![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to isakmp.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon|
Return to isakmp.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon |
1.1 misho 1: /* $NetBSD: isakmp.c,v 1.71 2011/03/15 13:20:14 vanhu Exp $ */
2:
3: /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
4:
5: /*
6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7: * All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: * 3. Neither the name of the project nor the names of its contributors
18: * may be used to endorse or promote products derived from this software
19: * without specific prior written permission.
20: *
21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31: * SUCH DAMAGE.
32: */
33:
34: #include "config.h"
35:
36: #include <sys/types.h>
37: #include <sys/param.h>
38: #include <sys/socket.h>
39: #include <sys/queue.h>
40:
41: #include <netinet/in.h>
42: #include <arpa/inet.h>
43:
44: #include PATH_IPSEC_H
45:
46: #include <stdlib.h>
47: #include <stdio.h>
48: #include <string.h>
49: #include <errno.h>
50: #if TIME_WITH_SYS_TIME
51: # include <sys/time.h>
52: # include <time.h>
53: #else
54: # if HAVE_SYS_TIME_H
55: # include <sys/time.h>
56: # else
57: # include <time.h>
58: # endif
59: #endif
60: #include <netdb.h>
61: #ifdef HAVE_UNISTD_H
62: #include <unistd.h>
63: #endif
64: #include <ctype.h>
65: #ifdef ENABLE_HYBRID
66: #include <resolv.h>
67: #endif
68:
69: #include "var.h"
70: #include "misc.h"
71: #include "vmbuf.h"
72: #include "plog.h"
73: #include "sockmisc.h"
74: #include "schedule.h"
75: #include "session.h"
76: #include "debug.h"
77:
78: #include "remoteconf.h"
79: #include "localconf.h"
80: #include "grabmyaddr.h"
81: #include "admin.h"
82: #include "privsep.h"
83: #include "isakmp_var.h"
84: #include "isakmp.h"
85: #include "oakley.h"
86: #include "evt.h"
87: #include "handler.h"
88: #include "ipsec_doi.h"
89: #include "pfkey.h"
90: #include "crypto_openssl.h"
91: #include "policy.h"
92: #include "algorithm.h"
93: #include "proposal.h"
94: #include "sainfo.h"
95: #include "isakmp_ident.h"
96: #include "isakmp_agg.h"
97: #include "isakmp_base.h"
98: #include "isakmp_quick.h"
99: #include "isakmp_inf.h"
100: #include "isakmp_newg.h"
101: #ifdef ENABLE_HYBRID
102: #include "vendorid.h"
103: #include "isakmp_xauth.h"
104: #include "isakmp_unity.h"
105: #include "isakmp_cfg.h"
106: #endif
107: #ifdef ENABLE_FRAG
108: #include "isakmp_frag.h"
109: #endif
110: #include "strnames.h"
111:
112: #include <fcntl.h>
113:
114: #ifdef ENABLE_NATT
115: # include "nattraversal.h"
116: #endif
117: # ifdef __linux__
118: # include <linux/udp.h>
119: # include <linux/ip.h>
120: # ifndef SOL_UDP
121: # define SOL_UDP 17
122: # endif
123: # endif /* __linux__ */
124: # if defined(__NetBSD__) || defined(__FreeBSD__) || \
125: (defined(__APPLE__) && defined(__MACH__))
126: # include <netinet/in.h>
127: # include <netinet/udp.h>
128: # include <netinet/in_systm.h>
129: # include <netinet/ip.h>
130: # define SOL_UDP IPPROTO_UDP
131: # endif /* __NetBSD__ / __FreeBSD__ */
132:
133: static int nostate1 __P((struct ph1handle *, vchar_t *));
134: static int nostate2 __P((struct ph2handle *, vchar_t *));
135:
136: extern caddr_t val2str(const char *, size_t);
137:
138: static int (*ph1exchange[][2][PHASE1ST_MAX])
139: __P((struct ph1handle *, vchar_t *)) = {
140: /* error */
141: { { 0 }, { 0 }, },
142: /* Identity Protection exchange */
143: {
144: { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
145: ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, nostate1,},
146: { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
147: ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, nostate1, },
148: },
149: /* Aggressive exchange */
150: {
151: { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
152: nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
153: { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
154: nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
155: },
156: /* Base exchange */
157: {
158: { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
159: base_i3recv, base_i3send, nostate1, nostate1, nostate1, nostate1, },
160: { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
161: nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
162: },
163: };
164:
165: static int (*ph2exchange[][2][PHASE2ST_MAX])
166: __P((struct ph2handle *, vchar_t *)) = {
167: /* error */
168: { { 0 }, { 0 }, },
169: /* Quick mode for IKE */
170: {
171: { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
172: quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
173: { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
174: quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
175: },
176: };
177:
178: static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
179:
180: static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
181: static int ph1_main __P((struct ph1handle *, vchar_t *));
182: static int quick_main __P((struct ph2handle *, vchar_t *));
183: static int isakmp_ph1begin_r __P((vchar_t *,
184: struct sockaddr *, struct sockaddr *, u_int8_t));
185: static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
186: static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
187: static int etypesw1 __P((int));
188: static int etypesw2 __P((int));
189: static int isakmp_ph1resend __P((struct ph1handle *));
190: static int isakmp_ph2resend __P((struct ph2handle *));
191:
192: #ifdef ENABLE_FRAG
193: static int frag_handler(struct ph1handle *,
194: vchar_t *, struct sockaddr *, struct sockaddr *);
195: #endif
196:
197: /*
198: * isakmp packet handler
199: */
200: static int
201: isakmp_handler(ctx, so_isakmp)
202: void *ctx;
203: int so_isakmp;
204: {
205: struct isakmp isakmp;
206: union {
207: char buf[sizeof (isakmp) + 4];
208: u_int32_t non_esp[2];
209: struct {
210: struct udphdr udp;
211: #ifdef __linux
212: struct iphdr ip;
213: #else
214: struct ip ip;
215: #endif
216: char buf[sizeof(isakmp) + 4];
217: } lbuf;
218: } x;
219: struct sockaddr_storage remote;
220: struct sockaddr_storage local;
221: unsigned int remote_len = sizeof(remote);
222: unsigned int local_len = sizeof(local);
223: int len = 0, extralen = 0;
224: vchar_t *buf = NULL, *tmpbuf = NULL;
225: int error = -1, res;
226:
227: /* read message by MSG_PEEK */
228: while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
229: MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
230: (struct sockaddr *)&local, &local_len)) < 0) {
231: if (errno == EINTR)
232: continue;
233: plog(LLV_ERROR, LOCATION, NULL,
234: "failed to receive isakmp packet: %s\n",
235: strerror (errno));
236: goto end;
237: }
238:
239: /* keep-alive packet - ignore */
240: if (len == 1 && (x.buf[0]&0xff) == 0xff) {
241: /* Pull the keep-alive packet */
242: if ((len = recvfrom(so_isakmp, (char *)x.buf, 1,
243: 0, (struct sockaddr *)&remote, &remote_len)) != 1) {
244: plog(LLV_ERROR, LOCATION, NULL,
245: "failed to receive keep alive packet: %s\n",
246: strerror (errno));
247: }
248: goto end;
249: }
250:
251: /* Lucent IKE in UDP encapsulation */
252: {
253: #ifdef __linux__
254: if (ntohs(x.lbuf.udp.dest) == 501) {
255: extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ihl;
256: }
257: #else
258: if (ntohs(x.lbuf.udp.uh_dport) == 501) {
259: extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
260: }
261: #endif
262: }
263:
264: #ifdef ENABLE_NATT
265: /* we don't know about portchange yet,
266: look for non-esp marker instead */
267: if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
268: extralen = NON_ESP_MARKER_LEN;
269: #endif
270:
271: /* now we know if there is an extra non-esp
272: marker at the beginning or not */
273: memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
274:
275: /* check isakmp header length, as well as sanity of header length */
276: if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
277: plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
278: "packet shorter than isakmp header size (%u, %u, %zu)\n",
279: len, ntohl(isakmp.len), sizeof(isakmp));
280: /* dummy receive */
281: if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
282: 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
283: plog(LLV_ERROR, LOCATION, NULL,
284: "failed to receive isakmp packet: %s\n",
285: strerror (errno));
286: }
287: goto end;
288: }
289:
290: /* reject it if the size is tooooo big. */
291: if (ntohl(isakmp.len) > 0xffff) {
292: plog(LLV_ERROR, LOCATION, NULL,
293: "the length in the isakmp header is too big.\n");
294: if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
295: 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
296: plog(LLV_ERROR, LOCATION, NULL,
297: "failed to receive isakmp packet: %s\n",
298: strerror (errno));
299: }
300: goto end;
301: }
302:
303: /* read real message */
304: if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) {
305: plog(LLV_ERROR, LOCATION, NULL,
306: "failed to allocate reading buffer (%u Bytes)\n",
307: ntohl(isakmp.len) + extralen);
308: /* dummy receive */
309: if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
310: 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
311: plog(LLV_ERROR, LOCATION, NULL,
312: "failed to receive isakmp packet: %s\n",
313: strerror (errno));
314: }
315: goto end;
316: }
317:
318: while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
319: 0, (struct sockaddr *)&remote, &remote_len,
320: (struct sockaddr *)&local, &local_len)) < 0) {
321: if (errno == EINTR)
322: continue;
323: plog(LLV_ERROR, LOCATION, NULL,
324: "failed to receive isakmp packet: %s\n",
325: strerror (errno));
326: goto end;
327: }
328:
329: if ((buf = vmalloc(len - extralen)) == NULL) {
330: plog(LLV_ERROR, LOCATION, NULL,
331: "failed to allocate reading buffer (%u Bytes)\n",
332: (len - extralen));
333: goto end;
334: }
335:
336: memcpy (buf->v, tmpbuf->v + extralen, buf->l);
337:
338: len -= extralen;
339:
340: if (len != buf->l) {
341: plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
342: "received invalid length (%d != %zu), why ?\n",
343: len, buf->l);
344: goto end;
345: }
346:
347: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
348: plog(LLV_DEBUG, LOCATION, NULL,
349: "%d bytes message received %s\n",
350: len, saddr2str_fromto("from %s to %s",
351: (struct sockaddr *)&remote,
352: (struct sockaddr *)&local));
353: plogdump(LLV_DEBUG, buf->v, buf->l);
354:
355: /* avoid packets with malicious port/address */
356: if (extract_port((struct sockaddr *)&remote) == 0) {
357: plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
358: "src port == 0 (valid as UDP but not with IKE)\n");
359: goto end;
360: }
361:
362: /* XXX: check sender whether to be allowed or not to accept */
363:
364: /* XXX: I don't know how to check isakmp half connection attack. */
365:
366: /* simply reply if the packet was processed. */
367: res=check_recvdpkt((struct sockaddr *)&remote,(struct sockaddr *)&local, buf);
368: if (res) {
369: plog(LLV_NOTIFY, LOCATION, NULL,
370: "the packet is retransmitted by %s (%d).\n",
371: saddr2str((struct sockaddr *)&remote), res);
372: error = 0;
373: goto end;
374: }
375:
376: /* isakmp main routine */
377: if (isakmp_main(buf, (struct sockaddr *)&remote,
378: (struct sockaddr *)&local) != 0) goto end;
379:
380: error = 0;
381:
382: end:
383: if (tmpbuf != NULL)
384: vfree(tmpbuf);
385: if (buf != NULL)
386: vfree(buf);
387: return error;
388: }
389:
390: /*
391: * main processing to handle isakmp payload
392: */
393: static int
394: isakmp_main(msg, remote, local)
395: vchar_t *msg;
396: struct sockaddr *remote, *local;
397: {
398: struct isakmp *isakmp = (struct isakmp *)msg->v;
399: isakmp_index *index = (isakmp_index *)isakmp;
400: u_int32_t msgid = isakmp->msgid;
401: struct ph1handle *iph1;
402:
403: #ifdef HAVE_PRINT_ISAKMP_C
404: isakmp_printpacket(msg, remote, local, 0);
405: #endif
406:
407: /* the initiator's cookie must not be zero */
408: if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
409: plog(LLV_ERROR, LOCATION, remote,
410: "malformed cookie received.\n");
411: return -1;
412: }
413:
414: /* Check the Major and Minor Version fields. */
415: /*
416: * XXX Is is right to check version here ?
417: * I think it may no be here because the version depends
418: * on exchange status.
419: */
420: if (isakmp->v < ISAKMP_VERSION_NUMBER) {
421: if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
422: plog(LLV_ERROR, LOCATION, remote,
423: "invalid major version %d.\n",
424: ISAKMP_GETMAJORV(isakmp->v));
425: return -1;
426: }
427: #if ISAKMP_MINOR_VERSION > 0
428: if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
429: plog(LLV_ERROR, LOCATION, remote,
430: "invalid minor version %d.\n",
431: ISAKMP_GETMINORV(isakmp->v));
432: return -1;
433: }
434: #endif
435: }
436:
437: /* check the Flags field. */
438: /* XXX How is the exclusive check, E and A ? */
439: if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
440: plog(LLV_ERROR, LOCATION, remote,
441: "invalid flag 0x%02x.\n", isakmp->flags);
442: return -1;
443: }
444:
445: /* ignore commit bit. */
446: if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
447: if (isakmp->msgid == 0) {
448: isakmp_info_send_nx(isakmp, remote, local,
449: ISAKMP_NTYPE_INVALID_FLAGS, NULL);
450: plog(LLV_ERROR, LOCATION, remote,
451: "Commit bit on phase1 forbidden.\n");
452: return -1;
453: }
454: }
455:
456: iph1 = getph1byindex(index);
457: if (iph1 != NULL) {
458: /* validity check */
459: if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
460: iph1->side == INITIATOR) {
461: plog(LLV_DEBUG, LOCATION, remote,
462: "malformed cookie received or "
463: "the initiator's cookies collide.\n");
464: return -1;
465: }
466:
467: #ifdef ENABLE_NATT
468: /* Floating ports for NAT-T */
469: if (NATT_AVAILABLE(iph1) &&
470: ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
471: ((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) ||
472: (cmpsaddr(iph1->local, local) != CMPSADDR_MATCH)))
473: {
474: /* prevent memory leak */
475: racoon_free(iph1->remote);
476: racoon_free(iph1->local);
477: iph1->remote = NULL;
478: iph1->local = NULL;
479:
480: /* copy-in new addresses */
481: iph1->remote = dupsaddr(remote);
482: if (iph1->remote == NULL) {
483: plog(LLV_ERROR, LOCATION, iph1->remote,
484: "phase1 failed: dupsaddr failed.\n");
485: remph1(iph1);
486: delph1(iph1);
487: return -1;
488: }
489: iph1->local = dupsaddr(local);
490: if (iph1->local == NULL) {
491: plog(LLV_ERROR, LOCATION, iph1->remote,
492: "phase1 failed: dupsaddr failed.\n");
493: remph1(iph1);
494: delph1(iph1);
495: return -1;
496: }
497:
498: /* set the flag to prevent further port floating
499: (FIXME: should we allow it? E.g. when the NAT gw
500: is rebooted?) */
501: iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
502:
503: /* print some neat info */
504: plog (LLV_INFO, LOCATION, NULL,
505: "NAT-T: ports changed to: %s\n",
506: saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
507:
508: natt_keepalive_add_ph1 (iph1);
509: }
510: #endif
511:
512: /* must be same addresses in one stream of a phase at least. */
513: if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
514: char *saddr_db, *saddr_act;
515:
516: saddr_db = racoon_strdup(saddr2str(iph1->remote));
517: saddr_act = racoon_strdup(saddr2str(remote));
518: STRDUP_FATAL(saddr_db);
519: STRDUP_FATAL(saddr_act);
520:
521: plog(LLV_WARNING, LOCATION, remote,
522: "remote address mismatched. db=%s, act=%s\n",
523: saddr_db, saddr_act);
524:
525: racoon_free(saddr_db);
526: racoon_free(saddr_act);
527: }
528:
529: /*
530: * don't check of exchange type here because other type will be
531: * with same index, for example, informational exchange.
