1 /* $NetBSD: isakmp_quick.c,v 1.29 2011/03/14 17:18:13 tteras Exp $ */ 2 3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 40 #include <netinet/in.h> 41 42 #include <stdlib.h> 43 #include <stdio.h> 44 #include <string.h> 45 #include <errno.h> 46 #if TIME_WITH_SYS_TIME 47 # include <sys/time.h> 48 # include <time.h> 49 #else 50 # if HAVE_SYS_TIME_H 51 # include <sys/time.h> 52 # else 53 # include <time.h> 54 # endif 55 #endif 56 57 #include PATH_IPSEC_H 58 59 #include "var.h" 60 #include "vmbuf.h" 61 #include "schedule.h" 62 #include "misc.h" 63 #include "plog.h" 64 #include "debug.h" 65 66 #include "localconf.h" 67 #include "remoteconf.h" 68 #include "handler.h" 69 #include "policy.h" 70 #include "proposal.h" 71 #include "isakmp_var.h" 72 #include "isakmp.h" 73 #include "isakmp_inf.h" 74 #include "isakmp_quick.h" 75 #include "oakley.h" 76 #include "ipsec_doi.h" 77 #include "crypto_openssl.h" 78 #include "pfkey.h" 79 #include "policy.h" 80 #include "algorithm.h" 81 #include "sockmisc.h" 82 #include "proposal.h" 83 #include "sainfo.h" 84 #include "admin.h" 85 #include "strnames.h" 86 87 #ifdef ENABLE_HYBRID 88 #include <resolv.h> 89 #include "isakmp_xauth.h" 90 #include "isakmp_cfg.h" 91 #endif 92 93 #ifdef ENABLE_NATT 94 #include "nattraversal.h" 95 #endif 96 97 /* quick mode */ 98 static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *)); 99 static int get_sainfo_r __P((struct ph2handle *)); 100 static int get_proposal_r __P((struct ph2handle *)); 101 static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *)); 102 static void quick_timeover_stub __P((struct sched *)); 103 static void quick_timeover __P((struct ph2handle *)); 104 105 /* called from scheduler */ 106 static void 107 quick_timeover_stub(p) 108 struct sched *p; 109 { 110 quick_timeover(container_of(p, struct ph2handle, sce)); 111 } 112 113 static void 114 quick_timeover(iph2) 115 struct ph2handle *iph2; 116 { 117 plog(LLV_ERROR, LOCATION, NULL, 118 "%s give up to get IPsec-SA due to time up to wait.\n", 119 saddrwop2str(iph2->dst)); 120 121 /* If initiator side, send error to kernel by SADB_ACQUIRE. */ 122 if (iph2->side == INITIATOR) 123 pk_sendeacquire(iph2); 124 125 remph2(iph2); 126 delph2(iph2); 127 } 128 129 /* %%% 131 * Quick Mode 132 */ 133 /* 134 * begin Quick Mode as initiator. send pfkey getspi message to kernel. 135 */ 136 int 137 quick_i1prep(iph2, msg) 138 struct ph2handle *iph2; 139 vchar_t *msg; /* must be null pointer */ 140 { 141 int error = ISAKMP_INTERNAL_ERROR; 142 143 /* validity check */ 144 if (iph2->status != PHASE2ST_STATUS2) { 145 plog(LLV_ERROR, LOCATION, NULL, 146 "status mismatched %d.\n", iph2->status); 147 goto end; 148 } 149 150 iph2->msgid = isakmp_newmsgid2(iph2->ph1); 151 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid); 152 if (iph2->ivm == NULL) 153 return 0; 154 155 iph2->status = PHASE2ST_GETSPISENT; 156 157 /* don't anything if local test mode. */ 158 if (f_local) { 159 error = 0; 160 goto end; 161 } 162 163 /* send getspi message */ 164 if (pk_sendgetspi(iph2) < 0) 165 goto end; 166 167 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); 168 169 sched_schedule(&iph2->sce, lcconf->wait_ph2complete, 170 quick_timeover_stub); 171 172 error = 0; 173 174 end: 175 return error; 176 } 177 178 /* 179 * send to responder 180 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 181 */ 182 int 183 quick_i1send(iph2, msg) 184 struct ph2handle *iph2; 185 vchar_t *msg; /* must be null pointer */ 186 { 187 vchar_t *body = NULL; 188 vchar_t *hash = NULL; 189 struct isakmp_gen *gen; 190 char *p; 191 int tlen; 192 int error = ISAKMP_INTERNAL_ERROR; 193 int natoa = ISAKMP_NPTYPE_NONE; 194 int pfsgroup, idci, idcr; 195 int np; 196 struct ipsecdoi_id_b *id, *id_p; 197 #ifdef ENABLE_NATT 198 vchar_t *nat_oai = NULL; 199 vchar_t *nat_oar = NULL; 200 #endif 201 202 /* validity check */ 203 if (msg != NULL) { 204 plog(LLV_ERROR, LOCATION, NULL, 205 "msg has to be NULL in this function.\n"); 206 goto end; 207 } 208 if (iph2->status != PHASE2ST_GETSPIDONE) { 209 plog(LLV_ERROR, LOCATION, NULL, 210 "status mismatched %d.\n", iph2->status); 211 goto end; 212 } 213 214 /* create SA payload for my proposal */ 215 if (ipsecdoi_setph2proposal(iph2) < 0) 216 goto end; 217 218 /* generate NONCE value */ 219 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); 220 if (iph2->nonce == NULL) 221 goto end; 222 223 /* 224 * DH value calculation is kicked out into cfparse.y. 225 * because pfs group can not be negotiated, it's only to be checked 226 * acceptable. 227 */ 228 /* generate KE value if need */ 229 pfsgroup = iph2->proposal->pfs_group; 230 if (pfsgroup) { 231 /* DH group settting if PFS is required. */ 232 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { 233 plog(LLV_ERROR, LOCATION, NULL, 234 "failed to set DH value.\n"); 235 goto end; 236 } 237 if (oakley_dh_generate(iph2->pfsgrp, 238 &iph2->dhpub, &iph2->dhpriv) < 0) { 239 goto end; 240 } 241 } 242 243 /* generate ID value */ 244 if (ipsecdoi_setid2(iph2) < 0) { 245 plog(LLV_ERROR, LOCATION, NULL, 246 "failed to get ID.\n"); 247 goto end; 248 } 249 plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n"); 250 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); 251 plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n"); 252 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); 253 254 /* 255 * we do not attach IDci nor IDcr, under the following condition: 256 * - all proposals are transport mode 257 * - no MIP6 or proxy 258 * - id payload suggests to encrypt all the traffic (no specific 259 * protocol type) 260 * - SA endpoints and IKE addresses for the nego are the same 261 * (iph2->src/dst) 262 */ 263 id = (struct ipsecdoi_id_b *)iph2->id->v; 264 id_p = (struct ipsecdoi_id_b *)iph2->id_p->v; 265 if (id->proto_id == 0 && 266 id_p->proto_id == 0 && 267 iph2->ph1->rmconf->support_proxy == 0 && 268 iph2->sa_src == NULL && iph2->sa_dst == NULL && 269 ipsecdoi_transportmode(iph2->proposal)) { 270 idci = idcr = 0; 271 } else 272 idci = idcr = 1; 273 274 #ifdef ENABLE_NATT 275 /* 276 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport 277 * we should send NAT-OA 278 */ 279 if (ipsecdoi_transportmode(iph2->proposal) 280 && (iph2->ph1->natt_flags & NAT_DETECTED)) { 281 natoa = iph2->ph1->natt_options->payload_nat_oa; 282 283 nat_oai = ipsecdoi_sockaddr2id(iph2->src, 284 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 285 nat_oar = ipsecdoi_sockaddr2id(iph2->dst, 286 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 287 288 if (nat_oai == NULL || nat_oar == NULL) { 289 plog(LLV_ERROR, LOCATION, NULL, 290 "failed to generate NAT-OA payload.\n"); 291 goto end; 292 } 293 294 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n"); 295 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l); 296 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n"); 297 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l); 298 } else { 299 natoa = ISAKMP_NPTYPE_NONE; 300 } 301 #endif 302 303 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */ 304 tlen = + sizeof(*gen) + iph2->sa->l 305 + sizeof(*gen) + iph2->nonce->l; 306 if (pfsgroup) 307 tlen += (sizeof(*gen) + iph2->dhpub->l); 308 if (idci) 309 tlen += sizeof(*gen) + iph2->id->l; 310 if (idcr) 311 tlen += sizeof(*gen) + iph2->id_p->l; 312 #ifdef ENABLE_NATT 313 if (natoa != ISAKMP_NPTYPE_NONE) 314 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l; 315 #endif 316 317 body = vmalloc(tlen); 318 if (body == NULL) { 319 plog(LLV_ERROR, LOCATION, NULL, 320 "failed to get buffer to send.\n"); 321 goto end; 322 } 323 324 p = body->v; 325 326 /* add SA payload */ 327 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE); 328 329 /* add NONCE payload */ 330 if (pfsgroup) 331 np = ISAKMP_NPTYPE_KE; 332 else if (idci || idcr) 333 np = ISAKMP_NPTYPE_ID; 334 else 335 np = natoa; 336 p = set_isakmp_payload(p, iph2->nonce, np); 337 338 /* add KE payload if need. */ 339 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : natoa; 340 if (pfsgroup) 341 p = set_isakmp_payload(p, iph2->dhpub, np); 342 343 /* IDci */ 344 np = (idcr) ? ISAKMP_NPTYPE_ID : natoa; 345 if (idci) 346 p = set_isakmp_payload(p, iph2->id, np); 347 348 /* IDcr */ 349 if (idcr) 350 p = set_isakmp_payload(p, iph2->id_p, natoa); 351 352 #ifdef ENABLE_NATT 353 /* NAT-OA */ 354 if (natoa != ISAKMP_NPTYPE_NONE) { 355 p = set_isakmp_payload(p, nat_oai, natoa); 356 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE); 357 } 358 #endif 359 360 /* generate HASH(1) */ 361 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body); 362 if (hash == NULL) 363 goto end; 364 365 /* send isakmp payload */ 366 iph2->sendbuf = quick_ir1mx(iph2, body, hash); 367 if (iph2->sendbuf == NULL) 368 goto end; 369 370 /* send the packet, add to the schedule to resend */ 371 if (isakmp_ph2send(iph2) == -1) 372 goto end; 373 374 /* change status of isakmp status entry */ 375 iph2->status = PHASE2ST_MSG1SENT; 376 377 error = 0; 378 379 end: 380 if (body != NULL) 381 vfree(body); 382 if (hash != NULL) 383 vfree(hash); 384 #ifdef ENABLE_NATT 385 if (nat_oai != NULL) 386 vfree(nat_oai); 387 if (nat_oar != NULL) 388 vfree(nat_oar); 389 #endif 390 391 return error; 392 } 393 394 /* 395 * receive from responder 396 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 397 */ 398 int 399 quick_i2recv(iph2, msg0) 400 struct ph2handle *iph2; 401 vchar_t *msg0; 402 { 403 vchar_t *msg = NULL; 404 vchar_t *hbuf = NULL; /* for hash computing. */ 405 vchar_t *pbuf = NULL; /* for payload parsing */ 406 vchar_t *idci = NULL; 407 vchar_t *idcr = NULL; 408 struct isakmp_parse_t *pa; 409 struct isakmp *isakmp = (struct isakmp *)msg0->v; 410 struct isakmp_pl_hash *hash = NULL; 411 char *p; 412 int tlen; 413 int error = ISAKMP_INTERNAL_ERROR; 414 415 /* validity check */ 416 if (iph2->status != PHASE2ST_MSG1SENT) { 417 plog(LLV_ERROR, LOCATION, NULL, 418 "status mismatched %d.\n", iph2->status); 419 goto end; 420 } 421 422 /* decrypt packet */ 423 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 424 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 425 "Packet wasn't encrypted.\n"); 426 goto end; 427 } 428 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 429 if (msg == NULL) 430 goto end; 431 432 /* create buffer for validating HASH(2) */ 433 /* 434 * ordering rule: 435 * 1. the first one must be HASH 436 * 2. the second one must be SA (added in isakmp-oakley-05!) 437 * 3. two IDs must be considered as IDci, then IDcr 438 */ 439 pbuf = isakmp_parse(msg); 440 if (pbuf == NULL) 441 goto end; 442 pa = (struct isakmp_parse_t *)pbuf->v; 443 444 /* HASH payload is fixed postion */ 445 if (pa->type != ISAKMP_NPTYPE_HASH) { 446 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 447 "received invalid next payload type %d, " 448 "expecting %d.\n", 449 pa->type, ISAKMP_NPTYPE_HASH); 450 goto end; 451 } 452 hash = (struct isakmp_pl_hash *)pa->ptr; 453 pa++; 454 455 /* 456 * this restriction was introduced in isakmp-oakley-05. 457 * we do not check this for backward compatibility. 458 * TODO: command line/config file option to enable/disable this code 459 */ 460 /* HASH payload is fixed postion */ 461 if (pa->type != ISAKMP_NPTYPE_SA) { 462 plog(LLV_WARNING, LOCATION, iph2->ph1->remote, 463 "received invalid next payload type %d, " 464 "expecting %d.\n", 465 pa->type, ISAKMP_NPTYPE_HASH); 466 } 467 468 /* allocate buffer for computing HASH(2) */ 469 tlen = iph2->nonce->l 470 + ntohl(isakmp->len) - sizeof(*isakmp); 471 hbuf = vmalloc(tlen); 472 if (hbuf == NULL) { 473 plog(LLV_ERROR, LOCATION, NULL, 474 "failed to get hash buffer.\n"); 475 goto end; 476 } 477 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */ 478 479 /* 480 * parse the payloads. 481 * copy non-HASH payloads into hbuf, so that we can validate HASH. 482 */ 483 iph2->sa_ret = NULL; 484 tlen = 0; /* count payload length except of HASH payload. */ 485 for (; pa->type; pa++) { 486 487 /* copy to buffer for HASH */ 488 /* Don't modify the payload */ 489 memcpy(p, pa->ptr, pa->len); 490 491 switch (pa->type) { 492 case ISAKMP_NPTYPE_SA: 493 if (iph2->sa_ret != NULL) { 494 plog(LLV_ERROR, LOCATION, NULL, 495 "Ignored, multiple SA " 496 "isn't supported.\n"); 497 break; 498 } 499 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) { 500 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 501 "duplicate ISAKMP_NPTYPE_SA.\n"); 502 goto end; 503 } 504 break; 505 506 case ISAKMP_NPTYPE_NONCE: 507 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) { 508 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 509 "duplicate ISAKMP_NPTYPE_NONCE.\n"); 510 goto end; 511 } 512 break; 513 514 case ISAKMP_NPTYPE_KE: 515 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) { 516 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 517 "duplicate ISAKMP_NPTYPE_KE.\n"); 518 goto end; 519 } 520 break; 521 522 case ISAKMP_NPTYPE_ID: 523 if (idci == NULL) { 524 if (isakmp_p2ph(&idci, pa->ptr) < 0) 525 goto end; 526 } else if (idcr == NULL) { 527 if (isakmp_p2ph(&idcr, pa->ptr) < 0) 528 goto end; 529 } else { 530 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 531 "too many ISAKMP_NPTYPE_ID payloads.\n"); 532 goto end; 533 } 534 break; 535 536 case ISAKMP_NPTYPE_N: 537 ph2_recv_n(iph2, pa->ptr); 538 break; 539 540 #ifdef ENABLE_NATT 541 case ISAKMP_NPTYPE_NATOA_DRAFT: 542 case ISAKMP_NPTYPE_NATOA_RFC: 543 { 544 struct sockaddr_storage addr; 545 struct sockaddr *daddr; 546 u_int8_t prefix; 547 u_int16_t ul_proto; 548 vchar_t *vp = NULL; 549 550 if (isakmp_p2ph(&vp, pa->ptr) < 0) 551 goto end; 552 553 error = ipsecdoi_id2sockaddr(vp, 554 (struct sockaddr *) &addr, 555 &prefix, &ul_proto); 556 557 vfree(vp); 558 559 if (error) 560 goto end; 561 562 daddr = dupsaddr((struct sockaddr *) &addr); 563 if (daddr == NULL) 564 goto end; 565 566 if (iph2->natoa_src == NULL) 567 iph2->natoa_src = daddr; 568 else if (iph2->natoa_dst == NULL) 569 iph2->natoa_dst = daddr; 570 else { 571 racoon_free(daddr); 572 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 573 "too many ISAKMP_NPTYPE_NATOA payloads.\n"); 574 goto end; 575 } 576 } 577 break; 578 #endif 579 580 default: 581 /* don't send information, see ident_r1recv() */ 582 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 583 "ignore the packet, " 584 "received unexpecting payload type %d.\n", 585 pa->type); 586 goto end; 587 } 588 589 p += pa->len; 590 591 /* compute true length of payload. */ 592 tlen += pa->len; 593 } 594 595 /* payload existency check */ 596 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) { 597 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 598 "few isakmp message received.\n"); 599 goto end; 600 } 601 602 #ifndef ANDROID_PATCHED 603 /* identity check */ 604 if (idci != NULL) { 605 struct sockaddr_storage proposed_addr, got_addr; 606 u_int8_t proposed_prefix, got_prefix; 607 u_int16_t proposed_ulproto, got_ulproto; 608 609 error = ipsecdoi_id2sockaddr(iph2->id, 610 (struct sockaddr *) &proposed_addr, 611 &proposed_prefix, &proposed_ulproto); 612 if (error) 613 goto end; 614 615 error = ipsecdoi_id2sockaddr(idci, 616 (struct sockaddr *) &got_addr, 617 &got_prefix, &got_ulproto); 618 if (error) 619 goto end; 620 621 if (proposed_prefix != got_prefix 622 || proposed_ulproto != got_ulproto) { 623 plog(LLV_DEBUG, LOCATION, NULL, 624 "IDci prefix/ulproto does not match proposal.\n"); 625 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 626 goto end; 627 } 628 #ifdef ENABLE_NATT 629 set_port(iph2->natoa_src, 630 extract_port((struct sockaddr *) &proposed_addr)); 631 #endif 632 633 if (cmpsaddr((struct sockaddr *) &proposed_addr, 634 (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) { 635 plog(LLV_DEBUG, LOCATION, NULL, 636 "IDci matches proposal.\n"); 637 #ifdef ENABLE_NATT 638 } else if (iph2->natoa_src != NULL 639 && cmpsaddr(iph2->natoa_src, 640 (struct sockaddr *) &got_addr) == 0) { 641 plog(LLV_DEBUG, LOCATION, NULL, 642 "IDci matches NAT-OAi.\n"); 643 #endif 644 } else { 645 plog(LLV_ERROR, LOCATION, NULL, 646 "mismatched IDci was returned.\n"); 647 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 648 goto end; 649 } 650 } 651 if (idcr != NULL) { 652 struct sockaddr_storage proposed_addr, got_addr; 653 u_int8_t proposed_prefix, got_prefix; 654 u_int16_t proposed_ulproto, got_ulproto; 655 656 error = ipsecdoi_id2sockaddr(iph2->id_p, 657 (struct sockaddr *) &proposed_addr, 658 &proposed_prefix, &proposed_ulproto); 659 if (error) 660 goto end; 661 662 error = ipsecdoi_id2sockaddr(idcr, 663 (struct sockaddr *) &got_addr, 664 &got_prefix, &got_ulproto); 665 if (error) 666 goto end; 667 668 if (proposed_prefix != got_prefix 669 || proposed_ulproto != got_ulproto) { 670 plog(LLV_DEBUG, LOCATION, NULL, 671 "IDcr prefix/ulproto does not match proposal.\n"); 672 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 673 goto end; 674 } 675 676 #ifdef ENABLE_NATT 677 set_port(iph2->natoa_dst, 678 extract_port((struct sockaddr *) &proposed_addr)); 679 #endif 680 681 if (cmpsaddr((struct sockaddr *) &proposed_addr, 682 (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) { 683 plog(LLV_DEBUG, LOCATION, NULL, 684 "IDcr matches proposal.\n"); 685 #ifdef ENABLE_NATT 686 } else if (iph2->natoa_dst != NULL 687 && cmpsaddr(iph2->natoa_dst, 688 (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) { 689 plog(LLV_DEBUG, LOCATION, NULL, 690 "IDcr matches NAT-OAr.\n"); 691 #endif 692 } else { 693 plog(LLV_ERROR, LOCATION, NULL, 694 "mismatched IDcr was returned.\n"); 695 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 696 goto end; 697 } 698 } 699 #endif 700 701 /* Fixed buffer for calculating HASH */ 702 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l); 703 plog(LLV_DEBUG, LOCATION, NULL, 704 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n", 705 hbuf->l, tlen + iph2->nonce->l); 706 /* adjust buffer length for HASH */ 707 hbuf->l = iph2->nonce->l + tlen; 708 709 /* validate HASH(2) */ 710 { 711 char *r_hash; 712 vchar_t *my_hash = NULL; 713 int result; 714 715 r_hash = (char *)hash + sizeof(*hash); 716 717 plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:"); 718 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 719 720 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); 721 if (my_hash == NULL) 722 goto end; 723 724 result = memcmp(my_hash->v, r_hash, my_hash->l); 725 vfree(my_hash); 726 727 if (result) { 728 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 729 "HASH(2) mismatch.\n"); 730 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 731 goto end; 732 } 733 } 734 735 /* validity check SA payload sent from responder */ 736 if (ipsecdoi_checkph2proposal(iph2) < 0) { 737 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 738 "proposal check failed.\n"); 739 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 740 goto end; 741 } 742 743 /* change status of isakmp status entry */ 744 iph2->status = PHASE2ST_STATUS6; 745 746 error = 0; 747 748 end: 749 if (hbuf) 750 vfree(hbuf); 751 if (pbuf) 752 vfree(pbuf); 753 if (msg) 754 vfree(msg); 755 if (idci) 756 vfree(idci); 757 if (idcr) 758 vfree(idcr); 759 760 if (error) { 761 VPTRINIT(iph2->sa_ret); 762 VPTRINIT(iph2->nonce_p); 763 VPTRINIT(iph2->dhpub_p); 764 VPTRINIT(iph2->id); 765 VPTRINIT(iph2->id_p); 766 #ifdef ENABLE_NATT 767 if (iph2->natoa_src) { 768 racoon_free(iph2->natoa_src); 769 iph2->natoa_src = NULL; 770 } 771 if (iph2->natoa_dst) { 772 racoon_free(iph2->natoa_dst); 773 iph2->natoa_dst = NULL; 774 } 775 #endif 776 } 777 778 return error; 779 } 780 781 /* 782 * send to responder 783 * HDR*, HASH(3) 784 */ 785 int 786 quick_i2send(iph2, msg0) 787 struct ph2handle *iph2; 788 vchar_t *msg0; 789 { 790 vchar_t *msg = NULL; 791 vchar_t *buf = NULL; 792 vchar_t *hash = NULL; 793 char *p = NULL; 794 int tlen; 795 int error = ISAKMP_INTERNAL_ERROR; 796 797 /* validity check */ 798 if (iph2->status != PHASE2ST_STATUS6) { 799 plog(LLV_ERROR, LOCATION, NULL, 800 "status mismatched %d.\n", iph2->status); 801 goto end; 802 } 803 804 /* generate HASH(3) */ 805 { 806 vchar_t *tmp = NULL; 807 808 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n"); 809 810 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l); 811 if (tmp == NULL) { 812 plog(LLV_ERROR, LOCATION, NULL, 813 "failed to get hash buffer.\n"); 814 goto end; 815 } 816 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l); 817 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l); 818 819 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp); 820 vfree(tmp); 821 822 if (hash == NULL) 823 goto end; 824 } 825 826 /* create buffer for isakmp payload */ 827 tlen = sizeof(struct isakmp) 828 + sizeof(struct isakmp_gen) + hash->l; 829 buf = vmalloc(tlen); 830 if (buf == NULL) { 831 plog(LLV_ERROR, LOCATION, NULL, 832 "failed to get buffer to send.\n"); 833 goto end; 834 } 835 836 /* create isakmp header */ 837 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 838 if (p == NULL) 839 goto end; 840 841 /* add HASH(3) payload */ 842 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE); 843 844 #ifdef HAVE_PRINT_ISAKMP_C 845 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 846 #endif 847 848 /* encoding */ 849 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 850 if (iph2->sendbuf == NULL) 851 goto end; 852 853 /* if there is commit bit, need resending */ 854 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 855 /* send the packet, add to the schedule to resend */ 856 if (isakmp_ph2send(iph2) == -1) 857 goto end; 858 } else { 859 /* send the packet */ 860 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) 861 goto end; 862 } 863 864 /* the sending message is added to the received-list. */ 865 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, 866 iph2->sendbuf, msg0) == -1) { 867 plog(LLV_ERROR , LOCATION, NULL, 868 "failed to add a response packet to the tree.\n"); 869 goto end; 870 } 871 872 /* compute both of KEYMATs */ 873 if (oakley_compute_keymat(iph2, INITIATOR) < 0) 874 goto end; 875 876 iph2->status = PHASE2ST_ADDSA; 877 878 /* don't anything if local test mode. */ 879 if (f_local) { 880 error = 0; 881 goto end; 882 } 883 884 /* if there is commit bit don't set up SA now. */ 885 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 886 iph2->status = PHASE2ST_COMMIT; 887 error = 0; 888 goto end; 889 } 890 891 /* Do UPDATE for initiator */ 892 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 893 if (pk_sendupdate(iph2) < 0) { 894 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 895 goto end; 896 } 897 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 898 899 /* Do ADD for responder */ 900 if (pk_sendadd(iph2) < 0) { 901 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 902 goto end; 903 } 904 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 905 906 error = 0; 907 908 end: 909 if (buf != NULL) 910 vfree(buf); 911 if (msg != NULL) 912 vfree(msg); 913 if (hash != NULL) 914 vfree(hash); 915 916 return error; 917 } 918 919 /* 920 * receive from responder 921 * HDR#*, HASH(4), notify 922 */ 923 int 924 quick_i3recv(iph2, msg0) 925 struct ph2handle *iph2; 926 vchar_t *msg0; 927 { 928 vchar_t *msg = NULL; 929 vchar_t *pbuf = NULL; /* for payload parsing */ 930 struct isakmp_parse_t *pa; 931 struct isakmp_pl_hash *hash = NULL; 932 vchar_t *notify = NULL; 933 int error = ISAKMP_INTERNAL_ERROR; 934 935 /* validity check */ 936 if (iph2->status != PHASE2ST_COMMIT) { 937 plog(LLV_ERROR, LOCATION, NULL, 938 "status mismatched %d.\n", iph2->status); 939 goto end; 940 } 941 942 /* decrypt packet */ 943 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 944 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 945 "Packet wasn't encrypted.\n"); 946 goto end; 947 } 948 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 949 if (msg == NULL) 950 goto end; 951 952 /* validate the type of next payload */ 953 pbuf = isakmp_parse(msg); 954 if (pbuf == NULL) 955 goto end; 956 957 for (pa = (struct isakmp_parse_t *)pbuf->v; 958 pa->type != ISAKMP_NPTYPE_NONE; 959 pa++) { 960 961 switch (pa->type) { 962 case ISAKMP_NPTYPE_HASH: 963 hash = (struct isakmp_pl_hash *)pa->ptr; 964 break; 965 case ISAKMP_NPTYPE_N: 966 if (notify != NULL) { 967 plog(LLV_WARNING, LOCATION, NULL, 968 "Ignoring multiples notifications\n"); 969 break; 970 } 971 ph2_recv_n(iph2, pa->ptr); 972 notify = vmalloc(pa->len); 973 if (notify == NULL) { 974 plog(LLV_ERROR, LOCATION, NULL, 975 "failed to get notify buffer.\n"); 976 goto end; 977 } 978 memcpy(notify->v, pa->ptr, notify->l); 979 break; 980 default: 981 /* don't send information, see ident_r1recv() */ 982 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 983 "ignore the packet, " 984 "received unexpecting payload type %d.\n", 985 pa->type); 986 goto end; 987 } 988 } 989 990 /* payload existency check */ 991 if (hash == NULL) { 992 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 993 "few isakmp message received.\n"); 994 goto end; 995 } 996 997 /* validate HASH(4) */ 998 { 999 char *r_hash; 1000 vchar_t *my_hash = NULL; 1001 vchar_t *tmp = NULL; 1002 int result; 1003 1004 r_hash = (char *)hash + sizeof(*hash); 1005 1006 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:"); 1007 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1008 1009 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); 1010 vfree(tmp); 1011 if (my_hash == NULL) 1012 goto end; 1013 1014 result = memcmp(my_hash->v, r_hash, my_hash->l); 1015 vfree(my_hash); 1016 1017 if (result) { 1018 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 1019 "HASH(4) mismatch.\n"); 1020 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1021 goto end; 1022 } 1023 } 1024 1025 iph2->status = PHASE2ST_ADDSA; 1026 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ 1027 1028 /* don't anything if local test mode. */ 1029 if (f_local) { 1030 error = 0; 1031 goto end; 1032 } 1033 1034 /* Do UPDATE for initiator */ 1035 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 1036 if (pk_sendupdate(iph2) < 0) { 1037 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 1038 goto end; 1039 } 1040 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 1041 1042 /* Do ADD for responder */ 1043 if (pk_sendadd(iph2) < 0) { 1044 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 1045 goto end; 1046 } 1047 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 1048 1049 error = 0; 1050 1051 end: 1052 if (msg != NULL) 1053 vfree(msg); 1054 if (pbuf != NULL) 1055 vfree(pbuf); 1056 if (notify != NULL) 1057 vfree(notify); 1058 1059 return error; 1060 } 1061 1062 /* 1063 * receive from initiator 1064 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 1065 */ 1066 int 1067 quick_r1recv(iph2, msg0) 1068 struct ph2handle *iph2; 1069 vchar_t *msg0; 1070 { 1071 vchar_t *msg = NULL; 1072 vchar_t *hbuf = NULL; /* for hash computing. */ 1073 vchar_t *pbuf = NULL; /* for payload parsing */ 1074 struct isakmp_parse_t *pa; 1075 struct isakmp *isakmp = (struct isakmp *)msg0->v; 1076 struct isakmp_pl_hash *hash = NULL; 1077 char *p; 1078 int tlen; 1079 int f_id_order; /* for ID payload detection */ 1080 int error = ISAKMP_INTERNAL_ERROR; 1081 1082 /* validity check */ 1083 if (iph2->status != PHASE2ST_START) { 1084 plog(LLV_ERROR, LOCATION, NULL, 1085 "status mismatched %d.\n", iph2->status); 1086 goto end; 1087 } 1088 1089 /* decrypting */ 1090 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1091 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1092 "Packet wasn't encrypted.\n"); 1093 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1094 goto end; 1095 } 1096 /* decrypt packet */ 1097 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 1098 if (msg == NULL) { 1099 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1100 "Packet decryption failed.\n"); 1101 goto end; 1102 } 1103 1104 /* create buffer for using to validate HASH(1) */ 1105 /* 1106 * ordering rule: 1107 * 1. the first one must be HASH 1108 * 2. the second one must be SA (added in isakmp-oakley-05!) 1109 * 3. two IDs must be considered as IDci, then IDcr 1110 */ 1111 pbuf = isakmp_parse(msg); 1112 if (pbuf == NULL) 1113 goto end; 1114 pa = (struct isakmp_parse_t *)pbuf->v; 1115 1116 /* HASH payload is fixed postion */ 1117 if (pa->type != ISAKMP_NPTYPE_HASH) { 1118 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1119 "received invalid next payload type %d, " 1120 "expecting %d.\n", 1121 pa->type, ISAKMP_NPTYPE_HASH); 1122 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX; 1123 goto end; 1124 } 1125 hash = (struct isakmp_pl_hash *)pa->ptr; 1126 pa++; 1127 1128 /* 1129 * this restriction was introduced in isakmp-oakley-05. 1130 * we do not check this for backward compatibility. 1131 * TODO: command line/config file option to enable/disable this code 1132 */ 1133 /* HASH payload is fixed postion */ 1134 if (pa->type != ISAKMP_NPTYPE_SA) { 1135 plog(LLV_WARNING, LOCATION, iph2->ph1->remote, 1136 "received invalid next payload type %d, " 1137 "expecting %d.\n", 1138 pa->type, ISAKMP_NPTYPE_SA); 1139 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX; 1140 } 1141 1142 /* allocate buffer for computing HASH(1) */ 1143 tlen = ntohl(isakmp->len) - sizeof(*isakmp); 1144 hbuf = vmalloc(tlen); 1145 if (hbuf == NULL) { 1146 plog(LLV_ERROR, LOCATION, NULL, 1147 "failed to get hash buffer.\n"); 1148 goto end; 1149 } 1150 p = hbuf->v; 1151 1152 /* 1153 * parse the payloads. 1154 * copy non-HASH payloads into hbuf, so that we can validate HASH. 1155 */ 1156 iph2->sa = NULL; /* we don't support multi SAs. */ 1157 iph2->nonce_p = NULL; 1158 iph2->dhpub_p = NULL; 1159 iph2->id_p = NULL; 1160 iph2->id = NULL; 1161 tlen = 0; /* count payload length except of HASH payload. */ 1162 1163 /* 1164 * IDi2 MUST be immediatelly followed by IDr2. We allowed the 1165 * illegal case, but logged. First ID payload is to be IDi2. 1166 * And next ID payload is to be IDr2. 1167 */ 1168 f_id_order = 0; 1169 1170 for (; pa->type; pa++) { 1171 1172 /* copy to buffer for HASH */ 1173 /* Don't modify the payload */ 1174 memcpy(p, pa->ptr, pa->len); 1175 1176 if (pa->type != ISAKMP_NPTYPE_ID) 1177 f_id_order = 0; 1178 1179 switch (pa->type) { 1180 case ISAKMP_NPTYPE_SA: 1181 if (iph2->sa != NULL) { 1182 plog(LLV_ERROR, LOCATION, NULL, 1183 "Multi SAs isn't supported.\n"); 1184 goto end; 1185 } 1186 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) { 1187 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1188 "duplicate ISAKMP_NPTYPE_SA.\n"); 1189 goto end; 1190 } 1191 break; 1192 1193 case ISAKMP_NPTYPE_NONCE: 1194 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) { 1195 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1196 "duplicate ISAKMP_NPTYPE_NONCE.\n"); 1197 goto end; 1198 } 1199 break; 1200 1201 case ISAKMP_NPTYPE_KE: 1202 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) { 1203 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1204 "duplicate ISAKMP_NPTYPE_KE.\n"); 1205 goto end; 1206 } 1207 break; 1208 1209 case ISAKMP_NPTYPE_ID: 1210 if (iph2->id_p == NULL) { 1211 /* for IDci */ 1212 f_id_order++; 1213 1214 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) 1215 goto end; 1216 1217 } else if (iph2->id == NULL) { 1218 /* for IDcr */ 1219 if (f_id_order == 0) { 1220 plog(LLV_ERROR, LOCATION, NULL, 1221 "IDr2 payload is not " 1222 "immediatelly followed " 1223 "by IDi2. We allowed.\n"); 1224 /* XXX we allowed in this case. */ 1225 } 1226 1227 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) 1228 goto end; 1229 } else { 1230 plog(LLV_ERROR, LOCATION, NULL, 1231 "received too many ID payloads.\n"); 1232 plogdump(LLV_ERROR, iph2->id->v, iph2->id->l); 1233 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1234 goto end; 1235 } 1236 break; 1237 1238 case ISAKMP_NPTYPE_N: 1239 ph2_recv_n(iph2, pa->ptr); 1240 break; 1241 1242 #ifdef ENABLE_NATT 1243 case ISAKMP_NPTYPE_NATOA_DRAFT: 1244 case ISAKMP_NPTYPE_NATOA_RFC: 1245 { 1246 struct sockaddr_storage addr; 1247 struct sockaddr *daddr; 1248 u_int8_t prefix; 1249 u_int16_t ul_proto; 1250 vchar_t *vp = NULL; 1251 1252 if (isakmp_p2ph(&vp, pa->ptr) < 0) 1253 goto end; 1254 1255 error = ipsecdoi_id2sockaddr(vp, 1256 (struct sockaddr *) &addr, 1257 &prefix, &ul_proto); 1258 1259 vfree(vp); 1260 1261 if (error) 1262 goto end; 1263 1264 daddr = dupsaddr((struct sockaddr *) &addr); 1265 if (daddr == NULL) 1266 goto end; 1267 1268 if (iph2->natoa_dst == NULL) 1269 iph2->natoa_dst = daddr; 1270 else if (iph2->natoa_src == NULL) 1271 iph2->natoa_src = daddr; 1272 else { 1273 racoon_free(daddr); 1274 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1275 "received too many NAT-OA payloads.\n"); 1276 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1277 goto end; 1278 } 1279 } 1280 break; 1281 #endif 1282 1283 default: 1284 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1285 "ignore the packet, " 1286 "received unexpecting payload type %d.\n", 1287 pa->type); 1288 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1289 goto end; 1290 } 1291 1292 p += pa->len; 1293 1294 /* compute true length of payload. */ 1295 tlen += pa->len; 1296 } 1297 1298 /* payload existency check */ 1299 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) { 1300 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1301 "few isakmp message received.\n"); 1302 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1303 goto end; 1304 } 1305 1306 if (iph2->id_p) { 1307 plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:"); 1308 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); 1309 } 1310 if (iph2->id) { 1311 plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:"); 1312 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); 1313 } 1314 1315 /* adjust buffer length for HASH */ 1316 hbuf->l = tlen; 1317 1318 /* validate HASH(1) */ 1319 { 1320 char *r_hash; 1321 vchar_t *my_hash = NULL; 1322 int result; 1323 1324 r_hash = (caddr_t)hash + sizeof(*hash); 1325 1326 plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:"); 1327 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1328 1329 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); 1330 if (my_hash == NULL) 1331 goto end; 1332 1333 result = memcmp(my_hash->v, r_hash, my_hash->l); 1334 vfree(my_hash); 1335 1336 if (result) { 1337 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 1338 "HASH(1) mismatch.\n"); 1339 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1340 goto end; 1341 } 1342 } 1343 1344 /* get sainfo */ 1345 error = get_sainfo_r(iph2); 1346 if (error) { 1347 plog(LLV_ERROR, LOCATION, NULL, 1348 "failed to get sainfo.\n"); 1349 goto end; 1350 } 1351 1352 1353 /* check the existence of ID payload and create responder's proposal */ 1354 error = get_proposal_r(iph2); 1355 switch (error) { 1356 case -2: 1357 /* generate a policy template from peer's proposal */ 1358 if (set_proposal_from_proposal(iph2)) { 1359 plog(LLV_ERROR, LOCATION, NULL, 1360 "failed to generate a proposal template " 1361 "from client's proposal.\n"); 1362 error = ISAKMP_INTERNAL_ERROR; 1363 goto end; 1364 } 1365 /*FALLTHROUGH*/ 1366 case 0: 1367 /* select single proposal or reject it. */ 1368 if (ipsecdoi_selectph2proposal(iph2) < 0) { 1369 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1370 "no proposal chosen.\n"); 1371 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1372 goto end; 1373 } 1374 break; 1375 default: 1376 plog(LLV_ERROR, LOCATION, NULL, 1377 "failed to get proposal for responder.\n"); 1378 goto end; 1379 } 1380 1381 /* check KE and attribute of PFS */ 1382 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) { 1383 plog(LLV_ERROR, LOCATION, NULL, 1384 "no PFS is specified, but peer sends KE.\n"); 1385 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1386 goto end; 1387 } 1388 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) { 1389 plog(LLV_ERROR, LOCATION, NULL, 1390 "PFS is specified, but peer doesn't sends KE.\n"); 1391 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1392 goto end; 1393 } 1394 1395 /* 1396 * save the packet from the initiator in order to resend the 1397 * responder's first packet against this packet. 1398 */ 1399 iph2->msg1 = vdup(msg0); 1400 1401 /* change status of isakmp status entry */ 1402 iph2->status = PHASE2ST_STATUS2; 1403 1404 error = 0; 1405 1406 end: 1407 if (hbuf) 1408 vfree(hbuf); 1409 if (msg) 1410 vfree(msg); 1411 if (pbuf) 1412 vfree(pbuf); 1413 1414 if (error) { 1415 VPTRINIT(iph2->sa); 1416 VPTRINIT(iph2->nonce_p); 1417 VPTRINIT(iph2->dhpub_p); 1418 VPTRINIT(iph2->id); 1419 VPTRINIT(iph2->id_p); 1420 #ifdef ENABLE_NATT 1421 if (iph2->natoa_src) { 1422 racoon_free(iph2->natoa_src); 1423 iph2->natoa_src = NULL; 1424 } 1425 if (iph2->natoa_dst) { 1426 racoon_free(iph2->natoa_dst); 1427 iph2->natoa_dst = NULL; 1428 } 1429 #endif 1430 } 1431 1432 return error; 1433 } 1434 1435 /* 1436 * call pfkey_getspi. 1437 */ 1438 int 1439 quick_r1prep(iph2, msg) 1440 struct ph2handle *iph2; 1441 vchar_t *msg; 1442 { 1443 int error = ISAKMP_INTERNAL_ERROR; 1444 1445 /* validity check */ 1446 if (iph2->status != PHASE2ST_STATUS2) { 1447 plog(LLV_ERROR, LOCATION, NULL, 1448 "status mismatched %d.\n", iph2->status); 1449 goto end; 1450 } 1451 1452 iph2->status = PHASE2ST_GETSPISENT; 1453 1454 /* send getspi message */ 1455 if (pk_sendgetspi(iph2) < 0) 1456 goto end; 1457 1458 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); 1459 1460 sched_schedule(&iph2->sce, lcconf->wait_ph2complete, 1461 quick_timeover_stub); 1462 1463 error = 0; 1464 1465 end: 1466 return error; 1467 } 1468 1469 /* 1470 * send to initiator 1471 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 1472 */ 1473 int 1474 quick_r2send(iph2, msg) 1475 struct ph2handle *iph2; 1476 vchar_t *msg; 1477 { 1478 vchar_t *body = NULL; 1479 vchar_t *hash = NULL; 1480 struct isakmp_gen *gen; 1481 char *p; 1482 int tlen; 1483 int error = ISAKMP_INTERNAL_ERROR; 1484 int natoa = ISAKMP_NPTYPE_NONE; 1485 int pfsgroup; 1486 u_int8_t *np_p = NULL; 1487 #ifdef ENABLE_NATT 1488 vchar_t *nat_oai = NULL; 1489 vchar_t *nat_oar = NULL; 1490 #endif 1491 1492 /* validity check */ 1493 if (msg != NULL) { 1494 plog(LLV_ERROR, LOCATION, NULL, 1495 "msg has to be NULL in this function.\n"); 1496 goto end; 1497 } 1498 if (iph2->status != PHASE2ST_GETSPIDONE) { 1499 plog(LLV_ERROR, LOCATION, NULL, 1500 "status mismatched %d.\n", iph2->status); 1501 goto end; 1502 } 1503 1504 /* update responders SPI */ 1505 if (ipsecdoi_updatespi(iph2) < 0) { 1506 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n"); 1507 goto end; 1508 } 1509 1510 /* generate NONCE value */ 1511 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); 1512 if (iph2->nonce == NULL) 1513 goto end; 1514 1515 /* generate KE value if need */ 1516 pfsgroup = iph2->approval->pfs_group; 1517 if (iph2->dhpub_p != NULL && pfsgroup != 0) { 1518 /* DH group settting if PFS is required. */ 1519 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { 1520 plog(LLV_ERROR, LOCATION, NULL, 1521 "failed to set DH value.\n"); 1522 goto end; 1523 } 1524 /* generate DH public value */ 1525 if (oakley_dh_generate(iph2->pfsgrp, 1526 &iph2->dhpub, &iph2->dhpriv) < 0) { 1527 goto end; 1528 } 1529 } 1530 1531 #ifdef ENABLE_NATT 1532 /* 1533 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport 1534 * we should send NAT-OA 1535 */ 1536 if (ipsecdoi_transportmode(iph2->proposal) 1537 && (iph2->ph1->natt_flags & NAT_DETECTED)) { 1538 natoa = iph2->ph1->natt_options->payload_nat_oa; 1539 1540 nat_oai = ipsecdoi_sockaddr2id(iph2->dst, 1541 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 1542 nat_oar = ipsecdoi_sockaddr2id(iph2->src, 1543 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 1544 1545 if (nat_oai == NULL || nat_oar == NULL) { 1546 plog(LLV_ERROR, LOCATION, NULL, 1547 "failed to generate NAT-OA payload.\n"); 1548 goto end; 1549 } 1550 1551 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n"); 1552 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l); 1553 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n"); 1554 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l); 1555 } 1556 #endif 1557 1558 /* create SA;NONCE payload, and KE and ID if need */ 1559 tlen = sizeof(*gen) + iph2->sa_ret->l 1560 + sizeof(*gen) + iph2->nonce->l; 1561 if (iph2->dhpub_p != NULL && pfsgroup != 0) 1562 tlen += (sizeof(*gen) + iph2->dhpub->l); 1563 if (iph2->id_p != NULL) 1564 tlen += (sizeof(*gen) + iph2->id_p->l 1565 + sizeof(*gen) + iph2->id->l); 1566 #ifdef ENABLE_NATT 1567 if (natoa != ISAKMP_NPTYPE_NONE) 1568 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l; 1569 #endif 1570 1571 body = vmalloc(tlen); 1572 if (body == NULL) { 1573 plog(LLV_ERROR, LOCATION, NULL, 1574 "failed to get buffer to send.\n"); 1575 goto end; 1576 } 1577 p = body->v; 1578 1579 /* make SA payload */ 1580 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE); 1581 1582 /* add NONCE payload */ 1583 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1584 p = set_isakmp_payload(p, iph2->nonce, 1585 (iph2->dhpub_p != NULL && pfsgroup != 0) 1586 ? ISAKMP_NPTYPE_KE 1587 : (iph2->id_p != NULL 1588 ? ISAKMP_NPTYPE_ID 1589 : natoa)); 1590 1591 /* add KE payload if need. */ 1592 if (iph2->dhpub_p != NULL && pfsgroup != 0) { 1593 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1594 p = set_isakmp_payload(p, iph2->dhpub, 1595 (iph2->id_p == NULL) 1596 ? natoa 1597 : ISAKMP_NPTYPE_ID); 1598 } 1599 1600 /* add ID payloads received. */ 1601 if (iph2->id_p != NULL) { 1602 /* IDci */ 1603 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID); 1604 /* IDcr */ 1605 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1606 p = set_isakmp_payload(p, iph2->id, natoa); 1607 } 1608 1609 #ifdef ENABLE_NATT 1610 /* NAT-OA */ 1611 if (natoa != ISAKMP_NPTYPE_NONE) { 1612 p = set_isakmp_payload(p, nat_oai, natoa); 1613 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE); 1614 } 1615 #endif 1616 1617 /* add a RESPONDER-LIFETIME notify payload if needed */ 1618 { 1619 vchar_t *data = NULL; 1620 struct saprop *pp = iph2->approval; 1621 struct saproto *pr; 1622 1623 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) { 1624 u_int32_t v = htonl((u_int32_t)pp->lifetime); 1625 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, 1626 IPSECDOI_ATTR_SA_LD_TYPE_SEC); 1627 if (!data) 1628 goto end; 1629 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, 1630 (caddr_t)&v, sizeof(v)); 1631 if (!data) 1632 goto end; 1633 } 1634 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) { 1635 u_int32_t v = htonl((u_int32_t)pp->lifebyte); 1636 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, 1637 IPSECDOI_ATTR_SA_LD_TYPE_KB); 1638 if (!data) 1639 goto end; 1640 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, 1641 (caddr_t)&v, sizeof(v)); 1642 if (!data) 1643 goto end; 1644 } 1645 1646 /* 1647 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message 1648 * in the case of SA bundle ? 1649 */ 1650 if (data) { 1651 for (pr = pp->head; pr; pr = pr->next) { 1652 body = isakmp_add_pl_n(body, &np_p, 1653 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data); 1654 if (!body) { 1655 vfree(data); 1656 return error; /* XXX */ 1657 } 1658 } 1659 vfree(data); 1660 } 1661 } 1662 1663 /* generate HASH(2) */ 1664 { 1665 vchar_t *tmp; 1666 1667 tmp = vmalloc(iph2->nonce_p->l + body->l); 1668 if (tmp == NULL) { 1669 plog(LLV_ERROR, LOCATION, NULL, 1670 "failed to get hash buffer.\n"); 1671 goto end; 1672 } 1673 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l); 1674 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l); 1675 1676 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp); 1677 vfree(tmp); 1678 1679 if (hash == NULL) 1680 goto end; 1681 } 1682 1683 /* send isakmp payload */ 1684 iph2->sendbuf = quick_ir1mx(iph2, body, hash); 1685 if (iph2->sendbuf == NULL) 1686 goto end; 1687 1688 /* send the packet, add to the schedule to resend */ 1689 if (isakmp_ph2send(iph2) == -1) 1690 goto end; 1691 1692 /* the sending message is added to the received-list. */ 1693 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) { 1694 plog(LLV_ERROR , LOCATION, NULL, 1695 "failed to add a response packet to the tree.\n"); 1696 goto end; 1697 } 1698 1699 /* change status of isakmp status entry */ 1700 iph2->status = PHASE2ST_MSG1SENT; 1701 1702 error = 0; 1703 1704 end: 1705 if (body != NULL) 1706 vfree(body); 1707 if (hash != NULL) 1708 vfree(hash); 1709 #ifdef ENABLE_NATT 1710 if (nat_oai != NULL) 1711 vfree(nat_oai); 1712 if (nat_oar != NULL) 1713 vfree(nat_oar); 1714 #endif 1715 1716 return error; 1717 } 1718 1719 /* 1720 * receive from initiator 1721 * HDR*, HASH(3) 1722 1723 */ 1724 int 1725 quick_r3recv(iph2, msg0) 1726 struct ph2handle *iph2; 1727 vchar_t *msg0; 1728 { 1729 vchar_t *msg = NULL; 1730 vchar_t *pbuf = NULL; /* for payload parsing */ 1731 struct isakmp_parse_t *pa; 1732 struct isakmp_pl_hash *hash = NULL; 1733 int error = ISAKMP_INTERNAL_ERROR; 1734 1735 /* validity check */ 1736 if (iph2->status != PHASE2ST_MSG1SENT) { 1737 plog(LLV_ERROR, LOCATION, NULL, 1738 "status mismatched %d.\n", iph2->status); 1739 goto end; 1740 } 1741 1742 /* decrypt packet */ 1743 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1744 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1745 "Packet wasn't encrypted.\n"); 1746 goto end; 1747 } 1748 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 1749 if (msg == NULL) 1750 goto end; 1751 1752 /* validate the type of next payload */ 1753 pbuf = isakmp_parse(msg); 1754 if (pbuf == NULL) 1755 goto end; 1756 1757 for (pa = (struct isakmp_parse_t *)pbuf->v; 1758 pa->type != ISAKMP_NPTYPE_NONE; 1759 pa++) { 1760 1761 switch (pa->type) { 1762 case ISAKMP_NPTYPE_HASH: 1763 hash = (struct isakmp_pl_hash *)pa->ptr; 1764 break; 1765 case ISAKMP_NPTYPE_N: 1766 ph2_recv_n(iph2, pa->ptr); 1767 break; 1768 default: 1769 /* don't send information, see ident_r1recv() */ 1770 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1771 "ignore the packet, " 1772 "received unexpecting payload type %d.\n", 1773 pa->type); 1774 goto end; 1775 } 1776 } 1777 1778 /* payload existency check */ 1779 if (hash == NULL) { 1780 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1781 "few isakmp message received.\n"); 1782 goto end; 1783 } 1784 1785 /* validate HASH(3) */ 1786 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */ 1787 { 1788 char *r_hash; 1789 vchar_t *my_hash = NULL; 1790 vchar_t *tmp = NULL; 1791 int result; 1792 1793 r_hash = (char *)hash + sizeof(*hash); 1794 1795 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:"); 1796 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1797 1798 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l); 1799 if (tmp == NULL) { 1800 plog(LLV_ERROR, LOCATION, NULL, 1801 "failed to get hash buffer.\n"); 1802 goto end; 1803 } 1804 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l); 1805 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l); 1806 1807 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp); 1808 vfree(tmp); 1809 if (my_hash == NULL) 1810 goto end; 1811 1812 result = memcmp(my_hash->v, r_hash, my_hash->l); 1813 vfree(my_hash); 1814 1815 if (result) { 1816 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1817 "HASH(3) mismatch.\n"); 1818 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1819 goto end; 1820 } 1821 } 1822 1823 /* if there is commit bit, don't set up SA now. */ 1824 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 1825 iph2->status = PHASE2ST_COMMIT; 1826 } else 1827 iph2->status = PHASE2ST_STATUS6; 1828 1829 error = 0; 1830 1831 end: 1832 if (pbuf != NULL) 1833 vfree(pbuf); 1834 if (msg != NULL) 1835 vfree(msg); 1836 1837 return error; 1838 } 1839 1840 /* 1841 * send to initiator 1842 * HDR#*, HASH(4), notify 1843 */ 1844 int 1845 quick_r3send(iph2, msg0) 1846 struct ph2handle *iph2; 1847 vchar_t *msg0; 1848 { 1849 vchar_t *buf = NULL; 1850 vchar_t *myhash = NULL; 1851 struct isakmp_pl_n *n; 1852 vchar_t *notify = NULL; 1853 char *p; 1854 int tlen; 1855 int error = ISAKMP_INTERNAL_ERROR; 1856 1857 /* validity check */ 1858 if (iph2->status != PHASE2ST_COMMIT) { 1859 plog(LLV_ERROR, LOCATION, NULL, 1860 "status mismatched %d.\n", iph2->status); 1861 goto end; 1862 } 1863 1864 /* generate HASH(4) */ 1865 /* XXX What can I do in the case of multiple different SA */ 1866 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n"); 1867 1868 /* XXX What should I do if there are multiple SAs ? */ 1869 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize; 1870 notify = vmalloc(tlen); 1871 if (notify == NULL) { 1872 plog(LLV_ERROR, LOCATION, NULL, 1873 "failed to get notify buffer.\n"); 1874 goto end; 1875 } 1876 n = (struct isakmp_pl_n *)notify->v; 1877 n->h.np = ISAKMP_NPTYPE_NONE; 1878 n->h.len = htons(tlen); 1879 n->doi = htonl(IPSEC_DOI); 1880 n->proto_id = iph2->approval->head->proto_id; 1881 n->spi_size = sizeof(iph2->approval->head->spisize); 1882 n->type = htons(ISAKMP_NTYPE_CONNECTED); 1883 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize); 1884 1885 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); 1886 if (myhash == NULL) 1887 goto end; 1888 1889 /* create buffer for isakmp payload */ 1890 tlen = sizeof(struct isakmp) 1891 + sizeof(struct isakmp_gen) + myhash->l 1892 + notify->l; 1893 buf = vmalloc(tlen); 1894 if (buf == NULL) { 1895 plog(LLV_ERROR, LOCATION, NULL, 1896 "failed to get buffer to send.\n"); 1897 goto end; 1898 } 1899 1900 /* create isakmp header */ 1901 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 1902 if (p == NULL) 1903 goto end; 1904 1905 /* add HASH(4) payload */ 1906 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N); 1907 1908 /* add notify payload */ 1909 memcpy(p, notify->v, notify->l); 1910 1911 #ifdef HAVE_PRINT_ISAKMP_C 1912 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 1913 #endif 1914 1915 /* encoding */ 1916 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 1917 if (iph2->sendbuf == NULL) 1918 goto end; 1919 1920 /* send the packet */ 1921 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) 1922 goto end; 1923 1924 /* the sending message is added to the received-list. */ 1925 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) { 1926 plog(LLV_ERROR , LOCATION, NULL, 1927 "failed to add a response packet to the tree.\n"); 1928 goto end; 1929 } 1930 1931 iph2->status = PHASE2ST_COMMIT; 1932 1933 error = 0; 1934 1935 end: 1936 if (buf != NULL) 1937 vfree(buf); 1938 if (myhash != NULL) 1939 vfree(myhash); 1940 if (notify != NULL) 1941 vfree(notify); 1942 1943 return error; 1944 } 1945 1946 int 1947 tunnel_mode_prop(p) 1948 struct saprop *p; 1949 { 1950 struct saproto *pr; 1951 1952 for (pr = p->head; pr; pr = pr->next) 1953 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) 1954 return 1; 1955 return 0; 1956 } 1957 1958 /* 1959 * set SA to kernel. 1960 */ 1961 int 1962 quick_r3prep(iph2, msg0) 1963 struct ph2handle *iph2; 1964 vchar_t *msg0; 1965 { 1966 int error = ISAKMP_INTERNAL_ERROR; 1967 1968 /* validity check */ 1969 if (iph2->status != PHASE2ST_STATUS6) { 1970 plog(LLV_ERROR, LOCATION, NULL, 1971 "status mismatched %d.\n", iph2->status); 1972 goto end; 1973 } 1974 1975 /* compute both of KEYMATs */ 1976 if (oakley_compute_keymat(iph2, RESPONDER) < 0) 1977 goto end; 1978 1979 iph2->status = PHASE2ST_ADDSA; 1980 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ 1981 1982 /* don't anything if local test mode. */ 1983 if (f_local) { 1984 error = 0; 1985 goto end; 1986 } 1987 1988 /* Do UPDATE as responder */ 1989 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 1990 if (pk_sendupdate(iph2) < 0) { 1991 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 1992 goto end; 1993 } 1994 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 1995 1996 /* Do ADD for responder */ 1997 if (pk_sendadd(iph2) < 0) { 1998 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 1999 goto end; 2000 } 2001 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 2002 2003 /* 2004 * set policies into SPD if the policy is generated 2005 * from peer's policy. 2006 */ 2007 if (iph2->spidx_gen) { 2008 2009 struct policyindex *spidx; 2010 struct sockaddr_storage addr; 2011 u_int8_t pref; 2012 struct sockaddr *src = iph2->src; 2013 struct sockaddr *dst = iph2->dst; 2014 2015 /* make inbound policy */ 2016 iph2->src = dst; 2017 iph2->dst = src; 2018 if (pk_sendspdupdate2(iph2) < 0) { 2019 plog(LLV_ERROR, LOCATION, NULL, 2020 "pfkey spdupdate2(inbound) failed.\n"); 2021 goto end; 2022 } 2023 plog(LLV_DEBUG, LOCATION, NULL, 2024 "pfkey spdupdate2(inbound) sent.\n"); 2025 2026 spidx = (struct policyindex *)iph2->spidx_gen; 2027 #ifdef HAVE_POLICY_FWD 2028 /* make forward policy if required */ 2029 if (tunnel_mode_prop(iph2->approval)) { 2030 spidx->dir = IPSEC_DIR_FWD; 2031 if (pk_sendspdupdate2(iph2) < 0) { 2032 plog(LLV_ERROR, LOCATION, NULL, 2033 "pfkey spdupdate2(forward) failed.\n"); 2034 goto end; 2035 } 2036 plog(LLV_DEBUG, LOCATION, NULL, 2037 "pfkey spdupdate2(forward) sent.\n"); 2038 } 2039 #endif 2040 2041 /* make outbound policy */ 2042 iph2->src = src; 2043 iph2->dst = dst; 2044 spidx->dir = IPSEC_DIR_OUTBOUND; 2045 addr = spidx->src; 2046 spidx->src = spidx->dst; 2047 spidx->dst = addr; 2048 pref = spidx->prefs; 2049 spidx->prefs = spidx->prefd; 2050 spidx->prefd = pref; 2051 2052 if (pk_sendspdupdate2(iph2) < 0) { 2053 plog(LLV_ERROR, LOCATION, NULL, 2054 "pfkey spdupdate2(outbound) failed.\n"); 2055 goto end; 2056 } 2057 plog(LLV_DEBUG, LOCATION, NULL, 2058 "pfkey spdupdate2(outbound) sent.\n"); 2059 2060 /* spidx_gen is unnecessary any more */ 2061 delsp_bothdir((struct policyindex *)iph2->spidx_gen); 2062 racoon_free(iph2->spidx_gen); 2063 iph2->spidx_gen = NULL; 2064 iph2->generated_spidx=1; 2065 } 2066 2067 error = 0; 2068 2069 end: 2070 return error; 2071 } 2072 2073 /* 2074 * create HASH, body (SA, NONCE) payload with isakmp header. 2075 */ 2076 static vchar_t * 2077 quick_ir1mx(iph2, body, hash) 2078 struct ph2handle *iph2; 2079 vchar_t *body, *hash; 2080 { 2081 struct isakmp *isakmp; 2082 vchar_t *buf = NULL, *new = NULL; 2083 char *p; 2084 int tlen; 2085 struct isakmp_gen *gen; 2086 int error = ISAKMP_INTERNAL_ERROR; 2087 2088 /* create buffer for isakmp payload */ 2089 tlen = sizeof(*isakmp) 2090 + sizeof(*gen) + hash->l 2091 + body->l; 2092 buf = vmalloc(tlen); 2093 if (buf == NULL) { 2094 plog(LLV_ERROR, LOCATION, NULL, 2095 "failed to get buffer to send.\n"); 2096 goto end; 2097 } 2098 2099 /* re-set encryption flag, for serurity. */ 2100 iph2->flags |= ISAKMP_FLAG_E; 2101 2102 /* set isakmp header */ 2103 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 2104 if (p == NULL) 2105 goto end; 2106 2107 /* add HASH payload */ 2108 /* XXX is next type always SA ? */ 2109 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA); 2110 2111 /* add body payload */ 2112 memcpy(p, body->v, body->l); 2113 2114 #ifdef HAVE_PRINT_ISAKMP_C 2115 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 2116 #endif 2117 2118 /* encoding */ 2119 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 2120 2121 if (new == NULL) 2122 goto end; 2123 2124 vfree(buf); 2125 2126 buf = new; 2127 2128 error = 0; 2129 2130 end: 2131 if (error && buf != NULL) { 2132 vfree(buf); 2133 buf = NULL; 2134 } 2135 2136 return buf; 2137 } 2138 2139 /* 2140 * get remote's sainfo. 2141 * NOTE: this function is for responder. 2142 */ 2143 static int 2144 get_sainfo_r(iph2) 2145 struct ph2handle *iph2; 2146 { 2147 vchar_t *idsrc = NULL, *iddst = NULL, *client = NULL; 2148 int error = ISAKMP_INTERNAL_ERROR; 2149 2150 if (iph2->id == NULL) { 2151 idsrc = ipsecdoi_sockaddr2id(iph2->src, IPSECDOI_PREFIX_HOST, 2152 IPSEC_ULPROTO_ANY); 2153 } else { 2154 idsrc = vdup(iph2->id); 2155 } 2156 if (idsrc == NULL) { 2157 plog(LLV_ERROR, LOCATION, NULL, 2158 "failed to set ID for source.\n"); 2159 goto end; 2160 } 2161 2162 if (iph2->id_p == NULL) { 2163 iddst = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST, 2164 IPSEC_ULPROTO_ANY); 2165 } else { 2166 iddst = vdup(iph2->id_p); 2167 } 2168 if (iddst == NULL) { 2169 plog(LLV_ERROR, LOCATION, NULL, 2170 "failed to set ID for destination.\n"); 2171 goto end; 2172 } 2173 2174 #ifdef ENABLE_HYBRID 2175 2176 /* clientaddr check : obtain modecfg address */ 2177 if (iph2->ph1->mode_cfg != NULL) { 2178 if ((iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || 2179 (iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)){ 2180 struct sockaddr saddr; 2181 saddr.sa_family = AF_INET; 2182 #ifndef __linux__ 2183 saddr.sa_len = sizeof(struct sockaddr_in); 2184 #endif 2185 ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY; 2186 memcpy(&((struct sockaddr_in *)&saddr)->sin_addr, 2187 &iph2->ph1->mode_cfg->addr4, sizeof(struct in_addr)); 2188 client = ipsecdoi_sockaddr2id(&saddr, 32, IPSEC_ULPROTO_ANY); 2189 } 2190 } 2191 2192 /* clientaddr check, fallback to peer address */ 2193 if (client == NULL) 2194 { 2195 client = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST, 2196 IPSEC_ULPROTO_ANY); 2197 } 2198 #endif 2199 2200 /* obtain a matching sainfo section */ 2201 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, client, iph2->ph1->rmconf->ph1id); 2202 if (iph2->sainfo == NULL) { 2203 plog(LLV_ERROR, LOCATION, NULL, 2204 "failed to get sainfo.\n"); 2205 goto end; 2206 } 2207 2208 #ifdef ENABLE_HYBRID 2209 /* xauth group inclusion check */ 2210 if (iph2->sainfo->group != NULL) 2211 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1)) 2212 goto end; 2213 #endif 2214 2215 plog(LLV_DEBUG, LOCATION, NULL, 2216 "selected sainfo: %s\n", sainfo2str(iph2->sainfo)); 2217 2218 error = 0; 2219 end: 2220 if (idsrc) 2221 vfree(idsrc); 2222 if (iddst) 2223 vfree(iddst); 2224 if (client) 2225 vfree(client); 2226 2227 return error; 2228 } 2229 2230 /* 2231 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types 2232 * are IP address and same address family. 2233 * Then get remote's policy from SPD copied from kernel. 2234 * If the type of ID payload is address or subnet type, then the index is 2235 * made from the payload. If there is no ID payload, or the type of ID 2236 * payload is NOT address type, then the index is made from the address 2237 * pair of phase 1. 2238 * NOTE: This function is only for responder. 2239 */ 2240 static int 2241 get_proposal_r(iph2) 2242 struct ph2handle *iph2; 2243 { 2244 struct policyindex spidx; 2245 struct secpolicy *sp_in, *sp_out; 2246 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */ 2247 int error = ISAKMP_INTERNAL_ERROR; 2248 2249 /* check the existence of ID payload */ 2250 if ((iph2->id_p != NULL && iph2->id == NULL) 2251 || (iph2->id_p == NULL && iph2->id != NULL)) { 2252 plog(LLV_ERROR, LOCATION, NULL, 2253 "Both IDs wasn't found in payload.\n"); 2254 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 2255 } 2256 2257 /* make sure if sa_[src, dst] are null. */ 2258 if (iph2->sa_src || iph2->sa_dst) { 2259 plog(LLV_ERROR, LOCATION, NULL, 2260 "Why do ID[src,dst] exist already.\n"); 2261 return ISAKMP_INTERNAL_ERROR; 2262 } 2263 2264 memset(&spidx, 0, sizeof(spidx)); 2265 2266 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type 2267 2268 /* make a spidx; a key to search SPD */ 2269 spidx.dir = IPSEC_DIR_INBOUND; 2270 spidx.ul_proto = 0; 2271 2272 /* 2273 * make destination address in spidx from either ID payload 2274 * or phase 1 address into a address in spidx. 2275 */ 2276 if (iph2->id != NULL 2277 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 2278 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR 2279 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET 2280 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 2281 /* get a destination address of a policy */ 2282 error = ipsecdoi_id2sockaddr(iph2->id, 2283 (struct sockaddr *)&spidx.dst, 2284 &spidx.prefd, &spidx.ul_proto); 2285 if (error) 2286 return error; 2287 2288 #ifdef INET6 2289 /* 2290 * get scopeid from the SA address. 2291 * note that the phase 1 source address is used as 2292 * a destination address to search for a inbound policy entry 2293 * because rcoon is responder. 2294 */ 2295 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { 2296 error = setscopeid((struct sockaddr *)&spidx.dst, 2297 iph2->src); 2298 if (error) 2299 return error; 2300 } 2301 #endif 2302 2303 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 2304 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) 2305 idi2type = _XIDT(iph2->id); 2306 2307 } else { 2308 2309 plog(LLV_DEBUG, LOCATION, NULL, 2310 "get a destination address of SP index " 2311 "from phase1 address " 2312 "due to no ID payloads found " 2313 "OR because ID type is not address.\n"); 2314 2315 /* 2316 * copy the SOURCE address of IKE into the DESTINATION address 2317 * of the key to search the SPD because the direction of policy 2318 * is inbound. 2319 */ 2320 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); 2321 switch (spidx.dst.ss_family) { 2322 case AF_INET: 2323 spidx.prefd = sizeof(struct in_addr) << 3; 2324 break; 2325 #ifdef INET6 2326 case AF_INET6: 2327 spidx.prefd = sizeof(struct in6_addr) << 3; 2328 break; 2329 #endif 2330 default: 2331 spidx.prefd = 0; 2332 break; 2333 } 2334 } 2335 2336 /* make source address in spidx */ 2337 if (iph2->id_p != NULL 2338 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR 2339 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR 2340 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET 2341 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 2342 /* get a source address of inbound SA */ 2343 error = ipsecdoi_id2sockaddr(iph2->id_p, 2344 (struct sockaddr *)&spidx.src, 2345 &spidx.prefs, &spidx.ul_proto); 2346 if (error) 2347 return error; 2348 2349 #ifdef INET6 2350 /* 2351 * get scopeid from the SA address. 2352 * for more detail, see above of this function. 2353 */ 2354 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { 2355 error = setscopeid((struct sockaddr *)&spidx.src, 2356 iph2->dst); 2357 if (error) 2358 return error; 2359 } 2360 #endif 2361 2362 /* Before setting iph2->[sa_src, sa_dst] with the addresses 2363 * provided in ID payloads, we check: 2364 * - they are both addresses of same family 2365 * - sainfo has not been selected only based on ID payload 2366 * information but also based on specific Phase 1 2367 * credentials (iph2->sainfo->id_i is defined), i.e. 2368 * local configuration _explicitly_ expect that user 2369 * (e.g. from asn1dn "C=FR, ...") with those IDs) */ 2370 if (_XIDT(iph2->id_p) == idi2type && 2371 spidx.dst.ss_family == spidx.src.ss_family && 2372 iph2->sainfo && iph2->sainfo->id_i) { 2373 2374 iph2->sa_src = dupsaddr((struct sockaddr *)&spidx.dst); 2375 if (iph2->sa_src == NULL) { 2376 plog(LLV_ERROR, LOCATION, NULL, 2377 "buffer allocation failed.\n"); 2378 return ISAKMP_INTERNAL_ERROR; 2379 } 2380 2381 iph2->sa_dst = dupsaddr((struct sockaddr *)&spidx.src); 2382 if (iph2->sa_dst == NULL) { 2383 plog(LLV_ERROR, LOCATION, NULL, 2384 "buffer allocation failed.\n"); 2385 return ISAKMP_INTERNAL_ERROR; 2386 } 2387 } else { 2388 plog(LLV_DEBUG, LOCATION, NULL, 2389 "Either family (%d - %d), types (%d - %d) of ID " 2390 "from initiator differ or matching sainfo " 2391 "has no id_i defined for the peer. Not filling " 2392 "iph2->sa_src and iph2->sa_dst.\n", 2393 spidx.src.ss_family, spidx.dst.ss_family, 2394 _XIDT(iph2->id_p),idi2type); 2395 } 2396 } else { 2397 plog(LLV_DEBUG, LOCATION, NULL, 2398 "get a source address of SP index from Phase 1" 2399 "addresses due to no ID payloads found" 2400 "OR because ID type is not address.\n"); 2401 2402 /* see above comment. */ 2403 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); 2404 switch (spidx.src.ss_family) { 2405 case AF_INET: 2406 spidx.prefs = sizeof(struct in_addr) << 3; 2407 break; 2408 #ifdef INET6 2409 case AF_INET6: 2410 spidx.prefs = sizeof(struct in6_addr) << 3; 2411 break; 2412 #endif 2413 default: 2414 spidx.prefs = 0; 2415 break; 2416 } 2417 } 2418 2419 #undef _XIDT 2420 2421 plog(LLV_DEBUG, LOCATION, NULL, 2422 "get src address from ID payload " 2423 "%s prefixlen=%u ul_proto=%u\n", 2424 saddr2str((struct sockaddr *)&spidx.src), 2425 spidx.prefs, spidx.ul_proto); 2426 plog(LLV_DEBUG, LOCATION, NULL, 2427 "get dst address from ID payload " 2428 "%s prefixlen=%u ul_proto=%u\n", 2429 saddr2str((struct sockaddr *)&spidx.dst), 2430 spidx.prefd, spidx.ul_proto); 2431 2432 /* 2433 * convert the ul_proto if it is 0 2434 * because 0 in ID payload means a wild card. 2435 */ 2436 if (spidx.ul_proto == 0) 2437 spidx.ul_proto = IPSEC_ULPROTO_ANY; 2438 2439 #ifdef HAVE_SECCTX 2440 /* 2441 * Need to use security context in spidx to ensure the correct 2442 * policy is selected. The only way to get the security context 2443 * is to look into the proposal sent by peer ahead of time. 2444 */ 2445 if (get_security_context(iph2->sa, &spidx)) { 2446 plog(LLV_ERROR, LOCATION, NULL, 2447 "error occurred trying to get security context.\n"); 2448 return ISAKMP_INTERNAL_ERROR; 2449 } 2450 #endif /* HAVE_SECCTX */ 2451 2452 /* get inbound policy */ 2453 sp_in = getsp_r(&spidx); 2454 if (sp_in == NULL) { 2455 if (iph2->ph1->rmconf->gen_policy) { 2456 plog(LLV_INFO, LOCATION, NULL, 2457 "no policy found, " 2458 "try to generate the policy : %s\n", 2459 spidx2str(&spidx)); 2460 iph2->spidx_gen = racoon_malloc(sizeof(spidx)); 2461 if (!iph2->spidx_gen) { 2462 plog(LLV_ERROR, LOCATION, NULL, 2463 "buffer allocation failed.\n"); 2464 return ISAKMP_INTERNAL_ERROR; 2465 } 2466 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); 2467 return -2; /* special value */ 2468 } 2469 plog(LLV_ERROR, LOCATION, NULL, 2470 "no policy found: %s\n", spidx2str(&spidx)); 2471 return ISAKMP_INTERNAL_ERROR; 2472 } 2473 /* Refresh existing generated policies 2474 */ 2475 if (iph2->ph1->rmconf->gen_policy) { 2476 plog(LLV_INFO, LOCATION, NULL, 2477 "Update the generated policy : %s\n", 2478 spidx2str(&spidx)); 2479 iph2->spidx_gen = racoon_malloc(sizeof(spidx)); 2480 if (!iph2->spidx_gen) { 2481 plog(LLV_ERROR, LOCATION, NULL, 2482 "buffer allocation failed.\n"); 2483 return ISAKMP_INTERNAL_ERROR; 2484 } 2485 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); 2486 } 2487 2488 /* get outbound policy */ 2489 { 2490 struct sockaddr_storage addr; 2491 u_int8_t pref; 2492 2493 spidx.dir = IPSEC_DIR_OUTBOUND; 2494 addr = spidx.src; 2495 spidx.src = spidx.dst; 2496 spidx.dst = addr; 2497 pref = spidx.prefs; 2498 spidx.prefs = spidx.prefd; 2499 spidx.prefd = pref; 2500 2501 sp_out = getsp_r(&spidx); 2502 if (!sp_out) { 2503 plog(LLV_WARNING, LOCATION, NULL, 2504 "no outbound policy found: %s\n", 2505 spidx2str(&spidx)); 2506 } 2507 } 2508 2509 plog(LLV_DEBUG, LOCATION, NULL, 2510 "suitable SP found:%s\n", spidx2str(&spidx)); 2511 2512 /* 2513 * In the responder side, the inbound policy should be using IPsec. 2514 * outbound policy is not checked currently. 2515 */ 2516 if (sp_in->policy != IPSEC_POLICY_IPSEC) { 2517 plog(LLV_ERROR, LOCATION, NULL, 2518 "policy found, but no IPsec required: %s\n", 2519 spidx2str(&spidx)); 2520 return ISAKMP_INTERNAL_ERROR; 2521 } 2522 2523 /* set new proposal derived from a policy into the iph2->proposal. */ 2524 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) { 2525 plog(LLV_ERROR, LOCATION, NULL, 2526 "failed to create saprop.\n"); 2527 return ISAKMP_INTERNAL_ERROR; 2528 } 2529 2530 #ifdef HAVE_SECCTX 2531 if (spidx.sec_ctx.ctx_str) { 2532 set_secctx_in_proposal(iph2, spidx); 2533 } 2534 #endif /* HAVE_SECCTX */ 2535 2536 iph2->spid = sp_in->id; 2537 2538 return 0; 2539 } 2540 2541 /* 2542 * handle a notification payload inside phase2 exchange. 2543 * phase2 is always encrypted, so it does not need to be checked 2544 * for explicitely. 2545 */ 2546 static int 2547 ph2_recv_n(iph2, gen) 2548 struct ph2handle *iph2; 2549 struct isakmp_gen *gen; 2550 { 2551 struct ph1handle *iph1 = iph2->ph1; 2552 struct isakmp_pl_n *notify = (struct isakmp_pl_n *) gen; 2553 u_int type; 2554 int check_level; 2555 2556 type = ntohs(notify->type); 2557 switch (type) { 2558 case ISAKMP_NTYPE_CONNECTED: 2559 break; 2560 case ISAKMP_NTYPE_INITIAL_CONTACT: 2561 return isakmp_info_recv_initialcontact(iph1, iph2); 2562 case ISAKMP_NTYPE_RESPONDER_LIFETIME: 2563 ipsecdoi_parse_responder_lifetime(notify, 2564 &iph2->lifetime_secs, &iph2->lifetime_kb); 2565 2566 if (iph1 != NULL && iph1->rmconf != NULL) { 2567 check_level = iph1->rmconf->pcheck_level; 2568 } else { 2569 if (iph1 != NULL) 2570 plog(LLV_DEBUG, LOCATION, NULL, 2571 "No phase1 rmconf found !\n"); 2572 else 2573 plog(LLV_DEBUG, LOCATION, NULL, 2574 "No phase1 found !\n"); 2575 check_level = PROP_CHECK_EXACT; 2576 } 2577 2578 switch (check_level) { 2579 case PROP_CHECK_OBEY: 2580 break; 2581 case PROP_CHECK_STRICT: 2582 case PROP_CHECK_CLAIM: 2583 if (iph2->sainfo == NULL 2584 || iph2->sainfo->lifetime <= iph2->lifetime_secs) { 2585 plog(LLV_WARNING, LOCATION, NULL, 2586 "RESPONDER-LIFETIME: lifetime mismatch\n"); 2587 iph2->lifetime_secs = 0; 2588 } 2589 break; 2590 case PROP_CHECK_EXACT: 2591 if (iph2->sainfo == NULL 2592 || iph2->sainfo->lifetime != iph2->lifetime_secs) { 2593 plog(LLV_WARNING, LOCATION, NULL, 2594 "RESPONDER-LIFETIME: lifetime mismatch\n"); 2595 iph2->lifetime_secs = 0; 2596 } 2597 break; 2598 } 2599 break; 2600 default: 2601 isakmp_log_notify(iph2->ph1, notify, "phase2 exchange"); 2602 isakmp_info_send_n2(iph2, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, 2603 NULL); 2604 break; 2605 } 2606 return 0; 2607 } 2608 2609
