_COMMIT
;
1460 iph2
->status
= PHASE2ST_STATUS6
;
/*
 * quick_r3send: responder's third Quick Mode message, used only when the
 * commit bit is set on the exchange.
 *
 * HDR#*, HASH(4), notify
 *
 * Builds a CONNECTED notify carrying the SPI of the first approved SA,
 * computes HASH(4) over it (oakley_compute_hash1 keyed by the phase 1
 * state and the message id), wraps both in an ISAKMP header, encrypts the
 * result with the phase 2 IV and sends it.  The sent buffer is kept in
 * iph2->sendbuf and registered with add_recvdpkt.
 *
 * Requires iph2->status == PHASE2ST_COMMIT and leaves it at PHASE2ST_COMMIT.
 *
 * This listing omits several original lines (marked below); the `tlen' and
 * `p' declarations, the msg0 declaration, the error exits and the closing
 * cleanup path are among them, so the error handling is not fully visible.
 */
quick_r3send(iph2, msg0)
	struct ph2handle *iph2;
	/* [listing gap: original lines 1480-1481 not shown] */
	vchar_t *buf = NULL;
	vchar_t *myhash = NULL;
	struct isakmp_pl_n *n;
	vchar_t *notify = NULL;
	/* [listing gap: original lines 1486-1487 not shown] */
	int error = ISAKMP_INTERNAL_ERROR;
	/* [listing gap: original line 1489 not shown] */

	/* validity check: HASH(4) is only ever sent from the COMMIT state. */
	if (iph2->status != PHASE2ST_COMMIT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph2->status);
		/* [listing gap: original lines 1494-1496 not shown] */

	/* generate HASH(4) */
	/* XXX What can I do in the case of multiple different SA */
	plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");

	/* XXX What should I do if there are multiple SAs ? */
	/* Notify payload: fixed header followed by the SPI of the first SA only. */
	tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
	notify = vmalloc(tlen);
	if (notify == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get notify buffer.\n");
		/* [listing gap: original lines 1507-1508 not shown] */
	n = (struct isakmp_pl_n *)notify->v;
	n->h.np = ISAKMP_NPTYPE_NONE;
	n->h.len = htons(tlen);
	/* [listing gap: original line 1512 not shown] */
	n->proto_id = iph2->approval->head->proto_id;
	/*
	 * NOTE(review): this stores sizeof() of the `spisize' field itself,
	 * not the SPI length, whereas the memcpy two lines below copies
	 * iph2->approval->head->spisize bytes of SPI.  The advertised spi_size
	 * and the SPI bytes actually carried can therefore disagree; the
	 * intended value looks like `n->spi_size = iph2->approval->head->spisize;'
	 * -- confirm against the SPI sizes in use before changing it.
	 */
	n->spi_size = sizeof(iph2->approval->head->spisize);
	n->type = htons(ISAKMP_NTYPE_CONNECTED);
	memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);

	/* HASH(4) covers the notify; keyed from the phase 1 state and msgid. */
	myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
	/* [listing gap: original lines 1519-1521 not shown] */

	/* create buffer for isakmp payload */
	tlen = sizeof(struct isakmp)
		+ sizeof(struct isakmp_gen) + myhash->l
		/* [listing gap: original line 1525 not shown] */
	buf = vmalloc(tlen);
	/* [listing gap: original line 1527 not shown] */
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get buffer to send.\n");
	/* [listing gap: original lines 1530-1532 not shown] */

	/* create isakmp header; the first payload is the hash. */
	p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
	/* [listing gap: original lines 1535-1537 not shown] */

	/* add HASH(4) payload; its next-payload field points at the notify. */
	p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);

	/* add notify payload (copied verbatim after the hash payload). */
	memcpy(p, notify->v, notify->l);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
	/* [listing gap: original lines 1546-1548 not shown] */

	/* encrypt the whole message with the phase 2 IV; keep it on the handle. */
	iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
	if (iph2->sendbuf == NULL)
	/* [listing gap: original lines 1551-1552 not shown] */

	/* send the packet */
	if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
	/* [listing gap: original lines 1555-1556 not shown] */

