Annotation of embedaddon/ipsec-tools/src/racoon/isakmp_inf.c, revision 1.1
1.1 ! misho 1: /* $NetBSD: isakmp_inf.c,v 1.47 2011/03/15 13:20:14 vanhu Exp $ */
! 2:
! 3: /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
! 4:
! 5: /*
! 6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
! 7: * All rights reserved.
! 8: *
! 9: * Redistribution and use in source and binary forms, with or without
! 10: * modification, are permitted provided that the following conditions
! 11: * are met:
! 12: * 1. Redistributions of source code must retain the above copyright
! 13: * notice, this list of conditions and the following disclaimer.
! 14: * 2. Redistributions in binary form must reproduce the above copyright
! 15: * notice, this list of conditions and the following disclaimer in the
! 16: * documentation and/or other materials provided with the distribution.
! 17: * 3. Neither the name of the project nor the names of its contributors
! 18: * may be used to endorse or promote products derived from this software
! 19: * without specific prior written permission.
! 20: *
! 21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
! 22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
! 23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
! 24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
! 25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
! 26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
! 27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
! 28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
! 29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
! 30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
! 31: * SUCH DAMAGE.
! 32: */
! 33:
! 34: #include "config.h"
! 35:
! 36: #include <sys/types.h>
! 37: #include <sys/param.h>
! 38: #include <sys/socket.h>
! 39:
! 40: #include <net/pfkeyv2.h>
! 41: #include <netinet/in.h>
! 42: #include <sys/queue.h>
! 43: #include PATH_IPSEC_H
! 44:
! 45: #include <stdlib.h>
! 46: #include <stdio.h>
! 47: #include <string.h>
! 48: #include <errno.h>
! 49: #if TIME_WITH_SYS_TIME
! 50: # include <sys/time.h>
! 51: # include <time.h>
! 52: #else
! 53: # if HAVE_SYS_TIME_H
! 54: # include <sys/time.h>
! 55: # else
! 56: # include <time.h>
! 57: # endif
! 58: #endif
! 59: #ifdef ENABLE_HYBRID
! 60: #include <resolv.h>
! 61: #endif
! 62:
! 63: #include "libpfkey.h"
! 64:
! 65: #include "var.h"
! 66: #include "vmbuf.h"
! 67: #include "schedule.h"
! 68: #include "str2val.h"
! 69: #include "misc.h"
! 70: #include "plog.h"
! 71: #include "debug.h"
! 72:
! 73: #include "localconf.h"
! 74: #include "remoteconf.h"
! 75: #include "sockmisc.h"
! 76: #include "handler.h"
! 77: #include "policy.h"
! 78: #include "proposal.h"
! 79: #include "isakmp_var.h"
! 80: #include "evt.h"
! 81: #include "isakmp.h"
! 82: #ifdef ENABLE_HYBRID
! 83: #include "isakmp_xauth.h"
! 84: #include "isakmp_unity.h"
! 85: #include "isakmp_cfg.h"
! 86: #endif
! 87: #include "isakmp_inf.h"
! 88: #include "oakley.h"
! 89: #include "ipsec_doi.h"
! 90: #include "crypto_openssl.h"
! 91: #include "pfkey.h"
! 92: #include "policy.h"
! 93: #include "algorithm.h"
! 94: #include "proposal.h"
! 95: #include "admin.h"
! 96: #include "strnames.h"
! 97: #ifdef ENABLE_NATT
! 98: #include "nattraversal.h"
! 99: #endif
! 100:
! 101: /* information exchange */
! 102: static int isakmp_info_recv_n (struct ph1handle *, struct isakmp_pl_n *, u_int32_t, int);
! 103: static int isakmp_info_recv_d (struct ph1handle *, struct isakmp_pl_d *, u_int32_t, int);
! 104:
! 105: #ifdef ENABLE_DPD
! 106: static int isakmp_info_recv_r_u __P((struct ph1handle *,
! 107: struct isakmp_pl_ru *, u_int32_t));
! 108: static int isakmp_info_recv_r_u_ack __P((struct ph1handle *,
! 109: struct isakmp_pl_ru *, u_int32_t));
! 110: static void isakmp_info_send_r_u __P((struct sched *));
! 111: #endif
! 112:
! 113: static void purge_isakmp_spi __P((int, isakmp_index *, size_t));
! 114:
! 115: /* �%%%
! 116: * Information Exchange
! 117: */
! 118: /*
! 119: * receive Information
! 120: */
! 121: int
! 122: isakmp_info_recv(iph1, msg0)
! 123: struct ph1handle *iph1;
! 124: vchar_t *msg0;
! 125: {
! 126: vchar_t *msg = NULL;
! 127: vchar_t *pbuf = NULL;
! 128: u_int32_t msgid = 0;
! 129: int error = -1;
! 130: struct isakmp *isakmp;
! 131: struct isakmp_gen *gen;
! 132: struct isakmp_parse_t *pa, *pap;
! 133: void *p;
! 134: vchar_t *hash, *payload;
! 135: struct isakmp_gen *nd;
! 136: u_int8_t np;
! 137: int encrypted;
! 138:
! 139: plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n");
! 140:
! 141: encrypted = ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E);
! 142: msgid = ((struct isakmp *)msg0->v)->msgid;
! 143:
! 144: /* Use new IV to decrypt Informational message. */
! 145: if (encrypted) {
! 146: struct isakmp_ivm *ivm;
! 147:
! 148: if (iph1->ivm == NULL) {
! 149: plog(LLV_ERROR, LOCATION, NULL, "iph1->ivm == NULL\n");
! 150: return -1;
! 151: }
! 152:
! 153: /* compute IV */
! 154: ivm = oakley_newiv2(iph1, ((struct isakmp *)msg0->v)->msgid);
! 155: if (ivm == NULL)
! 156: return -1;
! 157:
! 158: msg = oakley_do_decrypt(iph1, msg0, ivm->iv, ivm->ive);
! 159: oakley_delivm(ivm);
! 160: if (msg == NULL)
! 161: return -1;
! 162:
! 163: } else
! 164: msg = vdup(msg0);
! 165:
! 166: /* Safety check */
! 167: if (msg->l < sizeof(*isakmp) + sizeof(*gen)) {
! 168: plog(LLV_ERROR, LOCATION, NULL,
! 169: "ignore information because the "
! 170: "message is way too short - %zu byte(s).\n",
! 171: msg->l);
! 172: goto end;
! 173: }
! 174:
! 175: isakmp = (struct isakmp *)msg->v;
! 176: gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
! 177: np = gen->np;
! 178:
! 179: if (encrypted) {
! 180: if (isakmp->np != ISAKMP_NPTYPE_HASH) {
! 181: plog(LLV_ERROR, LOCATION, NULL,
! 182: "ignore information because the "
! 183: "message has no hash payload.\n");
! 184: goto end;
! 185: }
! 186:
! 187: if (iph1->status != PHASE1ST_ESTABLISHED &&
! 188: iph1->status != PHASE1ST_DYING) {
! 189: plog(LLV_ERROR, LOCATION, NULL,
! 190: "ignore information because ISAKMP-SA "
! 191: "has not been established yet.\n");
! 192: goto end;
! 193: }
! 194:
! 195: /* Safety check */
! 196: if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) {
! 197: plog(LLV_ERROR, LOCATION, NULL,
! 198: "ignore information because the "
! 199: "message is too short - %zu byte(s).\n",
! 200: msg->l);
! 201: goto end;
