1 /* $NetBSD: isakmp.c,v 1.20.6.13 2008/09/25 09:34:39 vanhu Exp $ */ 2 3 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <netinet/in.h> 42 #include <arpa/inet.h> 43 44 #include PATH_IPSEC_H 45 46 #include <stdlib.h> 47 #include <stdio.h> 48 #include <string.h> 49 #include <errno.h> 50 #if TIME_WITH_SYS_TIME 51 # include <sys/time.h> 52 # include <time.h> 53 #else 54 # if HAVE_SYS_TIME_H 55 # include <sys/time.h> 56 # else 57 # include <time.h> 58 # endif 59 #endif 60 #include <netdb.h> 61 #ifdef HAVE_UNISTD_H 62 #include <unistd.h> 63 #endif 64 #include <ctype.h> 65 #ifdef ENABLE_HYBRID 66 #include <resolv.h> 67 #endif 68 69 #include "var.h" 70 #include "misc.h" 71 #include "vmbuf.h" 72 #include "plog.h" 73 #include "sockmisc.h" 74 #include "schedule.h" 75 #include "debug.h" 76 77 #include "remoteconf.h" 78 #include "localconf.h" 79 #include "grabmyaddr.h" 80 #include "admin.h" 81 #include "privsep.h" 82 #include "isakmp_var.h" 83 #include "isakmp.h" 84 #include "oakley.h" 85 #include "evt.h" 86 #include "handler.h" 87 #include "ipsec_doi.h" 88 #include "pfkey.h" 89 #include "crypto_openssl.h" 90 #include "policy.h" 91 #include "isakmp_ident.h" 92 #include "isakmp_agg.h" 93 #include "isakmp_base.h" 94 #include "isakmp_quick.h" 95 #include "isakmp_inf.h" 96 #include "isakmp_newg.h" 97 #ifdef ENABLE_HYBRID 98 #include "vendorid.h" 99 #include "isakmp_xauth.h" 100 #include "isakmp_unity.h" 101 #include "isakmp_cfg.h" 102 #endif 103 #ifdef ENABLE_FRAG 104 #include "isakmp_frag.h" 105 #endif 106 #include "strnames.h" 107 108 #include <fcntl.h> 109 110 #ifdef ENABLE_NATT 111 # include "nattraversal.h" 112 #endif 113 # ifdef __linux__ 114 # include <linux/udp.h> 115 # include <linux/ip.h> 116 # ifndef SOL_UDP 117 # define SOL_UDP 17 118 # endif 119 #if defined(__ANDROID__) 120 #include <netinet/udp.h> 121 #endif 122 # endif /* __linux__ */ 123 # if defined(__NetBSD__) || defined(__FreeBSD__) || \ 124 (defined(__APPLE__) && defined(__MACH__)) 125 # include <netinet/in.h> 126 # include <netinet/udp.h> 127 # include <netinet/in_systm.h> 128 # include <netinet/ip.h> 129 # define SOL_UDP IPPROTO_UDP 130 # endif /* __NetBSD__ / __FreeBSD__ */ 131 132 #ifdef ANDROID_CHANGES 133 #include "NetdClient.h" 134 #endif 135 136 static int nostate1 __P((struct ph1handle *, vchar_t *)); 137 static int nostate2 __P((struct ph2handle *, vchar_t *)); 138 139 extern caddr_t val2str(const char *, size_t); 140 141 static int (*ph1exchange[][2][PHASE1ST_MAX]) 142 __P((struct ph1handle *, vchar_t *)) = { 143 /* error */ 144 { {}, {}, }, 145 /* Identity Protection exchange */ 146 { 147 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send, 148 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, }, 149 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send, 150 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, }, 151 }, 152 /* Aggressive exchange */ 153 { 154 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send, 155 nostate1, nostate1, nostate1, nostate1, nostate1, }, 156 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send, 157 nostate1, nostate1, nostate1, nostate1, nostate1, }, 158 }, 159 /* Base exchange */ 160 { 161 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send, 162 base_i3recv, base_i3send, nostate1, nostate1, nostate1, }, 163 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send, 164 nostate1, nostate1, nostate1, nostate1, nostate1, }, 165 }, 166 }; 167 168 static int (*ph2exchange[][2][PHASE2ST_MAX]) 169 __P((struct ph2handle *, vchar_t *)) = { 170 /* error */ 171 { {}, {}, }, 172 /* Quick mode for IKE */ 173 { 174 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send, 175 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, }, 176 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send, 177 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, } 178 }, 179 }; 180 181 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ 182 183 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); 184 static int ph1_main __P((struct ph1handle *, vchar_t *)); 185 static int quick_main __P((struct ph2handle *, vchar_t *)); 186 static int isakmp_ph1begin_r __P((vchar_t *, 187 struct sockaddr *, struct sockaddr *, u_int8_t)); 188 static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *)); 189 static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *)); 190 static int etypesw1 __P((int)); 191 static int etypesw2 __P((int)); 192 #ifdef ENABLE_FRAG 193 static int frag_handler(struct ph1handle *, 194 vchar_t *, struct sockaddr *, struct sockaddr *); 195 #endif 196 197 /* 198 * isakmp packet handler 199 */ 200 int 201 isakmp_handler(so_isakmp) 202 int so_isakmp; 203 { 204 struct isakmp isakmp; 205 union { 206 char buf[sizeof (isakmp) + 4]; 207 u_int32_t non_esp[2]; 208 char lbuf[sizeof(struct udphdr) + 209 #ifdef __linux 210 sizeof(struct iphdr) + 211 #else 212 sizeof(struct ip) + 213 #endif 214 sizeof(isakmp) + 4]; 215 } x; 216 struct sockaddr_storage remote; 217 struct sockaddr_storage local; 218 unsigned int remote_len = sizeof(remote); 219 unsigned int local_len = sizeof(local); 220 int len = 0, extralen = 0; 221 vchar_t *buf = NULL, *tmpbuf = NULL; 222 int error = -1, res; 223 224 /* read message by MSG_PEEK */ 225 while ((len = recvfromto(so_isakmp, x.buf, sizeof(x), 226 MSG_PEEK, (struct sockaddr *)&remote, &remote_len, 227 (struct sockaddr *)&local, &local_len)) < 0) { 228 if (errno == EINTR) 229 continue; 230 plog(LLV_ERROR, LOCATION, NULL, 231 "failed to receive isakmp packet: %s\n", 232 strerror (errno)); 233 goto end; 234 } 235 236 /* keep-alive packet - ignore */ 237 if (len == 1 && (x.buf[0]&0xff) == 0xff) { 238 /* Pull the keep-alive packet */ 239 if ((len = recvfrom(so_isakmp, (char *)x.buf, 1, 240 0, (struct sockaddr *)&remote, &remote_len)) != 1) { 241 plog(LLV_ERROR, LOCATION, NULL, 242 "failed to receive keep alive packet: %s\n", 243 strerror (errno)); 244 } 245 goto end; 246 } 247 248 /* Lucent IKE in UDP encapsulation */ 249 { 250 struct udphdr *udp; 251 #ifdef __linux__ 252 struct iphdr *ip; 253 254 udp = (struct udphdr *)&x.lbuf[0]; 255 if (ntohs(udp->dest) == 501) { 256 ip = (struct iphdr *)(x.lbuf + sizeof(*udp)); 257 extralen += sizeof(*udp) + ip->ihl; 258 } 259 #else 260 struct ip *ip; 261 262 udp = (struct udphdr *)&x.lbuf[0]; 263 if (ntohs(udp->uh_dport) == 501) { 264 ip = (struct ip *)(x.lbuf + sizeof(*udp)); 265 extralen += sizeof(*udp) + ip->ip_hl; 266 } 267 #endif 268 } 269 270 #ifdef ENABLE_NATT 271 /* we don't know about portchange yet, 272 look for non-esp marker instead */ 273 if (x.non_esp[0] == 0 && x.non_esp[1] != 0) 274 extralen = NON_ESP_MARKER_LEN; 275 #endif 276 277 /* now we know if there is an extra non-esp 278 marker at the beginning or not */ 279 memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp)); 280 281 /* check isakmp header length, as well as sanity of header length */ 282 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) { 283 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, 284 "packet shorter than isakmp header size (%u, %u, %zu)\n", 285 len, ntohl(isakmp.len), sizeof(isakmp)); 286 /* dummy receive */ 287 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 288 0, (struct sockaddr *)&remote, &remote_len)) < 0) { 289 plog(LLV_ERROR, LOCATION, NULL, 290 "failed to receive isakmp packet: %s\n", 291 strerror (errno)); 292 } 293 goto end; 294 } 295 296 /* reject it if the size is tooooo big. */ 297 if (ntohl(isakmp.len) > 0xffff) { 298 plog(LLV_ERROR, LOCATION, NULL, 299 "the length in the isakmp header is too big.\n"); 300 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 301 0, (struct sockaddr *)&remote, &remote_len)) < 0) { 302 plog(LLV_ERROR, LOCATION, NULL, 303 "failed to receive isakmp packet: %s\n", 304 strerror (errno)); 305 } 306 goto end; 307 } 308 309 /* read real message */ 310 if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) { 311 plog(LLV_ERROR, LOCATION, NULL, 312 "failed to allocate reading buffer (%u Bytes)\n", 313 ntohl(isakmp.len) + extralen); 314 /* dummy receive */ 315 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 316 0, (struct sockaddr *)&remote, &remote_len)) < 0) { 317 plog(LLV_ERROR, LOCATION, NULL, 318 "failed to receive isakmp packet: %s\n", 319 strerror (errno)); 320 } 321 goto end; 322 } 323 324 while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l, 325 0, (struct sockaddr *)&remote, &remote_len, 326 (struct sockaddr *)&local, &local_len)) < 0) { 327 if (errno == EINTR) 328 continue; 329 plog(LLV_ERROR, LOCATION, NULL, 330 "failed to receive isakmp packet: %s\n", 331 strerror (errno)); 332 goto end; 333 } 334 335 if ((buf = vmalloc(len - extralen)) == NULL) { 336 plog(LLV_ERROR, LOCATION, NULL, 337 "failed to allocate reading buffer (%u Bytes)\n", 338 (len - extralen)); 339 goto end; 340 } 341 342 memcpy (buf->v, tmpbuf->v + extralen, buf->l); 343 344 len -= extralen; 345 346 if (len != buf->l) { 347 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, 348 "received invalid length (%d != %zu), why ?\n", 349 len, buf->l); 350 goto end; 351 } 352 353 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 354 plog(LLV_DEBUG, LOCATION, NULL, 355 "%d bytes message received %s\n", 356 len, saddr2str_fromto("from %s to %s", 357 (struct sockaddr *)&remote, 358 (struct sockaddr *)&local)); 359 plogdump(LLV_DEBUG, buf->v, buf->l); 360 361 /* avoid packets with malicious port/address */ 362 if (extract_port((struct sockaddr *)&remote) == 0) { 363 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, 364 "src port == 0 (valid as UDP but not with IKE)\n"); 365 goto end; 366 } 367 368 /* XXX: check sender whether to be allowed or not to accept */ 369 370 /* XXX: I don't know how to check isakmp half connection attack. */ 371 372 /* simply reply if the packet was processed. */ 373 res=check_recvdpkt((struct sockaddr *)&remote,(struct sockaddr *)&local, buf); 374 if (res) { 375 plog(LLV_NOTIFY, LOCATION, NULL, 376 "the packet is retransmitted by %s (%d).\n", 377 saddr2str((struct sockaddr *)&remote), res); 378 error = 0; 379 goto end; 380 } 381 382 /* isakmp main routine */ 383 if (isakmp_main(buf, (struct sockaddr *)&remote, 384 (struct sockaddr *)&local) != 0) goto end; 385 386 error = 0; 387 388 end: 389 if (tmpbuf != NULL) 390 vfree(tmpbuf); 391 if (buf != NULL) 392 vfree(buf); 393 394 return(error); 395 } 396 397 /* 398 * main processing to handle isakmp payload 399 */ 400 static int 401 isakmp_main(msg, remote, local) 402 vchar_t *msg; 403 struct sockaddr *remote, *local; 404 { 405 struct isakmp *isakmp = (struct isakmp *)msg->v; 406 isakmp_index *index = (isakmp_index *)isakmp; 407 u_int32_t msgid = isakmp->msgid; 408 struct ph1handle *iph1; 409 410 #ifdef HAVE_PRINT_ISAKMP_C 411 isakmp_printpacket(msg, remote, local, 0); 412 #endif 413 414 /* the initiator's cookie must not be zero */ 415 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) { 416 plog(LLV_ERROR, LOCATION, remote, 417 "malformed cookie received.\n"); 418 return -1; 419 } 420 421 /* Check the Major and Minor Version fields. */ 422 /* 423 * XXX Is is right to check version here ? 424 * I think it may no be here because the version depends 425 * on exchange status. 426 */ 427 if (isakmp->v < ISAKMP_VERSION_NUMBER) { 428 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) { 429 plog(LLV_ERROR, LOCATION, remote, 430 "invalid major version %d.\n", 431 ISAKMP_GETMAJORV(isakmp->v)); 432 return -1; 433 } 434 #if ISAKMP_MINOR_VERSION > 0 435 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) { 436 plog(LLV_ERROR, LOCATION, remote, 437 "invalid minor version %d.\n", 438 ISAKMP_GETMINORV(isakmp->v)); 439 return -1; 440 } 441 #endif 442 } 443 444 /* check the Flags field. */ 445 /* XXX How is the exclusive check, E and A ? */ 446 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) { 447 plog(LLV_ERROR, LOCATION, remote, 448 "invalid flag 0x%02x.\n", isakmp->flags); 449 return -1; 450 } 451 452 /* ignore commit bit. */ 453 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) { 454 if (isakmp->msgid == 0) { 455 isakmp_info_send_nx(isakmp, remote, local, 456 ISAKMP_NTYPE_INVALID_FLAGS, NULL); 457 plog(LLV_ERROR, LOCATION, remote, 458 "Commit bit on phase1 forbidden.\n"); 459 return -1; 460 } 461 } 462 463 iph1 = getph1byindex(index); 464 if (iph1 != NULL) { 465 /* validity check */ 466 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 && 467 iph1->side == INITIATOR) { 468 plog(LLV_DEBUG, LOCATION, remote, 469 "malformed cookie received or " 470 "the initiator's cookies collide.\n"); 471 return -1; 472 } 473 474 #ifdef ENABLE_NATT 475 /* Floating ports for NAT-T */ 476 if (NATT_AVAILABLE(iph1) && 477 ! (iph1->natt_flags & NAT_PORTS_CHANGED) && 478 ((cmpsaddrstrict(iph1->remote, remote) != 0) || 479 (cmpsaddrstrict(iph1->local, local) != 0))) 480 { 481 /* prevent memory leak */ 482 racoon_free(iph1->remote); 483 racoon_free(iph1->local); 484 iph1->remote = NULL; 485 iph1->local = NULL; 486 487 /* copy-in new addresses */ 488 iph1->remote = dupsaddr(remote); 489 if (iph1->remote == NULL) { 490 plog(LLV_ERROR, LOCATION, iph1->remote, 491 "phase1 failed: dupsaddr failed.\n"); 492 remph1(iph1); 493 delph1(iph1); 494 return -1; 495 } 496 iph1->local = dupsaddr(local); 497 if (iph1->local == NULL) { 498 plog(LLV_ERROR, LOCATION, iph1->remote, 499 "phase1 failed: dupsaddr failed.\n"); 500 remph1(iph1); 501 delph1(iph1); 502 return -1; 503 } 504 505 /* set the flag to prevent further port floating 506 (FIXME: should we allow it? E.g. when the NAT gw 507 is rebooted?) */ 508 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; 509 510 /* print some neat info */ 511 plog (LLV_INFO, LOCATION, NULL, 512 "NAT-T: ports changed to: %s\n", 513 saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local)); 514 515 natt_keepalive_add_ph1 (iph1); 516 } 517 #endif 518 519 /* must be same addresses in one stream of a phase at least. */ 520 if (cmpsaddrstrict(iph1->remote, remote) != 0) { 521 char *saddr_db, *saddr_act; 522 523 saddr_db = racoon_strdup(saddr2str(iph1->remote)); 524 saddr_act = racoon_strdup(saddr2str(remote)); 525 STRDUP_FATAL(saddr_db); 526 STRDUP_FATAL(saddr_act); 527 528 plog(LLV_WARNING, LOCATION, remote, 529 "remote address mismatched. db=%s, act=%s\n", 530 saddr_db, saddr_act); 531 532 racoon_free(saddr_db); 533 racoon_free(saddr_act); 534 } 535 536 /* 537 * don't check of exchange type here because other type will be 538 * with same index, for example, informational exchange. 539 */ 540 541 /* XXX more acceptable check */ 542 } 543 544 switch (isakmp->etype) { 545 case ISAKMP_ETYPE_IDENT: 546 case ISAKMP_ETYPE_AGG: 547 case ISAKMP_ETYPE_BASE: 548 /* phase 1 validity check */ 549 if (isakmp->msgid != 0) { 550 plog(LLV_ERROR, LOCATION, remote, 551 "message id should be zero in phase1.\n"); 552 return -1; 553 } 554 555 /* search for isakmp status record of phase 1 */ 556 if (iph1 == NULL) { 557 /* 558 * the packet must be the 1st message from a initiator 559 * or the 2nd message from the responder. 560 */ 561 562 /* search for phase1 handle by index without r_ck */ 563 iph1 = getph1byindex0(index); 564 if (iph1 == NULL) { 565 /*it must be the 1st message from a initiator.*/ 566 if (memcmp(&isakmp->r_ck, r_ck0, 567 sizeof(cookie_t)) != 0) { 568 569 plog(LLV_DEBUG, LOCATION, remote, 570 "malformed cookie received " 571 "or the spi expired.\n"); 572 return -1; 573 } 574 575 /* it must be responder's 1st exchange. */ 576 if (isakmp_ph1begin_r(msg, remote, local, 577 isakmp->etype) < 0) 578 return -1; 579 break; 580 581 /*NOTREACHED*/ 582 } 583 584 /* it must be the 2nd message from the responder. */ 585 if (iph1->side != INITIATOR) { 586 plog(LLV_DEBUG, LOCATION, remote, 587 "malformed cookie received. " 588 "it has to be as the initiator. %s\n", 589 isakmp_pindex(&iph1->index, 0)); 590 return -1; 591 } 592 } 593 594 /* 595 * Don't delete phase 1 handler when the exchange type 596 * in handler is not equal to packet's one because of no 597 * authencication completed. 598 */ 599 if (iph1->etype != isakmp->etype) { 600 plog(LLV_ERROR, LOCATION, iph1->remote, 601 "exchange type is mismatched: " 602 "db=%s packet=%s, ignore it.\n", 603 s_isakmp_etype(iph1->etype), 604 s_isakmp_etype(isakmp->etype)); 605 return -1; 606 } 607 608 #ifdef ENABLE_FRAG 609 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 610 return frag_handler(iph1, msg, remote, local); 611 #endif 612 613 /* call main process of phase 1 */ 614 if (ph1_main(iph1, msg) < 0) { 615 plog(LLV_ERROR, LOCATION, iph1->remote, 616 "phase1 negotiation failed.\n"); 617 remph1(iph1); 618 delph1(iph1); 619 return -1; 620 } 621 break; 622 623 case ISAKMP_ETYPE_AUTH: 624 plog(LLV_INFO, LOCATION, remote, 625 "unsupported exchange %d received.\n", 626 isakmp->etype); 627 break; 628 629 case ISAKMP_ETYPE_INFO: 630 case ISAKMP_ETYPE_ACKINFO: 631 /* 632 * iph1 must be present for Information message. 633 * if iph1 is null then trying to get the phase1 status 634 * as the packet from responder againt initiator's 1st 635 * exchange in phase 1. 636 * NOTE: We think such informational exchange should be ignored. 637 */ 638 if (iph1 == NULL) { 639 iph1 = getph1byindex0(index); 640 if (iph1 == NULL) { 641 plog(LLV_ERROR, LOCATION, remote, 642 "unknown Informational " 643 "exchange received.\n"); 644 return -1; 645 } 646 if (cmpsaddrstrict(iph1->remote, remote) != 0) { 647 plog(LLV_WARNING, LOCATION, remote, 648 "remote address mismatched. " 649 "db=%s\n", 650 saddr2str(iph1->remote)); 651 } 652 } 653 654 #ifdef ENABLE_FRAG 655 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 656 return frag_handler(iph1, msg, remote, local); 657 #endif 658 659 if (isakmp_info_recv(iph1, msg) < 0) 660 return -1; 661 break; 662 663 case ISAKMP_ETYPE_QUICK: 664 { 665 struct ph2handle *iph2; 666 667 if (iph1 == NULL) { 668 isakmp_info_send_nx(isakmp, remote, local, 669 ISAKMP_NTYPE_INVALID_COOKIE, NULL); 670 plog(LLV_ERROR, LOCATION, remote, 671 "can't start the quick mode, " 672 "there is no ISAKMP-SA, %s\n", 673 isakmp_pindex((isakmp_index *)&isakmp->i_ck, 674 isakmp->msgid)); 675 return -1; 676 } 677 #ifdef ENABLE_HYBRID 678 /* Reinit the IVM if it's still there */ 679 if (iph1->mode_cfg && iph1->mode_cfg->ivm) { 680 oakley_delivm(iph1->mode_cfg->ivm); 681 iph1->mode_cfg->ivm = NULL; 682 } 683 #endif 684 #ifdef ENABLE_FRAG 685 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 686 return frag_handler(iph1, msg, remote, local); 687 #endif 688 689 /* check status of phase 1 whether negotiated or not. */ 690 if (iph1->status != PHASE1ST_ESTABLISHED) { 691 plog(LLV_ERROR, LOCATION, remote, 692 "can't start the quick mode, " 693 "there is no valid ISAKMP-SA, %s\n", 694 isakmp_pindex(&iph1->index, iph1->msgid)); 695 return -1; 696 } 697 698 /* search isakmp phase 2 stauts record. */ 699 iph2 = getph2bymsgid(iph1, msgid); 700 if (iph2 == NULL) { 701 /* it must be new negotiation as responder */ 702 if (isakmp_ph2begin_r(iph1, msg) < 0) 703 return -1; 704 return 0; 705 /*NOTREACHED*/ 706 } 707 708 /* commit bit. */ 709 /* XXX 710 * we keep to set commit bit during negotiation. 711 * When SA is configured, bit will be reset. 712 * XXX 713 * don't initiate commit bit. should be fixed in the future. 714 */ 715 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) 716 iph2->flags |= ISAKMP_FLAG_C; 717 718 /* call main process of quick mode */ 719 if (quick_main(iph2, msg) < 0) { 720 plog(LLV_ERROR, LOCATION, iph1->remote, 721 "phase2 negotiation failed.\n"); 722 unbindph12(iph2); 723 remph2(iph2); 724 delph2(iph2); 725 return -1; 726 } 727 } 728 break; 729 730 case ISAKMP_ETYPE_NEWGRP: 731 if (iph1 == NULL) { 732 plog(LLV_ERROR, LOCATION, remote, 733 "Unknown new group mode exchange, " 734 "there is no ISAKMP-SA.\n"); 735 return -1; 736 } 737 738 #ifdef ENABLE_FRAG 739 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 740 return frag_handler(iph1, msg, remote, local); 741 #endif 742 743 isakmp_newgroup_r(iph1, msg); 744 break; 745 746 #ifdef ENABLE_HYBRID 747 case ISAKMP_ETYPE_CFG: 748 if (iph1 == NULL) { 749 plog(LLV_ERROR, LOCATION, NULL, 750 "mode config %d from %s, " 751 "but we have no ISAKMP-SA.\n", 752 isakmp->etype, saddr2str(remote)); 753 return -1; 754 } 755 756 #ifdef ENABLE_FRAG 757 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 758 return frag_handler(iph1, msg, remote, local); 759 #endif 760 761 isakmp_cfg_r(iph1, msg); 762 break; 763 #endif 764 765 case ISAKMP_ETYPE_NONE: 766 default: 767 plog(LLV_ERROR, LOCATION, NULL, 768 "Invalid exchange type %d from %s.\n", 769 isakmp->etype, saddr2str(remote)); 770 return -1; 771 } 772 773 return 0; 774 } 775 776 /* 777 * main function of phase 1. 778 */ 779 static int 780 ph1_main(iph1, msg) 781 struct ph1handle *iph1; 782 vchar_t *msg; 783 { 784 int error; 785 #ifdef ENABLE_STATS 786 struct timeval start, end; 787 #endif 788 789 /* ignore a packet */ 790 if (iph1->status == PHASE1ST_ESTABLISHED) 791 return 0; 792 793 #ifdef ENABLE_STATS 794 gettimeofday(&start, NULL); 795 #endif 796 /* receive */ 797 if (ph1exchange[etypesw1(iph1->etype)] 798 [iph1->side] 799 [iph1->status] == NULL) { 800 plog(LLV_ERROR, LOCATION, iph1->remote, 801 "why isn't the function defined.\n"); 802 return -1; 803 } 804 error = (ph1exchange[etypesw1(iph1->etype)] 805 [iph1->side] 806 [iph1->status])(iph1, msg); 807 if (error != 0) { 808 809 /* XXX 810 * When an invalid packet is received on phase1, it should 811 * be selected to process this packet. That is to respond 812 * with a notify and delete phase 1 handler, OR not to respond 813 * and keep phase 1 handler. However, in PHASE1ST_START when 814 * acting as RESPONDER we must not keep phase 1 handler or else 815 * it will stay forever. 816 */ 817 818 if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) { 819 plog(LLV_ERROR, LOCATION, iph1->remote, 820 "failed to pre-process packet.\n"); 821 return -1; 822 } else { 823 /* ignore the error and keep phase 1 handler */ 824 return 0; 825 } 826 } 827 828 #ifndef ENABLE_FRAG 829 /* free resend buffer */ 830 if (iph1->sendbuf == NULL) { 831 plog(LLV_ERROR, LOCATION, NULL, 832 "no buffer found as sendbuf\n"); 833 return -1; 834 } 835 #endif 836 837 VPTRINIT(iph1->sendbuf); 838 839 /* turn off schedule */ 840 SCHED_KILL(iph1->scr); 841 842 /* send */ 843 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 844 if ((ph1exchange[etypesw1(iph1->etype)] 845 [iph1->side] 846 [iph1->status])(iph1, msg) != 0) { 847 plog(LLV_ERROR, LOCATION, iph1->remote, 848 "failed to process packet.\n"); 849 return -1; 850 } 851 852 #ifdef ENABLE_STATS 853 gettimeofday(&end, NULL); 854 syslog(LOG_NOTICE, "%s(%s): %8.6f", 855 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status), 856 timedelta(&start, &end)); 857 #endif 858 if (iph1->status == PHASE1ST_ESTABLISHED) { 859 860 #ifdef ENABLE_STATS 861 gettimeofday(&iph1->end, NULL); 862 syslog(LOG_NOTICE, "%s(%s): %8.6f", 863 "phase1", s_isakmp_etype(iph1->etype), 864 timedelta(&iph1->start, &iph1->end)); 865 #endif 866 867 /* save created date. */ 868 (void)time(&iph1->created); 869 870 /* add to the schedule to expire, and seve back pointer. */ 871 iph1->sce = sched_new(iph1->approval->lifetime, 872 isakmp_ph1expire_stub, iph1); 873 #ifdef ENABLE_HYBRID 874 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 875 switch(AUTHMETHOD(iph1)) { 876 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 877 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 878 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 879 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 880 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 881 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 882 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 883 xauth_sendreq(iph1); 884 /* XXX Don't process INITIAL_CONTACT */ 885 iph1->rmconf->ini_contact = 0; 886 break; 887 default: 888 break; 889 } 890 } 891 #endif 892 #ifdef ENABLE_DPD 893 /* Schedule the r_u_there.... */ 894 if(iph1->dpd_support && iph1->rmconf->dpd_interval) 895 isakmp_sched_r_u(iph1, 0); 896 #endif 897 898 /* INITIAL-CONTACT processing */ 899 /* don't anything if local test mode. */ 900 if (!f_local 901 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) { 902 /* send INITIAL-CONTACT */ 903 isakmp_info_send_n1(iph1, 904 ISAKMP_NTYPE_INITIAL_CONTACT, NULL); 905 /* insert a node into contacted list. */ 906 if (inscontacted(iph1->remote) == -1) { 907 plog(LLV_ERROR, LOCATION, iph1->remote, 908 "failed to add contacted list.\n"); 909 /* ignore */ 910 } 911 } 912 913 log_ph1established(iph1); 914 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 915 916 /* 917 * SA up shell script hook: do it now,except if 918 * ISAKMP mode config was requested. In the later 919 * case it is done when we receive the configuration. 920 */ 921 if ((iph1->status == PHASE1ST_ESTABLISHED) && 922 !iph1->rmconf->mode_cfg) { 923 switch (AUTHMETHOD(iph1)) { 924 #ifdef ENABLE_HYBRID 925 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 926 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 927 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 928 /* Unimplemeted... */ 929 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 930 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 931 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 932 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 933 break; 934 #endif 935 default: 936 script_hook(iph1, SCRIPT_PHASE1_UP); 937 break; 938 } 939 } 940 } 941 942 return 0; 943 } 944 945 /* 946 * main function of quick mode. 947 */ 948 static int 949 quick_main(iph2, msg) 950 struct ph2handle *iph2; 951 vchar_t *msg; 952 { 953 struct isakmp *isakmp = (struct isakmp *)msg->v; 954 int error; 955 #ifdef ENABLE_STATS 956 struct timeval start, end; 957 #endif 958 959 /* ignore a packet */ 960 if (iph2->status == PHASE2ST_ESTABLISHED 961 || iph2->status == PHASE2ST_GETSPISENT) 962 return 0; 963 964 #ifdef ENABLE_STATS 965 gettimeofday(&start, NULL); 966 #endif 967 968 /* receive */ 969 if (ph2exchange[etypesw2(isakmp->etype)] 970 [iph2->side] 971 [iph2->status] == NULL) { 972 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 973 "why isn't the function defined.\n"); 974 return -1; 975 } 976 error = (ph2exchange[etypesw2(isakmp->etype)] 977 [iph2->side] 978 [iph2->status])(iph2, msg); 979 if (error != 0) { 980 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 981 "failed to pre-process packet.\n"); 982 if (error == ISAKMP_INTERNAL_ERROR) 983 return 0; 984 isakmp_info_send_n1(iph2->ph1, error, NULL); 985 return -1; 986 } 987 988 /* when using commit bit, status will be reached here. */ 989 if (iph2->status == PHASE2ST_ADDSA) 990 return 0; 991 992 /* free resend buffer */ 993 if (iph2->sendbuf == NULL) { 994 plog(LLV_ERROR, LOCATION, NULL, 995 "no buffer found as sendbuf\n"); 996 return -1; 997 } 998 VPTRINIT(iph2->sendbuf); 999 1000 /* turn off schedule */ 1001 SCHED_KILL(iph2->scr); 1002 1003 /* send */ 1004 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1005 if ((ph2exchange[etypesw2(isakmp->etype)] 1006 [iph2->side] 1007 [iph2->status])(iph2, msg) != 0) { 1008 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1009 "failed to process packet.\n"); 1010 return -1; 1011 } 1012 1013 #ifdef ENABLE_STATS 1014 gettimeofday(&end, NULL); 1015 syslog(LOG_NOTICE, "%s(%s): %8.6f", 1016 "phase2", 1017 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), 1018 timedelta(&start, &end)); 1019 #endif 1020 1021 return 0; 1022 } 1023 1024 /* new negotiation of phase 1 for initiator */ 1025 int 1026 isakmp_ph1begin_i(rmconf, remote, local) 1027 struct remoteconf *rmconf; 1028 struct sockaddr *remote, *local; 1029 { 1030 struct ph1handle *iph1; 1031 #ifdef ENABLE_STATS 1032 struct timeval start, end; 1033 #endif 1034 1035 /* get new entry to isakmp status table. */ 1036 iph1 = newph1(); 1037 if (iph1 == NULL) 1038 return -1; 1039 1040 iph1->status = PHASE1ST_START; 1041 iph1->rmconf = rmconf; 1042 iph1->side = INITIATOR; 1043 iph1->version = ISAKMP_VERSION_NUMBER; 1044 iph1->msgid = 0; 1045 iph1->flags = 0; 1046 iph1->ph2cnt = 0; 1047 #ifdef HAVE_GSSAPI 1048 iph1->gssapi_state = NULL; 1049 #endif 1050 #ifdef ENABLE_HYBRID 1051 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { 1052 delph1(iph1); 1053 return -1; 1054 } 1055 #endif 1056 #ifdef ENABLE_FRAG 1057 1058 if(rmconf->ike_frag == ISAKMP_FRAG_FORCE) 1059 iph1->frag = 1; 1060 else 1061 iph1->frag = 0; 1062 iph1->frag_chain = NULL; 1063 #endif 1064 iph1->approval = NULL; 1065 1066 /* XXX copy remote address */ 1067 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) { 1068 delph1(iph1); 1069 return -1; 1070 } 1071 1072 (void)insph1(iph1); 1073 1074 /* start phase 1 exchange */ 1075 iph1->etype = rmconf->etypes->type; 1076 1077 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1078 { 1079 char *a; 1080 1081 a = racoon_strdup(saddr2str(iph1->local)); 1082 STRDUP_FATAL(a); 1083 1084 plog(LLV_INFO, LOCATION, NULL, 1085 "initiate new phase 1 negotiation: %s<=>%s\n", 1086 a, saddr2str(iph1->remote)); 1087 racoon_free(a); 1088 } 1089 plog(LLV_INFO, LOCATION, NULL, 1090 "begin %s mode.\n", 1091 s_isakmp_etype(iph1->etype)); 1092 1093 #ifdef ENABLE_STATS 1094 gettimeofday(&iph1->start, NULL); 1095 gettimeofday(&start, NULL); 1096 #endif 1097 /* start exchange */ 1098 if ((ph1exchange[etypesw1(iph1->etype)] 1099 [iph1->side] 1100 [iph1->status])(iph1, NULL) != 0) { 1101 /* failed to start phase 1 negotiation */ 1102 remph1(iph1); 1103 delph1(iph1); 1104 1105 return -1; 1106 } 1107 1108 #ifdef ENABLE_STATS 1109 gettimeofday(&end, NULL); 1110 syslog(LOG_NOTICE, "%s(%s): %8.6f", 1111 "phase1", 1112 s_isakmp_state(iph1->etype, iph1->side, iph1->status), 1113 timedelta(&start, &end)); 1114 #endif 1115 1116 return 0; 1117 } 1118 1119 /* new negotiation of phase 1 for responder */ 1120 static int 1121 isakmp_ph1begin_r(vchar_t *msg, struct sockaddr *remote, 1122 struct sockaddr *local, u_int8_t etype) 1123 { 1124 struct isakmp *isakmp = (struct isakmp *)msg->v; 1125 struct remoteconf *rmconf; 1126 struct ph1handle *iph1; 1127 struct etypes *etypeok; 1128 #ifdef ENABLE_STATS 1129 struct timeval start, end; 1130 #endif 1131 1132 /* look for my configuration */ 1133 rmconf = getrmconf(remote); 1134 if (rmconf == NULL) { 1135 plog(LLV_ERROR, LOCATION, remote, 1136 "couldn't find " 1137 "configuration.\n"); 1138 return -1; 1139 } 1140 1141 /* check to be acceptable exchange type */ 1142 etypeok = check_etypeok(rmconf, etype); 1143 if (etypeok == NULL) { 1144 plog(LLV_ERROR, LOCATION, remote, 1145 "not acceptable %s mode\n", s_isakmp_etype(etype)); 1146 return -1; 1147 } 1148 1149 /* get new entry to isakmp status table. */ 1150 iph1 = newph1(); 1151 if (iph1 == NULL) 1152 return -1; 1153 1154 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck)); 1155 iph1->status = PHASE1ST_START; 1156 iph1->rmconf = rmconf; 1157 iph1->flags = 0; 1158 iph1->side = RESPONDER; 1159 iph1->etype = etypeok->type; 1160 iph1->version = isakmp->v; 1161 iph1->msgid = 0; 1162 #ifdef HAVE_GSSAPI 1163 iph1->gssapi_state = NULL; 1164 #endif 1165 #ifdef ENABLE_HYBRID 1166 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { 1167 delph1(iph1); 1168 return -1; 1169 } 1170 #endif 1171 #ifdef ENABLE_FRAG 1172 iph1->frag = 0; 1173 iph1->frag_chain = NULL; 1174 #endif 1175 iph1->approval = NULL; 1176 1177 #ifdef ENABLE_NATT 1178 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port. 1179 * We have to setup this flag now to correctly generate the first reply. 1180 * Don't know if a better check could be done for that ? 1181 */ 1182 if(extract_port(local) == lcconf->port_isakmp_natt) 1183 iph1->natt_flags |= (NAT_PORTS_CHANGED); 1184 #endif 1185 1186 /* copy remote address */ 1187 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) { 1188 delph1(iph1); 1189 return -1; 1190 } 1191 (void)insph1(iph1); 1192 1193 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1194 { 1195 char *a; 1196 1197 a = racoon_strdup(saddr2str(iph1->local)); 1198 STRDUP_FATAL(a); 1199 1200 plog(LLV_INFO, LOCATION, NULL, 1201 "respond new phase 1 negotiation: %s<=>%s\n", 1202 a, saddr2str(iph1->remote)); 1203 racoon_free(a); 1204 } 1205 plog(LLV_INFO, LOCATION, NULL, 1206 "begin %s mode.\n", s_isakmp_etype(etype)); 1207 1208 #ifdef ENABLE_STATS 1209 gettimeofday(&iph1->start, NULL); 1210 gettimeofday(&start, NULL); 1211 #endif 1212 1213 #ifndef ENABLE_FRAG 1214 1215 /* start exchange */ 1216 if ((ph1exchange[etypesw1(iph1->etype)] 1217 [iph1->side] 1218 [iph1->status])(iph1, msg) < 0 1219 || (ph1exchange[etypesw1(iph1->etype)] 1220 [iph1->side] 1221 [iph1->status])(iph1, msg) < 0) { 1222 plog(LLV_ERROR, LOCATION, remote, 1223 "failed to process packet.\n"); 1224 remph1(iph1); 1225 delph1(iph1); 1226 return -1; 1227 } 1228 1229 #ifdef ENABLE_STATS 1230 gettimeofday(&end, NULL); 1231 syslog(LOG_NOTICE, "%s(%s): %8.6f", 1232 "phase1", 1233 s_isakmp_state(iph1->etype, iph1->side, iph1->status), 1234 timedelta(&start, &end)); 1235 #endif 1236 1237 return 0; 1238 1239 #else /* ENABLE_FRAG */ 1240 1241 /* now that we have a phase1 handle, feed back into our 1242 * main receive function to catch fragmented packets 1243 */ 1244 1245 return isakmp_main(msg, remote, local); 1246 1247 #endif /* ENABLE_FRAG */ 1248 1249 } 1250 1251 /* new negotiation of phase 2 for initiator */ 1252 static int 1253 isakmp_ph2begin_i(iph1, iph2) 1254 struct ph1handle *iph1; 1255 struct ph2handle *iph2; 1256 { 1257 #ifdef ENABLE_HYBRID 1258 if (xauth_check(iph1) != 0) { 1259 plog(LLV_ERROR, LOCATION, NULL, 1260 "Attempt to start phase 2 whereas Xauth failed\n"); 1261 return -1; 1262 } 1263 #endif 1264 1265 /* found ISAKMP-SA. */ 1266 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1267 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); 1268 { 1269 char *a; 1270 a = racoon_strdup(saddr2str(iph2->src)); 1271 STRDUP_FATAL(a); 1272 1273 plog(LLV_INFO, LOCATION, NULL, 1274 "initiate new phase 2 negotiation: %s<=>%s\n", 1275 a, saddr2str(iph2->dst)); 1276 racoon_free(a); 1277 } 1278 1279 #ifdef ENABLE_STATS 1280 gettimeofday(&iph2->start, NULL); 1281 #endif 1282 /* found isakmp-sa */ 1283 bindph12(iph1, iph2); 1284 iph2->status = PHASE2ST_STATUS2; 1285 1286 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] 1287 [iph2->side] 1288 [iph2->status])(iph2, NULL) < 0) { 1289 unbindph12(iph2); 1290 /* release ipsecsa handler due to internal error. */ 1291 remph2(iph2); 1292 return -1; 1293 } 1294 return 0; 1295 } 1296 1297 /* new negotiation of phase 2 for responder */ 1298 static int 1299 isakmp_ph2begin_r(iph1, msg) 1300 struct ph1handle *iph1; 1301 vchar_t *msg; 1302 { 1303 struct isakmp *isakmp = (struct isakmp *)msg->v; 1304 struct ph2handle *iph2 = 0; 1305 int error; 1306 #ifdef ENABLE_STATS 1307 struct timeval start, end; 1308 #endif 1309 #ifdef ENABLE_HYBRID 1310 if (xauth_check(iph1) != 0) { 1311 plog(LLV_ERROR, LOCATION, NULL, 1312 "Attempt to start phase 2 whereas Xauth failed\n"); 1313 return -1; 1314 } 1315 #endif 1316 1317 iph2 = newph2(); 1318 if (iph2 == NULL) { 1319 plog(LLV_ERROR, LOCATION, NULL, 1320 "failed to allocate phase2 entry.\n"); 1321 return -1; 1322 } 1323 1324 iph2->ph1 = iph1; 1325 iph2->side = RESPONDER; 1326 iph2->status = PHASE2ST_START; 1327 iph2->flags = isakmp->flags; 1328 iph2->msgid = isakmp->msgid; 1329 iph2->seq = pk_getseq(); 1330 iph2->ivm = oakley_newiv2(iph1, iph2->msgid); 1331 if (iph2->ivm == NULL) { 1332 delph2(iph2); 1333 return -1; 1334 } 1335 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */ 1336 if (iph2->dst == NULL) { 1337 delph2(iph2); 1338 return -1; 1339 } 1340 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */ 1341 if (iph2->src == NULL) { 1342 delph2(iph2); 1343 return -1; 1344 } 1345 #if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT)) 1346 if (set_port(iph2->dst, 0) == NULL || 1347 set_port(iph2->src, 0) == NULL) { 1348 plog(LLV_ERROR, LOCATION, NULL, 1349 "invalid family: %d\n", iph2->dst->sa_family); 1350 delph2(iph2); 1351 return -1; 1352 } 1353 #endif 1354 1355 /* add new entry to isakmp status table */ 1356 insph2(iph2); 1357 bindph12(iph1, iph2); 1358 1359 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1360 { 1361 char *a; 1362 1363 a = racoon_strdup(saddr2str(iph2->src)); 1364 STRDUP_FATAL(a); 1365 1366 plog(LLV_INFO, LOCATION, NULL, 1367 "respond new phase 2 negotiation: %s<=>%s\n", 1368 a, saddr2str(iph2->dst)); 1369 racoon_free(a); 1370 } 1371 1372 #ifdef ENABLE_STATS 1373 gettimeofday(&start, NULL); 1374 #endif 1375 1376 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] 1377 [iph2->side] 1378 [iph2->status])(iph2, msg); 1379 if (error != 0) { 1380 plog(LLV_ERROR, LOCATION, iph1->remote, 1381 "failed to pre-process packet.\n"); 1382 if (error != ISAKMP_INTERNAL_ERROR) 1383 isakmp_info_send_n1(iph2->ph1, error, NULL); 1384 /* 1385 * release handler because it's wrong that ph2handle is kept 1386 * after failed to check message for responder's. 1387 */ 1388 unbindph12(iph2); 1389 remph2(iph2); 1390 delph2(iph2); 1391 return -1; 1392 } 1393 1394 /* send */ 1395 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1396 if ((ph2exchange[etypesw2(isakmp->etype)] 1397 [iph2->side] 1398 [iph2->status])(iph2, msg) < 0) { 1399 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1400 "failed to process packet.\n"); 1401 /* don't release handler */ 1402 return -1; 1403 } 1404 #ifdef ENABLE_STATS 1405 gettimeofday(&end, NULL); 1406 syslog(LOG_NOTICE, "%s(%s): %8.6f", 1407 "phase2", 1408 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), 1409 timedelta(&start, &end)); 1410 #endif 1411 1412 return 0; 1413 } 1414 1415 /* 1416 * parse ISAKMP payloads, without ISAKMP base header. 1417 */ 1418 vchar_t * 1419 isakmp_parsewoh(np0, gen, len) 1420 int np0; 1421 struct isakmp_gen *gen; 1422 int len; 1423 { 1424 u_char np = np0 & 0xff; 1425 int tlen, plen; 1426 vchar_t *result; 1427 struct isakmp_parse_t *p, *ep; 1428 1429 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n"); 1430 1431 /* 1432 * 5 is a magic number, but any value larger than 2 should be fine 1433 * as we do vrealloc() in the following loop. 1434 */ 1435 result = vmalloc(sizeof(struct isakmp_parse_t) * 5); 1436 if (result == NULL) { 1437 plog(LLV_ERROR, LOCATION, NULL, 1438 "failed to get buffer.\n"); 1439 return NULL; 1440 } 1441 p = (struct isakmp_parse_t *)result->v; 1442 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep)); 1443 1444 tlen = len; 1445 1446 /* parse through general headers */ 1447 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) { 1448 if (tlen <= sizeof(struct isakmp_gen)) { 1449 /* don't send information, see isakmp_ident_r1() */ 1450 plog(LLV_ERROR, LOCATION, NULL, 1451 "invalid length of payload\n"); 1452 vfree(result); 1453 return NULL; 1454 } 1455 1456 plog(LLV_DEBUG, LOCATION, NULL, 1457 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np)); 1458 1459 p->type = np; 1460 p->len = ntohs(gen->len); 1461 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) { 1462 plog(LLV_DEBUG, LOCATION, NULL, 1463 "invalid length of payload\n"); 1464 vfree(result); 1465 return NULL; 1466 } 1467 p->ptr = gen; 1468 p++; 1469 if (ep <= p) { 1470 int off; 1471 1472 off = p - (struct isakmp_parse_t *)result->v; 1473 result = vrealloc(result, result->l * 2); 1474 if (result == NULL) { 1475 plog(LLV_DEBUG, LOCATION, NULL, 1476 "failed to realloc buffer.\n"); 1477 vfree(result); 1478 return NULL; 1479 } 1480 ep = (struct isakmp_parse_t *) 1481 (result->v + result->l - sizeof(*ep)); 1482 p = (struct isakmp_parse_t *)result->v; 1483 p += off; 1484 } 1485 1486 np = gen->np; 1487 plen = ntohs(gen->len); 1488 gen = (struct isakmp_gen *)((caddr_t)gen + plen); 1489 tlen -= plen; 1490 } 1491 p->type = ISAKMP_NPTYPE_NONE; 1492 p->len = 0; 1493 p->ptr = NULL; 1494 1495 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n"); 1496 1497 return result; 1498 } 1499 1500 /* 1501 * parse ISAKMP payloads, including ISAKMP base header. 1502 */ 1503 vchar_t * 1504 isakmp_parse(buf) 1505 vchar_t *buf; 1506 { 1507 struct isakmp *isakmp = (struct isakmp *)buf->v; 1508 struct isakmp_gen *gen; 1509 int tlen; 1510 vchar_t *result; 1511 u_char np; 1512 1513 np = isakmp->np; 1514 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp)); 1515 tlen = buf->l - sizeof(struct isakmp); 1516 result = isakmp_parsewoh(np, gen, tlen); 1517 1518 return result; 1519 } 1520 1521 /* %%% */ 1522 int 1523 isakmp_init() 1524 { 1525 /* initialize a isakmp status table */ 1526 initph1tree(); 1527 initph2tree(); 1528 initctdtree(); 1529 init_recvdpkt(); 1530 1531 if (isakmp_open() < 0) 1532 goto err; 1533 1534 return(0); 1535 1536 err: 1537 isakmp_close(); 1538 return(-1); 1539 } 1540 1541 /* 1542 * make strings containing i_cookie + r_cookie + msgid 1543 */ 1544 const char * 1545 isakmp_pindex(index, msgid) 1546 const isakmp_index *index; 1547 const u_int32_t msgid; 1548 { 1549 static char buf[64]; 1550 const u_char *p; 1551 int i, j; 1552 1553 memset(buf, 0, sizeof(buf)); 1554 1555 /* copy index */ 1556 p = (const u_char *)index; 1557 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) { 1558 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]); 1559 j += 2; 1560 switch (i) { 1561 case 7: 1562 buf[j++] = ':'; 1563 } 1564 } 1565 1566 if (msgid == 0) 1567 return buf; 1568 1569 /* copy msgid */ 1570 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid)); 1571 1572 return buf; 1573 } 1574 1575 /* open ISAKMP sockets. */ 1576 int 1577 isakmp_open() 1578 { 1579 const int yes = 1; 1580 int ifnum = 0, encap_ifnum = 0; 1581 #ifdef INET6 1582 int pktinfo; 1583 #endif 1584 struct myaddrs *p; 1585 1586 for (p = lcconf->myaddrs; p; p = p->next) { 1587 if (!p->addr) 1588 continue; 1589 1590 /* warn if wildcard address - should we forbid this? */ 1591 switch (p->addr->sa_family) { 1592 case AF_INET: 1593 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0) 1594 plog(LLV_WARNING, LOCATION, NULL, 1595 "listening to wildcard address," 1596 "broadcast IKE packet may kill you\n"); 1597 break; 1598 #ifdef INET6 1599 case AF_INET6: 1600 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr)) 1601 plog(LLV_WARNING, LOCATION, NULL, 1602 "listening to wildcard address, " 1603 "broadcast IKE packet may kill you\n"); 1604 break; 1605 #endif 1606 default: 1607 plog(LLV_ERROR, LOCATION, NULL, 1608 "unsupported address family %d\n", 1609 lcconf->default_af); 1610 goto err_and_next; 1611 } 1612 1613 #ifdef INET6 1614 if (p->addr->sa_family == AF_INET6 && 1615 IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *) 1616 p->addr)->sin6_addr)) 1617 { 1618 plog(LLV_DEBUG, LOCATION, NULL, 1619 "Ignoring multicast address %s\n", 1620 saddr2str(p->addr)); 1621 racoon_free(p->addr); 1622 p->addr = NULL; 1623 continue; 1624 } 1625 #endif 1626 1627 if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) { 1628 plog(LLV_ERROR, LOCATION, NULL, 1629 "socket (%s)\n", strerror(errno)); 1630 goto err_and_next; 1631 } 1632 #ifdef ANDROID_CHANGES 1633 protectFromVpn(p->sock); 1634 #endif 1635 1636 if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1) 1637 plog(LLV_WARNING, LOCATION, NULL, 1638 "failed to put socket in non-blocking mode\n"); 1639 1640 /* receive my interface address on inbound packets. */ 1641 switch (p->addr->sa_family) { 1642 case AF_INET: 1643 if (setsockopt(p->sock, IPPROTO_IP, 1644 #ifdef __linux__ 1645 IP_PKTINFO, 1646 #else 1647 IP_RECVDSTADDR, 1648 #endif 1649 (const void *)&yes, sizeof(yes)) < 0) { 1650 plog(LLV_ERROR, LOCATION, NULL, 1651 "setsockopt IP_RECVDSTADDR (%s)\n", 1652 strerror(errno)); 1653 goto err_and_next; 1654 } 1655 break; 1656 #ifdef INET6 1657 case AF_INET6: 1658 #ifdef INET6_ADVAPI 1659 #ifdef IPV6_RECVPKTINFO 1660 pktinfo = IPV6_RECVPKTINFO; 1661 #else /* old adv. API */ 1662 pktinfo = IPV6_PKTINFO; 1663 #endif /* IPV6_RECVPKTINFO */ 1664 #else 1665 pktinfo = IPV6_RECVDSTADDR; 1666 #endif 1667 if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo, 1668 (const void *)&yes, sizeof(yes)) < 0) 1669 { 1670 plog(LLV_ERROR, LOCATION, NULL, 1671 "setsockopt IPV6_RECVDSTADDR (%d):%s\n", 1672 pktinfo, strerror(errno)); 1673 goto err_and_next; 1674 } 1675 break; 1676 #endif 1677 } 1678 1679 #ifdef IPV6_USE_MIN_MTU 1680 if (p->addr->sa_family == AF_INET6 && 1681 setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, 1682 (void *)&yes, sizeof(yes)) < 0) { 1683 plog(LLV_ERROR, LOCATION, NULL, 1684 "setsockopt IPV6_USE_MIN_MTU (%s)\n", 1685 strerror(errno)); 1686 return -1; 1687 } 1688 #endif 1689 1690 if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0) 1691 goto err_and_next; 1692 1693 if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) { 1694 plog(LLV_ERROR, LOCATION, p->addr, 1695 "failed to bind to address %s (%s).\n", 1696 saddr2str(p->addr), strerror(errno)); 1697 close(p->sock); 1698 goto err_and_next; 1699 } 1700 1701 ifnum++; 1702 1703 plog(LLV_INFO, LOCATION, NULL, 1704 "%s used as isakmp port (fd=%d)\n", 1705 saddr2str(p->addr), p->sock); 1706 1707 #ifdef ENABLE_NATT 1708 if (p->addr->sa_family == AF_INET) { 1709 int option = -1; 1710 1711 1712 if(p->udp_encap) 1713 option = UDP_ENCAP_ESPINUDP; 1714 #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01) 1715 else 1716 option = UDP_ENCAP_ESPINUDP_NON_IKE; 1717 #endif 1718 if(option != -1){ 1719 if (setsockopt (p->sock, SOL_UDP, 1720 UDP_ENCAP, &option, sizeof (option)) < 0) { 1721 plog(LLV_WARNING, LOCATION, NULL, 1722 "setsockopt(%s): UDP_ENCAP %s\n", 1723 option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE", 1724 strerror(errno)); 1725 goto skip_encap; 1726 } 1727 else { 1728 plog(LLV_INFO, LOCATION, NULL, 1729 "%s used for NAT-T\n", 1730 saddr2str(p->addr)); 1731 encap_ifnum++; 1732 } 1733 } 1734 } 1735 skip_encap: 1736 #endif 1737 continue; 1738 1739 err_and_next: 1740 racoon_free(p->addr); 1741 p->addr = NULL; 1742 if (! lcconf->autograbaddr && lcconf->strict_address) 1743 return -1; 1744 continue; 1745 } 1746 1747 if (!ifnum) { 1748 plog(LLV_ERROR, LOCATION, NULL, 1749 "no address could be bound.\n"); 1750 return -1; 1751 } 1752 1753 #ifdef ENABLE_NATT 1754 if (natt_enabled_in_rmconf() && !encap_ifnum) { 1755 plog(LLV_WARNING, LOCATION, NULL, 1756 "NAT-T is enabled in at least one remote{} section,\n"); 1757 plog(LLV_WARNING, LOCATION, NULL, 1758 "but no 'isakmp_natt' address was specified!\n"); 1759 } 1760 #endif 1761 1762 return 0; 1763 } 1764 1765 void 1766 isakmp_close() 1767 { 1768 #ifndef ANDROID_PATCHED 1769 struct myaddrs *p, *next; 1770 1771 for (p = lcconf->myaddrs; p; p = next) { 1772 next = p->next; 1773 1774 if (!p->addr) { 1775 racoon_free(p); 1776 continue; 1777 } 1778 close(p->sock); 1779 racoon_free(p->addr); 1780 racoon_free(p); 1781 } 1782 1783 lcconf->myaddrs = NULL; 1784 #endif 1785 } 1786 1787 int 1788 isakmp_send(iph1, sbuf) 1789 struct ph1handle *iph1; 1790 vchar_t *sbuf; 1791 { 1792 int len = 0; 1793 int s; 1794 vchar_t *vbuf = NULL, swap; 1795 1796 #ifdef ENABLE_NATT 1797 size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0; 1798 1799 /* Check if NON_ESP_MARKER_LEN is already there (happens when resending packets) 1800 */ 1801 if(extralen == NON_ESP_MARKER_LEN && 1802 *(u_int32_t *)sbuf->v == 0) 1803 extralen = 0; 1804 1805 #ifdef ENABLE_FRAG 1806 /* 1807 * Do not add the non ESP marker for a packet that will 1808 * be fragmented. The non ESP marker should appear in 1809 * all fragment's packets, but not in the fragmented packet 1810 */ 1811 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) 1812 extralen = 0; 1813 #endif 1814 if (extralen) 1815 plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n"); 1816 1817 /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) 1818 must added just before the packet itself. For this we must 1819 allocate a new buffer and release it at the end. */ 1820 if (extralen) { 1821 if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) { 1822 plog(LLV_ERROR, LOCATION, NULL, 1823 "vbuf allocation failed\n"); 1824 return -1; 1825 } 1826 *(u_int32_t *)vbuf->v = 0; 1827 memcpy (vbuf->v + extralen, sbuf->v, sbuf->l); 1828 /* ensures that the modified buffer will be sent back to the caller, so 1829 * add_recvdpkt() will add the correct buffer 1830 */ 1831 swap = *sbuf; 1832 *sbuf = *vbuf; 1833 *vbuf = swap; 1834 vfree(vbuf); 1835 } 1836 #endif 1837 1838 /* select the socket to be sent */ 1839 s = getsockmyaddr(iph1->local); 1840 if (s == -1){ 1841 return -1; 1842 } 1843 1844 plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, 1845 saddr2str_fromto("from %s to %s", iph1->local, iph1->remote)); 1846 1847 #ifdef ENABLE_FRAG 1848 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) { 1849 if (isakmp_sendfrags(iph1, sbuf) == -1) { 1850 plog(LLV_ERROR, LOCATION, NULL, 1851 "isakmp_sendfrags failed\n"); 1852 return -1; 1853 } 1854 } else 1855 #endif 1856 { 1857 len = sendfromto(s, sbuf->v, sbuf->l, 1858 iph1->local, iph1->remote, lcconf->count_persend); 1859 1860 if (len == -1) { 1861 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n"); 1862 return -1; 1863 } 1864 } 1865 1866 return 0; 1867 } 1868 1869 /* called from scheduler */ 1870 void 1871 isakmp_ph1resend_stub(p) 1872 void *p; 1873 { 1874 struct ph1handle *iph1; 1875 1876 iph1=(struct ph1handle *)p; 1877 if(isakmp_ph1resend(iph1) < 0){ 1878 if(iph1->scr != NULL){ 1879 /* Should not happen... 1880 */ 1881 sched_kill(iph1->scr); 1882 iph1->scr=NULL; 1883 } 1884 1885 remph1(iph1); 1886 delph1(iph1); 1887 } 1888 } 1889 1890 int 1891 isakmp_ph1resend(iph1) 1892 struct ph1handle *iph1; 1893 { 1894 /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function 1895 */ 1896 if (iph1->retry_counter <= 0) { 1897 plog(LLV_ERROR, LOCATION, NULL, 1898 "phase1 negotiation failed due to time up. %s\n", 1899 isakmp_pindex(&iph1->index, iph1->msgid)); 1900 EVT_PUSH(iph1->local, iph1->remote, 1901 EVTT_PEER_NO_RESPONSE, NULL); 1902 1903 return -1; 1904 } 1905 1906 if (isakmp_send(iph1, iph1->sendbuf) < 0){ 1907 plog(LLV_ERROR, LOCATION, NULL, 1908 "phase1 negotiation failed due to send error. %s\n", 1909 isakmp_pindex(&iph1->index, iph1->msgid)); 1910 EVT_PUSH(iph1->local, iph1->remote, 1911 EVTT_PEER_NO_RESPONSE, NULL); 1912 return -1; 1913 } 1914 1915 plog(LLV_DEBUG, LOCATION, NULL, 1916 "resend phase1 packet %s\n", 1917 isakmp_pindex(&iph1->index, iph1->msgid)); 1918 1919 iph1->retry_counter--; 1920 1921 iph1->scr = sched_new(iph1->rmconf->retry_interval, 1922 isakmp_ph1resend_stub, iph1); 1923 1924 return 0; 1925 } 1926 1927 /* called from scheduler */ 1928 void 1929 isakmp_ph2resend_stub(p) 1930 void *p; 1931 { 1932 struct ph2handle *iph2; 1933 1934 iph2=(struct ph2handle *)p; 1935 1936 if(isakmp_ph2resend(iph2) < 0){ 1937 unbindph12(iph2); 1938 remph2(iph2); 1939 delph2(iph2); 1940 } 1941 } 1942 1943 int 1944 isakmp_ph2resend(iph2) 1945 struct ph2handle *iph2; 1946 { 1947 /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function 1948 */ 1949 if (iph2->ph1->status == PHASE1ST_EXPIRED){ 1950 plog(LLV_ERROR, LOCATION, NULL, 1951 "phase2 negotiation failed due to phase1 expired. %s\n", 1952 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1953 return -1; 1954 } 1955 1956 if (iph2->retry_counter <= 0) { 1957 plog(LLV_ERROR, LOCATION, NULL, 1958 "phase2 negotiation failed due to time up. %s\n", 1959 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1960 EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL); 1961 unbindph12(iph2); 1962 return -1; 1963 } 1964 1965 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){ 1966 plog(LLV_ERROR, LOCATION, NULL, 1967 "phase2 negotiation failed due to send error. %s\n", 1968 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1969 EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL); 1970 1971 return -1; 1972 } 1973 1974 plog(LLV_DEBUG, LOCATION, NULL, 1975 "resend phase2 packet %s\n", 1976 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1977 1978 iph2->retry_counter--; 1979 1980 iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval, 1981 isakmp_ph2resend_stub, iph2); 1982 1983 return 0; 1984 } 1985 1986 /* called from scheduler */ 1987 void 1988 isakmp_ph1expire_stub(p) 1989 void *p; 1990 { 1991 1992 isakmp_ph1expire((struct ph1handle *)p); 1993 } 1994 1995 void 1996 isakmp_ph1expire(iph1) 1997 struct ph1handle *iph1; 1998 { 1999 char *src, *dst; 2000 2001 SCHED_KILL(iph1->sce); 2002 2003 if(iph1->status != PHASE1ST_EXPIRED){ 2004 src = racoon_strdup(saddr2str(iph1->local)); 2005 dst = racoon_strdup(saddr2str(iph1->remote)); 2006 STRDUP_FATAL(src); 2007 STRDUP_FATAL(dst); 2008 2009 plog(LLV_INFO, LOCATION, NULL, 2010 "ISAKMP-SA expired %s-%s spi:%s\n", 2011 src, dst, 2012 isakmp_pindex(&iph1->index, 0)); 2013 racoon_free(src); 2014 racoon_free(dst); 2015 iph1->status = PHASE1ST_EXPIRED; 2016 } 2017 2018 /* 2019 * the phase1 deletion is postponed until there is no phase2. 2020 */ 2021 if (LIST_FIRST(&iph1->ph2tree) != NULL) { 2022 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1); 2023 return; 2024 } 2025 2026 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); 2027 } 2028 2029 /* called from scheduler */ 2030 void 2031 isakmp_ph1delete_stub(p) 2032 void *p; 2033 { 2034 2035 isakmp_ph1delete((struct ph1handle *)p); 2036 } 2037 2038 void 2039 isakmp_ph1delete(iph1) 2040 struct ph1handle *iph1; 2041 { 2042 char *src, *dst; 2043 2044 SCHED_KILL(iph1->sce); 2045 2046 if (LIST_FIRST(&iph1->ph2tree) != NULL) { 2047 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); 2048 return; 2049 } 2050 2051 /* don't re-negosiation when the phase 1 SA expires. */ 2052 2053 src = racoon_strdup(saddr2str(iph1->local)); 2054 dst = racoon_strdup(saddr2str(iph1->remote)); 2055 STRDUP_FATAL(src); 2056 STRDUP_FATAL(dst); 2057 2058 plog(LLV_INFO, LOCATION, NULL, 2059 "ISAKMP-SA deleted %s-%s spi:%s\n", 2060 src, dst, isakmp_pindex(&iph1->index, 0)); 2061 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL); 2062 racoon_free(src); 2063 racoon_free(dst); 2064 2065 remph1(iph1); 2066 delph1(iph1); 2067 2068 return; 2069 } 2070 2071 /* called from scheduler. 2072 * this function will call only isakmp_ph2delete(). 2073 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA 2074 * by something cause. That's why this function is called after phase 2 SA 2075 * expires in the userland. 2076 */ 2077 void 2078 isakmp_ph2expire_stub(p) 2079 void *p; 2080 { 2081 2082 isakmp_ph2expire((struct ph2handle *)p); 2083 } 2084 2085 void 2086 isakmp_ph2expire(iph2) 2087 struct ph2handle *iph2; 2088 { 2089 char *src, *dst; 2090 2091 SCHED_KILL(iph2->sce); 2092 2093 src = racoon_strdup(saddrwop2str(iph2->src)); 2094 dst = racoon_strdup(saddrwop2str(iph2->dst)); 2095 STRDUP_FATAL(src); 2096 STRDUP_FATAL(dst); 2097 2098 plog(LLV_INFO, LOCATION, NULL, 2099 "phase2 sa expired %s-%s\n", src, dst); 2100 racoon_free(src); 2101 racoon_free(dst); 2102 2103 iph2->status = PHASE2ST_EXPIRED; 2104 2105 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2); 2106 2107 return; 2108 } 2109 2110 /* called from scheduler */ 2111 void 2112 isakmp_ph2delete_stub(p) 2113 void *p; 2114 { 2115 2116 isakmp_ph2delete((struct ph2handle *)p); 2117 } 2118 2119 void 2120 isakmp_ph2delete(iph2) 2121 struct ph2handle *iph2; 2122 { 2123 char *src, *dst; 2124 2125 SCHED_KILL(iph2->sce); 2126 2127 src = racoon_strdup(saddrwop2str(iph2->src)); 2128 dst = racoon_strdup(saddrwop2str(iph2->dst)); 2129 STRDUP_FATAL(src); 2130 STRDUP_FATAL(dst); 2131 2132 plog(LLV_INFO, LOCATION, NULL, 2133 "phase2 sa deleted %s-%s\n", src, dst); 2134 racoon_free(src); 2135 racoon_free(dst); 2136 2137 unbindph12(iph2); 2138 remph2(iph2); 2139 delph2(iph2); 2140 2141 return; 2142 } 2143 2144 /* %%% 2146 * Interface between PF_KEYv2 and ISAKMP 2147 */ 2148 /* 2149 * receive ACQUIRE from kernel, and begin either phase1 or phase2. 2150 * if phase1 has been finished, begin phase2. 2151 */ 2152 int 2153 isakmp_post_acquire(iph2) 2154 struct ph2handle *iph2; 2155 { 2156 struct remoteconf *rmconf; 2157 struct ph1handle *iph1 = NULL; 2158 2159 plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n"); 2160 2161 /* search appropreate configuration with masking port. */ 2162 rmconf = getrmconf(iph2->dst); 2163 if (rmconf == NULL) { 2164 plog(LLV_ERROR, LOCATION, NULL, 2165 "no configuration found for %s.\n", 2166 saddrwop2str(iph2->dst)); 2167 return -1; 2168 } 2169 2170 /* if passive mode, ignore the acquire message */ 2171 if (rmconf->passive) { 2172 plog(LLV_DEBUG, LOCATION, NULL, 2173 "because of passive mode, " 2174 "ignore the acquire message for %s.\n", 2175 saddrwop2str(iph2->dst)); 2176 return 0; 2177 } 2178 2179 /* 2180 * Search isakmp status table by address and port 2181 * If NAT-T is in use, consider null ports as a 2182 * wildcard and use IKE ports instead. 2183 */ 2184 #ifdef ENABLE_NATT 2185 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) { 2186 if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) { 2187 set_port(iph2->src, extract_port(iph1->local)); 2188 set_port(iph2->dst, extract_port(iph1->remote)); 2189 } 2190 } else { 2191 iph1 = getph1byaddr(iph2->src, iph2->dst, 0); 2192 } 2193 #else 2194 iph1 = getph1byaddr(iph2->src, iph2->dst, 0); 2195 #endif 2196 2197 /* no ISAKMP-SA found. */ 2198 if (iph1 == NULL) { 2199 struct sched *sc; 2200 2201 iph2->retry_checkph1 = lcconf->retry_checkph1; 2202 sc = sched_new(1, isakmp_chkph1there_stub, iph2); 2203 plog(LLV_INFO, LOCATION, NULL, 2204 "IPsec-SA request for %s queued " 2205 "due to no phase1 found.\n", 2206 saddrwop2str(iph2->dst)); 2207 2208 /* start phase 1 negotiation as a initiator. */ 2209 if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) { 2210 SCHED_KILL(sc); 2211 return -1; 2212 } 2213 2214 return 0; 2215 /*NOTREACHED*/ 2216 } 2217 2218 /* found ISAKMP-SA, but on negotiation. */ 2219 if (iph1->status != PHASE1ST_ESTABLISHED) { 2220 iph2->retry_checkph1 = lcconf->retry_checkph1; 2221 sched_new(1, isakmp_chkph1there_stub, iph2); 2222 plog(LLV_INFO, LOCATION, iph2->dst, 2223 "request for establishing IPsec-SA was queued " 2224 "due to no phase1 found.\n"); 2225 return 0; 2226 /*NOTREACHED*/ 2227 } 2228 2229 /* found established ISAKMP-SA */ 2230 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */ 2231 2232 /* found ISAKMP-SA. */ 2233 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); 2234 2235 /* begin quick mode */ 2236 if (isakmp_ph2begin_i(iph1, iph2)) 2237 return -1; 2238 2239 return 0; 2240 } 2241 2242 /* 2243 * receive GETSPI from kernel. 2244 */ 2245 int 2246 isakmp_post_getspi(iph2) 2247 struct ph2handle *iph2; 2248 { 2249 #ifdef ENABLE_STATS 2250 struct timeval start, end; 2251 #endif 2252 2253 /* don't process it because there is no suitable phase1-sa. */ 2254 if (iph2->ph1->status == PHASE1ST_EXPIRED) { 2255 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 2256 "the negotiation is stopped, " 2257 "because there is no suitable ISAKMP-SA.\n"); 2258 return -1; 2259 } 2260 2261 #ifdef ENABLE_STATS 2262 gettimeofday(&start, NULL); 2263 #endif 2264 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] 2265 [iph2->side] 2266 [iph2->status])(iph2, NULL) != 0) 2267 return -1; 2268 #ifdef ENABLE_STATS 2269 gettimeofday(&end, NULL); 2270 syslog(LOG_NOTICE, "%s(%s): %8.6f", 2271 "phase2", 2272 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), 2273 timedelta(&start, &end)); 2274 #endif 2275 2276 return 0; 2277 } 2278 2279 /* called by scheduler */ 2280 void 2281 isakmp_chkph1there_stub(p) 2282 void *p; 2283 { 2284 isakmp_chkph1there((struct ph2handle *)p); 2285 } 2286 2287 void 2288 isakmp_chkph1there(iph2) 2289 struct ph2handle *iph2; 2290 { 2291 struct ph1handle *iph1; 2292 2293 iph2->retry_checkph1--; 2294 if (iph2->retry_checkph1 < 0) { 2295 plog(LLV_ERROR, LOCATION, iph2->dst, 2296 "phase2 negotiation failed " 2297 "due to time up waiting for phase1. %s\n", 2298 sadbsecas2str(iph2->dst, iph2->src, 2299 iph2->satype, 0, 0)); 2300 plog(LLV_INFO, LOCATION, NULL, 2301 "delete phase 2 handler.\n"); 2302 2303 /* send acquire to kernel as error */ 2304 pk_sendeacquire(iph2); 2305 2306 unbindph12(iph2); 2307 remph2(iph2); 2308 delph2(iph2); 2309 2310 return; 2311 } 2312 2313 /* 2314 * Search isakmp status table by address and port 2315 * If NAT-T is in use, consider null ports as a 2316 * wildcard and use IKE ports instead. 2317 */ 2318 #ifdef ENABLE_NATT 2319 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) { 2320 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n"); 2321 if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){ 2322 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n"); 2323 } 2324 } else { 2325 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n"); 2326 iph1 = getph1byaddr(iph2->src, iph2->dst, 0); 2327 if(iph1 != NULL) 2328 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n"); 2329 } 2330 #else 2331 iph1 = getph1byaddr(iph2->src, iph2->dst, 0); 2332 #endif 2333 2334 /* XXX Even if ph1 as responder is there, should we not start 2335 * phase 2 negotiation ? */ 2336 if (iph1 != NULL 2337 && iph1->status == PHASE1ST_ESTABLISHED) { 2338 /* found isakmp-sa */ 2339 2340 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n"); 2341 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local)); 2342 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote)); 2343 plog(LLV_DEBUG2, LOCATION, NULL, "before:\n"); 2344 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src)); 2345 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst)); 2346 set_port(iph2->src, extract_port(iph1->local)); 2347 set_port(iph2->dst, extract_port(iph1->remote)); 2348 plog(LLV_DEBUG2, LOCATION, NULL, "After:\n"); 2349 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src)); 2350 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst)); 2351 2352 /* begin quick mode */ 2353 (void)isakmp_ph2begin_i(iph1, iph2); 2354 return; 2355 } 2356 2357 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n"); 2358 2359 /* no isakmp-sa found */ 2360 sched_new(1, isakmp_chkph1there_stub, iph2); 2361 2362 return; 2363 } 2364 2365 /* copy variable data into ALLOCATED buffer. */ 2366 caddr_t 2367 isakmp_set_attr_v(buf, type, val, len) 2368 caddr_t buf; 2369 int type; 2370 caddr_t val; 2371 int len; 2372 { 2373 struct isakmp_data *data; 2374 2375 data = (struct isakmp_data *)buf; 2376 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV); 2377 data->lorv = htons((u_int16_t)len); 2378 memcpy(data + 1, val, len); 2379 2380 return buf + sizeof(*data) + len; 2381 } 2382 2383 /* copy fixed length data into ALLOCATED buffer. */ 2384 caddr_t 2385 isakmp_set_attr_l(buf, type, val) 2386 caddr_t buf; 2387 int type; 2388 u_int32_t val; 2389 { 2390 struct isakmp_data *data; 2391 2392 data = (struct isakmp_data *)buf; 2393 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV); 2394 data->lorv = htons((u_int16_t)val); 2395 2396 return buf + sizeof(*data); 2397 } 2398 2399 /* add a variable data attribute to the buffer by reallocating it. */ 2400 vchar_t * 2401 isakmp_add_attr_v(buf0, type, val, len) 2402 vchar_t *buf0; 2403 int type; 2404 caddr_t val; 2405 int len; 2406 { 2407 vchar_t *buf = NULL; 2408 struct isakmp_data *data; 2409 int tlen; 2410 int oldlen = 0; 2411 2412 tlen = sizeof(*data) + len; 2413 2414 if (buf0) { 2415 oldlen = buf0->l; 2416 buf = vrealloc(buf0, oldlen + tlen); 2417 } else 2418 buf = vmalloc(tlen); 2419 if (!buf) { 2420 plog(LLV_ERROR, LOCATION, NULL, 2421 "failed to get a attribute buffer.\n"); 2422 return NULL; 2423 } 2424 2425 data = (struct isakmp_data *)(buf->v + oldlen); 2426 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV); 2427 data->lorv = htons((u_int16_t)len); 2428 memcpy(data + 1, val, len); 2429 2430 return buf; 2431 } 2432 2433 /* add a fixed data attribute to the buffer by reallocating it. */ 2434 vchar_t * 2435 isakmp_add_attr_l(buf0, type, val) 2436 vchar_t *buf0; 2437 int type; 2438 u_int32_t val; 2439 { 2440 vchar_t *buf = NULL; 2441 struct isakmp_data *data; 2442 int tlen; 2443 int oldlen = 0; 2444 2445 tlen = sizeof(*data); 2446 2447 if (buf0) { 2448 oldlen = buf0->l; 2449 buf = vrealloc(buf0, oldlen + tlen); 2450 } else 2451 buf = vmalloc(tlen); 2452 if (!buf) { 2453 plog(LLV_ERROR, LOCATION, NULL, 2454 "failed to get a attribute buffer.\n"); 2455 return NULL; 2456 } 2457 2458 data = (struct isakmp_data *)(buf->v + oldlen); 2459 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV); 2460 data->lorv = htons((u_int16_t)val); 2461 2462 return buf; 2463 } 2464 2465 /* 2466 * calculate cookie and set. 2467 */ 2468 int 2469 isakmp_newcookie(place, remote, local) 2470 caddr_t place; 2471 struct sockaddr *remote; 2472 struct sockaddr *local; 2473 { 2474 vchar_t *buf = NULL, *buf2 = NULL; 2475 char *p; 2476 int blen; 2477 int alen; 2478 caddr_t sa1, sa2; 2479 time_t t; 2480 int error = -1; 2481 u_short port; 2482 2483 2484 if (remote->sa_family != local->sa_family) { 2485 plog(LLV_ERROR, LOCATION, NULL, 2486 "address family mismatch, remote:%d local:%d\n", 2487 remote->sa_family, local->sa_family); 2488 goto end; 2489 } 2490 switch (remote->sa_family) { 2491 case AF_INET: 2492 alen = sizeof(struct in_addr); 2493 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr; 2494 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr; 2495 break; 2496 #ifdef INET6 2497 case AF_INET6: 2498 alen = sizeof(struct in6_addr); 2499 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr; 2500 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr; 2501 break; 2502 #endif 2503 default: 2504 plog(LLV_ERROR, LOCATION, NULL, 2505 "invalid family: %d\n", remote->sa_family); 2506 goto end; 2507 } 2508 blen = (alen + sizeof(u_short)) * 2 2509 + sizeof(time_t) + lcconf->secret_size; 2510 buf = vmalloc(blen); 2511 if (buf == NULL) { 2512 plog(LLV_ERROR, LOCATION, NULL, 2513 "failed to get a cookie.\n"); 2514 goto end; 2515 } 2516 p = buf->v; 2517 2518 /* copy my address */ 2519 memcpy(p, sa1, alen); 2520 p += alen; 2521 port = ((struct sockaddr_in *)remote)->sin_port; 2522 memcpy(p, &port, sizeof(u_short)); 2523 p += sizeof(u_short); 2524 2525 /* copy target address */ 2526 memcpy(p, sa2, alen); 2527 p += alen; 2528 port = ((struct sockaddr_in *)local)->sin_port; 2529 memcpy(p, &port, sizeof(u_short)); 2530 p += sizeof(u_short); 2531 2532 /* copy time */ 2533 t = time(0); 2534 memcpy(p, (caddr_t)&t, sizeof(t)); 2535 p += sizeof(t); 2536 2537 /* copy random value */ 2538 buf2 = eay_set_random(lcconf->secret_size); 2539 if (buf2 == NULL) 2540 goto end; 2541 memcpy(p, buf2->v, lcconf->secret_size); 2542 p += lcconf->secret_size; 2543 vfree(buf2); 2544 2545 buf2 = eay_sha1_one(buf); 2546 memcpy(place, buf2->v, sizeof(cookie_t)); 2547 2548 sa1 = val2str(place, sizeof (cookie_t)); 2549 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1); 2550 racoon_free(sa1); 2551 2552 error = 0; 2553 end: 2554 if (buf != NULL) 2555 vfree(buf); 2556 if (buf2 != NULL) 2557 vfree(buf2); 2558 return error; 2559 } 2560 2561 /* 2562 * save partner's(payload) data into phhandle. 2563 */ 2564 int 2565 isakmp_p2ph(buf, gen) 2566 vchar_t **buf; 2567 struct isakmp_gen *gen; 2568 { 2569 /* XXX to be checked in each functions for logging. */ 2570 if (*buf) { 2571 plog(LLV_WARNING, LOCATION, NULL, 2572 "ignore this payload, same payload type exist.\n"); 2573 return -1; 2574 } 2575 2576 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen)); 2577 if (*buf == NULL) { 2578 plog(LLV_ERROR, LOCATION, NULL, 2579 "failed to get buffer.\n"); 2580 return -1; 2581 } 2582 memcpy((*buf)->v, gen + 1, (*buf)->l); 2583 2584 return 0; 2585 } 2586 2587 u_int32_t 2588 isakmp_newmsgid2(iph1) 2589 struct ph1handle *iph1; 2590 { 2591 u_int32_t msgid2; 2592 2593 do { 2594 msgid2 = eay_random(); 2595 } while (getph2bymsgid(iph1, msgid2)); 2596 2597 return msgid2; 2598 } 2599 2600 /* 2601 * set values into allocated buffer of isakmp header for phase 1 2602 */ 2603 static caddr_t 2604 set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid) 2605 vchar_t *vbuf; 2606 struct ph1handle *iph1; 2607 int nptype; 2608 u_int8_t etype; 2609 u_int8_t flags; 2610 u_int32_t msgid; 2611 { 2612 struct isakmp *isakmp; 2613 2614 if (vbuf->l < sizeof(*isakmp)) 2615 return NULL; 2616 2617 isakmp = (struct isakmp *)vbuf->v; 2618 2619 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t)); 2620 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t)); 2621 isakmp->np = nptype; 2622 isakmp->v = iph1->version; 2623 isakmp->etype = etype; 2624 isakmp->flags = flags; 2625 isakmp->msgid = msgid; 2626 isakmp->len = htonl(vbuf->l); 2627 2628 return vbuf->v + sizeof(*isakmp); 2629 } 2630 2631 /* 2632 * set values into allocated buffer of isakmp header for phase 1 2633 */ 2634 caddr_t 2635 set_isakmp_header1(vbuf, iph1, nptype) 2636 vchar_t *vbuf; 2637 struct ph1handle *iph1; 2638 int nptype; 2639 { 2640 return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid); 2641 } 2642 2643 /* 2644 * set values into allocated buffer of isakmp header for phase 2 2645 */ 2646 caddr_t 2647 set_isakmp_header2(vbuf, iph2, nptype) 2648 vchar_t *vbuf; 2649 struct ph2handle *iph2; 2650 int nptype; 2651 { 2652 return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid); 2653 } 2654 2655 /* 2656 * set values into allocated buffer of isakmp payload. 2657 */ 2658 caddr_t 2659 set_isakmp_payload(buf, src, nptype) 2660 caddr_t buf; 2661 vchar_t *src; 2662 int nptype; 2663 { 2664 struct isakmp_gen *gen; 2665 caddr_t p = buf; 2666 2667 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n", 2668 src->l, nptype); 2669 2670 gen = (struct isakmp_gen *)p; 2671 gen->np = nptype; 2672 gen->len = htons(sizeof(*gen) + src->l); 2673 p += sizeof(*gen); 2674 memcpy(p, src->v, src->l); 2675 p += src->l; 2676 2677 return p; 2678 } 2679 2680 static int 2681 etypesw1(etype) 2682 int etype; 2683 { 2684 switch (etype) { 2685 case ISAKMP_ETYPE_IDENT: 2686 return 1; 2687 case ISAKMP_ETYPE_AGG: 2688 return 2; 2689 case ISAKMP_ETYPE_BASE: 2690 return 3; 2691 default: 2692 return 0; 2693 } 2694 /*NOTREACHED*/ 2695 } 2696 2697 static int 2698 etypesw2(etype) 2699 int etype; 2700 { 2701 switch (etype) { 2702 case ISAKMP_ETYPE_QUICK: 2703 return 1; 2704 default: 2705 return 0; 2706 } 2707 /*NOTREACHED*/ 2708 } 2709 2710 #ifdef HAVE_PRINT_ISAKMP_C 2711 /* for print-isakmp.c */ 2712 char *snapend; 2713 extern void isakmp_print __P((const u_char *, u_int, const u_char *)); 2714 2715 char *getname __P((const u_char *)); 2716 #ifdef INET6 2717 char *getname6 __P((const u_char *)); 2718 #endif 2719 int safeputchar __P((int)); 2720 2721 /* 2722 * Return a name for the IP address pointed to by ap. This address 2723 * is assumed to be in network byte order. 2724 */ 2725 char * 2726 getname(ap) 2727 const u_char *ap; 2728 { 2729 struct sockaddr_in addr; 2730 static char ntop_buf[NI_MAXHOST]; 2731 2732 memset(&addr, 0, sizeof(addr)); 2733 #ifndef __linux__ 2734 addr.sin_len = sizeof(struct sockaddr_in); 2735 #endif 2736 addr.sin_family = AF_INET; 2737 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr)); 2738 if (getnameinfo((struct sockaddr *)&addr, sizeof(addr), 2739 ntop_buf, sizeof(ntop_buf), NULL, 0, 2740 NI_NUMERICHOST | niflags)) 2741 strlcpy(ntop_buf, "?", sizeof(ntop_buf)); 2742 2743 return ntop_buf; 2744 } 2745 2746 #ifdef INET6 2747 /* 2748 * Return a name for the IP6 address pointed to by ap. This address 2749 * is assumed to be in network byte order. 2750 */ 2751 char * 2752 getname6(ap) 2753 const u_char *ap; 2754 { 2755 struct sockaddr_in6 addr; 2756 static char ntop_buf[NI_MAXHOST]; 2757 2758 memset(&addr, 0, sizeof(addr)); 2759 addr.sin6_len = sizeof(struct sockaddr_in6); 2760 addr.sin6_family = AF_INET6; 2761 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr)); 2762 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len, 2763 ntop_buf, sizeof(ntop_buf), NULL, 0, 2764 NI_NUMERICHOST | niflags)) 2765 strlcpy(ntop_buf, "?", sizeof(ntop_buf)); 2766 2767 return ntop_buf; 2768 } 2769 #endif /* INET6 */ 2770 2771 int 2772 safeputchar(c) 2773 int c; 2774 { 2775 unsigned char ch; 2776 2777 ch = (unsigned char)(c & 0xff); 2778 if (c < 0x80 && isprint(c)) 2779 return printf("%c", c & 0xff); 2780 else 2781 return printf("\\%03o", c & 0xff); 2782 } 2783 2784 void 2785 isakmp_printpacket(msg, from, my, decoded) 2786 vchar_t *msg; 2787 struct sockaddr *from; 2788 struct sockaddr *my; 2789 int decoded; 2790 { 2791 #ifdef YIPS_DEBUG 2792 struct timeval tv; 2793 int s; 2794 char hostbuf[NI_MAXHOST]; 2795 char portbuf[NI_MAXSERV]; 2796 struct isakmp *isakmp; 2797 vchar_t *buf; 2798 #endif 2799 2800 if (loglevel < LLV_DEBUG) 2801 return; 2802 2803 #ifdef YIPS_DEBUG 2804 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n"); 2805 2806 gettimeofday(&tv, NULL); 2807 s = tv.tv_sec % 3600; 2808 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec); 2809 2810 if (from) { 2811 if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf), 2812 portbuf, sizeof(portbuf), 2813 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { 2814 strlcpy(hostbuf, "?", sizeof(hostbuf)); 2815 strlcpy(portbuf, "?", sizeof(portbuf)); 2816 } 2817 printf("%s:%s", hostbuf, portbuf); 2818 } else 2819 printf("?"); 2820 printf(" -> "); 2821 if (my) { 2822 if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf), 2823 portbuf, sizeof(portbuf), 2824 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { 2825 strlcpy(hostbuf, "?", sizeof(hostbuf)); 2826 strlcpy(portbuf, "?", sizeof(portbuf)); 2827 } 2828 printf("%s:%s", hostbuf, portbuf); 2829 } else 2830 printf("?"); 2831 printf(": "); 2832 2833 buf = vdup(msg); 2834 if (!buf) { 2835 printf("(malloc fail)\n"); 2836 return; 2837 } 2838 if (decoded) { 2839 isakmp = (struct isakmp *)buf->v; 2840 if (isakmp->flags & ISAKMP_FLAG_E) { 2841 #if 0 2842 int pad; 2843 pad = *(u_char *)(buf->v + buf->l - 1); 2844 if (buf->l < pad && 2 < vflag) 2845 printf("(wrong padding)"); 2846 #endif 2847 isakmp->flags &= ~ISAKMP_FLAG_E; 2848 } 2849 } 2850 2851 snapend = buf->v + buf->l; 2852 isakmp_print(buf->v, buf->l, NULL); 2853 vfree(buf); 2854 printf("\n"); 2855 fflush(stdout); 2856 2857 return; 2858 #endif 2859 } 2860 #endif /*HAVE_PRINT_ISAKMP_C*/ 2861 2862 int 2863 copy_ph1addresses(iph1, rmconf, remote, local) 2864 struct ph1handle *iph1; 2865 struct remoteconf *rmconf; 2866 struct sockaddr *remote, *local; 2867 { 2868 u_int16_t port; 2869 2870 /* address portion must be grabbed from real remote address "remote" */ 2871 iph1->remote = dupsaddr(remote); 2872 if (iph1->remote == NULL) 2873 return -1; 2874 2875 /* 2876 * if remote has no port # (in case of initiator - from ACQUIRE msg) 2877 * - if remote.conf specifies port #, use that 2878 * - if remote.conf does not, use 500 2879 * if remote has port # (in case of responder - from recvfrom(2)) 2880 * respect content of "remote". 2881 */ 2882 if (extract_port(iph1->remote) == 0) { 2883 port = extract_port(rmconf->remote); 2884 if (port == 0) 2885 port = PORT_ISAKMP; 2886 set_port(iph1->remote, port); 2887 } 2888 2889 if (local == NULL) 2890 iph1->local = getlocaladdr(iph1->remote); 2891 else 2892 iph1->local = dupsaddr(local); 2893 if (iph1->local == NULL) 2894 return -1; 2895 2896 if (extract_port(iph1->local) == 0) 2897 set_port(iph1->local, PORT_ISAKMP); 2898 2899 #ifdef ENABLE_NATT 2900 if (extract_port(iph1->local) == lcconf->port_isakmp_natt) { 2901 plog(LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n"); 2902 iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER; 2903 } 2904 #endif 2905 2906 return 0; 2907 } 2908 2909 static int 2910 nostate1(iph1, msg) 2911 struct ph1handle *iph1; 2912 vchar_t *msg; 2913 { 2914 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n", 2915 iph1->status); 2916 return -1; 2917 } 2918 2919 static int 2920 nostate2(iph2, msg) 2921 struct ph2handle *iph2; 2922 vchar_t *msg; 2923 { 2924 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n", 2925 iph2->status); 2926 return -1; 2927 } 2928 2929 void 2930 log_ph1established(iph1) 2931 const struct ph1handle *iph1; 2932 { 2933 char *src, *dst; 2934 2935 src = racoon_strdup(saddr2str(iph1->local)); 2936 dst = racoon_strdup(saddr2str(iph1->remote)); 2937 STRDUP_FATAL(src); 2938 STRDUP_FATAL(dst); 2939 2940 plog(LLV_INFO, LOCATION, NULL, 2941 "ISAKMP-SA established %s-%s spi:%s\n", 2942 src, dst, 2943 isakmp_pindex(&iph1->index, 0)); 2944 2945 EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL); 2946 if(!iph1->rmconf->mode_cfg) { 2947 EVT_PUSH(iph1->local, iph1->remote, EVTT_NO_ISAKMP_CFG, NULL); 2948 } 2949 2950 racoon_free(src); 2951 racoon_free(dst); 2952 2953 return; 2954 } 2955 2956 struct payload_list * 2957 isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_type) 2958 { 2959 if (! plist) { 2960 plist = racoon_malloc (sizeof (struct payload_list)); 2961 plist->prev = NULL; 2962 } 2963 else { 2964 plist->next = racoon_malloc (sizeof (struct payload_list)); 2965 plist->next->prev = plist; 2966 plist = plist->next; 2967 } 2968 2969 plist->next = NULL; 2970 plist->payload = payload; 2971 plist->payload_type = payload_type; 2972 2973 return plist; 2974 } 2975 2976 vchar_t * 2977 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1) 2978 { 2979 struct payload_list *ptr = *plist, *first; 2980 size_t tlen = sizeof (struct isakmp), n = 0; 2981 vchar_t *buf = NULL; 2982 char *p; 2983 2984 /* Seek to the first item. */ 2985 while (ptr->prev) ptr = ptr->prev; 2986 first = ptr; 2987 2988 /* Compute the whole length. */ 2989 while (ptr) { 2990 tlen += ptr->payload->l + sizeof (struct isakmp_gen); 2991 ptr = ptr->next; 2992 } 2993 2994 buf = vmalloc(tlen); 2995 if (buf == NULL) { 2996 plog(LLV_ERROR, LOCATION, NULL, 2997 "failed to get buffer to send.\n"); 2998 goto end; 2999 } 3000 3001 ptr = first; 3002 3003 p = set_isakmp_header1(buf, iph1, ptr->payload_type); 3004 if (p == NULL) 3005 goto end; 3006 3007 while (ptr) 3008 { 3009 p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE); 3010 first = ptr; 3011 ptr = ptr->next; 3012 racoon_free (first); 3013 /* ptr->prev = NULL; first = NULL; ... omitted. */ 3014 n++; 3015 } 3016 3017 *plist = NULL; 3018 3019 return buf; 3020 end: 3021 if (buf != NULL) 3022 vfree(buf); 3023 return NULL; 3024 } 3025 3026 #ifdef ENABLE_FRAG 3027 int 3028 frag_handler(iph1, msg, remote, local) 3029 struct ph1handle *iph1; 3030 vchar_t *msg; 3031 struct sockaddr *remote; 3032 struct sockaddr *local; 3033 { 3034 vchar_t *newmsg; 3035 3036 if (isakmp_frag_extract(iph1, msg) == 1) { 3037 if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) { 3038 plog(LLV_ERROR, LOCATION, remote, 3039 "Packet reassembly failed\n"); 3040 return -1; 3041 } 3042 return isakmp_main(newmsg, remote, local); 3043 } 3044 3045 return 0; 3046 } 3047 #endif 3048 3049 void 3050 script_hook(iph1, script) 3051 struct ph1handle *iph1; 3052 int script; 3053 { 3054 #define IP_MAX 40 3055 #define PORT_MAX 6 3056 char addrstr[IP_MAX]; 3057 char portstr[PORT_MAX]; 3058 char **envp = NULL; 3059 int envc = 1; 3060 struct sockaddr_in *sin; 3061 char **c; 3062 3063 if (iph1 == NULL || 3064 iph1->rmconf == NULL || 3065 iph1->rmconf->script[script] == NULL) 3066 return; 3067 3068 #ifdef ENABLE_HYBRID 3069 (void)isakmp_cfg_setenv(iph1, &envp, &envc); 3070 #endif 3071 3072 /* local address */ 3073 sin = (struct sockaddr_in *)iph1->local; 3074 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX); 3075 snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port)); 3076 3077 if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) { 3078 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n"); 3079 goto out; 3080 } 3081 3082 if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) { 3083 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n"); 3084 goto out; 3085 } 3086 3087 /* Peer address */ 3088 if (iph1->remote != NULL) { 3089 sin = (struct sockaddr_in *)iph1->remote; 3090 inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX); 3091 snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port)); 3092 3093 if (script_env_append(&envp, &envc, 3094 "REMOTE_ADDR", addrstr) != 0) { 3095 plog(LLV_ERROR, LOCATION, NULL, 3096 "Cannot set REMOTE_ADDR\n"); 3097 goto out; 3098 } 3099 3100 if (script_env_append(&envp, &envc, 3101 "REMOTE_PORT", portstr) != 0) { 3102 plog(LLV_ERROR, LOCATION, NULL, 3103 "Cannot set REMOTEL_PORT\n"); 3104 goto out; 3105 } 3106 } 3107 3108 if (privsep_script_exec(iph1->rmconf->script[script]->v, 3109 script, envp) != 0) 3110 plog(LLV_ERROR, LOCATION, NULL, 3111 "Script %s execution failed\n", script_names[script]); 3112 3113 out: 3114 for (c = envp; *c; c++) 3115 racoon_free(*c); 3116 3117 racoon_free(envp); 3118 3119 return; 3120 } 3121 3122 int 3123 script_env_append(envp, envc, name, value) 3124 char ***envp; 3125 int *envc; 3126 char *name; 3127 char *value; 3128 { 3129 char *envitem; 3130 char **newenvp; 3131 int newenvc; 3132 3133 if (value == NULL) { 3134 value = ""; 3135 } 3136 3137 envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1); 3138 if (envitem == NULL) { 3139 plog(LLV_ERROR, LOCATION, NULL, 3140 "Cannot allocate memory: %s\n", strerror(errno)); 3141 return -1; 3142 } 3143 sprintf(envitem, "%s=%s", name, value); 3144 3145 newenvc = (*envc) + 1; 3146 newenvp = racoon_realloc(*envp, newenvc * sizeof(char *)); 3147 if (newenvp == NULL) { 3148 plog(LLV_ERROR, LOCATION, NULL, 3149 "Cannot allocate memory: %s\n", strerror(errno)); 3150 racoon_free(envitem); 3151 return -1; 3152 } 3153 3154 newenvp[newenvc - 2] = envitem; 3155 newenvp[newenvc - 1] = NULL; 3156 3157 *envp = newenvp; 3158 *envc = newenvc; 3159 return 0; 3160 } 3161 3162 int 3163 script_exec(script, name, envp) 3164 char *script; 3165 int name; 3166 char *const envp[]; 3167 { 3168 char *argv[] = { NULL, NULL, NULL }; 3169 3170 argv[0] = script; 3171 argv[1] = script_names[name]; 3172 argv[2] = NULL; 3173 3174 switch (fork()) { 3175 case 0: 3176 execve(argv[0], argv, envp); 3177 plog(LLV_ERROR, LOCATION, NULL, 3178 "execve(\"%s\") failed: %s\n", 3179 argv[0], strerror(errno)); 3180 _exit(1); 3181 break; 3182 case -1: 3183 plog(LLV_ERROR, LOCATION, NULL, 3184 "Cannot fork: %s\n", strerror(errno)); 3185 return -1; 3186 break; 3187 default: 3188 break; 3189 } 3190 return 0; 3191 3192 } 3193 3194 void 3195 purge_remote(iph1) 3196 struct ph1handle *iph1; 3197 { 3198 vchar_t *buf = NULL; 3199 struct sadb_msg *msg, *next, *end; 3200 struct sadb_sa *sa; 3201 struct sockaddr *src, *dst; 3202 caddr_t mhp[SADB_EXT_MAX + 1]; 3203 u_int proto_id; 3204 struct ph2handle *iph2; 3205 struct ph1handle *new_iph1; 3206 3207 plog(LLV_INFO, LOCATION, NULL, 3208 "purging ISAKMP-SA spi=%s.\n", 3209 isakmp_pindex(&(iph1->index), iph1->msgid)); 3210 3211 /* Mark as expired. */ 3212 iph1->status = PHASE1ST_EXPIRED; 3213 3214 /* Check if we have another, still valid, phase1 SA. */ 3215 new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1); 3216 3217 /* 3218 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs. 3219 * Keep all others phase2 SAs. 3220 */ 3221 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); 3222 if (buf == NULL) { 3223 plog(LLV_DEBUG, LOCATION, NULL, 3224 "pfkey_dump_sadb returned nothing.\n"); 3225 return; 3226 } 3227 3228 msg = (struct sadb_msg *)buf->v; 3229 end = (struct sadb_msg *)(buf->v + buf->l); 3230 3231 while (msg < end) { 3232 if ((msg->sadb_msg_len << 3) < sizeof(*msg)) 3233 break; 3234 next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); 3235 if (msg->sadb_msg_type != SADB_DUMP) { 3236 msg = next; 3237 continue; 3238 } 3239 3240 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { 3241 plog(LLV_ERROR, LOCATION, NULL, 3242 "pfkey_check (%s)\n", ipsec_strerror()); 3243 msg = next; 3244 continue; 3245 } 3246 3247 sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]); 3248 if (!sa || 3249 !mhp[SADB_EXT_ADDRESS_SRC] || 3250 !mhp[SADB_EXT_ADDRESS_DST]) { 3251 msg = next; 3252 continue; 3253 } 3254 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 3255 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 3256 3257 if (sa->sadb_sa_state != SADB_SASTATE_LARVAL && 3258 sa->sadb_sa_state != SADB_SASTATE_MATURE && 3259 sa->sadb_sa_state != SADB_SASTATE_DYING) { 3260 msg = next; 3261 continue; 3262 } 3263 3264 /* 3265 * check in/outbound SAs. 3266 * Select only SAs where src == local and dst == remote (outgoing) 3267 * or src == remote and dst == local (incoming). 3268 */ 3269 if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) && 3270 (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) { 3271 msg = next; 3272 continue; 3273 } 3274 3275 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); 3276 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); 3277 3278 /* Check if there is another valid ISAKMP-SA */ 3279 if (new_iph1 != NULL) { 3280 3281 if (iph2 == NULL) { 3282 /* No handler... still send a pfkey_delete message, but log this !*/ 3283 plog(LLV_INFO, LOCATION, NULL, 3284 "Unknown IPsec-SA spi=%u, hmmmm?\n", 3285 ntohl(sa->sadb_sa_spi)); 3286 }else{ 3287 3288 /* 3289 * If we have a new ph1, do not purge IPsec-SAs binded 3290 * to a different ISAKMP-SA 3291 */ 3292 if (iph2->ph1 != NULL && iph2->ph1 != iph1){ 3293 msg = next; 3294 continue; 3295 } 3296 3297 /* If the ph2handle is established, do not purge IPsec-SA */ 3298 if (iph2->status == PHASE2ST_ESTABLISHED || 3299 iph2->status == PHASE2ST_EXPIRED) { 3300 3301 plog(LLV_INFO, LOCATION, NULL, 3302 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n", 3303 ntohl(sa->sadb_sa_spi), 3304 isakmp_pindex(&(new_iph1->index), new_iph1->msgid)); 3305 msg = next; 3306 continue; 3307 } 3308 } 3309 } 3310 3311 3312 pfkey_send_delete(lcconf->sock_pfkey, 3313 msg->sadb_msg_satype, 3314 IPSEC_MODE_ANY, 3315 src, dst, sa->sadb_sa_spi); 3316 3317 /* delete a relative phase 2 handle. */ 3318 if (iph2 != NULL) { 3319 delete_spd(iph2, 0); 3320 unbindph12(iph2); 3321 remph2(iph2); 3322 delph2(iph2); 3323 } 3324 3325 plog(LLV_INFO, LOCATION, NULL, 3326 "purged IPsec-SA spi=%u.\n", 3327 ntohl(sa->sadb_sa_spi)); 3328 3329 msg = next; 3330 } 3331 3332 if (buf) 3333 vfree(buf); 3334 3335 /* Mark the phase1 handler as EXPIRED */ 3336 plog(LLV_INFO, LOCATION, NULL, 3337 "purged ISAKMP-SA spi=%s.\n", 3338 isakmp_pindex(&(iph1->index), iph1->msgid)); 3339 3340 SCHED_KILL(iph1->sce); 3341 3342 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); 3343 } 3344 3345 void 3346 delete_spd(iph2, created) 3347 struct ph2handle *iph2; 3348 u_int64_t created; 3349 { 3350 struct policyindex spidx; 3351 struct sockaddr_storage addr; 3352 u_int8_t pref; 3353 struct sockaddr *src; 3354 struct sockaddr *dst; 3355 int error; 3356 int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */ 3357 3358 if (iph2 == NULL) 3359 return; 3360 3361 /* Delete the SPD entry if we generated it 3362 */ 3363 if (! iph2->generated_spidx ) 3364 return; 3365 3366 src = iph2->src; 3367 dst = iph2->dst; 3368 3369 plog(LLV_INFO, LOCATION, NULL, 3370 "generated policy, deleting it.\n"); 3371 3372 memset(&spidx, 0, sizeof(spidx)); 3373 iph2->spidx_gen = (caddr_t )&spidx; 3374 3375 /* make inbound policy */ 3376 iph2->src = dst; 3377 iph2->dst = src; 3378 spidx.dir = IPSEC_DIR_INBOUND; 3379 spidx.ul_proto = 0; 3380 3381 /* 3382 * Note: code from get_proposal_r 3383 */ 3384 3385 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type 3386 3387 /* 3388 * make destination address in spidx from either ID payload 3389 * or phase 1 address into a address in spidx. 3390 */ 3391 if (iph2->id != NULL 3392 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 3393 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR 3394 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET 3395 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 3396 /* get a destination address of a policy */ 3397 error = ipsecdoi_id2sockaddr(iph2->id, 3398 (struct sockaddr *)&spidx.dst, 3399 &spidx.prefd, &spidx.ul_proto); 3400 if (error) 3401 goto purge; 3402 3403 #ifdef INET6 3404 /* 3405 * get scopeid from the SA address. 3406 * note that the phase 1 source address is used as 3407 * a destination address to search for a inbound 3408 * policy entry because rcoon is responder. 3409 */ 3410 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { 3411 if ((error = 3412 setscopeid((struct sockaddr *)&spidx.dst, 3413 iph2->src)) != 0) 3414 goto purge; 3415 } 3416 #endif 3417 3418 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 3419 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) 3420 idi2type = _XIDT(iph2->id); 3421 3422 } else { 3423 3424 plog(LLV_DEBUG, LOCATION, NULL, 3425 "get a destination address of SP index " 3426 "from phase1 address " 3427 "due to no ID payloads found " 3428 "OR because ID type is not address.\n"); 3429 3430 /* 3431 * copy the SOURCE address of IKE into the 3432 * DESTINATION address of the key to search the 3433 * SPD because the direction of policy is inbound. 3434 */ 3435 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); 3436 switch (spidx.dst.ss_family) { 3437 case AF_INET: 3438 spidx.prefd = 3439 sizeof(struct in_addr) << 3; 3440 break; 3441 #ifdef INET6 3442 case AF_INET6: 3443 spidx.prefd = 3444 sizeof(struct in6_addr) << 3; 3445 break; 3446 #endif 3447 default: 3448 spidx.prefd = 0; 3449 break; 3450 } 3451 } 3452 3453 /* make source address in spidx */ 3454 if (iph2->id_p != NULL 3455 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR 3456 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR 3457 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET 3458 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 3459 /* get a source address of inbound SA */ 3460 error = ipsecdoi_id2sockaddr(iph2->id_p, 3461 (struct sockaddr *)&spidx.src, 3462 &spidx.prefs, &spidx.ul_proto); 3463 if (error) 3464 goto purge; 3465 3466 #ifdef INET6 3467 /* 3468 * get scopeid from the SA address. 3469 * for more detail, see above of this function. 3470 */ 3471 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { 3472 error = 3473 setscopeid((struct sockaddr *)&spidx.src, 3474 iph2->dst); 3475 if (error) 3476 goto purge; 3477 } 3478 #endif 3479 3480 /* make id[src,dst] if both ID types are IP address and same */ 3481 if (_XIDT(iph2->id_p) == idi2type 3482 && spidx.dst.ss_family == spidx.src.ss_family) { 3483 iph2->src_id = 3484 dupsaddr((struct sockaddr *)&spidx.dst); 3485 if (iph2->src_id == NULL) { 3486 plog(LLV_ERROR, LOCATION, NULL, 3487 "allocation failed\n"); 3488 goto purge; 3489 } 3490 iph2->dst_id = 3491 dupsaddr((struct sockaddr *)&spidx.src); 3492 if (iph2->dst_id == NULL) { 3493 plog(LLV_ERROR, LOCATION, NULL, 3494 "allocation failed\n"); 3495 goto purge; 3496 } 3497 } 3498 3499 } else { 3500 plog(LLV_DEBUG, LOCATION, NULL, 3501 "get a source address of SP index " 3502 "from phase1 address " 3503 "due to no ID payloads found " 3504 "OR because ID type is not address.\n"); 3505 3506 /* see above comment. */ 3507 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); 3508 switch (spidx.src.ss_family) { 3509 case AF_INET: 3510 spidx.prefs = 3511 sizeof(struct in_addr) << 3; 3512 break; 3513 #ifdef INET6 3514 case AF_INET6: 3515 spidx.prefs = 3516 sizeof(struct in6_addr) << 3; 3517 break; 3518 #endif 3519 default: 3520 spidx.prefs = 0; 3521 break; 3522 } 3523 } 3524 3525 #undef _XIDT 3526 3527 plog(LLV_DEBUG, LOCATION, NULL, 3528 "get a src address from ID payload " 3529 "%s prefixlen=%u ul_proto=%u\n", 3530 saddr2str((struct sockaddr *)&spidx.src), 3531 spidx.prefs, spidx.ul_proto); 3532 plog(LLV_DEBUG, LOCATION, NULL, 3533 "get dst address from ID payload " 3534 "%s prefixlen=%u ul_proto=%u\n", 3535 saddr2str((struct sockaddr *)&spidx.dst), 3536 spidx.prefd, spidx.ul_proto); 3537 3538 /* 3539 * convert the ul_proto if it is 0 3540 * because 0 in ID payload means a wild card. 3541 */ 3542 if (spidx.ul_proto == 0) 3543 spidx.ul_proto = IPSEC_ULPROTO_ANY; 3544 3545 #undef _XIDT 3546 3547 /* Check if the generated SPD has the same timestamp as the SA. 3548 * If timestamps are different, this means that the SPD entry has been 3549 * refreshed by another SA, and should NOT be deleted with the current SA. 3550 */ 3551 if( created ){ 3552 struct secpolicy *p; 3553 3554 p = getsp(&spidx); 3555 if(p != NULL){ 3556 /* just do no test if p is NULL, because this probably just means 3557 * that the policy has already be deleted for some reason. 3558 */ 3559 if(p->spidx.created != created) 3560 goto purge; 3561 } 3562 } 3563 3564 /* End of code from get_proposal_r 3565 */ 3566 3567 if (pk_sendspddelete(iph2) < 0) { 3568 plog(LLV_ERROR, LOCATION, NULL, 3569 "pfkey spddelete(inbound) failed.\n"); 3570 }else{ 3571 plog(LLV_DEBUG, LOCATION, NULL, 3572 "pfkey spddelete(inbound) sent.\n"); 3573 } 3574 3575 #ifdef HAVE_POLICY_FWD 3576 /* make forward policy if required */ 3577 if (tunnel_mode_prop(iph2->approval)) { 3578 spidx.dir = IPSEC_DIR_FWD; 3579 if (pk_sendspddelete(iph2) < 0) { 3580 plog(LLV_ERROR, LOCATION, NULL, 3581 "pfkey spddelete(forward) failed.\n"); 3582 }else{ 3583 plog(LLV_DEBUG, LOCATION, NULL, 3584 "pfkey spddelete(forward) sent.\n"); 3585 } 3586 } 3587 #endif 3588 3589 /* make outbound policy */ 3590 iph2->src = src; 3591 iph2->dst = dst; 3592 spidx.dir = IPSEC_DIR_OUTBOUND; 3593 addr = spidx.src; 3594 spidx.src = spidx.dst; 3595 spidx.dst = addr; 3596 pref = spidx.prefs; 3597 spidx.prefs = spidx.prefd; 3598 spidx.prefd = pref; 3599 3600 if (pk_sendspddelete(iph2) < 0) { 3601 plog(LLV_ERROR, LOCATION, NULL, 3602 "pfkey spddelete(outbound) failed.\n"); 3603 }else{ 3604 plog(LLV_DEBUG, LOCATION, NULL, 3605 "pfkey spddelete(outbound) sent.\n"); 3606 } 3607 purge: 3608 iph2->spidx_gen=NULL; 3609 } 3610 3611 3612 #ifdef INET6 3613 u_int32_t 3614 setscopeid(sp_addr0, sa_addr0) 3615 struct sockaddr *sp_addr0, *sa_addr0; 3616 { 3617 struct sockaddr_in6 *sp_addr, *sa_addr; 3618 3619 sp_addr = (struct sockaddr_in6 *)sp_addr0; 3620 sa_addr = (struct sockaddr_in6 *)sa_addr0; 3621 3622 if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr) 3623 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr) 3624 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr)) 3625 return 0; 3626 3627 /* this check should not be here ? */ 3628 if (sa_addr->sin6_family != AF_INET6) { 3629 plog(LLV_ERROR, LOCATION, NULL, 3630 "can't get scope ID: family mismatch\n"); 3631 return -1; 3632 } 3633 3634 if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) { 3635 plog(LLV_ERROR, LOCATION, NULL, 3636 "scope ID is not supported except of lladdr.\n"); 3637 return -1; 3638 } 3639 3640 sp_addr->sin6_scope_id = sa_addr->sin6_scope_id; 3641 3642 return 0; 3643 } 3644 #endif 3645