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
	/* [listing gap: original lines 1561-1563 not shown] */

	iph2->status = PHASE2ST_COMMIT;
	/* [listing gap: the function continues past original line 1564; remainder not shown] */
/*
 * quick_r3prep: responder's final Quick Mode step.  Derives both KEYMATs,
 * installs the SAs through PF_KEY (UPDATE for the inbound half, ADD for
 * the outbound half) and, when the policy was generated from the peer's
 * proposal (iph2->spidx_gen), installs the inbound and outbound SPD
 * entries as well.
 *
 * Requires iph2->status == PHASE2ST_STATUS6 and moves it to PHASE2ST_ADDSA.
 *
 * This listing omits several original lines (marked below); the function's
 * header comment, the msg0 and `pref' declarations, the error exits and the
 * return path are among them, so not every branch is visible here.
 */
quick_r3prep(iph2, msg0)
	struct ph2handle *iph2;
	/* [listing gap: original lines 1585-1586 not shown] */
	vchar_t *msg = NULL;
	int error = ISAKMP_INTERNAL_ERROR;

	/* validity check */
	if (iph2->status != PHASE2ST_STATUS6) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph2->status);
		/* [listing gap: original lines 1594-1596 not shown] */

	/* compute both of KEYMATs (inbound and outbound), as the responder. */
	if (oakley_compute_keymat(iph2, RESPONDER) < 0)
	/* [listing gap: original lines 1599-1600 not shown] */

	iph2->status = PHASE2ST_ADDSA;
	/*
	 * NOTE(review): `^=' toggles the commit bit rather than clearing it.
	 * PHASE2ST_STATUS6 is also reached on the non-commit path (the HASH(3)
	 * handler earlier in this listing sets STATUS6 directly when
	 * ISAKMP_FLAG_C is *not* set), and on that path this line would set the
	 * bit instead of resetting it.  An unconditional clear would be
	 * `iph2->flags &= ~ISAKMP_FLAG_C;' -- confirm the intended semantics.
	 */
	iph2->flags ^= ISAKMP_FLAG_C;	/* reset bit */

	/* don't do anything in local test mode. */
	/* [listing gap: original lines 1605-1609 not shown] */

	/* Do UPDATE as responder */
	plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
	if (pk_sendupdate(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
		/* [listing gap: original lines 1614-1615 not shown] */
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");

	/* Do ADD for responder */
	if (pk_sendadd(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
		/* [listing gap: original lines 1621-1622 not shown] */
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
	/* [listing gap: original lines 1624-1625 not shown] */

	/*
	 * set policies into SPD if the policy is generated
	 * from peer's policy.
	 *
	 * NOTE(review): spidx_gen is the SP index built from the peer's ID
	 * payloads in get_proposal_r's gen_policy branch, so the SPD entries
	 * installed below are chosen by the peer.  This path is only reached
	 * when the remote configuration enables gen_policy.
	 */
	if (iph2->spidx_gen) {

		struct policyindex *spidx;
		struct sockaddr_storage addr;

		struct sockaddr *src = iph2->src;
		struct sockaddr *dst = iph2->dst;

		/* make inbound policy */
		/* [listing gap: original lines 1638-1639 not shown] */
		if (pk_sendspdupdate2(iph2) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"pfkey spdupdate2(inbound) failed.\n");
			/* [listing gap: original lines 1643-1644 not shown] */
		plog(LLV_DEBUG, LOCATION, NULL,
			"pfkey spdupdate2(inbound) sent.\n");

		/* make outbound policy */
		/* [listing gap: original lines 1649-1650 not shown] */
		spidx = (struct policyindex *)iph2->spidx_gen;
		spidx->dir = IPSEC_DIR_OUTBOUND;
		/* [listing gap: original line 1653 not shown] */
		/*
		 * Reuse the inbound index for the outbound direction: the visible
		 * line copies dst into src; the other half of the endpoint swap
		 * (presumably via `addr') is in the lines not shown -- confirm.
		 */
		spidx->src = spidx->dst;
		/* [listing gap: original line 1655 not shown] */
		/* swap the prefix lengths to match the swapped endpoints. */
		pref = spidx->prefs;
		spidx->prefs = spidx->prefd;
		spidx->prefd = pref;

		if (pk_sendspdupdate2(iph2) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"pfkey spdupdate2(outbound) failed.\n");
			/* [listing gap: original lines 1663-1664 not shown] */
		plog(LLV_DEBUG, LOCATION, NULL,
			"pfkey spdupdate2(outbound) sent.\n");

		/* spidx_gen is unnecessary any more */
		delsp_bothdir((struct policyindex *)iph2->spidx_gen);
		racoon_free(iph2->spidx_gen);
		iph2->spidx_gen = NULL;
	/* [listing gap: the function continues past original line 1671; remainder not shown] */
/*
 * quick_ir1mx: create HASH, body (SA, NONCE) payload with isakmp header.
 *
 * Lays out `hash' as the first payload (type HASH, next payload SA),
 * appends `body' verbatim, forces the encryption flag on the handle and
 * encrypts the message with the phase 2 IV.  The encrypted message is
 * placed in `new'; what is returned, and how `buf' is released on error,
 * is in original lines not shown in this listing (gaps marked below).
 *
 * `tlen' and `p' are declared in lines not shown here.
 */
quick_ir1mx(iph2, body, hash)
	struct ph2handle *iph2;
	vchar_t *body, *hash;
	/* [listing gap: original line 1690 not shown] */
	struct isakmp *isakmp;
	/* NOTE(style): `new' is a C++ keyword; avoid it in shared headers. */
	vchar_t *buf = NULL, *new = NULL;
	/* [listing gap: original lines 1693-1694 not shown] */
	struct isakmp_gen *gen;
	int error = ISAKMP_INTERNAL_ERROR;

	/* create buffer for isakmp payload: header + hash payload + body. */
	tlen = sizeof(*isakmp)
		+ sizeof(*gen) + hash->l
		/* [listing gap: original line 1701 not shown] */
	buf = vmalloc(tlen);
	/* [listing gap: original line 1703 not shown] */
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get buffer to send.\n");
	/* [listing gap: original lines 1706-1708 not shown] */

	/* re-set encryption flag, for security: Quick Mode is always encrypted. */
	iph2->flags |= ISAKMP_FLAG_E;

	/* set isakmp header */
	p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
	/* [listing gap: original lines 1714-1716 not shown] */

	/* add HASH payload */
	/* XXX is next type always SA ? */
	/* The caller's body is assumed to start with an SA payload -- confirm. */
	p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);

	/* add body payload */
	memcpy(p, body->v, body->l);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
	/* [listing gap: original lines 1726-1728 not shown] */

	/* encrypt with the phase 2 IV; the plaintext in `buf' is no longer needed. */
	new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
	/* [listing gap: original lines 1730-1739 not shown] */

	/* error cleanup for the plaintext buffer (body of the block not shown). */
	if (error && buf != NULL) {
	/* [listing gap: the function continues past original line 1740; remainder not shown] */
/*
 * get remote's sainfo.
 * NOTE: this function is for responder.
 *
 * Selects iph2->sainfo by looking up (idsrc, iddst) with getsainfo().
 * When the exchange carried ID payloads the IDs are copied from them
 * (iph2->id for the source side, iph2->id_p for the destination side);
 * otherwise they are synthesised from the phase 2 addresses iph2->src /
 * iph2->dst with a full-length prefix.
 *
 * NOTE(review): the source branch tests iph2->id_p while the destination
 * branch tests iph2->id.  That is only equivalent because get_proposal_r
 * rejects exchanges where exactly one of the two IDs is present -- keep
 * that invariant in mind if either function changes.  Since the IDs come
 * from the peer's payloads, the selected sainfo is effectively chosen by
 * the peer's claimed identities.
 *
 * The function's signature (original lines 1751-1753), the `prefixlen'
 * declaration and the error/cleanup path are not shown in this listing.
 */
	struct ph2handle *iph2;

	vchar_t *idsrc = NULL, *iddst = NULL;
	/* [listing gap: original line 1757 not shown] */
	int error = ISAKMP_INTERNAL_ERROR;

	/* source ID: from the phase 2 source address unless IDs were received. */
	if (iph2->id_p == NULL) {
		switch (iph2->src->sa_family) {
		/* [listing gap: original line 1762 not shown] */
			prefixlen = sizeof(struct in_addr) << 3;
		/* [listing gap: original lines 1764-1765 not shown] */
			prefixlen = sizeof(struct in6_addr) << 3;
		/* [listing gap: original lines 1767-1768 not shown] */
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid family: %d\n", iph2->src->sa_family);
		/* [listing gap: original lines 1771-1772 not shown] */
		idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
		/* [listing gap: original lines 1774-1775 not shown] */
		idsrc = vdup(iph2->id);
	/* [listing gap: original line 1777 not shown] */
	if (idsrc == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to set ID for source.\n");
		/* [listing gap: original lines 1781-1783 not shown] */

	/* destination ID: from the phase 2 destination address unless IDs were received. */
	if (iph2->id == NULL) {
		switch (iph2->dst->sa_family) {
		/* [listing gap: original line 1786 not shown] */
			prefixlen = sizeof(struct in_addr) << 3;
		/* [listing gap: original lines 1788-1789 not shown] */
			prefixlen = sizeof(struct in6_addr) << 3;
		/* [listing gap: original lines 1791-1792 not shown] */
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid family: %d\n", iph2->dst->sa_family);
		/* [listing gap: original lines 1795-1796 not shown] */
		iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen,
		/* [listing gap: original lines 1798-1799 not shown] */
		iddst = vdup(iph2->id_p);
	/* [listing gap: original line 1801 not shown] */
	if (iddst == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to set ID for destination.\n");
		/* [listing gap: original lines 1805-1807 not shown] */

	/* look the pair up in the configured sainfo table. */
	iph2->sainfo = getsainfo(idsrc, iddst);
	if (iph2->sainfo == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get sainfo.\n");
		/* [listing gap: original lines 1812-1814 not shown] */
	plog(LLV_DEBUG, LOCATION, NULL,
		"get sa info: %s\n", sainfo2str(iph2->sainfo));
	/* [listing gap: the function continues past original line 1816; remainder not shown] */
/*
 * get_proposal_r:
 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
 * are IP address and same address family.
 * Then get remote's policy from SPD copied from kernel.
 * If the type of ID payload is address or subnet type, then the index is
 * made from the payload. If there is no ID payload, or the type of ID
 * payload is NOT address type, then the index is made from the address
 * pair of the phase 1 exchange (see below).
 *
 * NOTE: This function is only for responder.
 *
 * Returns ISAKMP_NTYPE_INVALID_ID_INFORMATION when only one ID payload was
 * received, ISAKMP_INTERNAL_ERROR on lookup/allocation failure, and the
 * special value -2 when no inbound policy exists but the remote config has
 * gen_policy set; in that case the search key is saved in iph2->spidx_gen
 * for later installation.  The success return is in lines not shown here.
 *
 * Security note: the SPD search key is built from the peer's ID payloads
 * whenever they are of address/subnet type, so the peer selects which
 * inbound policy entry is matched.  The match is rejected unless that
 * entry's policy is IPSEC_POLICY_IPSEC; the outbound entry is looked up
 * but not checked (as the original comment states).  With gen_policy the
 * peer-supplied key becomes a new policy, which widens what a peer can
 * install -- enable it only for peers that are meant to drive policy.
 *
 * Several original lines are omitted from this listing (marked below).
 */
get_proposal_r(iph2)
	struct ph2handle *iph2;

	struct policyindex spidx;
	struct secpolicy *sp_in, *sp_out;
	int idi2type = 0;	/* switch whether copy IDs into id[src,dst]. */
	int error = ISAKMP_INTERNAL_ERROR;

	/* check the existence of ID payload: both or neither must be present. */
	if ((iph2->id_p != NULL && iph2->id == NULL)
	 || (iph2->id_p == NULL && iph2->id != NULL)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Both IDs wasn't found in payload.\n");
		return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
	/* [listing gap: original lines 1853-1854 not shown] */

	/* make sure if id[src,dst] is null. */
	if (iph2->src_id || iph2->dst_id) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Why do ID[src,dst] exist already.\n");
		return ISAKMP_INTERNAL_ERROR;
	/* [listing gap: original lines 1860-1861 not shown] */

	memset(&spidx, 0, sizeof(spidx));

	/*
	 * ID payload type accessor.
	 * NOTE(style): identifiers starting with `_' + uppercase are reserved
	 * for the implementation; a name such as XIDT would be safer.
	 * NOTE(review): reads the fixed ID header out of d->v; assumes the
	 * payload parser already checked that the buffer is at least
	 * sizeof(struct ipsecdoi_id_b) long -- confirm.
	 */
#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type

	/* make a spidx; a key to search SPD */
	spidx.dir = IPSEC_DIR_INBOUND;
	/* [listing gap: original lines 1868-1870 not shown] */

	/*
	 * make destination address in spidx from either ID payload
	 * or phase 1 address into a address in spidx.
	 */
	if (iph2->id != NULL
	 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
		/* get a destination address of a policy */
		error = ipsecdoi_id2sockaddr(iph2->id,
				(struct sockaddr *)&spidx.dst,
				&spidx.prefd, &spidx.ul_proto);
		/* [listing gap: original lines 1883-1887 not shown; presumably the error check] */

		/*
		 * get scopeid from the SA address.
		 * note that the phase 1 source address is used as
		 * a destination address to search for a inbound policy entry
		 * because racoon is responder.
		 */
		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
			error = setscopeid((struct sockaddr *)&spidx.dst,
			/* [listing gap: original lines 1895-1900 not shown] */

		/* remember the type so the source side can be compared against it. */
		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
		 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
			idi2type = _XIDT(iph2->id);
		/* [listing gap: original lines 1904-1906 not shown] */

		plog(LLV_DEBUG, LOCATION, NULL,
			"get a destination address of SP index "
			"from phase1 address "
			"due to no ID payloads found "
			"OR because ID type is not address.\n");
		/* [listing gap: original lines 1912-1913 not shown] */

		/*
		 * copy the SOURCE address of IKE into the DESTINATION address
		 * of the key to search the SPD because the direction of policy
		 * is inbound.
		 */
		/* [listing gap: original lines 1916-1917 not shown] */
		memcpy(&spidx.dst, iph2->src, iph2->src->sa_len);
		switch (spidx.dst.ss_family) {
		/* [listing gap: original line 1920 not shown] */
			spidx.prefd = sizeof(struct in_addr) << 3;
		/* [listing gap: original lines 1922-1924 not shown] */
			spidx.prefd = sizeof(struct in6_addr) << 3;
		/* [listing gap: original lines 1926-1933 not shown] */

	/* make source address in spidx */
	if (iph2->id_p != NULL
	 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
		/* get a source address of inbound SA */
		error = ipsecdoi_id2sockaddr(iph2->id_p,
				(struct sockaddr *)&spidx.src,
				&spidx.prefs, &spidx.ul_proto);
		/* [listing gap: original lines 1944-1948 not shown; presumably the error check] */

		/*
		 * get scopeid from the SA address.
		 * for more detail, see above of this function.
		 */
		if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
			error = setscopeid((struct sockaddr *)&spidx.src,
			/* [listing gap: original lines 1954-1959 not shown] */

		/* make id[src,dst] if both ID types are IP address and same */
		/* idi2type stays 0 unless iph2->id was a plain address, so this also requires that. */
		if (_XIDT(iph2->id_p) == idi2type
		 && spidx.dst.ss_family == spidx.src.ss_family) {
			iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst);
			iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src);
		/* [listing gap: original lines 1965-1967 not shown] */

		plog(LLV_DEBUG, LOCATION, NULL,
			"get a source address of SP index "
			"from phase1 address "
			"due to no ID payloads found "
			"OR because ID type is not address.\n");

		/* see above comment. */
		memcpy(&spidx.src, iph2->dst, iph2->dst->sa_len);
		switch (spidx.src.ss_family) {
		/* [listing gap: original line 1977 not shown] */
			spidx.prefs = sizeof(struct in_addr) << 3;
		/* [listing gap: original lines 1979-1981 not shown] */
			spidx.prefs = sizeof(struct in6_addr) << 3;
		/* [listing gap: original lines 1983-1992 not shown] */

	plog(LLV_DEBUG, LOCATION, NULL,
		"get a src address from ID payload "
		"%s prefixlen=%u ul_proto=%u\n",
		saddr2str((struct sockaddr *)&spidx.src),
		spidx.prefs, spidx.ul_proto);
	plog(LLV_DEBUG, LOCATION, NULL,
		"get dst address from ID payload "
		"%s prefixlen=%u ul_proto=%u\n",
		saddr2str((struct sockaddr *)&spidx.dst),
		spidx.prefd, spidx.ul_proto);

	/*
	 * convert the ul_proto if it is 0
	 * because 0 in ID payload means a wild card.
	 */
	if (spidx.ul_proto == 0)
		spidx.ul_proto = IPSEC_ULPROTO_ANY;

	/* get inbound policy */
	sp_in = getsp_r(&spidx);
	if (sp_in == NULL) {
		/* no SPD entry: optionally generate one from the peer-derived key. */
		if (iph2->ph1->rmconf->gen_policy) {
			plog(LLV_INFO, LOCATION, NULL,
			/* [listing gap: original line 2016 not shown] */
				"try to generate the policy : %s\n",
			/* [listing gap: original line 2018 not shown] */
			iph2->spidx_gen = racoon_malloc(sizeof(spidx));
			if (!iph2->spidx_gen) {
				plog(LLV_ERROR, LOCATION, NULL,
					"buffer allocation failed.\n");
				return ISAKMP_INTERNAL_ERROR;
			/* [listing gap: original line 2024 not shown] */
			memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
			return -2;	/* special value */
		/* [listing gap: original line 2027 not shown] */
		plog(LLV_ERROR, LOCATION, NULL,
			"no policy found: %s\n", spidx2str(&spidx));
		return ISAKMP_INTERNAL_ERROR;
	/* [listing gap: original lines 2031-2032 not shown] */

	/* get outbound policy */
	/* [listing gap: original line 2034 not shown] */
		struct sockaddr_storage addr;
		/* [listing gap: original lines 2036-2037 not shown] */
		spidx.dir = IPSEC_DIR_OUTBOUND;
		/* [listing gap: original line 2039 not shown] */
		/* swap endpoints for the outbound lookup (other half of the swap not shown). */
		spidx.src = spidx.dst;
		/* [listing gap: original lines 2041-2042 not shown] */
		spidx.prefs = spidx.prefd;
		/* [listing gap: original lines 2044-2045 not shown] */
		sp_out = getsp_r(&spidx);
		/* [listing gap: original line 2047 not shown] */
			plog(LLV_WARNING, LOCATION, NULL,
				"no outbound policy found: %s\n",
			/* [listing gap: original lines 2050-2053 not shown] */

	plog(LLV_DEBUG, LOCATION, NULL,
		"suitable SP found:%s\n", spidx2str(&spidx));

	/*
	 * In the responder side, the inbound policy should be using IPsec.
	 * outbound policy is not checked currently.
	 */
	if (sp_in->policy != IPSEC_POLICY_IPSEC) {
		plog(LLV_ERROR, LOCATION, NULL,
			"policy found, but no IPsec required: %s\n",
		/* [listing gap: original line 2064 not shown] */
		return ISAKMP_INTERNAL_ERROR;
	/* [listing gap: original lines 2066-2067 not shown] */

	/* set new proposal derived from a policy into the iph2->proposal. */
	if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to create saprop.\n");
		return ISAKMP_INTERNAL_ERROR;
	/* [listing gap: the function continues past original line 2072; remainder not shown] */
/*
 * setscopeid: copy the IPv6 scope id of the IKE address (sa_addr0) into
 * the SPD key address (sp_addr0) when the latter is link-local, site-local
 * or multicast, i.e. when it needs a scope to be meaningful.
 *
 * sa_addr0 must be AF_INET6 and link-local; other cases are logged as
 * errors (the corresponding return statements are in lines not shown).
 *
 * NOTE(review): sp_addr0 is cast to sockaddr_in6 and its sin6_addr read
 * before any family check on it.  The callers in get_proposal_r only call
 * this for IPSECDOI_ID_IPV6_ADDR IDs, so the family is established there;
 * keep that precondition if new callers are added.
 *
 * The listing ends before this function's return.
 */
setscopeid(sp_addr0, sa_addr0)
	struct sockaddr *sp_addr0, *sa_addr0;

	struct sockaddr_in6 *sp_addr, *sa_addr;

	sp_addr = (struct sockaddr_in6 *)sp_addr0;
	sa_addr = (struct sockaddr_in6 *)sa_addr0;

	/* globally scoped addresses need no scope id (early exit not shown). */
	if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
	 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
	 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
	/* [listing gap: original lines 2091-2092 not shown] */

	/* this check should not be here ? */
	if (sa_addr->sin6_family != AF_INET6) {
		plog(LLV_ERROR, LOCATION, NULL,
			"can't get scope ID: family mismatch\n");
		/* [listing gap: original lines 2097-2099 not shown] */

	/* only a link-local IKE address carries a usable scope id here. */
	if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"scope ID is not supported except of lladdr.\n");
		/* [listing gap: original lines 2103-2105 not shown] */

	sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;
	/* [listing gap: the function continues past original line 2106; remainder not shown] */