! 202: }
! 203:
! 204: p = (caddr_t) gen + sizeof(struct isakmp_gen);
! 205: nd = (struct isakmp_gen *) ((caddr_t) gen + ntohs(gen->len));
! 206:
! 207: /* nd length check */
! 208: if (ntohs(nd->len) > msg->l - (sizeof(struct isakmp) +
! 209: ntohs(gen->len))) {
! 210: plog(LLV_ERROR, LOCATION, NULL,
! 211: "too long payload length (broken message?)\n");
! 212: goto end;
! 213: }
! 214:
! 215: if (ntohs(nd->len) < sizeof(*nd)) {
! 216: plog(LLV_ERROR, LOCATION, NULL,
! 217: "too short payload length (broken message?)\n");
! 218: goto end;
! 219: }
! 220:
! 221: payload = vmalloc(ntohs(nd->len));
! 222: if (payload == NULL) {
! 223: plog(LLV_ERROR, LOCATION, NULL,
! 224: "cannot allocate memory\n");
! 225: goto end;
! 226: }
! 227:
! 228: memcpy(payload->v, (caddr_t) nd, ntohs(nd->len));
! 229:
! 230: /* compute HASH */
! 231: hash = oakley_compute_hash1(iph1, isakmp->msgid, payload);
! 232: if (hash == NULL) {
! 233: plog(LLV_ERROR, LOCATION, NULL,
! 234: "cannot compute hash\n");
! 235:
! 236: vfree(payload);
! 237: goto end;
! 238: }
! 239:
! 240: if (ntohs(gen->len) - sizeof(struct isakmp_gen) != hash->l) {
! 241: plog(LLV_ERROR, LOCATION, NULL,
! 242: "ignore information due to hash length mismatch\n");
! 243:
! 244: vfree(hash);
! 245: vfree(payload);
! 246: goto end;
! 247: }
! 248:
! 249: if (memcmp(p, hash->v, hash->l) != 0) {
! 250: plog(LLV_ERROR, LOCATION, NULL,
! 251: "ignore information due to hash mismatch\n");
! 252:
! 253: vfree(hash);
! 254: vfree(payload);
! 255: goto end;
! 256: }
! 257:
! 258: plog(LLV_DEBUG, LOCATION, NULL, "hash validated.\n");
! 259:
! 260: vfree(hash);
! 261: vfree(payload);
! 262: } else {
! 263: /* make sure the packet was encrypted after the beginning of phase 1. */
! 264: switch (iph1->etype) {
! 265: case ISAKMP_ETYPE_AGG:
! 266: case ISAKMP_ETYPE_BASE:
! 267: case ISAKMP_ETYPE_IDENT:
! 268: if ((iph1->side == INITIATOR && iph1->status < PHASE1ST_MSG3SENT)
! 269: || (iph1->side == RESPONDER && iph1->status < PHASE1ST_MSG2SENT)) {
! 270: break;
! 271: }
! 272: /*FALLTHRU*/
! 273: default:
! 274: plog(LLV_ERROR, LOCATION, iph1->remote,
! 275: "%s message must be encrypted\n",
! 276: s_isakmp_nptype(np));
! 277: error = 0;
! 278: goto end;
! 279: }
! 280: }
! 281:
! 282: if (!(pbuf = isakmp_parse(msg))) {
! 283: error = -1;
! 284: goto end;
! 285: }
! 286:
! 287: error = 0;
! 288: for (pa = (struct isakmp_parse_t *)pbuf->v; pa->type; pa++) {
! 289: switch (pa->type) {
! 290: case ISAKMP_NPTYPE_HASH:
! 291: /* Handled above */
! 292: break;
! 293: case ISAKMP_NPTYPE_N:
! 294: error = isakmp_info_recv_n(iph1,
! 295: (struct isakmp_pl_n *)pa->ptr,
! 296: msgid, encrypted);
! 297: break;
! 298: case ISAKMP_NPTYPE_D:
! 299: error = isakmp_info_recv_d(iph1,
! 300: (struct isakmp_pl_d *)pa->ptr,
! 301: msgid, encrypted);
! 302: break;
! 303: case ISAKMP_NPTYPE_NONCE:
! 304: /* XXX to be 6.4.2 ike-01.txt */
! 305: /* XXX IV is to be synchronized. */
! 306: plog(LLV_ERROR, LOCATION, iph1->remote,
! 307: "ignore Acknowledged Informational\n");
! 308: break;
! 309: default:
! 310: /* don't send information, see isakmp_ident_r1() */
! 311: error = 0;
! 312: plog(LLV_ERROR, LOCATION, iph1->remote,
! 313: "reject the packet, "
! 314: "received unexpected payload type %s.\n",
! 315: s_isakmp_nptype(gen->np));
! 316: }
! 317: if (error < 0)
! 318: break;
! 319: }
! 320: end:
! 321: if (msg != NULL)
! 322: vfree(msg);
! 323: if (pbuf != NULL)
! 324: vfree(pbuf);
! 325: return error;
! 326: }
! 327:
! 328:
! 329: /*
! 330: * log unhandled / unallowed Notification payload
! 331: */
! 332: int
! 333: isakmp_log_notify(iph1, notify, exchange)
! 334: struct ph1handle *iph1;
! 335: struct isakmp_pl_n *notify;
! 336: const char *exchange;
! 337: {
! 338: u_int type;
! 339: char *nraw, *ndata, *nhex;
! 340: size_t l;
! 341:
! 342: type = ntohs(notify->type);
! 343: if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) {
! 344: plog(LLV_ERROR, LOCATION, iph1->remote,
! 345: "invalid spi_size in %s notification in %s.\n",
! 346: s_isakmp_notify_msg(type), exchange);
! 347: return -1;
! 348: }
! 349:
! 350: plog(LLV_ERROR, LOCATION, iph1->remote,
! 351: "notification %s received in %s.\n",
! 352: s_isakmp_notify_msg(type), exchange);
! 353:
! 354: nraw = ((char*) notify) + sizeof(*notify) + notify->spi_size;
! 355: l = ntohs(notify->h.len) - sizeof(*notify) - notify->spi_size;
! 356: if (l > 0) {
! 357: if (type >= ISAKMP_NTYPE_MINERROR &&
! 358: type <= ISAKMP_NTYPE_MAXERROR) {
! 359: ndata = binsanitize(nraw, l);
! 360: if (ndata != NULL) {
! 361: plog(LLV_ERROR, LOCATION, iph1->remote,
! 362: "error message: '%s'.\n",
! 363: ndata);
! 364: racoon_free(ndata);
! 365: } else {
! 366: plog(LLV_ERROR, LOCATION, iph1->remote,
! 367: "Cannot allocate memory\n");
! 368: }
! 369: } else {
! 370: nhex = val2str(nraw, l);
! 371: if (nhex != NULL) {
! 372: plog(LLV_ERROR, LOCATION, iph1->remote,
! 373: "notification payload: %s.\n",
! 374: nhex);
! 375: racoon_free(nhex);
! 376: } else {
! 377: plog(LLV_ERROR, LOCATION, iph1->remote,
! 378: "Cannot allocate memory\n");
! 379: }
! 380: }
! 381: }
! 382:
! 383: return 0;
! 384: }
! 385:
! 386:
! 387: /*
! 388: * handling of Notification payload
! 389: */
! 390: static int
! 391: isakmp_info_recv_n(iph1, notify, msgid, encrypted)
! 392: struct ph1handle *iph1;
! 393: struct isakmp_pl_n *notify;
! 394: u_int32_t msgid;
! 395: int encrypted;
! 396: {
! 397: u_int type;
! 398:
! 399: type = ntohs(notify->type);
! 400: switch (type) {
! 401: case ISAKMP_NTYPE_CONNECTED:
! 402: case ISAKMP_NTYPE_RESPONDER_LIFETIME:
! 403: case ISAKMP_NTYPE_REPLAY_STATUS:
! 404: #ifdef ENABLE_HYBRID
! 405: case ISAKMP_NTYPE_UNITY_HEARTBEAT:
! 406: #endif
! 407: /* do something */
! 408: break;
! 409: case ISAKMP_NTYPE_INITIAL_CONTACT:
! 410: if (encrypted)
! 411: return isakmp_info_recv_initialcontact(iph1, NULL);
! 412: break;
! 413: #ifdef ENABLE_DPD
! 414: case ISAKMP_NTYPE_R_U_THERE:
! 415: if (encrypted)
! 416: return isakmp_info_recv_r_u(iph1,
! 417: (struct isakmp_pl_ru *)notify, msgid);
! 418: break;
! 419: case ISAKMP_NTYPE_R_U_THERE_ACK:
! 420: if (encrypted)
! 421: return isakmp_info_recv_r_u_ack(iph1,
! 422: (struct isakmp_pl_ru *)notify, msgid);
! 423: break;
! 424: #endif
! 425: }
! 426:
! 427: /* If we receive a error notification we should delete the related
! 428: * phase1 / phase2 handle, and send an event to racoonctl.
! 429: * However, since phase1 error notifications are not encrypted and
! 430: * can not be authenticated, it would allow a DoS attack possibility
! 431: * to handle them.
! 432: * Phase2 error notifications should be encrypted, so we could handle
! 433: * those, but it needs implementing (the old code didn't implement
! 434: * that either).
! 435: * So we are good to just log the messages here.
! 436: */
! 437: if (encrypted)
! 438: isakmp_log_notify(iph1, notify, "informational exchange");
! 439: else
! 440: isakmp_log_notify(iph1, notify, "unencrypted informational exchange");
! 441:
! 442: return 0;
! 443: }
! 444:
! 445: /*
! 446: * handling of Deletion payload
! 447: */
! 448: static int
! 449: isakmp_info_recv_d(iph1, delete, msgid, encrypted)
! 450: struct ph1handle *iph1;
! 451: struct isakmp_pl_d *delete;
! 452: u_int32_t msgid;
! 453: int encrypted;
! 454: {
! 455: int tlen, num_spi;
! 456: vchar_t *pbuf;
! 457: int protected = 0;
! 458: struct ph1handle *del_ph1;
! 459: struct ph2handle *iph2;
! 460: union {
! 461: u_int32_t spi32;
! 462: u_int16_t spi16[2];
! 463: } spi;
! 464:
! 465: if (ntohl(delete->doi) != IPSEC_DOI) {
! 466: plog(LLV_ERROR, LOCATION, iph1->remote,
! 467: "delete payload with invalid doi:%d.\n",
! 468: ntohl(delete->doi));
! 469: #ifdef ENABLE_HYBRID
! 470: /*
! 471: * At deconnexion time, Cisco VPN client does this
! 472: * with a zero DOI. Don't give up in that situation.
! 473: */
! 474: if (((iph1->mode_cfg->flags &
! 475: ISAKMP_CFG_VENDORID_UNITY) == 0) || (delete->doi != 0))
! 476: return 0;
! 477: #else
! 478: return 0;
! 479: #endif
! 480: }
! 481:
! 482: num_spi = ntohs(delete->num_spi);
! 483: tlen = ntohs(delete->h.len) - sizeof(struct isakmp_pl_d);
! 484:
! 485: if (tlen != num_spi * delete->spi_size) {
! 486: plog(LLV_ERROR, LOCATION, iph1->remote,
! 487: "deletion payload with invalid length.\n");
! 488: return 0;
! 489: }
! 490:
! 491: plog(LLV_DEBUG, LOCATION, iph1->remote,
! 492: "delete payload for protocol %s\n",
! 493: s_ipsecdoi_proto(delete->proto_id));
! 494:
! 495: if(!iph1->rmconf->weak_phase1_check && !encrypted) {
! 496: plog(LLV_WARNING, LOCATION, iph1->remote,
! 497: "Ignoring unencrypted delete payload "
! 498: "(check the weak_phase1_check option)\n");
! 499: return 0;
! 500: }
! 501:
! 502: switch (delete->proto_id) {
! 503: case IPSECDOI_PROTO_ISAKMP:
! 504: if (delete->spi_size != sizeof(isakmp_index)) {
! 505: plog(LLV_ERROR, LOCATION, iph1->remote,
! 506: "delete payload with strange spi "
! 507: "size %d(proto_id:%d)\n",
! 508: delete->spi_size, delete->proto_id);
! 509: return 0;
! 510: }
! 511:
! 512: del_ph1=getph1byindex((isakmp_index *)(delete + 1));
! 513: if(del_ph1 != NULL){
! 514:
! 515: evt_phase1(iph1, EVT_PHASE1_PEER_DELETED, NULL);
! 516: sched_cancel(&del_ph1->scr);
! 517:
! 518: /*
! 519: * Delete also IPsec-SAs if rekeying is enabled.
! 520: */
! 521: if (ph1_rekey_enabled(del_ph1))
! 522: purge_remote(del_ph1);
! 523: else
! 524: isakmp_ph1expire(del_ph1);
! 525: }
! 526: break;
! 527:
! 528: case IPSECDOI_PROTO_IPSEC_AH:
! 529: case IPSECDOI_PROTO_IPSEC_ESP:
! 530: if (delete->spi_size != sizeof(u_int32_t)) {
! 531: plog(LLV_ERROR, LOCATION, iph1->remote,
! 532: "delete payload with strange spi "
! 533: "size %d(proto_id:%d)\n",
! 534: delete->spi_size, delete->proto_id);
! 535: return 0;
! 536: }
! 537: purge_ipsec_spi(iph1->remote, delete->proto_id,
! 538: (u_int32_t *)(delete + 1), num_spi);
! 539: break;
! 540:
! 541: case IPSECDOI_PROTO_IPCOMP:
! 542: /* need to handle both 16bit/32bit SPI */
! 543: memset(&spi, 0, sizeof(spi));
! 544: if (delete->spi_size == sizeof(spi.spi16[1])) {
! 545: memcpy(&spi.spi16[1], delete + 1,
! 546: sizeof(spi.spi16[1]));
! 547: } else if (delete->spi_size == sizeof(spi.spi32))
! 548: memcpy(&spi.spi32, delete + 1, sizeof(spi.spi32));
! 549: else {
! 550: plog(LLV_ERROR, LOCATION, iph1->remote,
! 551: "delete payload with strange spi "
! 552: "size %d(proto_id:%d)\n",
! 553: delete->spi_size, delete->proto_id);
! 554: return 0;
! 555: }
! 556: purge_ipsec_spi(iph1->remote, delete->proto_id,
! 557: &spi.spi32, num_spi);
! 558: break;
! 559:
! 560: default:
! 561: plog(LLV_ERROR, LOCATION, iph1->remote,
! 562: "deletion message received, "
! 563: "invalid proto_id: %d\n",
! 564: delete->proto_id);
! 565: return 0;
! 566: }
! 567:
! 568: plog(LLV_DEBUG, LOCATION, NULL, "purged SAs.\n");
! 569:
! 570: return 0;
! 571: }
! 572:
! 573: /*
! 574: * send Delete payload (for ISAKMP SA) in Informational exchange.
! 575: */
! 576: int
! 577: isakmp_info_send_d1(iph1)
! 578: struct ph1handle *iph1;
! 579: {
! 580: struct isakmp_pl_d *d;
! 581: vchar_t *payload = NULL;
! 582: int tlen;
! 583: int error = 0;
! 584:
! 585: if (iph1->status != PHASE2ST_ESTABLISHED)
! 586: return 0;
! 587:
! 588: /* create delete payload */
! 589:
! 590: /* send SPIs of inbound SAs. */
! 591: /* XXX should send outbound SAs's ? */
! 592: tlen = sizeof(*d) + sizeof(isakmp_index);
! 593: payload = vmalloc(tlen);
! 594: if (payload == NULL) {
! 595: plog(LLV_ERROR, LOCATION, NULL,
! 596: "failed to get buffer for payload.\n");
! 597: return errno;
! 598: }
! 599:
! 600: d = (struct isakmp_pl_d *)payload->v;
! 601: d->h.np = ISAKMP_NPTYPE_NONE;
! 602: d->h.len = htons(tlen);
! 603: d->doi = htonl(IPSEC_DOI);
! 604: d->proto_id = IPSECDOI_PROTO_ISAKMP;
! 605: d->spi_size = sizeof(isakmp_index);
! 606: d->num_spi = htons(1);
! 607: memcpy(d + 1, &iph1->index, sizeof(isakmp_index));
! 608:
! 609: error = isakmp_info_send_common(iph1, payload,
! 610: ISAKMP_NPTYPE_D, 0);
! 611: vfree(payload);
! 612:
! 613: return error;
! 614: }
! 615:
! 616: /*
! 617: * send Delete payload (for IPsec SA) in Informational exchange, based on
! 618: * pfkey msg. It sends always single SPI.
! 619: */
! 620: int
! 621: isakmp_info_send_d2(iph2)
! 622: struct ph2handle *iph2;
! 623: {
! 624: struct ph1handle *iph1;
! 625: struct saproto *pr;
! 626: struct isakmp_pl_d *d;
! 627: vchar_t *payload = NULL;
! 628: int tlen;
! 629: int error = 0;
! 630: u_int8_t *spi;
! 631:
! 632: if (iph2->status != PHASE2ST_ESTABLISHED)
! 633: return 0;
! 634:
! 635: /*
! 636: * don't send delete information if there is no phase 1 handler.
! 637: * It's nonsensical to negotiate phase 1 to send the information.
! 638: */
! 639: iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
! 640: if (iph1 == NULL){
! 641: plog(LLV_DEBUG2, LOCATION, NULL,
! 642: "No ph1 handler found, could not send DELETE_SA\n");
! 643: return 0;
! 644: }
! 645:
! 646: /* create delete payload */
! 647: for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
! 648:
! 649: /* send SPIs of inbound SAs. */
! 650: /*
! 651: * XXX should I send outbound SAs's ?
! 652: * I send inbound SAs's SPI only at the moment because I can't
! 653: * decode any more if peer send encoded packet without aware of
! 654: * deletion of SA. Outbound SAs don't come under the situation.
! 655: */
! 656: tlen = sizeof(*d) + pr->spisize;
! 657: payload = vmalloc(tlen);
! 658: if (payload == NULL) {
! 659: plog(LLV_ERROR, LOCATION, NULL,
! 660: "failed to get buffer for payload.\n");
! 661: return errno;
! 662: }
! 663:
! 664: d = (struct isakmp_pl_d *)payload->v;
! 665: d->h.np = ISAKMP_NPTYPE_NONE;
! 666: d->h.len = htons(tlen);
! 667: d->doi = htonl(IPSEC_DOI);
! 668: d->proto_id = pr->proto_id;
! 669: d->spi_size = pr->spisize;
! 670: d->num_spi = htons(1);
! 671: /*
! 672: * XXX SPI bits are left-filled, for use with IPComp.
! 673: * we should be switching to variable-length spi field...
! 674: */
! 675: spi = (u_int8_t *)&pr->spi;
! 676: spi += sizeof(pr->spi);
! 677: spi -= pr->spisize;
! 678: memcpy(d + 1, spi, pr->spisize);
! 679:
! 680: error = isakmp_info_send_common(iph1, payload,
! 681: ISAKMP_NPTYPE_D, 0);
! 682: vfree(payload);
! 683: }
! 684:
! 685: return error;
! 686: }
! 687:
! 688: /*
! 689: * send Notification payload (for without ISAKMP SA) in Informational exchange
! 690: */
! 691: int
! 692: isakmp_info_send_nx(isakmp, remote, local, type, data)
! 693: struct isakmp *isakmp;
! 694: struct sockaddr *remote, *local;
! 695: int type;
! 696: vchar_t *data;
! 697: {
! 698: struct ph1handle *iph1 = NULL;
! 699: vchar_t *payload = NULL;
! 700: int tlen;
! 701: int error = -1;
! 702: struct isakmp_pl_n *n;
! 703: int spisiz = 0; /* see below */
! 704:
! 705: /* add new entry to isakmp status table. */
! 706: iph1 = newph1();
! 707: if (iph1 == NULL)
! 708: return -1;
! 709:
! 710: memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(cookie_t));
! 711: isakmp_newcookie((char *)&iph1->index.r_ck, remote, local);
! 712: iph1->status = PHASE1ST_START;
! 713: iph1->side = INITIATOR;
! 714: iph1->version = isakmp->v;
! 715: iph1->flags = 0;
! 716: iph1->msgid = 0; /* XXX */
! 717: #ifdef ENABLE_HYBRID
! 718: if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
! 719: goto end;
! 720: #endif
! 721: #ifdef ENABLE_FRAG
! 722: iph1->frag = 0;
! 723: iph1->frag_chain = NULL;
! 724: #endif
! 725:
! 726: /* copy remote address */
! 727: if (copy_ph1addresses(iph1, NULL, remote, local) < 0)
! 728: goto end;
! 729:
! 730: tlen = sizeof(*n) + spisiz;
! 731: if (data)
! 732: tlen += data->l;
! 733: payload = vmalloc(tlen);
! 734: if (payload == NULL) {
! 735: plog(LLV_ERROR, LOCATION, NULL,
! 736: "failed to get buffer to send.\n");
! 737: goto end;
! 738: }
! 739:
! 740: n = (struct isakmp_pl_n *)payload->v;
! 741: n->h.np = ISAKMP_NPTYPE_NONE;
! 742: n->h.len = htons(tlen);
! 743: n->doi = htonl(IPSEC_DOI);
! 744: n->proto_id = IPSECDOI_KEY_IKE;
! 745: n->spi_size = spisiz;
! 746: n->type = htons(type);
! 747: if (spisiz)
! 748: memset(n + 1, 0, spisiz); /* XXX spisiz is always 0 */
! 749: if (data)
! 750: memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);
! 751:
! 752: error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
! 753: vfree(payload);
! 754:
! 755: end:
! 756: if (iph1 != NULL)
! 757: delph1(iph1);
! 758:
! 759: return error;
! 760: }
! 761:
! 762: /*
! 763: * send Notification payload (for ISAKMP SA) in Informational exchange
! 764: */
! 765: int
! 766: isakmp_info_send_n1(iph1, type, data)
! 767: struct ph1handle *iph1;
! 768: int type;
! 769: vchar_t *data;
! 770: {
! 771: vchar_t *payload = NULL;
! 772: int tlen;
! 773: int error = 0;
! 774: struct isakmp_pl_n *n;
! 775: int spisiz;
! 776:
! 777: /*
! 778: * note on SPI size: which description is correct? I have chosen
! 779: * this to be 0.
! 780: *
! 781: * RFC2408 3.1, 2nd paragraph says: ISAKMP SA is identified by
! 782: * Initiator/Responder cookie and SPI has no meaning, SPI size = 0.
! 783: * RFC2408 3.1, first paragraph on page 40: ISAKMP SA is identified
! 784: * by cookie and SPI has no meaning, 0 <= SPI size <= 16.
! 785: * RFC2407 4.6.3.3, INITIAL-CONTACT is required to set to 16.
! 786: */
! 787: if (type == ISAKMP_NTYPE_INITIAL_CONTACT)
! 788: spisiz = sizeof(isakmp_index);
! 789: else
! 790: spisiz = 0;
! 791:
! 792: tlen = sizeof(*n) + spisiz;
! 793: if (data)
! 794: tlen += data->l;
! 795: payload = vmalloc(tlen);
! 796: if (payload == NULL) {
! 797: plog(LLV_ERROR, LOCATION, NULL,
! 798: "failed to get buffer to send.\n");
! 799: return errno;
! 800: }
! 801:
! 802: n = (struct isakmp_pl_n *)payload->v;
! 803: n->h.np = ISAKMP_NPTYPE_NONE;
! 804: n->h.len = htons(tlen);
! 805: n->doi = htonl(iph1->rmconf->doitype);
! 806: n->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX to be configurable ? */
! 807: n->spi_size = spisiz;
! 808: n->type = htons(type);
! 809: if (spisiz)
! 810: memcpy(n + 1, &iph1->index, sizeof(isakmp_index));
! 811: if (data)
! 812: memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);
! 813:
! 814: error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags);
! 815: vfree(payload);
! 816:
! 817: return error;
! 818: }
! 819:
! 820: /*
! 821: * send Notification payload (for IPsec SA) in Informational exchange
! 822: */
! 823: int
! 824: isakmp_info_send_n2(iph2, type, data)
! 825: struct ph2handle *iph2;
! 826: int type;
! 827: vchar_t *data;
! 828: {
! 829: struct ph1handle *iph1 = iph2->ph1;
! 830: vchar_t *payload = NULL;
! 831: int tlen;
! 832: int error = 0;
! 833: struct isakmp_pl_n *n;
! 834: struct saproto *pr;
! 835:
! 836: if (!iph2->approval)
! 837: return EINVAL;
! 838:
! 839: pr = iph2->approval->head;
! 840:
! 841: /* XXX must be get proper spi */
! 842: tlen = sizeof(*n) + pr->spisize;
! 843: if (data)
! 844: tlen += data->l;
! 845: payload = vmalloc(tlen);
! 846: if (payload == NULL) {
! 847: plog(LLV_ERROR, LOCATION, NULL,
! 848: "failed to get buffer to send.\n");
! 849: return errno;
! 850: }
! 851:
! 852: n = (struct isakmp_pl_n *)payload->v;
! 853: n->h.np = ISAKMP_NPTYPE_NONE;
! 854: n->h.len = htons(tlen);
! 855: n->doi = htonl(IPSEC_DOI); /* IPSEC DOI (1) */
! 856: n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/
! 857: n->spi_size = pr->spisize;
! 858: n->type = htons(type);
! 859: *(u_int32_t *)(n + 1) = pr->spi;
! 860: if (data)
! 861: memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l);
! 862:
! 863: iph2->flags |= ISAKMP_FLAG_E; /* XXX Should we do FLAG_A ? */
! 864: error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph2->flags);
! 865: vfree(payload);
! 866:
! 867: return error;
! 868: }
! 869:
! 870: /*
! 871: * send Information
! 872: * When ph1->skeyid_a == NULL, send message without encoding.
! 873: */
! 874: int
! 875: isakmp_info_send_common(iph1, payload, np, flags)
! 876: struct ph1handle *iph1;
! 877: vchar_t *payload;
! 878: u_int32_t np;
! 879: int flags;
! 880: {
! 881: struct ph2handle *iph2 = NULL;
! 882: vchar_t *hash = NULL;
! 883: struct isakmp *isakmp;
! 884: struct isakmp_gen *gen;
! 885: char *p;
! 886: int tlen;
! 887: int error = -1;
! 888:
! 889: /* add new entry to isakmp status table */
! 890: iph2 = newph2();
! 891: if (iph2 == NULL)
! 892: goto end;
! 893:
! 894: iph2->dst = dupsaddr(iph1->remote);
! 895: if (iph2->dst == NULL) {
! 896: delph2(iph2);
! 897: goto end;
! 898: }
! 899: iph2->src = dupsaddr(iph1->local);
! 900: if (iph2->src == NULL) {
! 901: delph2(iph2);
! 902: goto end;
! 903: }
! 904: iph2->side = INITIATOR;
! 905: iph2->status = PHASE2ST_START;
! 906: iph2->msgid = isakmp_newmsgid2(iph1);
! 907:
! 908: /* get IV and HASH(1) if skeyid_a was generated. */
! 909: if (iph1->skeyid_a != NULL) {
! 910: iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
! 911: if (iph2->ivm == NULL) {
! 912: delph2(iph2);
! 913: goto end;
! 914: }
! 915:
! 916: /* generate HASH(1) */
! 917: hash = oakley_compute_hash1(iph1, iph2->msgid, payload);
! 918: if (hash == NULL) {
! 919: delph2(iph2);
! 920: goto end;
! 921: }
! 922:
! 923: /* initialized total buffer length */
! 924: tlen = hash->l;
! 925: tlen += sizeof(*gen);
! 926: } else {
! 927: /* IKE-SA is not established */
! 928: hash = NULL;
! 929:
! 930: /* initialized total buffer length */
! 931: tlen = 0;
! 932: }
! 933: if ((flags & ISAKMP_FLAG_A) == 0)
! 934: iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E);
! 935: else
! 936: iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A);
! 937:
! 938: insph2(iph2);
! 939: bindph12(iph1, iph2);
! 940:
! 941: tlen += sizeof(*isakmp) + payload->l;
! 942:
! 943: /* create buffer for isakmp payload */
! 944: iph2->sendbuf = vmalloc(tlen);
! 945: if (iph2->sendbuf == NULL) {
! 946: plog(LLV_ERROR, LOCATION, NULL,
! 947: "failed to get buffer to send.\n");
! 948: goto err;
! 949: }
! 950:
! 951: /* create isakmp header */
! 952: isakmp = (struct isakmp *)iph2->sendbuf->v;
! 953: memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
! 954: memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
! 955: isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH;
! 956: isakmp->v = iph1->version;
! 957: isakmp->etype = ISAKMP_ETYPE_INFO;
! 958: isakmp->flags = iph2->flags;
! 959: memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
! 960: isakmp->len = htonl(tlen);
! 961: p = (char *)(isakmp + 1);
! 962:
! 963: /* create HASH payload */
! 964: if (hash != NULL) {
! 965: gen = (struct isakmp_gen *)p;
! 966: gen->np = np & 0xff;
! 967: gen->len = htons(sizeof(*gen) + hash->l);
! 968: p += sizeof(*gen);
! 969: memcpy(p, hash->v, hash->l);
! 970: p += hash->l;
! 971: }
! 972:
! 973: /* add payload */
! 974: memcpy(p, payload->v, payload->l);
! 975: p += payload->l;
! 976:
! 977: #ifdef HAVE_PRINT_ISAKMP_C
! 978: isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
! 979: #endif
! 980:
! 981: /* encoding */
! 982: if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
! 983: vchar_t *tmp;
! 984:
! 985: tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, iph2->ivm->ive,
! 986: iph2->ivm->iv);
! 987: VPTRINIT(iph2->sendbuf);
! 988: if (tmp == NULL)
! 989: goto err;
! 990: iph2->sendbuf = tmp;
! 991: }
! 992:
! 993: /* HDR*, HASH(1), N */
! 994: if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
! 995: VPTRINIT(iph2->sendbuf);
! 996: goto err;
! 997: }
! 998:
! 999: plog(LLV_DEBUG, LOCATION, NULL,
! 1000: "sendto Information %s.\n", s_isakmp_nptype(np));
! 1001:
! 1002: /*
! 1003: * don't resend notify message because peer can use Acknowledged
! 1004: * Informational if peer requires the reply of the notify message.
! 1005: */
! 1006:
! 1007: /* XXX If Acknowledged Informational required, don't delete ph2handle */
! 1008: error = 0;
! 1009: VPTRINIT(iph2->sendbuf);
! 1010: goto err; /* XXX */
! 1011:
! 1012: end:
! 1013: if (hash)
! 1014: vfree(hash);
! 1015: return error;
! 1016:
! 1017: err:
! 1018: remph2(iph2);
! 1019: delph2(iph2);
! 1020: goto end;
! 1021: }
! 1022:
! 1023: /*
! 1024: * add a notify payload to buffer by reallocating buffer.
! 1025: * If buf == NULL, the function only create a notify payload.
! 1026: *
! 1027: * XXX Which is SPI to be included, inbound or outbound ?
! 1028: */
! 1029: vchar_t *
! 1030: isakmp_add_pl_n(buf0, np_p, type, pr, data)
! 1031: vchar_t *buf0;
! 1032: u_int8_t **np_p;
! 1033: int type;
! 1034: struct saproto *pr;
! 1035: vchar_t *data;
! 1036: {
! 1037: vchar_t *buf = NULL;
! 1038: struct isakmp_pl_n *n;
! 1039: int tlen;
! 1040: int oldlen = 0;
! 1041:
! 1042: if (*np_p)
! 1043: **np_p = ISAKMP_NPTYPE_N;
! 1044:
! 1045: tlen = sizeof(*n) + pr->spisize;
! 1046:
! 1047: if (data)
! 1048: tlen += data->l;
! 1049: if (buf0) {
! 1050: oldlen = buf0->l;
! 1051: buf = vrealloc(buf0, buf0->l + tlen);
! 1052: } else
! 1053: buf = vmalloc(tlen);
! 1054: if (!buf) {
! 1055: plog(LLV_ERROR, LOCATION, NULL,
! 1056: "failed to get a payload buffer.\n");
! 1057: return NULL;
! 1058: }
! 1059:
! 1060: n = (struct isakmp_pl_n *)(buf->v + oldlen);
! 1061: n->h.np = ISAKMP_NPTYPE_NONE;
! 1062: n->h.len = htons(tlen);
! 1063: n->doi = htonl(IPSEC_DOI); /* IPSEC DOI (1) */
! 1064: n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/
! 1065: n->spi_size = pr->spisize;
! 1066: n->type = htons(type);
! 1067: *(u_int32_t *)(n + 1) = pr->spi; /* XXX */
! 1068: if (data)
! 1069: memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l);
! 1070:
! 1071: /* save the pointer of next payload type */
! 1072: *np_p = &n->h.np;
! 1073:
! 1074: return buf;
! 1075: }
! 1076:
! 1077: static void
! 1078: purge_isakmp_spi(proto, spi, n)
! 1079: int proto;
! 1080: isakmp_index *spi; /*network byteorder*/
! 1081: size_t n;
! 1082: {
! 1083: struct ph1handle *iph1;
! 1084: size_t i;
! 1085:
! 1086: for (i = 0; i < n; i++) {
! 1087: iph1 = getph1byindex(&spi[i]);
! 1088: if (!iph1)
! 1089: continue;
! 1090:
! 1091: plog(LLV_INFO, LOCATION, NULL,
! 1092: "purged ISAKMP-SA proto_id=%s spi=%s.\n",
! 1093: s_ipsecdoi_proto(proto),
! 1094: isakmp_pindex(&spi[i], 0));
! 1095:
! 1096: iph1->status = PHASE1ST_EXPIRED;
! 1097: isakmp_ph1delete(iph1);
! 1098: }
! 1099: }
! 1100:
! 1101:
! 1102:
! 1103: void
! 1104: purge_ipsec_spi(dst0, proto, spi, n)
! 1105: struct sockaddr *dst0;
! 1106: int proto;
! 1107: u_int32_t *spi; /*network byteorder*/
! 1108: size_t n;
! 1109: {
! 1110: vchar_t *buf = NULL;
! 1111: struct sadb_msg *msg, *next, *end;
! 1112: struct sadb_sa *sa;
! 1113: struct sadb_lifetime *lt;
! 1114: struct sockaddr *src, *dst;
! 1115: struct ph2handle *iph2;
! 1116: u_int64_t created;
! 1117: size_t i;
! 1118: caddr_t mhp[SADB_EXT_MAX + 1];
! 1119:
! 1120: plog(LLV_DEBUG2, LOCATION, NULL,
! 1121: "purge_ipsec_spi:\n");
! 1122: plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str(dst0));
! 1123: plog(LLV_DEBUG2, LOCATION, NULL, "SPI: %08X\n", ntohl(spi[0]));
! 1124:
! 1125: buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto));
! 1126: if (buf == NULL) {
! 1127: plog(LLV_DEBUG, LOCATION, NULL,
! 1128: "pfkey_dump_sadb returned nothing.\n");
! 1129: return;
! 1130: }
! 1131:
! 1132: msg = (struct sadb_msg *)buf->v;
! 1133: end = (struct sadb_msg *)(buf->v + buf->l);
! 1134:
! 1135: while (msg < end) {
! 1136: if ((msg->sadb_msg_len << 3) < sizeof(*msg))
! 1137: break;
! 1138: next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
! 1139: if (msg->sadb_msg_type != SADB_DUMP) {
! 1140: msg = next;
! 1141: continue;
! 1142: }
! 1143:
! 1144: if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
! 1145: plog(LLV_ERROR, LOCATION, NULL,
! 1146: "pfkey_check (%s)\n", ipsec_strerror());
! 1147: msg = next;
! 1148: continue;
! 1149: }
! 1150:
! 1151: sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
! 1152: if (!sa
! 1153: || !mhp[SADB_EXT_ADDRESS_SRC]
! 1154: || !mhp[SADB_EXT_ADDRESS_DST]) {
! 1155: msg = next;
! 1156: continue;
! 1157: }
! 1158: pk_fixup_sa_addresses(mhp);
! 1159: src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
! 1160: dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
! 1161: lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
! 1162: if(lt != NULL)
! 1163: created = lt->sadb_lifetime_addtime;
! 1164: else
! 1165: created = 0;
! 1166:
! 1167: if (sa->sadb_sa_state != SADB_SASTATE_MATURE
! 1168: && sa->sadb_sa_state != SADB_SASTATE_DYING) {
! 1169: msg = next;
! 1170: continue;
! 1171: }
! 1172:
! 1173: plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
! 1174: plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
! 1175:
! 1176: /* XXX n^2 algorithm, inefficient */
! 1177:
! 1178: /* don't delete inbound SAs at the moment */
! 1179: /* XXX should we remove SAs with opposite direction as well? */
! 1180: if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
! 1181: msg = next;
! 1182: continue;
! 1183: }
! 1184:
! 1185: for (i = 0; i < n; i++) {
! 1186: plog(LLV_DEBUG, LOCATION, NULL,
! 1187: "check spi(packet)=%u spi(db)=%u.\n",
! 1188: ntohl(spi[i]), ntohl(sa->sadb_sa_spi));
! 1189: if (spi[i] != sa->sadb_sa_spi)
! 1190: continue;
! 1191:
! 1192: pfkey_send_delete(lcconf->sock_pfkey,
! 1193: msg->sadb_msg_satype,
! 1194: IPSEC_MODE_ANY,
! 1195: src, dst, sa->sadb_sa_spi);
! 1196:
! 1197: /*
! 1198: * delete a relative phase 2 handler.
! 1199: * continue to process if no relative phase 2 handler
! 1200: * exists.
! 1201: */
! 1202: iph2 = getph2bysaidx(src, dst, proto, spi[i]);
! 1203: if(iph2 != NULL){
! 1204: delete_spd(iph2, created);
! 1205: remph2(iph2);
! 1206: delph2(iph2);
! 1207: }
! 1208:
! 1209: plog(LLV_INFO, LOCATION, NULL,
! 1210: "purged IPsec-SA proto_id=%s spi=%u.\n",
! 1211: s_ipsecdoi_proto(proto),
! 1212: ntohl(spi[i]));
! 1213: }
! 1214:
! 1215: msg = next;
! 1216: }
! 1217:
! 1218: if (buf)
! 1219: vfree(buf);
! 1220: }
! 1221:
! 1222: /*
! 1223: * delete all phase2 sa relatived to the destination address
! 1224: * (except the phase2 within which the INITIAL-CONTACT was received).
! 1225: * Don't delete Phase 1 handlers on INITIAL-CONTACT, and don't ignore
! 1226: * an INITIAL-CONTACT if we have contacted the peer. This matches the
! 1227: * Sun IKE behavior, and makes rekeying work much better when the peer
! 1228: * restarts.
! 1229: */
! 1230: int
! 1231: isakmp_info_recv_initialcontact(iph1, protectedph2)
! 1232: struct ph1handle *iph1;
! 1233: struct ph2handle *protectedph2;
! 1234: {
! 1235: vchar_t *buf = NULL;
! 1236: struct sadb_msg *msg, *next, *end;
! 1237: struct sadb_sa *sa;
! 1238: struct sockaddr *src, *dst;
! 1239: caddr_t mhp[SADB_EXT_MAX + 1];
! 1240: int proto_id, i;
! 1241: struct ph2handle *iph2;
! 1242: #if 0
! 1243: char *loc, *rem;
! 1244: #endif
! 1245:
! 1246: plog(LLV_INFO, LOCATION, iph1->remote, "received INITIAL-CONTACT\n");
! 1247:
! 1248: if (f_local)
! 1249: return 0;
! 1250:
! 1251: #if 0
! 1252: loc = racoon_strdup(saddrwop2str(iph1->local));
! 1253: rem = racoon_strdup(saddrwop2str(iph1->remote));
! 1254: STRDUP_FATAL(loc);
! 1255: STRDUP_FATAL(rem);
! 1256:
! 1257: /*
! 1258: * Purge all IPSEC-SAs for the peer. We can do this
! 1259: * the easy way (using a PF_KEY SADB_DELETE extension)
! 1260: * or we can do it the hard way.
! 1261: */
! 1262: for (i = 0; i < pfkey_nsatypes; i++) {
! 1263: proto_id = pfkey2ipsecdoi_proto(pfkey_satypes[i].ps_satype);
! 1264:
! 1265: plog(LLV_INFO, LOCATION, NULL,
! 1266: "purging %s SAs for %s -> %s\n",
! 1267: pfkey_satypes[i].ps_name, loc, rem);
! 1268: if (pfkey_send_delete_all(lcconf->sock_pfkey,
! 1269: pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY,
! 1270: iph1->local, iph1->remote) == -1) {
! 1271: plog(LLV_ERROR, LOCATION, NULL,
! 1272: "delete_all %s -> %s failed for %s (%s)\n",
! 1273: loc, rem,
! 1274: pfkey_satypes[i].ps_name, ipsec_strerror());
! 1275: goto the_hard_way;
! 1276: }
! 1277:
! 1278: deleteallph2(iph1->local, iph1->remote, proto_id);
! 1279:
! 1280: plog(LLV_INFO, LOCATION, NULL,
! 1281: "purging %s SAs for %s -> %s\n",
! 1282: pfkey_satypes[i].ps_name, rem, loc);
! 1283: if (pfkey_send_delete_all(lcconf->sock_pfkey,
! 1284: pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY,
! 1285: iph1->remote, iph1->local) == -1) {
! 1286: plog(LLV_ERROR, LOCATION, NULL,
! 1287: "delete_all %s -> %s failed for %s (%s)\n",
! 1288: rem, loc,
! 1289: pfkey_satypes[i].ps_name, ipsec_strerror());
! 1290: goto the_hard_way;
! 1291: }
! 1292:
! 1293: deleteallph2(iph1->remote, iph1->local, proto_id);
! 1294: }
! 1295:
! 1296: racoon_free(loc);
! 1297: racoon_free(rem);
! 1298: return 0;
! 1299:
! 1300: the_hard_way:
! 1301: racoon_free(loc);
! 1302: racoon_free(rem);
! 1303: #endif
! 1304:
! 1305: buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
! 1306: if (buf == NULL) {
! 1307: plog(LLV_DEBUG, LOCATION, NULL,
! 1308: "pfkey_dump_sadb returned nothing.\n");
! 1309: return 0;
! 1310: }
! 1311:
! 1312: msg = (struct sadb_msg *)buf->v;
! 1313: end = (struct sadb_msg *)(buf->v + buf->l);
! 1314:
! 1315: for (; msg < end; msg = next) {
! 1316: if ((msg->sadb_msg_len << 3) < sizeof(*msg))
! 1317: break;
! 1318:
! 1319: next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
! 1320: if (msg->sadb_msg_type != SADB_DUMP)
! 1321: continue;
! 1322:
! 1323: if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
! 1324: plog(LLV_ERROR, LOCATION, NULL,
! 1325: "pfkey_check (%s)\n", ipsec_strerror());
! 1326: continue;
! 1327: }
! 1328:
! 1329: if (mhp[SADB_EXT_SA] == NULL
! 1330: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 1331: || mhp[SADB_EXT_ADDRESS_DST] == NULL)
! 1332: continue;
! 1333:
! 1334: sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
! 1335: pk_fixup_sa_addresses(mhp);
! 1336: src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
! 1337: dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
! 1338:
! 1339: if (sa->sadb_sa_state != SADB_SASTATE_MATURE
! 1340: && sa->sadb_sa_state != SADB_SASTATE_DYING)
! 1341: continue;
! 1342:
! 1343: /*
! 1344: * RFC2407 4.6.3.3 INITIAL-CONTACT is the message that
! 1345: * announces the sender of the message was rebooted.
! 1346: * it is interpreted to delete all SAs which source address
! 1347: * is the sender of the message.
! 1348: * racoon only deletes SA which is matched both the
! 1349: * source address and the destination accress.
! 1350: */
! 1351:
! 1352: /*
! 1353: * Check that the IP and port match. But this is not optimal,
! 1354: * since NAT-T can make the peer have multiple different
! 1355: * ports. Correct thing to do is delete all entries with
! 1356: * same identity. -TT
! 1357: */
! 1358: if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
! 1359: cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
! 1360: (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
! 1361: cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
! 1362: continue;
! 1363:
! 1364: /*
! 1365: * Make sure this is an SATYPE that we manage.
! 1366: * This is gross; too bad we couldn't do it the
! 1367: * easy way.
! 1368: */
! 1369: for (i = 0; i < pfkey_nsatypes; i++) {
! 1370: if (pfkey_satypes[i].ps_satype ==
! 1371: msg->sadb_msg_satype)
! 1372: break;
! 1373: }
! 1374: if (i == pfkey_nsatypes)
! 1375: continue;
! 1376:
! 1377: plog(LLV_INFO, LOCATION, NULL,
! 1378: "purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
! 1379: pfkey_send_delete(lcconf->sock_pfkey,
! 1380: msg->sadb_msg_satype,
! 1381: IPSEC_MODE_ANY, src, dst, sa->sadb_sa_spi);
! 1382:
! 1383: /*
! 1384: * delete a relative phase 2 handler.
! 1385: * continue to process if no relative phase 2 handler
! 1386: * exists.
! 1387: */
! 1388: proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
! 1389: iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
! 1390: if (iph2 && iph2 != protectedph2) {
! 1391: delete_spd(iph2, 0);
! 1392: remph2(iph2);
! 1393: delph2(iph2);
! 1394: }
! 1395: }
! 1396:
! 1397: vfree(buf);
! 1398: return 0;
! 1399: }
! 1400:
! 1401:
! 1402: #ifdef ENABLE_DPD
! 1403: static int
! 1404: isakmp_info_recv_r_u (iph1, ru, msgid)
! 1405: struct ph1handle *iph1;
! 1406: struct isakmp_pl_ru *ru;
! 1407: u_int32_t msgid;
! 1408: {
! 1409: struct isakmp_pl_ru *ru_ack;
! 1410: vchar_t *payload = NULL;
! 1411: int tlen;
! 1412: int error = 0;
! 1413:
! 1414: plog(LLV_DEBUG, LOCATION, iph1->remote,
! 1415: "DPD R-U-There received\n");
! 1416:
! 1417: /* XXX should compare cookies with iph1->index?
