![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to isakmp_quick.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon|
Return to isakmp_quick.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon |
1.1 misho 1: /* $NetBSD: isakmp_quick.c,v 1.29 2011/03/14 17:18:13 tteras Exp $ */
2:
3: /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
4:
5: /*
6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7: * All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: * 3. Neither the name of the project nor the names of its contributors
18: * may be used to endorse or promote products derived from this software
19: * without specific prior written permission.
20: *
21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31: * SUCH DAMAGE.
32: */
33:
34: #include "config.h"
35:
36: #include <sys/types.h>
37: #include <sys/param.h>
38: #include <sys/socket.h>
39:
40: #include <netinet/in.h>
41:
42: #include <stdlib.h>
43: #include <stdio.h>
44: #include <string.h>
45: #include <errno.h>
46: #if TIME_WITH_SYS_TIME
47: # include <sys/time.h>
48: # include <time.h>
49: #else
50: # if HAVE_SYS_TIME_H
51: # include <sys/time.h>
52: # else
53: # include <time.h>
54: # endif
55: #endif
56:
57: #include PATH_IPSEC_H
58:
59: #include "var.h"
60: #include "vmbuf.h"
61: #include "schedule.h"
62: #include "misc.h"
63: #include "plog.h"
64: #include "debug.h"
65:
66: #include "localconf.h"
67: #include "remoteconf.h"
68: #include "handler.h"
69: #include "policy.h"
70: #include "proposal.h"
71: #include "isakmp_var.h"
72: #include "isakmp.h"
73: #include "isakmp_inf.h"
74: #include "isakmp_quick.h"
75: #include "oakley.h"
76: #include "ipsec_doi.h"
77: #include "crypto_openssl.h"
78: #include "pfkey.h"
79: #include "policy.h"
80: #include "algorithm.h"
81: #include "sockmisc.h"
82: #include "proposal.h"
83: #include "sainfo.h"
84: #include "admin.h"
85: #include "strnames.h"
86:
87: #ifdef ENABLE_HYBRID
88: #include <resolv.h>
89: #include "isakmp_xauth.h"
90: #include "isakmp_cfg.h"
91: #endif
92:
93: #ifdef ENABLE_NATT
94: #include "nattraversal.h"
95: #endif
96:
97: /* quick mode */
98: static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
99: static int get_sainfo_r __P((struct ph2handle *));
100: static int get_proposal_r __P((struct ph2handle *));
101: static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *));
102: static void quick_timeover_stub __P((struct sched *));
103: static void quick_timeover __P((struct ph2handle *));
104:
105: /* called from scheduler */
106: static void
107: quick_timeover_stub(p)
108: struct sched *p;
109: {
110: quick_timeover(container_of(p, struct ph2handle, sce));
111: }
112:
113: static void
114: quick_timeover(iph2)
115: struct ph2handle *iph2;
116: {
117: plog(LLV_ERROR, LOCATION, NULL,
118: "%s give up to get IPsec-SA due to time up to wait.\n",
119: saddrwop2str(iph2->dst));
120:
121: /* If initiator side, send error to kernel by SADB_ACQUIRE. */
122: if (iph2->side == INITIATOR)
123: pk_sendeacquire(iph2);
124:
125: remph2(iph2);
126: delph2(iph2);
127: }
128:
129: /*
%%%
130: * Quick Mode
131: */
132: /*
133: * begin Quick Mode as initiator. send pfkey getspi message to kernel.
134: */
135: int
136: quick_i1prep(iph2, msg)
137: struct ph2handle *iph2;
138: vchar_t *msg; /* must be null pointer */
139: {
140: int error = ISAKMP_INTERNAL_ERROR;
141:
142: /* validity check */
143: if (iph2->status != PHASE2ST_STATUS2) {
144: plog(LLV_ERROR, LOCATION, NULL,
145: "status mismatched %d.\n", iph2->status);
146: goto end;
147: }
148:
149: iph2->msgid = isakmp_newmsgid2(iph2->ph1);
150: iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
151: if (iph2->ivm == NULL)
152: return 0;
153:
154: iph2->status = PHASE2ST_GETSPISENT;
155:
156: /* don't anything if local test mode. */
157: if (f_local) {
158: error = 0;
159: goto end;
160: }
161:
162: /* send getspi message */
163: if (pk_sendgetspi(iph2) < 0)
164: goto end;
165:
166: plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
167:
168: sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
169: quick_timeover_stub);
170:
171: error = 0;
172:
173: end:
174: return error;
175: }
176:
177: /*
178: * send to responder
179: * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
180: */
181: int
182: quick_i1send(iph2, msg)
183: struct ph2handle *iph2;
184: vchar_t *msg; /* must be null pointer */
185: {
186: vchar_t *body = NULL;
187: vchar_t *hash = NULL;
188: struct isakmp_gen *gen;
189: char *p;
190: int tlen;
191: int error = ISAKMP_INTERNAL_ERROR;
192: int natoa = ISAKMP_NPTYPE_NONE;
193: int pfsgroup, idci, idcr;
194: int np;
195: struct ipsecdoi_id_b *id, *id_p;
196: #ifdef ENABLE_NATT
197: vchar_t *nat_oai = NULL;
198: vchar_t *nat_oar = NULL;
199: #endif
200:
201: /* validity check */
202: if (msg != NULL) {
203: plog(LLV_ERROR, LOCATION, NULL,
204: "msg has to be NULL in this function.\n");
205: goto end;
206: }
207: if (iph2->status != PHASE2ST_GETSPIDONE) {
208: plog(LLV_ERROR, LOCATION, NULL,
209: "status mismatched %d.\n", iph2->status);
210: goto end;
211: }
212:
213: /* create SA payload for my proposal */
214: if (ipsecdoi_setph2proposal(iph2) < 0)
215: goto end;
216:
217: /* generate NONCE value */
218: iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
219: if (iph2->nonce == NULL)
220: goto end;
221:
222: /*
223: * DH value calculation is kicked out into cfparse.y.
224: * because pfs group can not be negotiated, it's only to be checked
225: * acceptable.
226: */
227: /* generate KE value if need */
228: pfsgroup = iph2->proposal->pfs_group;
229: if (pfsgroup) {
230: /* DH group settting if PFS is required. */
231: if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
232: plog(LLV_ERROR, LOCATION, NULL,
233: "failed to set DH value.\n");
234: goto end;
235: }
236: if (oakley_dh_generate(iph2->pfsgrp,
237: &iph2->dhpub, &iph2->dhpriv) < 0) {
238: goto end;
239: }
240: }
241:
242: /* generate ID value */
243: if (ipsecdoi_setid2(iph2) < 0) {
244: plog(LLV_ERROR, LOCATION, NULL,
245: "failed to get ID.\n");
246: goto end;
247: }
248: plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n");
249: plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
250: plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n");
251: plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
252:
253: /*
254: * we do not attach IDci nor IDcr, under the following condition:
255: * - all proposals are transport mode
256: * - no MIP6 or proxy
257: * - id payload suggests to encrypt all the traffic (no specific
258: * protocol type)
259: * - SA endpoints and IKE addresses for the nego are the same
260: * (iph2->src/dst)
261: */
262: id = (struct ipsecdoi_id_b *)iph2->id->v;
263: id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
264: if (id->proto_id == 0 &&
265: id_p->proto_id == 0 &&
266: iph2->ph1->rmconf->support_proxy == 0 &&
267: iph2->sa_src == NULL && iph2->sa_dst == NULL &&
268: ipsecdoi_transportmode(iph2->proposal)) {
269: idci = idcr = 0;
270: } else
271: idci = idcr = 1;
272:
273: #ifdef ENABLE_NATT
274: /*
275: * RFC3947 5.2. if we propose UDP-Encapsulated-Transport
276: * we should send NAT-OA
277: */
278: if (ipsecdoi_transportmode(iph2->proposal)
279: && (iph2->ph1->natt_flags & NAT_DETECTED)) {
280: natoa = iph2->ph1->natt_options->payload_nat_oa;
281:
282: nat_oai = ipsecdoi_sockaddr2id(iph2->src,
283: IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
284: nat_oar = ipsecdoi_sockaddr2id(iph2->dst,
285: IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
286:
287: if (nat_oai == NULL || nat_oar == NULL) {
288: plog(LLV_ERROR, LOCATION, NULL,
289: "failed to generate NAT-OA payload.\n");
290: goto end;
291: }
292:
293: plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n");
294: plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l);
295: plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n");
296: plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l);
297: } else {
298: natoa = ISAKMP_NPTYPE_NONE;
299: }
300: #endif
301:
302: /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
303: tlen = + sizeof(*gen) + iph2->sa->l
304: + sizeof(*gen) + iph2->nonce->l;
305: if (pfsgroup)
306: tlen += (sizeof(*gen) + iph2->dhpub->l);
307: if (idci)
308: tlen += sizeof(*gen) + iph2->id->l;
309: if (idcr)
310: tlen += sizeof(*gen) + iph2->id_p->l;
311: #ifdef ENABLE_NATT
312: if (natoa != ISAKMP_NPTYPE_NONE)
313: tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l;
314: #endif
315:
316: body = vmalloc(tlen);
317: if (body == NULL) {
318: plog(LLV_ERROR, LOCATION, NULL,
319: "failed to get buffer to send.\n");
320: goto end;
321: }
322:
323: p = body->v;
324:
325: /* add SA payload */
326: p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);
327:
328: /* add NONCE payload */
329: if (pfsgroup)
330: np = ISAKMP_NPTYPE_KE;
331: else if (idci || idcr)
332: np = ISAKMP_NPTYPE_ID;
333: else
334: np = natoa;
335: p = set_isakmp_payload(p, iph2->nonce, np);
336:
337: /* add KE payload if need. */
338: np = (idci || idcr) ? ISAKMP_NPTYPE_ID : natoa;
339: if (pfsgroup)
340: p = set_isakmp_payload(p, iph2->dhpub, np);
341:
342: /* IDci */
343: np = (idcr) ? ISAKMP_NPTYPE_ID : natoa;
344: if (idci)
345: p = set_isakmp_payload(p, iph2->id, np);
346:
347: /* IDcr */
348: if (idcr)
349: p = set_isakmp_payload(p, iph2->id_p, natoa);
350:
351: #ifdef ENABLE_NATT
352: /* NAT-OA */
353: if (natoa != ISAKMP_NPTYPE_NONE) {
354: p = set_isakmp_payload(p, nat_oai, natoa);
355: p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE);
356: }
357: #endif
358:
359: /* generate HASH(1) */
360: hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
361: if (hash == NULL)
362: goto end;
363:
364: /* send isakmp payload */
365: iph2->sendbuf = quick_ir1mx(iph2, body, hash);
366: if (iph2->sendbuf == NULL)
367: goto end;
368:
369: /* send the packet, add to the schedule to resend */
370: if (isakmp_ph2send(iph2) == -1)
371: goto end;
372:
373: /* change status of isakmp status entry */
374: iph2->status = PHASE2ST_MSG1SENT;
375:
376: error = 0;
377:
378: end:
379: if (body != NULL)
380: vfree(body);
381: if (hash != NULL)
382: vfree(hash);
383: #ifdef ENABLE_NATT
384: if (nat_oai != NULL)
385: vfree(nat_oai);
386: if (nat_oar != NULL)
387: vfree(nat_oar);
388: #endif
389:
390: return error;
391: }
392:
393: /*
394: * receive from responder
395: * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
396: */
397: int
398: quick_i2recv(iph2, msg0)
399: struct ph2handle *iph2;
400: vchar_t *msg0;
401: {
402: vchar_t *msg = NULL;
403: vchar_t *hbuf = NULL; /* for hash computing. */
404: vchar_t *pbuf = NULL; /* for payload parsing */
405: vchar_t *idci = NULL;
406: vchar_t *idcr = NULL;
407: struct isakmp_parse_t *pa;
408: struct isakmp *isakmp = (struct isakmp *)msg0->v;
409: struct isakmp_pl_hash *hash = NULL;
410: char *p;
411: int tlen;
412: int error = ISAKMP_INTERNAL_ERROR;
413:
414: /* validity check */
415: if (iph2->status != PHASE2ST_MSG1SENT) {
416: plog(LLV_ERROR, LOCATION, NULL,
417: "status mismatched %d.\n", iph2->status);
418: goto end;
419: }
420:
421: /* decrypt packet */
422: if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
423: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
424: "Packet wasn't encrypted.\n");
425: goto end;
426: }
427: msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
428: if (msg == NULL)
429: goto end;
430:
431: /* create buffer for validating HASH(2) */
432: /*
433: * ordering rule:
434: * 1. the first one must be HASH
435: * 2. the second one must be SA (added in isakmp-oakley-05!)
436: * 3. two IDs must be considered as IDci, then IDcr
437: */
438: pbuf = isakmp_parse(msg);
439: if (pbuf == NULL)
440: goto end;
441: pa = (struct isakmp_parse_t *)pbuf->v;
442:
443: /* HASH payload is fixed postion */
444: if (pa->type != ISAKMP_NPTYPE_HASH) {
445: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
446: "received invalid next payload type %d, "
447: "expecting %d.\n",
448: pa->type, ISAKMP_NPTYPE_HASH);
449: goto end;
450: }
451: hash = (struct isakmp_pl_hash *)pa->ptr;
452: pa++;
453:
454: /*
455: * this restriction was introduced in isakmp-oakley-05.
456: * we do not check this for backward compatibility.
457: * TODO: command line/config file option to enable/disable this code
458: */
459: /* HASH payload is fixed postion */
460: if (pa->type != ISAKMP_NPTYPE_SA) {
461: plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
462: "received invalid next payload type %d, "
463: "expecting %d.\n",
464: pa->type, ISAKMP_NPTYPE_HASH);
465: }
466:
467: /* allocate buffer for computing HASH(2) */
468: tlen = iph2->nonce->l
469: + ntohl(isakmp->len) - sizeof(*isakmp);
470: hbuf = vmalloc(tlen);
471: if (hbuf == NULL) {
472: plog(LLV_ERROR, LOCATION, NULL,
473: "failed to get hash buffer.\n");
474: goto end;
475: }
476: p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */
477:
478: /*
479: * parse the payloads.
480: * copy non-HASH payloads into hbuf, so that we can validate HASH.
481: */
482: iph2->sa_ret = NULL;
483: tlen = 0; /* count payload length except of HASH payload. */
484: for (; pa->type; pa++) {
485:
486: /* copy to buffer for HASH */
487: /* Don't modify the payload */
488: memcpy(p, pa->ptr, pa->len);
489:
490: switch (pa->type) {
491: case ISAKMP_NPTYPE_SA:
492: if (iph2->sa_ret != NULL) {
493: plog(LLV_ERROR, LOCATION, NULL,
494: "Ignored, multiple SA "
495: "isn't supported.\n");
496: break;
497: }
498: if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
499: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
500: "duplicate ISAKMP_NPTYPE_SA.\n");
501: goto end;
502: }
503: break;
504:
505: case ISAKMP_NPTYPE_NONCE:
506: if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
507: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
508: "duplicate ISAKMP_NPTYPE_NONCE.\n");
509: goto end;
510: }
511: break;
512:
513: case ISAKMP_NPTYPE_KE:
514: if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
515: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
516: "duplicate ISAKMP_NPTYPE_KE.\n");
517: goto end;
518: }
519: break;
520:
521: case ISAKMP_NPTYPE_ID:
522: if (idci == NULL) {
523: if (isakmp_p2ph(&idci, pa->ptr) < 0)
524: goto end;
525: } else if (idcr == NULL) {
526: if (isakmp_p2ph(&idcr, pa->ptr) < 0)
527: goto end;
528: } else {
529: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
530: "too many ISAKMP_NPTYPE_ID payloads.\n");
531: goto end;
532: }
533: break;
534:
535: case ISAKMP_NPTYPE_N:
536: ph2_recv_n(iph2, pa->ptr);
537: break;
538:
539: #ifdef ENABLE_NATT
540: case ISAKMP_NPTYPE_NATOA_DRAFT:
541: case ISAKMP_NPTYPE_NATOA_RFC:
542: {
543: struct sockaddr_storage addr;
544: struct sockaddr *daddr;
545: u_int8_t prefix;
546: u_int16_t ul_proto;
547: vchar_t *vp = NULL;
548:
549: if (isakmp_p2ph(&vp, pa->ptr) < 0)
550: goto end;
551:
552: error = ipsecdoi_id2sockaddr(vp,
553: (struct sockaddr *) &addr,
554: &prefix, &ul_proto);
555:
556: vfree(vp);
557:
558: if (error)
559: goto end;
560:
561: daddr = dupsaddr((struct sockaddr *) &addr);
562: if (daddr == NULL)
563: goto end;
564:
565: if (iph2->natoa_src == NULL)
566: iph2->natoa_src = daddr;
567: else if (iph2->natoa_dst == NULL)
568: iph2->natoa_dst = daddr;
569: else {
570: racoon_free(daddr);
571: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
572: "too many ISAKMP_NPTYPE_NATOA payloads.\n");
573: goto end;
574: }
575: }
576: break;
577: #endif
578:
579: default:
580: /* don't send information, see ident_r1recv() */
581: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
582: "ignore the packet, "
583: "received unexpecting payload type %d.\n",
584: pa->type);
585: goto end;
586: }
587:
588: p += pa->len;
589:
590: /* compute true length of payload. */
591: tlen += pa->len;
592: }
593:
594: /* payload existency check */
595: if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
596: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
597: "few isakmp message received.\n");
598: goto end;
599: }
600:
601: /* identity check */
602: if (idci != NULL) {
603: struct sockaddr_storage proposed_addr, got_addr;
604: u_int8_t proposed_prefix, got_prefix;
605: u_int16_t proposed_ulproto, got_ulproto;
606:
607: error = ipsecdoi_id2sockaddr(iph2->id,
608: (struct sockaddr *) &proposed_addr,
609: &proposed_prefix, &proposed_ulproto);
610: if (error)
611: goto end;
612:
613: error = ipsecdoi_id2sockaddr(idci,
614: (struct sockaddr *) &got_addr,
615: &got_prefix, &got_ulproto);
616: if (error)
617: goto end;
618:
619: if (proposed_prefix != got_prefix
620: || proposed_ulproto != got_ulproto) {
621: plog(LLV_DEBUG, LOCATION, NULL,
622: "IDci prefix/ulproto does not match proposal.\n");
623: error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
624: goto end;
625: }
626: #ifdef ENABLE_NATT
627: set_port(iph2->natoa_src,
628: extract_port((struct sockaddr *) &proposed_addr));
629: #endif
630:
631: if (cmpsaddr((struct sockaddr *) &proposed_addr,
632: (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
633: plog(LLV_DEBUG, LOCATION, NULL,
634: "IDci matches proposal.\n");
635: #ifdef ENABLE_NATT
636: } else if (iph2->natoa_src != NULL
637: && cmpsaddr(iph2->natoa_src,
638: (struct sockaddr *) &got_addr) == 0) {
639: plog(LLV_DEBUG, LOCATION, NULL,
640: "IDci matches NAT-OAi.\n");
641: #endif
642: } else {
643: plog(LLV_ERROR, LOCATION, NULL,
644: "mismatched IDci was returned.\n");
645: error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
646: goto end;
647: }
648: }
649: if (idcr != NULL) {
650: struct sockaddr_storage proposed_addr, got_addr;
651: u_int8_t proposed_prefix, got_prefix;
652: u_int16_t proposed_ulproto, got_ulproto;
653:
654: error = ipsecdoi_id2sockaddr(iph2->id_p,
655: (struct sockaddr *) &proposed_addr,
656: &proposed_prefix, &proposed_ulproto);
657: if (error)
658: goto end;
659:
660: error = ipsecdoi_id2sockaddr(idcr,
661: (struct sockaddr *) &got_addr,
662: &got_prefix, &got_ulproto);
663: if (error)
664: goto end;
665:
666: if (proposed_prefix != got_prefix
667: || proposed_ulproto != got_ulproto) {
668: plog(LLV_DEBUG, LOCATION, NULL,
669: "IDcr prefix/ulproto does not match proposal.\n");
670: error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
671: goto end;
672: }
673:
674: #ifdef ENABLE_NATT
675: set_port(iph2->natoa_dst,
676: extract_port((struct sockaddr *) &proposed_addr));
677: #endif
678:
679: if (cmpsaddr((struct sockaddr *) &proposed_addr,
680: (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
681: plog(LLV_DEBUG, LOCATION, NULL,
682: "IDcr matches proposal.\n");
683: #ifdef ENABLE_NATT
684: } else if (iph2->natoa_dst != NULL
685: && cmpsaddr(iph2->natoa_dst,
686: (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
687: plog(LLV_DEBUG, LOCATION, NULL,
688: "IDcr matches NAT-OAr.\n");
689: #endif
690: } else {
691: plog(LLV_ERROR, LOCATION, NULL,
692: "mismatched IDcr was returned.\n");
693: error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
694: goto end;
695: }
696: }
697:
698: /* Fixed buffer for calculating HASH */
699: memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
700: plog(LLV_DEBUG, LOCATION, NULL,
701: "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
702: hbuf->l, tlen + iph2->nonce->l);
703: /* adjust buffer length for HASH */
704: hbuf->l = iph2->nonce->l + tlen;
705:
706: /* validate HASH(2) */
707: {
708: char *r_hash;
709: vchar_t *my_hash = NULL;
710: int result;
711:
712: r_hash = (char *)hash + sizeof(*hash);
713:
714: plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:");
715: plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
716:
717: my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
718: if (my_hash == NULL)
719: goto end;
720:
721: result = memcmp(my_hash->v, r_hash, my_hash->l);
722: vfree(my_hash);
723:
724: if (result) {
725: plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
726: "HASH(2) mismatch.\n");
727: error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
728: goto end;
729: }
730: }
731:
732: /* validity check SA payload sent from responder */
733: if (ipsecdoi_checkph2proposal(iph2) < 0) {
734: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
735: "proposal check failed.\n");
736: error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
737: goto end;
738: }
739:
740: /* change status of isakmp status entry */
741: iph2->status = PHASE2ST_STATUS6;
742:
743: error = 0;
744:
745: end:
746: if (hbuf)
747: vfree(hbuf);
748: if (pbuf)
749: vfree(pbuf);
750: if (msg)
751: vfree(msg);
752: if (idci)
753: vfree(idci);
754: if (idcr)
755: vfree(idcr);
756:
757: if (error) {
758: VPTRINIT(iph2->sa_ret);
759: VPTRINIT(iph2->nonce_p);
760: VPTRINIT(iph2->dhpub_p);
761: VPTRINIT(iph2->id);
762: VPTRINIT(iph2->id_p);
763: #ifdef ENABLE_NATT
764: if (iph2->natoa_src) {
765: racoon_free(iph2->natoa_src);
766: iph2->natoa_src = NULL;
767: }
768: if (iph2->natoa_dst) {
769: racoon_free(iph2->natoa_dst);
770: iph2->natoa_dst = NULL;
771: }
772: #endif
773: }
774:
775: return error;
776: }
777:
778: /*
779: * send to responder
780: * HDR*, HASH(3)
781: */
782: int
783: quick_i2send(iph2, msg0)
784: struct ph2handle *iph2;
785: vchar_t *msg0;
786: {
787: vchar_t *msg = NULL;
788: vchar_t *buf = NULL;
789: vchar_t *hash = NULL;
790: char *p = NULL;
791: int tlen;
792: int error = ISAKMP_INTERNAL_ERROR;
793:
794: /* validity check */
795: if (iph2->status != PHASE2ST_STATUS6) {
796: plog(LLV_ERROR, LOCATION, NULL,
797: "status mismatched %d.\n", iph2->status);
798: goto end;
799: }
800:
801: /* generate HASH(3) */
802: {
803: vchar_t *tmp = NULL;
804:
805: plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n");
806:
807: tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
808: if (tmp == NULL) {
809: plog(LLV_ERROR, LOCATION, NULL,
810: "failed to get hash buffer.\n");
811: goto end;
812: }
813: memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
814: memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);
815:
816: hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
817: vfree(tmp);
818:
819: if (hash == NULL)
820: goto end;
821: }
822:
823: /* create buffer for isakmp payload */
824: tlen = sizeof(struct isakmp)
825: + sizeof(struct isakmp_gen) + hash->l;
826: buf = vmalloc(tlen);
827: if (buf == NULL) {
828: plog(LLV_ERROR, LOCATION, NULL,
829: "failed to get buffer to send.\n");
830: goto end;
831: }
832:
833: /* create isakmp header */
834: p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
835: if (p == NULL)
836: goto end;
837:
838: /* add HASH(3) payload */
839: p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);
840:
841: #ifdef HAVE_PRINT_ISAKMP_C
842: isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
843: #endif
844:
845: /* encoding */
846: iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
847: if (iph2->sendbuf == NULL)
848: goto end;
849:
850: /* if there is commit bit, need resending */
851: if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
852: /* send the packet, add to the schedule to resend */
853: if (isakmp_ph2send(iph2) == -1)
854: goto end;
855: } else {
856: /* send the packet */
857: if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
858: goto end;
859: }
860:
861: /* the sending message is added to the received-list. */
862: if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
863: iph2->sendbuf, msg0) == -1) {
864: plog(LLV_ERROR , LOCATION, NULL,
865: "failed to add a response packet to the tree.\n");
866: goto end;
867: }
868:
869: /* compute both of KEYMATs */
870: if (oakley_compute_keymat(iph2, INITIATOR) < 0)
871: goto end;
872:
873: iph2->status = PHASE2ST_ADDSA;
874:
875: /* don't anything if local test mode. */
876: if (f_local) {
877: error = 0;
878: goto end;
879: }
880:
881: /* if there is commit bit don't set up SA now. */
882: if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
883: iph2->status = PHASE2ST_COMMIT;
884: error = 0;
885: goto end;
886: }
887:
888: /* Do UPDATE for initiator */
889: plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
890: if (pk_sendupdate(iph2) < 0) {
891: plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
892: goto end;
893: }
894: plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
895:
896: /* Do ADD for responder */
897: if (pk_sendadd(iph2) < 0) {
898: plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
899: goto end;
900: }
901: plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
902:
903: error = 0;
904:
905: end:
906: if (buf != NULL)
907: vfree(buf);
908: if (msg != NULL)
909: vfree(msg);
910: if (hash != NULL)
911: vfree(hash);
912:
913: return error;
914: }
915:
916: /*
917: * receive from responder
918: * HDR#*, HASH(4), notify
919: */
920: int
921: quick_i3recv(iph2, msg0)
922: struct ph2handle *iph2;
923: vchar_t *msg0;
924: {
925: vchar_t *msg = NULL;
926: vchar_t *pbuf = NULL; /* for payload parsing */
927: struct isakmp_parse_t *pa;
928: struct isakmp_pl_hash *hash = NULL;
929: vchar_t *notify = NULL;
930: int error = ISAKMP_INTERNAL_ERROR;
931:
932: /* validity check */
933: if (iph2->status != PHASE2ST_COMMIT) {
934: plog(LLV_ERROR, LOCATION, NULL,
935: "status mismatched %d.\n", iph2->status);
936: goto end;
937: }
938:
939: /* decrypt packet */
940: if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
941: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
942: "Packet wasn't encrypted.\n");
943: goto end;
944: }
945: msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
946: if (msg == NULL)
947: goto end;
948:
949: /* validate the type of next payload */
950: pbuf = isakmp_parse(msg);
951: if (pbuf == NULL)
952: goto end;
953:
954: for (pa = (struct isakmp_parse_t *)pbuf->v;
955: pa->type != ISAKMP_NPTYPE_NONE;
956: pa++) {
957:
958: switch (pa->type) {
959: case ISAKMP_NPTYPE_HASH:
960: hash = (struct isakmp_pl_hash *)pa->ptr;
961: break;
962: case ISAKMP_NPTYPE_N:
963: if (notify != NULL) {
964: plog(LLV_WARNING, LOCATION, NULL,
965: "Ignoring multiples notifications\n");
966: break;
967: }
968: ph2_recv_n(iph2, pa->ptr);
969: notify = vmalloc(pa->len);
970: if (notify == NULL) {
971: plog(LLV_ERROR, LOCATION, NULL,
972: "failed to get notify buffer.\n");
973: goto end;
974: }
975: memcpy(notify->v, pa->ptr, notify->l);
976: break;
977: default:
978: /* don't send information, see ident_r1recv() */
979: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
980: "ignore the packet, "
981: "received unexpecting payload type %d.\n",
982: pa->type);
983: goto end;
984: }
985: }
986:
987: /* payload existency check */
988: if (hash == NULL) {
989: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
990: "few isakmp message received.\n");
991: goto end;
992: }
993:
994: /* validate HASH(4) */
995: {
996: char *r_hash;
997: vchar_t *my_hash = NULL;
998: vchar_t *tmp = NULL;
999: int result;
1000:
1001: r_hash = (char *)hash + sizeof(*hash);
1002:
1003: plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:");
1004: plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1005:
1006: my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1007: vfree(tmp);
1008: if (my_hash == NULL)
1009: goto end;
1010:
1011: result = memcmp(my_hash->v, r_hash, my_hash->l);
1012: vfree(my_hash);
1013:
1014: if (result) {
1015: plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1016: "HASH(4) mismatch.\n");
1017: error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1018: goto end;
1019: }
1020: }
1021:
1022: iph2->status = PHASE2ST_ADDSA;
1023: iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1024:
1025: /* don't anything if local test mode. */
1026: if (f_local) {
1027: error = 0;
1028: goto end;
1029: }
1030:
1031: /* Do UPDATE for initiator */
1032: plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
1033: if (pk_sendupdate(iph2) < 0) {
1034: plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
1035: goto end;
1036: }
1037: plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
1038:
1039: /* Do ADD for responder */
1040: if (pk_sendadd(iph2) < 0) {
1041: plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
1042: goto end;
1043: }
1044: plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
1045:
1046: error = 0;
1047:
1048: end:
1049: if (msg != NULL)
1050: vfree(msg);
1051: if (pbuf != NULL)
1052: vfree(pbuf);
1053: if (notify != NULL)
1054: vfree(notify);
1055:
1056: return error;
1057: }
1058:
1059: /*
1060: * receive from initiator
1061: * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1062: */
1063: int
1064: quick_r1recv(iph2, msg0)
1065: struct ph2handle *iph2;
1066: vchar_t *msg0;
1067: {
1068: vchar_t *msg = NULL;
1069: vchar_t *hbuf = NULL; /* for hash computing. */
1070: vchar_t *pbuf = NULL; /* for payload parsing */
1071: struct isakmp_parse_t *pa;
1072: struct isakmp *isakmp = (struct isakmp *)msg0->v;
1073: struct isakmp_pl_hash *hash = NULL;
1074: char *p;
1075: int tlen;
1076: int f_id_order; /* for ID payload detection */
1077: int error = ISAKMP_INTERNAL_ERROR;
1078:
1079: /* validity check */
1080: if (iph2->status != PHASE2ST_START) {
1081: plog(LLV_ERROR, LOCATION, NULL,
1082: "status mismatched %d.\n", iph2->status);
1083: goto end;
1084: }
1085:
1086: /* decrypting */
1087: if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1088: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1089: "Packet wasn't encrypted.\n");
1090: error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1091: goto end;
1092: }
1093: /* decrypt packet */
1094: msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1095: if (msg == NULL) {
1096: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1097: "Packet decryption failed.\n");
1098: goto end;
1099: }
1100:
1101: /* create buffer for using to validate HASH(1) */
1102: /*
1103: * ordering rule:
1104: * 1. the first one must be HASH
1105: * 2. the second one must be SA (added in isakmp-oakley-05!)
1106: * 3. two IDs must be considered as IDci, then IDcr
1107: */
1108: pbuf = isakmp_parse(msg);
1109: if (pbuf == NULL)
1110: goto end;
1111: pa = (struct isakmp_parse_t *)pbuf->v;
1112:
1113: /* HASH payload is fixed postion */
1114: if (pa->type != ISAKMP_NPTYPE_HASH) {
1115: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1116: "received invalid next payload type %d, "
1117: "expecting %d.\n",
1118: pa->type, ISAKMP_NPTYPE_HASH);
1119: error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1120: goto end;
1121: }
1122: hash = (struct isakmp_pl_hash *)pa->ptr;
1123: pa++;
1124:
1125: /*
1126: * this restriction was introduced in isakmp-oakley-05.
1127: * we do not check this for backward compatibility.
1128: * TODO: command line/config file option to enable/disable this code
1129: */
1130: /* HASH payload is fixed postion */
1131: if (pa->type != ISAKMP_NPTYPE_SA) {
1132: plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
1133: "received invalid next payload type %d, "
1134: "expecting %d.\n",
1135: pa->type, ISAKMP_NPTYPE_SA);
1136: error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1137: }
1138:
1139: /* allocate buffer for computing HASH(1) */
1140: tlen = ntohl(isakmp->len) - sizeof(*isakmp);
1141: hbuf = vmalloc(tlen);
1142: if (hbuf == NULL) {
1143: plog(LLV_ERROR, LOCATION, NULL,
1144: "failed to get hash buffer.\n");
1145: goto end;
1146: }
1147: p = hbuf->v;
1148:
1149: /*
1150: * parse the payloads.
1151: * copy non-HASH payloads into hbuf, so that we can validate HASH.
1152: */
1153: iph2->sa = NULL; /* we don't support multi SAs. */
1154: iph2->nonce_p = NULL;
1155: iph2->dhpub_p = NULL;
1156: iph2->id_p = NULL;
1157: iph2->id = NULL;
1158: tlen = 0; /* count payload length except of HASH payload. */
1159:
1160: /*
1161: * IDi2 MUST be immediatelly followed by IDr2. We allowed the
1162: * illegal case, but logged. First ID payload is to be IDi2.
1163: * And next ID payload is to be IDr2.
1164: */
1165: f_id_order = 0;
1166:
1167: for (; pa->type; pa++) {
1168:
1169: /* copy to buffer for HASH */
1170: /* Don't modify the payload */
1171: memcpy(p, pa->ptr, pa->len);
1172:
1173: if (pa->type != ISAKMP_NPTYPE_ID)
1174: f_id_order = 0;
1175:
1176: switch (pa->type) {
1177: case ISAKMP_NPTYPE_SA:
1178: if (iph2->sa != NULL) {
1179: plog(LLV_ERROR, LOCATION, NULL,
1180: "Multi SAs isn't supported.\n");
1181: goto end;
1182: }
1183: if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
1184: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1185: "duplicate ISAKMP_NPTYPE_SA.\n");
1186: goto end;
1187: }
1188: break;
1189:
1190: case ISAKMP_NPTYPE_NONCE:
1191: if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
1192: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1193: "duplicate ISAKMP_NPTYPE_NONCE.\n");
1194: goto end;
1195: }
1196: break;
1197:
1198: case ISAKMP_NPTYPE_KE:
1199: if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
1200: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1201: "duplicate ISAKMP_NPTYPE_KE.\n");
1202: goto end;
1203: }
1204: break;
1205:
1206: case ISAKMP_NPTYPE_ID:
1207: if (iph2->id_p == NULL) {
1208: /* for IDci */
1209: f_id_order++;
1210:
1211: if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0)
1212: goto end;
1213:
1214: } else if (iph2->id == NULL) {
1215: /* for IDcr */
1216: if (f_id_order == 0) {
1217: plog(LLV_ERROR, LOCATION, NULL,
1218: "IDr2 payload is not "
1219: "immediatelly followed "
1220: "by IDi2. We allowed.\n");
1221: /* XXX we allowed in this case. */
1222: }
1223:
1224: if (isakmp_p2ph(&iph2->id, pa->ptr) < 0)
1225: goto end;
1226: } else {
1227: plog(LLV_ERROR, LOCATION, NULL,
1228: "received too many ID payloads.\n");
1229: plogdump(LLV_ERROR, iph2->id->v, iph2->id->l);
1230: error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1231: goto end;
1232: }
1233: break;
1234:
1235: case ISAKMP_NPTYPE_N:
1236: ph2_recv_n(iph2, pa->ptr);
1237: break;
1238:
1239: #ifdef ENABLE_NATT
1240: case ISAKMP_NPTYPE_NATOA_DRAFT:
1241: case ISAKMP_NPTYPE_NATOA_RFC:
1242: {
1243: struct sockaddr_storage addr;
1244: struct sockaddr *daddr;
1245: u_int8_t prefix;
1246: u_int16_t ul_proto;
1247: vchar_t *vp = NULL;
1248:
1249: if (isakmp_p2ph(&vp, pa->ptr) < 0)
1250: goto end;
1251:
1252: error = ipsecdoi_id2sockaddr(vp,
1253: (struct sockaddr *) &addr,
1254: &prefix, &ul_proto);
1255:
1256: vfree(vp);
1257:
1258: if (error)
1259: goto end;
1260:
1261: daddr = dupsaddr((struct sockaddr *) &addr);
1262: if (daddr == NULL)
1263: goto end;
1264:
1265: if (iph2->natoa_dst == NULL)
1266: iph2->natoa_dst = daddr;
1267: else if (iph2->natoa_src == NULL)
1268: iph2->natoa_src = daddr;
1269: else {
1270: racoon_free(daddr);
1271: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1272: "received too many NAT-OA payloads.\n");
1273: error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1274: goto end;
1275: }
1276: }
1277: break;
1278: #endif
1279:
1280: default:
1281: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1282: "ignore the packet, "
1283: "received unexpecting payload type %d.\n",
1284: pa->type);
1285: error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1286: goto end;
1287: }
1288:
1289: p += pa->len;
1290:
1291: /* compute true length of payload. */
1292: tlen += pa->len;
1293: }
1294:
1295: /* payload existency check */
1296: if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
1297: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1298: "few isakmp message received.\n");
1299: error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1300: goto end;
1301: }
1302:
1303: if (iph2->id_p) {
1304: plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
1305: plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
1306: }
1307: if (iph2->id) {
1308: plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
1309: plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
1310: }
1311:
1312: /* adjust buffer length for HASH */
1313: hbuf->l = tlen;
1314:
1315: /* validate HASH(1) */
1316: {
1317: char *r_hash;
1318: vchar_t *my_hash = NULL;
1319: int result;
1320:
1321: r_hash = (caddr_t)hash + sizeof(*hash);
1322:
1323: plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:");
1324: plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1325:
1326: my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
1327: if (my_hash == NULL)
1328: goto end;
1329:
1330: result = memcmp(my_hash->v, r_hash, my_hash->l);
1331: vfree(my_hash);
1332:
1333: if (result) {
1334: plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1335: "HASH(1) mismatch.\n");
1336: error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1337: goto end;
1338: }
1339: }
1340:
1341: /* get sainfo */
1342: error = get_sainfo_r(iph2);
1343: if (error) {
1344: plog(LLV_ERROR, LOCATION, NULL,
1345: "failed to get sainfo.\n");
1346: goto end;
1347: }
1348:
1349:
1350: /* check the existence of ID payload and create responder's proposal */
1351: error = get_proposal_r(iph2);
1352: switch (error) {
1353: case -2:
1354: /* generate a policy template from peer's proposal */
1355: if (set_proposal_from_proposal(iph2)) {
1356: plog(LLV_ERROR, LOCATION, NULL,
1357: "failed to generate a proposal template "
1358: "from client's proposal.\n");
1359: error = ISAKMP_INTERNAL_ERROR;
1360: goto end;
1361: }
1362: /*FALLTHROUGH*/
1363: case 0:
1364: /* select single proposal or reject it. */
1365: if (ipsecdoi_selectph2proposal(iph2) < 0) {
1366: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1367: "no proposal chosen.\n");
1368: error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1369: goto end;
1370: }
1371: break;
1372: default:
1373: plog(LLV_ERROR, LOCATION, NULL,
1374: "failed to get proposal for responder.\n");
1375: goto end;
1376: }
1377:
1378: /* check KE and attribute of PFS */
1379: if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
1380: plog(LLV_ERROR, LOCATION, NULL,
1381: "no PFS is specified, but peer sends KE.\n");
1382: error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1383: goto end;
1384: }
1385: if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
1386: plog(LLV_ERROR, LOCATION, NULL,
1387: "PFS is specified, but peer doesn't sends KE.\n");
1388: error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1389: goto end;
1390: }
1391:
1392: /*
1393: * save the packet from the initiator in order to resend the
1394: * responder's first packet against this packet.
1395: */
1396: iph2->msg1 = vdup(msg0);
1397:
1398: /* change status of isakmp status entry */
1399: iph2->status = PHASE2ST_STATUS2;
1400:
1401: error = 0;
1402:
1403: end:
1404: if (hbuf)
1405: vfree(hbuf);
1406: if (msg)
1407: vfree(msg);
1408: if (pbuf)
1409: vfree(pbuf);
1410:
1411: if (error) {
1412: VPTRINIT(iph2->sa);
1413: VPTRINIT(iph2->nonce_p);
1414: VPTRINIT(iph2->dhpub_p);
1415: VPTRINIT(iph2->id);
1416: VPTRINIT(iph2->id_p);
1417: #ifdef ENABLE_NATT
1418: if (iph2->natoa_src) {
1419: racoon_free(iph2->natoa_src);
1420: iph2->natoa_src = NULL;
1421: }
1422: if (iph2->natoa_dst) {
1423: racoon_free(iph2->natoa_dst);
1424: iph2->natoa_dst = NULL;
1425: }
1426: #endif
1427: }
1428:
1429: return error;
1430: }
1431:
1432: /*
1433: * call pfkey_getspi.
1434: */
1435: int
1436: quick_r1prep(iph2, msg)
1437: struct ph2handle *iph2;
1438: vchar_t *msg;
1439: {
1440: int error = ISAKMP_INTERNAL_ERROR;
1441:
1442: /* validity check */
1443: if (iph2->status != PHASE2ST_STATUS2) {
1444: plog(LLV_ERROR, LOCATION, NULL,
1445: "status mismatched %d.\n", iph2->status);
1446: goto end;
1447: }
1448:
1449: iph2->status = PHASE2ST_GETSPISENT;
1450:
1451: /* send getspi message */
1452: if (pk_sendgetspi(iph2) < 0)
1453: goto end;
1454:
1455: plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
1456:
1457: sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
1458: quick_timeover_stub);
1459:
1460: error = 0;
1461:
1462: end:
1463: return error;
1464: }
1465:
1466: /*
1467: * send to initiator
1468: * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1469: */
1470: int
1471: quick_r2send(iph2, msg)
1472: struct ph2handle *iph2;
1473: vchar_t *msg;
1474: {
1475: vchar_t *body = NULL;
1476: vchar_t *hash = NULL;
1477: struct isakmp_gen *gen;
1478: char *p;
1479: int tlen;
1480: int error = ISAKMP_INTERNAL_ERROR;
1481: int natoa = ISAKMP_NPTYPE_NONE;
1482: int pfsgroup;
1483: u_int8_t *np_p = NULL;
1484: #ifdef ENABLE_NATT
1485: vchar_t *nat_oai = NULL;
1486: vchar_t *nat_oar = NULL;
1487: #endif
1488:
1489: /* validity check */
1490: if (msg != NULL) {
1491: plog(LLV_ERROR, LOCATION, NULL,
1492: "msg has to be NULL in this function.\n");
1493: goto end;
1494: }
1495: if (iph2->status != PHASE2ST_GETSPIDONE) {
1496: plog(LLV_ERROR, LOCATION, NULL,
1497: "status mismatched %d.\n", iph2->status);
1498: goto end;
1499: }
1500:
1501: /* update responders SPI */
1502: if (ipsecdoi_updatespi(iph2) < 0) {
1503: plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n");
1504: goto end;
1505: }
1506:
1507: /* generate NONCE value */
1508: iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
1509: if (iph2->nonce == NULL)
1510: goto end;
1511:
1512: /* generate KE value if need */
1513: pfsgroup = iph2->approval->pfs_group;
1514: if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1515: /* DH group settting if PFS is required. */
1516: if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
1517: plog(LLV_ERROR, LOCATION, NULL,
1518: "failed to set DH value.\n");
1519: goto end;
1520: }
1521: /* generate DH public value */
1522: if (oakley_dh_generate(iph2->pfsgrp,
1523: &iph2->dhpub, &iph2->dhpriv) < 0) {
1524: goto end;
1525: }
1526: }
1527:
1528: #ifdef ENABLE_NATT
1529: /*
1530: * RFC3947 5.2. if we chose UDP-Encapsulated-Transport
1531: * we should send NAT-OA
1532: */
1533: if (ipsecdoi_transportmode(iph2->proposal)
1534: && (iph2->ph1->natt_flags & NAT_DETECTED)) {
1535: natoa = iph2->ph1->natt_options->payload_nat_oa;
1536:
1537: nat_oai = ipsecdoi_sockaddr2id(iph2->dst,
1538: IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
1539: nat_oar = ipsecdoi_sockaddr2id(iph2->src,
1540: IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
1541:
1542: if (nat_oai == NULL || nat_oar == NULL) {
1543: plog(LLV_ERROR, LOCATION, NULL,
1544: "failed to generate NAT-OA payload.\n");
1545: goto end;
1546: }
1547:
1548: plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n");
1549: plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l);
1550: plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n");
1551: plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l);
1552: }
1553: #endif
1554:
1555: /* create SA;NONCE payload, and KE and ID if need */
1556: tlen = sizeof(*gen) + iph2->sa_ret->l
1557: + sizeof(*gen) + iph2->nonce->l;
1558: if (iph2->dhpub_p != NULL && pfsgroup != 0)
1559: tlen += (sizeof(*gen) + iph2->dhpub->l);
1560: if (iph2->id_p != NULL)
1561: tlen += (sizeof(*gen) + iph2->id_p->l
1562: + sizeof(*gen) + iph2->id->l);
1563: #ifdef ENABLE_NATT
1564: if (natoa != ISAKMP_NPTYPE_NONE)
1565: tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l;
1566: #endif
1567:
1568: body = vmalloc(tlen);
1569: if (body == NULL) {
1570: plog(LLV_ERROR, LOCATION, NULL,
1571: "failed to get buffer to send.\n");
1572: goto end;
1573: }
1574: p = body->v;
1575:
1576: /* make SA payload */
1577: p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
1578:
1579: /* add NONCE payload */
1580: np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1581: p = set_isakmp_payload(p, iph2->nonce,
1582: (iph2->dhpub_p != NULL && pfsgroup != 0)
1583: ? ISAKMP_NPTYPE_KE
1584: : (iph2->id_p != NULL
1585: ? ISAKMP_NPTYPE_ID
1586: : natoa));
1587:
1588: /* add KE payload if need. */
1589: if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1590: np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1591: p = set_isakmp_payload(p, iph2->dhpub,
1592: (iph2->id_p == NULL)
1593: ? natoa
1594: : ISAKMP_NPTYPE_ID);
1595: }
1596:
1597: /* add ID payloads received. */
1598: if (iph2->id_p != NULL) {
1599: /* IDci */
1600: p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
1601: /* IDcr */
1602: np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1603: p = set_isakmp_payload(p, iph2->id, natoa);
1604: }
1605:
1606: #ifdef ENABLE_NATT
1607: /* NAT-OA */
1608: if (natoa != ISAKMP_NPTYPE_NONE) {
1609: p = set_isakmp_payload(p, nat_oai, natoa);
1610: p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE);
1611: }
1612: #endif
1613:
1614: /* add a RESPONDER-LIFETIME notify payload if needed */
1615: {
1616: vchar_t *data = NULL;
1617: struct saprop *pp = iph2->approval;
1618: struct saproto *pr;
1619:
1620: if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
1621: u_int32_t v = htonl((u_int32_t)pp->lifetime);
1622: data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1623: IPSECDOI_ATTR_SA_LD_TYPE_SEC);
1624: if (!data)
1625: goto end;
1626: data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1627: (caddr_t)&v, sizeof(v));
1628: if (!data)
1629: goto end;
1630: }
1631: if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
1632: u_int32_t v = htonl((u_int32_t)pp->lifebyte);
1633: data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1634: IPSECDOI_ATTR_SA_LD_TYPE_KB);
1635: if (!data)
1636: goto end;
1637: data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1638: (caddr_t)&v, sizeof(v));
1639: if (!data)
1640: goto end;
1641: }
1642:
1643: /*
1644: * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1645: * in the case of SA bundle ?
1646: */
1647: if (data) {
1648: for (pr = pp->head; pr; pr = pr->next) {
1649: body = isakmp_add_pl_n(body, &np_p,
1650: ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
1651: if (!body) {
1652: vfree(data);
1653: return error; /* XXX */
1654: }
1655: }
1656: vfree(data);
1657: }
1658: }
1659:
1660: /* generate HASH(2) */
1661: {
1662: vchar_t *tmp;
1663:
1664: tmp = vmalloc(iph2->nonce_p->l + body->l);
1665: if (tmp == NULL) {
1666: plog(LLV_ERROR, LOCATION, NULL,
1667: "failed to get hash buffer.\n");
1668: goto end;
1669: }
1670: memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1671: memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
1672:
1673: hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
1674: vfree(tmp);
1675:
1676: if (hash == NULL)
1677: goto end;
1678: }
1679:
1680: /* send isakmp payload */
1681: iph2->sendbuf = quick_ir1mx(iph2, body, hash);
1682: if (iph2->sendbuf == NULL)
1683: goto end;
1684:
1685: /* send the packet, add to the schedule to resend */
1686: if (isakmp_ph2send(iph2) == -1)
1687: goto end;
1688:
1689: /* the sending message is added to the received-list. */
1690: if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) {
1691: plog(LLV_ERROR , LOCATION, NULL,
1692: "failed to add a response packet to the tree.\n");
1693: goto end;
1694: }
1695:
1696: /* change status of isakmp status entry */
1697: iph2->status = PHASE2ST_MSG1SENT;
1698:
1699: error = 0;
1700:
1701: end:
1702: if (body != NULL)
1703: vfree(body);
1704: if (hash != NULL)
1705: vfree(hash);
1706: #ifdef ENABLE_NATT
1707: if (nat_oai != NULL)
1708: vfree(nat_oai);
1709: if (nat_oar != NULL)
1710: vfree(nat_oar);
1711: #endif
1712:
1713: return error;
1714: }
1715:
1716: /*
1717: * receive from initiator
1718: * HDR*, HASH(3)
1719:
1720: */
1721: int
1722: quick_r3recv(iph2, msg0)
1723: struct ph2handle *iph2;
1724: vchar_t *msg0;
1725: {
1726: vchar_t *msg = NULL;
1727: vchar_t *pbuf = NULL; /* for payload parsing */
1728: struct isakmp_parse_t *pa;
1729: struct isakmp_pl_hash *hash = NULL;
1730: int error = ISAKMP_INTERNAL_ERROR;
1731:
1732: /* validity check */
1733: if (iph2->status != PHASE2ST_MSG1SENT) {
1734: plog(LLV_ERROR, LOCATION, NULL,
1735: "status mismatched %d.\n", iph2->status);
1736: goto end;
1737: }
1738:
1739: /* decrypt packet */
1740: if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1741: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1742: "Packet wasn't encrypted.\n");
1743: goto end;
1744: }
1745: msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1746: if (msg == NULL)
1747: goto end;
1748:
1749: /* validate the type of next payload */
1750: pbuf = isakmp_parse(msg);
1751: if (pbuf == NULL)
1752: goto end;
1753:
1754: for (pa = (struct isakmp_parse_t *)pbuf->v;
1755: pa->type != ISAKMP_NPTYPE_NONE;
1756: pa++) {
1757:
1758: switch (pa->type) {
1759: case ISAKMP_NPTYPE_HASH:
1760: hash = (struct isakmp_pl_hash *)pa->ptr;
1761: break;
1762: case ISAKMP_NPTYPE_N:
1763: ph2_recv_n(iph2, pa->ptr);
1764: break;
1765: default:
1766: /* don't send information, see ident_r1recv() */
1767: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1768: "ignore the packet, "
1769: "received unexpecting payload type %d.\n",
1770: pa->type);
1771: goto end;
1772: }
1773: }
1774:
1775: /* payload existency check */
1776: if (hash == NULL) {
1777: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1778: "few isakmp message received.\n");
1779: goto end;
1780: }
1781:
1782: /* validate HASH(3) */
1783: /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1784: {
1785: char *r_hash;
1786: vchar_t *my_hash = NULL;
1787: vchar_t *tmp = NULL;
1788: int result;
1789:
1790: r_hash = (char *)hash + sizeof(*hash);
1791:
1792: plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
1793: plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1794:
1795: tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
1796: if (tmp == NULL) {
1797: plog(LLV_ERROR, LOCATION, NULL,
1798: "failed to get hash buffer.\n");
1799: goto end;
1800: }
1801: memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1802: memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
1803:
1804: my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
1805: vfree(tmp);
1806: if (my_hash == NULL)
1807: goto end;
1808:
1809: result = memcmp(my_hash->v, r_hash, my_hash->l);
1810: vfree(my_hash);
1811:
1812: if (result) {
1813: plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1814: "HASH(3) mismatch.\n");
1815: error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1816: goto end;
1817: }
1818: }
1819:
1820: /* if there is commit bit, don't set up SA now. */
1821: if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
1822: iph2->status = PHASE2ST_COMMIT;
1823: } else
1824: iph2->status = PHASE2ST_STATUS6;
1825:
1826: error = 0;
1827:
1828: end:
1829: if (pbuf != NULL)
1830: vfree(pbuf);
1831: if (msg != NULL)
1832: vfree(msg);
1833:
1834: return error;
1835: }
1836:
1837: /*
1838: * send to initiator
1839: * HDR#*, HASH(4), notify
1840: */
1841: int
1842: quick_r3send(iph2, msg0)
1843: struct ph2handle *iph2;
1844: vchar_t *msg0;
1845: {
1846: vchar_t *buf = NULL;
1847: vchar_t *myhash = NULL;
1848: struct isakmp_pl_n *n;
1849: vchar_t *notify = NULL;
1850: char *p;
1851: int tlen;
1852: int error = ISAKMP_INTERNAL_ERROR;
1853:
1854: /* validity check */
1855: if (iph2->status != PHASE2ST_COMMIT) {
1856: plog(LLV_ERROR, LOCATION, NULL,
1857: "status mismatched %d.\n", iph2->status);
1858: goto end;
1859: }
1860:
1861: /* generate HASH(4) */
1862: /* XXX What can I do in the case of multiple different SA */
1863: plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");
1864:
1865: /* XXX What should I do if there are multiple SAs ? */
1866: tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
1867: notify = vmalloc(tlen);
1868: if (notify == NULL) {
1869: plog(LLV_ERROR, LOCATION, NULL,
1870: "failed to get notify buffer.\n");
1871: goto end;
1872: }
1873: n = (struct isakmp_pl_n *)notify->v;
1874: n->h.np = ISAKMP_NPTYPE_NONE;
1875: n->h.len = htons(tlen);
1876: n->doi = htonl(IPSEC_DOI);
1877: n->proto_id = iph2->approval->head->proto_id;
1878: n->spi_size = sizeof(iph2->approval->head->spisize);
1879: n->type = htons(ISAKMP_NTYPE_CONNECTED);
1880: memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
1881:
1882: myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1883: if (myhash == NULL)
1884: goto end;
1885:
1886: /* create buffer for isakmp payload */
1887: tlen = sizeof(struct isakmp)
1888: + sizeof(struct isakmp_gen) + myhash->l
1889: + notify->l;
1890: buf = vmalloc(tlen);
1891: if (buf == NULL) {
1892: plog(LLV_ERROR, LOCATION, NULL,
1893: "failed to get buffer to send.\n");
1894: goto end;
1895: }
1896:
1897: /* create isakmp header */
1898: p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
1899: if (p == NULL)
1900: goto end;
1901:
1902: /* add HASH(4) payload */
1903: p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
1904:
1905: /* add notify payload */
1906: memcpy(p, notify->v, notify->l);
1907:
1908: #ifdef HAVE_PRINT_ISAKMP_C
1909: isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
1910: #endif
1911:
1912: /* encoding */
1913: iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
1914: if (iph2->sendbuf == NULL)
1915: goto end;
1916:
1917: /* send the packet */
1918: if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1919: goto end;
1920:
1921: /* the sending message is added to the received-list. */
1922: if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) {
1923: plog(LLV_ERROR , LOCATION, NULL,
1924: "failed to add a response packet to the tree.\n");
1925: goto end;
1926: }
1927:
1928: iph2->status = PHASE2ST_COMMIT;
1929:
1930: error = 0;
1931:
1932: end:
1933: if (buf != NULL)
1934: vfree(buf);
1935: if (myhash != NULL)
1936: vfree(myhash);
1937: if (notify != NULL)
1938: vfree(notify);
1939:
1940: return error;
1941: }
1942:
1943: int
1944: tunnel_mode_prop(p)
1945: struct saprop *p;
1946: {
1947: struct saproto *pr;
1948:
1949: for (pr = p->head; pr; pr = pr->next)
1950: if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL)
1951: return 1;
1952: return 0;
1953: }
1954:
1955: /*
1956: * set SA to kernel.
1957: */
1958: int
1959: quick_r3prep(iph2, msg0)
1960: struct ph2handle *iph2;
1961: vchar_t *msg0;
1962: {
1963: int error = ISAKMP_INTERNAL_ERROR;
1964:
1965: /* validity check */
1966: if (iph2->status != PHASE2ST_STATUS6) {
1967: plog(LLV_ERROR, LOCATION, NULL,
1968: "status mismatched %d.\n", iph2->status);
1969: goto end;
1970: }
1971:
1972: /* compute both of KEYMATs */
1973: if (oakley_compute_keymat(iph2, RESPONDER) < 0)
1974: goto end;
1975:
1976: iph2->status = PHASE2ST_ADDSA;
1977: iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1978:
1979: /* don't anything if local test mode. */
1980: if (f_local) {
1981: error = 0;
1982: goto end;
1983: }
1984:
1985: /* Do UPDATE as responder */
1986: plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
1987: if (pk_sendupdate(iph2) < 0) {
1988: plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
1989: goto end;
1990: }
1991: plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
1992:
1993: /* Do ADD for responder */
1994: if (pk_sendadd(iph2) < 0) {
1995: plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
1996: goto end;
1997: }
1998: plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
1999:
2000: /*
2001: * set policies into SPD if the policy is generated
2002: * from peer's policy.
2003: */
2004: if (iph2->spidx_gen) {
2005:
2006: struct policyindex *spidx;
2007: struct sockaddr_storage addr;
2008: u_int8_t pref;
2009: struct sockaddr *src = iph2->src;
2010: struct sockaddr *dst = iph2->dst;
2011:
2012: /* make inbound policy */
2013: iph2->src = dst;
2014: iph2->dst = src;
2015: if (pk_sendspdupdate2(iph2) < 0) {
2016: plog(LLV_ERROR, LOCATION, NULL,
2017: "pfkey spdupdate2(inbound) failed.\n");
2018: goto end;
2019: }
2020: plog(LLV_DEBUG, LOCATION, NULL,
2021: "pfkey spdupdate2(inbound) sent.\n");
2022:
2023: spidx = (struct policyindex *)iph2->spidx_gen;
2024: #ifdef HAVE_POLICY_FWD
2025: /* make forward policy if required */
2026: if (tunnel_mode_prop(iph2->approval)) {
2027: spidx->dir = IPSEC_DIR_FWD;
2028: if (pk_sendspdupdate2(iph2) < 0) {
2029: plog(LLV_ERROR, LOCATION, NULL,
2030: "pfkey spdupdate2(forward) failed.\n");
2031: goto end;
2032: }
2033: plog(LLV_DEBUG, LOCATION, NULL,
2034: "pfkey spdupdate2(forward) sent.\n");
2035: }
2036: #endif
2037:
2038: /* make outbound policy */
2039: iph2->src = src;
2040: iph2->dst = dst;
2041: spidx->dir = IPSEC_DIR_OUTBOUND;
2042: addr = spidx->src;
2043: spidx->src = spidx->dst;
2044: spidx->dst = addr;
2045: pref = spidx->prefs;
2046: spidx->prefs = spidx->prefd;
2047: spidx->prefd = pref;
2048:
2049: if (pk_sendspdupdate2(iph2) < 0) {
2050: plog(LLV_ERROR, LOCATION, NULL,
2051: "pfkey spdupdate2(outbound) failed.\n");
2052: goto end;
2053: }
2054: plog(LLV_DEBUG, LOCATION, NULL,
2055: "pfkey spdupdate2(outbound) sent.\n");
2056:
2057: /* spidx_gen is unnecessary any more */
2058: delsp_bothdir((struct policyindex *)iph2->spidx_gen);
2059: racoon_free(iph2->spidx_gen);
2060: iph2->spidx_gen = NULL;
2061: iph2->generated_spidx=1;
2062: }
2063:
2064: error = 0;
2065:
2066: end:
2067: return error;
2068: }
2069:
2070: /*
2071: * create HASH, body (SA, NONCE) payload with isakmp header.
2072: */
2073: static vchar_t *
2074: quick_ir1mx(iph2, body, hash)
2075: struct ph2handle *iph2;
2076: vchar_t *body, *hash;
2077: {
2078: struct isakmp *isakmp;
2079: vchar_t *buf = NULL, *new = NULL;
2080: char *p;
2081: int tlen;
2082: struct isakmp_gen *gen;
2083: int error = ISAKMP_INTERNAL_ERROR;
2084:
2085: /* create buffer for isakmp payload */
2086: tlen = sizeof(*isakmp)
2087: + sizeof(*gen) + hash->l
2088: + body->l;
2089: buf = vmalloc(tlen);
2090: if (buf == NULL) {
2091: plog(LLV_ERROR, LOCATION, NULL,
2092: "failed to get buffer to send.\n");
2093: goto end;
2094: }
2095:
2096: /* re-set encryption flag, for serurity. */
2097: iph2->flags |= ISAKMP_FLAG_E;
2098:
2099: /* set isakmp header */
2100: p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
2101: if (p == NULL)
2102: goto end;
2103:
2104: /* add HASH payload */
2105: /* XXX is next type always SA ? */
2106: p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
2107:
2108: /* add body payload */
2109: memcpy(p, body->v, body->l);
2110:
2111: #ifdef HAVE_PRINT_ISAKMP_C
2112: isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2113: #endif
2114:
2115: /* encoding */
2116: new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2117:
2118: if (new == NULL)
2119: goto end;
2120:
2121: vfree(buf);
2122:
2123: buf = new;
2124:
2125: error = 0;
2126:
2127: end:
2128: if (error && buf != NULL) {
2129: vfree(buf);
2130: buf = NULL;
2131: }
2132:
2133: return buf;
2134: }
2135:
2136: /*
2137: * get remote's sainfo.
2138: * NOTE: this function is for responder.
2139: */
2140: static int
2141: get_sainfo_r(iph2)
2142: struct ph2handle *iph2;
2143: {
2144: vchar_t *idsrc = NULL, *iddst = NULL, *client = NULL;
2145: int error = ISAKMP_INTERNAL_ERROR;
2146:
2147: if (iph2->id == NULL) {
2148: idsrc = ipsecdoi_sockaddr2id(iph2->src, IPSECDOI_PREFIX_HOST,
2149: IPSEC_ULPROTO_ANY);
2150: } else {
2151: idsrc = vdup(iph2->id);
2152: }
2153: if (idsrc == NULL) {
2154: plog(LLV_ERROR, LOCATION, NULL,
2155: "failed to set ID for source.\n");
2156: goto end;
2157: }
2158:
2159: if (iph2->id_p == NULL) {
2160: iddst = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
2161: IPSEC_ULPROTO_ANY);
2162: } else {
2163: iddst = vdup(iph2->id_p);
2164: }
2165: if (iddst == NULL) {
2166: plog(LLV_ERROR, LOCATION, NULL,
2167: "failed to set ID for destination.\n");
2168: goto end;
2169: }
2170:
2171: #ifdef ENABLE_HYBRID
2172:
2173: /* clientaddr check : obtain modecfg address */
2174: if (iph2->ph1->mode_cfg != NULL) {
2175: if ((iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
2176: (iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)){
2177: struct sockaddr saddr;
2178: saddr.sa_family = AF_INET;
2179: #ifndef __linux__
2180: saddr.sa_len = sizeof(struct sockaddr_in);
2181: #endif
2182: ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
2183: memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
2184: &iph2->ph1->mode_cfg->addr4, sizeof(struct in_addr));
2185: client = ipsecdoi_sockaddr2id(&saddr, 32, IPSEC_ULPROTO_ANY);
2186: }
2187: }
2188:
2189: /* clientaddr check, fallback to peer address */
2190: if (client == NULL)
2191: {
2192: client = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
2193: IPSEC_ULPROTO_ANY);
2194: }
2195: #endif
2196:
2197: /* obtain a matching sainfo section */
2198: iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, client, iph2->ph1->rmconf->ph1id);
2199: if (iph2->sainfo == NULL) {
2200: plog(LLV_ERROR, LOCATION, NULL,
2201: "failed to get sainfo.\n");
2202: goto end;
2203: }
2204:
2205: #ifdef ENABLE_HYBRID
2206: /* xauth group inclusion check */
2207: if (iph2->sainfo->group != NULL)
2208: if(group_check(iph2->ph1,&iph2->sainfo->group->v,1))
2209: goto end;
2210: #endif
2211:
2212: plog(LLV_DEBUG, LOCATION, NULL,
2213: "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2214:
2215: error = 0;
2216: end:
2217: if (idsrc)
2218: vfree(idsrc);
2219: if (iddst)
2220: vfree(iddst);
2221: if (client)
2222: vfree(client);
2223:
2224: return error;
2225: }
2226:
2227: /*
2228: * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
2229: * are IP address and same address family.
2230: * Then get remote's policy from SPD copied from kernel.
2231: * If the type of ID payload is address or subnet type, then the index is
2232: * made from the payload. If there is no ID payload, or the type of ID
2233: * payload is NOT address type, then the index is made from the address
2234: * pair of phase 1.
2235: * NOTE: This function is only for responder.
2236: */
2237: static int
2238: get_proposal_r(iph2)
2239: struct ph2handle *iph2;
2240: {
2241: struct policyindex spidx;
2242: struct secpolicy *sp_in, *sp_out;
2243: int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
2244: int error = ISAKMP_INTERNAL_ERROR;
2245:
2246: /* check the existence of ID payload */
2247: if ((iph2->id_p != NULL && iph2->id == NULL)
2248: || (iph2->id_p == NULL && iph2->id != NULL)) {
2249: plog(LLV_ERROR, LOCATION, NULL,
2250: "Both IDs wasn't found in payload.\n");
2251: return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2252: }
2253:
2254: /* make sure if sa_[src, dst] are null. */
2255: if (iph2->sa_src || iph2->sa_dst) {
2256: plog(LLV_ERROR, LOCATION, NULL,
2257: "Why do ID[src,dst] exist already.\n");
2258: return ISAKMP_INTERNAL_ERROR;
2259: }
2260:
2261: memset(&spidx, 0, sizeof(spidx));
2262:
2263: #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
2264:
2265: /* make a spidx; a key to search SPD */
2266: spidx.dir = IPSEC_DIR_INBOUND;
2267: spidx.ul_proto = 0;
2268:
2269: /*
2270: * make destination address in spidx from either ID payload
2271: * or phase 1 address into a address in spidx.
2272: */
2273: if (iph2->id != NULL
2274: && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2275: || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
2276: || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2277: || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2278: /* get a destination address of a policy */
2279: error = ipsecdoi_id2sockaddr(iph2->id,
2280: (struct sockaddr *)&spidx.dst,
2281: &spidx.prefd, &spidx.ul_proto);
2282: if (error)
2283: return error;
2284:
2285: #ifdef INET6
2286: /*
2287: * get scopeid from the SA address.
2288: * note that the phase 1 source address is used as
2289: * a destination address to search for a inbound policy entry
2290: * because rcoon is responder.
2291: */
2292: if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
2293: error = setscopeid((struct sockaddr *)&spidx.dst,
2294: iph2->src);
2295: if (error)
2296: return error;
2297: }
2298: #endif
2299:
2300: if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2301: || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
2302: idi2type = _XIDT(iph2->id);
2303:
2304: } else {
2305:
2306: plog(LLV_DEBUG, LOCATION, NULL,
2307: "get a destination address of SP index "
2308: "from phase1 address "
2309: "due to no ID payloads found "
2310: "OR because ID type is not address.\n");
2311:
2312: /*
2313: * copy the SOURCE address of IKE into the DESTINATION address
2314: * of the key to search the SPD because the direction of policy
2315: * is inbound.
2316: */
2317: memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
2318: switch (spidx.dst.ss_family) {
2319: case AF_INET:
2320: spidx.prefd = sizeof(struct in_addr) << 3;
2321: break;
2322: #ifdef INET6
2323: case AF_INET6:
2324: spidx.prefd = sizeof(struct in6_addr) << 3;
2325: break;
2326: #endif
2327: default:
2328: spidx.prefd = 0;
2329: break;
2330: }
2331: }
2332:
2333: /* make source address in spidx */
2334: if (iph2->id_p != NULL
2335: && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
2336: || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
2337: || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2338: || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2339: /* get a source address of inbound SA */
2340: error = ipsecdoi_id2sockaddr(iph2->id_p,
2341: (struct sockaddr *)&spidx.src,
2342: &spidx.prefs, &spidx.ul_proto);
2343: if (error)
2344: return error;
2345:
2346: #ifdef INET6
2347: /*
2348: * get scopeid from the SA address.
2349: * for more detail, see above of this function.
2350: */
2351: if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
2352: error = setscopeid((struct sockaddr *)&spidx.src,
2353: iph2->dst);
2354: if (error)
2355: return error;
2356: }
2357: #endif
2358:
2359: /* Before setting iph2->[sa_src, sa_dst] with the addresses
2360: * provided in ID payloads, we check:
2361: * - they are both addresses of same family
2362: * - sainfo has not been selected only based on ID payload
2363: * information but also based on specific Phase 1
2364: * credentials (iph2->sainfo->id_i is defined), i.e.
2365: * local configuration _explicitly_ expect that user
2366: * (e.g. from asn1dn "C=FR, ...") with those IDs) */
2367: if (_XIDT(iph2->id_p) == idi2type &&
2368: spidx.dst.ss_family == spidx.src.ss_family &&
2369: iph2->sainfo && iph2->sainfo->id_i) {
2370:
2371: iph2->sa_src = dupsaddr((struct sockaddr *)&spidx.dst);
2372: if (iph2->sa_src == NULL) {
2373: plog(LLV_ERROR, LOCATION, NULL,
2374: "buffer allocation failed.\n");
2375: return ISAKMP_INTERNAL_ERROR;
2376: }
2377:
2378: iph2->sa_dst = dupsaddr((struct sockaddr *)&spidx.src);
2379: if (iph2->sa_dst == NULL) {
2380: plog(LLV_ERROR, LOCATION, NULL,
2381: "buffer allocation failed.\n");
2382: return ISAKMP_INTERNAL_ERROR;
2383: }
2384: } else {
2385: plog(LLV_DEBUG, LOCATION, NULL,
2386: "Either family (%d - %d), types (%d - %d) of ID "
2387: "from initiator differ or matching sainfo "
2388: "has no id_i defined for the peer. Not filling "
2389: "iph2->sa_src and iph2->sa_dst.\n",
2390: spidx.src.ss_family, spidx.dst.ss_family,
2391: _XIDT(iph2->id_p),idi2type);
2392: }
2393: } else {
2394: plog(LLV_DEBUG, LOCATION, NULL,
2395: "get a source address of SP index from Phase 1"
2396: "addresses due to no ID payloads found"
2397: "OR because ID type is not address.\n");
2398:
2399: /* see above comment. */
2400: memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
2401: switch (spidx.src.ss_family) {
2402: case AF_INET:
2403: spidx.prefs = sizeof(struct in_addr) << 3;
2404: break;
2405: #ifdef INET6
2406: case AF_INET6:
2407: spidx.prefs = sizeof(struct in6_addr) << 3;
2408: break;
2409: #endif
2410: default:
2411: spidx.prefs = 0;
2412: break;
2413: }
2414: }
2415:
2416: #undef _XIDT
2417:
2418: plog(LLV_DEBUG, LOCATION, NULL,
2419: "get src address from ID payload "
2420: "%s prefixlen=%u ul_proto=%u\n",
2421: saddr2str((struct sockaddr *)&spidx.src),
2422: spidx.prefs, spidx.ul_proto);
2423: plog(LLV_DEBUG, LOCATION, NULL,
2424: "get dst address from ID payload "
2425: "%s prefixlen=%u ul_proto=%u\n",
2426: saddr2str((struct sockaddr *)&spidx.dst),
2427: spidx.prefd, spidx.ul_proto);
2428:
2429: /*
2430: * convert the ul_proto if it is 0
2431: * because 0 in ID payload means a wild card.
2432: */
2433: if (spidx.ul_proto == 0)
2434: spidx.ul_proto = IPSEC_ULPROTO_ANY;
2435:
2436: #ifdef HAVE_SECCTX
2437: /*
2438: * Need to use security context in spidx to ensure the correct
2439: * policy is selected. The only way to get the security context
2440: * is to look into the proposal sent by peer ahead of time.
2441: */
2442: if (get_security_context(iph2->sa, &spidx)) {
2443: plog(LLV_ERROR, LOCATION, NULL,
2444: "error occurred trying to get security context.\n");
2445: return ISAKMP_INTERNAL_ERROR;
2446: }
2447: #endif /* HAVE_SECCTX */
2448:
2449: /* get inbound policy */
2450: sp_in = getsp_r(&spidx);
2451: if (sp_in == NULL) {
2452: if (iph2->ph1->rmconf->gen_policy) {
2453: plog(LLV_INFO, LOCATION, NULL,
2454: "no policy found, "
2455: "try to generate the policy : %s\n",
2456: spidx2str(&spidx));
2457: iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2458: if (!iph2->spidx_gen) {
2459: plog(LLV_ERROR, LOCATION, NULL,
2460: "buffer allocation failed.\n");
2461: return ISAKMP_INTERNAL_ERROR;
2462: }
2463: memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2464: return -2; /* special value */
2465: }
2466: plog(LLV_ERROR, LOCATION, NULL,
2467: "no policy found: %s\n", spidx2str(&spidx));
2468: return ISAKMP_INTERNAL_ERROR;
2469: }
2470: /* Refresh existing generated policies
2471: */
2472: if (iph2->ph1->rmconf->gen_policy) {
2473: plog(LLV_INFO, LOCATION, NULL,
2474: "Update the generated policy : %s\n",
2475: spidx2str(&spidx));
2476: iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2477: if (!iph2->spidx_gen) {
2478: plog(LLV_ERROR, LOCATION, NULL,
2479: "buffer allocation failed.\n");
2480: return ISAKMP_INTERNAL_ERROR;
2481: }
2482: memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2483: }
2484:
2485: /* get outbound policy */
2486: {
2487: struct sockaddr_storage addr;
2488: u_int8_t pref;
2489:
2490: spidx.dir = IPSEC_DIR_OUTBOUND;
2491: addr = spidx.src;
2492: spidx.src = spidx.dst;
2493: spidx.dst = addr;
2494: pref = spidx.prefs;
2495: spidx.prefs = spidx.prefd;
2496: spidx.prefd = pref;
2497:
2498: sp_out = getsp_r(&spidx);
2499: if (!sp_out) {
2500: plog(LLV_WARNING, LOCATION, NULL,
2501: "no outbound policy found: %s\n",
2502: spidx2str(&spidx));
2503: }
2504: }
2505:
2506: plog(LLV_DEBUG, LOCATION, NULL,
2507: "suitable SP found:%s\n", spidx2str(&spidx));
2508:
2509: /*
2510: * In the responder side, the inbound policy should be using IPsec.
2511: * outbound policy is not checked currently.
2512: */
2513: if (sp_in->policy != IPSEC_POLICY_IPSEC) {
2514: plog(LLV_ERROR, LOCATION, NULL,
2515: "policy found, but no IPsec required: %s\n",
2516: spidx2str(&spidx));
2517: return ISAKMP_INTERNAL_ERROR;
2518: }
2519:
2520: /* set new proposal derived from a policy into the iph2->proposal. */
2521: if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
2522: plog(LLV_ERROR, LOCATION, NULL,
2523: "failed to create saprop.\n");
2524: return ISAKMP_INTERNAL_ERROR;
2525: }
2526:
2527: #ifdef HAVE_SECCTX
2528: if (spidx.sec_ctx.ctx_str) {
2529: set_secctx_in_proposal(iph2, spidx);
2530: }
2531: #endif /* HAVE_SECCTX */
2532:
2533: iph2->spid = sp_in->id;
2534:
2535: return 0;
2536: }
2537:
2538: /*
2539: * handle a notification payload inside phase2 exchange.
2540: * phase2 is always encrypted, so it does not need to be checked
2541: * for explicitely.
2542: */
2543: static int
2544: ph2_recv_n(iph2, gen)
2545: struct ph2handle *iph2;
2546: struct isakmp_gen *gen;
2547: {
2548: struct ph1handle *iph1 = iph2->ph1;
2549: struct isakmp_pl_n *notify = (struct isakmp_pl_n *) gen;
2550: u_int type;
2551: int check_level;
2552:
2553: type = ntohs(notify->type);
2554: switch (type) {
2555: case ISAKMP_NTYPE_CONNECTED:
2556: break;
2557: case ISAKMP_NTYPE_INITIAL_CONTACT:
2558: return isakmp_info_recv_initialcontact(iph1, iph2);
2559: case ISAKMP_NTYPE_RESPONDER_LIFETIME:
2560: ipsecdoi_parse_responder_lifetime(notify,
2561: &iph2->lifetime_secs, &iph2->lifetime_kb);
2562:
2563: if (iph1 != NULL && iph1->rmconf != NULL) {
2564: check_level = iph1->rmconf->pcheck_level;
2565: } else {
2566: if (iph1 != NULL)
2567: plog(LLV_DEBUG, LOCATION, NULL,
2568: "No phase1 rmconf found !\n");
2569: else
2570: plog(LLV_DEBUG, LOCATION, NULL,
2571: "No phase1 found !\n");
2572: check_level = PROP_CHECK_EXACT;
2573: }
2574:
2575: switch (check_level) {
2576: case PROP_CHECK_OBEY:
2577: break;
2578: case PROP_CHECK_STRICT:
2579: case PROP_CHECK_CLAIM:
2580: if (iph2->sainfo == NULL
2581: || iph2->sainfo->lifetime <= iph2->lifetime_secs) {
2582: plog(LLV_WARNING, LOCATION, NULL,
2583: "RESPONDER-LIFETIME: lifetime mismatch\n");
2584: iph2->lifetime_secs = 0;
2585: }
2586: break;
2587: case PROP_CHECK_EXACT:
2588: if (iph2->sainfo == NULL
2589: || iph2->sainfo->lifetime != iph2->lifetime_secs) {
2590: plog(LLV_WARNING, LOCATION, NULL,
2591: "RESPONDER-LIFETIME: lifetime mismatch\n");
2592: iph2->lifetime_secs = 0;
2593: }
2594: break;
2595: }
2596: break;
2597: default:
2598: isakmp_log_notify(iph2->ph1, notify, "phase2 exchange");
2599: isakmp_info_send_n2(iph2, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE,
2600: NULL);
2601: break;
2602: }
2603: return 0;
2604: }
2605: