1 /* $NetBSD: isakmp.c,v 1.71 2011/03/15 13:20:14 vanhu Exp $ */ 2 3 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <netinet/in.h> 42 #include <arpa/inet.h> 43 44 #include PATH_IPSEC_H 45 46 #include <stdlib.h> 47 #include <stdio.h> 48 #include <string.h> 49 #include <errno.h> 50 #if TIME_WITH_SYS_TIME 51 # include <sys/time.h> 52 # include <time.h> 53 #else 54 # if HAVE_SYS_TIME_H 55 # include <sys/time.h> 56 # else 57 # include <time.h> 58 # endif 59 #endif 60 #include <netdb.h> 61 #ifdef HAVE_UNISTD_H 62 #include <unistd.h> 63 #endif 64 #include <ctype.h> 65 #ifdef ENABLE_HYBRID 66 #include <resolv.h> 67 #endif 68 69 #include "var.h" 70 #include "misc.h" 71 #include "vmbuf.h" 72 #include "plog.h" 73 #include "sockmisc.h" 74 #include "schedule.h" 75 #include "session.h" 76 #include "debug.h" 77 78 #include "remoteconf.h" 79 #include "localconf.h" 80 #include "grabmyaddr.h" 81 #include "admin.h" 82 #include "privsep.h" 83 #include "isakmp_var.h" 84 #include "isakmp.h" 85 #include "oakley.h" 86 #include "evt.h" 87 #include "handler.h" 88 #include "ipsec_doi.h" 89 #include "pfkey.h" 90 #include "crypto_openssl.h" 91 #include "policy.h" 92 #include "algorithm.h" 93 #include "proposal.h" 94 #include "sainfo.h" 95 #include "isakmp_ident.h" 96 #include "isakmp_agg.h" 97 #include "isakmp_base.h" 98 #include "isakmp_quick.h" 99 #include "isakmp_inf.h" 100 #include "isakmp_newg.h" 101 #ifdef ENABLE_HYBRID 102 #include "vendorid.h" 103 #include "isakmp_xauth.h" 104 #include "isakmp_unity.h" 105 #include "isakmp_cfg.h" 106 #endif 107 #ifdef ENABLE_FRAG 108 #include "isakmp_frag.h" 109 #endif 110 #include "strnames.h" 111 112 #include <fcntl.h> 113 114 #ifdef ENABLE_NATT 115 # include "nattraversal.h" 116 #endif 117 # ifdef __linux__ 118 # include <linux/udp.h> 119 # include <linux/ip.h> 120 # ifndef SOL_UDP 121 # define SOL_UDP 17 122 # endif 123 # endif /* __linux__ */ 124 # if defined(__NetBSD__) || defined(__FreeBSD__) || \ 125 (defined(__APPLE__) && defined(__MACH__)) 126 # include <netinet/in.h> 127 # include <netinet/udp.h> 128 # include <netinet/in_systm.h> 129 # include <netinet/ip.h> 130 # define SOL_UDP IPPROTO_UDP 131 # endif /* __NetBSD__ / __FreeBSD__ */ 132 133 static int nostate1 __P((struct ph1handle *, vchar_t *)); 134 static int nostate2 __P((struct ph2handle *, vchar_t *)); 135 136 extern caddr_t val2str(const char *, size_t); 137 138 static int (*ph1exchange[][2][PHASE1ST_MAX]) 139 __P((struct ph1handle *, vchar_t *)) = { 140 /* error */ 141 { { 0 }, { 0 }, }, 142 /* Identity Protection exchange */ 143 { 144 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send, 145 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, nostate1,}, 146 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send, 147 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, nostate1, }, 148 }, 149 /* Aggressive exchange */ 150 { 151 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send, 152 nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, }, 153 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send, 154 nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, }, 155 }, 156 /* Base exchange */ 157 { 158 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send, 159 base_i3recv, base_i3send, nostate1, nostate1, nostate1, nostate1, }, 160 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send, 161 nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, }, 162 }, 163 }; 164 165 static int (*ph2exchange[][2][PHASE2ST_MAX]) 166 __P((struct ph2handle *, vchar_t *)) = { 167 /* error */ 168 { { 0 }, { 0 }, }, 169 /* Quick mode for IKE */ 170 { 171 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send, 172 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, }, 173 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send, 174 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, } 175 }, 176 }; 177 178 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ 179 180 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); 181 static int ph1_main __P((struct ph1handle *, vchar_t *)); 182 static int quick_main __P((struct ph2handle *, vchar_t *)); 183 static int isakmp_ph1begin_r __P((vchar_t *, 184 struct sockaddr *, struct sockaddr *, u_int8_t)); 185 static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *)); 186 static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *)); 187 static int etypesw1 __P((int)); 188 static int etypesw2 __P((int)); 189 static int isakmp_ph1resend __P((struct ph1handle *)); 190 static int isakmp_ph2resend __P((struct ph2handle *)); 191 192 #ifdef ENABLE_FRAG 193 static int frag_handler(struct ph1handle *, 194 vchar_t *, struct sockaddr *, struct sockaddr *); 195 #endif 196 197 /* 198 * isakmp packet handler 199 */ 200 static int 201 isakmp_handler(ctx, so_isakmp) 202 void *ctx; 203 int so_isakmp; 204 { 205 struct isakmp isakmp; 206 union { 207 char buf[sizeof (isakmp) + 4]; 208 u_int32_t non_esp[2]; 209 struct { 210 struct udphdr udp; 211 #ifdef __linux 212 struct iphdr ip; 213 #else 214 struct ip ip; 215 #endif 216 char buf[sizeof(isakmp) + 4]; 217 } lbuf; 218 } x; 219 struct sockaddr_storage remote; 220 struct sockaddr_storage local; 221 unsigned int remote_len = sizeof(remote); 222 unsigned int local_len = sizeof(local); 223 int len = 0, extralen = 0; 224 vchar_t *buf = NULL, *tmpbuf = NULL; 225 int error = -1, res; 226 227 /* read message by MSG_PEEK */ 228 while ((len = recvfromto(so_isakmp, x.buf, sizeof(x), 229 MSG_PEEK, (struct sockaddr *)&remote, &remote_len, 230 (struct sockaddr *)&local, &local_len)) < 0) { 231 if (errno == EINTR) 232 continue; 233 plog(LLV_ERROR, LOCATION, NULL, 234 "failed to receive isakmp packet: %s\n", 235 strerror (errno)); 236 goto end; 237 } 238 239 /* keep-alive packet - ignore */ 240 if (len == 1 && (x.buf[0]&0xff) == 0xff) { 241 /* Pull the keep-alive packet */ 242 if ((len = recvfrom(so_isakmp, (char *)x.buf, 1, 243 0, (struct sockaddr *)&remote, &remote_len)) != 1) { 244 plog(LLV_ERROR, LOCATION, NULL, 245 "failed to receive keep alive packet: %s\n", 246 strerror (errno)); 247 } 248 goto end; 249 } 250 251 /* Lucent IKE in UDP encapsulation */ 252 { 253 #ifdef __linux__ 254 if (ntohs(x.lbuf.udp.dest) == 501) { 255 extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ihl; 256 } 257 #else 258 if (ntohs(x.lbuf.udp.uh_dport) == 501) { 259 extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl; 260 } 261 #endif 262 } 263 264 #ifdef ENABLE_NATT 265 /* we don't know about portchange yet, 266 look for non-esp marker instead */ 267 if (x.non_esp[0] == 0 && x.non_esp[1] != 0) 268 extralen = NON_ESP_MARKER_LEN; 269 #endif 270 271 /* now we know if there is an extra non-esp 272 marker at the beginning or not */ 273 memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp)); 274 275 /* check isakmp header length, as well as sanity of header length */ 276 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) { 277 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, 278 "packet shorter than isakmp header size (%u, %u, %zu)\n", 279 len, ntohl(isakmp.len), sizeof(isakmp)); 280 /* dummy receive */ 281 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 282 0, (struct sockaddr *)&remote, &remote_len)) < 0) { 283 plog(LLV_ERROR, LOCATION, NULL, 284 "failed to receive isakmp packet: %s\n", 285 strerror (errno)); 286 } 287 goto end; 288 } 289 290 /* reject it if the size is tooooo big. */ 291 if (ntohl(isakmp.len) > 0xffff) { 292 plog(LLV_ERROR, LOCATION, NULL, 293 "the length in the isakmp header is too big.\n"); 294 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 295 0, (struct sockaddr *)&remote, &remote_len)) < 0) { 296 plog(LLV_ERROR, LOCATION, NULL, 297 "failed to receive isakmp packet: %s\n", 298 strerror (errno)); 299 } 300 goto end; 301 } 302 303 /* read real message */ 304 if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) { 305 plog(LLV_ERROR, LOCATION, NULL, 306 "failed to allocate reading buffer (%u Bytes)\n", 307 ntohl(isakmp.len) + extralen); 308 /* dummy receive */ 309 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 310 0, (struct sockaddr *)&remote, &remote_len)) < 0) { 311 plog(LLV_ERROR, LOCATION, NULL, 312 "failed to receive isakmp packet: %s\n", 313 strerror (errno)); 314 } 315 goto end; 316 } 317 318 while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l, 319 0, (struct sockaddr *)&remote, &remote_len, 320 (struct sockaddr *)&local, &local_len)) < 0) { 321 if (errno == EINTR) 322 continue; 323 plog(LLV_ERROR, LOCATION, NULL, 324 "failed to receive isakmp packet: %s\n", 325 strerror (errno)); 326 goto end; 327 } 328 329 if ((buf = vmalloc(len - extralen)) == NULL) { 330 plog(LLV_ERROR, LOCATION, NULL, 331 "failed to allocate reading buffer (%u Bytes)\n", 332 (len - extralen)); 333 goto end; 334 } 335 336 memcpy (buf->v, tmpbuf->v + extralen, buf->l); 337 338 len -= extralen; 339 340 if (len != buf->l) { 341 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, 342 "received invalid length (%d != %zu), why ?\n", 343 len, buf->l); 344 goto end; 345 } 346 347 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 348 plog(LLV_DEBUG, LOCATION, NULL, 349 "%d bytes message received %s\n", 350 len, saddr2str_fromto("from %s to %s", 351 (struct sockaddr *)&remote, 352 (struct sockaddr *)&local)); 353 plogdump(LLV_DEBUG, buf->v, buf->l); 354 355 /* avoid packets with malicious port/address */ 356 if (extract_port((struct sockaddr *)&remote) == 0) { 357 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, 358 "src port == 0 (valid as UDP but not with IKE)\n"); 359 goto end; 360 } 361 362 /* XXX: check sender whether to be allowed or not to accept */ 363 364 /* XXX: I don't know how to check isakmp half connection attack. */ 365 366 /* simply reply if the packet was processed. */ 367 res=check_recvdpkt((struct sockaddr *)&remote,(struct sockaddr *)&local, buf); 368 if (res) { 369 plog(LLV_NOTIFY, LOCATION, NULL, 370 "the packet is retransmitted by %s (%d).\n", 371 saddr2str((struct sockaddr *)&remote), res); 372 error = 0; 373 goto end; 374 } 375 376 /* isakmp main routine */ 377 if (isakmp_main(buf, (struct sockaddr *)&remote, 378 (struct sockaddr *)&local) != 0) goto end; 379 380 error = 0; 381 382 end: 383 if (tmpbuf != NULL) 384 vfree(tmpbuf); 385 if (buf != NULL) 386 vfree(buf); 387 return error; 388 } 389 390 /* 391 * main processing to handle isakmp payload 392 */ 393 static int 394 isakmp_main(msg, remote, local) 395 vchar_t *msg; 396 struct sockaddr *remote, *local; 397 { 398 struct isakmp *isakmp = (struct isakmp *)msg->v; 399 isakmp_index *index = (isakmp_index *)isakmp; 400 u_int32_t msgid = isakmp->msgid; 401 struct ph1handle *iph1; 402 403 #ifdef HAVE_PRINT_ISAKMP_C 404 isakmp_printpacket(msg, remote, local, 0); 405 #endif 406 407 /* the initiator's cookie must not be zero */ 408 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) { 409 plog(LLV_ERROR, LOCATION, remote, 410 "malformed cookie received.\n"); 411 return -1; 412 } 413 414 /* Check the Major and Minor Version fields. */ 415 /* 416 * XXX Is is right to check version here ? 417 * I think it may no be here because the version depends 418 * on exchange status. 419 */ 420 if (isakmp->v < ISAKMP_VERSION_NUMBER) { 421 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) { 422 plog(LLV_ERROR, LOCATION, remote, 423 "invalid major version %d.\n", 424 ISAKMP_GETMAJORV(isakmp->v)); 425 return -1; 426 } 427 #if ISAKMP_MINOR_VERSION > 0 428 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) { 429 plog(LLV_ERROR, LOCATION, remote, 430 "invalid minor version %d.\n", 431 ISAKMP_GETMINORV(isakmp->v)); 432 return -1; 433 } 434 #endif 435 } 436 437 /* check the Flags field. */ 438 /* XXX How is the exclusive check, E and A ? */ 439 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) { 440 plog(LLV_ERROR, LOCATION, remote, 441 "invalid flag 0x%02x.\n", isakmp->flags); 442 return -1; 443 } 444 445 /* ignore commit bit. */ 446 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) { 447 if (isakmp->msgid == 0) { 448 isakmp_info_send_nx(isakmp, remote, local, 449 ISAKMP_NTYPE_INVALID_FLAGS, NULL); 450 plog(LLV_ERROR, LOCATION, remote, 451 "Commit bit on phase1 forbidden.\n"); 452 return -1; 453 } 454 } 455 456 iph1 = getph1byindex(index); 457 if (iph1 != NULL) { 458 /* validity check */ 459 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 && 460 iph1->side == INITIATOR) { 461 plog(LLV_DEBUG, LOCATION, remote, 462 "malformed cookie received or " 463 "the initiator's cookies collide.\n"); 464 return -1; 465 } 466 467 #ifdef ENABLE_NATT 468 /* Floating ports for NAT-T */ 469 if (NATT_AVAILABLE(iph1) && 470 ! (iph1->natt_flags & NAT_PORTS_CHANGED) && 471 ((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) || 472 (cmpsaddr(iph1->local, local) != CMPSADDR_MATCH))) 473 { 474 /* prevent memory leak */ 475 racoon_free(iph1->remote); 476 racoon_free(iph1->local); 477 iph1->remote = NULL; 478 iph1->local = NULL; 479 480 /* copy-in new addresses */ 481 iph1->remote = dupsaddr(remote); 482 if (iph1->remote == NULL) { 483 plog(LLV_ERROR, LOCATION, iph1->remote, 484 "phase1 failed: dupsaddr failed.\n"); 485 remph1(iph1); 486 delph1(iph1); 487 return -1; 488 } 489 iph1->local = dupsaddr(local); 490 if (iph1->local == NULL) { 491 plog(LLV_ERROR, LOCATION, iph1->remote, 492 "phase1 failed: dupsaddr failed.\n"); 493 remph1(iph1); 494 delph1(iph1); 495 return -1; 496 } 497 498 /* set the flag to prevent further port floating 499 (FIXME: should we allow it? E.g. when the NAT gw 500 is rebooted?) */ 501 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; 502 503 /* print some neat info */ 504 plog (LLV_INFO, LOCATION, NULL, 505 "NAT-T: ports changed to: %s\n", 506 saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local)); 507 508 natt_keepalive_add_ph1 (iph1); 509 } 510 #endif 511 512 /* must be same addresses in one stream of a phase at least. */ 513 if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) { 514 char *saddr_db, *saddr_act; 515 516 saddr_db = racoon_strdup(saddr2str(iph1->remote)); 517 saddr_act = racoon_strdup(saddr2str(remote)); 518 STRDUP_FATAL(saddr_db); 519 STRDUP_FATAL(saddr_act); 520 521 plog(LLV_WARNING, LOCATION, remote, 522 "remote address mismatched. db=%s, act=%s\n", 523 saddr_db, saddr_act); 524 525 racoon_free(saddr_db); 526 racoon_free(saddr_act); 527 } 528 529 /* 530 * don't check of exchange type here because other type will be 531 * with same index, for example, informational exchange. 532 */ 533 534 /* XXX more acceptable check */ 535 } 536 537 switch (isakmp->etype) { 538 case ISAKMP_ETYPE_IDENT: 539 case ISAKMP_ETYPE_AGG: 540 case ISAKMP_ETYPE_BASE: 541 /* phase 1 validity check */ 542 if (isakmp->msgid != 0) { 543 plog(LLV_ERROR, LOCATION, remote, 544 "message id should be zero in phase1.\n"); 545 return -1; 546 } 547 548 /* search for isakmp status record of phase 1 */ 549 if (iph1 == NULL) { 550 /* 551 * the packet must be the 1st message from a initiator 552 * or the 2nd message from the responder. 553 */ 554 555 /* search for phase1 handle by index without r_ck */ 556 iph1 = getph1byindex0(index); 557 if (iph1 == NULL) { 558 /*it must be the 1st message from a initiator.*/ 559 if (memcmp(&isakmp->r_ck, r_ck0, 560 sizeof(cookie_t)) != 0) { 561 562 plog(LLV_DEBUG, LOCATION, remote, 563 "malformed cookie received " 564 "or the spi expired.\n"); 565 return -1; 566 } 567 568 /* it must be responder's 1st exchange. */ 569 if (isakmp_ph1begin_r(msg, remote, local, 570 isakmp->etype) < 0) 571 return -1; 572 break; 573 574 /*NOTREACHED*/ 575 } 576 577 /* it must be the 2nd message from the responder. */ 578 if (iph1->side != INITIATOR) { 579 plog(LLV_DEBUG, LOCATION, remote, 580 "malformed cookie received. " 581 "it has to be as the initiator. %s\n", 582 isakmp_pindex(&iph1->index, 0)); 583 return -1; 584 } 585 } 586 587 /* 588 * Don't delete phase 1 handler when the exchange type 589 * in handler is not equal to packet's one because of no 590 * authencication completed. 591 */ 592 if (iph1->etype != isakmp->etype) { 593 plog(LLV_ERROR, LOCATION, iph1->remote, 594 "exchange type is mismatched: " 595 "db=%s packet=%s, ignore it.\n", 596 s_isakmp_etype(iph1->etype), 597 s_isakmp_etype(isakmp->etype)); 598 return -1; 599 } 600 601 #ifdef ENABLE_FRAG 602 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 603 return frag_handler(iph1, msg, remote, local); 604 #endif 605 606 /* call main process of phase 1 */ 607 if (ph1_main(iph1, msg) < 0) { 608 plog(LLV_ERROR, LOCATION, iph1->remote, 609 "phase1 negotiation failed.\n"); 610 remph1(iph1); 611 delph1(iph1); 612 return -1; 613 } 614 break; 615 616 case ISAKMP_ETYPE_AUTH: 617 plog(LLV_INFO, LOCATION, remote, 618 "unsupported exchange %d received.\n", 619 isakmp->etype); 620 break; 621 622 case ISAKMP_ETYPE_INFO: 623 case ISAKMP_ETYPE_ACKINFO: 624 /* 625 * iph1 must be present for Information message. 626 * if iph1 is null then trying to get the phase1 status 627 * as the packet from responder againt initiator's 1st 628 * exchange in phase 1. 629 * NOTE: We think such informational exchange should be ignored. 630 */ 631 if (iph1 == NULL) { 632 iph1 = getph1byindex0(index); 633 if (iph1 == NULL) { 634 plog(LLV_ERROR, LOCATION, remote, 635 "unknown Informational " 636 "exchange received.\n"); 637 return -1; 638 } 639 if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) { 640 plog(LLV_WARNING, LOCATION, remote, 641 "remote address mismatched. " 642 "db=%s\n", 643 saddr2str(iph1->remote)); 644 } 645 } 646 647 #ifdef ENABLE_FRAG 648 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 649 return frag_handler(iph1, msg, remote, local); 650 #endif 651 652 if (isakmp_info_recv(iph1, msg) < 0) 653 return -1; 654 break; 655 656 case ISAKMP_ETYPE_QUICK: 657 { 658 struct ph2handle *iph2; 659 660 if (iph1 == NULL) { 661 isakmp_info_send_nx(isakmp, remote, local, 662 ISAKMP_NTYPE_INVALID_COOKIE, NULL); 663 plog(LLV_ERROR, LOCATION, remote, 664 "can't start the quick mode, " 665 "there is no ISAKMP-SA, %s\n", 666 isakmp_pindex((isakmp_index *)&isakmp->i_ck, 667 isakmp->msgid)); 668 return -1; 669 } 670 #ifdef ENABLE_HYBRID 671 /* Reinit the IVM if it's still there */ 672 if (iph1->mode_cfg && iph1->mode_cfg->ivm) { 673 oakley_delivm(iph1->mode_cfg->ivm); 674 iph1->mode_cfg->ivm = NULL; 675 } 676 #endif 677 #ifdef ENABLE_FRAG 678 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 679 return frag_handler(iph1, msg, remote, local); 680 #endif 681 682 /* check status of phase 1 whether negotiated or not. */ 683 if (iph1->status != PHASE1ST_ESTABLISHED && 684 iph1->status != PHASE1ST_DYING) { 685 plog(LLV_ERROR, LOCATION, remote, 686 "can't start the quick mode, " 687 "there is no valid ISAKMP-SA, %s\n", 688 isakmp_pindex(&iph1->index, iph1->msgid)); 689 return -1; 690 } 691 692 /* search isakmp phase 2 stauts record. */ 693 iph2 = getph2bymsgid(iph1, msgid); 694 if (iph2 == NULL) { 695 /* it must be new negotiation as responder */ 696 if (isakmp_ph2begin_r(iph1, msg) < 0) 697 return -1; 698 return 0; 699 /*NOTREACHED*/ 700 } 701 702 /* commit bit. */ 703 /* XXX 704 * we keep to set commit bit during negotiation. 705 * When SA is configured, bit will be reset. 706 * XXX 707 * don't initiate commit bit. should be fixed in the future. 708 */ 709 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) 710 iph2->flags |= ISAKMP_FLAG_C; 711 712 /* call main process of quick mode */ 713 if (quick_main(iph2, msg) < 0) { 714 plog(LLV_ERROR, LOCATION, iph1->remote, 715 "phase2 negotiation failed.\n"); 716 remph2(iph2); 717 delph2(iph2); 718 return -1; 719 } 720 } 721 break; 722 723 case ISAKMP_ETYPE_NEWGRP: 724 if (iph1 == NULL) { 725 plog(LLV_ERROR, LOCATION, remote, 726 "Unknown new group mode exchange, " 727 "there is no ISAKMP-SA.\n"); 728 return -1; 729 } 730 731 #ifdef ENABLE_FRAG 732 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 733 return frag_handler(iph1, msg, remote, local); 734 #endif 735 736 isakmp_newgroup_r(iph1, msg); 737 break; 738 739 #ifdef ENABLE_HYBRID 740 case ISAKMP_ETYPE_CFG: 741 if (iph1 == NULL) { 742 plog(LLV_ERROR, LOCATION, NULL, 743 "mode config %d from %s, " 744 "but we have no ISAKMP-SA.\n", 745 isakmp->etype, saddr2str(remote)); 746 return -1; 747 } 748 749 #ifdef ENABLE_FRAG 750 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 751 return frag_handler(iph1, msg, remote, local); 752 #endif 753 754 isakmp_cfg_r(iph1, msg); 755 break; 756 #endif 757 758 case ISAKMP_ETYPE_NONE: 759 default: 760 plog(LLV_ERROR, LOCATION, NULL, 761 "Invalid exchange type %d from %s.\n", 762 isakmp->etype, saddr2str(remote)); 763 return -1; 764 } 765 766 return 0; 767 } 768 769 /* 770 * main function of phase 1. 771 */ 772 static int 773 ph1_main(iph1, msg) 774 struct ph1handle *iph1; 775 vchar_t *msg; 776 { 777 int error; 778 #ifdef ENABLE_STATS 779 struct timeval start, end; 780 #endif 781 782 /* ignore a packet */ 783 if (iph1->status >= PHASE1ST_ESTABLISHED) 784 return 0; 785 786 #ifdef ENABLE_STATS 787 gettimeofday(&start, NULL); 788 #endif 789 /* receive */ 790 if (ph1exchange[etypesw1(iph1->etype)] 791 [iph1->side] 792 [iph1->status] == NULL) { 793 plog(LLV_ERROR, LOCATION, iph1->remote, 794 "why isn't the function defined.\n"); 795 return -1; 796 } 797 error = (ph1exchange[etypesw1(iph1->etype)] 798 [iph1->side] 799 [iph1->status])(iph1, msg); 800 if (error != 0) { 801 802 /* XXX 803 * When an invalid packet is received on phase1, it should 804 * be selected to process this packet. That is to respond 805 * with a notify and delete phase 1 handler, OR not to respond 806 * and keep phase 1 handler. However, in PHASE1ST_START when 807 * acting as RESPONDER we must not keep phase 1 handler or else 808 * it will stay forever. 809 */ 810 811 if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) { 812 plog(LLV_ERROR, LOCATION, iph1->remote, 813 "failed to pre-process ph1 packet (side: %d, status %d).\n", 814 iph1->side, iph1->status); 815 return -1; 816 } else { 817 /* ignore the error and keep phase 1 handler */ 818 return 0; 819 } 820 } 821 822 #ifndef ENABLE_FRAG 823 /* free resend buffer */ 824 if (iph1->sendbuf == NULL) { 825 plog(LLV_ERROR, LOCATION, NULL, 826 "no buffer found as sendbuf\n"); 827 return -1; 828 } 829 #endif 830 831 VPTRINIT(iph1->sendbuf); 832 833 /* turn off schedule */ 834 sched_cancel(&iph1->scr); 835 836 /* send */ 837 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 838 if ((ph1exchange[etypesw1(iph1->etype)] 839 [iph1->side] 840 [iph1->status])(iph1, msg) != 0) { 841 plog(LLV_ERROR, LOCATION, iph1->remote, 842 "failed to process ph1 packet (side: %d, status: %d).\n", 843 iph1->side, iph1->status); 844 return -1; 845 } 846 847 #ifdef ENABLE_STATS 848 gettimeofday(&end, NULL); 849 syslog(LOG_NOTICE, "%s(%s): %8.6f", 850 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status), 851 timedelta(&start, &end)); 852 #endif 853 if (iph1->status == PHASE1ST_ESTABLISHED) { 854 855 #ifdef ENABLE_STATS 856 gettimeofday(&iph1->end, NULL); 857 syslog(LOG_NOTICE, "%s(%s): %8.6f", 858 "phase1", s_isakmp_etype(iph1->etype), 859 timedelta(&iph1->start, &iph1->end)); 860 #endif 861 862 /* save created date. */ 863 (void)time(&iph1->created); 864 865 /* migrate ph2s from dying ph1s */ 866 migrate_dying_ph12(iph1); 867 868 /* add to the schedule to expire, and seve back pointer. */ 869 if (ph1_rekey_enabled(iph1)) { 870 sched_schedule(&iph1->sce, 871 iph1->approval->lifetime * 872 PFKEY_SOFT_LIFETIME_RATE / 100, 873 isakmp_ph1dying_stub); 874 } else { 875 sched_schedule(&iph1->sce, iph1->approval->lifetime, 876 isakmp_ph1expire_stub); 877 } 878 879 #ifdef ENABLE_HYBRID 880 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 881 switch (iph1->approval->authmethod) { 882 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 883 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 884 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 885 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 886 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 887 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 888 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 889 xauth_sendreq(iph1); 890 /* XXX Don't process INITIAL_CONTACT */ 891 iph1->rmconf->ini_contact = 0; 892 break; 893 default: 894 break; 895 } 896 } 897 #endif 898 #ifdef ENABLE_DPD 899 /* Schedule the r_u_there.... */ 900 if(iph1->dpd_support && iph1->rmconf->dpd_interval) 901 isakmp_sched_r_u(iph1, 0); 902 #endif 903 904 /* INITIAL-CONTACT processing */ 905 /* don't anything if local test mode. */ 906 if (!f_local 907 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) { 908 /* send INITIAL-CONTACT */ 909 isakmp_info_send_n1(iph1, 910 ISAKMP_NTYPE_INITIAL_CONTACT, NULL); 911 /* insert a node into contacted list. */ 912 if (inscontacted(iph1->remote) == -1) { 913 plog(LLV_ERROR, LOCATION, iph1->remote, 914 "failed to add contacted list.\n"); 915 /* ignore */ 916 } 917 } 918 if (iph1->initial_contact_received) 919 isakmp_info_recv_initialcontact(iph1, NULL); 920 921 log_ph1established(iph1); 922 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 923 924 /* 925 * SA up shell script hook: do it now,except if 926 * ISAKMP mode config was requested. In the later 927 * case it is done when we receive the configuration. 928 */ 929 if ((iph1->status == PHASE1ST_ESTABLISHED) && 930 !iph1->rmconf->mode_cfg) { 931 switch (iph1->approval->authmethod) { 932 #ifdef ENABLE_HYBRID 933 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 934 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 935 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 936 /* Unimplemeted... */ 937 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 938 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 939 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 940 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 941 break; 942 #endif 943 default: 944 script_hook(iph1, SCRIPT_PHASE1_UP); 945 break; 946 } 947 } 948 } 949 950 return 0; 951 } 952 953 /* 954 * main function of quick mode. 955 */ 956 static int 957 quick_main(iph2, msg) 958 struct ph2handle *iph2; 959 vchar_t *msg; 960 { 961 struct isakmp *isakmp = (struct isakmp *)msg->v; 962 int error; 963 #ifdef ENABLE_STATS 964 struct timeval start, end; 965 #endif 966 967 /* ignore a packet */ 968 if (iph2->status == PHASE2ST_ESTABLISHED 969 || iph2->status == PHASE2ST_GETSPISENT) 970 return 0; 971 972 #ifdef ENABLE_STATS 973 gettimeofday(&start, NULL); 974 #endif 975 976 /* receive */ 977 if (ph2exchange[etypesw2(isakmp->etype)] 978 [iph2->side] 979 [iph2->status] == NULL) { 980 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 981 "why isn't the function defined.\n"); 982 return -1; 983 } 984 error = (ph2exchange[etypesw2(isakmp->etype)] 985 [iph2->side] 986 [iph2->status])(iph2, msg); 987 if (error != 0) { 988 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 989 "failed to pre-process ph2 packet (side: %d, status %d).\n", 990 iph2->side, iph2->status); 991 if (error == ISAKMP_INTERNAL_ERROR) 992 return 0; 993 isakmp_info_send_n1(iph2->ph1, error, NULL); 994 return -1; 995 } 996 997 /* when using commit bit, status will be reached here. */ 998 if (iph2->status == PHASE2ST_ADDSA) 999 return 0; 1000 1001 /* free resend buffer */ 1002 if (iph2->sendbuf == NULL) { 1003 plog(LLV_ERROR, LOCATION, NULL, 1004 "no buffer found as sendbuf\n"); 1005 return -1; 1006 } 1007 VPTRINIT(iph2->sendbuf); 1008 1009 /* turn off schedule */ 1010 sched_cancel(&iph2->scr); 1011 1012 /* send */ 1013 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1014 if ((ph2exchange[etypesw2(isakmp->etype)] 1015 [iph2->side] 1016 [iph2->status])(iph2, msg) != 0) { 1017 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1018 "failed to process ph2 packet (side: %d, status: %d).\n", 1019 iph2->side, iph2->status); 1020 return -1; 1021 } 1022 1023 #ifdef ENABLE_STATS 1024 gettimeofday(&end, NULL); 1025 syslog(LOG_NOTICE, "%s(%s): %8.6f", 1026 "phase2", 1027 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), 1028 timedelta(&start, &end)); 1029 #endif 1030 1031 return 0; 1032 } 1033 1034 /* new negotiation of phase 1 for initiator */ 1035 struct ph1handle * 1036 isakmp_ph1begin_i(rmconf, remote, local) 1037 struct remoteconf *rmconf; 1038 struct sockaddr *remote, *local; 1039 { 1040 struct ph1handle *iph1; 1041 #ifdef ENABLE_STATS 1042 struct timeval start, end; 1043 #endif 1044 1045 /* get new entry to isakmp status table. */ 1046 iph1 = newph1(); 1047 if (iph1 == NULL) 1048 return NULL; 1049 1050 iph1->status = PHASE1ST_START; 1051 iph1->rmconf = rmconf; 1052 iph1->side = INITIATOR; 1053 iph1->version = ISAKMP_VERSION_NUMBER; 1054 iph1->msgid = 0; 1055 iph1->flags = 0; 1056 iph1->ph2cnt = 0; 1057 #ifdef HAVE_GSSAPI 1058 iph1->gssapi_state = NULL; 1059 #endif 1060 #ifdef ENABLE_HYBRID 1061 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { 1062 delph1(iph1); 1063 return NULL; 1064 } 1065 #endif 1066 #ifdef ENABLE_FRAG 1067 1068 if(rmconf->ike_frag == ISAKMP_FRAG_FORCE) 1069 iph1->frag = 1; 1070 else 1071 iph1->frag = 0; 1072 iph1->frag_chain = NULL; 1073 #endif 1074 iph1->approval = NULL; 1075 1076 /* XXX copy remote address */ 1077 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) { 1078 delph1(iph1); 1079 return NULL; 1080 } 1081 1082 (void)insph1(iph1); 1083 1084 /* start phase 1 exchange */ 1085 iph1->etype = rmconf->etypes->type; 1086 1087 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1088 { 1089 char *a; 1090 1091 a = racoon_strdup(saddr2str(iph1->local)); 1092 STRDUP_FATAL(a); 1093 1094 plog(LLV_INFO, LOCATION, NULL, 1095 "initiate new phase 1 negotiation: %s<=>%s\n", 1096 a, saddr2str(iph1->remote)); 1097 racoon_free(a); 1098 } 1099 plog(LLV_INFO, LOCATION, NULL, 1100 "begin %s mode.\n", 1101 s_isakmp_etype(iph1->etype)); 1102 1103 #ifdef ENABLE_STATS 1104 gettimeofday(&iph1->start, NULL); 1105 gettimeofday(&start, NULL); 1106 #endif 1107 /* start exchange */ 1108 if ((ph1exchange[etypesw1(iph1->etype)] 1109 [iph1->side] 1110 [iph1->status])(iph1, NULL) != 0) { 1111 /* failed to start phase 1 negotiation */ 1112 remph1(iph1); 1113 delph1(iph1); 1114 1115 return NULL; 1116 } 1117 1118 #ifdef ENABLE_STATS 1119 gettimeofday(&end, NULL); 1120 syslog(LOG_NOTICE, "%s(%s): %8.6f", 1121 "phase1", 1122 s_isakmp_state(iph1->etype, iph1->side, iph1->status), 1123 timedelta(&start, &end)); 1124 #endif 1125 1126 return iph1; 1127 } 1128 1129 /* new negotiation of phase 1 for responder */ 1130 static int 1131 isakmp_ph1begin_r(msg, remote, local, etype) 1132 vchar_t *msg; 1133 struct sockaddr *remote, *local; 1134 u_int8_t etype; 1135 { 1136 struct isakmp *isakmp = (struct isakmp *)msg->v; 1137 struct ph1handle *iph1; 1138 struct rmconfselector rmsel; 1139 #ifdef ENABLE_STATS 1140 struct timeval start, end; 1141 #endif 1142 1143 /* check if this etype is allowed */ 1144 memset(&rmsel, 0, sizeof(rmsel)); 1145 rmsel.remote = remote; 1146 if (enumrmconf(&rmsel, check_etypeok, (void *) (intptr_t) etype) == 0) { 1147 plog(LLV_ERROR, LOCATION, remote, 1148 "exchange %s not allowed in any applicable rmconf.\n", 1149 s_isakmp_etype(etype)); 1150 return -1; 1151 } 1152 1153 /* get new entry to isakmp status table. */ 1154 iph1 = newph1(); 1155 if (iph1 == NULL) 1156 return -1; 1157 1158 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck)); 1159 iph1->status = PHASE1ST_START; 1160 iph1->flags = 0; 1161 iph1->side = RESPONDER; 1162 iph1->etype = etype; 1163 iph1->version = isakmp->v; 1164 iph1->msgid = 0; 1165 #ifdef HAVE_GSSAPI 1166 iph1->gssapi_state = NULL; 1167 #endif 1168 #ifdef ENABLE_HYBRID 1169 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { 1170 delph1(iph1); 1171 return -1; 1172 } 1173 #endif 1174 #ifdef ENABLE_FRAG 1175 iph1->frag = 0; 1176 iph1->frag_chain = NULL; 1177 #endif 1178 iph1->approval = NULL; 1179 1180 #ifdef ENABLE_NATT 1181 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port. 1182 * We have to setup this flag now to correctly generate the first reply. 1183 * Don't know if a better check could be done for that ? 1184 */ 1185 if(extract_port(local) == lcconf->port_isakmp_natt) 1186 iph1->natt_flags |= (NAT_PORTS_CHANGED); 1187 #endif 1188 1189 /* copy remote address; remote and local always contain 1190 * port numbers so rmconf is not needed */ 1191 if (copy_ph1addresses(iph1, NULL, remote, local) < 0) { 1192 delph1(iph1); 1193 return -1; 1194 } 1195 (void)insph1(iph1); 1196 1197 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1198 { 1199 char *a; 1200 1201 a = racoon_strdup(saddr2str(iph1->local)); 1202 STRDUP_FATAL(a); 1203 1204 plog(LLV_INFO, LOCATION, NULL, 1205 "respond new phase 1 negotiation: %s<=>%s\n", 1206 a, saddr2str(iph1->remote)); 1207 racoon_free(a); 1208 } 1209 plog(LLV_INFO, LOCATION, NULL, 1210 "begin %s mode.\n", s_isakmp_etype(etype)); 1211 1212 #ifdef ENABLE_STATS 1213 gettimeofday(&iph1->start, NULL); 1214 gettimeofday(&start, NULL); 1215 #endif 1216 1217 #ifndef ENABLE_FRAG 1218 1219 /* start exchange */ 1220 if ((ph1exchange[etypesw1(iph1->etype)] 1221 [iph1->side] 1222 [iph1->status])(iph1, msg) < 0 1223 || (ph1exchange[etypesw1(iph1->etype)] 1224 [iph1->side] 1225 [iph1->status])(iph1, msg) < 0) { 1226 plog(LLV_ERROR, LOCATION, remote, 1227 "failed to process ph1 packet (side: %d, status: %d).\n", 1228 iph1->side, iph1->status); 1229 remph1(iph1); 1230 delph1(iph1); 1231 return -1; 1232 } 1233 1234 #ifdef ENABLE_STATS 1235 gettimeofday(&end, NULL); 1236 syslog(LOG_NOTICE, "%s(%s): %8.6f", 1237 "phase1", 1238 s_isakmp_state(iph1->etype, iph1->side, iph1->status), 1239 timedelta(&start, &end)); 1240 #endif 1241 1242 return 0; 1243 1244 #else /* ENABLE_FRAG */ 1245 1246 /* now that we have a phase1 handle, feed back into our 1247 * main receive function to catch fragmented packets 1248 */ 1249 1250 return isakmp_main(msg, remote, local); 1251 1252 #endif /* ENABLE_FRAG */ 1253 1254 } 1255 1256 /* new negotiation of phase 2 for initiator */ 1257 static int 1258 isakmp_ph2begin_i(iph1, iph2) 1259 struct ph1handle *iph1; 1260 struct ph2handle *iph2; 1261 { 1262 #ifdef ENABLE_HYBRID 1263 if (xauth_check(iph1) != 0) { 1264 plog(LLV_ERROR, LOCATION, NULL, 1265 "Attempt to start phase 2 whereas Xauth failed\n"); 1266 return -1; 1267 } 1268 #endif 1269 1270 /* fixup ph2 ports for this ph1 */ 1271 if (extract_port(iph2->src) == 0) 1272 set_port(iph2->src, extract_port(iph1->local)); 1273 if (extract_port(iph2->dst) == 0) 1274 set_port(iph2->dst, extract_port(iph1->remote)); 1275 1276 /* found ISAKMP-SA. */ 1277 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1278 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); 1279 { 1280 char *a; 1281 a = racoon_strdup(saddr2str(iph2->src)); 1282 STRDUP_FATAL(a); 1283 1284 plog(LLV_INFO, LOCATION, NULL, 1285 "initiate new phase 2 negotiation: %s<=>%s\n", 1286 a, saddr2str(iph2->dst)); 1287 racoon_free(a); 1288 } 1289 1290 #ifdef ENABLE_STATS 1291 gettimeofday(&iph2->start, NULL); 1292 #endif 1293 if (iph2->status != PHASE2ST_EXPIRED) /* Phase 1 is already bound (ongoing rekeying) */ 1294 bindph12(iph1, iph2); 1295 iph2->status = PHASE2ST_STATUS2; 1296 1297 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] 1298 [iph2->side] 1299 [iph2->status])(iph2, NULL) < 0) { 1300 /* release ipsecsa handler due to internal error. */ 1301 remph2(iph2); 1302 return -1; 1303 } 1304 return 0; 1305 } 1306 1307 /* new negotiation of phase 2 for responder */ 1308 static int 1309 isakmp_ph2begin_r(iph1, msg) 1310 struct ph1handle *iph1; 1311 vchar_t *msg; 1312 { 1313 struct isakmp *isakmp = (struct isakmp *)msg->v; 1314 struct ph2handle *iph2 = 0; 1315 int error; 1316 #ifdef ENABLE_STATS 1317 struct timeval start, end; 1318 #endif 1319 #ifdef ENABLE_HYBRID 1320 if (xauth_check(iph1) != 0) { 1321 plog(LLV_ERROR, LOCATION, NULL, 1322 "Attempt to start phase 2 whereas Xauth failed\n"); 1323 return -1; 1324 } 1325 #endif 1326 1327 iph2 = newph2(); 1328 if (iph2 == NULL) { 1329 plog(LLV_ERROR, LOCATION, NULL, 1330 "failed to allocate phase2 entry.\n"); 1331 return -1; 1332 } 1333 1334 iph2->side = RESPONDER; 1335 iph2->status = PHASE2ST_START; 1336 iph2->flags = isakmp->flags; 1337 iph2->msgid = isakmp->msgid; 1338 iph2->seq = pk_getseq(); 1339 iph2->ivm = oakley_newiv2(iph1, iph2->msgid); 1340 if (iph2->ivm == NULL) { 1341 delph2(iph2); 1342 return -1; 1343 } 1344 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */ 1345 if (iph2->dst == NULL) { 1346 delph2(iph2); 1347 return -1; 1348 } 1349 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */ 1350 if (iph2->src == NULL) { 1351 delph2(iph2); 1352 return -1; 1353 } 1354 1355 /* add new entry to isakmp status table */ 1356 insph2(iph2); 1357 bindph12(iph1, iph2); 1358 1359 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1360 { 1361 char *a; 1362 1363 a = racoon_strdup(saddr2str(iph2->src)); 1364 STRDUP_FATAL(a); 1365 1366 plog(LLV_INFO, LOCATION, NULL, 1367 "respond new phase 2 negotiation: %s<=>%s\n", 1368 a, saddr2str(iph2->dst)); 1369 racoon_free(a); 1370 } 1371 1372 #ifdef ENABLE_STATS 1373 gettimeofday(&start, NULL); 1374 #endif 1375 1376 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] 1377 [iph2->side] 1378 [iph2->status])(iph2, msg); 1379 if (error != 0) { 1380 plog(LLV_ERROR, LOCATION, iph1->remote, 1381 "failed to pre-process ph2 packet (side: %d, status: %d).\n", 1382 iph2->side, iph2->status); 1383 if (error != ISAKMP_INTERNAL_ERROR) 1384 isakmp_info_send_n1(iph2->ph1, error, NULL); 1385 /* 1386 * release handler because it's wrong that ph2handle is kept 1387 * after failed to check message for responder's. 1388 */ 1389 remph2(iph2); 1390 delph2(iph2); 1391 return -1; 1392 } 1393 1394 /* send */ 1395 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1396 if ((ph2exchange[etypesw2(isakmp->etype)] 1397 [iph2->side] 1398 [iph2->status])(iph2, msg) < 0) { 1399 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1400 "failed to process ph2 packet (side: %d, status: %d).\n", 1401 iph2->side, iph2->status); 1402 /* don't release handler */ 1403 return -1; 1404 } 1405 #ifdef ENABLE_STATS 1406 gettimeofday(&end, NULL); 1407 syslog(LOG_NOTICE, "%s(%s): %8.6f", 1408 "phase2", 1409 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), 1410 timedelta(&start, &end)); 1411 #endif 1412 1413 return 0; 1414 } 1415 1416 /* 1417 * parse ISAKMP payloads, without ISAKMP base header. 1418 */ 1419 vchar_t * 1420 isakmp_parsewoh(np0, gen, len) 1421 int np0; 1422 struct isakmp_gen *gen; 1423 int len; 1424 { 1425 u_char np = np0 & 0xff; 1426 int tlen, plen; 1427 vchar_t *result; 1428 struct isakmp_parse_t *p, *ep; 1429 1430 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n"); 1431 1432 /* 1433 * 5 is a magic number, but any value larger than 2 should be fine 1434 * as we do vrealloc() in the following loop. 1435 */ 1436 result = vmalloc(sizeof(struct isakmp_parse_t) * 5); 1437 if (result == NULL) { 1438 plog(LLV_ERROR, LOCATION, NULL, 1439 "failed to get buffer.\n"); 1440 return NULL; 1441 } 1442 p = (struct isakmp_parse_t *)result->v; 1443 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep)); 1444 1445 tlen = len; 1446 1447 /* parse through general headers */ 1448 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) { 1449 if (tlen <= sizeof(struct isakmp_gen)) { 1450 /* don't send information, see isakmp_ident_r1() */ 1451 plog(LLV_ERROR, LOCATION, NULL, 1452 "invalid length of payload\n"); 1453 vfree(result); 1454 return NULL; 1455 } 1456 1457 plog(LLV_DEBUG, LOCATION, NULL, 1458 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np)); 1459 1460 p->type = np; 1461 p->len = ntohs(gen->len); 1462 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) { 1463 plog(LLV_DEBUG, LOCATION, NULL, 1464 "invalid length of payload\n"); 1465 vfree(result); 1466 return NULL; 1467 } 1468 p->ptr = gen; 1469 p++; 1470 if (ep <= p) { 1471 int off; 1472 1473 off = p - (struct isakmp_parse_t *)result->v; 1474 result = vrealloc(result, result->l * 2); 1475 if (result == NULL) { 1476 plog(LLV_DEBUG, LOCATION, NULL, 1477 "failed to realloc buffer.\n"); 1478 vfree(result); 1479 return NULL; 1480 } 1481 ep = (struct isakmp_parse_t *) 1482 (result->v + result->l - sizeof(*ep)); 1483 p = (struct isakmp_parse_t *)result->v; 1484 p += off; 1485 } 1486 1487 np = gen->np; 1488 plen = ntohs(gen->len); 1489 gen = (struct isakmp_gen *)((caddr_t)gen + plen); 1490 tlen -= plen; 1491 } 1492 p->type = ISAKMP_NPTYPE_NONE; 1493 p->len = 0; 1494 p->ptr = NULL; 1495 1496 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n"); 1497 1498 return result; 1499 } 1500 1501 /* 1502 * parse ISAKMP payloads, including ISAKMP base header. 1503 */ 1504 vchar_t * 1505 isakmp_parse(buf) 1506 vchar_t *buf; 1507 { 1508 struct isakmp *isakmp = (struct isakmp *)buf->v; 1509 struct isakmp_gen *gen; 1510 int tlen; 1511 vchar_t *result; 1512 u_char np; 1513 1514 np = isakmp->np; 1515 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp)); 1516 tlen = buf->l - sizeof(struct isakmp); 1517 result = isakmp_parsewoh(np, gen, tlen); 1518 1519 return result; 1520 } 1521 1522 /* %%% */ 1523 int 1524 isakmp_init() 1525 { 1526 /* initialize a isakmp status table */ 1527 initph1tree(); 1528 initph2tree(); 1529 initctdtree(); 1530 init_recvdpkt(); 1531 1532 return 0; 1533 } 1534 1535 /* 1536 * make strings containing i_cookie + r_cookie + msgid 1537 */ 1538 const char * 1539 isakmp_pindex(index, msgid) 1540 const isakmp_index *index; 1541 const u_int32_t msgid; 1542 { 1543 static char buf[64]; 1544 const u_char *p; 1545 int i, j; 1546 1547 memset(buf, 0, sizeof(buf)); 1548 1549 /* copy index */ 1550 p = (const u_char *)index; 1551 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) { 1552 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]); 1553 j += 2; 1554 switch (i) { 1555 case 7: 1556 buf[j++] = ':'; 1557 } 1558 } 1559 1560 if (msgid == 0) 1561 return buf; 1562 1563 /* copy msgid */ 1564 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid)); 1565 1566 return buf; 1567 } 1568 1569 /* open ISAKMP sockets. */ 1570 int 1571 isakmp_open(struct sockaddr *addr, int udp_encap) 1572 { 1573 const int yes = 1; 1574 int ifnum = 0, encap_ifnum = 0, fd; 1575 struct sockaddr_in *sin = (struct sockaddr_in *) addr; 1576 #ifdef INET6 1577 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) addr; 1578 int pktinfo; 1579 #endif 1580 #ifdef ENABLE_NATT 1581 int option = -1; 1582 #endif 1583 1584 /* warn if wildcard address - should we forbid this? */ 1585 switch (addr->sa_family) { 1586 case AF_INET: 1587 if (sin->sin_addr.s_addr == 0) 1588 plog(LLV_WARNING, LOCATION, NULL, 1589 "listening to wildcard address," 1590 "broadcast IKE packet may kill you\n"); 1591 break; 1592 #ifdef INET6 1593 case AF_INET6: 1594 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) { 1595 plog(LLV_DEBUG, LOCATION, NULL, 1596 "ignoring multicast address %s\n", 1597 saddr2str(addr)); 1598 return -1; 1599 } 1600 1601 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) 1602 plog(LLV_WARNING, LOCATION, NULL, 1603 "listening to wildcard address, " 1604 "broadcast IKE packet may kill you\n"); 1605 break; 1606 #endif 1607 default: 1608 plog(LLV_ERROR, LOCATION, NULL, 1609 "unsupported address family %d\n", 1610 addr->sa_family); 1611 return -1; 1612 } 1613 1614 if ((fd = privsep_socket(addr->sa_family, SOCK_DGRAM, 0)) < 0) { 1615 plog(LLV_ERROR, LOCATION, NULL, 1616 "socket(%s)\n", strerror(errno)); 1617 return -1; 1618 } 1619 close_on_exec(fd); 1620 if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1) 1621 plog(LLV_WARNING, LOCATION, NULL, 1622 "failed to put socket in non-blocking mode\n"); 1623 1624 /* receive my interface address on inbound packets. */ 1625 switch (addr->sa_family) { 1626 case AF_INET: 1627 if (setsockopt(fd, IPPROTO_IP, 1628 #ifdef __linux__ 1629 IP_PKTINFO, 1630 #else 1631 IP_RECVDSTADDR, 1632 #endif 1633 (const void *) &yes, sizeof(yes)) < 0) { 1634 plog(LLV_ERROR, LOCATION, NULL, 1635 "setsockopt IP_RECVDSTADDR (%s)\n", 1636 strerror(errno)); 1637 goto err; 1638 } 1639 1640 #ifdef ENABLE_NATT 1641 if (udp_encap) 1642 option = UDP_ENCAP_ESPINUDP; 1643 #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01) 1644 else 1645 option = UDP_ENCAP_ESPINUDP_NON_IKE; 1646 #endif 1647 if (option == -1) 1648 break; 1649 1650 if (setsockopt(fd, SOL_UDP, 1651 UDP_ENCAP, &option, 1652 sizeof(option)) < 0) { 1653 plog(LLV_WARNING, LOCATION, NULL, 1654 "setsockopt(%s): UDP_ENCAP %s\n", 1655 option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE", 1656 strerror(errno)); 1657 } else { 1658 plog(LLV_INFO, LOCATION, NULL, 1659 "%s used for NAT-T\n", 1660 saddr2str(addr)); 1661 } 1662 #endif 1663 break; 1664 1665 #ifdef INET6 1666 case AF_INET6: 1667 #if defined(INET6_ADVAPI) 1668 #ifdef IPV6_RECVPKTINFO 1669 pktinfo = IPV6_RECVPKTINFO; 1670 #else /* old adv. API */ 1671 pktinfo = IPV6_PKTINFO; 1672 #endif /* IPV6_RECVPKTINFO */ 1673 #else 1674 pktinfo = IPV6_RECVDSTADDR; 1675 #endif 1676 if (setsockopt(fd, IPPROTO_IPV6, pktinfo, 1677 (const void *) &yes, sizeof(yes)) < 0) { 1678 plog(LLV_ERROR, LOCATION, NULL, 1679 "setsockopt IPV6_RECVDSTADDR (%d):%s\n", 1680 pktinfo, strerror(errno)); 1681 goto err; 1682 } 1683 1684 #ifdef IPV6_USE_MIN_MTU 1685 if (setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, 1686 (void *) &yes, sizeof(yes)) < 0) { 1687 plog(LLV_ERROR, LOCATION, NULL, 1688 "setsockopt IPV6_USE_MIN_MTU (%s)\n", 1689 strerror(errno)); 1690 goto err; 1691 } 1692 #endif 1693 break; 1694 #endif 1695 } 1696 1697 if (setsockopt(fd, SOL_SOCKET, 1698 #ifdef __linux__ 1699 SO_REUSEADDR, 1700 #else 1701 SO_REUSEPORT, 1702 #endif 1703 (void *) &yes, sizeof(yes)) < 0) { 1704 plog(LLV_ERROR, LOCATION, NULL, 1705 "failed to set REUSE flag on %s (%s).\n", 1706 saddr2str(addr), strerror(errno)); 1707 goto err; 1708 } 1709 1710 if (setsockopt_bypass(fd, addr->sa_family) < 0) 1711 goto err; 1712 1713 if (privsep_bind(fd, addr, sysdep_sa_len(addr)) < 0) { 1714 plog(LLV_ERROR, LOCATION, addr, 1715 "failed to bind to address %s (%s).\n", 1716 saddr2str(addr), strerror(errno)); 1717 goto err; 1718 } 1719 1720 plog(LLV_INFO, LOCATION, NULL, 1721 "%s used as isakmp port (fd=%d)\n", 1722 saddr2str(addr), fd); 1723 1724 monitor_fd(fd, isakmp_handler, NULL, 1); 1725 return fd; 1726 1727 err: 1728 close(fd); 1729 return -1; 1730 } 1731 1732 void 1733 isakmp_close(int fd) 1734 { 1735 unmonitor_fd(fd); 1736 close(fd); 1737 } 1738 1739 int 1740 isakmp_send(iph1, sbuf) 1741 struct ph1handle *iph1; 1742 vchar_t *sbuf; 1743 { 1744 int len = 0; 1745 int s; 1746 vchar_t *vbuf = NULL, swap; 1747 1748 #ifdef ENABLE_NATT 1749 size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0; 1750 1751 /* Check if NON_ESP_MARKER_LEN is already there (happens when resending packets) 1752 */ 1753 if(extralen == NON_ESP_MARKER_LEN && 1754 *(u_int32_t *)sbuf->v == 0) 1755 extralen = 0; 1756 1757 #ifdef ENABLE_FRAG 1758 /* 1759 * Do not add the non ESP marker for a packet that will 1760 * be fragmented. The non ESP marker should appear in 1761 * all fragment's packets, but not in the fragmented packet 1762 */ 1763 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) 1764 extralen = 0; 1765 #endif 1766 if (extralen) 1767 plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n"); 1768 1769 /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) 1770 must added just before the packet itself. For this we must 1771 allocate a new buffer and release it at the end. */ 1772 if (extralen) { 1773 if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) { 1774 plog(LLV_ERROR, LOCATION, NULL, 1775 "vbuf allocation failed\n"); 1776 return -1; 1777 } 1778 *(u_int32_t *)vbuf->v = 0; 1779 memcpy (vbuf->v + extralen, sbuf->v, sbuf->l); 1780 /* ensures that the modified buffer will be sent back to the caller, so 1781 * add_recvdpkt() will add the correct buffer 1782 */ 1783 swap = *sbuf; 1784 *sbuf = *vbuf; 1785 *vbuf = swap; 1786 vfree(vbuf); 1787 } 1788 #endif 1789 1790 /* select the socket to be sent */ 1791 s = myaddr_getfd(iph1->local); 1792 if (s == -1) 1793 return -1; 1794 1795 plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, 1796 saddr2str_fromto("from %s to %s", iph1->local, iph1->remote)); 1797 1798 #ifdef ENABLE_FRAG 1799 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) { 1800 if (isakmp_sendfrags(iph1, sbuf) == -1) { 1801 plog(LLV_ERROR, LOCATION, NULL, 1802 "isakmp_sendfrags failed\n"); 1803 return -1; 1804 } 1805 } else 1806 #endif 1807 { 1808 len = sendfromto(s, sbuf->v, sbuf->l, 1809 iph1->local, iph1->remote, lcconf->count_persend); 1810 1811 if (len == -1) { 1812 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n"); 1813 return -1; 1814 } 1815 } 1816 1817 return 0; 1818 } 1819 1820 /* called from scheduler */ 1821 static void 1822 isakmp_ph1resend_stub(p) 1823 struct sched *p; 1824 { 1825 struct ph1handle *iph1 = container_of(p, struct ph1handle, scr); 1826 1827 if (isakmp_ph1resend(iph1) < 0) { 1828 remph1(iph1); 1829 delph1(iph1); 1830 } 1831 } 1832 1833 static int 1834 isakmp_ph1resend(iph1) 1835 struct ph1handle *iph1; 1836 { 1837 /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function 1838 */ 1839 if (iph1->retry_counter <= 0) { 1840 plog(LLV_ERROR, LOCATION, NULL, 1841 "phase1 negotiation failed due to time up. %s\n", 1842 isakmp_pindex(&iph1->index, iph1->msgid)); 1843 /* XXX is the peer really "dead" here ??? */ 1844 script_hook(iph1, SCRIPT_PHASE1_DEAD); 1845 evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL); 1846 1847 return -1; 1848 } 1849 1850 if (isakmp_send(iph1, iph1->sendbuf) < 0){ 1851 plog(LLV_ERROR, LOCATION, NULL, 1852 "phase1 negotiation failed due to send error. %s\n", 1853 isakmp_pindex(&iph1->index, iph1->msgid)); 1854 evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL); 1855 return -1; 1856 } 1857 1858 plog(LLV_DEBUG, LOCATION, NULL, 1859 "resend phase1 packet %s\n", 1860 isakmp_pindex(&iph1->index, iph1->msgid)); 1861 1862 iph1->retry_counter--; 1863 1864 sched_schedule(&iph1->scr, lcconf->retry_interval, 1865 isakmp_ph1resend_stub); 1866 1867 return 0; 1868 } 1869 1870 int 1871 isakmp_ph1send(iph1) 1872 struct ph1handle *iph1; 1873 { 1874 iph1->retry_counter = lcconf->retry_counter; 1875 return isakmp_ph1resend(iph1); 1876 } 1877 1878 /* called from scheduler */ 1879 static void 1880 isakmp_ph2resend_stub(p) 1881 struct sched *p; 1882 { 1883 struct ph2handle *iph2 = container_of(p, struct ph2handle, scr); 1884 1885 if (isakmp_ph2resend(iph2) < 0) { 1886 remph2(iph2); 1887 delph2(iph2); 1888 } 1889 } 1890 1891 static int 1892 isakmp_ph2resend(iph2) 1893 struct ph2handle *iph2; 1894 { 1895 /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function 1896 */ 1897 if (iph2->ph1->status >= PHASE1ST_EXPIRED) { 1898 plog(LLV_ERROR, LOCATION, NULL, 1899 "phase2 negotiation failed due to phase1 expired. %s\n", 1900 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1901 return -1; 1902 } 1903 1904 if (iph2->retry_counter <= 0) { 1905 plog(LLV_ERROR, LOCATION, NULL, 1906 "phase2 negotiation failed due to time up. %s\n", 1907 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1908 evt_phase2(iph2, EVT_PHASE2_NO_RESPONSE, NULL); 1909 unbindph12(iph2); 1910 return -1; 1911 } 1912 1913 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){ 1914 plog(LLV_ERROR, LOCATION, NULL, 1915 "phase2 negotiation failed due to send error. %s\n", 1916 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1917 evt_phase2(iph2, EVT_PHASE2_NO_RESPONSE, NULL); 1918 return -1; 1919 } 1920 1921 plog(LLV_DEBUG, LOCATION, NULL, 1922 "resend phase2 packet %s\n", 1923 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1924 1925 iph2->retry_counter--; 1926 1927 sched_schedule(&iph2->scr, lcconf->retry_interval, 1928 isakmp_ph2resend_stub); 1929 1930 return 0; 1931 } 1932 1933 int 1934 isakmp_ph2send(iph2) 1935 struct ph2handle *iph2; 1936 { 1937 iph2->retry_counter = lcconf->retry_counter; 1938 return isakmp_ph2resend(iph2); 1939 } 1940 1941 /* called from scheduler */ 1942 void 1943 isakmp_ph1dying_stub(p) 1944 struct sched *p; 1945 { 1946 1947 isakmp_ph1dying(container_of(p, struct ph1handle, sce)); 1948 } 1949 1950 void 1951 isakmp_ph1dying(iph1) 1952 struct ph1handle *iph1; 1953 { 1954 struct ph1handle *new_iph1; 1955 struct ph2handle *p; 1956 struct remoteconf *rmconf; 1957 1958 if (iph1->status >= PHASE1ST_DYING) 1959 return; 1960 1961 /* Going away in after a while... */ 1962 iph1->status = PHASE1ST_DYING; 1963 1964 /* Any fresh phase1s? */ 1965 new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1); 1966 if (new_iph1 == NULL) { 1967 LIST_FOREACH(p, &iph1->ph2tree, ph1bind) { 1968 if (p->status != PHASE2ST_ESTABLISHED) 1969 continue; 1970 1971 plog(LLV_INFO, LOCATION, NULL, 1972 "renegotiating phase1 to %s due to " 1973 "active phase2\n", 1974 saddrwop2str(iph1->remote)); 1975 1976 if (iph1->side == INITIATOR) 1977 isakmp_ph1begin_i(iph1->rmconf, iph1->remote, 1978 iph1->local); 1979 1980 break; 1981 } 1982 } else { 1983 migrate_ph12(iph1, new_iph1); 1984 } 1985 1986 /* Schedule for expiration */ 1987 sched_schedule(&iph1->sce, iph1->approval->lifetime * 1988 (100 - PFKEY_SOFT_LIFETIME_RATE) / 100, 1989 isakmp_ph1expire_stub); 1990 } 1991 1992 /* called from scheduler */ 1993 void 1994 isakmp_ph1expire_stub(p) 1995 struct sched *p; 1996 { 1997 isakmp_ph1expire(container_of(p, struct ph1handle, sce)); 1998 } 1999 2000 void 2001 isakmp_ph1expire(iph1) 2002 struct ph1handle *iph1; 2003 { 2004 char *src, *dst; 2005 2006 if (iph1->status < PHASE1ST_EXPIRED) { 2007 src = racoon_strdup(saddr2str(iph1->local)); 2008 dst = racoon_strdup(saddr2str(iph1->remote)); 2009 STRDUP_FATAL(src); 2010 STRDUP_FATAL(dst); 2011 2012 plog(LLV_INFO, LOCATION, NULL, 2013 "ISAKMP-SA expired %s-%s spi:%s\n", 2014 src, dst, 2015 isakmp_pindex(&iph1->index, 0)); 2016 racoon_free(src); 2017 racoon_free(dst); 2018 iph1->status = PHASE1ST_EXPIRED; 2019 } 2020 2021 isakmp_ph1delete(iph1); 2022 } 2023 2024 /* called from scheduler */ 2025 void 2026 isakmp_ph1delete_stub(p) 2027 struct sched *p; 2028 { 2029 2030 isakmp_ph1delete(container_of(p, struct ph1handle, sce)); 2031 } 2032 2033 void 2034 isakmp_ph1delete(iph1) 2035 struct ph1handle *iph1; 2036 { 2037 struct ph2handle *p, *next; 2038 struct ph1handle *new_iph1; 2039 char *src, *dst; 2040 2041 /* Migrate established phase2s. Any fresh phase1s? */ 2042 new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1); 2043 if (new_iph1 != NULL) 2044 migrate_ph12(iph1, new_iph1); 2045 2046 /* Discard any left phase2s */ 2047 for (p = LIST_FIRST(&iph1->ph2tree); p; p = next) { 2048 next = LIST_NEXT(p, ph1bind); 2049 if (p->status == PHASE2ST_ESTABLISHED) 2050 isakmp_info_send_d2(p); 2051 /* remove all ph2 handles, 2052 * as ph1handle will be expired soon 2053 */ 2054 delete_spd(p, 1); 2055 remph2(p); 2056 delph2(p); 2057 } 2058 2059 src = racoon_strdup(saddr2str(iph1->local)); 2060 dst = racoon_strdup(saddr2str(iph1->remote)); 2061 STRDUP_FATAL(src); 2062 STRDUP_FATAL(dst); 2063 2064 plog(LLV_INFO, LOCATION, NULL, 2065 "ISAKMP-SA deleted %s-%s spi:%s\n", 2066 src, dst, isakmp_pindex(&iph1->index, 0)); 2067 2068 evt_phase1(iph1, EVT_PHASE1_DOWN, NULL); 2069 if (new_iph1 == NULL && ph1_rekey_enabled(iph1)) 2070 script_hook(iph1, SCRIPT_PHASE1_DEAD); 2071 2072 racoon_free(src); 2073 racoon_free(dst); 2074 2075 remph1(iph1); 2076 delph1(iph1); 2077 } 2078 2079 /* called from scheduler. 2080 * this function will call only isakmp_ph2delete(). 2081 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA 2082 * by something cause. That's why this function is called after phase 2 SA 2083 * expires in the userland. 2084 */ 2085 void 2086 isakmp_ph2expire_stub(p) 2087 struct sched *p; 2088 { 2089 2090 isakmp_ph2expire(container_of(p, struct ph2handle, sce)); 2091 } 2092 2093 void 2094 isakmp_ph2expire(iph2) 2095 struct ph2handle *iph2; 2096 { 2097 char *src, *dst; 2098 2099 src = racoon_strdup(saddrwop2str(iph2->src)); 2100 dst = racoon_strdup(saddrwop2str(iph2->dst)); 2101 STRDUP_FATAL(src); 2102 STRDUP_FATAL(dst); 2103 2104 plog(LLV_INFO, LOCATION, NULL, 2105 "phase2 sa expired %s-%s\n", src, dst); 2106 racoon_free(src); 2107 racoon_free(dst); 2108 2109 iph2->status = PHASE2ST_EXPIRED; 2110 sched_schedule(&iph2->sce, 1, isakmp_ph2delete_stub); 2111 } 2112 2113 /* called from scheduler */ 2114 void 2115 isakmp_ph2delete_stub(p) 2116 struct sched *p; 2117 { 2118 2119 isakmp_ph2delete(container_of(p, struct ph2handle, sce)); 2120 } 2121 2122 void 2123 isakmp_ph2delete(iph2) 2124 struct ph2handle *iph2; 2125 { 2126 char *src, *dst; 2127 2128 src = racoon_strdup(saddrwop2str(iph2->src)); 2129 dst = racoon_strdup(saddrwop2str(iph2->dst)); 2130 STRDUP_FATAL(src); 2131 STRDUP_FATAL(dst); 2132 2133 plog(LLV_INFO, LOCATION, NULL, 2134 "phase2 sa deleted %s-%s\n", src, dst); 2135 racoon_free(src); 2136 racoon_free(dst); 2137 2138 remph2(iph2); 2139 delph2(iph2); 2140 2141 return; 2142 } 2143 2144 /* %%% 2146 * Interface between PF_KEYv2 and ISAKMP 2147 */ 2148 /* 2149 * receive ACQUIRE from kernel, and begin either phase1 or phase2. 2150 * if phase1 has been finished, begin phase2. 2151 */ 2152 int 2153 isakmp_post_acquire(iph2, iph1hint, nopassive) 2154 struct ph2handle *iph2; 2155 struct ph1handle *iph1hint; 2156 int nopassive; 2157 { 2158 struct remoteconf *rmconf; 2159 struct ph1handle *iph1 = NULL; 2160 2161 plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n"); 2162 2163 /* Search appropriate configuration with masking port. Note that 2164 * we always use iph2->dst, and not iph2->sa_dst. 2165 * 2166 * XXX One possible need for using iph2->sa_dst if not NULL would 2167 * be for selecting a remote configuration based on a stable 2168 * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS 2169 * as iph2->dst hint). This scenario would require additional changes, 2170 * so no need to bother yet. --arno */ 2171 2172 if (iph1hint == NULL || iph1hint->rmconf == NULL) { 2173 rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0); 2174 if (rmconf == NULL) { 2175 plog(LLV_ERROR, LOCATION, NULL, 2176 "no configuration found for %s.\n", 2177 saddrwop2str(iph2->dst)); 2178 return -1; 2179 } 2180 } else { 2181 rmconf = iph1hint->rmconf; 2182 } 2183 2184 /* if passive mode, ignore the acquire message */ 2185 if (nopassive && rmconf->passive) { 2186 plog(LLV_DEBUG, LOCATION, NULL, 2187 "because of passive mode, " 2188 "ignore the acquire message for %s.\n", 2189 saddrwop2str(iph2->dst)); 2190 return 0; 2191 } 2192 2193 /* 2194 * XXX Searching by IP addresses + ports might fail on 2195 * some cases, we should use the ISAKMP identity to search 2196 * matching ISAKMP. 2197 */ 2198 iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0); 2199 2200 /* no ISAKMP-SA found. */ 2201 if (iph1 == NULL) { 2202 iph2->retry_checkph1 = lcconf->retry_checkph1; 2203 sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub); 2204 plog(LLV_INFO, LOCATION, NULL, 2205 "IPsec-SA request for %s queued " 2206 "due to no phase1 found.\n", 2207 saddrwop2str(iph2->dst)); 2208 2209 /* start phase 1 negotiation as a initiator. */ 2210 if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) == NULL) { 2211 sched_cancel(&iph2->sce); 2212 return -1; 2213 } 2214 2215 return 0; 2216 /*NOTREACHED*/ 2217 } 2218 2219 /* found ISAKMP-SA, but on negotiation. */ 2220 if (iph1->status < PHASE1ST_ESTABLISHED) { 2221 iph2->retry_checkph1 = lcconf->retry_checkph1; 2222 sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub); 2223 plog(LLV_INFO, LOCATION, iph2->dst, 2224 "request for establishing IPsec-SA was queued " 2225 "due to no phase1 found.\n"); 2226 return 0; 2227 /*NOTREACHED*/ 2228 } 2229 2230 /* found established ISAKMP-SA */ 2231 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */ 2232 2233 /* found ISAKMP-SA. */ 2234 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); 2235 2236 /* begin quick mode */ 2237 if (isakmp_ph2begin_i(iph1, iph2)) 2238 return -1; 2239 2240 return 0; 2241 } 2242 2243 int 2244 isakmp_get_sainfo(iph2, sp_out, sp_in) 2245 struct ph2handle *iph2; 2246 struct secpolicy *sp_out, *sp_in; 2247 { 2248 struct remoteconf *conf; 2249 uint32_t remoteid = 0; 2250 2251 plog(LLV_DEBUG, LOCATION, NULL, 2252 "new acquire %s\n", spidx2str(&sp_out->spidx)); 2253 2254 /* get sainfo */ 2255 { 2256 vchar_t *idsrc, *iddst; 2257 2258 idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src, 2259 sp_out->spidx.prefs, sp_out->spidx.ul_proto); 2260 if (idsrc == NULL) { 2261 plog(LLV_ERROR, LOCATION, NULL, 2262 "failed to get ID for %s\n", 2263 spidx2str(&sp_out->spidx)); 2264 return -1; 2265 } 2266 iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst, 2267 sp_out->spidx.prefd, sp_out->spidx.ul_proto); 2268 if (iddst == NULL) { 2269 plog(LLV_ERROR, LOCATION, NULL, 2270 "failed to get ID for %s\n", 2271 spidx2str(&sp_out->spidx)); 2272 vfree(idsrc); 2273 return -1; 2274 } 2275 2276 conf = getrmconf(iph2->dst, 0); 2277 if (conf != NULL) 2278 remoteid = conf->ph1id; 2279 else 2280 plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n"); 2281 2282 iph2->sainfo = getsainfo(idsrc, iddst, NULL, NULL, remoteid); 2283 vfree(idsrc); 2284 vfree(iddst); 2285 if (iph2->sainfo == NULL) { 2286 plog(LLV_ERROR, LOCATION, NULL, 2287 "failed to get sainfo.\n"); 2288 return -1; 2289 /* XXX should use the algorithm list from register message */ 2290 } 2291 2292 plog(LLV_DEBUG, LOCATION, NULL, 2293 "selected sainfo: %s\n", sainfo2str(iph2->sainfo)); 2294 } 2295 2296 if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) { 2297 plog(LLV_ERROR, LOCATION, NULL, 2298 "failed to create saprop.\n"); 2299 return -1; 2300 } 2301 2302 return 0; 2303 } 2304 2305 2306 /* 2307 * receive GETSPI from kernel. 2308 */ 2309 int 2310 isakmp_post_getspi(iph2) 2311 struct ph2handle *iph2; 2312 { 2313 #ifdef ENABLE_STATS 2314 struct timeval start, end; 2315 #endif 2316 2317 /* don't process it because there is no suitable phase1-sa. */ 2318 if (iph2->ph1->status >= PHASE1ST_EXPIRED) { 2319 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 2320 "the negotiation is stopped, " 2321 "because there is no suitable ISAKMP-SA.\n"); 2322 return -1; 2323 } 2324 2325 #ifdef ENABLE_STATS 2326 gettimeofday(&start, NULL); 2327 #endif 2328 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] 2329 [iph2->side] 2330 [iph2->status])(iph2, NULL) != 0) 2331 return -1; 2332 #ifdef ENABLE_STATS 2333 gettimeofday(&end, NULL); 2334 syslog(LOG_NOTICE, "%s(%s): %8.6f", 2335 "phase2", 2336 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), 2337 timedelta(&start, &end)); 2338 #endif 2339 2340 return 0; 2341 } 2342 2343 /* called by scheduler */ 2344 void 2345 isakmp_chkph1there_stub(p) 2346 struct sched *p; 2347 { 2348 isakmp_chkph1there(container_of(p, struct ph2handle, sce)); 2349 } 2350 2351 void 2352 isakmp_chkph1there(iph2) 2353 struct ph2handle *iph2; 2354 { 2355 struct ph1handle *iph1; 2356 2357 iph2->retry_checkph1--; 2358 if (iph2->retry_checkph1 < 0) { 2359 plog(LLV_ERROR, LOCATION, iph2->dst, 2360 "phase2 negotiation failed " 2361 "due to time up waiting for phase1. %s\n", 2362 sadbsecas2str(iph2->dst, iph2->src, 2363 iph2->satype, 0, 0)); 2364 plog(LLV_INFO, LOCATION, NULL, 2365 "delete phase 2 handler.\n"); 2366 2367 /* send acquire to kernel as error */ 2368 pk_sendeacquire(iph2); 2369 2370 remph2(iph2); 2371 delph2(iph2); 2372 2373 return; 2374 } 2375 2376 /* Search isakmp status table by address and port */ 2377 iph1 = getph1byaddr(iph2->src, iph2->dst, 0); 2378 2379 /* XXX Even if ph1 as responder is there, should we not start 2380 * phase 2 negotiation ? */ 2381 if (iph1 != NULL 2382 && iph1->status == PHASE1ST_ESTABLISHED) { 2383 /* found isakmp-sa */ 2384 2385 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n"); 2386 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local)); 2387 plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote)); 2388 plog(LLV_DEBUG2, LOCATION, NULL, "before:\n"); 2389 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src)); 2390 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst)); 2391 set_port(iph2->src, extract_port(iph1->local)); 2392 set_port(iph2->dst, extract_port(iph1->remote)); 2393 plog(LLV_DEBUG2, LOCATION, NULL, "After:\n"); 2394 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src)); 2395 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst)); 2396 2397 /* begin quick mode */ 2398 (void)isakmp_ph2begin_i(iph1, iph2); 2399 return; 2400 } 2401 2402 plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n"); 2403 2404 /* no isakmp-sa found */ 2405 sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub); 2406 2407 return; 2408 } 2409 2410 /* copy variable data into ALLOCATED buffer. */ 2411 caddr_t 2412 isakmp_set_attr_v(buf, type, val, len) 2413 caddr_t buf; 2414 int type; 2415 caddr_t val; 2416 int len; 2417 { 2418 struct isakmp_data *data; 2419 2420 data = (struct isakmp_data *)buf; 2421 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV); 2422 data->lorv = htons((u_int16_t)len); 2423 memcpy(data + 1, val, len); 2424 2425 return buf + sizeof(*data) + len; 2426 } 2427 2428 /* copy fixed length data into ALLOCATED buffer. */ 2429 caddr_t 2430 isakmp_set_attr_l(buf, type, val) 2431 caddr_t buf; 2432 int type; 2433 u_int32_t val; 2434 { 2435 struct isakmp_data *data; 2436 2437 data = (struct isakmp_data *)buf; 2438 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV); 2439 data->lorv = htons((u_int16_t)val); 2440 2441 return buf + sizeof(*data); 2442 } 2443 2444 /* add a variable data attribute to the buffer by reallocating it. */ 2445 vchar_t * 2446 isakmp_add_attr_v(buf0, type, val, len) 2447 vchar_t *buf0; 2448 int type; 2449 caddr_t val; 2450 int len; 2451 { 2452 vchar_t *buf = NULL; 2453 struct isakmp_data *data; 2454 int tlen; 2455 int oldlen = 0; 2456 2457 tlen = sizeof(*data) + len; 2458 2459 if (buf0) { 2460 oldlen = buf0->l; 2461 buf = vrealloc(buf0, oldlen + tlen); 2462 } else 2463 buf = vmalloc(tlen); 2464 if (!buf) { 2465 plog(LLV_ERROR, LOCATION, NULL, 2466 "failed to get a attribute buffer.\n"); 2467 return NULL; 2468 } 2469 2470 data = (struct isakmp_data *)(buf->v + oldlen); 2471 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV); 2472 data->lorv = htons((u_int16_t)len); 2473 memcpy(data + 1, val, len); 2474 2475 return buf; 2476 } 2477 2478 /* add a fixed data attribute to the buffer by reallocating it. */ 2479 vchar_t * 2480 isakmp_add_attr_l(buf0, type, val) 2481 vchar_t *buf0; 2482 int type; 2483 u_int32_t val; 2484 { 2485 vchar_t *buf = NULL; 2486 struct isakmp_data *data; 2487 int tlen; 2488 int oldlen = 0; 2489 2490 tlen = sizeof(*data); 2491 2492 if (buf0) { 2493 oldlen = buf0->l; 2494 buf = vrealloc(buf0, oldlen + tlen); 2495 } else 2496 buf = vmalloc(tlen); 2497 if (!buf) { 2498 plog(LLV_ERROR, LOCATION, NULL, 2499 "failed to get a attribute buffer.\n"); 2500 return NULL; 2501 } 2502 2503 data = (struct isakmp_data *)(buf->v + oldlen); 2504 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV); 2505 data->lorv = htons((u_int16_t)val); 2506 2507 return buf; 2508 } 2509 2510 /* 2511 * calculate cookie and set. 2512 */ 2513 int 2514 isakmp_newcookie(place, remote, local) 2515 caddr_t place; 2516 struct sockaddr *remote; 2517 struct sockaddr *local; 2518 { 2519 vchar_t *buf = NULL, *buf2 = NULL; 2520 char *p; 2521 int blen; 2522 int alen; 2523 caddr_t sa1, sa2; 2524 time_t t; 2525 int error = -1; 2526 u_short port; 2527 2528 2529 if (remote->sa_family != local->sa_family) { 2530 plog(LLV_ERROR, LOCATION, NULL, 2531 "address family mismatch, remote:%d local:%d\n", 2532 remote->sa_family, local->sa_family); 2533 goto end; 2534 } 2535 switch (remote->sa_family) { 2536 case AF_INET: 2537 alen = sizeof(struct in_addr); 2538 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr; 2539 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr; 2540 break; 2541 #ifdef INET6 2542 case AF_INET6: 2543 alen = sizeof(struct in6_addr); 2544 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr; 2545 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr; 2546 break; 2547 #endif 2548 default: 2549 plog(LLV_ERROR, LOCATION, NULL, 2550 "invalid family: %d\n", remote->sa_family); 2551 goto end; 2552 } 2553 blen = (alen + sizeof(u_short)) * 2 2554 + sizeof(time_t) + lcconf->secret_size; 2555 buf = vmalloc(blen); 2556 if (buf == NULL) { 2557 plog(LLV_ERROR, LOCATION, NULL, 2558 "failed to get a cookie.\n"); 2559 goto end; 2560 } 2561 p = buf->v; 2562 2563 /* copy my address */ 2564 memcpy(p, sa1, alen); 2565 p += alen; 2566 port = ((struct sockaddr_in *)remote)->sin_port; 2567 memcpy(p, &port, sizeof(u_short)); 2568 p += sizeof(u_short); 2569 2570 /* copy target address */ 2571 memcpy(p, sa2, alen); 2572 p += alen; 2573 port = ((struct sockaddr_in *)local)->sin_port; 2574 memcpy(p, &port, sizeof(u_short)); 2575 p += sizeof(u_short); 2576 2577 /* copy time */ 2578 t = time(0); 2579 memcpy(p, (caddr_t)&t, sizeof(t)); 2580 p += sizeof(t); 2581 2582 /* copy random value */ 2583 buf2 = eay_set_random(lcconf->secret_size); 2584 if (buf2 == NULL) 2585 goto end; 2586 memcpy(p, buf2->v, lcconf->secret_size); 2587 p += lcconf->secret_size; 2588 vfree(buf2); 2589 2590 buf2 = eay_sha1_one(buf); 2591 memcpy(place, buf2->v, sizeof(cookie_t)); 2592 2593 sa1 = val2str(place, sizeof (cookie_t)); 2594 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1); 2595 racoon_free(sa1); 2596 2597 error = 0; 2598 end: 2599 if (buf != NULL) 2600 vfree(buf); 2601 if (buf2 != NULL) 2602 vfree(buf2); 2603 return error; 2604 } 2605 2606 /* 2607 * save partner's(payload) data into phhandle. 2608 */ 2609 int 2610 isakmp_p2ph(buf, gen) 2611 vchar_t **buf; 2612 struct isakmp_gen *gen; 2613 { 2614 /* XXX to be checked in each functions for logging. */ 2615 if (*buf) { 2616 plog(LLV_WARNING, LOCATION, NULL, 2617 "ignore this payload, same payload type exist.\n"); 2618 return -1; 2619 } 2620 2621 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen)); 2622 if (*buf == NULL) { 2623 plog(LLV_ERROR, LOCATION, NULL, 2624 "failed to get buffer.\n"); 2625 return -1; 2626 } 2627 memcpy((*buf)->v, gen + 1, (*buf)->l); 2628 2629 return 0; 2630 } 2631 2632 u_int32_t 2633 isakmp_newmsgid2(iph1) 2634 struct ph1handle *iph1; 2635 { 2636 u_int32_t msgid2; 2637 2638 do { 2639 msgid2 = eay_random(); 2640 } while (getph2bymsgid(iph1, msgid2)); 2641 2642 return msgid2; 2643 } 2644 2645 /* 2646 * set values into allocated buffer of isakmp header for phase 1 2647 */ 2648 static caddr_t 2649 set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid) 2650 vchar_t *vbuf; 2651 struct ph1handle *iph1; 2652 int nptype; 2653 u_int8_t etype; 2654 u_int8_t flags; 2655 u_int32_t msgid; 2656 { 2657 struct isakmp *isakmp; 2658 2659 if (vbuf->l < sizeof(*isakmp)) 2660 return NULL; 2661 2662 isakmp = (struct isakmp *)vbuf->v; 2663 2664 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t)); 2665 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t)); 2666 isakmp->np = nptype; 2667 isakmp->v = iph1->version; 2668 isakmp->etype = etype; 2669 isakmp->flags = flags; 2670 isakmp->msgid = msgid; 2671 isakmp->len = htonl(vbuf->l); 2672 2673 return vbuf->v + sizeof(*isakmp); 2674 } 2675 2676 /* 2677 * set values into allocated buffer of isakmp header for phase 1 2678 */ 2679 caddr_t 2680 set_isakmp_header1(vbuf, iph1, nptype) 2681 vchar_t *vbuf; 2682 struct ph1handle *iph1; 2683 int nptype; 2684 { 2685 return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid); 2686 } 2687 2688 /* 2689 * set values into allocated buffer of isakmp header for phase 2 2690 */ 2691 caddr_t 2692 set_isakmp_header2(vbuf, iph2, nptype) 2693 vchar_t *vbuf; 2694 struct ph2handle *iph2; 2695 int nptype; 2696 { 2697 return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid); 2698 } 2699 2700 /* 2701 * set values into allocated buffer of isakmp payload. 2702 */ 2703 caddr_t 2704 set_isakmp_payload(buf, src, nptype) 2705 caddr_t buf; 2706 vchar_t *src; 2707 int nptype; 2708 { 2709 struct isakmp_gen *gen; 2710 caddr_t p = buf; 2711 2712 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n", 2713 src->l, nptype); 2714 2715 gen = (struct isakmp_gen *)p; 2716 gen->np = nptype; 2717 gen->len = htons(sizeof(*gen) + src->l); 2718 p += sizeof(*gen); 2719 memcpy(p, src->v, src->l); 2720 p += src->l; 2721 2722 return p; 2723 } 2724 2725 static int 2726 etypesw1(etype) 2727 int etype; 2728 { 2729 switch (etype) { 2730 case ISAKMP_ETYPE_IDENT: 2731 return 1; 2732 case ISAKMP_ETYPE_AGG: 2733 return 2; 2734 case ISAKMP_ETYPE_BASE: 2735 return 3; 2736 default: 2737 return 0; 2738 } 2739 /*NOTREACHED*/ 2740 } 2741 2742 static int 2743 etypesw2(etype) 2744 int etype; 2745 { 2746 switch (etype) { 2747 case ISAKMP_ETYPE_QUICK: 2748 return 1; 2749 default: 2750 return 0; 2751 } 2752 /*NOTREACHED*/ 2753 } 2754 2755 #ifdef HAVE_PRINT_ISAKMP_C 2756 /* for print-isakmp.c */ 2757 char *snapend; 2758 extern void isakmp_print __P((const u_char *, u_int, const u_char *)); 2759 2760 char *getname __P((const u_char *)); 2761 #ifdef INET6 2762 char *getname6 __P((const u_char *)); 2763 #endif 2764 int safeputchar __P((int)); 2765 2766 /* 2767 * Return a name for the IP address pointed to by ap. This address 2768 * is assumed to be in network byte order. 2769 */ 2770 char * 2771 getname(ap) 2772 const u_char *ap; 2773 { 2774 struct sockaddr_in addr; 2775 static char ntop_buf[NI_MAXHOST]; 2776 2777 memset(&addr, 0, sizeof(addr)); 2778 #ifndef __linux__ 2779 addr.sin_len = sizeof(struct sockaddr_in); 2780 #endif 2781 addr.sin_family = AF_INET; 2782 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr)); 2783 if (getnameinfo((struct sockaddr *)&addr, sizeof(addr), 2784 ntop_buf, sizeof(ntop_buf), NULL, 0, 2785 NI_NUMERICHOST | niflags)) 2786 strlcpy(ntop_buf, "?", sizeof(ntop_buf)); 2787 2788 return ntop_buf; 2789 } 2790 2791 #ifdef INET6 2792 /* 2793 * Return a name for the IP6 address pointed to by ap. This address 2794 * is assumed to be in network byte order. 2795 */ 2796 char * 2797 getname6(ap) 2798 const u_char *ap; 2799 { 2800 struct sockaddr_in6 addr; 2801 static char ntop_buf[NI_MAXHOST]; 2802 2803 memset(&addr, 0, sizeof(addr)); 2804 addr.sin6_len = sizeof(struct sockaddr_in6); 2805 addr.sin6_family = AF_INET6; 2806 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr)); 2807 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len, 2808 ntop_buf, sizeof(ntop_buf), NULL, 0, 2809 NI_NUMERICHOST | niflags)) 2810 strlcpy(ntop_buf, "?", sizeof(ntop_buf)); 2811 2812 return ntop_buf; 2813 } 2814 #endif /* INET6 */ 2815 2816 int 2817 safeputchar(c) 2818 int c; 2819 { 2820 unsigned char ch; 2821 2822 ch = (unsigned char)(c & 0xff); 2823 if (c < 0x80 && isprint(c)) 2824 return printf("%c", c & 0xff); 2825 else 2826 return printf("\\%03o", c & 0xff); 2827 } 2828 2829 void 2830 isakmp_printpacket(msg, from, my, decoded) 2831 vchar_t *msg; 2832 struct sockaddr *from; 2833 struct sockaddr *my; 2834 int decoded; 2835 { 2836 #ifdef YIPS_DEBUG 2837 struct timeval tv; 2838 int s; 2839 char hostbuf[NI_MAXHOST]; 2840 char portbuf[NI_MAXSERV]; 2841 struct isakmp *isakmp; 2842 vchar_t *buf; 2843 #endif 2844 2845 if (loglevel < LLV_DEBUG) 2846 return; 2847 2848 #ifdef YIPS_DEBUG 2849 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n"); 2850 2851 gettimeofday(&tv, NULL); 2852 s = tv.tv_sec % 3600; 2853 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec); 2854 2855 if (from) { 2856 if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf), 2857 portbuf, sizeof(portbuf), 2858 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { 2859 strlcpy(hostbuf, "?", sizeof(hostbuf)); 2860 strlcpy(portbuf, "?", sizeof(portbuf)); 2861 } 2862 printf("%s:%s", hostbuf, portbuf); 2863 } else 2864 printf("?"); 2865 printf(" -> "); 2866 if (my) { 2867 if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf), 2868 portbuf, sizeof(portbuf), 2869 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { 2870 strlcpy(hostbuf, "?", sizeof(hostbuf)); 2871 strlcpy(portbuf, "?", sizeof(portbuf)); 2872 } 2873 printf("%s:%s", hostbuf, portbuf); 2874 } else 2875 printf("?"); 2876 printf(": "); 2877 2878 buf = vdup(msg); 2879 if (!buf) { 2880 printf("(malloc fail)\n"); 2881 return; 2882 } 2883 if (decoded) { 2884 isakmp = (struct isakmp *)buf->v; 2885 if (isakmp->flags & ISAKMP_FLAG_E) { 2886 #if 0 2887 int pad; 2888 pad = *(u_char *)(buf->v + buf->l - 1); 2889 if (buf->l < pad && 2 < vflag) 2890 printf("(wrong padding)"); 2891 #endif 2892 isakmp->flags &= ~ISAKMP_FLAG_E; 2893 } 2894 } 2895 2896 snapend = buf->v + buf->l; 2897 isakmp_print(buf->v, buf->l, NULL); 2898 vfree(buf); 2899 printf("\n"); 2900 fflush(stdout); 2901 2902 return; 2903 #endif 2904 } 2905 #endif /*HAVE_PRINT_ISAKMP_C*/ 2906 2907 int 2908 copy_ph1addresses(iph1, rmconf, remote, local) 2909 struct ph1handle *iph1; 2910 struct remoteconf *rmconf; 2911 struct sockaddr *remote, *local; 2912 { 2913 u_int16_t port; 2914 2915 /* address portion must be grabbed from real remote address "remote" */ 2916 iph1->remote = dupsaddr(remote); 2917 if (iph1->remote == NULL) 2918 return -1; 2919 2920 /* 2921 * if remote has no port # (in case of initiator - from ACQUIRE msg) 2922 * - if remote.conf specifies port #, use that 2923 * - if remote.conf does not, use 500 2924 * if remote has port # (in case of responder - from recvfrom(2)) 2925 * respect content of "remote". 2926 */ 2927 if (extract_port(iph1->remote) == 0) { 2928 port = 0; 2929 if (rmconf != NULL) 2930 port = extract_port(rmconf->remote); 2931 if (port == 0) 2932 port = PORT_ISAKMP; 2933 set_port(iph1->remote, port); 2934 } 2935 2936 if (local == NULL) 2937 iph1->local = getlocaladdr(iph1->remote); 2938 else 2939 iph1->local = dupsaddr(local); 2940 if (iph1->local == NULL) 2941 return -1; 2942 2943 if (extract_port(iph1->local) == 0) { 2944 port = myaddr_getsport(iph1->local); 2945 if (port == 0) 2946 port = PORT_ISAKMP; 2947 set_port(iph1->local, PORT_ISAKMP); 2948 } 2949 2950 #ifdef ENABLE_NATT 2951 if (extract_port(iph1->local) == lcconf->port_isakmp_natt) { 2952 plog(LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n"); 2953 iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER; 2954 } 2955 #endif 2956 2957 return 0; 2958 } 2959 2960 static int 2961 nostate1(iph1, msg) 2962 struct ph1handle *iph1; 2963 vchar_t *msg; 2964 { 2965 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n", 2966 iph1->status); 2967 return -1; 2968 } 2969 2970 static int 2971 nostate2(iph2, msg) 2972 struct ph2handle *iph2; 2973 vchar_t *msg; 2974 { 2975 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n", 2976 iph2->status); 2977 return -1; 2978 } 2979 2980 void 2981 log_ph1established(iph1) 2982 const struct ph1handle *iph1; 2983 { 2984 char *src, *dst; 2985 2986 src = racoon_strdup(saddr2str(iph1->local)); 2987 dst = racoon_strdup(saddr2str(iph1->remote)); 2988 STRDUP_FATAL(src); 2989 STRDUP_FATAL(dst); 2990 2991 plog(LLV_INFO, LOCATION, NULL, 2992 "ISAKMP-SA established %s-%s spi:%s\n", 2993 src, dst, 2994 isakmp_pindex(&iph1->index, 0)); 2995 2996 evt_phase1(iph1, EVT_PHASE1_UP, NULL); 2997 if(!iph1->rmconf->mode_cfg) 2998 evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL); 2999 3000 racoon_free(src); 3001 racoon_free(dst); 3002 3003 return; 3004 } 3005 3006 struct payload_list * 3007 isakmp_plist_append_full (struct payload_list *plist, vchar_t *payload, 3008 u_int8_t payload_type, u_int8_t free_payload) 3009 { 3010 if (! plist) { 3011 plist = racoon_malloc (sizeof (struct payload_list)); 3012 plist->prev = NULL; 3013 } 3014 else { 3015 plist->next = racoon_malloc (sizeof (struct payload_list)); 3016 plist->next->prev = plist; 3017 plist = plist->next; 3018 } 3019 3020 plist->next = NULL; 3021 plist->payload = payload; 3022 plist->payload_type = payload_type; 3023 plist->free_payload = free_payload; 3024 3025 return plist; 3026 } 3027 3028 vchar_t * 3029 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1) 3030 { 3031 struct payload_list *ptr = *plist, *first; 3032 size_t tlen = sizeof (struct isakmp), n = 0; 3033 vchar_t *buf = NULL; 3034 char *p; 3035 3036 /* Seek to the first item. */ 3037 while (ptr->prev) ptr = ptr->prev; 3038 first = ptr; 3039 3040 /* Compute the whole length. */ 3041 while (ptr) { 3042 tlen += ptr->payload->l + sizeof (struct isakmp_gen); 3043 ptr = ptr->next; 3044 } 3045 3046 buf = vmalloc(tlen); 3047 if (buf == NULL) { 3048 plog(LLV_ERROR, LOCATION, NULL, 3049 "failed to get buffer to send.\n"); 3050 goto end; 3051 } 3052 3053 ptr = first; 3054 3055 p = set_isakmp_header1(buf, iph1, ptr->payload_type); 3056 if (p == NULL) 3057 goto end; 3058 3059 while (ptr) 3060 { 3061 p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE); 3062 first = ptr; 3063 ptr = ptr->next; 3064 if (first->free_payload) 3065 vfree(first->payload); 3066 racoon_free (first); 3067 /* ptr->prev = NULL; first = NULL; ... omitted. */ 3068 n++; 3069 } 3070 3071 *plist = NULL; 3072 3073 return buf; 3074 end: 3075 if (buf != NULL) 3076 vfree(buf); 3077 return NULL; 3078 } 3079 3080 #ifdef ENABLE_FRAG 3081 int 3082 frag_handler(iph1, msg, remote, local) 3083 struct ph1handle *iph1; 3084 vchar_t *msg; 3085 struct sockaddr *remote; 3086 struct sockaddr *local; 3087 { 3088 vchar_t *newmsg; 3089 3090 if (isakmp_frag_extract(iph1, msg) == 1) { 3091 if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) { 3092 plog(LLV_ERROR, LOCATION, remote, 3093 "Packet reassembly failed\n"); 3094 return -1; 3095 } 3096 return isakmp_main(newmsg, remote, local); 3097 } 3098 3099 return 0; 3100 } 3101 #endif 3102 3103 void 3104 script_hook(iph1, script) 3105 struct ph1handle *iph1; 3106 int script; 3107 { 3108 #define IP_MAX 40 3109 #define PORT_MAX 6 3110 char addrstr[IP_MAX]; 3111 char portstr[PORT_MAX]; 3112 char **envp = NULL; 3113 int envc = 1; 3114 char **c; 3115 3116 if (iph1 == NULL || 3117 iph1->rmconf == NULL || 3118 iph1->rmconf->script[script] == NULL) 3119 return; 3120 3121 #ifdef ENABLE_HYBRID 3122 (void)isakmp_cfg_setenv(iph1, &envp, &envc); 3123 #endif 3124 3125 /* local address */ 3126 GETNAMEINFO(iph1->local, addrstr, portstr); 3127 3128 if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) { 3129 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n"); 3130 goto out; 3131 } 3132 3133 if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) { 3134 plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n"); 3135 goto out; 3136 } 3137 3138 /* Peer address */ 3139 if (iph1->remote != NULL) { 3140 GETNAMEINFO(iph1->remote, addrstr, portstr); 3141 3142 if (script_env_append(&envp, &envc, 3143 "REMOTE_ADDR", addrstr) != 0) { 3144 plog(LLV_ERROR, LOCATION, NULL, 3145 "Cannot set REMOTE_ADDR\n"); 3146 goto out; 3147 } 3148 3149 if (script_env_append(&envp, &envc, 3150 "REMOTE_PORT", portstr) != 0) { 3151 plog(LLV_ERROR, LOCATION, NULL, 3152 "Cannot set REMOTEL_PORT\n"); 3153 goto out; 3154 } 3155 } 3156 3157 /* Peer identity. */ 3158 if (iph1->id_p != NULL) { 3159 if (script_env_append(&envp, &envc, "REMOTE_ID", 3160 ipsecdoi_id2str(iph1->id_p)) != 0) { 3161 plog(LLV_ERROR, LOCATION, NULL, 3162 "Cannot set REMOTE_ID\n"); 3163 goto out; 3164 } 3165 } 3166 3167 if (privsep_script_exec(iph1->rmconf->script[script]->v, 3168 script, envp) != 0) 3169 plog(LLV_ERROR, LOCATION, NULL, 3170 "Script %s execution failed\n", script_names[script]); 3171 3172 out: 3173 for (c = envp; *c; c++) 3174 racoon_free(*c); 3175 3176 racoon_free(envp); 3177 3178 return; 3179 } 3180 3181 int 3182 script_env_append(envp, envc, name, value) 3183 char ***envp; 3184 int *envc; 3185 char *name; 3186 char *value; 3187 { 3188 char *envitem; 3189 char **newenvp; 3190 int newenvc; 3191 3192 envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1); 3193 if (envitem == NULL) { 3194 plog(LLV_ERROR, LOCATION, NULL, 3195 "Cannot allocate memory: %s\n", strerror(errno)); 3196 return -1; 3197 } 3198 sprintf(envitem, "%s=%s", name, value); 3199 3200 newenvc = (*envc) + 1; 3201 newenvp = racoon_realloc(*envp, newenvc * sizeof(char *)); 3202 if (newenvp == NULL) { 3203 plog(LLV_ERROR, LOCATION, NULL, 3204 "Cannot allocate memory: %s\n", strerror(errno)); 3205 racoon_free(envitem); 3206 return -1; 3207 } 3208 3209 newenvp[newenvc - 2] = envitem; 3210 newenvp[newenvc - 1] = NULL; 3211 3212 *envp = newenvp; 3213 *envc = newenvc; 3214 return 0; 3215 } 3216 3217 int 3218 script_exec(script, name, envp) 3219 char *script; 3220 int name; 3221 char *const envp[]; 3222 { 3223 char *argv[] = { NULL, NULL, NULL }; 3224 3225 argv[0] = script; 3226 argv[1] = script_names[name]; 3227 argv[2] = NULL; 3228 3229 switch (fork()) { 3230 case 0: 3231 execve(argv[0], argv, envp); 3232 plog(LLV_ERROR, LOCATION, NULL, 3233 "execve(\"%s\") failed: %s\n", 3234 argv[0], strerror(errno)); 3235 _exit(1); 3236 break; 3237 case -1: 3238 plog(LLV_ERROR, LOCATION, NULL, 3239 "Cannot fork: %s\n", strerror(errno)); 3240 return -1; 3241 break; 3242 default: 3243 break; 3244 } 3245 return 0; 3246 3247 } 3248 3249 void 3250 purge_remote(iph1) 3251 struct ph1handle *iph1; 3252 { 3253 vchar_t *buf = NULL; 3254 struct sadb_msg *msg, *next, *end; 3255 struct sadb_sa *sa; 3256 struct sockaddr *src, *dst; 3257 caddr_t mhp[SADB_EXT_MAX + 1]; 3258 u_int proto_id; 3259 struct ph2handle *iph2; 3260 struct ph1handle *new_iph1; 3261 3262 plog(LLV_INFO, LOCATION, NULL, 3263 "purging ISAKMP-SA spi=%s.\n", 3264 isakmp_pindex(&(iph1->index), iph1->msgid)); 3265 3266 /* Mark as expired. */ 3267 iph1->status = PHASE1ST_EXPIRED; 3268 3269 /* Check if we have another, still valid, phase1 SA. */ 3270 new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED); 3271 3272 /* 3273 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs. 3274 * Keep all others phase2 SAs. 3275 */ 3276 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); 3277 if (buf == NULL) { 3278 plog(LLV_DEBUG, LOCATION, NULL, 3279 "pfkey_dump_sadb returned nothing.\n"); 3280 return; 3281 } 3282 3283 msg = (struct sadb_msg *)buf->v; 3284 end = (struct sadb_msg *)(buf->v + buf->l); 3285 3286 while (msg < end) { 3287 if ((msg->sadb_msg_len << 3) < sizeof(*msg)) 3288 break; 3289 next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); 3290 if (msg->sadb_msg_type != SADB_DUMP) { 3291 msg = next; 3292 continue; 3293 } 3294 3295 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { 3296 plog(LLV_ERROR, LOCATION, NULL, 3297 "pfkey_check (%s)\n", ipsec_strerror()); 3298 msg = next; 3299 continue; 3300 } 3301 3302 sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]); 3303 if (!sa || 3304 !mhp[SADB_EXT_ADDRESS_SRC] || 3305 !mhp[SADB_EXT_ADDRESS_DST]) { 3306 msg = next; 3307 continue; 3308 } 3309 pk_fixup_sa_addresses(mhp); 3310 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 3311 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 3312 3313 if (sa->sadb_sa_state != SADB_SASTATE_LARVAL && 3314 sa->sadb_sa_state != SADB_SASTATE_MATURE && 3315 sa->sadb_sa_state != SADB_SASTATE_DYING) { 3316 msg = next; 3317 continue; 3318 } 3319 3320 /* 3321 * check in/outbound SAs. 3322 * Select only SAs where src == local and dst == remote (outgoing) 3323 * or src == remote and dst == local (incoming). 3324 */ 3325 if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH || 3326 cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) && 3327 (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH || 3328 cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) { 3329 msg = next; 3330 continue; 3331 } 3332 3333 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); 3334 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); 3335 3336 /* Check if there is another valid ISAKMP-SA */ 3337 if (new_iph1 != NULL) { 3338 3339 if (iph2 == NULL) { 3340 /* No handler... still send a pfkey_delete message, but log this !*/ 3341 plog(LLV_INFO, LOCATION, NULL, 3342 "Unknown IPsec-SA spi=%u, hmmmm?\n", 3343 ntohl(sa->sadb_sa_spi)); 3344 }else{ 3345 3346 /* 3347 * If we have a new ph1, do not purge IPsec-SAs binded 3348 * to a different ISAKMP-SA 3349 */ 3350 if (iph2->ph1 != NULL && iph2->ph1 != iph1){ 3351 msg = next; 3352 continue; 3353 } 3354 3355 /* If the ph2handle is established, do not purge IPsec-SA */ 3356 if (iph2->status == PHASE2ST_ESTABLISHED || 3357 iph2->status == PHASE2ST_EXPIRED) { 3358 3359 plog(LLV_INFO, LOCATION, NULL, 3360 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n", 3361 ntohl(sa->sadb_sa_spi), 3362 isakmp_pindex(&(new_iph1->index), new_iph1->msgid)); 3363 msg = next; 3364 continue; 3365 } 3366 } 3367 } 3368 3369 3370 pfkey_send_delete(lcconf->sock_pfkey, 3371 msg->sadb_msg_satype, 3372 IPSEC_MODE_ANY, 3373 src, dst, sa->sadb_sa_spi); 3374 3375 /* delete a relative phase 2 handle. */ 3376 if (iph2 != NULL) { 3377 delete_spd(iph2, 0); 3378 remph2(iph2); 3379 delph2(iph2); 3380 } 3381 3382 plog(LLV_INFO, LOCATION, NULL, 3383 "purged IPsec-SA spi=%u.\n", 3384 ntohl(sa->sadb_sa_spi)); 3385 3386 msg = next; 3387 } 3388 3389 if (buf) 3390 vfree(buf); 3391 3392 /* Mark the phase1 handler as EXPIRED */ 3393 plog(LLV_INFO, LOCATION, NULL, 3394 "purged ISAKMP-SA spi=%s.\n", 3395 isakmp_pindex(&(iph1->index), iph1->msgid)); 3396 3397 isakmp_ph1delete(iph1); 3398 } 3399 3400 void 3401 delete_spd(iph2, created) 3402 struct ph2handle *iph2; 3403 u_int64_t created; 3404 { 3405 struct policyindex spidx; 3406 struct sockaddr_storage addr; 3407 u_int8_t pref; 3408 struct sockaddr *src; 3409 struct sockaddr *dst; 3410 int error; 3411 int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */ 3412 3413 if (iph2 == NULL) 3414 return; 3415 3416 /* Delete the SPD entry if we generated it 3417 */ 3418 if (! iph2->generated_spidx ) 3419 return; 3420 3421 src = iph2->src; 3422 dst = iph2->dst; 3423 3424 plog(LLV_INFO, LOCATION, NULL, 3425 "deleting a generated policy.\n"); 3426 3427 memset(&spidx, 0, sizeof(spidx)); 3428 iph2->spidx_gen = (caddr_t )&spidx; 3429 3430 /* make inbound policy */ 3431 iph2->src = dst; 3432 iph2->dst = src; 3433 spidx.dir = IPSEC_DIR_INBOUND; 3434 spidx.ul_proto = 0; 3435 3436 /* 3437 * Note: code from get_proposal_r 3438 */ 3439 3440 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type 3441 3442 /* 3443 * make destination address in spidx from either ID payload 3444 * or phase 1 address into a address in spidx. 3445 */ 3446 if (iph2->id != NULL 3447 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 3448 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR 3449 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET 3450 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 3451 /* get a destination address of a policy */ 3452 error = ipsecdoi_id2sockaddr(iph2->id, 3453 (struct sockaddr *)&spidx.dst, 3454 &spidx.prefd, &spidx.ul_proto); 3455 if (error) 3456 goto purge; 3457 3458 #ifdef INET6 3459 /* 3460 * get scopeid from the SA address. 3461 * note that the phase 1 source address is used as 3462 * a destination address to search for a inbound 3463 * policy entry because rcoon is responder. 3464 */ 3465 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { 3466 if ((error = 3467 setscopeid((struct sockaddr *)&spidx.dst, 3468 iph2->src)) != 0) 3469 goto purge; 3470 } 3471 #endif 3472 3473 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 3474 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) 3475 idi2type = _XIDT(iph2->id); 3476 3477 } else { 3478 3479 plog(LLV_DEBUG, LOCATION, NULL, 3480 "get a destination address of SP index " 3481 "from phase1 address " 3482 "due to no ID payloads found " 3483 "OR because ID type is not address.\n"); 3484 3485 /* 3486 * copy the SOURCE address of IKE into the 3487 * DESTINATION address of the key to search the 3488 * SPD because the direction of policy is inbound. 3489 */ 3490 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); 3491 switch (spidx.dst.ss_family) { 3492 case AF_INET: 3493 spidx.prefd = 3494 sizeof(struct in_addr) << 3; 3495 break; 3496 #ifdef INET6 3497 case AF_INET6: 3498 spidx.prefd = 3499 sizeof(struct in6_addr) << 3; 3500 break; 3501 #endif 3502 default: 3503 spidx.prefd = 0; 3504 break; 3505 } 3506 } 3507 3508 /* make source address in spidx */ 3509 if (iph2->id_p != NULL 3510 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR 3511 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR 3512 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET 3513 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 3514 /* get a source address of inbound SA */ 3515 error = ipsecdoi_id2sockaddr(iph2->id_p, 3516 (struct sockaddr *)&spidx.src, 3517 &spidx.prefs, &spidx.ul_proto); 3518 if (error) 3519 goto purge; 3520 3521 #ifdef INET6 3522 /* 3523 * get scopeid from the SA address. 3524 * for more detail, see above of this function. 3525 */ 3526 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { 3527 error = 3528 setscopeid((struct sockaddr *)&spidx.src, 3529 iph2->dst); 3530 if (error) 3531 goto purge; 3532 } 3533 #endif 3534 3535 /* make sa_[src,dst] if both ID types are IP address and same */ 3536 if (_XIDT(iph2->id_p) == idi2type 3537 && spidx.dst.ss_family == spidx.src.ss_family) { 3538 iph2->sa_src = 3539 dupsaddr((struct sockaddr *)&spidx.dst); 3540 if (iph2->sa_src == NULL) { 3541 plog(LLV_ERROR, LOCATION, NULL, 3542 "allocation failed\n"); 3543 goto purge; 3544 } 3545 iph2->sa_dst = 3546 dupsaddr((struct sockaddr *)&spidx.src); 3547 if (iph2->sa_dst == NULL) { 3548 plog(LLV_ERROR, LOCATION, NULL, 3549 "allocation failed\n"); 3550 goto purge; 3551 } 3552 } 3553 3554 } else { 3555 plog(LLV_DEBUG, LOCATION, NULL, 3556 "get a source address of SP index " 3557 "from phase1 address " 3558 "due to no ID payloads found " 3559 "OR because ID type is not address.\n"); 3560 3561 /* see above comment. */ 3562 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); 3563 switch (spidx.src.ss_family) { 3564 case AF_INET: 3565 spidx.prefs = 3566 sizeof(struct in_addr) << 3; 3567 break; 3568 #ifdef INET6 3569 case AF_INET6: 3570 spidx.prefs = 3571 sizeof(struct in6_addr) << 3; 3572 break; 3573 #endif 3574 default: 3575 spidx.prefs = 0; 3576 break; 3577 } 3578 } 3579 3580 #undef _XIDT 3581 3582 plog(LLV_DEBUG, LOCATION, NULL, 3583 "get a src address from ID payload " 3584 "%s prefixlen=%u ul_proto=%u\n", 3585 saddr2str((struct sockaddr *)&spidx.src), 3586 spidx.prefs, spidx.ul_proto); 3587 plog(LLV_DEBUG, LOCATION, NULL, 3588 "get dst address from ID payload " 3589 "%s prefixlen=%u ul_proto=%u\n", 3590 saddr2str((struct sockaddr *)&spidx.dst), 3591 spidx.prefd, spidx.ul_proto); 3592 3593 /* 3594 * convert the ul_proto if it is 0 3595 * because 0 in ID payload means a wild card. 3596 */ 3597 if (spidx.ul_proto == 0) 3598 spidx.ul_proto = IPSEC_ULPROTO_ANY; 3599 3600 #undef _XIDT 3601 3602 /* Check if the generated SPD has the same timestamp as the SA. 3603 * If timestamps are different, this means that the SPD entry has been 3604 * refreshed by another SA, and should NOT be deleted with the current SA. 3605 */ 3606 if( created ){ 3607 struct secpolicy *p; 3608 3609 p = getsp(&spidx); 3610 if(p != NULL){ 3611 /* just do no test if p is NULL, because this probably just means 3612 * that the policy has already be deleted for some reason. 3613 */ 3614 if(p->spidx.created != created) 3615 goto purge; 3616 } 3617 } 3618 3619 /* End of code from get_proposal_r 3620 */ 3621 3622 if (pk_sendspddelete(iph2) < 0) { 3623 plog(LLV_ERROR, LOCATION, NULL, 3624 "pfkey spddelete(inbound) failed.\n"); 3625 }else{ 3626 plog(LLV_DEBUG, LOCATION, NULL, 3627 "pfkey spddelete(inbound) sent.\n"); 3628 } 3629 3630 #ifdef HAVE_POLICY_FWD 3631 /* make forward policy if required */ 3632 if (tunnel_mode_prop(iph2->approval)) { 3633 spidx.dir = IPSEC_DIR_FWD; 3634 if (pk_sendspddelete(iph2) < 0) { 3635 plog(LLV_ERROR, LOCATION, NULL, 3636 "pfkey spddelete(forward) failed.\n"); 3637 }else{ 3638 plog(LLV_DEBUG, LOCATION, NULL, 3639 "pfkey spddelete(forward) sent.\n"); 3640 } 3641 } 3642 #endif 3643 3644 /* make outbound policy */ 3645 iph2->src = src; 3646 iph2->dst = dst; 3647 spidx.dir = IPSEC_DIR_OUTBOUND; 3648 addr = spidx.src; 3649 spidx.src = spidx.dst; 3650 spidx.dst = addr; 3651 pref = spidx.prefs; 3652 spidx.prefs = spidx.prefd; 3653 spidx.prefd = pref; 3654 3655 if (pk_sendspddelete(iph2) < 0) { 3656 plog(LLV_ERROR, LOCATION, NULL, 3657 "pfkey spddelete(outbound) failed.\n"); 3658 }else{ 3659 plog(LLV_DEBUG, LOCATION, NULL, 3660 "pfkey spddelete(outbound) sent.\n"); 3661 } 3662 purge: 3663 iph2->spidx_gen=NULL; 3664 } 3665 3666 3667 #ifdef INET6 3668 u_int32_t 3669 setscopeid(sp_addr0, sa_addr0) 3670 struct sockaddr *sp_addr0, *sa_addr0; 3671 { 3672 struct sockaddr_in6 *sp_addr, *sa_addr; 3673 3674 sp_addr = (struct sockaddr_in6 *)sp_addr0; 3675 sa_addr = (struct sockaddr_in6 *)sa_addr0; 3676 3677 if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr) 3678 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr) 3679 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr)) 3680 return 0; 3681 3682 /* this check should not be here ? */ 3683 if (sa_addr->sin6_family != AF_INET6) { 3684 plog(LLV_ERROR, LOCATION, NULL, 3685 "can't get scope ID: family mismatch\n"); 3686 return -1; 3687 } 3688 3689 if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) { 3690 plog(LLV_ERROR, LOCATION, NULL, 3691 "scope ID is not supported except of lladdr.\n"); 3692 return -1; 3693 } 3694 3695 sp_addr->sin6_scope_id = sa_addr->sin6_scope_id; 3696 3697 return 0; 3698 } 3699 #endif 3700