! 1418: Or is this already done by calling function? */
! 1419: tlen = sizeof(*ru_ack);
! 1420: payload = vmalloc(tlen);
! 1421: if (payload == NULL) {
! 1422: plog(LLV_ERROR, LOCATION, NULL,
! 1423: "failed to get buffer to send.\n");
! 1424: return errno;
! 1425: }
! 1426:
! 1427: ru_ack = (struct isakmp_pl_ru *)payload->v;
! 1428: ru_ack->h.np = ISAKMP_NPTYPE_NONE;
! 1429: ru_ack->h.len = htons(tlen);
! 1430: ru_ack->doi = htonl(IPSEC_DOI);
! 1431: ru_ack->type = htons(ISAKMP_NTYPE_R_U_THERE_ACK);
! 1432: ru_ack->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX ? */
! 1433: ru_ack->spi_size = sizeof(isakmp_index);
! 1434: memcpy(ru_ack->i_ck, ru->i_ck, sizeof(cookie_t));
! 1435: memcpy(ru_ack->r_ck, ru->r_ck, sizeof(cookie_t));
! 1436: ru_ack->data = ru->data;
! 1437:
! 1438: /* XXX Should we do FLAG_A ? */
! 1439: error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N,
! 1440: ISAKMP_FLAG_E);
! 1441: vfree(payload);
! 1442:
! 1443: plog(LLV_DEBUG, LOCATION, NULL, "received a valid R-U-THERE, ACK sent\n");
! 1444:
! 1445: /* Should we mark tunnel as active ? */
! 1446: return error;
! 1447: }
! 1448:
! 1449: static int
! 1450: isakmp_info_recv_r_u_ack (iph1, ru, msgid)
! 1451: struct ph1handle *iph1;
! 1452: struct isakmp_pl_ru *ru;
! 1453: u_int32_t msgid;
! 1454: {
! 1455: u_int32_t seq;
! 1456:
! 1457: plog(LLV_DEBUG, LOCATION, iph1->remote,
! 1458: "DPD R-U-There-Ack received\n");
! 1459:
! 1460: seq = ntohl(ru->data);
! 1461: if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
! 1462: plog(LLV_ERROR, LOCATION, iph1->remote,
! 1463: "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n",
! 1464: seq, iph1->dpd_last_ack, iph1->dpd_seq);
! 1465: return 0;
! 1466: }
! 1467:
! 1468: if (memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
! 1469: memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) {
! 1470: plog(LLV_ERROR, LOCATION, iph1->remote,
! 1471: "Cookie mismatch in DPD ACK!.\n");
! 1472: return 0;
! 1473: }
! 1474:
! 1475: iph1->dpd_fails = 0;
! 1476: iph1->dpd_last_ack = seq;
! 1477: sched_cancel(&iph1->dpd_r_u);
! 1478: isakmp_sched_r_u(iph1, 0);
! 1479:
! 1480: plog(LLV_DEBUG, LOCATION, NULL, "received an R-U-THERE-ACK\n");
! 1481:
! 1482: return 0;
! 1483: }
! 1484:
! 1485:
! 1486:
! 1487:
! 1488: /*
! 1489: * send DPD R-U-THERE payload in Informational exchange.
! 1490: */
! 1491: static void
! 1492: isakmp_info_send_r_u(sc)
! 1493: struct sched *sc;
! 1494: {
! 1495: struct ph1handle *iph1 = container_of(sc, struct ph1handle, dpd_r_u);
! 1496:
! 1497: /* create R-U-THERE payload */
! 1498: struct isakmp_pl_ru *ru;
! 1499: vchar_t *payload = NULL;
! 1500: int tlen;
! 1501: int error = 0;
! 1502:
! 1503: plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring....\n");
! 1504:
! 1505: if (iph1->status == PHASE1ST_EXPIRED) {
! 1506: /* This can happen after removing tunnels from the
! 1507: * config file and then reloading.
! 1508: * Such iph1 have rmconf=NULL, so return before the if
! 1509: * block below.
! 1510: */
! 1511: return;
! 1512: }
! 1513:
! 1514: if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) {
! 1515:
! 1516: plog(LLV_INFO, LOCATION, iph1->remote,
! 1517: "DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n",
! 1518: isakmp_pindex(&iph1->index, 0));
! 1519:
! 1520: script_hook(iph1, SCRIPT_PHASE1_DEAD);
! 1521: evt_phase1(iph1, EVT_PHASE1_DPD_TIMEOUT, NULL);
! 1522: purge_remote(iph1);
! 1523:
! 1524: /* Do not reschedule here: phase1 is deleted,
! 1525: * DPD will be reactivated when a new ph1 will be negociated
! 1526: */
! 1527: return;
! 1528: }
! 1529:
! 1530: /* TODO: check recent activity to avoid useless sends... */
! 1531:
! 1532: tlen = sizeof(*ru);
! 1533: payload = vmalloc(tlen);
! 1534: if (payload == NULL) {
! 1535: plog(LLV_ERROR, LOCATION, NULL,
! 1536: "failed to get buffer for payload.\n");
! 1537: return;
! 1538: }
! 1539: ru = (struct isakmp_pl_ru *)payload->v;
! 1540: ru->h.np = ISAKMP_NPTYPE_NONE;
! 1541: ru->h.len = htons(tlen);
! 1542: ru->doi = htonl(IPSEC_DOI);
! 1543: ru->type = htons(ISAKMP_NTYPE_R_U_THERE);
! 1544: ru->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX ?*/
! 1545: ru->spi_size = sizeof(isakmp_index);
! 1546:
! 1547: memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
! 1548: memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
! 1549:
! 1550: if (iph1->dpd_seq == 0) {
! 1551: /* generate a random seq which is not too big */
! 1552: iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
! 1553: }
! 1554:
! 1555: iph1->dpd_seq++;
! 1556: iph1->dpd_fails++;
! 1557: ru->data = htonl(iph1->dpd_seq);
! 1558:
! 1559: error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
! 1560: vfree(payload);
! 1561:
! 1562: plog(LLV_DEBUG, LOCATION, iph1->remote,
! 1563: "DPD R-U-There sent (%d)\n", error);
! 1564:
! 1565: /* Reschedule the r_u_there with a short delay,
! 1566: * will be deleted/rescheduled if ACK received before */
! 1567: isakmp_sched_r_u(iph1, 1);
! 1568:
! 1569: plog(LLV_DEBUG, LOCATION, iph1->remote,
! 1570: "rescheduling send_r_u (%d).\n", iph1->rmconf->dpd_retry);
! 1571: }
! 1572:
! 1573: /* Schedule a new R-U-THERE */
! 1574: int
! 1575: isakmp_sched_r_u(iph1, retry)
! 1576: struct ph1handle *iph1;
! 1577: int retry;
! 1578: {
! 1579: if(iph1 == NULL ||
! 1580: iph1->rmconf == NULL)
! 1581: return 1;
! 1582:
! 1583:
! 1584: if(iph1->dpd_support == 0 ||
! 1585: iph1->rmconf->dpd_interval == 0)
! 1586: return 0;
! 1587:
! 1588: if(retry)
! 1589: sched_schedule(&iph1->dpd_r_u, iph1->rmconf->dpd_retry,
! 1590: isakmp_info_send_r_u);
! 1591: else
! 1592: sched_schedule(&iph1->dpd_r_u, iph1->rmconf->dpd_interval,
! 1593: isakmp_info_send_r_u);
! 1594:
! 1595: return 0;
! 1596: }
! 1597: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to isakmp_inf.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon