1 /* $NetBSD: isakmp_quick.c,v 1.11.4.1 2007/08/01 11:52:21 vanhu Exp $ */ 2 3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 40 #include <netinet/in.h> 41 42 #include <stdlib.h> 43 #include <stdio.h> 44 #include <string.h> 45 #include <errno.h> 46 #if TIME_WITH_SYS_TIME 47 # include <sys/time.h> 48 # include <time.h> 49 #else 50 # if HAVE_SYS_TIME_H 51 # include <sys/time.h> 52 # else 53 # include <time.h> 54 # endif 55 #endif 56 #ifdef ENABLE_HYBRID 57 #include <resolv.h> 58 #endif 59 60 #include PATH_IPSEC_H 61 62 #include "var.h" 63 #include "vmbuf.h" 64 #include "schedule.h" 65 #include "misc.h" 66 #include "plog.h" 67 #include "debug.h" 68 69 #include "localconf.h" 70 #include "remoteconf.h" 71 #include "handler.h" 72 #include "policy.h" 73 #include "proposal.h" 74 #include "isakmp_var.h" 75 #include "isakmp.h" 76 #include "isakmp_inf.h" 77 #include "isakmp_quick.h" 78 #include "oakley.h" 79 #include "ipsec_doi.h" 80 #include "crypto_openssl.h" 81 #include "pfkey.h" 82 #include "policy.h" 83 #include "algorithm.h" 84 #include "sockmisc.h" 85 #include "proposal.h" 86 #include "sainfo.h" 87 #include "admin.h" 88 #include "strnames.h" 89 90 /* quick mode */ 91 static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *)); 92 static int get_sainfo_r __P((struct ph2handle *)); 93 static int get_proposal_r __P((struct ph2handle *)); 94 95 /* %%% 97 * Quick Mode 98 */ 99 /* 100 * begin Quick Mode as initiator. send pfkey getspi message to kernel. 101 */ 102 int 103 quick_i1prep(iph2, msg) 104 struct ph2handle *iph2; 105 vchar_t *msg; /* must be null pointer */ 106 { 107 int error = ISAKMP_INTERNAL_ERROR; 108 109 /* validity check */ 110 if (iph2->status != PHASE2ST_STATUS2) { 111 plog(LLV_ERROR, LOCATION, NULL, 112 "status mismatched %d.\n", iph2->status); 113 goto end; 114 } 115 116 iph2->msgid = isakmp_newmsgid2(iph2->ph1); 117 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid); 118 if (iph2->ivm == NULL) 119 return 0; 120 121 iph2->status = PHASE2ST_GETSPISENT; 122 123 /* don't anything if local test mode. */ 124 if (f_local) { 125 error = 0; 126 goto end; 127 } 128 129 /* send getspi message */ 130 if (pk_sendgetspi(iph2) < 0) 131 goto end; 132 133 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); 134 135 iph2->sce = sched_new(lcconf->wait_ph2complete, 136 pfkey_timeover_stub, iph2); 137 138 error = 0; 139 140 end: 141 return error; 142 } 143 144 /* 145 * send to responder 146 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] 147 */ 148 int 149 quick_i1send(iph2, msg) 150 struct ph2handle *iph2; 151 vchar_t *msg; /* must be null pointer */ 152 { 153 vchar_t *body = NULL; 154 vchar_t *hash = NULL; 155 struct isakmp_gen *gen; 156 char *p; 157 int tlen; 158 int error = ISAKMP_INTERNAL_ERROR; 159 int pfsgroup, idci, idcr; 160 int np; 161 struct ipsecdoi_id_b *id, *id_p; 162 163 /* validity check */ 164 if (msg != NULL) { 165 plog(LLV_ERROR, LOCATION, NULL, 166 "msg has to be NULL in this function.\n"); 167 goto end; 168 } 169 if (iph2->status != PHASE2ST_GETSPIDONE) { 170 plog(LLV_ERROR, LOCATION, NULL, 171 "status mismatched %d.\n", iph2->status); 172 goto end; 173 } 174 175 /* create SA payload for my proposal */ 176 if (ipsecdoi_setph2proposal(iph2) < 0) 177 goto end; 178 179 /* generate NONCE value */ 180 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); 181 if (iph2->nonce == NULL) 182 goto end; 183 184 /* 185 * DH value calculation is kicked out into cfparse.y. 186 * because pfs group can not be negotiated, it's only to be checked 187 * acceptable. 188 */ 189 /* generate KE value if need */ 190 pfsgroup = iph2->proposal->pfs_group; 191 if (pfsgroup) { 192 /* DH group settting if PFS is required. */ 193 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { 194 plog(LLV_ERROR, LOCATION, NULL, 195 "failed to set DH value.\n"); 196 goto end; 197 } 198 if (oakley_dh_generate(iph2->pfsgrp, 199 &iph2->dhpub, &iph2->dhpriv) < 0) { 200 goto end; 201 } 202 } 203 204 /* generate ID value */ 205 if (ipsecdoi_setid2(iph2) < 0) { 206 plog(LLV_ERROR, LOCATION, NULL, 207 "failed to get ID.\n"); 208 goto end; 209 } 210 plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n"); 211 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); 212 plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n"); 213 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); 214 215 /* 216 * we do not attach IDci nor IDcr, under the following condition: 217 * - all proposals are transport mode 218 * - no MIP6 or proxy 219 * - id payload suggests to encrypt all the traffic (no specific 220 * protocol type) 221 */ 222 id = (struct ipsecdoi_id_b *)iph2->id->v; 223 id_p = (struct ipsecdoi_id_b *)iph2->id_p->v; 224 if (id->proto_id == 0 225 && id_p->proto_id == 0 226 && iph2->ph1->rmconf->support_proxy == 0 227 && ipsecdoi_transportmode(iph2->proposal)) { 228 idci = idcr = 0; 229 } else 230 idci = idcr = 1; 231 232 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */ 233 tlen = + sizeof(*gen) + iph2->sa->l 234 + sizeof(*gen) + iph2->nonce->l; 235 if (pfsgroup) 236 tlen += (sizeof(*gen) + iph2->dhpub->l); 237 if (idci) 238 tlen += sizeof(*gen) + iph2->id->l; 239 if (idcr) 240 tlen += sizeof(*gen) + iph2->id_p->l; 241 242 body = vmalloc(tlen); 243 if (body == NULL) { 244 plog(LLV_ERROR, LOCATION, NULL, 245 "failed to get buffer to send.\n"); 246 goto end; 247 } 248 249 p = body->v; 250 251 /* add SA payload */ 252 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE); 253 254 /* add NONCE payload */ 255 if (pfsgroup) 256 np = ISAKMP_NPTYPE_KE; 257 else if (idci || idcr) 258 np = ISAKMP_NPTYPE_ID; 259 else 260 np = ISAKMP_NPTYPE_NONE; 261 p = set_isakmp_payload(p, iph2->nonce, np); 262 263 /* add KE payload if need. */ 264 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : ISAKMP_NPTYPE_NONE; 265 if (pfsgroup) 266 p = set_isakmp_payload(p, iph2->dhpub, np); 267 268 /* IDci */ 269 np = (idcr) ? ISAKMP_NPTYPE_ID : ISAKMP_NPTYPE_NONE; 270 if (idci) 271 p = set_isakmp_payload(p, iph2->id, np); 272 273 /* IDcr */ 274 if (idcr) 275 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_NONE); 276 277 /* generate HASH(1) */ 278 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body); 279 if (hash == NULL) 280 goto end; 281 282 /* send isakmp payload */ 283 iph2->sendbuf = quick_ir1mx(iph2, body, hash); 284 if (iph2->sendbuf == NULL) 285 goto end; 286 287 /* send the packet, add to the schedule to resend */ 288 iph2->retry_counter = iph2->ph1->rmconf->retry_counter; 289 if (isakmp_ph2resend(iph2) == -1) 290 goto end; 291 292 /* change status of isakmp status entry */ 293 iph2->status = PHASE2ST_MSG1SENT; 294 295 error = 0; 296 297 end: 298 if (body != NULL) 299 vfree(body); 300 if (hash != NULL) 301 vfree(hash); 302 303 return error; 304 } 305 306 /* 307 * receive from responder 308 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] 309 */ 310 int 311 quick_i2recv(iph2, msg0) 312 struct ph2handle *iph2; 313 vchar_t *msg0; 314 { 315 vchar_t *msg = NULL; 316 vchar_t *hbuf = NULL; /* for hash computing. */ 317 vchar_t *pbuf = NULL; /* for payload parsing */ 318 struct isakmp_parse_t *pa; 319 struct isakmp *isakmp = (struct isakmp *)msg0->v; 320 struct isakmp_pl_hash *hash = NULL; 321 int f_id; 322 char *p; 323 int tlen; 324 int error = ISAKMP_INTERNAL_ERROR; 325 326 /* validity check */ 327 if (iph2->status != PHASE2ST_MSG1SENT) { 328 plog(LLV_ERROR, LOCATION, NULL, 329 "status mismatched %d.\n", iph2->status); 330 goto end; 331 } 332 333 /* decrypt packet */ 334 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 335 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 336 "Packet wasn't encrypted.\n"); 337 goto end; 338 } 339 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 340 if (msg == NULL) 341 goto end; 342 343 /* create buffer for validating HASH(2) */ 344 /* 345 * ordering rule: 346 * 1. the first one must be HASH 347 * 2. the second one must be SA (added in isakmp-oakley-05!) 348 * 3. two IDs must be considered as IDci, then IDcr 349 */ 350 pbuf = isakmp_parse(msg); 351 if (pbuf == NULL) 352 goto end; 353 pa = (struct isakmp_parse_t *)pbuf->v; 354 355 /* HASH payload is fixed postion */ 356 if (pa->type != ISAKMP_NPTYPE_HASH) { 357 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 358 "received invalid next payload type %d, " 359 "expecting %d.\n", 360 pa->type, ISAKMP_NPTYPE_HASH); 361 goto end; 362 } 363 hash = (struct isakmp_pl_hash *)pa->ptr; 364 pa++; 365 366 /* 367 * this restriction was introduced in isakmp-oakley-05. 368 * we do not check this for backward compatibility. 369 * TODO: command line/config file option to enable/disable this code 370 */ 371 /* HASH payload is fixed postion */ 372 if (pa->type != ISAKMP_NPTYPE_SA) { 373 plog(LLV_WARNING, LOCATION, iph2->ph1->remote, 374 "received invalid next payload type %d, " 375 "expecting %d.\n", 376 pa->type, ISAKMP_NPTYPE_HASH); 377 } 378 379 /* allocate buffer for computing HASH(2) */ 380 tlen = iph2->nonce->l 381 + ntohl(isakmp->len) - sizeof(*isakmp); 382 hbuf = vmalloc(tlen); 383 if (hbuf == NULL) { 384 plog(LLV_ERROR, LOCATION, NULL, 385 "failed to get hash buffer.\n"); 386 goto end; 387 } 388 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */ 389 390 /* 391 * parse the payloads. 392 * copy non-HASH payloads into hbuf, so that we can validate HASH. 393 */ 394 iph2->sa_ret = NULL; 395 f_id = 0; /* flag to use checking ID */ 396 tlen = 0; /* count payload length except of HASH payload. */ 397 for (; pa->type; pa++) { 398 399 /* copy to buffer for HASH */ 400 /* Don't modify the payload */ 401 memcpy(p, pa->ptr, pa->len); 402 403 switch (pa->type) { 404 case ISAKMP_NPTYPE_SA: 405 if (iph2->sa_ret != NULL) { 406 plog(LLV_ERROR, LOCATION, NULL, 407 "Ignored, multiple SA " 408 "isn't supported.\n"); 409 break; 410 } 411 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) 412 goto end; 413 break; 414 415 case ISAKMP_NPTYPE_NONCE: 416 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) 417 goto end; 418 break; 419 420 case ISAKMP_NPTYPE_KE: 421 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) 422 goto end; 423 break; 424 425 case ISAKMP_NPTYPE_ID: 426 { 427 vchar_t *vp; 428 429 /* check ID value */ 430 if (f_id == 0) { 431 /* for IDci */ 432 f_id = 1; 433 vp = iph2->id; 434 } else { 435 /* for IDcr */ 436 vp = iph2->id_p; 437 } 438 439 #ifndef ANDROID_PATCHED 440 if (memcmp(vp->v, (caddr_t)pa->ptr + sizeof(struct isakmp_gen), vp->l)) { 441 442 plog(LLV_ERROR, LOCATION, NULL, 443 "mismatched ID was returned.\n"); 444 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 445 goto end; 446 } 447 #endif 448 } 449 break; 450 451 case ISAKMP_NPTYPE_N: 452 isakmp_check_notify(pa->ptr, iph2->ph1); 453 break; 454 455 #ifdef ENABLE_NATT 456 case ISAKMP_NPTYPE_NATOA_DRAFT: 457 case ISAKMP_NPTYPE_NATOA_RFC: 458 /* Ignore original source/destination messages */ 459 break; 460 #endif 461 462 default: 463 /* don't send information, see ident_r1recv() */ 464 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 465 "ignore the packet, " 466 "received unexpecting payload type %d.\n", 467 pa->type); 468 goto end; 469 } 470 471 p += pa->len; 472 473 /* compute true length of payload. */ 474 tlen += pa->len; 475 } 476 477 /* payload existency check */ 478 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) { 479 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 480 "few isakmp message received.\n"); 481 goto end; 482 } 483 484 /* Fixed buffer for calculating HASH */ 485 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l); 486 plog(LLV_DEBUG, LOCATION, NULL, 487 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n", 488 hbuf->l, tlen + iph2->nonce->l); 489 /* adjust buffer length for HASH */ 490 hbuf->l = iph2->nonce->l + tlen; 491 492 /* validate HASH(2) */ 493 { 494 char *r_hash; 495 vchar_t *my_hash = NULL; 496 int result; 497 498 r_hash = (char *)hash + sizeof(*hash); 499 500 plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:"); 501 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 502 503 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); 504 if (my_hash == NULL) 505 goto end; 506 507 result = memcmp(my_hash->v, r_hash, my_hash->l); 508 vfree(my_hash); 509 510 if (result) { 511 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 512 "HASH(2) mismatch.\n"); 513 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 514 goto end; 515 } 516 } 517 518 /* validity check SA payload sent from responder */ 519 if (ipsecdoi_checkph2proposal(iph2) < 0) { 520 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 521 goto end; 522 } 523 524 /* change status of isakmp status entry */ 525 iph2->status = PHASE2ST_STATUS6; 526 527 error = 0; 528 529 end: 530 if (hbuf) 531 vfree(hbuf); 532 if (pbuf) 533 vfree(pbuf); 534 if (msg) 535 vfree(msg); 536 537 if (error) { 538 VPTRINIT(iph2->sa_ret); 539 VPTRINIT(iph2->nonce_p); 540 VPTRINIT(iph2->dhpub_p); 541 VPTRINIT(iph2->id); 542 VPTRINIT(iph2->id_p); 543 } 544 545 return error; 546 } 547 548 /* 549 * send to responder 550 * HDR*, HASH(3) 551 */ 552 int 553 quick_i2send(iph2, msg0) 554 struct ph2handle *iph2; 555 vchar_t *msg0; 556 { 557 vchar_t *msg = NULL; 558 vchar_t *buf = NULL; 559 vchar_t *hash = NULL; 560 char *p = NULL; 561 int tlen; 562 int error = ISAKMP_INTERNAL_ERROR; 563 564 /* validity check */ 565 if (iph2->status != PHASE2ST_STATUS6) { 566 plog(LLV_ERROR, LOCATION, NULL, 567 "status mismatched %d.\n", iph2->status); 568 goto end; 569 } 570 571 /* generate HASH(3) */ 572 { 573 vchar_t *tmp = NULL; 574 575 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n"); 576 577 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l); 578 if (tmp == NULL) { 579 plog(LLV_ERROR, LOCATION, NULL, 580 "failed to get hash buffer.\n"); 581 goto end; 582 } 583 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l); 584 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l); 585 586 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp); 587 vfree(tmp); 588 589 if (hash == NULL) 590 goto end; 591 } 592 593 /* create buffer for isakmp payload */ 594 tlen = sizeof(struct isakmp) 595 + sizeof(struct isakmp_gen) + hash->l; 596 buf = vmalloc(tlen); 597 if (buf == NULL) { 598 plog(LLV_ERROR, LOCATION, NULL, 599 "failed to get buffer to send.\n"); 600 goto end; 601 } 602 603 /* create isakmp header */ 604 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 605 if (p == NULL) 606 goto end; 607 608 /* add HASH(3) payload */ 609 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE); 610 611 #ifdef HAVE_PRINT_ISAKMP_C 612 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 613 #endif 614 615 /* encoding */ 616 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 617 if (iph2->sendbuf == NULL) 618 goto end; 619 620 /* if there is commit bit, need resending */ 621 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 622 /* send the packet, add to the schedule to resend */ 623 iph2->retry_counter = iph2->ph1->rmconf->retry_counter; 624 if (isakmp_ph2resend(iph2) == -1) 625 goto end; 626 } else { 627 /* send the packet */ 628 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) 629 goto end; 630 } 631 632 /* the sending message is added to the received-list. */ 633 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, 634 iph2->sendbuf, msg0) == -1) { 635 plog(LLV_ERROR , LOCATION, NULL, 636 "failed to add a response packet to the tree.\n"); 637 goto end; 638 } 639 640 /* compute both of KEYMATs */ 641 if (oakley_compute_keymat(iph2, INITIATOR) < 0) 642 goto end; 643 644 iph2->status = PHASE2ST_ADDSA; 645 646 /* don't anything if local test mode. */ 647 if (f_local) { 648 error = 0; 649 goto end; 650 } 651 652 /* if there is commit bit don't set up SA now. */ 653 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 654 iph2->status = PHASE2ST_COMMIT; 655 error = 0; 656 goto end; 657 } 658 659 /* Do UPDATE for initiator */ 660 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 661 if (pk_sendupdate(iph2) < 0) { 662 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 663 goto end; 664 } 665 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 666 667 /* Do ADD for responder */ 668 if (pk_sendadd(iph2) < 0) { 669 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 670 goto end; 671 } 672 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 673 674 error = 0; 675 676 end: 677 if (buf != NULL) 678 vfree(buf); 679 if (msg != NULL) 680 vfree(msg); 681 if (hash != NULL) 682 vfree(hash); 683 684 return error; 685 } 686 687 /* 688 * receive from responder 689 * HDR#*, HASH(4), notify 690 */ 691 int 692 quick_i3recv(iph2, msg0) 693 struct ph2handle *iph2; 694 vchar_t *msg0; 695 { 696 vchar_t *msg = NULL; 697 vchar_t *pbuf = NULL; /* for payload parsing */ 698 struct isakmp_parse_t *pa; 699 struct isakmp_pl_hash *hash = NULL; 700 vchar_t *notify = NULL; 701 int error = ISAKMP_INTERNAL_ERROR; 702 703 /* validity check */ 704 if (iph2->status != PHASE2ST_COMMIT) { 705 plog(LLV_ERROR, LOCATION, NULL, 706 "status mismatched %d.\n", iph2->status); 707 goto end; 708 } 709 710 /* decrypt packet */ 711 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 712 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 713 "Packet wasn't encrypted.\n"); 714 goto end; 715 } 716 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 717 if (msg == NULL) 718 goto end; 719 720 /* validate the type of next payload */ 721 pbuf = isakmp_parse(msg); 722 if (pbuf == NULL) 723 goto end; 724 725 for (pa = (struct isakmp_parse_t *)pbuf->v; 726 pa->type != ISAKMP_NPTYPE_NONE; 727 pa++) { 728 729 switch (pa->type) { 730 case ISAKMP_NPTYPE_HASH: 731 hash = (struct isakmp_pl_hash *)pa->ptr; 732 break; 733 case ISAKMP_NPTYPE_N: 734 if (notify != NULL) { 735 plog(LLV_WARNING, LOCATION, NULL, 736 "Ignoring multiples notifications\n"); 737 break; 738 } 739 isakmp_check_notify(pa->ptr, iph2->ph1); 740 notify = vmalloc(pa->len); 741 if (notify == NULL) { 742 plog(LLV_ERROR, LOCATION, NULL, 743 "failed to get notify buffer.\n"); 744 goto end; 745 } 746 memcpy(notify->v, pa->ptr, notify->l); 747 break; 748 default: 749 /* don't send information, see ident_r1recv() */ 750 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 751 "ignore the packet, " 752 "received unexpecting payload type %d.\n", 753 pa->type); 754 goto end; 755 } 756 } 757 758 /* payload existency check */ 759 if (hash == NULL) { 760 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 761 "few isakmp message received.\n"); 762 goto end; 763 } 764 765 /* validate HASH(4) */ 766 { 767 char *r_hash; 768 vchar_t *my_hash = NULL; 769 vchar_t *tmp = NULL; 770 int result; 771 772 r_hash = (char *)hash + sizeof(*hash); 773 774 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:"); 775 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 776 777 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); 778 vfree(tmp); 779 if (my_hash == NULL) 780 goto end; 781 782 result = memcmp(my_hash->v, r_hash, my_hash->l); 783 vfree(my_hash); 784 785 if (result) { 786 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 787 "HASH(4) mismatch.\n"); 788 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 789 goto end; 790 } 791 } 792 793 iph2->status = PHASE2ST_ADDSA; 794 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ 795 796 /* don't anything if local test mode. */ 797 if (f_local) { 798 error = 0; 799 goto end; 800 } 801 802 /* Do UPDATE for initiator */ 803 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 804 if (pk_sendupdate(iph2) < 0) { 805 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 806 goto end; 807 } 808 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 809 810 /* Do ADD for responder */ 811 if (pk_sendadd(iph2) < 0) { 812 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 813 goto end; 814 } 815 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 816 817 error = 0; 818 819 end: 820 if (msg != NULL) 821 vfree(msg); 822 if (pbuf != NULL) 823 vfree(pbuf); 824 if (notify != NULL) 825 vfree(notify); 826 827 return error; 828 } 829 830 /* 831 * receive from initiator 832 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] 833 */ 834 int 835 quick_r1recv(iph2, msg0) 836 struct ph2handle *iph2; 837 vchar_t *msg0; 838 { 839 vchar_t *msg = NULL; 840 vchar_t *hbuf = NULL; /* for hash computing. */ 841 vchar_t *pbuf = NULL; /* for payload parsing */ 842 struct isakmp_parse_t *pa; 843 struct isakmp *isakmp = (struct isakmp *)msg0->v; 844 struct isakmp_pl_hash *hash = NULL; 845 char *p; 846 int tlen; 847 int f_id_order; /* for ID payload detection */ 848 int error = ISAKMP_INTERNAL_ERROR; 849 850 /* validity check */ 851 if (iph2->status != PHASE2ST_START) { 852 plog(LLV_ERROR, LOCATION, NULL, 853 "status mismatched %d.\n", iph2->status); 854 goto end; 855 } 856 857 /* decrypting */ 858 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 859 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 860 "Packet wasn't encrypted.\n"); 861 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 862 goto end; 863 } 864 /* decrypt packet */ 865 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 866 if (msg == NULL) 867 goto end; 868 869 /* create buffer for using to validate HASH(1) */ 870 /* 871 * ordering rule: 872 * 1. the first one must be HASH 873 * 2. the second one must be SA (added in isakmp-oakley-05!) 874 * 3. two IDs must be considered as IDci, then IDcr 875 */ 876 pbuf = isakmp_parse(msg); 877 if (pbuf == NULL) 878 goto end; 879 pa = (struct isakmp_parse_t *)pbuf->v; 880 881 /* HASH payload is fixed postion */ 882 if (pa->type != ISAKMP_NPTYPE_HASH) { 883 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 884 "received invalid next payload type %d, " 885 "expecting %d.\n", 886 pa->type, ISAKMP_NPTYPE_HASH); 887 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX; 888 goto end; 889 } 890 hash = (struct isakmp_pl_hash *)pa->ptr; 891 pa++; 892 893 /* 894 * this restriction was introduced in isakmp-oakley-05. 895 * we do not check this for backward compatibility. 896 * TODO: command line/config file option to enable/disable this code 897 */ 898 /* HASH payload is fixed postion */ 899 if (pa->type != ISAKMP_NPTYPE_SA) { 900 plog(LLV_WARNING, LOCATION, iph2->ph1->remote, 901 "received invalid next payload type %d, " 902 "expecting %d.\n", 903 pa->type, ISAKMP_NPTYPE_SA); 904 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX; 905 } 906 907 /* allocate buffer for computing HASH(1) */ 908 tlen = ntohl(isakmp->len) - sizeof(*isakmp); 909 hbuf = vmalloc(tlen); 910 if (hbuf == NULL) { 911 plog(LLV_ERROR, LOCATION, NULL, 912 "failed to get hash buffer.\n"); 913 goto end; 914 } 915 p = hbuf->v; 916 917 /* 918 * parse the payloads. 919 * copy non-HASH payloads into hbuf, so that we can validate HASH. 920 */ 921 iph2->sa = NULL; /* we don't support multi SAs. */ 922 iph2->nonce_p = NULL; 923 iph2->dhpub_p = NULL; 924 iph2->id_p = NULL; 925 iph2->id = NULL; 926 tlen = 0; /* count payload length except of HASH payload. */ 927 928 /* 929 * IDi2 MUST be immediatelly followed by IDr2. We allowed the 930 * illegal case, but logged. First ID payload is to be IDi2. 931 * And next ID payload is to be IDr2. 932 */ 933 f_id_order = 0; 934 935 for (; pa->type; pa++) { 936 937 /* copy to buffer for HASH */ 938 /* Don't modify the payload */ 939 memcpy(p, pa->ptr, pa->len); 940 941 if (pa->type != ISAKMP_NPTYPE_ID) 942 f_id_order = 0; 943 944 switch (pa->type) { 945 case ISAKMP_NPTYPE_SA: 946 if (iph2->sa != NULL) { 947 plog(LLV_ERROR, LOCATION, NULL, 948 "Multi SAs isn't supported.\n"); 949 goto end; 950 } 951 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) 952 goto end; 953 break; 954 955 case ISAKMP_NPTYPE_NONCE: 956 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) 957 goto end; 958 break; 959 960 case ISAKMP_NPTYPE_KE: 961 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) 962 goto end; 963 break; 964 965 case ISAKMP_NPTYPE_ID: 966 if (iph2->id_p == NULL) { 967 /* for IDci */ 968 f_id_order++; 969 970 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) 971 goto end; 972 973 } else if (iph2->id == NULL) { 974 /* for IDcr */ 975 if (f_id_order == 0) { 976 plog(LLV_ERROR, LOCATION, NULL, 977 "IDr2 payload is not " 978 "immediatelly followed " 979 "by IDi2. We allowed.\n"); 980 /* XXX we allowed in this case. */ 981 } 982 983 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) 984 goto end; 985 } else { 986 plog(LLV_ERROR, LOCATION, NULL, 987 "received too many ID payloads.\n"); 988 plogdump(LLV_ERROR, iph2->id->v, iph2->id->l); 989 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION; 990 goto end; 991 } 992 break; 993 994 case ISAKMP_NPTYPE_N: 995 isakmp_check_notify(pa->ptr, iph2->ph1); 996 break; 997 998 #ifdef ENABLE_NATT 999 case ISAKMP_NPTYPE_NATOA_DRAFT: 1000 case ISAKMP_NPTYPE_NATOA_RFC: 1001 /* Ignore original source/destination messages */ 1002 break; 1003 #endif 1004 1005 default: 1006 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1007 "ignore the packet, " 1008 "received unexpecting payload type %d.\n", 1009 pa->type); 1010 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1011 goto end; 1012 } 1013 1014 p += pa->len; 1015 1016 /* compute true length of payload. */ 1017 tlen += pa->len; 1018 } 1019 1020 /* payload existency check */ 1021 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) { 1022 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1023 "few isakmp message received.\n"); 1024 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1025 goto end; 1026 } 1027 1028 if (iph2->id_p) { 1029 plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:"); 1030 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); 1031 } 1032 if (iph2->id) { 1033 plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:"); 1034 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); 1035 } 1036 1037 /* adjust buffer length for HASH */ 1038 hbuf->l = tlen; 1039 1040 /* validate HASH(1) */ 1041 { 1042 char *r_hash; 1043 vchar_t *my_hash = NULL; 1044 int result; 1045 1046 r_hash = (caddr_t)hash + sizeof(*hash); 1047 1048 plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:"); 1049 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1050 1051 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); 1052 if (my_hash == NULL) 1053 goto end; 1054 1055 result = memcmp(my_hash->v, r_hash, my_hash->l); 1056 vfree(my_hash); 1057 1058 if (result) { 1059 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 1060 "HASH(1) mismatch.\n"); 1061 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1062 goto end; 1063 } 1064 } 1065 1066 /* get sainfo */ 1067 error = get_sainfo_r(iph2); 1068 if (error) { 1069 plog(LLV_ERROR, LOCATION, NULL, 1070 "failed to get sainfo.\n"); 1071 goto end; 1072 } 1073 1074 1075 /* check the existence of ID payload and create responder's proposal */ 1076 error = get_proposal_r(iph2); 1077 switch (error) { 1078 case -2: 1079 /* generate a policy template from peer's proposal */ 1080 if (set_proposal_from_proposal(iph2)) { 1081 plog(LLV_ERROR, LOCATION, NULL, 1082 "failed to generate a proposal template " 1083 "from client's proposal.\n"); 1084 return ISAKMP_INTERNAL_ERROR; 1085 } 1086 /*FALLTHROUGH*/ 1087 case 0: 1088 /* select single proposal or reject it. */ 1089 if (ipsecdoi_selectph2proposal(iph2) < 0) { 1090 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1091 goto end; 1092 } 1093 break; 1094 default: 1095 plog(LLV_ERROR, LOCATION, NULL, 1096 "failed to get proposal for responder.\n"); 1097 goto end; 1098 } 1099 1100 /* check KE and attribute of PFS */ 1101 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) { 1102 plog(LLV_ERROR, LOCATION, NULL, 1103 "no PFS is specified, but peer sends KE.\n"); 1104 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1105 goto end; 1106 } 1107 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) { 1108 plog(LLV_ERROR, LOCATION, NULL, 1109 "PFS is specified, but peer doesn't sends KE.\n"); 1110 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1111 goto end; 1112 } 1113 1114 /* 1115 * save the packet from the initiator in order to resend the 1116 * responder's first packet against this packet. 1117 */ 1118 iph2->msg1 = vdup(msg0); 1119 1120 /* change status of isakmp status entry */ 1121 iph2->status = PHASE2ST_STATUS2; 1122 1123 error = 0; 1124 1125 end: 1126 if (hbuf) 1127 vfree(hbuf); 1128 if (msg) 1129 vfree(msg); 1130 if (pbuf) 1131 vfree(pbuf); 1132 1133 if (error) { 1134 VPTRINIT(iph2->sa); 1135 VPTRINIT(iph2->nonce_p); 1136 VPTRINIT(iph2->dhpub_p); 1137 VPTRINIT(iph2->id); 1138 VPTRINIT(iph2->id_p); 1139 } 1140 1141 return error; 1142 } 1143 1144 /* 1145 * call pfkey_getspi. 1146 */ 1147 int 1148 quick_r1prep(iph2, msg) 1149 struct ph2handle *iph2; 1150 vchar_t *msg; 1151 { 1152 int error = ISAKMP_INTERNAL_ERROR; 1153 1154 /* validity check */ 1155 if (iph2->status != PHASE2ST_STATUS2) { 1156 plog(LLV_ERROR, LOCATION, NULL, 1157 "status mismatched %d.\n", iph2->status); 1158 goto end; 1159 } 1160 1161 iph2->status = PHASE2ST_GETSPISENT; 1162 1163 /* send getspi message */ 1164 if (pk_sendgetspi(iph2) < 0) 1165 goto end; 1166 1167 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); 1168 1169 iph2->sce = sched_new(lcconf->wait_ph2complete, 1170 pfkey_timeover_stub, iph2); 1171 1172 error = 0; 1173 1174 end: 1175 return error; 1176 } 1177 1178 /* 1179 * send to initiator 1180 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] 1181 */ 1182 int 1183 quick_r2send(iph2, msg) 1184 struct ph2handle *iph2; 1185 vchar_t *msg; 1186 { 1187 vchar_t *body = NULL; 1188 vchar_t *hash = NULL; 1189 struct isakmp_gen *gen; 1190 char *p; 1191 int tlen; 1192 int error = ISAKMP_INTERNAL_ERROR; 1193 int pfsgroup; 1194 u_int8_t *np_p = NULL; 1195 1196 /* validity check */ 1197 if (msg != NULL) { 1198 plog(LLV_ERROR, LOCATION, NULL, 1199 "msg has to be NULL in this function.\n"); 1200 goto end; 1201 } 1202 if (iph2->status != PHASE2ST_GETSPIDONE) { 1203 plog(LLV_ERROR, LOCATION, NULL, 1204 "status mismatched %d.\n", iph2->status); 1205 goto end; 1206 } 1207 1208 /* update responders SPI */ 1209 if (ipsecdoi_updatespi(iph2) < 0) { 1210 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n"); 1211 goto end; 1212 } 1213 1214 /* generate NONCE value */ 1215 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); 1216 if (iph2->nonce == NULL) 1217 goto end; 1218 1219 /* generate KE value if need */ 1220 pfsgroup = iph2->approval->pfs_group; 1221 if (iph2->dhpub_p != NULL && pfsgroup != 0) { 1222 /* DH group settting if PFS is required. */ 1223 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { 1224 plog(LLV_ERROR, LOCATION, NULL, 1225 "failed to set DH value.\n"); 1226 goto end; 1227 } 1228 /* generate DH public value */ 1229 if (oakley_dh_generate(iph2->pfsgrp, 1230 &iph2->dhpub, &iph2->dhpriv) < 0) { 1231 goto end; 1232 } 1233 } 1234 1235 /* create SA;NONCE payload, and KE and ID if need */ 1236 tlen = sizeof(*gen) + iph2->sa_ret->l 1237 + sizeof(*gen) + iph2->nonce->l; 1238 if (iph2->dhpub_p != NULL && pfsgroup != 0) 1239 tlen += (sizeof(*gen) + iph2->dhpub->l); 1240 if (iph2->id_p != NULL) 1241 tlen += (sizeof(*gen) + iph2->id_p->l 1242 + sizeof(*gen) + iph2->id->l); 1243 1244 body = vmalloc(tlen); 1245 if (body == NULL) { 1246 plog(LLV_ERROR, LOCATION, NULL, 1247 "failed to get buffer to send.\n"); 1248 goto end; 1249 } 1250 p = body->v; 1251 1252 /* make SA payload */ 1253 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE); 1254 1255 /* add NONCE payload */ 1256 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1257 p = set_isakmp_payload(p, iph2->nonce, 1258 (iph2->dhpub_p != NULL && pfsgroup != 0) 1259 ? ISAKMP_NPTYPE_KE 1260 : (iph2->id_p != NULL 1261 ? ISAKMP_NPTYPE_ID 1262 : ISAKMP_NPTYPE_NONE)); 1263 1264 /* add KE payload if need. */ 1265 if (iph2->dhpub_p != NULL && pfsgroup != 0) { 1266 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1267 p = set_isakmp_payload(p, iph2->dhpub, 1268 (iph2->id_p == NULL) 1269 ? ISAKMP_NPTYPE_NONE 1270 : ISAKMP_NPTYPE_ID); 1271 } 1272 1273 /* add ID payloads received. */ 1274 if (iph2->id_p != NULL) { 1275 /* IDci */ 1276 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID); 1277 /* IDcr */ 1278 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1279 p = set_isakmp_payload(p, iph2->id, ISAKMP_NPTYPE_NONE); 1280 } 1281 1282 /* add a RESPONDER-LIFETIME notify payload if needed */ 1283 { 1284 vchar_t *data = NULL; 1285 struct saprop *pp = iph2->approval; 1286 struct saproto *pr; 1287 1288 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) { 1289 u_int32_t v = htonl((u_int32_t)pp->lifetime); 1290 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, 1291 IPSECDOI_ATTR_SA_LD_TYPE_SEC); 1292 if (!data) 1293 goto end; 1294 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, 1295 (caddr_t)&v, sizeof(v)); 1296 if (!data) 1297 goto end; 1298 } 1299 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) { 1300 u_int32_t v = htonl((u_int32_t)pp->lifebyte); 1301 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, 1302 IPSECDOI_ATTR_SA_LD_TYPE_KB); 1303 if (!data) 1304 goto end; 1305 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, 1306 (caddr_t)&v, sizeof(v)); 1307 if (!data) 1308 goto end; 1309 } 1310 1311 /* 1312 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message 1313 * in the case of SA bundle ? 1314 */ 1315 if (data) { 1316 for (pr = pp->head; pr; pr = pr->next) { 1317 body = isakmp_add_pl_n(body, &np_p, 1318 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data); 1319 if (!body) { 1320 vfree(data); 1321 return error; /* XXX */ 1322 } 1323 } 1324 vfree(data); 1325 } 1326 } 1327 1328 /* generate HASH(2) */ 1329 { 1330 vchar_t *tmp; 1331 1332 tmp = vmalloc(iph2->nonce_p->l + body->l); 1333 if (tmp == NULL) { 1334 plog(LLV_ERROR, LOCATION, NULL, 1335 "failed to get hash buffer.\n"); 1336 goto end; 1337 } 1338 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l); 1339 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l); 1340 1341 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp); 1342 vfree(tmp); 1343 1344 if (hash == NULL) 1345 goto end; 1346 } 1347 1348 /* send isakmp payload */ 1349 iph2->sendbuf = quick_ir1mx(iph2, body, hash); 1350 if (iph2->sendbuf == NULL) 1351 goto end; 1352 1353 /* send the packet, add to the schedule to resend */ 1354 iph2->retry_counter = iph2->ph1->rmconf->retry_counter; 1355 if (isakmp_ph2resend(iph2) == -1) 1356 goto end; 1357 1358 /* the sending message is added to the received-list. */ 1359 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) { 1360 plog(LLV_ERROR , LOCATION, NULL, 1361 "failed to add a response packet to the tree.\n"); 1362 goto end; 1363 } 1364 1365 /* change status of isakmp status entry */ 1366 iph2->status = PHASE2ST_MSG1SENT; 1367 1368 error = 0; 1369 1370 end: 1371 if (body != NULL) 1372 vfree(body); 1373 if (hash != NULL) 1374 vfree(hash); 1375 1376 return error; 1377 } 1378 1379 /* 1380 * receive from initiator 1381 * HDR*, HASH(3) 1382 */ 1383 int 1384 quick_r3recv(iph2, msg0) 1385 struct ph2handle *iph2; 1386 vchar_t *msg0; 1387 { 1388 vchar_t *msg = NULL; 1389 vchar_t *pbuf = NULL; /* for payload parsing */ 1390 struct isakmp_parse_t *pa; 1391 struct isakmp_pl_hash *hash = NULL; 1392 int error = ISAKMP_INTERNAL_ERROR; 1393 1394 /* validity check */ 1395 if (iph2->status != PHASE2ST_MSG1SENT) { 1396 plog(LLV_ERROR, LOCATION, NULL, 1397 "status mismatched %d.\n", iph2->status); 1398 goto end; 1399 } 1400 1401 /* decrypt packet */ 1402 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1403 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1404 "Packet wasn't encrypted.\n"); 1405 goto end; 1406 } 1407 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 1408 if (msg == NULL) 1409 goto end; 1410 1411 /* validate the type of next payload */ 1412 pbuf = isakmp_parse(msg); 1413 if (pbuf == NULL) 1414 goto end; 1415 1416 for (pa = (struct isakmp_parse_t *)pbuf->v; 1417 pa->type != ISAKMP_NPTYPE_NONE; 1418 pa++) { 1419 1420 switch (pa->type) { 1421 case ISAKMP_NPTYPE_HASH: 1422 hash = (struct isakmp_pl_hash *)pa->ptr; 1423 break; 1424 case ISAKMP_NPTYPE_N: 1425 isakmp_check_notify(pa->ptr, iph2->ph1); 1426 break; 1427 default: 1428 /* don't send information, see ident_r1recv() */ 1429 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1430 "ignore the packet, " 1431 "received unexpecting payload type %d.\n", 1432 pa->type); 1433 goto end; 1434 } 1435 } 1436 1437 /* payload existency check */ 1438 if (hash == NULL) { 1439 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1440 "few isakmp message received.\n"); 1441 goto end; 1442 } 1443 1444 /* validate HASH(3) */ 1445 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */ 1446 { 1447 char *r_hash; 1448 vchar_t *my_hash = NULL; 1449 vchar_t *tmp = NULL; 1450 int result; 1451 1452 r_hash = (char *)hash + sizeof(*hash); 1453 1454 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:"); 1455 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1456 1457 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l); 1458 if (tmp == NULL) { 1459 plog(LLV_ERROR, LOCATION, NULL, 1460 "failed to get hash buffer.\n"); 1461 goto end; 1462 } 1463 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l); 1464 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l); 1465 1466 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp); 1467 vfree(tmp); 1468 if (my_hash == NULL) 1469 goto end; 1470 1471 result = memcmp(my_hash->v, r_hash, my_hash->l); 1472 vfree(my_hash); 1473 1474 if (result) { 1475 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1476 "HASH(3) mismatch.\n"); 1477 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1478 goto end; 1479 } 1480 } 1481 1482 /* if there is commit bit, don't set up SA now. */ 1483 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 1484 iph2->status = PHASE2ST_COMMIT; 1485 } else 1486 iph2->status = PHASE2ST_STATUS6; 1487 1488 error = 0; 1489 1490 end: 1491 if (pbuf != NULL) 1492 vfree(pbuf); 1493 if (msg != NULL) 1494 vfree(msg); 1495 1496 return error; 1497 } 1498 1499 /* 1500 * send to initiator 1501 * HDR#*, HASH(4), notify 1502 */ 1503 int 1504 quick_r3send(iph2, msg0) 1505 struct ph2handle *iph2; 1506 vchar_t *msg0; 1507 { 1508 vchar_t *buf = NULL; 1509 vchar_t *myhash = NULL; 1510 struct isakmp_pl_n *n; 1511 vchar_t *notify = NULL; 1512 char *p; 1513 int tlen; 1514 int error = ISAKMP_INTERNAL_ERROR; 1515 1516 /* validity check */ 1517 if (iph2->status != PHASE2ST_COMMIT) { 1518 plog(LLV_ERROR, LOCATION, NULL, 1519 "status mismatched %d.\n", iph2->status); 1520 goto end; 1521 } 1522 1523 /* generate HASH(4) */ 1524 /* XXX What can I do in the case of multiple different SA */ 1525 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n"); 1526 1527 /* XXX What should I do if there are multiple SAs ? */ 1528 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize; 1529 notify = vmalloc(tlen); 1530 if (notify == NULL) { 1531 plog(LLV_ERROR, LOCATION, NULL, 1532 "failed to get notify buffer.\n"); 1533 goto end; 1534 } 1535 n = (struct isakmp_pl_n *)notify->v; 1536 n->h.np = ISAKMP_NPTYPE_NONE; 1537 n->h.len = htons(tlen); 1538 n->doi = htonl(IPSEC_DOI); 1539 n->proto_id = iph2->approval->head->proto_id; 1540 n->spi_size = sizeof(iph2->approval->head->spisize); 1541 n->type = htons(ISAKMP_NTYPE_CONNECTED); 1542 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize); 1543 1544 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); 1545 if (myhash == NULL) 1546 goto end; 1547 1548 /* create buffer for isakmp payload */ 1549 tlen = sizeof(struct isakmp) 1550 + sizeof(struct isakmp_gen) + myhash->l 1551 + notify->l; 1552 buf = vmalloc(tlen); 1553 if (buf == NULL) { 1554 plog(LLV_ERROR, LOCATION, NULL, 1555 "failed to get buffer to send.\n"); 1556 goto end; 1557 } 1558 1559 /* create isakmp header */ 1560 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 1561 if (p == NULL) 1562 goto end; 1563 1564 /* add HASH(4) payload */ 1565 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N); 1566 1567 /* add notify payload */ 1568 memcpy(p, notify->v, notify->l); 1569 1570 #ifdef HAVE_PRINT_ISAKMP_C 1571 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 1572 #endif 1573 1574 /* encoding */ 1575 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 1576 if (iph2->sendbuf == NULL) 1577 goto end; 1578 1579 /* send the packet */ 1580 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) 1581 goto end; 1582 1583 /* the sending message is added to the received-list. */ 1584 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) { 1585 plog(LLV_ERROR , LOCATION, NULL, 1586 "failed to add a response packet to the tree.\n"); 1587 goto end; 1588 } 1589 1590 iph2->status = PHASE2ST_COMMIT; 1591 1592 error = 0; 1593 1594 end: 1595 if (buf != NULL) 1596 vfree(buf); 1597 if (myhash != NULL) 1598 vfree(myhash); 1599 if (notify != NULL) 1600 vfree(notify); 1601 1602 return error; 1603 } 1604 1605 int 1606 tunnel_mode_prop(p) 1607 struct saprop *p; 1608 { 1609 struct saproto *pr; 1610 1611 for (pr = p->head; pr; pr = pr->next) 1612 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) 1613 return 1; 1614 return 0; 1615 } 1616 1617 /* 1618 * set SA to kernel. 1619 */ 1620 int 1621 quick_r3prep(iph2, msg0) 1622 struct ph2handle *iph2; 1623 vchar_t *msg0; 1624 { 1625 int error = ISAKMP_INTERNAL_ERROR; 1626 1627 /* validity check */ 1628 if (iph2->status != PHASE2ST_STATUS6) { 1629 plog(LLV_ERROR, LOCATION, NULL, 1630 "status mismatched %d.\n", iph2->status); 1631 goto end; 1632 } 1633 1634 /* compute both of KEYMATs */ 1635 if (oakley_compute_keymat(iph2, RESPONDER) < 0) 1636 goto end; 1637 1638 iph2->status = PHASE2ST_ADDSA; 1639 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ 1640 1641 /* don't anything if local test mode. */ 1642 if (f_local) { 1643 error = 0; 1644 goto end; 1645 } 1646 1647 /* Do UPDATE as responder */ 1648 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 1649 if (pk_sendupdate(iph2) < 0) { 1650 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 1651 goto end; 1652 } 1653 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 1654 1655 /* Do ADD for responder */ 1656 if (pk_sendadd(iph2) < 0) { 1657 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 1658 goto end; 1659 } 1660 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 1661 1662 /* 1663 * set policies into SPD if the policy is generated 1664 * from peer's policy. 1665 */ 1666 if (iph2->spidx_gen) { 1667 1668 struct policyindex *spidx; 1669 struct sockaddr_storage addr; 1670 u_int8_t pref; 1671 struct sockaddr *src = iph2->src; 1672 struct sockaddr *dst = iph2->dst; 1673 1674 /* make inbound policy */ 1675 iph2->src = dst; 1676 iph2->dst = src; 1677 if (pk_sendspdupdate2(iph2) < 0) { 1678 plog(LLV_ERROR, LOCATION, NULL, 1679 "pfkey spdupdate2(inbound) failed.\n"); 1680 goto end; 1681 } 1682 plog(LLV_DEBUG, LOCATION, NULL, 1683 "pfkey spdupdate2(inbound) sent.\n"); 1684 1685 spidx = (struct policyindex *)iph2->spidx_gen; 1686 #ifdef HAVE_POLICY_FWD 1687 /* make forward policy if required */ 1688 if (tunnel_mode_prop(iph2->approval)) { 1689 spidx->dir = IPSEC_DIR_FWD; 1690 if (pk_sendspdupdate2(iph2) < 0) { 1691 plog(LLV_ERROR, LOCATION, NULL, 1692 "pfkey spdupdate2(forward) failed.\n"); 1693 goto end; 1694 } 1695 plog(LLV_DEBUG, LOCATION, NULL, 1696 "pfkey spdupdate2(forward) sent.\n"); 1697 } 1698 #endif 1699 1700 /* make outbound policy */ 1701 iph2->src = src; 1702 iph2->dst = dst; 1703 spidx->dir = IPSEC_DIR_OUTBOUND; 1704 addr = spidx->src; 1705 spidx->src = spidx->dst; 1706 spidx->dst = addr; 1707 pref = spidx->prefs; 1708 spidx->prefs = spidx->prefd; 1709 spidx->prefd = pref; 1710 1711 if (pk_sendspdupdate2(iph2) < 0) { 1712 plog(LLV_ERROR, LOCATION, NULL, 1713 "pfkey spdupdate2(outbound) failed.\n"); 1714 goto end; 1715 } 1716 plog(LLV_DEBUG, LOCATION, NULL, 1717 "pfkey spdupdate2(outbound) sent.\n"); 1718 1719 /* spidx_gen is unnecessary any more */ 1720 delsp_bothdir((struct policyindex *)iph2->spidx_gen); 1721 racoon_free(iph2->spidx_gen); 1722 iph2->spidx_gen = NULL; 1723 iph2->generated_spidx=1; 1724 } 1725 1726 error = 0; 1727 1728 end: 1729 return error; 1730 } 1731 1732 /* 1733 * create HASH, body (SA, NONCE) payload with isakmp header. 1734 */ 1735 static vchar_t * 1736 quick_ir1mx(iph2, body, hash) 1737 struct ph2handle *iph2; 1738 vchar_t *body, *hash; 1739 { 1740 struct isakmp *isakmp; 1741 vchar_t *buf = NULL, *new = NULL; 1742 char *p; 1743 int tlen; 1744 struct isakmp_gen *gen; 1745 int error = ISAKMP_INTERNAL_ERROR; 1746 1747 /* create buffer for isakmp payload */ 1748 tlen = sizeof(*isakmp) 1749 + sizeof(*gen) + hash->l 1750 + body->l; 1751 buf = vmalloc(tlen); 1752 if (buf == NULL) { 1753 plog(LLV_ERROR, LOCATION, NULL, 1754 "failed to get buffer to send.\n"); 1755 goto end; 1756 } 1757 1758 /* re-set encryption flag, for serurity. */ 1759 iph2->flags |= ISAKMP_FLAG_E; 1760 1761 /* set isakmp header */ 1762 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 1763 if (p == NULL) 1764 goto end; 1765 1766 /* add HASH payload */ 1767 /* XXX is next type always SA ? */ 1768 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA); 1769 1770 /* add body payload */ 1771 memcpy(p, body->v, body->l); 1772 1773 #ifdef HAVE_PRINT_ISAKMP_C 1774 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 1775 #endif 1776 1777 /* encoding */ 1778 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 1779 1780 if (new == NULL) 1781 goto end; 1782 1783 vfree(buf); 1784 1785 buf = new; 1786 1787 error = 0; 1788 1789 end: 1790 if (error && buf != NULL) { 1791 vfree(buf); 1792 buf = NULL; 1793 } 1794 1795 return buf; 1796 } 1797 1798 /* 1799 * get remote's sainfo. 1800 * NOTE: this function is for responder. 1801 */ 1802 static int 1803 get_sainfo_r(iph2) 1804 struct ph2handle *iph2; 1805 { 1806 vchar_t *idsrc = NULL, *iddst = NULL; 1807 int prefixlen; 1808 int error = ISAKMP_INTERNAL_ERROR; 1809 int remoteid = 0; 1810 1811 if (iph2->id == NULL) { 1812 switch (iph2->src->sa_family) { 1813 case AF_INET: 1814 prefixlen = sizeof(struct in_addr) << 3; 1815 break; 1816 case AF_INET6: 1817 prefixlen = sizeof(struct in6_addr) << 3; 1818 break; 1819 default: 1820 plog(LLV_ERROR, LOCATION, NULL, 1821 "invalid family: %d\n", iph2->src->sa_family); 1822 goto end; 1823 } 1824 idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen, 1825 IPSEC_ULPROTO_ANY); 1826 } else { 1827 idsrc = vdup(iph2->id); 1828 } 1829 if (idsrc == NULL) { 1830 plog(LLV_ERROR, LOCATION, NULL, 1831 "failed to set ID for source.\n"); 1832 goto end; 1833 } 1834 1835 if (iph2->id_p == NULL) { 1836 switch (iph2->dst->sa_family) { 1837 case AF_INET: 1838 prefixlen = sizeof(struct in_addr) << 3; 1839 break; 1840 case AF_INET6: 1841 prefixlen = sizeof(struct in6_addr) << 3; 1842 break; 1843 default: 1844 plog(LLV_ERROR, LOCATION, NULL, 1845 "invalid family: %d\n", iph2->dst->sa_family); 1846 goto end; 1847 } 1848 iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen, 1849 IPSEC_ULPROTO_ANY); 1850 } else { 1851 iddst = vdup(iph2->id_p); 1852 } 1853 if (iddst == NULL) { 1854 plog(LLV_ERROR, LOCATION, NULL, 1855 "failed to set ID for destination.\n"); 1856 goto end; 1857 } 1858 1859 { 1860 struct remoteconf *conf; 1861 conf = getrmconf(iph2->dst); 1862 if (conf != NULL) 1863 remoteid=conf->ph1id; 1864 else{ 1865 plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n"); 1866 remoteid=0; 1867 } 1868 1869 } 1870 1871 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, remoteid); 1872 if (iph2->sainfo == NULL) { 1873 plog(LLV_ERROR, LOCATION, NULL, 1874 "failed to get sainfo.\n"); 1875 goto end; 1876 } 1877 1878 #ifdef ENABLE_HYBRID 1879 /* xauth group inclusion check */ 1880 if (iph2->sainfo->group != NULL) 1881 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1)) 1882 goto end; 1883 #endif 1884 1885 plog(LLV_DEBUG, LOCATION, NULL, 1886 "selected sainfo: %s\n", sainfo2str(iph2->sainfo)); 1887 1888 error = 0; 1889 end: 1890 if (idsrc) 1891 vfree(idsrc); 1892 if (iddst) 1893 vfree(iddst); 1894 1895 return error; 1896 } 1897 1898 /* 1899 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types 1900 * are IP address and same address family. 1901 * Then get remote's policy from SPD copied from kernel. 1902 * If the type of ID payload is address or subnet type, then the index is 1903 * made from the payload. If there is no ID payload, or the type of ID 1904 * payload is NOT address type, then the index is made from the address 1905 * pair of phase 1. 1906 * NOTE: This function is only for responder. 1907 */ 1908 static int 1909 get_proposal_r(iph2) 1910 struct ph2handle *iph2; 1911 { 1912 struct policyindex spidx; 1913 struct secpolicy *sp_in, *sp_out; 1914 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */ 1915 int error = ISAKMP_INTERNAL_ERROR; 1916 1917 /* check the existence of ID payload */ 1918 if ((iph2->id_p != NULL && iph2->id == NULL) 1919 || (iph2->id_p == NULL && iph2->id != NULL)) { 1920 plog(LLV_ERROR, LOCATION, NULL, 1921 "Both IDs wasn't found in payload.\n"); 1922 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1923 } 1924 1925 /* make sure if id[src,dst] is null. */ 1926 if (iph2->src_id || iph2->dst_id) { 1927 plog(LLV_ERROR, LOCATION, NULL, 1928 "Why do ID[src,dst] exist already.\n"); 1929 return ISAKMP_INTERNAL_ERROR; 1930 } 1931 1932 memset(&spidx, 0, sizeof(spidx)); 1933 1934 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type 1935 1936 /* make a spidx; a key to search SPD */ 1937 spidx.dir = IPSEC_DIR_INBOUND; 1938 spidx.ul_proto = 0; 1939 1940 /* 1941 * make destination address in spidx from either ID payload 1942 * or phase 1 address into a address in spidx. 1943 */ 1944 if (iph2->id != NULL 1945 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 1946 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR 1947 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET 1948 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 1949 /* get a destination address of a policy */ 1950 error = ipsecdoi_id2sockaddr(iph2->id, 1951 (struct sockaddr *)&spidx.dst, 1952 &spidx.prefd, &spidx.ul_proto); 1953 if (error) 1954 return error; 1955 1956 #ifdef INET6 1957 /* 1958 * get scopeid from the SA address. 1959 * note that the phase 1 source address is used as 1960 * a destination address to search for a inbound policy entry 1961 * because rcoon is responder. 1962 */ 1963 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { 1964 error = setscopeid((struct sockaddr *)&spidx.dst, 1965 iph2->src); 1966 if (error) 1967 return error; 1968 } 1969 #endif 1970 1971 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 1972 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) 1973 idi2type = _XIDT(iph2->id); 1974 1975 } else { 1976 1977 plog(LLV_DEBUG, LOCATION, NULL, 1978 "get a destination address of SP index " 1979 "from phase1 address " 1980 "due to no ID payloads found " 1981 "OR because ID type is not address.\n"); 1982 1983 /* 1984 * copy the SOURCE address of IKE into the DESTINATION address 1985 * of the key to search the SPD because the direction of policy 1986 * is inbound. 1987 */ 1988 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); 1989 switch (spidx.dst.ss_family) { 1990 case AF_INET: 1991 spidx.prefd = sizeof(struct in_addr) << 3; 1992 break; 1993 #ifdef INET6 1994 case AF_INET6: 1995 spidx.prefd = sizeof(struct in6_addr) << 3; 1996 break; 1997 #endif 1998 default: 1999 spidx.prefd = 0; 2000 break; 2001 } 2002 } 2003 2004 /* make source address in spidx */ 2005 if (iph2->id_p != NULL 2006 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR 2007 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR 2008 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET 2009 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 2010 /* get a source address of inbound SA */ 2011 error = ipsecdoi_id2sockaddr(iph2->id_p, 2012 (struct sockaddr *)&spidx.src, 2013 &spidx.prefs, &spidx.ul_proto); 2014 if (error) 2015 return error; 2016 2017 #ifdef INET6 2018 /* 2019 * get scopeid from the SA address. 2020 * for more detail, see above of this function. 2021 */ 2022 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { 2023 error = setscopeid((struct sockaddr *)&spidx.src, 2024 iph2->dst); 2025 if (error) 2026 return error; 2027 } 2028 #endif 2029 2030 /* make id[src,dst] if both ID types are IP address and same */ 2031 if (_XIDT(iph2->id_p) == idi2type 2032 && spidx.dst.ss_family == spidx.src.ss_family) { 2033 iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst); 2034 if (iph2->src_id == NULL) { 2035 plog(LLV_ERROR, LOCATION, NULL, 2036 "buffer allocation failed.\n"); 2037 return ISAKMP_INTERNAL_ERROR; 2038 } 2039 iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src); 2040 if (iph2->dst_id == NULL) { 2041 plog(LLV_ERROR, LOCATION, NULL, 2042 "buffer allocation failed.\n"); 2043 return ISAKMP_INTERNAL_ERROR; 2044 } 2045 } 2046 2047 } else { 2048 plog(LLV_DEBUG, LOCATION, NULL, 2049 "get a source address of SP index " 2050 "from phase1 address " 2051 "due to no ID payloads found " 2052 "OR because ID type is not address.\n"); 2053 2054 /* see above comment. */ 2055 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); 2056 switch (spidx.src.ss_family) { 2057 case AF_INET: 2058 spidx.prefs = sizeof(struct in_addr) << 3; 2059 break; 2060 #ifdef INET6 2061 case AF_INET6: 2062 spidx.prefs = sizeof(struct in6_addr) << 3; 2063 break; 2064 #endif 2065 default: 2066 spidx.prefs = 0; 2067 break; 2068 } 2069 } 2070 2071 #undef _XIDT 2072 2073 plog(LLV_DEBUG, LOCATION, NULL, 2074 "get a src address from ID payload " 2075 "%s prefixlen=%u ul_proto=%u\n", 2076 saddr2str((struct sockaddr *)&spidx.src), 2077 spidx.prefs, spidx.ul_proto); 2078 plog(LLV_DEBUG, LOCATION, NULL, 2079 "get dst address from ID payload " 2080 "%s prefixlen=%u ul_proto=%u\n", 2081 saddr2str((struct sockaddr *)&spidx.dst), 2082 spidx.prefd, spidx.ul_proto); 2083 2084 /* 2085 * convert the ul_proto if it is 0 2086 * because 0 in ID payload means a wild card. 2087 */ 2088 if (spidx.ul_proto == 0) 2089 spidx.ul_proto = IPSEC_ULPROTO_ANY; 2090 2091 #ifdef HAVE_SECCTX 2092 /* 2093 * Need to use security context in spidx to ensure the correct 2094 * policy is selected. The only way to get the security context 2095 * is to look into the proposal sent by peer ahead of time. 2096 */ 2097 if (get_security_context(iph2->sa, &spidx)) { 2098 plog(LLV_ERROR, LOCATION, NULL, 2099 "error occurred trying to get security context.\n"); 2100 return ISAKMP_INTERNAL_ERROR; 2101 } 2102 #endif /* HAVE_SECCTX */ 2103 2104 /* get inbound policy */ 2105 sp_in = getsp_r(&spidx); 2106 if (sp_in == NULL) { 2107 if (iph2->ph1->rmconf->gen_policy) { 2108 plog(LLV_INFO, LOCATION, NULL, 2109 "no policy found, " 2110 "try to generate the policy : %s\n", 2111 spidx2str(&spidx)); 2112 iph2->spidx_gen = racoon_malloc(sizeof(spidx)); 2113 if (!iph2->spidx_gen) { 2114 plog(LLV_ERROR, LOCATION, NULL, 2115 "buffer allocation failed.\n"); 2116 return ISAKMP_INTERNAL_ERROR; 2117 } 2118 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); 2119 return -2; /* special value */ 2120 } 2121 plog(LLV_ERROR, LOCATION, NULL, 2122 "no policy found: %s\n", spidx2str(&spidx)); 2123 return ISAKMP_INTERNAL_ERROR; 2124 } 2125 /* Refresh existing generated policies 2126 */ 2127 if (iph2->ph1->rmconf->gen_policy) { 2128 plog(LLV_INFO, LOCATION, NULL, 2129 "Update the generated policy : %s\n", 2130 spidx2str(&spidx)); 2131 iph2->spidx_gen = racoon_malloc(sizeof(spidx)); 2132 if (!iph2->spidx_gen) { 2133 plog(LLV_ERROR, LOCATION, NULL, 2134 "buffer allocation failed.\n"); 2135 return ISAKMP_INTERNAL_ERROR; 2136 } 2137 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); 2138 } 2139 2140 /* get outbound policy */ 2141 { 2142 struct sockaddr_storage addr; 2143 u_int8_t pref; 2144 2145 spidx.dir = IPSEC_DIR_OUTBOUND; 2146 addr = spidx.src; 2147 spidx.src = spidx.dst; 2148 spidx.dst = addr; 2149 pref = spidx.prefs; 2150 spidx.prefs = spidx.prefd; 2151 spidx.prefd = pref; 2152 2153 sp_out = getsp_r(&spidx); 2154 if (!sp_out) { 2155 plog(LLV_WARNING, LOCATION, NULL, 2156 "no outbound policy found: %s\n", 2157 spidx2str(&spidx)); 2158 } 2159 } 2160 2161 plog(LLV_DEBUG, LOCATION, NULL, 2162 "suitable SP found:%s\n", spidx2str(&spidx)); 2163 2164 /* 2165 * In the responder side, the inbound policy should be using IPsec. 2166 * outbound policy is not checked currently. 2167 */ 2168 if (sp_in->policy != IPSEC_POLICY_IPSEC) { 2169 plog(LLV_ERROR, LOCATION, NULL, 2170 "policy found, but no IPsec required: %s\n", 2171 spidx2str(&spidx)); 2172 return ISAKMP_INTERNAL_ERROR; 2173 } 2174 2175 /* set new proposal derived from a policy into the iph2->proposal. */ 2176 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) { 2177 plog(LLV_ERROR, LOCATION, NULL, 2178 "failed to create saprop.\n"); 2179 return ISAKMP_INTERNAL_ERROR; 2180 } 2181 2182 #ifdef HAVE_SECCTX 2183 if (spidx.sec_ctx.ctx_str) { 2184 set_secctx_in_proposal(iph2, spidx); 2185 } 2186 #endif /* HAVE_SECCTX */ 2187 2188 return 0; 2189 } 2190 2191