532: */
533:
534: /* XXX more acceptable check */
535: }
536:
537: switch (isakmp->etype) {
538: case ISAKMP_ETYPE_IDENT:
539: case ISAKMP_ETYPE_AGG:
540: case ISAKMP_ETYPE_BASE:
541: /* phase 1 validity check */
542: if (isakmp->msgid != 0) {
543: plog(LLV_ERROR, LOCATION, remote,
544: "message id should be zero in phase1.\n");
545: return -1;
546: }
547:
548: /* search for isakmp status record of phase 1 */
549: if (iph1 == NULL) {
550: /*
551: * the packet must be the 1st message from a initiator
552: * or the 2nd message from the responder.
553: */
554:
555: /* search for phase1 handle by index without r_ck */
556: iph1 = getph1byindex0(index);
557: if (iph1 == NULL) {
558: /*it must be the 1st message from a initiator.*/
559: if (memcmp(&isakmp->r_ck, r_ck0,
560: sizeof(cookie_t)) != 0) {
561:
562: plog(LLV_DEBUG, LOCATION, remote,
563: "malformed cookie received "
564: "or the spi expired.\n");
565: return -1;
566: }
567:
568: /* it must be responder's 1st exchange. */
569: if (isakmp_ph1begin_r(msg, remote, local,
570: isakmp->etype) < 0)
571: return -1;
572: break;
573:
574: /*NOTREACHED*/
575: }
576:
577: /* it must be the 2nd message from the responder. */
578: if (iph1->side != INITIATOR) {
579: plog(LLV_DEBUG, LOCATION, remote,
580: "malformed cookie received. "
581: "it has to be as the initiator. %s\n",
582: isakmp_pindex(&iph1->index, 0));
583: return -1;
584: }
585: }
586:
587: /*
588: * Don't delete phase 1 handler when the exchange type
589: * in handler is not equal to packet's one because of no
590: * authencication completed.
591: */
592: if (iph1->etype != isakmp->etype) {
593: plog(LLV_ERROR, LOCATION, iph1->remote,
594: "exchange type is mismatched: "
595: "db=%s packet=%s, ignore it.\n",
596: s_isakmp_etype(iph1->etype),
597: s_isakmp_etype(isakmp->etype));
598: return -1;
599: }
600:
601: #ifdef ENABLE_FRAG
602: if (isakmp->np == ISAKMP_NPTYPE_FRAG)
603: return frag_handler(iph1, msg, remote, local);
604: #endif
605:
606: /* call main process of phase 1 */
607: if (ph1_main(iph1, msg) < 0) {
608: plog(LLV_ERROR, LOCATION, iph1->remote,
609: "phase1 negotiation failed.\n");
610: remph1(iph1);
611: delph1(iph1);
612: return -1;
613: }
614: break;
615:
616: case ISAKMP_ETYPE_AUTH:
617: plog(LLV_INFO, LOCATION, remote,
618: "unsupported exchange %d received.\n",
619: isakmp->etype);
620: break;
621:
622: case ISAKMP_ETYPE_INFO:
623: case ISAKMP_ETYPE_ACKINFO:
624: /*
625: * iph1 must be present for Information message.
626: * if iph1 is null then trying to get the phase1 status
627: * as the packet from responder againt initiator's 1st
628: * exchange in phase 1.
629: * NOTE: We think such informational exchange should be ignored.
630: */
631: if (iph1 == NULL) {
632: iph1 = getph1byindex0(index);
633: if (iph1 == NULL) {
634: plog(LLV_ERROR, LOCATION, remote,
635: "unknown Informational "
636: "exchange received.\n");
637: return -1;
638: }
639: if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
640: plog(LLV_WARNING, LOCATION, remote,
641: "remote address mismatched. "
642: "db=%s\n",
643: saddr2str(iph1->remote));
644: }
645: }
646:
647: #ifdef ENABLE_FRAG
648: if (isakmp->np == ISAKMP_NPTYPE_FRAG)
649: return frag_handler(iph1, msg, remote, local);
650: #endif
651:
652: if (isakmp_info_recv(iph1, msg) < 0)
653: return -1;
654: break;
655:
656: case ISAKMP_ETYPE_QUICK:
657: {
658: struct ph2handle *iph2;
659:
660: if (iph1 == NULL) {
661: isakmp_info_send_nx(isakmp, remote, local,
662: ISAKMP_NTYPE_INVALID_COOKIE, NULL);
663: plog(LLV_ERROR, LOCATION, remote,
664: "can't start the quick mode, "
665: "there is no ISAKMP-SA, %s\n",
666: isakmp_pindex((isakmp_index *)&isakmp->i_ck,
667: isakmp->msgid));
668: return -1;
669: }
670: #ifdef ENABLE_HYBRID
671: /* Reinit the IVM if it's still there */
672: if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
673: oakley_delivm(iph1->mode_cfg->ivm);
674: iph1->mode_cfg->ivm = NULL;
675: }
676: #endif
677: #ifdef ENABLE_FRAG
678: if (isakmp->np == ISAKMP_NPTYPE_FRAG)
679: return frag_handler(iph1, msg, remote, local);
680: #endif
681:
682: /* check status of phase 1 whether negotiated or not. */
683: if (iph1->status != PHASE1ST_ESTABLISHED &&
684: iph1->status != PHASE1ST_DYING) {
685: plog(LLV_ERROR, LOCATION, remote,
686: "can't start the quick mode, "
687: "there is no valid ISAKMP-SA, %s\n",
688: isakmp_pindex(&iph1->index, iph1->msgid));
689: return -1;
690: }
691:
692: /* search isakmp phase 2 stauts record. */
693: iph2 = getph2bymsgid(iph1, msgid);
694: if (iph2 == NULL) {
695: /* it must be new negotiation as responder */
696: if (isakmp_ph2begin_r(iph1, msg) < 0)
697: return -1;
698: return 0;
699: /*NOTREACHED*/
700: }
701:
702: /* commit bit. */
703: /* XXX
704: * we keep to set commit bit during negotiation.
705: * When SA is configured, bit will be reset.
706: * XXX
707: * don't initiate commit bit. should be fixed in the future.
708: */
709: if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
710: iph2->flags |= ISAKMP_FLAG_C;
711:
712: /* call main process of quick mode */
713: if (quick_main(iph2, msg) < 0) {
714: plog(LLV_ERROR, LOCATION, iph1->remote,
715: "phase2 negotiation failed.\n");
716: remph2(iph2);
717: delph2(iph2);
718: return -1;
719: }
720: }
721: break;
722:
723: case ISAKMP_ETYPE_NEWGRP:
724: if (iph1 == NULL) {
725: plog(LLV_ERROR, LOCATION, remote,
726: "Unknown new group mode exchange, "
727: "there is no ISAKMP-SA.\n");
728: return -1;
729: }
730:
731: #ifdef ENABLE_FRAG
732: if (isakmp->np == ISAKMP_NPTYPE_FRAG)
733: return frag_handler(iph1, msg, remote, local);
734: #endif
735:
736: isakmp_newgroup_r(iph1, msg);
737: break;
738:
739: #ifdef ENABLE_HYBRID
740: case ISAKMP_ETYPE_CFG:
741: if (iph1 == NULL) {
742: plog(LLV_ERROR, LOCATION, NULL,
743: "mode config %d from %s, "
744: "but we have no ISAKMP-SA.\n",
745: isakmp->etype, saddr2str(remote));
746: return -1;
747: }
748:
749: #ifdef ENABLE_FRAG
750: if (isakmp->np == ISAKMP_NPTYPE_FRAG)
751: return frag_handler(iph1, msg, remote, local);
752: #endif
753:
754: isakmp_cfg_r(iph1, msg);
755: break;
756: #endif
757:
758: case ISAKMP_ETYPE_NONE:
759: default:
760: plog(LLV_ERROR, LOCATION, NULL,
761: "Invalid exchange type %d from %s.\n",
762: isakmp->etype, saddr2str(remote));
763: return -1;
764: }
765:
766: return 0;
767: }
768:
769: /*
770: * main function of phase 1.
771: */
772: static int
773: ph1_main(iph1, msg)
774: struct ph1handle *iph1;
775: vchar_t *msg;
776: {
777: int error;
778: #ifdef ENABLE_STATS
779: struct timeval start, end;
780: #endif
781:
782: /* ignore a packet */
783: if (iph1->status >= PHASE1ST_ESTABLISHED)
784: return 0;
785:
786: #ifdef ENABLE_STATS
787: gettimeofday(&start, NULL);
788: #endif
789: /* receive */
790: if (ph1exchange[etypesw1(iph1->etype)]
791: [iph1->side]
792: [iph1->status] == NULL) {
793: plog(LLV_ERROR, LOCATION, iph1->remote,
794: "why isn't the function defined.\n");
795: return -1;
796: }
797: error = (ph1exchange[etypesw1(iph1->etype)]
798: [iph1->side]
799: [iph1->status])(iph1, msg);
800: if (error != 0) {
801:
802: /* XXX
803: * When an invalid packet is received on phase1, it should
804: * be selected to process this packet. That is to respond
805: * with a notify and delete phase 1 handler, OR not to respond
806: * and keep phase 1 handler. However, in PHASE1ST_START when
807: * acting as RESPONDER we must not keep phase 1 handler or else
808: * it will stay forever.
809: */
810:
811: if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
812: plog(LLV_ERROR, LOCATION, iph1->remote,
813: "failed to pre-process ph1 packet (side: %d, status %d).\n",
814: iph1->side, iph1->status);
815: return -1;
816: } else {
817: /* ignore the error and keep phase 1 handler */
818: return 0;
819: }
820: }
821:
822: #ifndef ENABLE_FRAG
823: /* free resend buffer */
824: if (iph1->sendbuf == NULL) {
825: plog(LLV_ERROR, LOCATION, NULL,
826: "no buffer found as sendbuf\n");
827: return -1;
828: }
829: #endif
830:
831: VPTRINIT(iph1->sendbuf);
832:
833: /* turn off schedule */
834: sched_cancel(&iph1->scr);
835:
836: /* send */
837: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
838: if ((ph1exchange[etypesw1(iph1->etype)]
839: [iph1->side]
840: [iph1->status])(iph1, msg) != 0) {
841: plog(LLV_ERROR, LOCATION, iph1->remote,
842: "failed to process ph1 packet (side: %d, status: %d).\n",
843: iph1->side, iph1->status);
844: return -1;
845: }
846:
847: #ifdef ENABLE_STATS
848: gettimeofday(&end, NULL);
849: syslog(LOG_NOTICE, "%s(%s): %8.6f",
850: "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
851: timedelta(&start, &end));
852: #endif
853: if (iph1->status == PHASE1ST_ESTABLISHED) {
854:
855: #ifdef ENABLE_STATS
856: gettimeofday(&iph1->end, NULL);
857: syslog(LOG_NOTICE, "%s(%s): %8.6f",
858: "phase1", s_isakmp_etype(iph1->etype),
859: timedelta(&iph1->start, &iph1->end));
860: #endif
861:
862: /* save created date. */
863: (void)time(&iph1->created);
864:
865: /* migrate ph2s from dying ph1s */
866: migrate_dying_ph12(iph1);
867:
868: /* add to the schedule to expire, and seve back pointer. */
869: if (ph1_rekey_enabled(iph1)) {
870: sched_schedule(&iph1->sce,
871: iph1->approval->lifetime *
872: PFKEY_SOFT_LIFETIME_RATE / 100,
873: isakmp_ph1dying_stub);
874: } else {
875: sched_schedule(&iph1->sce, iph1->approval->lifetime,
876: isakmp_ph1expire_stub);
877: }
878:
879: #ifdef ENABLE_HYBRID
880: if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
881: switch (iph1->approval->authmethod) {
882: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
883: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
884: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
885: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
886: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
887: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
888: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
889: xauth_sendreq(iph1);
890: /* XXX Don't process INITIAL_CONTACT */
891: iph1->rmconf->ini_contact = 0;
892: break;
893: default:
894: break;
895: }
896: }
897: #endif
898: #ifdef ENABLE_DPD
899: /* Schedule the r_u_there.... */
900: if(iph1->dpd_support && iph1->rmconf->dpd_interval)
901: isakmp_sched_r_u(iph1, 0);
902: #endif
903:
904: /* INITIAL-CONTACT processing */
905: /* don't anything if local test mode. */
906: if (!f_local
907: && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
908: /* send INITIAL-CONTACT */
909: isakmp_info_send_n1(iph1,
910: ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
911: /* insert a node into contacted list. */
912: if (inscontacted(iph1->remote) == -1) {
913: plog(LLV_ERROR, LOCATION, iph1->remote,
914: "failed to add contacted list.\n");
915: /* ignore */
916: }
917: }
918: if (iph1->initial_contact_received)
919: isakmp_info_recv_initialcontact(iph1, NULL);
920:
921: log_ph1established(iph1);
922: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
923:
924: /*
925: * SA up shell script hook: do it now,except if
926: * ISAKMP mode config was requested. In the later
927: * case it is done when we receive the configuration.
928: */
929: if ((iph1->status == PHASE1ST_ESTABLISHED) &&
930: !iph1->rmconf->mode_cfg) {
931: switch (iph1->approval->authmethod) {
932: #ifdef ENABLE_HYBRID
933: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
934: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
935: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
936: /* Unimplemeted... */
937: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
938: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
939: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
940: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
941: break;
942: #endif
943: default:
944: script_hook(iph1, SCRIPT_PHASE1_UP);
945: break;
946: }
947: }
948: }
949:
950: return 0;
951: }
952:
953: /*
954: * main function of quick mode.
955: */
956: static int
957: quick_main(iph2, msg)
958: struct ph2handle *iph2;
959: vchar_t *msg;
960: {
961: struct isakmp *isakmp = (struct isakmp *)msg->v;
962: int error;
963: #ifdef ENABLE_STATS
964: struct timeval start, end;
965: #endif
966:
967: /* ignore a packet */
968: if (iph2->status == PHASE2ST_ESTABLISHED
969: || iph2->status == PHASE2ST_GETSPISENT)
970: return 0;
971:
972: #ifdef ENABLE_STATS
973: gettimeofday(&start, NULL);
974: #endif
975:
976: /* receive */
977: if (ph2exchange[etypesw2(isakmp->etype)]
978: [iph2->side]
979: [iph2->status] == NULL) {
980: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
981: "why isn't the function defined.\n");
982: return -1;
983: }
984: error = (ph2exchange[etypesw2(isakmp->etype)]
985: [iph2->side]
986: [iph2->status])(iph2, msg);
987: if (error != 0) {
988: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
989: "failed to pre-process ph2 packet (side: %d, status %d).\n",
990: iph2->side, iph2->status);
991: if (error == ISAKMP_INTERNAL_ERROR)
992: return 0;
993: isakmp_info_send_n1(iph2->ph1, error, NULL);
994: return -1;
995: }
996:
997: /* when using commit bit, status will be reached here. */
998: if (iph2->status == PHASE2ST_ADDSA)
999: return 0;
1000:
1001: /* free resend buffer */
1002: if (iph2->sendbuf == NULL) {
1003: plog(LLV_ERROR, LOCATION, NULL,
1004: "no buffer found as sendbuf\n");
1005: return -1;
1006: }
1007: VPTRINIT(iph2->sendbuf);
1008:
1009: /* turn off schedule */
1010: sched_cancel(&iph2->scr);
1011:
1012: /* send */
1013: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1014: if ((ph2exchange[etypesw2(isakmp->etype)]
1015: [iph2->side]
1016: [iph2->status])(iph2, msg) != 0) {
1017: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1018: "failed to process ph2 packet (side: %d, status: %d).\n",
1019: iph2->side, iph2->status);
1020: return -1;
1021: }
1022:
1023: #ifdef ENABLE_STATS
1024: gettimeofday(&end, NULL);
1025: syslog(LOG_NOTICE, "%s(%s): %8.6f",
1026: "phase2",
1027: s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1028: timedelta(&start, &end));
1029: #endif
1030:
1031: return 0;
1032: }
1033:
1034: /* new negotiation of phase 1 for initiator */
1035: struct ph1handle *
1036: isakmp_ph1begin_i(rmconf, remote, local)
1037: struct remoteconf *rmconf;
1038: struct sockaddr *remote, *local;
1039: {
1040: struct ph1handle *iph1;
1041: #ifdef ENABLE_STATS
1042: struct timeval start, end;
1043: #endif
1044:
1045: /* get new entry to isakmp status table. */
1046: iph1 = newph1();
1047: if (iph1 == NULL)
1048: return NULL;
1049:
1050: iph1->status = PHASE1ST_START;
1051: iph1->rmconf = rmconf;
1052: iph1->side = INITIATOR;
1053: iph1->version = ISAKMP_VERSION_NUMBER;
1054: iph1->msgid = 0;
1055: iph1->flags = 0;
1056: iph1->ph2cnt = 0;
1057: #ifdef HAVE_GSSAPI
1058: iph1->gssapi_state = NULL;
1059: #endif
1060: #ifdef ENABLE_HYBRID
1061: if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1062: delph1(iph1);
1063: return NULL;
1064: }
1065: #endif
1066: #ifdef ENABLE_FRAG
1067:
1068: if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
1069: iph1->frag = 1;
1070: else
1071: iph1->frag = 0;
1072: iph1->frag_chain = NULL;
1073: #endif
1074: iph1->approval = NULL;
1075:
1076: /* XXX copy remote address */
1077: if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
1078: delph1(iph1);
1079: return NULL;
1080: }
1081:
1082: (void)insph1(iph1);
1083:
1084: /* start phase 1 exchange */
1085: iph1->etype = rmconf->etypes->type;
1086:
1087: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1088: {
1089: char *a;
1090:
1091: a = racoon_strdup(saddr2str(iph1->local));
1092: STRDUP_FATAL(a);
1093:
1094: plog(LLV_INFO, LOCATION, NULL,
1095: "initiate new phase 1 negotiation: %s<=>%s\n",
1096: a, saddr2str(iph1->remote));
1097: racoon_free(a);
1098: }
1099: plog(LLV_INFO, LOCATION, NULL,
1100: "begin %s mode.\n",
1101: s_isakmp_etype(iph1->etype));
1102:
1103: #ifdef ENABLE_STATS
1104: gettimeofday(&iph1->start, NULL);
1105: gettimeofday(&start, NULL);
1106: #endif
1107: /* start exchange */
1108: if ((ph1exchange[etypesw1(iph1->etype)]
1109: [iph1->side]
1110: [iph1->status])(iph1, NULL) != 0) {
1111: /* failed to start phase 1 negotiation */
1112: remph1(iph1);
1113: delph1(iph1);
1114:
1115: return NULL;
1116: }
1117:
1118: #ifdef ENABLE_STATS
1119: gettimeofday(&end, NULL);
1120: syslog(LOG_NOTICE, "%s(%s): %8.6f",
1121: "phase1",
1122: s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1123: timedelta(&start, &end));
1124: #endif
1125:
1126: return iph1;
1127: }
1128:
1129: /* new negotiation of phase 1 for responder */
1130: static int
1.1.1.1.2.1! misho 1131: isakmp_ph1begin_r(vchar_t *msg, struct sockaddr *remote, struct sockaddr *local, u_int8_t etype)
1.1 misho 1132: {
1133: struct isakmp *isakmp = (struct isakmp *)msg->v;
1134: struct ph1handle *iph1;
1135: struct rmconfselector rmsel;
1136: #ifdef ENABLE_STATS
1137: struct timeval start, end;
1138: #endif
1139:
1140: /* check if this etype is allowed */
1141: memset(&rmsel, 0, sizeof(rmsel));
1142: rmsel.remote = remote;
1143: if (enumrmconf(&rmsel, check_etypeok, (void *) (intptr_t) etype) == 0) {
1144: plog(LLV_ERROR, LOCATION, remote,
1145: "exchange %s not allowed in any applicable rmconf.\n",
1146: s_isakmp_etype(etype));
1147: return -1;
1148: }
1149:
1150: /* get new entry to isakmp status table. */
1151: iph1 = newph1();
1152: if (iph1 == NULL)
1153: return -1;
1154:
1155: memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1156: iph1->status = PHASE1ST_START;
1157: iph1->flags = 0;
1158: iph1->side = RESPONDER;
1159: iph1->etype = etype;
1160: iph1->version = isakmp->v;
1161: iph1->msgid = 0;
1162: #ifdef HAVE_GSSAPI
1163: iph1->gssapi_state = NULL;
1164: #endif
1165: #ifdef ENABLE_HYBRID
1166: if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1167: delph1(iph1);
1168: return -1;
1169: }
1170: #endif
1171: #ifdef ENABLE_FRAG
1172: iph1->frag = 0;
1173: iph1->frag_chain = NULL;
1174: #endif
1175: iph1->approval = NULL;
1176:
1177: #ifdef ENABLE_NATT
1178: /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
1179: * We have to setup this flag now to correctly generate the first reply.
1180: * Don't know if a better check could be done for that ?
1181: */
1182: if(extract_port(local) == lcconf->port_isakmp_natt)
1183: iph1->natt_flags |= (NAT_PORTS_CHANGED);
1184: #endif
1185:
1186: /* copy remote address; remote and local always contain
1187: * port numbers so rmconf is not needed */
1188: if (copy_ph1addresses(iph1, NULL, remote, local) < 0) {
1189: delph1(iph1);
1190: return -1;
1191: }
1192: (void)insph1(iph1);
1193:
1194: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1195: {
1196: char *a;
1197:
1198: a = racoon_strdup(saddr2str(iph1->local));
1199: STRDUP_FATAL(a);
1200:
1201: plog(LLV_INFO, LOCATION, NULL,
1202: "respond new phase 1 negotiation: %s<=>%s\n",
1203: a, saddr2str(iph1->remote));
1204: racoon_free(a);
1205: }
1206: plog(LLV_INFO, LOCATION, NULL,
1207: "begin %s mode.\n", s_isakmp_etype(etype));
1208:
1209: #ifdef ENABLE_STATS
1210: gettimeofday(&iph1->start, NULL);
1211: gettimeofday(&start, NULL);
1212: #endif
1213:
1214: #ifndef ENABLE_FRAG
1215:
1216: /* start exchange */
1217: if ((ph1exchange[etypesw1(iph1->etype)]
1218: [iph1->side]
1219: [iph1->status])(iph1, msg) < 0
1220: || (ph1exchange[etypesw1(iph1->etype)]
1221: [iph1->side]
1222: [iph1->status])(iph1, msg) < 0) {
1223: plog(LLV_ERROR, LOCATION, remote,
1224: "failed to process ph1 packet (side: %d, status: %d).\n",
1225: iph1->side, iph1->status);
1226: remph1(iph1);
1227: delph1(iph1);
1228: return -1;
1229: }
1230:
1231: #ifdef ENABLE_STATS
1232: gettimeofday(&end, NULL);
1233: syslog(LOG_NOTICE, "%s(%s): %8.6f",
1234: "phase1",
1235: s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1236: timedelta(&start, &end));
1237: #endif
1238:
1239: return 0;
1240:
1241: #else /* ENABLE_FRAG */
1242:
1243: /* now that we have a phase1 handle, feed back into our
1244: * main receive function to catch fragmented packets
1245: */
1246:
1247: return isakmp_main(msg, remote, local);
1248:
1249: #endif /* ENABLE_FRAG */
1250:
1251: }
1252:
1253: /* new negotiation of phase 2 for initiator */
1254: static int
1255: isakmp_ph2begin_i(iph1, iph2)
1256: struct ph1handle *iph1;
1257: struct ph2handle *iph2;
1258: {
1259: #ifdef ENABLE_HYBRID
1260: if (xauth_check(iph1) != 0) {
1261: plog(LLV_ERROR, LOCATION, NULL,
1262: "Attempt to start phase 2 whereas Xauth failed\n");
1263: return -1;
1264: }
1265: #endif
1266:
1267: /* fixup ph2 ports for this ph1 */
1268: if (extract_port(iph2->src) == 0)
1269: set_port(iph2->src, extract_port(iph1->local));
1270: if (extract_port(iph2->dst) == 0)
1271: set_port(iph2->dst, extract_port(iph1->remote));
1272:
1273: /* found ISAKMP-SA. */
1274: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1275: plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1276: {
1277: char *a;
1278: a = racoon_strdup(saddr2str(iph2->src));
1279: STRDUP_FATAL(a);
1280:
1281: plog(LLV_INFO, LOCATION, NULL,
1282: "initiate new phase 2 negotiation: %s<=>%s\n",
1283: a, saddr2str(iph2->dst));
1284: racoon_free(a);
1285: }
1286:
1287: #ifdef ENABLE_STATS
1288: gettimeofday(&iph2->start, NULL);
1289: #endif
1290: if (iph2->status != PHASE2ST_EXPIRED) /* Phase 1 is already bound (ongoing rekeying) */
1291: bindph12(iph1, iph2);
1292: iph2->status = PHASE2ST_STATUS2;
1293:
1294: if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1295: [iph2->side]
1296: [iph2->status])(iph2, NULL) < 0) {
1297: /* release ipsecsa handler due to internal error. */
1298: remph2(iph2);
1299: return -1;
1300: }
1301: return 0;
1302: }
1303:
1304: /* new negotiation of phase 2 for responder */
1305: static int
1306: isakmp_ph2begin_r(iph1, msg)
1307: struct ph1handle *iph1;
1308: vchar_t *msg;
1309: {
1310: struct isakmp *isakmp = (struct isakmp *)msg->v;
1311: struct ph2handle *iph2 = 0;
1312: int error;
1313: #ifdef ENABLE_STATS
1314: struct timeval start, end;
1315: #endif
1316: #ifdef ENABLE_HYBRID
1317: if (xauth_check(iph1) != 0) {
1318: plog(LLV_ERROR, LOCATION, NULL,
1319: "Attempt to start phase 2 whereas Xauth failed\n");
1320: return -1;
1321: }
1322: #endif
1323:
1324: iph2 = newph2();
1325: if (iph2 == NULL) {
1326: plog(LLV_ERROR, LOCATION, NULL,
1327: "failed to allocate phase2 entry.\n");
1328: return -1;
1329: }
1330:
1331: iph2->side = RESPONDER;
1332: iph2->status = PHASE2ST_START;
1333: iph2->flags = isakmp->flags;
1334: iph2->msgid = isakmp->msgid;
1335: iph2->seq = pk_getseq();
1336: iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1337: if (iph2->ivm == NULL) {
1338: delph2(iph2);
1339: return -1;
1340: }
1341: iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1342: if (iph2->dst == NULL) {
1343: delph2(iph2);
1344: return -1;
1345: }
1346: iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1347: if (iph2->src == NULL) {
1348: delph2(iph2);
1349: return -1;
1350: }
1351:
1352: /* add new entry to isakmp status table */
1353: insph2(iph2);
1354: bindph12(iph1, iph2);
1355:
1356: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1357: {
1358: char *a;
1359:
1360: a = racoon_strdup(saddr2str(iph2->src));
1361: STRDUP_FATAL(a);
1362:
1363: plog(LLV_INFO, LOCATION, NULL,
1364: "respond new phase 2 negotiation: %s<=>%s\n",
1365: a, saddr2str(iph2->dst));
1366: racoon_free(a);
1367: }
1368:
1369: #ifdef ENABLE_STATS
1370: gettimeofday(&start, NULL);
1371: #endif
1372:
1373: error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1374: [iph2->side]
1375: [iph2->status])(iph2, msg);
1376: if (error != 0) {
1377: plog(LLV_ERROR, LOCATION, iph1->remote,
1378: "failed to pre-process ph2 packet (side: %d, status: %d).\n",
1379: iph2->side, iph2->status);
1380: if (error != ISAKMP_INTERNAL_ERROR)
1381: isakmp_info_send_n1(iph2->ph1, error, NULL);
1382: /*
1383: * release handler because it's wrong that ph2handle is kept
1384: * after failed to check message for responder's.
1385: */
1386: remph2(iph2);
1387: delph2(iph2);
1388: return -1;
1389: }
1390:
1391: /* send */
1392: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1393: if ((ph2exchange[etypesw2(isakmp->etype)]
1394: [iph2->side]
1395: [iph2->status])(iph2, msg) < 0) {
1396: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1397: "failed to process ph2 packet (side: %d, status: %d).\n",
1398: iph2->side, iph2->status);
1399: /* don't release handler */
1400: return -1;
1401: }
1402: #ifdef ENABLE_STATS
1403: gettimeofday(&end, NULL);
1404: syslog(LOG_NOTICE, "%s(%s): %8.6f",
1405: "phase2",
1406: s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1407: timedelta(&start, &end));
1408: #endif
1409:
1410: return 0;
1411: }
1412:
1413: /*
1414: * parse ISAKMP payloads, without ISAKMP base header.
1415: */
1416: vchar_t *
1417: isakmp_parsewoh(np0, gen, len)
1418: int np0;
1419: struct isakmp_gen *gen;
1420: int len;
1421: {
1422: u_char np = np0 & 0xff;
1423: int tlen, plen;
1424: vchar_t *result;
1425: struct isakmp_parse_t *p, *ep;
1426:
1427: plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1428:
1429: /*
1430: * 5 is a magic number, but any value larger than 2 should be fine
1431: * as we do vrealloc() in the following loop.
1432: */
1433: result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1434: if (result == NULL) {
1435: plog(LLV_ERROR, LOCATION, NULL,
1436: "failed to get buffer.\n");
1437: return NULL;
1438: }
1439: p = (struct isakmp_parse_t *)result->v;
1440: ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1441:
1442: tlen = len;
1443:
1444: /* parse through general headers */
1445: while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1446: if (tlen <= sizeof(struct isakmp_gen)) {
1447: /* don't send information, see isakmp_ident_r1() */
1448: plog(LLV_ERROR, LOCATION, NULL,
1449: "invalid length of payload\n");
1450: vfree(result);
1451: return NULL;
1452: }
1453:
1454: plog(LLV_DEBUG, LOCATION, NULL,
1455: "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1456:
1457: p->type = np;
1458: p->len = ntohs(gen->len);
1459: if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
1460: plog(LLV_DEBUG, LOCATION, NULL,
1461: "invalid length of payload\n");
1462: vfree(result);
1463: return NULL;
1464: }
1465: p->ptr = gen;
1466: p++;
1467: if (ep <= p) {
1468: int off;
1469:
1470: off = p - (struct isakmp_parse_t *)result->v;
1471: result = vrealloc(result, result->l * 2);
1472: if (result == NULL) {
1473: plog(LLV_DEBUG, LOCATION, NULL,
1474: "failed to realloc buffer.\n");
1475: vfree(result);
1476: return NULL;
1477: }
1478: ep = (struct isakmp_parse_t *)
1479: (result->v + result->l - sizeof(*ep));
1480: p = (struct isakmp_parse_t *)result->v;
1481: p += off;
1482: }
1483:
1484: np = gen->np;
1485: plen = ntohs(gen->len);
1486: gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1487: tlen -= plen;
1488: }
1489: p->type = ISAKMP_NPTYPE_NONE;
1490: p->len = 0;
1491: p->ptr = NULL;
1492:
1493: plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1494:
1495: return result;
1496: }
1497:
1498: /*
1499: * parse ISAKMP payloads, including ISAKMP base header.
1500: */
1501: vchar_t *
1502: isakmp_parse(buf)
1503: vchar_t *buf;
1504: {
1505: struct isakmp *isakmp = (struct isakmp *)buf->v;
1506: struct isakmp_gen *gen;
1507: int tlen;
1508: vchar_t *result;
1509: u_char np;
1510:
1511: np = isakmp->np;
1512: gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1513: tlen = buf->l - sizeof(struct isakmp);
1514: result = isakmp_parsewoh(np, gen, tlen);
1515:
1516: return result;
1517: }
1518:
1519: /* %%% */
1520: int
1521: isakmp_init()
1522: {
1523: /* initialize a isakmp status table */
1524: initph1tree();
1525: initph2tree();
1526: initctdtree();
1527: init_recvdpkt();
1528:
1529: return 0;
1530: }
1531:
1532: /*
1533: * make strings containing i_cookie + r_cookie + msgid
1534: */
1535: const char *
1536: isakmp_pindex(index, msgid)
1537: const isakmp_index *index;
1538: const u_int32_t msgid;
1539: {
1540: static char buf[64];
1541: const u_char *p;
1542: int i, j;
1543:
1544: memset(buf, 0, sizeof(buf));
1545:
1546: /* copy index */
1547: p = (const u_char *)index;
1548: for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1549: snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1550: j += 2;
1551: switch (i) {
1552: case 7:
1553: buf[j++] = ':';
1554: }
1555: }
1556:
1557: if (msgid == 0)
1558: return buf;
1559:
1560: /* copy msgid */
1561: snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1562:
1563: return buf;
1564: }
1565:
1566: /* open ISAKMP sockets. */
1567: int
1568: isakmp_open(struct sockaddr *addr, int udp_encap)
1569: {
1570: const int yes = 1;
1571: int ifnum = 0, encap_ifnum = 0, fd;
1572: struct sockaddr_in *sin = (struct sockaddr_in *) addr;
1573: #ifdef INET6
1574: struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) addr;
1575: int pktinfo;
1576: #endif
1577: #ifdef ENABLE_NATT
1578: int option = -1;
1579: #endif
1580:
1581: /* warn if wildcard address - should we forbid this? */
1582: switch (addr->sa_family) {
1583: case AF_INET:
1584: if (sin->sin_addr.s_addr == 0)
1585: plog(LLV_WARNING, LOCATION, NULL,
1586: "listening to wildcard address,"
1587: "broadcast IKE packet may kill you\n");
1588: break;
1589: #ifdef INET6
1590: case AF_INET6:
1591: if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) {
1592: plog(LLV_DEBUG, LOCATION, NULL,
1593: "ignoring multicast address %s\n",
1594: saddr2str(addr));
1595: return -1;
1596: }
1597:
1598: if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
1599: plog(LLV_WARNING, LOCATION, NULL,
1600: "listening to wildcard address, "
1601: "broadcast IKE packet may kill you\n");
1602: break;
1603: #endif
1604: default:
1605: plog(LLV_ERROR, LOCATION, NULL,
1606: "unsupported address family %d\n",
1607: addr->sa_family);
1608: return -1;
1609: }
1610:
1611: if ((fd = privsep_socket(addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1612: plog(LLV_ERROR, LOCATION, NULL,
1613: "socket(%s)\n", strerror(errno));
1614: return -1;
1615: }
1616: close_on_exec(fd);
1617: if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1)
1618: plog(LLV_WARNING, LOCATION, NULL,
1619: "failed to put socket in non-blocking mode\n");
1620:
1621: /* receive my interface address on inbound packets. */
1622: switch (addr->sa_family) {
1623: case AF_INET:
1624: if (setsockopt(fd, IPPROTO_IP,
1625: #ifdef __linux__
1626: IP_PKTINFO,
1627: #else
1628: IP_RECVDSTADDR,
1629: #endif
1630: (const void *) &yes, sizeof(yes)) < 0) {
1631: plog(LLV_ERROR, LOCATION, NULL,
1632: "setsockopt IP_RECVDSTADDR (%s)\n",
1633: strerror(errno));
1634: goto err;
1635: }
1636:
1637: #ifdef ENABLE_NATT
1638: if (udp_encap)
1639: option = UDP_ENCAP_ESPINUDP;
1640: #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01)
1641: else
1642: option = UDP_ENCAP_ESPINUDP_NON_IKE;
1643: #endif
1644: if (option == -1)
1645: break;
1646:
1647: if (setsockopt(fd, SOL_UDP,
1648: UDP_ENCAP, &option,
1649: sizeof(option)) < 0) {
1650: plog(LLV_WARNING, LOCATION, NULL,
1651: "setsockopt(%s): UDP_ENCAP %s\n",
1652: option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
1653: strerror(errno));
1654: } else {
1655: plog(LLV_INFO, LOCATION, NULL,
1656: "%s used for NAT-T\n",
1657: saddr2str(addr));
1658: }
1659: #endif
1660: break;
1661:
1662: #ifdef INET6
1663: case AF_INET6:
1664: #if defined(INET6_ADVAPI)
1665: #ifdef IPV6_RECVPKTINFO
1666: pktinfo = IPV6_RECVPKTINFO;
1667: #else /* old adv. API */
1668: pktinfo = IPV6_PKTINFO;
1669: #endif /* IPV6_RECVPKTINFO */
1670: #else
1671: pktinfo = IPV6_RECVDSTADDR;
1672: #endif
1673: if (setsockopt(fd, IPPROTO_IPV6, pktinfo,
1674: (const void *) &yes, sizeof(yes)) < 0) {
1675: plog(LLV_ERROR, LOCATION, NULL,
1676: "setsockopt IPV6_RECVDSTADDR (%d):%s\n",
1677: pktinfo, strerror(errno));
1678: goto err;
1679: }
1680:
1681: #ifdef IPV6_USE_MIN_MTU
1682: if (setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1683: (void *) &yes, sizeof(yes)) < 0) {
1684: plog(LLV_ERROR, LOCATION, NULL,
1685: "setsockopt IPV6_USE_MIN_MTU (%s)\n",
1686: strerror(errno));
1687: goto err;
1688: }
1689: #endif
1690: break;
1691: #endif
1692: }
1693:
1694: if (setsockopt(fd, SOL_SOCKET,
1695: #ifdef __linux__
1696: SO_REUSEADDR,
1697: #else
1698: SO_REUSEPORT,
1699: #endif
1700: (void *) &yes, sizeof(yes)) < 0) {
1701: plog(LLV_ERROR, LOCATION, NULL,
1702: "failed to set REUSE flag on %s (%s).\n",
1703: saddr2str(addr), strerror(errno));
1704: goto err;
1705: }
1706:
1707: if (setsockopt_bypass(fd, addr->sa_family) < 0)
1708: goto err;
1709:
1710: if (privsep_bind(fd, addr, sysdep_sa_len(addr)) < 0) {
1711: plog(LLV_ERROR, LOCATION, addr,
1712: "failed to bind to address %s (%s).\n",
1713: saddr2str(addr), strerror(errno));
1714: goto err;
1715: }
1716:
1717: plog(LLV_INFO, LOCATION, NULL,
1718: "%s used as isakmp port (fd=%d)\n",
1719: saddr2str(addr), fd);
1720:
1721: monitor_fd(fd, isakmp_handler, NULL, 1);
1722: return fd;
1723:
1724: err:
1725: close(fd);
1726: return -1;
1727: }
1728:
1729: void
1730: isakmp_close(int fd)
1731: {
1732: unmonitor_fd(fd);
1733: close(fd);
1734: }
1735:
1736: int
1737: isakmp_send(iph1, sbuf)
1738: struct ph1handle *iph1;
1739: vchar_t *sbuf;
1740: {
1741: int len = 0;
1742: int s;
1743: vchar_t *vbuf = NULL, swap;
1744:
1745: #ifdef ENABLE_NATT
1746: size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
1747:
1748: /* Check if NON_ESP_MARKER_LEN is already there (happens when resending packets)
1749: */
1750: if(extralen == NON_ESP_MARKER_LEN &&
1751: *(u_int32_t *)sbuf->v == 0)
1752: extralen = 0;
1753:
1754: #ifdef ENABLE_FRAG
1755: /*
1756: * Do not add the non ESP marker for a packet that will
1757: * be fragmented. The non ESP marker should appear in
1758: * all fragment's packets, but not in the fragmented packet
1759: */
1760: if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
1761: extralen = 0;
1762: #endif
1763: if (extralen)
1764: plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
1765:
1766: /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
1767: must added just before the packet itself. For this we must
1768: allocate a new buffer and release it at the end. */
1769: if (extralen) {
1770: if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
1771: plog(LLV_ERROR, LOCATION, NULL,
1772: "vbuf allocation failed\n");
1773: return -1;
1774: }
1775: *(u_int32_t *)vbuf->v = 0;
1776: memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
1777: /* ensures that the modified buffer will be sent back to the caller, so
1778: * add_recvdpkt() will add the correct buffer
1779: */
1780: swap = *sbuf;
1781: *sbuf = *vbuf;
1782: *vbuf = swap;
1783: vfree(vbuf);
1784: }
1785: #endif
1786:
1787: /* select the socket to be sent */
1788: s = myaddr_getfd(iph1->local);
1789: if (s == -1)
1790: return -1;
1791:
1792: plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
1793: saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
1794:
1795: #ifdef ENABLE_FRAG
1796: if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
1797: if (isakmp_sendfrags(iph1, sbuf) == -1) {
1798: plog(LLV_ERROR, LOCATION, NULL,
1799: "isakmp_sendfrags failed\n");
1800: return -1;
1801: }
1802: } else
1803: #endif
1804: {
1805: len = sendfromto(s, sbuf->v, sbuf->l,
1806: iph1->local, iph1->remote, lcconf->count_persend);
1807:
1808: if (len == -1) {
1809: plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1810: return -1;
1811: }
1812: }
1813:
1814: return 0;
1815: }
1816:
1817: /* called from scheduler */
1818: static void
1819: isakmp_ph1resend_stub(p)
1820: struct sched *p;
1821: {
1822: struct ph1handle *iph1 = container_of(p, struct ph1handle, scr);
1823:
1824: if (isakmp_ph1resend(iph1) < 0) {
1825: remph1(iph1);
1826: delph1(iph1);
1827: }
1828: }
1829:
1830: static int
1831: isakmp_ph1resend(iph1)
1832: struct ph1handle *iph1;
1833: {
1834: /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
1835: */
1836: if (iph1->retry_counter <= 0) {
1837: plog(LLV_ERROR, LOCATION, NULL,
1838: "phase1 negotiation failed due to time up. %s\n",
1839: isakmp_pindex(&iph1->index, iph1->msgid));
1840: /* XXX is the peer really "dead" here ??? */
1841: script_hook(iph1, SCRIPT_PHASE1_DEAD);
1842: evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL);
1843:
1844: return -1;
1845: }
1846:
1847: if (isakmp_send(iph1, iph1->sendbuf) < 0){
1848: plog(LLV_ERROR, LOCATION, NULL,
1849: "phase1 negotiation failed due to send error. %s\n",
1850: isakmp_pindex(&iph1->index, iph1->msgid));
1851: evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL);
1852: return -1;
1853: }
1854:
1855: plog(LLV_DEBUG, LOCATION, NULL,
1856: "resend phase1 packet %s\n",
1857: isakmp_pindex(&iph1->index, iph1->msgid));
1858:
1859: iph1->retry_counter--;
1860:
1861: sched_schedule(&iph1->scr, lcconf->retry_interval,
1862: isakmp_ph1resend_stub);
1863:
1864: return 0;
1865: }
1866:
1867: int
1868: isakmp_ph1send(iph1)
1869: struct ph1handle *iph1;
1870: {
1871: iph1->retry_counter = lcconf->retry_counter;
1872: return isakmp_ph1resend(iph1);
1873: }
1874:
1875: /* called from scheduler */
1876: static void
1877: isakmp_ph2resend_stub(p)
1878: struct sched *p;
1879: {
1880: struct ph2handle *iph2 = container_of(p, struct ph2handle, scr);
1881:
1882: if (isakmp_ph2resend(iph2) < 0) {
1883: remph2(iph2);
1884: delph2(iph2);
1885: }
1886: }
1887:
1888: static int
1889: isakmp_ph2resend(iph2)
1890: struct ph2handle *iph2;
1891: {
1892: /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
1893: */
1894: if (iph2->ph1->status >= PHASE1ST_EXPIRED) {
1895: plog(LLV_ERROR, LOCATION, NULL,
1896: "phase2 negotiation failed due to phase1 expired. %s\n",
1897: isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1898: return -1;
1899: }
1900:
1901: if (iph2->retry_counter <= 0) {
1902: plog(LLV_ERROR, LOCATION, NULL,
1903: "phase2 negotiation failed due to time up. %s\n",
1904: isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1905: evt_phase2(iph2, EVT_PHASE2_NO_RESPONSE, NULL);
1906: unbindph12(iph2);
1907: return -1;
1908: }
1909:
1910: if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){
1911: plog(LLV_ERROR, LOCATION, NULL,
1912: "phase2 negotiation failed due to send error. %s\n",
1913: isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1914: evt_phase2(iph2, EVT_PHASE2_NO_RESPONSE, NULL);
1915: return -1;
1916: }
1917:
1918: plog(LLV_DEBUG, LOCATION, NULL,
1919: "resend phase2 packet %s\n",
1920: isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1921:
1922: iph2->retry_counter--;
1923:
1924: sched_schedule(&iph2->scr, lcconf->retry_interval,
1925: isakmp_ph2resend_stub);
1926:
1927: return 0;
1928: }
1929:
1930: int
1931: isakmp_ph2send(iph2)
1932: struct ph2handle *iph2;
1933: {
1934: iph2->retry_counter = lcconf->retry_counter;
1935: return isakmp_ph2resend(iph2);
1936: }
1937:
1938: /* called from scheduler */
1939: void
1940: isakmp_ph1dying_stub(p)
1941: struct sched *p;
1942: {
1943:
1944: isakmp_ph1dying(container_of(p, struct ph1handle, sce));
1945: }
1946:
1947: void
1948: isakmp_ph1dying(iph1)
1949: struct ph1handle *iph1;
1950: {
1951: struct ph1handle *new_iph1;
1952: struct ph2handle *p;
1953: struct remoteconf *rmconf;
1954:
1955: if (iph1->status >= PHASE1ST_DYING)
1956: return;
1957:
1958: /* Going away in after a while... */
1959: iph1->status = PHASE1ST_DYING;
1960:
1961: /* Any fresh phase1s? */
1962: new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
1963: if (new_iph1 == NULL) {
1964: LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
1965: if (p->status != PHASE2ST_ESTABLISHED)
1966: continue;
1967:
1968: plog(LLV_INFO, LOCATION, NULL,
1969: "renegotiating phase1 to %s due to "
1970: "active phase2\n",
1971: saddrwop2str(iph1->remote));
1972:
1973: if (iph1->side == INITIATOR)
1974: isakmp_ph1begin_i(iph1->rmconf, iph1->remote,
1975: iph1->local);
1976:
1977: break;
1978: }
1979: } else {
1980: migrate_ph12(iph1, new_iph1);
1981: }
1982:
1983: /* Schedule for expiration */
1984: sched_schedule(&iph1->sce, iph1->approval->lifetime *
1985: (100 - PFKEY_SOFT_LIFETIME_RATE) / 100,
1986: isakmp_ph1expire_stub);
1987: }
1988:
1989: /* called from scheduler */
1990: void
1991: isakmp_ph1expire_stub(p)
1992: struct sched *p;
1993: {
1994: isakmp_ph1expire(container_of(p, struct ph1handle, sce));
1995: }
1996:
1997: void
1998: isakmp_ph1expire(iph1)
1999: struct ph1handle *iph1;
2000: {
2001: char *src, *dst;
2002:
2003: if (iph1->status < PHASE1ST_EXPIRED) {
2004: src = racoon_strdup(saddr2str(iph1->local));
2005: dst = racoon_strdup(saddr2str(iph1->remote));
2006: STRDUP_FATAL(src);
2007: STRDUP_FATAL(dst);
2008:
2009: plog(LLV_INFO, LOCATION, NULL,
2010: "ISAKMP-SA expired %s-%s spi:%s\n",
2011: src, dst,
2012: isakmp_pindex(&iph1->index, 0));
2013: racoon_free(src);
2014: racoon_free(dst);
2015: iph1->status = PHASE1ST_EXPIRED;
2016: }
2017:
2018: isakmp_ph1delete(iph1);
2019: }
2020:
2021: /* called from scheduler */
2022: void
2023: isakmp_ph1delete_stub(p)
2024: struct sched *p;
2025: {
2026:
2027: isakmp_ph1delete(container_of(p, struct ph1handle, sce));
2028: }
2029:
2030: void
2031: isakmp_ph1delete(iph1)
2032: struct ph1handle *iph1;
2033: {
2034: struct ph2handle *p, *next;
2035: struct ph1handle *new_iph1;
2036: char *src, *dst;
2037:
2038: /* Migrate established phase2s. Any fresh phase1s? */
2039: new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
2040: if (new_iph1 != NULL)
2041: migrate_ph12(iph1, new_iph1);
2042:
2043: /* Discard any left phase2s */
2044: for (p = LIST_FIRST(&iph1->ph2tree); p; p = next) {
2045: next = LIST_NEXT(p, ph1bind);
2046: if (p->status == PHASE2ST_ESTABLISHED)
2047: isakmp_info_send_d2(p);
2048: /* remove all ph2 handles,
2049: * as ph1handle will be expired soon
2050: */
2051: delete_spd(p, 1);
2052: remph2(p);
2053: delph2(p);
2054: }
2055:
2056: src = racoon_strdup(saddr2str(iph1->local));
2057: dst = racoon_strdup(saddr2str(iph1->remote));
2058: STRDUP_FATAL(src);
2059: STRDUP_FATAL(dst);
2060:
2061: plog(LLV_INFO, LOCATION, NULL,
2062: "ISAKMP-SA deleted %s-%s spi:%s\n",
2063: src, dst, isakmp_pindex(&iph1->index, 0));
2064:
2065: evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
2066: if (new_iph1 == NULL && ph1_rekey_enabled(iph1))
2067: script_hook(iph1, SCRIPT_PHASE1_DEAD);
2068:
2069: racoon_free(src);
2070: racoon_free(dst);
2071:
2072: remph1(iph1);
2073: delph1(iph1);
2074: }
2075:
2076: /* called from scheduler.
2077: * this function will call only isakmp_ph2delete().
2078: * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
2079: * by something cause. That's why this function is called after phase 2 SA
2080: * expires in the userland.
2081: */
2082: void
2083: isakmp_ph2expire_stub(p)
2084: struct sched *p;
2085: {
2086:
2087: isakmp_ph2expire(container_of(p, struct ph2handle, sce));
2088: }
2089:
2090: void
2091: isakmp_ph2expire(iph2)
2092: struct ph2handle *iph2;
2093: {
2094: char *src, *dst;
2095:
2096: src = racoon_strdup(saddrwop2str(iph2->src));
2097: dst = racoon_strdup(saddrwop2str(iph2->dst));
2098: STRDUP_FATAL(src);
2099: STRDUP_FATAL(dst);
2100:
2101: plog(LLV_INFO, LOCATION, NULL,
2102: "phase2 sa expired %s-%s\n", src, dst);
2103: racoon_free(src);
2104: racoon_free(dst);
2105:
2106: iph2->status = PHASE2ST_EXPIRED;
2107: sched_schedule(&iph2->sce, 1, isakmp_ph2delete_stub);
2108: }
2109:
2110: /* called from scheduler */
2111: void
2112: isakmp_ph2delete_stub(p)
2113: struct sched *p;
2114: {
2115:
2116: isakmp_ph2delete(container_of(p, struct ph2handle, sce));
2117: }
2118:
2119: void
2120: isakmp_ph2delete(iph2)
2121: struct ph2handle *iph2;
2122: {
2123: char *src, *dst;
2124:
2125: src = racoon_strdup(saddrwop2str(iph2->src));
2126: dst = racoon_strdup(saddrwop2str(iph2->dst));
2127: STRDUP_FATAL(src);
2128: STRDUP_FATAL(dst);
2129:
2130: plog(LLV_INFO, LOCATION, NULL,
2131: "phase2 sa deleted %s-%s\n", src, dst);
2132: racoon_free(src);
2133: racoon_free(dst);
2134:
2135: remph2(iph2);
2136: delph2(iph2);
2137:
2138: return;
2139: }
2140:
2141: /*
%%%
2142: * Interface between PF_KEYv2 and ISAKMP
2143: */
2144: /*
2145: * receive ACQUIRE from kernel, and begin either phase1 or phase2.
2146: * if phase1 has been finished, begin phase2.
2147: */
2148: int
2149: isakmp_post_acquire(iph2, iph1hint, nopassive)
2150: struct ph2handle *iph2;
2151: struct ph1handle *iph1hint;
2152: int nopassive;
2153: {
2154: struct remoteconf *rmconf;
2155: struct ph1handle *iph1 = NULL;
2156:
2157: plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
2158:
2159: /* Search appropriate configuration with masking port. Note that
2160: * we always use iph2->dst, and not iph2->sa_dst.
2161: *
2162: * XXX One possible need for using iph2->sa_dst if not NULL would
2163: * be for selecting a remote configuration based on a stable
2164: * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
2165: * as iph2->dst hint). This scenario would require additional changes,
2166: * so no need to bother yet. --arno */
2167:
2168: if (iph1hint == NULL || iph1hint->rmconf == NULL) {
2169: rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0);
2170: if (rmconf == NULL) {
2171: plog(LLV_ERROR, LOCATION, NULL,
2172: "no configuration found for %s.\n",
2173: saddrwop2str(iph2->dst));
2174: return -1;
2175: }
2176: } else {
2177: rmconf = iph1hint->rmconf;
2178: }
2179:
2180: /* if passive mode, ignore the acquire message */
2181: if (nopassive && rmconf->passive) {
2182: plog(LLV_DEBUG, LOCATION, NULL,
2183: "because of passive mode, "
2184: "ignore the acquire message for %s.\n",
2185: saddrwop2str(iph2->dst));
2186: return 0;
2187: }
2188:
2189: /*
2190: * XXX Searching by IP addresses + ports might fail on
2191: * some cases, we should use the ISAKMP identity to search
2192: * matching ISAKMP.
2193: */
2194: iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
2195:
2196: /* no ISAKMP-SA found. */
2197: if (iph1 == NULL) {
2198: iph2->retry_checkph1 = lcconf->retry_checkph1;
2199: sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
2200: plog(LLV_INFO, LOCATION, NULL,
2201: "IPsec-SA request for %s queued "
2202: "due to no phase1 found.\n",
2203: saddrwop2str(iph2->dst));
2204:
2205: /* start phase 1 negotiation as a initiator. */
2206: if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) == NULL) {
2207: sched_cancel(&iph2->sce);
2208: return -1;
2209: }
2210:
2211: return 0;
2212: /*NOTREACHED*/
2213: }
2214:
2215: /* found ISAKMP-SA, but on negotiation. */
2216: if (iph1->status < PHASE1ST_ESTABLISHED) {
2217: iph2->retry_checkph1 = lcconf->retry_checkph1;
2218: sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
2219: plog(LLV_INFO, LOCATION, iph2->dst,
2220: "request for establishing IPsec-SA was queued "
2221: "due to no phase1 found.\n");
2222: return 0;
2223: /*NOTREACHED*/
2224: }
2225:
2226: /* found established ISAKMP-SA */
2227: /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
2228:
2229: /* found ISAKMP-SA. */
2230: plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
2231:
2232: /* begin quick mode */
2233: if (isakmp_ph2begin_i(iph1, iph2))
2234: return -1;
2235:
2236: return 0;
2237: }
2238:
2239: int
2240: isakmp_get_sainfo(iph2, sp_out, sp_in)
2241: struct ph2handle *iph2;
2242: struct secpolicy *sp_out, *sp_in;
2243: {
2244: struct remoteconf *conf;
2245: uint32_t remoteid = 0;
2246:
2247: plog(LLV_DEBUG, LOCATION, NULL,
2248: "new acquire %s\n", spidx2str(&sp_out->spidx));
2249:
2250: /* get sainfo */
2251: {
2252: vchar_t *idsrc, *iddst;
2253:
2254: idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src,
2255: sp_out->spidx.prefs, sp_out->spidx.ul_proto);
2256: if (idsrc == NULL) {
2257: plog(LLV_ERROR, LOCATION, NULL,
2258: "failed to get ID for %s\n",
2259: spidx2str(&sp_out->spidx));
2260: return -1;
2261: }
2262: iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst,
2263: sp_out->spidx.prefd, sp_out->spidx.ul_proto);
2264: if (iddst == NULL) {
2265: plog(LLV_ERROR, LOCATION, NULL,
2266: "failed to get ID for %s\n",
2267: spidx2str(&sp_out->spidx));
2268: vfree(idsrc);
2269: return -1;
2270: }
2271:
2272: conf = getrmconf(iph2->dst, 0);
2273: if (conf != NULL)
2274: remoteid = conf->ph1id;
2275: else
2276: plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
2277:
2278: iph2->sainfo = getsainfo(idsrc, iddst, NULL, NULL, remoteid);
2279: vfree(idsrc);
2280: vfree(iddst);
2281: if (iph2->sainfo == NULL) {
2282: plog(LLV_ERROR, LOCATION, NULL,
2283: "failed to get sainfo.\n");
2284: return -1;
2285: /* XXX should use the algorithm list from register message */
2286: }
2287:
2288: plog(LLV_DEBUG, LOCATION, NULL,
2289: "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2290: }
2291:
2292: if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) {
2293: plog(LLV_ERROR, LOCATION, NULL,
2294: "failed to create saprop.\n");
2295: return -1;
2296: }
2297:
2298: return 0;
2299: }
2300:
2301:
2302: /*
2303: * receive GETSPI from kernel.
2304: */
2305: int
2306: isakmp_post_getspi(iph2)
2307: struct ph2handle *iph2;
2308: {
2309: #ifdef ENABLE_STATS
2310: struct timeval start, end;
2311: #endif
2312:
2313: /* don't process it because there is no suitable phase1-sa. */
2314: if (iph2->ph1->status >= PHASE1ST_EXPIRED) {
2315: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2316: "the negotiation is stopped, "
2317: "because there is no suitable ISAKMP-SA.\n");
2318: return -1;
2319: }
2320:
2321: #ifdef ENABLE_STATS
2322: gettimeofday(&start, NULL);
2323: #endif
2324: if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2325: [iph2->side]
2326: [iph2->status])(iph2, NULL) != 0)
2327: return -1;
2328: #ifdef ENABLE_STATS
2329: gettimeofday(&end, NULL);
2330: syslog(LOG_NOTICE, "%s(%s): %8.6f",
2331: "phase2",
2332: s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2333: timedelta(&start, &end));
2334: #endif
2335:
2336: return 0;
2337: }
2338:
2339: /* called by scheduler */
2340: void
2341: isakmp_chkph1there_stub(p)
2342: struct sched *p;
2343: {
2344: isakmp_chkph1there(container_of(p, struct ph2handle, sce));
2345: }
2346:
2347: void
2348: isakmp_chkph1there(iph2)
2349: struct ph2handle *iph2;
2350: {
2351: struct ph1handle *iph1;
2352:
2353: iph2->retry_checkph1--;
2354: if (iph2->retry_checkph1 < 0) {
2355: plog(LLV_ERROR, LOCATION, iph2->dst,
2356: "phase2 negotiation failed "
2357: "due to time up waiting for phase1. %s\n",
2358: sadbsecas2str(iph2->dst, iph2->src,
2359: iph2->satype, 0, 0));
2360: plog(LLV_INFO, LOCATION, NULL,
2361: "delete phase 2 handler.\n");
2362:
2363: /* send acquire to kernel as error */
2364: pk_sendeacquire(iph2);
2365:
2366: remph2(iph2);
2367: delph2(iph2);
2368:
2369: return;
2370: }
2371:
2372: /* Search isakmp status table by address and port */
2373: iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2374:
2375: /* XXX Even if ph1 as responder is there, should we not start
2376: * phase 2 negotiation ? */
2377: if (iph1 != NULL
2378: && iph1->status == PHASE1ST_ESTABLISHED) {
2379: /* found isakmp-sa */
2380:
2381: plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n");
2382: plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local));
2383: plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote));
2384: plog(LLV_DEBUG2, LOCATION, NULL, "before:\n");
2385: plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
2386: plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
2387: set_port(iph2->src, extract_port(iph1->local));
2388: set_port(iph2->dst, extract_port(iph1->remote));
2389: plog(LLV_DEBUG2, LOCATION, NULL, "After:\n");
2390: plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
2391: plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
2392:
2393: /* begin quick mode */
2394: (void)isakmp_ph2begin_i(iph1, iph2);
2395: return;
2396: }
2397:
2398: plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n");
2399:
2400: /* no isakmp-sa found */
2401: sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
2402:
2403: return;
2404: }
2405:
2406: /* copy variable data into ALLOCATED buffer. */
2407: caddr_t
2408: isakmp_set_attr_v(buf, type, val, len)
2409: caddr_t buf;
2410: int type;
2411: caddr_t val;
2412: int len;
2413: {
2414: struct isakmp_data *data;
2415:
2416: data = (struct isakmp_data *)buf;
2417: data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2418: data->lorv = htons((u_int16_t)len);
2419: memcpy(data + 1, val, len);
2420:
2421: return buf + sizeof(*data) + len;
2422: }
2423:
2424: /* copy fixed length data into ALLOCATED buffer. */
2425: caddr_t
2426: isakmp_set_attr_l(buf, type, val)
2427: caddr_t buf;
2428: int type;
2429: u_int32_t val;
2430: {
2431: struct isakmp_data *data;
2432:
2433: data = (struct isakmp_data *)buf;
2434: data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2435: data->lorv = htons((u_int16_t)val);
2436:
2437: return buf + sizeof(*data);
2438: }
2439:
2440: /* add a variable data attribute to the buffer by reallocating it. */
2441: vchar_t *
2442: isakmp_add_attr_v(buf0, type, val, len)
2443: vchar_t *buf0;
2444: int type;
2445: caddr_t val;
2446: int len;
2447: {
2448: vchar_t *buf = NULL;
2449: struct isakmp_data *data;
2450: int tlen;
2451: int oldlen = 0;
2452:
2453: tlen = sizeof(*data) + len;
2454:
2455: if (buf0) {
2456: oldlen = buf0->l;
2457: buf = vrealloc(buf0, oldlen + tlen);
2458: } else
2459: buf = vmalloc(tlen);
2460: if (!buf) {
2461: plog(LLV_ERROR, LOCATION, NULL,
2462: "failed to get a attribute buffer.\n");
2463: return NULL;
2464: }
2465:
2466: data = (struct isakmp_data *)(buf->v + oldlen);
2467: data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
2468: data->lorv = htons((u_int16_t)len);
2469: memcpy(data + 1, val, len);
2470:
2471: return buf;
2472: }
2473:
2474: /* add a fixed data attribute to the buffer by reallocating it. */
2475: vchar_t *
2476: isakmp_add_attr_l(buf0, type, val)
2477: vchar_t *buf0;
2478: int type;
2479: u_int32_t val;
2480: {
2481: vchar_t *buf = NULL;
2482: struct isakmp_data *data;
2483: int tlen;
2484: int oldlen = 0;
2485:
2486: tlen = sizeof(*data);
2487:
2488: if (buf0) {
2489: oldlen = buf0->l;
2490: buf = vrealloc(buf0, oldlen + tlen);
2491: } else
2492: buf = vmalloc(tlen);
2493: if (!buf) {
2494: plog(LLV_ERROR, LOCATION, NULL,
2495: "failed to get a attribute buffer.\n");
2496: return NULL;
2497: }
2498:
2499: data = (struct isakmp_data *)(buf->v + oldlen);
2500: data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
2501: data->lorv = htons((u_int16_t)val);
2502:
2503: return buf;
2504: }
2505:
2506: /*
2507: * calculate cookie and set.
2508: */
2509: int
2510: isakmp_newcookie(place, remote, local)
2511: caddr_t place;
2512: struct sockaddr *remote;
2513: struct sockaddr *local;
2514: {
2515: vchar_t *buf = NULL, *buf2 = NULL;
2516: char *p;
2517: int blen;
2518: int alen;
2519: caddr_t sa1, sa2;
2520: time_t t;
2521: int error = -1;
2522: u_short port;
2523:
2524:
2525: if (remote->sa_family != local->sa_family) {
2526: plog(LLV_ERROR, LOCATION, NULL,
2527: "address family mismatch, remote:%d local:%d\n",
2528: remote->sa_family, local->sa_family);
2529: goto end;
2530: }
2531: switch (remote->sa_family) {
2532: case AF_INET:
2533: alen = sizeof(struct in_addr);
2534: sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2535: sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2536: break;
2537: #ifdef INET6
2538: case AF_INET6:
2539: alen = sizeof(struct in6_addr);
2540: sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2541: sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2542: break;
2543: #endif
2544: default:
2545: plog(LLV_ERROR, LOCATION, NULL,
2546: "invalid family: %d\n", remote->sa_family);
2547: goto end;
2548: }
2549: blen = (alen + sizeof(u_short)) * 2
2550: + sizeof(time_t) + lcconf->secret_size;
2551: buf = vmalloc(blen);
2552: if (buf == NULL) {
2553: plog(LLV_ERROR, LOCATION, NULL,
2554: "failed to get a cookie.\n");
2555: goto end;
2556: }
2557: p = buf->v;
2558:
2559: /* copy my address */
2560: memcpy(p, sa1, alen);
2561: p += alen;
2562: port = ((struct sockaddr_in *)remote)->sin_port;
2563: memcpy(p, &port, sizeof(u_short));
2564: p += sizeof(u_short);
2565:
2566: /* copy target address */
2567: memcpy(p, sa2, alen);
2568: p += alen;
2569: port = ((struct sockaddr_in *)local)->sin_port;
2570: memcpy(p, &port, sizeof(u_short));
2571: p += sizeof(u_short);
2572:
2573: /* copy time */
2574: t = time(0);
2575: memcpy(p, (caddr_t)&t, sizeof(t));
2576: p += sizeof(t);
2577:
2578: /* copy random value */
2579: buf2 = eay_set_random(lcconf->secret_size);
2580: if (buf2 == NULL)
2581: goto end;
2582: memcpy(p, buf2->v, lcconf->secret_size);
2583: p += lcconf->secret_size;
2584: vfree(buf2);
2585:
2586: buf2 = eay_sha1_one(buf);
2587: memcpy(place, buf2->v, sizeof(cookie_t));
2588:
2589: sa1 = val2str(place, sizeof (cookie_t));
2590: plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2591: racoon_free(sa1);
2592:
2593: error = 0;
2594: end:
2595: if (buf != NULL)
2596: vfree(buf);
2597: if (buf2 != NULL)
2598: vfree(buf2);
2599: return error;
2600: }
2601:
2602: /*
2603: * save partner's(payload) data into phhandle.
2604: */
2605: int
2606: isakmp_p2ph(buf, gen)
2607: vchar_t **buf;
2608: struct isakmp_gen *gen;
2609: {
2610: /* XXX to be checked in each functions for logging. */
2611: if (*buf) {
2612: plog(LLV_WARNING, LOCATION, NULL,
2613: "ignore this payload, same payload type exist.\n");
2614: return -1;
2615: }
2616:
2617: *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
2618: if (*buf == NULL) {
2619: plog(LLV_ERROR, LOCATION, NULL,
2620: "failed to get buffer.\n");
2621: return -1;
2622: }
2623: memcpy((*buf)->v, gen + 1, (*buf)->l);
2624:
2625: return 0;
2626: }
2627:
2628: u_int32_t
2629: isakmp_newmsgid2(iph1)
2630: struct ph1handle *iph1;
2631: {
2632: u_int32_t msgid2;
2633:
2634: do {
2635: msgid2 = eay_random();
2636: } while (getph2bymsgid(iph1, msgid2));
2637:
2638: return msgid2;
2639: }
2640:
2641: /*
2642: * set values into allocated buffer of isakmp header for phase 1
2643: */
2644: static caddr_t
2645: set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid)
2646: vchar_t *vbuf;
2647: struct ph1handle *iph1;
2648: int nptype;
2649: u_int8_t etype;
2650: u_int8_t flags;
2651: u_int32_t msgid;
2652: {
2653: struct isakmp *isakmp;
2654:
2655: if (vbuf->l < sizeof(*isakmp))
2656: return NULL;
2657:
2658: isakmp = (struct isakmp *)vbuf->v;
2659:
2660: memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2661: memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2662: isakmp->np = nptype;
2663: isakmp->v = iph1->version;
2664: isakmp->etype = etype;
2665: isakmp->flags = flags;
2666: isakmp->msgid = msgid;
2667: isakmp->len = htonl(vbuf->l);
2668:
2669: return vbuf->v + sizeof(*isakmp);
2670: }
2671:
2672: /*
2673: * set values into allocated buffer of isakmp header for phase 1
2674: */
2675: caddr_t
2676: set_isakmp_header1(vbuf, iph1, nptype)
2677: vchar_t *vbuf;
2678: struct ph1handle *iph1;
2679: int nptype;
2680: {
2681: return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
2682: }
2683:
2684: /*
2685: * set values into allocated buffer of isakmp header for phase 2
2686: */
2687: caddr_t
2688: set_isakmp_header2(vbuf, iph2, nptype)
2689: vchar_t *vbuf;
2690: struct ph2handle *iph2;
2691: int nptype;
2692: {
2693: return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
2694: }
2695:
2696: /*
2697: * set values into allocated buffer of isakmp payload.
2698: */
2699: caddr_t
2700: set_isakmp_payload(buf, src, nptype)
2701: caddr_t buf;
2702: vchar_t *src;
2703: int nptype;
2704: {
2705: struct isakmp_gen *gen;
2706: caddr_t p = buf;
2707:
2708: plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n",
2709: src->l, nptype);
2710:
2711: gen = (struct isakmp_gen *)p;
2712: gen->np = nptype;
2713: gen->len = htons(sizeof(*gen) + src->l);
2714: p += sizeof(*gen);
2715: memcpy(p, src->v, src->l);
2716: p += src->l;
2717:
2718: return p;
2719: }
2720:
2721: static int
2722: etypesw1(etype)
2723: int etype;
2724: {
2725: switch (etype) {
2726: case ISAKMP_ETYPE_IDENT:
2727: return 1;
2728: case ISAKMP_ETYPE_AGG:
2729: return 2;
2730: case ISAKMP_ETYPE_BASE:
2731: return 3;
2732: default:
2733: return 0;
2734: }
2735: /*NOTREACHED*/
2736: }
2737:
2738: static int
2739: etypesw2(etype)
2740: int etype;
2741: {
2742: switch (etype) {
2743: case ISAKMP_ETYPE_QUICK:
2744: return 1;
2745: default:
2746: return 0;
2747: }
2748: /*NOTREACHED*/
2749: }
2750:
2751: #ifdef HAVE_PRINT_ISAKMP_C
2752: /* for print-isakmp.c */
2753: char *snapend;
2754: extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2755:
2756: char *getname __P((const u_char *));
2757: #ifdef INET6
2758: char *getname6 __P((const u_char *));
2759: #endif
2760: int safeputchar __P((int));
2761:
2762: /*
2763: * Return a name for the IP address pointed to by ap. This address
2764: * is assumed to be in network byte order.
2765: */
2766: char *
2767: getname(ap)
2768: const u_char *ap;
2769: {
2770: struct sockaddr_in addr;
2771: static char ntop_buf[NI_MAXHOST];
2772:
2773: memset(&addr, 0, sizeof(addr));
2774: #ifndef __linux__
2775: addr.sin_len = sizeof(struct sockaddr_in);
2776: #endif
2777: addr.sin_family = AF_INET;
2778: memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2779: if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
2780: ntop_buf, sizeof(ntop_buf), NULL, 0,
2781: NI_NUMERICHOST | niflags))
2782: strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2783:
2784: return ntop_buf;
2785: }
2786:
2787: #ifdef INET6
2788: /*
2789: * Return a name for the IP6 address pointed to by ap. This address
2790: * is assumed to be in network byte order.
2791: */
2792: char *
2793: getname6(ap)
2794: const u_char *ap;
2795: {
2796: struct sockaddr_in6 addr;
2797: static char ntop_buf[NI_MAXHOST];
2798:
2799: memset(&addr, 0, sizeof(addr));
2800: addr.sin6_len = sizeof(struct sockaddr_in6);
2801: addr.sin6_family = AF_INET6;
2802: memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2803: if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2804: ntop_buf, sizeof(ntop_buf), NULL, 0,
2805: NI_NUMERICHOST | niflags))
2806: strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2807:
2808: return ntop_buf;
2809: }
2810: #endif /* INET6 */
2811:
2812: int
2813: safeputchar(c)
2814: int c;
2815: {
2816: unsigned char ch;
2817:
2818: ch = (unsigned char)(c & 0xff);
2819: if (c < 0x80 && isprint(c))
2820: return printf("%c", c & 0xff);
2821: else
2822: return printf("\\%03o", c & 0xff);
2823: }
2824:
2825: void
2826: isakmp_printpacket(msg, from, my, decoded)
2827: vchar_t *msg;
2828: struct sockaddr *from;
2829: struct sockaddr *my;
2830: int decoded;
2831: {
2832: #ifdef YIPS_DEBUG
2833: struct timeval tv;
2834: int s;
2835: char hostbuf[NI_MAXHOST];
2836: char portbuf[NI_MAXSERV];
2837: struct isakmp *isakmp;
2838: vchar_t *buf;
2839: #endif
2840:
2841: if (loglevel < LLV_DEBUG)
2842: return;
2843:
2844: #ifdef YIPS_DEBUG
2845: plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2846:
2847: gettimeofday(&tv, NULL);
2848: s = tv.tv_sec % 3600;
2849: printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2850:
2851: if (from) {
2852: if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
2853: portbuf, sizeof(portbuf),
2854: NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2855: strlcpy(hostbuf, "?", sizeof(hostbuf));
2856: strlcpy(portbuf, "?", sizeof(portbuf));
2857: }
2858: printf("%s:%s", hostbuf, portbuf);
2859: } else
2860: printf("?");
2861: printf(" -> ");
2862: if (my) {
2863: if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
2864: portbuf, sizeof(portbuf),
2865: NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2866: strlcpy(hostbuf, "?", sizeof(hostbuf));
2867: strlcpy(portbuf, "?", sizeof(portbuf));
2868: }
2869: printf("%s:%s", hostbuf, portbuf);
2870: } else
2871: printf("?");
2872: printf(": ");
2873:
2874: buf = vdup(msg);
2875: if (!buf) {
2876: printf("(malloc fail)\n");
2877: return;
2878: }
2879: if (decoded) {
2880: isakmp = (struct isakmp *)buf->v;
2881: if (isakmp->flags & ISAKMP_FLAG_E) {
2882: #if 0
2883: int pad;
2884: pad = *(u_char *)(buf->v + buf->l - 1);
2885: if (buf->l < pad && 2 < vflag)
2886: printf("(wrong padding)");
2887: #endif
2888: isakmp->flags &= ~ISAKMP_FLAG_E;
2889: }
2890: }
2891:
2892: snapend = buf->v + buf->l;
2893: isakmp_print(buf->v, buf->l, NULL);
2894: vfree(buf);
2895: printf("\n");
2896: fflush(stdout);
2897:
2898: return;
2899: #endif
2900: }
2901: #endif /*HAVE_PRINT_ISAKMP_C*/
2902:
2903: int
2904: copy_ph1addresses(iph1, rmconf, remote, local)
2905: struct ph1handle *iph1;
2906: struct remoteconf *rmconf;
2907: struct sockaddr *remote, *local;
2908: {
2909: u_int16_t port;
2910:
2911: /* address portion must be grabbed from real remote address "remote" */
2912: iph1->remote = dupsaddr(remote);
2913: if (iph1->remote == NULL)
2914: return -1;
2915:
2916: /*
2917: * if remote has no port # (in case of initiator - from ACQUIRE msg)
2918: * - if remote.conf specifies port #, use that
2919: * - if remote.conf does not, use 500
2920: * if remote has port # (in case of responder - from recvfrom(2))
2921: * respect content of "remote".
2922: */
2923: if (extract_port(iph1->remote) == 0) {
2924: port = 0;
2925: if (rmconf != NULL)
2926: port = extract_port(rmconf->remote);
2927: if (port == 0)
2928: port = PORT_ISAKMP;
2929: set_port(iph1->remote, port);
2930: }
2931:
2932: if (local == NULL)
2933: iph1->local = getlocaladdr(iph1->remote);
2934: else
2935: iph1->local = dupsaddr(local);
2936: if (iph1->local == NULL)
2937: return -1;
2938:
2939: if (extract_port(iph1->local) == 0) {
2940: port = myaddr_getsport(iph1->local);
2941: if (port == 0)
2942: port = PORT_ISAKMP;
2943: set_port(iph1->local, PORT_ISAKMP);
2944: }
2945:
2946: #ifdef ENABLE_NATT
2947: if (extract_port(iph1->local) == lcconf->port_isakmp_natt) {
2948: plog(LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n");
2949: iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
2950: }
2951: #endif
2952:
2953: return 0;
2954: }
2955:
2956: static int
2957: nostate1(iph1, msg)
2958: struct ph1handle *iph1;
2959: vchar_t *msg;
2960: {
2961: plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2962: iph1->status);
2963: return -1;
2964: }
2965:
2966: static int
2967: nostate2(iph2, msg)
2968: struct ph2handle *iph2;
2969: vchar_t *msg;
2970: {
2971: plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2972: iph2->status);
2973: return -1;
2974: }
2975:
2976: void
2977: log_ph1established(iph1)
2978: const struct ph1handle *iph1;
2979: {
2980: char *src, *dst;
2981:
2982: src = racoon_strdup(saddr2str(iph1->local));
2983: dst = racoon_strdup(saddr2str(iph1->remote));
2984: STRDUP_FATAL(src);
2985: STRDUP_FATAL(dst);
2986:
2987: plog(LLV_INFO, LOCATION, NULL,
2988: "ISAKMP-SA established %s-%s spi:%s\n",
2989: src, dst,
2990: isakmp_pindex(&iph1->index, 0));
2991:
2992: evt_phase1(iph1, EVT_PHASE1_UP, NULL);
2993: if(!iph1->rmconf->mode_cfg)
2994: evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
2995:
2996: racoon_free(src);
2997: racoon_free(dst);
2998:
2999: return;
3000: }
3001:
3002: struct payload_list *
3003: isakmp_plist_append_full (struct payload_list *plist, vchar_t *payload,
3004: u_int8_t payload_type, u_int8_t free_payload)
3005: {
3006: if (! plist) {
3007: plist = racoon_malloc (sizeof (struct payload_list));
3008: plist->prev = NULL;
3009: }
3010: else {
3011: plist->next = racoon_malloc (sizeof (struct payload_list));
3012: plist->next->prev = plist;
3013: plist = plist->next;
3014: }
3015:
3016: plist->next = NULL;
3017: plist->payload = payload;
3018: plist->payload_type = payload_type;
3019: plist->free_payload = free_payload;
3020:
3021: return plist;
3022: }
3023:
3024: vchar_t *
3025: isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
3026: {
3027: struct payload_list *ptr = *plist, *first;
3028: size_t tlen = sizeof (struct isakmp), n = 0;
3029: vchar_t *buf = NULL;
3030: char *p;
3031:
3032: /* Seek to the first item. */
3033: while (ptr->prev) ptr = ptr->prev;
3034: first = ptr;
3035:
3036: /* Compute the whole length. */
3037: while (ptr) {
3038: tlen += ptr->payload->l + sizeof (struct isakmp_gen);
3039: ptr = ptr->next;
3040: }
3041:
3042: buf = vmalloc(tlen);
3043: if (buf == NULL) {
3044: plog(LLV_ERROR, LOCATION, NULL,
3045: "failed to get buffer to send.\n");
3046: goto end;
3047: }
3048:
3049: ptr = first;
3050:
3051: p = set_isakmp_header1(buf, iph1, ptr->payload_type);
3052: if (p == NULL)
3053: goto end;
3054:
3055: while (ptr)
3056: {
3057: p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
3058: first = ptr;
3059: ptr = ptr->next;
3060: if (first->free_payload)
3061: vfree(first->payload);
3062: racoon_free (first);
3063: /* ptr->prev = NULL; first = NULL; ... omitted. */
3064: n++;
3065: }
3066:
3067: *plist = NULL;
3068:
3069: return buf;
3070: end:
3071: if (buf != NULL)
3072: vfree(buf);
3073: return NULL;
3074: }
3075:
3076: #ifdef ENABLE_FRAG
3077: int
3078: frag_handler(iph1, msg, remote, local)
3079: struct ph1handle *iph1;
3080: vchar_t *msg;
3081: struct sockaddr *remote;
3082: struct sockaddr *local;
3083: {
3084: vchar_t *newmsg;
3085:
3086: if (isakmp_frag_extract(iph1, msg) == 1) {
3087: if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
3088: plog(LLV_ERROR, LOCATION, remote,
3089: "Packet reassembly failed\n");
3090: return -1;
3091: }
3092: return isakmp_main(newmsg, remote, local);
3093: }
3094:
3095: return 0;
3096: }
3097: #endif
3098:
3099: void
3100: script_hook(iph1, script)
3101: struct ph1handle *iph1;
3102: int script;
3103: {
3104: #define IP_MAX 40
3105: #define PORT_MAX 6
3106: char addrstr[IP_MAX];
3107: char portstr[PORT_MAX];
3108: char **envp = NULL;
3109: int envc = 1;
3110: char **c;
3111:
3112: if (iph1 == NULL ||
3113: iph1->rmconf == NULL ||
3114: iph1->rmconf->script[script] == NULL)
3115: return;
3116:
3117: #ifdef ENABLE_HYBRID
3118: (void)isakmp_cfg_setenv(iph1, &envp, &envc);
3119: #endif
3120:
3121: /* local address */
3122: GETNAMEINFO(iph1->local, addrstr, portstr);
3123:
3124: if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
3125: plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
3126: goto out;
3127: }
3128:
3129: if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) {
3130: plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n");
3131: goto out;
3132: }
3133:
3134: /* Peer address */
3135: if (iph1->remote != NULL) {
3136: GETNAMEINFO(iph1->remote, addrstr, portstr);
3137:
3138: if (script_env_append(&envp, &envc,
3139: "REMOTE_ADDR", addrstr) != 0) {
3140: plog(LLV_ERROR, LOCATION, NULL,
3141: "Cannot set REMOTE_ADDR\n");
3142: goto out;
3143: }
3144:
3145: if (script_env_append(&envp, &envc,
3146: "REMOTE_PORT", portstr) != 0) {
3147: plog(LLV_ERROR, LOCATION, NULL,
3148: "Cannot set REMOTEL_PORT\n");
3149: goto out;
3150: }
3151: }
3152:
3153: /* Peer identity. */
3154: if (iph1->id_p != NULL) {
3155: if (script_env_append(&envp, &envc, "REMOTE_ID",
3156: ipsecdoi_id2str(iph1->id_p)) != 0) {
3157: plog(LLV_ERROR, LOCATION, NULL,
3158: "Cannot set REMOTE_ID\n");
3159: goto out;
3160: }
3161: }
3162:
3163: if (privsep_script_exec(iph1->rmconf->script[script]->v,
3164: script, envp) != 0)
3165: plog(LLV_ERROR, LOCATION, NULL,
3166: "Script %s execution failed\n", script_names[script]);
3167:
3168: out:
3169: for (c = envp; *c; c++)
3170: racoon_free(*c);
3171:
3172: racoon_free(envp);
3173:
3174: return;
3175: }
3176:
3177: int
3178: script_env_append(envp, envc, name, value)
3179: char ***envp;
3180: int *envc;
3181: char *name;
3182: char *value;
3183: {
3184: char *envitem;
3185: char **newenvp;
3186: int newenvc;
3187:
3188: envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
3189: if (envitem == NULL) {
3190: plog(LLV_ERROR, LOCATION, NULL,
3191: "Cannot allocate memory: %s\n", strerror(errno));
3192: return -1;
3193: }
3194: sprintf(envitem, "%s=%s", name, value);
3195:
3196: newenvc = (*envc) + 1;
3197: newenvp = racoon_realloc(*envp, newenvc * sizeof(char *));
3198: if (newenvp == NULL) {
3199: plog(LLV_ERROR, LOCATION, NULL,
3200: "Cannot allocate memory: %s\n", strerror(errno));
3201: racoon_free(envitem);
3202: return -1;
3203: }
3204:
3205: newenvp[newenvc - 2] = envitem;
3206: newenvp[newenvc - 1] = NULL;
3207:
3208: *envp = newenvp;
3209: *envc = newenvc;
3210: return 0;
3211: }
3212:
3213: int
3214: script_exec(script, name, envp)
3215: char *script;
3216: int name;
3217: char *const envp[];
3218: {
3219: char *argv[] = { NULL, NULL, NULL };
3220:
3221: argv[0] = script;
3222: argv[1] = script_names[name];
3223: argv[2] = NULL;
3224:
3225: switch (fork()) {
3226: case 0:
3227: execve(argv[0], argv, envp);
3228: plog(LLV_ERROR, LOCATION, NULL,
3229: "execve(\"%s\") failed: %s\n",
3230: argv[0], strerror(errno));
3231: _exit(1);
3232: break;
3233: case -1:
3234: plog(LLV_ERROR, LOCATION, NULL,
3235: "Cannot fork: %s\n", strerror(errno));
3236: return -1;
3237: break;
3238: default:
3239: break;
3240: }
3241: return 0;
3242:
3243: }
3244:
3245: void
3246: purge_remote(iph1)
3247: struct ph1handle *iph1;
3248: {
3249: vchar_t *buf = NULL;
3250: struct sadb_msg *msg, *next, *end;
3251: struct sadb_sa *sa;
3252: struct sockaddr *src, *dst;
3253: caddr_t mhp[SADB_EXT_MAX + 1];
3254: u_int proto_id;
3255: struct ph2handle *iph2;
3256: struct ph1handle *new_iph1;
3257:
3258: plog(LLV_INFO, LOCATION, NULL,
3259: "purging ISAKMP-SA spi=%s.\n",
3260: isakmp_pindex(&(iph1->index), iph1->msgid));
3261:
3262: /* Mark as expired. */
3263: iph1->status = PHASE1ST_EXPIRED;
3264:
3265: /* Check if we have another, still valid, phase1 SA. */
3266: new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
3267:
3268: /*
3269: * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
3270: * Keep all others phase2 SAs.
3271: */
3272: buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
3273: if (buf == NULL) {
3274: plog(LLV_DEBUG, LOCATION, NULL,
3275: "pfkey_dump_sadb returned nothing.\n");
3276: return;
3277: }
3278:
3279: msg = (struct sadb_msg *)buf->v;
3280: end = (struct sadb_msg *)(buf->v + buf->l);
3281:
3282: while (msg < end) {
3283: if ((msg->sadb_msg_len << 3) < sizeof(*msg))
3284: break;
3285: next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
3286: if (msg->sadb_msg_type != SADB_DUMP) {
3287: msg = next;
3288: continue;
3289: }
3290:
3291: if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
3292: plog(LLV_ERROR, LOCATION, NULL,
3293: "pfkey_check (%s)\n", ipsec_strerror());
3294: msg = next;
3295: continue;
3296: }
3297:
3298: sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
3299: if (!sa ||
3300: !mhp[SADB_EXT_ADDRESS_SRC] ||
3301: !mhp[SADB_EXT_ADDRESS_DST]) {
3302: msg = next;
3303: continue;
3304: }
3305: pk_fixup_sa_addresses(mhp);
3306: src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
3307: dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
3308:
3309: if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
3310: sa->sadb_sa_state != SADB_SASTATE_MATURE &&
3311: sa->sadb_sa_state != SADB_SASTATE_DYING) {
3312: msg = next;
3313: continue;
3314: }
3315:
3316: /*
3317: * check in/outbound SAs.
3318: * Select only SAs where src == local and dst == remote (outgoing)
3319: * or src == remote and dst == local (incoming).
3320: */
3321: if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
3322: cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
3323: (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
3324: cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) {
3325: msg = next;
3326: continue;
3327: }
3328:
3329: proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
3330: iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
3331:
3332: /* Check if there is another valid ISAKMP-SA */
3333: if (new_iph1 != NULL) {
3334:
3335: if (iph2 == NULL) {
3336: /* No handler... still send a pfkey_delete message, but log this !*/
3337: plog(LLV_INFO, LOCATION, NULL,
3338: "Unknown IPsec-SA spi=%u, hmmmm?\n",
3339: ntohl(sa->sadb_sa_spi));
3340: }else{
3341:
3342: /*
3343: * If we have a new ph1, do not purge IPsec-SAs binded
3344: * to a different ISAKMP-SA
3345: */
3346: if (iph2->ph1 != NULL && iph2->ph1 != iph1){
3347: msg = next;
3348: continue;
3349: }
3350:
3351: /* If the ph2handle is established, do not purge IPsec-SA */
3352: if (iph2->status == PHASE2ST_ESTABLISHED ||
3353: iph2->status == PHASE2ST_EXPIRED) {
3354:
3355: plog(LLV_INFO, LOCATION, NULL,
3356: "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
3357: ntohl(sa->sadb_sa_spi),
3358: isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
3359: msg = next;
3360: continue;
3361: }
3362: }
3363: }
3364:
3365:
3366: pfkey_send_delete(lcconf->sock_pfkey,
3367: msg->sadb_msg_satype,
3368: IPSEC_MODE_ANY,
3369: src, dst, sa->sadb_sa_spi);
3370:
3371: /* delete a relative phase 2 handle. */
3372: if (iph2 != NULL) {
3373: delete_spd(iph2, 0);
3374: remph2(iph2);
3375: delph2(iph2);
3376: }
3377:
3378: plog(LLV_INFO, LOCATION, NULL,
3379: "purged IPsec-SA spi=%u.\n",
3380: ntohl(sa->sadb_sa_spi));
3381:
3382: msg = next;
3383: }
3384:
3385: if (buf)
3386: vfree(buf);
3387:
3388: /* Mark the phase1 handler as EXPIRED */
3389: plog(LLV_INFO, LOCATION, NULL,
3390: "purged ISAKMP-SA spi=%s.\n",
3391: isakmp_pindex(&(iph1->index), iph1->msgid));
3392:
3393: isakmp_ph1delete(iph1);
3394: }
3395:
3396: void
3397: delete_spd(iph2, created)
3398: struct ph2handle *iph2;
3399: u_int64_t created;
3400: {
3401: struct policyindex spidx;
3402: struct sockaddr_storage addr;
3403: u_int8_t pref;
3404: struct sockaddr *src;
3405: struct sockaddr *dst;
3406: int error;
3407: int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
3408:
3409: if (iph2 == NULL)
3410: return;
3411:
3412: /* Delete the SPD entry if we generated it
3413: */
3414: if (! iph2->generated_spidx )
3415: return;
3416:
3417: src = iph2->src;
3418: dst = iph2->dst;
3419:
3420: plog(LLV_INFO, LOCATION, NULL,
3421: "deleting a generated policy.\n");
3422:
3423: memset(&spidx, 0, sizeof(spidx));
3424: iph2->spidx_gen = (caddr_t )&spidx;
3425:
3426: /* make inbound policy */
3427: iph2->src = dst;
3428: iph2->dst = src;
3429: spidx.dir = IPSEC_DIR_INBOUND;
3430: spidx.ul_proto = 0;
3431:
3432: /*
3433: * Note: code from get_proposal_r
3434: */
3435:
3436: #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
3437:
3438: /*
3439: * make destination address in spidx from either ID payload
3440: * or phase 1 address into a address in spidx.
3441: */
3442: if (iph2->id != NULL
3443: && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3444: || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
3445: || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3446: || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3447: /* get a destination address of a policy */
3448: error = ipsecdoi_id2sockaddr(iph2->id,
3449: (struct sockaddr *)&spidx.dst,
3450: &spidx.prefd, &spidx.ul_proto);
3451: if (error)
3452: goto purge;
3453:
3454: #ifdef INET6
3455: /*
3456: * get scopeid from the SA address.
3457: * note that the phase 1 source address is used as
3458: * a destination address to search for a inbound
3459: * policy entry because rcoon is responder.
3460: */
3461: if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
3462: if ((error =
3463: setscopeid((struct sockaddr *)&spidx.dst,
3464: iph2->src)) != 0)
3465: goto purge;
3466: }
3467: #endif
3468:
3469: if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3470: || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
3471: idi2type = _XIDT(iph2->id);
3472:
3473: } else {
3474:
3475: plog(LLV_DEBUG, LOCATION, NULL,
3476: "get a destination address of SP index "
3477: "from phase1 address "
3478: "due to no ID payloads found "
3479: "OR because ID type is not address.\n");
3480:
3481: /*
3482: * copy the SOURCE address of IKE into the
3483: * DESTINATION address of the key to search the
3484: * SPD because the direction of policy is inbound.
3485: */
3486: memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
3487: switch (spidx.dst.ss_family) {
3488: case AF_INET:
3489: spidx.prefd =
3490: sizeof(struct in_addr) << 3;
3491: break;
3492: #ifdef INET6
3493: case AF_INET6:
3494: spidx.prefd =
3495: sizeof(struct in6_addr) << 3;
3496: break;
3497: #endif
3498: default:
3499: spidx.prefd = 0;
3500: break;
3501: }
3502: }
3503:
3504: /* make source address in spidx */
3505: if (iph2->id_p != NULL
3506: && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
3507: || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
3508: || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3509: || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3510: /* get a source address of inbound SA */
3511: error = ipsecdoi_id2sockaddr(iph2->id_p,
3512: (struct sockaddr *)&spidx.src,
3513: &spidx.prefs, &spidx.ul_proto);
3514: if (error)
3515: goto purge;
3516:
3517: #ifdef INET6
3518: /*
3519: * get scopeid from the SA address.
3520: * for more detail, see above of this function.
3521: */
3522: if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
3523: error =
3524: setscopeid((struct sockaddr *)&spidx.src,
3525: iph2->dst);
3526: if (error)
3527: goto purge;
3528: }
3529: #endif
3530:
3531: /* make sa_[src,dst] if both ID types are IP address and same */
3532: if (_XIDT(iph2->id_p) == idi2type
3533: && spidx.dst.ss_family == spidx.src.ss_family) {
3534: iph2->sa_src =
3535: dupsaddr((struct sockaddr *)&spidx.dst);
3536: if (iph2->sa_src == NULL) {
3537: plog(LLV_ERROR, LOCATION, NULL,
3538: "allocation failed\n");
3539: goto purge;
3540: }
3541: iph2->sa_dst =
3542: dupsaddr((struct sockaddr *)&spidx.src);
3543: if (iph2->sa_dst == NULL) {
3544: plog(LLV_ERROR, LOCATION, NULL,
3545: "allocation failed\n");
3546: goto purge;
3547: }
3548: }
3549:
3550: } else {
3551: plog(LLV_DEBUG, LOCATION, NULL,
3552: "get a source address of SP index "
3553: "from phase1 address "
3554: "due to no ID payloads found "
3555: "OR because ID type is not address.\n");
3556:
3557: /* see above comment. */
3558: memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
3559: switch (spidx.src.ss_family) {
3560: case AF_INET:
3561: spidx.prefs =
3562: sizeof(struct in_addr) << 3;
3563: break;
3564: #ifdef INET6
3565: case AF_INET6:
3566: spidx.prefs =
3567: sizeof(struct in6_addr) << 3;
3568: break;
3569: #endif
3570: default:
3571: spidx.prefs = 0;
3572: break;
3573: }
3574: }
3575:
3576: #undef _XIDT
3577:
3578: plog(LLV_DEBUG, LOCATION, NULL,
3579: "get a src address from ID payload "
3580: "%s prefixlen=%u ul_proto=%u\n",
3581: saddr2str((struct sockaddr *)&spidx.src),
3582: spidx.prefs, spidx.ul_proto);
3583: plog(LLV_DEBUG, LOCATION, NULL,
3584: "get dst address from ID payload "
3585: "%s prefixlen=%u ul_proto=%u\n",
3586: saddr2str((struct sockaddr *)&spidx.dst),
3587: spidx.prefd, spidx.ul_proto);
3588:
3589: /*
3590: * convert the ul_proto if it is 0
3591: * because 0 in ID payload means a wild card.
3592: */
3593: if (spidx.ul_proto == 0)
3594: spidx.ul_proto = IPSEC_ULPROTO_ANY;
3595:
3596: #undef _XIDT
3597:
3598: /* Check if the generated SPD has the same timestamp as the SA.
3599: * If timestamps are different, this means that the SPD entry has been
3600: * refreshed by another SA, and should NOT be deleted with the current SA.
3601: */
3602: if( created ){
3603: struct secpolicy *p;
3604:
3605: p = getsp(&spidx);
3606: if(p != NULL){
3607: /* just do no test if p is NULL, because this probably just means
3608: * that the policy has already be deleted for some reason.
3609: */
3610: if(p->spidx.created != created)
3611: goto purge;
3612: }
3613: }
3614:
3615: /* End of code from get_proposal_r
3616: */
3617:
3618: if (pk_sendspddelete(iph2) < 0) {
3619: plog(LLV_ERROR, LOCATION, NULL,
3620: "pfkey spddelete(inbound) failed.\n");
3621: }else{
3622: plog(LLV_DEBUG, LOCATION, NULL,
3623: "pfkey spddelete(inbound) sent.\n");
3624: }
3625:
3626: #ifdef HAVE_POLICY_FWD
3627: /* make forward policy if required */
3628: if (tunnel_mode_prop(iph2->approval)) {
3629: spidx.dir = IPSEC_DIR_FWD;
3630: if (pk_sendspddelete(iph2) < 0) {
3631: plog(LLV_ERROR, LOCATION, NULL,
3632: "pfkey spddelete(forward) failed.\n");
3633: }else{
3634: plog(LLV_DEBUG, LOCATION, NULL,
3635: "pfkey spddelete(forward) sent.\n");
3636: }
3637: }
3638: #endif
3639:
3640: /* make outbound policy */
3641: iph2->src = src;
3642: iph2->dst = dst;
3643: spidx.dir = IPSEC_DIR_OUTBOUND;
3644: addr = spidx.src;
3645: spidx.src = spidx.dst;
3646: spidx.dst = addr;
3647: pref = spidx.prefs;
3648: spidx.prefs = spidx.prefd;
3649: spidx.prefd = pref;
3650:
3651: if (pk_sendspddelete(iph2) < 0) {
3652: plog(LLV_ERROR, LOCATION, NULL,
3653: "pfkey spddelete(outbound) failed.\n");
3654: }else{
3655: plog(LLV_DEBUG, LOCATION, NULL,
3656: "pfkey spddelete(outbound) sent.\n");
3657: }
3658: purge:
3659: iph2->spidx_gen=NULL;
3660: }
3661:
3662:
3663: #ifdef INET6
3664: u_int32_t
3665: setscopeid(sp_addr0, sa_addr0)
3666: struct sockaddr *sp_addr0, *sa_addr0;
3667: {
3668: struct sockaddr_in6 *sp_addr, *sa_addr;
3669:
3670: sp_addr = (struct sockaddr_in6 *)sp_addr0;
3671: sa_addr = (struct sockaddr_in6 *)sa_addr0;
3672:
3673: if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
3674: && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
3675: && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
3676: return 0;
3677:
3678: /* this check should not be here ? */
3679: if (sa_addr->sin6_family != AF_INET6) {
3680: plog(LLV_ERROR, LOCATION, NULL,
3681: "can't get scope ID: family mismatch\n");
3682: return -1;
3683: }
3684:
3685: if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
3686: plog(LLV_ERROR, LOCATION, NULL,
3687: "scope ID is not supported except of lladdr.\n");
3688: return -1;
3689: }
3690:
3691: sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;
3692:
3693: return 0;
3694: }
3695: #endif